SlideShare a Scribd company logo
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Security
Henrik Johansson
AWS Security
SID306
Evolve Your Incident Response Process and
Powers for AWS
Don “Beetle” Bailey
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What to Expect from This Session
• Quick sync on incident response, how runbooks support
• Overview of empowering AWS capabilities for IR process
• Discussion of traditional IR analogs in AWS environments
• Reminder of key IR pre-reqs for AWS-oriented IR success
• High-level runbook example, evolved for AWS
• Additional resources for security heroes
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Incident Response (IR) at a Glance
Establish
control
Determine
impact
Recover as
needed
Investigate
root cause
Improve
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Process, People, and … Powers
• Process = The How
• Informal knowledge -> Runbooks
• People = The Who
• Security Army of One -> Security Operations Team
• Powers = Capabilities / Tools
• COTS / OSS for low #s -> Bespoke / Automated / Scalable
This will vary ... And that’s OK!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IR Where / How?
• Nowadays, IR should not be a manual process
• Effective incident response blends automation and manual
abilities where applicable.
• Re-evaluate any manual process for automation opportunities
• Natural efficiencies of cloud-based IR for cloud concerns
• Also look for opportunities to leverage powers of the cloud for
on-premises IR
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Reality of now vs. ….?
You (likely | hopefully) have established
IR runbooks
You are using AWS
Your IR process, people, powers needs
to be informed and account for that!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
This talk is new, but this topic is not!
• Previous related talks …
• YouTube search “automating event response AWS”
• AWS specific features & empowering capabilities
• Event detection, logging, automation triggers, rollback
• Various pre-requisite knowledge
• What security team access to enable, what to turn on, where
Let’s go over some of that!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Empowering AWS Capabilities
Let’s make IR easier!
• Amazon GuardDuty
• AWS CloudTrail
• Amazon CloudWatch
• AWS Config
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon GuardDuty
Intelligent threat detection and
continuous monitoring to protect
your AWS accounts and
workloads
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What Can GuardDuty Detect?
RDP brute
force
RAT Installed
Exfiltrate temp
IAM creds over
DNS
Probe API with
temp creds
Attempt to
compromise
account
Malicious or
suspicious IP
Unusual ports
DNS exfiltration
Unusual traffic volume
Connect to blacklisted site
Recon
Anonymizing proxy
Temp credentials
used off-instance
Unusual ISP caller
Bitcoin activity
Unusual instance launch
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Finding Types
Recon
• Port probe on unprotected port
• Outbound port scans
• Callers from anonymizing proxies
Backdoor
• Spambot or C&C activity
• Exfiltration over DNS channel
• Suspicious domain request
Trojan
• Domain Generation Algorithm (DGA)
domain request
• Blackhole traffic
• Drop point
Unauthorized Access
• Unusual ISP caller
• SSH/RDP brute force
Stealth
• Password policy change
• AWS CloudTrail logging disabled
• Amazon GuardDuty disabled in member
account
Cryptocurrency
• Communication with bitcoin DNS pools
• Cryptocurrency related DNS calls
• Connections to bitcoin mining pool
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Multi-Account Support
Account B Account C
Security team account
Account A
CloudWatch Events
GuardDuty GuardDuty GuardDuty
GuardDuty
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS CloudTrail
• CloudTrail is a service that enables governance, compliance,
operational auditing, and risk auditing of your AWS account
• Captures account activity and events for supported services
made in your AWS account and sends the event log files to
Amazon Simple Storage Service (Amazon S3), CloudWatch Logs,
and CloudWatch Events.
• Visibility Into User and Resource Activity
• Log File Encryption, Integrity Validation, other features
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CloudTrail Example
{
"detail-type": [ "AWS API Call via CloudTrail" ],
"detail": {
"eventSource": [ "cloudtrail.amazonaws.com" ],
"eventName": [ "StopLogging" ]
}
}
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon CloudWatch
CloudWatch Events delivers a near real-time stream of system
events that describe changes in AWS resources.
CloudWatch Events becomes aware of operational changes as
they occur and allows you to direct them to suitable targets.
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CloudWatch Events
{
"source": [
"aws.guardduty"
]
}
CloudWatch
Event
GuardDuty
findings
Lambda
function
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Config / AWS Config Rules
Continuously tracks your resource
configuration changes and if they violate
any of the conditions in your rules
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Config Rules
A continuous recording and assessment service
Changing resources
AWS Config
AWS Config rules
History
snapshot
Notifications
API access
Normalized
• How are my resources configured over time?
• Is a change that just occurred to a resource, compliant?
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IR via AWS … Traditional Analogs
• Log gathering
• Write once media
• Network isolation
• Disk capture
Can you do all of this in AWS environments? YES!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Based IR Triggers ... DIY or aaS!
• DIY anomaly detection
• FlowLogs, CloudTrail, CloudWatch Logs
• Managed services
• GuardDuty, AWS Trusted Advisor, Amazon Macie, CloudWatch
Events, AWS Config
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon
CloudWatch
CloudTrail
