BERLIN - Amazon Web Services
AWS Summit Berlin 2015 (aws-de-media.s3.amazonaws.com/images/AWS Summit Berlin 2015...), 38 slides

Page 1:

BERLIN

Page 2:

Defending Your Workloads against the Next Zero-Day Vulnerability

Udo Schneider, Security Evangelist DACH

Page 3:

The Story

More at aws.trendmicro.com

2012 re:Invent
SPR203: Cloud Security is a Shared Responsibility, http://bit.ly/2012-spr203

2013 re:Invent
SEC208: How to Meet Strict Security & Compliance Requirements in the Cloud, http://bit.ly/2013-sec208
SEC307: How Trend Micro Build their Enterprise Security Offering on AWS, http://bit.ly/2013-sec307

2014 re:Invent
SEC313: Updating Security Operations for the Cloud, http://bit.ly/2014-sec313
SEC314: Customer Perspectives on Implementing Security Controls with AWS, http://bit.ly/2014-sec314

Page 4:

Shared Responsibility Model

AWS is responsible for:
- Physical
- Infrastructure
- Network
- Virtualization

You are responsible for:
- Operating System
- Applications
- Data
- Service Configuration

More at aws.amazon.com/security

Page 5: (same slide as Page 4, repeated)

Page 6:

Vulnerability - Respond - Repair

Page 7:

Vulnerability

©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved

Page 8:

by Andreas Lindh (@addelindh)

Page 9:

bash is a common command line interpreter

Page 10:

a:() { b; } | attack

10/10 vulnerability. Widespread & easy to exploit

Page 11:

Shellshock Impact

Page 12:

1989

Fantastic summary by David A. Wheeler at http://www.dwheeler.com/essays/shellshock.html#timeline

Page 13:

"MicroTAC" by Redrum0486 at English Wikipedia

12.3 oz

Page 14:

Time Since Last Event   Event                                   Action   Action Timeline
1989-08-05 8:32         Added to codebase
27 days, 10:20:00       Released to public
9141 days, 21:18:35     Initial report                          React    Clock starts
1 day, 22:19:13         More details                            React
2 days, 7:30:12         Official patch :: CVE-2014-6271         Patch    4 days, 5:49:25
5 days, 9:16:35         Limited disclosure :: CVE-2014-6271     React
2 days, 4:37:25         More details                            React
3:44:00                 More details                            React
0:27:51                 Public disclosure                       React
0:36:30                 More details                            React
0:34:39                 Public disclosure :: CVE-2014-7169      React

Page 15:

Important Shellshock Events

Time Since Last Event   Event                                             Action   Action Timeline
1989-08-05 8:32         Added to codebase
27 days, 10:20:00       Released to public
9141 days, 21:18:35     Initial report                                    React    Clock starts
2 days, 7:30:12         Official patch :: CVE-2014-6271                   Patch    4 days, 5:49:25
3:29:09                 Official patch :: CVE-2014-7169                   Patch    9 days, 19:17:00
3:15:00                 Official patch :: CVE-2014-7186, CVE-2014-7187    Patch    4 days, 17:30:00
1 day, 11:55:00         Official patch :: CVE-2014-6277                   Patch    1 day, 11:55:00
2 days, 20:24:00        Official patch :: CVE-2014-6278                   Patch    2 days, 20:24:00

Page 16:

Respond

Day 1

Page 17:

aws.amazon.com/architecture : Web application hosting

Page 18: (same slide as Page 17, repeated)

Page 19:

TCP : 443, TCP : 4433

Primary workflow for our deployment

Page 20:

AWS VPC Review

Page 21:

AWS VPC Checklist

Review:
- IAM roles
- Security groups
- Network segmentation
- Network access control lists (NACL)

More in the Auditing Security Checklist for Use of AWS: media.amazonwebservices.com/AWS_Auditing_Security_Checklist.pdf
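The "Security groups" item on the checklist is the one that is easiest to mechanise. The following is an added example, not code from the deck or from any AWS or Trend Micro tooling: it audits a list shaped like the SecurityGroups list that boto3's ec2.describe_security_groups() returns, flagging every ingress rule reachable from anywhere on the internet on a port the deployment does not intend to expose. The allow-list of 443 and 4433 is an assumption taken from the port labels in the deployment diagram, and the sample groups are constructed.

```python
"""Flag security-group ingress rules that expose unexpected ports to the world.

Added example (not from the deck). ``find_exposed_ports`` takes a list shaped
like the ``SecurityGroups`` list returned by boto3's
``ec2.describe_security_groups()``, so real data can be passed straight in.
The allow-list of ports is an assumption based on the deployment diagram.
"""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
EXPECTED_PUBLIC_PORTS = {443, 4433}  # assumption taken from the diagram


def _world_reachable(perm: dict) -> list:
    """CIDRs in this permission that mean 'anyone on the internet'."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def find_exposed_ports(groups: list, allowed: set = EXPECTED_PUBLIC_PORTS) -> list:
    """Return (group id, protocol, from port, to port, cidr) for every ingress
    permission reachable from the world on something outside ``allowed``.

    ``IpProtocol`` "-1" means all protocols and all ports. Anything that is not
    tcp/udp (icmp, for instance) has no port range and is reported as-is.
    """
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            for cidr in _world_reachable(perm):
                if proto in ("tcp", "udp") and lo is not None:
                    if all(p in allowed for p in range(lo, hi + 1)):
                        continue  # only expected ports are open: fine
                findings.append((g["GroupId"], proto, lo, hi, cidr))
    return findings


# Constructed sample data in the describe_security_groups() shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,          # SSH to the world
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 4433, "ToPort": 4433,      # internal only
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",                                         # everything, over IPv6
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

if __name__ == "__main__":
    for finding in find_exposed_ports(SAMPLE_GROUPS):
        print("EXPOSED:", finding)
```

Against live data, pass `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` as the first argument; every finding is a rule to justify or remove before the next zero-day decides for you.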

Page 22: (same slide as Page 19, repeated)

Page 23:

HTTPS

Intrusion prevention can look at each packet and then take action depending on what it finds.
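What "look at each packet and take action" means for Shellshock, as an added example that is not code from the deck or from any IPS product: web servers copy request headers into environment variables (HTTP_USER_AGENT, HTTP_COOKIE and so on) before running a CGI script, and a vulnerable bash imports any variable whose value begins with "() {" as a function. An inline check therefore only has to parse the request head and match that prefix on every header value. The two sample requests are constructed.

```python
"""Detect the Shellshock function-definition prefix in HTTP request headers.

Added example (not from the deck). Models the inline check an IPS rule makes in
front of a CGI-backed web server; the sample requests below are constructed.
"""
import re

# A header value that starts like an exported bash function definition.
# Optional whitespace covers the common spacing variants of the prefix.
SHELLSHOCK_PREFIX = re.compile(r"^\s*\(\)\s*\{")


def parse_headers(raw: bytes) -> list:
    """Split the head of a raw HTTP/1.x request into (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def shellshock_hits(raw: bytes) -> list:
    """Return the headers whose value carries the function-definition prefix."""
    return [(n, v) for n, v in parse_headers(raw) if SHELLSHOCK_PREFIX.match(v)]


def verdict(raw: bytes) -> str:
    """The decision an inline IPS would take on this request."""
    return "BLOCK" if shellshock_hits(raw) else "ALLOW"


# Constructed sample traffic (not captured from any real system).
BENIGN_REQUEST = (
    b"GET /cgi-bin/status HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n"
)
PROBE_REQUEST = (
    b"GET /cgi-bin/status HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: () { :; }; echo probe\r\n\r\n"
)

if __name__ == "__main__":
    for req in (BENIGN_REQUEST, PROBE_REQUEST):
        print(verdict(req), shellshock_hits(req))
```

Because the check is on the shape of the value rather than on a specific payload, it blocks the whole class of requests that CVE-2014-6271 and its follow-ups (CVE-2014-7169 and the others on the timeline) share, which is what let an IPS rule cover the deployment on Day 1 before the patched AMI existed.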

Page 24: (same slide as Page 17, repeated)

Page 25:

Intrusion Prevention in Action

Page 26:

Review:
- All instances covered
- Workload appropriate rules
- Centrally managed

Security controls must scale out automatically with the deployment.

Page 27:

Repair

Day 2

Page 28: (same slide as Page 17, repeated)

Page 29:

All instances are deployed from a task-specific AMI.

TCP : 443, TCP : 4433

Page 30:

AMI Creation Workflow

The workflow should be completely automated. Stages shown on the slide: Instantiate, Configure, Bake, Instantiate, Test, Destroy.

Page 31:

AMI Creation

Page 32: (same slide as Page 17, repeated)

Page 33:

Instances tend to drift from the known good state, so monitoring key files & processes is important.

AMI -> Instance -> Integrity Monitoring -> Alert

Page 34:

Integrity Monitoring
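The core of the integrity-monitoring step on the two preceding slides, as an added example that is not code from the deck or from Trend Micro's product: take a baseline of the files that matter when the instance comes up from the AMI, re-hash them later, and classify the differences. A non-empty result is what should raise the alert. The directory tree, its files and the tampering are all constructed inside a temporary directory so the example runs offline.

```python
"""Minimal file-integrity monitor: baseline a tree, then report drift.

Added example (not from the deck). The baseline would be taken from the freshly
instantiated AMI and the comparison run on a schedule on the live instance.
"""
import hashlib
import os
import tempfile


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> dict:
    """Map each regular file under ``root`` (by relative path) to its SHA-256
    and permission bits, so a chmod counts as drift as well as an edit."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue  # sockets, devices, dangling symlinks
            rel = os.path.relpath(full, root)
            snap[rel] = (_sha256(full), os.stat(full).st_mode & 0o7777)
    return snap


def drift(before: dict, after: dict) -> dict:
    """Classify the differences between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


def demo() -> dict:
    """Build a throwaway tree, snapshot it, tamper with it, return the drift."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        # Constructed "known good" content.
        for rel, body in (("etc/hosts", b"127.0.0.1 localhost\n"),
                          ("etc/passwd", b"root:x:0:0::/root:/bin/bash\n"),
                          ("app.conf", b"port=4433\n")):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
        known_good = baseline(root)

        # Simulated drift: one config edit, one new file, one deletion.
        with open(os.path.join(root, "app.conf"), "ab") as f:
            f.write(b"debug=true\n")
        with open(os.path.join(root, "etc", "extra.conf"), "wb") as f:
            f.write(b"unexpected\n")
        os.remove(os.path.join(root, "etc", "hosts"))

        return drift(known_good, baseline(root))


if __name__ == "__main__":
    print(demo())
```

On a real instance the baseline belongs in the AMI build (or in a store the instance cannot write to), and the watched set is the slide's "key files & processes": configuration, binaries on the path, scheduled-task directories. Any drift is a signal that the instance has left the state the last bake put it in and should be replaced rather than repaired in place.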

Page 35:

Keys

Respond:
- Review configuration
- Apply intrusion prevention

Repair:
- Patch vulnerability in new AMI
- Leverage integrity monitoring

Page 36:

Keys

Automation

Page 37:

Build With Confidence

Page 38:

aws.trendmicro.com

BERLIN