© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Nathan Case
Detection techniques
They’re inside the walls
February, 2018
What to Expect from the Session
• Introduction
• Discussion of the services used
• The insider threat
• The crunchy outer shell defense!
• Auto remediation

They’re inside the walls!
AWS security solutions

Identity: AWS Identity & Access Management (IAM), AWS Organizations, AWS Cognito, AWS Directory Service, AWS Single Sign-On
Detective control: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs
Infrastructure security: Amazon EC2 Systems Manager, AWS Shield, AWS Web Application Firewall (WAF), Amazon Inspector, Amazon Virtual Private Cloud (VPC)
Data protection: AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, Certificate Manager, Server Side Encryption
Incident response: AWS Config Rules, AWS Lambda
Amazon GuardDuty
Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads

What can you do?
• Quickly find the threats (needle) to your environments in the sea of log data (haystack) so you can focus on hardening your AWS environments
• Analyze billions of events across your AWS accounts for signs of risk
• Monitor for activity such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise
• Rapidly respond to malicious or suspicious behavior
Amazon Macie
Machine learning-powered security service to discover, classify, & protect sensitive data

What can you do?
• Helps you better understand where sensitive information is stored
• Shows you how your data is being accessed, including user authentications and access patterns
• Use machine learning and user behavior analytics to uncover potential threats
• Find user behavior outliers that indicate possible compromise
• Macie can send all findings to Amazon CloudWatch Events
AWS CloudTrail
Track user activity and API usage

What can you do?
• Simplify your compliance audits by automatically recording and storing activity logs for your AWS account
• Increase visibility into your user and resource activity
• Discover and troubleshoot security and operational issues by capturing a comprehensive history of changes that occurred in your AWS account
Amazon CloudWatch
Monitoring service for AWS cloud resources and the applications you run on AWS.

What can you do?
• Monitor resource utilization, operational performance, and overall demand patterns
• Collect metrics including CPU utilization, disk reads / writes, and network traffic
• Accessible via the AWS Management Console, web service APIs, or Command Line Tools
• Add custom metrics of your own
• Alarms (which tie into auto-scaling, SNS, SQS)
• Billing Alerts to identify unusual account activity
AWS WAF
Web application firewall to help detect and block malicious web requests targeted at your web applications

What can you do?
• Deploy new rules within minutes, letting you respond quickly to changing traffic patterns
• Use the full-featured API to automate the creation, deployment, and maintenance of web security rules
• Put web security at multiple points in the development chain by defining application-specific rules that increase web security as you develop your application
VPC Flow Logs
Capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs

What can you do?
• Simplify your compliance audits by automatically recording and storing activity logs for your AWS account
• Increase visibility into your user and resource activity
• Discover and troubleshoot security and operational issues by capturing a comprehensive history of changes that occurred in your AWS account
Humans and data don’t mix

So who is inside the walls, exactly…?
- All of the enterprise employees, consultants, contractors, and you… are the vector of breach for your systems.
- You are the threat to your systems.
So who is inside the walls, exactly…?
- For today, pretend that insider threat is handled by your team and that insider threat includes:
  - Bad actors
  - Actors acting outside their associated role
  - Actors doing something they should be doing, but to an incorrect resource
Who is responsible?
- Please note:
  - Ownership and classification of an event is a question your team needs to talk about. It’s different in each enterprise.
  - You must have one group that is a catch-all. If an action does not fall into anyone’s bucket, that team is responsible.
Target of the discussion
The simple environment shown below has specific needs and allows for direct detection of threats, if:
• The system has little human interaction
• Normal patterns, and timed procedures
• Limited, well-defined scope and functions

[Diagram: AWS cloud / virtual private cloud with Availability Zone A and Availability Zone B, each containing a Web Server and an App Server; RDS DB instance with a standby instance (multi-AZ)]
Target of the discussion
This is more realistic:
• The system has lots of human interaction
• No patterns, or timed procedures
• No scope
Building a crunchy outer shell
• Does not defend complex systems from an insider threat
• Does not defend simple systems either
• Do not make assumptions about the target of an insider threat
• Do not assume that the target will be malicious
Target of the discussion
• Unify Logs/Trail
• Implement similar checks in all accounts
• Unify events/findings into CloudWatch Dashboards
• Trigger CloudWatch Events based on actions in the environment
• Watch for changes, not just actions
• Set up SNS Topics
Responding to Findings: Remediation
• Remediate a Compromised Instance
• Remediate Compromised AWS Credentials

Automatic Remediation
[Diagram: Amazon GuardDuty -> CloudWatch Event (Amazon CloudWatch) -> Lambda Function (AWS Lambda)]
CloudWatch Rules
[Screenshot: CloudWatch Dashboard, POLICY]
GuardDuty Findings: Threat Purpose Details
Describes the primary purpose of the threat. Available at launch, more coming!
• Backdoor: resource compromised and capable of contacting source home
• Behavior: activity that differs from established baseline
• CryptoCurrency: detected software associated with crypto currencies
• PenTest: activity detected similar to that generated by known pen testing tools
• