SlideShare a Scribd company logo

Security Incident Response and Forensics on AWS

Amazon Web Services
Amazon Web Services

To find out more about training on AWS, visit: https://www.qa.com/amazon AWS Pop-up Loft | London April 19, 2016

Technology
1 of 22
Download to read offline
AWS Pop-up Loft London
Dave Walker Specialist Solutions Architect, Security and Compliance 19/04/16 Incident Response and Forensics on AWS
Agenda • "Expect to be Hacked" • "Be Prepared" (and "Playing the SIRS Game") • "That looks Weird..." • Initial Response Actions • "Decisions, Decisions..." • Preserving Evidence, by Service • Analysis • Conclusions
“Be Prepared” • Be Contactable by AWS • Build an Incident Response Handbook • Train your People • Know who to Contact, about What and When • CloudFormation Everything • Maintain “Intellectual Property Holding” • Templates, golden AMIs, Database snapshots
“If it Moves, Log It” • CloudTrail • Config • CloudWatch Logs • VPC Flow Logs • ELB logs • API Endpoint Logs • Redshift Logs • …
Identification • Plenty of logging sources, what to do with them: Level 1: Log • Primarily for ‘look back’ analysis. Level 2: Alarm • Basic monitoring based in triggers Level 3: Aggregate, analyze and learn • Monitor, ingest, analyze and derive • AWS as a source of event data
Identification – Level 1: Log Resource stack Actors AWS CloudTrail Amazon S3 Captures all API interaction AWS CloudWatch Monitors AWS & application AWS Config Actions on Captures resource changes
Identification – Level 2: Alarm Resource stack Actors AWS CloudTrail Amazon S3 monitors Captures all API interaction AWS CloudWatch Monitors AWS & application AWS Config Actions on Captures resource changes alarm initiates AWS Config rules Admin alarm
Identification – Level 3: Aggregate Resource stack Actors AWS CloudTrail Amazon S3 monitors Captures all API interaction AWS CloudWatch Monitors AWS & application AWS Config Actions on Captures resource changes alarm initiates AWS Config rules Admin alarm Aggregate/analyze Admin
CloudWatch Logs • What works well • Simple to set up : http://docs.aws.amazon.com/awscloudtrail/latest/userguide/use -cloudformation-template-to-create-cloudwatch-alarms.html • Limitations • Only match terms, phrases, or values in log events. • No complex matches or regular expressions
CloudWatch Logs • "ConsoleSignInAnomalyMetricFilter": { • "Type": "AWS::Logs::MetricFilter", • "Properties": { • "LogGroupName": { "Ref" : "LogGroupName" }, • "FilterPattern": "{ ($.eventName = ConsoleLogin) && ($.sourceIPAddress != 55.55.*) }", • "MetricTransformations": [ • { • "MetricNamespace": "CloudTrailMetrics", • "MetricName": "ConsoleSignInAnomalyCount", • "MetricValue": "1" • } • ] • } • },
Config Rules • What works well • Pre-packaged rules • Easy to create new rules • “Config is essentially a CMDB” • Limitations • Currently subset of EC2, EBS, VPC, CloudTrail, IAM
“Please, SIRS” • An Exercise with AWS • Injection of Events into Logs • You choose What and When • Ask your Account Manager
Initial Response Actions • Get the Right People Involved • AWS • Auditors, Regulators • Forensic Investigators (QIRAs, CESG-recommended firms)? • Police?
“Decisions, Decisions…” • “Manage and Mitigate” or “Pursue and Prosecute”? • First closes open doors, but destroys evidence • Second (in traditional environments) is a lot more hassle • Why not do both?
“Decisions, Decisions…” • Replicate • Repair • Redirect • Ringfence
Preserving Evidence, by Service Infrastructure services Container services Abstracted services Configuration plus operation Configuration  Source: “AWS Security Best Practices,” Nov 2013, p7
Best practices: EC2 & VPC • Create forensic subnets in all VPCs • All routes black-holed; all traffic stays within • Create “isolate” security groups to seal off potentially compromised hosts • Configure all AMIs to automatically mount ENIs when signalled by events
Best practices: EC2 & VPC… • Configure investigation hosts • All forensics tools installed and ready to go • Protect with deny-all SGs on forensics subnet • Set up write blockers, eg https://github.com/msuhanov/Linux- write-blocker • Additional VM help available from AWS on request
Analysis • EIR - Mandiant - EnCase - FTK - GRR • Network - Wireshark - Moloch • Memory Capture - Fastdump - FTK Imager - LiME (see Re:Invent, “Incident Response in the Cloud”)
Subnet 10.1.1.0/24 Analysis Virtual router Web server 10.1.1.60 Internet gateway Workstation 10.1.1.101 Change security group to “Isolate” Attach Elastic Network Interface with security group “forensics-target” Elastic Network Interface 10.1.201.60 Security group: “Forensics-target” (forensics target security group) Attach Elastic Network Interface with security group “forensics-target” Completely isolated subnet 10.1.201.0/24 Elastic Network Interface 10.1.201.101 Security group: “Forensics-source” (forensics source security group) Attach Elastic Network Interface with security group “forensics-source” Attach Elastic Network Interface with security group “forensics-source”
Conclusion • Many best practices are free; the rest are cheap • Configure IAM thoughtfully • Set up alarms; “snapshot” frequently • Use rich data emitted by “cloud container” for greater visibility and control • Use programmable infrastructure to automate detection (and potentially mitigation) • Always get the right people involved, at the outset • …and that includes AWS

