AWS re:Inforce 2022 - Strategies for securing your cloud & mitigating potential risks (DEM217-S)

Join this talk to learn how AWS customers are using Wiz to build scalable and predictable security workflows that accelerate development and innovation for many teams. In this talk, Wiz shares its unique approach to correlating the entire security stack to remove unseen areas and effectively reduce risk. This presentation is brought to you by Wiz, an AWS Partner. (DEM217-S)

Learn more about AWS re:Inforce at https://bit.ly/3baitIT.



Content

0.81 -> - Well, thanks for coming. So I'm Ken Sigel with Wiz.
4.62 -> I think this is the last presentation of the day,
6.27 -> so hopefully, I'll make it pretty exciting for you,
8.64 -> and then we can all go do some fun things.
11.13 -> I'm gonna talk about strategies for securing your cloud
14.7 -> and mitigating potential risks.
16.32 -> And really that means,
17.58 -> how do I see what's going on in my cloud,
19.23 -> and I can figure out what to focus on,
21.96 -> where I've got critical severities,
23.58 -> where attackers could actually get into my environment,
26.04 -> and cause some havoc?
27.36 -> I wanna figure out how to solve those.
30.9 -> Little background on Wiz first.
32.79 -> Wiz is just over two years old.
34.92 -> Already, we're trusted by almost 30%
36.84 -> of Fortune 500 companies,
39.45 -> that are trusting Wiz for their cloud security journey.
42.03 -> Some are going on a journey of migrating
44.1 -> from on-prem to the cloud,
45.78 -> lifting and shifting VMs and resources into the cloud.
49.29 -> Others are going on a more modernization journey.
51.869 -> They're already in the cloud and VMs, containers.
55.2 -> They have Kubernetes environments
56.64 -> and maybe they're modernizing those
58.35 -> using serverless functions
59.58 -> and other cloud-native application development practices.
65.4 -> Wiz monitors over 50 AWS services.
70.35 -> We're also deployed in AWS China.
73.11 -> We can secure AWS GovCloud as well.
77.01 -> While we focus on large enterprises and other verticals,
81.3 -> we also can protect environments that are highly regulated.
84.33 -> So oil and gas, healthcare, financial services companies
88.47 -> rely on Wiz to protect their environments.
91.08 -> Wiz is a security competency partner with AWS
94.62 -> and that designation means AWS recognizes
98.28 -> our technical expertise and our success
100.74 -> with existing customers, joint customers with AWS.
105.09 -> We're on the marketplace and available by private offer.
110.28 -> Let's get into it.
111.113 -> So how do you prioritize vulnerabilities?
114.96 -> The traditional way to prioritize a vulnerability
118.35 -> would be by a CVSS score from zero to 10,
122.13 -> and you'd have a cloud resource like an EC2 instance,
124.71 -> a virtual machine, you'd have a container.
127.38 -> Potentially, that vulnerability would be there.
129.15 -> Anyone heard of Log4j? Probably.
132.45 -> It was pretty high and wide,
134.19 -> very exploitable on a lot of resources.
137.43 -> I had a customer that had thousands
139.38 -> of resources with Log4j.
142.23 -> How did they identify the ones
144.78 -> that actually had critical severity risks?
147.72 -> How did they focus on those?
148.74 -> And we found 30 out of the thousands
151.29 -> that they had that had things like public exposure,
155.55 -> secrets, admin access
159.06 -> into things like storage buckets and databases.
161.97 -> It's all of this context across the workload,
164.28 -> the cloud, the business context
165.81 -> of who owns that application.
167.07 -> Is it production? Is it serving customer applications?
170.79 -> All of that context is really important to understand.
173.64 -> And with Wiz, this is exactly what we do.
176.28 -> We take all of that information,
179.16 -> provide that context as one notification,
182.19 -> instead of multiple different alerts on vulnerabilities
185.22 -> that could have all different range of CVSS scores,
188.76 -> secrets like SSH or cloud access keys,
191.82 -> where you're given really no context other than,
194.58 -> hey, you have an admin permission associated
196.5 -> with a cloud access key.
198.03 -> You go find and investigate how to deal with it.
200.37 -> These are the things that we wanna solve with Wiz.
204.15 -> Now there are really four steps.
205.68 -> First step is we want to connect to the environment.
208.32 -> A lot of tools use agents,
210.21 -> they have a long deployment process, it's very difficult.
212.85 -> With Wiz, we're connecting to the clouds
215.1 -> with the cloud APIs.
