SlideShare a Scribd company logo

Threat Detection and Mitigation at Scale on AWS - SID301 - Toronto AWS Summit

Amazon Web Services
Amazon Web Services

In this session, you learn how AWS handles threat detection and remediation. We summarize the challenges of traditional threat detection efforts, and we explain how AWS helps to address these challenges. We also provide an overview of key AWS services that detect and remediate threats, such as Amazon GuardDuty.

1 of 53
Download to read offline
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Nathan Case Security Geek SID301 Threat Detection and Mitigation at Scale on AWS
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. AWS Identity & Access Management (IAM) AWS Organizations AWS Cognito AWS Directory Service AWS Single Sign-On AWS CloudTrail AWS Config Amazon CloudWatch Amazon GuardDuty VPC Flow Logs Amazon EC2 Systems Manager AWS Shield AWS Web Application Firewall (WAF) Amazon Inspector Amazon Virtual Private Cloud (VPC) AWS Key Management Service (KMS) AWS CloudHSM Amazon Macie Certificate Manager Server Side Encryption AWS Config Rules AWS Lambda AWS Enterprise Support Identity Detective control Infrastructure security Incident response Data protection AWS security solutions
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Why is traditional threat detection so hard? CostSignal to noiseLarge datasets
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Humans and data don’t mix
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. AWS CloudTrail Track user activity and API usage Threat Detection: Log Data Inputs VPC Flow Logs IP traffic to/from network interfaces in your VPC CloudWatch Logs Monitor apps using log data, store & access log files DNS Logs Log of DNS queries in a VPC when using the VPC DNS resolver
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. AWS CloudTrail
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Detect with VPC Flow Logs AWS account Source IP Destination IP Source port Destination port Interface Protocol Packets Bytes Start & end time Accept or Reject
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Amazon CloudWatch Logs Subscriptions • Real-time feed of log events • Delivered to an AWS Lambda function or an Amazon Kinesis Data Stream • Supports custom processing, analysis, loading into other systems • Cross-account data sharing for centralized log processing
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Threat Detection Amazon GuardDuty Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. What Can Amazon GuardDuty Detect? RDP brute force RAT Installed Crypto Currency Potential Account Breach Exfiltrate temp IAM creds over DNS Probe API with temp creds Attempt to compromise account
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Rabbit Hole! What Can You Detect using AWS services? RDP brute force RAT Installed Potential Account Breach Exfiltrate temp IAM creds over DNS Probe API with temp creds Attempt to compromise account
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Infrastructure Domain Availability Zone C Availability Zone B VPC CIDR: 10.0.0.0/16 Availability Zone A 10.0.0.0/19 Public subnet 10.0.32.0/20 Private subnet 10.0.48.0/21 Sensitive subnet Security groups Route table NACLs Internet Gateway Instance compromise Amazon S3 Amazon RDS IAM AWS CloudHSM AWS Organization s AWSKMS AWS Directory Service
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Infrastructure Domain Availability Zone C Availability Zone B VPC CIDR: 10.0.0.0/16 Availability Zone A 10.0.0.0/19 Public subnet 10.0.32.0/20 Private subnet 10.0.48.0/21 Sensitive subnet Security groups Route table NACLs Internet Gateway Instance compromise Amazon S3 Amazon RDS IAM AWS CloudHSM AWS Organization s AWSKMS AWS Directory Service
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Infrastructure Domain Availability Zone C Availability Zone B VPC CIDR: 10.0.0.0/16 Availability Zone A 10.0.0.0/19 Public subnet 10.0.32.0/20 Private subnet 10.0.48.0/21 Sensitive subnet Security groups Route table NACLs Internet Gateway Instance compromise Amazon S3 Amazon RDS IAM AWS CloudHSM AWS Organization s AWSKMS AWS Directory Service
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Rabbit Hole! What Can You Detect Using AWS Services? Infrastructure VPC Resources Connectivity On-instance ... Service IAM S3 buckets Billing ... Application Patching Coding hole ... Other?
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Amazon GuardDuty Threat Detection and Notification
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Detecting Known Threats Threat intelligence • Feeds: o AWS Security o Commercial - CrowdStrike, Proofpoint o Open source o Customer provided - "format": "[TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE]", • Known malware infected hosts • Anonymizing proxies • Sites hosting malware and hacker tools • Cryptocurrency mining pools and wallets
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Detecting Unknown Threats Anomaly detection • Algorithms to detect unusual behavior o Inspecting signal patterns for signatures o Profiling normal activity and looking at deviations o Machine learning classifiers
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Finding Types Recon • Port probe on unprotected port • Outbound port scans • Callers from anonymizing proxies Backdoor • Spambot or C&C activity • Exfiltration over DNS channel • Suspicious domain request Trojan • Domain Generation Algorithm (DGA) domain request • Blackhole traffic • Drop point Unauthorized Access • Unusual ISP caller • SSH/RDP brute force Stealth • Password policy change • AWS CloudTrail logging disabled • Amazon GuardDuty disabled in member account Cryptocurrency • Communication with bitcoin DNS pools • Cryptocurrency related DNS calls • Connections to bitcoin mining pool
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Visibility to Answer the Tough Questions • What data do I have in the cloud? • Where is it located? • Where does my sensitive data exist? • What’s sensitive about the data? • What PII/PHI is possibly exposed? • How is data being shared and stored? • How and where is my data accessed? • How can I classify data in near-real time? • How do I build workflow remediation for my security and compliance needs?
Example Walkthrough: CloudWatch Events Your AWS Account, GuardDuty generates Finding and sends to CloudWatch Events. CloudWatch Events forwards to CloudWatch Event Bus in the Master Account. { "account": "123456789012", "region": "us-west-2", "detail": { "description": "EC2 instance i-99999999 is querying a domain name that is associated with Bitcoin-related activity.", "resource": { "resourceType": "Instance", "instanceDetails": { ... "instanceId": "i-99999999", "instanceState": "running", ... "instanceType": "p2.xlarge”}, ... "title": "Bitcoin-related domain name queried by EC2 instance i-99999999.", ... }
In the the Master Account, CloudWatch Events triggers the Response Handler Lambda function to analyze the event by processing signature logic for conditional evaluation. { "account": "123456789012", "region": "us-west-2", "detail": { "description": "EC2 instance i-99999999... with Bitcoin-related activity.", "resource": { "resourceType": "Instance", "instanceDetails": { ... "instanceId": "i-99999999", "instanceState": "running", ... "instanceType": "p2.xlarge”}, ... “type": “CryptoCurrency:EC2/Bitcoin...” ... } Example Walkthrough: Lambda Trigger "account": "123456789012", "region": "us-west-2", "instanceId": "i-99999999", “type": “CryptoCurrency:EC2/Bitcoin...”
