Detecting and mitigating threats with AWS
SEC301, AWS Summit
Nathan Case, Solutions Architect, Security
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS security solutions

Identity: AWS Identity & Access Management (IAM), AWS Organizations, Amazon Cognito, AWS Directory Service, AWS Single Sign-On
Detective control: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs
Infrastructure security: Amazon EC2 Systems Manager, AWS Shield, AWS Web Application Firewall (AWS WAF), Amazon Inspector, Amazon Virtual Private Cloud (Amazon VPC)
Data protection: AWS Key Management Service (AWS KMS), AWS CloudHSM, Amazon Macie, AWS Certificate Manager, Server-side encryption
Incident response: AWS Config rules, AWS Lambda, AWS Enterprise Support
Why is traditional threat detection so hard?
• Cost
• Signal to noise
• Large datasets
Humans and data don’t mix
Threat detection: Log data inputs
• AWS CloudTrail: track user activity and API usage
• VPC Flow Logs: IP traffic to/from network interfaces in your VPC
• CloudWatch Logs: monitor apps using log data, store & access log files
• DNS logs: log of DNS queries in a VPC when using the VPC DNS resolver
AWS CloudTrail
Detect with VPC Flow Logs
Fields in each flow log record: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start and end time, accept or reject.
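The field list above is what a detector has to consume. The following is an added example, not code from this talk or from AWS: it parses the default version-2 flow-log record, whose fields are exactly the ones the slide lists, and flags any source address that was rejected on many distinct destination ports inside the capture window, one simple signal a defender can pull out of VPC Flow Logs without any other tooling. The sample records, the account ID 123456789012 and the interface ID are constructed.

```python
"""Parse VPC Flow Log records and flag sources probing many ports.

Added example for this deck, not code from the talk or from AWS. It assumes
the default (version 2) flow-log record layout, whose fields are the ones
the slide lists; the sample records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Default version-2 record: 14 space-separated fields in this order.
FLOW_LOG_FIELDS = (
    "version account_id interface_id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log_status"
).split()


@dataclass(frozen=True)
class FlowRecord:
    account_id: str
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int    # IANA protocol number, 6 = TCP
    packets: int
    bytes: int
    start: int       # Unix seconds, window start
    end: int         # Unix seconds, window end
    action: str      # ACCEPT or REJECT
    log_status: str  # OK, NODATA or SKIPDATA


def parse_flow_record(line: str) -> Optional[FlowRecord]:
    """Parse one record; NODATA/SKIPDATA rows carry '-' fields and yield None."""
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        raise ValueError(f"expected {len(FLOW_LOG_FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FLOW_LOG_FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(
        account_id=rec["account_id"], interface_id=rec["interface_id"],
        srcaddr=rec["srcaddr"], dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]), dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]), packets=int(rec["packets"]),
        bytes=int(rec["bytes"]), start=int(rec["start"]), end=int(rec["end"]),
        action=rec["action"], log_status=rec["log_status"],
    )


def rejected_port_sweeps(lines: Iterable[str], min_ports: int = 5) -> Dict[str, List[int]]:
    """Sources REJECTed on at least min_ports distinct destination ports.

    One host being refused on many different ports inside one capture window
    is the shape of a port sweep. Accepted traffic is ignored, and only the
    destination port is counted, so a client's ephemeral source ports do not
    inflate the number.
    """
    ports = defaultdict(set)
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None or rec.action != "REJECT":
            continue
        ports[rec.srcaddr].add(rec.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed records: account 123456789012, one ENI, a 30-second window.
# 198.51.100.7 (documentation range) is refused on six ports, 10.0.0.26 on one,
# 10.0.0.25 is a normal accepted HTTPS client, and the last row carries no data.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.32.14 51234 22 6 1 40 1559600000 1559600030 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.32.14 51235 23 6 1 40 1559600000 1559600030 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.32.14 51236 80 6 1 40 1559600000 1559600030 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.32.14 51237 443 6 1 40 1559600000 1559600030 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.32.14 51238 3389 6 1 40 1559600000 1559600030 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.32.14 51239 8080 6 1 40 1559600000 1559600030 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.0.25 10.0.32.14 40000 443 6 12 8200 1559600000 1559600030 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.0.26 10.0.32.14 40001 22 6 1 40 1559600000 1559600030 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1559600000 1559600030 - NODATA",
]


if __name__ == "__main__":
    for src, hit in rejected_port_sweeps(SAMPLE_LINES).items():
        print(f"{src} rejected on {len(hit)} ports: {hit}")
```

On the constructed input only 198.51.100.7 crosses the default threshold of five ports; lowering min_ports to 1 also surfaces the single rejected SSH attempt from 10.0.0.26, which shows why the threshold matters for signal to noise.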
Amazon CloudWatch Logs subscriptions
• Real-time feed of log events
• Delivered to an AWS Lambda function or an Amazon Kinesis Data Stream
• Supports custom processing, analysis, loading into other systems
• Cross-account data sharing for centralized log processing
Threat detection: Amazon GuardDuty
Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
Amazon GuardDuty threat detection and notification
Rabbit hole!
What can you detect using AWS services?
• Infrastructure: VPC resources, connectivity, on instance, ...
• Service: IAM, S3 buckets, billing, ...
• Application: patching, coding hole, ...
• Other?
Infrastructure and application domains (diagram)
VPC CIDR 10.0.0.0/16 spanning Availability Zones A, B and C, with a public subnet 10.0.0.0/19, a private subnet 10.0.32.0/20 and a sensitive subnet 10.0.48.0/21. Controls shown: security groups, route table, NACLs, internet gateway. Resources shown: instance, Amazon S3, Amazon RDS, AWS CloudHSM, AWS KMS, AWS Directory Service, AWS Organizations, IAM.
Services domains (same diagram as above)
All domains: What can you detect using AWS services? (same diagram as above)
Detecting unknown threats
Anomaly detection
• Algorithms to detect unusual behavior
o Inspecting signal patterns for signatures
o Profiling normal activity and looking at deviations
o Machine learning classifiers
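To make "profiling normal activity and looking at deviations" concrete, here is an added example (not the talk's code). It builds a per-principal baseline of daily API call counts, the kind of number you would aggregate from CloudTrail, using the median and the median absolute deviation, and then scores a new day against that baseline; a principal with no history at all is reported too, since "first time seen" is itself a deviation. The two-week history, today's counts and the principal names are constructed.

```python
"""Profile normal activity per principal and flag deviations.

Added example for this deck, not the talk's code. Input is the daily API call
count per IAM principal, the kind of number you would aggregate from CloudTrail;
the history, today's counts and the principal names are constructed.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed two-week history: (principal, calls that day).
HISTORY = (
    [("ci-deployer", n) for n in [198, 203, 200, 197, 205, 201, 199, 202, 200, 196, 204, 200, 198, 203]]
    + [("alice", n) for n in [18, 22, 20, 19, 21, 20, 23, 17, 20, 21, 19, 20, 22, 18]]
)
# Constructed counts for the day being checked.
TODAY = {"ci-deployer": 205, "alice": 900, "new-user": 3}


def build_baseline(history: Iterable[Tuple[str, int]]) -> Dict[str, Tuple[float, float]]:
    """principal -> (median daily count, median absolute deviation).

    Median/MAD rather than mean/standard deviation, so that one past spike
    does not stretch the baseline and hide the next one.
    """
    per_principal = defaultdict(list)
    for principal, count in history:
        per_principal[principal].append(count)
    baseline = {}
    for principal, counts in per_principal.items():
        med = median(counts)
        mad = median(abs(c - med) for c in counts)
        baseline[principal] = (med, mad)
    return baseline


def robust_zscore(value: float, med: float, mad: float) -> float:
    # 0.6745 rescales the MAD to a standard deviation for normally distributed
    # data; the floor of 1.0 keeps a perfectly flat history (MAD 0) from
    # flagging a change of a single call.
    return 0.6745 * (value - med) / max(mad, 1.0)


def find_deviations(baseline: Dict[str, Tuple[float, float]], today: Dict[str, int],
                    threshold: float = 3.5) -> List[Tuple[str, int, Optional[float], str]]:
    """(principal, count, score, reason) for principals that deviate upward or are unseen."""
    findings = []
    for principal, count in today.items():
        if principal not in baseline:
            findings.append((principal, count, None, "no baseline: first activity seen"))
            continue
        med, mad = baseline[principal]
        score = robust_zscore(count, med, mad)
        if score > threshold:
            findings.append((principal, count, round(score, 1),
                             f"{count} calls against a median of {med:g}"))
    return findings


if __name__ == "__main__":
    for item in find_deviations(build_baseline(HISTORY), TODAY):
        print(item)
```

On the constructed data the deployer's 205 calls score about 1.7 against a median of 200 and stay quiet, alice's 900 calls against a median of 20 score in the hundreds, and new-user is reported for having no baseline; in practice you would feed the flagged principals into the triggers described later rather than read them off a console.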
Visibility to answer the tough questions
• What data do I have in the cloud?
• Where is it located?
• Where does my sensitive data exist?
• What’s sensitive about the data?
• What PII/PHI is possibly exposed?
• How is data being shared and stored?
• How and where is my data accessed?
• How can I classify data in near-real time?
• How do I build workflow remediation for my security and compliance needs?
Visibility to answer the tough questions
The slide shows the support case AWS opens when it finds a customer's access key exposed (identifiers masked):

Amazon Web Services has opened case ******** on your behalf.
The details of the case are as follows:
Case ID: ********
Subject: Your AWS account ******** is compromised
Severity: Urgent
Correspondence: Dear AWS Customer,
Your AWS Account is compromised! Please review the following notice and take immediate action to secure your account.
Your security is important to us. We have become aware that the AWS Access Key ******** along with the corresponding Secret Key is publicly available online at ********….
Threat detection: Triggers
• Amazon CloudWatch Events: delivers a near real-time stream of system events that describe changes in AWS resources
• AWS Config rules: continuously tracks your resource configuration changes and whether they violate any of the conditions in your rules
AWS Config rules
A continuous recording and assessment service
Flow shown: changing resources are recorded by AWS Config and evaluated by AWS Config rules; the outputs are a normalized history, snapshots, notifications and API access.
• How are my resources configured over time?
• Is a change that just occurred to a resource compliant?
Amazon CloudWatch Events
Event pattern that selects GuardDuty findings:
{
  "source": [
    "aws.guardduty"
  ]
}
Flow shown: GuardDuty findings are emitted as CloudWatch Events, and the matching rule invokes a Lambda function.
Threat remediation: Automation
• AWS Systems Manager: automates patching and proactively mitigates threats at the instance level
• AWS Lambda: captures info about the IP traffic going to and from network interfaces in your VPC
High-level playbook
Flow shown: an adversary or intern acts on your environment; CloudWatch Events picks up the change and invokes the Lambda responder, which drives a Step Function.
Responding to findings: Remediation
Stages shown: Detection, Alerting, Remediation, Countermeasures, Forensics, Team collaboration (Slack etc.)
Services shown: Amazon CloudWatch, AWS CloudTrail, AWS Config, Amazon GuardDuty, VPC Flow Logs, Lambda function, AWS APIs, AWS Step Functions, AWS WAF, AWS Shield, Amazon EC2 Systems Manager, Amazon EC2
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
AWS Landing Zone structure: Basic
Inputs: Amazon S3 bucket (manifest file), AWS CodePipeline, AWS Service Catalog.
Core OU (each account carries the account baseline):
• AWS Organizations account: AWS Organizations, AWS SSO; account provisioning; account access (SSO)
• Shared services account: network baseline; Active Directory; log analytics
• Log archive account: aggregate CloudTrail and Config logs; security logs
• Security account: security cross-account roles; security notifications; audit/break-glass; Amazon GuardDuty master
Parameter store
The AWS Landing Zone pipeline
Stages: Source; Validate/build/test; Deploy core account structure; Deploy core resources; Deploy Service Catalog portfolio/products; Deploy baseline resources; Launch AVM for core accounts.
Components shown: AWS Landing Zone .zip file and manifest file in an Amazon S3 bucket, AWS CodeBuild, AWS Organizations, AWS Account Baseline StackSets (logging, security credentials), AWS Service Catalog, StackSet, core and vended accounts, AWS CloudFormation templates.
Lambda + Systems Manager + CloudWatch

Components on every build of this slide: Amazon GuardDuty, an Amazon CloudWatch rule, an AWS Lambda function, AWS Step Functions and AWS Systems Manager documents. The builds walk through one finding:
• GuardDuty raises the finding BACKDOOR:EC2/XORDDOS.
• GuardDuty findings are published as events; the CloudWatch rule matches the finding and invokes the Lambda function, which starts the Step Functions workflow.
• Communications and manual action: responders are notified, and manual action comes back into the workflow via Amazon API Gateway*.
• EC2 instance contents to account for (Instance:~ ec2-user$): the elastic network interface, the security group, the EBS volume and the IAM profile.
• An EBS snapshot is taken and copied to an Amazon S3 bucket, with AWS CloudTrail recording the API calls, and handed to a separate forensics account.
• On the instance, via Systems Manager documents, against the EBS volume and the IAM profile:
Instance:~ ec2-user$ top
Instance:~ ec2-user$ pcap
Instance:~ ec2-user$ lime
Instance:~ ec2-user$ dd
• Forensics: the forensics EBS volume, its EBS snapshot, the Amazon S3 bucket and the forensics account.

Easier done than said
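As an added example, not the talk's code and not an AWS SDK call, the walkthrough above condensed into a Lambda-style handler. It checks the incoming event against a CloudWatch Events pattern (the `"source": ["aws.guardduty"]` pattern from the earlier slide, narrowed here to instance findings), then turns the finding into an ordered response plan: notify, contain, preserve evidence, hand off to the forensics account, with a manual-review branch for lower severities. The matcher implements only the basic rule semantics (every pattern key present in the event, the event's value among the listed values, nested objects recursing); the severity bands are GuardDuty's published ones (High starts at 7.0); the sample finding, its instance ID and the step names are constructed, and GuardDuty itself writes the slide's finding type as Backdoor:EC2/XORDDoS.

```python
"""GuardDuty finding event -> CloudWatch Events pattern match -> response plan.

Added example for this deck, not the talk's code and not an AWS SDK call.
Pattern semantics are the basic CloudWatch Events rule: every pattern key
must exist in the event and the event's scalar must be one of the listed
values; nested dicts recurse. Step names are this example's own vocabulary.
"""

# The slide's pattern ({"source": ["aws.guardduty"]}) narrowed to findings
# about EC2 instances, so the plan below can rely on an instance ID.
GUARDDUTY_INSTANCE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"resource": {"resourceType": ["Instance"]}},
}

# GuardDuty severity bands: Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9.
HIGH_SEVERITY = 7.0

# Constructed finding event (trimmed); account and instance IDs are placeholders.
SAMPLE_FINDING = {
    "version": "0",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "type": "Backdoor:EC2/XORDDoS",
        "severity": 8,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}


def matches_pattern(event, pattern):
    """True if event satisfies the CloudWatch Events style pattern."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches_pattern(value, allowed):
                return False
        elif value not in allowed:
            return False
    return True


def plan_response(finding_detail):
    """Ordered playbook steps for an instance finding, chosen by severity."""
    instance_id = finding_detail["resource"]["instanceDetails"]["instanceId"]
    steps = ["notify_responders"]  # communications first (Slack etc. on the slide)
    if finding_detail["severity"] >= HIGH_SEVERITY:
        # Contain, then preserve evidence before anything changes on the host:
        # isolate with a quarantine security group, snapshot the EBS volumes,
        # capture memory and packets through Systems Manager, and move the
        # evidence to the forensics account; CloudTrail records each call.
        steps += ["isolate_instance", "snapshot_volumes",
                  "capture_memory_and_pcap", "copy_evidence_to_forensics_account"]
    else:
        # Lower severity: preserve evidence and ask a human to decide.
        steps += ["snapshot_volumes", "request_manual_review"]
    return {"instance_id": instance_id,
            "finding_type": finding_detail["type"],
            "steps": steps}


def handler(event, context=None):
    """Lambda-style entry point: None for events the rule would not match."""
    if not matches_pattern(event, GUARDDUTY_INSTANCE_PATTERN):
        return None
    return plan_response(event["detail"])


if __name__ == "__main__":
    print(handler(SAMPLE_FINDING))
```

Each step name is where a Step Functions state would call the corresponding AWS API; keeping the decision logic separate from those calls makes the branch for severity and resource type testable without an account, and a finding about an access key rather than an instance is simply not matched, so the plan never dereferences an instance ID that is not there.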
Remediating threats on Amazon EC2 instances
Amazon EC2 Systems Manager: Run command
• Asynchronously execute commands
• No need to SSH/RDP
• Commands and output logged
Flow shown: the Lambda function calls AWS Systems Manager, which runs the command on the Amazon EC2 instances.
Threat detection and remediation partner solutions
Consulting, data analysis, threat detection, and managed security operations
Open source resources
ThreatResponse
https://threatresponse.cloud
Cloud Custodian
https://github.com/capitalone/cloud-custodian
Security Monkey
https://github.com/Netflix/security_monkey
Scout 2
https://github.com/nccgroup/Scout2
StreamAlert
https://github.com/airbnb/streamalert
AWS CIS Foundation Framework
https://github.com/awslabs/aws-security-benchmark
AWS IR
https://github.com/ThreatResponse/aws_ir
Thank you!
Nathan Case
Contact information

AWS Technical Day Riyadh Nov 2019 - Scaling threat detection and response in aws
 
Sicurezza in AWS automazione e best practice
Sicurezza in AWS automazione e best practiceSicurezza in AWS automazione e best practice
Sicurezza in AWS automazione e best practice
 
Introduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSIntroduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWS
 
Proteggere applicazioni e dati nel cloud AWS
Proteggere applicazioni e dati nel cloud AWSProteggere applicazioni e dati nel cloud AWS
Proteggere applicazioni e dati nel cloud AWS
 
Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...
Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...
Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...
 
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsLock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
 
Threat detection - SEC207 - New York AWS Summit
Threat detection - SEC207 - New York AWS SummitThreat detection - SEC207 - New York AWS Summit
Threat detection - SEC207 - New York AWS Summit
 
Security & Compliance in the Cloud
Security & Compliance in the CloudSecurity & Compliance in the Cloud
Security & Compliance in the Cloud
 
So You've Got ATO - Are You Sure You are Secure?
So You've Got ATO - Are You Sure You are Secure?So You've Got ATO - Are You Sure You are Secure?
So You've Got ATO - Are You Sure You are Secure?
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
An Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAn Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your Applications
 
AWS PROTECTED: Why This Matters for Australia - AWS Summit Sydney
AWS PROTECTED: Why This Matters for Australia - AWS Summit SydneyAWS PROTECTED: Why This Matters for Australia - AWS Summit Sydney
AWS PROTECTED: Why This Matters for Australia - AWS Summit Sydney
 
Security@Scale
Security@ScaleSecurity@Scale
Security@Scale
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS Security
 
AWS PROTECTED Certification - Lunch & Learn
  AWS PROTECTED Certification - Lunch & Learn  AWS PROTECTED Certification - Lunch & Learn
AWS PROTECTED Certification - Lunch & Learn
 
Find all the threats - AWS threat detection and remediation - SEC202 - Atlant...
Find all the threats - AWS threat detection and remediation - SEC202 - Atlant...Find all the threats - AWS threat detection and remediation - SEC202 - Atlant...
Find all the threats - AWS threat detection and remediation - SEC202 - Atlant...
 

Plus de Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Plus de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Detecting and mitigating threats with AWS - SEC301 - Chicago AWS Summit

  • 1. Detecting and mitigating threats with AWS. Nathan Case, Solutions architect, Security. SEC301
  • 2. AWS security solutions, by domain. Identity: AWS Identity & Access Management (IAM), AWS Organizations, Amazon Cognito, AWS Directory Service, AWS Single Sign-On. Detective control: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs. Infrastructure security: Amazon EC2 Systems Manager, AWS Shield, AWS Web Application Firewall (AWS WAF), Amazon Inspector, Amazon Virtual Private Cloud (Amazon VPC). Data protection: AWS Key Management Service (AWS KMS), AWS CloudHSM, Amazon Macie, AWS Certificate Manager, server-side encryption. Incident response: AWS Config rules, AWS Lambda, AWS Enterprise Support.
  • 3. Why is traditional threat detection so hard? Large datasets, signal to noise, cost.
  • 4. Humans and data don't mix.
  • 5. Threat detection: log data inputs. AWS CloudTrail: track user activity and API usage. VPC Flow Logs: IP traffic to/from network interfaces in your VPC. CloudWatch Logs: monitor apps using log data, store and access log files. DNS logs: log of DNS queries in a VPC when using the VPC DNS resolver.
  • 6. AWS CloudTrail.
  • 7. Detect with VPC Flow Logs. Each record carries: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start and end time, and whether the traffic was accepted or rejected.
  • 8. Amazon CloudWatch Logs subscriptions. A real-time feed of log events, delivered to an AWS Lambda function or an Amazon Kinesis Data Stream; supports custom processing, analysis and loading into other systems; cross-account data sharing for centralized log processing.
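Slides 7 and 8 together describe the common pattern of streaming VPC Flow Logs through a CloudWatch Logs subscription into a Lambda function. The following is an added example, not code from the deck: it unpacks the base64-gzipped `awslogs` envelope a subscription delivers, parses the default (version 2) flow log record format from slide 7, and flags sources that were rejected on several distinct destination ports. The threshold of five ports, the sample records and the function names are my assumptions.

```python
"""
Decode a CloudWatch Logs subscription payload carrying VPC Flow Logs and
flag suspicious sources.  Added example, not from the original deck.
Assumptions (mine): the default version 2 flow log format, a threshold of
5 distinct REJECTed destination ports per source, and the constructed
sample records below.
"""
import base64
import gzip
import json
from collections import defaultdict

# VPC Flow Logs default (version 2) record: 14 space-separated fields.
FLOW_FIELDS = [
    "version", "account-id", "interface-id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log-status",
]

def parse_flow_record(line):
    """Parse one flow log line into a dict; None for malformed or NODATA/SKIPDATA rows."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        return None
    rec = dict(zip(FLOW_FIELDS, parts))
    if rec["log-status"] != "OK":
        return None  # NODATA/SKIPDATA rows carry '-' in the traffic fields
    for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[k] = int(rec[k])
    return rec

def decode_subscription_event(event):
    """Unpack the {'awslogs': {'data': base64(gzip(json))}} envelope that a
    CloudWatch Logs subscription hands to Lambda and return the raw messages."""
    blob = base64.b64decode(event["awslogs"]["data"])
    payload = json.loads(gzip.decompress(blob))
    if payload.get("messageType") != "DATA_MESSAGE":
        return []  # a CONTROL_MESSAGE is sent once when the subscription is created
    return [e["message"] for e in payload["logEvents"]]

def find_port_scanners(lines, min_ports=5):
    """Return {srcaddr: sorted ports} for sources REJECTed on at least
    min_ports distinct destination ports (a crude scan heuristic)."""
    rejected = defaultdict(set)
    for line in lines:
        rec = parse_flow_record(line)
        if rec and rec["action"] == "REJECT":
            rejected[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in rejected.items() if len(p) >= min_ports}

def make_subscription_event(lines, message_type="DATA_MESSAGE"):
    """Build a subscription-shaped event from constructed sample lines."""
    payload = {
        "messageType": message_type,
        "owner": "123456789012",
        "logGroup": "vpc-flow-logs",
        "logStream": "eni-0a1b2c3d4e5f67890-all",
        "subscriptionFilters": ["flow-to-lambda"],
        "logEvents": [{"id": str(i), "timestamp": 1560000000000 + i, "message": m}
                      for i, m in enumerate(lines)],
    }
    data = base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()
    return {"awslogs": {"data": data}}

# Constructed sample: 198.51.100.7 probes TCP ports 21-25 and is rejected;
# 10.0.1.5 makes an ordinary accepted HTTPS connection; one NODATA row.
SAMPLE_LINES = [
    f"2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.32.10 {40000 + p} {p} 6 1 44 1560000000 1560000060 REJECT OK"
    for p in range(21, 26)
] + [
    "2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.5 10.0.32.10 51234 443 6 20 2400 1560000000 1560000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1560000000 1560000060 - NODATA",
]

def handler(event, context=None):
    """Lambda entry point: decode the subscription payload and return suspects."""
    return find_port_scanners(decode_subscription_event(event))

if __name__ == "__main__":
    print(handler(make_subscription_event(SAMPLE_LINES)))
```

The REJECT-on-many-ports heuristic is deliberately simple; in production you would keep per-source state across invocations (for example in DynamoDB) because each subscription batch only covers a few seconds of traffic, and you would ignore NODATA/SKIPDATA rows as the parser does here rather than treating their `-` fields as values.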
  • 9. Threat detection: Amazon GuardDuty. Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads.
  • 10. Amazon GuardDuty threat detection and notification.
  • 11. Rabbit hole! What can you detect using AWS services? Infrastructure: VPC resources, connectivity, on instance, ... Service: IAM, S3 buckets, billing, ... Application: patching, coding hole, ... Other?
  • 12. Infrastructure and application domains. Example VPC (CIDR 10.0.0.0/16) spanning Availability Zones A, B and C, with a public subnet (10.0.0.0/19), a private subnet (10.0.32.0/20) and a sensitive subnet (10.0.48.0/21); security groups, route table, NACLs, internet gateway, instances; Amazon S3, Amazon RDS, AWS CloudHSM, AWS KMS, AWS Directory Service, AWS Organizations, IAM.
  • 13. Services domains (same diagram).
  • 14. All domains: what can you detect using AWS services? (same diagram).
  • 15. Detecting unknown threats. Anomaly detection: algorithms to detect unusual behavior, by inspecting signal patterns for signatures, by profiling normal activity and looking for deviations, and with machine learning classifiers.
  • 16. Visibility to answer the tough questions. What data do I have in the cloud? Where is it located? Where does my sensitive data exist? What's sensitive about the data? What PII/PHI is possibly exposed? How is data being shared and stored? How and where is my data accessed? How can I classify data in near-real time? How do I build workflow remediation for my security and compliance needs?
  • 17. Visibility to answer the tough questions (example AWS Support notice): Amazon Web Services has opened case ******** on your behalf. The details of the case are as follows: Case ID: ********. Subject: Your AWS account ******** is compromised. Severity: Urgent. Correspondence: Dear AWS Customer, Your AWS Account is compromised! Please review the following notice and take immediate action to secure your account. Your security is important to us. We have become aware that the AWS Access Key ******** along with the corresponding Secret Key is publicly available online at ********…
  • 18. Threat detection: triggers. Amazon CloudWatch Events delivers a near real-time stream of system events that describe changes in AWS resources. AWS Config rules continuously track your resource configuration changes and flag any change that violates the conditions in your rules.
  • 19. AWS Config rules: a continuous recording and assessment service. Changing resources are recorded by AWS Config in a normalized form (history, snapshot, notifications, API access) and evaluated by AWS Config rules. Questions it answers: How are my resources configured over time? Is a change that just occurred to a resource compliant?
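Slide 19's second question ("is a change that just occurred compliant?") is what a change-triggered custom Config rule answers. The following is an added example, not the deck's code: a Lambda evaluator for AWS::EC2::SecurityGroup configuration items that marks a group NON_COMPLIANT when it opens an administrative port to the whole internet. The policy (ports 22 and 3389, CIDRs 0.0.0.0/0 and ::/0), the function names and the sample configuration item are my assumptions; the configuration item field names follow the shape AWS Config records for security groups.

```python
"""
Custom AWS Config rule evaluator: is a security group change compliant?
Added example, not from the deck.  Assumptions (mine): a Lambda-backed
custom rule triggered on configuration changes to AWS::EC2::SecurityGroup,
a policy that no ingress rule may expose port 22 or 3389 to 0.0.0.0/0 or ::/0,
and the constructed configuration item below.
"""
import json

ADMIN_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}

def open_admin_rules(config_item):
    """Return (port, cidr) pairs in a security group configuration item that
    expose an admin port to the whole internet."""
    findings = []
    for perm in config_item["configuration"].get("ipPermissions", []):
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        # fromPort/toPort are absent when the rule covers all traffic (protocol -1)
        ports = ADMIN_PORTS if lo is None else {p for p in ADMIN_PORTS if lo <= p <= hi}
        if not ports:
            continue
        ranges = [r["cidrIp"] for r in perm.get("ipRanges", [])]
        ranges += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", [])]
        for cidr in ranges:
            if cidr in ANYWHERE:
                findings.extend((p, cidr) for p in sorted(ports))
    return findings

def evaluate(config_item):
    """Map a configuration item to a Config compliance verdict and annotation."""
    if config_item["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only covers security groups"
    if config_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted"
    bad = open_admin_rules(config_item)
    if bad:
        return "NON_COMPLIANT", ", ".join(f"port {p} open to {c}" for p, c in bad)
    return "COMPLIANT", "no admin port exposed to the internet"

def handler(event, context=None):
    """Lambda entry point for a change-triggered custom rule.  A deployed
    handler would pass the returned evaluation to config.put_evaluations()
    with event['resultToken']; here it is returned so it can be checked offline."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    verdict, annotation = evaluate(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": verdict,
        "Annotation": annotation[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

# Constructed configuration item: SSH open to the world (bad), HTTPS open (fine).
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2019-05-30T12:00:00.000Z",
    "configuration": {
        "ipPermissions": [
            {"fromPort": 22, "toPort": 22, "ipProtocol": "tcp",
             "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
            {"fromPort": 443, "toPort": 443, "ipProtocol": "tcp",
             "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        ]
    },
}

def sample_event(item=SAMPLE_ITEM):
    """Wrap a configuration item the way Config invokes a custom rule Lambda."""
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                          "messageType": "ConfigurationItemChangeNotification"}),
            "ruleParameters": "{}", "resultToken": "TESTMODE"}

if __name__ == "__main__":
    print(json.dumps(handler(sample_event()), indent=2))
```

Two details matter in practice: a rule that covers all traffic has no fromPort/toPort, so treating a missing port range as "every port" is what keeps an `ipProtocol: -1` rule from slipping past the check, and deleted resources must return NOT_APPLICABLE rather than an error or Config keeps the stale evaluation.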
  • 20. Amazon CloudWatch Events. A rule with the event pattern { "source": [ "aws.guardduty" ] } matches GuardDuty findings and delivers them to a Lambda function.
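The pattern on slide 20 matches every GuardDuty finding. As an added example (not the deck's code) the block below shows the matching semantics a rule applies, with the pattern narrowed to high-severity findings using the numeric comparison CloudWatch Events supports, and a Lambda-side router that picks a playbook by finding type. The matcher covers only the pattern features used here (exact-value lists, nested objects, `{"numeric": [...]}`); the severity threshold of 7, the routing table and the sample event are my assumptions.

```python
"""
How a CloudWatch Events rule selects GuardDuty findings, and how the
target Lambda can route them.  Added example, not from the deck.
Assumptions (mine): the severity threshold of 7, the routing table and the
constructed sample finding; the event envelope follows the shape
CloudWatch Events delivers to Lambda.
"""
import operator

# The deck's {"source": ["aws.guardduty"]} rule, narrowed to high-severity
# findings (GuardDuty: 1-3.9 low, 4-6.9 medium, 7-8.9 high).
RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
        "<=": operator.le, "=": operator.eq}

def _value_matches(value, matcher):
    """One pattern element against one event value."""
    if isinstance(matcher, dict) and "numeric" in matcher:
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False
        spec = matcher["numeric"]  # e.g. [">=", 7] or [">", 0, "<", 5]
        return all(_OPS[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2))
    return value == matcher

def pattern_matches(pattern, event):
    """True when every key in the pattern exists in the event and the event
    value is accepted by at least one matcher in the pattern's list."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not pattern_matches(allowed, event[key]):
                return False
        elif not any(_value_matches(event[key], m) for m in allowed):
            return False
    return True

# Finding-type prefix -> playbook (my routing table, not the deck's).
PLAYBOOKS = {
    "Backdoor:EC2/": "isolate-instance-and-snapshot",
    "CryptoCurrency:EC2/": "isolate-instance-and-snapshot",
    "UnauthorizedAccess:IAMUser/": "disable-access-key",
    "Recon:IAMUser/": "notify-only",
}

def route_finding(event):
    """Return the playbook to start for a matching event, or None if the
    rule would not have forwarded it."""
    if not pattern_matches(RULE_PATTERN, event):
        return None
    ftype = event["detail"]["type"]
    for prefix, playbook in PLAYBOOKS.items():
        if ftype.startswith(prefix):
            return playbook
    return "notify-only"

# Constructed sample event using the finding type the deck demonstrates.
SAMPLE_EVENT = {
    "version": "0",
    "id": "0b1c2d3e-1111-2222-3333-444455556666",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "time": "2019-05-30T12:00:00Z",
    "region": "us-east-2",
    "resources": [],
    "detail": {
        "type": "Backdoor:EC2/XORDDoS",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    print(route_finding(SAMPLE_EVENT))
```

Filtering in the rule rather than in the function is the cheaper place to drop noise: an unmatched event never invokes Lambda at all. Note that the value side of a pattern is always a list, so `"source": "aws.guardduty"` (a bare string) is an invalid pattern, not a looser one.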
  • 21. Threat remediation: automation. AWS Systems Manager automates patching and proactively mitigates threats at the instance level. AWS Lambda runs your remediation code in response to events, such as a CloudWatch Events rule matching a GuardDuty finding, without servers to manage.
  • 22. High-level playbook: an adversary (or an intern) acts in your environment; CloudWatch Events triggers a Step Function, which drives a Lambda responder.
  • 23. Responding to findings: remediation. Detection: Amazon GuardDuty, VPC Flow Logs, AWS CloudTrail, AWS Config. Alerting: Amazon CloudWatch. Remediation: Lambda function, AWS Step Functions, AWS APIs. Countermeasures: AWS WAF, AWS Shield. Forensics: Amazon EC2 Systems Manager, Amazon EC2. Team collaboration (Slack etc.).
  • 24. (diagram only)
  • 25. AWS Landing Zone structure: basic. Organizations account: account provisioning, account access (SSO). Shared services account: Active Directory, log analytics. Log archive account: security logs, aggregated CloudTrail and Config logs. Security account: audit/break-glass, security cross-account roles, security notifications, Amazon GuardDuty master. Building blocks: Amazon S3 bucket (manifest file), AWS CodePipeline, AWS Service Catalog, account baseline and network baseline, Core OU, AWS SSO, AWS Organizations, Parameter Store.
  • 26. The AWS Landing Zone pipeline. Source (AWS Landing Zone .zip file, manifest file and AWS CloudFormation templates in an Amazon S3 bucket); validate/build/test (AWS CodeBuild); deploy core account structure (AWS Organizations); deploy core resources (account baseline StackSets: logging, security credentials); deploy Service Catalog portfolio/products (AWS Service Catalog StackSet); deploy baseline resources; launch the AVM for core accounts (AWS Service Catalog, vended accounts).
  • 27. to 29. (diagram only)
  • 30. to 46. Lambda + Systems Manager + CloudWatch (a progressive build of the response playbook). Amazon GuardDuty raises a finding, in the demo BACKDOOR:EC2/XORDDOS; an Amazon CloudWatch rule matches it and invokes an AWS Lambda function, which starts an AWS Step Functions workflow that runs AWS Systems Manager Documents. Communications and manual action are exposed via Amazon API Gateway*. The affected EC2 instance consists of its elastic network interface, security group, EBS volume and IAM profile; the workflow takes an EBS snapshot, copies it with the AWS CloudTrail record to an Amazon S3 bucket, and shares it to a forensics account. On the instance itself, Systems Manager collects live evidence (top, pcap, lime, dd) onto a forensics EBS volume, which is in turn snapshotted, copied to S3 and moved to the forensics account. Easier done than said.
  • 47. (diagram only)
  • 48. Responding to findings: remediation (same as slide 23).
  • 49. Remediating threats on Amazon EC2 instances with Amazon EC2 Systems Manager Run Command: asynchronously execute commands; no need to SSH/RDP; commands and output are logged. A Lambda function calls AWS Systems Manager, which runs the command on the EC2 instances.
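Slides 30 to 46 and slide 49 describe one playbook: on an EC2-scoped GuardDuty finding, isolate the instance, preserve its EBS volumes, share the evidence with a forensics account, and collect live data through Systems Manager Run Command instead of SSH. The block below is an added example, not the deck's code. It takes the EC2 and SSM clients as parameters so the same function runs against real boto3 clients in Lambda and against the fake clients included here for an offline run; the boto3 call signatures are the real ones. The isolation security group, forensics account ID, collection commands, sample finding and all function and class names are my assumptions.

```python
"""
Automated response for an EC2-scoped GuardDuty finding: tag, isolate,
snapshot, share to a forensics account, then collect live data with
Systems Manager Run Command.  Added example, not the deck's code.
Assumptions (mine): ISOLATION_SG is a pre-created security group with no
rules, FORENSICS_ACCOUNT is the forensics account ID, COLLECT_COMMANDS are
the on-instance collection steps, and the Fake* clients stand in for boto3.
"""
ISOLATION_SG = "sg-0isolation00000000"      # assumed: no inbound or outbound rules
FORENSICS_ACCOUNT = "210987654321"          # assumed forensics account ID
# Assumed collection commands in the spirit of the deck's top / pcap / lime / dd
# list; tcpdump (and a LiME module for memory) must already be on the instance.
COLLECT_COMMANDS = [
    "top -b -n 1 > /var/tmp/ir-top.txt",
    "ss -tunap > /var/tmp/ir-sockets.txt",
    "timeout 60 tcpdump -i any -w /var/tmp/ir-capture.pcap || true",
]

def respond_to_ec2_finding(ec2, ssm, finding):
    """Run the playbook and return the evidence identifiers it produced."""
    instance_id = finding["resource"]["instanceDetails"]["instanceId"]
    finding_id = finding["id"]

    # 1. Tag first so an auto-scaler or a colleague does not terminate the
    #    instance while evidence is still being collected.
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": "SecurityIncident", "Value": finding_id}])

    # 2. Contain: replace every security group with the empty isolation group.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[ISOLATION_SG])

    # 3. Preserve disk state before anything else runs on the box.
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    snapshots = []
    for mapping in inst.get("BlockDeviceMappings", []):
        snap = ec2.create_snapshot(
            VolumeId=mapping["Ebs"]["VolumeId"],
            Description=f"IR {finding_id} {instance_id} {mapping['DeviceName']}",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "SecurityIncident", "Value": finding_id}]}],
        )["SnapshotId"]
        # Share with the forensics account, which copies the snapshot into its
        # own storage so the compromised account can no longer alter or delete it.
        ec2.modify_snapshot_attribute(SnapshotId=snap, Attribute="createVolumePermission",
                                      OperationType="add", UserIds=[FORENSICS_ACCOUNT])
        snapshots.append(snap)

    # 4. Volatile data via Run Command: no SSH, and every command and its output
    #    are recorded by Systems Manager.
    cmd = ssm.send_command(
        InstanceIds=[instance_id],
        DocumentName="AWS-RunShellScript",
        Comment=f"IR collection for {finding_id}",
        Parameters={"commands": COLLECT_COMMANDS},
    )["Command"]["CommandId"]
    return {"instance": instance_id, "snapshots": snapshots, "command": cmd}

class FakeEC2:
    """Offline stand-in for boto3's EC2 client that records its calls."""
    def __init__(self):
        self.calls = []
    def create_tags(self, **kw): self.calls.append(("create_tags", kw))
    def modify_instance_attribute(self, **kw): self.calls.append(("modify_instance_attribute", kw))
    def describe_instances(self, **kw):
        return {"Reservations": [{"Instances": [{"InstanceId": kw["InstanceIds"][0],
                "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0aaa"}},
                                        {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0bbb"}}]}]}]}
    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": "snap-" + kw["VolumeId"][4:]}
    def modify_snapshot_attribute(self, **kw): self.calls.append(("modify_snapshot_attribute", kw))

class FakeSSM:
    """Offline stand-in for boto3's SSM client."""
    def __init__(self):
        self.calls = []
    def send_command(self, **kw):
        self.calls.append(("send_command", kw))
        return {"Command": {"CommandId": "cmd-0001"}}

# Constructed finding in GuardDuty's shape, using the deck's example type.
SAMPLE_FINDING = {
    "id": "4ab1c2d3e4f5a6b7c8d9e0f1a2b3c4d5",
    "type": "Backdoor:EC2/XORDDoS",
    "severity": 8,
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
}

def run_offline():
    """Exercise the playbook against the fake clients and return everything."""
    ec2, ssm = FakeEC2(), FakeSSM()
    return respond_to_ec2_finding(ec2, ssm, SAMPLE_FINDING), ec2, ssm

if __name__ == "__main__":
    print(run_offline()[0])
    # In Lambda: respond_to_ec2_finding(boto3.client("ec2"), boto3.client("ssm"), event["detail"])
```

The order is the point: tag, then isolate, then snapshot, then touch the instance. Swapping the security group cuts the attacker's channel without changing anything on disk, and the snapshot of a running volume is crash-consistent, which is acceptable for evidence but is why volatile data (process list, sockets, packet capture) is collected separately afterwards. The Lambda role needs only the five EC2 and SSM actions used here, scoped to instances carrying the incident tag where the service supports it.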
  • 50. Threat detection and remediation partner solutions: consulting, data analysis, threat detection, and managed security operations.
  • 51. Open source resources: ThreatResponse https://threatresponse.cloud ; Cloud Custodian https://github.com/capitalone/cloud-custodian ; Security Monkey https://github.com/Netflix/security_monkey ; Scout2 https://github.com/nccgroup/Scout2 ; StreamAlert https://github.com/airbnb/streamalert ; AWS CIS Foundation Framework https://github.com/awslabs/aws-security-benchmark ; AWS IR https://github.com/ThreatResponse/aws_ir
  • 52. Thank you! Nathan Case, contact information.