Jack Naglieri | Founder & CEO | jack.naglieri@runpanther.io
Detecting S3 Breaches with Panther
2. Detecting S3 Breaches | Panther
Your Host
● Originally from D.C. area, now based in SF
● Ex Security Engineer/Manager at Yahoo & Airbnb
● Co-creator and core developer of StreamAlert
Jack Naglieri
Monitor access to your S3 buckets
Understand your S3 security posture
Search your catalog of S3 data
Goals
Organizations struggle to implement proper cloud security: more than 33 billion records were exposed in 2018 and 2019.
Our mission is to stop security breaches by
providing cloud-scale visibility
Monitoring Options
CloudTrail records AWS API calls. By default it captures management events (bucket creation, policy and ACL changes); object-level S3 data events such as GetObject and PutObject must be enabled separately and are billed per event.
S3 Server Access Logs provide a more detailed, web-style log line for every request to our buckets and objects, delivered to a target bucket that we choose.
Monitoring Options
CloudTrail
Pros:
● Low latency (about 15 minutes)
● Lower overhead to configure
● Flexible on monitoring buckets/prefixes
Cons:
● Pay for data events plus S3 storage cost
S3 Server Access Logs
Pros:
● Only pay S3 storage cost
● Fields for HTTP referer, total request time, object size
● Track auth failures and lifecycle transitions
Cons:
● Higher latency (1+ hours)
● Requires per-bucket configuration
S3 Server Access Log Configuration (diagram): within a single AWS Region, the source buckets bucket-1 and bucket-2 each deliver their log files to one central access-logs bucket, separated by target prefix (e.g. bucket-1/2019-12-31-03-21-21.txt and bucket-2/2019-12-31-03-21-21.txt). The target bucket must be in the same Region as the source buckets, and should not be a source bucket itself, because logging a bucket into itself produces log entries for the log writes.
What do we need to know?
1. Who accessed our bucket?
2. What data was accessed?
3. When did they access it?
What should we monitor?
1. Model our “known-good” traffic flows and alert on anything outside them
2. Find insecure (unencrypted or anonymous) access to buckets
3. Flag access errors on buckets, since repeated denials often precede a breach
Open source rules: bit.ly/panther-s3-rules
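To make the three questions and the three monitors concrete, here is an added example (it is not Panther's open-source rule code from the link above). It parses the S3 server access log format as documented by AWS and runs three rules over constructed sample lines: an unknown-requester rule driven by a known-good allowlist, an insecure-access rule keyed on the cipher suite field, and an access-error rule. The bucket name, owner ID, IP addresses, requester ARNs and the KNOWN_GOOD table are all invented for the example.

```python
"""Detections over S3 server access log lines.

Added example, not Panther's rule code. The field order follows the AWS
documentation for the server access log format; the sample lines, bucket,
owner ID, IPs, requester ARNs and KNOWN_GOOD are constructed for this example.
"""
import re
from datetime import datetime

# Field order of the S3 server access log format, per AWS documentation.
# Newer fields are appended at the end, so older lines are simply shorter.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time", "referer",
    "user_agent", "version_id", "host_id", "signature_version", "cipher_suite",
    "authentication_type", "host_header", "tls_version",
]

# A token is a [bracketed timestamp], a "quoted string", or a run of non-space.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def parse_line(line):
    """Parse one log line into a dict; a bare "-" field becomes None."""
    tokens = [t.strip('[]"') for t in TOKEN.findall(line)]
    if len(tokens) < 18:  # the original format had 18 fields
        raise ValueError("not an S3 server access log line")
    event = {name: (None if val == "-" else val) for name, val in zip(FIELDS, tokens)}
    event["time"] = datetime.strptime(event["time"], "%d/%b/%Y:%H:%M:%S %z")
    event["http_status"] = int(event["http_status"])
    return event


def describe(event):
    """Who accessed what, and when: the three questions above."""
    who = event["requester"] or "anonymous"
    what = "s3://%s/%s" % (event["bucket"], event["key"] or "")
    return "%s %s %s from %s" % (event["time"].isoformat(), who, what, event["remote_ip"])


# Constructed allowlist: requester ARN -> buckets that principal is expected to touch.
KNOWN_GOOD = {
    "arn:aws:sts::123456789012:assumed-role/app-reader/i-0abc": {"payments-data"},
}


def rule_unknown_requester(event):
    """Known-good modelling: anonymous or unexpected principals on this bucket alert."""
    return event["bucket"] not in KNOWN_GOOD.get(event["requester"], set())


def rule_insecure_access(event):
    """Plain-HTTP requests log "-" (None here) for the cipher suite. Lines that
    predate the cipher_suite field cannot be classified and do not alert."""
    return "cipher_suite" in event and event["cipher_suite"] is None


def rule_access_error(event):
    """Denied or unauthenticated requests."""
    return event["http_status"] in (401, 403) or event["error_code"] == "AccessDenied"


RULES = [
    ("unknown_requester", rule_unknown_requester),
    ("insecure_access", rule_insecure_access),
    ("access_error", rule_access_error),
]


def run_rules(lines):
    """Return (rule_name, request_id) for every rule that fires on every line."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        for name, rule in RULES:
            if rule(event):
                alerts.append((name, event["request_id"]))
    return alerts


# Constructed sample lines (24 fields each, i.e. the format including tls_version).
SAMPLE_LINES = [
    # Expected reader over TLS, succeeds: no alert.
    '79a59df9EXAMPLE payments-data [31/Dec/2019:03:21:21 +0000] 10.0.1.25 arn:aws:sts::123456789012:assumed-role/app-reader/i-0abc REQ1EXAMPLE REST.GET.OBJECT invoices/2019-12.csv "GET /payments-data/invoices/2019-12.csv HTTP/1.1" 200 - 4096 4096 12 9 "-" "aws-sdk-go/1.25.0" - hostidEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader payments-data.s3.us-east-1.amazonaws.com TLSv1.2',
    # Anonymous read over plain HTTP: unknown_requester and insecure_access.
    '79a59df9EXAMPLE payments-data [31/Dec/2019:03:22:02 +0000] 198.51.100.7 - REQ2EXAMPLE REST.GET.OBJECT invoices/2019-12.csv "GET /payments-data/invoices/2019-12.csv HTTP/1.1" 200 - 4096 4096 30 25 "-" "curl/7.64.1" - hostidEXAMPLE= - - - payments-data.s3.amazonaws.com -',
    # Principal from another account is denied: unknown_requester and access_error.
    '79a59df9EXAMPLE payments-data [31/Dec/2019:03:25:40 +0000] 203.0.113.9 arn:aws:iam::999999999999:user/contractor REQ3EXAMPLE REST.GET.OBJECT invoices/2019-12.csv "GET /payments-data/invoices/2019-12.csv HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "aws-cli/1.16.300" - hostidEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader payments-data.s3.us-east-1.amazonaws.com TLSv1.2',
]

if __name__ == "__main__":
    for rule_name, request_id in run_rules(SAMPLE_LINES):
        print(rule_name, request_id)
    for sample in SAMPLE_LINES:
        print(describe(parse_line(sample)))
```

The allowlist is keyed on the requester ARN because the bucket owner ID and source IP are the fields attackers most easily share with legitimate traffic; in practice the known-good model would be built from a baseline period of these same logs rather than typed in by hand.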
Open Source Policies
Bucket Encryption: secure data at rest with SSE-S3 (AES256) or SSE-KMS
MFA Delete: require multi-factor authentication before object versions can be deleted
Bucket Logging: record all traffic in and out of the bucket
Public Access Blocks: prevent buckets from becoming publicly accessible through ACLs or policies
Public Read or Write ACLs: detect buckets whose ACLs grant access to AllUsers or AuthenticatedUsers
Bucket Versioning: keep prior versions of objects so overwrites and deletes can be recovered
Secure Access: enforce encrypted (TLS) connections with a bucket policy that denies requests where aws:SecureTransport is false
bit.ly/panther-s3-policies
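As an added example of what the seven policies above check, here is a stand-alone evaluator (not Panther's policy code from the link above) that runs each check against a bucket snapshot and lists the ones that fail. The snapshot is a plain dict shaped like the boto3 get_bucket_* responses; its field names, the bucket names and the sample bucket policy are assumptions made for this example, not Panther's resource schema. Each check returns True when the bucket is compliant, which is the convention Panther policies use.

```python
"""Posture checks for an S3 bucket snapshot.

Added example, not Panther's policy code. The snapshot shape mirrors the boto3
get_bucket_* responses; field names and sample buckets are this example's own.
Each check returns True when the bucket is compliant.
"""
import json

# ACL grantee URIs that make a bucket readable or writable by the world / any AWS user.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def bucket_encryption(bucket):
    """Default encryption is SSE-S3 (AES256) or SSE-KMS (aws:kms)."""
    rules = bucket.get("Encryption", {}).get("Rules", [])
    return any(
        rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") in ("AES256", "aws:kms")
        for rule in rules
    )


def mfa_delete(bucket):
    return bucket.get("Versioning", {}).get("MFADelete") == "Enabled"


def bucket_versioning(bucket):
    return bucket.get("Versioning", {}).get("Status") == "Enabled"


def bucket_logging(bucket):
    target = bucket.get("Logging", {}).get("LoggingEnabled", {}).get("TargetBucket")
    # Logging a bucket into itself creates log entries for the log writes themselves.
    return bool(target) and target != bucket["Name"]


def public_access_block(bucket):
    cfg = bucket.get("PublicAccessBlock", {})
    return all(cfg.get(key) is True for key in PUBLIC_ACCESS_BLOCK_KEYS)


def public_acls(bucket):
    """Compliant when no ACL grant targets AllUsers or AuthenticatedUsers."""
    grants = bucket.get("Acl", {}).get("Grants", [])
    return not any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in grants)


def secure_access(bucket):
    """Compliant when the bucket policy denies every principal whenever
    aws:SecureTransport is false, i.e. rejects plaintext HTTP."""
    policy = bucket.get("Policy")
    if not policy:
        return False
    for stmt in json.loads(policy).get("Statement", []):
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if (stmt.get("Effect") == "Deny"
                and stmt.get("Principal") in ("*", {"AWS": "*"})
                and str(flag).lower() == "false"):
            return True
    return False


CHECKS = {
    "Bucket Encryption": bucket_encryption,
    "MFA Delete": mfa_delete,
    "Bucket Logging": bucket_logging,
    "Public Access Blocks": public_access_block,
    "Public Read or Write ACLs": public_acls,
    "Bucket Versioning": bucket_versioning,
    "Secure Access": secure_access,
}


def failing_checks(bucket):
    """Names of the checks the bucket fails, in CHECKS order."""
    return [name for name, check in CHECKS.items() if not check(bucket)]


# Constructed snapshots: one bucket with nothing configured, one with everything.
WEAK_BUCKET = {
    "Name": "payments-data",
    "Versioning": {"Status": "Suspended"},
    "PublicAccessBlock": {key: False for key in PUBLIC_ACCESS_BLOCK_KEYS},
    "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
}
HARDENED_BUCKET = {
    "Name": "payments-data",
    "Encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/payments"}}]},
    "Versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
    "Logging": {"LoggingEnabled": {"TargetBucket": "access-logs", "TargetPrefix": "payments-data/"}},
    "PublicAccessBlock": {key: True for key in PUBLIC_ACCESS_BLOCK_KEYS},
    "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "79a59df9EXAMPLE"}, "Permission": "FULL_CONTROL"}]},
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::payments-data", "arn:aws:s3:::payments-data/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }),
}

if __name__ == "__main__":
    print("weak bucket fails:", failing_checks(WEAK_BUCKET))
    print("hardened bucket fails:", failing_checks(HARDENED_BUCKET))
```

The Secure Access check insists on Effect Deny with Principal "*": an Allow statement conditioned on aws:SecureTransport being true does not reject plaintext requests that are permitted by some other statement, which is the mistake this check is meant to catch.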
Use S3 Server Access Logs for lower cost at very high scale.
Use CloudTrail for lower latency/overhead and easy centralization of data.
Ensure your buckets have encryption, logging, no public access, etc.
Turn on logging as soon as possible: neither source records requests made before it was enabled.
Recap!
1. Panther provides visibility into your S3 traffic at scale
2. Python-based rules and policies detect threats/vulns
3. Alerts notify your team to investigate
4. All data can be queried with SQL
Subscription Tiers
SaaS
Real-Time Log Analysis
Cloud Security and Remediation
Real-Time Alerting
Historical Search of Log Data
Powerful User Interface
200+ pre-built Rules and Policies
—Get Started—
Data Explorer
SaaS Data
Role-Based Access Control
Higher-Scale
24 x 7 Support & Live Chat
150+ Premium Analysis Packs
—Contact Us—
Fully hosted platform
Community
github.com/panther-labs/panther