We are all embarking on a journey in the cloud that can be frightening at times, thrilling at others, but at all times filled with pitfalls and scary monsters that threaten the security of our infrastructure, applications, and data. The ultimate reward for all our hard work is to achieve a state of autonomous, self-healing security within our environment, one that can withstand any threats, whether internal or external. In this session, we walk you through the steps you need to be successful in your journey, just like Ellie Mae and many other enterprises and agencies. Your journey starts with security automation, and from there you will push outside of your security comfort zone, thanks to the gift of enhanced visibility and omniscience. Next we use CloudFormation templates and custom signatures to move through our next security challenge with speed, and finally, we build auto-remediation into our security strategy with AWS Lambda workflows that enable the system to self-correct when misconfigurations occur. This fast-paced session will be filled with code, best practices to help you in your quest, and even a few surprises about the ultimate destination of your journey. Session sponsored by Evident.io.
AWS Competency Partner
2. What to expect from the session
• Evident.io and programmatic security
• The journey to security automation maturity
• CIS AWS Foundations Benchmark
• AWS security by design
• Evident.io custom signatures
• Exploiting the bots
• Taking stock of your environment
• The Ellie Mae journey
3. Introductions
Anthony Johnson @ Ellie Mae
• Cloud computing and security expert
• Works at Ellie Mae
• Previously at Nokia
• Extensive automation experience
John Martinez @ Evident.io
• I’ve worked “in the cloud” since 2010
• At Evident.io since early 2014
• Background in Unix wizardry and all things related
• I love making latte art (or at least trying!)
6. Evident.io ESP and programmatic security
• Evident.io ESP is a new-generation security platform designed in the cloud for the cloud
• All security data is derived from the AWS service APIs and AWS CloudTrail
• Performs continuous security monitoring
• Provides continuous compliance testing and reporting
• Covers all AWS services
7. Evident.io ESP and programmatic security
API for programmatic access to both control plane and data plane
8. Evident.io ESP and programmatic security
Output integrations for doing interesting things with report data:
• Amazon SNS
• Slack
• Jira
• HipChat
• PagerDuty
• Webhook
• ServiceNow
9. Evident.io ESP and programmatic security
Example API use case:
• Automatically add new AWS accounts to Evident.io
https://github.com/EvidentSecurity/esp_sdk
10. Evident.io ESP and programmatic security
Example integration use case:
• Analyze ESP data in Sumo Logic
http://docs.evident.io/#sumo
12. Security automation maturity
Proactive:
• CI/CD toolchain
• AWS CloudFormation templates
• Code analysis and review
• Pre/post deploy testing
Continuous:
• Infrastructure testing and alerting
• Application logging
• Auto Scaling
• HIDS/NIDS
• FIM
• Config management
Self-healing:
• Auto-remediation via AWS Lambda
• Automatic rollback to known good state
• Automatic failover to other regions
13. Security automation maturity
Most of us are here
16. CIS AWS Foundations Benchmark
• The CIS AWS Foundations Benchmark is a great place to start for automated infrastructure testing and alerting
• The benchmark is the result of months of hard work by AWS, CIS, Evident.io, and a lot of other dedicated contributors
• Use the benchmark as a base set of controls to test and enforce the security of your AWS accounts
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
17. CIS AWS Foundations Benchmark
Evident.io ESP provides continuous testing of CIS AWS Foundations Benchmark controls and helps prevent security “drift”
Included in all Evident.io ESP accounts
20. AWS security by design
• The AWS recommended approach to proactive security in AWS
• Provides a practical approach to creating your security controls matrix and enforcing those controls
• Heavy on proactive automation via AWS CloudFormation
https://aws.amazon.com/compliance/security-by-design/
24. Custom signatures
• Evident.io’s platform includes checks of many different AWS services, but you can extend it with your own custom signatures
• Check services not yet included
• Create conditional tests that make sense for your environment
• Refine our built-in signatures
• If you can write it in the AWS Ruby SDK, it should work
25. Custom signatures
Example use cases:
• Enforcing tagging standards
• Checking corporate egress IP spaces in EC2 security groups
• Enforcing ELB SSL ciphers
• Even useful for general operational automation
Open-source custom signatures repo:
https://github.com/EvidentSecurity/custom_signatures
29. Exploiting the bots
• Take advantage of AWS’ serverless compute service, Lambda, to self-heal your environment
• Immediately react to changes in your environment
• Auto-remediation of AWS resources by revoking the change or rolling back to a known good state
30. Exploiting the bots
Example: auto-remediating a global SSH port on an EC2 security group
https://github.com/EvidentSecurity/aws-lambda/blob/master/autoremediate/autoremediate-EC2-002.py
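The same idea as the linked Lambda, written here as an added example rather than Evident.io's own autoremediate-EC2-002.py: a pure check that finds ingress rules opening SSH (TCP/22) to 0.0.0.0/0 or ::/0, and a handler that revokes only those ranges. The event shape (a CloudWatch event carrying the CloudTrail `requestParameters.groupId`) and the `SAMPLE_PERMISSIONS` data are assumptions.

```python
# Added example (not Evident.io's autoremediate-EC2-002.py): find and revoke
# security group ingress rules that expose SSH (TCP/22) to the whole internet,
# touching nothing else. Assumed trigger: CloudWatch event for a CloudTrail
# AuthorizeSecurityGroupIngress call; boto3 is only imported in lambda_handler.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
SSH_PORT = 22

# Constructed sample: a world-open SSH range mixed with legitimate rules.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

def port_range_covers(perm, port):
    """True if an IpPermission entry covers `port` over TCP or all protocols."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" is the EC2 API value for "all traffic"
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def find_global_ssh_rules(ip_permissions):
    """Build the minimal revoke list: only world-open ranges on SSH."""
    offending = []
    for perm in ip_permissions:
        if not port_range_covers(perm, SSH_PORT):
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") in WORLD_CIDRS]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD_CIDRS]
        if not (v4 or v6):
            continue
        # Keep the rule's own protocol/port range: a revoke must match it exactly.
        rule = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
        if v4:
            rule["IpRanges"] = v4
        if v6:
            rule["Ipv6Ranges"] = v6
        offending.append(rule)
    return offending

def lambda_handler(event, context):
    """Revoke only the offending rules so narrower, legitimate ones survive."""
    import boto3  # imported here so the pure check above runs without AWS
    group_id = event["detail"]["requestParameters"]["groupId"]
    ec2 = boto3.client("ec2")
    sg = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    bad = find_global_ssh_rules(sg["IpPermissions"])
    if bad:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=bad)
    return {"group": group_id, "revoked": bad}
```

The Lambda's execution role needs only ec2:DescribeSecurityGroups and ec2:RevokeSecurityGroupIngress; the 10.0.0.0/8 range in the sample is left in place because only the world-open CIDR is passed to the revoke call.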
32. Exploiting the bots
Other areas to exploit:
• Automatic rollback
• Failover to other regions
• Automatic creation of quarantined environments for forensic testing
37. Come see us at Evident.io booth #404!
anthony.johnson@elliemae.com
https://www.linkedin.com/in/anthony-johnson-566b356
john@evident.io
@johnmartinez
https://www.linkedin.com/in/johnmartinez
https://github.com/EvidentSecurity/reinvent2016