SlideShare a Scribd company logo

Threat Detection and Remediation Workshop

Amazon Web Services
Amazon Web Services

This workshop is designed to expose you to a number of AWS services that can be part of a threat detection and remediation strategy. We will cover the following services: Amazon GuardDuty, Amazon Macie, Amazon Inspector, Amazon CloudWatch (Events & Logs), AWS Lambda, Amazon SNS, Amazon S3, VPC Flow Logs, DNS Logs and AWS CloudTrail. You will learn how to use these services to set up a notification and remediation pipeline, to investigate threats during and after an attack, and how to evaluate what additional alerts and automated remediations should be deployed. We will go through a simulated attack scenario that will generate real GuardDuty findings and Macie alerts. We will investigate the attack, examine the threats, remediate the attack and investigate additional automated remediations that can be used in the future. Level: 200 Speaker: Sean Leviseur - Security Architect, AWS Professional Services

1 of 36
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sean Leviseur, Senior Security Consultant October 24th 2018 Threat Detection and Remediation Workshop Module 1
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Workshop agenda • Quick introduction to the workshop • Module 1: Environment build and configuration (20 min) • Run CloudFormation template and some setup • Module 2: Attack simulation (and presentation) (40 min) • Run CloudFormation template • Presentation • Module 3: Detection and remediation (45 min) • Investigate the attack • Module 4: Review and discussion (15 min) • Presentation / group Q&A • Cleanup
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Verizon Report Source: 2018 Data Breach Investigation Report, Verizon, 11th edition 2018 Verizon - 2018 Data Breach Investigations Report Data Breach Patterns
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What could possibly go wrong here?
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Start module 1 https://tinyurl.com/y84cc3pj (https://github.com/aws-samples/aws-security-workshops/tree/master/threat-detection-wksp) Directions: • Browse to https://tinyurl.com/y84cc3pj • Read through the workshop scenario • Click on Environment Build and Configuration at the end • Complete module (~15 min) then stop • We will later start module 2 and do a presentation use us-west-2
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Start module 1 – Important! https://tinyurl.com/y84cc3pj (https://github.com/aws-samples/aws-security-workshops/tree/master/threat-detection-wksp) use us-west-2
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sean Leviseur, Senior Security Consultant October 24th 2018 Threat Detection and Remediation Workshop Module 2
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Agenda • Module 2: Run the CloudFormation template (~5 min) • Threat detection and remediation intro presentation (~25 min) • Workshop walkthrough (~10 min)
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Start module 2 https://tinyurl.com/y84cc3pj (https://github.com/aws-samples/aws-security-workshops/tree/master/threat-detection-wksp) Directions: • Browse to https://tinyurl.com/y84cc3pj • Click on Attack Simulation at the end • Complete this module (~5 min) then stop • We will then do a presentation use us-west-2
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection and Remediation Intro
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Why is threat detection so hard? Skills shortageSignal to noiseLarge datasets
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Get humans away from the data and analysis AWS CISO Stephen Schmidt, at re:Invent 2017: “It's people who make mistakes, it's people who have good intentions but get phished, it's people who use the same credentials in multiple locations and don't use a hardware token for a multi-factor authentication… Get the humans away from the data.”
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Detecting breaches Source: 2018 Data Breach Investigation Report, Verizon, 11th edition 2018
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Top Actions Taken to Address Security Issues Source: 2017 Forbes Insights – “Enterprises Reengineer Security in the Age of Digital Transformation” 2017 Forbes Insights – “Enterprises Reengineer Security in the Age of Digital Transformation” Source: 2017 Forbes Insights – “Enterprises Reengineer Security in the Age of Digital Transformation”
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS CloudTrail AWS Config Rules Amazon CloudWatch Logs Amazon GuardDuty VPC Flow Logs Amazon Macie AWS Shield AWS WAF AWS Systems Manager Amazon Inspector VPC KMS AWS CloudHSM IAM AWS Organizations AWS Cognito AWS Directory Service AWS Single Sign-On Certificate Manager Amazon Inspector AWS Config Rules AWS Lambda AWS Systems Manager Amazon CloudWatch Events Pro Services Raptor Protect RespondDetect RecoverIdentify AWS Lambda AWS DR and Backup Solutions AWS Systems Manager AWS Config AWS Security Solutions https://www.nist.gov/cyberframework
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection Services
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection: Log Data Inputs AWS CloudTrail VPC Flow Logs CloudWatch Logs DNS Logs Track user activity and API usage IP traffic to/from network interfaces in your VPC Monitor apps using log data, store & access log files Log of DNS queries in a VPC when using the VPC DNS resolver
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection: Machine Learning Amazon GuardDuty Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads Amazon Macie Machine learning-powered security service to discover, classify & protect sensitive data
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon GuardDuty
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What Can Amazon GuardDuty Detect? RDP brute force RAT Installed Exfiltrate data over DNS Probe API with temp creds Attempt to compromise account Malicious or suspicious IP Unusual ports DNS exfiltration Unusual traffic volume Connect to blacklisted site Recon Anonymizing proxy Temp credentials used off-instance Unusual ISP caller Bitcoin activity Unusual instance launch
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection: Evocations/Triggers Amazon CloudWatch Events Delivers a near real-time stream of system events that describe changes in AWS resources AWS Config rules Continuously tracks your resource configuration changes and if they violate any of the conditions in your rules
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon CloudWatch Events { "source": [ "aws.guardduty" ] } CloudWatch Event GuardDuty findings Lambda function
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Remediation Services
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Remediation Services AWS Systems Manager AWS Lambda Amazon Inspector Run code for virtually any kind of application or backend service – zero administration Gain operational insights and take action on AWS resources Automate security assessments of EC2 instances
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. High-Level Playbook Adversary or intern Your environment Lambda function CloudWatch Events
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Workshop walkthrough
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. The initial setup
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 1 setup
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Start module 3 https://tinyurl.com/y84cc3pj (https://github.com/aws-samples/aws-security-workshops/tree/master/threat-detection-wksp) Directions: • Browse to https://tinyurl.com/y84cc3pj • Click on Detection & Remediation at the end • Run through this module (~45 min) • We will then finish up with module 4 and cleanup use us-west-2
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sean Leviseur, Senior Security Consultant October 24th 2018 Threat Detection and Remediation Workshop Module 4 – Review, Discussion, Questions & Cleanup
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Agenda • Review & Discussion – 5 min • Questions – 15 min • Cleanup
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Review & Discussion
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. The Attack
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 2 setup
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What really happened?
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Questions