AWS Config
Lambda
function
AWS APIs
AWS WAF
AWS Shield
Detection
Alerting
Remediation
Countermeasures
Forensics
Team
collaboration
(Slack etc.)
GuardDuty
VPC Flow Logs
AWS-Oriented IR at A High Level
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Host-Based Cloud Triggers
Integrate cloud controls with host-based IDS/IDP
Trigger visible events
Doesn’t require native cloud support
Use Amazon EC2 roles
Example:
SSH PAM modules
Agents with script support
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Host-Based Cloud Triggers - Example
Host script in SSH PAM module:
#!/bin/bash
INSTANCE_ID=$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id)
REGION=$(wget -q -O - http://169.254.169.254/latest/meta-data/placement/availability-zone|sed
's/.{1}$//')DATE=$(date)
aws ec2 --region $REGION create-tags --resources $INSTANCE_ID --tags "Key=Tainted,Value=$DATE
{
"detail-type": [ "AWS API Call via CloudTrail" ],
"detail": {
"eventSource": [ "ec2.amazonaws.com" ],
"eventName": [ "CreateTags" ],
"errorCode": [ "Client.UnauthorizedOperation" ]
}
CloudTrail event:
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
On-premises vs. Cloud IR …
All the same, right?
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
On-Premises Network Isolation Options
Switches/Routers
Centralized management/logs?
Tamper evident?
Mixed vendor/brand?
Firewalls
Brand knowledge requirements?
Running shoes, a scissor and CAT5 cables
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Network Isolation in AWS
VPC – 100% API based – Centralized integrity validated logging
Security Groups
Network ACL
PrivateLink
Private Endpoints
Non-AWS constructs
Proxies
Gateways
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
On-Premises Disk Capture Options
- Require physical (snapshot)
+ Established industry processes
+ Tool driven (Lime, require trigger engine)
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Disk Capture in AWS
- New method for many companies
+ Fully remote
+ Snapshot (AWS API) or tool driven (Lime)
+ Trigger using automation (AWS Step Functions / AWS Lambda)
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IR via AWS Advantage
• Never run out of disk space, compute
• Never feel guilty about not using it, either
• Streaming data processing
• Reduce event -> response, MTTR
• Automation
• API driven with complete audit trail
• Allow rapid response, isolation of resources
• Self-healing capabilities for availability
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Data Gathering / Fusion / Analysis / Query
Systems Manager
documents
CloudWatch
rule
EC2 instance contents
Instance:~ ec2-user$ top
Instance:~ ec2-user$ pcap
Instance:~ ec2-user$ lime
LambdaGuardDuty
Elastic Network
Adapter
Elastic Network
Adapter
Lambda
function
EBS Volume
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Detach instance from Auto Scaling Group (self-heal) and isolate
# Detach instance from autoscaling group
CLIENT_AS.detach_instances(
InstanceIds=[instances[i]['instanceId’]], AutoScalingGroupName=instances[i]['asGroup’], ShouldDecrementDesiredCapacity=False
)
# Get correct security group
response = CLIENT_EC2.describe_instances(InstanceIds=[instances[i]['instanceId']])
vpcId = response['Reservations'][0]['Instances'][0]['NetworkInterfaces'][0]['VpcId’]
# Get Security Group groupID for the Isolation group
CLIENT_EC2.describe_security_groups(
DryRun=False,
Filters=[
{'Name': 'description','Values': ['SG-Isolation']},
{'Name': 'vpc-id','Values': [vpcId]}
]
)
try:
# Remove egress rule on security group if exists
if response['SecurityGroups'][0]['IpPermissionsEgress'][0]:
client.revoke_security_group_egress(GroupId=sg['SecurityGroups'][0]['GroupId’], 
IpPermissions=sg['SecurityGroups'][0]['IpPermissionsEgress’])
except:
pass
try:
sgGroup = response['SecurityGroups'][0]['GroupId’]
# Isolate instance by applying empty security group
CLIENT_EC2.modify_instance_attribute(InstanceId=instances[i]['instanceId’], Groups=[sgGroup])
print "Isolating instance: ", instances[i]['instanceId']
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
# Detach instance from autoscaling group
CLIENT_AS.detach_instances(
InstanceIds=[instances[i]['instanceId’]], AutoScalingGroupName=instances[i]['asGroup’], ShouldDecrementDesiredCapacity=False
)
# Get correct security group
response = CLIENT_EC2.describe_instances(InstanceIds=[instances[i]['instanceId']])
vpcId = response['Reservations'][0]['Instances'][0]['NetworkInterfaces'][0]['VpcId’]
# Get Security Group groupID for the Isolation group
CLIENT_EC2.describe_security_groups(
DryRun=False,
Filters=[
{'Name': 'description','Values': ['SG-Isolation']},
{'Name': 'vpc-id','Values': [vpcId]}
]
)
try:
# Remove egress rule on security group if exists
if response['SecurityGroups'][0]['IpPermissionsEgress'][0]:
client.revoke_security_group_egress(GroupId=sg['SecurityGroups'][0]['GroupId’], 
IpPermissions=sg['SecurityGroups'][0]['IpPermissionsEgress’])
except:
pass
try:
sgGroup = response['SecurityGroups'][0]['GroupId’]
# Isolate instance by applying empty security group
CLIENT_EC2.modify_instance_attribute(InstanceId=instances[i]['instanceId’], Groups=[sgGroup])
print "Isolating instance: ", instances[i]['instanceId']
Important!
Rate limit / Guardrails
Don’t nuke yourself!
Detach instance from Auto Scaling Group (self-heal) and isolate
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Wait! Did you make sure to …? AWS IR Pre-Reqs
• Audit / IR role
• CloudTrail “On”
• Centralized logging / Alerting
• Amazon S3 bucket logging (do we need this with Amazon S3
event access > CloudTrail?)
• Resource backup / versioning
• Pre-built IR environments
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Enforcing Security Policy at Scale
Use managed services to offload
GuardDuty, Trusted Advisor
Serverless for rapid scalability
Doesn’t require cold resources
Multi-account
CloudWatch Events Hub
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Enough! Gimme runbooks.