In the AWS, the Response Handler Lambda function analyzes the event by processing conditional logic to determine responsive Action, which in this case is to terminate the instance(s). Example Walkthrough: Response Handler "account": "123456789012", "region": "us-west-2", "instanceId": "i-99999999", “type": “CryptoCurrency:EC2/Bitcoin...” TerminateInstanceTest: cloudwatch.event: - name: guardduty - identifier: “CryptoCurrency:EC2/Bitcoin...” - actions: - "ec2:TerminateInstance" - onlyif: - and: - region: 'us-west-2' - or: - account: 123456789012 - account: 123456789013
In the Master Account, if the event matches a signature the Response Handler Lambda function initiates a StepFunction execution of the Response Action State Machine. Example Walkthrough: Response Handler TerminateInstanceTest: cloudwatch.event: - name: guardduty - identifier: “CryptoCurrency:EC2/Bitcoin...” - actions: - "ec2:TerminateInstance" - onlyif: - and: - region: 'us-west-2' - or: - account: 123456789012 - account: 123456789013 { "Account": “123456789012", "SnsNotification": true, "ec2": { "RemoveEip": false, "ApplySecurityGroup": false, "SecurityGroupName": null, "instanceId": [“i-99999999”], "region": “us-west-2”, "Snapshot": { "ShareSnap": null }, "StopInstance": false, "CreateSnapshot": false, "TerminateInstance": true }, "sns": {...} }
In the Master Account, the Response Action State Machine invokes a Lambda Response function to assume a role in the Member AWS Account to take the responsive action of terminating the EC2 instance(s). Example Walkthrough: Response Handler { "Account": “123456789012", "SnsNotification": true, "ec2": { "RemoveEip": false, "ApplySecurityGroup": false, "SecurityGroupName": null, "instanceId": [“i-99999999”], "region": “us-west-2”, "Snapshot": { "ShareSnap": null }, "StopInstance": false, "CreateSnapshot": false, "TerminateInstance": true }, "sns": {...} }
In the Master Account, the Response Action State Machine concludes by triggering Logging Handler Lambda Functions to log and notify. Example Walkthrough: Response Handler { "Account": “123456789012", "SnsNotification": true, "ec2": { "RemoveEip": false, "ApplySecurityGroup": false, "SecurityGroupName": null, "instanceId": [“i-99999999”], "region": “us-west-2”, "Snapshot": { "ShareSnap": null }, "StopInstance": false, "CreateSnapshot": false, "TerminateInstance": true }, "sns": {...} } { "Account": "", "PrincipalUserName": "45732-update", "SourceType": "aws.guardduty", "EventType": "CryptoCurrency:EC2/Bitcoin...", "Region": "us-west-2", "Time": "2018-05-30T20:07:55Z", "Identifier": "CryptoCurrency:EC2/Bitcoin...", "Resources": [“i-99999999”] }
Example Walkthrough: Conclusion • By identifying the conditional logic and the Predefined Action, the security event triggered an automated response from your automated remediation. • The response required no human intervention. • Humans are free to move up the value chain to continually improve conditional logic and Predefined Actions. • Time to remediation is exponentially reduced when compared to manual response.
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Threat Detection: Triggers Amazon CloudWatch Events Delivers a near real-time stream of system events that describe changes in AWS resources AWS Config rules Continuously tracks your resource configuration changes and if they violate any of the conditions in your rules
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. AWS Config Rules A continuous recording and assessment service Changing resources AWS Config AWS Config rules History snapshot Notifications API access Normalized • How are my resources configured over time? • Is a change that just occurred to a resource, compliant?
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Amazon CloudWatch Events { "source": [ "aws.guardduty" ] } CloudWatch Event GuardDuty findings Lambda function
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Threat Remediation: Automation AWS Systems Manager Automate patching and proactively mitigate threats at the instance level AWS Lambda Capture info about the IP traffic going to and from network interfaces in your VPC
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Amazon CloudWatch AWS CloudTrail AWS Config Lambda function AWS APIs AWS WAF AWS Shield Detection Alerting Remediation Countermeasures Forensics Team collaboration (Slack etc.) Amazon GuardDuty VPC Flow Logs AWS Step functions Responding to Findings: Remediation Amazon EC2 Systems Manager Amazon EC2
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. High-Level Playbook Adversary or intern Your environment Lambda responder CloudWatch Events
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Demo
Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ _ AWS Lambda Amazon GuardDuty Lambda function
Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ _ AWS Lambda Amazon GuardDuty Lambda function
Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ _ AWS Lambda Amazon GuardDuty Lambda function
Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ _ AWS Lambda Amazon GuardDuty elastic network interface elastic network interface Lambda function
Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ _ AWS Lambda Amazon GuardDuty elastic network interface elastic network interface Lambda function EBS Volume
Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ _ AWS Lambda Amazon GuardDuty elastic network interface elastic network interface Lambda function EBS Volume 80, 443->DataSG
Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ _ AWS Lambda Amazon GuardDuty elastic network interface elastic network interface Lambda function EBS Volume 3389 -> 0.0.0.0/0 80, 443->DataSG
Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ _ AWS Lambda Amazon GuardDuty elastic network interface Lambda function EBS Volume 80, 443->DataSG
Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ top Instance:~ ec2-user$ pcap Instance:~ ec2-user$ lime AWS Lambda Amazon GuardDuty elastic network interface elastic network interface Lambda function EBS Volume
Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ top Instance:~ ec2-user$ pcap Instance:~ ec2-user$ lime AWS Lambda Amazon GuardDuty Lambda function EBS Volume EBS Forensics
Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ top Instance:~ ec2-user$ pcap Instance:~ ec2-user$ lime AWS Lambda Amazon GuardDuty Lambda function EBS Volume
Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule AWS Lambda Amazon GuardDuty Lambda function EBS Volume Amazon EBS snapshot
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. AWS Lambda: Run Code in Response to Events Function Services Changes in data state Requests to endpoints Changes in resource state Node Python Java C# Event source
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. • Asynchronously execute commands • No need to SSH/RDP • Commands and output logged Remediating Threats on Amazon EC2 Instances Amazon EC2 Systems Manager - Run Command EC2 Instances Lambda function AWS Systems Manager Amazon EC2
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Threat Detection and Remediation Partner Solutions Consulting, data analysis, threat detection, and managed security operations
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Open Source Resources ThreatResponse https://threatresponse.cloud Cloud Custodian https://github.com/capitalone/cloud-custodian Security Monkey https://github.com/Netflix/security_monkey CloudSploit https://github.com/cloudsploit StreamAlert https://github.com/airbnb/streamalert AWS CIS Foundation Framework https://github.com/awslabs/aws-security-benchmark AWS IR https://github.com/ThreatResponse/aws_ir
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Please complete the session survey in the summit mobile app.
Submit Session Feedback 1. Tap the Schedule icon. 2. Select the session you attended. 3. Tap Session Evaluation to submit your feedback.
Thank you!

