Trevor Hawthorn | August 15, 2016

How Wombat Security Uses Threat Stack to Secure Its Own AWS Infrastructure

When  Wombat Security Technologies and ThreatSim (acquired by Wombat in October 2015) decided to develop and deploy our suite of end user risk management and education solutions in Amazon Web Services (AWS), we went "into the cloud" with eyes wide open. We knew that, to realize the full potential of AWS (scale, cost, performance), we needed to “do AWS right.” This meant treating our servers like cattle, not like pets.

Wombat's infrastructure is immutable. When we deploy code, apply OS updates, etc., our DevOps team will terminate server instances and replace them with updated instances in real time, in production, several times a day. We also take advantage of Amazon's scalability: when the load increases, we "scale out" parts of our infrastructure automatically. When the load subsides, we scale down.

Meeting the Unique Security Challenges of an Immutable Infrastructure

I've been in the information security industry for over 20 years and have designed and executed many vendor security management programs. Most enterprise customers demand that Wombat's security controls meet or exceed those of non-cloud-based vendors. From a security standpoint, an immutable infrastructure presents some unique challenges. To meet these, we have applied tried and true security concepts to our AWS infrastructure in a way that is unique to cloud technology. Here are some key examples:

  • Assigning IAM Policies that restrict API keys to specific source IPs so a compromised key cannot be used from anywhere in the world
  • Leveraging KMS encryption so database connection strings do not live on a server's disk
  • Restricting all administrative access (e.g., SSH) into our production environment to a VPN that uses two-factor authentication and then...
  • Logging VPC flow logs to Splunk, and alerting on any SSH traffic that is not dropped and not from a small list of source IPs

Ensuring Visibility Into Server Instance Activities

One challenging area was ensuring that we had visibility into the activities of our server instances when they were active as well as when they had been terminated. If a security incident were to occur, we needed the capability to detect the event in real time and to forensically examine what had happened on the server — even if the server was terminated. We looked at open source and commercial HIDS, but they required rolling our own management infrastructure, lacked alerting features, didn't integrate with AWS, and didn't play well with our immutable infrastructure. We also looked at rolling our own process accounting solution. That too was cumbersome and not suited for security-centric requirements. We log all our VPC flow logs to Splunk (which is really nice to have), but the flow logs didn't tie the network traffic to the process and then to the user.

The Threat Stack Advantage

For Wombat, selecting Threat Stack was a no-brainer. Threat Stack meets the needs outlined above AND is purpose-built for Linux servers running in the cloud, supporting the distributions of Linux that Wombat uses in production. (Most endpoint detection and response solutions are — appropriately — aimed at detecting attacks in Windows desktops and servers. Most of the threat intelligence feeds that are leveraged by these solutions are Windows-centric.)

In addition, Threat Stack consolidates system-level event alerting with CloudTrail events and streamlines real-time alerting. We pull Threat Stack events (via the Threat Stack API) into Splunk so we're able to correlate our own internal event data with Threat Stack. We know that, if we detect a malicious event, we are able to go back and search to see who launched the process, what it did, what it connected to, and how to proceed. Given that Threat Stack is a client-server, cloud-hosted deployment, we can launch agents within any AWS region, knowing that the events will securely make it to Threat Stack without having to figure out security groups, VPC peering, etc.

A Final Word...

Knowing the challenges of doing cloud security correctly and having evaluated the available solutions on the market first hand, I recommend that organizations running on AWS ask themselves if their current security controls give them the situational awareness and visibility into their infrastructure that is required to secure an immutable cloud infrastructure. If the answer is “No,” take a look at Threat Stack.

Trevor Hawthorn, CTO of Wombat Security Technologies, joined Wombat in October 2015 with the acquisition of ThreatSim, where he was co-founder and CTO. Trevor has a technical and hands-on background, with over 19 years of information security experience in both consulting and enterprise security across a wide-range of industries.

Read the article on Threat Stack