AWS re:Invent 2021 - {New Launch} The new Amazon Inspector for vulnerability management


Join this session to learn about the new Amazon Inspector from the product leadership team and Uber. Amazon Inspector is an automated vulnerability management service that continually scans Amazon EC2 and container workloads for software vulnerabilities and unintended network exposure. It has been completely rearchitected and now identifies vulnerabilities in near real time, supports containers, introduces a meaningful contextual Amazon Inspector risk score, is integrated with AWS Organizations, uses the widely deployed AWS Systems Manager Agent (SSM Agent), and offers many other benefits.



Content

0.76 -> Hello everyone and welcome.
3.19 -> I am Rick Anthony.
4.32 -> I'm with the Amazon Inspector team.
6.61 -> I have Kashish Wadhwa here with me on stage.
9.67 -> He's also with Amazon Inspector
12.74 -> and off stage I have Ankit Kumar
15.61 -> from Uber Security Engineering
17.28 -> and he'll be joining us in a little bit.
20.06 -> So we're really excited to be presenting
23.15 -> to you today to talk about the new Amazon Inspector service
27.41 -> that we launched on Wednesday.
30.3 -> We're gonna cover a couple items
32.52 -> and you know, show you how to use Amazon Inspector
36.84 -> for automated vulnerabilities.
39.03 -> However, before we get into the talk
41.7 -> we have a quick little fun video that we wanted
44.13 -> to show you, so please cut us over to the laptop.
51.03 -> Security gaps created
52.46 -> by software vulnerabilities and unintended network access
55.78 -> can lead to compromised workloads
57.43 -> and unauthorized access to data.
59.75 -> Amazon Inspector is a vulnerability management service.
64.83 -> Security gaps created by software vulnerabilities
67.81 -> and unintended network access
69.63 -> can lead to compromised workloads
71.27 -> and unauthorized access to data.
73.55 -> Amazon Inspector is a vulnerability management service
76.53 -> that is easy to enable across your entire organization
79.28 -> with a few clicks in the AWS management console.
82.29 -> Inspector's integration with AWS Organizations
85.21 -> simplifies multi-account management
87.03 -> and centralizes findings for the security team.
89.92 -> Once enabled, Inspector automatically discovers workloads
92.96 -> such as Amazon EC2 Instances and containers
95.77 -> and continually scans them for software vulnerabilities
98.31 -> and unauthorized network exposure.
100.88 -> Inspector correlates up-to-date CVE information
103.87 -> with factors like network accessibility and exploitability
107.24 -> creating accurate and meaningful risk scores
109.75 -> to help you prioritize your response
111.57 -> to address vulnerable resources.
113.86 -> Inspector helps you reduce mean time
115.84 -> to resolve vulnerabilities with automation
118.35 -> through integration with partner solutions,
120.54 -> Amazon EventBridge and AWS Security Hub.
124.09 -> Launch Inspector's free trial to discover
126.46 -> your critical vulnerabilities.
130.29 -> All right, thank you.
131.123 -> Please flip us back.
133.5 -> So that is the new Inspector in a nutshell.
138.02 -> What we wanted to talk to you today about
140.34 -> was how did we get there.
142.7 -> So many of you may be aware
144.42 -> that there is an Amazon Inspector that has been
147.44 -> in market with AWS since 2015.
151.51 -> And that service is being replaced
154.19 -> by what we launched today.
155.87 -> And we want to talk about how we got there.
158.92 -> So we're going to cover that journey.
161.65 -> As part of that journey we're going to tell you
163.59 -> what we learned by talking to our customers,
166.09 -> what they told us about vulnerability management systems.
169.26 -> We're going to tell you about the philosophies
171.81 -> that we used from those learnings to develop Inspector
175.82 -> and then we're going to go ahead
177.31 -> and introduce Ankit who's going
180.35 -> to tell you about Uber's journey.
182.51 -> They were one of our private beta customers
184.87 -> who have now operationalized Amazon Inspector.
190.04 -> And then at the end we'll do a live demo
192.88 -> and we'll see how that goes.
197.5 -> Okay, so Amazon Inspector V1,
202.29 -> the one that was launched in 2015.
204.31 -> You'll now see us call that Amazon Inspector classic.
207.93 -> That was developed to look like
209.99 -> a very traditional kind of point and click
212.7 -> vulnerability management system.
214.71 -> And we had really good response from customers
217.01 -> regarding Amazon Inspector V1,
219.87 -> but since 2015 a lot has changed,
223.15 -> even within the cloud so much has happened.
225.72 -> If you look at the pace of innovation here
227.89 -> at AWS you'll understand what I'm talking about.
231 -> So customers, quite naturally,
232.88 -> were asking us to do more with Inspector.
236.29 -> And so, you know, in looking at that we said, all right,
239.86 -> you want us to do more, what should we be doing?
243.42 -> And so we talked to customers and said, okay,
245.77 -> what are the challenges that you have with the products
249.61 -> you're using today?
251.25 -> And we really had customers come back
253.76 -> with four key areas that they were struggling with.
257.53 -> Number one, a lot of the solutions they were using
260.8 -> and I think Inspector V1 suffered from this a little bit,
263.57 -> is that they really weren't designed for the cloud.
266.82 -> The cloud is very elastic.
269.05 -> You know, it's very easy for your workloads
271.21 -> to spin up instances, spin down instances.
275.04 -> Customers have even migrated from EC2 onto containers.
279.33 -> And a lot of times what customers are saying is,
283.27 -> I don't know if I'm even capturing my entire environment.
286.57 -> These instances, they spin up very quickly,
289.16 -> they run short amount of time.
290.54 -> I'm worried that I have some vulnerabilities.
292.8 -> That's a problem we'd like you to solve.
295.45 -> Number two, we spent a lot of time managing these solutions.
300.74 -> You know, vulnerability management, it's important.
303.85 -> It generates a lot of findings.
305.82 -> Our job is to remediate those findings.
307.67 -> We don't wanna spend time managing software,
311.04 -> configuring it, enabling agents,
314.32 -> figuring out why they don't work.
316.12 -> You know, there's agents for everything.
317.58 -> How do we make that better?
319.16 -> How do we have one less agent to deal with?
322.75 -> Number three, the cloud again, is elastic
326.48 -> but it's also dynamic.
327.88 -> You can very quickly prototype.
329.57 -> You can very quickly go to market.
331.5 -> And customers are telling us,
333.49 -> I'm not sure I'm covering everything in my environment.
337.3 -> I have application teams launching things everyday.
341.32 -> How do I know I don't have gaps?
343.01 -> How do I know I didn't miss something?
345.9 -> Help us solve that.
347.48 -> I don't wanna have to go out,
349.88 -> discover all my resources, build these dashboards.
352.99 -> I wanna just solve security problems.
355.72 -> And lastly, they wanted to,
357.96 -> they asked us to say.
363.95 -> I have more tools, you know.
366.334 -> I have more things that I need to look at.
367.68 -> I have moved from EC2.
369.25 -> I've moved over to containers.
372.05 -> Help me solve that.
376.32 -> So, we took all that information.
378.47 -> We looked at Inspector V1.
380.07 -> We looked across AWS at some of the other services
383.25 -> that were out there that were really resonating
385.31 -> with customers and we said, okay,
387.75 -> there's two key philosophies that we think
389.88 -> we need to use in designing Inspector,
393.77 -> the new one that just launched.
395.46 -> Number one, we don't want customers
397.44 -> to really be focused on those up front activities
400.13 -> such as setting them up, deploying agents, configuration.
404.33 -> How do we really make that super simple?
407.9 -> That's gotta be part of the solution.
411.2 -> Number two, how do we also take away
414.92 -> the problem of scanning traditional solutions as customer
420.21 -> you have to decide what am I gonna scan,
423.06 -> when am I gonna scan it, and how I'm gonna scan it.
425.66 -> You know, that's where gaps occur.
