22 AWS Security Pros Reveal the Most Underused/Under-Appreciated AWS Security Metrics
AWS offers a variety of built-in security features that users can take advantage of, but it’s easy for users of all experience levels to get lost in the sea of options and metrics. In fact, in a November 2017 survey, we found that 73% of companies have critical AWS cloud security misconfigurations, and more than one-fourth (27%) were not taking advantage of AWS-native security services like CloudTrail. (Misconfigurations are considered critical if they reduce or eliminate visibility for security or compliance, if they can be leveraged in a direct or complex attack, or if they enable trivial attacks on an AWS console.)
As an AWS Advanced Security Competency Partner, Threat Stack integrates deeply into AWS to provide its customers with unprecedented visibility, more advanced security capabilities, and a cloud-native user experience. Threat Stack’s CloudTrail integration, for instance, bridges the visibility gap between your AWS services and the core systems running in your cloud, giving you automatic alerts about changes to your instances, security groups, S3 buckets, and access keys.
Visibility is essential for sound AWS security, and continuously monitoring your security metrics is a must. Still, while many users understand the importance of ongoing monitoring, a number of AWS security metrics go underutilized (or ignored). To gain more insight into these important, yet often overlooked security metrics, we reached out to a panel of AWS security experts and asked them to answer this question:
“What’s the most under-used / under-appreciated metric when it comes to AWS security?”
Meet Our Panel of AWS Security Experts:
Paul Ivanivsky is a Security Engineer at Threat Stack. Paul has extensive experience in pentesting, blue teaming, and DevSecOps. Prior to his days in security, he held a variety of engineering positions in website and network operations, and in aerospace as a satellite operations engineer.
“AWS CloudTrail can be used for much more than mere auditing and logging purposes to conduct forensic investigations and operationalize cloud security.”
Cris Daniluk leads Rhythmic Technologies, an innovative, compliance-oriented managed cloud and security services firm based in the Washington, D.C. area. Before founding Rhythmic, Cris was responsible for project management and business development at Claraview, where his work in securing projects worth over $100 million helped key the company’s acquisition by Teradata.
“The most underused metrics are CloudWatch metrics for tracking changes reported through CloudTrail…”
CloudWatch metrics on infrequently changing security-related configurations are simple to set up. Unlike most security events that are more often than not false positives, these are high-quality events that are always worth investigating.
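As an added illustration (not Rhythmic's or Threat Stack's code), the following script shows the idea behind such a metric: a CloudWatch Logs metric filter pattern for security group changes (the CIS AWS Foundations Benchmark pattern) alongside a plain-Python evaluation of the same class of infrequent, security-relevant configuration events over a few constructed CloudTrail records, so it runs offline. The event list and sample records are assumptions for the example.

```python
import json

# CloudWatch Logs metric filter pattern for security group changes, as in the CIS AWS
# Foundations Benchmark; a metric on it with an alarm at >= 1 is the kind of
# "change reported through CloudTrail" metric described above.
SG_CHANGE_FILTER_PATTERN = (
    "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress)"
    " || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress)"
    " || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"
)

# Event names that change infrequently changing, security-relevant configuration
# (an illustrative subset, not an exhaustive list).
WATCHED_EVENTS = {
    "AuthorizeSecurityGroupIngress": "security_group", "RevokeSecurityGroupIngress": "security_group",
    "CreateSecurityGroup": "security_group", "DeleteSecurityGroup": "security_group",
    "PutBucketAcl": "s3", "PutBucketPolicy": "s3",
    "CreateAccessKey": "iam", "AttachUserPolicy": "iam", "PutUserPolicy": "iam",
    "StopLogging": "cloudtrail", "DeleteTrail": "cloudtrail",
}

def flag_security_changes(records):
    """Return (category, eventName, actor, outcome) for every watched CloudTrail record.

    Denied calls are kept rather than dropped: a refused StopLogging is worth a look too.
    """
    hits = []
    for rec in records:
        name = rec.get("eventName")
        if name not in WATCHED_EVENTS:
            continue  # routine read/describe traffic: the bulk of CloudTrail, not alert-worthy
        ident = rec.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("arn", "unknown")
        hits.append((WATCHED_EVENTS[name], name, actor, rec.get("errorCode", "Success")))
    return hits

# Constructed records in CloudTrail's JSON shape (not real log data).
SAMPLE_RECORDS = json.loads("""[
 {"eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
 {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
 {"eventName": "StopLogging", "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "userName": "bob"}},
 {"eventName": "PutBucketAcl", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}}
]""")
```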
Sherry Wei started Aviatrix in 2013 and has raised $25 million. Aviatrix’s goal is to make cloud networking as dynamic and easy as cloud computing and cloud storage. Prior to starting Aviatrix, she was a senior architect at Huawei. She spent 13 years at Cisco as an engineering manager. Sherry holds a Ph.D. from Purdue.
“The most under-used and under-appreciated metric in AWS security is…”
Davy Hua, Head of DevOps for ShiftLeft, has spent the past 17 years designing, building, and managing complex infrastructures and distributed systems architectures for both Fortune 500 enterprises and venture-backed startups. As an early adopter of the DevOps movement, his specialty lies at the intersection of CI/CD and security.
“Proper attention given to the network I/O metric will add another effective tool in your AWS security practices…”
As a Senior Engineer & Cloud Architecture Practice Lead at Very, Brian Zambrano works with clients to build products that leverage serverless architecture and blockchain technologies. Brian holds two patents for his work in social event recommendation systems and authored the book Serverless Design Patterns and Best Practices, which was published by Packt Publications.
“The most under-appreciated metric in AWS security is…”
Lenny Liebmann has been living at the intersection of business and technology for more than 30 years. After graduating Yale in 1979, he worked for AT&T Bell Laboratories during its heyday as a hotbed of innovation. He then began an independent practice that sucked him into the vortex of every successive revolution in IT — from distributed computing, the internet and convergence to mobile, social, Big Data, and cloud. Nowadays, he stays busy writing, moderating, speaking, consulting, and doing research for a diverse clientele.
“SecOps leaders generally don’t pay enough attention to…”
Andrei Anisimov is the Vice President of Technology at 8base, an application development platform and ecosystem that leverages blockchain technology to allow software teams to collaborate all over the world. Andrei is an experienced tech leader with a background in development for several industries and international markets. He wrote his first code at the age of 9 and won the Regional Programming Olympics in Russia at 15.
“Surprisingly, from our experience, many attack vectors don’t come from sophisticated zero-day vulnerabilities…”
Kumar Sambhav Singh
“Protection of data at rest is one of the most ignored aspects of security…”
Ryan Kroonenburg is the Founder and Chairman of the Board at A Cloud Guru, the place to go and learn AWS. They have over 50,000 students and tons of courses including all 5 certification courses.
“The most under-observed security metric is…”
Mike Baker is the Founder and Managing Partner at Mosaic451, a managed cyber security service provider (MSSP) with expertise in building, operating, and defending some of the most secure networks in North America. Baker has decades of security monitoring and operations experience within the US government, utilities, and critical infrastructure.
“Keeping your AWS environment safe from hackers is entirely manageable…”
Barely a day goes by without news of yet another breach of an AWS S3 bucket, but these breaches are preventable. AWS is a powerful and highly secure cloud environment, but it must be configured and maintained properly. The most careless of mistakes that many companies make is not knowing what they are doing with default settings and not knowing what data they are actually making available.
The default privacy setting for AWS S3 buckets is owner-only. Most AWS breaches involve organizations choosing the “all authorized users” setting when expanding access to their buckets, not realizing that this setting includes all authorized users of Amazon Web Services, not just their account. This means that anyone with an AWS account can access that bucket with whatever permissions are granted to that level of access: It’s a free-for-all.
Organizations must understand what level of access they’re granting to their data and who they are granting it to. A good rule of thumb is, if you’re not sure, don’t do it! Get help before you end up exposing your data to the world.
The other half of this critical, but preventable, mistake is not knowing what data you actually have. Data governance is one of the pillars of cloud security. You cannot secure your data if you don’t know what you have. Is your data important? Is it unique? Does it have value?
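The “all authorized users” setting described above corresponds to a bucket ACL grant to the predefined AuthenticatedUsers group. As an added illustration (not Mosaic451's code), the following audits ACLs in the shape boto3's get_bucket_acl() returns and flags grants to either global group; the bucket names and grants are constructed, and no AWS call is made.

```python
# Predefined S3 ACL group URIs. Granting to either one extends access far beyond
# your own account: AllUsers is the whole internet, AuthenticatedUsers is any AWS account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

RISKY_GROUPS = {
    ALL_USERS: "anyone on the internet",
    AUTHENTICATED_USERS: "any AWS account holder (not just your account)",
}

def risky_grants(acl):
    """Return [(who, permission)] for grants to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / AmazonCustomerByEmail grants name one specific principal
        uri = grantee.get("URI")
        if uri in RISKY_GROUPS:
            findings.append((RISKY_GROUPS[uri], grant["Permission"]))
    return findings

def audit_buckets(acls_by_bucket):
    """Map bucket name -> risky grants, for the buckets that have any."""
    report = {}
    for bucket, acl in acls_by_bucket.items():
        findings = risky_grants(acl)
        if findings:
            report[bucket] = findings
    return report

# Constructed ACLs: owner-only, "any authenticated AWS user" can read, and fully public.
SAMPLE_ACLS = {
    "corp-backups": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]},
    "shared-reports": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"}]},
    "www-assets": {"Grants": [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]},
}
```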
“Unfortunately it’s often a tough task to assign a number to something like security…”
Mr. Peter Ayedun has over 20 years of expertise in Microsoft, Cisco, and Citrix technologies. He has consulted for government and enterprise, implementing network and security solutions based on leading best practices. Microsoft regularly invites Peter to speak with and educate business owners on Microsoft cloud solutions such as Azure and Office 365. Mr. Peter Ayedun is the CEO and co-founder of TruGrid, a company that specializes in Simple & Secure Workspaces for businesses.
“One of the things IT people could look at is…”
Uwe Weinkauf is the CEO of MW2 Consulting, experts in Enterprise Application Development, Ecommerce, IT Outsourcing, and IT Operations that deliver valuable solutions for global business needs.
“AWS security can be achieved by following a variety of practices…”
Vivek Chugh is the Founder and CEO of Listables (available for Android and iOS). He’s an accomplished technology leader with domestic and international experience across all business cycles, and a recognized authority on the strategic application of technology to drive revenue, engineer and manage world-class development teams, enhance service quality, improve production, and control costs.
“The most under-used and under-appreciated AWS security metric is…”
Marcus Turner is the Chief Architect and CTO at Enola Labs Software, an Austin, Texas based software development and AWS consulting company. Marcus is a certified AWS architect, specializing in AWS security and legacy migration to AWS.
“The most under-used metric when it comes to AWS security is…”
Fraser Gough is the Senior Security Consultant (Security Tester) at DigitalXRAID. They provide industry-leading cyber security offerings to their customers, enabling them to reduce risk, protect digital assets, and gain knowledge using the most cost-effective approach.
“Users rarely utilize the built-in encryption for EBS (Elastic Block Storage) and S3 Storage, which is disabled by default…”
“Simply rotating your AWS access keys on a regular interval is a great start…”
In the IAM section of the AWS console, users can quickly see which users have stale access keys. There are also built-in facilities that allow you to determine risky security group configurations that allow remote management connectivity via ports that are opened to the entire world.
Minimizing one’s attack surface is important because usually, once an attacker is inside the walls, it’s easier to penetrate into resources. Most folks don’t realize that security isn’t intended to be a single layer system. Security is supposed to be built like an onion; that is, in layers.
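Two of the checks mentioned above, as an added illustration over constructed data (not DigitalXRAID's code): stale access keys read from the IAM credential report CSV, and security group ingress rules that expose SSH or RDP to the whole internet, in the shape describe_security_groups() returns. The sample report keeps only the columns the check needs, and the group IDs and dates are assumptions.

```python
import csv
import io
from datetime import datetime, timezone

MGMT_PORTS = (22, 3389)                 # ssh, rdp
WORLD = {"0.0.0.0/0", "::/0"}

def stale_keys(report_csv, now, max_age_days=90):
    """Users with an active access key last rotated more than max_age_days ago."""
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue                # inactive keys carry "N/A" dates
            rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            age = (now - rotated).days
            if age > max_age_days:
                stale.append((row["user"], f"access_key_{n}", age))
    return stale

def world_open_mgmt_rules(security_groups):
    """(GroupId, port, cidr) for ingress rules admitting the world to a management port."""
    hits = []
    for sg in security_groups:
        for perm in sg["IpPermissions"]:
            if perm.get("IpProtocol") not in ("tcp", "-1"):
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # "-1" = all ports
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for port in MGMT_PORTS:
                if lo <= port <= hi:
                    hits.extend((sg["GroupId"], port, c) for c in cidrs if c in WORLD)
    return hits

# Constructed sample data, not from a real account. Only the credential-report
# columns used above are included; the real report has many more.
NOW = datetime(2018, 3, 1, 12, tzinfo=timezone.utc)
CREDENTIAL_REPORT = """user,arn,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
alice,arn:aws:iam::123456789012:user/alice,true,2018-02-20T08:00:00+00:00,false,N/A
deploy,arn:aws:iam::123456789012:user/deploy,true,2017-06-01T12:00:00+00:00,true,2017-11-15T12:00:00+00:00
"""
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
```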
Paul McGough, Founder and CTO of Qwyit, LLC, a leading cryptosecurity technology firm, is a telecommunications expert with over 35 years of progressively more responsible experience managing IT technology teams for the development, integration, implementation, and support of financial, project management, database applications, and security systems.
“The focal point of AWS attack prevention (not recovery) is the host…”
Lindsey Havens is the Senior Marketing Manager at PhishLabs with over 10 years of experience in Marketing, Communications, Public Relations, Lead Nurturing/Generation, and Analytics. With a unique blend of marketing and communications experience coupled with a background in behavioral and situational analysis, she brings metrics-driven results and the ability to focus sales and marketing efforts in a direction that offers the highest potential for long-term, sustainable growth.
“A common mistake that can be avoided is…”
Jamie Shields is the CTO at Flaunt Digital. He’s a full stack web developer, Zend and Oracle certified, with over 7 years of experience working within technology startups and award-winning digital marketing agencies.
“The most under-appreciated metric for AWS security is definitely use of AWS CloudTrail…”
CloudTrail is an AWS service enabled by default on all AWS accounts. By simply logging in to the dashboard, you can find a log of every single action taken on your AWS account over the last 90 days. This type of audit trail is essential for IT security professionals and is totally free of charge.
Gregory Morawietz is an IT Security Specialist at Single Point of Contact with over 20 years of network and security experience. He has worked with hundreds of firms on improving IT environments, consulting, and integrating technology for the enterprise network.
“The most under-utilized and under-appreciated metrics are the simplest ones…”
“Assigning different IAM roles to different IAM users is one of the most under-used and under-appreciated AWS security features…”
Many small companies have a single login with access to every role used by multiple people — which compromises security.