As our partner AWS likes to say, security is “job zero,” meaning it is far more critical than any other top priority for AWS. As an Advanced Consulting and MSP partner focusing 100% on AWS, we could not agree more. Over our 5 years as an AWS MSP (and an audited MSP Partner of AWS), we have built numerous security tools and integrations on top of AWS. Our philosophy has always been — there is no need to reinvent the wheel. To secure our clients’ environments, we use the best AWS services and 3rd party tooling available. We integrate all of the alerts into our Datadog event bus, trigger incidents with robust runbook actions for a response, and create longer-term project plans to address more significant, underlying security concerns.
Our feedback from customers has been consistent — they want a stand-alone, well-defined, cohesive security offering. They want the absolute best tools in the market, looking to leverage native AWS security tooling first, open-source when the technology is proven, and commercial third party when necessary. And they want it all delivered with a focus on protecting AWS APIs.
Throughout 2019, we have been researching all areas of security on AWS — from traditional EC2 instances and network security, to the AWS account and API-level security, to cloud-native architectures (e.g., serverless), and we are excited to announce Trek10’s Security Max offering — a fully managed suite of software solutions that hook directly into our customers’ AWS environments with Trek10’s AWS security experts managing remediation.
In our research, we identified the most critical elements of securing an AWS environment and applications from which we then selected different tooling to integrate into our customer-facing portal (which we call Harbor) and support systems as necessary. The remainder of this post outlines those various selections, as well as how we have used our own AWS R&D and engineering to add value to these services.
Securing the AWS Platform
Before we even begin thinking about how to secure an actual application, the AWS foundation must be rock solid. Gone are the days of merely installing security appliances in your network and agents on your VMs for security. To secure the AWS platform, Security Max offers the following:
- AWS Landing Zone audit: As part of onboarding, Trek10 reviews your AWS Landing Zone and account management configurations for initial best practices.
- Implementation of Sophos Cloud Optix: Trek10 implements Cloud Optix, which is an agentless cloud security solution that is continuously scanning your AWS environment for vulnerabilities and misconfigurations based on the guard rails that Trek10 helps your team define (more on this solution in below section).
- Enable AWS GuardDuty: GuardDuty is AWS’s threat detection service. It provides insight into your AWS API calls, as well as analysis of incoming/outgoing VPC traffic.
Once an account is secured, there are limited ways to prevent the account from having new risks created. The Sophos Cloud Optix platform provides the core guard rails and incident alerting to detect/prevent any drift from the baseline. It offers numerous capabilities; the below highlights some of our favorites:
- Constant AWS configuration scanning: Trek10 has built a recommended baseline compliance rule set with its core best practices, but Cloud Optix also contains out of the box engines for adherence to CIS, GDPR, SOC2, HIPAA, ISO 27001, PCI DSS, and more. Cloud Optix does this through read-only access to your AWS account.
- Anomaly detection (and data exfiltration detection): Cloud Optix baselines your environment for typical behavior and detects anomalous behavior — my personal favorite example of this is in its analysis of VPC flow logs to detect abnormalities that may indicate data is being exfiltrated for your environment.
- DevSecOps: In our desire to integrate all of the top buzzwords into the offering, we’ve made sure to cover “DevSecOps”! In all seriousness, the ability to apply the same policies to your infrastructure as code (e.g., CloudFormation / Terraform) as you have applied in your control and compliance frameworks means that security vulnerabilities or out of compliance configurations are detected before your application even deploys.
- Inventory management and topology visualization: If additional information needs to be gathered due to a security incident, admins can drill down into each instance to understand security group configs, patching compliance, traffic flows / outgoing connection details, and more.
Datadog (Logging + Monitoring)
Most security solutions acknowledge that logging is a need in any account, but are often vague about what exactly to do with the logs and how that makes your account more secure. With Security Max Trek10 offers a direct approach that is designed to keep costs low, give actionable alerting, and provide a way for log review if necessary. Specifically, we use Datadog’s state of the art Log Management product, with its
Logging Without Limits pricing framework, which enables us to decouple log ingestion from log indexing. This allows us to ingest the logs but only makes the logs searchable when desired, making Datadog’s solution more cost-efficient than anything the market has seen to date. And while the logs are not searchable unless requested, Trek10 has built some proprietary filters that are applied to logs at the time of ingestion. These filters read log messages and create custom metrics in real-time that we can then monitor and alert when necessary. Our default set of filters applies to log types we have seen across different types of accounts, but if you have custom log messages you want to be stored and alerted upon, our engineers can create custom filters to give you real-time alerting.
In addition, Datadog recently released its own Security Monitoring tool that we are incorporating into the Trek10 SecurityMax. Using the same log ingestion mentioned above, Datadog provides detection on all layers of your application. Datadog gets this information to you by ingesting, enriching, and unifying logs from multiple sources. What Trek10 really loves about Datadog’s security offering is that on top of the prebuilt security monitors rules, Datadog exposes the rule engine, allowing you to create custom security rules. Trek10 has already created new rules using this engine and will continue to keep developing rules as cloud environments evolve. At Trek10, we really can’t say enough about the logging and security solutions Datadog has brought to the table and are excited to include them in Security Max.