428.7 -> So we've said, okay, how do we solve that problem?
431.61 -> How do we take that burden away of figuring out
435.1 -> what that right schedule is going to be?
437.1 -> Because customers would always ask.
438.94 -> Should I be scanning daily?
440.56 -> Should I be scanning weekly?
442.83 -> Should I be doing this monthly?
443.96 -> Help us, tell us what's the right way to do this.
447.23 -> So, taking all those factors together
450.75 -> we launched Amazon Inspector.
453.6 -> And what we're going to show you
456.13 -> is the features that we've launched
458.7 -> with Amazon Inspector.
460.05 -> We're gonna tell you how those features
462.51 -> are satisfying those requirements for customers.
466.08 -> We're also gonna do a demo
467.72 -> and we're going to show you Uber's journey as well.
473.69 -> Thanks, Rick.
474.67 -> Before I get started, like you saw
476.8 -> the problem with the bug with the video,
478.57 -> that was intentional.
479.64 -> Just to show you how easy is it to find bugs
482.53 -> in normal day to day life.
484.836 -> And how important it is to remediate those.
488.23 -> Going back to Amazon Inspector now.
490.2 -> Amazon Inspector not only supports EC2 instances
492.67 -> but also container images that are residing in ECR
496.91 -> which is the elastic container registry.
498.9 -> This was one of the biggest changes
500.63 -> that we have seen across industry.
502.42 -> Everyone is moving from EC2 instances to containers
506.06 -> and this became really important
507.97 -> and we heard back from customers a lot
509.96 -> that we have to support it.
514.19 -> So aligning to the philosophies that Rick pointed out,
517.76 -> the first one was like security should be focused
521.14 -> on the backend.
521.973 -> Like patching, remediating, implementing,
524.83 -> compensating controls, they should not be focused
527.37 -> on upfront activities.
529.84 -> They shouldn't be like, deploying agents
532.44 -> or trying to figure out if that agent
536.16 -> is responding back to the console or not.
537.99 -> Is that agent like, working or not.
540.76 -> Is that agent impacting my performance
542.85 -> of the instance or not.
544.17 -> So all those things we decided
545.94 -> to simplify onboarding, first of all.
550.3 -> So similar to other services like Security Hub
552.75 -> or Amazon GuardDuty, we have made it truly simple
556.03 -> for customers to onboard their entire organization
560.26 -> to Amazon Inspector.
561.64 -> So with potentially one click you can enable
564.68 -> Inspector across all your accounts
566.56 -> in your organization.
569.73 -> Then what we have done is we provide you
571.6 -> a single pane of view across all of your resources
575.78 -> and your accounts and across your organization.
579.07 -> So that you can take your organizational level decisions
583.12 -> through Inspector.
584.33 -> Like, your central security team
586.08 -> will have access to the centralized console.
588.88 -> Where they will be able to see across the board
592.28 -> what is my account like, general posture.
594.62 -> What is my environmental coverage?
597.69 -> How many resources accounts are we covering?
599.96 -> Some of the resources or accounts which
602 -> we are not covering, why not?
603.85 -> We will give you actionable guidance
605.6 -> so that you can avoid any security coverage gap.
610.06 -> The third thing that we have done
613.56 -> in alignment to our philosophy is that
616 -> we have tried to reduce the number of agents
618.27 -> that security teams have to maintain,
620.8 -> they have to launch and like,
623.28 -> it's just getting crazy out there.
625.34 -> So we decided to use the Systems Manager Agent
628.02 -> which is already widely adopted
630.15 -> and we tried not to probe the instances anymore.
635.02 -> We just used the data that SSM is already collecting anyway
639.52 -> and we do all the processing on our side
641.73 -> so that it doesn't impact the performance of the instance.
644.79 -> For container images, we don't need any agent.
648.4 -> We just get the data of the container image
653.06 -> and we do the processing on our end.
655.91 -> Finally, this is one of the most differentiating
659.09 -> factors that we have introduced in Amazon Inspector
663.35 -> is that now we provide you a highly
665.54 -> contextualized score, what we call Inspector risk score,
669.11 -> to give you the realtime view of your environment.
672.47 -> One CVE identified in your environment versus
675.63 -> your environment could have different impact
677.7 -> depending on several factors, right?
679.8 -> One of your instances could have network accessibility.
683.91 -> Your instance might not have network accessibility.
687.03 -> And depending on the CVE metadata,
689.41 -> we look at if that CVE can be exploited remotely
693.99 -> versus not, and we look at other parameters also.
696.64 -> And we correlate with network availability results.
699.17 -> We look at exploitability data in general
702.08 -> and we have our internal threat intel groups
704.58 -> that kind of hunt for CVEs being actively
708.57 -> exploited in the wild, so that we get
710.55 -> that confidence score and we provide that in Inspector.
713.64 -> And we are being completely transparent about it.
715.96 -> It's not like it's a black box.
717.87 -> We are not hiding anything.
719.08 -> You will see in the console when I show
720.8 -> the demo that how did we arrive from,
723.91 -> let's say NVD, CVSS V3 score or if the vendor
727.55 -> like Red Hat, for example, provides
729.1 -> their own score, how did we arrive from
731.18 -> that base score to Inspector score in the dashboard?
737.65 -> So aligning with the other philosophy that we talked about,
742.03 -> I personally got a lot of questions from customers.
744.91 -> How often should I scan my instances?
747.14 -> Like, is one day enough?
748.63 -> Is once a month enough?
750.65 -> Should I scan every six hours?
752.32 -> Every 12 hours?
753.92 -> And this is something, it's consistent
756.05 -> across the industry and we felt customers
759.45 -> should not be deciding that.
761.68 -> They should not have to take the burden of deciding that.
766.07 -> So what we do is, now we continually scan
770.09 -> vulnerability or we continually do
772.59 -> vulnerability and network reachability scans.
774.96 -> And I will, in the next slide, cover.
777.603 -> I'll do a deep dive into what do I mean by continue.
781.4 -> And other important features or key features
787.065 -> that we have identified like Inspector score, etc.
792.14 -> One of the other things that you will see
794.21 -> in Inspector is that we automatically detect
796.65 -> if you patch something now.
798.4 -> So earlier, security teams, what they had to do
800.6 -> is they had to go and scan their environment
803.62 -> and if they find any CVE they would go and patch it
806.81 -> then re-scan it to see if it has been actually fixed or not.
810.3 -> And going through all this process is manual effort.
813.97 -> It's just too much work, right?
816.46 -> So, with Inspector we now automatically detect
820.52 -> if you patch anything, we will detect in almost real time.
823.94 -> And we will automatically mark that finding
826.07 -> in the Inspector dashboard as closed.
829.544 -> So that without any manual overhead,
831.382 -> you don't have to do anything.
832.689 -> It will automatically close up or close down.
837.02 -> Finally, we now are integrated with Security Hub
841.21 -> and also since everything in Inspector
843.54 -> is now event driven, we push all events to EventBridge.
849.17 -> And also Security Hub and container related findings
852.06 -> are also presented in ECR.
855 -> So like Rick mentioned, there is a concern
858.18 -> with security teams in general that they don't
860.75 -> wanna give the keys to the kingdom
863.432 -> to all the developers, all the application teams.
866.15 -> They want to provide those results
868.41 -> in their persona and what they use and their tools
872.094 -> and central security teams should have
874.579 -> that visibility oversight to manage, customize,
877.09 -> and just provide that oversight.
878.46 -> That everything is going right.
881.32 -> So with Inspector we do that with ECR integration.
888.1 -> The same results will be provided in Inspector and ECR.
892.45 -> You could, developers could enable Inspector from ECR
895.46 -> or a centralized security team could enable
898.67 -> Inspector ECR scanning through Inspector console.
901.79 -> So it works both ways.
904.16 -> And the last thing about EventBridge.
906.78 -> Now, since everything is automated
909.29 -> we push an event for a new finding created.
