As our partner AWS likes to say, security is “job zero,” meaning it is far more critical than any other top priority for AWS. As an Advanced Consulting and MSP partner focusing 100% on AWS, we could not agree more. Over our 5 years as an AWS MSP (and an audited MSP Partner of AWS), we have built numerous security tools and integrations on top of AWS. Our philosophy has always been — there is no need to reinvent the wheel. To secure our clients’ environments, we use the best AWS services and 3rd party tooling available. We integrate all of the alerts into our Datadog event bus, trigger incidents with robust runbook actions for a response, and create longer-term project plans to address more significant, underlying security concerns.
Our feedback from customers has been consistent — they want a stand-alone, well-defined, cohesive security offering. They want the absolute best tools in the market, looking to leverage native AWS security tooling first, open-source when the technology is proven, and commercial third party when necessary. And they want it all delivered with a focus on protecting AWS APIs.
Throughout 2019, we have been researching all areas of security on AWS — from traditional EC2 instances and network security, to the AWS account and API-level security, to cloud-native architectures (e.g., serverless), and we are excited to announce Trek10’s Security Max offering — a fully managed suite of software solutions that hook directly into our customers’ AWS environments with Trek10’s AWS security experts managing remediation.
In our research, we identified the most critical elements of securing an AWS environment and applications from which we then selected different tooling to integrate into our customer-facing portal (which we call Harbor) and support systems as necessary. The remainder of this post outlines those various selections, as well as how we have used our own AWS R&D and engineering to add value to these services.
Before we even begin thinking about how to secure an actual application, the AWS foundation must be rock solid. Gone are the days of merely installing security appliances in your network and agents on your VMs for security. To secure the AWS platform, Security Max offers the following:
Once an account is secured, there are limited ways to prevent the account from having new risks created. The Sophos Cloud Optix platform provides the core guard rails and incident alerting to detect/prevent any drift from the baseline. It offers numerous capabilities; the below highlights some of our favorites:
Most security solutions acknowledge that logging is a need in any account, but they are often vague about what exactly to do with the logs and how that makes your account more secure. With Security Max, Trek10 offers a direct approach that is designed to keep costs low, give actionable alerting, and provide a way to review logs if necessary. Specifically, we use Datadog’s state-of-the-art Log Management product with its Logging Without Limits pricing framework, which enables us to decouple log ingestion from log indexing. This allows us to ingest the logs but make them searchable only when desired, making Datadog’s solution more cost-efficient than anything the market has seen to date. And while the logs are not searchable unless requested, Trek10 has built proprietary filters that are applied to logs at the time of ingestion. These filters read log messages and create custom metrics in real time, which we can then monitor and alert on when necessary. Our default set of filters covers log types we have seen across different kinds of accounts, but if you have custom log messages you want stored and alerted upon, our engineers can create custom filters to give you real-time alerting.
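As an added illustration (not Trek10’s or Datadog’s code), the sketch below shows the ingestion-time pattern described above: each CloudTrail-style record is parsed once, matched against filters that increment metrics, and then dropped rather than indexed, with alerts raised when a metric crosses a threshold. The filter names, thresholds and log records are all constructed for the example.

```python
"""Ingestion-time log filters: derive metrics from each log line as it arrives
and alert on thresholds without indexing the raw lines. Added illustration of
the approach described above, not Trek10's or Datadog's code; all records,
filter names and thresholds are constructed."""
import json
from collections import Counter

IAM_POLICY_CALLS = {"PutUserPolicy", "PutRolePolicy", "AttachUserPolicy",
                    "AttachRolePolicy", "CreatePolicyVersion"}
# Ingestion filters: metric name -> predicate over one parsed CloudTrail record.
FILTERS = {
    "console_login_failure": lambda e: e.get("eventName") == "ConsoleLogin"
        and (e.get("responseElements") or {}).get("ConsoleLogin") == "Failure",
    "root_activity": lambda e: (e.get("userIdentity") or {}).get("type") == "Root",
    "iam_policy_change": lambda e: e.get("eventSource") == "iam.amazonaws.com"
        and e.get("eventName") in IAM_POLICY_CALLS,
}
# Alert when a metric reaches this count within the ingested batch (constructed).
THRESHOLDS = {"console_login_failure": 3, "root_activity": 1, "iam_policy_change": 1}

def ingest(lines, filters=FILTERS):
    """Parse each line once, bump every matching metric, then discard the line."""
    metrics = Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            metrics["unparseable"] += 1  # tracked so a broken feed is noticed
            continue
        for name, matches in filters.items():
            if matches(event):
                metrics[name] += 1
    return metrics

def alerts(metrics, thresholds=THRESHOLDS):
    """Names of metrics that reached their threshold, sorted for stable output."""
    return sorted(n for n, limit in thresholds.items() if metrics[n] >= limit)

def record(source, name, identity, response=None):
    """Build one constructed CloudTrail-style JSON line for the demo."""
    return json.dumps({"eventSource": source, "eventName": name,
                       "userIdentity": identity, "responseElements": response})

SAMPLE_LOGS = [record("signin.amazonaws.com", "ConsoleLogin",
                      {"type": "IAMUser", "userName": "alice"},
                      {"ConsoleLogin": "Failure"}) for _ in range(3)] + [
    record("signin.amazonaws.com", "ConsoleLogin",
           {"type": "IAMUser", "userName": "bob"}, {"ConsoleLogin": "Success"}),
    record("iam.amazonaws.com", "AttachUserPolicy", {"type": "Root"}),
    record("ec2.amazonaws.com", "DescribeInstances", {"type": "AssumedRole"}),
    "not json at all",  # constructed malformed line
]

if __name__ == "__main__":
    batch = ingest(SAMPLE_LOGS)
    print(dict(batch), alerts(batch))
```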
In addition, Datadog recently released its own Security Monitoring tool, which we are incorporating into Trek10 Security Max. Using the same log ingestion mentioned above, Datadog provides detection on all layers of your application by ingesting, enriching, and unifying logs from multiple sources. What Trek10 really loves about Datadog’s security offering is that, on top of the prebuilt security monitoring rules, Datadog exposes the rule engine, allowing you to create custom security rules. Trek10 has already created new rules using this engine and will continue to develop rules as cloud environments evolve. At Trek10, we really can’t say enough about the logging and security solutions Datadog has brought to the table, and we are excited to include them in Security Max.
Now that we have a secure foundation on which to build a highly available, scalable, and cost-effective AWS application, we can shift our focus to securing the application itself. Of course, as experts in building cloud-native architectures at Trek10, we find that app security is often heavily intertwined with AWS’s APIs and PaaS offerings. The line between platform and app security is certainly blurry and is getting blurrier every day! We will focus on the specifics of the application through the lens of AWS, starting with the OS level. Before doing so, I’ll give a shout out to GuardDuty and Cloud Optix once again, because both services certainly have application-specific protections within the VPC.
AWS Systems Manager provides numerous services — nearly 20 different core capabilities. As part of the onboarding process, we will deploy the Systems Manager agent, which allows us to leverage these core capabilities:
Based on your requirements, Trek10 will recommend a best practice approach to patch your Windows and Linux instances. Patch Manager is fully integrated into Trek10’s support system so that all patching across all environments can be tracked in our ticketing system.
Regular scans of your EC2 instances — both internally and externally — should be conducted on at least a quarterly basis.
Once the AWS foundation and the operating system security have been addressed, the next area of focus is in layer 7 application security. For this, Trek10 leverages the AWS WAF (Web Application Firewall) service. AWS WAF protects web applications from web exploits, especially from the most critical security risks from the OWASP Top 10. AWS just released an update for WAF that now allows more complex logic on rules you create, and AWS offers its own prebuilt set of rules.
AWS WAF can be applied to both CloudFront distributions and your Application Load Balancer (ALB) — or, if you are using API Gateway for a serverless environment, AWS WAF can be applied there as well. If you are not using any of these services today, Trek10 can help you implement one of them to add WAF support to your application. AWS WAF rules can be written manually based on your application, or you can use the aforementioned AWS-supported Managed Rules. As part of the onboarding process, Trek10 will recommend the best approach to implement your AWS WAF rule groups based on your specific requirements.
Trek10, as a certified AWS MSP partner, has spent 5+ years developing different tools and integrations on top of AWS APIs. With Security Max, Trek10 will release all tooling to its customers’ environments and continue to develop more innovative tools. Below is a brief overview of some of the top tools Trek10 has built, with others in the pipeline as well. Many of Trek10’s tools have come from customer feedback, and we look forward to a collaborative development pipeline:
Customers are demanding not only the best security software and technology but also direct access to AWS experts to navigate the challenge of securing both traditional VM-based applications and applications that leverage PaaS and SaaS services (from AWS and 3rd party tools). Security Max provides the expert AWS staff to remediate your environment and keep your AWS footprint within the guard rails we have defined together, based on industry-specific best practice recommendations. The suite of software solutions is fully integrated into your environment and our platform, and it is flexible enough to be easily integrated into our customers’ ticketing systems as well. We look forward to the opportunity to better secure your AWS accounts and applications. If you are interested in learning more, please reach out to info@trek10.com or head over to our Security Max product page and fill out a contact form.