Contenu connexe Similaire à Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM03-S - Chicago AWS Summit (20) Plus de Amazon Web Services (20) Gain visibility and real-time security alerts with VPC Flow Logs & AWS - DEM03-S - Chicago AWS Summit1. Gain Visibility and Real-Time Actionable Security Alerts with VPC
Flow Logs and AWS
Mindy Schlueter
Principal Cybersecurity Systems Engineer
2. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Why is this important? - Smarter threats are more
difficult to detect
Motivated and targeted
adversaries
Insider threats
Increased attack
sophistication
State sponsored
Financial/espionage motives
$1T cybercrime market
Compromised credentials
Disgruntled employees
Admin/privileged accounts
Advanced persistent threats
Encrypted malware
Zero-day exploits
Industry average
detection time for
a breach
Industry average
time to contain
a breach
Average cost
of a data
breach
Time
Source: Ponemon 2018 Cost of a Data Breach Study
3. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
What is required? - Visibility is required for detection,
but is it enough?
Crypto Mining
Network Recon
Ransomware
Compliance Network Visualization Bad User Behavior
Shadow IT Unapproved DNS
High Risk Countries
Poor Security Posture
4. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
The Challenge – How do we analyze massive amounts of data
from many sources to find the interesting event?
Network
Users
HQ
Data Center
Admin
Branch
RECORD
every conversation
Understand what is
NORMAL
Be alerted to
CHANGE
KNOW
every host
Respond to
THREATS quickly
Roaming Users
Cloud
5. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Stealthwatch Cloud
Help with Visibility, Threat Identification and Network Compliance Using Dynamic
Entity Modeling (Machine Learning)
Cloud Native Logs Premises Network Flows
Virtual Sensor
NetFlow
IPFIX
Mirror/Span
AWS
6. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Entity
Modeling
(Machine Learning)
How? - Use cloud native APIs and data sources to
ingest the traffic in near real time
What? - Maintain a model (a kind of simulation) of
each and every device & entity on your network
Why? - Have a derived understanding of typical
behavior, be able to detect when behavior changes
represent a security risk
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
How we do it?
7. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Machine Learning provides better threat detection
36 Day Baseline
Collect Input Draw ConclusionsPerform Analysis
AWS CloudTrail
NetFlow/IPFIX
IAM Logs
Watch lists
3rd Party Services
VPC Flow Logs
Dynamic Entity
Modeling
Using Machine
Learning
Group
Consistency
Rules
Forecast
Role
What ports/protocols does the device
continually use or never use?
Do all roles behave similarly? Do all remote
desktop servers communicate the same?
Does it communicate internally only?
What countries does it talk to? Should the
connection be allowed?
How much data does the device normally
send/receive by profile, time of day, etc.?
What is the role of the device? Should this role
being doing this on the network?
Turn network data into actionable alerts!
Start – collect meta data
8. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
36 Day Baseline
Monitor and model behavior
Classify roles
Dynamically assign
roles to entities
Alert Triggers for Database
Exfiltration
Database server
identified
IP address
detected
Data access from
regular location
Machine Learning helps us to detect abnormal activity for an entity
New External Connection
osbservation
New High Throughput
Connection
Existing IP accesses
database server
Communicates
with set of IPs
Data stays within
environment
?
Discovery & Learning
Role Detected Baselining
Normal Behavior
Anomaly Detected
Alert Generated
Machine Learning
9. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Excessive failed access attempts
Produce low-noise alerts
Made possible via Machine Learning
DDoS and amplification attacks
Potential data exfiltration
Geographically unusual remote access
Suspected botnet interaction
ALERT: Anomaly detected
96% of customers rated
the alerts generated by
Stealthwatch Cloud’s entity
modeling solutions as “helpful”
E.g. 10k endpoints =
1-2 Alerts/day
10. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Create an understanding of the resource/entity
http://www.cisco.obsrvbl.com/roles X IP Addresses
Traffic Counters
30 Day Dashboard
Connectivity Counters
Matched Traffic
Profiles
For example we monitor an entity’s:
11. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Expected behavior based on role
Lambda
Nat Gateway
Database Services
ELBs
Terminal Servers
http://www.cisco.obsrvbl.com/roles X
We use roles to predict how an entity will operate – determined by APIs or behavior
Someone scanning the IP of the NAT Gateway (role) is not as interesting as someone scanning my databases.
Entity with this role then
scan less important
Entity with this role
then scan more
important
12. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Network Visibility
In addition to entity visibility, Stealthwatch Cloud can provide visibility of network resources
13. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
A database server exporting data to a foreign country
Note the
supporting
observations
14. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Talos Intelligence - Web Probing from Tor Exit Nodes
172.23.3.45 entity appears on multiple
watch (black) lists
Leverage threat feeds like Cisco’s Talos to identify bad hosts
15. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Failed SSH connection attempts seen
Multiple access failures – entity does not have
SSH locked down
Detect poor security posture – without the need to
complete baselining
So let’s identity the gaps before they become compromises.
16. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Building Segmentation Rules
Compliance rules – catch unwanted
communications
Highlight forbidden communications
between internal entities
So let’s identity the gaps before they become
compromises.
17. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
AWS Account
How does it work? - Amazon Web Services architecture
SaaS Portal
API
Permissions allow
SWC to read AWS
services
Role Created for
SWC in Account
Amazon
CloudWatch
AWS
CloudTrail
Amazon VPC Amazon VPC Amazon VPC
Amazon Simple
Storage Service (S3)
AWS Identity and
Access Management (IAM)
Amazon GuardDuty AWS Lambda
Amazon Inspector AWS Config
Flow logs Flow logs
Read only
permissions required
for VPC flow logs
TLS 1.2
18. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
How do we integrate? - Open APIs and built-in services allow for
harmonization with current systems
SaaS Management Portal
Web Platforms
Email
SIEM AWS
And Other Applications
Amazon S3
Amazon
SQS
Stealthwatch
Cloud
Amazon
SNS
19. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
How do I get started! - 60 Day free trial via AWS Marketplace or Cisco Direct
SaaS Management Portal features -
Unlimited users
No patching necessary
Support included
Available anywhere
New features added
monthly
http://www.cisco.obsrvbl.com/roles X
Link to free trial - https://aws.amazon.com/marketplace/pp/B075MWZVBM