Additional Security Services on AWS
Transcript of the slide deck "Additional Security Services on AWS"
Source deck: aws-de-media.s3.amazonaws.com/images/AWS_Summit_2018/June7/Coral...
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Bertram Dorn
Specialized Solutions Architect
Security / Compliance / DataProtection
AWS EMEA
Additional Security Services on AWS
The Landscape
The Paths
Diagram labels: Cloud; Data Path; Command Path; Application Path; Managed by Customer.
Services: Command Path
• Amazon Macie
• Amazon CloudWatch
• AWS CloudTrail
• AWS Config
• IAM
• AWS Organizations
• AWS KMS
• VPC Flow Logs
• Amazon ES, EBS, S3, SQS, Work*, SSM
• Amazon GuardDuty
Services: Data Path
• AWS Shield
• AWS WAF
• Elastic Load Balancing*
• AWS Direct Connect
• Amazon CloudFront
• Amazon Route 53
• Amazon Inspector
• AWS Certificate Manager
• Amazon API Gateway
• AWS Lambda
• Virtual private cloud (VPC)
• Customer gateway
• Internet gateway
• VPC peering
• VPN gateway
• Amazon EC2 Systems Manager
• AWS CloudHSM
Four Pillars of our approach to Protection
• AWS Integration: DDoS protection without infrastructure changes
• Affordable: don't force unnecessary trade-offs between cost and availability
• Flexible: customize protections for your applications
• Always-On Detection and Mitigation: minimize impact on application latency
Amazon GuardDuty
Find the Needle, Skip the Haystack
GuardDuty helps security professionals quickly find the threats (needle) to their environments in the sea of log data (haystack) so they can focus on hardening their AWS environments and responding quickly to malicious or suspicious behavior.
Amazon GuardDuty: All Signal, No Noise
GuardDuty Data Sources

VPC Flow Logs
• VPC Flow Logs do not need to be turned on for GuardDuty to generate findings; the data is consumed through an independent duplicate stream.
• Turning on VPC Flow Logs is suggested anyway, to augment your own data analysis (charges apply).

DNS Logs
• DNS-based findings are based on queries made from EC2 instances to known questionable domains.
• These DNS logs are in addition to Route 53 query logs; Route 53 is not required for GuardDuty to generate DNS-based findings. GuardDuty only sees queries that go through the AWS-provided VPC resolver, so instances pointed at a third-party DNS server are not covered by this source.

CloudTrail Events
• CloudTrail history of AWS API calls used to access the Management Console, SDKs, CLI, etc., presented by GuardDuty.
• Identification of user and account activity, including the source IP address used to make the calls.

Capture and save all finding data via CloudWatch Events (CWE) or the GuardDuty API for long-term retention. Additional charges apply.
GuardDuty Findings: Threat Purpose Details
The first part of a finding type describes the primary purpose of the threat. These purposes were available at launch, with more coming:
• Backdoor: resource compromised and capable of contacting its command source
• Behavior: activity that differs from the established baseline
• CryptoCurrency: detected software associated with crypto currencies
• PenTest: activity detected similar to that generated by known pen-testing tools
• Recon: attacker scoping vulnerabilities by probing ports, listeners, database tables, etc.
• Stealth: attacker trying to hide actions / tracks
• Trojan: program detected carrying out suspicious activity
• UnauthorizedAccess: suspicious activity / pattern by an unauthorized user
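The two preceding slides (retention of findings via CloudWatch Events or the API, and the threat purpose taxonomy) come together in practice as a small consumer of finding events. The following Python is an added example, not code from the talk or from AWS: it parses GuardDuty's documented finding type grammar (ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact), checks an event against the pattern a CloudWatch Events rule uses to select GuardDuty findings, and turns the result into a route and an archive key. The sample event, its account ID, the severity-to-route policy and the S3 key layout are assumptions constructed for the demo.

```python
"""Parse GuardDuty finding types and triage findings delivered via CloudWatch Events.

Added example, not code from the talk or from AWS. The finding-type grammar and the
event pattern are GuardDuty's own; the sample event, the account ID, the routing
policy and the archive key layout are constructed assumptions for the demo.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/(?P<family>[^.!]+)"
    r"(?:\.(?P<mechanism>[^!]+))?(?:!(?P<artifact>.+))?$"
)

# Threat purposes from the slide (GuardDuty has added more since 2018).
PURPOSES = {
    "Backdoor": "resource compromised and capable of contacting its command source",
    "Behavior": "activity that differs from the established baseline",
    "CryptoCurrency": "software associated with crypto currencies detected",
    "PenTest": "activity resembling known penetration-testing tools",
    "Recon": "attacker scoping vulnerabilities by probing ports, listeners, database tables",
    "Stealth": "attacker trying to hide actions or tracks",
    "Trojan": "program detected carrying out suspicious activity",
    "UnauthorizedAccess": "suspicious activity or pattern by an unauthorized user",
}

# Event pattern a CloudWatch Events (now EventBridge) rule uses to select GuardDuty findings.
GUARDDUTY_EVENT_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}


@dataclass
class FindingType:
    purpose: str
    resource: str
    family: str
    mechanism: Optional[str]
    artifact: Optional[str]


def parse_finding_type(finding_type: str) -> FindingType:
    m = FINDING_TYPE_RE.match(finding_type)
    if not m:
        raise ValueError(f"unrecognised GuardDuty finding type: {finding_type!r}")
    return FindingType(**m.groupdict())


def matches_pattern(event: dict, pattern: dict) -> bool:
    """Subset of event-pattern matching: every pattern key must be present with a listed value."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not (isinstance(event[key], dict) and matches_pattern(event[key], allowed)):
                return False
        elif event[key] not in allowed:
            return False
    return True


def severity_label(severity: float) -> str:
    """GuardDuty severity bands: 7.0-8.9 High, 4.0-6.9 Medium, 0.1-3.9 Low."""
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    return "LOW"


def triage(event: dict) -> dict:
    """Classify one GuardDuty finding event and decide where it goes (assumed routing policy)."""
    if not matches_pattern(event, GUARDDUTY_EVENT_PATTERN):
        raise ValueError("not a GuardDuty finding event")
    finding = event["detail"]
    ft = parse_finding_type(finding["type"])
    sev = severity_label(finding["severity"])
    # Assumed policy: page on HIGH, or whenever the purpose implies an already compromised resource.
    urgent = sev == "HIGH" or ft.purpose in {"Backdoor", "Trojan", "UnauthorizedAccess"}
    return {
        "purpose": ft.purpose,
        "purpose_description": PURPOSES.get(ft.purpose, "new purpose, not on the 2018 list"),
        "resource": ft.resource,
        "family": ft.family,
        "mechanism": ft.mechanism,
        "artifact": ft.artifact,
        "severity": sev,
        "route": "pager" if urgent else "ticket",
        # Long-term retention key (assumed layout) for writing the raw finding JSON to S3.
        "archive_key": f"guardduty/{finding['accountId']}/{finding['region']}/{finding['id']}.json",
        "raw": json.dumps(finding, sort_keys=True),
    }


# Constructed sample event in the shape CloudWatch Events delivers (fields trimmed).
SAMPLE_EVENT = {
    "version": "0",
    "id": "constructed-event-id",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "111122223333",
    "time": "2018-06-07T10:00:00Z",
    "region": "eu-west-1",
    "resources": [],
    "detail": {
        "id": "constructed-finding-id",
        "accountId": "111122223333",
        "region": "eu-west-1",
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 2,
        "title": "Unprotected port on EC2 instance i-0123456789abcdef0 is being probed.",
        "resource": {"resourceType": "Instance"},
        "service": {"serviceName": "guardduty", "count": 7},
    },
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENT), indent=2))
```

In production this logic would sit in a Lambda function targeted by the CloudWatch Events rule, writing the `raw` JSON to the archive key so findings outlive GuardDuty's own retention window; keeping the parser tolerant of unknown purposes matters because the taxonomy keeps growing.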
GuardDuty Demo
Amazon Macie
Macie Overview
• Understand Your Data: Natural Language Processing (NLP)
• Understand Data Access: Predictive User Behavior Analytics (UBA)
Macie User Behavior Analytics
We use behavioral analytics to baseline normal behavior patterns, and contextualize anomalies by the value of the data being accessed.
Goals:
• Go to crazy lengths to avoid false positives
• Features, features
• Compare peers
• Tell a narrative
Macie Content Classification
• PII and personal data
• Source code
• SSL certificates, private keys
• iOS and Android app signing keys
• Database backups
• OAuth and Cloud SaaS API keys
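The two Macie slides above describe one pipeline: classify what an object contains, then weight each user's access pattern by that value and compare it with peers so that the alert tells a story. The following Python is an added example, not Macie's code or its NLP classifier: it uses plain pattern matching as a stand-in for content classification (private keys, cloud API keys, PII, source code, four of the categories listed), scores each user's daily reads by the value of what was read, and flags a user whose score on the day under review sits far outside the peer baseline. The objects, users, access events and value weights are all constructed for the demo; the key material and the access key ID are placeholders.

```python
"""Sensitive-content classification feeding a peer-baseline behaviour check.

Added example, not Amazon Macie's code or algorithm: a pattern-based stand-in
for Macie's NLP content classification, used to weight a simple user-behaviour
baseline ("is this user reading far more valuable data than their peers?").
Every object, user and access event below is constructed for the demo.
"""
import re
import statistics
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Pattern stand-ins for four of the content categories on the slide.
CLASSIFIERS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "cloud_api_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),          # AWS access key ID shape
    "pii_email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "source_code": re.compile(r"^\s*(?:import |#include |def |func |package )", re.M),
}
# Assumed value weights: the same anomaly matters more when it touches more valuable data.
VALUE_WEIGHT = {"private_key": 5, "cloud_api_key": 5, "pii_email": 3, "source_code": 2}

Event = Tuple[int, str, str]   # (day, user, object key)


def classify(body: str) -> Set[str]:
    """Content categories found in one object body."""
    return {name for name, rx in CLASSIFIERS.items() if rx.search(body)}


def object_value(body: str) -> int:
    """Weight of the most valuable category present; 1 for uninteresting content."""
    return max((VALUE_WEIGHT[c] for c in classify(body)), default=1)


# Constructed S3 objects; the key material and access key ID are placeholders, not real secrets.
OBJECTS: Dict[str, str] = {
    "s3://corp-data/readme.txt": "Project overview, nothing sensitive here.\n",
    "s3://corp-data/app/main.py": "import os\n\ndef main():\n    print(os.getcwd())\n",
    "s3://corp-data/customers.csv": "name,email\nJane Roe,jane.roe@example.com\n",
    "s3://corp-data/ops/tls.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAplaceholder\n-----END RSA PRIVATE KEY-----\n",
    "s3://corp-data/ops/credentials": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
}

# Constructed access events. Days 1-5 are the baseline; on day 6 carol reads the ops secrets.
EVENTS: List[Event] = []
for _day in range(1, 6):
    EVENTS += [(_day, "alice", "s3://corp-data/readme.txt"), (_day, "alice", "s3://corp-data/app/main.py"),
               (_day, "bob", "s3://corp-data/app/main.py"), (_day, "bob", "s3://corp-data/customers.csv"),
               (_day, "carol", "s3://corp-data/readme.txt"), (_day, "carol", "s3://corp-data/app/main.py")]
EVENTS += [(6, "alice", "s3://corp-data/readme.txt"), (6, "alice", "s3://corp-data/app/main.py"),
           (6, "bob", "s3://corp-data/app/main.py"), (6, "bob", "s3://corp-data/customers.csv"),
           (6, "carol", "s3://corp-data/ops/tls.key"), (6, "carol", "s3://corp-data/ops/credentials"),
           (6, "carol", "s3://corp-data/customers.csv"), (6, "carol", "s3://corp-data/app/main.py")]


def daily_scores(events: Iterable[Event], objects: Dict[str, str]) -> Dict[Tuple[str, int], int]:
    """Value-weighted access score per (user, day): each read adds the value of the object read."""
    scores: Dict[Tuple[str, int], int] = defaultdict(int)
    for day, user, key in events:
        scores[(user, day)] += object_value(objects[key])
    return scores


def detect_anomalies(events: List[Event], objects: Dict[str, str], day: int,
                     peers: Set[str], z: float = 3.0) -> List[dict]:
    """Flag peers whose score on `day` is more than `z` standard deviations above the peer baseline."""
    scores = daily_scores(events, objects)
    baseline = [s for (u, d), s in scores.items() if d < day and u in peers]
    mean, stdev = statistics.mean(baseline), statistics.stdev(baseline)
    findings = []
    for user in sorted(peers):
        score = scores.get((user, day), 0)
        if stdev > 0 and (score - mean) / stdev > z:
            touched: Set[str] = set()
            for d, u, key in events:
                if d == day and u == user:
                    touched |= classify(objects[key])
            findings.append({
                "user": user, "day": day, "score": score,
                "baseline_mean": round(mean, 2), "baseline_stdev": round(stdev, 2),
                "categories": sorted(touched),
                # The narrative an analyst reads instead of a bare score.
                "narrative": (f"{user} read data worth {score} on day {day}; peers average "
                              f"{mean:.1f} (sd {stdev:.1f}); sensitive content touched: {sorted(touched)}"),
            })
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(EVENTS, OBJECTS, day=6, peers={"alice", "bob", "carol"}):
        print(f["narrative"])
```

Only carol is flagged: bob reads the customer list every day, so his higher score is part of the baseline rather than an anomaly, which is the "compare peers" goal in action; the content weight is what separates reading two secrets from reading two README files.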
Macie Demo
WAF/Shield
DDoS Size Trend
Chart: largest DDoS attacks per year in Gbps, 2007 to 2018 (y-axis 0 to 1600 Gbps), with the Mirai attacks and the Memcached attacks called out.
DDoS Threats and Trends
AWS Shield detects and mitigates thousands of DDoS attacks daily.
Source: AWS Global Threat Dashboard (Available for AWS Shield Advanced customers)
AWS Shield Standard: Layer 3/4 Protection for Everyone
✓ Automatic defense against the most common network and transport layer DDoS attacks, for any AWS resource, in any AWS Region
✓ Comprehensive defense against all known network and transport layer attacks when using Amazon CloudFront and Amazon Route 53
✓ SYN floods, UDP floods, reflection attacks, etc.

AWS WAF: Layer 7 Protection Available via AWS WAF
✓ Self-service and pay-as-you-go
✓ Flexible rule language
✓ Fast rule propagation
AWS Shield Advanced: Enhanced Protection

Detection
• Layer 7 attack detection (HTTP floods, DNS query floods)
• Baselining and anomaly detection
• Enhanced Layer 3 attack detection
• Granular detection thresholds (for regional services, EC2/ELB only)

Mitigation
• Proprietary packet filtering stacks
• Suspicion-based filtering
• Advanced mitigations like SYN throttling
• Pre-configured mitigations according to resource type
• Customer-defined mitigations
• Traffic engineering for large DDoS attacks
• Network ACLs executed at the border for EIPs
AWS Shield Advanced: DDoS Response Team (DRT)
For more sophisticated and complex attacks.

Pre-emptive Engagements
• DDoS architecture review
• Fire drills and basic DDoS WAF rules consultation
• Custom mitigation templates for EIPs (EC2/NLBs)

24x7 Incident Response
• Automatically engaged for availability-impacting L3/4 events
• Customer-driven support cases through AWS Support or the AWS Shield Engagement Lambda
• Incident triaging
• Manual traffic engineering
AWS Shield Standard & Advanced
• Standard: built-in DDoS protection for everyone
• Advanced: enhanced protection
• DDoS expertise: 24x7 access to the DDoS Response Team (DRT)
• Visibility & compliance: CloudWatch metrics, attack diagnostics, global threat environment dashboard
• Economic benefits: AWS WAF at no additional cost for protected resources; cost protection for scaling
What is AWS WAF
• Web traffic filtering with custom rules
• Malicious request blocking
• Active monitoring and tuning
Biggest Threats to Applications Today (Application Layer)
• DDoS: HTTP floods
• Bad bots: abusive users, content scrapers, scanners & probes, crawlers
• OWASP Top 10: SQL injection, XSS, application exploits
What can we do with an AWS WAF?
1. Malicious traffic blocking: SQLi, XSS, IP blacklists
2. Web traffic filtering: rate-based rules; IP match & Geo-IP filters; regex & string match; size constraints; action: Allow/Block
3. Active monitoring & tuning: CloudWatch metrics/alarms; sampled logs; Count action mode
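To make the three capabilities above concrete, the following Python is an added example, not AWS WAF itself and not code from the talk: it models a web ACL with the rule types the slide names (IP match against a CIDR set, geo match, size constraint, regex match for SQLi and XSS, and a rate-based rule over a sliding 5-minute window) with BLOCK and COUNT actions, and runs it over a constructed request log. The XSS rule is left in COUNT mode, which is the tuning step: its matches show up in the per-rule counters (the CloudWatch metrics analogue) without blocking anyone until the rule has been validated. The log format, the CIDR list, the blocked country, the rate threshold and every request line are assumptions constructed for the demo; the SQLi and XSS patterns are deliberately narrow stand-ins for the managed match conditions.

```python
"""A small AWS WAF-style web ACL evaluated over constructed request log lines.

Added example, not AWS WAF itself: rate-based, IP, geo, size and regex rules with
ALLOW/BLOCK/COUNT actions. Log format, CIDRs, countries, thresholds and all
request lines are assumptions constructed for the demo.
"""
import ipaddress
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple
from urllib.parse import unquote_plus


@dataclass
class Request:
    ts: int                # epoch seconds
    ip: str
    country: str           # carried in the constructed log; real WAF derives it from the source IP
    method: str
    path: str
    query: str             # URL-decoded, the same transformation WAF applies before string matching
    body_bytes: int
    recent_hits: int = 0   # requests from this IP inside the rate window, set by evaluate_log


def parse_log_line(line: str) -> Request:
    """Constructed log format: '<ts> <ip> <cc> <method> <uri> <body_bytes>'."""
    ts, ip, cc, method, uri, size = line.split()
    path, _, query = uri.partition("?")
    return Request(int(ts), ip, cc, method, path, unquote_plus(query), int(size))


class RateTracker:
    """Per-source-IP sliding window counter; AWS WAF rate-based rules use a 5-minute window."""

    def __init__(self, window_s: int = 300) -> None:
        self.window_s = window_s
        self.seen: Dict[str, Deque[int]] = defaultdict(deque)

    def observe(self, req: Request) -> int:
        hits = self.seen[req.ip]
        hits.append(req.ts)
        while hits and hits[0] <= req.ts - self.window_s:
            hits.popleft()
        return len(hits)


@dataclass
class Rule:
    name: str
    action: str                        # BLOCK, ALLOW or COUNT
    match: Callable[[Request], bool]


# Deliberately narrow signatures; production rules use the managed SQLi/XSS match conditions.
SQLI_RE = re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*(or|and)\s+'?\w+'?\s*=|;\s*drop\b)")
XSS_RE = re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)")
BLOCKED_CIDRS = [ipaddress.ip_network("192.0.2.96/28")]   # assumed IP blacklist
BLOCKED_COUNTRIES = {"KP"}                                 # assumed geo policy
RATE_LIMIT = 10   # per window, lowered for the demo; real AWS WAF thresholds are much higher


def build_acl() -> List[Rule]:
    # Order matters: the first BLOCK/ALLOW match terminates evaluation; COUNT records and continues.
    return [
        Rule("IPBlacklist", "BLOCK", lambda r: any(ipaddress.ip_address(r.ip) in n for n in BLOCKED_CIDRS)),
        Rule("GeoBlock", "BLOCK", lambda r: r.country in BLOCKED_COUNTRIES),
        Rule("SizeConstraint", "BLOCK", lambda r: r.body_bytes > 8192),
        Rule("SQLiRule", "BLOCK", lambda r: SQLI_RE.search(r.query) is not None),
        Rule("XSSRule", "COUNT", lambda r: XSS_RE.search(r.query) is not None),  # still tuning: count only
        Rule("RateLimit", "BLOCK", lambda r: r.recent_hits > RATE_LIMIT),
    ]


def evaluate(req: Request, acl: List[Rule]) -> Tuple[str, List[str]]:
    """Return (final action, names of every rule that matched, counted ones included)."""
    matched: List[str] = []
    for rule in acl:
        if rule.match(req):
            matched.append(rule.name)
            if rule.action != "COUNT":
                return rule.action, matched
    return "ALLOW", matched            # web ACL default action


def evaluate_log(lines: List[str], acl: Optional[List[Rule]] = None) -> Tuple[List[str], Counter]:
    """Run every line through the ACL; the Counter plays the role of the per-rule CloudWatch metrics."""
    acl = acl or build_acl()
    tracker = RateTracker()
    actions: List[str] = []
    metrics: Counter = Counter()
    for line in lines:
        req = parse_log_line(line)
        req.recent_hits = tracker.observe(req)
        action, matched = evaluate(req, acl)
        actions.append(action)
        metrics.update(matched)
    return actions, metrics


# Constructed traffic: normal browsing, an SQLi probe, an XSS probe, an oversized upload,
# a blacklisted source, a geo-blocked source, then a 12-request burst from one IP.
SAMPLE_LOG = [
    "1000 198.51.100.10 DE GET /index.html 0",
    "1001 198.51.100.10 DE GET /search?q=shoes 0",
    "1002 192.0.2.44 US GET /login?user=admin'%20OR%20'1'='1 0",
    "1003 192.0.2.45 US GET /comment?text=%3Cscript%3Ealert(1)%3C/script%3E 0",
    "1004 192.0.2.46 US POST /upload 9000",
    "1005 192.0.2.99 US GET /index.html 0",
    "1006 198.51.100.20 KP GET /index.html 0",
] + [f"{1010 + i} 203.0.113.7 FR GET /api/items 0" for i in range(12)]

if __name__ == "__main__":
    acts, mets = evaluate_log(SAMPLE_LOG)
    for line, act in zip(SAMPLE_LOG, acts):
        print(f"{act:5} {line}")
    print(dict(mets))
```

Running it blocks six requests (the SQLi probe, the oversized upload, the blacklisted and geo-blocked sources, and the 11th and 12th requests of the burst) while the XSS probe is allowed through but shows up as one XSSRule count; flipping that rule from COUNT to BLOCK once the counter confirms it only fires on real probes is the tuning loop the slide describes.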