Recommended

(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014Amazon Web Services
 
Grabbing Forensic Images from EC2/Rackspace
Grabbing Forensic Images from EC2/RackspaceGrabbing Forensic Images from EC2/Rackspace
Grabbing Forensic Images from EC2/RackspaceJP Bourget
 
How-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the HoodHow-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the HoodYurii Bilyk
 
(SEC316) Harden Your Architecture w/ Security Incident Response Simulations
(SEC316) Harden Your Architecture w/ Security Incident Response Simulations(SEC316) Harden Your Architecture w/ Security Incident Response Simulations
(SEC316) Harden Your Architecture w/ Security Incident Response SimulationsAmazon Web Services
 
Crypto Options in AWS
Crypto Options in AWSCrypto Options in AWS
Crypto Options in AWSAmazon Web Services
 
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014Amazon Web Services
 
Protecting Your Data with Encryption on AWS
Protecting Your Data with Encryption on AWSProtecting Your Data with Encryption on AWS
Protecting Your Data with Encryption on AWSAmazon Web Services
 
AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to ...
AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to ...AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to ...
AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to ...Amazon Web Services
 

Recommended

(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014Amazon Web Services
 
Grabbing Forensic Images from EC2/Rackspace
Grabbing Forensic Images from EC2/RackspaceGrabbing Forensic Images from EC2/Rackspace
Grabbing Forensic Images from EC2/RackspaceJP Bourget
 
How-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the HoodHow-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the HoodYurii Bilyk
 
(SEC316) Harden Your Architecture w/ Security Incident Response Simulations
(SEC316) Harden Your Architecture w/ Security Incident Response Simulations(SEC316) Harden Your Architecture w/ Security Incident Response Simulations
(SEC316) Harden Your Architecture w/ Security Incident Response SimulationsAmazon Web Services
 
Crypto Options in AWS
Crypto Options in AWSCrypto Options in AWS
Crypto Options in AWSAmazon Web Services
 
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014Amazon Web Services
 
Protecting Your Data with Encryption on AWS
Protecting Your Data with Encryption on AWSProtecting Your Data with Encryption on AWS
Protecting Your Data with Encryption on AWSAmazon Web Services
 
AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to ...
AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to ...AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to ...
AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to ...Amazon Web Services
 
Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013
Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013
Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013Amazon Web Services
 
How to Fast Track your AppExchange App
How to Fast Track your AppExchange AppHow to Fast Track your AppExchange App
How to Fast Track your AppExchange AppCodeScience
 
(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014
(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014
(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014Amazon Web Services
 
(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014
(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014
(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014Amazon Web Services
 
(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...
(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...
(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...Amazon Web Services
 
