Uploaded byCloudVillage
6,327 views

Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture

This document discusses using Splunk/ELK to audit the security posture of cloud environments like AWS, GCP, and Azure. It introduces Rod Soto and José Hernandez, security researchers at Splunk. It then outlines common cloud attack vectors and targets. It proposes common criteria for auditing cloud security across compute, management, storage, security, and network areas. Finally, it introduces the Cloud Security Suite tool for unified auditing across clouds and how outputs can be integrated with Splunk/ELK for analysis and alerting.

Embed presentation

Downloaded 22 times
Using Splunk/ELK for Auditing AWS/GCP/Azure Security Posture By Rod Soto and José Hernandez
$Whoami José Hernandez Principal Security Researcher at Splunk. He started his professional career at Prolexic Technologies (now Akamai), fighting DDOS attacks against Fortune 100 companies perpetrated by “anonymous” and “lulzsec.” As a engineering co-founder of Zenedge Inc. (acquired by Oracle Inc.), José helped build technologies to fight bots and web-application attacks. He has also built security operation centers and run a public threat-intelligence service. Rod Soto Principal Security Research Engineer at Splunk. Worked at Prolexic Technologies (now Akamai), and Caspida. Cofounder of Hackmiami and Pacific Hackers meetups and conferences. Creator of Kommand && KonTroll / NoQrtr-CTF.
Security in the Cloud... ● The cloud is prevalent and pervasive in all that we do. ● Cloud providers are not invulnerable and attacks against them affect our lives. ● As cloud adoption expands, there are an increasing number of new technologies and unknowns. ● Cloud security is not an exact translation of inside-the-perimeter security. ● Every provider has its own set of technologies, features, and security items. ● While there are several cloud-security initiatives, it is still an ongoing effort. ● There are a range of emerging tools designed to assess the cloud. We chose CS Suite because it helps analysts assess Azure, AWS, and GCP.
...Security in the Cloud
The Imaginary Line Between Provider And Customer
The Imaginary Line Is Not That Imaginary… AWS
Azure
GCP
Cloud Attacks Highlights ● Sony (2011): 77M users ● ICloud (2014): The Fappening ● CloudHopper: (2014 - 2016 - )(IBM, Fujitsu, NTT Data, Tata, HP, DXC, Dimension, CSC) ● Ashley Madison: (2015) / AFF (2015/2016) ● Equifax (2017): 143M customers ● HBO (2017): 1.5 TB of data stolen, including unreleased GoT ● Marriott (2018): 327M accounts ● Kubernetes: CVE-2018-1002105 (PrivEsc) ● Yup…2019 Capital One: 100M accounts
Main Cloud Attack Vectors CSA: "Treacherous 12" 1. Data breaches 2. Insufficient identity, credential, and access management 3. Insecure interfaces and application-programming interfaces (APIs) 4. System vulnerabilities 5. Account hijacking 6. Malicious insiders
Main Cloud Attack Vectors CSA: Treacherous 12 7. Advanced persistent threats (APTs) 8. Data loss 9. Insufficient due diligence 10. Abuse and nefarious use of cloud services 11. Denial of Service (DoS) 12. Shared technology vulnerabilities
Main Targets of Cloud Attacks ● Users: ATO, key exfil, phishing ● Providers: AZ, AWS, GCP ● Admins: Like Domain Admin, they have access to all ● Resources: Cryptomining, DDoS for rent ● Data: Everyone's private life and work information ● Third parties Partner or co-tenant gets hacked, actor pivots to your cloud, attacks affecting IdP
DevOps Attack Surface (CI/CD Pipeline) ● Source code repository: Bitbucket, Beanstalk, Github, Gitlab, SVN, S3 buckets ● CI/CD platform: TravisCI, Jenkins, CircleCI, Gitlab ● Container repository: Docker, Vagrant ● IaaS Provider: Kubernetes flavor, OpenStack (this may also be local in some private, hybrid environments) ● IaC Ansible, Terraform, Chef, Cloudformation
Main Cloud Attack Surface Segments HTTP, API, web services, web sockets Compute backend, distributed processing CLAN/CWAN Databases SQL/NOSQL Storage (block, object, file) Internet/intranet client
Can We Create Common Criteria For Cloud Security?