Recommended

Threat Detection and Mitigation at Scale on AWS - SID301 - Chicago AWS Summit
Threat Detection and Mitigation at Scale on AWS - SID301 - Chicago AWS SummitThreat Detection and Mitigation at Scale on AWS - SID301 - Chicago AWS Summit
Threat Detection and Mitigation at Scale on AWS - SID301 - Chicago AWS SummitAmazon Web Services
 
Secure and Automate AWS Deployments with Next Generation Security
Secure and Automate AWS Deployments with Next Generation SecuritySecure and Automate AWS Deployments with Next Generation Security
Secure and Automate AWS Deployments with Next Generation SecurityAmazon Web Services
 
Threat Detection and Mitigation at Scale on AWS - SID301 - Atlanta AWS Summit
Threat Detection and Mitigation at Scale on AWS - SID301 - Atlanta AWS SummitThreat Detection and Mitigation at Scale on AWS - SID301 - Atlanta AWS Summit
Threat Detection and Mitigation at Scale on AWS - SID301 - Atlanta AWS SummitAmazon Web Services
 
Threat Detection and Mitigation at Scale on AWS - SID301 - Anaheim AWS Summit
Threat Detection and Mitigation at Scale on AWS - SID301 - Anaheim AWS SummitThreat Detection and Mitigation at Scale on AWS - SID301 - Anaheim AWS Summit
Threat Detection and Mitigation at Scale on AWS - SID301 - Anaheim AWS SummitAmazon Web Services
 
AWS Security for Technical Decision Makers
AWS Security for Technical Decision MakersAWS Security for Technical Decision Makers
AWS Security for Technical Decision MakersAmazon Web Services
 
Easily Transform Compliance to Code using AWS Config, Config Rules, and the R...
Easily Transform Compliance to Code using AWS Config, Config Rules, and the R...Easily Transform Compliance to Code using AWS Config, Config Rules, and the R...
Easily Transform Compliance to Code using AWS Config, Config Rules, and the R...Amazon Web Services
 
Incident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdfIncident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdfAmazon Web Services
 
Intro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSIntro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSAmazon Web Services
 

Recommended

Threat Detection and Mitigation at Scale on AWS - SID301 - Chicago AWS Summit
Threat Detection and Mitigation at Scale on AWS - SID301 - Chicago AWS SummitThreat Detection and Mitigation at Scale on AWS - SID301 - Chicago AWS Summit
Threat Detection and Mitigation at Scale on AWS - SID301 - Chicago AWS SummitAmazon Web Services
 
Secure and Automate AWS Deployments with Next Generation Security
Secure and Automate AWS Deployments with Next Generation SecuritySecure and Automate AWS Deployments with Next Generation Security
Secure and Automate AWS Deployments with Next Generation SecurityAmazon Web Services
 
Threat Detection and Mitigation at Scale on AWS - SID301 - Atlanta AWS Summit
Threat Detection and Mitigation at Scale on AWS - SID301 - Atlanta AWS SummitThreat Detection and Mitigation at Scale on AWS - SID301 - Atlanta AWS Summit
Threat Detection and Mitigation at Scale on AWS - SID301 - Atlanta AWS SummitAmazon Web Services
 