912.21 -> If a finding state changes to closed,
914.62 -> or if a new instance comes up,
916.81 -> or if a new instance goes down,
918.45 -> we generate a finding for everything.
920.33 -> We generate an event for everything.
922.771 -> And we push that to EventBridge.
924.33 -> Now where that is really impactful
926.4 -> is that let's say that if you have
928.78 -> your ticketing system, right.
930.7 -> You can, since Inspector generates everything in real time,
934.87 -> you could integrate with your ticketing system
937.07 -> where a new finding can easily create
940.33 -> a new ticket with your ticketing system
943.36 -> and since we do support tags
945.98 -> and if you have different environments
947.61 -> you can tag it to the right application owner.
950.09 -> And it will automatically create tickets
952.39 -> as well as if something gets patched,
955.85 -> it will automatically close the ticket also
958 -> because we generate an event for that also.
960.09 -> So it eliminates all the friction,
962.61 -> the overhead that we have to go through
964.23 -> just to manage ticketing system.
966 -> Which is not good, right?
970.96 -> So let's deep dive into the key Inspector features.
974.02 -> We talked about frictionless one-click enablement
976.35 -> and multi-account support with AWS Organizations.
979.07 -> We also talked about highly contextualized
981.3 -> Inspector risk score.
982.61 -> This is what we do right now,
984.57 -> but in the future we do have plans
986.23 -> to improve Inspector score
987.43 -> and make it even more contextualized.
990.36 -> Now coming back to continual vulnerability management
994.03 -> or what I mean by continual.
996.84 -> So, the question I used to get quite often
1000.44 -> during our beta which ran for about seven months,
1003.82 -> was that when you say continuous,
1006.25 -> does that mean it will impact my performance,
1008.92 -> like instance performance?
1010.14 -> Do you run it every two hours?
1011.53 -> Do you run it every three hours?
1013.91 -> The answer is no.
1015.35 -> We do it continually.
1016.52 -> We monitor your environment and we monitor
1019.49 -> the CVE landscape.
1021.45 -> Now we correlate if there is any change
1024.17 -> in your environment.
1025.003 -> Let's say if you launch an instance
1026.36 -> or push a container image in ECR,
1029.17 -> we will automatically detect that.
1030.85 -> We will automatically trigger a scan.
1033.14 -> And let's say, now you install
1034.956 -> a new package in your EC2 instance.
1035.91 -> Let's say, OpenSSL.
1038.2 -> We will automatically detect that in real time
1040.32 -> and we will do a delta scan.
1042.14 -> Like a really small scan on the change,
1044.63 -> so that it doesn't impact on your,
1046.83 -> doesn't have an impact on your instance.
1048.86 -> We do the processing and that's how
1050.75 -> we can easily provide you findings in real time.
1054.38 -> Similarly, if we patch something,
1056.41 -> we automatically detect that also.
1058.76 -> And on the CVE side, we built an intelligent
1062.02 -> vulnerability database.
1063.8 -> And how that works is we can view 50 sources
1066.64 -> at the moment and we collate all the data.
1069.68 -> We kind of do a lot of analysis on that data.
1072.96 -> And let's say if there is a new CVE was published recently,
1078.28 -> how that will work is,
1080.81 -> since we already know in your environment
1083.52 -> which packages are where, like which all EC2 instances
1087.06 -> have what packages, which container images
1089.02 -> have what packages.
1090.21 -> And when a new CVE is published, we know
1092.9 -> that these resources will be impacted by it.
1095.82 -> So we do that in real time.
1097.41 -> So as soon as a CVE is published
1099.61 -> we automatically generate findings
1102.04 -> for all the resources within hours.
1104.63 -> So the greatest impact is,
1106.17 -> and as you know these days,
1108.04 -> zero day vulnerabilities are becoming more and more,
1110.01 -> more and more like, frequent.
1112.35 -> And usually security teams, depending
1114.28 -> on the size of your organization
1116.35 -> takes about, somewhere about a week to a month
1119.07 -> first to do like an entire sweep of your whole environment.
1123.75 -> See which all resources are impacted,
1125.48 -> then patches, then re-scan it to validate.
1128.08 -> And like, this could take a lot of time.
1129.903 -> With Inspector, this would take less than a few hours.
1135.33 -> So that is the real time impact where you can,
1138.21 -> without any manual overhead,
1140.1 -> you can see everything and anything in real time.
1145.75 -> And with frictionless one-click
1148.89 -> we already covered pretty much everything.
1152.318 -> And it's very similar to GuardDuty or Security Hub
1154.9 -> where you can assign a delegated administrator.
1157.63 -> That delegated administrator acts
1159.11 -> as the Inspector admin.
1161.06 -> And that Inspector admin can centrally manage,
1164.06 -> customize, configure, see all the findings
1166.54 -> in one centralized location through one central console.
1171.19 -> Now I'll pass it off to Ankit
1173.33 -> who is with Uber's Security Engineering team.
1178.72 -> Thank you, Kashish.
1180.33 -> Hello and good afternoon, everyone.
1182.13 -> My name is Ankit Kumar and I am
1184.23 -> a security software engineer with Uber.
1187.09 -> The focus of my team is cloud security
1189.24 -> and over the course of the last few weeks and months
1191.92 -> we have been evaluating the new Inspector solution
1195.82 -> to see how it integrates with our monitoring solution.
1198.18 -> So over the next few minutes I'll walk you through
1200.73 -> some of the integration, some of the high level designs
1202.65 -> that we were able to build out.
1205.73 -> So, just a look at our compute environment.
1208.4 -> It might be very similar to yours.
1210.14 -> So we have fleets of EC2 instances
1213.12 -> that are both long lived, that have been running
1215.61 -> over the course of say, months.
1218.47 -> They might also be running over the course of years.
1221.02 -> We also have ephemeral instances
1222.77 -> that come up and go down to perform
1224.34 -> a specific set of tasks.
1226.03 -> Come up, go down.
1227.98 -> And by the nature of EC2 instances
1230.16 -> you guys know that it's regional.
1231.42 -> So, it's distributed across different regions,
1233.92 -> accounts, and organizations that we have.
1236.66 -> On top of this, we also have AMIs.
1239.5 -> So as we use Amazon Machine Images
1243.64 -> we also have teams as fake private images
1246.69 -> that are used by teams that are packaged
1249.03 -> by teams with their own favorite OS flavors.
1252.6 -> With libraries, with tools and services
1254.82 -> that they want to use in their environment.
1256.56 -> So, with all of this we had quite a big challenge
1261.68 -> to solve in terms of vulnerability management
1263.98 -> because the scale is huge.
1267.89 -> Some of the challenges, these are some
1269.73 -> of the high level challenges.
1271.714 -> So, a lot of you would resonate with these challenges
1273.47 -> because it's an industry wide problem.
1275.16 -> So heterogeneous instances.
1277.928 -> One of the big, good points about cloud
1282.04 -> is it provides you the capability
1283.5 -> to spawn up instances that cater
1285.98 -> to your specific needs, right.
1288.474 -> With these heterogeneous set of instances
1291.52 -> the bigger challenge is to address
1294.23 -> vulnerability management, or the bigger challenge
1296.06 -> is to address scanning all of these edge cases.
1298.64 -> Scanning all of these instances which
1300.8 -> might not be part of the larger fleet.
1304.62 -> Then agent management is a tedious task.
1307.23 -> You need to make sure that the performance
1311.31 -> of an EC2 instance is not reduced
1315.27 -> by installing more and more agents.
1317.01 -> We need to make sure that we strike that balance.
1320.14 -> We also need image scanning because we have private images.
1323.31 -> We want to make sure that all of the images
1326.24 -> that are being used in our environment
1328.92 -> are patched from the get go.
1330.95 -> And there is always a need for centralized visibility.
1333.42 -> We need to make sure that we have a bird's eye view
1337.22 -> of everything that's going on in our environment.