Common Criteria For Cloud Security 1. Network: External access, VLAN/VWAN, VPN, routing 2. Security: CIA → heavy emphasis in IAM, encryption, and FWs 3. Compute: Artifacts such as virtual machines, containers, apps, microservices 4. Database: SQL, NOSQL 5. Storage: Basically buckets and file type storage (block, object, file) 6. Management: Kubernetes flavor, logging setup, Management access
Common Criteria for Cloud Security Audits Compute AWS: EC2, Lightsail, Lambda, Elastic Beanstalk, ECS, EKS, Batch, ECR, Kubernetes Azure: Virtual machines (VMs), load balancers, app services, batch, Mesh, disks, Kubernetes GCP: VM Instances, disks, snapshots, images, TPUs, metadata, zones, Kubernetes, "big data"
Common Criteria for Cloud Security Audits Management AWS: Console, CloudTrail, Config, OpsWorks, Systems Manager, CloudFormation, Kubernetes Azure: Console, Monitor, Advisor, activity log, metrics, manage applications, solutions, Kubernetes GCP: Console, StackDriver, audit logs, cloud tasks
Common Criteria for Cloud Security Audits Storage AWS: S3, EFS, FSx, S3 Glacier, storage gateway, AWS backup Azure: Data Box, Storage explorer, StorSimple, Data Lake Storage GCP: Bigtable, Buckets, DataStore, FireStore, Filestore, Spanner, Memorystore
Common Criteria for Cloud Security Audits Security AWS: IAM, Resource Access Manager, Secrets Manager, GuardDuty, AWS SSO, Certificate Manager, Key Management Service, Dir Service, WAF & Shield, Security Hub Azure: Azure AD, Security Center (encryption, FW, WAF, etc.), Azure Vault GCP: Security Command Center, Cloud Identity-Aware Proxy, Access Context Manager, VPC, Binary Authorization, Data Loss Prevention, cryptographic keys, Access Approval, Web Security Scanner
Common Criteria for Cloud Security Audits Network AWS: VPC, CloudFront, Route53, API Gateway, Direct Connect, AWS App Mesh, AWS Cloud Map, Global Accelerator Azure: Virtual Networks, Load Balancers, DNS zones, CDN, Traffic Manager, ExpressRoutes, IPs, route tables/filters, Virtual WANS, Network Interfaces GCP: Virtual Private Cloud network, Network Services, Hybrid Connectivity, Network Service Tiers, network security
Common Criteria for Cloud Security Audits Database AWS: RDS, DynamoDB, ElastiCache, Neptune, Amazon Redshift, Amazon QLDB, Amazon DocumentDB Azure: SQL DB, Azure DB for PostGres/MariaDB, Redis, SQL Elastic pools, Cosmos DB GCP: Datastore, BigQuery, MongoDB, PostgreSQL
Enter Cloud Security Suite One-stop tool for auditing the security posture of AWS/GCP/Azure infrastructure Gathers and presents unified information from the following tools: ● GScout ● Scout2 ● Prowler ● Lynis ● Azure Audit template
Installation Github https://github.com/SecurityFTW/cs-suite ● We modified the original project to produce output logs that can be ingested by major SIEM frameworks. ● You will need CLI tools, accounts with read privileges, and an API token for authentication, in some cases. ● Your vision may vary, depending on segmented resources and organizational architecture. ● The tool, however, presents a nice report category interface.
Azure Security Benchmarks
GCP Security Benchmark
AWS Security Benchmarks
The Challenge Of Getting All These Sources Together... ● Logging in the cloud costs $ and requires time for setup. It is not provided by default (CloudTrail, Stackdriver, Azure Monitor, GCP Stackdriver). ● A log indexing and data streaming pipeline infrastructure (Splunk/ELK) needs to be present. ● Architecture of streaming and storage ● A framework that allows analysis and further knowledge operation (basically SIEM). ● Most of the cloud providers have JSON output. Not all monitoring logs are in JSON file, but enough to get a first comprehensive approach.
Architectural Diagram
Integration with popular SIEMS Splunk/ELK - Based on the common criteria items we can create knowledge objects that can allow the analyst have a better vision on cloud security resources - Things such as dashboards, reports can help analysts make sense of the onslaught of logs coming from such disparate sources - We can then create alerts, lookups and even SOAR playbooks that can help us automate from the onslaught of logs.
ELK
ELK Logstash
Kibana slide
Splunk
SPLUNK
SPLUNK
SPLUNK
Splunk Alerts on Results
Q&A Thank You! Rod Soto @rodsoto rod@rodsoto.net Jose Hernandez @d1vious josehelps.com

