AWS CISO Stephen Schmidt speaking at AWS Re:Inforce 2021 | Image via AWS
AWS CISO Stephen Schmidt is a man that thousands of modern businesses should be paying attention to, but are likely not.
He’s the Chief Information Security Officer of Amazon Web Services (AWS), the platform that untold thousands companies have built their core products on. When your business is so tightly linked to another company’s service, it’s in your best interest to pay attention to what that company is doing. Schmidt is a particularly important figure, because AWS’s security tools are critical to the security program of any AWS-based service. Thankfully, it’s not too difficult to keep up with what Schmidt is up to. The AWS CISO gave the keynote address at Amazon’s own AWS re:Inforce event, where he covered a broad range of security topics that AWS businesses should have in mind. This year, Schmidt was especially focused on threat detection and incident response. While an ounce of prevention might be worth a pound of cure, tools that can help contain and limit data breaches if they do happen can keep a relatively minor incident from becoming a major emergency. Incident response is an integral part of cybersecurity, and Schmidt spent a good deal of time discussing where AWS’s tools come in. In particular, he wants cybersecurity tools to identify and respond in real-time to threats, instead of identifying and failing to do anything else before it’s too late. “You do not want your airbag in a car to deploy after a crash when the car is safe. You want your airbag to deploy during the accident itself, and your computer security processes should be no different,” said the AWS CISO during his keynote. Airbags in a car are deployed when a sensor detects sudden deceleration. In order to be inflated before the driver’s body reaches it in a high-speed accident, they have to deploy incredibly quickly. They pop out of the dashboard at 200 mph. It’s difficult to grasp just how quickly airbags deploy without slow-motion footage. Check out one below inflating at 2,500 frames per second. This is the sort of automated response speed that could be used to help seriously reduce damage a cybersecurity incident causes.
VIDEO
AWS CISO Stephen Schmidt’s “Cybersecurity Airbags”
In the airbag analogy for AWS, the sensors are tools such as GuardDuty and CloudWatch. The airbag itself is Lambda. Guard Duty is a threat detection tool that continuously monitors AWS accounts workloads, and data stored in Amazon S3 for malicious or unauthorized behavior. It analyzes streams of meta-data from AWS CloudTrail Events, VPC Flow Logs, and DNS Logs. Guard duty uses anomaly detection, integrated threat intelligence and machine learning to identify potential threats.
CloudWatch is a monitoring service for applications and cloud resources run on AWS. It provides actionable insights from monitoring data from resources such as EC2 instances, custom metrics, application log files, and events. CloudWatch allows you to set alarms on resources and detect anomalous behavior in your environments.
Lambda is a server-less computing service. It allows you to run code for applications and backend services with zero administration. This allows for auto-remediation of certain incidents. Lambda functions can be set to execute in response to events found through GuardDuty and CloudWatch.
To complete the analogy, a car accident (cybersecurity incident) occurs, the sensors (GuardDuty and CloudWatch) detect it, and the airbag (Lambda) deploys to reduce the immediate damage that occurs. Then, first responders (the incident response team) arrive at the scene to clean up, assess the damage, and make recovery efforts.
Cybersecurity Airbags, in Practice
The following scenario is one example of how these tools can work together in practice.
GuardDuty is enabled and set up to monitor Fake Co.’s AWS environment, and detects an EC2 finding: Backdoor:EC2/DenialOfService.Dns. This EC2 instance is generating a large amount of outbound DNS traffic, which may indicate that the instance is compromised and is being used to perform denial-of-service (DoS) attacks with Fake Co.’s DNS protocol. GuardDuty forwards this finding to CloudWatch, where it is categorized as a particular “Event.” CloudWatch is configured to recognize this type of Event (along with many other indicators of cyberattacks) and maps different Events to different incident response actions. The responses are created and invoked using Lambda. In response to this outbound DNS event, the corresponding Lambda function is automatically triggered to:
1. Isolate the suspect EC2 incident.
2. Archive the GuadDuty finding.
3. Send a notification to the appropriate parties. The airbags have been automatically deployed to contain and reduce the damage that would have been done had manual intervention be required.
Who should be using this?
If they have the knowledge and resources available – everybody! It never hurts to be more secure. But depending on what resources you have available, and what you risk you have – it may or may not be the best return on investment of cybersecurity efforts. Larger organizations with complex environments and companies with confidential data, trade secrets, personally identifiable information (PII) , other highly valuable data will receive a larger benefit from these advanced security tools. More resources are required to make sure this data is secure.
Smaller organizations with more simple environments are less likely to see the cost benefit. Here’s a rule of thumb: if the environment security monitoring can be done part-time by one employee, it’s probably not worth it.
AWS CISO Leadership is Important
One downside of these tools is that – though they run automatically – they are not set up automatically. AWS’s security tools are specialized and require specialist knowledge to make the most of them. AWS issues a number of certifications for professionals knowledgeable with their platform, so companies can ensure they hire skilled talent. Additionally, an “AWS CISO” (not the AWS CISO Stephen Schmidt) or CISO as a Service who is especially knowledgeable about the platform can be a huge help for an AWS-based service.
AWS is such an all-encompassing platform that many AWS-based companies use it for almost everything: servers, storage, networking, remote computing, email, mobile development, and security. It is a large portion – if not all, of the businesses’ infrastructure. These businesses often have developers/system administrators/engineers in charge of these environments – and these environment’s security.
An AWS-specialized CISO or vCISO can take the security tasks off of these individual’s plates, enabling them to take care of other duties more central to their role. The “AWS CISO” can build and manage the company’s AWS security program and help them meet compliance requirements such as SOC 2 or ISO 27001 – enabling sales as a result.
Conclusion
No matter what level of in-house AWS security leadership you have, the AWS CISO, Stephen Schmidt, is a cybersecurity leader to watch. He wouldn’t spend much time talking about security tools and concepts if he didn’t believe they were important for Amazon’s (and their customers’) security. So this year, if you don’t have a “cybersecurity airbag” running on your AWS-based service, now is the time to consider implementing it.
Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.