1341.25 -> Again, patch management needs to go hand in hand
1343.23 -> with vulnerability management and it's
1345.23 -> a big and tedious task.
1347.8 -> How do we do this?
1349.328 -> In our scale in the number of accounts
1351.27 -> that we have, we cannot do this manually.
1354.27 -> And we wanted something that can scale
1356.71 -> with our infrastructure.
1357.69 -> So, we use an open source tool called Hammer.
1362.5 -> This tool is developed by the Dow Jones team
1365.3 -> and we have heavily customized it to our, Uber's, need.
1370.68 -> Very straight forward architecture.
1372.14 -> You have a trigger which is event ruled in our case.
1376.03 -> It triggers a lambda function.
1377.95 -> So on an everyday cadence.
1379.59 -> The lambda function in itself
1381.64 -> will go and check for misconfigurations,
1383.82 -> or identify vulnerabilities.
1386.17 -> Misconfiguration can be an S3 bucket data is public.
1389.65 -> We don't want that.
1391.23 -> It can be an IAM user with no MFA enabled.
1394.82 -> We want visibility into all of these misconfiguration
1397.65 -> vulnerabilities across the entire footprint that we have.
1401.18 -> And after all of the identification is complete,
1403.94 -> we want to make sure that we have saved it somewhere,
1406.95 -> we have a source of truth that we can always
1408.67 -> go back and look at.
1410.18 -> Which is DynamoDB in our case
1411.9 -> because we leverage cloud to secure the cloud.
1415.4 -> Now how do we scale this particular platform?
1417.6 -> How do we scale our monitoring system
1420.7 -> to utilize or to do vulnerability management?
1424.92 -> It has to be done across all of the accounts
1427.14 -> that we have, all the regions that are EC2 instances.
1430.64 -> And if you've used Inspector Classic,
1432.67 -> you would know some of these steps.
1434.93 -> You need to make sure your assessment target is set.
1438.45 -> You need to make sure that the template runs
1441.82 -> for the duration of time that you want it to run for.
1444.5 -> And there are rule packages that you have to setup
1446.87 -> and after all of that is done,
1448.95 -> we run scans and get the findings.
1452.34 -> With our monitoring platform this presented
1455.95 -> quite a lot of points of failure,
1457.32 -> so we wanted to make sure the entire pipeline
1460.86 -> is as reliable as possible.
1462.45 -> Because Inspector Classic is a regional service.
1466.43 -> There involves a lot of trouble shooting
1468.98 -> when something goes bad, something goes wrong.
1471.93 -> We wanted something that we can look at
1474.7 -> from a holistic view, identify all of the challenges
1477.66 -> and then just get the vulnerability data
1481.3 -> that we're looking at.
1482.77 -> How do we do that?
1485.72 -> Inspector, the new Inspector.
1487.3 -> So with the new Inspector all
1489.18 -> of the older steps are completely gone.
1492.23 -> Inspector has absorbed the initial steps
1495.77 -> of setting up your scans into itself.
1499.39 -> And all our Hammer pipeline needs to do now
1501.95 -> is call to get findings API.
1505.62 -> This is happening in only one account.
1509.39 -> The delegated administrator account as Kashish mentioned.
1512.57 -> We don't need to scale it
1514.421 -> to all of the accounts that we have.
1515.821 -> We don't need to scale it
1516.794 -> to all of the regions that we have.
1517.627 -> Just one account, all of the regions in that account
1520.67 -> get all of the vulnerability data out of that account.
1523.18 -> And push it again into a DynamoDB table
1524.87 -> because that's how we build out our team platform.
1528.96 -> What do we do from that?
1530.928 -> What do we do from here?
1532.81 -> We have all of the data now.
1535.28 -> The best way that we identify remediation
1539.59 -> is by opening the very dreaded security ticket.
1543.98 -> So we built out a ticketing platform that we call CMON.
1548.37 -> What this service does is constantly keep looking
1552.14 -> at the DynamoDB table entries,
1555.05 -> identify if there is something added to it,
1557.86 -> if it is updated, and open a ticket for you.
1560.9 -> Open a ticket for the end user that owns
1563.13 -> that particular EC2 instance.
1566.3 -> This happens on a regular basis.
1568.86 -> So, it will constantly keep looking at
1571.688 -> the DynamoDB table entry.
1573.04 -> It will try to see if there are records
1574.8 -> that are updated and as soon as there
1576.48 -> is something of an update,
1578.68 -> you get that update as Jira ticket.
1580.6 -> So, this is a template of one of our Inspector tickets.
1585.7 -> You see that the information presented is very concise.
1589.43 -> Get to know all of the vulnerabilities that
1591.56 -> are associated with your EC2 in a tabular format
1595.13 -> with the remediation steps that are needed
1597.41 -> to resolve that particular vulnerability.
1599.6 -> As soon as you do, as soon as you go and resolve something
1603.928 -> the ticket will auto resolve itself.
1605.78 -> The ticket will update with the other
1608.219 -> vulnerabilities that are identified.
1611.82 -> Over the course of our evaluation
1614.68 -> we collected a lot of metrics.
1618.55 -> You guys must be aware of this fact
1620.03 -> that of anybody who deploy
1621.66 -> a vulnerability management solution
1623.632 -> there is quite a lot of overhead.
1625.019 -> There is a lot of deployment that you need to do.
1627.22 -> With this particular solution it was just
1630 -> a one-click deployment for us.
1632.17 -> We had already onboarded onto Systems Manager
1635.58 -> so all we had to do was enable Inspector
1639.21 -> on the delegated administrator account
1641.699 -> and Kashish will walk you through that step in the demo.
1644.37 -> And as soon as that was done, within
1647.04 -> a course of the next few hours we had
1650.58 -> the entire environment under one
1652.74 -> centralized visible console.
1656.3 -> It also reduced our manual overhead
1658.86 -> to manage the entire solution by 40%
1662.33 -> because we don't have to now go and look
1664.35 -> at all of the individual accounts and regions
1666.37 -> and set everything up individually.
1669.32 -> One of the great things about
1670.92 -> this new integration that we built out was,
1674.46 -> we were able to address 87% of our critical vulnerabilities
1678.86 -> within the SLA that we had.
1680.92 -> And the biggest driving factor was
1683.07 -> the instant re-scans that Inspector provided.
1687.134 -> So initially with the classic version,
1689.91 -> what we had to do was initiate a scan
1693.3 -> on a regular cadence.
1694.56 -> So one day it would scan something,
1696.35 -> it would identify something.
1698.35 -> CMON would open a ticket for us.
1701.09 -> Next day when you fix something the scan
1702.88 -> would, you would at least have to wait for 24 hours
1705.8 -> for the re-scans to happen.
1707.83 -> And the feedback would take close
1709.93 -> to 24 to 26 hours to re-update it on the ticket.
1713.52 -> But with this, as soon as our customers
1718.31 -> or our end users fixed or patched their system,
1722.882 -> the ticket got updated within an hour.
1725.42 -> It was an amazing experience for the end user
1727.84 -> because they get to know what they have done
1730.47 -> has actually remediated a particular vulnerability.
1733.37 -> And it drove our numbers up.
1734.92 -> So that's something that has helped us a lot.
1739.99 -> So, where do we take it from here?
1742.76 -> What can we do next?
1744.16 -> So, our integration is built out.
1747.45 -> We want to make sure that we mature it to the next level.
1750.97 -> What we want to do next year is to make sure
1754.16 -> that everything that we identify in our environment
1757.46 -> gets pushed to our Elasticsearch engine.
1760.64 -> So that we have information about everything
1763.45 -> that was identified.
1766.19 -> We also want to build out our auto remediation pipeline.
1771.32 -> So, in cases where there is an SLA breach,
1777.8 -> maybe this pipeline can automatically run
1779.77 -> and remediate everything.
1781.53 -> In a case where a customer is unable
1783.43 -> to fix something, they can just mark the ticket
1787.89 -> as fix it for me, and the same pipeline will run again
1792.02 -> and fix everything for them.