More Related Content

PDF
Battle in the Clouds - Attacker vs Defender on AWS
byCloudVillage
 
PPTX
Scaling Security in the Cloud With Open Source
byCloudVillage
 
PDF
Pragmatic Cloud Security Automation
byCloudVillage
 
PDF
Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid
byCloudVillage
 
PPTX
Native cloud security monitoring
byJohn Varghese
 
PDF
Serverless security - how to protect what you don't see?
bySqreen
 
PDF
Mining Malevolence: Cryptominers in the Cloud
byCloudVillage
 
PDF
MozDef Workshop slide
byCloudVillage
 
Battle in the Clouds - Attacker vs Defender on AWS
byCloudVillage
 
Scaling Security in the Cloud With Open Source
byCloudVillage
 
Pragmatic Cloud Security Automation
byCloudVillage
 
Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid
byCloudVillage
 
Native cloud security monitoring
byJohn Varghese
 
Serverless security - how to protect what you don't see?
bySqreen
 
Mining Malevolence: Cryptominers in the Cloud
byCloudVillage
 
MozDef Workshop slide
byCloudVillage
 

What's hot

PPTX
AWS Security Strategy
by2nd Sight Lab
 
PDF
Practical Guide to Securing Kubernetes
byLacework
 
PDF
Phishing in the cloud era
byCloudVillage
 
PDF
Securing aws workloads with embedded application security
byJohn Varghese
 
PDF
Securing your AWS Deployments with Spinnaker and Armory Enterprise
byDevOps.com
 
PPTX
Crypto Miners in the Cloud
by2nd Sight Lab
 
PPTX
Lacework Kubernetes Meetup | August 28, 2018
byLacework
 
PPTX
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
byLacework
 
PDF
Security threats with Kubernetes - Igor Khoroshchenko
byKuberton
 
PPTX
How to implement DevSecOps on AWS for startups
byAleksandr Maklakov
 
PDF
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
byEvident.io
 
PDF
The AWS Shared Responsibility Model in Practice
byAlert Logic
 
PDF
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
byHashiCorp
 
PPTX
Lacework Overview: Security Redefined for Cloud Scale
byLacework
 
PPTX
Lacework for AWS Security Overview
byLacework
 
PPTX
Security for Complex Networks on AWS
by2nd Sight Lab
 
AWS Security Strategy
by2nd Sight Lab
 
Practical Guide to Securing Kubernetes
byLacework
 
Phishing in the cloud era
byCloudVillage
 
Securing aws workloads with embedded application security
byJohn Varghese
 
Securing your AWS Deployments with Spinnaker and Armory Enterprise
byDevOps.com
 
Crypto Miners in the Cloud
by2nd Sight Lab
 
Lacework Kubernetes Meetup | August 28, 2018
byLacework
 
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
byLacework
 
Security threats with Kubernetes - Igor Khoroshchenko
byKuberton
 
How to implement DevSecOps on AWS for startups
byAleksandr Maklakov
 
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
byEvident.io
 
The AWS Shared Responsibility Model in Practice
byAlert Logic
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
byHashiCorp
 
Lacework Overview: Security Redefined for Cloud Scale
byLacework
 
Lacework for AWS Security Overview
byLacework
 
Security for Complex Networks on AWS
by2nd Sight Lab
 

Similar to Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture

PDF
Practical Cloud Security A Guide For Secure Design And Deployment 1st Edition...
byjaromdembo
 
PDF
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
byPriyanka Aash
 
PDF
Practical Cloud Security A Guide for Secure Design and Deployment 1st Edition...
byomorialeksi5
 