Threat Detection and Mitigation at Scale on AWS - SID301 - Anaheim AWS Summit
Threat Detection and Mitigation at Scale on AWS - SID301 - Anaheim AWS SummitThreat Detection and Mitigation at Scale on AWS - SID301 - Anaheim AWS Summit
Threat Detection and Mitigation at Scale on AWS - SID301 - Anaheim AWS SummitAmazon Web Services
 
AWS Security for Technical Decision Makers
AWS Security for Technical Decision MakersAWS Security for Technical Decision Makers
AWS Security for Technical Decision MakersAmazon Web Services
 
Easily Transform Compliance to Code using AWS Config, Config Rules, and the R...
Easily Transform Compliance to Code using AWS Config, Config Rules, and the R...Easily Transform Compliance to Code using AWS Config, Config Rules, and the R...
Easily Transform Compliance to Code using AWS Config, Config Rules, and the R...Amazon Web Services
 
Incident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdfIncident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdfAmazon Web Services
 
Intro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSIntro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSAmazon Web Services
 
Secure Configuration and Automation Overview
Secure Configuration and Automation OverviewSecure Configuration and Automation Overview
Secure Configuration and Automation OverviewAmazon Web Services
 
Real World Cloud Compromise
Real World Cloud CompromiseReal World Cloud Compromise
Real World Cloud CompromiseTeri Radichel
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionAmazon Web Services
 
The FaaS and the Curious™
The FaaS and the Curious™The FaaS and the Curious™
The FaaS and the Curious™Bryan McAninch
 
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdfJeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdfJean-François LOMBARDO
 
(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things
(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things
(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using ThingsAmazon Web Services
 
Incident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesIncident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesAmazon Web Services
 
The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...
The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...
The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...Amazon Web Services
 
AWS November meetup Slides
AWS November meetup SlidesAWS November meetup Slides
AWS November meetup SlidesJacksonMorgan9
 
February 2016 Webinar Series - Best Practices for IoT Security in the Cloud
February 2016 Webinar Series - Best Practices for IoT Security in the CloudFebruary 2016 Webinar Series - Best Practices for IoT Security in the Cloud
February 2016 Webinar Series - Best Practices for IoT Security in the CloudAmazon Web Services
 
Introduction to Incident Response on AWS
Introduction to Incident Response on AWSIntroduction to Incident Response on AWS
Introduction to Incident Response on AWSAmazon Web Services
 
Automating Threat Detection and Remediation at ZocDoc
Automating Threat Detection and Remediation at ZocDocAutomating Threat Detection and Remediation at ZocDoc
Automating Threat Detection and Remediation at ZocDocAmazon Web Services
 
Moving the needle on cloud security - AWS Summit Atlanta
Moving the needle on cloud security - AWS Summit AtlantaMoving the needle on cloud security - AWS Summit Atlanta
Moving the needle on cloud security - AWS Summit AtlantaChris Farris
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudAmazon Web Services
 
GDPR and Automation Overview
GDPR and Automation OverviewGDPR and Automation Overview
GDPR and Automation OverviewAmazon Web Services
 
Kms cryptographic-details (1)
Kms cryptographic-details (1)Kms cryptographic-details (1)
Kms cryptographic-details (1)saifam
 
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDutyAWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDutyChris Farris
 
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...Amazon Web Services
 
Incident Response: Eyes Everywhere
Incident Response: Eyes EverywhereIncident Response: Eyes Everywhere
Incident Response: Eyes EverywhereAmazon Web Services
 
An Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAn Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAmazon Web Services
 
Modernize Your Threat Detection and Remediation Process Using Cloud Services
Modernize Your Threat Detection and Remediation Process Using Cloud ServicesModernize Your Threat Detection and Remediation Process Using Cloud Services
Modernize Your Threat Detection and Remediation Process Using Cloud ServicesAmazon Web Services
 
SID301 Threat Detection and Mitigation
SID301 Threat Detection and Mitigation SID301 Threat Detection and Mitigation
SID301 Threat Detection and MitigationAmazon Web Services
 

More Related Content

What's hot

Secure Configuration and Automation Overview
Secure Configuration and Automation OverviewSecure Configuration and Automation Overview
Secure Configuration and Automation OverviewAmazon Web Services
 
Real World Cloud Compromise
Real World Cloud CompromiseReal World Cloud Compromise
Real World Cloud CompromiseTeri Radichel
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionAmazon Web Services
 
The FaaS and the Curious™
The FaaS and the Curious™The FaaS and the Curious™
The FaaS and the Curious™Bryan McAninch
 
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdfJeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdfJean-François LOMBARDO
 
(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things
(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things
(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using ThingsAmazon Web Services
 
Incident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesIncident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesAmazon Web Services
 
The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...
The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...
The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...Amazon Web Services
 
AWS November meetup Slides
AWS November meetup SlidesAWS November meetup Slides
AWS November meetup SlidesJacksonMorgan9
 
February 2016 Webinar Series - Best Practices for IoT Security in the Cloud
February 2016 Webinar Series - Best Practices for IoT Security in the CloudFebruary 2016 Webinar Series - Best Practices for IoT Security in the Cloud
February 2016 Webinar Series - Best Practices for IoT Security in the CloudAmazon Web Services
 
Introduction to Incident Response on AWS
Introduction to Incident Response on AWSIntroduction to Incident Response on AWS
Introduction to Incident Response on AWSAmazon Web Services
 
Automating Threat Detection and Remediation at ZocDoc
Automating Threat Detection and Remediation at ZocDocAutomating Threat Detection and Remediation at ZocDoc
Automating Threat Detection and Remediation at ZocDocAmazon Web Services
 
Moving the needle on cloud security - AWS Summit Atlanta
Moving the needle on cloud security - AWS Summit AtlantaMoving the needle on cloud security - AWS Summit Atlanta
Moving the needle on cloud security - AWS Summit AtlantaChris Farris
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudAmazon Web Services
 
