AWS Security Week: Intro To Threat Detection & Remediation
Slide 1 (© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved)
Pop-up Loft
Introduction to Threat Detection and Remediation on AWS
Jeff Levine
Sr. Solutions Architect, Security Services
Amazon Web Services
Slide 2
Agenda
• Quick Intro to AWS CAF Security Perspective
• Overview of Threat Detection and Remediation on AWS
– AWS WAF
– AWS Shield
– Amazon GuardDuty
– Amazon Macie
– AWS Lambda
– AWS Config
– Amazon Inspector
– AWS Systems Manager
– AWS Secrets Manager
– Amazon CloudWatch Events
• Putting it all together
Slide 3
Who Is This Jeff Levine Guy?
• The first big computer I worked on was an HP 3000 Series II.
• I have used keypunchers and card sorters.
• My first programming languages were Fortran, COBOL, and RPG.
• I like to scuba dive!
• I came to AWS in 2016.
Slide 4
My Job
• I help our customers understand the security capabilities of AWS.
• I assist our customers in the pursuit of their compliance objectives.
• I develop content such as blog posts, whitepapers, and code.
• I meet people like you from all kinds of companies doing incredible things and helping them to do it at scale.
• Work hard, have fun, make history!
Slide 5
Why is security traditionally so hard?
• Lack of visibility
• Low degree of automation
Slide 6
AWS Cloud Adoption Framework
• Each Perspective provides guidance for different parts of an organization
• Helps YOU adapt existing practices or introduce new practices for cloud computing
• https://d1.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf
Slide 7
The AWS CAF Security Perspective Controls
• Directive controls establish the governance, risk, and compliance models the environment will operate within. (example: AWS Organizations)
• Preventive controls protect your workloads and mitigate threats and vulnerabilities. (example: AWS IAM)
• Detective controls provide full visibility and transparency over the operation of your deployments in AWS. (example: Amazon GuardDuty)
• Responsive controls drive remediation of potential deviations from your security baselines. (example: AWS Config + AWS Lambda)
Slide 8
The AWS CAF Security Perspective Epics
5 Core Security Epics
Identity and Access Management
Detective controls
Infrastructure security
Data protection
Incident response
Slide 9
Threat Detection and Remediation on AWS
Slide 10
What is a WAF?
Web Application Firewall
• Monitors HTTP/S requests and protects web applications from malicious activities
• Layer 7 inspection and mitigation tool
Slide 11
What is AWS WAF?
Web traffic filtering with custom rules
• Rate based rules
• IP Match & Geo-IP filters
• Regex & String Match
• Size constraints
• Action: Allow/Block
Malicious request blocking
• SQLi
• XSS
Active monitoring & tuning
• CloudWatch Metrics/Alarms
• Sampled Logs
• Count Action mode
Slide 12
Where AWS WAF can help (diagram: AWS WAF at the application layer)
• DDoS: HTTP floods
• Application attacks: SQL injection, application exploits, social engineering
• Bad bots: content scrapers, scanners & probes, crawlers
Slide 13
AWS WAF benefits
• Fast incident response
• Powerful rule language
• Easy to deploy
• Affordable
• Security automation
• Managed rules
Slide 14
AWS Firewall Manager
AWS Firewall Manager is a security management service to centrally configure and manage web application firewall rules across your accounts and applications.
Using Firewall Manager, you can roll out WAF rules all at once for your Application Load Balancers and AWS CloudFront distributions across accounts.
Slide 15
AWS Firewall Manager Key Benefits
• Simplified Management of WAF Rules
– Integrated with AWS Organizations
– Centrally managed global rules, and Account-specific rules
• Ensure Compliance to WAF Rules
– Ensure entire Organization adheres to mandatory set of rules
– Apply protection even when new Accounts or resources are created
• Central Visibility Across Organization
– Central visibility of WAF threats across Organization
– Compliance Dashboard for audit firewall status
• An organization’s InfoSec team learns and operates WAF instead of each Account owner
Slide 16
Managed rules from security leaders
Slide 17
AWS SHIELD
• Standard Protection: Available to ALL AWS customers at no additional cost
• Advanced Protection: Paid service that provides additional protections, features, and benefits
Slide 18
AWS SHIELD – Standard Protection
Automatically provided to all AWS customers at no additional cost
• Automatic defense against the most common network and transport layer DDoS attacks for any AWS resource, in any AWS Region
• Comprehensive defense against all known network and transport layer attacks when using Amazon CloudFront and Amazon Route 53
• Application layer defense available when using AWS WAF
Slide 19
AWS SHIELD – Advanced Protection
Available globally on Amazon CloudFront, Amazon Route 53, and in select AWS Regions
• Fast escalation to the AWS DDoS Response Team (DRT) to assist with complex edge cases
• Attack visibility and enhanced detection
• Cost Protection to mitigate economic attack vectors
• AWS WAF for application-layer defense, at no additional cost
Slide 20
DEFENSE IN DEPTH (diagram: DDoS traffic from the Internet crosses the Border Network, then AWS Services, then the Customer Infrastructure, with DDoS Detection spanning the layers)
• Internet-Layer Mitigations (Border Network) – Effective against: large-scale attacks
• Network Layer Mitigations (AWS Services) – Effective against: SYN floods, reflection attacks, suspicious sources
• Web Layer Mitigations (AWS Services) – Effective against: SSL attacks, Slowloris, malformed HTTP
• Customer Infrastructure – Effective against: HTTP floods, bad bots, suspicious IPs
• DDoS Response Team – Effective against: sophisticated Layer 7 attacks
Slide 21
What is Amazon GuardDuty?
• A threat detection service re-imagined for the cloud
• Continuously monitors and protects AWS accounts, along with the applications and services running within them
• Detects known and unknown threats
• Makes use of artificial intelligence and machine learning
• Integrated threat intelligence
• Operates on CloudTrail, VPC Flow Logs & DNS
• Detailed & Actionable Findings
Slide 22
Detecting Known Threats
Threat intelligence
• GuardDuty consumes feeds from various sources
– AWS Security
– Commercial feeds
– Open source feeds
– Customer provided threat intel (STIX)
• Known malware infected hosts
• Anonymizing proxies
• Sites hosting malware & hacker tools
• Crypto-currency mining pools and wallets
• Great catch-all for suspicious & malicious activity
Slide 23
Detecting Unknown Threats
Anomaly detection
• Algorithms to detect unusual behavior
– Inspecting signal patterns for signatures
– Profiling normal and looking at deviations
– Machine learning classifiers
• Larger R&D effort
– Highly skilled data scientists to study data
– Develop theoretical detection models
– Experiment with implementations
– Testing, tuning, and validation
Slide 24
What can the service detect? (diagram of example findings)
• RDP brute force
• RAT installed
• Exfiltrate temp IAM creds over DNS
• Probe API with temp creds
• Attempt to compromise account
• Malicious or suspicious IP
• Unusual ports
• DNS exfiltration
• Unusual traffic volume
• Connect to blacklisted site
• Recon
• Anonymizing proxy
• Temp credentials used off-instance
• Unusual ISP caller
• Bitcoin activity
• Unusual instance launch
Slide 25
Finding Type Categories
• Recon
– Port Probe on unprotected port
– Outbound port scans
– Callers from anonymizing proxies
• Backdoor
– Spambot or C&C activity detected
– Exfiltration over DNS channel
– Suspicious domain request
• Trojan
– DGA Domain Request
– Blackhole traffic
– DropPoint
• Unauthorized Access
– Unusual ISP caller
– SSH BruteForce
– RDP Brute Force
• Stealth
– Password Policy Change
– CloudTrail Logging Disabled
– GuardDuty Disabled in member account
• CryptoCurrency
– Communication with Bitcoin DNS pools
– CryptoCurrency related DNS calls
– Connections to Bitcoin mining pools
Slide 26
Amazon Macie
ML-powered visibility service that identifies sensitive information to help automate security and compliance
Slide 27
Macie overview
• Understand your data: Natural Language Processing (NLP)
• Understand data access: Predictive User Behavior Analytics (UBA)
Slide 28
Macie Content Classification
• PII and personal data
• Source code
• SSL certificates, private keys
• iOS and Android app signing keys
• Database backups
• OAuth and Cloud SAAS API Keys
• Generates findings
Slide 29
Automated actions on alerts/findings
• Take action using AWS Lambda
– Delete the object
– Revoke access—bucket or object
– Perimeter guard
– Update IAM policies
– Suspend user
Slide 30
Benefits of AWS Lambda
Productivity-focused compute service to build powerful, dynamic, modular applications in the cloud
• Cost-effective and efficient
– No infrastructure to manage
– Pay only for what you use
• Bring your own code
– Run code in standard languages
– Focus on business logic
Slide 31
AWS Lambda: Run Code in Response to Events (diagram: EVENT SOURCE → FUNCTION → TAKE ACTION)
• Event source: changes in data state, requests to endpoints, changes in resource state
• Function: Node, Python, Java, C#
• Take action
Slide 32
Active Auditing with AWS Lambda
• AWS Config and AWS Config Rules
• AWS CloudTrail and Amazon CloudWatch Logs
Slide 33
AWS Config & AWS Config Rules
• A continuous recording and continuous assessment service (diagram: changing resources → AWS Config → history, snapshot, Config Rules → actions/notifications, API access)
• Answer the questions:
– How are my resources configured over time?
– Did a change that occurred to a resource break a rule?
• Multi-Account, Multi-Region Data Aggregation
Slide 34
AWS Lambda as Auditor (diagram: changing resources → Lambda auditor → remediation)
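As an added example that is not from the deck, here is the auditor pattern of the last two slides written as a custom AWS Config rule in Python: Config invokes the function with the changed configurationItem, the function decides whether an EC2 security group admits a port (SSH by default) from an any-source CIDR, and it reports COMPLIANT or NON_COMPLIANT back through put_evaluations. The `port` rule parameter, the constructed sample event and the injected config_client (so the logic runs offline) are assumptions.

```python
import json

WORLD = ("0.0.0.0/0", "::/0")   # any-source CIDRs that make a port public

def _cidrs(perm):
    """All CIDRs in one ingress entry (Config emits both list shapes)."""
    found = list(perm.get("ipRanges", []))
    found += [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    found += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return [c for c in found if c]

def open_to_world(perm, port):
    """True if this ingress entry admits `port` from an any-source CIDR."""
    proto = perm.get("ipProtocol")
    if proto == "-1":                                  # all protocols/ports
        covers = True
    elif proto in ("tcp", "6"):
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        covers = lo is not None and hi is not None and lo <= port <= hi
    else:
        covers = False
    return covers and any(c in WORLD for c in _cidrs(perm))

def evaluate_security_group(configuration, port=22):
    """Return (ComplianceType, annotation) for one AWS::EC2::SecurityGroup."""
    if any(open_to_world(p, port) for p in configuration.get("ipPermissions", [])):
        return "NON_COMPLIANT", f"port {port} reachable from an any-source CIDR"
    return "COMPLIANT", f"port {port} not exposed to the world"

def lambda_handler(event, context=None, config_client=None):
    # config_client is boto3.client("config") when deployed; None runs offline.
    item = json.loads(event["invokingEvent"])["configurationItem"]
    port = int(json.loads(event.get("ruleParameters") or "{}").get("port", 22))
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates security groups"
    else:
        compliance, note = evaluate_security_group(item["configuration"], port)
    evaluation = {"ComplianceResourceType": item["resourceType"],
                  "ComplianceResourceId": item["resourceId"],
                  "ComplianceType": compliance, "Annotation": note,
                  "OrderingTimestamp": item["configurationItemCaptureTime"]}
    if config_client is not None:   # report back to Config with the resultToken
        config_client.put_evaluations(Evaluations=[evaluation],
                                      ResultToken=event["resultToken"])
    return evaluation

# Constructed sample invocation: a group that allows SSH from anywhere.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example",
        "configurationItemCaptureTime": "2018-02-20T00:00:00.000Z",
        "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22,
                          "toPort": 22, "ipRanges": ["0.0.0.0/0"]}]}}}),
    "ruleParameters": json.dumps({"port": "22"}),
    "resultToken": "constructed-token",
}
```

Deployed as a Config rule target, the function runs on every configuration change of a security group, which is the continuous-assessment loop the slides describe.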
Slide 35
Use the Cloud to Protect the Cloud
Slide 36
Amazon Inspector
• Vulnerability Assessment Service
– Built from the ground up to support DevSecOps
– Automatable via APIs
– Integrates with CI/CD tools
– On-Demand Pricing model
– Static & Dynamic Rules Packages
– Generates Findings
Slide 37
Amazon Inspector
• Rules Packages
– Common Vulnerabilities & Exposures
– CIS Operating System Security Configuration Benchmarks
– Security Best Practices
– Runtime Behavior Analysis
Slide 38
Automating Remediation
• Findings are JSON formatted and taggable
– Name of assessment target & template
– Start time, end time, status
– Name of rule packages
– Name & severity of the finding
– Description & remediation steps
• Lambda-ify your incident response
– Integrate with Jira-like services
– Integrate with Pagerduty-like services
Slide 39
AWS Systems Manager – Ongoing Management
• A set of capabilities that:
– enable automated configuration
– support ongoing management of systems at scale
– work across all of your Windows and Linux workloads
– run in Amazon EC2 or on-premises
– carry no additional charge to use
Slide 40
Why should I care?
• Support for hybrid architecture
• Cross-platform
• Scalable
• Secure
• Easy-to-write automation
• Expected reduction in Total Cost of Ownership (TCO)
Slide 41
AWS Systems Manager capabilities
• State Manager
• Maintenance Window
• Inventory
• Automation
• Parameter Store
• Run Command
• Patch Manager
Slide 42
Introducing AWS Secrets Manager
Lifecycle management for secrets such as database credentials and API keys.
• Rotate secrets safely
• Manage access with fine-grained policies
• Secure and audit secrets centrally
• Pay as you go
Slide 43
AWS Secrets Manager Key Features
• Safe rotation of secrets
– Built-in integrations, extensible with Lambda
– On-demand or automatic rotation with versioning
• Fine-grained access policies
• Encrypted storage
• Logging and monitoring
Slide 44
CloudWatch Events
• Delivers a near real-time stream of system events that describe changes in Amazon Web Services (AWS) resources.
• Using simple rules, you can match events and route them to one or more target functions or streams.
• CloudWatch Events becomes aware of operational changes as they occur, responds to them, and takes corrective action as necessary: sending messages to respond to the environment, activating functions, making changes, and capturing state information.
Slide 45
Supported Services
• AWS CodeStar
• AWS Console Sign-In
• Auto Scaling
• Batch
• Certificate Manager
• Chime
• Cloud Directory
• CloudFormation
• CloudFront
• CloudHSM
• CloudSearch
• CloudTrail
• CloudWatch Events
• CloudWatch Logs
• CodeBuild
• CodeCommit
• CodeDeploy
• CodePipeline
• Cognito Identity
• Cognito Sync
• Cognito User Pool
• Config
• Data Pipeline
• Database Migration Service
• Direct Connect
• Directory Service
• DynamoDB
• EC2
• EC2 Container Registry
• EC2 Container Service (ECS)
• EC2 Simple Systems Manager (SSM)
• EMR
• ElastiCache
• Elastic Beanstalk
• Elastic File System (EFS)
• Elastic Load Balancing
• Elastic Map Reduce (EMR)
• Elastic Transcoder
• Elasticsearch
• Gamelift
• Glacier
• Glue
• GuardDuty
• Health
• IAM
• Inspector
• IoT
• Key Management Service (KMS)
• Kinesis
• Kinesis Firehose
• Lambda
• Machine Learning
• Macie
• Managed Services
• MediaConvert
• MediaLive
• Metering Marketplace
• Monitoring
• OpsWorks
• OpsWorks for Chef Automate
• Organizations
• Polly
• RedShift
• Relational Database Service (RDS)
• Route 53
• Security Token Service (STS)
• Server Migration Service (SMS)
• Service Catalog
• Simple Email Service (SES)
• Simple Notification Service (SNS)
• Simple Queue Service (SQS)
• Simple Storage Service (S3)
• Simple Workflow Service (SWF)
• Step Functions
• Storage Gateway
• Support
• Trusted Advisor
• WAF Regional
• Web Application Firewall (WAF)
• WorkDocs
• WorkSpaces
* As of 2/20/18
Slide 46
Supported Targets
• Amazon EC2 instances
• AWS Lambda functions
• Streams in Amazon Kinesis Data Streams
• Delivery streams in Amazon Kinesis Data Firehose
• Amazon ECS tasks
• AWS Batch Jobs
• SSM Run Command
• SSM Automation
• Step Functions state machines
• Pipelines in AWS CodePipeline
• AWS CodeBuild projects
• Amazon Inspector assessment templates
• Amazon SNS topics
• Amazon SQS queues
• Built-in targets
• The default event bus of another AWS account
Slide 47
Not just API
Slide 48
Putting it all together
Slide 49
Service Outputs
• WAF: CloudWatch Metrics
• Shield: CloudWatch Metrics
• GuardDuty: CloudWatch Events
• Macie: CloudWatch Events
• Lambda: CloudWatch Logs
• Config: Config Rules
• Inspector: CloudWatch Events
• Systems Manager: CloudWatch Events
Slide 50
Remediation through CloudWatch Events and Lambda (diagram: Macie Finding → CloudWatch Event → Remediation Lambda function)
Slide 51
Remediation through CloudWatch Events and Lambda (diagram: GuardDuty Finding → CloudWatch Event → Remediation Lambda function)
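The finding-to-remediation flow of the two slides above, as an added Python example that is not from the deck: a CloudWatch Events rule pattern, the rule-matching semantics the CloudWatch Events slide describes (implemented generally, so it evaluates any pattern of that nested-list shape, not just this rule), and the remediation Lambda the rule targets, which contains an EC2 instance named in a GuardDuty finding by swapping its security groups. The severity list, the quarantine security group `sg-quarantine`, the sample finding and the injected ec2_client are assumptions.

```python
# CloudWatch Events rule pattern, the same shape you paste into a rule in the
# console. Constructed: routes only GuardDuty findings at the listed severities.
GUARDDUTY_RULE = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [7, 7.5, 8, 8.5, 9]},
}

def matches(pattern, event):
    """Rule semantics: every key in the pattern must exist in the event; a list
    matches when the event value is one of its entries; a nested dict is
    matched recursively; keys the pattern does not mention are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True

CONTAIN = ("UnauthorizedAccess", "Backdoor", "Trojan", "CryptoCurrency")

def plan_remediation(finding):
    """Map one GuardDuty finding (the event's detail object) to an action.
    Instance-targeted findings in the CONTAIN categories get isolated;
    everything else is passed on for a human to look at."""
    ftype = finding["type"]
    resource = finding.get("resource", {})
    if resource.get("resourceType") == "Instance" and ftype.split(":")[0] in CONTAIN:
        return {"action": "isolate-instance", "reason": ftype,
                "instanceId": resource["instanceDetails"]["instanceId"]}
    return {"action": "notify-only", "reason": ftype}

def lambda_handler(event, context=None, ec2_client=None, quarantine_sg="sg-quarantine"):
    """Remediation target. ec2_client is boto3.client("ec2") when deployed and
    quarantine_sg an assumed security group with no rules; None skips the call."""
    if not matches(GUARDDUTY_RULE, event):
        return {"action": "ignored", "reason": "event did not match the rule"}
    plan = plan_remediation(event["detail"])
    if plan["action"] == "isolate-instance" and ec2_client is not None:
        # Replace the instance's security groups with the quarantine group.
        ec2_client.modify_instance_attribute(InstanceId=plan["instanceId"],
                                             Groups=[quarantine_sg])
        plan["applied"] = True
    return plan

# Constructed sample: the CloudWatch Events envelope GuardDuty emits.
SAMPLE_EVENT = {
    "version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "account": "111122223333", "region": "us-east-1",
    "detail": {"type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 8,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0constructed"}}},
}
```

In a deployment, CloudWatch Events applies the rule before invoking the function; the in-function `matches` call is a defence against the same Lambda being wired to a broader rule later.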
Slide 52
Multiple Accounts and Aggregation
Slide 53
Threat Detection and Remediation in Multiple Accounts
• GuardDuty and Macie Support Master / Member accounts
– Centralized Console for many accounts, per region
• CloudWatch Events supports receiving events from multiple accounts through the Event Bus feature
– All CloudWatch Events across your organization can be sent to an Event Bus owned by your InfoSec team
• CloudFormation
– All services discussed today support CloudFormation directly or through custom Lambda resources
– CloudFormation allows you to deploy services discussed today as code
– CloudFormation StackSets allows you to centrally deploy templates across accounts and regions
Slide 54
Automation and Aggregation (diagram: GuardDuty, Macie, and Inspector findings → Amazon CloudWatch Events → AWS Lambda → Amazon Kinesis Firehose → Amazon ES and Amazon S3 → Amazon Athena)
Slide 55
Security Event Pipeline (diagram: Accounts A, B, and C → Central CloudWatch EventBus → Central Processing Lambda → Kinesis Firehose → Amazon ES for Security Analysis and Amazon S3; SNS Topic → Notification)
Slide 56
Pop-up Loft
What problem can we help you solve?
Q & A