This document discusses using AWS services to automate intrusion detection and response. It provides examples of using AWS services like EC2, CloudFormation, and VPC to deploy resources and configure them with security features. Code examples are given to start EC2 instances, deploy templates to AWS, and monitor VPC flow logs to detect threats and take actions like snapshotting or terminating instances in response. The document argues that AWS services can improve security operations when best practices are followed, as AWS provides capabilities like built-in logging, inventory, and tools that facilitate automated detection and response.
When organizations start using AWS, they may initially use a single VPC and a very simple network implementation. In many cases, however, companies are leveraging multiple VPCs, regions and accounts. Companies are also connecting cloud networks to corporate headquarters and remote locations. They may even be connecting different cloud providers. This presentation will consider some of these use cases and the implications of connecting different networks. Material covered will include security considerations, sample architectures and tools that can help protect your account and your data.
Using Splunk/ELK for auditing AWS/GCP/Azure security posture - Jose Hernandez
In this talk Rod Soto and I propose a common set of categories used to audit the security posture of multiple cloud providers. Then we proceed to show how we have implemented the security checks using cs-suite with ELK and Splunk.
Packet Capture on AWS. Simple explanation of why security people like to capture packets, how it can be done, potential architectures, and a POC using a WatchGuard Firebox Cloud, the CLI, a bucket, bucket policy, etc. and a lambda function to show that packet capture is possible. Next steps for an actual production solution.
Caveat: these slides were written in about one hour. Please refer to the paper for details.
"Automating cloud security operations takes a little more than slapping together a quick lambda to fix an open S3 bucket (but that isn't a bad start). In this workshop we will cover the major categories of security automations and present practical implementation techniques. Come prepared to build your own (or use our starter scripts) as we:
Review the three major categories of automations: guardrails, workflows, and orchestrations.
Build demo versions of each (in AWS, bring your own account), incorporating techniques including assessments, event-driven guardrails, and an incident response workflow.
See demonstrations of cross-product orchestrations that integrate commercial tools.
Learn the tricks of the trade, based on 10 years of hands-on research and implementation (for realz, check the intertubes if you don't believe us).
See what it takes to implement automations at global scale."
Scaling Security in the Cloud With Open Source - CloudVillage
The programmability of the cloud has revolutionized infrastructure deployments at scale and, at the same time, has enabled the automation of both the attack and defense of these deployments. In this talk, I will discuss the open-source tools and the techniques that my organization has used to scale security in the cloud to keep pace with our deployments. I’ll also cover how we’ve used automation to adapt security processes to cloud strategies such as immutable servers. Some topics include: temporal leasing of API access keys and database credentials, automation of patching groups and scans, and automated enforcement of configuration policy.
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ... - Lacework
Join the Lacework team for AWS Security Week at the AWS Loft in New York for a hands-on demonstration of Lacework. See how behavioral analysis can be applied at scale for continuous security and compliance monitoring of your AWS infrastructure. Chris Pedigo, Senior SE at Lacework, will walk attendees through Lacework with a specific focus on how we automatically analyze AWS CloudTrail and AWS Config data to ensure that security best practices are in place and that data anomalies are detected to help prevent ransomware, Bitcoin mining, or container security issues. The session will be interactive; attendees should come prepared for hands-on work on AWS accounts and console and have a Linux shell available in order to get the most from the workshop. Attendees will have access to the Lacework team to get individual attention for trial account set-up after the session.
Battle in the Clouds - Attacker vs Defender on AWS - CloudVillage
"The interaction between attackers and defenders is like a ping pong game, and that is exactly how we did this research. On the offensive side Mo will share his tools and tactics for attacking AWS infrastructures from Recon to Attacks to Post Exploitation on different services, with a focus on Elastic Container Service (ECS). After each attack step, Dani will explain the defensive side and the tools and tactics for hardening the AWS infrastructure, from designing a secure cloud architecture to detection to hardening specific services like Docker containers on ECS. After the battle, we will both walk through common misconfiguration problems, one-click solutions for monitoring and attack detection, and workflows for pentesters on AWS. One of the most important lessons from our research is the importance of the interaction between pentesters and developers/DevOps engineers, and how a few days of working side by side can help us secure our current systems and learn to develop future systems with security in mind.
Dani and Mohsan will demonstrate an entire kill chain on a hypothetical organization operating in an AWS environment and pivoting into their internal Active Directory network. The demonstration will cover reconnaissance methods for a cloud environment and an attack on an AWS-hosted web server that results in compromise of access keys. The access keys will be utilized to access a separate AWS service, followed by escalation of privileges to administrator. We will further demonstrate exfiltration methods, setting up persistence in AWS, and last but not least pivoting to the internal AD environment and obtaining Domain Admin privileges.
Many open source tools will be used as well as some custom Python scripts on the offensive side, for example: TruffleHog for scanning for leaked keys on GitHub, S3Scanner for enumerating S3 buckets, amass for DNS mapping and subdomain enumeration, Cloud Mapper for reconnaissance and auditing, Prowler for assessing security, Pacu and Metasploit for exploitation, and more.
On the defensive side, we will introduce open source tools like HashiCorp Vault and AWS Parameter Store for secret management, NAXSI as an open source WAF, vulnerability scanners for Docker, AWS KMS for creating and rotating keys for in-transit and at-rest data encryption, CloudTrail and CloudWatch for detection of suspicious activity and alarming, and more."
Keynote - Cloudy Vision: How Cloud Integration Complicates Security - CloudVillage
The cloud is compelling and in many cases necessary for organizations to effectively operate.
Cloud security, on the other hand, is not as clear. Many cloud services need a hook into the on-premises environment in order to synchronize users and groups. Additionally, cloud security controls vary by the provider in availability, capability, and cost. This results in a disjointed view of user authentication, security, and potential configuration issues.
This talk explores some common cloud configuration scenarios and associated security issues.
Validate code on the way into the cloud and verify that code remains secure after deployment. Leverage monitoring, segregation of duties and account architecture to enhance security in AWS and other cloud providers.
Exploiting IAM in the Google Cloud Platform - dani_goland_mohsan_farid - CloudVillage
"Cloud infrastructure design is complex and makes even the most straightforward topics, such as Identity and Access Management (IAM), non-trivial and confusing and therefore full of security risk. While AWS IAM provides for access via console and API/CLI using access keys, there is also a temporary security tokens feature, designed for secure temporary access. However, temporary tokens have multiple security potholes that can lead to exploits.
I'll explore the limitations of temporary tokens including:
- the lack of visibility/management
- minimal logging
- limited remediation options
and how this can be taken advantage of, especially in combination with other techniques such as assuming roles, pre-signed URLs, log attacks, and serverless functions to achieve persistence, lateral movement, and obfuscation.
In addition, I’ll look at common defensive techniques and best practices around lockdown, provisioning, logging and alerting to see whether these are practical and can shift the field."
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti... - CloudVillage
Speaker 1: Olaf Hartong
Speaker 2: Edoardo Gerosa
Azure Sentinel, Microsoft's new cloud SIEM solution, was recently released on the market. Notwithstanding its strengths, Sentinel offers limited threat hunting capabilities out of the box, and setting up an effective hunting solution is not straightforward. The Sentinel ATT&CK GitHub project is designed to provide guidance on setting up an ATT&CK-driven process monitoring solution within Sentinel, giving DFIR professionals a tool to effectively hunt in the Azure cloud.
The project, building on previous work from the open source DFIR community, first provides instructions on how to properly configure Sysmon to monitor and detect specific processes in alignment with MITRE's ATT&CK framework. Secondly, it provides clarity on how to onboard Sysmon logs from Windows virtual machines, shedding light on some poorly documented areas, while also offering an open source parser to correctly ingest Sysmon data in conformity with the Open Source Security Event Metadata information model. Thirdly, it offers around 120 open source Kusto Query Language alerts ready for deployment, each mapped to a unique MITRE ATT&CK technique. Fourthly, it provides a dedicated threat hunting dashboard to help DFIR professionals monitor their environment and execute precise hunts. Finally, Sentinel ATT&CK provides ready-made hunting queries to be leveraged when responding to alert notifications raised by the threat hunting dashboard.
This talk delivers an overview of how the Sentinel ATT&CK project can help organisations establish an effective threat hunting capability in Azure as well as an opportunity to share with the community the strengths and shortcomings of Sentinel when it comes to hunting adversaries within the Microsoft cloud.
Auditors can have a significant positive impact on Cybersecurity. This slide deck is from a sold out presentation on Azure for Auditors for ISACA and IIA in Seattle. How can auditors help cloud security? What should auditors and those performing cloud security assessments consider when evaluating cloud security on Azure? If you'd like to learn more check out my cybersecurity classes at https://2ndsightlab.com
Speaker 1: Ashwin Vamshi
Speaker 2: Abhinav Singh
Cloud services are built for increased collaboration and productivity, and provide capabilities like auto sync and API-level communication. This has led enterprises to exclusively use SaaS, PaaS and IaaS services for storing and sharing critical and confidential data. End users as well as security products tend to place implicit trust in cloud vendors such as Microsoft, AWS, Google, and SaaS app vendors such as Box, Salesforce, Dropbox. As a result, cybercriminals have started launching their attacks from these trusted cloud services. This talk will focus on how attackers are abusing these trusted cloud services to create phishing attacks that are highly effective and hard to detect.
AWS re:Invent 2016: Deploying and Managing .NET Pipelines and Microsoft Workl... - Amazon Web Services
In this session, we’ll look at the AWS services that customers are using to build and deploy Microsoft-based solutions that use technologies like Windows, .NET, SQL Server, and PowerShell. We’ll start by showing you how to build a Windows-based CI/CD pipeline on AWS using AWS CodeDeploy, AWS CodePipeline, AWS CloudFormation, and PowerShell using an AWS Quick Start. We’ll also cover best practices for how you can create templates that let you automatically deploy ready-to-use Windows products by leveraging services and tools like AWS CloudFormation, PowerShell, and Git. Woot, an online retailer for electronics, will share how it moved from using a complex mix of custom PowerShell code for its DevOps processes to using services like Amazon EC2 Simple Systems Manager (SSM), AWS CodeDeploy, and AWS Directory Service. This migration eliminated the need for complex PowerShell scripts and reduced the operational complexity of performing operational tasks like renaming servers, joining domains, and securely handling keys.
Self Service Agile Infrastructure for Product Teams - Pop-up Loft Tel Aviv - Amazon Web Services
Today’s modern infrastructure allows product teams to take full advantage of “infrastructure-as-code” and deliver value to their customers faster through a seamless & smart delivery pipeline. This delivery pipeline is built using AWS and 3rd party tools such as CloudFormation, Lambda, Terraform, Jenkins, Beanstalk, CodeDeploy, Ansible, and Docker. In the presentation we will walk you through the best practices of combining all the above into a “smart-delivery-pipeline” for your team. By Oron Adam, Emind CTO
A New Perspective on Resource-Level Cloud Forensics - Christopher Doman
AWS classifies cloud incidents across three domains: Service, Infrastructure and Application. There has been much previous discussion across the Service and Application domains, see for example the excellent SANS DFIR 2022 Keynote. This talk will focus on the unique challenges and opportunities of responding to incidents in the Infrastructure domain. Cloud Service Providers, such as AWS, GCP and Azure, often introduce artifacts of forensic value when developing features for automation and monitoring of resources. Typically, these artifacts are undocumented and exist purely for the provider's own troubleshooting, but they also provide valuable insight to an investigator analyzing malicious activity on a system. Frequently, this insight surpasses that of “provider-supported” forensic data sources. Most of the discourse around performing forensics in the cloud focuses on provider-level logging. While this is undoubtedly useful, practitioners understand that resource-level forensic analysis is crucial when responding to incidents affecting cloud infrastructure, and much of this knowledge remains opaque and undocumented. In this presentation, Chris Doman, CTO of Cado Security, will present novel research of undocumented forensic artifacts from cloud service provider specific operating systems and tools. He will provide the audience with an overview of forensic techniques across cloud compute and serverless environments. He will also discuss native operating system artifacts, contrast them with their cloud equivalents and consider their usefulness in the context of the cloud. Attendees can expect to gain a unique perspective on resource-level cloud forensics and should leave the talk with a host of new data sources and knowledge for performing forensic analysis of cloud resources.
In this presentation you will learn about:
• CloudFormation 101
– The building block of Infrastructure as Code
• CodePipeline and CodeCommit 101
– Tools for our IaC pipeline
• Review of an example IaC Pipeline
– Automated validation
– Least privilege enforcement
– Manual review/approval
This presentation covers the basics of using the Go programming language and the Serverless Framework in AWS to optimize performance of time sensitive applications, such as building for voice.
This also covers the basics of using Go's context package to implement tracing and how to handle context when running concurrent goroutines using the same parent context. For a code example application (in active development) see the repository in the link on the final slide.
Presentation By: Brandon Hunter - 1904labs
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ... - Amazon Web Services
This session covers what a real-world production deployment of a fully automated deployment pipeline looks like with instances that are deployed without SSH keys. By leveraging AWS CloudFormation along with Docker and AWS CodeDeploy, we show how we achieved semi-immutable and fully immutable infrastructures, and what the challenges and remediations were.
Infrastructure as Code: Manage your Architecture with Git - Danilo Poccia
With the AWS Cloud you have an on-demand, programmable infrastructure that you can manage using tools and practices from software development. You can create resources when you need them and dispose of them when you don’t. Using Amazon CloudFormation you can describe your architecture in text files. To change your infrastructure, you edit those files. Having application and infrastructure code in a single, robust, versioned repository like Git gives a lot of advantages. Using AWS Elastic Beanstalk you can link your Git branches to different infrastructure environments (e.g. test, production) and automate deployments. You can create test environments on-demand, even for a short time. Instead of continuously updating your resources, you can recreate them quickly from scratch, simplifying lifecycle management and making deployments immutable. As a result, you have more time to focus on the unique features of your application.
Infrastructure as Code: Manage your Architecture with Git - Danilo Poccia
Containers make packaging and distribution of your application easy. With the AWS Cloud you have an on-demand, programmable infrastructure that you can manage using tools and practices from software development. You can create resources when you need them and dispose of them when you don’t. Using Amazon CloudFormation you can describe your architecture in text files. To change your infrastructure, you edit those files. Having application and infrastructure code in a single, robust, versioned repository like Git gives a lot of advantages. Using AWS Elastic Beanstalk you can link your Git branches to different infrastructure environments (e.g. test, production) and automate deployments. You can create test environments on-demand, even for a short time. Instead of continuously updating your resources, you can recreate them quickly from scratch, simplifying lifecycle management and making deployments immutable. Using Amazon EC2 Container Service (ECS) you can manage containers at scale. As a result, you have more time to focus on the unique features of your application.
This was the supporting presentation from our DevOps Virtual Office Hours session.
We asked customers to bring their questions – technical or otherwise – that they would like answered about DevOps on AWS.
Check out the recording of the session on the AWS Webinars YouTube Channel here: http://youtu.be/pw9hlPqtHAA
By David Smith. Presented at Microsoft Build (Seattle), May 7 2018.
Your data scientists have created predictive models using open-source tools, proprietary software, or some combination of both, and now you are interested in lifting and shifting those models to the cloud. In this talk, I'll describe how data scientists can transition their existing workflows — while using mostly the same tools and processes — to train and deploy machine learning models based on open source frameworks to Azure. I'll provide guidance on keeping connections to data sources up-to-date, evaluating and monitoring models, and deploying applications that make use of those models.
(ARC401) Cloud First: New Architecture for New InfrastructureAmazon Web Services
What do companies with internal platforms have to change to succeed in the cloud? The five pillars at the heart of IT solutions in the cloud are automation, fault tolerance, horizontal scalability, security, and cost-effectiveness. This talk discusses tools that facilitate the development and automate the deployment of secure, highly available microservices. The tools were developed using AWS CloudFormation, AWS SDKs, AWS CLI, Amazon RDS, and various open-source software such as Docker. The talk provides concrete examples of how these tools can help developers and architects move from beginning/intermediate AWS practitioners to cloud deployment experts.
Much has been said about DevOps and SecDevOps for security automation and integration. However, to many in the security community, this is still a buzzword. There are many practical applications of automation in cloud security controls, however, across all security-related disciplines. This talk will delve into concrete examples of security automation in the cloud, with metrics examples, as well.
(Source : RSA Conference USA 2017)
Automated Intrusion Detection and Response on AWS
1. SANS Technology Institute - Candidate for Master of Science Degree
Automated Intrusion Detection and Response on Amazon Web Services
Teri Radichel
September 2016
GIAC GSEC, GCIH and GCIA
2. Can AWS Improve Security Operations?
• Whitepaper: Overview of AWS Security Processes – Are Yours Better?
• Shared Responsibility Model
• Separation of duties
• Built in inventory and scalable logging
• DevSecOps: Write code to configure infrastructure and respond to events
3. What Is AWS?
• Platform for infrastructure management
• Start, stop and configure resources via console or code
• Automated scaling
4. Start Instance From Console
EC2 instances (virtual machines) can be managed via the web console
5. Start Instance Via Code
Better: Write code to manage instances
Start an instance:
$ aws ec2 run-instances --image-id ami-xxxxxx
View details about an instance:
$ aws ec2 describe-instances --instance-ids i-xxxxxxxx
Terminate an instance:
$ aws ec2 terminate-instances --instance-ids i-xxxxxxxx
6. CloudFormation Templates
• Configuration files for AWS resources
• Store configuration in source control
• Decouple configuration and deployment
• Handles dependency management
• Deploy via AWS tools such as AWS CLI:
$ aws cloudformation create-stack --stack-name [name] --template-url [url]
7. AWS Networking
• VPC (Virtual Private Cloud)
• Subnets and Security Groups
• Internet Gateway
• Virtual Private Gateway
• Direct Connect, VPN
• VPC Flow Logs
8. Sample Code
• Follow instructions in README.md: https://github.com/tradichel/AWSSecurityAutomationFramework
• Execute run.sh and specify mode:
– CREATE will create cloud resources
– PINGTEST generates unwanted traffic and triggers a response
– DELETE will delete resources created by either CREATE or PINGTEST
10. PINGTEST Mode
One instance is configured to ping the other (CloudFormation UserData; the "\n" line endings are needed so the joined script is valid):
"UserData":
{ "Fn::If" :
[
"PingMe",
{ "Fn::Base64":
{ "Fn::Join": [ "", [
"#!/bin/bash -e\n",
"echo ping ",
{"Fn::GetAtt" : [ "Ec2Instance1" , "PrivateIp" ]},
" > /tmp/ping.sh\n",
"cd /tmp\n",
"chmod 777 ping.sh\n",
"nohup ./ping.sh &\n"
] ] } },
{"Ref" : "AWS::NoValue"}
]
}
11. VPC Flow Logs
Click a Log Group to see Log Streams
12. CloudWatch Log Stream
• Click on ENI to see related logs
13. Code Evaluates Logged Events
Function monitors VPC flow logs for REJECTs and logs statistics
14. REJECT Triggers Response
Snapshot Instance
Terminate Instance
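The monitor-and-respond flow of slides 13 and 14, as an added Python example that is not the deck's code nor the AWSSecurityAutomationFramework's: it parses version 2 VPC Flow Log records, counts REJECTs per ENI and flow, and for any ENI at or over a threshold snapshots the attached instance's EBS volumes before terminating it. The log lines, ENI/instance/volume IDs and the in-memory FakeEc2 client are constructed so it runs offline; with boto3 the same calls (describe_instances with the network-interface filter, create_snapshot, terminate_instances) go to boto3.client("ec2").

```python
"""Added example, not the deck's or the framework's code.  Parses VPC Flow Log v2
records, counts REJECTs per ENI, and snapshots then terminates offenders offline."""
from collections import Counter

# Default VPC Flow Log version 2 record: 14 space-separated fields.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed: eni-aaaa's ICMP REJECTed 3x, eni-bbbb 1 ACCEPT + 1 REJECT, eni-cccc NODATA.
SAMPLE_LOG = """\
2 123456789012 eni-aaaa 10.0.1.5 10.0.1.6 0 0 1 1 84 1472600000 1472600060 REJECT OK
2 123456789012 eni-aaaa 10.0.1.5 10.0.1.6 0 0 1 1 84 1472600060 1472600120 REJECT OK
2 123456789012 eni-aaaa 10.0.1.5 10.0.1.6 0 0 1 1 84 1472600120 1472600180 REJECT OK
2 123456789012 eni-bbbb 10.0.1.6 10.0.1.5 443 51000 6 10 4200 1472600000 1472600060 ACCEPT OK
2 123456789012 eni-bbbb 10.0.1.9 10.0.1.6 0 0 1 1 84 1472600000 1472600060 REJECT OK
2 123456789012 eni-cccc - - - - - - - 1472600000 1472600060 - NODATA
"""

def parse_flow_log(text):
    """Yield a dict per well-formed record whose log-status is OK (no NODATA/SKIPDATA)."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS) and parts[-1] == "OK":
            yield dict(zip(FIELDS, parts))

def reject_stats(records):
    """Count REJECTs per (interface, srcaddr, dstaddr, protocol) flow."""
    stats = Counter()
    for r in records:
        if r["action"] == "REJECT":
            stats[(r["interface_id"], r["srcaddr"], r["dstaddr"], r["protocol"])] += 1
    return stats

class FakeEc2:
    """Constructed stand-in for boto3's EC2 client (same method names and
    keyword arguments, trimmed response shapes)."""
    def __init__(self):
        self.instances = {"eni-aaaa": ("i-0aaaa", ["vol-0a1", "vol-0a2"]),
                          "eni-bbbb": ("i-0bbbb", ["vol-0b1"])}
        self.snapshots, self.terminated = [], []
    def describe_instances(self, Filters):
        iid, vols = self.instances[Filters[0]["Values"][0]]  # lookup by ENI id
        return {"Reservations": [{"Instances": [{"InstanceId": iid,
                "BlockDeviceMappings": [{"Ebs": {"VolumeId": v}} for v in vols]}]}]}
    def create_snapshot(self, VolumeId, Description):
        self.snapshots.append(VolumeId)
        return {"SnapshotId": "snap-" + VolumeId}
    def terminate_instances(self, InstanceIds):
        self.terminated.extend(InstanceIds)

def respond(ec2, interface_id, reason):
    """Preserve evidence first (snapshot every EBS volume), then terminate."""
    flt = [{"Name": "network-interface.network-interface-id", "Values": [interface_id]}]
    inst = ec2.describe_instances(Filters=flt)["Reservations"][0]["Instances"][0]
    snaps = [ec2.create_snapshot(VolumeId=m["Ebs"]["VolumeId"], Description=reason)["SnapshotId"]
             for m in inst["BlockDeviceMappings"] if "Ebs" in m]
    # With real boto3, wait on ec2.get_waiter("snapshot_completed") before terminating.
    ec2.terminate_instances(InstanceIds=[inst["InstanceId"]])
    return inst["InstanceId"], snaps

def handle(log_text, ec2, threshold=3):
    """Entry point: REJECT stats -> ENIs at/over threshold -> one response per ENI."""
    stats = reject_stats(parse_flow_log(log_text))
    offenders = sorted({eni for (eni, *_), n in stats.items() if n >= threshold})
    return {eni: respond(ec2, eni, "REJECTed flows on " + eni) for eni in offenders}
```

A production handler would receive these records gzipped and base64-encoded in the CloudWatch Logs subscription event rather than as plain text, and the threshold keeps a single stray REJECT from terminating a host.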
15. AWS Security Benefits
• Comprehensive inventory
• Built in, scalable logging
• Infrastructure as code
• Tools that facilitate automated intrusion detection and response
• Augmented security for some ~ if you follow AWS security best practices.