EC2 and Application Security
Now that we have a secure foundation on which to build a highly available, scalable, and cost-effective AWS application, we can now shift our focus to securing the application itself. Of course, being experts in building cloud-native architectures at Trek10, app security often is heavily intertwined with AWS’s APIs and PaaS offerings. The line between platform and app security is certainly blurry and is getting more blurry every day! We will focus on the specifics of the application through the lens of AWS, starting with the OS level. Before doing so, I’ll give a shout out to GuardDuty and Cloud Optix, once again, because both services certainly have application-specific protections within the VPC.
AWS Systems Manager (Patch Manager)
AWS Systems Manager provides numerous services — nearly 20 different core capabilities. As part of the onboarding process, we will deploy the Systems Manager agent, which allow us to leverage these core capabilities:
- Patch Manager: Allows us to leverage AWS for patch management with full integration into our support systems (with optional integration into the customer’s ticketing system)
- Session Manager: This allows admins to securely SSH into EC2 instances with authentication occurring through AWS IAM (no more managing SSH keys on instances!)
Based on your requirements, Trek10 will recommend a best practice approach to patch your Windows and Linux instances. Patch Manager is fully integrated into Trek10’s support system so that all patching across all environments can be tracked in our ticketing system.
Vulnerability Scanning: Inspector and Rapid7
Regular scans of your EC2 instances — both internally and externally — should be conducted on at least a quarterly basis.
- Internal Scanning with AWS Inspector: AWS inspector is an agent-based solution that provides internal scans to produce vulnerability reports across a fleet of EC2 instances. There are numerous rules packages to choose from (Network Reachability, CVEs, CIS Benchmarks, Security Best Practices, and Runtime Behavior Analysis), and we will work with your security team to define the appropriate packages.
- External Scanning with Rapid7 InsightVM: Rapid7’s technology is the gold standard for external vulnerability scans. Rapid7 reports will integrate into our ticketing system, so there is a seamless transition from scan findings to remediation.
Once the AWS foundation and the operating system security have been addressed, the next area of focus is in layer 7 application security. For this, Trek10 leverages the AWS WAF (Web Application Firewall) service. AWS WAF protects web applications from web exploits, especially from the most critical security risks from the OWASP Top 10. AWS just released an update for WAF that now allows more complex logic on rules you create, and AWS offers its own prebuilt set of rules.
AWS WAF can be applied to both CloudFront distributions as well as your Application Load Balancer (ALB) — or if you are using API Gateway for a serverless environment, for example, AWS WAF can be applied there as well. If you are not using either of these services today, Trek10 can help you implement one of them to add WAF support to your application. AWS WAF rules can be written manually based on your application, and of course, the aforementioned AWS supported Managed Rules. As part of the onboarding process, Trek10 will recommend the best approach to implement your AWS WAF rule groups based on your specific requirements.
Trek10 Security Tooling
Trek10, as a certified AWS MSP partner, has spent 5+ years developing different tools and integrations on top of AWS APIs. With the Security Max, Trek10 will release all tooling to its customers’ environments and continue to develop more innovative tools. Below is a brief overview of some of the top tools Trek10 has built with others in the pipeline as well. Many of Trek10’s tools have come from customer feedback, and we look forward to a collaborative development pipeline:
- Event-Driven Remediation: Trek10 has built best practice Lambda functions to auto-remediate vulnerabilities in your environment based on your preferences for automatic remediation. For example, if port 22 (SSH) has been opened to the public, a Lambda function can immediately remediate this vulnerability and create a ticket for after-action-review.
- GuardDuty + AWS WAF Integration: This tool effectively turns the GuardDuty threat detection service into a prevention service with blocking capabilities. When an attacking IP address is identified by GuardDuty, Trek10 has built an integration to parse this IP address and drop it into an AWS WAF IP match condition to block for a configurable amount of time.
- S3 Auditor: This solution scans every object in every bucket. Even large buckets with millions of objects can be scanned in hours. This allows Trek10 to alert you if your private bucket has objects with misconfigured object-level ACLs and thus public.
- CloudTrail Integrity Validator: On a daily basis, a Lambda function verifies the integrity of your CloudTrail logs against a hash. This will create a support ticket if any log tampering has been identified.
Fully Integrated Incident Management and Remediation
Customers are demanding not only the best security software and technology but direct access to AWS experts to navigate the challenge of security both traditional VM-based applications as well as applications that leverage PaaS and SaaS services (from AWS and 3rd party tools). Security Max provides the expert AWS staff to remediate your environment to continue to keep your AWS footprint within the guard rails, which we have defined together based on industry-specific, best practice recommendations. The suite of software solutions is fully integrated into your environment and our platform, and it is flexible enough to easily be integrated into our customers’ ticketing systems as well. We look forward to the opportunity to secure your AWS accounts and applications better. If you are interested in learning more, please reach out to firstname.lastname@example.org or head over to our Security Max product page and fill out a contact form.