Recommended

Threat Detection & Remediation Workshop
Threat Detection & Remediation WorkshopThreat Detection & Remediation Workshop
Threat Detection & Remediation WorkshopAmazon Web Services
 
Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2Amazon Web Services
 
Threat Detection & Remediation Workshop - Module 4
Threat Detection & Remediation Workshop - Module 4Threat Detection & Remediation Workshop - Module 4
Threat Detection & Remediation Workshop - Module 4Amazon Web Services
 
Automating Incident Response and Forensics in AWS - AWS Summit Sydney 2018
Automating Incident Response and Forensics in AWS - AWS Summit Sydney 2018Automating Incident Response and Forensics in AWS - AWS Summit Sydney 2018
Automating Incident Response and Forensics in AWS - AWS Summit Sydney 2018Amazon Web Services
 
An Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAn Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAmazon Web Services
 
Automating Threat Detection and Remediation at ZocDoc
Automating Threat Detection and Remediation at ZocDocAutomating Threat Detection and Remediation at ZocDoc
Automating Threat Detection and Remediation at ZocDocAmazon Web Services
 
Incident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesIncident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesAmazon Web Services
 
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response: AWS ...
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response: AWS ...A DIY Guide to Runbooks, Security Incident Reports, & Incident Response: AWS ...
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response: AWS ...Amazon Web Services
 

Recommended

Threat Detection & Remediation Workshop
Threat Detection & Remediation WorkshopThreat Detection & Remediation Workshop
Threat Detection & Remediation WorkshopAmazon Web Services
 
Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2Amazon Web Services
 
Threat Detection & Remediation Workshop - Module 4
Threat Detection & Remediation Workshop - Module 4Threat Detection & Remediation Workshop - Module 4
Threat Detection & Remediation Workshop - Module 4Amazon Web Services
 
Automating Incident Response and Forensics in AWS - AWS Summit Sydney 2018
Automating Incident Response and Forensics in AWS - AWS Summit Sydney 2018Automating Incident Response and Forensics in AWS - AWS Summit Sydney 2018
Automating Incident Response and Forensics in AWS - AWS Summit Sydney 2018Amazon Web Services
 
An Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAn Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAmazon Web Services
 
Automating Threat Detection and Remediation at ZocDoc
Automating Threat Detection and Remediation at ZocDocAutomating Threat Detection and Remediation at ZocDoc
Automating Threat Detection and Remediation at ZocDocAmazon Web Services
 
Incident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesIncident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesAmazon Web Services
 
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response: AWS ...
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response: AWS ...A DIY Guide to Runbooks, Security Incident Reports, & Incident Response: AWS ...
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response: AWS ...Amazon Web Services
 
Automating Incident Response and Forensics in AWS
Automating Incident Response and Forensics in AWSAutomating Incident Response and Forensics in AWS
Automating Incident Response and Forensics in AWSAmazon Web Services
 
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...Amazon Web Services
 
Amazon GuardDuty Lab
Amazon GuardDuty LabAmazon GuardDuty Lab
Amazon GuardDuty LabAmazon Web Services
 
Incident Response - Eyes Everywhere
Incident Response - Eyes EverywhereIncident Response - Eyes Everywhere
Incident Response - Eyes EverywhereAmazon Web Services
 
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...Amazon Web Services
 
AWS Security Week: Threat Detection & Remediation Workshop
AWS Security Week: Threat Detection & Remediation WorkshopAWS Security Week: Threat Detection & Remediation Workshop
AWS Security Week: Threat Detection & Remediation WorkshopAmazon Web Services
 
Incident Response: Eyes Everywhere - AWS Security Week at the SF Loft
Incident Response: Eyes Everywhere - AWS Security Week at the SF LoftIncident Response: Eyes Everywhere - AWS Security Week at the SF Loft
Incident Response: Eyes Everywhere - AWS Security Week at the SF LoftAmazon Web Services
 
DevOps on AWS
DevOps on AWSDevOps on AWS
DevOps on AWSAmazon Web Services
 
Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Teri Radichel
 
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech TalksAmazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech TalksAmazon Web Services
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best PracticesAleksandr Maklakov
 
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018Amazon Web Services
 
A 360-Degree Cloud-Native Approach to Secure Your AWS Cloud Stack (SEC313-S) ...
A 360-Degree Cloud-Native Approach to Secure Your AWS Cloud Stack (SEC313-S) ...A 360-Degree Cloud-Native Approach to Secure Your AWS Cloud Stack (SEC313-S) ...
A 360-Degree Cloud-Native Approach to Secure Your AWS Cloud Stack (SEC313-S) ...Amazon Web Services
 
MozDef Workshop slide
MozDef Workshop slideMozDef Workshop slide
MozDef Workshop slideCloudVillage
 
AWS Security Week: Why Your Customers Care About Compliance
AWS Security Week: Why Your Customers Care About ComplianceAWS Security Week: Why Your Customers Care About Compliance
AWS Security Week: Why Your Customers Care About ComplianceAmazon Web Services
 
Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018
Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018
Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018Amazon Web Services
 
AWS Security Week: Intro To Threat Detection & Remediation
AWS Security Week: Intro To Threat Detection & RemediationAWS Security Week: Intro To Threat Detection & Remediation
AWS Security Week: Intro To Threat Detection & RemediationAmazon Web Services
 
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018Amazon Web Services
 
Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Teri Radichel
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...CloudVillage
 
Amazon GuardDuty Threat Detection and Remediation
Amazon GuardDuty Threat Detection and RemediationAmazon GuardDuty Threat Detection and Remediation
Amazon GuardDuty Threat Detection and RemediationAmazon Web Services
 
Scaling threat detection and response on AWS
Scaling threat detection and response on AWSScaling threat detection and response on AWS
Scaling threat detection and response on AWSAmazon Web Services
 

More Related Content

What's hot

Automating Incident Response and Forensics in AWS
Automating Incident Response and Forensics in AWSAutomating Incident Response and Forensics in AWS
Automating Incident Response and Forensics in AWSAmazon Web Services
 
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...Amazon Web Services
 
Incident Response - Eyes Everywhere
Incident Response - Eyes EverywhereIncident Response - Eyes Everywhere
Incident Response - Eyes EverywhereAmazon Web Services
 
