SlideShare une entreprise Scribd logo

Scaling threat detection and response on AWS

Amazon Web Services
Amazon Web Services

Join us for this hands-on workshop where you will learn about a number of AWS services you can use to identify and respond to threats in your AWS environments. Learn about the capabilities of Amazon GuardDuty, Amazon Macie, Amazon Inspector, and AWS Security Hub as you walk through real-world threat scenarios. For each scenario, we will review methods to detect and respond to threats both manually and automated using services like Amazon CloudWatch Events and AWS Lambda.

1  sur  54
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Jesse Fuchs Security Solutions Architect Amazon Web Services February 2019 Scaling threat detection and response on AWS Floor28
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Workshop Agenda • Intro • Module 1: Environment Build and Configuration (35 min) • Module 2: Attack simulation and presentation (30 min) • Module 3: Detect, investigate & respond (75 min) • Module 4: Review, discussion, and cleanup (15 min)
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Verizon 2018 Data Breach Investigations Report https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf Data Breach Patterns
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Workload Scenario What could possibly go wrong here?
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 1 Environment Build and Configuration
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 1 Agenda • Run the CloudFormation template (~5 min.) • Manual Setup Steps (~30 min.)
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Environment Build and Configuration
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. use us-west-2 https://awssecworkshops.com/ Directions (35 min): • Workshops (top navigation) • Scaling threat detection and response on AWS • Module 1: Environment Build (bottom right) • Run the AWS CloudFormation template • Complete manual setup steps Environment Build and Configuration
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 2 Attack Simulation and Presentation
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 2 Agenda • Run the CloudFormation template (~5 min.) • Threat detection and response presentation (~20 min.) • Environment walk-through (~10 min.)
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Attack Simulation Build https://awssecworkshops.com/ Directions (5 min): • Workshops (top navigation) • Scaling threat detection and response on AWS • Module 1: Environment Build • Module 2: Attack Simulation (bottom right) • Run the AWS CloudFormation template • Stop and wait for presentation use us-west-2
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection and Response
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Why is threat detection so hard? Skills shortageSignal to noiseLarge datasets
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Get humans away from the data and analysis AWS CISO Stephen Schmidt, at re:Invent 2017: “It's people who make mistakes, it's people who have good intentions but get phished, it's people who use the same credentials in multiple locations and don't use a hardware token for a multi-factor authentication… Get the humans away from the data.”
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Detecting breaches https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS CloudTrail AWS Config Rules Amazon CloudWatch Logs Amazon GuardDuty VPC Flow Logs Amazon Macie AWS Shield AWS WAF AWS Systems Manager Amazon Inspector VPC KMS AWS CloudHSM IAM AWS Organizations AWS Cognito AWS Directory Service AWS Single Sign-On Certificate Manager AWS Secrets Manager AWS Config Rules AWS Lambda AWS Systems Manager Amazon CloudWatch Events Protect RespondDetect RecoverIdentify AWS Lambda AWS DR and Backup Solutions AWS Systems Manager AWS Config AWS Security Solutions https://www.nist.gov/cyberframework
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection Services
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection: Log Data Inputs AWS CloudTrail VPC Flow Logs CloudWatch Logs DNS Logs Track user activity and API usage IP traffic to/from network interfaces in your VPC Monitor apps using log data, store & access log files Log of DNS queries in a VPC when using the VPC DNS resolver
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection: Machine Learning Amazon GuardDuty Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads Amazon Macie Machine learning-powered security service to discover, classify & protect sensitive data
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Introducing AWS Security Hub – In preview • Comprehensive view of your security and compliance state within AWS • Aggregates security findings generated by other AWS security services and partners • Analyze security trends and identify the highest-priority security issues Amazon Inspector Amazon GuardDuty Amazon Macie AWS Security Hub Security findings providers Findings Insights & Standards Other AWS Config Partner Solutions
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection: Evocations/Triggers Amazon CloudWatch Events Delivers a near real-time stream of system events that describe changes in AWS resources AWS Config Continuously tracks your resource configuration changes and if they violate any of the conditions in your rules
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon CloudWatch Events { "source": [ "aws.guardduty" ] } CloudWatch Event GuardDuty findings Lambda function Alert (e.g. Slack or PagerDuty) Automated response (e.g. Isolate instance) Send to SIEM (e.g. Splunk, QRader)
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Response Services
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Response Services AWS Systems Manager AWS Lambda Amazon Inspector Run code for virtually any kind of application or backend service – zero administration Gain operational insights and take action on AWS resources Automate security assessments of EC2 instances
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. High-Level Playbook Adversary Your environment Lambda function CloudWatch Events
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. High-Level Playbook Amazon CloudWatch Events AWS CloudTrail AWS Config AWS APIs Detection Alerting Remediation Countermeasures Forensics Team collaboration (Slack etc.) Amazon GuardDuty VPC Flow Logs Amazon Inspector AWS Step Functions AWS Security Hub
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Environment Walkthrough
