Running Security Incident Response Simulations (SIRS, also commonly called IR Game Days) regularly keeps your first responders in practice and ready to engage in real events. SIRS help you identify and close security gaps in your platform and application layers, and then validate your ability to respond. In this session, we will share a straightforward method for conducting SIRS. Then AWS enterprise customers will take the stage to share their experience running joint SIRS with AWS on their AWS architectures. Learn about detection, containment, data preservation, security controls, and more.
2. Here is what you get today…
• SIRS: What is it?
• Demo
• Case study
• How to engage AWS
• Get your game on
3. SIRS: What is it?
Inspiration:
“Nothing gives one person so much
advantage over another as to remain
always cool and unruffled under all
circumstances.”
-Thomas Jefferson
4. Ariana Grande speaks to simulation
“Dancing in high heels is kind of tough. I learn the
dances without the heels, and then we add them.
We just practice, and I get used to it. My feet hurt
really badly at the end of the shows, but it’s fun.
While it’s happening it’s fun. I feel tall.”
Did she get it right?
Quote from https://www.brainyquote.com/quotes/quotes/a/arianagran571274.html
5. Working backward: what do customers want?
1. Validate readiness
2. Generate artifacts for accreditation
3. Be agile – Incremental with laser focus
4. Get faster and improve tools
5. Refine escalation and communication
6. Get confident – Learn from and train staff
7. Get comfortable with the rare and the creative
6. Security Incident Response Simulations
1. Find an issue of importance.
2. Find skilled security geeks.
3. Build a realistic model system.
4. Build and test the scenario elements.
5. Invite other security geeks and real people.
6. Run the simulation live.
7. Get better and repeat.
69. When should I engage AWS Support?
Engage AWS Support any time an event might be
occurring that affects your ideal operational state.
70. When should I contact AWS Security?
If you are planning SIRS:
• Obtain permission to perform penetration testing/scanning.
• Confirm the SIRS does not violate the AUP.
72. Engaging human support
• You
• Technical account manager (TAM): your relationship POC, available with Enterprise Support
• Cloud support engineer (CSE): available with support
• Subject matter experts (SME)
75. Is your architecture built for IR?
• Real-time monitoring
• Logs at the ready
• Tagged for escalation
• Rapid recovery
• Rapid data preservation
• Forensic instances
• Late binding privileges for responders
77. Pick a scenario to try and get started
1. Web server application layer issue recovery
2. Log dive for artifacts
3. Data preservation
4. Credential rotation
5. Responding to alerts
6. Some sort of insider threat
7. Business owner and external communications
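One way to work the "Log dive for artifacts" scenario above, and to scope the key a "Credential rotation" drill would revoke, as an added example that is not code from this talk or from AWS: it parses constructed CloudTrail-format records, builds a per-access-key timeline, and flags keys used from outside an assumed trusted network or hitting AccessDenied. The trusted CIDR 203.0.113.0/24, the account ID 123456789012, the user names and the access key IDs are all assumptions made for the demo; only the record field names (eventTime, eventName, eventSource, sourceIPAddress, userIdentity, errorCode) follow CloudTrail's real layout.

```python
"""Log dive over CloudTrail-format records to scope a suspected key compromise.

Added example, not code from the talk. Field names follow CloudTrail's JSON
record layout; the records, account ID, principals, key IDs and the trusted
CIDR are constructed sample data for this example.
"""
import ipaddress
import json

# Assumed corporate egress range; anything else is "untrusted" for triage.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# API names with these prefixes are treated as read-only when listing writes.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")


def _rec(time, source, name, region, ip, key, user, error=None):
    """Build one CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "awsRegion": region, "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "accessKeyId": key,
                            "arn": "arn:aws:iam::123456789012:user/" + user}}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed events: a build key behaves normally, is then used from an
# unknown IP to enumerate, is denied an IAM write, and launches an instance
# in a region it never touched before. A second key stays clean.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2017-11-27T09:00:00Z", "ec2.amazonaws.com", "DescribeInstances",
         "us-east-1", "203.0.113.10", "AKIAIOSFODNN7EXAMPLE", "build-bot"),
    _rec("2017-11-27T11:42:10Z", "sts.amazonaws.com", "GetCallerIdentity",
         "us-east-1", "198.51.100.77", "AKIAIOSFODNN7EXAMPLE", "build-bot"),
    _rec("2017-11-27T11:42:35Z", "s3.amazonaws.com", "ListBuckets",
         "us-east-1", "198.51.100.77", "AKIAIOSFODNN7EXAMPLE", "build-bot"),
    _rec("2017-11-27T11:43:02Z", "iam.amazonaws.com", "CreateUser", "us-east-1",
         "198.51.100.77", "AKIAIOSFODNN7EXAMPLE", "build-bot", "AccessDenied"),
    _rec("2017-11-27T11:44:15Z", "ec2.amazonaws.com", "RunInstances",
         "us-west-2", "198.51.100.77", "AKIAIOSFODNN7EXAMPLE", "build-bot"),
    _rec("2017-11-27T12:00:00Z", "ec2.amazonaws.com", "DescribeInstances",
         "us-east-1", "203.0.113.10", "AKIAI44QH8DHBEXAMPLE", "deploy"),
]})


def parse_records(raw_json):
    """CloudTrail delivers JSON objects with a top-level 'Records' list."""
    return json.loads(raw_json)["Records"]


def is_trusted(source_ip):
    """True only for addresses inside TRUSTED_NETWORKS.

    CloudTrail also emits non-IP values such as 'AWS Internal'; those fail to
    parse and are reported as untrusted so a human looks at them.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def _short_call(rec):
    """'iam.amazonaws.com' + 'CreateUser' -> 'iam:CreateUser'."""
    return rec["eventSource"].split(".")[0] + ":" + rec["eventName"]


def triage_access_key(records, access_key_id):
    """Timeline and containment facts for one access key: owner, first/last
    use, IPs outside the trusted range, denied calls (attacker probing
    permissions), successful writes (what to roll back) and regions touched."""
    events = sorted((r for r in records
                     if r.get("userIdentity", {}).get("accessKeyId") == access_key_id),
                    key=lambda r: r["eventTime"])
    untrusted_ips = sorted({r["sourceIPAddress"] for r in events
                            if not is_trusted(r["sourceIPAddress"])})
    denied_calls = [r["eventTime"] + " " + _short_call(r)
                    for r in events if "errorCode" in r]
    write_calls = [r["eventTime"] + " " + _short_call(r) for r in events
                   if "errorCode" not in r
                   and not r["eventName"].startswith(READ_ONLY_PREFIXES)]
    return {
        "accessKeyId": access_key_id,
        "principal": events[0]["userIdentity"].get("arn") if events else None,
        "first_seen": events[0]["eventTime"] if events else None,
        "last_seen": events[-1]["eventTime"] if events else None,
        "untrusted_ips": untrusted_ips,
        "denied_calls": denied_calls,
        "write_calls": write_calls,
        "regions": sorted({r["awsRegion"] for r in events}),
        # Either signal is enough to rotate the key and start containment.
        "likely_compromised": bool(untrusted_ips) or bool(denied_calls),
    }


def find_suspect_keys(records):
    """Every access key in the log that triage flags as likely compromised."""
    keys = {r.get("userIdentity", {}).get("accessKeyId") for r in records}
    keys.discard(None)
    return sorted(k for k in keys
                  if triage_access_key(records, k)["likely_compromised"])


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for key in find_suspect_keys(recs):
        print(json.dumps(triage_access_key(recs, key), indent=2))
```

In a live drill, the input is the gzipped CloudTrail JSON pulled from the log bucket rather than the inline sample, and the trusted CIDR is replaced with your real egress ranges; the output (owner, untrusted IPs, successful writes, regions) is exactly what the containment step needs in order to deactivate the key, snapshot anything it launched and brief the business owner.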
80. Thank you!
Josh du Lac, Hart Rossman, Don Bailey, Khaja, Graham, AWS
Support, AWS Abuse team, EC2 Security team, and many more who
helped make these events possible