PDF
Practical Cloud Security A Guide for Secure Design and Deployment 1st Edition...
bybvpxmqwie0546
 
PPTX
Cloud computing and Cloud security fundamentals
byViresh Suri
 
PDF
Unified Protection for Multi-Cloud Infrastructure
byMarketingArrowECS_CZ
 
PDF
The 3 Recommendations for Cloud Security
byVAST
 
PDF
Cumulonimbus fortification-secure-your-data-in-the-cloud
byDavid Busby, CISSP
 
PDF
AWS Pentesting
byMichaelRodriguesdosS1
 
PDF
Top 10 cloud security tools to adopt in 2024.pdf
byJohn David
 
PPTX
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
byOutpost24
 
PDF
Presd1 10
byNiels Groeneveld
 
PDF
A Cloud Security Ghost Story Craig Balding
bycraigbalding
 
PDF
DEF CON 25 - Gerald-Steere-and-Sean-Metcalf-Hacking-the-Cloud.pdf
bywerhkr1
 
PDF
AWS Cloud Security
byAmazon Web Services LATAM
 
PPTX
Cloud Security Zen: Principles to Meditate On
bySamuel Reed
 
PPTX
Hack proof your aws cloud cloudcheckr_040416
byJarrett Plante
 
PPTX
Hackproof Your Cloud: Responding to 2016 Threats
byCloudCheckr
 
PDF
Lab 5.1 Architecture + Threat Modeling Exercise - 2nd Sight Lab Cloud Securit...
by2nd Sight Lab
 
PPTX
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
byRootedCON
 
Practical Cloud Security A Guide For Secure Design And Deployment 1st Edition...
byjaromdembo
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
byPriyanka Aash
 
Practical Cloud Security A Guide for Secure Design and Deployment 1st Edition...
byomorialeksi5
 
Practical Cloud Security A Guide for Secure Design and Deployment 1st Edition...
bybvpxmqwie0546
 
Cloud computing and Cloud security fundamentals
byViresh Suri
 
Unified Protection for Multi-Cloud Infrastructure
byMarketingArrowECS_CZ
 
The 3 Recommendations for Cloud Security
byVAST
 
Cumulonimbus fortification-secure-your-data-in-the-cloud
byDavid Busby, CISSP
 
AWS Pentesting
byMichaelRodriguesdosS1
 
Top 10 cloud security tools to adopt in 2024.pdf
byJohn David
 
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
byOutpost24
 
Presd1 10
byNiels Groeneveld
 
A Cloud Security Ghost Story Craig Balding
bycraigbalding
 
DEF CON 25 - Gerald-Steere-and-Sean-Metcalf-Hacking-the-Cloud.pdf
bywerhkr1
 
AWS Cloud Security
byAmazon Web Services LATAM
 
Cloud Security Zen: Principles to Meditate On
bySamuel Reed
 
Hack proof your aws cloud cloudcheckr_040416
byJarrett Plante
 
Hackproof Your Cloud: Responding to 2016 Threats
byCloudCheckr
 
Lab 5.1 Architecture + Threat Modeling Exercise - 2nd Sight Lab Cloud Securit...
by2nd Sight Lab
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
byRootedCON
 

Recently uploaded

PDF
Role of Training and Development in Enhancing Safety Performance in Opencast ...
byRathin Biswas
 
PPTX
ME3592 - Metrology and Measurements - Unit - 1 - Lecture Notes
bypprakash21252
 
PPTX
Batch-1(End Semester) Student Of Shree Durga Tech. PPT.pptx
byrashesw1122s
 
PDF
PROBLEM SLOVING AND PYTHON PROGRAMMING UNIT 3.pdf
byA R SIVANESH M.E., QIP-PG (Cyber Security)., (Ph.D)
 
PDF
Industrial Tools Manufacturers In India : Torso Tools
bytorsotools8
 
PDF
Shear Strength of Soil (Direct shear test).pdf
byMahmoodKhalid11
 
PDF
DAA Lab Manual ssit -kavya r.pdf or Digital Design and Analysis of Algorithm ...
bykavya R
 