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automated Responses Amazon CloudWatch Event Rule Macie finding triggers CloudWatch Event Rule CloudWatch Event Rule publishes to an SNS Topic CloudWatch Event Rule: threat-detection-wksp-macie-alert Amazon Macie Amazon SNS You CloudWatch Event Rule publishes to an SNS Topic
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automated Responses Amazon DynamoDB CloudWatch Event Rule: threat-detection-wksp-macie-alert Input Transformer InputTransformer: InputTemplate: '"Amazon Macie Alert: <macdesc>"' InputPathsMap: macdesc: "$.detail.summary.Description" Event Pattern { "detail-type": [ "Macie Alert" ], "source": [ "aws.macie" ] }
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automated Responses Amazon CloudWatch Event Rule GuardDuty IAM/EC2 finding triggers CloudWatch Event Rule CloudWatch Event Rule publishes to an SNS Topic CloudWatch Event Rule: Amazon GuardDuty Amazon SNS You CloudWatch Event Rule publishes to an SNS Topic threat-detection-wksp-guardduty-iam-finding threat-detection-wksp-guardduty-ec2-finding
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automated Responses Amazon DynamoDB CloudWatch Event Rule: threat-detection-wksp-macie-alert Input Transformer InputTransformer: InputTemplate: ""Amazon GuardDuty Finding : <type>"nn"Account : <account>"n"Region : <region>"n"Description : <description>"n"Access Key ID : <accessKey>"n"User Type : <userType>"" InputPathsMap: type: "$.detail.type" description: "$.detail.description" account: "$.account" region: "$.region" accessKey: "$.detail.resource.accessKeyDetails.accessKeyId" userType: "$.detail.resource.accessKeyDetails.userType" Event Pattern { "detail-type": [ "GuardDuty Finding" ], "source": [ "aws.guardduty" ], "detail": { "resource": { "resourceType": [ "AccessKey" ] } } }
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automated Responses CloudWatch Event Rule: threat-detection-wksp-guardduty-finding-ec2-maliciousip Amazon CloudWatch Event Rule GuardDuty EC2 malicious finding triggers CloudWatch Event Rule CloudWatch Event Rule triggers a Lambda function Amazon GuardDuty AWS Lambda Network Access Control List Function modifies a NACL Outbound Rule to Deny Destination IP
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automated Responses CloudWatch Event Rule: threat-detection-wksp-guardduty-finding-sshbruteforce Amazon CloudWatch Event Rule GuardDuty SSH bruteforce finding triggers CloudWatch Event Rule Amazon GuardDuty CloudWatch Event Rule triggers a Lambda function AWS Lambda Network Access Control List Function modifies a NACL Inbound Rule to Deny Destination IP AWS Lambda Amazon EC2 Function adds a unique tag to the EC2 instance listed in the finding Function creates and initiates an Inspector scan Inspector scans EC2 instance
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automated Responses CloudWatch Event Rule: threat-detection-wksp-guardduty-finding-sshbruteforce Event Pattern { "source": [ "aws.guardduty" ], "detail": { "type": [ "UnauthorizedAccess:EC2/SSHBruteForce" ] } }
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Review Questions • How can you create custom rules for Config? • How do GuardDuty and Macie differ when it comes to CloudTrail analysis? • What services are important for the automation of responses? • What performance impact does GuardDuty have on your account if you have more then 100 VPCs? • Which of the services discussed have direct access to your EC2 Instances?
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 3 Detection and Response
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Detect and Respond https://awssecworkshops.com/ Directions (75 min): • Workshops (top navigation) • Scaling threat detection and response on AWS • Module 1: Environment Build • Module 2: Attack Simulation • Module 3: Detect & Respond (bottom right) • Part 1: Compromised AWS IAM Credential • Part 2: Compromised EC2 instance • Part 3: Compromised S3 Bucket use us-west-2
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 4 Review, Discussion, & Cleanup
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 4 Agenda • Review ( 5 min) • Questions ( 10 min) • Cleanup
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Start Module 4 https://awssecworkshops.com/ Directions (45 min): • Workshops (top navigation) • Scaling threat detection and response on AWS • Module 1: Environment Build • Module 2: Attack Simulation • Module 3: Detect & Respond • Module 4: Discussion (bottom right) use us-west-2
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. The Attack
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What really happened?
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Workshop Questions
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 1 Why did the AWS API calls from the “malicious host” generate GuardDuty findings?
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 2 How many unique AWS API calls were made from the “malicious host” and how did you identify them?
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 3 The lab mentions you can ignore the high severity SSH brute force attack finding. Why can you ignore it and how is it different from the low severity brute force finding?
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 4 When you revoke all sessions for the IAM Role you run the risk of affecting the availability of your application. What can you change in the remediation to mitigate this?
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 4 "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "*" ], "Resource": [ "*" ], "Condition": { "DateLessThan": { "aws:TokenIssueTime": "2018-12-30T04:29:04.801Z" }, "StringEquals": { "aws:userId": ["AROAI47FH4JKLKEU4833D:i-06123456789098765"] } } } ]
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 5 What control can you put in place to prevent someone from making a S3 bucket or object anonymously accessible?
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 5 Block public access
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 6 What type of server-side encryption was used to encrypt the objects in the data bucket? Would Macie be able to classify the objects if you were to use SSE-KMS?
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 7 Macie had an alert for “S3 Bucket IAM policy grants global read rights.” We investigated that bucket in the workshop. Were the objects in the bucket actually publicly accessible? If the bucket had a policy that allowed for global read rights, would the encrypted objects be accessible?
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cleanup
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thank you! Floor28

Recommandé

Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...Amazon Web Services
 
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...Amazon Web Services
 
Federation & Access Management
Federation & Access ManagementFederation & Access Management
Federation & Access ManagementAmazon Web Services
 
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...Amazon Web Services
 
Securing serverless and container services - SDD306 - AWS re:Inforce 2019
Securing serverless and container services - SDD306 - AWS re:Inforce 2019 Securing serverless and container services - SDD306 - AWS re:Inforce 2019
Securing serverless and container services - SDD306 - AWS re:Inforce 2019 Amazon Web Services
 
Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...Amazon Web Services
 
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...Amazon Web Services
 
Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...Amazon Web Services
 

Recommandé

Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...Amazon Web Services
 
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...Amazon Web Services
 
Federation & Access Management
Federation & Access ManagementFederation & Access Management
Federation & Access ManagementAmazon Web Services
 
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...Amazon Web Services
 
Securing serverless and container services - SDD306 - AWS re:Inforce 2019
Securing serverless and container services - SDD306 - AWS re:Inforce 2019 Securing serverless and container services - SDD306 - AWS re:Inforce 2019
Securing serverless and container services - SDD306 - AWS re:Inforce 2019 Amazon Web Services
 
Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...Amazon Web Services
 
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...Amazon Web Services
 
Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...Amazon Web Services
 
Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019
Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019 Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019
Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019 Amazon Web Services
 
Building a well-engaged and secure AWS account access management - FND207-R ...
Building a well-engaged and secure AWS account access management - FND207-R ... Building a well-engaged and secure AWS account access management - FND207-R ...
Building a well-engaged and secure AWS account access management - FND207-R ...Amazon Web Services
 
Capital One case study: Addressing compliance and security within AWS - FND21...
Capital One case study: Addressing compliance and security within AWS - FND21...Capital One case study: Addressing compliance and security within AWS - FND21...
Capital One case study: Addressing compliance and security within AWS - FND21...Amazon Web Services
 
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019 Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019 Amazon Web Services
 
Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019
Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019 Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019
Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019 Amazon Web Services
 
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...Amazon Web Services
 
Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...
Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...
Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...Amazon Web Services
 
AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Phila...
AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Phila...AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Phila...
AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Phila...Amazon Web Services
 
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...Amazon Web Services
 
Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...
Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...
Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...Amazon Web Services
 
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...Amazon Web Services
 
Containers and mission-critical applications - SEP309-R - AWS re:Inforce 2019
Containers and mission-critical applications - SEP309-R - AWS re:Inforce 2019 Containers and mission-critical applications - SEP309-R - AWS re:Inforce 2019
Containers and mission-critical applications - SEP309-R - AWS re:Inforce 2019 Amazon Web Services
 
Module 1: AWS Introduction and History - AWSome Day Online Conference - APAC
Module 1: AWS Introduction and History - AWSome Day Online Conference - APACModule 1: AWS Introduction and History - AWSome Day Online Conference - APAC
Module 1: AWS Introduction and History - AWSome Day Online Conference - APACAmazon Web Services
 
Identity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF LoftIdentity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF LoftAmazon Web Services
 
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019 Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019 Amazon Web Services
 
AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...
AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...
AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...Bhavin Desai, CCIE Security
 
Accelerare l’utilizzo del Machine Learning con le soluzioni ML pronte per l’u...
Accelerare l’utilizzo del Machine Learning con le soluzioni ML pronte per l’u...Accelerare l’utilizzo del Machine Learning con le soluzioni ML pronte per l’u...
Accelerare l’utilizzo del Machine Learning con le soluzioni ML pronte per l’u...Amazon Web Services
 
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Amazon Web Services
 
Scale permissions management in AWS with attribute-based access control - SDD...
Scale permissions management in AWS with attribute-based access control - SDD...Scale permissions management in AWS with attribute-based access control - SDD...
Scale permissions management in AWS with attribute-based access control - SDD...Amazon Web Services
 
Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...
Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...
Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...Amazon Web Services
 
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Amazon Web Services
 
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...Amazon Web Services
 

Contenu connexe

Tendances

Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019
Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019 Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019
Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019 Amazon Web Services
 
Building a well-engaged and secure AWS account access management - FND207-R ...
Building a well-engaged and secure AWS account access management - FND207-R ... Building a well-engaged and secure AWS account access management - FND207-R ...
Building a well-engaged and secure AWS account access management - FND207-R ...Amazon Web Services
 
Capital One case study: Addressing compliance and security within AWS - FND21...
Capital One case study: Addressing compliance and security within AWS - FND21...Capital One case study: Addressing compliance and security within AWS - FND21...
Capital One case study: Addressing compliance and security within AWS - FND21...Amazon Web Services
 
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019 Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019 Amazon Web Services
 
Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019
Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019 Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019
Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019 Amazon Web Services
 
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...Amazon Web Services
 
Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...
Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...
Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...Amazon Web Services
 
AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Phila...
AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Phila...AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Phila...
AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Phila...Amazon Web Services
 
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...Amazon Web Services
 
Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...
Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...
Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...Amazon Web Services
 
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...Amazon Web Services
 
Containers and mission-critical applications - SEP309-R - AWS re:Inforce 2019
Containers and mission-critical applications - SEP309-R - AWS re:Inforce 2019 Containers and mission-critical applications - SEP309-R - AWS re:Inforce 2019
Containers and mission-critical applications - SEP309-R - AWS re:Inforce 2019 Amazon Web Services
 
Module 1: AWS Introduction and History - AWSome Day Online Conference - APAC
Module 1: AWS Introduction and History - AWSome Day Online Conference - APACModule 1: AWS Introduction and History - AWSome Day Online Conference - APAC
Module 1: AWS Introduction and History - AWSome Day Online Conference - APACAmazon Web Services
 
Identity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF LoftIdentity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF LoftAmazon Web Services
 
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019 Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019 Amazon Web Services
 
AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...
AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...
AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...Bhavin Desai, CCIE Security
 
Accelerare l’utilizzo del Machine Learning con le soluzioni ML pronte per l’u...
Accelerare l’utilizzo del Machine Learning con le soluzioni ML pronte per l’u...Accelerare l’utilizzo del Machine Learning con le soluzioni ML pronte per l’u...
Accelerare l’utilizzo del Machine Learning con le soluzioni ML pronte per l’u...Amazon Web Services
 
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Amazon Web Services
 
Scale permissions management in AWS with attribute-based access control - SDD...
Scale permissions management in AWS with attribute-based access control - SDD...Scale permissions management in AWS with attribute-based access control - SDD...
Scale permissions management in AWS with attribute-based access control - SDD...Amazon Web Services
 
Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...
Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...
Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...Amazon Web Services
 

Tendances (20)

Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019
Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019 Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019
Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019
 
Building a well-engaged and secure AWS account access management - FND207-R ...
Building a well-engaged and secure AWS account access management - FND207-R ... Building a well-engaged and secure AWS account access management - FND207-R ...
Building a well-engaged and secure AWS account access management - FND207-R ...
 
Capital One case study: Addressing compliance and security within AWS - FND21...
Capital One case study: Addressing compliance and security within AWS - FND21...Capital One case study: Addressing compliance and security within AWS - FND21...
Capital One case study: Addressing compliance and security within AWS - FND21...
 
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019 Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
 
Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019
Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019 Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019
Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019
 
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
 
Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...
Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...
Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...
 
AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Phila...
AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Phila...AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Phila...
AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Phila...
 
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
 
Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...
Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...
Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...
 
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
 
Containers and mission-critical applications - SEP309-R - AWS re:Inforce 2019
Containers and mission-critical applications - SEP309-R - AWS re:Inforce 2019 Containers and mission-critical applications - SEP309-R - AWS re:Inforce 2019
Containers and mission-critical applications - SEP309-R - AWS re:Inforce 2019
 
Module 1: AWS Introduction and History - AWSome Day Online Conference - APAC
Module 1: AWS Introduction and History - AWSome Day Online Conference - APACModule 1: AWS Introduction and History - AWSome Day Online Conference - APAC
Module 1: AWS Introduction and History - AWSome Day Online Conference - APAC
 
Identity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF LoftIdentity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
 
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019 Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019
 
AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...
AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...
AWS re:Inforce 2019 Builders session: Simplify and secure your network archit...
 