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What’s in a runbook?
Wikipedia:
In a computer system or network, a runbook is a compilation of
routine procedures and operations that the system administrator
or operator carries out. System administrators in IT departments
and NOCs use runbooks as a reference. Runbooks can be in either
electronic or in physical book form.
Or…
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
On-premises vs. AWS vs. Hybrid IR Runbooks
• Relies on multiple control
planes
• Possible physical access
required
• Certain resources allow
automation
On-premises
• Single API driven control
plane
• 100% network-based control
• All resources allow
automation
AWS
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What’s in a runbook?
In terms for today:
1. Definition of Application Normal
2. Statement of Problem or Event
3. Response for Problem or event
Or…
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What’s in a runbook?
In terms for today:
A place for the beginning of:
• automation and process
• Security Incident Response Simulations
and…in the event of an emergency
A place to start corrective action.
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What’s in a runbook?
In terms for today:
A runbook provides needed confidence and stability in a moment
that would normally be chaotic.
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What’s in a runbook - Reality
Process – Written to be tested and modified, Not set in stone.
People – Trained on those processes and in the tools to provide stability and
confidence
Capabilities / Tools - built and tested with the people and processes
routinely
=
Power
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
On-Premises IR
• Focused on infrastructure or
application surfaces
• Focused on utilization of
internal resources, system
that were pre-defined, and
limited by cost and
maintenance
• Limited ability to automate a
response.
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cloud IR Runbook
• Services-based threat detection
and automated remediation.
• Focused on multiple surface
interaction.
• Forensics automation is
possible.
• System recovery and regional DR
is possible with automated
procedures.
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Hybrid IR Runbook
• Working with cloud tools, server
automation is possible.
• (VMWare, SSM)
• Centralized SIEM is possible in the
cloud, expanding as it is needed.
• SSM is able to automate the forensics
of systems on premises and copy
them to the forensics environments in
the cloud
• Allowing for safe and secure review
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
On-premises IR Runbook: Botnet computer detected
Source: Log/traffic analysis or abuse alert
Process:
1. Go to computer/server
2. Unplug network
3. Image hard drive
1. If Lime/process present: Live snapshot
2. If no Lime/process present: Processes terminated
4. Inventory credentials at risk
5. Rotate/re-issue credentials
6. Re-issue clean computer/server
7. Extract credential usage from local/central/identified logs
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cloud IR Runbook: Botnet instance detected
Source: GuardDuty automatic alert
Process:
1. Describe instance
2. Isolate instance (Isolate script: Security group, network ACL, ALB
remove)
1. Auto Scaling group self-heals with new clean instance
3. Snapshot live/isolated instance
4. Inventory credentials used
5. Rotate credentials
6. Extract all credential activities (Aurora script for AWS CloudTrail)
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cloud IR Runbook: Botnet instance detected
Source: GuardDuty automatic alert
Process:
1. Describe instance
2. Isolate instance (Isolate script: Security group, NACL, ALB remove)
1. AutoScalingGroup self heals with new clean instance
3. Snapshot live/isolated instance
4. Inventory credentials used
5. Rotate credentials
6. Extract all credential activities (Aurora script for CloudTrail)
Note:
Step 1-6 can be fully automated with
GuardDuty -> CloudWatch Events -> Lambda/Step Functions
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Hybrid IR Runbook: Botnet instance detected
Source: <Depends on hybrid model>
1. If On-premises resources
1. Inventory credentials used
2. Rotate credentials
3. Extract all credential activities (Aurora script for CloudTrail)
Follows suitable runbook but contains AWS specific parts like IAM
credential management
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IR-Related Partner Solutions
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Open-Source IR Solutions
• AWS Security Automation
https://github.com/awslabs/aws-security-automation
• ThreatResponse
https://threatresponse.cloud
https://github.com/ThreatResponse/aws_ir
• Wazuh
https://documentation.wazuh.com/current/amazon/
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Open Source IR Solutions, Continued
• Cloud Custodian
https://github.com/capitalone/cloud-custodian
• Fido
https://github.com/Netflix/Fido
• Security Monkey
https://github.com/Netflix/security_monkey
• StreamAlert
https://github.com/airbnb/streamalert
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Community / Industry Resources
• FIRST
https://first.org/
• Cloud.gov
https://cloud.gov/docs/ops/security-ir/
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Summary
• If you don’t have runbooks, write them. If you already have
runbooks, ensure they account for AWS.
• Leverage AWS-specific capabilities for basic -> advanced IR,
including automation.
• Challenges are opportunities to learn more about the platform
and partner solutions, perhaps next-level IR
• Practice, and engage AWS Support, as needed
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Submit session feedback
1. Tap the Schedule icon.
2. Select the session you
attended.
3. Tap Session Evaluation to
submit your feedback.
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thanks!

