Managing Cybersecurity Risks with the Next Generation of Managed Security Services
By Aaron Brown, Partner, Cyber Cloud Managed Services Leader – Deloitte & Touche LLP
By Steve Bollers, Sr. Partner Solutions Architect, Global Cybersecurity Leader – AWS
In this post, we will show you how Deloitte’s Cyber Cloud Managed Services (Cyber CMS) can help organizations become more trustworthy, resilient, and secure through proactive management of cyber risks.
Deloitte is an AWS Premier Tier Services Partner and Managed Cloud Service Provider (MSP) with the AWS Security Competency. As a pilot vendor of the AWS Level 1 MSSP Competency specializations launched at AWS re:Inforce 2022, Deloitte has achieved specializations in Digital Forensics and Incident Response, Modern Compute Security, and Business Continuity and Ransomware Readiness.
Both Amazon Web Services (AWS) and Deloitte understand that each client’s cloud journey is different and have their own set of requirements. This is why Cyber CMS provides a wide range of options for businesses to choose from to create the applicable package for them.
Deloitte can deploy and operate right-sized security solutions and services to help clients meet their ongoing business requirements, which lets them to focus on the business benefits of cloud adoption. This is what’s at the foundation of Cyber CMS.
Consistent with the mindset of bank robbers who focus on banks because “that’s where all the money is,” cyber bad actors are attracted to cloud services providers with the idea of larger payoffs in the form of multiple enterprises’ data.
To help businesses mitigate this issue, Cyber CMS brings the cyber solution to clients’ AWS environment. Leveraging Terraform and the AWS Cloud Development Kit (AWS CDK), all of the tooling required to provide this solution is deployed via Deloitte’s pipeline inside the client’s environment.
A differentiator for Deloitte in the managed security service provider (MSSP) space is the fact that Cyber CMS covers the full spectrum of cyber domains. Deloitte’s security services are offered à la carte by domain to help clients meet their requirements, but clients can also have the domains covered by a single provider under a single operation model.
Deloitte Cyber CMS Leverages Native AWS Services
Cyber CMS provides 24/7 security protection and monitoring of essential resources that help you to develop at the speed of your innovation. To achieve this offering, Deloitte collaborated with security specialists from AWS to develop the Cyber CMS core domain managed services using native AWS services.
The core offering includes:
- Identity and access management
- Data protection
- Infrastructure and network security
- Security logging and monitoring
- 24/7 threat and incident response
AWS customers can also benefit from Cyber CMS extended domain offerings featuring Deloitte’s innovative approach to:
- Compliance monitoring
- AWS resource visibility
- Managed detection and response for AWS endpoints
- Modern compute security (DevSecOps, automation, and orchestration)
- Cloud security policy
Identity and Access Management
The Deloitte Cyber CMS pipeline provides the base functionality necessary to integrate with clients’ identity management tools, AWS Organizations, and AWS Identity and Access Management (IAM) capabilities. It provides single-sign on (SSO) and enforces multi-factor authentication (MFA) for users having access to the environment.
Instead of a traditional virtual private network (VPN) connection that creates potential connectivity anywhere in a client’s environment once connected, the Cyber CMS remote access technology allows for secure point-to-point connection. This results in no exposure of the enterprise resources or servers and no lateral movement, while offering user controls for printing, copy/paste, screen capture, anti-keylogging, and watermarking.
No changes are required to existing topology, access control lists (ACLs), or firewall rules.
You can secure data in transit using 2048 bit datagram transport layer security (DTLS) end-to-end encryption. Meanwhile, secure data at rest with encrypted local files and a self-destruct option.
Figure 1 – IAM solution architecture.
The Cyber CMS Data Protection solution uses AWS Key Management Service (KMS) to create and manage cryptographic keys and control their use across a wide range of AWS services.
AWS Config is used to validate data encryption, handling the key management by providing a template to request and create keys while ensuring key rotation and monitoring changes like deletion and disabling.
Figure 2 – Managed KMS key administration for client services.
The Cyber CMS Data Protection solution provides a fully managed certificate management solution leveraging AWS Certificate Manager. It provides a service management workflow for users to request a certificate which will be generated based on a template and returned to the user for use.
The solution also leverages AWS Config to confirm that AWS services like Elastic Load Balancing, Amazon API Gateway, and Amazon CloudFront are using certificates. Cyber CMS provides annual review for certificate usage while monitoring for invalid certificate and expiration.