Accelerare l’utilizzo del Machine Learning con le soluzioni ML pronte per l’u...
Accelerare l’utilizzo del Machine Learning con le soluzioni ML pronte per l’u...Accelerare l’utilizzo del Machine Learning con le soluzioni ML pronte per l’u...
Accelerare l’utilizzo del Machine Learning con le soluzioni ML pronte per l’u...
 
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
 
Scale permissions management in AWS with attribute-based access control - SDD...
Scale permissions management in AWS with attribute-based access control - SDD...Scale permissions management in AWS with attribute-based access control - SDD...
Scale permissions management in AWS with attribute-based access control - SDD...
 
Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...
Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...
Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...
 

Similaire à Scaling threat detection and response on AWS

Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Amazon Web Services
 
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...Amazon Web Services
 
Threat detection - SEC207 - New York AWS Summit
Threat detection - SEC207 - New York AWS SummitThreat detection - SEC207 - New York AWS Summit
Threat detection - SEC207 - New York AWS SummitAmazon Web Services
 
Find All the Threats: AWS Threat Detection and Remediation - SEC303 - Anaheim...
Find All the Threats: AWS Threat Detection and Remediation - SEC303 - Anaheim...Find All the Threats: AWS Threat Detection and Remediation - SEC303 - Anaheim...
Find All the Threats: AWS Threat Detection and Remediation - SEC303 - Anaheim...Amazon Web Services
 
Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2Amazon Web Services
 
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...Amazon Web Services
 
Threat Detection and Remediation Workshop
Threat Detection and Remediation WorkshopThreat Detection and Remediation Workshop
Threat Detection and Remediation WorkshopAmazon Web Services
 
Building a security knowledge management platform for AWS - FND224 - AWS re:I...
Building a security knowledge management platform for AWS - FND224 - AWS re:I...Building a security knowledge management platform for AWS - FND224 - AWS re:I...
Building a security knowledge management platform for AWS - FND224 - AWS re:I...Amazon Web Services
 
How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...Amazon Web Services
 
Threat Detection & Remediation Workshop
Threat Detection & Remediation WorkshopThreat Detection & Remediation Workshop
Threat Detection & Remediation WorkshopAmazon Web Services
 
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019 Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019 Amazon Web Services
 
Take action on your security & compliance alerts with AWS Security Hub - SEC2...
Take action on your security & compliance alerts with AWS Security Hub - SEC2...Take action on your security & compliance alerts with AWS Security Hub - SEC2...
Take action on your security & compliance alerts with AWS Security Hub - SEC2...Amazon Web Services
 
Find all the threats: AWS threat detection and mitigation - SEC302 - Santa Cl...
Find all the threats: AWS threat detection and mitigation - SEC302 - Santa Cl...Find all the threats: AWS threat detection and mitigation - SEC302 - Santa Cl...
Find all the threats: AWS threat detection and mitigation - SEC302 - Santa Cl...Amazon Web Services
 
Accelerated Threat Detection: Alert Logic and AWS - DEM02-R - AWS re:Inforce ...
Accelerated Threat Detection: Alert Logic and AWS - DEM02-R - AWS re:Inforce ...Accelerated Threat Detection: Alert Logic and AWS - DEM02-R - AWS re:Inforce ...
Accelerated Threat Detection: Alert Logic and AWS - DEM02-R - AWS re:Inforce ...Amazon Web Services
 
AWS Security Week: Threat Detection & Remediation Workshop
AWS Security Week: Threat Detection & Remediation WorkshopAWS Security Week: Threat Detection & Remediation Workshop
AWS Security Week: Threat Detection & Remediation WorkshopAmazon Web Services
 
In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...
In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...
In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...Amazon Web Services
 
DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019
DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019 DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019
DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019 Amazon Web Services
 
Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...
Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...
Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...Amazon Web Services
 
Threat detection and mitigation at AWS - SEC201 - New York AWS Summit
Threat detection and mitigation at AWS - SEC201 - New York AWS SummitThreat detection and mitigation at AWS - SEC201 - New York AWS Summit
Threat detection and mitigation at AWS - SEC201 - New York AWS SummitAmazon Web Services
 
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019 AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019 Amazon Web Services
 

Similaire à Scaling threat detection and response on AWS (20)

Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
 
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
 
Threat detection - SEC207 - New York AWS Summit
Threat detection - SEC207 - New York AWS SummitThreat detection - SEC207 - New York AWS Summit
Threat detection - SEC207 - New York AWS Summit
 
Find All the Threats: AWS Threat Detection and Remediation - SEC303 - Anaheim...
Find All the Threats: AWS Threat Detection and Remediation - SEC303 - Anaheim...Find All the Threats: AWS Threat Detection and Remediation - SEC303 - Anaheim...
Find All the Threats: AWS Threat Detection and Remediation - SEC303 - Anaheim...
 
Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2
 
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
 
Threat Detection and Remediation Workshop
Threat Detection and Remediation WorkshopThreat Detection and Remediation Workshop
Threat Detection and Remediation Workshop
 
Building a security knowledge management platform for AWS - FND224 - AWS re:I...
Building a security knowledge management platform for AWS - FND224 - AWS re:I...Building a security knowledge management platform for AWS - FND224 - AWS re:I...
Building a security knowledge management platform for AWS - FND224 - AWS re:I...
 
How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...
 
Threat Detection & Remediation Workshop
Threat Detection & Remediation WorkshopThreat Detection & Remediation Workshop
Threat Detection & Remediation Workshop
 
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019 Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
 
Take action on your security & compliance alerts with AWS Security Hub - SEC2...
Take action on your security & compliance alerts with AWS Security Hub - SEC2...Take action on your security & compliance alerts with AWS Security Hub - SEC2...
Take action on your security & compliance alerts with AWS Security Hub - SEC2...
 
Find all the threats: AWS threat detection and mitigation - SEC302 - Santa Cl...
Find all the threats: AWS threat detection and mitigation - SEC302 - Santa Cl...Find all the threats: AWS threat detection and mitigation - SEC302 - Santa Cl...
Find all the threats: AWS threat detection and mitigation - SEC302 - Santa Cl...
 
Accelerated Threat Detection: Alert Logic and AWS - DEM02-R - AWS re:Inforce ...
Accelerated Threat Detection: Alert Logic and AWS - DEM02-R - AWS re:Inforce ...Accelerated Threat Detection: Alert Logic and AWS - DEM02-R - AWS re:Inforce ...
Accelerated Threat Detection: Alert Logic and AWS - DEM02-R - AWS re:Inforce ...
 
AWS Security Week: Threat Detection & Remediation Workshop
AWS Security Week: Threat Detection & Remediation WorkshopAWS Security Week: Threat Detection & Remediation Workshop
AWS Security Week: Threat Detection & Remediation Workshop
 
In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...
In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...
In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...
 
DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019
DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019 DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019
DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019
 
Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...
Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...
Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...
 
Threat detection and mitigation at AWS - SEC201 - New York AWS Summit
Threat detection and mitigation at AWS - SEC201 - New York AWS SummitThreat detection and mitigation at AWS - SEC201 - New York AWS Summit
Threat detection and mitigation at AWS - SEC201 - New York AWS Summit
 
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019 AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
 

Plus de Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Plus de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Scaling threat detection and response on AWS