216.93 -> By doing that, we're able to set up a connector
219.15 -> that has read-only permissions
220.98 -> and permissions to take VM snapshots
223.26 -> to analyze the VM system disk, to see inside workloads,
227.1 -> to see applications, misconfigurations, vulnerabilities
231.96 -> across the entire full stack of the environment.
234.9 -> So a connector for us takes only a few minutes to connect
237.75 -> and then we can start seeing the entire AWS stack,
241.86 -> all resources, analyze risks,
244.59 -> and focus on risks that matter to prioritize them
246.87 -> based on combinations of risk,
249.39 -> and then we can start operationalizing.
251.37 -> We can automate ways we can remediate those
253.32 -> or help our customers to remediate
255.18 -> those most critical risks.
257.64 -> So I'm gonna dive into the first part.
260.7 -> When we connect into an AWS account or an AWS org,
265.17 -> the API access, we wanna have least privilege access
268.11 -> like read-only permissions, the lowest level possible.
271.38 -> We still want us to have visibility
272.76 -> to the entire environment,
275.46 -> but we wanna make sure that Wiz has very low privileges.
279.06 -> We also have the privileges to take a snapshot
280.98 -> of EC2 instances, and that's how we're able
283.14 -> to see inside those workloads without an agent.
285.78 -> And that's critical because that allows us
287.4 -> to connect in minutes to the entire AWS organization,
291.6 -> all of your AWS accounts, see all of your resources,
295.2 -> but the deployment takes only minutes.
299.04 -> Once we deploy, the next step for Wiz
302.22 -> is to start doing analysis, vulnerability analysis,
305.55 -> analyzing the network exposure,
307.23 -> looking at public exposure from the internet,
310.08 -> looking for misconfigurations in your workloads,
312.3 -> misconfigurations in your networks,
314.79 -> maybe over-permissive identities and entitlements,
318.48 -> looking at secrets like SSH keys,
320.82 -> database connection strings
322.5 -> that might allow attackers to use those.
325.41 -> And what is special about Wiz
327.03 -> is everything that we're using to identify this information
330.78 -> is being put into the Amazon Neptune database.
333.96 -> So all the resources that we have,
335.88 -> network resources, identities, roles,
339.3 -> workloads like virtual machines, containers,
341.19 -> are all in Amazon Neptune,
343.35 -> and that allows us to take disparate pieces of information
345.99 -> like network, and entitlements, and vulnerabilities,
348.96 -> and understand the relationships between them.
351.72 -> Once we do that,
352.553 -> we can actually understand where the risk is.
354.84 -> If I have a complex risk like a virtual machine
357.57 -> exposed to the internet, it has a vulnerability
360.63 -> that can allow the attacker into the machine,
363.57 -> potentially an SSH key, or a cloud access key
365.937 -> accessing other AWS accounts.
368.49 -> I have some impact of exposure.
370.44 -> So it's the graph that allows us
371.79 -> to understand those relationships.
375.12 -> Once we use the graph to prioritize the most critical risks,
379.89 -> then we're doing this analysis,
381.45 -> effectively looking at the network of,
384.27 -> you may have cloud configurations of a virtual machine
387.45 -> exposed through an internet gateway
389.64 -> or exposed through CloudFront or a load balancer,
392.91 -> Wiz does all of the work
394.26 -> to understand exactly how things are exposed.
396.75 -> You may have containers exposed through Kubernetes cluster
399.27 -> which has its own network configuration,
401.97 -> and we need to layer on Kubernetes network information
405.54 -> with the cloud information, cloud network configuration.
409.08 -> So we understand effective exposure.
411.15 -> We take into account all routing rules,
413.46 -> any service control permissions, any network policies
418.35 -> that would grant or restrict access to those resources
420.9 -> exactly how the attacker sees it.
425.07 -> The next thing we do is the same thing for identities.
428.37 -> If we wanna see from a virtual machine or a container
431.67 -> that has access to storage or a SQL database,
435.21 -> we wanna understand that effective exposure.
437.61 -> So we take into account all the analysis
440.07 -> of the identity, the entitlement that gives access
442.56 -> so we understand what the attack path,
444.24 -> what the risk is and the impact of that.
448.74 -> When we put those together,
450.72 -> we can start with a real world example.
452.25 -> In the bottom, I have in blue,
