Leverage the security & resiliency of the cloud & IoT for industry use cases - SEP203 - AWS re:Inforce 2019
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
1. Leverage the security & resiliency of the cloud & IoT for industry use cases
Jana Kay
Cloud Security Strategist
AWS
SEP203
Michael South
Americas Regional Leader,
Public Sector Security & Compliance
AWS
Anton Shmagin
Partner Solutions Architect
AWS
2. Agenda
11:30 AM – Noon
• TTX guidelines and objectives
• Assumptions & constraints
• Incident response process
• Scenario overview
Noon – 12:15 PM: Event – on-premises incident response (IR) walkthrough
12:15 PM – 12:45 PM: Secure IoT architecture capabilities
12:45 PM – 1:15 PM: Event – AWS IR exercise
1:15 PM – 1:30 PM
• “Hot wash”
• Q&A
3. Related breakouts
Tuesday, June 25
SDD307: Protecting your IoT fleet | Level 1, Room 151B, Table 3
11:30 AM – 12:30 PM
2:30 PM – 3:30 PM
5:30 PM – 6:30 PM
SEP208: Designing for data privacy on AWS
1:00 PM – 2:00 PM | Level 2, Room 207
DEV04: IoT security: Prevent your devices from becoming attack vectors
1:00 PM – 2:00 PM | Level 0, Dev Lounge Hall A + B1
SEP206: Securing Internet of Things (IoT) deployment with AWS
4:00 PM – 5:00 PM | Level 2, Room 212
4. Related breakouts
Wednesday, June 26
SDD307: Protecting your IoT fleet | Level 1, Room 151B, Table 3
8:00 AM – 9:00 AM
11:00 AM – 12:00 PM
5:00 PM – 6:00 PM
SEP318-L: Leadership session: Aspirational security
11:45 AM – 12:45 PM | Level 2, Room 253B
SDD325: Bose uses AWS IoT to securely connect millions of devices and improve IT agility
1:15 PM – 2:15 PM | Level 2, Room 205B
FND321: Keeping edge computing secure
3:30 PM – 4:30 PM | Level 1, Room 151B, Table 8
5. TTX guidelines
Goals
• Stimulate thought and discussion
• Identify opportunities
• Have fun!
Don’t
• Fight the game
• Keep your knowledge to yourself
• Go too deep down the rabbit hole
Do
• Consider people, processes, and technology
• Link the threat and remediation to the business
• Have fun!
6. Assumptions & constraints
Assumptions
• You have an SOC in place
• An incident response plan may exist, but it may need to be updated based on adoption of cloud and IoT devices
• Incidents are confirmed
• Incidents have potential real impact to reputation, financial health, legal liability, and possibly safety
• Potential broader impact to national economy and security
• No privacy implications, only business impact
Constraints
• Must take ownership; can’t offload to a contractor
• Focus on business and security objectives related to capabilities
• Must comply with all applicable regulations and adhere to mandated reporting
7. TTX objectives
• Highlight challenges in securing and responding to incidents for IoT in regulated industries
• Demonstrate the security and resiliency of the cloud over traditional on-premises systems in support of IoT
• Discuss the effectiveness of internationally accepted frameworks, such as the NIST Cybersecurity Framework (NIST CSF), in improving cybersecurity and resiliency
9. The incident response (IR) process
Process diagram (recovered labels): phases Prepare → Identify → Assess → Respond → Learn, cycling back to Prepare; states Steady State → Declare an Incident → Start Cleanup → Finish Cleanup → Back in Production → Done (Steady State)
On occasion, we might be forced to jump back
10. The incident response process: Preparation
Establish an incident response capability so that the organization is ready to respond to incidents and to prevent incidents by ensuring that systems, networks, and applications are sufficiently secure
❑ Communications & facilities
❑ Analyst hardware & software
❑ Staffing & training
❑ Environment documentation
❑ Protection implementation (system owners)
11. The incident response process: Detect & analyze
Ability to detect and analyze events via the technologies and procedures established in the prepare phase
❑ Generally prepare for all, but focus on common attack vectors
❑ Recognize signs of potential events, assess, and know what to do next
❑ Be aware of current threat intelligence
❑ Have knowledge of baseline configurations and behaviors (what does normal look like?)
❑ Incident documentation
❑ Incident prioritization
❑ Incident notification
12. The incident response process: Contain, eradicate, and recover
Ability to stop the spread and impact of the incident, completely remove the threat from the environment, implement protections to prevent it from happening again, and return all systems and business processes to the normal operating state
❑ Choosing a containment strategy (e.g., need for evidence, service availability, dependencies, solution duration, intel collection, etc.)
❑ Procedures for gathering and handling evidence
❑ Procedures to remove the threat (e.g., compromised accounts, malware, patching vulnerabilities, etc.)
❑ Procedures to restore systems to normal operations (e.g., restore from backups, bring online in dependency and business priority order, etc.)
13. The IR process: Post-incident activity
It is imperative that organizations learn from incidents and improve their abilities to protect, respond, recover, and survive
The scope should include not just the technical controls and improvements, but also staff considerations like training and updating policies, processes, and procedures
❑ Develop and use a lessons learned process to capture relevant data, analyze the incident and response, and implement recommendations
❑ Collect and analyze data across multiple incidents to assess performance improvement and identify trends (a great use of machine learning in AWS)
❑ Follow procedures to retain and protect evidence
15. Overarching scenario
You are the Chief Information Security Officer (CISO) for a highly regulated company that provides services that are designated as mission-critical
The company has not adopted the cloud, although it is under consideration based on past resiliency issues from on-premises data centers and aging technical debt
The company has adopted Internet of Things (IoT) devices and technology as part of a larger operational technology (OT) ecosystem that is connected to corporate data centers and applications to provide critical business services
17. Event: Incident response for on-premises managed IoT
A phishing email with ransomware was sent to a distribution list that consisted of about 30% of the company’s employees; early analysis shows that about 8% opened the malicious attachment, which has started to affect corporate workstations and servers
About 2 hours later, you receive reports from your security operations team that there are confirmed indications that your deployed IoT technologies have also been affected in some way
Review your table’s industry-specific indications
21. Robust suite of governance and security services
Diagram labels (the service icons were images):
• Intelligent threat detection using machine learning
• Third-party endpoint protection, NGFW, IPS, other security solutions
• Security & compliance assessment
• Event management and alerting
• API logging
• Operational view & control of resources
• Discover, classify, and protect sensitive data
• AWS Security Hub: centrally view and manage security alerts and automate compliance checks
• AWS KMS: encryption key management service
• AWS Certificate Manager: provision, manage, and deploy SSL/TLS certificates
• AWS IAM: securely manage access to AWS services and resources
Network layout inside the AWS Cloud: a Region containing a VPC with a public subnet (web servers, web security group), a private subnet (application servers, application security group), and a private subnet (database servers, database security group)
• Stateful firewall between each application tier
• A security group does NOT allow peer-to-peer communications by default
• DDoS protection
• Web application firewall
• ACLs provide stateless firewall capability
• Flow Logs: network traffic in/out of the VPC
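The tier-to-tier security-group model in the diagram above is something you can check programmatically rather than by eye. The following Python is an added example, not AWS code or code from the talk: it audits a constructed three-tier rule set (the group IDs sg-web, sg-app and sg-db and the ports are placeholders) for ingress that does not come from the expected upstream tier, and for a group that admits traffic from its own members, which would re-enable the peer-to-peer communication the slide says security groups do not allow by default.

```python
"""Audit a three-tier VPC security-group layout for the two properties the
diagram describes: each tier accepts traffic only from the tier in front of it,
and no group admits peer-to-peer traffic from its own members. Added example,
not AWS code; the rule set is constructed and the group IDs are placeholders."""

from dataclasses import dataclass


@dataclass(frozen=True)
class IngressRule:
    port: int
    source: str  # a CIDR block or the ID of the security group allowed in


# Constructed rules for the web, application and database tiers. Two defects are
# planted: sg-app admits its own members (peer-to-peer), and sg-db admits a CIDR
# range instead of only the application tier's group.
SECURITY_GROUPS = {
    "sg-web": [IngressRule(443, "0.0.0.0/0")],
    "sg-app": [IngressRule(8080, "sg-web"), IngressRule(8080, "sg-app")],
    "sg-db": [IngressRule(5432, "sg-app"), IngressRule(5432, "10.0.0.0/8")],
}

# The only source each tier should accept; the web tier alone faces the internet.
EXPECTED_SOURCES = {
    "sg-web": {"0.0.0.0/0"},
    "sg-app": {"sg-web"},
    "sg-db": {"sg-app"},
}


def audit_tiers(groups, expected):
    """Return (group, port, reason) findings for rules that break the tier model."""
    findings = []
    for sg_id, rules in groups.items():
        for rule in rules:
            if rule.source == sg_id:
                findings.append((sg_id, rule.port, "admits its own members (peer-to-peer)"))
            elif rule.source not in expected.get(sg_id, set()):
                findings.append((sg_id, rule.port, f"source {rule.source} is not the upstream tier"))
    return findings


if __name__ == "__main__":
    for finding in audit_tiers(SECURITY_GROUPS, EXPECTED_SOURCES):
        print(*finding)
```

The check covers security groups only, which are stateful, so a single ingress rule describes the whole conversation; the network ACLs the slide mentions are stateless, and an equivalent check on them would have to pair each inbound rule with the matching outbound rule for return traffic.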
22. AWS security solutions
Identity
• AWS Identity & Access Management (IAM)
• AWS Organizations
• AWS Directory Service
• AWS Single Sign-On
• Amazon Cognito
• AWS Secrets Manager
• AWS Resource Access Manager
Detective control
• AWS Config
• AWS Security Hub
• Amazon GuardDuty
• Amazon CloudWatch
• AWS CloudTrail
• VPC flow logs
Infrastructure security
• AWS Shield
• AWS Firewall Manager
• AWS Web Application Firewall (WAF)
• Amazon Virtual Private Cloud (Amazon VPC)
• Amazon EC2 Systems Manager
• Amazon Inspector
Data protection
• AWS Key Management Service (KMS)
• AWS CloudHSM
• Amazon Macie
• AWS Certificate Manager (ACM)
• Server-side encryption
Incident response
• AWS Config rules
• AWS Lambda
23. Common threats to IoT
• Information theft
• Surveillance
• Malicious access point
• Ransomware
• Lateral threat escalation
• Cryptocurrency mining
• Sabotage attacks
• Denial of service
• Cloud infrastructure abuse
24. AWS IoT
Secure your fleet of connected devices, their connection, and their data from the edge to the cloud
Audit: Validate that IoT configuration is secure
Detect: Detect anomalies in device behavior
Alert: Know when & what to investigate
Mitigate: Remediate potential issues
Awarded Best IoT Security Solution at IoT World 2019 Awards
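Two of the four capabilities on the slide, audit and detect, as an added Python example (not AWS IoT Device Defender code): an audit pass over two constructed IoT policy documents that flags wildcard actions or resources, the condition Device Defender's IOT_POLICY_OVERLY_PERMISSIVE_CHECK reports, and a behaviour check modelled on a security-profile rule for the aws:num-messages-sent metric, run over constructed per-device message counts. The account ID, thing names, window size and thresholds are placeholders.

```python
"""Audit and detect, as on the slide: flag overly permissive IoT policies, and
evaluate per-device metrics against a security-profile-style behaviour. Added
example, not AWS IoT Device Defender code; policies and samples are constructed."""

import json

ACCOUNT = "111122223333"  # placeholder account ID

# A policy scoped to the connecting thing's own client ID and telemetry topic.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"],
         "Resource": [f"arn:aws:iot:us-east-1:{ACCOUNT}:client/${{iot:Connection.Thing.ThingName}}"]},
        {"Effect": "Allow", "Action": ["iot:Publish"],
         "Resource": [f"arn:aws:iot:us-east-1:{ACCOUNT}:topic/sensors/${{iot:Connection.Thing.ThingName}}/telemetry"]},
    ],
})

# The wildcard policy an audit should flag: any device holding it can do anything.
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(document):
    """Return (statement index, reason) for Allow statements with wildcard scope."""
    findings = []
    for index, stmt in enumerate(json.loads(document)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt["Action"])):
            findings.append((index, "wildcard action"))
        if any(r == "*" for r in _as_list(stmt["Resource"])):
            findings.append((index, "wildcard resource"))
    return findings


# Behaviour modelled on a security-profile rule: a device should send fewer than
# 60 messages per window; alarm once two consecutive windows break that.
BEHAVIOR = {"metric": "aws:num-messages-sent", "comparison": "less-than",
            "value": 60, "consecutive_datapoints_to_alarm": 2}

# Constructed samples: messages sent per 5-minute window, per thing name.
SAMPLES = {
    "pump-017": [40, 45, 42, 38, 44],
    "pump-023": [41, 43, 900, 1200, 1100],  # sustained burst, unlike its baseline
}


def evaluate(samples, behavior):
    """Return {thing: window index at which the alarm fired}."""
    alarms = {}
    for thing, readings in samples.items():
        streak = 0
        for index, value in enumerate(readings):
            if behavior["comparison"] == "less-than":
                in_bounds = value < behavior["value"]
            else:
                in_bounds = value > behavior["value"]
            streak = 0 if in_bounds else streak + 1
            if streak >= behavior["consecutive_datapoints_to_alarm"]:
                alarms[thing] = index
                break
    return alarms


if __name__ == "__main__":
    print("scoped policy:", audit_policy(SCOPED_POLICY))
    print("wildcard policy:", audit_policy(WILDCARD_POLICY))
    print("alarms:", evaluate(SAMPLES, BEHAVIOR))
```

The consecutive-datapoint requirement is what keeps a single noisy window from paging the SOC; the thresholds themselves have to come from the fleet's observed baseline (the "what does normal look like?" item on the detect & analyze slide), not from a guess.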
25. AWS IoT services
• AWS IoT Device Defender
• AWS IoT Analytics
• AWS IoT SiteWise
• AWS IoT Events
• AWS IoT Things Graph
• AWS IoT Greengrass
• AWS IoT Core
• AWS IoT Device Management
• Amazon FreeRTOS
26. AWS IoT Architecture
Architecture diagram (recovered labels), edge to cloud:
• Endpoints: Things (Sense & Act), running Amazon FreeRTOS, and Gateway (secure local triggers, actions, and data sync), running AWS Greengrass
• Cloud (Storage & Compute): AWS IoT Core for secure device connectivity and messaging; AWS IoT Device Management for fleet onboarding, management, and SW updates; AWS IoT Device Defender for fleet audit and protection
• Intelligence (Insights & Logic → Action): AWS IoT Data Services for IoT data analytics and intelligence
27. Enel case study
Problem
Enel was looking to manage network distribution at the edge. They were seeking to collect sensor and meter data from over 500,000 cabins distributed across the territory to measure energy consumption, monitor network behavior in real time, and track the effects of seismic waves and earthquakes.
Solution
Enel implemented AWS IoT Greengrass to collect, convey, and process the largest amount of data to trigger actions, govern activities, respond to anomalies, and promote new services.
Impact
The project is the widest so far in Europe, and it provides Enel an opportunity to leverage data to design a better future.
29. Event: Incident response for cloud-managed IoT
You believe that you have contained the ransomware throughout your corporate and IoT environments
Based on mission-owner requirements and your security lessons learned, the company migrates to AWS for your infrastructure and IoT platform
About a week after the migration, a corporate workstation is turned on that has been offline since the first event
Having been previously infected but off during the incident process, it kicks off another round of ransomware spreading throughout the network
30. What changes?
Starting with the prepare phase of the incident response process (or the protect function from the NIST CSF):
• What changes with a cloud-based IoT platform?
• Are there now protections in place to prevent/mitigate the spread of malware from your corporate network to your deployed IoT?
• What is the impact to your deployed IoT? Less, the same, or more?
• Do the other incident response phases change? Is this better, the same, or worse?
• Are you more secure and resilient with a cloud-based IoT platform?
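The re-infection scenario above shows up in VPC Flow Logs (listed on the earlier architecture slide) as a single host fanning out to many peers on the SMB port, and where the security groups deny peer-to-peer traffic by default most of those attempts land as REJECT records. The following Python is an added example, not AWS code: it parses constructed records in the default flow-log format (placeholder account and interface IDs, private addresses) and reports sources that touched at least a threshold of distinct hosts on TCP/445, which gives the "what does normal look like?" question from the detect & analyze slide a concrete per-host metric.

```python
"""Detect SMB fan-out in VPC Flow Log records: one source reaching many distinct
peers on TCP/445 is the pattern of ransomware spreading laterally, and with
security groups denying peer-to-peer traffic by default those attempts mostly
appear as REJECT. Added example, not AWS code; records are constructed."""

from collections import defaultdict

# Field order of the default (version 2) flow-log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

SMB_PORT = 445
TCP = 6

# Constructed records: placeholder account and interface IDs, private addresses.
# 10.20.1.15 behaves normally (HTTPS, one file-server SMB session); 10.20.1.99
# probes six hosts on 445, and the tier security groups reject five of them.
FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d 10.20.1.15 10.20.2.7 52811 443 6 12 4100 1561470000 1561470060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.20.1.15 10.20.1.50 52812 445 6 30 9800 1561470000 1561470060 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1561470000 1561470060 - NODATA
2 111122223333 eni-0a1b2c3d 10.20.1.99 10.20.2.7 50001 445 6 1 60 1561470120 1561470180 REJECT OK
2 111122223333 eni-0a1b2c3d 10.20.1.99 10.20.2.8 50002 445 6 1 60 1561470120 1561470180 REJECT OK
2 111122223333 eni-0a1b2c3d 10.20.1.99 10.20.2.9 50003 445 6 1 60 1561470120 1561470180 REJECT OK
2 111122223333 eni-0a1b2c3d 10.20.1.99 10.20.2.10 50004 445 6 1 60 1561470120 1561470180 REJECT OK
2 111122223333 eni-0a1b2c3d 10.20.1.99 10.20.2.11 50005 445 6 1 60 1561470120 1561470180 REJECT OK
2 111122223333 eni-0a1b2c3d 10.20.1.99 10.20.1.50 50006 445 6 25 7700 1561470120 1561470180 ACCEPT OK
"""


def parse(text):
    """Parse default-format records; NODATA/SKIPDATA lines carry no flow fields."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # blank or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def smb_fanout(records, threshold=5):
    """Return sources that reached at least `threshold` distinct hosts on TCP/445,
    with the ACCEPT/REJECT split of those attempts."""
    peers = defaultdict(set)
    outcomes = defaultdict(lambda: {"ACCEPT": 0, "REJECT": 0})
    for rec in records:
        if rec["protocol"] == TCP and rec["dstport"] == SMB_PORT:
            peers[rec["srcaddr"]].add(rec["dstaddr"])
            outcomes[rec["srcaddr"]][rec["action"]] += 1
    return {src: {"distinct_peers": len(hosts), **outcomes[src]}
            for src, hosts in peers.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    for src, summary in smb_fanout(parse(FLOW_LOG)).items():
        print(src, summary)
```

The REJECT count is the security-group control doing its job; the ACCEPT count and the source address are what containment needs, because the tier rules stop the spread into the application subnets but do not by themselves identify or isolate the infected workstation. The threshold is a baseline judgement and should be set from the normal per-host SMB peer count for the environment rather than the value used here.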
32. Hot wash
• Do you see a difference in IoT security capabilities between the cloud and on premises? If so, what are the differences, and which platform offers more opportunities?
• What security capabilities would you want to see from a cloud-based IoT platform that you didn’t see today?
• What value do you see in using a framework to help you prepare for and respond to threats for your operating environment (on-premises, cloud, IoT)?
33. What’s next?
❑ Read the whitepapers
❑ Schedule training for AWS Cloud, AWS IoT, and security operations
❑ Look into AWS and security certifications
❑ Schedule an AWS Executive Briefing Center (EBC) day
❑ Look into the Zipline offering from AWS Professional Services for incident response support
❑ Look into AWS Partners for IoT and security offerings
34. Thank you!
Jana Kay
kajana@amazon.com
Michael South
mlsouth@amazon.com
Anton Shmagin
antonsh@amazon.com