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...Amazon Web Services
 
Enforcing Your Security Policy at Scale - Technical 301
Enforcing Your Security Policy at Scale - Technical 301Enforcing Your Security Policy at Scale - Technical 301
Enforcing Your Security Policy at Scale - Technical 301Amazon Web Services
 
Splunk Live - Security Best Practices for AWS
Splunk Live - Security Best Practices for AWSSplunk Live - Security Best Practices for AWS
Splunk Live - Security Best Practices for AWSAmazon Web Services
 
Escape From Amazon: Tips/Techniques for Reducing AWS Dependencies
Escape From Amazon: Tips/Techniques for Reducing AWS DependenciesEscape From Amazon: Tips/Techniques for Reducing AWS Dependencies
Escape From Amazon: Tips/Techniques for Reducing AWS DependenciesSoam Acharya
 
AWS December 2015 Webinar Series - Introducing Amazon Inspector
AWS December 2015 Webinar Series - Introducing Amazon InspectorAWS December 2015 Webinar Series - Introducing Amazon Inspector
AWS December 2015 Webinar Series - Introducing Amazon InspectorAmazon Web Services
 
12 best practices for virtualizing active directory DCs
12 best practices for virtualizing active directory DCs12 best practices for virtualizing active directory DCs
12 best practices for virtualizing active directory DCsVeeam Software
 
Enhanced Security and Compliance with AWS
Enhanced Security and Compliance with AWSEnhanced Security and Compliance with AWS
Enhanced Security and Compliance with AWSAmazon Web Services
 
(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMR
(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMR(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMR
(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMRAmazon Web Services
 
Security Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsSecurity Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsIgor Beliaiev
 
(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014
(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014
(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014Amazon Web Services
 
[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...
[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...
[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...Amazon Web Services
 
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWSAWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWSAmazon Web Services
 
AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...
AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...
AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...Amazon Web Services
 
AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”Amazon Web Services
 
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPASecurity & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPAAmazon Web Services
 
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 

More Related Content

Viewers also liked

Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013
Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013
Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013Amazon Web Services
 
How to Fast Track your AppExchange App
How to Fast Track your AppExchange AppHow to Fast Track your AppExchange App
How to Fast Track your AppExchange AppCodeScience
 
(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014
(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014
(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014Amazon Web Services
 
(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014
(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014
(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014Amazon Web Services
 
(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...
(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...
(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...Amazon Web Services
 
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...Amazon Web Services
 
Enforcing Your Security Policy at Scale - Technical 301
Enforcing Your Security Policy at Scale - Technical 301Enforcing Your Security Policy at Scale - Technical 301
Enforcing Your Security Policy at Scale - Technical 301Amazon Web Services
 
Splunk Live - Security Best Practices for AWS
Splunk Live - Security Best Practices for AWSSplunk Live - Security Best Practices for AWS
Splunk Live - Security Best Practices for AWSAmazon Web Services
 
Escape From Amazon: Tips/Techniques for Reducing AWS Dependencies
Escape From Amazon: Tips/Techniques for Reducing AWS DependenciesEscape From Amazon: Tips/Techniques for Reducing AWS Dependencies
Escape From Amazon: Tips/Techniques for Reducing AWS DependenciesSoam Acharya
 
AWS December 2015 Webinar Series - Introducing Amazon Inspector
AWS December 2015 Webinar Series - Introducing Amazon InspectorAWS December 2015 Webinar Series - Introducing Amazon Inspector
AWS December 2015 Webinar Series - Introducing Amazon InspectorAmazon Web Services
 
12 best practices for virtualizing active directory DCs
12 best practices for virtualizing active directory DCs12 best practices for virtualizing active directory DCs
12 best practices for virtualizing active directory DCsVeeam Software
 
Enhanced Security and Compliance with AWS
Enhanced Security and Compliance with AWSEnhanced Security and Compliance with AWS
Enhanced Security and Compliance with AWSAmazon Web Services
 
(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMR
(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMR(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMR
(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMRAmazon Web Services
 
Security Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsSecurity Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsIgor Beliaiev
 
(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014
(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014
(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014Amazon Web Services
 
[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...
[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...
[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...Amazon Web Services
 
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWSAWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWSAmazon Web Services
 
AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...
AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...
AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...Amazon Web Services
 
AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”Amazon Web Services
 
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPASecurity & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPAAmazon Web Services
 

Viewers also liked (20)

Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013
Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013
Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013
 
How to Fast Track your AppExchange App
How to Fast Track your AppExchange AppHow to Fast Track your AppExchange App
How to Fast Track your AppExchange App
 
(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014
(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014
(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014
 
(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014
(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014
(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014
 
(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...
(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...
(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...
 
