Learning Objectives: - Learn about the latest developments in AWS security - Help you structure security controls across your organization - Awareness of tools that will help you to secure your AWS environment

1. © 2017, Amazon Web Services, Inc. or its Affiliates.
Michael Fuller
Amazon GuardDuty
AWS Security
Services

2. © 2017, Amazon Web Services, Inc. or its Affiliates.
Amazon GuardDuty
Amazon GuardDuty is a fully managed intelligent threat detection service that
provides you with an easy way to continuously monitor and protect your AWS
accounts and workloads.
1. Intelligent threat detection at scale
Fully managed detections, integrated threat
intelligence, anomaly detection, and machine learning
2. Single-click enablement and fully managed
No agents, sensors, or network appliances to deploy
-- you are up and running in minutes
3. Broad coverage
No agents, sensors, or network appliances to deploy
-- you are up and running in minutes
4. No performance or availability impact
Absolutely no footprint in your accounts, meaning there is no risk
of performance or availability impact to your workloads
5. Enterprise ready
Multi-account support allows security teams to manage & monitor
many AWS accounts from a single security owned account.
Supports CloudWatch Events for easy integration into existing
event management or workflow systems
6. Cost effective
Architected to be cost efficient for enablement across all accounts
as a security best practice

3. © 2017, Amazon Web Services, Inc. or its Affiliates.
Amazon GuardDuty (detections)
Reconnaissance
Instance recon:
• Port probe / accepted comm
• Port scan (intra-VPC)
• Bruteforce attack (IP)
• Drop point (IP)
• Tor communications
Account recon:
• Tor API call (failed)
Instance compromise
• C&C activity
• Malicious domain request
• EC2 on threat list
• Drop point IP
• Malicious comms (ASIS)
• Cryptocurrency mining
• Spambot activity
• Outbound SSH bruteforce
• EC2 Credential Exfiltration
• Unusual network port
• Unusual traffic volume/direction
• Unusual DNS requests
• Domain generated algorithms
Account compromise
• Malicious API call (bad IP)
• Tor API call (accepted)
• CloudTrail disabled
• Password policy change
• Instance launch unusual
• Region activity unusual
• Suspicious console login
• Unusual ISP caller
• Mutating API calls (create, update,
delete)
• High volume of describe calls
• Unusual IAM user added
• Detections in black are signature based, state-less findings
• Detections in blue are behavioral, state-full findings / anomaly detections

4. © 2017, Amazon Web Services, Inc. or its Affiliates.
Amazon GuardDuty (detection flywheel)
AWS Security
Investigation of threats and patterns
Produce threat intelligence
Provide guidance to all service teams
Amazon GuardDuty
Learns of new threats and patterns
Consumes threat intelligence
Develops new analytics
Deploys new & updated detections
AWS Field Organizations
AWS Support / TAM
Solutions Architects
Professional Services
Customers & Partners
Receive steady stream of new detections
All benefit from learnings of any one
Develops new detections

5. © 2017, Amazon Web Services, Inc. or its Affiliates.
Availability (14 regions & all new regions going forward)
U S E a s t ( N . V i r g i n i a )
U S E a s t ( O h i o )
U S W e s t ( N . C a l i f o r n i a )
U S W e s t ( O r e g o n )
C a n a d a ( C e n t r a l )
E U ( I r e l a n d )
E U ( F r a n k f u r t )
E U ( L o n d o n )
A s i a P a c i f i c ( S i n g a p o r e )
A s i a P a c i f i c ( S y d n e y )
A s i a P a c i f i c ( S e o u l )
A s i a P a c i f i c ( To k y o )
A s i a P a c i f i c ( M u m b a i )
S o u t h A m e r i c a ( S a o P a u l o )

6. © 2017, Amazon Web Services, Inc. or its Affiliates.
Partners

7. © 2017, Amazon Web Services, Inc. or its Affiliates.
Pricing
AWS CloudTrail analysis
• $4.00 per 1,000,000 events
VPC Flow Log + DNS Query Log Analysis
• First 500 GB/month $1.00 per GB
• Next 2000 GB/month $0.50 per GB
• Over 2500 GB/month $0.25 per GB
30-day free usage for all new accounts to Amazon GuardDuty

8. © 2017, Amazon Web Services, Inc. or its Affiliates.
Demo

9. © 2017, Amazon Web Services, Inc. or its Affiliates.
Thank you!
Michael Fuller, AWS Security Services