1794.55 -> Then Systems Manager is the prerequisite, right?
1798.75 -> We want to make sure that is,
1800.67 -> that agent is part of every private image that we have.
1804.25 -> So we will bake it directly
1805.89 -> into the AMI making pipeline that we have.
1810.82 -> One of the things that our fleet users asked us was,
1815.8 -> how can they proactively approach remediations?
1820.7 -> Amazon patches their AMIs on a regular basis,
1824.34 -> so we thought, why not migrate the entire fleet
1828 -> onto the new AMI as soon as it is out in the market?
1831.13 -> So we want to build out this pipeline
1833.4 -> where as soon as we get a trigger that Amazon
1837.12 -> has patched a number of AMIs,
1839.92 -> all of our fleet users will automatically
1842.14 -> migrate their EC2 instances onto the new AMI.
1845.56 -> And with our mergers and acquisitions we want
1849.16 -> to make sure that every single thing that we build
1852.51 -> for us is scalable to them.
1855.26 -> So, we want to build out the centralized
1857.72 -> integration for everything that we have at Uber.
1862.55 -> So this brings us to the end of my presentations.
1865.75 -> If you are interested in learning more about
1868.75 -> our Hammer cloud native and the CMON ticketing part,
1872.37 -> we have very detailed blogs.
1873.89 -> It's in two parts and it will give you a good idea
1876.61 -> about how to replicate the same environment
1878.87 -> in your infrastructure.
1881.64 -> Thank you.
1883.882 -> (audience applauding)
1889.08 -> So before I start with a demo
1890.93 -> I just want to call out our partners.
1893.68 -> Where we have built integrations already.
1897.16 -> Some of the partners that you will see
1898.72 -> is we have built integrations in different security areas.
1902.2 -> For example, for vulnerability prioritization
1904.9 -> we have integrated with Rezilion and Vulcan.
1907.52 -> For attack surface management where
1910.269 -> they use Inspector as their vulnerability management
1911.77 -> solution, Axonius and XM Cyber.
1916.33 -> For basically SIEM solutions we have IBM Security
1919.98 -> and Sumo Logic.
1921.93 -> And Snyk was one of our, I would say very important
1926.58 -> vulnerability data provider.
1928.34 -> Then we have other partners like Palo Alto,
1931.29 -> Wiz, Cavirin, and for detection and response
1934.55 -> we have FireEye, Sophos, and SentinelOne.
1938.73 -> So I'm gonna start with the demo now.
1948.17 -> Did you wanna make that a little bigger?
1951.082 -> I don't think I can.
1952.269 -> All right, it's okay.
1953.797 -> So, this is the organization that I've set up right now.
1956.09 -> If you see the second account
1957.41 -> is the organization's management account.
1959.96 -> And the first one is the delegated admin account
1963.32 -> which I will set up as the delegated admin for Inspector.
1967.04 -> So before I get started, I just wanna call out
1969.09 -> that I will show four things,
1970.3 -> like four critical things during our demo.
1972.53 -> The first thing is the easy enablement piece.
1975.2 -> The second is the Inspector score.
1978.61 -> I'll show how did we translate from let's say Red Hat
1983.54 -> or NVD score to Inspector score.
1986.41 -> Then I will launch a new instance
1988.85 -> and we'll show you how easy is it
1990.54 -> to just attach an SSM instance role
1993.37 -> and how quickly Inspector picks it up.
1996.03 -> And finally, the ECR integration.
1998.92 -> And there are key differences
2001.25 -> where ECR currently offers a Clair-based solution natively
2007.12 -> which will now be called as basic offering
2010.27 -> and the enhanced offering will be powered by Inspector.
2013.7 -> And there are significant differences between
2017.07 -> basic and enhanced.
2019.307 -> And I would call out three of them
2020.6 -> and I'll show you in that demo right now.
2022.95 -> First is that we not only support
2025.2 -> operating system packages, we support
2027.23 -> all programming languages.
2028.69 -> Or most of the programming languages,
2030.2 -> also including Python, Java, Ruby, Lotus, etc.
2035.02 -> And we gave an option in enhanced
2038.29 -> if a customer wants to do only one time scan at push
2041.85 -> or a continual scan where if a new CVE is published,
2046.36 -> it automatically re-scans.
2048.64 -> The third is, since as you know,
2050.54 -> containers are comprised of multiple layers
2053.97 -> and one base image could be used in multiple images.
2059.89 -> So we provide the vulnerability view not only
2064.13 -> at the image level, but also by layer
2066.51 -> so that it's easier to remediate and fix.
2070.77 -> So let's get started with the demo.
2072.77 -> I'm just gonna.
2076.38 -> So when you login to Inspector as
2078.81 -> the organization's management account
2081.214 -> this is the first screen that you will see.
2083.229 -> And all I have to do is.
2086.28 -> And delegate, that's it.
2087.93 -> Now, what will happen here is that
2090.21 -> this will delegate that account
2091.897 -> as the delegated admin account.
2093.91 -> As well as enable Inspector for the DA account.
2099.02 -> Now, what I'll do is in the meanwhile,
2101.08 -> I'll login to the other account.
2107.43 -> So while Kashish is loading that up,
2110.34 -> we do have a video that shows all
2113.09 -> of the capabilities we just weren't going
2115.41 -> to have enough time to show it today.
2117.18 -> But if you look at our website
2119.55 -> in the coming weeks you'll be able
2121.56 -> to download that and watch the whole thing.
2126.09 -> So let's go to Inspector.
2134.21 -> So as you can see.
2136.45 -> As soon as you enter or see the first glance
2139.49 -> at the Inspector dashboard,
2140.99 -> you will be able to see that we provide
2142.5 -> the environmental coverage.
2144.522 -> And I'll click on one of these,
2145.48 -> each one of these in a second.
2147.2 -> But we provide you at the account level
2149.12 -> for the DA, how many accounts are being scanned
2151.05 -> by Inspector, how many instances
2152.42 -> are being scanned by Inspector
2154.08 -> and if there are some not, we will provide you
2157.64 -> that actionable guidance, also.
2159.49 -> So let's look at account management first.
2161.98 -> So one of the things that's featured
2163.85 -> is the auto enable scanning for new accounts.
2166.33 -> So let's say if you add a new account
2167.94 -> in your AWS organization, you don't have to come
2170.5 -> and manually enable Inspector anymore.
2172.98 -> You can just stall this and you can save it.
2175.5 -> So that any new account added to your AWS organization
2178.82 -> is automatically enabled.
2180.73 -> And for the first time when you're enabling,
2183.07 -> all you have to do is click on this
2185.25 -> and enable all scanning, that's it.
2187.44 -> This will automatically enable scanning
2189.42 -> for all your accounts across your organization.
2196.54 -> So not only does this solve one of those core problems
2200.61 -> we heard from customers regarding,
2202.12 -> I don't necessarily know what's out there,
2204.45 -> this also helps them prevent any holes
2206.85 -> from coming in the future by auto enabling.
2209.5 -> Yup.
2210.41 -> And this is what I was talking about.
2211.98 -> So for each of the instances
2214.07 -> we provide you this view.
2216.67 -> Which is scanning continuously.
2219.03 -> For example, this one is not being scanned.
2220.7 -> Why not?
2221.973 -> Because the EC2 instance is not managed yet.
2223.2 -> You have to either install the SSM agent
2225.859 -> or attach that instance role.
2229.52 -> Now, SSM agent is already pre-installed
2232.06 -> in a lot of the AMIs.
2233.76 -> Including Amazon Linux, SUSE, Ubuntu, different versions.
2238.2 -> So all you have to do is attach an instance.
2240.89 -> And I'll show that in a second.
2244 -> But let's go and see how Inspector score is
2250.29 -> really critical.
2251.43 -> And I will walk you through what a finding looks like, also.
2255.5 -> So let's look at the CVE cloud in it.