More Related Content

What's hot

Design, Deploy, & Optimize SQL Server Workloads
Design, Deploy, & Optimize SQL Server Workloads Design, Deploy, & Optimize SQL Server Workloads
Design, Deploy, & Optimize SQL Server Workloads
Amazon Web Services
 
re:Invent Recap: Security Week at the SF Loft
re:Invent Recap: Security Week at the SF Loftre:Invent Recap: Security Week at the SF Loft
re:Invent Recap: Security Week at the SF Loft
Amazon Web Services
 
Adding the Sec to Your DevOps Pipelines: AWS Security Week at the SF Loft
Adding the Sec to Your DevOps Pipelines: AWS Security Week at the SF LoftAdding the Sec to Your DevOps Pipelines: AWS Security Week at the SF Loft
Adding the Sec to Your DevOps Pipelines: AWS Security Week at the SF Loft
Amazon Web Services
 
Develop Containerized Apps with AWS Fargate
Develop Containerized Apps with AWS Fargate Develop Containerized Apps with AWS Fargate
Develop Containerized Apps with AWS Fargate
Amazon Web Services
 
Threat Detection and Mitigation at Scale on AWS
Threat Detection and Mitigation at Scale on AWS Threat Detection and Mitigation at Scale on AWS
Threat Detection and Mitigation at Scale on AWS
Amazon Web Services
 
Amazon S3_Updates and Best Practices
Amazon S3_Updates and Best Practices Amazon S3_Updates and Best Practices
Amazon S3_Updates and Best Practices
Amazon Web Services
 
Enterprise Security
Enterprise SecurityEnterprise Security
Enterprise Security
Amazon Web Services
 
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Amazon Web Services
 
Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...
Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...
Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...
Amazon Web Services
 
AWS Lambda use cases and best practices - Builders Day Israel
AWS Lambda use cases and best practices - Builders Day IsraelAWS Lambda use cases and best practices - Builders Day Israel
AWS Lambda use cases and best practices - Builders Day Israel
Amazon Web Services
 
DEM09 [Repeat] Fearless: From Monolith to Serverless with Dynatrace
DEM09 [Repeat] Fearless: From Monolith to Serverless with DynatraceDEM09 [Repeat] Fearless: From Monolith to Serverless with Dynatrace
DEM09 [Repeat] Fearless: From Monolith to Serverless with Dynatrace
Amazon Web Services
 
Workshop: Building Serverless Real-time Data Processing (Now with Unicorns!)
Workshop: Building Serverless Real-time Data Processing (Now with Unicorns!)Workshop: Building Serverless Real-time Data Processing (Now with Unicorns!)
Workshop: Building Serverless Real-time Data Processing (Now with Unicorns!)
Amazon Web Services
 
SID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CASID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CA
Amazon Web Services
 
Build and Deploy Serverless Applications with AWS SAM
Build and Deploy Serverless Applications with AWS SAM Build and Deploy Serverless Applications with AWS SAM
Build and Deploy Serverless Applications with AWS SAM
Amazon Web Services
 
Setting Up a Landing Zone
Setting Up a Landing ZoneSetting Up a Landing Zone
Setting Up a Landing Zone
Amazon Web Services
 
ENT304 Enabling Self Service for Data Scientists with AWS Service Catalog
ENT304 Enabling Self Service for Data Scientists with AWS Service CatalogENT304 Enabling Self Service for Data Scientists with AWS Service Catalog
ENT304 Enabling Self Service for Data Scientists with AWS Service Catalog
Amazon Web Services
 
Your road to a Well Architected solution in the Cloud - Tel Aviv Summit 2018
Your road to a Well Architected solution in the Cloud - Tel Aviv Summit 2018Your road to a Well Architected solution in the Cloud - Tel Aviv Summit 2018
Your road to a Well Architected solution in the Cloud - Tel Aviv Summit 2018
Amazon Web Services
 
Secure Your Customers' Data From Day One
Secure Your Customers' Data From Day OneSecure Your Customers' Data From Day One
Secure Your Customers' Data From Day One
Amazon Web Services
 
Big Data and Alexa_Voice-Enabled Analytics
Big Data and Alexa_Voice-Enabled Analytics Big Data and Alexa_Voice-Enabled Analytics
Big Data and Alexa_Voice-Enabled Analytics
Amazon Web Services
 
DEM04 Fearless: From Monolith to Serverless with Dynatrace
DEM04 Fearless: From Monolith to Serverless with DynatraceDEM04 Fearless: From Monolith to Serverless with Dynatrace
DEM04 Fearless: From Monolith to Serverless with Dynatrace
Amazon Web Services
 

What's hot (20)

Design, Deploy, & Optimize SQL Server Workloads
Design, Deploy, & Optimize SQL Server Workloads Design, Deploy, & Optimize SQL Server Workloads
Design, Deploy, & Optimize SQL Server Workloads
 
re:Invent Recap: Security Week at the SF Loft
re:Invent Recap: Security Week at the SF Loftre:Invent Recap: Security Week at the SF Loft
re:Invent Recap: Security Week at the SF Loft
 
Adding the Sec to Your DevOps Pipelines: AWS Security Week at the SF Loft
Adding the Sec to Your DevOps Pipelines: AWS Security Week at the SF LoftAdding the Sec to Your DevOps Pipelines: AWS Security Week at the SF Loft
Adding the Sec to Your DevOps Pipelines: AWS Security Week at the SF Loft
 
Develop Containerized Apps with AWS Fargate
Develop Containerized Apps with AWS Fargate Develop Containerized Apps with AWS Fargate
Develop Containerized Apps with AWS Fargate
 
Threat Detection and Mitigation at Scale on AWS
Threat Detection and Mitigation at Scale on AWS Threat Detection and Mitigation at Scale on AWS
Threat Detection and Mitigation at Scale on AWS
 
Amazon S3_Updates and Best Practices
Amazon S3_Updates and Best Practices Amazon S3_Updates and Best Practices
Amazon S3_Updates and Best Practices
 
Enterprise Security
Enterprise SecurityEnterprise Security
Enterprise Security
 
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...
 
Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...
Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...
Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...
 
AWS Lambda use cases and best practices - Builders Day Israel
AWS Lambda use cases and best practices - Builders Day IsraelAWS Lambda use cases and best practices - Builders Day Israel
AWS Lambda use cases and best practices - Builders Day Israel
 
DEM09 [Repeat] Fearless: From Monolith to Serverless with Dynatrace
DEM09 [Repeat] Fearless: From Monolith to Serverless with DynatraceDEM09 [Repeat] Fearless: From Monolith to Serverless with Dynatrace
DEM09 [Repeat] Fearless: From Monolith to Serverless with Dynatrace
 
Workshop: Building Serverless Real-time Data Processing (Now with Unicorns!)
Workshop: Building Serverless Real-time Data Processing (Now with Unicorns!)Workshop: Building Serverless Real-time Data Processing (Now with Unicorns!)
Workshop: Building Serverless Real-time Data Processing (Now with Unicorns!)
 
SID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CASID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CA
 
Build and Deploy Serverless Applications with AWS SAM
Build and Deploy Serverless Applications with AWS SAM Build and Deploy Serverless Applications with AWS SAM
Build and Deploy Serverless Applications with AWS SAM
 
Setting Up a Landing Zone
Setting Up a Landing ZoneSetting Up a Landing Zone
Setting Up a Landing Zone
 
ENT304 Enabling Self Service for Data Scientists with AWS Service Catalog
ENT304 Enabling Self Service for Data Scientists with AWS Service CatalogENT304 Enabling Self Service for Data Scientists with AWS Service Catalog
ENT304 Enabling Self Service for Data Scientists with AWS Service Catalog
 
Your road to a Well Architected solution in the Cloud - Tel Aviv Summit 2018
Your road to a Well Architected solution in the Cloud - Tel Aviv Summit 2018Your road to a Well Architected solution in the Cloud - Tel Aviv Summit 2018
Your road to a Well Architected solution in the Cloud - Tel Aviv Summit 2018
 
Secure Your Customers' Data From Day One
Secure Your Customers' Data From Day OneSecure Your Customers' Data From Day One
Secure Your Customers' Data From Day One
 
Big Data and Alexa_Voice-Enabled Analytics
Big Data and Alexa_Voice-Enabled Analytics Big Data and Alexa_Voice-Enabled Analytics
Big Data and Alexa_Voice-Enabled Analytics
 
DEM04 Fearless: From Monolith to Serverless with Dynatrace
DEM04 Fearless: From Monolith to Serverless with DynatraceDEM04 Fearless: From Monolith to Serverless with Dynatrace
DEM04 Fearless: From Monolith to Serverless with Dynatrace
 

Similar to Evolve Your Incident Response Process and Powers for AWS

Evolve Your Incident Response Process and Powers for AWS - SID306 - Chicago A...
Evolve Your Incident Response Process and Powers for AWS - SID306 - Chicago A...Evolve Your Incident Response Process and Powers for AWS - SID306 - Chicago A...
Evolve Your Incident Response Process and Powers for AWS - SID306 - Chicago A...
Amazon Web Services
 
AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design
Amazon Web Services
 
Security@Scale
Security@ScaleSecurity@Scale
Security@Scale
Amazon Web Services
 
An Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAn Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your Applications
Amazon Web Services
 
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsLock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
Amazon Web Services
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat Detection
Amazon Web Services
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat Detection
Amazon Web Services
 
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Amazon Web Services
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
Alert Logic
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
Alert Logic
 
Lock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS AccountLock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS Account
Amazon Web Services
 
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
Amazon Web Services
 
How to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdfHow to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdf
Amazon Web Services
 
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Amazon Web Services
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
Amazon Web Services
 
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018
Amazon Web Services
 
Security & Compliance in the Cloud
Security & Compliance in the CloudSecurity & Compliance in the Cloud
Security & Compliance in the Cloud
Amazon Web Services
 
Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018
Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018
Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018
Amazon Web Services
 
Introduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSIntroduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWS
Amazon Web Services
 
Deep Dive - AWS Security by Design
Deep Dive - AWS Security by DesignDeep Dive - AWS Security by Design
Deep Dive - AWS Security by Design
Amazon Web Services
 

Similar to Evolve Your Incident Response Process and Powers for AWS (20)

Evolve Your Incident Response Process and Powers for AWS - SID306 - Chicago A...
Evolve Your Incident Response Process and Powers for AWS - SID306 - Chicago A...Evolve Your Incident Response Process and Powers for AWS - SID306 - Chicago A...
Evolve Your Incident Response Process and Powers for AWS - SID306 - Chicago A...
 
AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design
 
Security@Scale
Security@ScaleSecurity@Scale
Security@Scale
 
An Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAn Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your Applications
 
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsLock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat Detection
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat Detection
 
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
Best Practices to Secure Data Lake on AWS (ANT327) - AWS re:Invent 2018
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Lock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS AccountLock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS Account
 
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
 
How to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdfHow to Implement a Well-Architected Security Solution.pdf
How to Implement a Well-Architected Security Solution.pdf
 
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018
 
Security & Compliance in the Cloud
Security & Compliance in the CloudSecurity & Compliance in the Cloud
Security & Compliance in the Cloud
 
Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018
Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018
Crash Course in Security Best Practices, AWS Startup Day Cape Town 2018
 
Introduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSIntroduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWS
 
Deep Dive - AWS Security by Design
Deep Dive - AWS Security by DesignDeep Dive - AWS Security by Design
Deep Dive - AWS Security by Design
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
Amazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
Amazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
Amazon Web Services
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Amazon Web Services
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
Amazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
Amazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Amazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
Amazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Amazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
Amazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
Amazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
Amazon Web Services
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
Amazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
Amazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Evolve Your Incident Response Process and Powers for AWS

  • 1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Security Henrik Johansson AWS Security SID306 Evolve Your Incident Response Process and Powers for AWS Don “Beetle” Bailey
  • 2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. What to Expect from This Session • Quick sync on incident response, how runbooks support • Overview of empowering AWS capabilities for IR process • Discussion of traditional IR analogs in AWS environments • Reminder of key IR pre-reqs for AWS-oriented IR success • High-level runbook example, evolved for AWS • Additional resources for security heroes
  • 3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Incident Response (IR) at a Glance Establish control Determine impact Recover as needed Investigate root cause Improve
  • 4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Process, People, and … Powers • Process = The How • Informal knowledge -> Runbooks • People = The Who • Security Army of One -> Security Operations Team • Powers = Capabilities / Tools • COTS / OSS for low #s -> Bespoke / Automated / Scalable This will vary ... And that’s OK!
  • 5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. IR Where / How? • Nowadays, IR should not be a manual process • Effective incident response blends automation and manual abilities where applicable. • Re-evaluate any manual process for automation opportunities • Natural efficiencies of cloud-based IR for cloud concerns • Also look for opportunities to leverage powers of the cloud for on-premises IR
  • 6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Reality of now vs. ….? You (likely | hopefully) have established IR runbooks You are using AWS Your IR process, people, powers needs to be informed and account for that!
  • 7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. This talk is new, but this topic is not! • Previous related talks … • YouTube search “automating event response AWS” • AWS specific features & empowering capabilities • Event detection, logging, automation triggers, rollback • Various pre-requisite knowledge • What security team access to enable, what to turn on, where Let’s go over some of that!
  • 8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Empowering AWS Capabilities Let’s make IR easier! • Amazon GuardDuty • AWS CloudTrail • Amazon CloudWatch • AWS Config
  • 9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon GuardDuty Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
  • 10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. What Can GuardDuty Detect? RDP brute force RAT Installed Exfiltrate temp IAM creds over DNS Probe API with temp creds Attempt to compromise account Malicious or suspicious IP Unusual ports DNS exfiltration Unusual traffic volume Connect to blacklisted site Recon Anonymizing proxy Temp credentials used off-instance Unusual ISP caller Bitcoin activity Unusual instance launch
  • 11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Finding Types Recon • Port probe on unprotected port • Outbound port scans • Callers from anonymizing proxies Backdoor • Spambot or C&C activity • Exfiltration over DNS channel • Suspicious domain request Trojan • Domain Generation Algorithm (DGA) domain request • Blackhole traffic • Drop point Unauthorized Access • Unusual ISP caller • SSH/RDP brute force Stealth • Password policy change • AWS CloudTrail logging disabled • Amazon GuardDuty disabled in member account Cryptocurrency • Communication with bitcoin DNS pools • Cryptocurrency related DNS calls • Connections to bitcoin mining pool
  • 12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Multi-Account Support Account B Account C Security team account Account A CloudWatch Events GuardDuty GuardDuty GuardDuty GuardDuty
  • 13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS CloudTrail • CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account • Captures account activity and events for supported services made in your AWS account and sends the event log files to Amazon Simple Storage Service (Amazon S3), CloudWatch Logs, and CloudWatch Events. • Visibility Into User and Resource Activity • Log File Encryption, Integrity Validation, other features
  • 14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. CloudTrail Example { "detail-type": [ "AWS API Call via CloudTrail" ], "detail": { "eventSource": [ "cloudtrail.amazonaws.com" ], "eventName": [ "StopLogging" ] } }
