Session: Case Study by Dow Jones and Uber on Continuous AWS Security Monitoring at Scale Using Open Source DevSecOps Tool – Hammer
In this talk, we will cover how Dow Jones and Uber have been leveraging Hammer to secure their AWS environments. Hammer is an open-source cloud security automation tool that monitors security across hundreds of AWS accounts from a single place. It not only identifies insecure configurations of AWS resources but also remediates them automatically, without breaking the applications. Hammer's architecture follows a plug-and-play model, so additional security checks can be integrated with ease. Dow Jones uses Hammer to monitor its hundreds of AWS accounts, which span a product portfolio including The Wall Street Journal, Factiva, MarketWatch and Barron's.
Designed by developers, for developers, Hammer is built on DevSecOps principles, solutions and strategies that favour developer-friendly processes, workflows and integrations. It is API-friendly and integrates with ticketing systems such as Jira and corporate instant-messaging platforms such as Slack.
The Uber Cloud Security team, after evaluating a number of commercial and open-source AWS security monitoring solutions, decided to use Hammer to monitor AWS resources in its hybrid environment. Hammer allows Uber to reuse several existing security services in its environment, such as bug tracking and incident response. Using Hammer, Uber has created rich integration scenarios that make it easier for its internal customers to reduce their cloud security risks. Uber CloudSec collaborates closely with the Dow Jones Security team on the project roadmap and has been contributing bug fixes and new features.
In this session, we will present a case study on common security misconfiguration problems and how to auto-remediate them:
- Protecting against Crypto Miners in your environment
- Over-exposed servers leading to lateral movement
- Protecting accidentally exposed databases, servers, pub/sub
- Mitigating risks related to stale access keys
- Authoring custom company-specific monitoring rules
- Single pane view for operationalizing security findings from other services such as AWS Trusted Advisor
Lastly, the audience will leave with a few takeaways on starting the cloud security journey from day 1.