SIEM in the AWS Cloud
An overview of Security Incident & Event Management tools in AWS, and how to integrate AWS' core security services (IAM, CloudTrail, Config, CloudWatch/Logs and the new VPC Flow Logs) into a SIEM solution.
Slide 3. Copyright 2015 Cloudten Industries
• Centralised collection and management of security logs.
• Aggregates data from a wide variety of sources (firewalls, IDS, WAF, anti-virus etc).
• Analyses and correlates events to provide statistical information and real-time monitoring.
Slide 5
• Threat Detection (before an event)
• Incident Management (post event)
• Auditing and Reporting
• Compliance
Slide 6
• Hardware or virtual appliances
• Various licensing models:
  • EPS – Events Per Second
  • FPM – Flows Per Minute
  • Number of log sources
  • Log size per day
• Various log collection methods:
  • Agent (log forwarders, probe connectors …)
  • Agentless (via SSH, syslog, Windows Event Collector)
Slide 8
• The basic premise is the same.
• Can be easier, cheaper and quicker to set up.
• It’s just as (if not more) important.
• Potentially much greater “blast radius”.
Slide 11
• Make security “Job Zero”.
• Don’t make security an afterthought.
• Architect security into the foundations.
Slide 12
• AWS provide a number of really useful security tools and services “out of the box”.
• Nearly all AWS services have APIs that integrate with the security services.
• This provides centralised inputs into either a custom-built SIEM or a 3rd-party solution.
Slide 13
• User accounts, groups and roles
• Create and map fine-grained access policies
• Provides authenticated and auditable access to all resources.
• Federate to an external directory
Slide 14
• A web service that records all kinds of API calls made by AWS resources.
• E.g. changes to security groups, modifying IAM permissions etc.
• Stores logs in a secure S3 bucket.
• One of the most important services from a SIEM and auditing perspective.
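As an added example (not from the deck), here is what a SIEM collector does with a CloudTrail delivery: it decompresses a log file the way it sits in S3, pulls out the records, summarises who did what from where, and flags the kinds of calls the slide names (security group and IAM changes). The sample records, account id, names and IPs are constructed, and the list of "sensitive" event-name prefixes is this example's own choice, not an AWS-defined list.

```python
import gzip
import io
import json

# Constructed sample, shaped like the document CloudTrail delivers to S3: one
# gzip-compressed JSON object of the form {"Records": [...]}. Field names follow
# the CloudTrail record format; account, names, IPs and parameters are made up
# (requestParameters is simplified).
SAMPLE_LOG = {
    "Records": [
        {"eventVersion": "1.03", "eventTime": "2015-06-01T09:15:22Z",
         "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
         "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "IAMUser", "userName": "alice"}},
        {"eventVersion": "1.03", "eventTime": "2015-06-01T09:16:05Z",
         "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
         "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "IAMUser", "userName": "alice"},
         "requestParameters": {"groupId": "sg-0123abcd", "cidrIp": "0.0.0.0/0",
                               "fromPort": 22, "toPort": 22}},
        {"eventVersion": "1.03", "eventTime": "2015-06-01T09:20:41Z",
         "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
         "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
         "userIdentity": {"type": "IAMUser", "userName": "bob"},
         "requestParameters": {"userName": "bob",
                               "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
        {"eventVersion": "1.03", "eventTime": "2015-06-01T09:21:00Z",
         "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
         "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
         "userIdentity": {"type": "AssumedRole",
                          "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"}},
    ]
}

# Event-name prefixes that change security posture, per event source. This is
# the example's own starting list, not an AWS taxonomy; extend it to taste.
SENSITIVE_PREFIXES = {
    "ec2.amazonaws.com": ("AuthorizeSecurityGroup", "RevokeSecurityGroup",
                          "CreateSecurityGroup", "DeleteSecurityGroup"),
    "iam.amazonaws.com": ("Attach", "Detach", "Put", "Delete", "Create", "Update"),
}


def build_gzipped_log(document):
    """Serialise a record document the way it is stored in S3: JSON, gzip-compressed."""
    return gzip.compress(json.dumps(document).encode("utf-8"))


def load_records(gz_bytes):
    """Decompress one delivered log file and return its list of records."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        return json.load(fh)["Records"]


def actor(record):
    """Best human-readable identity: user name, else role ARN, else identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def is_sensitive(record):
    prefixes = SENSITIVE_PREFIXES.get(record.get("eventSource"), ())
    return record.get("eventName", "").startswith(prefixes)


def triage(gz_bytes):
    """Return (summary, alerts): call counts per (actor, source IP) and the
    sensitive events, each with the parameters an analyst needs to judge it."""
    summary, alerts = {}, []
    for rec in load_records(gz_bytes):
        key = (actor(rec), rec["sourceIPAddress"])
        summary[key] = summary.get(key, 0) + 1
        if is_sensitive(rec):
            alerts.append({"time": rec["eventTime"], "actor": actor(rec),
                           "ip": rec["sourceIPAddress"], "event": rec["eventName"],
                           "params": rec.get("requestParameters", {})})
    return summary, alerts


if __name__ == "__main__":
    counts, found = triage(build_gzipped_log(SAMPLE_LOG))
    for (who, ip), n in sorted(counts.items()):
        print("%-50s %-15s %d calls" % (who, ip, n))
    for alert in found:
        print("ALERT %(time)s %(actor)s from %(ip)s: %(event)s %(params)s" % alert)
```

A real collector would list the bucket prefix for the account, region and date, fetch each object and run the same triage per file; the flagged events are what you would forward to the SIEM as high-priority, with the raw record kept for audit.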
Slide 15
• Track and compare infrastructure changes over time
• The ability to restore environment configurations
• Able to snapshot an environment into CloudFormation templates in S3
• Integrates with CloudTrail
Slide 16
• Define rules for how resources are created (e.g. all EBS volumes must be encrypted)
• Can monitor config changes and provide a dashboard to check compliance status
• Makes it easy to see when and how a resource became non-compliant.
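An added example (not from the deck, nor AWS Config's own code) of the two ideas on the last two slides: evaluating the rule "all EBS volumes must be encrypted" the way a custom Config rule reports a verdict per resource, and diffing two snapshots of the environment taken at different times to show which resources changed compliance state, appeared or disappeared. The snapshots are constructed to look like the Volumes list that describe-volumes returns; the volume ids, zones and tags are made up.

```python
COMPLIANT, NON_COMPLIANT, ABSENT = "COMPLIANT", "NON_COMPLIANT", "ABSENT"

# Constructed snapshots shaped like the "Volumes" list ec2 describe-volumes
# returns (ids, zones and tags are made up). SNAPSHOT_T1 is the same
# environment a day later: one unencrypted volume gone, two new ones created.
SNAPSHOT_T0 = [
    {"VolumeId": "vol-0a1b2c3d", "Encrypted": True, "State": "in-use",
     "AvailabilityZone": "ap-southeast-2a", "Tags": [{"Key": "env", "Value": "prod"}]},
    {"VolumeId": "vol-0e4f5a6b", "Encrypted": False, "State": "in-use",
     "AvailabilityZone": "ap-southeast-2a", "Tags": [{"Key": "env", "Value": "prod"}]},
    {"VolumeId": "vol-0c7d8e9f", "Encrypted": False, "State": "available",
     "AvailabilityZone": "ap-southeast-2b", "Tags": [{"Key": "env", "Value": "dev"}]},
]
SNAPSHOT_T1 = [
    {"VolumeId": "vol-0a1b2c3d", "Encrypted": True, "State": "in-use",
     "AvailabilityZone": "ap-southeast-2a", "Tags": [{"Key": "env", "Value": "prod"}]},
    {"VolumeId": "vol-0c7d8e9f", "Encrypted": False, "State": "available",
     "AvailabilityZone": "ap-southeast-2b", "Tags": [{"Key": "env", "Value": "dev"}]},
    {"VolumeId": "vol-0b9c8d7e", "Encrypted": True, "State": "in-use",
     "AvailabilityZone": "ap-southeast-2a", "Tags": [{"Key": "env", "Value": "prod"}]},
    {"VolumeId": "vol-0d1e2f3a", "Encrypted": False, "State": "in-use",
     "AvailabilityZone": "ap-southeast-2c", "Tags": [{"Key": "env", "Value": "prod"}]},
]


def tag(volume, key):
    for t in volume.get("Tags", []):
        if t["Key"] == key:
            return t["Value"]
    return None


def evaluate_volume(volume):
    """Verdict for one volume, in the shape a custom Config rule reports:
    a compliance type plus an annotation saying why."""
    if volume.get("Encrypted") is True:
        return {"compliance": COMPLIANT, "annotation": "volume is encrypted"}
    return {"compliance": NON_COMPLIANT,
            "annotation": "volume is not encrypted (state=%s, az=%s, env=%s)" % (
                volume.get("State"), volume.get("AvailabilityZone"), tag(volume, "env"))}


def evaluate_all(volumes):
    return {v["VolumeId"]: evaluate_volume(v) for v in volumes}


def compliance_summary(volumes):
    """Dashboard-style counts per compliance state."""
    counts = {COMPLIANT: 0, NON_COMPLIANT: 0}
    for verdict in evaluate_all(volumes).values():
        counts[verdict["compliance"]] += 1
    return counts


def compliance_changes(before, after):
    """Diff two snapshots: (volume id, old state, new state) for every resource
    whose verdict changed, including resources that appeared or disappeared."""
    old_verdicts, new_verdicts = evaluate_all(before), evaluate_all(after)
    changes = []
    for vid in sorted(set(old_verdicts) | set(new_verdicts)):
        old = old_verdicts[vid]["compliance"] if vid in old_verdicts else ABSENT
        new = new_verdicts[vid]["compliance"] if vid in new_verdicts else ABSENT
        if old != new:
            changes.append((vid, old, new))
    return changes


if __name__ == "__main__":
    print("T0:", compliance_summary(SNAPSHOT_T0), " T1:", compliance_summary(SNAPSHOT_T1))
    for vid, old, new in compliance_changes(SNAPSHOT_T0, SNAPSHOT_T1):
        print("%s: %s -> %s" % (vid, old, new))
    for vid, verdict in evaluate_all(SNAPSHOT_T1).items():
        if verdict["compliance"] == NON_COMPLIANT:
            print("%s: %s" % (vid, verdict["annotation"]))
```

The change list is the piece that answers "when and how did this become non-compliant": join it with the CloudTrail record whose eventTime falls between the two snapshots (CreateVolume for the new unencrypted volume here) and you have the who and the how alongside the what.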
Slide 17
• Not just basic performance metrics anymore
• Agent-based log collection
• Filtering language to monitor and alert
• Ingests logs from CloudTrail
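The "filtering language" on this slide is the CloudWatch Logs metric filter pattern syntax, which for JSON events looks like `{ $.eventName = "ConsoleLogin" && $.responseElements.ConsoleLogin = "Failure" }`. The following is an added example, written for this page and not AWS code: a small matcher for a subset of that syntax (dotted `$.` selectors, quoted strings with `*` wildcards, `=`, `!=`, `&&`, `||` and parentheses) run over constructed CloudTrail-shaped events, returning the count a metric filter would emit and an alarm would be set on. The events, names and addresses are made up, and treating `!=` as plain negation is this example's simplification.

```python
import re

# Constructed sample events in CloudTrail record shape (what CloudWatch Logs sees
# once a trail delivers to a log group); names and addresses are made up.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "Root"}},
    {"eventName": "DeleteTrail", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]

# Subset of the JSON filter-pattern syntax handled here: $.dotted.path selectors,
# quoted strings (with * as wildcard), = and !=, && and ||, and parentheses.
TOKEN_RE = re.compile(r'\s*(\$\.[\w.]+|"[^"]*"|&&|\|\||!=|=|[()])')

def tokenize(pattern):
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("JSON filter patterns are enclosed in { }")
    body, pos, tokens = body[1:-1], 0, []
    while body[pos:].strip():
        m = TOKEN_RE.match(body, pos)
        if not m:
            raise ValueError("unrecognised input at %r" % body[pos:])
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def lookup(event, selector):
    # Resolve $.a.b.c against nested dicts; None when any key is missing.
    node = event
    for key in selector[2:].split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def make_term(selector, op, literal):
    if not literal.startswith('"'):
        raise ValueError("only quoted string literals are supported here")
    # Only '*' is a wildcard; everything else in the literal is matched literally.
    rx = re.compile(".*".join(re.escape(p) for p in literal[1:-1].split("*")), re.S)
    def matches(event):
        value = lookup(event, selector)
        return isinstance(value, str) and rx.fullmatch(value) is not None
    # Simplification for this example: != is plain negation, so an event that
    # lacks the field also counts as "not equal".
    return matches if op == "=" else (lambda event: not matches(event))

class Parser:
    # Recursive descent:  or := and ('||' and)*    and := term ('&&' term)*
    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "||":
            self.take()
            left = (lambda lhs, rhs: lambda e: lhs(e) or rhs(e))(left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_term()
        while self.peek() == "&&":
            self.take()
            left = (lambda lhs, rhs: lambda e: lhs(e) and rhs(e))(left, self.parse_term())
        return left

    def parse_term(self):
        tok = self.take()
        if tok == "(":
            inner = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing )")
            return inner
        if tok is None or not tok.startswith("$."):
            raise ValueError("expected a $. selector, got %r" % tok)
        op, literal = self.take(), self.take()
        if op not in ("=", "!=") or literal is None:
            raise ValueError("malformed comparison after %s" % tok)
        return make_term(tok, op, literal)

def compile_pattern(pattern):
    parser = Parser(tokenize(pattern))
    test = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError("unexpected token %r" % parser.peek())
    return test

def metric_value(pattern, events):
    # The count a metric filter emits (1 per matching event); alarms are set on it.
    test = compile_pattern(pattern)
    return sum(1 for event in events if test(event))
```

Running the first pattern above over the sample gives 1 (the failed console login); `{ $.userIdentity.type = "Root" }` also gives 1, which is the classic "root account used" alarm. The value of having the matcher offline is that you can test a pattern against a captured batch of events before deploying it as a metric filter and attaching an alarm.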
Slide 18
• Essentially gives the ability to monitor network traffic within a VPC
• Also logs dropped packets (firewall logs)
• Outputs to CloudWatch Logs
• “Free”
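An added example (not from the deck) of the "firewall log" use of VPC Flow Logs: a parser for the space-separated records as they land in CloudWatch Logs, a count of REJECTed flows per source, and a simple detection for one source being rejected on many distinct destination ports of one interface, which is what a port sweep leaves behind. The log lines, account id, interface id and addresses are constructed for this example; the field order is the default flow-log format (version 2) and the `min_ports` threshold is an arbitrary starting point.

```python
# Constructed VPC Flow Log records in the default (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. Account, ENI and addresses are
# made up. The last line shows a NODATA record, where most fields are "-".
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 49152 22 6 1 44 1433140800 1433140859 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 49153 23 6 1 44 1433140800 1433140859 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 49154 3389 6 1 44 1433140800 1433140859 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 49155 445 6 1 44 1433140800 1433140859 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.8 10.0.1.15 51000 443 6 20 8000 1433140800 1433140859 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.8 443 51000 6 18 12000 1433140800 1433140859 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.8 10.0.1.15 51001 22 6 1 44 1433140800 1433140859 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1433140800 1433140859 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_flow_log(text):
    """Parse default-format flow log lines into dicts; '-' fields become None."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != len(FIELDS):
            raise ValueError("expected %d fields, got %d: %r" % (len(FIELDS), len(parts), line))
        rec = dict(zip(FIELDS, parts))
        for name in INT_FIELDS:
            rec[name] = None if rec[name] == "-" else int(rec[name])
        if rec["action"] == "-":
            rec["action"] = None
        records.append(rec)
    return records


def rejects_by_source(records):
    """How many flows each source address had rejected by a security group / NACL."""
    counts = {}
    for rec in records:
        if rec["action"] == "REJECT":
            counts[rec["srcaddr"]] = counts.get(rec["srcaddr"], 0) + 1
    return counts


def suspected_port_sweeps(records, min_ports=3):
    """Sources whose rejected flows touched at least min_ports distinct destination
    ports on the same interface. Returns sorted (srcaddr, interface_id, ports)."""
    seen = {}
    for rec in records:
        if rec["action"] == "REJECT":
            seen.setdefault((rec["srcaddr"], rec["interface_id"]), set()).add(rec["dstport"])
    return sorted((src, eni, sorted(ports)) for (src, eni), ports in seen.items()
                  if len(ports) >= min_ports)


def accepted_bytes(records):
    """Bytes carried by ACCEPTed flows per (src, dst) pair: the traffic baseline
    that later anomaly rules compare against."""
    totals = {}
    for rec in records:
        if rec["action"] == "ACCEPT":
            key = (rec["srcaddr"], rec["dstaddr"])
            totals[key] = totals.get(key, 0) + rec["bytes"]
    return totals


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("rejects by source:", rejects_by_source(recs))
    for src, eni, ports in suspected_port_sweeps(recs):
        print("possible sweep from %s against %s, ports %s" % (src, eni, ports))
    print("accepted bytes:", accepted_bytes(recs))
```

In a real deployment the same functions run over the batches a subscription filter or scheduled export pulls from the flow-log log group; the sweep detection is the kind of result you would turn into a SIEM alert, while `accepted_bytes` feeds the per-pair baseline used for later volume-anomaly rules.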
Slide 19
• Can block malicious HTTP/S requests
• Sits in front of CloudFront
• Generates CloudWatch metrics
Slide 24
• You have all the logs, but what do you do with them?
• CloudWatch/Logs is good … but
• There are a number of specialist log management vendors who have adapted their products to work as a SIEM.
• They provide compliance, auditing and pro-active monitoring capabilities.
Slide 29
• Security is a full-time job.
• Many companies don’t have the time/resources to keep on top of everything.
• Skilled security resources are expensive.
• Many high-profile organisations choose to outsource SIEM responsibilities.
Slide 31
• Security-focused AWS consulting partner
• AWS Certified to the highest level
• Consulting/Managed Services
• Come and talk to us!