2258.1 -> We will show you details like which ID it is,
2261.417 -> the severity and severity is determined
2263.17 -> by Inspector score.
2264.92 -> And we give you details around which packages are affected,
2268.21 -> which version, and so forth and so on.
2270.75 -> And so, we provide you Inspector score
2273.86 -> as well as the scores provided by Red Hat,
2277.42 -> NVD, both CVSS V3 and V2 wherever applicable.
2281.04 -> And then we provide you details like tags
2284.55 -> and you know, for example cost center tags, etc.
2289.05 -> And if you click on this tab here, Inspector score.
2292.66 -> So this will show you, how did we arrive
2295.27 -> from that base CVSS score to Inspector score.
2298.79 -> So here if you look at attack vector,
2301.34 -> which means the CVE can only be exploited remotely,
2304.34 -> but we found that instance doesn't have
2306.25 -> any open network path.
2308.13 -> So, it's not that critical anymore.
2310.42 -> So we adjust the score based on that
2312.55 -> and from there we get to the severity
2316.76 -> and the best part is we do that basic triage
2320.25 -> and analysis for you.
2321.61 -> So the risk-based remediation panel that you see,
2324.33 -> this is what we call top five things on fire.
2327.36 -> And after talking to several security teams
2329.49 -> they were like, the bigger your environment is
2333.17 -> there are just so many findings.
2334.86 -> We don't know what to fix first.
2336.6 -> So here we identify top five packages
2339.5 -> based on how many critical, or how many CVEs it has.
2344.97 -> The severity of the CVEs as well
2346.83 -> as how many resources it is impacting.
2349.23 -> So we collate all that and what we call,
2352.16 -> like I said, five things on fire.
2354.2 -> So that you can go and patch those first.
2358.77 -> Now, what I'll do is I will launch an instance
2362.07 -> because it takes a couple of minutes
2364.51 -> for an instance to get launched.
2366.11 -> And in the meanwhile I'll show you how ECR would work.
2368.34 -> So let's say if we launch an instance.
2370.56 -> I'm just gonna use EL2.
2376.27 -> And just as a reminder,
2377.44 -> this was one of the other customer issues
2379.84 -> that we heard about.
2381.45 -> So Inspector will see this launch
2384.36 -> and it doesn't matter if it's now,
2387.37 -> tomorrow, middle of the night.
2389.47 -> Inspector sees it.
2390.92 -> If there's findings, it generates it.
2392.92 -> And if it goes down, that trail is still part of Inspector.
2397.15 -> So all you have to do is here,
2399.63 -> attach an instance role and you can create
2402.18 -> an instance role for SSM using quick setup also.
2406.07 -> So all I have to do is this, that's it.
2408.04 -> Next is basic configuration.
2409.91 -> If you wanna add tags and so forth and so on.
2413.185 -> I'm just gonna use an existing security group.
2419.87 -> Here, I've got to login.
2426.26 -> That's it.
2427.752 -> So let's see.
2429.53 -> This is the instance ending in 26D0.
2432.91 -> So while it launches, I'll show you how ECR piece works.
2441.2 -> So in the container image,
2443.01 -> let's see first by layer view.
2446.28 -> So this is the overall image view
2448.8 -> where we show you overall findings for this image
2451.61 -> and in layer view we show you how
2454.22 -> these vulnerabilities are distributed
2457.54 -> between different layers.
2458.88 -> So that layers, usually the base layer
2461.9 -> and as you can see there are 483 findings there.
2465.13 -> So you would rather go and patch that first
2467.532 -> versus having to go and patch all the other things.
2469.53 -> And since we are integrated with ECR
2473.13 -> you can see the same results.
2474.93 -> The developers can see the same results
2476.76 -> in their environment.
2479.33 -> So let's go to repositories.
2481.54 -> How this would look like now is basic and enhanced,
2486.69 -> like I mentioned earlier.
2488.505 -> Basic is powered by Clair.
2489.338 -> Enhanced is powered by Inspector.
2492.116 -> And if you don't wanna scan all your repos
2494.3 -> you can select prefixes and suffixes
2496.48 -> on which repos you wanna scan continuously.
2498.95 -> Which repos you wanna scan only on push.
2501.64 -> And developers can enable Inspector
2504.89 -> or choose enhanced scanning through ECR.
2507.4 -> That will automatically enable Inspector
2509.42 -> and vice versa.
2510.32 -> If central security team enables Inspector through Inspector
2513.82 -> it will automatically change
2515.02 -> the scanning type to enhanced in ECR.
2517.5 -> And the same results you will be able
2519.2 -> to see in these repos.
2522.92 -> So for example, in overview you will be able
2524.61 -> to see all the same findings which
2526.59 -> is in Inspector as well as here.
2530.49 -> So let's go back to Inspector and see
2532.35 -> if that instance has launched yet.
2534.58 -> And as Kashish is going back there,
2536.11 -> just as a reminder, one of the things
2538.22 -> security teams told us is they don't wanna
2540.15 -> share their security tools.
2541.83 -> You know, they don't wanna provide
2543.17 -> their developers that view.
2544.33 -> Now developers can get that ticket.
2546.65 -> Like, you know, the dreaded ticket that Ankit talked about.
2549.67 -> But they can go into the tool that they're used
2552.019 -> to using every day and they'll see
2553.46 -> the exact same information because it's shared
2554.79 -> between Inspector and ECR.
2558.07 -> So one of the things that you can see here
2559.85 -> is the new instance that we launched ending in 26D0.
2563.73 -> It has no findings.
2564.563 -> We already scanned it.
2565.396 -> It has no findings.
2566.53 -> And I'll show you why.
2567.53 -> So if we go to this.
2571.87 -> And I'll show closed also.
2576.26 -> All right, let me.
2577.17 -> Let me go to all findings and show closed,
2581.04 -> because while we launch a new Amazon Linux instance
2585.79 -> it automatically runs updates.
2588.39 -> So if there were CVEs that are automatically closed
2591.71 -> you can see here that if you look at age,
2595.37 -> two minutes, three minutes ago
2596.95 -> these were automatically closed.
2598.43 -> Since we tracked, we scan it immediately
2600.67 -> as soon as it launches.
2602.18 -> The auto update takes a couple of minutes to do that.
2605.09 -> In the meanwhile, we automatically dived it.
2606.83 -> We automatically closed it also.
2610.71 -> So this was the end of the demo
2613.127 -> and we can take questions now.
2618.712 -> And it is hard for us to see you,
2619.74 -> so if you could stand or something,
2621.25 -> I think that would make it a little easier.
2623.487 -> Does this work with WorkSpaces?
2627.217 -> Yeah.
2628.05 -> I heard.
2628.883 -> Yeah, will it scan WorkSpaces?
2630.286 -> Yeah, just to repeat the question for everyone.
2632.01 -> Does this also scan WorkSpaces?
2635.15 -> Today it does not.
2640.073 -> Is it in GovCloud yet?
2643.073 -> I'll just repeat the question.
2644.54 -> He was asking if it was available in GovCloud yet.
2647.56 -> No, not right now.
2648.57 -> But we are available globally in 19 commercial regions now.
2655.56 -> Any other questions, yeah.
2658.96 -> (Audience question)
2666.98 -> So his question was, Inspector Classic required
2669.89 -> a standalone Inspector agent.
2671.45 -> Do we still need that or is it completely agent-less?
2674.06 -> So the answer is, you still need
2676.08 -> the Systems Manager agent, but you do not need
2678.19 -> the standalone Inspector agent anymore.
2681.89 -> The reason was, SSM agent, we heard
2683.84 -> from the customers is already widely adopted.
2686.18 -> And has far broader use cases than just security.
2689.16 -> So for those customers it just becomes agent-less
2692.04 -> because they are already using it.
2694.5 -> There was a question up here, go ahead.
2696.91 -> Yeah, so in some
2698.562 -> of the slides it looks like you were scanning AMIs.