  • 1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Jesse Fuchs Security Solutions Architect Amazon Web Services February 2019 Scaling threat detection and response on AWS Floor28
  • 2. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Workshop Agenda • Intro • Module 1: Environment Build and Configuration (35 min) • Module 2: Attack simulation and presentation (30 min) • Module 3: Detect, investigate & respond (75 min) • Module 4: Review, discussion, and cleanup (15 min)
  • 3. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Verizon 2018 Data Breach Investigations Report https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf Data Breach Patterns
  • 4. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Workload Scenario What could possibly go wrong here?
  • 5. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 1 Environment Build and Configuration
  • 6. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 1 Agenda • Run the CloudFormation template (~5 min.) • Manual Setup Steps (~30 min.)
  • 7. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Environment Build and Configuration
  • 8. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. use us-west-2 https://awssecworkshops.com/ Directions (35 min): • Workshops (top navigation) • Scaling threat detection and response on AWS • Module 1: Environment Build (bottom right) • Run the AWS CloudFormation template • Complete manual setup steps Environment Build and Configuration
  • 9. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 2 Attack Simulation and Presentation
  • 10. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 2 Agenda • Run the CloudFormation template (~5 min.) • Threat detection and response presentation (~20 min.) • Environment walk-through (~10 min.)
  • 11. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Attack Simulation Build https://awssecworkshops.com/ Directions (5 min): • Workshops (top navigation) • Scaling threat detection and response on AWS • Module 1: Environment Build • Module 2: Attack Simulation (bottom right) • Run the AWS CloudFormation template • Stop and wait for presentation use us-west-2
  • 12. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection and Response
  • 13. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Why is threat detection so hard? Skills shortageSignal to noiseLarge datasets
  • 14. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Get humans away from the data and analysis AWS CISO Stephen Schmidt, at re:Invent 2017: “It's people who make mistakes, it's people who have good intentions but get phished, it's people who use the same credentials in multiple locations and don't use a hardware token for a multi-factor authentication… Get the humans away from the data.”
  • 15. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Detecting breaches https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
  • 16. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS CloudTrail AWS Config Rules Amazon CloudWatch Logs Amazon GuardDuty VPC Flow Logs Amazon Macie AWS Shield AWS WAF AWS Systems Manager Amazon Inspector VPC KMS AWS CloudHSM IAM AWS Organizations AWS Cognito AWS Directory Service AWS Single Sign-On Certificate Manager AWS Secrets Manager AWS Config Rules AWS Lambda AWS Systems Manager Amazon CloudWatch Events Protect RespondDetect RecoverIdentify AWS Lambda AWS DR and Backup Solutions AWS Systems Manager AWS Config AWS Security Solutions https://www.nist.gov/cyberframework
  • 17. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection Services
  • 18. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection: Log Data Inputs AWS CloudTrail VPC Flow Logs CloudWatch Logs DNS Logs Track user activity and API usage IP traffic to/from network interfaces in your VPC Monitor apps using log data, store & access log files Log of DNS queries in a VPC when using the VPC DNS resolver
  • 19. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection: Machine Learning Amazon GuardDuty Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads Amazon Macie Machine learning-powered security service to discover, classify & protect sensitive data
  • 20. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Introducing AWS Security Hub – In preview • Comprehensive view of your security and compliance state within AWS • Aggregates security findings generated by other AWS security services and partners • Analyze security trends and identify the highest-priority security issues Amazon Inspector Amazon GuardDuty Amazon Macie AWS Security Hub Security findings providers Findings Insights & Standards Other AWS Config Partner Solutions
  • 21. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Detection: Evocations/Triggers Amazon CloudWatch Events Delivers a near real-time stream of system events that describe changes in AWS resources AWS Config Continuously tracks your resource configuration changes and if they violate any of the conditions in your rules
  • 22. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon CloudWatch Events { "source": [ "aws.guardduty" ] } CloudWatch Event GuardDuty findings Lambda function Alert (e.g. Slack or PagerDuty) Automated response (e.g. Isolate instance) Send to SIEM (e.g. Splunk, QRader)
  • 23. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Response Services
  • 24. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threat Response Services AWS Systems Manager AWS Lambda Amazon Inspector Run code for virtually any kind of application or backend service – zero administration Gain operational insights and take action on AWS resources Automate security assessments of EC2 instances
  • 25. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. High-Level Playbook Adversary Your environment Lambda function CloudWatch Events
  • 26. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. High-Level Playbook Amazon CloudWatch Events AWS CloudTrail AWS Config AWS APIs Detection Alerting Remediation Countermeasures Forensics Team collaboration (Slack etc.) Amazon GuardDuty VPC Flow Logs Amazon Inspector AWS Step Functions AWS Security Hub
  • 27. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Environment Walkthrough
  • 28. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automated Responses Amazon CloudWatch Event Rule Macie finding triggers CloudWatch Event Rule CloudWatch Event Rule publishes to an SNS Topic CloudWatch Event Rule: threat-detection-wksp-macie-alert Amazon Macie Amazon SNS You CloudWatch Event Rule publishes to an SNS Topic