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...
 
Enforcing Your Security Policy at Scale - Technical 301
Enforcing Your Security Policy at Scale - Technical 301Enforcing Your Security Policy at Scale - Technical 301
Enforcing Your Security Policy at Scale - Technical 301
 
Splunk Live - Security Best Practices for AWS
Splunk Live - Security Best Practices for AWSSplunk Live - Security Best Practices for AWS
Splunk Live - Security Best Practices for AWS
 
Escape From Amazon: Tips/Techniques for Reducing AWS Dependencies
Escape From Amazon: Tips/Techniques for Reducing AWS DependenciesEscape From Amazon: Tips/Techniques for Reducing AWS Dependencies
Escape From Amazon: Tips/Techniques for Reducing AWS Dependencies
 
AWS December 2015 Webinar Series - Introducing Amazon Inspector
AWS December 2015 Webinar Series - Introducing Amazon InspectorAWS December 2015 Webinar Series - Introducing Amazon Inspector
AWS December 2015 Webinar Series - Introducing Amazon Inspector
 
12 best practices for virtualizing active directory DCs
12 best practices for virtualizing active directory DCs12 best practices for virtualizing active directory DCs
12 best practices for virtualizing active directory DCs
 
Enhanced Security and Compliance with AWS
Enhanced Security and Compliance with AWSEnhanced Security and Compliance with AWS
Enhanced Security and Compliance with AWS
 
(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMR
(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMR(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMR
(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMR
 
Security Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsSecurity Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and Results
 
(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014
(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014
(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014
 
[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...
[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...
[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...
 
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWSAWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
 
AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...
AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...
AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...
 
AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”
 
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPASecurity & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform EngineeringMarcus Vechiato
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfalexjohnson7307
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingScyllaDB
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Hiroshi SHIBATA
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...FIDO Alliance
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Skynet Technologies
 
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideCollecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideStefan Dietze
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...panagenda
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...ScyllaDB
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe中 央社
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!Memoori
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfFIDO Alliance
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandIES VE
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuidePixlogix Infotech
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfFIDO Alliance
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Patrick Viafore
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfFIDO Alliance
 

Recently uploaded (20)

TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideCollecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 