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...Amazon Web Services
 
AWS Security Week: Threat Detection & Remediation Workshop
AWS Security Week: Threat Detection & Remediation WorkshopAWS Security Week: Threat Detection & Remediation Workshop
AWS Security Week: Threat Detection & Remediation WorkshopAmazon Web Services
 
Incident Response: Eyes Everywhere - AWS Security Week at the SF Loft
Incident Response: Eyes Everywhere - AWS Security Week at the SF LoftIncident Response: Eyes Everywhere - AWS Security Week at the SF Loft
Incident Response: Eyes Everywhere - AWS Security Week at the SF LoftAmazon Web Services
 
Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Teri Radichel
 
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech TalksAmazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech TalksAmazon Web Services
 
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018Amazon Web Services
 
A 360-Degree Cloud-Native Approach to Secure Your AWS Cloud Stack (SEC313-S) ...
A 360-Degree Cloud-Native Approach to Secure Your AWS Cloud Stack (SEC313-S) ...A 360-Degree Cloud-Native Approach to Secure Your AWS Cloud Stack (SEC313-S) ...
A 360-Degree Cloud-Native Approach to Secure Your AWS Cloud Stack (SEC313-S) ...Amazon Web Services
 
MozDef Workshop slide
MozDef Workshop slideMozDef Workshop slide
MozDef Workshop slideCloudVillage
 
AWS Security Week: Why Your Customers Care About Compliance
AWS Security Week: Why Your Customers Care About ComplianceAWS Security Week: Why Your Customers Care About Compliance
AWS Security Week: Why Your Customers Care About ComplianceAmazon Web Services
 
Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018
Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018
Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018Amazon Web Services
 
AWS Security Week: Intro To Threat Detection & Remediation
AWS Security Week: Intro To Threat Detection & RemediationAWS Security Week: Intro To Threat Detection & Remediation
AWS Security Week: Intro To Threat Detection & RemediationAmazon Web Services
 
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018Amazon Web Services
 
Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Teri Radichel
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...CloudVillage
 

What's hot (20)

Automating Incident Response and Forensics in AWS
Automating Incident Response and Forensics in AWSAutomating Incident Response and Forensics in AWS
Automating Incident Response and Forensics in AWS
 
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
 
Amazon GuardDuty Lab
Amazon GuardDuty LabAmazon GuardDuty Lab
Amazon GuardDuty Lab
 
Incident Response - Eyes Everywhere
Incident Response - Eyes EverywhereIncident Response - Eyes Everywhere
Incident Response - Eyes Everywhere
 
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...
 
AWS Security Week: Threat Detection & Remediation Workshop
AWS Security Week: Threat Detection & Remediation WorkshopAWS Security Week: Threat Detection & Remediation Workshop
AWS Security Week: Threat Detection & Remediation Workshop
 
Incident Response: Eyes Everywhere - AWS Security Week at the SF Loft
Incident Response: Eyes Everywhere - AWS Security Week at the SF LoftIncident Response: Eyes Everywhere - AWS Security Week at the SF Loft
Incident Response: Eyes Everywhere - AWS Security Week at the SF Loft
 
DevOps on AWS
DevOps on AWSDevOps on AWS
DevOps on AWS
 
Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?
 
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech TalksAmazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best Practices
 
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018
Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018
 
A 360-Degree Cloud-Native Approach to Secure Your AWS Cloud Stack (SEC313-S) ...
A 360-Degree Cloud-Native Approach to Secure Your AWS Cloud Stack (SEC313-S) ...A 360-Degree Cloud-Native Approach to Secure Your AWS Cloud Stack (SEC313-S) ...
A 360-Degree Cloud-Native Approach to Secure Your AWS Cloud Stack (SEC313-S) ...
 
