============ Editor’s Note: Over time the Deep Security API has evolved, making this workflow trivial using the APIs. Therefore the integration code has been retired, and instructions on how to replicate the workflow are available in the Deep Security Automation Center. ============

Today at the AWS Summit in Chicago, AWS announced the general availability of Amazon Inspector. This service has been available in preview since AWS re:Invent 2015, and with its wider release today it’s easier than ever for AWS users to quickly and easily secure their EC2 instances and AMIs. As a launch partner for Amazon Inspector, Trend Micro has been working closely with the team at AWS to ensure our Deep Security platform complements this great new service from AWS.

The Problem

Traditional vulnerability scanning simply doesn’t work in the cloud. Traditional scanners are either black box (a scan where the scanner doesn’t have privileged access to the system being scanned), can’t keep up with the dynamic environments typical in AWS, or simply don’t integrate into the continuous workflows common in AWS. Enter Amazon Inspector.

Amazon Inspector

This new service uses a small agent, easily deployed to your EC2 instances, to analyze the behaviour of your instances and identify any potential security issues. The AWS blog has the simple steps to get up and running with the service. In simple terms, you:
  1. define a target set of resources using tags (e.g., Name: ToInspect)
  2. configure an assessment template that defines what you’re looking for (common vulnerabilities and exploits (CVEs), PCI requirements, etc.)
  3. run an assessment against your target resources
  4. examine the findings
  5. mitigate (a/k/a fix) the issues found
As you’d expect from AWS, the API and CLI for Amazon Inspector make it easy to integrate into your development workflow. Assessments should be a part of all of your deployments.

Take Steps To Mitigate

When Amazon Inspector finds an issue (reported as a finding) it makes a recommendation for a mitigation. Sometimes these recommendations are simple configuration issues (e.g., turn on Data Execution Prevention), but occasionally a finding will show the need to update a key application or shared library in the form of a CVE. A CVE indicates a risk to your deployment. These risks are rated and apply to specific versions of software. The recommended fix is to update the software to an unaffected version. But it’s not always possible to update right away. More testing might be required, or the fix might not be released yet. Thankfully, Deep Security can help.

Intrusion Prevention

For vulnerabilities that are remotely exploitable (a/k/a hackers can take advantage of it from outside your instance), Deep Security offers a full intrusion prevention engine that examines each network packet before it reaches the affected software. In the case of a potential attack, Deep Security simply discards the bad packets, keeping your workloads safe from hackers. Our initial integration connects the knowledge provided by Amazon Inspector to automatically protect your instances from these types of vulnerabilities.

Mitigation Report

After running an assessment in Amazon Inspector, a simple command line tool will automatically analyze the findings from Amazon Inspector and enable the appropriate protection within Deep Security. Here’s what needs to be in place for this to work:
  1. Deep Security running on your EC2 instances (here’s a quick way to get started)
  2. Amazon Inspector running on at least one EC2 instance using the same AMI or Deep Security security policy
Once you’ve done an assessment run in Amazon Inspector, you can use the ds-analyze-findings.py tool available now on our Automation Center.

Automatic Mitigation

When you see an entry in the report that states a CVE should be mitigated immediately using Deep Security, that’s an indication that you can apply a rule in Deep Security to quickly stop attackers from taking advantage of this vulnerability.
i-fb9eac3c reports:
  There are 1 findings related to known CVEs
  ...and 2 other findings
  * CVE-2014-6271
    !!! Should be mitigated immediately using Deep Security (rule ‘Identified Suspicious Bash ShellShock Attack’)
This is great information that can help you improve the security posture of your workload. But why not let the tool automatically apply these rules to your instances? Simply add the --mitigate flag and the tool will do just that. This flag will automatically apply the required intrusion prevention rules to the policy of the affected instances. The tool offers even more options, including running from AWS Lambda for a completely automated detection/mitigation workflow. Be sure to check out the README in the code repository.
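To show the analysis step the report above comes from, here is an added example (not the ds-analyze-findings.py tool itself, nor any Trend Micro or AWS code) that walks a set of Inspector findings, pulls out the CVE identifiers, looks each one up against the intrusion prevention rules Deep Security offers, and renders the same per-instance summary. The shape of the finding records and the CVE-to-rule lookup table are assumptions constructed for the example; the real tool resolves rules against the Deep Security Manager.

```python
import re
from collections import defaultdict

# Constructed sample findings shaped like one Inspector assessment run (assumed structure).
SAMPLE_FINDINGS = [
    {"title": "Instance i-fb9eac3c is vulnerable to CVE-2014-6271", "severity": "High",
     "assetAttributes": {"agentId": "i-fb9eac3c"},
     "attributes": [{"key": "CVE_ID", "value": "CVE-2014-6271"}]},
    {"title": "Data Execution Prevention is disabled on i-fb9eac3c", "severity": "Medium",
     "assetAttributes": {"agentId": "i-fb9eac3c"}, "attributes": []},
    {"title": "Unnecessary port open on i-fb9eac3c", "severity": "Low",
     "assetAttributes": {"agentId": "i-fb9eac3c"}, "attributes": []},
]

# Constructed stand-in for the CVE -> intrusion prevention rule lookup (assumption).
DS_RULE_MAP = {"CVE-2014-6271": "Identified Suspicious Bash ShellShock Attack"}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def extract_cves(finding):
    # Collect every CVE identifier mentioned anywhere in one finding, deduplicated.
    texts = [finding.get("title", ""), finding.get("description", "")]
    texts += [a.get("value", "") for a in finding.get("attributes", [])]
    return sorted({cve for t in texts for cve in CVE_RE.findall(t)})

def analyze_findings(findings, rule_map):
    # Group findings per instance and note which CVEs an IPS rule can cover.
    report = defaultdict(lambda: {"cve_findings": 0, "cves": set(), "other": 0, "mitigations": {}})
    for f in findings:
        entry = report[f.get("assetAttributes", {}).get("agentId", "unknown")]
        cves = extract_cves(f)
        if not cves:
            entry["other"] += 1
            continue
        entry["cve_findings"] += 1
        entry["cves"].update(cves)
        entry["mitigations"].update({c: rule_map[c] for c in cves if c in rule_map})
    return dict(report)

def format_report(report):
    # Render the per-instance summary in the same shape as the tool's output.
    lines = []
    for instance, r in sorted(report.items()):
        lines += [f"{instance} reports:", f"  There are {r['cve_findings']} findings related to known CVEs",
                  f"  ...and {r['other']} other findings"]
        for cve in sorted(r["cves"]):
            lines.append(f"  * {cve}")
            if cve in r["mitigations"]:
                lines.append(f"    !!! Should be mitigated immediately using Deep Security (rule '{r['mitigations'][cve]}')")
    return "\n".join(lines)
```

Calling `format_report(analyze_findings(SAMPLE_FINDINGS, DS_RULE_MAP))` produces the same three-line header and flagged CVE entry as the sample report above; the `--mitigate` step would then take each entry in `mitigations` and assign that rule to the instance's policy.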

Amazon Inspector + Deep Security

When it comes to vulnerability scanning in the AWS Cloud, Amazon Inspector solves the challenges faced by traditional tools. It’s an excellent way to identify configuration issues with your EC2 instances and AMIs. Add the defensive capabilities of Deep Security and you can easily identify vulnerabilities and prevent malicious attacks from exploiting them. Read more in the Amazon Inspector documentation and in the documentation for our integration tool.
