Automation is the new 24/7 SOC
As cloud matures and Enterprise use accelerates further, one of the critical use cases that has gathered a great deal of attention is the management of sensitive data like PII and PHI. AWS has matured greatly to support such use cases in recent years. Sophisticated capabilities in services like IAM, S3, KMS and logging/auditing like Config, Cloudtrail and Cloudwatch, make HIPAA, PCI and other compliant workloads.
In GPST403 at re:Invent yesterday, a number of speakers touched upon advanced techniques to achieve this in AWS, particularly focused on KMS and Cloudwatch events.
A key theme across this and a number of other talks has been the automation of security remediation. This was an important message in Werner Vogel’s keynote as well of course. This is being driven by the fact that security teams are overwhelmed with data. As a result, the speakers posited that "Automation is the new 24/7 SOC". We at Cloudreach have spoken before about our strong belief in this philosophy.
A typical example scenario is described like so. AWS Config is used in conjunction with Cloudwatch Events to invoke custom Lambda functions to take remedial action. Customers all have different perspectives on what this means; some simply warn and alert stakeholders, some might stop resources, and others take unilateral delete actions immediately to remain compliant.
A particularly effective demo was performed showing IAM policies being locked out automatically when activity aberrations occurred – such as repeated downloads of data in a short time frame or increased use of a decryption key from a non standard geoip location. These are typically each created in hours and is a useful and required investment for any organisation. After all, once done, as the speakers reminded us – these Lambda functions never sleep.
If you are interested in trying such techniques and want to get started fast, there was a timely reminder of the existence of the CIS benchmarks – community sourced rules and remediations that you can use to perform basic and not-so-basic initial governance. There is virtually no limit to the combinations of data points you might want to correlate to achieve your objective.
So far, so good. But now consider this – Andy Jassy’s excellent keynote earlier in the week described new capabilities in Machine Learning and Artificial Intelligence. This will only increase the breadth and scope of detection possibilities beyond simple thresholds. For example, it seems to me that easy-access analytics on log files with the new Athena service is one approach I’m looking forward to enabling when I get back.
If you are at re:Invent, why not swing by our booth on this final day (#225) and discuss how we can bring our experts to help you with automated Cloud Governance.