Vinay Bansal, Matthew Heinze, Blaine Schmidt Oct 2019 Security Monitoring and Incident Response in the Cloud


Page 1: Security Monitoring and Incident Response in the Cloud · Serverless Object Storage Block Storage Encryption Keys Networking VPCs Direct Connect PaaS Service Kinesis… DB Redshift

Vinay Bansal, Matthew Heinze, Blaine Schmidt

Oct 2019

Security Monitoring and Incident Response in the Cloud

Page 2

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda

• Cisco’s Journey with Public Clouds
• Cloud Monitoring Strategy
• Cloud Monitoring Architecture
• Scaling Across Multiple Cloud Providers
• Cloud Monitoring Automation
• Incident Detection with Playbook
• Retrospective and Lessons Learned

Page 3

Cisco’s Journey with Public Clouds

Page 4

Cisco’s Journey with Public Clouds

• Cisco Engineering, IT and product teams are increasingly leveraging public clouds

• Many acquisitions with an existing footprint on public cloud providers

• More than 3000 AWS accounts, 500 GCP projects and 100 Azure subscriptions across Cisco, and growing

Challenge: How do we ensure that Cisco’s workloads run securely in public cloud?

Page 5

Securing Cisco’s Workloads in Public Clouds

Process flow, in order:

1. Establish Enterprise Agreement with Cloud Provider
2. Define Security Guardrails
3. Apply Security Guardrails at Account Provisioning
4. Security Automation
   • Ongoing Audit Checks
   • Continuous Monitoring
   • Vulnerability Management
5. Risk Scoring and Metrics
6. Improve Cloud Security

Page 6

Security Guardrails for Cloud (AWS Accounts)

Account provisioning flow: New AWS Account Request → Cisco AWS Account Provisioned → Security Applied

Guardrails applied in the Cisco AWS account/project space:

1. Enforce Strong Identity (IAM)
2. Set Up Bastion/Jump Host for Secure Access
3. Harden Base OS
4. Network Zoning to restrict external exposure
5. Set Up Vulnerability Scanning
6. Enable Security Logging (ELB Logs, CloudTrail Logs, VPC Logs → Log Bucket)
7. Create Account Level Encryption Key
8. Harden Core AWS Components
9. Trusted Advisor Setup
10. Tagging and Automated Security Audits (Audit Role, Audit User, Audit Templates)

Page 7

Cloud Monitoring Strategy

Page 8

Monitoring Goals for Cloud

• As many useful logs as possible, same as we have in the private datacenter.

• We don’t want to lose visibility in cloud environments.

• We want a toolset that allows us to detect compromise.

• We want to maintain (or improve) our efficacy as incident responders.

Page 9

Cloud Monitoring: Coverage and Scope

Public IaaS: AWS, Azure, GCP, Oracle Cloud, AWS FedRAMP, AWS China

Public SaaS: Box, G Suite, Office 365, Salesforce

Private Cloud: Openstack, Openshift, DBaaS

Page 10

Cloud Shared Responsibility Model

Page 11

Monitoring Logs – Traditional vs. Cloud

Traditional:
• IPS/IDS
• DNS logs
• Netflow

In Cloud:
• Cloud Event Logs, e.g. CloudTrail, StackDriver
• Cloud NW Logs, e.g. VPC Flow
• System Logs, e.g. OSQuery
• Web Traffic Logs, e.g. ELB

Page 12

Cloud Monitoring - Strategy

What is monitored, across AWS, Azure and GCP:
• IDM, APIs, Accounts, Access Logs
• VMs, Containers, Serverless
• Object Storage, Block Storage, Encryption Keys
• Networking: VPCs, Direct Connect
• PaaS Services: Kinesis, Redshift, DB…
• APIs / Web Tier: Load Balancer, CDN, WAF
• Outbound Traffic

Log types feeding the Operational Playbook: App Logs, DNS Logs, Host Logs, NW Logs, Resource Access Logs → Alerts/Threats

Security Logs Strategy (AWS example): WAF and ELB logs, Cloudtrail, Umbrella/Route53, VPCFlow, OSQuery/AMP, Cloudtrail → CSIRT Playbook

Tenant / Provider responsibility split and Cloud Providers Maturity, per provider (AWS, Azure, GCP)

Page 13

Cloud Monitoring Architecture

Page 14

Cloud Monitoring Architecture Option 1

Page 15

Cloud Infrastructure Logging

• Cloudtrail
• Stackdriver, Pub/Sub
• Activity, Diagnostics, Event Hub

Page 16

Cloud Host, Agent and Service Logging

Agent, Host, Service Data (AMP, fluentd, OSquery)

Page 17

Scaling Across Multiple Cloud Providers

Page 18

Cloud Scaling – Automating Log Collection

Cisco Cloud Account: Cloudtrail, ELB, Network Logs, Cloudwatch Logs → Log Storage → Message Queue

Notifications from Cloud Service Provider Security team

Cisco CSIRT Account: Storage → Unified Security Logs → Stealthwatch Cloud, Multiple Security Logs → Playbook, Reports, Investigations
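The "Unified Security Logs" box in this flow is where raw log families with very different shapes (a VPC Flow Log line, a CloudTrail JSON record) are turned into one schema so a CSIRT playbook can be written once. The following is an added example, not code from the Cisco deck or its tooling: the UnifiedEvent field names, the internal address ranges, the playbook check and all sample records are constructed for illustration.

```python
"""Normalize two different AWS log families into one event schema.

Added example, not code from the Cisco deck: the UnifiedEvent field names,
the playbook check and every sample record below are constructed.
"""
import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample: one VPC Flow Log line in the default (version 2) format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_VPC_FLOW = (
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 51234 22 6 "
    "12 1040 1570017540 1570017600 ACCEPT OK"
)

# Constructed sample: a CloudTrail record trimmed to the fields used here.
SAMPLE_CLOUDTRAIL = json.dumps({
    "eventTime": "2019-10-02T12:00:00Z",
    "eventName": "ConsoleLogin",
    "sourceIPAddress": "203.0.113.9",
    "userIdentity": {"type": "IAMUser", "userName": "alice"},
    "additionalEventData": {"MFAUsed": "No"},
})

# Assumption: these are the organisation's internal ranges; anything else is
# treated as internet-sourced (so the documentation addresses above count as external).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class UnifiedEvent:
    """Provider-neutral event so playbooks need not know the raw log format."""
    provider: str
    source: str              # raw log family: "vpcflow", "cloudtrail", ...
    ts: int                  # epoch seconds
    src_ip: Optional[str]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    action: str              # ACCEPT/REJECT for flows, API name for events
    actor: Optional[str]     # who acted, when the source knows
    attrs: dict              # source-specific leftovers

def parse_vpc_flow(line: str) -> UnifiedEvent:
    """Default-format VPC Flow Log line -> UnifiedEvent."""
    f = line.split()
    if len(f) != 14 or f[0] != "2":
        raise ValueError("not a default-format VPC Flow Log v2 line")
    return UnifiedEvent(
        provider="aws", source="vpcflow", ts=int(f[10]),
        src_ip=f[3], dst_ip=f[4], dst_port=int(f[6]), action=f[12], actor=None,
        attrs={"account": f[1], "interface": f[2], "protocol": int(f[7]),
               "bytes": int(f[9])},
    )

def parse_cloudtrail(record: str) -> UnifiedEvent:
    """CloudTrail JSON record -> UnifiedEvent."""
    r = json.loads(record)
    ident = r.get("userIdentity", {})
    when = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return UnifiedEvent(
        provider="aws", source="cloudtrail",
        ts=int(when.replace(tzinfo=timezone.utc).timestamp()),
        src_ip=r.get("sourceIPAddress"), dst_ip=None, dst_port=None,
        action=r["eventName"],
        actor=f"{ident.get('type')}:{ident.get('userName', ident.get('arn'))}",
        attrs={"mfa_used": r.get("additionalEventData", {}).get("MFAUsed")},
    )

def is_external(ip: Optional[str]) -> bool:
    """True for routable addresses outside INTERNAL_NETS; non-IP callers
    (CloudTrail records a service name for some callers) are not external."""
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def external_admin_access(events: List[UnifiedEvent]) -> List[Tuple[str, UnifiedEvent]]:
    """One playbook check written once against the unified schema: an accepted
    inbound SSH/RDP flow from outside, or a console login without MFA from
    outside. Returns (finding-name, event) pairs."""
    findings = []
    for e in events:
        if not is_external(e.src_ip):
            continue
        if e.source == "vpcflow" and e.action == "ACCEPT" and e.dst_port in (22, 3389):
            findings.append(("inbound-admin-port-from-internet", e))
        elif e.action == "ConsoleLogin" and e.attrs.get("mfa_used") == "No":
            findings.append(("console-login-without-mfa", e))
    return findings
```

The point of the normalizer is visible in `external_admin_access`: it never inspects the raw formats, so adding Stackdriver or Azure Activity records means writing one more parser, not one more copy of every playbook check.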

Page 19

Cloud Scaling – Automating Security Monitoring

Cloud Service (IaaS), Multiple Tenants: CloudTrail, Stackdriver, VPC Flow → Data (API Calls, over the Internet) → Stealthwatch Cloud → Alerts & Observations → Playbook, Report Analysis, Investigations

Page 20

Automating Data Collection, Playbook, and Remediation

Page 21

I HAVE THE DATA, NOW WHAT: Automating Logging

Protecting Cisco

Page 22

I HAVE THE DATA, NOW WHAT: Playbook Objectives

Protecting Cisco

• What am I trying to protect?
• What are the threats?
• How do I detect them?
• How do we respond?

Page 23

Root Cause & Lessons Learned

Page 24

I HAVE THE DATA, NOW WHAT: Incident Retrospectives

Root Cause

The more that things change, the more they stay the same….

- Overly permissive Policies and Network Ingress permissions
- Credential Leakage
- Compute with weak (or non-existent) credentials
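The first root cause above is exactly what guardrail 10 ("Tagging and Automated Security Audits") and guardrail 4 ("Network Zoning to restrict external exposure") on the AWS guardrails slide exist to catch before an incident. The following is an added example, not Cisco's audit tooling: two offline checks over documents in the shape the AWS IAM policy and EC2 DescribeSecurityGroups APIs return. The policy, the security group and the set of ports allowed to face the internet are all constructed assumptions.

```python
"""Audit checks for two root causes named in the retrospective:
overly permissive IAM policies and overly permissive network ingress.

Added example, not Cisco's audit tooling. The documents below are constructed
samples in the shape returned by the AWS IAM and EC2 DescribeSecurityGroups
APIs; the set of ports allowed to face the internet is an assumption.
"""
import ipaddress
from typing import Dict, List

# Assumption: only the web tier (behind the load balancer/WAF) may face the
# internet, so these are the only ports an open-to-world rule may expose.
INTERNET_OK_PORTS = {80, 443}

SAMPLE_POLICY = {   # constructed IAM policy document
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-logs/*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
        {"Effect": "Allow", "NotAction": ["s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}

SAMPLE_SECURITY_GROUP = {   # constructed DescribeSecurityGroups entry (trimmed)
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}


def _as_list(value) -> list:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> List[Dict]:
    """Flag Allow statements that grant wildcard actions on every resource.
    A Condition narrows the grant, so those are reported for review rather
    than as high severity; NotAction with Resource "*" is flagged because it
    grants everything except the listed actions."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "*" not in _as_list(st.get("Resource")):
            continue
        wild = [a for a in _as_list(st.get("Action")) if a == "*" or a.endswith(":*")]
        if "NotAction" in st:
            check, detail = "iam-notaction-allow", _as_list(st["NotAction"])
        elif wild:
            check, detail = "iam-wildcard-allow", wild
        else:
            continue
        findings.append({"check": check, "statement": i, "actions": detail,
                         "severity": "review" if "Condition" in st else "high"})
    return findings


def _open_to_world(rule: dict) -> List[str]:
    """CIDRs in the rule that cover the whole address space (prefix length 0)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs
            if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def audit_ingress(sg: dict) -> List[Dict]:
    """Flag ingress rules open to the internet on anything but the allowed
    ports. IpProtocol "-1" means all protocols and all ports."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        world = _open_to_world(rule)
        if not world:
            continue
        if rule.get("IpProtocol") == "-1":
            ports = "all"
        else:
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            if all(p in INTERNET_OK_PORTS for p in range(lo, hi + 1)):
                continue
            ports = str(lo) if lo == hi else f"{lo}-{hi}"
        findings.append({"check": "sg-open-ingress", "group": sg.get("GroupId"),
                         "protocol": rule.get("IpProtocol"), "ports": ports,
                         "cidrs": world})
    return findings
```

Run as a scheduled audit across accounts, the two functions give the "Ongoing Audit Checks" feed from the process slide; the Deny statement and the internal-only `10.0.0.0/8` rule in the samples show that the checks stay quiet on grants that are broad but not internet-facing or not permissive.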

Page 25

Thank You

Page 26