Continuous security monitoring


Transcript of Continuous security monitoring

Page 1: Continuous security monitoring
Page 2: Continuous security monitoring

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Continuous security monitoring and threat detection with AWS

SEC321-R

Ross Warren

Security Specialist

AWS WWCS Geo Solutions Architect

Amazon Web Services

Brandon Baxter

Solutions Architect, ESS Security Specialist

Amazon Web Services

Page 3: Continuous security monitoring

Ice breakers

Is this your first re:Invent?

Is security in your job title?

Whose job is security?

Have you been to a chalk talk before?

Page 4: Continuous security monitoring

What to expect?

Questions from YOU!

Lots of talking

Great whiteboard drawings!

And possibly some bad jokes

Ross and Brandon You

Page 5: Continuous security monitoring


Page 6: Continuous security monitoring

Attacker lifecycle: Stages

Reconnaissance

Establish foothold

Escalate privileges

Internal reconnaissance

Maintain persistence

Page 7: Continuous security monitoring

Attacker lifecycle: Attacker actions

RDP brute force

RAT installed

Exfiltrate data over DNS

Probe API with temp creds

Attempt to compromise account

Page 8: Continuous security monitoring

Attacker lifecycle: Amazon GuardDuty findings

Attacker actions:

RDP brute force

RAT installed

Exfiltrate data over DNS

Probe API with temp creds

Attempt to compromise account

GuardDuty findings that surface them:

Malicious or suspicious IP

Unusual ports

DNS exfiltration

Unusual traffic volume

Connect to blacklisted site

Recon:EC2/PortProbeUnprotectedPort

Anonymizing proxy

Temp credentials used off-instance

Unusual ISP caller

Bitcoin activity

Unusual instance launch

Page 9: Continuous security monitoring

You have lots of findings. What are we going to do?

Page 10: Continuous security monitoring
Page 11: Continuous security monitoring
Page 12: Continuous security monitoring
Page 13: Continuous security monitoring

Best practices for initial GuardDuty deployment

• Whitelist the approved ASN(s) for AWS Security Token Service (STS) findings

• Whitelist approved vulnerability scanners for brute force findings

• Whitelist approved recon-based findings based on port (VPC Flow Logs-based)

• Change the finding update frequency (how often updated findings are re-published to Amazon CloudWatch Events) from the default of 6 hours to 15 minutes

• Create filters for high-fidelity findings:

• In the console for initial visibility

• As custom Amazon CloudWatch Events rules

• With notifications (Amazon Simple Notification Service (SNS)) triggered from those events

Page 14: Continuous security monitoring

Lessons learned from incident response

Use a strong tagging strategy

Page 15: Continuous security monitoring

Lessons learned from incident response

Questions to ask during the investigation

• Is this finding a true positive?

• Is the event an unusual activity or more?

• Where did the incident occur?

• Who reported or discovered the incident?

• How was it discovered?

• Are there any other areas that have been compromised by the incident? If so what are they and when were they discovered?

• What is the scope of the impact?

• What is the business impact?

• Have the source(s) of the incident been located? If so, where, when, and what are they?

Page 16: Continuous security monitoring

Lessons learned from incident response

Enrich findings and get the full picture of your environment

• Network intrusion detection

• Firewall alerts

• AWS WAF alerts

• Identity - user behaviors

• Endpoint and compute events (AV, EDR)

• OS-level Information

• Application level logs

Centralize findings into a SIEM

Page 17: Continuous security monitoring

Educate

Prepare

Simulate

Iterate

Page 18: Continuous security monitoring


30+ free digital courses cover topics related to cloud security, including Introduction to Amazon GuardDuty and Deep Dive on Container Security

Learn security with AWS Training and Certification

Visit aws.amazon.com/training/paths-specialty/

Classroom offerings, like AWS Security Engineering on AWS, feature AWS expert instructors and hands-on activities

Validate expertise with the AWS Certified Security - Specialty exam

Resources created by the experts at AWS to help you build and validate cloud security skills

Page 19: Continuous security monitoring

Thank you!


Page 20: Continuous security monitoring


Page 21: Continuous security monitoring


Page 22: Continuous security monitoring

Best practices for Amazon GuardDuty

1. Apply a trusted IP list to corporate-owned IP space, or auto-archive (whitelist based on a filter) by ASN

Page 23: Continuous security monitoring

Best practices for Amazon GuardDuty

2. To ensure faster updates to findings, change the finding update frequency from the default of 6 hours to 15 minutes.

Page 24: Continuous security monitoring

Best practices for Amazon GuardDuty

3. Create a filter for high-fidelity findings

Page 25: Continuous security monitoring

Best practices for Amazon GuardDuty

4. Create a filter for high-fidelity findings using CloudWatch Events

Page 26: Continuous security monitoring

Best practices for operational Amazon GuardDuty

• Machine learning findings filter (behavior-based findings)

• Unusual network port (VPC Flow Logs-based)

• Unusual console logins

• Suspicious recon-based findings (CloudTrail-based)

• Persistence-based findings (CloudTrail-based)
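The whitelisting and high-fidelity-filter items above (the initial-deployment list on page 13 and the numbered practices on pages 22 to 26), as an added example that is not code from the session: the filter criteria are written in the shape boto3's guardduty.create_filter(FindingCriteria=...) accepts, and a small local matcher applies them to constructed findings so a rule can be dry-run before it is created with Action="ARCHIVE". The ASN, the scanner address and the finding ids are constructed; the attribute paths and finding type names are the GuardDuty ones as of 2019.

```python
"""Local dry run of Amazon GuardDuty filter criteria.

The dicts below are in the exact shape boto3's
guardduty.create_filter(FindingCriteria=...) takes, so once a rule proves
itself against real findings it can be pushed with Action="ARCHIVE".
Finding ids, the ASN and the scanner address are constructed for this example.
"""
from typing import Any, Dict, List, Optional

# Constructed values: a corporate ASN from the documentation range (RFC 5398)
# and one approved vulnerability-scanner address. Use your own lists.
APPROVED_ASNS = ["64496"]
APPROVED_SCANNER_IPS = ["198.51.100.7"]

# Auto-archive rules (name -> FindingCriteria). Criterion keys are GuardDuty
# finding attribute paths; Eq/Neq take lists of strings, Gte/Lte take numbers.
ARCHIVE_RULES: Dict[str, Dict[str, Any]] = {
    "sts-from-corp-asn": {"Criterion": {
        "type": {"Eq": ["UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration"]},
        "service.action.awsApiCallAction.remoteIpDetails.organization.asn": {"Eq": APPROVED_ASNS},
    }},
    "brute-force-from-scanner": {"Criterion": {
        "type": {"Eq": ["UnauthorizedAccess:EC2/SSHBruteForce",
                        "UnauthorizedAccess:EC2/RDPBruteForce"]},
        "service.action.networkConnectionAction.remoteIpDetails.ipAddressV4": {"Eq": APPROVED_SCANNER_IPS},
    }},
}

# High-fidelity rule: anything GuardDuty rates High (severity 7.0 and up).
HIGH_FIDELITY: Dict[str, Any] = {"Criterion": {"severity": {"Gte": 7}}}


def get_path(obj: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted GuardDuty attribute path against a finding dict."""
    cur: Any = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(criteria: Dict[str, Any], finding: Dict[str, Any]) -> bool:
    """All criteria must hold (AND across attributes); Eq/Neq lists are ORed."""
    for path, cond in criteria["Criterion"].items():
        value = get_path(finding, path)
        if value is None:
            return False
        if "Eq" in cond and str(value) not in cond["Eq"]:
            return False
        if "Neq" in cond and str(value) in cond["Neq"]:
            return False
        if "Gte" in cond and float(value) < cond["Gte"]:
            return False
        if "Lte" in cond and float(value) > cond["Lte"]:
            return False
    return True


def triage(findings: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Archive rules win first; what survives is split into high-fidelity and review."""
    out: Dict[str, Any] = {"archived": {}, "high_fidelity": [], "review": []}
    for f in findings:
        rule = next((n for n, c in ARCHIVE_RULES.items() if matches(c, f)), None)
        if rule is not None:
            out["archived"][f["id"]] = rule
        elif matches(HIGH_FIDELITY, f):
            out["high_fidelity"].append(f["id"])
        else:
            out["review"].append(f["id"])
    return out


def sample_findings() -> List[Dict[str, Any]]:
    """Constructed findings, trimmed to the attributes the rules look at."""
    def sts(fid: str, asn: str, sev: float) -> Dict[str, Any]:
        return {"id": fid, "severity": sev,
                "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration",
                "service": {"action": {"awsApiCallAction": {
                    "remoteIpDetails": {"organization": {"asn": asn}}}}}}

    def brute(fid: str, ip: str, sev: float) -> Dict[str, Any]:
        return {"id": fid, "severity": sev, "type": "UnauthorizedAccess:EC2/SSHBruteForce",
                "service": {"action": {"networkConnectionAction": {
                    "remoteIpDetails": {"ipAddressV4": ip}}}}}

    return [sts("f1", "64496", 8.0), sts("f2", "64500", 8.0),
            brute("f3", "198.51.100.7", 2.0), brute("f4", "203.0.113.9", 2.0)]


if __name__ == "__main__":
    print(triage(sample_findings()))
```

Two caveats. A trusted IP list and an archive filter are not the same control: GuardDuty generates no findings at all for addresses on the trusted IP list, whereas an archive filter keeps the finding (archived, still searchable), which is what you want for scanner traffic you may later need to prove was yours. And the ASN rule archives the STS finding whenever the call came from your ASN, so a credential stolen from an instance and replayed from a laptop on the corporate network is archived too; pair it with the unusual-ISP and off-instance findings rather than relying on it alone.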

Page 27: Continuous security monitoring

Detection and response at scale: Enriching AWS CloudTrail logs

1. AWS CloudTrail delivers logs to an Amazon S3 bucket.

2. The S3 put event triggers an AWS Lambda function (post processor).

3. The Lambda function pulls in metadata from Amazon DynamoDB.

4. The post-processed logs are pushed to Amazon Elasticsearch.

5. The security team analyzes the logs.

Page 28: Continuous security monitoring

Detection and response at scale: Enriching VPC Flow Logs

https://github.com/aws-samples/aws-vpc-flow-log-appender/

1. Amazon VPC Flow Logs deliver logs to Amazon CloudWatch Logs.

2. Logs are streamed to an AWS Lambda ingester function.

3. Logs are passed to Amazon Kinesis Data Firehose.

4. An AWS Lambda ingestor function performs data enrichment, pulling in additional metadata from 3rd party data.

5. Post-processed logs are pushed to Amazon Elasticsearch Service.

6. The security team analyzes the logs.

Page 29: Continuous security monitoring

Detection and response at scale: Responding to an Amazon Macie alert

1. A Macie alert triggers an Amazon CloudWatch Events rule with this event pattern:

{
  "source": [
    "aws.macie"
  ],
  "detail-type": [
    "Macie Alert"
  ]
}

2. The CloudWatch Events rule triggers an AWS Lambda function.

3. The Lambda function removes global read rights from the Amazon S3 bucket.
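The "removes global read rights" step above, as an added example that is not code from the session or from an AWS sample: pure functions over the structures boto3's s3.get_bucket_acl() and s3.get_bucket_policy() return, so the remediation can be tested before a Lambda function wires it to put_bucket_acl() and put_bucket_policy(). The ACL, the policy, the bucket name and the account id are constructed; how the bucket name is read out of the Macie alert is left to the caller, since the alert format is not shown on the page.

```python
"""Remove global read access from an S3 bucket's ACL and bucket policy.

Pure functions over what s3.get_bucket_acl() and s3.get_bucket_policy()
return; the Lambda function that calls put_bucket_acl()/put_bucket_policy()
is the caller's. The sample ACL and policy below are constructed.
"""
import json
from typing import Any, Dict, List, Tuple

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# IAM action names are case-insensitive, so they are compared lower-cased.
# Only these literals are recognised; wildcards other than s3:* are not expanded.
READ_ACTIONS = {"s3:getobject", "s3:getobjectversion", "s3:listbucket", "s3:*", "*"}


def strip_public_grants(acl: Dict[str, Any]) -> Tuple[Dict[str, Any], List[Dict[str, Any]]]:
    """Return (AccessControlPolicy for put_bucket_acl, grants removed)."""
    kept, removed = [], []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            removed.append(grant)
        else:
            kept.append(grant)   # owner, specific users, LogDelivery stay untouched
    return {"Owner": acl["Owner"], "Grants": kept}, removed


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def strip_public_read_statements(policy_json: str) -> Tuple[str, List[str]]:
    """Drop Allow statements granting anonymous principals read access.

    Deny statements and scoped principals are left alone. A public-read Allow
    that carries a Condition is still removed: Macie flagged the bucket, so
    the safe default is to close it and let a human re-open it deliberately.
    Returns (new policy document, Sids or positions of removed statements).
    """
    policy = json.loads(policy_json)
    kept, removed = [], []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if st.get("Effect") == "Allow" and _is_anonymous(st.get("Principal")) and actions & READ_ACTIONS:
            removed.append(st.get("Sid", f"statement-{i}"))
        else:
            kept.append(st)
    policy["Statement"] = kept
    return json.dumps(policy), removed


def remediate(acl: Dict[str, Any], policy_json: str) -> Dict[str, Any]:
    """What the Lambda function would apply, plus an audit record of the changes."""
    new_acl, removed_grants = strip_public_grants(acl)
    new_policy, removed_sids = strip_public_read_statements(policy_json)
    return {
        "acl": new_acl,
        "policy": new_policy,
        "removed_grants": [g["Grantee"]["URI"] for g in removed_grants],
        "removed_statements": removed_sids,
        "kept_statements": [s.get("Sid", "?") for s in json.loads(new_policy)["Statement"]],
    }


# Constructed: a bucket whose ACL and policy both expose objects to everyone.
SAMPLE_ACL = {
    "Owner": {"ID": "ownercanonicalid0123"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "ownercanonicalid0123"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"}, "Permission": "WRITE"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "CiWrite", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    print(json.dumps(remediate(SAMPLE_ACL, SAMPLE_POLICY), indent=2))
```

S3 Block Public Access at the account or bucket level is the preventive counterpart to this reactive step. Statements written with NotPrincipal or NotAction are not handled here and should be routed to an analyst rather than edited blindly, and the Lambda function must catch NoSuchBucketPolicy, since many buckets have an ACL but no policy.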

Page 30: Continuous security monitoring

Detection and response at scale: GuardDuty response with AWS Lambda

https://github.com/aws-samples/amazon-guardduty-waf-acl/

1. An Amazon GuardDuty SSH brute force finding triggers an Amazon CloudWatch Events rule.

2. The CloudWatch Events rule triggers an AWS Lambda function.

3. The Lambda function creates an AWS WAF IP condition and adds it to an active Web ACL.

4. The IP is added to Amazon DynamoDB tables (the block list).

5. A rule is added to the Amazon VPC network access control list (ACL) to block the IP.

6. The function publishes to an Amazon SNS topic and the security team is notified.

Page 31: Continuous security monitoring

Detection and response at scale: GuardDuty response with AWS Lambda

https://scaling-threat-detection.awssecworkshops.com/

1. An Amazon GuardDuty SSH brute force finding triggers an Amazon CloudWatch Events rule.

2. The CloudWatch Events rule triggers an AWS Lambda function.

3. The Lambda function publishes to a Slack channel and the security team is notified.

4. A rule is added to the Amazon VPC network access control list to block the IP.

5. A second AWS Lambda function adds a unique tag to the Amazon EC2 instance, then creates and initiates an Amazon Inspector scan.

6. Amazon Inspector scans the EC2 instance.
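The "network ACL rule is added to block IP" step in the two flows above (pages 30 and 31), as an added example that is not the code of either linked sample: it parses the GuardDuty finding out of the CloudWatch Events envelope, refuses to act unless the instance was the target of an inbound brute force, and plans an inbound deny entry that sorts ahead of the allow rules. The result is the keyword arguments for boto3's ec2.create_network_acl_entry(); the call itself is the caller's, so the block runs offline. The event, the ACL id and the existing entries are constructed.

```python
"""Turn a GuardDuty brute-force finding into a network ACL deny rule (planning step).

The dict plan_block() returns is the keyword arguments for
ec2.create_network_acl_entry(); the boto3 call is left to the caller so this
runs offline. The sample event and the existing ACL entries are constructed.
"""
import ipaddress
from typing import Any, Dict, List, Optional

BRUTE_FORCE_TYPES = {"UnauthorizedAccess:EC2/SSHBruteForce",
                     "UnauthorizedAccess:EC2/RDPBruteForce"}

# RFC 1918, loopback, link-local (which includes the instance metadata service)
# and carrier-grade NAT: never write a deny for these on the strength of a finding.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def attacker_ip(event: Dict[str, Any]) -> Optional[str]:
    """Remote address to block, or None when the finding must not drive a block.

    GuardDuty raises the same finding type when the instance is the TARGET of
    the brute force and when it is the ACTOR (already compromised, attacking
    others). Only the TARGET/INBOUND case makes the remote address the attacker;
    in the ACTOR case a deny would cut off a victim and leave the compromised
    instance untouched.
    """
    detail = event.get("detail", {})
    if detail.get("type") not in BRUTE_FORCE_TYPES:
        return None
    service = detail.get("service", {})
    if service.get("resourceRole") != "TARGET":
        return None
    conn = service.get("action", {}).get("networkConnectionAction", {})
    if conn.get("connectionDirection") != "INBOUND":
        return None
    try:
        addr = ipaddress.ip_address(conn.get("remoteIpDetails", {}).get("ipAddressV4"))
    except (TypeError, ValueError):
        return None
    if any(addr in net for net in NON_ROUTABLE):
        return None
    return str(addr)


def next_deny_rule_number(entries: List[Dict[str, Any]], first_allow: int = 100) -> int:
    """Lowest free inbound rule number below the first allow rule.

    Network ACLs are evaluated in ascending rule-number order and stop at the
    first match, so a deny only works if it sorts before the allow rules.
    """
    used = {e["RuleNumber"] for e in entries if not e.get("Egress", False)}
    for n in range(1, first_allow):
        if n not in used:
            return n
    raise RuntimeError("no free inbound slot below the allow rules; expire old blocks first")


def plan_block(event: Dict[str, Any], nacl_id: str,
               entries: List[Dict[str, Any]]) -> Optional[Dict[str, Any]]:
    """create_network_acl_entry() kwargs for this finding, or None if no block is warranted."""
    ip = attacker_ip(event)
    if ip is None:
        return None
    return {
        "NetworkAclId": nacl_id,
        "RuleNumber": next_deny_rule_number(entries),
        "Protocol": "-1",        # all protocols
        "RuleAction": "deny",
        "Egress": False,
        "CidrBlock": f"{ip}/32",
    }


def sample_event(role: str = "TARGET", direction: str = "INBOUND",
                 ip: str = "203.0.113.9") -> Dict[str, Any]:
    """Constructed CloudWatch Events envelope around a trimmed GuardDuty finding."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 2,
                       "service": {"resourceRole": role, "action": {
                           "networkConnectionAction": {
                               "connectionDirection": direction,
                               "remoteIpDetails": {"ipAddressV4": ip}}}}}}


# Constructed: a default network ACL plus one earlier block, as describe_network_acls() lists them.
EXISTING_ENTRIES = [
    {"RuleNumber": 1, "Egress": False, "RuleAction": "deny", "CidrBlock": "198.51.100.23/32"},
    {"RuleNumber": 100, "Egress": False, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": False, "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": True, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print(plan_block(sample_event(), "acl-0example", EXISTING_ENTRIES))
```

The role and direction check is the part most automation skips: UnauthorizedAccess:EC2/SSHBruteForce is also raised when your own instance is the one doing the brute forcing, and then the remote address is a victim, not an attacker. Network ACLs also have a default quota of 20 inbound rules, so the planner only hands out numbers below the first allow rule and fails loudly when they run out; the DynamoDB table in the linked sample is where each block should be recorded with a timestamp so old entries can be expired.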

Page 32: Continuous security monitoring

Detection and response at scale: GuardDuty response with different targets

1. An Amazon GuardDuty cryptocurrency finding triggers an Amazon CloudWatch Events rule.

2. The CloudWatch Events rule triggers several targets:

• AWS Systems Manager Run Command shuts down services on the Amazon EC2 instance and captures memory.

• AWS Systems Manager Automation removes the instance from its Auto Scaling group and snapshots EBS.

• AWS Lambda pushes the memory capture and the Amazon EBS snapshot to a separate forensics AWS account.

Page 33: Continuous security monitoring

Detection and response at scale: GuardDuty response with AWS Step Functions

1. An Amazon GuardDuty finding triggers an Amazon CloudWatch Events rule.

2. The CloudWatch Events rule triggers an AWS Step Functions state machine.

3. State machine: START, Publish Event, branch on Finding Type (EC2/C&CActivity.B!DNS, IAM/InstanceCredentialExfiltration, EC2/TorIPCaller), Publish Remediation, END.

Page 34: Continuous security monitoring

Detection and response at scale: Active AWS WAF response

https://aws.amazon.com/answers/security/aws-waf-security-automations/

Application requests (static/dynamic) from valid users and attackers arrive at a CloudFront distribution and an Application Load Balancer in front of the web application resources; AWS WAF sits in that path and drops the bad ones. Protections in the solution:

• Cross-site scripting protection

• SQL injection protection

• Bad bot and scraper protection

• IP address whitelist/blacklist

• Scanner and probe protection

• HTTP flood protection

• Known-attacker protection

Components that keep the block lists current:

• Requests to the honeypot endpoint: Amazon API Gateway invokes an AWS Lambda Access Handler

• 3rd party IP reputation lists: an hourly Amazon CloudWatch Events rule invokes an AWS Lambda IP List Parser

• New access log files in the Amazon S3 bucket invoke an AWS Lambda Log Parser

Page 35: Continuous security monitoring

Use case 1: Centralized security and compliance workspace

Goal: Have a single pane of glass to view, triage, and take action on AWS security and compliance issues across accounts

Personas: SecOps, compliance, and/or DevSecOps teams focused on AWS, Cloud Centers of Excellence, the first security hire

Key processes example:

1. Ingest findings from finding providers

2. High volume and well-known findings are programmatically routed to remediation workflows, which include updating the status of the finding

3. Remaining findings are routed to analysts via an on-call management system, and they use ticketing and chat systems to resolve them

"Taking action" integrations: Ticketing systems, chat systems, on-call management systems, SOAR platforms, customer-built remediation playbooks

Page 36: Continuous security monitoring

Use case 2: Centralized routing to a SIEM

Goal: Easily route all AWS security and compliance findings in a normalized format to a centralized SIEM or log management tool

Personas: SecOps, compliance, and/or DevSecOps teams

Key processes example:

1. Ingest findings from finding providers

2. All findings are routed via Amazon CloudWatch Events to a central SIEM that stores AWS and on-premises security and compliance data

3. Analyst workflows are linked to the central SIEM

"Taking action" integrations: SIEM

Page 37: Continuous security monitoring


Page 38: Continuous security monitoring

Threat response: A playbook outline

Detect: Amazon GuardDuty, VPC Flow Logs, Amazon Inspector and Amazon Macie, aggregated in AWS Security Hub and emitted through Amazon CloudWatch Events

Investigate: AWS CloudTrail, AWS Config, team collaboration (Slack, etc.)

Respond: Lambda function calling AWS APIs

Page 39: Continuous security monitoring

Custom actions in AWS Security Hub

Page 40: Continuous security monitoring

Taking action on all findings

Page 41: Continuous security monitoring

Event pattern examples

Filter by tags:

{
  "source": [
    "aws.securityhub"
  ],
  "detail-type": [
    "Security Hub Findings"
  ],
  "detail": {
    "findings": {
      "Resources": {
        "Tags": {
          "Environment": [
            "PCI"
          ]
        }
      }
    }
  }
}

Page 42: Continuous security monitoring

Event pattern examples

Filter by severity:

{
  "source": [
    "aws.securityhub"
  ],
  "detail-type": [
    "Security Hub Findings"
  ],
  "detail": {
    "findings": {
      "Severity": {
        "Normalized": [
          95,
          96,
          97,
          98,
          99,
          100
        ]
      }
    }
  }
}
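Both event patterns above, as an added example that is not code from the session: a matcher implementing the subset of CloudWatch Events rule semantics these patterns rely on, run offline over constructed Security Hub events. Two things it makes concrete that the JSON alone does not: detail.findings and Resources are arrays in the event, and a rule fires if any element matches; and the severity rule has to enumerate 95 to 100 because a classic event pattern has no numeric range operator. The detail-type string is copied from the slides; check it against the current Security Hub documentation, which names the imported-findings event "Security Hub Findings - Imported". The resource ARN and account id in the sample events are placeholders.

```python
"""Offline check of Amazon CloudWatch Events patterns against Security Hub events.

Implements the subset of the rule-matching semantics the two patterns on this
page rely on: a list is an OR over exact values, a nested object recurses,
and an array in the event matches if any element does. The sample events are
constructed, not captured from an account.
"""
from typing import Any, Dict, List

PCI_TAG_RULE: Dict[str, Any] = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings"],
    "detail": {"findings": {"Resources": {"Tags": {"Environment": ["PCI"]}}}},
}

CRITICAL_SEVERITY_RULE: Dict[str, Any] = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings"],
    "detail": {"findings": {"Severity": {"Normalized": [95, 96, 97, 98, 99, 100]}}},
}

RULES: Dict[str, Dict[str, Any]] = {
    "pci-findings": PCI_TAG_RULE,
    "critical-findings": CRITICAL_SEVERITY_RULE,
}


def pattern_matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """True when every key in `pattern` is satisfied by `event`.

    - a list in the pattern is an OR over exact scalar values;
    - a dict in the pattern recurses into the event;
    - if the event holds an array at that key, any element may satisfy it
      (this is how `detail.findings` and `Resources`, both arrays, match).
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        candidates = actual if isinstance(actual, list) else [actual]
        if isinstance(expected, dict):
            if not any(isinstance(c, dict) and pattern_matches(expected, c) for c in candidates):
                return False
        else:
            scalars = [c for c in candidates if not isinstance(c, (dict, list))]
            if not any(c in expected for c in scalars):
                return False
    return True


def route(event: Dict[str, Any]) -> List[str]:
    """Names of the rules whose pattern this event would fire."""
    return [name for name, pat in RULES.items() if pattern_matches(pat, event)]


def securityhub_event(tags: Dict[str, str], normalized: int,
                      source: str = "aws.securityhub") -> Dict[str, Any]:
    """Constructed event carrying one ASFF finding on one tagged resource."""
    return {
        "source": source,
        "detail-type": "Security Hub Findings",
        "detail": {"findings": [{
            "Severity": {"Normalized": normalized, "Product": normalized / 10},
            "Resources": [{"Type": "AwsEc2Instance",
                           "Id": "arn:aws:ec2:us-west-2:111122223333:instance/i-0example",
                           "Tags": tags}],
        }]},
    }


if __name__ == "__main__":
    print(route(securityhub_event({"Environment": "PCI"}, 40)))
    print(route(securityhub_event({"Environment": "dev"}, 98)))
```

Because a finding event can carry several findings and each finding several resources, a PCI-tagged resource anywhere in the batch fires the rule for the whole event; the Lambda target still has to iterate detail.findings and pick out the ones that actually matched before it acts.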

Page 43: Continuous security monitoring

Custom actions in AWS Security Hub

Page 44: Continuous security monitoring

Custom actions in AWS Security Hub

Rule event pattern:

{
  "source": [
    "aws.securityhub"
  ],
  "resources": [
    "arn:aws:securityhub:us-west-2:xxxxxxxxxxxx:action/custom/send_to_email"
  ]
}

Page 45: Continuous security monitoring

Custom actions in AWS Security Hub

Diagram: three rule/event pairs, one of which targets AWS Systems Manager Run Command

Page 46: Continuous security monitoring

Deep set of security tools

Identity: AWS Identity & Access Management (IAM), AWS Single Sign-On, AWS Directory Service, Amazon Cognito, AWS Organizations, AWS Secrets Manager, AWS Resource Access Manager

Detect: AWS Security Hub, Amazon GuardDuty, AWS Config, AWS CloudTrail, Amazon CloudWatch, VPC Flow Logs, AWS Systems Manager

Infrastructure protection: AWS Shield, AWS WAF, AWS Firewall Manager, Amazon Inspector, Amazon Virtual Private Cloud (Amazon VPC)

Data protection: AWS Key Management Service (AWS KMS), AWS CloudHSM, AWS Certificate Manager, Amazon Macie, Server-Side Encryption

Respond: AWS Config Rules, AWS Lambda, AWS Systems Manager

Page 47: Continuous security monitoring


Page 48: Continuous security monitoring


Page 49: Continuous security monitoring
