
Alert Logic


by Ryan Holland, Sr. Director, Alert Logic

Learn how Alert Logic has integrated with Amazon GuardDuty.


  1. ALERT LOGIC'S INTEGRATION WITH AMAZON GUARDDUTY. Ryan Holland, Sr. Director, Cloud Platforms
  2. Outline
     • Services Overview
     • GuardDuty Integration
     • Top Findings, Configuration Errors, and CVEs
     • Demo
  3. SERVICES OVERVIEW
  4. Amazon GuardDuty
     • AWS threat detection service (launched at re:Invent 2017) that monitors your environment for suspicious behavior
       - AWS CloudTrail event logs
       - VPC Flow Logs
       - DNS Logs
     • GuardDuty identifies potential security issues called "Findings"
       - Reconnaissance (e.g., EC2 instance being probed)
       - Instance compromise (e.g., EC2 instance querying phishing domains)
       - Account compromise (e.g., credentials used from multiple locations)
  5. Cloud Insight Essentials
     • Alert Logic service (also launched at re:Invent 2017) that identifies configurations that go against AWS security best practices, and provides GuardDuty findings enrichment and management.
     • Uses an IAM role/policy to monitor CloudTrail logs and identify risky configurations like:
       - User not configured to use MFA
       - S3 bucket has a global ACL
       - Passwords not configured to expire
     • Can deploy vulnerability scanners (Cloud Insight) to identify Common Vulnerabilities and Exposures (CVEs) in software
     • Available on AWS Marketplace with a 30-day free trial
       - https://aws.amazon.com/marketplace/pp/B0764JH55Q
  6. Cloud Insight Essentials Topology View (screenshot)
  7. GUARDDUTY INTEGRATION
  8. CloudFormation Template
     • CloudFormation template that deploys a Kinesis Stream and Lambda function that act as a CloudWatch Events collector.
     • The CloudWatch Events collector gathers all CloudWatch Events associated with GuardDuty Findings and forwards those events to Cloud Insight Essentials.
     • Cloud Insight Essentials augments Findings by providing more detailed information and what to do with Findings, and tracks historical trends.
     • Available on GitHub (https://github.com/alertlogic/cwe-collector/)
  9. GuardDuty Integration Architecture (diagram). Components: AWS CloudTrail, VPC Flow Logs and DNS Logs -> Amazon GuardDuty -> CloudWatch Event (GuardDuty Finding) -> CloudWatch Events Collector Lambda function (deployed by the CloudFormation Template) -> Cloud Insight Essentials (GuardDuty trends, remediations)
  10. Inspector Integration Architecture (diagram). Components: EC2 instances -> Amazon Inspector; Scheduled Event -> Lambda function enumerates Inspector findings -> Cloud Insight Essentials (exposures, remediations)
  11. Config Rules Integration Architecture (diagram). Components: AWS Config new snapshot -> rule completes -> Lambda function converts results -> Cloud Insight Essentials (exposures, remediations)
  12. Incident Summaries
     • Incident Summary gives you an overview of GuardDuty primary detection categories
  13. Incident List
     • Incident List gives you an Investigation Report (summary of the Finding with links to industry knowledge)
  14. GuardDuty Recommendations
     • Recommendations provide short-term actions (with links on how to investigate compromises) and links to the AWS console to conduct further investigation
  15. GuardDuty Evidence
     • Evidence records the full GuardDuty Finding and the last time seen
  16. GuardDuty Remediations
     • Steps to help customers enable GuardDuty and deploy our CloudWatch Event collectors
  17. TOP FINDINGS, MISCONFIGURATIONS, & CVES
  18. The Terrible Ten
     GuardDuty Findings:
       1. Recon:EC2/PortProbeUnprotectedPort
       2. Recon:EC2/Portscan
       3. UnauthorizedAccess:EC2/SSHBruteForce
       4. UnauthorizedAccess:EC2/RDPBruteForce
       5. CryptoCurrency:EC2/BitcoinTool.B!DNS
       6. Stealth:IAMUser/PasswordPolicyChange
       7. UnauthorizedAccess:EC2/TorIPCaller
       8. Behavior:EC2/NetworkPortUnusual
       9. Trojan:EC2/DropPoint!DNS
       10. PenTest:IAMUser/KaliLinux
     Misconfigurations:
       1. Unencrypted AMI Discovered
       2. Unencrypted EBS Volume
       3. S3 Logging not Enabled
       4. Single POF or no Auto Scaling
       5. S3 Object Versioning not Enabled
       6. User not configured to use MFA
       7. User Access Keys not Rotating
       8. IAM Policies Directly Attached to User
       9. Dangerous User Privileged Access to S3
       10. Dangerous IAM Role for S3
     CVEs:
       1. RC4 Ciphers
       2. MD5 Hash-collision
       3. OpenSSH Security Bypass
       4. OpenSSH DoS
       5. TLS Logjam Issue
       6. OpenSSH Buffer Overflow
       7. OpenSSH Info Disclosure
       8. OpenSSH Memory Corruption
       9. OpenBSD DoS
       10. OpenBSD Security Bypass
  19. Conclusions
     • "By 2020, 95% of cloud security failures will be the customer's fault."*
     • Most frequent GuardDuty Findings are due to customers leaving ports open or not restricting access to ports
     • Most frequent configuration issues are due to customers not encrypting AMIs/volumes, not enabling logging, and IAM permissions
     • Most frequent CVEs are due to customers running out-of-date open source software
     * Gartner Reveals Top Predictions for IT Organizations and Users for 2016 and Beyond: https://www.gartner.com/newsroom/id/3143718
  20. DEMO
  21. Thank you.
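An added example (not from the deck and not Alert Logic's own cwe-collector code) of the collector step described on the CloudFormation Template and Incident Summary/Evidence slides: a Lambda handler that reads GuardDuty Finding CloudWatch Events off the Kinesis stream, flattens each into a record to forward, keeps the last-seen time the Evidence view shows, and tallies findings by threat purpose, the primary detection categories the Incident Summary groups by. The event shape and every value are constructed, and `handler`, `normalize_finding` and `kinesis_record` are hypothetical names.

```python
import base64
import json
from collections import Counter

# Constructed sample of a GuardDuty finding as a CloudWatch Event; every value is made up.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "constructed-finding-id-0001",
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 2,
        "service": {"count": 5, "eventLastSeen": "2018-01-01T00:00:00Z"},
    },
}

def parse_finding_type(finding_type):
    """Split 'ThreatPurpose:ResourceType/ThreatFamily' into its three parts."""
    purpose, rest = finding_type.split(":", 1)
    return (purpose,) + tuple(rest.split("/", 1))

def normalize_finding(event):
    """Flatten one CloudWatch Event into the record to forward; None if it is not a finding."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return None
    d = event["detail"]
    purpose, resource, family = parse_finding_type(d["type"])
    return {
        "finding_id": d["id"],
        "finding_type": d["type"],
        "threat_purpose": purpose,  # Recon, UnauthorizedAccess, Trojan, ...: the summary buckets
        "resource_type": resource,
        "threat_family": family,
        "severity": d["severity"],
        "count": d["service"]["count"],
        "last_seen": d["service"]["eventLastSeen"],  # the "last time seen" kept as Evidence
    }

def kinesis_record(event):
    """Wrap an event the way Kinesis hands it to Lambda (constructed, for local runs)."""
    return {"kinesis": {"data": base64.b64encode(json.dumps(event).encode()).decode()}}

def handler(event, context=None):
    """Lambda entry point: CloudWatch Events land on the Kinesis stream as base64 JSON."""
    forwarded, summary = [], Counter()
    for rec in event.get("Records", []):
        normalized = normalize_finding(json.loads(base64.b64decode(rec["kinesis"]["data"])))
        if normalized:  # unrelated events on the stream are dropped, not forwarded
            forwarded.append(normalized)
            summary[normalized["threat_purpose"]] += 1
    return {"forwarded": forwarded, "summary": dict(summary)}
```

The `summary` dictionary is what an Incident Summary view would bucket by; any non-GuardDuty event that reaches the same stream is skipped rather than forwarded.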