  • 29. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automated Responses Amazon DynamoDB CloudWatch Event Rule: threat-detection-wksp-macie-alert Input Transformer InputTransformer: InputTemplate: '"Amazon Macie Alert: <macdesc>"' InputPathsMap: macdesc: "$.detail.summary.Description" Event Pattern { "detail-type": [ "Macie Alert" ], "source": [ "aws.macie" ] }
  • 30. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automated Responses Amazon CloudWatch Event Rule GuardDuty IAM/EC2 finding triggers CloudWatch Event Rule CloudWatch Event Rule publishes to an SNS Topic CloudWatch Event Rule: Amazon GuardDuty Amazon SNS You CloudWatch Event Rule publishes to an SNS Topic threat-detection-wksp-guardduty-iam-finding threat-detection-wksp-guardduty-ec2-finding
  • 31. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automated Responses Amazon DynamoDB CloudWatch Event Rule: threat-detection-wksp-macie-alert Input Transformer InputTransformer: InputTemplate: ""Amazon GuardDuty Finding : <type>"nn"Account : <account>"n"Region : <region>"n"Description : <description>"n"Access Key ID : <accessKey>"n"User Type : <userType>"" InputPathsMap: type: "$.detail.type" description: "$.detail.description" account: "$.account" region: "$.region" accessKey: "$.detail.resource.accessKeyDetails.accessKeyId" userType: "$.detail.resource.accessKeyDetails.userType" Event Pattern { "detail-type": [ "GuardDuty Finding" ], "source": [ "aws.guardduty" ], "detail": { "resource": { "resourceType": [ "AccessKey" ] } } }
  • 32. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automated Responses CloudWatch Event Rule: threat-detection-wksp-guardduty-finding-ec2-maliciousip Amazon CloudWatch Event Rule GuardDuty EC2 malicious finding triggers CloudWatch Event Rule CloudWatch Event Rule triggers a Lambda function Amazon GuardDuty AWS Lambda Network Access Control List Function modifies a NACL Outbound Rule to Deny Destination IP
  • 33. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automated Responses CloudWatch Event Rule: threat-detection-wksp-guardduty-finding-sshbruteforce Amazon CloudWatch Event Rule GuardDuty SSH bruteforce finding triggers CloudWatch Event Rule Amazon GuardDuty CloudWatch Event Rule triggers a Lambda function AWS Lambda Network Access Control List Function modifies a NACL Inbound Rule to Deny Destination IP AWS Lambda Amazon EC2 Function adds a unique tag to the EC2 instance listed in the finding Function creates and initiates an Inspector scan Inspector scans EC2 instance
  • 34. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automated Responses CloudWatch Event Rule: threat-detection-wksp-guardduty-finding-sshbruteforce Event Pattern { "source": [ "aws.guardduty" ], "detail": { "type": [ "UnauthorizedAccess:EC2/SSHBruteForce" ] } }
  • 35. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Review Questions • How can you create custom rules for Config? • How do GuardDuty and Macie differ when it comes to CloudTrail analysis? • What services are important for the automation of responses? • What performance impact does GuardDuty have on your account if you have more then 100 VPCs? • Which of the services discussed have direct access to your EC2 Instances?
  • 36. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 3 Detection and Response
  • 37. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Detect and Respond https://awssecworkshops.com/ Directions (75 min): • Workshops (top navigation) • Scaling threat detection and response on AWS • Module 1: Environment Build • Module 2: Attack Simulation • Module 3: Detect & Respond (bottom right) • Part 1: Compromised AWS IAM Credential • Part 2: Compromised EC2 instance • Part 3: Compromised S3 Bucket use us-west-2
  • 38. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 4 Review, Discussion, & Cleanup
  • 39. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Module 4 Agenda • Review ( 5 min) • Questions ( 10 min) • Cleanup
  • 40. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Start Module 4 https://awssecworkshops.com/ Directions (45 min): • Workshops (top navigation) • Scaling threat detection and response on AWS • Module 1: Environment Build • Module 2: Attack Simulation • Module 3: Detect & Respond • Module 4: Discussion (bottom right) use us-west-2
  • 41. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. The Attack
  • 42. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What really happened?
  • 43. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Workshop Questions
  • 44. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 1 Why did the AWS API calls from the “malicious host” generate GuardDuty findings?
  • 45. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 2 How many unique AWS API calls were made from the “malicious host” and how did you identify them?
  • 46. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 3 The lab mentions you can ignore the high severity SSH brute force attack finding. Why can you ignore it and how is it different from the low severity brute force finding?
  • 47. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 4 When you revoke all sessions for the IAM Role you run the risk of affecting the availability of your application. What can you change in the remediation to mitigate this?
  • 48. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 4 "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "*" ], "Resource": [ "*" ], "Condition": { "DateLessThan": { "aws:TokenIssueTime": "2018-12-30T04:29:04.801Z" }, "StringEquals": { "aws:userId": ["AROAI47FH4JKLKEU4833D:i-06123456789098765"] } } } ]
  • 49. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 5 What control can you put in place to prevent someone from making a S3 bucket or object anonymously accessible?
  • 50. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 5 Block public access
  • 51. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 6 What type of server-side encryption was used to encrypt the objects in the data bucket? Would Macie be able to classify the objects if you were to use SSE-KMS?
  • 52. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Question 7 Macie had an alert for “S3 Bucket IAM policy grants global read rights.” We investigated that bucket in the workshop. Were the objects in the bucket actually publicly accessible? If the bucket had a policy that allowed for global read rights, would the encrypted objects be accessible?
  • 53. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cleanup
  • 54. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thank you! Floor28