
Detecting S3 Breaches with Panther


In this webinar, we walk you through strategies to monitor your most sensitive data in S3 using Panther.


Detecting S3 Breaches with Panther

  1. Jack Naglieri | Founder & CEO | Detecting S3 Breaches with Panther
  2. Detecting S3 Breaches | Panther
     Your Host: Jack Naglieri
     ● Originally from the D.C. area, now based in SF
     ● Ex Security Engineer/Manager at Yahoo & Airbnb
     ● Co-creator and core developer of StreamAlert
  3. Agenda
     1. Background
     2. S3 Deep-Dive
     3. Creating Detections
     4. Bucket Hardening
     5. Q&A
  4. Goals
     ● Monitor access to your S3 buckets
     ● Understand your S3 security posture
     ● Search your catalog of S3 data
  5. 33 BILLION RECORDS EXPOSED
     Organizations struggle to implement proper cloud security: more than 33 billion records were exposed in 2018 and 2019.
  6. Our mission is to stop security breaches by providing cloud-scale visibility.
  7. End-to-End Visibility (architecture diagram, labels only): Security Logs (S3, CloudTrail), Cloud Security Scans, Parse, Normalize, Analyze, Real-Time Monitoring, Alert Destinations, Storage
  8. Monitoring Options
     CloudTrail is a service that records all API calls, focused on infrastructure changes and management.
     S3 Server Access Logs provide a more detailed, web-style log of the traffic to our objects and buckets.
  9. Monitoring Options: Pros and Cons
     CloudTrail
     Pros:
     ● Low latency (15 minutes)
     ● Lower overhead to configure
     ● Flexible on monitoring buckets/prefixes
     Cons:
     ● Pay for data events and S3 storage cost
     S3 Server Access Logs
     Pros:
     ● Only pay S3 storage cost
     ● Fields for HTTP referer, total request time, object size
     ● Track auth failures and lifecycle transitions
     Cons:
     ● Higher latency (1+ hours)
     ● Requires per-bucket configurations
  10. S3 Server Access Log Configuration (diagram, single AWS region): source buckets bucket-1 and bucket-2 deliver log files to an Access Logs bucket under per-bucket prefixes, e.g. bucket-1/2019-12-31-03-21-21.txt and bucket-2/2019-12-31-03-21-21.txt
  11. CloudTrail S3 Configuration
  12. Choosing an Approach: use S3 Server Access Logs by default; use CloudTrail for lower latency/overhead; or both!
  13. Example S3 Server Access Log (raw version):
      66cc22229999cccc6666eaaa333388888 test-public-bucket [11/May/2020:00:52:45 +0000] arn:aws:sts::123456789012:assumed-role/PantherAuditRole-us-east-1/1589158343562318259 19D3A798F843E581 REST.GET.PUBLIC_ACCESS_BLOCK - "GET /?publicAccessBlock= HTTP/1.1" 404 NoSuchPublicAccessBlockConfiguration 375 - 4 - "-" "aws-sdk-go/1.30.7 (go1.13.6; linux; amd64) exec-env/AWS_Lambda_go1.x" - 5x5+sskYHUpl1/3W4mCDeoS95dEFEWliPpv1cuhUb+Zbdwt0Inlq8ZvQ44eQJI42VUqanS7YlbM= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader test-public- TLSv1.2
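The raw record on slide 13 is space-delimited, but the timestamp and the quoted request line and user agent contain spaces of their own, so a naive split breaks the field order. The parser below is an added example, not code from the deck or from Panther; the field names follow the S3 server access log format as documented by AWS, and the sample record is constructed to mirror the slide's line, with a documentation-range remote IP and a full host header filled in where the slide lacks them.

```python
"""Parse Amazon S3 server access log records into named fields (added example)."""
import re
from datetime import datetime
from typing import Any, Dict, List

# Field order of an S3 server access log record, per the AWS log format documentation.
S3_ACCESS_LOG_FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time", "referer",
    "user_agent", "version_id", "host_id", "signature_version", "cipher_suite",
    "authentication_type", "host_header", "tls_version",
]
INT_FIELDS = {"http_status", "bytes_sent", "object_size", "total_time", "turn_around_time"}

# A token is a [bracketed timestamp], a "quoted string" (may contain spaces) or a bare word.
TOKEN_RE = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

# Constructed sample record modelled on the slide: remote IP (203.0.113.10, a
# documentation address) and host header are assumptions, not values from the deck.
SAMPLE_LINE = (
    "66cc22229999cccc6666eaaa333388888 test-public-bucket [11/May/2020:00:52:45 +0000] "
    "203.0.113.10 arn:aws:sts::123456789012:assumed-role/PantherAuditRole-us-east-1/1589158343562318259 "
    "19D3A798F843E581 REST.GET.PUBLIC_ACCESS_BLOCK - \"GET /?publicAccessBlock= HTTP/1.1\" "
    "404 NoSuchPublicAccessBlockConfiguration 375 - 4 - \"-\" "
    "\"aws-sdk-go/1.30.7 (go1.13.6; linux; amd64) exec-env/AWS_Lambda_go1.x\" - "
    "5x5+sskYHUpl1/3W4mCDeoS95dEFEWliPpv1cuhUb+Zbdwt0Inlq8ZvQ44eQJI42VUqanS7YlbM= "
    "SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader test-public-bucket.s3.amazonaws.com TLSv1.2"
)


def tokenize(line: str) -> List[str]:
    """Split a record on spaces while keeping quoted strings and the timestamp intact."""
    return TOKEN_RE.findall(line.strip())


def _clean(name: str, raw: str) -> Any:
    """Strip quotes/brackets, map the '-' placeholder to None and convert typed fields."""
    if raw[:1] in '["' and raw[-1:] in ']"':
        raw = raw[1:-1]
    if raw == "-":
        return None
    if name == "time":
        return datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")
    if name in INT_FIELDS:
        return int(raw)
    return raw


def parse_s3_access_log(line: str) -> Dict[str, Any]:
    """Parse one S3 server access log record into a dict keyed by field name."""
    tokens = tokenize(line)
    if len(tokens) < 18:  # old-style records end at version_id; anything shorter is truncated
        raise ValueError(f"truncated record: only {len(tokens)} fields")
    record: Dict[str, Any] = {name: None for name in S3_ACCESS_LOG_FIELDS}
    for name, raw in zip(S3_ACCESS_LOG_FIELDS, tokens):
        record[name] = _clean(name, raw)
    # AWS appends new fields at the end of the format; keep anything unnamed so nothing is lost.
    record["extra_fields"] = tokens[len(S3_ACCESS_LOG_FIELDS):]
    # Break the request line into method, path and protocol for easier rule matching.
    parts = (record["request_uri"] or "").split(" ", 2)
    record["request_method"], record["request_path"], record["request_protocol"] = (parts + [None] * 3)[:3]
    return record


if __name__ == "__main__":
    for field, value in parse_s3_access_log(SAMPLE_LINE).items():
        print(f"{field:20} {value}")
```

The `-` placeholder becomes `None` rather than the string `"-"`, so downstream rules can test `if not event["key"]` without special-casing; numeric fields are converted so status codes and sizes compare as integers.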
  14. CloudTrail | S3 Access Logs
  15. What do we need to know?
      1. Who accessed our bucket?
      2. What data was accessed?
      3. When did they access it?
      What should we monitor?
      1. Model our "known-good" traffic flows
      2. Find insecure access to buckets
      3. Access errors on buckets
      Open source rules:
  17. Errors
  18. Errors
  19. Errors
  20. Known Good Traffic (IP/Role) (diagram labels): VPC, IAM Role, Instances, Data Buckets
  21. Known Good Traffic (Role)
  22. Known Good Traffic (Role)
  23. Known Good Traffic (IP)
  24. Insecure Access
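Slides 15 through 24 describe three detections: modelling known-good traffic by IAM role and source IP, catching insecure access, and watching for access errors. The rules below are an added example of how those three ideas look as Panther-style Python rules (a `rule(event)` function that returns a boolean plus a `title(event)`); they are not the deck's open-source rules. The event field names, the sensitive bucket name, the allow-listed role and VPC range, and the sample events are all constructed for this example.

```python
"""Panther-style detection rules over S3 server access log events (added example)."""
import ipaddress
from typing import Any, Dict, List, Optional, Tuple

Event = Dict[str, Any]

# Constructed allow-lists modelling the "known-good" traffic to a sensitive bucket:
# the one IAM role that should read it and the VPC range its instances live in.
SENSITIVE_BUCKETS = {"customer-exports"}
KNOWN_GOOD_ROLES = {"arn:aws:sts::123456789012:assumed-role/ExportWorkerRole"}
KNOWN_GOOD_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# Operations that touch object data, as opposed to bucket metadata calls.
DATA_OPERATIONS = {"REST.GET.OBJECT", "REST.HEAD.OBJECT", "REST.PUT.OBJECT",
                   "REST.COPY.OBJECT", "REST.DELETE.OBJECT"}


def role_of(requester: Optional[str]) -> Optional[str]:
    """Reduce an assumed-role STS ARN to the role ARN by dropping the session name."""
    if requester and ":assumed-role/" in requester:
        return requester.rsplit("/", 1)[0]
    return requester


def from_known_network(remote_ip: Optional[str]) -> bool:
    try:
        addr = ipaddress.ip_address(remote_ip)
    except (TypeError, ValueError):
        return False
    return any(addr in net for net in KNOWN_GOOD_NETWORKS)


def rule_unknown_access(event: Event) -> bool:
    """Successful data access to a sensitive bucket outside the known role AND network."""
    if event.get("bucket") not in SENSITIVE_BUCKETS or event.get("operation") not in DATA_OPERATIONS:
        return False
    if (event.get("http_status") or 0) >= 400:  # failed attempts belong to rule_access_errors
        return False
    known_role = role_of(event.get("requester")) in KNOWN_GOOD_ROLES
    return not (known_role and from_known_network(event.get("remote_ip")))


def rule_insecure_access(event: Event) -> bool:
    """Anonymous, plaintext-HTTP or legacy-signature access to a sensitive bucket."""
    if event.get("bucket") not in SENSITIVE_BUCKETS:
        return False
    anonymous = not event.get("requester")
    plaintext = not event.get("tls_version")  # HTTP requests carry no TLS version
    legacy_sig = event.get("signature_version") == "SigV2"
    return anonymous or plaintext or legacy_sig


def rule_access_errors(event: Event) -> bool:
    """Denied requests against a sensitive bucket: enumeration or a misconfigured client."""
    return event.get("bucket") in SENSITIVE_BUCKETS and event.get("http_status") == 403


def title(event: Event) -> str:
    return (f"{event.get('requester') or 'ANONYMOUS'} {event.get('operation')} "
            f"s3://{event.get('bucket')}/{event.get('key') or ''} from {event.get('remote_ip')} "
            f"(HTTP {event.get('http_status')} {event.get('error_code') or ''})")


RULES = {"unknown_access": rule_unknown_access,
         "insecure_access": rule_insecure_access,
         "access_errors": rule_access_errors}


def evaluate(events: List[Event]) -> List[Tuple[str, str]]:
    """Run every rule over every event; return (rule name, alert title) pairs that fired."""
    return [(name, title(ev)) for ev in events for name, fn in RULES.items() if fn(ev)]


# Constructed sample events (same field names as the parsed access-log records).
BASE: Event = {"bucket": "customer-exports", "operation": "REST.GET.OBJECT",
               "key": "2020/05/11/export.csv.gz",
               "requester": "arn:aws:sts::123456789012:assumed-role/ExportWorkerRole/i-0a1b2c3d4e5f67890",
               "remote_ip": "10.20.4.17", "http_status": 200, "error_code": None,
               "signature_version": "SigV4", "tls_version": "TLSv1.2"}
SAMPLE_EVENTS: List[Event] = [
    dict(BASE),                                          # known role from the VPC: no alert
    dict(BASE, remote_ip="198.51.100.23"),               # known role, unknown network: unknown_access
    dict(BASE, requester=None, remote_ip="198.51.100.23",
         signature_version=None, tls_version=None),      # anonymous read over HTTP: two rules fire
    dict(BASE, requester="arn:aws:iam::123456789012:user/contractor", remote_ip="203.0.113.8",
         http_status=403, error_code="AccessDenied"),    # denied request: access_errors only
]

if __name__ == "__main__":
    for name, alert in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {alert}")
```

Requiring both a known role and a known network before staying quiet is what turns the slide's "known-good traffic" model into a detection: a legitimate role's credentials used from outside the VPC still alert, while failed attempts are routed to the errors rule so the access rule only fires on data that was actually read.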
  25. Improving CloudSec Posture
  26. Open Source Policies
      ● Bucket Encryption: secure the data at rest with AWS SSE or KMS
      ● MFA Delete: require multi-factor authentication prior to deleting objects
      ● Bucket Logging: monitor all traffic in and out of the bucket
      ● Public Access Blocks: prevent buckets from becoming publicly accessible
      ● Public Read or Write ACLs: detect buckets with publicly accessible ACLs
      ● Bucket Versioning: keeps multiple variants of bucket objects
      ● Secure Access: enforce encrypted connections to buckets
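The seven hardening controls on slide 26 can each be expressed as a check over a bucket's configuration. The block below is an added example of those checks in the Panther policy style (a function per control that returns True when the resource is compliant); it is not Panther's open-source policy pack. The bucket resource layout is a simplified model of my own, loosely shaped like the AWS API responses for encryption, versioning, logging, public access block, ACL grants and bucket policy, and both sample buckets are constructed.

```python
"""Panther-style S3 bucket hardening policies (added example)."""
import json
from typing import Any, Callable, Dict, List

Bucket = Dict[str, Any]

PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
REQUIRED_PUBLIC_ACCESS_BLOCKS = ("BlockPublicAcls", "IgnorePublicAcls",
                                 "BlockPublicPolicy", "RestrictPublicBuckets")


def bucket_encryption(bucket: Bucket) -> bool:
    """Default encryption must be SSE-S3 (AES256) or SSE-KMS (aws:kms)."""
    rules = (bucket.get("encryption") or {}).get("Rules") or []
    return any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               in ("AES256", "aws:kms") for r in rules)


def mfa_delete(bucket: Bucket) -> bool:
    return (bucket.get("versioning") or {}).get("MFADelete") == "Enabled"


def bucket_versioning(bucket: Bucket) -> bool:
    return (bucket.get("versioning") or {}).get("Status") == "Enabled"


def bucket_logging(bucket: Bucket) -> bool:
    """Access logging must be on and must not target the bucket itself (log recursion)."""
    target = (bucket.get("logging") or {}).get("TargetBucket")
    return bool(target) and target != bucket["name"]


def public_access_block(bucket: Bucket) -> bool:
    """All four account/bucket-level public access block flags must be set."""
    pab = bucket.get("public_access_block") or {}
    return all(pab.get(flag) is True for flag in REQUIRED_PUBLIC_ACCESS_BLOCKS)


def no_public_acls(bucket: Bucket) -> bool:
    """No ACL grant to the AllUsers or AuthenticatedUsers groups."""
    return not any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS
                   for g in bucket.get("grants") or [])


def secure_access(bucket: Bucket) -> bool:
    """Bucket policy must deny all S3 actions to every principal when aws:SecureTransport is false."""
    if not bucket.get("policy"):
        return False
    statements = json.loads(bucket["policy"]).get("Statement", [])
    for st in statements if isinstance(statements, list) else [statements]:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = st.get("Principal")
        everyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        insecure = str(st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")).lower() == "false"
        if st.get("Effect") == "Deny" and everyone and insecure and ("s3:*" in actions or "*" in actions):
            return True
    return False


CONTROLS: Dict[str, Callable[[Bucket], bool]] = {
    "BucketEncryption": bucket_encryption, "MFADelete": mfa_delete,
    "BucketLogging": bucket_logging, "PublicAccessBlock": public_access_block,
    "PublicReadOrWriteACLs": no_public_acls, "BucketVersioning": bucket_versioning,
    "SecureAccess": secure_access,
}


def evaluate_bucket(bucket: Bucket) -> List[str]:
    """Return the names of the controls a bucket fails; an empty list means compliant."""
    return [name for name, check in CONTROLS.items() if not check(bucket)]


# Constructed sample resources: one bucket with every control missing, one hardened.
WEAK_BUCKET: Bucket = {
    "name": "customer-exports", "encryption": None, "versioning": {"Status": "Suspended"},
    "logging": None, "public_access_block": {"BlockPublicAcls": True},  # only partly configured
    "grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                "Permission": "READ"}],
    "policy": None,
}
HARDENED_BUCKET: Bucket = {
    "name": "customer-exports",
    "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                              {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/customer-exports"}}]},
    "versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
    "logging": {"TargetBucket": "central-access-logs", "TargetPrefix": "customer-exports/"},
    "public_access_block": {flag: True for flag in REQUIRED_PUBLIC_ACCESS_BLOCKS},
    "grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "66cc22229999cccc6666eaaa333388888"},
                "Permission": "FULL_CONTROL"}],
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
}

if __name__ == "__main__":
    print("weak bucket fails:", evaluate_bucket(WEAK_BUCKET))
    print("hardened bucket fails:", evaluate_bucket(HARDENED_BUCKET))
```

The "Secure Access" control is the one that is easy to get subtly wrong: a Deny statement that only covers some actions, or only some principals, still leaves plaintext requests possible, so the check insists on `Effect: Deny`, a wildcard principal, `s3:*` and the `aws:SecureTransport` condition together. The logging check likewise rejects a bucket that logs to itself, which AWS allows but which produces an ever-growing feedback loop of log-writes logging themselves.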
  28. Custom S3 Policy
  29. Recap!
      ● Use S3 Server Access Logs for a lower price and very high scale.
      ● Use CloudTrail for lower latency/overhead and easy centralization of data.
      ● Ensure your buckets have encryption, logging, no public access, etc.
      ● Turn on logging as soon as possible!
  30. 1. Panther provides visibility into your S3 traffic at scale
      2. Python-based rules and policies detect threats/vulns
      3. Alerts notify your team to investigate
      4. All data can be queried with SQL
  33. Subscription Tiers
      Community: Real-Time Log Analysis; Cloud Security and Remediation; Real-Time Alerting; Historical Search of Log Data; Powerful User Interface; 200+ pre-built Rules and Policies. (Get Started)
      SaaS: fully hosted platform; Data Explorer; Role-Based Access Control; Higher Scale; 24 x 7 Support & Live Chat; 150+ Premium Analysis Packs. (Contact Us)
  34. Q & A