By Lynn Greiner
AWS RE:INVENT — “In security, the job is always growing,” Stephen Schmidt, vice president, security engineering and CISO at Amazon Web Services, told attendees during a session at the annual AWS re:Invent conference this week. “One of the most difficult things is understanding what is really important.”
The challenge for security staff and MSSPs, says Schmidt? Figuring out what to look at.
Yet despite this, AWS doesn’t have a traditional security operations center. Schmidt insists that by the time an incident hits SecOps, you’re too late. Instead, the company relies on automation to detect and remediate most attack attempts. AWS has a single on-call security engineer, rotated every four hours, who receives alerts when human intervention is required. At each handoff, the engineer passes on outstanding tickets detailing next steps and who is doing what. Each handoff must be acknowledged by the recipient.
Schmidt was bemused when the acknowledgements began to take the form of whimsical memes, until he realized that in the process the engineers were teaching each other what was important.
“People look forward to seeing the memes, so are super focused,” he said.
The security process is metrics-driven; every month Schmidt sits down with AWS CEO Andy Jassy to evaluate how well people are doing compared with expectations. (See Jassy’s announcements from Day 1 of re:Invent here.)
“Human error is rarely an acceptable root cause” for an incident, Schmidt says. “It’s a deficiency in tooling.” Every action is logged, and those logs examined to guide AWS’ developers toward the process that needs to be automated next.
“Automated remediation is the best thing to focus on,” he advised. “Save security engineers for high-judgement activities. Pick one thing and start to get you over the hump of automating. Automation keeps people happy.”
Security is a high enough priority to AWS and its customers that the company has announced a dedicated security conference, AWS re:Inforce, to be held in Boston, June 25 – 26, 2019.
Later, during his keynote, Jassy announced a new security service, AWS Security Hub, which provides a single pane of glass from which to view a customer’s complete AWS security and compliance status.
The Security Hub collects and aggregates data from native and third-party security tools it detects in the customer’s environment, such as vulnerability scan results from Amazon Inspector, intrusion detection data from Amazon GuardDuty, and information from Amazon Partner Network (APN) members’ tools.
Security Hub integrates with Amazon CloudWatch and AWS Lambda so customers can launch automated remediation. It also integrates with automation workflows and third-party tools. So far, 24 providers, including Alert Logic, Check Point, Cloud Custodian, F5, Fortinet, IBM, McAfee, Palo Alto Networks, Splunk, Sophos and Trend Micro, have built integrations, with more to come.
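The CloudWatch-to-Lambda path described above is where Schmidt’s “automate the routine, save engineers for judgement” advice meets Security Hub. The following is an added example, not AWS code and not from the article: a Lambda-style handler that receives a CloudWatch Events payload of Security Hub findings (detail-type `Security Hub Findings - Imported`, findings in the AWS Security Finding Format), keeps only findings that are still active, unassigned and at or above a severity threshold, dispatches them to a remediation playbook, and reports anything it has no playbook for so an engineer (and, later, the next automation) can pick it up. The playbook table, its action names and the type fragments it matches, the `dry_run_executor`, and the sample event are all assumptions constructed for this example; no AWS API is called.

```python
from typing import Callable, List, Optional

# ASFF severity labels, ordered so a threshold comparison is a simple integer compare.
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Assumed playbook table: (ASFF resource type, fragment expected in the finding's Types, action).
# Action names are placeholders for the hypothetical boto3-backed functions a real deployment would call.
PLAYBOOKS = [
    ("AwsS3Bucket", "Effects/Data Exposure", "block_public_access"),
    ("AwsEc2SecurityGroup", "Network Reachability", "revoke_open_ingress"),
    ("AwsIamAccessKey", "Unusual Behaviors", "disable_access_key"),
]


def is_actionable(finding: dict, min_severity: str = "HIGH") -> bool:
    """Automate only live findings nobody has picked up yet, at or above the threshold."""
    if finding.get("RecordState") != "ACTIVE":
        return False
    if finding.get("Workflow", {}).get("Status", "NEW") != "NEW":
        return False
    label = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
    return SEVERITY_RANK.get(label, 0) >= SEVERITY_RANK[min_severity]


def select_playbook(finding: dict) -> Optional[dict]:
    """Return a remediation plan for the first resource/type pair that matches the table."""
    types = finding.get("Types", [])
    for resource in finding.get("Resources", []):
        for res_type, fragment, action in PLAYBOOKS:
            if resource.get("Type") == res_type and any(fragment in t for t in types):
                return {"action": action, "resource_id": resource["Id"],
                        "finding_id": finding["Id"], "severity": finding["Severity"]["Label"]}
    return None


def plan_remediation(event: dict, min_severity: str = "HIGH") -> List[dict]:
    """Turn one CloudWatch Events payload of Security Hub findings into remediation steps."""
    if event.get("detail-type") != "Security Hub Findings - Imported":
        return []
    plans = []
    for finding in event.get("detail", {}).get("findings", []):
        if is_actionable(finding, min_severity):
            plan = select_playbook(finding)
            if plan is not None:
                plans.append(plan)
    return plans


def dry_run_executor(plan: dict) -> dict:
    """Default executor records what would be done; a real one would call the AWS APIs."""
    return {**plan, "status": "dry-run"}


def lambda_handler(event: dict, context=None,
                   executor: Callable[[dict], dict] = dry_run_executor,
                   min_severity: str = "HIGH") -> dict:
    plans = plan_remediation(event, min_severity)
    results = [executor(plan) for plan in plans]
    # Actionable findings with no playbook go to the on-call engineer; the list also
    # shows which manual process is the next candidate for automation.
    unhandled = [f["Id"] for f in event.get("detail", {}).get("findings", [])
                 if is_actionable(f, min_severity) and select_playbook(f) is None]
    return {"remediated": results, "needs_engineer": unhandled}


def _finding(fid, res_type, res_id, types, label, record="ACTIVE", workflow="NEW"):
    """Build a minimal constructed ASFF finding for the sample event."""
    return {"Id": fid, "Types": types, "Severity": {"Label": label},
            "RecordState": record, "Workflow": {"Status": workflow},
            "Resources": [{"Type": res_type, "Id": res_id}]}


# Constructed sample payload: two findings to automate, one below threshold,
# one already resolved by a human, and one with no playbook.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "source": "aws.securityhub",
    "detail": {"findings": [
        _finding("f-1", "AwsS3Bucket", "arn:aws:s3:::example-public-bucket",
                 ["Effects/Data Exposure/S3 Bucket Public"], "CRITICAL"),
        _finding("f-2", "AwsEc2SecurityGroup",
                 "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0123",
                 ["Software and Configuration Checks/AWS Security Best Practices/Network Reachability"],
                 "HIGH"),
        _finding("f-3", "AwsEc2SecurityGroup",
                 "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0456",
                 ["Software and Configuration Checks/AWS Security Best Practices/Network Reachability"],
                 "LOW"),
        _finding("f-4", "AwsS3Bucket", "arn:aws:s3:::example-archive-bucket",
                 ["Effects/Data Exposure/S3 Bucket Public"], "HIGH", workflow="RESOLVED"),
        _finding("f-5", "AwsLambdaFunction",
                 "arn:aws:lambda:us-east-1:111122223333:function:example-fn",
                 ["TTPs/Execution"], "HIGH"),
    ]},
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

Deployed for real, the CloudWatch Events rule would filter on `source: aws.securityhub` and the detail-type above, and `executor` would be replaced by a function that makes the actual API calls under a role scoped to exactly those actions; keeping the decision logic separate from the executor is what makes the dry-run mode, and the unit tests, possible.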
Jassy noted that a product like this works only in tandem with …