AWS Meetup Nov 2015 - CloudTen Presentation
Copyright 2015 Cloudten Industries

Security Information & Event Management

• Centralised collection and management of security logs.
• Aggregates data from a wide variety of sources (firewalls, IDS, WAF, anti-virus etc.).
• Analyses and correlates events to provide statistical information and real-time monitoring.

• Threat detection (spotting an attack before it becomes an incident)
• Incident management (after the event)
• Auditing and reporting
• Compliance

• Hardware or virtual appliances
• Various licensing models:
  • EPS – events per second
  • FPM – flows per minute
  • Number of log sources
  • Log volume per day
• Various log collection methods:
  • Agent (log forwarders, probe connectors …)
  • Agentless (via SSH, syslog, Windows Event Collector)

Appliances / Software

• The basic premise is the same.
• Can be easier, cheaper and quicker to set up.
• It's just as (if not more) important.
• Potentially much greater "blast radius".

…aaaaand lost it in 2

• Make security "Job Zero".
• Don't make security an afterthought.
• Architect security into the foundations.

• AWS provides a number of really useful security tools and services "out of the box".
• Nearly all AWS services have APIs that integrate with the security services.
• This provides centralised inputs into either a custom-built SIEM or a 3rd-party solution.

• User accounts, groups and roles
• Create and map fine-grained access policies
• Provides authenticated and auditable access to all resources
• Federate to an external directory

• A web service that records the API calls made in your AWS account, whether they come from the console, the CLI, an SDK or another AWS service.
• E.g. changes to security groups, modifications to IAM permissions, etc.
• Delivers the log files to an S3 bucket that you own. Lock that bucket down (restrictive bucket policy, no public access) and turn on log file integrity validation so that tampering with delivered logs can be detected.
• One of the most important services from a SIEM and auditing perspective.

• Track and compare infrastructure changes over time
• The ability to restore environment configurations
• Able to snapshot an environment into CloudFormation templates in S3
• Integrates with CloudTrail

• Define rules for how resources must be configured (e.g. all EBS volumes must be encrypted).
• Monitors configuration changes and provides a dashboard to check compliance status.
• Makes it easy to see when and how a resource became non-compliant.
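The "all EBS volumes must be encrypted" rule above, written out as a custom AWS Config rule. This is an added example, not code from the slides or from Cloudten: the compliance decision is a pure function that runs offline, and `lambda_handler` wraps it in the shape AWS Config invokes (a JSON `invokingEvent` containing the configuration item, a `resultToken` to report back with). The sample configuration item is constructed, and the `kmsKeyId` rule parameter is an assumption of this example. AWS also ships a managed rule (`encrypted-volumes`) for this exact check; the custom version shows what such a rule does inside.

```python
"""Custom AWS Config rule: every EBS volume must be encrypted.

Added example, not from the original slides. The evaluation is a pure
function (runs offline) and lambda_handler wraps it in the shape AWS
Config invokes for a custom rule. The sample configuration item below
is constructed; the kmsKeyId rule parameter is this example's own.
"""
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def evaluate_volume(item, rule_parameters=None):
    """Judge one configuration item and return a PutEvaluations entry.

    Only AWS::EC2::Volume items are judged; anything else (or a deleted
    volume) is NOT_APPLICABLE so a widely scoped rule never produces a
    spurious finding. An optional kmsKeyId parameter tightens the check
    from "encrypted at all" to "encrypted with the approved key".
    """
    params = rule_parameters or {}
    resource_type, resource_id = item["resourceType"], item["resourceId"]
    if resource_type != "AWS::EC2::Volume":
        compliance, note = NOT_APPLICABLE, "rule only evaluates EBS volumes"
    elif item.get("configurationItemStatus") == "ResourceDeleted":
        compliance, note = NOT_APPLICABLE, "volume has been deleted"
    else:
        config = item.get("configuration") or {}
        if not config.get("encrypted", False):
            compliance, note = NON_COMPLIANT, "EBS volume is not encrypted"
        elif params.get("kmsKeyId") and config.get("kmsKeyId") != params["kmsKeyId"]:
            compliance, note = NON_COMPLIANT, "encrypted with an unapproved KMS key"
        else:
            compliance, note = COMPLIANT, "volume is encrypted"
    return {
        "ComplianceResourceType": resource_type,
        "ComplianceResourceId": resource_id,
        "ComplianceType": compliance,
        "Annotation": note,
        # ISO-8601 string; botocore accepts it for timestamp parameters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point AWS Config calls: invokingEvent and ruleParameters arrive
    as JSON strings, and the verdict goes back via PutEvaluations with the
    resultToken from the invocation."""
    invoking_event = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    evaluation = evaluate_volume(invoking_event["configurationItem"], params)
    import boto3  # imported here so the pure evaluation runs without the SDK
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample of what Config passes for an unencrypted volume.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::Volume",
    "resourceId": "vol-0123456789abcdef0",
    "configurationItemStatus": "ResourceDiscovered",
    "configurationItemCaptureTime": "2015-11-01T10:00:00.000Z",
    "configuration": {"volumeId": "vol-0123456789abcdef0", "encrypted": False},
}

if __name__ == "__main__":
    print(json.dumps(evaluate_volume(SAMPLE_ITEM), indent=2))
```

Keeping the verdict in `evaluate_volume` rather than inline in the handler is what makes the rule testable without an AWS account; the `NOT_APPLICABLE` branches matter because Config may invoke the function for resource types or deleted items you did not intend it to judge.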

• Not just basic performance metrics any more.
• Agent-based log collection from instances (the CloudWatch Logs agent).
• Metric filter pattern language that turns matching log events into metrics, which CloudWatch alarms can then act on.
• Ingests logs from CloudTrail (a trail can deliver its events to a CloudWatch Logs log group).

• Captures metadata about the IP traffic through the network interfaces in a VPC (source, destination, ports, protocol, packet and byte counts, but not packet payloads).
• Records rejected flows as well as accepted ones, so it doubles as the security group / network ACL "firewall log".
• Outputs to CloudWatch Logs.
• "Free" as a feature, but the CloudWatch Logs ingestion and storage of the flow data is charged.
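What "logs dropped packets" looks like in practice, as an added example that is not part of the original slides: a parser for the default (version 2) VPC Flow Log record format that CloudWatch Logs receives, and a detection over the REJECT records that surfaces a source hitting many distinct ports (a scan bouncing off a security group or network ACL). The log lines are constructed; the account ID, interface ID and addresses are placeholders.

```python
"""Parse VPC Flow Log records and pick out rejected-traffic patterns.

Added example, not from the original slides. Records follow the default
(version 2) flow log format that VPC Flow Logs delivers to CloudWatch
Logs: 14 space-separated fields. The log lines below are constructed;
account, interface and IP addresses are placeholders.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_flow_record(line: str) -> Optional[dict]:
    """Parse one default-format line into a dict.

    Returns None for NODATA / SKIPDATA records (the traffic fields are all
    '-') and for lines with the wrong field count, so one bad record never
    aborts a batch.
    """
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def rejected_by_source(records: Iterable[dict]) -> Dict[str, dict]:
    """Group REJECT records by source address. REJECT means a security group
    or network ACL dropped the flow: this is the VPC's firewall log."""
    summary: Dict[str, dict] = defaultdict(lambda: {"targets": set(), "packets": 0})
    for rec in records:
        if rec["action"] != "REJECT":
            continue
        entry = summary[rec["srcaddr"]]
        entry["targets"].add((rec["dstaddr"], rec["dstport"]))
        entry["packets"] += rec["packets"]
    return summary


def detect_port_scans(lines: Iterable[str], min_ports: int = 5) -> List[dict]:
    """Return sources whose rejected flows touched at least min_ports distinct
    destination ports (the signature of a scan bouncing off the SG/NACL),
    most ports first."""
    records = [r for r in map(parse_flow_record, lines) if r]
    findings = []
    for src, entry in rejected_by_source(records).items():
        ports = {port for _, port in entry["targets"]}
        if len(ports) >= min_ports:
            findings.append({"srcaddr": src, "distinct_ports": len(ports),
                             "packets": entry["packets"]})
    return sorted(findings, key=lambda f: -f["distinct_ports"])


# Constructed sample: one accepted SSH session, one scanner sweeping six
# ports and being rejected, one lone rejected MySQL attempt, one NODATA record.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1447330010 1447330070 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 172.31.16.21 54321 22 6 1 44 1447330010 1447330070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 172.31.16.21 54322 23 6 1 44 1447330010 1447330070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 172.31.16.21 54323 80 6 1 44 1447330010 1447330070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 172.31.16.21 54324 443 6 1 44 1447330010 1447330070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 172.31.16.21 54325 3389 6 1 44 1447330010 1447330070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 172.31.16.21 54326 8080 6 1 44 1447330010 1447330070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.9 172.31.16.21 40000 3306 6 3 132 1447330010 1447330070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1447330010 1447330070 - NODATA",
]

if __name__ == "__main__":
    for finding in detect_port_scans(SAMPLE_LINES):
        print(finding)
```

Flow logs are aggregated over a capture window (several minutes), so the counts are per window rather than per packet; the threshold is deliberately on distinct destination ports rather than packets, because a single noisy retry against one closed port is not a scan.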

• Can block malicious HTTP/S requests according to rules you define.
• Attaches to CloudFront distributions, so it sits in front of your content at the edge.
• Generates CloudWatch metrics (allowed and blocked request counts) that alarms can be built on.

Example CloudTrail record (one entry from a CloudTrail log file):

{
  "Records": [
    {
      "eventVersion": "1.0",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "EXAMPLE_PRINCIPAL_ID",
        "arn": "arn:aws:iam::123456789012:user/Jeff",
        "accountId": "123456789012",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Jeff",
        "sessionContext": {
          "attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "2015-08-25T04:04:11Z"
          }
        }
      },
      "eventTime": "2015-08-25T04:12:22Z",
      "eventSource": "iam.amazonaws.com",
      "eventName": "AddUserToGroup",
      "awsRegion": "ap-southeast-2",
      "sourceIPAddress": "127.0.0.1",
      "userAgent": "AWSConsole",
      "requestParameters": {
        "userName": "Bob",
        "groupName": "admin"
      },
      "responseElements": null
    }
  ]
}
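Detection over records like the one above, as an added example that is not part of the original slides or of any vendor's product. It serves both the CloudWatch Logs slide (the metric filter pattern language) and this CloudTrail record: each rule is written twice with the same logic, once as a Python predicate run here over parsed CloudTrail JSON (the custom-SIEM path), and once as the JSON filter pattern you would hand CloudWatch Logs once the trail delivers to a log group (the metric-filter alarm path). The sample records are constructed; the first reproduces the slide's AddUserToGroup event, the others and the group names `admin`/`Administrators` are this example's own assumptions.

```python
"""Detection rules over CloudTrail records, each paired with the matching
CloudWatch Logs metric filter pattern.

Added example, not from the original slides. Every rule is the same test
in two forms: a Python predicate run here over parsed CloudTrail JSON,
and the JSON filter pattern for a CloudWatch Logs metric filter. Sample
records are constructed; the first is the AddUserToGroup event from the
slide, and the admin group names are placeholders.
"""
import json
from typing import Callable, List, NamedTuple


class Rule(NamedTuple):
    name: str
    severity: str
    predicate: Callable[[dict], bool]
    filter_pattern: str  # same test, in CloudWatch Logs metric filter syntax


def mfa_used(rec: dict) -> bool:
    # CloudTrail stores this flag as the string "true"/"false", not a boolean
    attrs = rec.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


ADMIN_GROUPS = {"admin", "Administrators"}  # placeholder names for this example

RULES = [
    Rule("iam-user-added-to-admin-group", "high",
         lambda r: r.get("eventSource") == "iam.amazonaws.com"
         and r.get("eventName") == "AddUserToGroup"
         and (r.get("requestParameters") or {}).get("groupName") in ADMIN_GROUPS,
         '{ ($.eventSource = "iam.amazonaws.com") && ($.eventName = "AddUserToGroup") '
         '&& ($.requestParameters.groupName = "admin") }'),
    Rule("iam-change-by-user-without-mfa", "medium",
         lambda r: r.get("eventSource") == "iam.amazonaws.com"
         and r.get("userIdentity", {}).get("type") == "IAMUser"
         and not mfa_used(r),
         '{ ($.eventSource = "iam.amazonaws.com") && ($.userIdentity.type = "IAMUser") '
         '&& ($.userIdentity.sessionContext.attributes.mfaAuthenticated != "true") }'),
    Rule("cloudtrail-logging-tampered", "critical",
         lambda r: r.get("eventSource") == "cloudtrail.amazonaws.com"
         and r.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"},
         '{ ($.eventSource = "cloudtrail.amazonaws.com") && (($.eventName = "StopLogging") '
         '|| ($.eventName = "DeleteTrail") || ($.eventName = "UpdateTrail")) }'),
]


def load_records(cloudtrail_json: str) -> List[dict]:
    """A CloudTrail log file is {"Records": [...]}, one element per API call."""
    return json.loads(cloudtrail_json)["Records"]


def evaluate(records: List[dict]) -> List[dict]:
    """Run every rule over every record and return one finding per match,
    keeping the fields an analyst pivots on: who, from where, when, what."""
    findings = []
    for rec in records:
        for rule in RULES:
            if rule.predicate(rec):
                findings.append({
                    "rule": rule.name,
                    "severity": rule.severity,
                    "eventTime": rec.get("eventTime"),
                    "eventName": rec.get("eventName"),
                    "actor": rec.get("userIdentity", {}).get("arn"),
                    "sourceIPAddress": rec.get("sourceIPAddress"),
                })
    return findings


def _record(**fields) -> dict:
    """Constructed CloudTrail record with the common envelope fields filled in."""
    base = {"eventVersion": "1.0", "awsRegion": "ap-southeast-2",
            "sourceIPAddress": "127.0.0.1", "userAgent": "AWSConsole",
            "responseElements": None}
    base.update(fields)
    return base


def _identity(user: str, mfa: str) -> dict:
    return {"type": "IAMUser", "accountId": "123456789012",
            "arn": "arn:aws:iam::123456789012:user/" + user, "userName": user,
            "sessionContext": {"attributes": {"mfaAuthenticated": mfa}}}


SAMPLE_LOG = json.dumps({"Records": [
    # the slide's record: Jeff adds Bob to "admin" from a session without MFA
    _record(userIdentity=_identity("Jeff", "false"), eventTime="2015-08-25T04:12:22Z",
            eventSource="iam.amazonaws.com", eventName="AddUserToGroup",
            requestParameters={"userName": "Bob", "groupName": "admin"}),
    # constructed: the same user then switches the trail off
    _record(userIdentity=_identity("Jeff", "false"), eventTime="2015-08-25T04:15:02Z",
            eventSource="cloudtrail.amazonaws.com", eventName="StopLogging",
            requestParameters={"name": "main-trail"}),
    # constructed: a routine read from an MFA session, which must not fire
    _record(userIdentity=_identity("Ops", "true"), eventTime="2015-08-25T04:20:00Z",
            eventSource="ec2.amazonaws.com", eventName="DescribeInstances",
            requestParameters=None),
]})

if __name__ == "__main__":
    for finding in evaluate(load_records(SAMPLE_LOG)):
        print(json.dumps(finding))
```

The `filter_pattern` strings are what you pass to `aws logs put-metric-filter --filter-pattern` against the log group the trail delivers to, with a metric transformation that emits 1 per match and a CloudWatch alarm on that metric. The Python predicate for the first rule is slightly broader than its filter pattern (a set of group names rather than one literal), which is the usual trade-off: the in-process rule can carry richer logic, the metric filter is cheaper and fires without any code of yours running.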

• You have all the logs, but what do you do with them?
• CloudWatch/Logs is good … but
• There are a number of specialist log management vendors who have adapted their products to work as a SIEM.
• They provide compliance, auditing and proactive monitoring capabilities.

Collect & Aggregate
• Many and varied sources
• Across environments
• Safe, secure & fast

Visualize & Alert
• Real-time dashboards
• Proactive alerting
• Out-of-the-box apps

Investigate & Take Action
• Search and troubleshoot
• Identify unknowns
• Analyze, triage and isolate

Monitor & Optimize
• Detect anomalies
• Predict and preempt issues
• Streamline and improve processes

• Security is a full-time job.
• Many companies don't have the time/resources to keep on top of everything.
• Skilled security resources are expensive.
• Many high-profile organisations choose to outsource SIEM responsibilities.

• Security-focused AWS consulting partner
• AWS Certified to the highest level
• Consulting/Managed Services
• Come and talk to us!
