VIVRI
24-hour security protection through managed security services.
VIVRI, a company that markets nutritional products, ran its e-commerce platform on physical infrastructure, which caused problems with high availability, latency and limited scalability. The main problem, however, was site security: the site was exposed to opportunistic attacks that could steal customers' banking information or sensitive company data, and it was not backed by any certification or compliance accreditation that would give customers peace of mind.
They had no proactive monitoring to detect anomalies in their workloads, which left the e-commerce site more exposed. VIVRI's IT development team had no documented processes for resolving problems in their workloads and no Disaster Recovery Plan, and because everything ran only in the Virginia region (us-east-1), a regional problem caused a drop in service that affected business continuity.
Solution proposal by Compucloud
The Compucloud team of experts offered a consultation to begin the relevant remediations and apply best practices in the AWS cloud to solve the problems described. Drawing on our experience as a Managed Service Provider, as a Well-Architected Framework partner and as a member of the Service Delivery Program for WAF, together with the support and knowledge of Trend Micro, we developed a solution proposal based on security best practices, the Well-Architected Framework and the AWS maturity model.
- Infrastructure vulnerability analysis
VIVRI handles sensitive information within its applications, so it was necessary to implement a vulnerability analysis solution on its EC2 instances, with the objective of reducing the exposure of its servers to vulnerability exploitation and misconfigurations. For this reason, a solution that provides both network-level and host-level protection was recommended.
- Visibility of the AWS resource inventory
For VIVRI, it is important to have visibility of all the resources, changes and events that occur within its AWS account. Compucloud provides an application that lets the customer view all assets and changes centrally through a graphical interface, which makes gathering information easier and faster.
- Monitoring security best practices on AWS
Following the security practices recommended by AWS is fundamental for the customer. Their account is continuously analyzed for configuration deviations that could affect its security, and Compucloud regularly sends security reports based on the best practices for the services the customer uses.
- AWS compliance monitoring
Because of the type of information VIVRI handles, security solutions were chosen that continuously monitor compliance with demanding standards and regulations such as PCI DSS and the CIS AWS Foundations Benchmark v1.2.0.
- Monitor and classify security events
Since VIVRI runs an e-commerce site, it is important that the security events occurring in its AWS infrastructure are constantly monitored. The customer therefore has a support policy that provides 24/7 support together with continuous security monitoring, with activities, automations and reports carried out on an ongoing basis to give broad visibility of its entire security posture:
24/7 support
Continuous monitoring of security events through Zendesk.
Different means of direct communication with Compucloud agents.
Incident response automations.
Continuous delivery of security reports.
Security Incident Knowledge Base
- Managed Intrusion Prevention and Managed Detection and Response for AWS endpoints
Given the workload, the type of application and the information handled by VIVRI, it was necessary to implement a solution that protects all layers, including workload security, compliance and file storage security. These solutions, together with AWS services, raise the security posture of the entire infrastructure to meet the highest security standards.
- Managed Web Application Firewall
VIVRI's workloads were suffering various attacks aimed at its web applications, so Compucloud recommended AWS WAF to filter malicious traffic before it reaches the workloads, significantly reducing attacks and improving the security of the infrastructure and its data.
AWS services that drove the development of a more robust project
Instances of the T3 family were recommended. T3 instances are general-purpose, burstable next-generation instances that provide a baseline level of CPU performance with the ability to burst CPU usage at any time: a T3 instance accumulates CPU credits while its workload runs below the baseline and spends them when it bursts above it.
M5 instances are the next generation of general-purpose instances and offer better performance than M4. This family provides a balance of compute, memory and network resources and is a good choice for many database workloads.
To complement these instances, EBS General Purpose SSD (gp2) volumes were implemented. SSD-backed volumes are used because they are optimized for transactional workloads with frequent small read/write operations; this workload does not require provisioned IOPS, since the baseline IOPS of gp2 (3 IOPS per GiB, with burst up to 3,000 IOPS) meet the desired performance.
Because the customer runs an e-commerce site, it needs a secure connection from the end user; for this reason we proposed an Application Load Balancer with a listener rule that redirects HTTP requests to HTTPS.
We also implemented AWS WAF rules that increase the security of the e-commerce site:
1. Given the nature of the workload, it is necessary to protect against IP addresses that the AWS threat intelligence team has identified as malicious or as bots; this rule prevents those IPs from making requests to the workload.
2. Rules to minimize the exploitation or discovery of vulnerabilities.
3. Rules that block request patterns associated with the exploitation of SQL databases, such as SQL injection attacks, because the workload uses an RDS database.
4. Rules that block request patterns associated with the exploitation of specific Windows vulnerabilities, such as remote PowerShell command execution, on the EC2 instances running Windows Server.
5. Rules for blocking and managing bot requests.
For the network, a VPC was implemented for the entire infrastructure to control access to and from its subnets. Two subnets were configured: a public subnet for the EC2 instances, which reach the internet through an Internet Gateway, and a private subnet for the RDS instance. The network was complemented with VPC Flow Logs, which record the traffic that reaches the network interfaces of the environment's resources, and with Amazon GuardDuty to detect threats and monitor the customer's environment. Security events found by GuardDuty are responded to automatically: a script developed for this purpose receives the GuardDuty findings and blocks the discovered actor at both the AWS WAF and Network Access Control List (NACL) level.
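The automatic response described above, as an added example that is not Compucloud's script: an AWS Lambda handler, triggered by the GuardDuty finding event delivered through EventBridge, that extracts the remote actor from the finding, refuses to block internal addresses, appends the actor to an AWS WAF IP set and adds a deny entry to the VPC NACL numbered below the allow rules. The IP set name, ID and scope, the NACL ID, the reserved rule-number range 1-99 and the sample finding below are assumptions for illustration. The decision logic (plan_block) is separated from the AWS calls so it can be exercised without credentials.

```python
"""Auto-block an actor reported by Amazon GuardDuty in AWS WAF and a VPC NACL.

Added example, not Compucloud's script. Assumed, not taken from the case
study: the WAF IP set name/ID/scope, the NACL ID, the reserved NACL deny
rule-number range and the constructed sample finding.
"""
import ipaddress
from typing import Optional

# Hypothetical identifiers (assumptions).
IP_SET_NAME, IP_SET_SCOPE = "blocked-actors", "REGIONAL"
IP_SET_ID = "a1b2c3d4-0000-0000-0000-000000000000"
NACL_ID = "acl-0123456789abcdef0"
DENY_LO, DENY_HI = 1, 99   # NACL evaluates lowest rule first; allow rules live at >= 100

# Never deny these even if a finding names them: RFC 1918, loopback, link-local
# (includes the 169.254.169.254 metadata endpoint), CGNAT, IPv6 ULA/link-local.
# The TEST-NET ranges used in the sample data below are deliberately not listed.
_NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed EventBridge `detail` of a finding, trimmed to the fields read here.
SAMPLE_DETAIL = {
    "type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "service": {"action": {"actionType": "NETWORK_CONNECTION",
                "networkConnectionAction": {"connectionDirection": "INBOUND",
                "remoteIpDetails": {"ipAddressV4": "203.0.113.45"}}}}}
SAMPLE_IP_SET = ["198.51.100.7/32"]          # constructed current IP set contents
SAMPLE_NACL = [                              # constructed NACL entries (describe_network_acls shape)
    {"RuleNumber": 1, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "198.51.100.7/32"},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"}]


def remote_ips(detail: dict) -> list:
    """Remote IPs named by a finding (camelCase EventBridge form). Only these
    action types carry a remote address; DNS or Kubernetes findings yield none."""
    action = detail.get("service", {}).get("action", {})
    kind = action.get("actionType")
    if kind == "NETWORK_CONNECTION":
        holders = [action.get("networkConnectionAction", {})]
    elif kind == "AWS_API_CALL":
        holders = [action.get("awsApiCallAction", {})]
    elif kind == "PORT_PROBE":
        holders = action.get("portProbeAction", {}).get("portProbeDetails", [])
    else:
        return []
    ips = []
    for h in holders:
        r = h.get("remoteIpDetails", {})
        ips += [v for v in (r.get("ipAddressV4"), r.get("ipAddressV6")) if v]
    return ips


def blockable_cidr(ip: str) -> Optional[str]:
    """Host CIDR as WAF and NACL expect it, or None for addresses we must never deny."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in _NEVER_BLOCK):
        return None
    return f"{addr}/{32 if addr.version == 4 else 128}"


def next_rule_number(entries: list, egress: bool = False) -> Optional[int]:
    """Lowest free rule number in the reserved deny range for one direction, or
    None when it is exhausted (the default NACL quota is 20 rules per direction)."""
    used = {e["RuleNumber"] for e in entries if e.get("Egress", False) == egress}
    return next((n for n in range(DENY_LO, DENY_HI + 1) if n not in used), None)


def plan_block(detail: dict, ip_set_addresses: list, nacl_entries: list) -> dict:
    """Decide the changes: new full IPv4 IP-set list, create_network_acl_entry
    kwargs to issue, and (ip, reason) pairs for anything skipped."""
    waf, nacl_new, skipped = list(ip_set_addresses), [], []
    already_denied = {e.get("CidrBlock") or e.get("Ipv6CidrBlock")
                      for e in nacl_entries if e.get("RuleAction") == "deny"}
    for ip in remote_ips(detail):
        cidr = blockable_cidr(ip)
        if cidr is None:
            skipped.append((ip, "internal address, refusing to block"))
            continue
        v6 = ":" in cidr
        if not v6 and cidr not in waf:   # a WAF IP set is single-family; this one is IPV4 (assumption)
            waf.append(cidr)
        if cidr in already_denied:
            continue
        num = next_rule_number(nacl_entries + nacl_new)
        if num is None:
            skipped.append((ip, "NACL deny range full, WAF block only"))
            continue
        nacl_new.append({"RuleNumber": num, "Protocol": "-1", "RuleAction": "deny",
                         "Egress": False, ("Ipv6CidrBlock" if v6 else "CidrBlock"): cidr})
        already_denied.add(cidr)
    return {"waf_addresses": waf, "nacl_new": nacl_new, "skipped": skipped}


def lambda_handler(event, context):
    """EventBridge target for GuardDuty findings. Needs boto3 (bundled in Lambda) and
    wafv2:GetIPSet/UpdateIPSet plus ec2:DescribeNetworkAcls/CreateNetworkAclEntry."""
    import boto3
    wafv2, ec2 = boto3.client("wafv2"), boto3.client("ec2")
    cur = wafv2.get_ip_set(Name=IP_SET_NAME, Scope=IP_SET_SCOPE, Id=IP_SET_ID)
    acl = ec2.describe_network_acls(NetworkAclIds=[NACL_ID])["NetworkAcls"][0]
    plan = plan_block(event["detail"], cur["IPSet"]["Addresses"], acl["Entries"])
    if plan["waf_addresses"] != cur["IPSet"]["Addresses"]:
        wafv2.update_ip_set(Name=IP_SET_NAME, Scope=IP_SET_SCOPE, Id=IP_SET_ID,
                            Addresses=plan["waf_addresses"], LockToken=cur["LockToken"])
    for entry in plan["nacl_new"]:
        ec2.create_network_acl_entry(NetworkAclId=NACL_ID, **entry)
    return plan
```

Two points a practitioner should keep in mind: the IP set only blocks anything once a rule in the Web ACL references it with a block action, and a NACL fills up quickly at 20 rules per direction, so the companion job that expires old deny entries (not shown here) is what keeps this automation working after the first few days.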
AWS services that are part of the solution:
Amazon VPC
Amazon EC2
Amazon EBS
Amazon RDS
Internet Gateway
Application Load Balancer
Security Groups
Amazon CloudWatch
AWS CloudTrail
Amazon S3
AWS Lambda
Elastic IP addresses
AWS IAM
Amazon Route 53
AWS Certificate Manager (ACM)
AWS WAF
AWS WAF Bot Control
AWS WAF rules
VPC Flow Logs
Amazon GuardDuty
Through the AWS services implemented, it was possible to solve the customer's problems: high availability, low latency, security, flexibility and scalability. The infrastructure is further protected by a bastion host, which provides a secure path to the instances: the e-commerce instance only accepts administrative access from the bastion's IP address. That only solves connectivity to the main resource, however; collecting logs and analyzing them with a security monitoring service such as GuardDuty allows informed decisions about resources that may be becoming vulnerable, and finally the WAF strengthens the delivery of the customer's web content with rules that control which types of requests can reach the application. When the regional problem occurred, the customer's main impact was that more than 10,000 providers could not access the web content, which led to a loss of 20,000 USD; as the workload was modernized, the availability of the application improved, reducing the likelihood of that incident happening again.
Published: 24/4/2024
Author: Equipo Compucloud
AWS services are very effective at solving a variety of problems. One advantage is that cloud performance exceeds that of on-premises infrastructure, and through AWS services we can meet customer requirements such as high availability and scalability, which in this case are of great importance to the customer.