Amazon Inspector is a vulnerability assessment service that helps customers identify security vulnerabilities and deviations from best practices in their AWS environment. It automates security checks, integrates with DevOps workflows, and provides remediation guidance to help customers comply with frameworks like CIS benchmarks. The service scans infrastructure for vulnerabilities and exposures, with findings presented in a standardized format to facilitate automated remediation. Pricing is based on the number of "agent-assessments" performed.
2. What to expect from this session
• Why did we build Amazon Inspector?
• What is Amazon Inspector?
• How much does it cost?
• What does it help protect against?
• How does it help me with remediation?
• Where do APN Technology Partners fit?
• What regions are supported?
• What’s next for Amazon Inspector?
3. DevOps & Cloud
• Like Pretzels & Beer
• Better alignment with customer needs
• Increased ownership by developers
• Continuous feedback & bug discovery
• Configuration & Infrastructure is part of the code
• More frequent code rollouts
• Automation
• Better focus on operational excellence
• Cloud provides infrastructure as code
• Improved availability
• Cost optimization
6. It’s not about DevOps + Security
• Not enough security professionals on the planet to do this
• Security teams need their own automation to keep up with automated deployments!
• Security as code
• Seamless integration with CI/CD pipelines
• Ability to scan and run test suites in parallel
• Ability to automate remediation
• Consumable by APN technology partners as microservices
• www.devsecops.org
7. Amazon Inspector
• Vulnerability Assessment Service
• Built from the ground up to support DevSecOps
• Automatable via APIs
• Integrates with CI/CD tools
• On-Demand Pricing model
• Static & Dynamic Rules Packages
• Generates Findings
8. The Value of Vulnerability Assessments
“[With] any large network, I will tell you that persistence and focus will get you in, we’ll achieve that exploitation without the zero days,” he says. “There’s so many more vectors that are easier, less risky and quite often more productive than going down that route.” This includes, of course, known vulnerabilities for which a patch is available but the owner hasn’t installed it.
- Rob Joyce, NSA TAO, Enigma 2016
11. Supported Agent Operating Systems
• Red Hat Enterprise Linux (7.2 or later)
• CentOS (7.2 or later)
• Ubuntu (14.04 LTS or later)
• Amazon Linux (2015.03 or later)
• Microsoft Windows (2012, 2008 R2) - Preview
16. Pricing
• Free Trial
• 250 agent-assessments for first 90 days using the service
• Based on Agent-Assessments
• 1 assessment with 10 agents = 10 agent-assessments
• 5 assessments with 2 agents = 10 agent-assessments
• 10 assessments with 1 agent = 10 agent-assessments
• 10 agent-assessments = $3.00
Price per agent-assessment:
First 250 agent-assessments: $0.30
Next 750 agent-assessments: $0.25
Next 4000 agent-assessments: $0.15
Next 45,000 agent-assessments: $0.10
All other agent-assessments: $0.05
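The slide gives the tier table and one worked number (10 agent-assessments = $3.00, i.e. $0.30 each in the first tier). The calculator below is an added example, not code from the deck or from AWS: it charges a volume of agent-assessments marginally, tier by tier, and uses the slide's own numbers as checks. The tier sizes and prices are the ones on the slide; how the 250-agent-assessment free trial interacts with the tiers is not stated there, so it is left out.

```python
# Added example (not from the deck or from AWS): marginal tiered pricing for
# agent-assessments as listed on the pricing slide.
from decimal import Decimal

# (agent-assessments in the tier, USD per agent-assessment); None = unbounded tail.
TIERS = [
    (250, Decimal("0.30")),
    (750, Decimal("0.25")),
    (4000, Decimal("0.15")),
    (45000, Decimal("0.10")),
    (None, Decimal("0.05")),
]


def agent_assessments(runs):
    """Sum (assessments, agents per assessment) pairs into agent-assessments.
    The slide's three examples (1x10, 5x2, 10x1) all come to 10."""
    return sum(assessments * agents for assessments, agents in runs)


def cost(count):
    """USD cost of `count` agent-assessments, charged tier by tier: the first
    250 at $0.30, the next 750 at $0.25, and so on down to $0.05."""
    remaining = count
    total = Decimal("0")
    for size, price in TIERS:
        if remaining <= 0:
            break
        taken = remaining if size is None else min(remaining, size)
        total += taken * price
        remaining -= taken
    return total


def effective_rate(count):
    """Blended USD per agent-assessment at a given volume, to show how far
    the tiers pull the average below the $0.30 first-tier rate."""
    if count <= 0:
        return Decimal("0")
    return cost(count) / count


if __name__ == "__main__":
    for n in (10, 1000, 5000, 50000, 100000):
        print(f"{n:>7} agent-assessments: ${cost(n):>9}  (avg ${effective_rate(n):.4f})")
```

`cost(10)` reproduces the slide's $3.00; the first 1,000 agent-assessments cost 250 x 0.30 + 750 x 0.25 = $262.50, a blended $0.2625 each.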
17. Anatomy of an attack
(Diagram) Components shown in the request path: Service, SOAP Encode/Decode, XML Parser, Application, Database
18. Example Exploit
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "c:/boot.ini">
]>
<foo>&xxe;</foo>
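The payload above works only because the XML parser in the request path honours the DTD it carries. The hardened parser below is an added example, not code from the deck: it refuses any document that declares a DOCTYPE before the parser ever sees it (the same default stance the defusedxml library takes), and it includes a separate detection helper that flags external entity declarations for logging. The payload and the benign document are embedded as constructed samples; the class and function names are the example's own.

```python
# Added example (not from the deck): refuse DTD-bearing XML ahead of parsing.
import re
import xml.etree.ElementTree as ET

# Constructed sample: the XXE payload from the slide, as the bytes a service
# would receive on the wire.
XXE_PAYLOAD = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "c:/boot.ini">
]>
<foo>&xxe;</foo>"""

# Constructed sample: ordinary application data, no DTD.
BENIGN = b'<?xml version="1.0"?><foo><bar>hello</bar></foo>'

# Every XXE variant needs a DOCTYPE (internal or external subset), and
# ordinary application payloads never need one, so the whole class of
# attack is cut off by refusing the declaration outright.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
_EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised when an inbound document declares a DTD."""


def safe_parse(data: bytes) -> ET.Element:
    """Parse untrusted XML, refusing documents that declare a DOCTYPE."""
    if _DOCTYPE_RE.search(data):
        raise UnsafeXMLError("DOCTYPE declaration refused")
    return ET.fromstring(data)


def is_xxe_candidate(data: bytes) -> bool:
    """Detection helper for logging or alerting: True when the document
    declares an external (SYSTEM/PUBLIC) entity, the signature of an XXE attempt."""
    return _EXTERNAL_ENTITY_RE.search(data) is not None


def classify(data: bytes) -> str:
    """Root tag for documents that parse, or 'refused' for DTD-bearing ones."""
    try:
        return safe_parse(data).tag
    except UnsafeXMLError:
        return "refused"


if __name__ == "__main__":
    for name, doc in (("payload", XXE_PAYLOAD), ("benign", BENIGN)):
        print(name, classify(doc), "xxe-like" if is_xxe_candidate(doc) else "")
```

Rejecting the DOCTYPE is deliberately cruder than configuring entity resolution per parser: it does not depend on which XML library sits behind the SOAP layer or on that library's defaults, which is what makes it a dependable control at the service boundary.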
21. Common Vulnerabilities & Exposures
• Tagged list of publicly known info security issues
• Vulnerabilities
• A mistake in software that can be used to gain unauthorized system access
• Execute commands as another user
• Pose as another entity
• Conduct a denial of service
• Exposures
• A mistake in software that allows access to information that can lead to unauthorized system access
• Allows an attacker to hide activities
• Enables information-gathering activities
22. CIS Secure Configuration Benchmarks
Kathleen Patentreger, Senior Vice President, Center for Internet Security
Laurie Hester, Program Executive, Center for Internet Security
23. Who is CIS?
• Pioneer in forming global IT communities
• Developer of key best practices for immediate and effective defenses against cyber attacks
• Industry standard for security best practices
CIS delivers Confidence in the Connected World
24. CIS can help your organization
Our Mission:
• Create and promote best practices in cybersecurity
• Deliver solutions to prevent and rapidly respond to cyber incidents
• Build trust in cyberspace
Our Programs:
• MS-ISAC (SLTT support)
• CIS Critical Security Controls
• CIS Security Benchmarks
25. What is a “Benchmark?”
• Security configuration guide
• Consensus-based development process
• PDF versions are free via our website
• 433K+ downloads last year
26. What’s inside a Benchmark?
What it applies to…
Who helped make it…
How to interpret…
What to do…
Why to do it…
How to do it…
How do you know you did it…
27. Amazon and CIS
• CIS AWS Foundations Benchmark:
• Provides recommendations for the security of your AWS account
Amazon Inspector:
• CIS Security Software Vendor Membership and certification service assesses against the following CIS Benchmark:
Amazon Linux 2014.09-2015.03
Add’l CIS Benchmarks scheduled
28. CIS Amazon Machine Images (AMIs)
System is configured from launch to be in conformance with the CIS Benchmark
AMIs currently available include:
• Amazon Linux 2014.09* -2015.03
• Debian 8*
• Microsoft Windows Server 2008, 2008 R2, 2012 & 2012 R2
• Red Hat Enterprise Linux 5*, 6 & 7
• SUSE Linux Enterprise Server 11* & 12*
• CentOS Linux 6* & 7
• Ubuntu 12.04* & 14.04 LTS Server
*Access via CIS Membership only, not available in AWS Marketplace
29. How to access the CIS Amazon Machine Images (AMIs) in Amazon Elastic Compute Cloud (EC2)
• AWS Marketplace
• CIS Security Benchmarks Membership
Future plans:
• GovCloud - More details to come in May
• Intelligence Community (IC) Marketplace
For more information, visit https://benchmarks.cisecurity.org or contact us at members@cisecurity.org.
30. Amazon Inspector
• Rules Packages
• Common Vulnerabilities & Exposures
• CIS Operating System Security Configuration Benchmarks
• Security Best Practices
• Runtime Behavior Analysis
31. Security Best Practices
• Authentication
• Network Security
• Operating System
• Application Security
• Disable root login over SSH
• Password complexity
• Permissions for system directories
• Secure protocols
• Data execution prevention enabled
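Two of the checks listed above, "Disable root login over SSH" and "Secure protocols", can be illustrated as configuration-audit logic. The checker below is an added example, not Inspector's own rule code: Inspector's rules run on the instance through the agent, while this one only reads sshd_config text. The sample configuration is constructed, and the function names and severity labels are the example's own.

```python
# Added example (not Inspector's rule code): audit sshd_config text for root
# login over SSH and for SSH protocol version 1.

# Constructed sample sshd_config. sshd applies the first value it sees for a
# keyword, so the second PermitRootLogin line below never takes effect.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
# a later duplicate is ignored by sshd: first value wins
PermitRootLogin no
"""


def parse_sshd_config(text):
    """Return {keyword: value} with keywords lower-cased (sshd matches them
    case-insensitively). First occurrence of a keyword wins, as in sshd.
    Match blocks are not modelled, a simplification of this example."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def audit_sshd(text):
    """Return (severity, message) pairs for the two rules; empty when clean."""
    conf = parse_sshd_config(text)
    results = []

    root = conf.get("permitrootlogin")
    if root is None:
        # Not stated explicitly: whatever the server build's default is applies,
        # which is worth surfacing rather than assuming it is safe.
        results.append(("Medium", "PermitRootLogin is not set; the server default applies"))
    elif root.lower() == "yes":
        results.append(("High", "root login over SSH is enabled (PermitRootLogin yes)"))

    proto = conf.get("protocol")
    if proto is not None and "1" in [p.strip() for p in proto.split(",")]:
        results.append(("High", "SSH protocol version 1 is enabled (Protocol %s)" % proto))

    return results


if __name__ == "__main__":
    for severity, message in audit_sshd(SAMPLE_SSHD_CONFIG):
        print(severity, message)
```

The first-occurrence rule matters in practice: a hardening script that appends `PermitRootLogin no` to the end of the file leaves an earlier `yes` in force, and a checker that took the last value would report the host as compliant when sshd does not.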
32. Runtime Behavior Analysis
• Package analyzes machine behavior during an assessment
• Unused listening ports
• Insecure client protocols
• Root processes with insecure permissions
• Insecure server protocols
• Impacts the severity of static findings
33. Automating Remediation
• Findings are JSON formatted and taggable
• Name of assessment target & template
• Start time, end time, status
• Name of rule packages
• Name & severity of the finding
• Description & remediation steps
• Lambda-ify your incident response
• Integrate with Jira-like services
• Integrate with Pagerduty-like services
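The routing a Lambda function would do with such findings is shown below as an added example, not Inspector's own code or a published integration: it takes findings in the JSON shape the slide describes, pages on High severity, files the rest with a Jira-like tracker, logs Informational items, and suppresses repeats of the same issue across nightly runs. The field names mirror the slide's list (target, template, times, status, rules package, name and severity, description and remediation) and are assumptions, not a verbatim copy of Inspector's finding schema; the sample findings are constructed.

```python
# Added example (not Inspector's code): route JSON findings to pager, tracker
# or log, deduplicating across assessment runs.
import json
from collections import defaultdict

# Constructed sample findings from two nightly runs; f-004 repeats f-001 a day later.
SAMPLE_FINDINGS = json.loads("""[
 {"id": "f-001", "assessmentTarget": "web-tier", "assessmentTemplate": "nightly",
  "startTime": "2016-05-01T02:00:00Z", "endTime": "2016-05-01T02:40:00Z",
  "status": "COMPLETED", "rulesPackage": "Common Vulnerabilities and Exposures",
  "severity": "High", "title": "i-EXAMPLE1: unpatched package (CVE id placeholder)",
  "description": "A package with a known, patched vulnerability is installed.",
  "recommendation": "Update the package and restart affected services."},
 {"id": "f-002", "assessmentTarget": "web-tier", "assessmentTemplate": "nightly",
  "startTime": "2016-05-01T02:00:00Z", "endTime": "2016-05-01T02:40:00Z",
  "status": "COMPLETED", "rulesPackage": "Security Best Practices",
  "severity": "Medium", "title": "i-EXAMPLE1: root login over SSH is enabled",
  "description": "PermitRootLogin is set to yes in sshd_config.",
  "recommendation": "Set PermitRootLogin to no and reload sshd."},
 {"id": "f-003", "assessmentTarget": "web-tier", "assessmentTemplate": "nightly",
  "startTime": "2016-05-01T02:00:00Z", "endTime": "2016-05-01T02:40:00Z",
  "status": "COMPLETED", "rulesPackage": "Runtime Behavior Analysis",
  "severity": "Informational", "title": "i-EXAMPLE1: unused listening port 8081",
  "description": "A process listened on TCP 8081 but received no traffic.",
  "recommendation": "Close the port or stop the service if it is not needed."},
 {"id": "f-004", "assessmentTarget": "web-tier", "assessmentTemplate": "nightly",
  "startTime": "2016-05-02T02:00:00Z", "endTime": "2016-05-02T02:41:00Z",
  "status": "COMPLETED", "rulesPackage": "Common Vulnerabilities and Exposures",
  "severity": "High", "title": "i-EXAMPLE1: unpatched package (CVE id placeholder)",
  "description": "A package with a known, patched vulnerability is installed.",
  "recommendation": "Update the package and restart affected services."}
]""")

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def dedup_key(finding):
    """Same target, rules package and title means the same open issue, even
    though each run assigns a fresh finding id."""
    return "|".join((finding["assessmentTarget"], finding["rulesPackage"], finding["title"]))


def to_ticket(finding):
    """The subset a ticketing or paging service needs, remediation text included."""
    return {
        "key": dedup_key(finding),
        "summary": finding["title"],
        "severity": finding["severity"],
        "remediation": finding["recommendation"],
        "run": "%s %s" % (finding["assessmentTemplate"], finding["startTime"]),
    }


def route(findings, page_at="High"):
    """Group findings by destination: 'pager' at or above page_at, 'log' for
    Informational, 'tracker' for the rest; repeats land in 'duplicate' as ids.
    Highest severity goes first (stable sort), so the earlier copy of a repeat
    is the one acted on."""
    queues = defaultdict(list)
    seen = set()
    ordered = sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    for f in ordered:
        key = dedup_key(f)
        if key in seen:
            queues["duplicate"].append(f["id"])
            continue
        seen.add(key)
        ticket = to_ticket(f)
        if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[page_at]:
            queues["pager"].append(ticket)
        elif f["severity"] == "Informational":
            queues["log"].append(ticket)
        else:
            queues["tracker"].append(ticket)
    return dict(queues)


def handler(event, context=None):
    """Lambda-style entry point: the event carries the findings list."""
    return route(event["findings"])


if __name__ == "__main__":
    print(json.dumps(handler({"findings": SAMPLE_FINDINGS}), indent=2))
```

The dedup key is what keeps a nightly schedule from opening a new ticket for the same unpatched host every day; in a real integration it would be persisted (for instance as a user attribute on the finding, which is what makes findings taggable) rather than kept in a per-invocation set.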
35. AWS Partner Network (APN)
• Technology Partner Program
• AWS Marketplace
• AWS Channel Reseller Program
• AWS Managed Service Partners
• AWS Partner Test Drives
36. Regions Supported
• GA
• US West (Oregon)
• EU (Ireland)
• US East (Virginia)
• Asia Pacific (Tokyo)
• GA + 1 Month
• Asia Pacific (Sydney)
• Asia Pacific (Seoul)
38. What’s Next for Amazon Inspector?
• Reporting
• AWS API Interception
• Threat Modeling
• Industry Specific Rules Packages