PDF
Unit-I Process Management 1.9 Scheduling Criteria, Scheduling Algorithms
bySanjay Gunjal
 
PPTX
How Does LNG Regasification Work | INOXCVA
byINOXCVA
 
PPTX
This Bearing Didn’t Fail Suddenly — How Vibration Data Predicts Failure Month...
byMaintWiz Technologies Private Limited
 
PDF
Plasticity and Structure of Soil/Atterberg Limits.pdf
byMahmoodKhalid11
 
PPTX
traffic safety section seven (Traffic Control and Management) of Act
byazeRakeshSunariMagar
 
PDF
Rajesh Prasad- Brief Profile with educational, professional highlights
byRajesh Prasad
 
PPTX
Presentation-WPS Office.pptx afgouvhyhgfccf
byEndaleTimerga
 
PDF
engineering management chapter 5 ppt presentation
byericaangelatoledo06
 
PDF
AWS Re:Invent 2025 Recap by FivexL - Guilherme, Vladimir, Andrey
byAndrey Devyatkin
 
PDF
Model QP 2025 scheme Q &A- Module 1 and 2.pdf
bySURESHA V
 
PPTX
uADPF Topology_SFP requirements_locked slides.pptx
byMd Bellal Hossain
 
PDF
NS unit wise unit wise 1 -5 so prepare,.
bykumaransudhan1512
 
PPTX
Designing Work for Humans, Not Machines: Human-Centered Maintenance Excellence
byMaintWiz Technologies Private Limited
 
Role of Training and Development in Enhancing Safety Performance in Opencast ...
byRathin Biswas
 
ME3592 - Metrology and Measurements - Unit - 1 - Lecture Notes
bypprakash21252
 
Batch-1(End Semester) Student Of Shree Durga Tech. PPT.pptx
byrashesw1122s
 
PROBLEM SLOVING AND PYTHON PROGRAMMING UNIT 3.pdf
byA R SIVANESH M.E., QIP-PG (Cyber Security)., (Ph.D)
 
Industrial Tools Manufacturers In India : Torso Tools
bytorsotools8
 
Shear Strength of Soil (Direct shear test).pdf
byMahmoodKhalid11
 
DAA Lab Manual ssit -kavya r.pdf or Digital Design and Analysis of Algorithm ...
bykavya R
 
Unit-I Process Management 1.9 Scheduling Criteria, Scheduling Algorithms
bySanjay Gunjal
 
How Does LNG Regasification Work | INOXCVA
byINOXCVA
 
This Bearing Didn’t Fail Suddenly — How Vibration Data Predicts Failure Month...
byMaintWiz Technologies Private Limited
 
Plasticity and Structure of Soil/Atterberg Limits.pdf
byMahmoodKhalid11
 
traffic safety section seven (Traffic Control and Management) of Act
byazeRakeshSunariMagar
 
Rajesh Prasad- Brief Profile with educational, professional highlights
byRajesh Prasad
 
Presentation-WPS Office.pptx afgouvhyhgfccf
byEndaleTimerga
 
engineering management chapter 5 ppt presentation
byericaangelatoledo06
 
AWS Re:Invent 2025 Recap by FivexL - Guilherme, Vladimir, Andrey
byAndrey Devyatkin
 
Model QP 2025 scheme Q &A- Module 1 and 2.pdf
bySURESHA V
 
uADPF Topology_SFP requirements_locked slides.pptx
byMd Bellal Hossain
 
NS unit wise unit wise 1 -5 so prepare,.
bykumaransudhan1512
 
Designing Work for Humans, Not Machines: Human-Centered Maintenance Excellence
byMaintWiz Technologies Private Limited
 

Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture

  • 1.
    Using Splunk/ELK forAuditing AWS/GCP/Azure Security Posture By Rod Soto and José Hernandez
  • 2.
    $Whoami José Hernandez Principal SecurityResearcher at Splunk. He started his professional career at Prolexic Technologies (now Akamai), fighting DDOS attacks against Fortune 100 companies perpetrated by “anonymous” and “lulzsec.” As a engineering co-founder of Zenedge Inc. (acquired by Oracle Inc.), José helped build technologies to fight bots and web-application attacks. He has also built security operation centers and run a public threat-intelligence service. Rod Soto Principal Security Research Engineer at Splunk. Worked at Prolexic Technologies (now Akamai), and Caspida. Cofounder of Hackmiami and Pacific Hackers meetups and conferences. Creator of Kommand && KonTroll / NoQrtr-CTF.
  • 3.
    Security in theCloud... ● The cloud is prevalent and pervasive in all that we do. ● Cloud providers are not invulnerable and attacks against them affect our lives. ● As cloud adoption expands, there are an increasing number of new technologies and unknowns. ● Cloud security is not an exact translation of inside-the-perimeter security. ● Every provider has its own set of technologies, features, and security items. ● While there are several cloud-security initiatives, it is still an ongoing effort. ● There are a range of emerging tools designed to assess the cloud. We chose CS Suite because it helps analysts assess Azure, AWS, and GCP.
  • 4.
  • 5.
    The Imaginary LineBetween Provider And Customer
  • 6.
    The Imaginary LineIs Not That Imaginary… AWS
  • 7.
  • 8.
  • 9.
    Cloud Attacks Highlights ●Sony (2011): 77M users ● ICloud (2014): The Fappening ● CloudHopper: (2014 - 2016 - )(IBM, Fujitsu, NTT Data, Tata, HP, DXC, Dimension, CSC) ● Ashley Madison: (2015) / AFF (2015/2016) ● Equifax (2017): 143M customers ● HBO (2017): 1.5 TB of data stolen, including unreleased GoT ● Marriott (2018): 327M accounts ● Kubernetes: CVE-2018-1002105 (PrivEsc) ● Yup…2019 Capital One: 100M accounts
  • 10.
    Main Cloud AttackVectors CSA: "Treacherous 12" 1. Data breaches 2. Insufficient identity, credential, and access management 3. Insecure interfaces and application-programming interfaces (APIs) 4. System vulnerabilities 5. Account hijacking 6. Malicious insiders
  • 11.
    Main Cloud AttackVectors CSA: Treacherous 12 7. Advanced persistent threats (APTs) 8. Data loss 9. Insufficient due diligence 10. Abuse and nefarious use of cloud services 11. Denial of Service (DoS) 12. Shared technology vulnerabilities
  • 12.
    Main Targets ofCloud Attacks ● Users: ATO, key exfil, phishing ● Providers: AZ, AWS, GCP ● Admins: Like Domain Admin, they have access to all ● Resources: Cryptomining, DDoS for rent ● Data: Everyone's private life and work information ● Third parties Partner or co-tenant gets hacked, actor pivots to your cloud, attacks affecting IdP
  • 13.
    DevOps Attack Surface(CI/CD Pipeline) ● Source code repository: Bitbucket, Beanstalk, Github, Gitlab, SVN, S3 buckets ● CI/CD platform: TravisCI, Jenkins, CircleCI, Gitlab ● Container repository: Docker, Vagrant ● IaaS Provider: Kubernetes flavor, OpenStack (this may also be local in some private, hybrid environments) ● IaC Ansible, Terraform, Chef, Cloudformation
  • 14.
    Main Cloud AttackSurface Segments HTTP, API, web services, web sockets Compute backend, distributed processing CLAN/CWAN Databases SQL/NOSQL Storage (block, object, file) Internet/intranet client
  • 15.
    Can We CreateCommon Criteria For Cloud Security?
  • 16.
    Common Criteria ForCloud Security 1. Network: External access, VLAN/VWAN, VPN, routing 2. Security: CIA → heavy emphasis in IAM, encryption, and FWs 3. Compute: Artifacts such as virtual machines, containers, apps, microservices 4. Database: SQL, NOSQL 5. Storage: Basically buckets and file type storage (block, object, file) 6. Management: Kubernetes flavor, logging setup, Management access
