cis foundations benchmark for aws security
TRANSCRIPT
Copyright © 2015 evident.io
CIS FOUNDATIONS BENCHMARK FOR AWS SECURITY
Adam Montville, Center for Internet Security (CIS)
Tim Sandage, Amazon Web Services (AWS)
Tim Prendergast, CEO Evident.io
March 30, 2016
WEBINAR LOGISTICS
• Question? To submit a question for the Q&A, click on the Questions button
• Vote: To cast your vote for a poll question, click on the Votes button
• Additional Content: To download other relevant content, click the Attachments button
• Tell us how we did: To provide a rating and feedback or comments, click the Ratings button
• Tell a Friend: To share today’s webinar with a co-worker or colleague, click the Share button
• Want the slides? To download the slides from today’s webinar go to blog.evident.io. The download link for the slides can be found in the blog post “CIS Foundations Benchmark for AWS Security” published March 14, 2016.
For more content on AWS security and compliance best practices check out our blog at blog.evident.io
TODAY’S SPEAKERS:
Adam Montville is the Sr. Director for Security Controls and Automation at The Center for Internet Security (CIS), leading the teams working to define security configuration benchmarks and designing and implementing CIS’ security automation tools.
Tim Sandage is a Senior Risk & Compliance Strategist for Amazon Web Services (AWS) who is responsible for global strategic alignment of AWS cloud computing services with current and future compliance capabilities as well as external consulting with AWS customers, public policy organizations, and standard bodies across the globe.
CEO Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level. After years of building, operating, and securing services in AWS, he set out to make security approachable and repeatable for companies of all sizes. Tim also led technology teams at Adobe, Ingenuity, Ticketmaster, and McAfee. Follow Tim on Twitter @Auxome.
WHO IS CIS?
• 750+ members worldwide
• Security program support
− MS-ISAC (SLTT support)
− Security Controls and Automation
− CIS Critical Security Controls
• Start secure, stay secure
CIS SUPPORTS SECURITY PROGRAMS
• SOC + Incident Response
• CIS Critical Security Controls
• Consensus benchmark development process
• Reduce guesswork
• Automation support
WHAT IS A “BENCHMARK”?
• Security configuration guide
• Consensus-based development process
• Best Current Practice + Best Leading Practice
• 433K+ downloads last year
WHY DID AWS WORK WITH CIS TO PRODUCE THE BENCHMARK?
• Increase Customer Security
• Leading Practice Guidelines
• Supports various Security Standards
• Repeatable & Verifiable
• Auditability
SCOPE OF THE FOUNDATIONS BENCHMARK
• Identity & Access Management (IAM)
• Logging
• Monitoring
• Networking
INTENT OF THE CIS FOUNDATION BENCHMARK
• Repeatable
• Verifiable
• Reliable
• Auditable
CHALLENGES OVERCOME BUILDING OUT THE BENCHMARK
• Scope of Services
• Architecture neutral
• Leading Practice focused
• Global Security Framework alignment
USE CASES FOR LEVERAGING THE BENCHMARK
Leading Practice Security Config:
• AWS Identity and Access Management (IAM)
• AWS Config
• AWS CloudTrail
• AWS CloudWatch
• AWS Simple Notification Service (SNS)
• AWS Simple Storage Service (S3)
• AWS VPC (Default)
SECURITY BY DESIGN – AUTOMATION APPROACHES
• Build security in every layer
• Think parallel
• Plan for Breach
• Don't fear constraints
• Treat infrastructure as code
PARTNER INTEGRATION WITHIN SBD
• Evident.io
• Splunk
• Allgress
• Center for Internet Security
• Veris Group LLC
FUTURE AWS CIS BENCHMARKS
• 3-Tier Web Architecture
• AWS Data Containers
• Additional broad architectures
WHO SHOULD USE THE BENCHMARK - HOW AND WHEN?
• AWS Customers
• AWS Partners
• AWS System Integrators
• AWS Consultants
• AWS Auditors
LEVERAGING THE BENCHMARK TO BE MORE SECURE
• Everyone should target the benchmark
• There are no silver bullets!
• It’s a framework – treat it as such
• If you don’t believe, you won’t succeed
• Security is about the journey, not the destination!
OPERATIONAL BENEFITS
• Clearer goals for Security
• Measurable results (binary!)
• Faster failure, faster success
• DevOps can speak the benchmark
• Security becomes part of the product lifecycle! (Yay)
AUTOMATING IS THE KEY TO SUCCESS
• Continuous Monitoring is required (and achievable)
• Without automation, elastic and dynamic environments will outrun security
• If you can automate detection, you can automate response!
MEASURING YOUR SECURITY MATURITY
• Complete gap analysis
• Select a cross-functional team to implement
• Establish the audit cycle
• Begin automation work on relevant areas
• Identify your current security posture, then track drift and progress over time.
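The two slides above (automating detection, and measuring posture then tracking drift across audit cycles) describe an approach without showing what a benchmark check looks like in practice. The following is an added example, not code from the webinar, CIS, AWS or Evident.io: it evaluates a constructed account snapshot against a handful of IAM checks in the spirit of the benchmark's password-policy and MFA recommendations, reports each as a binary pass/fail, and labels what changed between two audit cycles. The snapshot fields mirror the names returned by the IAM GetAccountPasswordPolicy API and the IAM credential report, but every value is constructed. The thresholds (14 characters, 90 days, 24 remembered passwords) and the control labels are assumptions made here, not the benchmark's own numbering; a real implementation would feed live API output into `evaluate()`.

```python
"""Binary CIS-style IAM checks over a constructed account snapshot, plus drift
between two audit cycles. Added example; thresholds and labels are assumptions."""
from __future__ import annotations

from typing import Iterable

# Assumed thresholds (commonly cited benchmark values, not taken from the slides).
MIN_PASSWORD_LENGTH = 14
MAX_PASSWORD_AGE_DAYS = 90
PASSWORD_REUSE_HISTORY = 24


def check_password_policy(policy: dict) -> dict[str, bool]:
    """One pass/fail per password-policy requirement.

    `policy` uses the field names of IAM GetAccountPasswordPolicy; a missing
    field is treated as the AWS default, i.e. the requirement is not enforced."""
    return {
        "pw-require-uppercase": bool(policy.get("RequireUppercaseCharacters", False)),
        "pw-require-lowercase": bool(policy.get("RequireLowercaseCharacters", False)),
        "pw-require-symbol": bool(policy.get("RequireSymbols", False)),
        "pw-require-number": bool(policy.get("RequireNumbers", False)),
        "pw-min-length": policy.get("MinimumPasswordLength", 0) >= MIN_PASSWORD_LENGTH,
        "pw-reuse-prevention": policy.get("PasswordReusePrevention", 0) >= PASSWORD_REUSE_HISTORY,
        # MaxPasswordAge of 0 / absent means passwords never expire, which fails.
        "pw-max-age": 0 < policy.get("MaxPasswordAge", 0) <= MAX_PASSWORD_AGE_DAYS,
    }


def check_console_mfa(credential_report: Iterable[dict]) -> dict[str, bool]:
    """Every user with a console password must have MFA active.

    Rows use credential-report column names; the report stores booleans as the
    strings 'true'/'false' (and 'not_supported' for the root row's password)."""
    offenders = [
        row["user"]
        for row in credential_report
        if row.get("password_enabled") == "true" and row.get("mfa_active") != "true"
    ]
    return {"console-users-have-mfa": not offenders}


def evaluate(snapshot: dict) -> dict[str, bool]:
    """Run every check over one snapshot and return control -> pass/fail."""
    results: dict[str, bool] = {}
    results.update(check_password_policy(snapshot.get("PasswordPolicy", {})))
    results.update(check_console_mfa(snapshot.get("CredentialReport", [])))
    return results


def score(results: dict[str, bool]) -> tuple[int, int]:
    """(passed, total): the binary, measurable result the slides ask for."""
    return sum(results.values()), len(results)


def drift(previous: dict[str, bool], current: dict[str, bool]) -> dict[str, str]:
    """Label each control fixed / regressed / unchanged between two audit cycles."""
    labels = {}
    for control in sorted(set(previous) | set(current)):
        before, after = previous.get(control), current.get(control)
        labels[control] = "unchanged" if before == after else ("fixed" if after else "regressed")
    return labels


# Constructed snapshots for two audit cycles (not real account data).
BASELINE_SNAPSHOT = {
    "PasswordPolicy": {
        "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
        "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
        "MaxPasswordAge": 180, "PasswordReusePrevention": 5,
    },
    "CredentialReport": [
        {"user": "<root_account>", "password_enabled": "not_supported", "mfa_active": "true"},
        {"user": "alice", "password_enabled": "true", "mfa_active": "true"},
        {"user": "bob", "password_enabled": "true", "mfa_active": "false"},
        {"user": "deploy-bot", "password_enabled": "false", "mfa_active": "false"},
    ],
}

CURRENT_SNAPSHOT = {
    "PasswordPolicy": {
        "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
        "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": False,  # regressed
        "MaxPasswordAge": 90, "PasswordReusePrevention": 24,
    },
    "CredentialReport": [
        {"user": "<root_account>", "password_enabled": "not_supported", "mfa_active": "true"},
        {"user": "alice", "password_enabled": "true", "mfa_active": "true"},
        {"user": "bob", "password_enabled": "true", "mfa_active": "true"},
        {"user": "deploy-bot", "password_enabled": "false", "mfa_active": "false"},
    ],
}

if __name__ == "__main__":
    before, after = evaluate(BASELINE_SNAPSHOT), evaluate(CURRENT_SNAPSHOT)
    print("baseline: %d/%d controls passing" % score(before))
    print("current:  %d/%d controls passing" % score(after))
    for control, label in drift(before, after).items():
        if label != "unchanged":
            print(f"{label:>9}: {control}")
```

Running the script prints 3/8 for the baseline and 7/8 for the current cycle, with five controls marked fixed and the lowercase requirement marked regressed. The point of the `drift()` step is that a scheduled run which only reports the score hides regressions behind net improvement; labelling each control separately is what turns "automate detection" into something a responder can act on.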
LEVERAGING FOR COMPLIANCE
• Compliance is based on Frameworks, too
• Relevant industry teams are watching CIS
• CIS controls lead to satisfaction of other framework controls. Ex: CIS AWS 1.2 through 1.7 supports NIST 800-53 r4 IA-5(1)
• The smaller, step-sized security moves create greater success
COMMUNICATING SUCCESS TO PARTNERS, CUSTOMERS, INVESTORS
• Demonstrate your capacity for security
• Evangelize your success
• Iterate the benchmark (and participate!)
• Take to the blogs!
STAY ENGAGED TO ENSURE YOUR CONTINUED SUCCESS
• Join the CIS
• Seek out the working group members
• Don’t just run it once – it must be part of your DNA
• Engage on Twitter, Blogs, and discussion groups with us
• See you at some meetups!
Q & A - ANY QUESTIONS?
THANKS FOR ATTENDING!