Kms cryptographic-details (1)
Kms cryptographic-details (1)Kms cryptographic-details (1)
Kms cryptographic-details (1)saifam
 
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDutyAWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDutyChris Farris
 
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...Amazon Web Services
 
Incident Response: Eyes Everywhere
Incident Response: Eyes EverywhereIncident Response: Eyes Everywhere
Incident Response: Eyes EverywhereAmazon Web Services
 

What's hot (19)

Secure Configuration and Automation Overview
Secure Configuration and Automation OverviewSecure Configuration and Automation Overview
Secure Configuration and Automation Overview
 
Real World Cloud Compromise
Real World Cloud CompromiseReal World Cloud Compromise
Real World Cloud Compromise
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat Detection
 
The FaaS and the Curious™
The FaaS and the Curious™The FaaS and the Curious™
The FaaS and the Curious™
 
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdfJeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf
 
(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things
(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things
(MBL311) NEW! AWS IoT: Securely Building, Provisioning, & Using Things
 
Incident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesIncident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of Needles
 
The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...
The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...
The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...
 
AWS November meetup Slides
AWS November meetup SlidesAWS November meetup Slides
AWS November meetup Slides
 
February 2016 Webinar Series - Best Practices for IoT Security in the Cloud
February 2016 Webinar Series - Best Practices for IoT Security in the CloudFebruary 2016 Webinar Series - Best Practices for IoT Security in the Cloud
February 2016 Webinar Series - Best Practices for IoT Security in the Cloud
 
Introduction to Incident Response on AWS
Introduction to Incident Response on AWSIntroduction to Incident Response on AWS
Introduction to Incident Response on AWS
 
Automating Threat Detection and Remediation at ZocDoc
Automating Threat Detection and Remediation at ZocDocAutomating Threat Detection and Remediation at ZocDoc
Automating Threat Detection and Remediation at ZocDoc
 
Moving the needle on cloud security - AWS Summit Atlanta
Moving the needle on cloud security - AWS Summit AtlantaMoving the needle on cloud security - AWS Summit Atlanta
Moving the needle on cloud security - AWS Summit Atlanta
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
 
GDPR and Automation Overview
GDPR and Automation OverviewGDPR and Automation Overview
GDPR and Automation Overview
 
Kms cryptographic-details (1)
Kms cryptographic-details (1)Kms cryptographic-details (1)
Kms cryptographic-details (1)
 
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDutyAWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
 
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
 
Incident Response: Eyes Everywhere
Incident Response: Eyes EverywhereIncident Response: Eyes Everywhere
Incident Response: Eyes Everywhere
 

Similar to Threat Detection and Mitigation at Scale on AWS - SID301 - Toronto AWS Summit

An Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAn Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAmazon Web Services
 
Modernize Your Threat Detection and Remediation Process Using Cloud Services
Modernize Your Threat Detection and Remediation Process Using Cloud ServicesModernize Your Threat Detection and Remediation Process Using Cloud Services
Modernize Your Threat Detection and Remediation Process Using Cloud ServicesAmazon Web Services
 
SID301 Threat Detection and Mitigation
SID301 Threat Detection and Mitigation SID301 Threat Detection and Mitigation
SID301 Threat Detection and MitigationAmazon Web Services
 
Threat Detection and Mitigation at Scale on AWS
Threat Detection and Mitigation at Scale on AWS Threat Detection and Mitigation at Scale on AWS
Threat Detection and Mitigation at Scale on AWS Amazon Web Services
 
Scalable, Automated Anomaly Detection with GuardDuty, CloudTrail, & Amazon Sa...
Scalable, Automated Anomaly Detection with GuardDuty, CloudTrail, & Amazon Sa...Scalable, Automated Anomaly Detection with GuardDuty, CloudTrail, & Amazon Sa...
Scalable, Automated Anomaly Detection with GuardDuty, CloudTrail, & Amazon Sa...Amazon Web Services
 
Deep Dive on Amazon GuardDuty - AWS Online Tech Talks
Deep Dive on Amazon GuardDuty - AWS Online Tech TalksDeep Dive on Amazon GuardDuty - AWS Online Tech Talks
Deep Dive on Amazon GuardDuty - AWS Online Tech TalksAmazon Web Services
 
Evolve Your Incident Response Process and Powers for AWS
Evolve Your Incident Response Process and Powers for AWS Evolve Your Incident Response Process and Powers for AWS
Evolve Your Incident Response Process and Powers for AWS Amazon Web Services
 
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018Amazon Web Services
 
How Zocdoc Achieves Automatic Threat Detection & Remediation with Security as...
How Zocdoc Achieves Automatic Threat Detection & Remediation with Security as...How Zocdoc Achieves Automatic Threat Detection & Remediation with Security as...
How Zocdoc Achieves Automatic Threat Detection & Remediation with Security as...Amazon Web Services
 
Lock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS AccountLock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS AccountAmazon Web Services
 
Evolve Your Incident Response Process and Powers for AWS - SID306 - Chicago A...
Evolve Your Incident Response Process and Powers for AWS - SID306 - Chicago A...Evolve Your Incident Response Process and Powers for AWS - SID306 - Chicago A...
Evolve Your Incident Response Process and Powers for AWS - SID306 - Chicago A...Amazon Web Services
 
Automating Incident Response and Forensics in AWS
Automating Incident Response and Forensics in AWSAutomating Incident Response and Forensics in AWS
Automating Incident Response and Forensics in AWSAmazon Web Services
 
Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Amazon Web Services
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionAmazon Web Services
 
Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018
Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018
Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018Amazon Web Services
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeAlert Logic
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Amazon Web Services
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeAlert Logic
 

Similar to Threat Detection and Mitigation at Scale on AWS - SID301 - Toronto AWS Summit (20)

An Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAn Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your Applications
 
Modernize Your Threat Detection and Remediation Process Using Cloud Services
Modernize Your Threat Detection and Remediation Process Using Cloud ServicesModernize Your Threat Detection and Remediation Process Using Cloud Services
Modernize Your Threat Detection and Remediation Process Using Cloud Services
 
SID301 Threat Detection and Mitigation
SID301 Threat Detection and Mitigation SID301 Threat Detection and Mitigation
SID301 Threat Detection and Mitigation
 
Threat Detection and Mitigation at Scale on AWS
Threat Detection and Mitigation at Scale on AWS Threat Detection and Mitigation at Scale on AWS
Threat Detection and Mitigation at Scale on AWS
 
Scalable, Automated Anomaly Detection with GuardDuty, CloudTrail, & Amazon Sa...
Scalable, Automated Anomaly Detection with GuardDuty, CloudTrail, & Amazon Sa...Scalable, Automated Anomaly Detection with GuardDuty, CloudTrail, & Amazon Sa...
Scalable, Automated Anomaly Detection with GuardDuty, CloudTrail, & Amazon Sa...
 
Deep Dive on Amazon GuardDuty - AWS Online Tech Talks
Deep Dive on Amazon GuardDuty - AWS Online Tech TalksDeep Dive on Amazon GuardDuty - AWS Online Tech Talks
Deep Dive on Amazon GuardDuty - AWS Online Tech Talks
 
Evolve Your Incident Response Process and Powers for AWS
Evolve Your Incident Response Process and Powers for AWS Evolve Your Incident Response Process and Powers for AWS
Evolve Your Incident Response Process and Powers for AWS
 
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018
 
How Zocdoc Achieves Automatic Threat Detection & Remediation with Security as...
How Zocdoc Achieves Automatic Threat Detection & Remediation with Security as...How Zocdoc Achieves Automatic Threat Detection & Remediation with Security as...
How Zocdoc Achieves Automatic Threat Detection & Remediation with Security as...
 
Lock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS AccountLock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS Account
 
Evolve Your Incident Response Process and Powers for AWS - SID306 - Chicago A...
Evolve Your Incident Response Process and Powers for AWS - SID306 - Chicago A...Evolve Your Incident Response Process and Powers for AWS - SID306 - Chicago A...
Evolve Your Incident Response Process and Powers for AWS - SID306 - Chicago A...
 
Automating Incident Response and Forensics in AWS
Automating Incident Response and Forensics in AWSAutomating Incident Response and Forensics in AWS
Automating Incident Response and Forensics in AWS
 
Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat Detection
 
Security@Scale
Security@ScaleSecurity@Scale
Security@Scale
 
AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design
 
Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018
Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018
Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Threat Detection and Mitigation at Scale on AWS - SID301 - Toronto AWS Summit