Figure 3 – Managed public certificates in AWS Certificate Manager.
Managed L7 Network
The Cyber CMS Layer 7 network solution provides fully managed web application firewall (WAF) protections for Application Load Balancers, Amazon API Gateway stages, and CloudFront distributions.
AWS Firewall Manager is used to centrally manage, deploy, and ingest logs from web ACLs for an organization from a single account and will send an alert if Firewall Manager web ACL protections are not enabled. When alerts are triggered, Cyber CMS handles the remediation on non-compliant resources and web ACL rules, including Tor and distributed denial of service (DDoS) protections.
Figure 4 – Layer 7 network micro-architecture.
Managed L4 Network
The Cyber CMS Layer 4 network solution provides a fully managed virtual private cloud (VPC) setup that leverages AWS Transit Gateway and AWS Network Firewall to centrally inspect north-south network traffic.
Internet gateways are only deployed in a central egress and central ingress VPC—the other VPCs contain only private subnets, connected via AWS Transit Gateway.
AWS Network Firewall provides stateful traffic inspection with rule groups for protocol and internet protocol (IP) matching, domain lists, and Suricata rules, which are based on the open-source intrusion detection system (IDS)/intrusion prevention system (IPS) of the same name.
The centrally deployed AWS Network Firewall sends alerts and flow logs to the central Amazon Simple Storage Service (Amazon S3) log bucket in the client security account. Proprietary Zero Trust remote access connectors are also deployed to the central network account within the Layer 4 solution.
Cyber CMS leverages a proprietary Zero Trust remote access tool as a way to limit risk associated with Deloitte personnel having access to the client’s environment.
Figure 5 – Layer 4 network micro-architecture.
Threat and Vulnerability Management
The Cyber CMS auto-healing capability is an event-based solution that leverages AWS-native services to monitor, analyze, and automatically revert critical misconfigurations that represent vulnerabilities in the environment. This includes misconfigured security groups, misconfigured S3 buckets, and overly permissive identities.
Where traditional cloud security posture management solutions use periodic reads of logs (leading to a potential lag time of up to 15-30 minutes), the Cyber CMS event-driven solution continuously monitors AWS environments for configuration deviations. This reduces the time between detection and remediation of misconfigurations to near real-time (the majority of the misconfigurations are reverted to a compliant state within two minutes).
The Cyber CMS auto-healing capability provides more than 65 auto-remediation rules. The solution supports customizing rule configurations (based on region, account, resource); it also has an extensive exception handling capability and provides visibility into the configuration compliance posture of the AWS environments.
Figure 6 – Auto-remediation architecture.
The remediation logs generated by the solution are ingested in for further analysis. The solution leverages the native capabilities of Splunk Security Information and Event Management (SIEM) to send notification emails to violators and account owners, and to raise ServiceNow tickets as needed based on the severity of the alert.
Figure 7 – Logging and monitoring architecture.
Virtual Machine Scanning with Auto Patching
The Cyber CMS patch management solution keeps Amazon Elastic Compute Cloud (Amazon EC2) instances up-to-date in a multi-account, multi-region architecture.
Amazon EventBridge, AWS Lambda, and AWS Systems Manager are utilized to set up an automated, scheduled patch/scan process. Inventory and patch data is aggregated in the client security account, where Amazon Athena generates a report of missing patches to be shared with application teams.
AWS Systems Manager’s patch manager and patch groups provide the capability to apply different sets of patches to different groups of EC2 instances.
Once an application team has reviewed the missing patch report, a list of rejected patches can be applied to a specific patch group through a Lambda function which updates the desired patch group in the specified accounts and regions. The patch installation process will utilize the patch group rejected lists to determine which patches will be installed.
Figure 8 – AWS Systems Manager patching.
Threat Detection, Incident Response, and Digital Forensics
With a specialty in Digital Forensics and Incident Response, Deloitte has designed the Cyber CMS cloud security posture management (CSPM) solution to provide a centralized view of the security landscape in a multi-account, multi-region architecture. The solution follows leading practices to collect findings, create insights, and check them against key standards and controls.
A variety of AWS services are utilized to monitor and alert on suspicious activity throughout the AWS environment. Amazon GuardDuty provides intelligent threat detection by monitoring Amazon CloudTrail Events, S3 activity data, Amazon VPC network traffic flow logs, and Amazon Route 53 domain name system (DNS) logs.
Amazon Macie assesses S3 bucket level security and perform sensitive data discovery. Amazon Inspector provides assessments of EC2 instances to identify vulnerabilities, exposures, and deviations from leading practices.