454.35 -> those are my workloads in the graph.
456.78 -> These workloads are running Linux, it's unpatched,
459.75 -> it has many vulnerabilities,
461.97 -> it allows the attacker to gain access.
464.16 -> The problem is now it's exposed to the internet.
466.23 -> If it wasn't exposed to the internet,
467.7 -> maybe it would be a lower risk.
469.86 -> But because we can see exposure through CloudFront
472.5 -> and an internet gateway, I know that it's exposed
475.44 -> and the vulnerability allows the attacker into the VM.
478.86 -> I also know that maybe there's a misconfiguration.
480.96 -> Maybe all access should go through CloudFront,
483.93 -> not the internet gateway.
486.33 -> So it's very easy to identify potential misconfigurations
489 -> in the network because we know exactly
490.71 -> how things are connected.
492.9 -> The other piece of information we collected
494.67 -> is there's a private key that exists inside that workload,
497.82 -> on the disk of that machine.
499.53 -> This private key, we don't just tell you,
501.517 -> "Hey, there are private keys in your environment,"
503.28 -> 'cause everyone has private keys,
505.087 -> "and you do the investigation."
507.81 -> We're gonna do that for you.
509.13 -> We're gonna figure out what public keys
510.66 -> are associated with the private key,
512.4 -> we'll go find those public keys on every resource
515.13 -> in your AWS environment or other clouds,
517.83 -> and tell you what the lateral movement path looks like.
520.38 -> So now I can see I've got public exposure
523.29 -> to a VM that's vulnerable, a private key that gets access
526.98 -> to another machine that has access to a database.
530.37 -> This is how most breaches happen:
532.83 -> there's indirect exposure to a database.
534.75 -> The database or the storage bucket
536.25 -> is not exposed directly to the internet,
537.96 -> there's no access point directly,
539.97 -> but through indirect exposure is how it's affected.
542.91 -> And Wiz is able to uncover that,
544.71 -> all with setting up a connector
546.69 -> that takes only a few minutes.
548.49 -> We do this analysis across all of your clouds
551.7 -> on a daily basis, so we see all risks on a regular basis.
556.35 -> Now the fourth step is once we identify those risks
559.56 -> in the cloud environment,
561 -> how do we enable teams to act on those?
563.31 -> I get the question pretty regularly of, "Can you remediate?
566.88 -> How do you remediate?
567.9 -> Because that's really the concern
569.1 -> is now that I have this issue,
570.54 -> I've been able to focus on the risk,
572.34 -> what do I do next?"
574.05 -> With Wiz, we integrate with dozens of products.
576.48 -> Most common is to integrate with Jira to create a ticket.
579.54 -> If I see a critical issue,
581.31 -> we can immediately create a ticket in Jira,
584.34 -> deliver it to the right team so they can fix their issue.
587.37 -> DevOps application owners can also access Wiz
590.61 -> so they can see their own issues, act on them,
593.85 -> and we know that it's resolved.
597.63 -> In addition to looking at the cloud estate,
599.28 -> we also wanna protect earlier in the life cycle.
601.41 -> So when there's a build process
603.33 -> where a virtual machine image
604.92 -> or a container image is being created,
606.81 -> or infrastructure as code
608.01 -> where you might have a Terraform plan
610.11 -> or a CloudFormation template, Helm chart,
613.26 -> we wanna analyze using the same policies we do
615.84 -> with a cloud estate,
617.19 -> we wanna do that in that build pipeline,
620.01 -> so we can fail the build or notify
622.26 -> if we find vulnerabilities or secrets or misconfigurations
625.62 -> that shouldn't get into your cloud.
627.3 -> So not only can we identify the most severe cloud risks
630.81 -> in your cloud estate that are already running
632.43 -> and remediate those, we can go back into the build process
636.96 -> before those risks even get into the cloud.
643.62 -> Now I know this is a pretty quick discussion about Wiz.
647.88 -> If you do have additional questions about how Wiz works
651.48 -> or if you'd like to see a live demo,
653.37 -> I'd love to have you come over to booth 507,
656.13 -> we'll have a couple of solutions engineers
657.93 -> over there as well, or we can actually walk you through
661.29 -> how Wiz gets connected to an environment in a few minutes
664.5 -> and actually see the entire visibility of all resources
668.22 -> and focus on those risks and remediate those.
671.79 -> Thanks very much.

Source: https://www.youtube.com/watch?v=8W5wL2Bo5FQ