  • 17.
    Common Criteria forCloud Security Audits Compute AWS: EC2, Lightsail, Lambda, Elastic Beanstalk, ECS, EKS, Batch, ECR, Kubernetes Azure: Virtual machines (VMs), load balancers, app services, batch, Mesh, disks, Kubernetes GCP: VM Instances, disks, snapshots, images, TPUs, metadata, zones, Kubernetes, "big data"
  • 18.
    Common Criteria forCloud Security Audits Management AWS: Console, CloudTrail, Config, OpsWorks, Systems Manager, CloudFormation, Kubernetes Azure: Console, Monitor, Advisor, activity log, metrics, manage applications, solutions, Kubernetes GCP: Console, StackDriver, audit logs, cloud tasks
  • 19.
    Common Criteria forCloud Security Audits Storage AWS: S3, EFS, FSx, S3 Glacier, storage gateway, AWS backup Azure: Data Box, Storage explorer, StorSimple, Data Lake Storage GCP: Bigtable, Buckets, DataStore, FireStore, Filestore, Spanner, Memorystore
  • 20.
    Common Criteria forCloud Security Audits Security AWS: IAM, Resource Access Manager, Secrets Manager, GuardDuty, AWS SSO, Certificate Manager, Key Management Service, Dir Service, WAF & Shield, Security Hub Azure: Azure AD, Security Center (encryption, FW, WAF, etc.), Azure Vault GCP: Security Command Center, Cloud Identity-Aware Proxy, Access Context Manager, VPC, Binary Authorization, Data Loss Prevention, cryptographic keys, Access Approval, Web Security Scanner
  • 21.
    Common Criteria forCloud Security Audits Network AWS: VPC, CloudFront, Route53, API Gateway, Direct Connect, AWS App Mesh, AWS Cloud Map, Global Accelerator Azure: Virtual Networks, Load Balancers, DNS zones, CDN, Traffic Manager, ExpressRoutes, IPs, route tables/filters, Virtual WANS, Network Interfaces GCP: Virtual Private Cloud network, Network Services, Hybrid Connectivity, Network Service Tiers, network security
  • 22.
    Common Criteria forCloud Security Audits Database AWS: RDS, DynamoDB, ElastiCache, Neptune, Amazon Redshift, Amazon QLDB, Amazon DocumentDB Azure: SQL DB, Azure DB for PostGres/MariaDB, Redis, SQL Elastic pools, Cosmos DB GCP: Datastore, BigQuery, MongoDB, PostgreSQL
  • 23.
    Enter Cloud SecuritySuite One-stop tool for auditing the security posture of AWS/GCP/Azure infrastructure Gathers and presents unified information from the following tools: ● GScout ● Scout2 ● Prowler ● Lynis ● Azure Audit template
  • 24.
    Installation Github https://github.com/SecurityFTW/cs-suite ● Wemodified the original project to produce output logs that can be ingested by major SIEM frameworks. ● You will need CLI tools, accounts with read privileges, and an API token for authentication, in some cases. ● Your vision may vary, depending on segmented resources and organizational architecture. ● The tool, however, presents a nice report category interface.
  • 25.
  • 26.
  • 27.
  • 28.
    The Challenge OfGetting All These Sources Together... ● Logging in the cloud costs $ and requires time for setup. It is not provided by default (CloudTrail, Stackdriver, Azure Monitor, GCP Stackdriver). ● A log indexing and data streaming pipeline infrastructure (Splunk/ELK) needs to be present. ● Architecture of streaming and storage ● A framework that allows analysis and further knowledge operation (basically SIEM). ● Most of the cloud providers have JSON output. Not all monitoring logs are in JSON file, but enough to get a first comprehensive approach.
  • 29.
  • 30.
    Integration with popularSIEMS Splunk/ELK - Based on the common criteria items we can create knowledge objects that can allow the analyst have a better vision on cloud security resources - Things such as dashboards, reports can help analysts make sense of the onslaught of logs coming from such disparate sources - We can then create alerts, lookups and even SOAR playbooks that can help us automate from the onslaught of logs.
  • 31.
  • 33.
  • 34.
  • 35.
  • 36.
  • 38.
  • 39.
  • 40.
  • 41.
    Q&A Thank You! Rod Soto@rodsoto rod@rodsoto.net Jose Hernandez @d1vious josehelps.com