  • 1. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Nathan Case Security Geek SID301 Threat Detection and Mitigation at Scale on AWS
  • 2. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. AWS Identity & Access Management (IAM) AWS Organizations AWS Cognito AWS Directory Service AWS Single Sign-On AWS CloudTrail AWS Config Amazon CloudWatch Amazon GuardDuty VPC Flow Logs Amazon EC2 Systems Manager AWS Shield AWS Web Application Firewall (WAF) Amazon Inspector Amazon Virtual Private Cloud (VPC) AWS Key Management Service (KMS) AWS CloudHSM Amazon Macie Certificate Manager Server Side Encryption AWS Config Rules AWS Lambda AWS Enterprise Support Identity Detective control Infrastructure security Incident response Data protection AWS security solutions
  • 3. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Why is traditional threat detection so hard? CostSignal to noiseLarge datasets
  • 4. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Humans and data don’t mix
  • 5. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. AWS CloudTrail Track user activity and API usage Threat Detection: Log Data Inputs VPC Flow Logs IP traffic to/from network interfaces in your VPC CloudWatch Logs Monitor apps using log data, store & access log files DNS Logs Log of DNS queries in a VPC when using the VPC DNS resolver
  • 6. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. AWS CloudTrail
  • 7. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Detect with VPC Flow Logs AWS account Source IP Destination IP Source port Destination port Interface Protocol Packets Bytes Start & end time Accept or Reject
  • 8. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Amazon CloudWatch Logs Subscriptions • Real-time feed of log events • Delivered to an AWS Lambda function or an Amazon Kinesis Data Stream • Supports custom processing, analysis, loading into other systems • Cross-account data sharing for centralized log processing
  • 9. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Threat Detection Amazon GuardDuty Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
  • 10. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. What Can Amazon GuardDuty Detect? RDP brute force RAT Installed Crypto Currency Potential Account Breach Exfiltrate temp IAM creds over DNS Probe API with temp creds Attempt to compromise account
  • 11. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Rabbit Hole! What Can You Detect using AWS services? RDP brute force RAT Installed Potential Account Breach Exfiltrate temp IAM creds over DNS Probe API with temp creds Attempt to compromise account
  • 12. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Infrastructure Domain Availability Zone C Availability Zone B VPC CIDR: 10.0.0.0/16 Availability Zone A 10.0.0.0/19 Public subnet 10.0.32.0/20 Private subnet 10.0.48.0/21 Sensitive subnet Security groups Route table NACLs Internet Gateway Instance compromise Amazon S3 Amazon RDS IAM AWS CloudHSM AWS Organization s AWSKMS AWS Directory Service
  • 13. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Infrastructure Domain Availability Zone C Availability Zone B VPC CIDR: 10.0.0.0/16 Availability Zone A 10.0.0.0/19 Public subnet 10.0.32.0/20 Private subnet 10.0.48.0/21 Sensitive subnet Security groups Route table NACLs Internet Gateway Instance compromise Amazon S3 Amazon RDS IAM AWS CloudHSM AWS Organization s AWSKMS AWS Directory Service
  • 14. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Infrastructure Domain Availability Zone C Availability Zone B VPC CIDR: 10.0.0.0/16 Availability Zone A 10.0.0.0/19 Public subnet 10.0.32.0/20 Private subnet 10.0.48.0/21 Sensitive subnet Security groups Route table NACLs Internet Gateway Instance compromise Amazon S3 Amazon RDS IAM AWS CloudHSM AWS Organization s AWSKMS AWS Directory Service
  • 15. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Rabbit Hole! What Can You Detect Using AWS Services? Infrastructure VPC Resources Connectivity On-instance ... Service IAM S3 buckets Billing ... Application Patching Coding hole ... Other?
  • 16. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Amazon GuardDuty Threat Detection and Notification
  • 17. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Detecting Known Threats Threat intelligence • Feeds: o AWS Security o Commercial - CrowdStrike, Proofpoint o Open source o Customer provided - "format": "[TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE]", • Known malware infected hosts • Anonymizing proxies • Sites hosting malware and hacker tools • Cryptocurrency mining pools and wallets
  • 18. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Detecting Unknown Threats Anomaly detection • Algorithms to detect unusual behavior o Inspecting signal patterns for signatures o Profiling normal activity and looking at deviations o Machine learning classifiers
  • 19. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Finding Types Recon • Port probe on unprotected port • Outbound port scans • Callers from anonymizing proxies Backdoor • Spambot or C&C activity • Exfiltration over DNS channel • Suspicious domain request Trojan • Domain Generation Algorithm (DGA) domain request • Blackhole traffic • Drop point Unauthorized Access • Unusual ISP caller • SSH/RDP brute force Stealth • Password policy change • AWS CloudTrail logging disabled • Amazon GuardDuty disabled in member account Cryptocurrency • Communication with bitcoin DNS pools • Cryptocurrency related DNS calls • Connections to bitcoin mining pool
  • 20. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Visibility to Answer the Tough Questions • What data do I have in the cloud? • Where is it located? • Where does my sensitive data exist? • What’s sensitive about the data? • What PII/PHI is possibly exposed? • How is data being shared and stored? • How and where is my data accessed? • How can I classify data in near-real time? • How do I build workflow remediation for my security and compliance needs?
  • 21. Example Walkthrough: CloudWatch Events Your AWS Account, GuardDuty generates Finding and sends to CloudWatch Events. CloudWatch Events forwards to CloudWatch Event Bus in the Master Account. { "account": "123456789012", "region": "us-west-2", "detail": { "description": "EC2 instance i-99999999 is querying a domain name that is associated with Bitcoin-related activity.", "resource": { "resourceType": "Instance", "instanceDetails": { ... "instanceId": "i-99999999", "instanceState": "running", ... "instanceType": "p2.xlarge”}, ... "title": "Bitcoin-related domain name queried by EC2 instance i-99999999.", ... }
  • 22. In the the Master Account, CloudWatch Events triggers the Response Handler Lambda function to analyze the event by processing signature logic for conditional evaluation. { "account": "123456789012", "region": "us-west-2", "detail": { "description": "EC2 instance i-99999999... with Bitcoin-related activity.", "resource": { "resourceType": "Instance", "instanceDetails": { ... "instanceId": "i-99999999", "instanceState": "running", ... "instanceType": "p2.xlarge”}, ... “type": “CryptoCurrency:EC2/Bitcoin...” ... } Example Walkthrough: Lambda Trigger "account": "123456789012", "region": "us-west-2", "instanceId": "i-99999999", “type": “CryptoCurrency:EC2/Bitcoin...”
  • 23. In the AWS, the Response Handler Lambda function analyzes the event by processing conditional logic to determine responsive Action, which in this case is to terminate the instance(s). Example Walkthrough: Response Handler "account": "123456789012", "region": "us-west-2", "instanceId": "i-99999999", “type": “CryptoCurrency:EC2/Bitcoin...” TerminateInstanceTest: cloudwatch.event: - name: guardduty - identifier: “CryptoCurrency:EC2/Bitcoin...” - actions: - "ec2:TerminateInstance" - onlyif: - and: - region: 'us-west-2' - or: - account: 123456789012 - account: 123456789013