MozDef Workshop slide
MozDef Workshop slideMozDef Workshop slide
MozDef Workshop slide
 
AWS Security Week: Why Your Customers Care About Compliance
AWS Security Week: Why Your Customers Care About ComplianceAWS Security Week: Why Your Customers Care About Compliance
AWS Security Week: Why Your Customers Care About Compliance
 
Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018
Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018
Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018
 
AWS Security Week: Intro To Threat Detection & Remediation
AWS Security Week: Intro To Threat Detection & RemediationAWS Security Week: Intro To Threat Detection & Remediation
AWS Security Week: Intro To Threat Detection & Remediation
 
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018
 
Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
 

Similar to Threat Detection and Remediation Workshop

Amazon GuardDuty Threat Detection and Remediation
Amazon GuardDuty Threat Detection and RemediationAmazon GuardDuty Threat Detection and Remediation
Amazon GuardDuty Threat Detection and RemediationAmazon Web Services
 
Scaling threat detection and response on AWS
Scaling threat detection and response on AWSScaling threat detection and response on AWS
Scaling threat detection and response on AWSAmazon Web Services
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionAmazon Web Services
 
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...Amazon Web Services
 
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...Amazon Web Services
 
[NEW LAUNCH!] Introduction to AWS Security Hub (SEC397) - AWS re:Invent 2018
[NEW LAUNCH!] Introduction to AWS Security Hub (SEC397) - AWS re:Invent 2018[NEW LAUNCH!] Introduction to AWS Security Hub (SEC397) - AWS re:Invent 2018
[NEW LAUNCH!] Introduction to AWS Security Hub (SEC397) - AWS re:Invent 2018Amazon Web Services
 
SID304 Threat Detection and Remediation with Amazon GuardDuty
SID304 Threat Detection and Remediation with Amazon GuardDuty SID304 Threat Detection and Remediation with Amazon GuardDuty
SID304 Threat Detection and Remediation with Amazon GuardDutyAmazon Web Services
 
Building a security knowledge management platform for AWS - FND224 - AWS re:I...
Building a security knowledge management platform for AWS - FND224 - AWS re:I...Building a security knowledge management platform for AWS - FND224 - AWS re:I...
Building a security knowledge management platform for AWS - FND224 - AWS re:I...Amazon Web Services
 
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...Amazon Web Services
 
Security Framework Shakedown: Chart Your Journey with AWS Best Practices (SEC...
Security Framework Shakedown: Chart Your Journey with AWS Best Practices (SEC...Security Framework Shakedown: Chart Your Journey with AWS Best Practices (SEC...
Security Framework Shakedown: Chart Your Journey with AWS Best Practices (SEC...Amazon Web Services
 
Monitoring IoT Device Behavior with AWS IoT Device Defender Detect (IOT360) -...
Monitoring IoT Device Behavior with AWS IoT Device Defender Detect (IOT360) -...Monitoring IoT Device Behavior with AWS IoT Device Defender Detect (IOT360) -...
Monitoring IoT Device Behavior with AWS IoT Device Defender Detect (IOT360) -...Amazon Web Services
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionAmazon Web Services
 
Designing for Operability: Getting the Last Nines in Five-Nines Availability ...
Designing for Operability: Getting the Last Nines in Five-Nines Availability ...Designing for Operability: Getting the Last Nines in Five-Nines Availability ...
Designing for Operability: Getting the Last Nines in Five-Nines Availability ...Amazon Web Services
 
Incident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat ResponseIncident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat ResponseAmazon Web Services
 
Intro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSIntro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSAmazon Web Services
 
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Amazon Web Services
 
Get Started with Deep Learning and Computer Vision Using AWS DeepLens (AIM316...
Get Started with Deep Learning and Computer Vision Using AWS DeepLens (AIM316...Get Started with Deep Learning and Computer Vision Using AWS DeepLens (AIM316...
Get Started with Deep Learning and Computer Vision Using AWS DeepLens (AIM316...Amazon Web Services
 
Automating Incident Response and Forensics
Automating Incident Response and ForensicsAutomating Incident Response and Forensics
Automating Incident Response and ForensicsAmazon Web Services
 

Similar to Threat Detection and Remediation Workshop (20)

Amazon GuardDuty Threat Detection and Remediation
Amazon GuardDuty Threat Detection and RemediationAmazon GuardDuty Threat Detection and Remediation
Amazon GuardDuty Threat Detection and Remediation
 
Scaling threat detection and response on AWS
Scaling threat detection and response on AWSScaling threat detection and response on AWS
Scaling threat detection and response on AWS
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat Detection
 
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...
 
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...
 
