15. "End to End" criteria: Feedback
Improvement cycle
- Broaden scope, greater efficiency
- Correct deficiencies, remediate
16. Translation skills
• Read the "source code"
• Compliance people can code / developers can read control frameworks
• Document, document, document...
19. Identity & Access Management
Examples of security controls (implemented "end to end")
20. Translation skills – Account management
NIST 800-53 Access Control Family (AC)
AC-2 Account Management
Control: The organization:
a. [...];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [...] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts [...];
[1] NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
22. Translation skills – Account management (word reduction)
Verbs                                     Nouns
Assign                                    Account managers
Establish                                 Groups and roles
Specify                                   Privileges and attributes
Require                                   Approvals
Create, enable/disable, modify, remove    Accounts
23. Account management: "End to End"
Improvement cycle
- Least privilege, need to know
- Correct deficiencies, remediate
24. IAM policy – Example
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html
27. AWS Organizations: Service Control Policies (SCP)
• Define which services can be accessed
• SCPs can be applied at the level of:
- Organization (root)
- OUs
- AWS account
• SCPs are inherited down the hierarchy (organization root → OU → AWS account): an action is only effective in an account if the SCPs at every level on that path allow it
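Added example covering both the IAM policy example of slide 24 and the SCP inheritance on this slide; it is not code from the original slides or from AWS. It is a small model of how a request is authorized when the SCPs attached at the root, at the OU and at the account must all allow it, and the identity policy inside the account must allow it too. The identity policy maps the AC-2 verbs (create, enable/disable, modify, remove accounts) to IAM actions and requires MFA. The policies, the account ID 111122223333, the OU and the user ARNs are constructed for illustration; the evaluator implements only the Bool condition operator and ignores resource-based policies, permission boundaries and session policies.

```python
"""Simplified model of AWS authorization with inherited SCPs plus an IAM
identity policy.  Constructed policies and IDs; not the real AWS evaluator."""
from fnmatch import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_holds(stmt, context):
    """Evaluate a statement's Condition block against the request context.
    Only the 'Bool' operator is implemented (enough for the MFA check)."""
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "Bool":
            raise NotImplementedError(operator)
        for key, wanted in pairs.items():
            if str(context.get(key, "false")).lower() != str(wanted).lower():
                return False
    return True


def statement_applies(stmt, action, resource, context):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatch(action, a) for a in actions)
            and any(fnmatch(resource, r) for r in resources)
            and condition_holds(stmt, context))


def policy_decision(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if statement_applies(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"              # an explicit deny is final
            decision = "Allow"
    return decision


def is_allowed(scp_chain, iam_policy, action, resource, context=None):
    """SCPs are inherited: the SCPs at the root, at every OU on the path and
    at the account must each Allow, and then the identity policy must Allow.
    A Deny anywhere, or a missing Allow anywhere, rejects the request."""
    context = context or {}
    for policy in list(scp_chain) + [iam_policy]:
        if policy_decision(policy, action, resource, context) != "Allow":
            return False
    return True


# --- constructed policies (hypothetical account 111122223333) ---------------
ROOT_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}  # FullAWSAccess

# OU "Workloads": nobody in the OU may switch off audit logging
OU_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
     "Resource": "*"},
]}

# Account-level SCP: only these services are reachable from this account
ACCOUNT_SCP = {"Statement": [
    {"Effect": "Allow", "Action": ["iam:*", "ec2:*", "s3:*", "cloudtrail:*", "logs:*"],
     "Resource": "*"},
]}

SCP_CHAIN = [ROOT_SCP, OU_SCP, ACCOUNT_SCP]          # root -> OU -> account

# Identity policy for the AC-2 "account managers": the create / enable /
# modify / disable / remove verbs as IAM actions, scoped to this account's
# users, and an approval gate in the form of MFA.
ACCOUNT_MANAGER_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["iam:CreateUser", "iam:UpdateUser", "iam:DeleteUser",     # create / modify / remove
               "iam:AddUserToGroup", "iam:RemoveUserFromGroup",          # group and role membership
               "iam:UpdateAccessKey", "iam:DeleteAccessKey"],            # enable / disable credentials
    "Resource": "arn:aws:iam::111122223333:user/*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
}]}

ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


if __name__ == "__main__":
    user = "arn:aws:iam::111122223333:user/alice"
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    print(is_allowed(SCP_CHAIN, ACCOUNT_MANAGER_POLICY, "iam:CreateUser", user, mfa))  # True
    print(is_allowed(SCP_CHAIN, ACCOUNT_MANAGER_POLICY, "iam:CreateUser", user))       # False: no MFA
    print(is_allowed(SCP_CHAIN, ADMIN_POLICY, "cloudtrail:StopLogging", "*"))          # False: OU SCP deny
    print(is_allowed(SCP_CHAIN, ADMIN_POLICY, "dynamodb:PutItem", "*"))                # False: not in account SCP
```

The last two calls show the point of inheritance: an account administrator with `*` permissions still cannot stop CloudTrail, because the Deny lives in the OU's SCP, and cannot touch DynamoDB, because the account's SCP never allowed that service. SCPs never grant permissions by themselves; the identity policy is still required.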
30. NIST 800-53 Audit & Accountability Family (AU)
AU-6 Audit Review, Analysis, and Reporting
Control: The organization:
a. Reviews and analyzes information system audit records for indications of organization-defined inappropriate or unusual activity.
b. Reports findings to organization-defined personnel or roles.
[1] NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Translation skills – Detection controls
31. Detection controls: "End to End"
Improvement cycle
- New rules, broaden scope
- Correct deficiencies, remediate
32. Exploratory analysis – Using VPC Flow Logs to detect abnormal behaviour (beaconing)
Histogram: granularity in seconds
Histogram: 20-minute granularity
• Analysing the flows at a scale of seconds or milliseconds shows no pattern.
• Consolidating the data at 20-minute granularity gives a clear view of the pattern.
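As an added example, not the deck's own code: the re-binning idea of this slide carried out on VPC Flow Logs. The flow-log lines are constructed in the default v2 format with synthetic values (account and ENI IDs, RFC 5737 addresses): one host beacons to 203.0.113.10:443 roughly every 20 minutes with jitter, another host talks to 198.51.100.7:443 in three short bursts. Per-second bins show nothing for either pair; 20-minute bins make the beacon stand out as the one pair that appears in every bin with a constant count.

```python
"""Beacon hunting on constructed VPC Flow Log lines by changing the histogram
bin width.  Synthetic data; the scoring thresholds are starting points."""
import random
import statistics
from collections import defaultdict

DAY = 24 * 3600
T0 = 1418515200                      # arbitrary epoch start of the synthetic day


def build_flow_logs(seed=7):
    """Construct one day of flow-log lines in the default v2 format."""
    rng = random.Random(seed)
    lines = []

    def line(src, dst, dport, start):
        sport = rng.randint(32768, 60999)
        pkts = rng.randint(5, 40)
        return (f"2 123456789010 eni-0a1b2c3d4e5f60718 {src} {dst} {sport} {dport} 6 "
                f"{pkts} {pkts * 120} {start} {start + rng.randint(1, 30)} ACCEPT OK")

    # beacon: one flow per 20-minute slot, +/-30 s jitter around the slot middle
    for k in range(DAY // 1200):
        lines.append(line("10.0.1.23", "203.0.113.10", 443,
                          T0 + 600 + 1200 * k + rng.randint(-30, 30)))
    # normal client: three bursts of 40 connections within five minutes each
    for burst_start in (T0 + 9 * 3600, T0 + 13 * 3600, T0 + 17 * 3600):
        for _ in range(40):
            lines.append(line("10.0.1.40", "198.51.100.7", 443,
                              burst_start + rng.randint(0, 300)))
    rng.shuffle(lines)
    return lines


def parse(lines):
    """Yield (src, dst, dport, start) from default-format flow-log lines."""
    for ln in lines:
        f = ln.split()
        if f[0] != "2" or f[13] != "OK":          # skip NODATA / SKIPDATA records
            continue
        yield f[3], f[4], int(f[6]), int(f[10])


def histogram(flows, bin_seconds, t0=T0, span=DAY):
    """Count flows per (src, dst, dport) per time bin of the given width."""
    nbins = span // bin_seconds
    hist = defaultdict(lambda: [0] * nbins)
    for src, dst, dport, start in flows:
        b = (start - t0) // bin_seconds
        if 0 <= b < nbins:
            hist[(src, dst, dport)][b] += 1
    return hist


def beacon_score(counts):
    """Occupancy (share of bins with traffic) and coefficient of variation."""
    occupancy = sum(1 for c in counts if c) / len(counts)
    mean = statistics.fmean(counts)
    cv = statistics.pstdev(counts) / mean if mean else float("inf")
    return occupancy, cv


def find_beacons(lines, bin_seconds=1200, min_occupancy=0.9, max_cv=0.5):
    """Pairs present in nearly every bin with a near-constant count."""
    hits = []
    for key, counts in histogram(parse(lines), bin_seconds).items():
        occupancy, cv = beacon_score(counts)
        if occupancy >= min_occupancy and cv <= max_cv:
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    logs = build_flow_logs()
    for width in (1, 60, 1200):
        print(f"bin = {width:5d} s ->", find_beacons(logs, bin_seconds=width))
```

The 20-minute bin works here because it matches the beacon's period; in practice sweep a few bin widths (and look at inter-arrival times directly), since a beacon whose period or jitter straddles bin edges will not give a constant per-bin count. Bursty but legitimate traffic (updates, backups) scores low on occupancy, which is why the two metrics are combined.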
33. MVP 1 – Batch processing: 20 min and daily (architecture diagram; components as numbered in the figure)
Input: VPC Flow Logs
1-1. Lambda runs on schedule
1-2. Lambda – collect ENI data per account
2. Amazon Kinesis Firehose
3. Store raw data in S3
4. Amazon Glacier
5. EMR 20-min batch
5a. Spark data-prep application, store in S3
5b. Store enriched data in S3
5c. k-Means
5d. Identify changes
6. Cluster history by host communication
7. Cluster-changed alarm
8. EMR run daily
9. Spark data-prep application, store in S3
10. Daily batch Spark Streaming k-Means
11. Hive Metastore
12. Presto on-demand EMR and Spark cluster
13. Zeppelin notebook (EC2)
35. NIST 800-53 Configuration Management Family (CM)
CM-2 Baseline Configuration
Control: The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
Supplemental guidance: This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time.[1]
[1] NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Translation skills – Configuration management
37. Translation skills – Configuration management
• Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications
• Keywords (nouns): "Documented [...] sets of specifications"
Component           Documentation
Network             Routing tables, FW rules, load-balancer policies, subnets
Operating system    Version, libraries, patch level
Applications        Code, build parameters, dependencies, configuration files
38. Translation skills – Configuration management
• Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications
• Keywords (verbs): "[...] formally reviewed and agreed-upon [...]"
Component           Review
Network             Tickets, service requests, code commit, pull request
Operating system    Master image, code commit, build
Applications        Tickets, code commit, build, pull request
39. Configuration management: "End to End"
Improvement cycle
- Broaden scope, Service Catalog
- Correct deficiencies, remediate
40. Configuration management: "End to End"
Example architecture (diagram)
Control design: AWS CloudFormation template in AWS CodeCommit
Control implementation: AWS CodePipeline deploys the template (EC2, VPC, SecGroups, RDS, APIGW)
Validation of effectiveness: AWS CloudTrail, AWS Config
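Added example, not from the slides: a drift check in the spirit of the "validation of effectiveness" stage of this architecture. It compares the baseline that the template declares (network, operating system and application items, as in the slide 37 table) with the state an inventory tool such as AWS Config would report, and ranks each difference. Both documents, the resource names and the version strings are constructed; the severity rules are illustrative and are where a team's own policy would go.

```python
"""CM-2 baseline drift check on constructed data: baseline = what the template
declares, observed = what the inventory reports.  Not the slides' own code."""
import copy

# Constructed baseline; identifiers and versions are hypothetical
BASELINE = {
    "network": {
        "sg-web-ingress": {("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "10.0.0.0/8")},
        "routes": {("0.0.0.0/0", "igw-hypothetical"), ("10.0.0.0/16", "local")},
        "subnets": {"10.0.1.0/24", "10.0.2.0/24"},
    },
    "os": {"ami": "ami-baseline-2017-06", "kernel": "4.9.32", "patch_level": "2017-06-15"},
    "app": {"commit": "a1b2c3d", "deps": {"requests==2.18.1", "boto3==1.4.4"}},
}

# Constructed observed state with three kinds of drift
OBSERVED = copy.deepcopy(BASELINE)
OBSERVED["network"]["sg-web-ingress"].add(("tcp", 3389, "0.0.0.0/0"))   # RDP opened to the world
OBSERVED["os"]["kernel"] = "4.9.30"                                      # instance not rebuilt from image
OBSERVED["app"]["deps"].discard("boto3==1.4.4")                          # dependency missing


def diff_baseline(baseline, observed, path=""):
    """Return (path, change, detail) tuples; an empty list means no drift.
    Dicts are walked recursively, sets are compared as rule sets, and any
    other value is compared for equality."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        p = f"{path}/{key}"
        if key not in observed:
            findings.append((p, "missing", baseline[key]))
        elif key not in baseline:
            findings.append((p, "unmanaged", observed[key]))
        else:
            b, o = baseline[key], observed[key]
            if isinstance(b, dict):
                findings.extend(diff_baseline(b, o, p))
            elif isinstance(b, (set, frozenset)):
                for item in sorted(o - b):
                    findings.append((p, "added", item))
                for item in sorted(b - o):
                    findings.append((p, "removed", item))
            elif b != o:
                findings.append((p, "changed", (b, o)))
    return findings


WORLD = {"0.0.0.0/0", "::/0"}
RANK = {"high": 0, "medium": 1, "low": 2}


def severity(finding):
    """Illustrative ranking: new world-reachable ingress is the one case that
    calls for immediate remediation rather than a ticket."""
    path, change, detail = finding
    if change == "added" and "sg-" in path and isinstance(detail, tuple) and detail[2] in WORLD:
        return "high"
    if change in ("added", "removed", "unmanaged") and "/network" in path:
        return "medium"
    return "low"


def drift_report(baseline, observed):
    """Findings as (severity, path, change, detail), highest severity first."""
    rows = [(severity(f),) + f for f in diff_baseline(baseline, observed)]
    return sorted(rows, key=lambda r: (RANK[r[0]], r[1]))


if __name__ == "__main__":
    for sev, path, change, detail in drift_report(BASELINE, OBSERVED):
        print(f"{sev:6s} {path:28s} {change:9s} {detail}")
```

The useful property for the "end to end" loop is that the baseline is the same artefact the pipeline deploys, so a finding is always either a change that bypassed the pipeline (remediate, and ask CloudTrail who made it) or a baseline that has fallen behind the system (cut a new baseline), which is exactly the maintenance CM-2 asks for.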