© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Nathan Case
Deep Dive on Amazon GuardDuty
Needle.needle.needle…wait these are all needles…
February, 2018
Deep Dive on Amazon GuardDuty
1. Intro
2. Discussion of the Services Used
• Amazon GuardDuty
• Amazon CloudWatch
• AWS Lambda
3. Inspection of the Needles
4. What to do about them
5. What to do with the Red Needle
6. Auto Remediation
Amazon GuardDuty
Find the Needle, Skip the Haystack
GuardDuty helps security professionals quickly find the threats (needle) to
their environments in the sea of log data (haystack) so they can focus on
hardening their AWS environments and responding quickly to malicious or
suspicious behavior.
Amazon GuardDuty:
All Signal, No Noise
GuardDuty Threat Detection and Notification
GuardDuty Account Relationships
• Adding accounts to the service is simple and is done via the console or API.
• An account whose invite is accepted becomes a “Member” account; the requestor is the “Master” account.
Master Account
Can do the following to ALL accounts:
• Generate sample findings
• Configure and view/manage findings
• Suspend the GuardDuty service
• Upload and manage trusted IP and threat IP lists (coming soon!)
Can only disable its own account. Member accounts must all be removed first, and by the member account.
GuardDuty Data Sources
VPC Flow Logs
• Flow Logs for VPCs do not need to be turned on to generate findings; the data is consumed through an independent duplicate stream.
• Turning on VPC Flow Logs is suggested to augment data analysis (charges apply).
DNS Logs
• DNS logs are based on queries made from EC2 instances to known questionable domains.
• DNS logs are in addition to Route 53 query logs. Route 53 is not required for GuardDuty to generate DNS-based findings.
CloudTrail Events
• CloudTrail history of the AWS API calls used to access the Management Console, SDKs, CLI, etc., presented by GuardDuty.
• Identification of user and account activity, including the source IP address used to make the calls.
Capture and save all event data via CloudWatch Events (CWE) or API call for long-term retention. Additional charges apply.
GuardDuty Findings: Threat Purpose Details
Describes the primary purpose of the threat. Available at launch, more coming!
• Backdoor: resource compromised and capable of contacting its source home
• Behavior: activity that differs from the established baseline
• CryptoCurrency: detected software associated with crypto currencies
• PenTest: activity detected similar to that generated by known pen testing tools
• Recon: attack scoping vulnerabilities by probing ports, listening, database tables, etc.
• Stealth: attack trying to hide actions / tracks
• Trojan: program detected carrying out suspicious activity
• UnauthorizedAccess: suspicious activity / pattern by an unauthorized user
GuardDuty Findings: Console / API
AWS Management Console: quickly see threat information including:
• Severity
• Region
• Count/Frequency
• Threat Type
• Affected Resource
• Source Information
• Viewable via CloudWatch Events
API / JSON Format: export finding data for further analysis including:
• Ingest into SIEM
• Data Enrichment
• Programmatic Response
• Additional Information: ARN, Span of Time, Resource Info
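The console fields above (severity, region, count, type, affected resource, source information, ARN, time span) are all present in the finding JSON that the API returns and that CloudWatch Events delivers in its `detail` member. As an added example, not code from the deck or from AWS, the following flattens a finding into a single record that a SIEM can ingest; it reads whichever action block the finding carries (network connection, API call, DNS request or port probe), so it goes beyond the slide's list. The numeric severity thresholds come from the GuardDuty documentation rather than from this slide, and the two sample findings are constructed.

```python
"""Flatten a GuardDuty finding (GetFindings JSON, or the `detail` of a CloudWatch
Events event) into one flat record for SIEM ingestion. Added example."""
import json


def severity_label(score):
    """Map numeric severity to the deck's LOW/MEDIUM/HIGH bands
    (thresholds from the GuardDuty docs: Low <4, Medium 4-6.9, High 7+)."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def _remote_ip(details):
    """Source-information fields shared by network and API-call actions."""
    return {
        "sourceIp": details.get("ipAddressV4"),
        "sourceAsnOrg": details.get("organization", {}).get("asnOrg"),
        "sourceCountry": details.get("country", {}).get("countryName"),
    }


def source_info(action):
    """Pull out whatever source information the finding's action block carries."""
    kind = action.get("actionType")
    if kind == "NETWORK_CONNECTION":
        a = action.get("networkConnectionAction", {})
        info = _remote_ip(a.get("remoteIpDetails", {}))
        info.update(protocol=a.get("protocol"), blocked=a.get("blocked"),
                    localPort=a.get("localPortDetails", {}).get("port"),
                    remotePort=a.get("remotePortDetails", {}).get("port"))
        return info
    if kind == "AWS_API_CALL":
        a = action.get("awsApiCallAction", {})
        info = _remote_ip(a.get("remoteIpDetails", {}))
        info.update(api=a.get("api"), apiService=a.get("serviceName"),
                    callerType=a.get("callerType"))
        return info
    if kind == "DNS_REQUEST":
        a = action.get("dnsRequestAction", {})
        return {"domain": a.get("domain"), "protocol": a.get("protocol"),
                "blocked": a.get("blocked")}
    if kind == "PORT_PROBE":
        probes = action.get("portProbeAction", {}).get("portProbeDetails", [])
        return {"probedPorts": sorted({p["localPortDetails"]["port"] for p in probes}),
                "probeSources": sorted({p["remoteIpDetails"]["ipAddressV4"] for p in probes})}
    return {}


def affected_resource(resource):
    """Return (resource type, identifier) for the EC2 instance or IAM principal involved."""
    rtype = resource.get("resourceType")
    if rtype == "Instance":
        return rtype, resource.get("instanceDetails", {}).get("instanceId")
    if rtype == "AccessKey":
        keys = resource.get("accessKeyDetails", {})
        return rtype, f"{keys.get('userType')}/{keys.get('userName')}"
    return rtype, None


def normalize_finding(finding):
    """One flat dict per finding: identity, severity, frequency, resource, source."""
    service = finding.get("service", {})
    rtype, rid = affected_resource(finding.get("resource", {}))
    record = {
        "findingId": finding.get("id"), "arn": finding.get("arn"),
        "accountId": finding.get("accountId"), "region": finding.get("region"),
        "type": finding.get("type"), "severity": finding.get("severity"),
        "severityLabel": severity_label(float(finding.get("severity", 0))),
        "count": service.get("count"),
        "firstSeen": service.get("eventFirstSeen"), "lastSeen": service.get("eventLastSeen"),
        "resourceType": rtype, "resourceId": rid,
    }
    record.update(source_info(service.get("action", {})))
    return record


def to_siem_line(finding):
    """Single-line JSON, the form most log shippers expect."""
    return json.dumps(normalize_finding(finding), sort_keys=True)


# Constructed sample findings (ids, IPs and names are made up).
SAMPLE_SSH_BRUTEFORCE = {
    "id": "f1a2b3c4", "accountId": "123456789012", "region": "us-east-1",
    "arn": "arn:aws:guardduty:us-east-1:123456789012:detector/d1/finding/f1a2b3c4",
    "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 2,
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    "service": {"count": 17, "eventFirstSeen": "2018-02-01T10:00:00Z",
                "eventLastSeen": "2018-02-01T10:45:00Z",
                "action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
                    "connectionDirection": "INBOUND", "protocol": "TCP", "blocked": False,
                    "localPortDetails": {"port": 22}, "remotePortDetails": {"port": 51234},
                    "remoteIpDetails": {"ipAddressV4": "198.51.100.23",
                                        "organization": {"asn": "64496", "asnOrg": "Example Hosting"},
                                        "country": {"countryName": "Example Land"}}}}},
}
SAMPLE_TOR_API_CALL = {
    "id": "a9b8c7d6", "accountId": "123456789012", "region": "us-east-1",
    "type": "UnauthorizedAccess:IAMUser/TorIPCaller", "severity": 5,
    "resource": {"resourceType": "AccessKey", "accessKeyDetails": {
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userType": "IAMUser", "userName": "deploy-bot"}},
    "service": {"count": 3, "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {
        "api": "DescribeInstances", "serviceName": "ec2.amazonaws.com", "callerType": "Remote IP",
        "remoteIpDetails": {"ipAddressV4": "192.0.2.77"}}}},
}

if __name__ == "__main__":
    print(to_siem_line(SAMPLE_SSH_BRUTEFORCE))
    print(to_siem_line(SAMPLE_TOR_API_CALL))
```

Every accessor uses `.get` with a default because findings of different types carry different action and resource blocks; a shipper that raises on a missing key will silently drop exactly the unusual findings an analyst most wants to see.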
GuardDuty Findings: Severity Levels
HIGH: Resource compromised and actively being used for an unauthorized purpose.
Suggestion: Take immediate action(s)
• Terminate instance(s)
• Rotate IAM access keys
MEDIUM: Suspicious activity deviating from normally observed behavior.
Suggestion: Investigate further
• Check new software that changed the behavior of a resource
• Check changes to settings
• AV scan on the resource (detect unauthorized software)
• Examine permissions attached to the IAM entity implicated
LOW: Suspicious or malicious activity blocked before it compromised a resource.
Suggestion: No immediate recommended steps, but take note of the information as something to address in the future.
GuardDuty Threat Detection Type by API group
Backdoor: EC2/XORDDOS, EC2/Spambot, EC2/C&CActivity.B!DNS
CryptoCurrency: EC2/BitcoinTool.B!DNS
Recon: EC2/PortProbeUnprotectedPort, EC2/Portscan, IAMUser/TorIPCaller, IAMUser/MaliciousIPCaller, IAMUser/MaliciousIPCaller.Custom
Stealth: IAMUser/PasswordPolicyChange, IAMUser/CloudTrailLoggingDisabled
UnauthorizedAccess: IAMUser/TorIPCaller, IAMUser/MaliciousIPCaller, IAMUser/MaliciousIPCaller.Custom, IAMUser/ConsoleLoginSuccess.B, IAMUser/UnusualASNCaller, IAMUser/InstanceCredentialExfiltration, EC2/TorIPCaller, EC2/MaliciousIPCaller.Custom, EC2/SSHBruteForce, EC2/RDPBruteForce
Behavior: IAMUser/InstanceLaunchUnusual, EC2/NetworkPortUnusual, EC2/TrafficVolumeUnusual
PenTest: IAMUser/KaliLinux
Trojan: EC2/BlackholeTraffic, EC2/DropPoint, EC2/BlackholeTraffic!DNS, EC2/DriveBySourceTraffic!DNS, EC2/DropPoint!DNS, EC2/DGADomainRequest.B, EC2/DGADomainRequest.C!DNS, EC2/DNSDataExfiltration, EC2/PhishingDomainRequest
Responding to Findings: Remediation
• Remediate a Compromised Instance
• Remediate Compromised AWS Credentials
Automatic Remediation
[Diagram: Amazon GuardDuty finding -> Amazon CloudWatch Event -> AWS Lambda function]
Lambda + Systems Manager + CloudWatch
[Diagram, built up over a sequence of slides. Components: Amazon GuardDuty; an Amazon CloudWatch rule; an AWS Lambda function; AWS Systems Manager documents; the EC2 instance and its contents (shown as a terminal prompt "Instance:~ ec2-user$"), with two elastic network adapters and an EBS volume. Later builds add security group rules on the instance, "3389 -> 0.0.0.0/0" and "80, 443->DataSG", and then show only "80, 443->DataSG"; then commands run on the instance through Systems Manager: "top", "pcap" and "lime"; then an "EBS Forensics" volume; and finally an Amazon EBS snapshot.]
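The sequence the diagram builds up, as a Lambda-side workflow, is written out below as an added example (not code from the deck or from AWS): tighten the instance's security group, capture volatile state through Systems Manager while the instance is still running, then snapshot the EBS volumes and share them with a forensics account. The `ec2` and `ssm` clients are passed in, so a real deployment hands it `boto3.client("ec2")` and `boto3.client("ssm")` and the boto3 method names and keyword arguments used are the standard ones; the `FakeAws` class stands in for both so the flow runs offline. The Systems Manager document names are hypothetical placeholders for the deck's top / pcap / lime captures, and `sg-0forensics` and the account ids are constructed.

```python
"""Forensics-first response to an instance finding. Added example: isolate,
capture volatile state, snapshot disks, share with the forensics account."""

# Hypothetical Systems Manager document names for the deck's top/pcap/lime captures.
VOLATILE_CAPTURE_DOCS = ["Custom-CaptureTop", "Custom-CapturePcap", "Custom-CaptureLime"]


def isolate_instance(ec2, instance_id, forensic_sg_id):
    """Replace every security group on the instance with the forensic group
    (the deck's build drops 3389 -> 0.0.0.0/0 and keeps only 80, 443 -> DataSG)."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[forensic_sg_id])
    return [forensic_sg_id]


def capture_volatile_state(ssm, instance_id, document_names):
    """Run each capture document on the live instance; the command ids let the
    caller wait for completion before anything that disturbs memory or network state."""
    return [ssm.send_command(InstanceIds=[instance_id], DocumentName=doc)["Command"]["CommandId"]
            for doc in document_names]


def snapshot_volumes(ec2, instance_id, finding_id, forensics_account_id=None):
    """Snapshot every EBS volume on the instance, tag it with the finding id and,
    if a forensics account is given, grant that account createVolume permission."""
    described = ec2.describe_instances(InstanceIds=[instance_id])
    snapshot_ids = []
    for reservation in described["Reservations"]:
        for instance in reservation["Instances"]:
            for mapping in instance.get("BlockDeviceMappings", []):
                volume_id = mapping["Ebs"]["VolumeId"]
                snap = ec2.create_snapshot(VolumeId=volume_id,
                                           Description=f"GuardDuty {finding_id} {instance_id}")
                ec2.create_tags(Resources=[snap["SnapshotId"]],
                                Tags=[{"Key": "GuardDutyFinding", "Value": finding_id}])
                if forensics_account_id:
                    ec2.modify_snapshot_attribute(SnapshotId=snap["SnapshotId"],
                                                  Attribute="createVolumePermission",
                                                  OperationType="add",
                                                  UserIds=[forensics_account_id])
                snapshot_ids.append(snap["SnapshotId"])
    return snapshot_ids


def respond_to_instance_finding(ec2, ssm, instance_id, finding_id, forensic_sg_id,
                                forensics_account_id=None):
    """Order matters: isolate first so the attacker loses reach, capture memory and
    network state while the instance still runs, then snapshot the disks."""
    groups = isolate_instance(ec2, instance_id, forensic_sg_id)
    commands = capture_volatile_state(ssm, instance_id, VOLATILE_CAPTURE_DOCS)
    snapshots = snapshot_volumes(ec2, instance_id, finding_id, forensics_account_id)
    return {"instanceId": instance_id, "findingId": finding_id,
            "securityGroups": groups, "commands": commands, "snapshots": snapshots}


class FakeAws:
    """Call-recording stand-in for the boto3 ec2 and ssm clients (constructed here)."""

    def __init__(self):
        self.calls = []
        self._counters = {}

    def _next_id(self, prefix):
        self._counters[prefix] = self._counters.get(prefix, 0) + 1
        return f"{prefix}-{self._counters[prefix]:04d}"

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))
        return {}

    def send_command(self, **kw):
        self.calls.append(("send_command", kw))
        return {"Command": {"CommandId": self._next_id("cmd")}}

    def describe_instances(self, **kw):
        self.calls.append(("describe_instances", kw))
        return {"Reservations": [{"Instances": [{
            "InstanceId": kw["InstanceIds"][0],
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0aaa"}},
                                    {"Ebs": {"VolumeId": "vol-0bbb"}}]}]}]}

    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": self._next_id("snap")}

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))
        return {}

    def modify_snapshot_attribute(self, **kw):
        self.calls.append(("modify_snapshot_attribute", kw))
        return {}


if __name__ == "__main__":
    fake = FakeAws()
    print(respond_to_instance_finding(fake, fake, "i-0123456789abcdef0", "finding-0001",
                                      "sg-0forensics", forensics_account_id="210987654321"))
```

The Lambda role needs only the calls used here (`ec2:ModifyInstanceAttribute`, `ssm:SendCommand`, `ec2:DescribeInstances`, `ec2:CreateSnapshot`, `ec2:CreateTags`, `ec2:ModifySnapshotAttribute`), which is what the deck's Lambda policy slide scopes; sharing the snapshot rather than the live volume keeps the production account's evidence untouched while the forensics account works on its own copy.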
Account Planning
[Diagram: a Production Account with a Region of Choice spanning Availability Zone A and Availability Zone B, each holding an EBS Forensics volume, alongside a separate Forensics Account; the second build adds an EBS Forensics volume inside the Forensics Account.]
IAM Policies
[Screenshot: LAMBDA POLICY]
CloudWatch Rules
[Screenshot: CloudWatch Dashboard POLICY]
Demo
Remediation Actions
A: Remediate Compromised Instances
Backdoor:EC2/XORDDOS
Backdoor:EC2/Spambot (spam)
Backdoor:EC2/C&CActivity.B!DNS
CryptoCurrency:EC2/BitcoinTool.B!DNS
Recon:EC2/Portscan
Trojan:EC2/BlackholeTraffic
Trojan:EC2/DropPoint
Trojan:EC2/BlackholeTraffic!DNS
Trojan:EC2/DriveBySourceTraffic!DNS
Trojan:EC2/DropPoint!DNS
Trojan:EC2/DGADomainRequest.B
Trojan:EC2/DNSDataExfiltration
UnauthorizedAccess:EC2/TorIPCaller
UnauthorizedAccess:EC2/MaliciousIPCaller.Custom
UnauthorizedAccess:EC2/SSHBruteForce
UnauthorizedAccess:EC2/RDPBruteForce
B: Investigate before EC2 Remediation
Behavior:EC2/NetworkPortUnusual
Behavior:EC2/TrafficVolumeUnusual
C: Remediate AWS Credentials
PenTest:IAMUser/KaliLinux
Recon:IAMUser/TorIPCaller
Recon:IAMUser/MaliciousIPCaller
Recon:IAMUser/MaliciousIPCaller.Custom
Stealth:IAMUser/PasswordPolicyChange
Stealth:IAMUser/CloudTrailLoggingDisabled
UnauthorizedAccess:IAMUser/TorIPCaller
UnauthorizedAccess:IAMUser/MaliciousIPCaller
UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom
UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration
D: Investigate before Credential Remediation
Behavior:IAMUser/InstanceLaunchUnusual
UnauthorizedAccess:IAMUser/UnusualASNCaller
E: Architecture Change
Recon:EC2/PortProbeUnprotectedPort
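The grouping above is the routing table an automatic-remediation Lambda needs. As an added example, not code from the deck or from AWS, the handler below takes the CloudWatch Events envelope that the GuardDuty -> CloudWatch Events -> Lambda flow delivers, classifies `detail.type` into actions A to E exactly as the slide groups them, and picks out the instance id or IAM principal a remediation would act on. The event-pattern dict is the one such a rule would use; the sample event is constructed.

```python
"""Classify a GuardDuty finding into the deck's remediation actions A-E.
Added example; written as a Lambda handler behind a CloudWatch Events rule."""

# Event pattern for the CloudWatch Events rule that routes findings to the Lambda.
EVENT_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}

# Finding types per remediation action, as grouped on the slide.
ACTIONS = {
    "A": ("Remediate compromised instance", {
        "Backdoor:EC2/XORDDOS", "Backdoor:EC2/Spambot", "Backdoor:EC2/C&CActivity.B!DNS",
        "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Recon:EC2/Portscan",
        "Trojan:EC2/BlackholeTraffic", "Trojan:EC2/DropPoint", "Trojan:EC2/BlackholeTraffic!DNS",
        "Trojan:EC2/DriveBySourceTraffic!DNS", "Trojan:EC2/DropPoint!DNS",
        "Trojan:EC2/DGADomainRequest.B", "Trojan:EC2/DNSDataExfiltration",
        "UnauthorizedAccess:EC2/TorIPCaller", "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom",
        "UnauthorizedAccess:EC2/SSHBruteForce", "UnauthorizedAccess:EC2/RDPBruteForce"}),
    "B": ("Investigate before EC2 remediation", {
        "Behavior:EC2/NetworkPortUnusual", "Behavior:EC2/TrafficVolumeUnusual"}),
    "C": ("Remediate AWS credentials", {
        "PenTest:IAMUser/KaliLinux", "Recon:IAMUser/TorIPCaller", "Recon:IAMUser/MaliciousIPCaller",
        "Recon:IAMUser/MaliciousIPCaller.Custom", "Stealth:IAMUser/PasswordPolicyChange",
        "Stealth:IAMUser/CloudTrailLoggingDisabled", "UnauthorizedAccess:IAMUser/TorIPCaller",
        "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
        "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
        "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B",
        "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration"}),
    "D": ("Investigate before credential remediation", {
        "Behavior:IAMUser/InstanceLaunchUnusual", "UnauthorizedAccess:IAMUser/UnusualASNCaller"}),
    "E": ("Architecture change", {"Recon:EC2/PortProbeUnprotectedPort"}),
}

# A and C run without a human in the loop; B and D say "investigate before",
# and E is a design change rather than a runtime action.
AUTOMATIC = {"A", "C"}


def classify(finding_type):
    """Return (action code, label); unmapped types get None so a person looks at them."""
    for code, (label, types) in ACTIONS.items():
        if finding_type in types:
            return code, label
    return None, "Unmapped finding type: route to an analyst"


def target_of(detail):
    """The thing a remediation would act on: the instance id or the IAM principal."""
    resource = detail.get("resource", {})
    if resource.get("resourceType") == "Instance":
        return resource.get("instanceDetails", {}).get("instanceId")
    if resource.get("resourceType") == "AccessKey":
        keys = resource.get("accessKeyDetails", {})
        return keys.get("userName") or keys.get("accessKeyId")
    return None


def lambda_handler(event, context=None):
    """Entry point for the CloudWatch Events rule; returns the decision record
    from which a deployment would dispatch the EC2 or IAM calls."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"ignored": True, "reason": "not a GuardDuty finding event"}
    detail = event.get("detail", {})
    code, label = classify(detail.get("type"))
    return {"findingId": detail.get("id"), "type": detail.get("type"),
            "severity": detail.get("severity"), "action": code, "label": label,
            "automatic": code in AUTOMATIC, "target": target_of(detail)}


# Constructed CloudWatch Events envelope carrying a GuardDuty finding.
SAMPLE_EVENT = {
    "version": "0", "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "123456789012", "time": "2018-02-15T08:12:00Z", "region": "us-east-1",
    "detail": {
        "id": "5ab4d2b1e2f3a4b5", "severity": 8,
        "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration",
        "resource": {"resourceType": "AccessKey", "accessKeyDetails": {
            "accessKeyId": "ASIAIOSFODNN7EXAMPLE", "userType": "AssumedRole",
            "userName": "web-tier-role"}}},
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

Keeping the type-to-action table as data rather than a chain of `if` statements is deliberate: the slide's "more coming!" means new finding types will appear, and a type the table does not know must land on an analyst's queue rather than be silently dropped or, worse, auto-remediated by a default branch.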
Amazon GuardDuty Call to Action
Enable GuardDuty - monitor the cost and findings during the 30 day free
period – assess after 30 days where GuardDuty will sit in your overall
security strategy.
https://aws.amazon.com/guardduty/
aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS

Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Deep Dive on Amazon GuardDuty - AWS Online Tech Talks

  • 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Nathan Case Deep Dive on Amazon GuardDuty Needle.needle.needle…wait these are all needles… February, 2018
  • 2. Deep Dive on Amazon GuardDuty 1. Intro 2. Discussion of the Services Used (Amazon GuardDuty, Amazon CloudWatch, AWS Lambda) 3. Inspection of the Needles 4. What to do about them 5. What to do with the Red Needle 6. Auto Remediation
  • 3. Find the Needle, Skip the Haystack. GuardDuty helps security professionals quickly find the threats (the needle) to their environments in the sea of log data (the haystack), so they can focus on hardening their AWS environments and responding quickly to malicious or suspicious behavior. Amazon GuardDuty: All Signal, No Noise
  • 4. GuardDuty Threat Detection and Notification
  • 5. GuardDuty Account Relationships. Adding accounts to the service is simple and done via the console or API. Accounts whose invitations are accepted are designated "Member" accounts; the requesting account is the "Master" account. The Master account can do the following to ALL accounts: generate sample findings; configure and view/manage findings; suspend the GuardDuty service; upload and manage trusted IP and threat IP lists (coming soon!). The Master account can only disable its own account; member accounts must all be removed first, and by the member account.
  • 6. GuardDuty Threat Detection and Notification
  • 7. GuardDuty Data Sources
      VPC Flow Logs
      • Flow logs for VPCs do not need to be turned on to generate findings; the data is consumed through an independent duplicate stream.
      • Suggested: turn on VPC Flow Logs to augment data analysis (charges apply).
      DNS Logs
      • DNS findings are based on queries made from EC2 instances to known questionable domains.
      • DNS logs are in addition to Route 53 query logs. Route 53 is not required for GuardDuty to generate DNS-based findings.
      CloudTrail Events
      • CloudTrail history of AWS API calls used to access the Management Console, SDKs, CLI, etc. is presented by GuardDuty.
      • Identification of user and account activity, including the source IP address used to make the calls.
      Capture and save all event data via CWE or API call for long-term retention. Additional charges apply.
  • 8. GuardDuty Threat Detection and Notification
  • 9. GuardDuty Findings: Threat Purpose Details. Describes the primary purpose of the threat. Available at launch, more coming!
      • Backdoor: resource compromised and capable of contacting its source home
      • Behavior: activity that differs from the established baseline
      • CryptoCurrency: detected software associated with crypto currencies
      • PenTest: activity detected similar to that generated by known pen testing tools
      • Recon: attacker scoping vulnerabilities by probing ports, listening, database tables, etc.
      • Stealth: attack trying to hide its actions / tracks
      • Trojan: program detected carrying out suspicious activity
      • UnauthorizedAccess: suspicious activity / pattern by an unauthorized user
  • 10. GuardDuty Findings: Console / API
      AWS Management Console: quickly see threat information including severity, region, count/frequency, threat type, affected resource and source information; viewable via CloudWatch Events.
      API / JSON Format: export finding data for further analysis, including ingest into a SIEM, data enrichment, programmatic response, and additional information (ARN, span of time, resource info).
  • 11. GuardDuty Findings: Severity Levels
      LOW: suspicious or malicious activity blocked before it compromised a resource. Suggestion: no immediate recommended steps, but take note of the info as something to address in the future.
      MEDIUM: suspicious activity deviating from normally observed behavior. Suggestion: investigate further (check new software that changed the behavior of a resource; check changes to settings; AV scan on the resource to detect unauthorized software; examine permissions attached to the IAM entity implicated).
      HIGH: resource compromised and actively being used for an unauthorized purpose. Suggestion: take immediate action(s) (terminate instance(s); rotate IAM access keys).
  • 12. GuardDuty Threat Detection Type by API group
      Backdoor: EC2/XORDDOS, EC2/Spambot, EC2/C&CActivity.B!DNS
      CryptoCurrency: EC2/BitcoinTool.B!DNS
      Recon: EC2/PortProbeUnprotectedPort, EC2/Portscan, IAMUser/TorIPCaller, IAMUser/MaliciousIPCaller, IAMUser/MaliciousIPCaller.Custom
      Stealth: IAMUser/PasswordPolicyChange, IAMUser/CloudTrailLoggingDisabled
      UnauthorizedAccess: IAMUser/TorIPCaller, IAMUser/MaliciousIPCaller, IAMUser/MaliciousIPCaller.Custom, IAMUser/ConsoleLoginSuccess.B, IAMUser/UnusualASNCaller, IAMUser/InstanceCredentialExfiltration, EC2/TorIPCaller, EC2/MaliciousIPCaller.Custom, EC2/SSHBruteForce, EC2/RDPBruteForce
      Behavior: IAMUser/InstanceLaunchUnusual, EC2/NetworkPortUnusual, EC2/TrafficVolumeUnusual
      PenTest: IAMUser/KaliLinux
      Trojan: EC2/BlackholeTraffic, EC2/DropPoint, EC2/BlackholeTraffic!DNS, EC2/DriveBySourceTraffic!DNS, EC2/DropPoint!DNS, EC2/DGADomainRequest.B, EC2/DGADomainRequest.C!DNS, EC2/DNSDataExfiltration, EC2/PhishingDomainRequest
  • 13. GuardDuty Threat Detection and Notification
  • 14. Responding to Findings: Remediation. Remediate a compromised instance; remediate compromised AWS credentials. Automatic remediation: Amazon GuardDuty finding -> Amazon CloudWatch Events rule -> AWS Lambda function.
  • 15-26. Lambda + Systems Manager + CloudWatch (one diagram built up across these slides). Components: Amazon GuardDuty, an Amazon CloudWatch rule, an AWS Lambda function, AWS Systems Manager documents, and the EC2 instance with its contents, elastic network adapters and EBS volume. Sequence shown: the instance's security group allows 80, 443 -> DataSG; a 3389 -> 0.0.0.0/0 rule appears and is then removed, leaving only 80, 443 -> DataSG; Systems Manager documents run on the instance (Instance:~ ec2-user$ top, Instance:~ ec2-user$ pcap, Instance:~ ec2-user$ lime); the EBS volume is handed over for EBS Forensics; finally an Amazon EBS snapshot is taken.
  • 27-28. Account Planning: Production Account (Region of Choice, Availability Zone A, Availability Zone B); a separate Forensics Account holding the EBS Forensics volumes.
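The sequence the diagram animates, written out as code. This is an added example, not code from the deck: it captures volatile state through a Systems Manager document, replaces the instance's security groups with a quarantine group, snapshots every EBS volume and shares the snapshots with a separate forensics account, using the boto3 EC2 and SSM client API. Small in-memory stand-ins for those clients are included so the module runs offline; pass boto3.client("ec2") and boto3.client("ssm") for real use. The security group, account id and SSM document name are constructed placeholders.

```python
"""Quarantine a GuardDuty-flagged EC2 instance and preserve evidence (added example)."""

# Constructed identifiers; replace with your own.
QUARANTINE_SG = "sg-0123456789quarantine"       # allows only 80, 443 -> DataSG, nothing else
FORENSICS_ACCOUNT = "111122223333"              # the separate forensics account
CAPTURE_DOCUMENT = "Forensics-CaptureVolatile"  # hypothetical SSM document wrapping top / pcap / lime


def quarantine_and_snapshot(ec2, ssm, instance_id, finding_id):
    """Return an evidence record. Order matters: volatile state first, disks last."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original_sgs = [g["GroupId"] for g in inst["SecurityGroups"]]
    volumes = [m["Ebs"]["VolumeId"] for m in inst["BlockDeviceMappings"] if "Ebs" in m]

    # 1. Memory and live network state vanish on stop/terminate, so capture them first.
    cmd = ssm.send_command(InstanceIds=[instance_id], DocumentName=CAPTURE_DOCUMENT,
                           Parameters={"findingId": [finding_id]})
    command_id = cmd["Command"]["CommandId"]

    # 2. Replace every security group with the quarantine group (the deck's slide 22:
    #    the 3389 -> 0.0.0.0/0 rule is gone, only 80, 443 -> DataSG remains).
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])

    # 3. Snapshot each EBS volume, tag it with the finding, and grant the forensics
    #    account permission to create volumes from it (slides 26-28).
    snapshots = []
    for vol in volumes:
        snap = ec2.create_snapshot(VolumeId=vol, Description=f"GuardDuty {finding_id} {instance_id}")
        ec2.create_tags(Resources=[snap["SnapshotId"]],
                        Tags=[{"Key": "GuardDutyFinding", "Value": finding_id}])
        ec2.modify_snapshot_attribute(SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission",
                                      OperationType="add", UserIds=[FORENSICS_ACCOUNT])
        snapshots.append(snap["SnapshotId"])

    return {"instance": instance_id, "original_security_groups": original_sgs,
            "capture_command": command_id, "snapshots": snapshots}


class FakeEC2:
    """Offline stand-in for boto3's EC2 client: boto3-shaped responses, state kept in memory."""

    def __init__(self, instance_id, groups, volumes):
        self.groups = {instance_id: list(groups)}
        self.volumes = {instance_id: list(volumes)}
        self.shared = {}   # snapshot id -> accounts granted createVolumePermission
        self.tags = {}

    def describe_instances(self, InstanceIds):
        iid = InstanceIds[0]
        return {"Reservations": [{"Instances": [{
            "InstanceId": iid,
            "SecurityGroups": [{"GroupId": g} for g in self.groups[iid]],
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": v}} for v in self.volumes[iid]]}]}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.groups[InstanceId] = list(Groups)

    def create_snapshot(self, VolumeId, Description):
        sid = "snap-" + VolumeId.split("-", 1)[1]
        self.shared[sid] = []
        return {"SnapshotId": sid, "Description": Description}

    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.tags[r] = {t["Key"]: t["Value"] for t in Tags}

    def modify_snapshot_attribute(self, SnapshotId, Attribute, OperationType, UserIds):
        if Attribute == "createVolumePermission" and OperationType == "add":
            self.shared[SnapshotId].extend(UserIds)


class FakeSSM:
    """Offline stand-in for boto3's SSM client; records the last command sent."""

    def send_command(self, InstanceIds, DocumentName, Parameters):
        self.last = (InstanceIds, DocumentName, Parameters)
        return {"Command": {"CommandId": "cmd-constructed-0001"}}


def demo():
    """Constructed scenario: one instance, two security groups, two EBS volumes."""
    ec2 = FakeEC2("i-0abc123", ["sg-web", "sg-rdp-open"], ["vol-0root", "vol-0data"])
    ssm = FakeSSM()
    record = quarantine_and_snapshot(ec2, ssm, "i-0abc123", "finding-constructed-1")
    return ec2, ssm, record


if __name__ == "__main__":
    print(demo()[2])
```

The original security group ids go into the evidence record rather than being discarded, so the responder can see what the instance was exposed to; the Lambda role behind this needs only the five EC2 calls and ssm:SendCommand used above.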
  • 29-30. IAM Policies: Lambda Policy
  • 31-32. CloudWatch Rules; CloudWatch Dashboard; Policy
  • 33. Demo
  • 34. Remediation Actions
      A: Remediate Compromised Instances: Backdoor:EC2/XORDDOS, Backdoor:EC2/Spambot (spam), Backdoor:EC2/C&CActivity.B!DNS, CryptoCurrency:EC2/BitcoinTool.B!DNS, Recon:EC2/Portscan, Trojan:EC2/BlackholeTraffic, Trojan:EC2/DropPoint, Trojan:EC2/BlackholeTraffic!DNS, Trojan:EC2/DriveBySourceTraffic!DNS, Trojan:EC2/DropPoint!DNS, Trojan:EC2/DGADomainRequest.B, Trojan:EC2/DNSDataExfiltration, UnauthorizedAccess:EC2/TorIPCaller, UnauthorizedAccess:EC2/MaliciousIPCaller.Custom, UnauthorizedAccess:EC2/SSHBruteForce, UnauthorizedAccess:EC2/RDPBruteForce
      B: Investigate before EC2 Remediation: Behavior:EC2/NetworkPortUnusual, Behavior:EC2/TrafficVolumeUnusual
      C: Remediate AWS Credentials: PenTest:IAMUser/KaliLinux, Recon:IAMUser/TorIPCaller, Recon:IAMUser/MaliciousIPCaller, Recon:IAMUser/MaliciousIPCaller.Custom, Stealth:IAMUser/PasswordPolicyChange, Stealth:IAMUser/CloudTrailLoggingDisabled, UnauthorizedAccess:IAMUser/TorIPCaller, UnauthorizedAccess:IAMUser/MaliciousIPCaller, UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom, UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B, UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration
      D: Investigate before Credential Remediation: Behavior:IAMUser/InstanceLaunchUnusual, UnauthorizedAccess:IAMUser/UnusualASNCaller
      E: Architecture Change: Recon:EC2/PortProbeUnprotectedPort
  • 35. Amazon GuardDuty Call to Action: enable GuardDuty, monitor the cost and findings during the 30-day free period, and assess after 30 days where GuardDuty will sit in your overall security strategy. https://aws.amazon.com/guardduty/
  • 36. aws.amazon.com/activate: Everything and Anything Startups Need to Get Started on AWS
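The slide-34 table turned into the routing half of the Lambda from slide 14. This is an added example, not code from the deck: it holds the CloudWatch Events rule pattern that selects GuardDuty findings, a matcher for the subset of pattern semantics that rule uses (so the pattern can be checked offline), and the handler logic that looks the finding type up in the table, pulls out the affected instance or access key from the finding JSON, and only marks lanes A and C for automatic action at High severity, as slide 11 recommends. Anything not in the table is left for a human. The sample events are constructed; the severity band boundary (High starts at 7) comes from the GuardDuty documentation, not the deck.

```python
"""Route a GuardDuty finding event to a slide-34 remediation lane (added example)."""

# Pattern attached to the CloudWatch Events rule: every GuardDuty finding in the region.
RULE_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}

LANES = {"A": "Remediate compromised instance", "B": "Investigate before EC2 remediation",
         "C": "Remediate AWS credentials", "D": "Investigate before credential remediation",
         "E": "Architecture change"}


def _lane(letter, types):
    return {t: letter for t in types}


# Finding type -> lane, transcribed from slide 34.
LANE_BY_TYPE = {
    **_lane("A", ["Backdoor:EC2/XORDDOS", "Backdoor:EC2/Spambot", "Backdoor:EC2/C&CActivity.B!DNS",
                  "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Recon:EC2/Portscan",
                  "Trojan:EC2/BlackholeTraffic", "Trojan:EC2/DropPoint", "Trojan:EC2/BlackholeTraffic!DNS",
                  "Trojan:EC2/DriveBySourceTraffic!DNS", "Trojan:EC2/DropPoint!DNS",
                  "Trojan:EC2/DGADomainRequest.B", "Trojan:EC2/DNSDataExfiltration",
                  "UnauthorizedAccess:EC2/TorIPCaller", "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom",
                  "UnauthorizedAccess:EC2/SSHBruteForce", "UnauthorizedAccess:EC2/RDPBruteForce"]),
    **_lane("B", ["Behavior:EC2/NetworkPortUnusual", "Behavior:EC2/TrafficVolumeUnusual"]),
    **_lane("C", ["PenTest:IAMUser/KaliLinux", "Recon:IAMUser/TorIPCaller", "Recon:IAMUser/MaliciousIPCaller",
                  "Recon:IAMUser/MaliciousIPCaller.Custom", "Stealth:IAMUser/PasswordPolicyChange",
                  "Stealth:IAMUser/CloudTrailLoggingDisabled", "UnauthorizedAccess:IAMUser/TorIPCaller",
                  "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
                  "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
                  "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B",
                  "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration"]),
    **_lane("D", ["Behavior:IAMUser/InstanceLaunchUnusual", "UnauthorizedAccess:IAMUser/UnusualASNCaller"]),
    **_lane("E", ["Recon:EC2/PortProbeUnprotectedPort"]),
}
AUTOMATIC_LANES = {"A", "C"}   # the two "remediate" lanes; B, D and E always go to a human
HIGH_SEVERITY = 7.0            # GuardDuty bands: Low 0.1-3.9, Medium 4-6.9, High 7-8.9


def matches(pattern, event):
    """Subset of CloudWatch Events pattern semantics used by RULE_PATTERN: every pattern
    key must be present; a list means "any of these exact values"; a nested dict recurses."""
    for key, want in pattern.items():
        if key not in event:
            return False
        got = event[key]
        if isinstance(want, dict):
            if not isinstance(got, dict) or not matches(want, got):
                return False
        elif got not in want:
            return False
    return True


def route(event):
    """Routing decision for one event, or None when the rule would not have fired."""
    if not matches(RULE_PATTERN, event):
        return None
    detail = event["detail"]
    finding_type = detail["type"]
    severity = float(detail["severity"])
    resource = detail["resource"]
    if resource["resourceType"] == "Instance":
        target = resource["instanceDetails"]["instanceId"]
    elif resource["resourceType"] == "AccessKey":
        target = resource["accessKeyDetails"]["accessKeyId"]
    else:
        target = None
    lane = LANE_BY_TYPE.get(finding_type)   # None for types GuardDuty added after the table
    automatic = lane in AUTOMATIC_LANES and severity >= HIGH_SEVERITY
    return {"finding": detail.get("id"), "type": finding_type, "severity": severity,
            "lane": lane, "action": LANES.get(lane, "Triage unknown finding type"),
            "target": target, "automatic": automatic}


def sample_event(finding_type, severity, resource):
    """Constructed event in the shape CloudWatch delivers GuardDuty findings."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"id": "constructed-" + finding_type.split("/")[-1], "type": finding_type,
                       "severity": severity, "resource": resource}}


# Constructed resources, shaped like the resource block of a real finding.
INSTANCE = {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0constructed"}}
ACCESS_KEY = {"resourceType": "AccessKey",
              "accessKeyDetails": {"accessKeyId": "AKIAEXAMPLEKEY", "userName": "alice"}}

if __name__ == "__main__":
    for ftype, sev, res in [("Backdoor:EC2/XORDDOS", 8, INSTANCE),
                            ("Behavior:EC2/NetworkPortUnusual", 8, INSTANCE),
                            ("Stealth:IAMUser/CloudTrailLoggingDisabled", 5, ACCESS_KEY)]:
        print(route(sample_event(ftype, sev, res)))
```

The `automatic` flag is what the remediation Lambda keys on; everything else in the record is what the notification path (SIEM, ticket, page) needs, so one function serves both branches of slide 14.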