[NEW LAUNCH!] Introduction to AWS Security Hub (SEC397) - AWS re:Invent 2018
[NEW LAUNCH!] Introduction to AWS Security Hub (SEC397) - AWS re:Invent 2018[NEW LAUNCH!] Introduction to AWS Security Hub (SEC397) - AWS re:Invent 2018
[NEW LAUNCH!] Introduction to AWS Security Hub (SEC397) - AWS re:Invent 2018
 
AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design
 
SID304 Threat Detection and Remediation with Amazon GuardDuty
SID304 Threat Detection and Remediation with Amazon GuardDuty SID304 Threat Detection and Remediation with Amazon GuardDuty
SID304 Threat Detection and Remediation with Amazon GuardDuty
 
Building a security knowledge management platform for AWS - FND224 - AWS re:I...
Building a security knowledge management platform for AWS - FND224 - AWS re:I...Building a security knowledge management platform for AWS - FND224 - AWS re:I...
Building a security knowledge management platform for AWS - FND224 - AWS re:I...
 
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
 
Security Framework Shakedown: Chart Your Journey with AWS Best Practices (SEC...
Security Framework Shakedown: Chart Your Journey with AWS Best Practices (SEC...Security Framework Shakedown: Chart Your Journey with AWS Best Practices (SEC...
Security Framework Shakedown: Chart Your Journey with AWS Best Practices (SEC...
 
Security@Scale
Security@ScaleSecurity@Scale
Security@Scale
 
Monitoring IoT Device Behavior with AWS IoT Device Defender Detect (IOT360) -...
Monitoring IoT Device Behavior with AWS IoT Device Defender Detect (IOT360) -...Monitoring IoT Device Behavior with AWS IoT Device Defender Detect (IOT360) -...
Monitoring IoT Device Behavior with AWS IoT Device Defender Detect (IOT360) -...
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat Detection
 
Designing for Operability: Getting the Last Nines in Five-Nines Availability ...
Designing for Operability: Getting the Last Nines in Five-Nines Availability ...Designing for Operability: Getting the Last Nines in Five-Nines Availability ...
Designing for Operability: Getting the Last Nines in Five-Nines Availability ...
 
Incident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat ResponseIncident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat Response
 
Intro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSIntro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWS
 
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
 
Get Started with Deep Learning and Computer Vision Using AWS DeepLens (AIM316...
Get Started with Deep Learning and Computer Vision Using AWS DeepLens (AIM316...Get Started with Deep Learning and Computer Vision Using AWS DeepLens (AIM316...
Get Started with Deep Learning and Computer Vision Using AWS DeepLens (AIM316...
 
Automating Incident Response and Forensics
Automating Incident Response and ForensicsAutomating Incident Response and Forensics
Automating Incident Response and Forensics
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Threat Detection and Remediation Workshop