AWS Config monitors and records configuration changes of AWS resources, and enables AWS Security Hub to assess and provide configuration findings relating to Security Hub standards, such as Center for Internet Security (CIS) and AWS Foundational Security Best Practices.
AWS Security Hub provides a single, centralized location to view security findings in the client security account by integrating with each of the AWS services used by the Cyber CSPM solution.
AWS Security Hub runs continuous automated security checks, consolidates the findings, and forwards them to Cyber CMS, which is be responsible for handling alerts generated by security services.
Figure 9 – Cloud security posture management.
Deloitte’s response processes include steps to contain, mitigate, and recover from a cybersecurity incident. During this process, AWS security groups are utilized to isolate suspect hosts, and AWS Systems Manager is leveraged to securely capture system memory and take snapshots of Amazon Elastic Block Store (Amazon EBS) volumes for forensic analysis.
Figure 10 – Incident response and digital forensics.
As you can see, Deloitte Cyber CMS leverages native AWS security solutions. The use of AWS cloud-native services provides many benefits to clients, including reducing costs associated with third-party tool integration, administration, and maintenance.
Business Continuity and Ransomware Readiness
Ransomware events have been on the rise in recent years. As an MSSP with a Business Continuity and Ransomware Readiness specialty, Deloitte knows that having the ability to efficiently respond and recover from a ransomware event is critical to reduce disruption to business operations. Immutable backups and a risk-appropriate retention strategy are essential to prepare for the worst-case scenario.
Cyber CMS solutions are designed to provide resiliency and recovery capabilities needed to keep clients up and running. Data resiliency is achieved by leveraging AWS-native services such as AWS Backup using encrypted, immutable vaults to protect and restore mission critical data.
Figure 11 – AWS Backup across AWS accounts with immutable vaults.
Modern Compute Security
Specializing in modern compute security, Deloitte’s Cyber CMS pipeline (see Figure 12) leverages infrastructure as code (IaC) with continuous integration and continuous delivery (CI/CD). AWS CodePipeline is triggered by changes to the AWS CodeCommit repository, which begins the process of securely pulling, inspecting, and testing the Terraform templates using AWS CodeBuild.
Figure 12 – Cyber CMS pipeline.
Once the CodeBuild pipeline is complete, Terraform is used to apply the changes. AWS Lambda and containers are used to increase the speed and agility of software development activities. The pipeline includes steps to scan container images for vulnerabilities and potential misconfigurations (See Figure 13).
Deloitte also collaborates with third-party solution providers to offer runtime monitoring and real-time threat detection for containerized workloads.
Figure 13 – Container image scanning.
A DevOps mindset was followed with one primary goal in mind: continuously provide incremental value to clients. This is achieved using DevSecOps practices and procedures.
A release-on-demand strategy is implemented whereby new capabilities are deployed to clients promptly or incrementally based on client subscriptions. Clients submit a request for a new subscription using the solution API interface, which initiates the propagation of the solution but assets to the client repository.
Figure 14 – Release process.
Regardless of where your business is at on the cloud adoption journey, we know that security is likely your top priority. Now more than ever, it’s critical to protect yourself with the demonstrated operational and security leadership that AWS and Deloitte Cyber CMS offers.
Clients can benefit from a fully managed security solution that’s built on the foundation of more than four years as an industry-leading managed public cloud services provider. Deloitte Cyber CMS has the process and technical automation that helps clients to skip past the cloud security learning curve and the time required to develop the security automation required to scale.
A native AWS security service-centric approach like Cyber CMS also helps clients to bypass the time and effort to procure hardware and software, or integrate and configure new or existing security tools. With Deloitte Cyber CMS, clients can deploy secure solutions faster, enabling them to scale at the speed of business, and focus on their core objectives while Cyber CMS helps you manage security on AWS.
Learn more about Deloitte Cyber CMS or to connect with the Deloitte team.
This publication contains general information only and Deloitte and AWS are not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte and AWS shall not be responsible for any loss sustained by any person who relies on this publication.
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Copyright © 2022 Deloitte Development LLC. All rights reserved.
Copyright © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Deloitte – AWS Partner Spotlight
Deloitte is an AWS Premier Tier Services Partner and MSP. Through a network of professionals, industry specialists, and an ecosystem of alliances, they assist clients in turning complex business issues into opportunities for growth, helping organizations transform in the digital era.