Security Incident Response and Forensics on AWS

  • 2. Dave Walker Specialist Solutions Architect, Security and Compliance 19/04/16 Incident Response and Forensics on AWS
  • 3. Agenda • "Expect to be Hacked" • "Be Prepared" (and "Playing the SIRS Game") • "That looks Weird..." • Initial Response Actions • "Decisions, Decisions..." • Preserving Evidence, by Service • Analysis • Conclusions
  • 4. “Be Prepared” • Be Contactable by AWS • Build an Incident Response Handbook • Train your People • Know who to Contact, about What and When • CloudFormation Everything • Maintain “Intellectual Property Holding” • Templates, golden AMIs, Database snapshots
  • 5. “If it Moves, Log It” • CloudTrail • Config • CloudWatch Logs • VPC Flow Logs • ELB logs • API Endpoint Logs • Redshift Logs • …
  • 6. Identification • Plenty of logging sources, what to do with them: Level 1: Log • Primarily for ‘look back’ analysis. Level 2: Alarm • Basic monitoring based in triggers Level 3: Aggregate, analyze and learn • Monitor, ingest, analyze and derive • AWS as a source of event data
  • 7. Identification – Level 1: Log Resource stack Actors AWS CloudTrail Amazon S3 Captures all API interaction AWS CloudWatch Monitors AWS & application AWS Config Actions on Captures resource changes
  • 8. Identification – Level 2: Alarm Resource stack Actors AWS CloudTrail Amazon S3 monitors Captures all API interaction AWS CloudWatch Monitors AWS & application AWS Config Actions on Captures resource changes alarm initiates AWS Config rules Admin alarm
  • 9. Identification – Level 3: Aggregate Resource stack Actors AWS CloudTrail Amazon S3 monitors Captures all API interaction AWS CloudWatch Monitors AWS & application AWS Config Actions on Captures resource changes alarm initiates AWS Config rules Admin alarm Aggregate/analyze Admin
  • 10. CloudWatch Logs • What works well • Simple to set up : http://docs.aws.amazon.com/awscloudtrail/latest/userguide/use -cloudformation-template-to-create-cloudwatch-alarms.html • Limitations • Only match terms, phrases, or values in log events. • No complex matches or regular expressions
  • 11. CloudWatch Logs • "ConsoleSignInAnomalyMetricFilter": { • "Type": "AWS::Logs::MetricFilter", • "Properties": { • "LogGroupName": { "Ref" : "LogGroupName" }, • "FilterPattern": "{ ($.eventName = ConsoleLogin) && ($.sourceIPAddress != 55.55.*) }", • "MetricTransformations": [ • { • "MetricNamespace": "CloudTrailMetrics", • "MetricName": "ConsoleSignInAnomalyCount", • "MetricValue": "1" • } • ] • } • },
  • 12. Config Rules • What works well • Pre-packaged rules • Easy to create new rules • “Config is essentially a CMDB” • Limitations • Currently subset of EC2, EBS, VPC, CloudTrail, IAM
  • 13. “Please, SIRS” • An Exercise with AWS • Injection of Events into Logs • You choose What and When • Ask your Account Manager
  • 14. Initial Response Actions • Get the Right People Involved • AWS • Auditors, Regulators • Forensic Investigators (QIRAs, CESG-recommended firms)? • Police?
  • 15. “Decisions, Decisions…” • “Manage and Mitigate” or “Pursue and Prosecute”? • First closes open doors, but destroys evidence • Second (in traditional environments) is a lot more hassle • Why not do both?
  • 16. “Decisions, Decisions…” • Replicate • Repair • Redirect • Ringfence
  • 17. Preserving Evidence, by Service Infrastructure services Container services Abstracted services Configuration plus operation Configuration  Source: “AWS Security Best Practices,” Nov 2013, p7
  • 18. Best practices: EC2 & VPC • Create forensic subnets in all VPCs • All routes black-holed; all traffic stays within • Create “isolate” security groups to seal off potentially compromised hosts • Configure all AMIs to automatically mount ENIs when signalled by events
  • 19. Best practices: EC2 & VPC… • Configure investigation hosts • All forensics tools installed and ready to go • Protect with deny-all SGs on forensics subnet • Set up write blockers, eg https://github.com/msuhanov/Linux- write-blocker • Additional VM help available from AWS on request
  • 20. Analysis • EIR - Mandiant - EnCase - FTK - GRR • Network - Wireshark - Moloch • Memory Capture - Fastdump - FTK Imager - LiME (see Re:Invent, “Incident Response in the Cloud”)
  • 21. Subnet 10.1.1.0/24 Analysis Virtual router Web server 10.1.1.60 Internet gateway Workstation 10.1.1.101 Change security group to “Isolate” Attach Elastic Network Interface with security group “forensics-target” Elastic Network Interface 10.1.201.60 Security group: “Forensics-target” (forensics target security group) Attach Elastic Network Interface with security group “forensics-target” Completely isolated subnet 10.1.201.0/24 Elastic Network Interface 10.1.201.101 Security group: “Forensics-source” (forensics source security group) Attach Elastic Network Interface with security group “forensics-source” Attach Elastic Network Interface with security group “forensics-source”
  • 22. Conclusion • Many best practices are free; the rest are cheap • Configure IAM thoughtfully • Set up alarms; “snapshot” frequently • Use rich data emitted by “cloud container” for greater visibility and control • Use programmable infrastructure to automate detection (and potentially mitigation) • Always get the right people involved, at the outset • …and that includes AWS