  • 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sean Leviseur, Senior Security Consultant October 24th 2018 Threat Detection and Remediation Workshop Module 1
  • 2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Workshop agenda • Quick introduction to the workshop • Module 1: Environment build and configuration (20 min) • Run CloudFormation template and some setup • Module 2: Attack simulation (and presentation) (40 min) • Run CloudFormation template • Presentation • Module 3: Detection and remediation (45 min) • Investigate the attack • Module 4: Review and discussion (15 min) • Presentation / group Q&A • Cleanup
  • 3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Verizon Report Source: 2018 Data Breach Investigation Report, Verizon, 11th edition 2018 Verizon - 2018 Data Breach Investigations Report Data Breach Patterns
  • 4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What could possibly go wrong here?
  • 5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Start module 1 https://tinyurl.com/y84cc3pj (https://github.com/aws-samples/aws-security-workshops/tree/master/threat-detection-wksp) Directions: • Browse to https://tinyurl.com/y84cc3pj • Read through the workshop scenario • Click on Environment Build and Configuration at the end • Complete module (~15 min) then stop • We will later start module 2 and do a presentation use us-west-2
  • 6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Start module 1 – Important! https://tinyurl.com/y84cc3pj (https://github.com/aws-samples/aws-security-workshops/tree/master/threat-detection-wksp) use us-west-2
  • 7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sean Leviseur, Senior Security Consultant October 24th 2018 Threat Detection and Remediation Workshop Module 2
  • 8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Agenda • Module 2: Run the CloudFormation template (~5 min) • Threat detection and remediation intro presentation (~25 min) • Workshop walkthrough (~10 min)
  • 9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Start module 2 https://tinyurl.com/y84cc3pj (https://github.com/aws-samples/aws-security-workshops/tree/master/threat-detection-wksp) Directions: • Browse to https://tinyurl.com/y84cc3pj • Click on Attack Simulation at the end • Complete this module (~5 min) then stop • We will then do a presentation use us-west-2
  • 10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection and Remediation Intro
  • 11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Why is threat detection so hard? Skills shortageSignal to noiseLarge datasets
  • 12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Get humans away from the data and analysis AWS CISO Stephen Schmidt, at re:Invent 2017: “It's people who make mistakes, it's people who have good intentions but get phished, it's people who use the same credentials in multiple locations and don't use a hardware token for a multi-factor authentication… Get the humans away from the data.”
  • 13. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Detecting breaches Source: 2018 Data Breach Investigation Report, Verizon, 11th edition 2018
  • 14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Top Actions Taken to Address Security Issues Source: 2017 Forbes Insights – “Enterprises Reengineer Security in the Age of Digital Transformation” 2017 Forbes Insights – “Enterprises Reengineer Security in the Age of Digital Transformation” Source: 2017 Forbes Insights – “Enterprises Reengineer Security in the Age of Digital Transformation”
  • 15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS CloudTrail AWS Config Rules Amazon CloudWatch Logs Amazon GuardDuty VPC Flow Logs Amazon Macie AWS Shield AWS WAF AWS Systems Manager Amazon Inspector VPC KMS AWS CloudHSM IAM AWS Organizations AWS Cognito AWS Directory Service AWS Single Sign-On Certificate Manager Amazon Inspector AWS Config Rules AWS Lambda AWS Systems Manager Amazon CloudWatch Events Pro Services Raptor Protect RespondDetect RecoverIdentify AWS Lambda AWS DR and Backup Solutions AWS Systems Manager AWS Config AWS Security Solutions https://www.nist.gov/cyberframework
  • 16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection Services
  • 17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection: Log Data Inputs AWS CloudTrail VPC Flow Logs CloudWatch Logs DNS Logs Track user activity and API usage IP traffic to/from network interfaces in your VPC Monitor apps using log data, store & access log files Log of DNS queries in a VPC when using the VPC DNS resolver
  • 18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection: Machine Learning Amazon GuardDuty Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads Amazon Macie Machine learning-powered security service to discover, classify & protect sensitive data
  • 19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon GuardDuty
  • 20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What Can Amazon GuardDuty Detect? RDP brute force RAT Installed Exfiltrate data over DNS Probe API with temp creds Attempt to compromise account Malicious or suspicious IP Unusual ports DNS exfiltration Unusual traffic volume Connect to blacklisted site Recon Anonymizing proxy Temp credentials used off-instance Unusual ISP caller Bitcoin activity Unusual instance launch
  • 21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection: Evocations/Triggers Amazon CloudWatch Events Delivers a near real-time stream of system events that describe changes in AWS resources AWS Config rules Continuously tracks your resource configuration changes and if they violate any of the conditions in your rules
  • 22. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon CloudWatch Events { "source": [ "aws.guardduty" ] } CloudWatch Event GuardDuty findings Lambda function
  • 23. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Remediation Services
  • 24. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Remediation Services AWS Systems Manager AWS Lambda Amazon Inspector Run code for virtually any kind of application or backend service – zero administration Gain operational insights and take action on AWS resources Automate security assessments of EC2 instances
  • 25. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. High-Level Playbook Adversary or intern Your environment Lambda function CloudWatch Events
  • 26. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Workshop walkthrough
  • 27. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. The initial setup
  • 28. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 1 setup
  • 29. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Start module 3 https://tinyurl.com/y84cc3pj (https://github.com/aws-samples/aws-security-workshops/tree/master/threat-detection-wksp) Directions: • Browse to https://tinyurl.com/y84cc3pj • Click on Detection & Remediation at the end • Run through this module (~45 min) • We will then finish up with module 4 and cleanup use us-west-2
  • 30. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sean Leviseur, Senior Security Consultant October 24th 2018 Threat Detection and Remediation Workshop Module 4 – Review, Discussion, Questions & Cleanup
  • 31. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Agenda • Review & Discussion – 5 min • Questions – 15 min • Cleanup
  • 32. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Review & Discussion
  • 33. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. The Attack
  • 34. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 2 setup
  • 35. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What really happened?
  • 36. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Questions