1 of 26

Dealing with an Adolescent Cloud

Ross Young

CISO

CAT Financial

CYBERSECURITY

Caterpillar: Non-Confidential

2 of 26

Cloud Journey is Inevitable

  • Europe and China require data to remain in their countries
  • You already use 10+ SaaS solutions (GitHub, Salesforce, …)
  • Your Executives believe it is cheaper 
  • Your Fortran Developers and Mainframes are no longer supported

3 of 26

And Then There Were Two

  • AWS probably won your initial contract
  • You still run Applications On-Premises for 3-5 years while you transition
  • Another part of the organization decides they want a different cloud
    • Azure - Enterprise Desktop Organization wants Office 365, OneDrive, & SharePoint
    • Google Cloud - Data Scientists want Google's Machine Learning or Google Firebase/K8s

4 of 26

Multi-Cloud Wasn't Enough 

  • You are on a Digital Transformation
    • Agile
    • AI/ML
    • Blockchain
    • Containers
    • DevOps
    • DevSecOps
    • IoT
    • Kubernetes
    • Serverless

5 of 26

AWS Best Practices

Overwhelmed yet?

6 of 26

Prepare

Prepare for security events

Keep

Keep people away from data

Protect

Protect data in transit and at rest

Automate

Automate security best practices

Apply

Apply security at all layers

Enable

Enable traceability

Implement

Implement a strong identity foundation

7 of 26

1) Implement a strong identity foundation

Access Control, Authorization, Least Privilege, & Separation of Duties

Fundamental

    • SAML 
    • MFA

Advanced - Limit the AWS resources for each Application

  • Action Hero - Tells developers which API calls are being made
  • Policy Sentry - Simple CRUD-style YAML list to create IAM JSON
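The CRUD-to-policy expansion the slide describes, as an added example that is not part of the deck and is not Policy Sentry's own code: a spec listing which ARNs an application reads, writes or lists is expanded into an IAM policy with one statement per service and access level, scoped to exactly those ARNs. The action table is an assumption kept deliberately small (a real tool derives it from the full AWS action database), and the ARNs in the sample spec are constructed. A second function flags the "developers initially granted * access" pattern the deck warns about later.

```python
import json

# Illustrative action table for two services. Assumption: a real tool such as
# Policy Sentry derives this from the full AWS IAM action database; this small
# subset only exists to show the expansion from access level to actions.
ACCESS_LEVELS = {
    "s3": {
        "read": ["s3:GetObject", "s3:GetObjectVersion"],
        "write": ["s3:PutObject", "s3:DeleteObject"],
        "list": ["s3:ListBucket"],
    },
    "sqs": {
        "read": ["sqs:ReceiveMessage", "sqs:GetQueueAttributes"],
        "write": ["sqs:SendMessage", "sqs:DeleteMessage"],
        "list": ["sqs:ListQueues"],
    },
}


def service_of(arn):
    """Return the service field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return parts[2]


def build_policy(spec):
    """Expand {"read": [arns], "write": [arns], "list": [arns]} into an IAM policy
    with one Allow statement per (service, access level), each scoped to the ARNs
    listed for that level and nothing else."""
    grouped = {}  # (service, level) -> set of ARNs
    for level in ("read", "write", "list"):
        for arn in spec.get(level, []):
            grouped.setdefault((service_of(arn), level), set()).add(arn)

    statements = []
    for (svc, level), arns in sorted(grouped.items()):
        actions = ACCESS_LEVELS.get(svc, {}).get(level)
        if not actions:
            raise ValueError(f"no {level} actions known for service {svc}")
        statements.append({
            "Sid": f"{svc.capitalize()}{level.capitalize()}",
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": sorted(arns),
        })
    return {"Version": "2012-10-17", "Statement": statements}


def wildcard_findings(policy):
    """Flag Allow statements whose Action or Resource is '*' or 'service:*'."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for field in ("Action", "Resource"):
            values = stmt.get(field, [])
            if isinstance(values, str):
                values = [values]
            if any(v == "*" or v.endswith(":*") for v in values):
                findings.append(f"{stmt.get('Sid', '<no Sid>')}: wildcard in {field}")
    return findings


if __name__ == "__main__":
    # Constructed spec, the dict form of the CRUD-style YAML a tool would read.
    spec = {
        "read": ["arn:aws:s3:::example-bucket/*"],
        "write": ["arn:aws:s3:::example-bucket/*",
                  "arn:aws:sqs:us-east-1:123456789012:example-queue"],
        "list": ["arn:aws:s3:::example-bucket"],
    }
    policy = build_policy(spec)
    print(json.dumps(policy, indent=2))
    print("wildcard findings:", wildcard_findings(policy))
```

The generated document is what a reviewer compares against the application's actual API calls (the Action Hero side of the slide): any call not covered by a statement is a gap in the spec, not a reason to widen a statement to `*`.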

8 of 26

Action Hero By Anthony Barbieri

9 of 26

Automated Tests with Helium 

10 of 26

Policy Sentry by Kinnaird McQuade

11 of 26

2) Enable Traceability

Monitor, alert, and audit actions and changes to your environment

Fundamental

  • CloudWatch – log everything
  • CloudTrail – record every AWS action

Advanced

  • Cloud Custodian – Automate Security Monitoring & Response
  • Scout Suite – Multi Cloud Security Auditing Tool
  • Fargate + Prowler -> AWS Security Hub – Automate Cloud Findings
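"Record every AWS action" only pays off when something reads the records. As an added example (not part of the deck, and not code from Cloud Custodian or any other tool named above), the block below runs four detection rules over CloudTrail records: a console login that succeeded without MFA, changes to the trail itself (StopLogging, DeleteTrail, UpdateTrail, PutEventSelectors), a security group ingress rule opened to 0.0.0.0/0, and any activity by the root account. The records are constructed and trimmed to the fields the rules use; real records carry many more.

```python
# Constructed CloudTrail records (not real log data), reduced to the fields the
# rules below look at. Field names follow the CloudTrail record format.
SAMPLE_EVENTS = [
    {"eventTime": "2020-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2020-05-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail"}},
    {"eventTime": "2020-05-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.11",
     "requestParameters": {"groupId": "sg-0123456789abcdef0",
                           "ipPermissions": {"items": [
                               {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2020-05-01T10:09:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"},
     "sourceIPAddress": "10.0.1.5"},
    {"eventTime": "2020-05-01T10:12:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userIdentity": {"type": "Root"},
     "sourceIPAddress": "203.0.113.12"},
]

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def console_login_without_mfa(ev):
    """Successful console login where MFAUsed is anything other than "Yes"."""
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def cloudtrail_tampering(ev):
    """Calls that stop, delete or reconfigure the trail that produces these records."""
    return (ev.get("eventSource") == "cloudtrail.amazonaws.com"
            and ev.get("eventName") in TRAIL_TAMPERING)


def world_open_ingress(ev):
    """Security group ingress rule whose IPv4 range is the whole Internet."""
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = ev.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    return any(rng.get("cidrIp") == "0.0.0.0/0"
               for perm in perms
               for rng in perm.get("ipRanges", {}).get("items", []))


def root_activity(ev):
    """Any API call made with root credentials."""
    return ev.get("userIdentity", {}).get("type") == "Root"


RULES = [
    ("console-login-without-mfa", console_login_without_mfa),
    ("cloudtrail-tampering", cloudtrail_tampering),
    ("security-group-open-to-world", world_open_ingress),
    ("root-account-activity", root_activity),
]


def actor(ev):
    """Best available identifier for who made the call."""
    ident = ev.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def evaluate(events):
    """Return one (rule, eventTime, actor, eventName) tuple per matching event and rule."""
    findings = []
    for ev in events:
        for name, pred in RULES:
            if pred(ev):
                findings.append((name, ev.get("eventTime"), actor(ev), ev.get("eventName")))
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(*finding)
```

The ordinary `GetObject` by the application role produces nothing, which is the point: the rules key on the small set of control-plane actions that change who can see what, so they stay readable when pointed at a full trail.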

12 of 26

Things to Monitor on AWS

13 of 26

14 of 26

Scout Suite - Multi-cloud security-auditing tool

15 of 26

3) Apply Security at All Layers

Defense in Depth approach with multiple security controls

Fundamental

  • Basic patching of a web server - OS, runtimes, app server, web frameworks, app libraries
  • Network controls to limit access - VPC, Security Groups, & WAFs

Advanced

  • Automated AMI vulnerability assessments - AWS Inspector
  • Real-time system inventory - vulnerability management + RASP solution

16 of 26

AWS Inspector – Automated AMI scanning

17 of 26

Real Time Asset Inventory (Qualys Asset Inventory + Contrast Security)

18 of 26

4) Automate security best practices

Make Security Policy Code

Fundamental

  • Lock down S3 buckets

Advanced

  • Automated Security Guidance
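"Lock down S3 buckets" as policy code, added here as an example that is not part of the deck and is not Checkov's or AWS's own code: one function assesses a bucket against three things an auditor checks first (the four public-access-block flags, ACL grants to AllUsers or AuthenticatedUsers, and bucket-policy statements that allow Principal `*` without a Condition). The argument shapes follow the responses of boto3's `get_public_access_block`, `get_bucket_acl` and `get_bucket_policy`, so the function can be fed live responses; the two sample buckets below are constructed. A bucket with no public access block configured is passed as `None`, which is how the assumption "boto3 raised NoSuchPublicAccessBlockConfiguration" is represented here.

```python
import json

# Grantee URIs that make an ACL grant public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# All four flags must be on for the bucket to count as locked down.
REQUIRED_PAB = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def assess_bucket(name, public_access_block, acl, policy_json):
    """Return a list of findings for one bucket; an empty list means locked down.
    public_access_block: get_public_access_block response, or None if unset.
    acl: get_bucket_acl response.  policy_json: the "Policy" string from
    get_bucket_policy, or None when the bucket has no policy."""
    findings = []

    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    for flag in REQUIRED_PAB:
        if not pab.get(flag, False):
            findings.append(f"{name}: public access block setting {flag} is off")

    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{name}: ACL grants {grant.get('Permission')} to {group}")

    if policy_json:
        statements = json.loads(policy_json).get("Statement", [])
        if isinstance(statements, dict):
            statements = [statements]
        for stmt in statements:
            if (stmt.get("Effect") == "Allow"
                    and is_public_principal(stmt.get("Principal"))
                    and "Condition" not in stmt):
                sid = stmt.get("Sid", "<no Sid>")
                findings.append(f"{name}: policy statement {sid} allows Principal * without a Condition")
    return findings


# Constructed sample inputs.
LOCKED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
OWNER_ONLY_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}
PUBLIC_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::exposed-bucket/*"}]})

if __name__ == "__main__":
    print(assess_bucket("locked-bucket", LOCKED_PAB, OWNER_ONLY_ACL, None))
    for line in assess_bucket("exposed-bucket", None, PUBLIC_ACL, PUBLIC_POLICY):
        print(line)
```

Run in a pipeline, the non-empty list is the guidance the slide calls automated: it names the exact setting to change rather than reporting "bucket is public".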

19 of 26

20 of 26

Checkov GitHub Actions for Terraform and CloudFormation

21 of 26

5) Protect data in transit and at rest

Encrypt, Tokenize, and Limit Access to Your Data

Fundamental

  • TLS 1.2
  • Encryption at Rest

Advanced

  • Required WAF, VPC Flow Logs, GuardDuty, … – AWS Config
  • API security scanning - OWASP Top 10
  • Tokenization & Test Data (PCI, HIPAA, …)
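The two fundamentals on this slide, as an added example that is not part of the deck and is not AWS's or any vendor's code: a client TLS context that refuses anything below TLS 1.2, the AWS-documented `aws:SecureTransport` bucket-policy statement that turns "TLS 1.2" from a client preference into a server-side rule, a check that a given policy contains such a statement, and a check of the default encryption setting from a boto3 `get_bucket_encryption` response. The bucket name and responses used at the bottom are constructed.

```python
import json
import ssl


def tls_client_context():
    """Client-side context for any HTTPS call; TLS 1.0/1.1 are refused outright."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def deny_insecure_transport(bucket):
    """Bucket-policy statement (the aws:SecureTransport pattern from the AWS
    documentation) that rejects every plaintext request to the bucket and its objects."""
    return {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def requires_tls(policy):
    """True if the policy has a Deny that fires when aws:SecureTransport is false."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        cond = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if stmt.get("Effect") == "Deny" and str(cond).lower() == "false":
            return True
    return False


def default_encryption(resp):
    """SSE algorithm ("AES256" or "aws:kms") from a get_bucket_encryption response,
    or None when no default encryption rule exists. Assumption: a bucket with no
    configuration is passed as None (boto3 raises in that case)."""
    rules = (resp or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None


# Constructed samples.
KMS_ENCRYPTED = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/example-key-id"}}]}}

if __name__ == "__main__":
    policy = {"Version": "2012-10-17",
              "Statement": [deny_insecure_transport("example-data-bucket")]}
    print(json.dumps(policy, indent=2))
    print("requires TLS:", requires_tls(policy))
    print("default encryption:", default_encryption(KMS_ENCRYPTED))
    print("minimum TLS:", tls_client_context().minimum_version)
```

`requires_tls` and `default_encryption` are the shape of check AWS Config managed rules perform on the next slide; expressing them in code makes them usable in a pre-deployment pipeline as well as against the live account.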

22 of 26

One Stop Shop for AWS Compliance

  • Managed Rules
  • Encryption
  • GuardDuty
  • Rotating Secrets
  • Shield
  • VPC Flow logs
  • WAF

23 of 26

6) Keep people away from data

Reduce or Eliminate Direct Access to Data

Fundamental

  • Public Databases / S3 buckets

Advanced

  • Remove unused accesses – IAM Access Analyzer
  • Block all RDP/VNC/SSH access to Production
    • We don’t remote into production
    • We write better logs & we generate better backups

24 of 26

Analyze Access Continuously and Remediate Broad Accesses

  • Developers initially granted * access
  • Use IAM access analyzer to monitor:
    • IAM Roles, S3 Buckets, Lambda functions, KMS Keys, SQS Queues
  • Identify when services were used by the development team
    • aws iam get-service-last-accessed-details --job-id 98a765b4-3cde-2101-2345-example678f9
  • If access isn’t used in X days, then remove
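The "remove if unused in X days" step above, worked through as an added example that is not part of the deck and is not AWS's own code. The report is constructed in the shape `aws iam get-service-last-accessed-details` returns for a completed job (services the entity never used have no `LastAuthenticated` field); one function lists the service namespaces unused for longer than the cut-off, and a second drops those namespaces from a policy's explicit action lists while reporting statements whose `*` action cannot be trimmed mechanically. The policy and dates are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed report in the shape of `aws iam get-service-last-accessed-details`
# (the real call takes the job id from generate-service-last-accessed-details).
SAMPLE_REPORT = {
    "JobStatus": "COMPLETED",
    "JobCreationDate": "2020-06-01T00:00:00Z",
    "JobCompletionDate": "2020-06-01T00:00:05Z",
    "ServicesLastAccessed": [
        {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
         "LastAuthenticated": "2020-05-28T09:12:00Z", "TotalAuthenticatedEntities": 1},
        {"ServiceName": "Amazon DynamoDB", "ServiceNamespace": "dynamodb",
         "LastAuthenticated": "2019-11-02T15:40:00Z", "TotalAuthenticatedEntities": 1},
        {"ServiceName": "AWS Key Management Service", "ServiceNamespace": "kms",
         "TotalAuthenticatedEntities": 0},
    ],
}

# Constructed policy attached to the development role.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Data", "Effect": "Allow",
     "Action": ["s3:GetObject", "dynamodb:GetItem", "kms:Decrypt"], "Resource": "*"},
    {"Sid": "Legacy", "Effect": "Allow", "Action": "*", "Resource": "*"},
]}


def parse_ts(text):
    """CloudTrail/IAM timestamps are UTC with a trailing Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_services(report, now, max_days):
    """Namespaces with no authenticated use in the last max_days, never-used ones included."""
    if report.get("JobStatus") != "COMPLETED":
        raise ValueError(f"report not ready: {report.get('JobStatus')}")
    cutoff = now - timedelta(days=max_days)
    stale = []
    for svc in report.get("ServicesLastAccessed", []):
        last = svc.get("LastAuthenticated")
        if last is None or parse_ts(last) < cutoff:
            stale.append(svc["ServiceNamespace"])
    return sorted(stale)


def trim_policy(policy, stale):
    """Return (trimmed policy, Sids left untouched). Explicit actions whose service
    namespace is stale are dropped and empty statements removed; a statement with
    Action "*" is kept as-is and reported, because only a rewrite can narrow it."""
    stale = set(stale)
    kept, untrimmable = [], []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "*" in actions:
            untrimmable.append(stmt.get("Sid", "<no Sid>"))
            kept.append(stmt)
            continue
        remaining = [a for a in actions if a.split(":", 1)[0] not in stale]
        if remaining:
            kept.append({**stmt, "Action": remaining})
    return {**policy, "Statement": kept}, untrimmable


if __name__ == "__main__":
    now = parse_ts("2020-06-01T00:00:00Z")
    stale = stale_services(SAMPLE_REPORT, now, max_days=90)
    print("unused for 90+ days:", stale)
    trimmed, untrimmable = trim_policy(SAMPLE_POLICY, stale)
    print("trimmed:", trimmed["Statement"])
    print("needs manual rewrite:", untrimmable)
```

The `Legacy` statement is the "developers initially granted * access" case: last-accessed data tells you which services to keep, but the statement itself has to be replaced with explicit actions (for instance from a CRUD-style spec) before the report can trim it.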

25 of 26

7) Prepare for security events

Events happen! Have an incident response plan that’s tested

Fundamental

  • Having Incident Response Teams

Advanced

26 of 26

THANK YOU!

Questions

Ross Young

LinkedIn- https://www.linkedin.com/in/mrrossyoung/

SANS- https://www.sans.org/instructors/ross-young