AWS re:Inforce 2019: Aligning to the NIST Cybersecurity Framework in the AWS Cloud (GRC203-R)

Captions
Thanks for tuning in to our session on aligning to the NIST Cybersecurity Framework in the AWS Cloud. My name is Min Hyun. I'm the global lead for the emerging tech trends and strategy team within AWS Security. Just a couple of housekeeping items for you: we do have a repeat session tomorrow at 11 o'clock, so for those of you who have colleagues or friends who've missed this session because it is 5:30, please feel free to relay this information to them. Thank you for being here; you really want to be here if you're sitting here at this hour.

Just to level set and go through the agenda so that you know what this session will cover, including the altitude at which this discussion will happen: I will go through what the NIST Cybersecurity Framework is, including its intended purpose. Then I'll get into why you would use the NIST Cybersecurity Framework, what some use cases are, and what sectors and organizations are adopting the CSF. Then I'll talk briefly through AWS's responsibilities, which are manifested in our independent assessor validation, and then I'll hop it over to Michael, who will go over some architectural concepts and approaches. So if you're looking for a deeper dive, this is a 200-level, intermediate session; now would be the time when you would not crush my feelings if you silent-disco over to any of the other sessions that are happening now. But I will venture to say that if you've had a conversation about the NIST CSF and you've heard terms like "it's something that you comply with," or "it's a standard," or "you just turn on some services and give it a go," I think there are some things that you can take away from our session, so I hope you stay tuned and get some good value out of it.

So what is the NIST CSF, and what was it actually intended to do? The reason I want to cover this is that a lot of folks apply the CSF but don't really understand the intention behind it, and I think that will really help you to appreciate the thought that went into it and to understand the criticality of the entities that were originally intended to adopt the CSF.

As many of you are aware, this is a voluntary framework. It's comprised of best practices that enterprises in any sector, of any size, in any geography can adopt, and regardless of whether you are a cybersecurity guru as an enterprise or a small to medium-sized business where cybersecurity may be something new, this framework is intended to be flexible and relevant to your situation and to help improve the security and resiliency of your organization. Another part of the framework is that it provides a common taxonomy. What we mean by that is that you can use the language in the CSF not only to implement security best practices but also to talk to business leaders about it, so instead of security discussions being at the operational, technical, or compliance level and remaining there, they can cross over and you can communicate these things to senior business leaders. It really allows for that top-down, left-right discussion. You can use existing standards, so you don't have to create anything net new; the CSF allows you to leverage frameworks, standards, and other accreditations that are out there, and I'll unpack what that means. And finally, many of you may not know that it was originally intended for critical infrastructure sectors.

You may be asking, "Min, what's considered critical infrastructure?" Critical infrastructure is a very particular designation that's given by governments worldwide; it's not just limited to the US. The definition that you see up here was actually issued in law, and if you go across the pond you'll hear critical infrastructure designated more as "essential services," but it's basically those assets, systems, or functions that are so critical to national security, public safety, or the economy that any debilitation of those assets, systems, or functions would have a negative first-order impact on citizens. I hope that definition really helps you to feel the gravity of what critical infrastructure is. In the US, these 16 sectors are designated critical infrastructure. Now, I will say this: I know that DHS recently, in April, switched the designation of critical infrastructure sectors to 55 critical functions, but that does not interrupt the application of the NIST CSF to those functions. I just wanted to put a pin in that, because I know there are CIP gurus out there who may think, "Hey, this is not relevant anymore because DHS issued a new list," but I wanted to stay true to the context in which the CSF was created, and that's when we had 16 critical infrastructure sectors.

So, the backdrop. The CSF was created back in 2013 under an executive order, so for the context we'll have to rewind and go back to 2012. What was the cybersecurity environment in 2012? Well, we had a lot of critical infrastructure sectors that were being attacked. DHS actually had an uptick in reporting of 52% in 2012, and that was also the year when Cyber Command was stood up, and the then head of the NSA said that if he had to give a number for the US's preparedness for a large-scale cyber attack on a scale of 1 to 10, it would be a three. So that's the backdrop in which the CSF was created. President Obama issued an executive order that called for the creation of a voluntary framework for cybersecurity and resiliency, and the voluntary nature of it is important, because the administration was not intent on issuing a set of mandated requirements that would be cumbersome, because critical infrastructure is owned and operated by the private sector, at least 80% of it is, and so you can see the impact if the administration were to issue something that was mandated and the regulatory burden that would create. On top of the executive order that was issued, Congress actually codified into law the Cybersecurity Enhancement Act, and what that did was provide an extra level of validity to the creation of a voluntary framework. I know that sounds a little odd, legislation codifying the development of a voluntary framework, but that's actually what it did, and the underscoring message there is that it's intended to be voluntary, not a mandatory standard that would overburden the organizations adopting it. And then with this new administration there was a cybersecurity executive order that now mandates federal departments and agencies to comply with the NIST CSF under their Federal Information Security Management Act, FISMA, reporting. I'll dive into that just a little bit.

So what is the CSF? I'm going to go through the anatomy of what comprises the CSF. At the highest level, as I mentioned, the CSF is intended to provide an outcome-focused, risk-based way for you to implement cybersecurity risk management in your organization. The CSF is comprised of the Core, which is the flagship that many of you are familiar with; the Core consists of five functions: Identify, Protect, Detect, Respond, and Recover. These functions are going to be familiar to all of you, because you've seen some instantiation of them, maybe with different terminology, but in practice these functions will be familiar to you. An example of the five functions in action would be the federal departments and agencies: as I mentioned, all of their FISMA reporting requirements are now aligned to the five functions in the CSF, so as agencies do their quarterly and annual reporting to the White House and to Congress, it is aligned to the structure of the Core.

The Tiers. You can think of the Tiers as a way to measure the sophistication of certain capabilities that you have in place. In the CSF the Tiers are four parts; you'll see them going from Tier 1, Partial, to Risk Informed, Repeatable, and Adaptive, so you can see the evolution there. An example of the Tiers in action: in practice, the Inspectors General, which are basically the audit arm of the federal departments and agencies, have adapted the Tiers so that there are five tiers when they're assessing federal agencies, and their tiering structure goes from ad hoc all the way to fully optimized. So that's an example of an organization that has implemented the Tiers.

And then finally you have Profiles. Profiles are really what's the state today and what's the desired end state. A really cool anecdote about Profiles: the Financial Services Sector Coordinating Council, which is the public-private partnership comprised of about 70 financial institutions and exchanges as well as the regulators, actually came together and developed a target profile specific to the financial services sector. What that means is they took the CSF and customized it for financial services so that it's tailored to their requirements, and in doing the mapping they found that when they mapped the Risk Management Strategy category to nine different regulatory requirements, it all aligned into one. So their finding, in their own words, and I actually have a great graphic for it which I can't take credit for, it's from the Financial Services Sector Coordinating Council, was that there are nine different regulatory requirements but they all aligned to the same category; the language may have been different, but the security objective was the same. So this was a great opportunity to streamline and focus risk management for the financial services sector.

Getting back to the flagship, which is the Core, and the reason I'm diving into this is because it's going to set up the foundation for what Michael will dive into and also for what our AWS white paper on the CSF is about. The Core consists of these five functions, as I mentioned, and then you have these 23 categories that live inside of those functions, and then you have 108 outcome-based security activities. We'll drill down just a little bit more. I actually took the Identify function here, and you'll see that it gets a bit more granular: the category you have here is Asset Management, the subcategories are the individual risk-based activities that support the security outcome, and finally you have informative references, which are basically standards and frameworks that map to the security objective that you want to achieve. You'll note that there's NIST 800-53 and there's ISO 27001; these are some of the most widely used, internationally recognized standards and frameworks. This is not meant to be an exhaustive list, it is meant to be an illustrative list, so feel free to take whatever framework or standard and do the mapping to the CSF, and that's exactly what the Financial Services Sector Coordinating Council did.

We're going to drill down just a little bit more. For those of you who are in the compliance world and who are very familiar with the NIST 800-53 controls, and for those of you who've never seen a control statement: ta-da, here you go. This is the level of granularity that you get, and you'll note that a lot of standards and accreditation frameworks start with very prescriptive implementation practices, and what that does is limit the innovation, the latest security techniques that you can use to manage the outcome that you want to achieve. What's different about the CSF is that it did a paradigm shift: it starts with the security objectives and outcomes, which are then supported by the risk-based activities, which then map to the standard or the framework.

I'm going to give you a very trivial example of what I mean by this, and this is arguably physical security. I'm at the airport, I'm boarding my plane, I have my carry-on, my purse, and my laptop. You can only take two personal belongings onto the plane, but I've done it before where my purse and my laptop are discrete enough that they fit beneath the seat in front of me. I've done this half a dozen times; I know the size of my purse, the size of my laptop bag. So I'm going in, unassuming, just trying to get past the agent, and of course he flags me and says, "Ma'am, you need to consolidate your bags down to two." And I didn't want to tell him, "Look, I know what's going to fit in here," because that's the objective of it, right? You don't want to carry these big bags that are not going to fit and take up too much room, so that you're being that passenger. So then of course I grumpily take my laptop out and squeeze my laptop bag into my suitcase, I get past the guard, and literally as soon as I've passed him and I'm in the jetway, I take my laptop bag out, I take my laptop out, and I just have my two and walk down, because I know it's going to fit under the seat in front of me. I know that was a facetious example, but if you apply it to the security context: prescribing periodicity, prescribing frequency, prescribing "Hey, your systems need to be synchronized in six-second increments," the ROI of doing that relative to the security value add is not going to be there. So just let me take my bags on board, because I promise they'll fit under the seat in front of me.

All right, so hopefully I've given you some context for what the CSF is and you have a baseline understanding of it. What's the value prop of the CSF, and what are some enterprises and sectors that are using it? The healthcare sector: HHS, the US Department of Health and Human Services, actually did a mapping of the CSF to the Health Insurance Portability and Accountability Act, HIPAA. HIPAA has a Security Rule; covered entities demonstrate the confidentiality, integrity, and availability of protected health data by meeting the requirements in the Security Rule. There's no formal accreditation for HIPAA; you don't get "HIPAA compliance," you can become HIPAA eligible. So how do you show that? They did a mapping to the CSF, and what they found was that the CSF actually provided an additional layer of security, because it had more detail and specificity than the HIPAA Security Rule itself. So in this context you have HHS saying that the CSF provides more detail, more specificity, than the rule itself. For the commercial sector, we went through the healthcare example, so we'll jump to federal agencies, and I already talked about federal departments and agencies and their FISMA reporting requirements already aligning to the CSF. States: there are actually over 25 states that are aligning to the CSF, and states right now are creating a state-specific overlay of the CSF. And there are countries such as those listed: Italy, Japan, Israel, Uruguay. Israel is developing their cyber defense methodology aligned to the CSF; the UK developed their minimum cybersecurity standards, again aligned to the NIST CSF; and you have countries that have translated the NIST CSF into their native language so that they can adopt it.

We talked about some of the value prop of the CSF, but some things that I did not mention: there's no cost, it's absolutely free for you to do, and what I like about the CSF is that it's intended to be flexible and adaptive, so you can take all three parts of the CSF, the Core, the Profiles, and the Tiers, or you can piecemeal it depending on what your organizational need is. According to Gartner, and this is a bit dated so I expect the percentage to be higher, by 2020 50% of organizations will have adopted some form of the NIST Cybersecurity Framework. As of the release of our report, which was updated earlier this year, all 16 critical infrastructure sectors are using the CSF, we have over 20 states that have implemented it, and we talked about how federal agencies have also adopted it because it's mandated. So in that context federal agencies can actually comply with the CSF, but in other contexts, unless there is an oversight agency that requires it, you align with the framework. You'll note in our white paper we're very deliberate about saying AWS enables customers to align to the CSF, because this is not mandatory, and saying otherwise would take away from the voluntary nature of the CSF.

So you may be thinking, "The NIST CSF is great; NIST is based in the United States, they do a lot of international work, they may be internationally recognized, they may be widely reputed, but they're still based in the US," and this may be a non-starter for some governments or even organizations that are based abroad. What I wanted to do is highlight some international efforts that are occurring in ISO, the international standards organization, that are helping to internationalize the CSF. The first effort, ISO 27103, this publication is actually final, and what this technical report basically says is: if you're going to implement a cybersecurity framework, go ahead and leverage existing standards. There's no need for you to redo; why don't you reuse what's already out there, because there are tested and effective standards and frameworks that you can go ahead and use. What the ISO 27101 draft is doing is stepping beyond that and saying: when you develop a cybersecurity framework guideline, there are five functions that you ought to consider, Identify, Protect, Detect, Respond, Recover, and there are these categories and subcategories that you ought to consider. It looks a lot like the CSF, so what we're seeing here is an international adaptation of the NIST Cybersecurity Framework. The impact that this will hopefully have is that organizations abroad will have that international banner and some form of attestation under the international umbrella. This document is currently in draft; following the ISO process it's probably at least a year out before we see something more final, but I did want this audience to be tracking this development.

Our paper: for those of you who have not seen our white paper on the NIST Cybersecurity Framework, you basically just got a primer on what's in the white paper itself. We take a two-pronged approach: we talk about security of the cloud and security in the cloud, which is a very common narrative for many of you. For "in the cloud," the part that Michael will cover, he'll review AWS services that can help you align to the CSF. For "of the cloud," we actually had a third-party assessor review our FedRAMP Moderate accredited services as well as our ISO 27001 accredited services, and they validated that those services align to the CSF. So we took it upon ourselves to provide you, our customers, that extra level of assurance that when you're using our FedRAMP accredited services or ISO accredited services, they too align to the CSF. You'll note that when you go into our white paper, we have a copy of the attestation letter as Appendix A, and Appendix B is the part that Michael will cover, where there's an actual customer workbook. It's an Excel spreadsheet, five tabs associated with each of the five functions, and then a drill-down of AWS responsibilities and the customer responsibility. This is just an overview of how you would use the white paper itself; it's intended to resonate with the executive level as well as the program management level and the compliance level, so we really hope that the flexible nature of the white paper will be very usable for you. With that, let me turn it over to Michael South.

Thank you, Min. All right, so real quick, can everybody hear me okay? Good. Let me make sure I switch this over here. As mentioned earlier, this is still kind of a 200-level session, so I am not going to go into how you configure specific services to meet very specific controls. I'm going to talk about how we mapped our services to the subcategories and a way of thinking about which services you can use, and from there it's really about working with your solutions architects to figure out, for your particular use cases, how you would configure which services. A lot of times there are many different ways to meet a security control, so you may not necessarily need every single service that I'm going to talk to you about for a particular area. At that point it's really about identifying what your specific requirements are within the NIST CSF or the controls, then what specific services you need, and then how you configure those services. So this is just taking you from the very top level down to the intermediate level, and from there it's really more of a customer-unique discussion as far as what you need to do next.

I'm going to start with Identify. There are a lot of ways to look at how we mapped some of these services. There are very specific services that are designed to meet very specific security controls or functions, but there are also services, capabilities, or offerings that by themselves have nothing to do with security but that you could still use in a security manner; I'm going to cover that. I'm not going to go into every single service that's listed here in a lot of detail; I'm just going to hit on some highlights as we move along.

So, asset management. CIS Top 20 Controls numbers 1 and 2 are inventory of your hardware and inventory of your software. The inventory of your assets is one of the most critical aspects of security, because if you don't know what's there you can't manage it, secure it, or respond to anything that's going on with it. That is actually why it's so challenging in a current on-prem environment today: we don't have the visibility we need in an on-prem environment, and so there are always these challenges with trying to figure out what we really have. I can tell you some nightmares from my experience trying to manage inventory where we have two different hypervisor platforms, we still have physical servers out there, and trying to bring it all together, with network segmentation and endpoint protection, can be very challenging. Now we're not just talking about servers anymore or an inventory of the workstations; we're talking about being able to inventory all of your assets. So we have services like Identity and Access Management, where you'll be able to have the inventory of your users, the groups, and the roles that are out there, and Systems Manager, which you're familiar with from similar capabilities on-prem, so you're maintaining the inventory of your servers. But now we're really expanding out to IoT. You're seeing IoT expanding not just to smart cities or particular industries; a lot of companies are starting to embed or use IoT that never had it before. Look at the car manufacturing industry today: cars today are pretty much IoT devices, and so how do you manage that inventory? The data has always been a big challenge: how do you manage your data? If you have any experiences like I do when it comes to shared drives and network share drives, they're usually a disaster. There's all kinds of data all over the place, and you don't always know where the sensitive data is or whether it's protected properly. So we have services like Amazon Macie that can scour your S3 (Simple Storage Service) storage looking for sensitive data, social security numbers, credit card numbers, data that you can categorize, and it gives you a report of what data you have before it's ever accessed. It can also give you some limited user behavior analytics. Over time it learns that the HR department has an Excel file with social security numbers in it and these two people access that file Monday through Friday during normal working hours, and then, wait a minute, at two o'clock in the morning on a weekend either one of them or some other account is accessing that five hundred times in ten minutes. So now you have this anomaly that's occurring, and it helps you understand and identify what's going on within your data. And then CodeCommit, or other services like that: we have to take security from the production environment back to the development environment. If I'm an attacker, why would I go after the hard, protected production environment if I can get in the back door and insert code in the development environment? So now you need to be able to identify your code, especially in an environment like the cloud where we start moving to infrastructure as code. We're moving away from physical appliances and devices; everything is code now, so you need to be able to have the inventory of your code and maintain that. So now you're starting to bring in a much larger picture for asset management; it's no longer just your workstations and servers on the network.

Moving over to governance. We have a saying in AWS: you can move fast and stay secure in AWS. That is absolutely true, but I will caveat that with: only if you spend some time in the beginning to figure out your governance strategy and implement your governance. You have to build the guardrails so that the application developers and the business unit managers can go down that path as fast as they want, because the guardrails are in place, and that's governance. If you don't do that first, that's where you're going to have problems. So you have services to help you with governance like Service Catalog; you can use Service Catalog to specify which services are going to be allowed within your environments and which are not. Key management for your encryption keys: how are you going to manage your keys for encryption? Identity and Access Management is another governance piece. Config: AWS Config is a configuration management service, being able to track all the services and the changes within your environment so that you can look back at what occurred and when and maintain that visibility. As we start moving into risk assessments, we have Amazon Inspector to conduct vulnerability scanning of your assets, X-Ray for again looking at your code, and then GuardDuty, which is our intelligent threat detection service, so this is looking at the risk, constantly assessing operational risk within your environment.

Then supply chain. You typically think of supply chain as kind of out of the scope for services, but let's put it this way: security is not a technology problem, security is a business problem. It relies on people, processes, and technology; we cannot throw the technology easy button at every security problem. So this is where we start to look at things that are not necessarily services per se that are going to meet a security control, but that you can start implementing to help you with supply chain risk. The first is your enterprise agreement: understanding what's in your enterprise agreement with AWS and in your agreements with your partners, making sure you understand exactly who's going to be responsible for what, what controls are going to be implemented, and how those processes work. AWS Artifact is a service from us, but it's not what I would really consider a true IT service; it's a document repository, so you can download all the third-party audit reports that are being done on us, and you can actually look at the specific controls that were assessed for us and how we did on those controls. And then Marketplace: we have Marketplace so you can have some trusted vendors and get some products from there, so you're not necessarily downloading something from a community area. Community areas are fantastic, but you don't always know what's in there, what's in the code. So these are some services or offerings that help you manage the supply chain risk management aspect.

For Protect, we talked about Identity and Access Management, but look at awareness and training: looking at our partner training services, our training offerings, and our certifications, these are still going to go into how you can align to and support the subcategories within the NIST Cybersecurity Framework. Data security, from encryption to lifecycle management: one of the challenges in an on-prem environment is you have storage and you're paying for this storage, and you might archive it to some backup state, but that can always be challenging if you ever have to do a restore. Now, within AWS services like S3 and Glacier, you can have that full lifecycle management of your data; you can turn encryption on always, and you don't really have to worry about some tapes that might get damaged or that you have to restore from later on. You can manage the whole lifecycle of the information for protection. Looking at CloudFormation, the ability to use infrastructure as code, where you can save your architecture and your applications as templates and then deploy them at a moment's notice. One use case for this: I support the US government and the DoD quite a bit, so they have to go through the Risk Management Framework process, and they have to get an authority to operate, or ATO, letter. The challenge with that is that every time you have a new application, there are a lot of controls that have to be assessed. Now there's a lot that they can inherit from AWS, but you also want to start chopping what's left over into more manageable blocks. So now, if you have an organization that has to go through this type of process, you can have a standard architecture; maybe it's a PII architecture, or it's a FedRAMP or a Moderate-level categorization architecture, and every time you have a new application that's going to be deployed, with a quick CLI command or the click of a button you can deploy the template into a new environment. Now those controls are already set, and all you have to worry about is the specific application you're putting into that new environment.

Maintenance: being able to automate your maintenance from a security perspective. One of the biggest challenges from a security perspective is always knowing what the ground truth is: what's the baseline, what is known good. Within AWS, being able to manage what's allowed, having that configuration information from Config, and having the tooling for that DevOps process, you're able to get a better handle on the maintenance that's going on, automate that maintenance, and audit what's going on within it. And then we have protective technology. Looking at this, I focus on auto scaling and availability zones; I'm going to put these into protective technology because of the resilience piece. One of the challenges we have today is the fact that when we lose a server we're down for a period of time. If you are a sysadmin, or if you know sysadmins, we treat our servers like pets: we give them names, we feed them, we pet them, we pray to the server gods, and if they die we cry; it's a very bad day. Now we don't have to worry about that anymore; our servers have gone from being pets to being cattle. If something happens to a server we don't really care about that particular server anymore, we care about the overall application and the mission it's performing. So when you have services like auto scaling and elastic load balancing, if a server fails you can automatically shift everything over to another server that might be in another data center. It's more of a self-healing architecture; I'm going to go into that a little bit more right here. When you pick the region, any data you put into an AWS region stays there; we do not move, copy, or back up your data into another region. By default everybody gets DDoS protection for free, which is AWS Shield. You're going to create that virtual private cloud, the VPC, which is a security boundary around your application; by default it does not have any internet connectivity, so right now we have the AWS Web Application Firewall here, but to be honest with you, what it's missing is an internet gateway. You're going to select at least two availability zones; for those who have ever done risk calculations, you're going to understand why you want to pick at least three availability zones. You're going to select your subnets and the access control lists, which are kind of the equivalent of your stateless firewall capability around each subnet. You're going to have the Elastic Load Balancing service. Now, in an on-prem environment you typically have a physical appliance, a load balancer, and hopefully you have at least two or more, but oftentimes they're only load balancing at the top level, so if you have a three-tier web app they're only load balancing between the web servers. If you have a failure in an app server, then the traffic that's going down that path is dying at the app server, so you have half of your customers that
are no longer being serviced they're being timed out now you have load balancing within each tier of your application much more cost-effectively you have the auto scaling group you have the security group that you're gonna put around your tier so this is equivalency of a stateful firewall capability okay and so this is where with innocent type environment this is a self-healing environment ok so again when I said you if you have a server crashes it's ok right so the load balancer will reach redirect everything over to the other side and immediately spin up a new server to take the one the place of the one that just crashed ok for security purposes if you want to isolate the failed server so you can do some forensics on it or your developers want to take a look at it you can do that you can automate that entire process alright so before typically especially when I come from on the government side we typically don't fund extra servers sitting around ok so when a server crashes there's only one requirement get that back up and operational we don't have the time to take a really a good look at it we might image it and then try to see what we can do from that image from a security forensics but we don't really have time to take a look at everything now we can do both right we can have we can replace the one that went down and we can still take a look at the one that failed ok you're gonna want to encrypt in transit you want to encrypt that rest and that's on storage and then in a database and then within a region we have sub to millisecond latency so you can achieve that synchronous data replication between the data centers okay so this is how you start kind of building at that high availability architecture it's going to be you're going to have the protections in place but you're also going to have that resiliency this what is what allows you to shift from a reactive disaster recovery risk model to a proactive resiliency risk model right not that you're going to get 
risk to zero you can never get risk zero at any time you can mitigate risk on the front end especially at lower cost then you're going to be in a much better place because we all know how well backup restorations work right so that's what we want to do we want to get that we want to mitigate on the front end all right so for detect we have I think I'm gonna focus on Amazon guard duty right I think everybody's kind of heard about that already aren't telling it's ready detection service this is what's looking at what's going on your environment but it's adding that additional context of the threat Intel so before you might know you're being scanned but what type of scan is it who is it coming from which scan is more risky than others right as soon as you stand up a web server on the internet it's being scanned right search engines are scanning it to add to their list you might have cyber criminals scanning it you might have nation-state scanning there's different types of scans so now with Gardner you can say okay this is a type of scan this is a more of a malicious type of scan it's coming from this IP address it's a known cyber criminal maybe it's coming from this particular country so now you know you ever met some additional context so you can say okay this is what I want to focus on a little bit more okay we have IOT device defender right so we had a tabletop exercise earlier today where now you're able to provide some of those detective controls within your IOT trying to look for anomalous behavior of your IOT devices we have our security continuous monitoring all right so if you're if you're familiar to risk men in your framework one of the things that did it added the requirement for continuous monitoring right that's kind of the one thing that's always been lacking from compliance but compliance was you meet the security controls you get audited and then you don't know if you're compliant for another three years later when you get audited again right or one 
year depending on your your cycle right continuous monitoring you need to know every day or every hour every minute depending of how you are with compliance and I just compliant but with security are the controls that you put in place staying in place all right they've been modified so we have the services again such as guard duty Macie for looking at your data x-ray again for your code all right so now you're able to implement that continuous monitoring within your environment and then the detection processes you'll see you I have a vs lambda so detection is fantastic it's absolutely critical all right but you cannot rely on detection when it comes to security you have to be able to mitigate the threats right and so we see quite often where you know customers and my experience we have a security operation center so that typically there are analysts security analyst tiers one through four Tier one is typically the young person just out of school super motivated super smart they get to the job they're all excited and they're told sit here watch this screen don't touch anything if something happens follow this playbook right follow this checklist if you have a checklist that needs to be automated right because now you have somebody who's again rather inexperienced watching things have come in and they're trying to figure out what's important what's not important right and then they got to figure out what to take action on so even if you go from the tier one analyst at a Tier four analysts and they really know what they're doing guess what they're still slow right they cannot beat the speed of the computer right of compute of the IT they cannot beat the speed of the attackers right so this is where we're going to start to automate and this is where it's going to come in on the on the response planning so you have stuff like config where it can watch for specific changes in your environment and if it changes me that's not authorized it can actually go back and and 
revert it back to the to the approved configuration okay you have functions like lambda so lambda is our civil assumption service so when a particular event triggers you can have a function triggered to revert something back or change the state based off an event communications you have service to service a system to system communications you have your internal communications and you have your external communications again the ability to automate as much as possible those type of communications to let the systems and the people know what's going on is critical the ability to analyze what's happened and what's going on so you can be able to take a look at you know one was it just you know a bug in the code or was it an actual security event you know what do we need a change either in the code or protections to go back and and mitigate this that doesn't happen again the my other mitigations and improvements now I don't have any particular service listed for improvements because that's really a process now we have services that can help you with this right but if that's really where that process goes and so this is what it can look like so I highlight and Amazon guard duty if it detects that particular malicious scan it'll create a cloud watch event all right so if you have a you can have a lambda function may be called the the cybercriminal you know web server scan the function so as soon as it creates the event that a a known cyber criminal is scanning your web server it can trigger the lambda function the lambda function can take that IP address and insert it into your web application firewall filtering rule right so now in a very short period of time you've mitigated that threat no human action required right this would take a human even your tier 4 person from the time they looked at that one alerts because they're looking at a lot of alerts it probably still took them 20 30 minutes or longer to implement this to figure out what it was going on to validate it and 
then to to implement the mitigation right now you can automate this now you can say okay well this is great but the attacker can just change your IP address right so then now we're playing whack-a-mole well again do you want to waste the human resources playing whack-a-mole all right that's not value-added so you can continue to mate the process so you might still be a few seconds or a minute behind but at least you're not wasting you know human resources to do that and of course you can build an additional logic okay within your automation so if I see you know a number of IPs from the same subnet over a short period of time just block the whole subnet maybe for 30 minutes or an hour you know those are the things I can do to start building more logic into my automation in addition you can automate actions with partner solutions you know add it to the your next generation firewall add it to a communications channel another thing is from a security operations perspective one of the biggest challenges is when security operations makes a change to the environment because they have to mitigate a threat those changes rarely make it back to your configuration change management database right so now security is making changes and whether it's your developers your DevOps your IT operations your configuration manager they're not happy because changes are made and they don't know exactly what was changing when okay so now don't just automate the mitigation automate the updating your configuration change management database automate the communications right automate as much as you can to take humans out of it right now you can add a human stop gate if you have a need for a human to make an actual judgment call which is what we do best you can add a human stop gate into this alright so for example in this particular example if you have a sock analyst that needs to make a decision do I want to ignore this event maybe there's some context that I have that the system doesn't or do 
I want to kind of have choices to be made you can have everything automated up to a point give thus the sake analyst choices do I ignore do I add it to the laughs do I go ahead and block the whole subnet what do I want to do they can make that judgment call click the button and then automate the implementation right so at least that point time everything is presented to the analyst to make that judgment and they're not doing the research and implementation themselves so in the last piece on the recover this is probably I think one of the greatest benefits of using the cloud in AWS is because the infrastructure code again right so we talked about before if you lost the server you can replace the server but what happens if you lost an entire environment right if you had that entire environment saved as a template you can have that entire environment back up and running running in a few minutes you know it's really massive and really complex maybe an hour but the point is you can have everything back and up and operational without a lot of heartache relatively soon in comparison to what you can do an on-prem environment and so with that greatly appreciate your time today we know it's late so I got back a few minutes so you make it to happy hour so and the men and I will stick around if anybody has any questions so thank you have a great night
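The GuardDuty finding to CloudWatch event to Lambda to WAF loop described in the talk, the "block the whole subnet when IPs keep hopping" logic, and the human stop gate, written out as a Lambda-style handler. This is an added example, not code from the session or from AWS. Its assumptions are labelled in the code: the block list is a WAFv2 IP set (the talk predates WAFv2 and names no API), the IP set name/scope/id, the escalation threshold and window, the severity cut-off for the analyst gate, and the module-level history (a real deployment would need DynamoDB or similar because Lambda containers are ephemeral). The sample finding is constructed in the shape GuardDuty findings take when delivered through CloudWatch Events; nothing touches AWS unless a real boto3 `wafv2` client is handed in.

```python
"""Added example, not code from the talk or from AWS: the GuardDuty -> CloudWatch
Event -> Lambda -> WAF loop described above, with the "block the whole subnet"
escalation and the human stop gate. Inputs are constructed; nothing touches AWS
unless a real boto3 wafv2 client is passed in."""
import ipaddress
import time
from collections import defaultdict, deque

# Assumptions (not from the talk): the block list is a WAFv2 IP set identified by
# these values, and escalation trips once ESCALATE_THRESHOLD distinct hosts from
# one /24 (/64 for IPv6) are seen inside ESCALATE_WINDOW_SECONDS.
IP_SET = {"Name": "blocked-scanners", "Scope": "REGIONAL",
          "Id": "00000000-0000-0000-0000-000000000000"}
ESCALATE_THRESHOLD = 3
ESCALATE_WINDOW_SECONDS = 600
AUTO_BLOCK_MIN_SEVERITY = 4.0  # below this, hand the choice to a SOC analyst


def new_history():
    """Recent offenders: subnet -> deque of (timestamp, address). Module state only
    survives inside one warm Lambda container; a real deployment would keep this in
    DynamoDB (an assumption, not from the talk)."""
    return defaultdict(deque)


HISTORY = new_history()


def remote_ip_from_finding(event):
    """Extract the scanning host's IPv4 address from a GuardDuty finding as delivered
    by CloudWatch Events: port probes carry it under
    service.action.portProbeAction.portProbeDetails[].remoteIpDetails, network
    connections under service.action.networkConnectionAction.remoteIpDetails."""
    action = event.get("detail", {}).get("service", {}).get("action", {})
    probes = action.get("portProbeAction", {}).get("portProbeDetails", [])
    if probes:
        return probes[0].get("remoteIpDetails", {}).get("ipAddressV4")
    conn = action.get("networkConnectionAction", {}).get("remoteIpDetails", {})
    return conn.get("ipAddressV4")


def block_entry(ip, now, history=None, threshold=ESCALATE_THRESHOLD,
                window=ESCALATE_WINDOW_SECONDS):
    """Return (host_cidr, subnet_cidr, escalate). escalate is True once enough
    distinct hosts from the same subnet showed up inside the window, i.e. the
    attacker is hopping addresses and whack-a-mole on single /32s is a waste."""
    history = HISTORY if history is None else history
    addr = ipaddress.ip_address(ip)
    host = ipaddress.ip_network(str(addr))  # /32 or /128
    subnet = host.supernet(new_prefix=24 if addr.version == 4 else 64)
    seen = history[str(subnet)]
    while seen and now - seen[0][0] > window:  # expire entries outside the window
        seen.popleft()
    if addr not in {a for _, a in seen}:
        seen.append((now, addr))
    return str(host), str(subnet), len({a for _, a in seen}) >= threshold


def planned_addresses(current, new_cidr):
    """Merge new_cidr into the IP set's address list. WAFv2 replaces the whole list
    on update, so drop any entry the new (possibly wider) block already covers."""
    new_net = ipaddress.ip_network(new_cidr)
    kept = []
    for a in current:
        net = ipaddress.ip_network(a)
        if net.version != new_net.version or not net.subnet_of(new_net):
            kept.append(a)
    kept.append(new_cidr)
    return kept


def handle_finding(event, now, waf=None, current_addresses=None, history=None):
    """Decide and (if a boto3 wafv2 client is given) apply the remediation for one
    finding. The returned record is what you would also push to the CMDB and the
    notification channel, which the talk says to automate alongside the block."""
    ip = remote_ip_from_finding(event)
    if ip is None:
        return {"action": "ignore", "reason": "finding has no remote IP"}
    host, subnet, escalate = block_entry(ip, now, history)
    severity = float(event.get("detail", {}).get("severity", 0))
    if severity < AUTO_BLOCK_MIN_SEVERITY:
        # Human stop gate: the research is done, the analyst only picks an option.
        return {"action": "await_analyst", "ip": ip,
                "choices": ["ignore", "block " + host, "block " + subnet]}
    cidr = subnet if escalate else host
    lock = None
    if waf is not None:
        ipset = waf.get_ip_set(**IP_SET)
        current_addresses, lock = ipset["IPSet"]["Addresses"], ipset["LockToken"]
    addresses = planned_addresses(current_addresses or [], cidr)
    if waf is not None:
        waf.update_ip_set(**IP_SET, Addresses=addresses, LockToken=lock)
    return {"action": "block", "cidr": cidr, "addresses": addresses}


def lambda_handler(event, context):
    """Real Lambda entry point; boto3 is imported lazily so the module runs offline."""
    import boto3
    return handle_finding(event, time.time(), waf=boto3.client("wafv2"))


# Constructed sample: the minimal shape of a GuardDuty port-probe finding event.
SAMPLE_FINDING = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 5,
        "service": {"action": {"actionType": "PORT_PROBE", "portProbeAction": {
            "portProbeDetails": [{"localPortDetails": {"port": 22},
                                  "remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}]}}},
    },
}

if __name__ == "__main__":
    print(handle_finding(SAMPLE_FINDING, time.time(), current_addresses=[]))
```

Two design points worth noting. WAFv2 `update_ip_set` replaces the entire address list under a lock token rather than appending, so the merge step has to carry the existing entries forward and should prune the /32s a new /24 swallows, otherwise the set grows until it hits its size limit. And the severity gate sits after the research step on purpose: the analyst who gets the "await" record already has the host, the subnet and the escalation verdict in front of them, which is the point the talk makes about presenting choices instead of handing over raw alerts.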
Info
Channel: Amazon Web Services
Views: 6,952
Keywords: AWS, Amazon Web Services, Cloud, cloud computing, AWS Cloud, AWS re:Inforce, AWS re:Inforce 2019, security, identity, compliance, cloud security, AWS security, cloud security community, learning conference, Detective Controls, Infrastructure Security, Data Protection, Incident Response, Governance, Risk, Compliance, security best practices, & Compliance, AWS re:Inforce 2019 Sessions, Session, GRC203-R, Min Hyun, 200 - Intermediate
Id: TZIxzLsFKO0
Length: 47min 24sec (2844 seconds)
Published: Wed Jun 26 2019