TRANSCRIPT
Vinay Bansal, Matthew Heinze, Blaine Schmidt
Oct 2019
Security Monitoring and Incident Response in the Cloud
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
• Cisco’s Journey with Public Clouds
• Cloud Monitoring Strategy
• Cloud Monitoring Architecture
• Scaling Across Multiple Cloud Providers
• Cloud Monitoring Automation
• Incident Detection with Playbook
• Retrospective and Lessons Learned
Cisco’s Journey with Public Clouds
• Cisco Engineering, IT and product teams are increasingly leveraging public clouds
• Many acquisitions with an existing footprint on public cloud providers
• More than 3000 AWS accounts, 500 GCP projects and 100 Azure subscriptions across Cisco, and growing
Challenge: How do we ensure that Cisco’s workloads run securely in public cloud?
Securing Cisco’s Workloads in Public Clouds
1. Establish Enterprise Agreement with Cloud Provider
2. Define Security Guardrails
3. Apply Security Guardrails at Account Provisioning
4. Security Automation
   • Ongoing Audit Checks
   • Continuous Monitoring
   • Vulnerability Management
5. Risk Scoring and Metrics
6. Improve Cloud Security
Security Guardrails for Cloud (AWS Accounts)
Account flow: New AWS Account Request -> Cisco AWS Account Provisioned -> Security Applied.
Guardrails applied to the AWS Cisco account/project space:
1. Enforce Strong Identity (IAM)
2. Set Up Bastion/Jump Host for Secure Access
3. Harden Base OS
4. Network Zoning to restrict external exposure
5. Set Up Vulnerability Scanning
6. Enable Security Logging (ELB logs, CloudTrail logs and VPC logs delivered to a log bucket)
7. Create Account Level Encryption Key
8. Harden Core AWS Components
9. Trusted Advisor Setup
10. Tagging and Automated Security Audits (audit role, audit user, audit templates)
Cloud Monitoring Strategy
Monitoring Goals for Cloud
• As many useful logs as possible, same as we have in the private datacenter.
• We don’t want to lose visibility in cloud environments.
• We want a toolset that allows us to detect compromise.
• We want to maintain (or improve) our efficacy as incident responders.
Cloud Monitoring: Coverage and Scope
Public IaaS: AWS, Azure, GCP, Oracle Cloud, AWS FedRAMP, AWS China
Public SaaS: Box, G Suite, Office 365, Salesforce
Private Cloud: Openstack, Openshift, DBaaS, …
Cloud Shared Responsibility Model
Monitoring Logs – Traditional vs. Cloud
Traditional:
• IPS/IDS
• DNS logs
• Netflow
In Cloud:
• Cloud Event Logs, e.g. CloudTrail, Stackdriver
• Cloud Network Logs, e.g. VPC Flow
• System Logs, e.g. OSQuery
• Web Traffic Logs, e.g. ELB
Cloud Monitoring - Strategy (diagram)
Monitored assets per tenant across AWS, Azure and GCP: IDM (APIs, accounts, access logs); compute (VMs, containers, serverless); storage (object storage, block storage, encryption keys); networking (VPCs, Direct Connect); PaaS services (Kinesis, Redshift, DB); web tier (APIs, load balancer, CDN, WAF); outbound traffic.
Log sources feeding the security logs strategy: app logs, DNS logs, host logs, network logs, resource access logs.
Example tenant/provider mapping: WAF and ELB logs; CloudTrail; Umbrella/Route53 (DNS); VPC Flow; OSQuery/AMP (host). Alerts and threats feed the CSIRT operational playbook. Cloud providers differ in maturity.
Cloud Monitoring Architecture
Cloud Monitoring Architecture Option 1
Cloud Infrastructure Logging
• AWS: CloudTrail
• GCP: Stackdriver, Pub/Sub
• Azure: Activity, Diagnostics, Event Hub
Cloud Host, Agent and Service Logging
Agent, Host and Service Data (AMP, fluentd, OSquery)
Scaling Across Multiple Cloud Providers
Cloud Scaling – Automating Log Collection
Diagram: in each Cisco Cloud Account, CloudTrail, ELB, network and CloudWatch logs land in log storage; notifications from the cloud service provider reach the security team through a message queue. Logs are forwarded to storage in the Cisco CSIRT Account, where multiple security log sources are combined into unified security logs consumed by Stealthwatch Cloud and by the playbook, reports and investigations.
Cloud Scaling – Automating Security Monitoring
Diagram: Stealthwatch Cloud collects data from multiple tenants' cloud services (IaaS: CloudTrail, Stackdriver, VPC Flow) through API calls over the Internet and produces alerts and observations, which feed the playbook, report analysis and investigations.
Automating Data Collection, Playbook, and Remediation
Protecting Cisco: I HAVE THE DATA, NOW WHAT: Automating Logging
Protecting Cisco: I HAVE THE DATA, NOW WHAT: Playbook Objectives
• What am I trying to protect?
• What are the threats?
• How do I detect them?
• How do we respond?
Root Cause: I HAVE THE DATA, NOW WHAT: Incident Retrospectives
Root Cause & Lessons Learned
The more that things change, the more they stay the same….
- Overly permissive policies and network ingress permissions
- Credential leakage
- Compute with weak (or non-existent) credentials
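As an added example (not from the slides or from Cisco's tooling), a small automated audit check for the first root cause listed above, overly permissive policies and network ingress permissions. It assumes inputs shaped like an AWS IAM policy document and EC2 IpPermissions entries; every sample value below is constructed.

```python
# Added audit-check example; not from the slides. Input shapes mirror an AWS
# IAM policy document and EC2 IpPermissions entries; all values are constructed.

# Constructed IAM policy document in the AWS policy grammar.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": ["*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
}

def _rule(port, cidr):
    """Build a constructed TCP ingress rule shaped like an EC2 IpPermissions entry."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}

SAMPLE_SG_RULES = [_rule(443, "0.0.0.0/0"), _rule(22, "0.0.0.0/0"), _rule(22, "10.0.0.0/8")]

# Ports acceptable from the internet; anything else open to 0.0.0.0/0 is flagged.
PUBLIC_OK_PORTS = {80, 443}

def _as_list(v):  # IAM fields may be a single string or a list; normalise to a list
    return v if isinstance(v, list) else [v]

def find_wildcard_statements(policy):
    """Return Allow statements pairing a '*' or service-wide 'svc:*' Action with Resource '*'."""
    flagged = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            flagged.append(st)
    return flagged

def find_open_ingress(rules):
    """Return rules open to 0.0.0.0/0 on a port outside PUBLIC_OK_PORTS ('-1' = all traffic)."""
    flagged = []
    for r in rules:
        world = any(ip.get("CidrIp") == "0.0.0.0/0" for ip in r.get("IpRanges", []))
        ports = [-1] if r.get("IpProtocol") == "-1" else range(r["FromPort"], r["ToPort"] + 1)
        if world and not all(p in PUBLIC_OK_PORTS for p in ports):
            flagged.append(r)
    return flagged
```

Run `find_wildcard_statements(SAMPLE_POLICY)` and `find_open_ingress(SAMPLE_SG_RULES)`: the first returns the two wildcard statements, the second only the SSH rule open to the world.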
Thank You