  • 15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon CloudWatch CloudWatch Events delivers a near real-time stream of system events that describe changes in AWS resources. CloudWatch Events becomes aware of operational changes as they occur and allows you to direct them to suitable targets.
  • 16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. CloudWatch Events { "source": [ "aws.guardduty" ] } CloudWatch Event GuardDuty findings Lambda function
  • 17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Config / AWS Config Rules Continuously tracks your resource configuration changes and if they violate any of the conditions in your rules
  • 18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Config Rules A continuous recording and assessment service Changing resources AWS Config AWS Config rules History snapshot Notifications API access Normalized • How are my resources configured over time? • Is a change that just occurred to a resource, compliant?
  • 19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. IR via AWS … Traditional Analogs • Log gathering • Write once media • Network isolation • Disk capture Can you do all of this in AWS environments? YES!
  • 21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Based IR Triggers ... DIY or aaS! • DIY anomaly detection • FlowLogs, CloudTrail, CloudWatch Logs • Managed services • GuardDuty, AWS Trusted Advisor, Amazon Macie, CloudWatch Events, AWS Config
  • 22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon CloudWatch CloudTrail AWS Config Lambda function AWS APIs AWS WAF AWS Shield Detection Alerting Remediation Countermeasures Forensics Team collaboration (Slack etc.) GuardDuty VPC Flow Logs AWS-Oriented IR at A High Level
  • 23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Host-Based Cloud Triggers Integrate cloud controls with host-based IDS/IDP Trigger visible events Doesn’t require native cloud support Use Amazon EC2 roles Example: SSH PAM modules Agents with script support
  • 24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Host-Based Cloud Triggers - Example Host script in SSH PAM module: #!/bin/bash INSTANCE_ID=$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) REGION=$(wget -q -O - http://169.254.169.254/latest/meta-data/placement/availability-zone|sed 's/.{1}$//')DATE=$(date) aws ec2 --region $REGION create-tags --resources $INSTANCE_ID --tags "Key=Tainted,Value=$DATE { "detail-type": [ "AWS API Call via CloudTrail" ], "detail": { "eventSource": [ "ec2.amazonaws.com" ], "eventName": [ "CreateTags" ], "errorCode": [ "Client.UnauthorizedOperation" ] } CloudTrail event:
  • 25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. On-premises vs. Cloud IR … All the same, right?
  • 26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. On-Premises Network Isolation Options Switches/Routers Centralized management/logs? Tamper evident? Mixed vendor/brand? Firewalls Brand knowledge requirements? Running shoes, a scissor and CAT5 cables
  • 27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Network Isolation in AWS VPC – 100% API based – Centralized integrity validated logging Security Groups Network ACL PrivateLink Private Endpoints Non-AWS constructs Proxies Gateways
  • 28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. On-Premises Disk Capture Options - Require physical (snapshot) + Established industry processes + Tool driven (Lime, require trigger engine)
  • 29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Disk Capture in AWS - New method for many companies + Fully remote + Snapshot (AWS API) or tool driven (Lime) + Trigger using automation (AWS Step Functions / AWS Lambda)
  • 30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. IR via AWS Advantage • Never run out of disk space, compute • Never feel guilty about not using it, either • Streaming data processing • Reduce event -> response, MTTR • Automation • API driven with complete audit trail • Allow rapid response, isolation of resources • Self-healing capabilities for availability
  • 31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Data Gathering / Fusion / Analysis / Query Systems Manager documents CloudWatch rule EC2 instance contents Instance:~ ec2-user$ top Instance:~ ec2-user$ pcap Instance:~ ec2-user$ lime LambdaGuardDuty Elastic Network Adapter Elastic Network Adapter Lambda function EBS Volume
  • 32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Detach instance from Auto Scaling Group (self-heal) and isolate # Detach instance from autoscaling group CLIENT_AS.detach_instances( InstanceIds=[instances[i]['instanceId’]], AutoScalingGroupName=instances[i]['asGroup’], ShouldDecrementDesiredCapacity=False ) # Get correct security group response = CLIENT_EC2.describe_instances(InstanceIds=[instances[i]['instanceId']]) vpcId = response['Reservations'][0]['Instances'][0]['NetworkInterfaces'][0]['VpcId’] # Get Security Group groupID for the Isolation group CLIENT_EC2.describe_security_groups( DryRun=False, Filters=[ {'Name': 'description','Values': ['SG-Isolation']}, {'Name': 'vpc-id','Values': [vpcId]} ] ) try: # Remove egress rule on security group if exists if response['SecurityGroups'][0]['IpPermissionsEgress'][0]: client.revoke_security_group_egress(GroupId=sg['SecurityGroups'][0]['GroupId’], IpPermissions=sg['SecurityGroups'][0]['IpPermissionsEgress’]) except: pass try: sgGroup = response['SecurityGroups'][0]['GroupId’] # Isolate instance by applying empty security group CLIENT_EC2.modify_instance_attribute(InstanceId=instances[i]['instanceId’], Groups=[sgGroup]) print "Isolating instance: ", instances[i]['instanceId']
  • 33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. # Detach instance from autoscaling group CLIENT_AS.detach_instances( InstanceIds=[instances[i]['instanceId’]], AutoScalingGroupName=instances[i]['asGroup’], ShouldDecrementDesiredCapacity=False ) # Get correct security group response = CLIENT_EC2.describe_instances(InstanceIds=[instances[i]['instanceId']]) vpcId = response['Reservations'][0]['Instances'][0]['NetworkInterfaces'][0]['VpcId’] # Get Security Group groupID for the Isolation group CLIENT_EC2.describe_security_groups( DryRun=False, Filters=[ {'Name': 'description','Values': ['SG-Isolation']}, {'Name': 'vpc-id','Values': [vpcId]} ] ) try: # Remove egress rule on security group if exists if response['SecurityGroups'][0]['IpPermissionsEgress'][0]: client.revoke_security_group_egress(GroupId=sg['SecurityGroups'][0]['GroupId’], IpPermissions=sg['SecurityGroups'][0]['IpPermissionsEgress’]) except: pass try: sgGroup = response['SecurityGroups'][0]['GroupId’] # Isolate instance by applying empty security group CLIENT_EC2.modify_instance_attribute(InstanceId=instances[i]['instanceId’], Groups=[sgGroup]) print "Isolating instance: ", instances[i]['instanceId'] Important! Rate limit / Guardrails Don’t nuke yourself! Detach instance from Auto Scaling Group (self-heal) and isolate