2702 -> Are you scanning instances or can you actually,
2706.097 -> can Inspector...
2708.06 -> Yeah, so the question was
2709.55 -> in some of the slides it looked like
2711.97 -> Inspector was scanning AMIs,
2713.97 -> are we doing that?
2715.3 -> Or are we just scanning the instances?
2717.27 -> So today we are not scanning raw AMIs
2720.35 -> but we are providing different views.
2722.64 -> So one of the things we learned
2724.347 -> from customers is that they all do
2725.61 -> their job in a different way and they're
2726.9 -> all creating dashboards for different purposes.
2729.47 -> And one set of customers,
2731.73 -> like Ankit was talking about with Uber,
2734.27 -> they wanna regenerate their AMIs.
2736.57 -> So within the dashboard, and are we on that right now?
2740.119 -> Yeah.
2740.952 -> You can see that one of the things we do
2741.84 -> is while we're not scanning the AMI
2743.32 -> we do allow you to group that data by AMI.
2745.94 -> So you can take a look and say, oh look,
2748.11 -> you know AMI XYZ has the most findings that are critical.
2752.65 -> That's the one I need to target for recreation and relaunch.
2757.31 -> You know, I would say stay tuned.
2759.44 -> This is just kind of the beginning of the new Inspector
2763.43 -> and so I think it's easy to imagine you seeing us
2766.98 -> support a lot more resources in the future like AMIs.
2773.653 -> If you scan an image in the registry
2777.545 -> and you have a vulnerability,
2779.093 -> can you tie that to if it's seen running
2782.14 -> on an instance in your environment,
2784.756 -> is that part of the scoring?
2786.93 -> So right, the question was
2788.18 -> since we scan the static images,
2790.42 -> do we map it to the running containers also?
2793.13 -> Not at the moment.
2795.036 -> Okay.
2798.289 -> Are there any plans to do it?
2801.023 -> (indistinct)
2802.31 -> We are exploring such options.
2803.98 -> If we have to do it, we will start with mapping first.
2807.73 -> The images that are being used in ECS and EKS especially.
2811.24 -> Yeah, because one of the things you can imagine
2813.18 -> is you know, for some customers, these container images
2815.73 -> turnover very quickly and you know,
2818.68 -> a container that's five days old
2821.1 -> may never be used.
2823.46 -> Or it could be used, and so knowing that
2826.9 -> it's actually running.
2828.48 -> We've heard from security teams,
2830.9 -> that's really important to us.
2833.58 -> And so obviously that's something you would
2835.8 -> imagine we would do.
2839.21 -> Question?
2841.42 -> Is it limited to EC2, ECR
2843.853 -> or does it scan also those others?
2847.01 -> Yeah, so the question is,
2848.828 -> is this limited to EC2 and ECR
2851.15 -> or can it do other types of images like RDS?
2854.81 -> So today it is limited to EC2 and ECR, yup.
2860.05 -> RDS is a managed service so we're
2863.31 -> not collecting data from those services.
2868.58 -> Go for it.
2870.682 -> Is the aggregation
2872.799 -> that you're mentioning to do with per region
2875.68 -> only at the organization level?
2878.82 -> So we do it account aggregation right now.
2881.38 -> So the question was, do we aggregate
2883.48 -> the regional thing at the delegated admin level, right?
2887.9 -> I saw it come up
2889.945 -> and I enabled it up on my account immediately
2891.54 -> and saw that it's per region right now?
2894.36 -> Yeah, it is, it's a regional service.
2896.4 -> But what you can do is Security Hub recently launched
2900.1 -> a feature for centralizing that.
2902.44 -> So you can use Security Hub for centralizing
2904.76 -> across regions, but in Inspector we consolidate
2908.68 -> across all accounts but regionally.
2913.135 -> I saw a question back here.
2914.522 -> (Audience question)
2917.333 -> Yeah, so the question is, does it cover CIS and STIG?
2919.75 -> So Inspector V1 does cover CIS.
2924.61 -> That is not covered by the new Inspector.
2927.91 -> Our intention is to make this Inspector
2931.76 -> at parity with V1 so that customers
2934.77 -> feel comfortable completely moving to the new Inspector.
2938.12 -> There were questions there.
2940.441 -> (Audience question)
2951.4 -> Got it.
2952.821 -> So his question is does Inspector allow
2954.14 -> custom configurations or custom rules?
2956.36 -> No, we felt like security teams told us
2960.1 -> they don't need that overhead.
2961.5 -> So at the moment we don't do that.
2964.322 -> (Audience question)
2967.23 -> So when you say rule sets?
2970.388 -> (Audience question)
2983.96 -> Oh yeah, so right now we don't expose
2986.49 -> our vulnerability intelligence database externally.
2989.84 -> But we might in the future.
2992.2 -> But if that's something, you know,
2993.84 -> if teams feel like they're interested
2995.9 -> we'll write that down as up and coming.
2999.59 -> Yeah, well one of the things is like,
3001.682 -> we will show our contact information
3002.56 -> and there is a email alias that we created
3006.25 -> [email protected].
3009.65 -> Feel free to reach out.
3011.907 -> Rick and I continuously monitor that
3013.1 -> and if we get an overwhelming response
3016.07 -> for a certain feature, we will definitely explore that.
3018.31 -> Because as you know Amazon delivers 90%
3022.28 -> of the features depending on the customer feedback.
3028.18 -> Yup?
3029.588 -> (Audience question)
3035.11 -> So I'll answer that in two parts.
3038.628 -> So, his question was, does it only identify
3042.01 -> vulnerabilities in OS layer
3043.25 -> or also in the application layer?
3045.08 -> So our EC2 instances we do.
3049 -> We discover everything installed
3052 -> through OS package managers.
3053.84 -> But if you are installing those applications
3056.05 -> through OS package managers we do scan those also.
3059.32 -> And for container images, like I mentioned,
3061.54 -> we support all programming languages also.
3064.762 -> (Audience question)
3073.24 -> Yeah, yeah.
3077.455 -> (Audience question)
3086.642 -> Yeah.
3087.88 -> (Audience question)
3090.03 -> Sorry, could you repeat that question?
3092.548 -> (Audience question)
3098.4 -> So the question is,
3100.615 -> since SSM agents can be installed on on-prem instances also,
3103.84 -> do we support on premise right now?
3106.72 -> No, we do not.
3107.85 -> Not at the moment.
3110.83 -> Yup?
3112.682 -> (Audience question)
3127.562 -> Correct.
3128.413 -> (Audience question)
3134.522 -> It's your wish.
3135.355 -> Because right now when we push findings
3137.47 -> to Security Hub, we push findings
3139.66 -> from one to one mapping in account.
3141.47 -> Because there could be different security teams.
3144.18 -> Vulnerability management team might be just
3145.68 -> looking at Inspector.
3147.61 -> Overall central security might be looking at Security Hub.
3151.07 -> So we do one to one mapping
3152.78 -> and both can have their individual DAs.
3156.746 -> Yup.
3157.802 -> Question?
3158.655 -> For the images
3159.986 -> is there a way to identify which
3161.401 -> are actively used or last used,
3163.374 -> or if there's images in your ECR
3165.518 -> that are just sitting there?
3167.705 -> (Audience question)
3168.81 -> Yeah, so the question was,
3170.852 -> is there a way for you to,
3173.37 -> and I'm just making sure I get your question correct.
3175.31 -> So the question was, it sounded like your question was,
3178.89 -> how do you know how active this image is?
3182.34 -> Do you care if it's an image?
3184.104 -> Yeah, so one of the things we did not really
3186.465 -> kind of talk about is that when you enable
3189.22 -> Inspector we only look backwards for images
3192.12 -> pushed within the last 30 days.
3194.85 -> And we kind of consider that the active set.
3198.1 -> There's two modes for ECR.
3200.97 -> One is I'm only going to scan it once on push
3204.46 -> and you know, we're doing that because some customers
3207.01 -> just cycle through their containers so quickly
3210.2 -> like, continuing to monitor
3213.03 -> just doesn't make sense for them.
