Get hands on with AWS IoT Device Defender Detect. In this workshop, we enable AWS IoT Device Defender support on an IoT-connected device, and we simulate a series of attacks against our devices. We also simulate compromised devices to learn how to create behavior profiles that detect anomalous behavior, and we discuss techniques for responding to alerts and profile violations.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Monitoring IoT Device Behavior with
AWS IoT Device Defender Detect
Dan Miller
Sr SW Dev Engineer
Device Defender Group
AWS
Rob Marano
Principal Consultant
Professional Services
AWS
I O T 3 6 0

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
1. Overview of AWS IoT Device Defender
2. Today’s workshop environment setup
3. Detect, generate event, report
4. “Hands on keyboard”
5. Review & wrap-up

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
1. Overview of AWS IoT Device Defender
2. Today’s workshop environment setup
3. Detect, generate event, report
4. “Hands on keyboard”
5. Review & wrap-up
• Overview of AWS IoT
Device Defender – 300
level
• Set up AWS IoT Device
Defender on a device
• Create behavior profile
• View and respond to alerts,
triggered by simulated
event

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
1. Overview of AWS IoT Device Defender
2. Today’s workshop environment setup
3. Detect, generate event, report
4. “Hands on keyboard”
5. Review & wrap-up
• Instructions on how to use
pre-built environment
• How to get and set up local
Vagrant
• How to use the basic tools

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
1. Overview of AWS IoT Device Defender
2. Today’s workshop environment setup
3. Detect, generate event, report
4. “Hands on keyboard”
5. Review & wrap-up
• Walk-through
• Detection
• Event generation
• Reporting
• Viewing violations on the
console
• Using Amazon Simple
Notification Service
(Amazon SNS) to take an
action, like send an email

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
1. Overview of AWS IoT Device Defender
2. Today’s workshop environment setup
3. Detect, generate event, report
4. “Hands on keyboard”
5. Review & wrap-up
• Your turn!
• Code up
• Detection
• Event generation
• Alert reporting

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
1. Overview of AWS IoT Device Defender
2. Today’s workshop environment setup
3. Detect, generate event, report
4. “Hands on keyboard”
5. Review & wrap-up
• Time to ask questions
• What is next for your
journey with AWS IoT
Device Defender

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Related breakouts
Wednesday, November 28
Audit Your Device Fleet with AWS IoT Device Defender (Builders Session)
2:30 PM – 3:30 PM | Mirage, Grand Ballroom B, Table 9
Thursday, November 29
Managing Security of Large IoT Fleets (Chalk Talk)
12:15 PM – 1:15 PM | ARIA East, Level 2, Mariposa 8
Friday, November 30
Detect Abnormal Device Behavior with AWS IoT Device Defender (Builders Session)
11:30 AM – 12:30 PM | Mirage, Grand Ballroom B, Table 10

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How we think of IoT architecture @ AWS
Endpoints
Fleet onboarding,
management, and
SW updates
Fleet
audit and
protection
IoT data analytics
and intelligence
Gateway
Things
Sense & act
Cloud
Storage & compute
Secure local
triggers, actions,
and data sync
Intelligence
Insights & logic → Action
Secure device
connectivity
and messaging
AWS Greengrass
AWS IoT Core
AWS IoT
Device Management
Amazon
FreeRTOS
AWS IoT Device
Defender AWS IoT Analytics

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Audit device
configurations, define and monitor
device behavior
Identify drifts in security
settings and detect device
anomalies
Generate alerts Patch security vulnerabilities
AWS IoT Device Defender
Keep your fleet secure
AWS IoT Device Defender is a fully managed IoT security service that
enables you to secure your fleet of connected devices on an ongoing basis

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Audit device
configurations
Monitor device
behavior
Generate
alerts
Patch security
vulnerabilities
AWS IoT Device Defender
Keep your fleet secure
Identify
anomalies

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
GitHub Repository
https://github.com/aws-samples/aws-iot-device-defender-workshop.git
Workshop Instructions
AWS CloudFormation Template
Attack Simulation Scripts

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Workshop CloudFormation Stack
Amazon Elastic Compute Cloud
(Amazon EC2) Instances
• Simulated Device
• Attack Target
AWS Cloud9 IDE
• Run agent and attack scripts
AWS IoT Thing
• Includes certificates and polices
AWS IoT Thing Group
• “DeviceDefenderWorkshop”
Subnet
Device
Defender
Agent
AWS
Cloud9
EC2 Instance
Target
AWS IoT
EC2 Instance

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Cloud9 Development Environment
We will use AWS Cloud9 as
our development & ”device”
environment
• Run the Device Defender Agent
• Run attack simulation scripts
• Interact with Device Defender APIs
via CLI (optional)

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Device Defender: Detect Key Components
Metrics
• Device-side and Cloud Side
Behavior Profiles
Violations
Alerts

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Behavior Profile
Defines Desired Device Behavior
• Create a behavior profile in Device
Defender that defines normal
network traffic from a device
Behavior Outside of Profile
Generates a Violation
• Generate abnormal network traffic on
our device, triggering a violation

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Alerts
In AWS IoT Device Defender
Console
• View past and current violations
Amazon SNS Notifications
• We will use Amazon SNS to send an
email when violation is detected

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Walkthrough Instructions
Instructions.pdf in the docs
folder of the GitHub repository

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What we covered
• Overview of AWS IoT Device Defender
• Today’s workshop environment setup
• Detect, generate event, report
• “Hands on keyboard”

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
And if you need support …
• GitHub repo for this workshop
• Amazon Web Services Discussion Forums
• https://docs.aws.amazon.com/iot-device-defender

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Related breakouts
Wednesday, November 28
Audit Your Device Fleet with AWS IoT Device Defender (Builders Session)
2:30 PM – 3:30 PM | Mirage, Grand Ballroom B, Table 9
Thursday, November 29
Managing Security of Large IoT Fleets (Chalk Talk)
12:15 PM – 1:15 PM | ARIA East, Level 2, Mariposa 8
Friday, November 30
Detect Abnormal Device Behavior with AWS IoT Device Defender (Builders Session)
11:30 AM – 12:30 PM | Mirage, Grand Ballroom B, Table 10

28. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Dan Miller
damiller@lab126.com
Rob Marano
maranoro@amazon.com

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.