Detecting S3 Breaches with Panther
Jack Naglieri | Founder & CEO | jack.naglieri@runpanther.io
Detecting S3 Breaches | Panther
Your Host: Jack Naglieri
● Originally from D.C. area, now based in SF
● Ex Security Engineer/Manager at Yahoo & Airbnb
● Co-creator and core developer of StreamAlert
Agenda
1. Background
2. S3 Deep-Dive
3. Creating Detections
4. Bucket Hardening
5. Q&A
Goals
● Monitor access to your S3 buckets
● Understand your S3 security posture
● Search your catalog of S3 data
Organizations struggle to implement proper cloud security: more than 33 billion records were exposed in 2018 and 2019.
Our mission is to stop security breaches by providing cloud-scale visibility.
End-to-End Visibility (architecture diagram): Security Logs and Cloud Security Scans from sources such as S3 and CloudTrail; Parse, Normalize, Analyze; Storage; Real-Time Monitoring; Alert Destinations.
Monitoring Options
CloudTrail is a service to monitor all API calls, focused around infrastructure changes and management.
S3 Server Access Logs provide a more detailed, web-style log of traffic to our objects and buckets.
Monitoring Options: Pros and Cons

CloudTrail
Pros:
● Low latency (15 minutes)
● Lower overhead to configure
● Flexible on monitoring buckets/prefixes
Cons:
● Pay for data events and S3 storage cost

S3 Server Access Logs
Pros:
● Only pay S3 storage cost
● Fields for HTTP referer, total request time, object size
● Track auth failures and lifecycle transitions
Cons:
● Higher latency (1+ hours)
● Requires per-bucket configurations
S3 Server Access Log Configuration (diagram, single AWS Region): source buckets bucket-1 and bucket-2 write their log files to one Access Logs bucket, under a prefix per source bucket:
Prefix: bucket-1/2019-12-31-03-21-21.txt
Prefix: bucket-2/2019-12-31-03-21-21.txt
CloudTrail S3 Configuration
Choosing an Approach
● Use S3 Server Access Logs by default
● Use CloudTrail for lower latency/overhead
● Or both!
Example S3 Server Access Log (raw version)
66cc22229999cccc6666eaaa333388888 test-public-bucket [11/May/2020:00:52:45 +0000] 184.72.185.254 arn:aws:sts::123456789012:assumed-role/PantherAuditRole-us-east-1/1589158343562318259 19D3A798F843E581 REST.GET.PUBLIC_ACCESS_BLOCK - "GET /?publicAccessBlock= HTTP/1.1" 404 NoSuchPublicAccessBlockConfiguration 375 - 4 - "-" "aws-sdk-go/1.30.7 (go1.13.6; linux; amd64) exec-env/AWS_Lambda_go1.x" - 5x5+sskYHUpl1/3W4mCDeoS95dEFEWliPpv1cuhUb+Zbdwt0Inlq8ZvQ44eQJI42VUqanS7YlbM= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader test-public-bucket.s3.amazonaws.com TLSv1.2
What do we need to know?
1. Who accessed our bucket?
2. What data was accessed?
3. When did they access it?
What should we monitor?
1. Model our “known-good” traffic flows
2. Find insecure access to buckets
3. Catch access errors on buckets
Open source rules: bit.ly/panther-s3-rules
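The raw access log shown above has a fixed, space-separated field order, and the three monitoring questions (known-good traffic, insecure access, access errors) are each a predicate over those fields. The following is an added example, not code from the deck or from Panther's rule repository: it parses a raw line into the 24 documented fields (the snake_case field names are my own labels, not Panther's schema), then runs three Panther-style rules over it. The known-good model (the 10.0.1.0/24 VPC from the slide plus the audit role in the sample line) and the second, denied request are constructed for the example.

```python
import ipaddress
import re

# Field order of an S3 server access log record as documented by AWS; the
# snake_case names are my own labels, not Panther's schema field names.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time", "referer",
    "user_agent", "version_id", "host_id", "signature_version",
    "cipher_suite", "auth_type", "host_header", "tls_version",
]

# A token is a [bracketed timestamp], a "quoted string", or a run of non-space.
_TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')


def _unwrap(token):
    """Drop the [ ] or " " delimiters around a timestamp or quoted field."""
    if len(token) >= 2 and token[0] + token[-1] in ('[]', '""'):
        return token[1:-1]
    return token


def parse_access_log(line):
    """Parse one raw line into a dict, or None if it is too short. Newer log
    versions append extra fields; anything past the 24 known fields is ignored."""
    tokens = [_unwrap(t) for t in _TOKEN.findall(line)]
    if len(tokens) < len(FIELDS):
        return None
    return dict(zip(FIELDS, tokens))


# Constructed "known-good" model: the VPC from the slide and one audit role.
KNOWN_GOOD_NETWORKS = [ipaddress.ip_network("10.0.1.0/24")]
KNOWN_GOOD_ROLES = {"PantherAuditRole-us-east-1"}
# Real S3 error codes that indicate an authorization or credential problem.
ACCESS_ERROR_CODES = {"AccessDenied", "InvalidAccessKeyId", "SignatureDoesNotMatch"}


def requester_role(event):
    """RoleName from arn:aws:sts::<acct>:assumed-role/<RoleName>/<session>, else None."""
    requester = event.get("requester", "-")
    if ":assumed-role/" not in requester:
        return None
    return requester.split(":assumed-role/", 1)[1].split("/", 1)[0]


def rule_unknown_traffic(event):
    """Fires when neither a known-good role nor a known-good network made the request."""
    if requester_role(event) in KNOWN_GOOD_ROLES:
        return False
    try:
        ip = ipaddress.ip_address(event["remote_ip"])
    except ValueError:
        return True
    return not any(ip in net for net in KNOWN_GOOD_NETWORKS)


def rule_insecure_access(event):
    """Plaintext HTTP (no cipher suite / TLS version logged) or legacy SigV2 signing."""
    return (event["cipher_suite"] == "-" or event["tls_version"] == "-"
            or event["signature_version"] == "SigV2")


def rule_access_error(event):
    """403s and credential errors: probing, misconfigured clients, or revoked keys."""
    return event["http_status"] == "403" or event["error_code"] in ACCESS_ERROR_CODES


RULES = [
    ("unknown_traffic", rule_unknown_traffic),
    ("insecure_access", rule_insecure_access),
    ("access_error", rule_access_error),
]


def evaluate(line):
    """Return the names of the rules that fire on one raw log line."""
    event = parse_access_log(line)
    if event is None:
        return ["unparseable"]
    return [name for name, rule in RULES if rule(event)]


# The line from the slide (bucket, role and host id exactly as shown there).
SAMPLE_SLIDE_LINE = (
    '66cc22229999cccc6666eaaa333388888 test-public-bucket '
    '[11/May/2020:00:52:45 +0000] 184.72.185.254 '
    'arn:aws:sts::123456789012:assumed-role/PantherAuditRole-us-east-1/1589158343562318259 '
    '19D3A798F843E581 REST.GET.PUBLIC_ACCESS_BLOCK - "GET /?publicAccessBlock= HTTP/1.1" '
    '404 NoSuchPublicAccessBlockConfiguration 375 - 4 - "-" '
    '"aws-sdk-go/1.30.7 (go1.13.6; linux; amd64) exec-env/AWS_Lambda_go1.x" - '
    '5x5+sskYHUpl1/3W4mCDeoS95dEFEWliPpv1cuhUb+Zbdwt0Inlq8ZvQ44eQJI42VUqanS7YlbM= '
    'SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader test-public-bucket.s3.amazonaws.com TLSv1.2'
)

# Constructed: an anonymous plaintext GET that S3 refused with AccessDenied.
SAMPLE_DENIED_LINE = (
    '66cc22229999cccc6666eaaa333388888 test-public-bucket '
    '[11/May/2020:01:10:02 +0000] 203.0.113.7 - 0A1B2C3D4E5F6789 REST.GET.OBJECT '
    'reports/2020-05.csv "GET /reports/2020-05.csv HTTP/1.1" 403 AccessDenied '
    '243 - 12 - "-" "curl/7.68.0" - ExampleHostIdValue= - - - '
    'test-public-bucket.s3.amazonaws.com -'
)

if __name__ == "__main__":
    for line in (SAMPLE_SLIDE_LINE, SAMPLE_DENIED_LINE):
        event = parse_access_log(line)
        print(event["operation"], event["http_status"], evaluate(line))
```

The slide's own line trips none of the rules: the requester is the audit role, the request was signed with SigV4 over TLS 1.2, and a 404 for a missing public-access-block configuration is not an authorization failure. The constructed denied line trips all three, which is the shape of traffic worth an alert.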
Errors
Known Good Traffic (IP/Role) (diagram): Instances in VPC 10.0.1.0/24 -> IAM Role -> Data Buckets
Known Good Traffic (Role)
Known Good Traffic (IP)
Insecure Access
Improving CloudSec Posture
Open Source Policies
● Bucket Encryption: Secure the data at rest with AWS SSE or KMS
● MFA Delete: Require multi-factor authentication prior to deleting objects
● Bucket Logging: Monitor all traffic in and out of the bucket
● Public Access Blocks: Prevent buckets from becoming publicly accessible
● Public Read or Write ACLs: Detect buckets with publicly-accessible ACLs
● Bucket Versioning: Provides multiple variants of bucket objects
● Secure Access: Enforce encrypted connections to buckets
bit.ly/panther-s3-policies
Custom S3 Policy
Recap!
● Use S3 Server Access Logs for a lower price and a very high scale.
● Use CloudTrail for lower latency/overhead and easy centralization of data.
● Ensure your buckets have encryption, logging, no public access, etc.
● Turn on logging as soon as possible!
1. Panther provides visibility into your S3 traffic at scale
2. Python-based rules and policies detect threats/vulns
3. Alerts notify your team to investigate
4. All data can be queried with SQL
https://bit.ly/runpanther
Subscription Tiers
SaaS
Real-Time Log Analysis
Cloud Security and Remediation
Real-Time Alerting
Historical Search of Log Data
Powerful User Interface
200+ pre-built Rules and Policies
—Get Started—
Data Explorer
SaaS Data
Role-Based Access Control
Higher-Scale
24 x 7 Support & Live Chat
150+ Premium Analysis Packs
—Contact Us—
Fully hosted platform
Community
github.com/panther-labs/panther
Q & A