  • 34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Wait! Did you make sure to …? AWS IR Pre-Reqs • Audit / IR role • CloudTrail “On” • Centralized logging / Alerting • Amazon S3 bucket logging (do we need this with Amazon S3 event access > CloudTrail?) • Resource backup / versioning • Pre-built IR environments
  • 35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Enforcing Security Policy at Scale Use managed services to offload GuardDuty, Trusted Advisor Serverless for rapid scalability Doesn’t require cold resources Multi-account CloudWatch Events Hub
  • 38. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Enough! Gimme runbooks.
  • 39. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. What’s in a runbook? Wikipedia: In a computer system or network, a runbook is a compilation of routine procedures and operations that the system administrator or operator carries out. System administrators in IT departments and NOCs use runbooks as a reference. Runbooks can be in either electronic or in physical book form. Or…
  • 40. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. On-premises vs. AWS vs. Hybrid IR Runbooks • Relies on multiple control planes • Possible physical access required • Certain resources allow automation On-premises • Single API driven control plane • 100% network-based control • All resources allow automation AWS
  • 41. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. What’s in a runbook? In terms for today: 1. Definition of Application Normal 2. Statement of Problem or Event 3. Response for Problem or event Or…
  • 42. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. What’s in a runbook? In terms for today: A place for the beginning of: • automation and process • Security Incident Response Simulations and…in the event of an emergency A place to start corrective action.
  • 43. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. What’s in a runbook? In terms for today: A runbook provides needed confidence and stability in a moment that would normally be chaotic.
  • 44. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. What’s in a runbook - Reality Process – Written to be tested and modified, Not set in stone. People – Trained on those processes and in the tools to provide stability and confidence Capabilities / Tools - built and tested with the people and processes routinely = Power
  • 45. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. On-Premises IR • Focused on infrastructure or application surfaces • Focused on utilization of internal resources, system that were pre-defined, and limited by cost and maintenance • Limited ability to automate a response.
  • 46. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Cloud IR Runbook • Services-based threat detection and automated remediation. • Focused on multiple surface interaction. • Forensics automation is possible. • System recovery and regional DR is possible with automated procedures.
  • 47. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Hybrid IR Runbook • Working with cloud tools, server automation is possible. • (VMWare, SSM) • Centralized SIEM is possible in the cloud, expanding as it is needed. • SSM is able to automate the forensics of systems on premises and copy them to the forensics environments in the cloud • Allowing for safe and secure review
  • 48. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. On-premises IR Runbook: Botnet computer detected Source: Log/traffic analysis or abuse alert Process: 1. Go to computer/server 2. Unplug network 3. Image hard drive 1. If Lime/process present: Live snapshot 2. If no Lime/process present: Processes terminated 4. Inventory credentials at risk 5. Rotate/re-issue credentials 6. Re-issue clean computer/server 7. Extract credential usage from local/central/identified logs
  • 49. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Cloud IR Runbook: Botnet instance detected Source: GuardDuty automatic alert Process: 1. Describe instance 2. Isolate instance (Isolate script: Security group, network ACL, ALB remove) 1. Auto Scaling group self-heals with new clean instance 3. Snapshot live/isolated instance 4. Inventory credentials used 5. Rotate credentials 6. Extract all credential activities (Aurora script for AWS CloudTrail)
  • 50. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Cloud IR Runbook: Botnet instance detected Source: GuardDuty automatic alert Process: 1. Describe instance 2. Isolate instance (Isolate script: Security group, NACL, ALB remove) 1. AutoScalingGroup self heals with new clean instance 3. Snapshot live/isolated instance 4. Inventory credentials used 5. Rotate credentials 6. Extract all credential activities (Aurora script for CloudTrail) Note: Step 1-6 can be fully automated with GuardDuty -> CloudWatch Events -> Lambda/Step Functions
  • 51. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Hybrid IR Runbook: Botnet instance detected Source: <Depends on hybrid model> 1. If On-premises resources 1. Inventory credentials used 2. Rotate credentials 3. Extract all credential activities (Aurora script for CloudTrail) Follows suitable runbook but contains AWS specific parts like IAM credential management
  • 52. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. IR-Related Partner Solutions
  • 53. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Open-Source IR Solutions • AWS Security Automation https://github.com/awslabs/aws-security-automation • ThreatResponse https://threatresponse.cloud https://github.com/ThreatResponse/aws_ir • Wazuh https://documentation.wazuh.com/current/amazon/
  • 54. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Open Source IR Solutions, Continued • Cloud Custodian https://github.com/capitalone/cloud-custodian • Fido https://github.com/Netflix/Fido • Security Monkey https://github.com/Netflix/security_monkey • StreamAlert https://github.com/airbnb/streamalert
  • 55. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Community / Industry Resources • FIRST https://first.org/ • Cloud.gov https://cloud.gov/docs/ops/security-ir/
  • 56. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 57. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 58. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 59. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 60. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 61. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 62. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Summary • If you don’t have runbooks, write them. If you already have runbooks, ensure they account for AWS. • Leverage AWS-specific capabilities for basic -> advanced IR, including automation. • Challenges are opportunities to learn more about the platform and partner solutions, perhaps next-level IR • Practice, and engage AWS Support, as needed
  • 63. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Submit session feedback 1. Tap the Schedule icon. 2. Select the session you attended. 3. Tap Session Evaluation to submit your feedback.
  • 64. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Thanks!