3214.64 -> Then there's another mode called continuous,
3216.51 -> and if you select that then for 30 days
3219.05 -> we will continue to monitor that image.
3221.4 -> And if there is, you know,
3222.65 -> as we look at the CVE landscape that Kashish talked about,
3225.39 -> if there is a change that impacts that image
3227.6 -> we will reassess it and you may
3229.32 -> have new findings based on that.
3231.6 -> But today it's strictly based on kind of that push date.
3235.85 -> So then you stop after 30 days?
3238.1 -> In continual mode we do stop after 30 days,
3241.03 -> that is correct.
3243.77 -> In the back?
3244.84 -> Do you have any plans to include
3247.397 -> recommendations as part of training the API
3250.234 -> for a base of knowledge.
3252.357 -> (Audience question)
3255.92 -> So his question was do we provide remediation details.
3258.18 -> We do provide some remediation details right now,
3260.63 -> but in the near future you will see we will also
3262.79 -> provide fixed in package data.
3265.11 -> So for example, this version is vulnerable,
3267.55 -> this version you will fix that CVE.
3272.99 -> Any other questions?
3274.424 -> In the back right.
3275.451 -> (Audience question)
3277.13 -> How does it handle stopped instances?
3280 -> So right now we are handling it as active instances.
3285.6 -> Because some customers, what we heard was,
3287.71 -> they stop the instance overnight
3290.51 -> or over the weekend to save costs.
3292.6 -> And new CVEs can still pop up during that time.
3296.1 -> So we do consider them as active instances at the moment.
3299.76 -> But we are actually talking to a lot
3301.83 -> of customers to get that feedback.
3303.917 -> Do they want to consider it as a terminated instance
3305.54 -> or as an active instance?
3308.704 -> (Audience question)
3311.37 -> Yeah, that's another option, definitely.
3318.277 -> (Audience question)
3323.95 -> Yeah, so basic scans are still free of cost
3328.18 -> as they're offered today.
3329.09 -> Enhanced scanning has a cost attached to it.
3331.9 -> For enhanced we charge nine cents per image
3335.34 -> for the initial scan.
3337.14 -> And if you choose continuous scanning,
3340.55 -> for each automated re-scan we charge one cent.
3344.75 -> And another difference between Inspector classic,
3348.25 -> which is the one, you know, the rename
3350.06 -> for the service that launched in 2015.
3353.97 -> That pricing for the EC2 assessments
3356.33 -> was every time you assessed it we would charge you.
3359.26 -> Here because, you know, we're monitoring
3362.4 -> and we're assessing when we feel like we need to
3364.38 -> based on the landscape, we're charging you based
3367.15 -> on coverage hours.
3368.3 -> So it's very easy to predict based
3371.26 -> on how long your instance is running.
3373.71 -> If you're running the SSM agent
3375.8 -> and you have it configured correctly,
3376.9 -> then we're covering it the same amount of time
3379.25 -> and your charge is gonna be very predictable based on that.
3382.5 -> But that is the difference between
3384.26 -> the old Inspector and the new Inspector.
3389.15 -> A question over there.
3391.28 -> Is there any thought
3393.142 -> of adding common weakness enumerators, CWEs?
3396.71 -> So the question was is there any
3399.73 -> plan to add common weakness enumerations, CWEs?
3403.13 -> Not right now, but happy to take that feedback.
3411.13 -> Any other?
3411.963 -> Yeah, it's a little hard to see
3413.877 -> with the lights, so please don't feel bad
3414.77 -> about shouting out your question.
3417.604 -> Is there plans
3419.143 -> to be able to classify the risk factor?
3421.517 -> No, actually a lot of customers have asked that.
3424.18 -> We would rather ask you to tell us
3427.32 -> what you want to get included.
3429.379 -> Because most of the times
3430.212 -> most customers want the same things.
3431.36 -> So whatever you feedback, we'll try to include it
3434.73 -> so that all customers benefit from it.
3437.87 -> And one thing that we didn't really highlight,
3439.89 -> but when you looked at that findings detail,
3442.75 -> while we do have the Inspector score,
3444.84 -> we've also preserved scores from NVD and from vendors.
3448.31 -> So, as that data gets pushed into the Security Hub
3451.13 -> or EventBridge, you have access to all that data.
3454.8 -> And so if you feel like the vendor score
3456.33 -> is the one you wanna standardize on or NVD,
3458.98 -> that data is there as well.
3464.003 -> Oh.
3464.836 -> I think you just talked,
3465.828 -> there was a mention about AWS CodeGuru.
3467.763 -> Is there any plan to correlate
3468.637 -> the findings between the two?
3470.977 -> Inspector and CodeGuru.
3472.617 -> And see whatever lines up?
3474.283 -> We have talked about it,
3475.337 -> but there are no concrete plans yet.
3479.91 -> (Audience question)
3481.137 -> Oh, so the question was,
3482.89 -> he attended another session with CodeGuru
3485.07 -> and he was wondering if CodeGuru
3487.207 -> and Inspector will be integrated.
3491.92 -> Over on the right.
3493.3 -> Does it run just fine
3494.67 -> in parallel with the classic Inspector?
3497.24 -> So, the transition is?
3498.27 -> That's a good question.
3499.27 -> So he's asking, can you run Inspector Classic
3501.72 -> and the new Inspector together in the same account.
3504.297 -> The answer is yes.
3505.27 -> Since we built this service from the ground up,
3507.66 -> we didn't use any components from V1.
3510.05 -> And you can use both in parallel.
3512.2 -> That being said, we will put a deprecation notice
3514.86 -> on Inspector Classic soon.
3516.62 -> A 12 month deprecation notice.
3519.33 -> So we will support it for some time
3520.95 -> until all our existing customers migrate
3523.14 -> to the new Inspector.
3524.49 -> But we do have plans to deprecate it.
3527.06 -> And if you are using Inspector V1
3529.31 -> and you wanna kick the tires on the new Inspector
3532.21 -> there is a free trial.
3533.7 -> So you can use it for 15 days risk free
3537.11 -> to understand if it meets your needs
3539.7 -> and kind of see all the features and things
3542.793 -> that we kind of only did a partial demo of today.
3546.89 -> Go ahead.
3547.723 -> With that being said,
3549.416 -> for classic Inspector.
3550.52 -> Classic Inspector gave PDF reports of the scans.
3555.65 -> Yeah, so you know, it's difficult for us
3558.24 -> to kind of make any commitments up here,
3560 -> but obviously we know that there has
3563 -> to be a level of parity between the new Inspector
3565.567 -> and the old one for customers who are using
3567.74 -> the old one, to feel comfortable moving.
3570.5 -> Yeah, his question was about reporting.
3572.64 -> So here we do allow exporting the findings
3576.44 -> in JSON and CSV format.
3578.63 -> And you can do it in multiple ways.
3580.34 -> You can either try, you can export the complete
3582.99 -> set of findings through delegated admin,
3584.98 -> or you can add filters.
3586.37 -> So if you want to export only let's say for one account
3589.5 -> or two accounts.
3590.333 -> Or only one severity, or only a specific CVE.
3595.69 -> So you can play around with filters
3597.28 -> and you can customize as much as you want
3599.13 -> and you can either choose to just download
3602.15 -> or export the whole finding list,
3603.89 -> or that filtered finding list.
3606.36 -> And similar filters apply to suppression rules also.
3611.06 -> I'm sorry, go ahead.
3611.893 -> Oh, I was gonna say I think we're out of time here.
3613.61 -> So, we are out of time.
3615.48 -> But if you have more questions please feel free to grab us.
3619.68 -> We'll be here for a couple minutes
3621.35 -> and then we can certainly talk to you outside as well.
3624.56 -> Thank you for joining.

Source: https://www.youtube.com/watch?v=0nyy7fP4vCI