  • 24. In the Master Account, if the event matches a signature the Response Handler Lambda function initiates a StepFunction execution of the Response Action State Machine. Example Walkthrough: Response Handler TerminateInstanceTest: cloudwatch.event: - name: guardduty - identifier: “CryptoCurrency:EC2/Bitcoin...” - actions: - "ec2:TerminateInstance" - onlyif: - and: - region: 'us-west-2' - or: - account: 123456789012 - account: 123456789013 { "Account": “123456789012", "SnsNotification": true, "ec2": { "RemoveEip": false, "ApplySecurityGroup": false, "SecurityGroupName": null, "instanceId": [“i-99999999”], "region": “us-west-2”, "Snapshot": { "ShareSnap": null }, "StopInstance": false, "CreateSnapshot": false, "TerminateInstance": true }, "sns": {...} }
  • 25. In the Master Account, the Response Action State Machine invokes a Lambda Response function to assume a role in the Member AWS Account to take the responsive action of terminating the EC2 instance(s). Example Walkthrough: Response Handler { "Account": “123456789012", "SnsNotification": true, "ec2": { "RemoveEip": false, "ApplySecurityGroup": false, "SecurityGroupName": null, "instanceId": [“i-99999999”], "region": “us-west-2”, "Snapshot": { "ShareSnap": null }, "StopInstance": false, "CreateSnapshot": false, "TerminateInstance": true }, "sns": {...} }
  • 26. In the Master Account, the Response Action State Machine concludes by triggering Logging Handler Lambda Functions to log and notify. Example Walkthrough: Response Handler { "Account": “123456789012", "SnsNotification": true, "ec2": { "RemoveEip": false, "ApplySecurityGroup": false, "SecurityGroupName": null, "instanceId": [“i-99999999”], "region": “us-west-2”, "Snapshot": { "ShareSnap": null }, "StopInstance": false, "CreateSnapshot": false, "TerminateInstance": true }, "sns": {...} } { "Account": "", "PrincipalUserName": "45732-update", "SourceType": "aws.guardduty", "EventType": "CryptoCurrency:EC2/Bitcoin...", "Region": "us-west-2", "Time": "2018-05-30T20:07:55Z", "Identifier": "CryptoCurrency:EC2/Bitcoin...", "Resources": [“i-99999999”] }
  • 27. Example Walkthrough: Conclusion • By identifying the conditional logic and the Predefined Action, the security event triggered an automated response from your automated remediation. • The response required no human intervention. • Humans are free to move up the value chain to continually improve conditional logic and Predefined Actions. • Time to remediation is exponentially reduced when compared to manual response.
  • 28. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Threat Detection: Triggers Amazon CloudWatch Events Delivers a near real-time stream of system events that describe changes in AWS resources AWS Config rules Continuously tracks your resource configuration changes and if they violate any of the conditions in your rules
  • 29. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. AWS Config Rules A continuous recording and assessment service Changing resources AWS Config AWS Config rules History snapshot Notifications API access Normalized • How are my resources configured over time? • Is a change that just occurred to a resource, compliant?
  • 30. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Amazon CloudWatch Events { "source": [ "aws.guardduty" ] } CloudWatch Event GuardDuty findings Lambda function
  • 31. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Threat Remediation: Automation AWS Systems Manager Automate patching and proactively mitigate threats at the instance level AWS Lambda Capture info about the IP traffic going to and from network interfaces in your VPC
  • 32. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Amazon CloudWatch AWS CloudTrail AWS Config Lambda function AWS APIs AWS WAF AWS Shield Detection Alerting Remediation Countermeasures Forensics Team collaboration (Slack etc.) Amazon GuardDuty VPC Flow Logs AWS Step functions Responding to Findings: Remediation Amazon EC2 Systems Manager Amazon EC2
  • 33. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. High-Level Playbook Adversary or intern Your environment Lambda responder CloudWatch Events
  • 34. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Demo
  • 35. Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ _ AWS Lambda Amazon GuardDuty Lambda function
  • 36. Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ _ AWS Lambda Amazon GuardDuty Lambda function
  • 37. Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ _ AWS Lambda Amazon GuardDuty Lambda function
  • 38. Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ _ AWS Lambda Amazon GuardDuty elastic network interface elastic network interface Lambda function
  • 39. Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ _ AWS Lambda Amazon GuardDuty elastic network interface elastic network interface Lambda function EBS Volume
  • 40. Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ _ AWS Lambda Amazon GuardDuty elastic network interface elastic network interface Lambda function EBS Volume 80, 443->DataSG
  • 41. Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ _ AWS Lambda Amazon GuardDuty elastic network interface elastic network interface Lambda function EBS Volume 3389 -> 0.0.0.0/0 80, 443->DataSG
  • 42. Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ _ AWS Lambda Amazon GuardDuty elastic network interface Lambda function EBS Volume 80, 443->DataSG
  • 43. Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ top Instance:~ ec2-user$ pcap Instance:~ ec2-user$ lime AWS Lambda Amazon GuardDuty elastic network interface elastic network interface Lambda function EBS Volume
  • 44. Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ top Instance:~ ec2-user$ pcap Instance:~ ec2-user$ lime AWS Lambda Amazon GuardDuty Lambda function EBS Volume EBS Forensics
  • 45. Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule EC2 instance contents Instance:~ ec2-user$ top Instance:~ ec2-user$ pcap Instance:~ ec2-user$ lime AWS Lambda Amazon GuardDuty Lambda function EBS Volume
  • 46. Lambda + Systems Manager + CloudWatch AWS Systems Manager documents Amazon CloudWatch rule AWS Lambda Amazon GuardDuty Lambda function EBS Volume Amazon EBS snapshot
  • 47. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. AWS Lambda: Run Code in Response to Events Function Services Changes in data state Requests to endpoints Changes in resource state Node Python Java C# Event source
  • 48. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. • Asynchronously execute commands • No need to SSH/RDP • Commands and output logged Remediating Threats on Amazon EC2 Instances Amazon EC2 Systems Manager - Run Command EC2 Instances Lambda function AWS Systems Manager Amazon EC2
  • 49. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Threat Detection and Remediation Partner Solutions Consulting, data analysis, threat detection, and managed security operations
  • 50. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Open Source Resources ThreatResponse https://threatresponse.cloud Cloud Custodian https://github.com/capitalone/cloud-custodian Security Monkey https://github.com/Netflix/security_monkey CloudSploit https://github.com/cloudsploit StreamAlert https://github.com/airbnb/streamalert AWS CIS Foundation Framework https://github.com/awslabs/aws-security-benchmark AWS IR https://github.com/ThreatResponse/aws_ir
  • 51. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Please complete the session survey in the summit mobile app.
  • 52. Submit Session Feedback 1. Tap the Schedule icon. 2. Select the session you attended. 3. Tap Session Evaluation to submit your feedback.