GCK Client-Server Endpoint Protection
Background
The Kimchi King has found that after implementing his new Cybersecurity Architecture for Golden Chopsticks Kimchi (GCK), he needed more endpoint protection mechanisms. There are a number of considerations he needs to think through while implementing a client-server infrastructure that will leverage data and endpoint security controls for his GCK architecture. Consideration must be given to those who administer the system as well as to all those customers on their mobile phones spamming the “kimchi me now” button for fresh homemade kimchi!
Where is endpoint protection needed?
From an endpoint perspective, there are two groups who access the GCK architecture: those who are administrators of the system and those who are GCK customers. Administrators will need various access rights, not only for deploying the application to AWS but also for managing those who will access the application as GCK customers. These administrators will most likely use their laptop and desktop computers to perform these sorts of business-as-usual functions. GCK customers can access the GCK app through their mobile phone as well as the website to order that special kimchi they crave. Because of how popular GCK is, there have been many attempts to hijack customers’ orders. Security adversaries have been attempting to use malicious software not only to hijack or disrupt customer orders, but also to target the GCK architecture in an attempt to gain access to GCK’s special secret spicy recipes. After some analysis, the Kimchi King has identified potential endpoints that should be watched over, such as desktop computers, laptops, mobile devices (smartphones and tablets), workstations, servers, routers, and switches. Given that most of the architecture is on AWS, there are simple and effective tools that can be implemented to address these kimchi attacks. Figure 1 highlights in red boxes where endpoint protection solutions exist or may be needed from the Kimchi King’s perspective.
AWS protection out of the box
As part of the AWS Startup Security Baseline (AWS SSB) there are some items that will be configured initially to help with endpoint security. The Kimchi King is leveraging edge-protection services for public endpoints. This blocks direct traffic to the compute services and adds an extra layer in front of the services that handle incoming traffic. AWS WAF and the API Gateway provide public endpoint protection and can filter unwanted traffic and enforce encryption. Amazon advertises that CloudFront, API Gateway, and Amazon Route 53 provide protection against distributed denial of service (DDoS) attacks for free, but AWS Shield specifically can be leveraged for managed DDoS protection (Figure 2).
The AWS WAF (Figure 3) can provide protection against application layer attacks. Rules can be created to filter requests based on IP addresses, HTTP information, and custom URLs. The GCK application login page can be monitored for unauthorized access attempts using compromised credentials. Lambda functions can be leveraged to analyze web logs for malicious activity and automatically create new security rules. There are a number of preconfigured rules to protect against bots, SQL injection, cross-site scripting (XSS), HTTP floods, and other known attacks. Bad actor blacklists can be leveraged to prevent web attacks.
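The "Lambda watches the login page and feeds a new rule" pattern described above, as an added example that is not GCK's code or an AWS sample. It assumes a `/login` path, a simplified constructed log format, and that the returned CIDR list is what gets pushed into a WAF IP set (the block itself stops at producing that list).

```python
"""Login-abuse detector for the GCK login page (the WAF + Lambda pattern above).
Added example, not GCK's or AWS's code. Input uses a constructed, simplified
log format '<iso-timestamp> <client_ip> <method> <path> <status>'; real ALB or
WAF logs differ, so a production Lambda would adapt parse_line()."""

from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/login"          # assumed path of the GCK login page
FAILURE_STATUSES = {401, 403}  # responses meaning the credentials were rejected
THRESHOLD = 5                  # rejected logins per IP inside WINDOW before blocking
WINDOW = timedelta(minutes=5)

def parse_line(line):
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts), ip, method, path, int(status)

def failed_logins(lines):
    """Map client IP -> sorted timestamps of rejected POSTs to the login page."""
    hits = defaultdict(list)
    for line in lines:
        ts, ip, method, path, status = parse_line(line)
        if method == "POST" and path == LOGIN_PATH and status in FAILURE_STATUSES:
            hits[ip].append(ts)
    return {ip: sorted(v) for ip, v in hits.items()}

def ips_to_block(lines):
    """IPs with >= THRESHOLD rejected logins inside any WINDOW-long span.
    Returned as /32 CIDRs, since a WAF IP set takes CIDR notation."""
    blocked = []
    for ip, times in failed_logins(lines).items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:   # slide the window forward
                start += 1
            if end - start + 1 >= THRESHOLD:
                blocked.append(f"{ip}/32")
                break
    return sorted(blocked)

def _failures(ip, first, n, step):  # constructed log lines for one IP
    return [f"{(first + i * step).isoformat()} {ip} POST {LOGIN_PATH} 401" for i in range(n)]

T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_LOG = (
    _failures("198.51.100.7", T0, 6, timedelta(seconds=10))   # stuffing burst: block
    + _failures("192.0.2.9", T0, 6, timedelta(minutes=10))    # 6 slow mistakes in an hour: keep
    + [f"{T0.isoformat()} 203.0.113.5 POST {LOGIN_PATH} 401",  # one typo, then success
       f"{(T0 + timedelta(seconds=30)).isoformat()} 203.0.113.5 POST {LOGIN_PATH} 200"]
)
```

Only the burst source trips the sliding window; the slow failer shows why a plain count per log file would over-block.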
The AWS API Gateway provides a unified front door to web service APIs. The gateway utilizes bearer tokens or JSON web tokens (JWTs) and can be integrated with AWS WAF. Data is protected in transit and at rest using encryption. Calls are encrypted using TLS on HTTPS endpoints, and custom domain names can be configured with their own certificates. All API definitions are deployed in memory and cached to encrypted disks. Log files are encrypted before being sent to CloudWatch Logs and are then stored encrypted at rest as well. There is a strong relationship between AWS API Gateway and AWS IAM to provide granular access control by role and user to various resources.
AWS GuardDuty is primarily a detection and notification service. GuardDuty will provide detailed security findings for remediation. GuardDuty can detect cryptocurrency mining, Tor clients and relays, unexpected behavior, and compromised IAM credentials. AWS CloudWatch and Amazon SNS can be leveraged with GuardDuty to provide notifications when anything anomalous is detected.
The GCK app will be leveraging Amazon Cognito, a user management service that supports social logins from Facebook/Meta, Amazon, Google, or Apple (Figure 4). Cognito uses user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for all GCK customers and users of the system. Identity pools grant those same users access to AWS services, such as serverless Lambda functions reached through the API Gateway.
- Kimchi customer signs in through a user pool and receives tokens after authentication.
- The GCK app exchanges the pool tokens for AWS credentials through the identity pool.
- The kimchi customer uses the AWS credentials to access other backend services.
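The three-step exchange above in code, as an added example that is not GCK's code. The pool and client IDs are placeholders, and the Cognito clients are injected so the flow can be exercised offline against the constructed fakes at the bottom.

```python
"""User-pool sign-in, identity-pool token exchange and credential use, the three
steps above. Added example, not GCK's code. Clients are injected so the flow runs
offline against the constructed fakes below; with boto3.client("cognito-idp") and
boto3.client("cognito-identity") the same functions perform the real exchange."""
REGION = "us-east-1"                    # assumed region
USER_POOL_ID = "us-east-1_EXAMPLE"      # placeholder user pool id
APP_CLIENT_ID = "example-app-client"    # placeholder app client id
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder

def sign_in(idp, username, password):
    """Step 1: authenticate against the user pool; returns the token set."""
    resp = idp.initiate_auth(AuthFlow="USER_PASSWORD_AUTH", ClientId=APP_CLIENT_ID,
                             AuthParameters={"USERNAME": username, "PASSWORD": password})
    return resp["AuthenticationResult"]   # IdToken, AccessToken, RefreshToken

def provider_name():
    # The identity pool keys the login on the user pool issuer, not the app client.
    return f"cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"

def exchange_for_aws_credentials(identity, id_token):
    """Step 2: trade the ID token (not the access token) for temporary AWS creds."""
    logins = {provider_name(): id_token}
    identity_id = identity.get_id(IdentityPoolId=IDENTITY_POOL_ID, Logins=logins)["IdentityId"]
    resp = identity.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)
    return resp["Credentials"]            # AccessKeyId, SecretKey, SessionToken, Expiration

def session_kwargs(creds):
    """Step 3: the keyword arguments a boto3.Session needs to call backend services."""
    return {"aws_access_key_id": creds["AccessKeyId"], "aws_secret_access_key": creds["SecretKey"],
            "aws_session_token": creds["SessionToken"]}

# Constructed fakes mimicking the response shapes of the two real services.
class FakeUserPool:
    def initiate_auth(self, **kw):
        if kw["AuthParameters"] != {"USERNAME": "kimchi_fan", "PASSWORD": "correct horse"}:
            raise PermissionError("NotAuthorizedException")
        return {"AuthenticationResult": {"IdToken": "id.jwt", "AccessToken": "access.jwt"}}

class FakeIdentityPool:
    def get_id(self, **kw):
        if kw["Logins"] != {provider_name(): "id.jwt"}:   # only the ID token is accepted
            raise PermissionError("NotAuthorizedException")
        return {"IdentityId": f"{REGION}:fake-identity-id"}
    def get_credentials_for_identity(self, **kw):
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretKey": "s", "SessionToken": "t"}}

def demo(password="correct horse"):
    tokens = sign_in(FakeUserPool(), "kimchi_fan", password)
    return session_kwargs(exchange_for_aws_credentials(FakeIdentityPool(), tokens["IdToken"]))
```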
AWS marketplace endpoint protection platform (EPP) options
Within the AWS Marketplace there are several solutions available to manage endpoint assets and secure them against vulnerabilities, malware, and data loss. The options immediately available are CrowdStrike, Digital Guardian, SentinelOne, Tanium, and Trend Micro. These tools appear to be endpoint detection and response (EDR) tools that combine data loss prevention (DLP) and intrusion prevention system (IPS) capabilities, but on closer inspection that is doubtful. Given that GCK is a small startup, a quick analysis was done to get a sense of what makes the best sense, focusing on price and features (Table 1). Some options were far out of GCK’s price range or had some other complication of unit pricing that may be limiting. Three tools looked right for a small startup: CrowdStrike, SentinelOne, and Trend Micro. Trend Micro’s pricing model seemed too extreme, and without trying it there would be no sense of what it would really look like in a year for budgeting purposes. CrowdStrike was cheaper than SentinelOne, so out of the three CrowdStrike was chosen.
Tool | Price | Features | Decision
CrowdStrike | $337.79 for 12 mo. | EPP Complete with Threat Graph Extended Plus; lightweight agents; AV for malware with ML; EDR with 24/7 elite security experts; USB device controls | yes
Digital Guardian | $110,000 for 12 mo. | DLP on Windows, macOS, Linux; account team to help | no
SentinelOne | $900 for 12 mo. | 100 units (Enterprise Support price); ActiveEDR; Static AI and Behavioral AI EPP; 300 APIs for seamless integrations | maybe
Tanium | $1.2M for 12 mo. | UES & UEM Core Essential, 10,000 units; zero customer infrastructure; Unified Endpoint Management | no
Trend Micro | $0.026 per 1000 serverless invocations; $0.013 per gigabyte (GB) inspected | Pricing is by the drink; 30 day free trial; free tiers; choose what services to use; malware, ransomware, virtual patching, IPS; secure your S3 buckets; open source security; network and application security | yes
CrowdStrike
CrowdStrike is a recognized leader in the security marketplace, and their product is the CrowdStrike Falcon platform. CrowdStrike’s expanded endpoint security provides extended threat detection and response (XDR) leveraging AI and deep link analytics. At its core, Falcon XDR has an endpoint threat detection and response (EDR) framework that is backed 24/7 by the company’s experts. The Falcon agents can be deployed across the GCK ecosystem to give detailed visibility into the various components of the system (Figure 4). The AWS CrowdStrike solution is integrated with AWS GuardDuty and can provide immediate notifications if anything is wrong. For those using desktops or laptops, there is an endpoint USB device control to keep malware, ransomware, and viruses from entering the system via rogue files off a thumb drive.
Conclusion
Golden Chopsticks Kimchi’s client-server architecture has various entry points into the web application system. These connection points all need to be secured and protected at the client level as well as the server level. Leveraging AWS tools out of the box will help protect the application to some extent. Utilizing the CrowdStrike platform from the AWS Marketplace will provide extra protection and the insights needed to remediate problems as soon as possible. Long live the Kimchi King, and may his kingdom be defended with advanced endpoint protection technologies.
References
- Amazon: What is Endpoint Security?
- CrowdStrike: Falcon Complete
- How Falcon for AWS Secures Cloud Workloads
- CrowdStrike Datasheet
- Digital Guardian Data Loss Prevention (DLP)
- SentinelOne Endpoint Protection
- Tanium as a Service
- Trend Micro Cloud One
- JumpStart Guide for Endpoint Security in AWS
- AWS Startup Security Baseline (AWS SSB)
- WKLD.14 – Use edge-protection services for public endpoints
- ACCT.11 – Enable and respond to GuardDuty notifications
- AWS WAF Overview
- AWS WAF Getting Started
- Security Overview of Amazon API Gateway: AWS Whitepaper
- Amazon Cognito Documentation
- AWS Shield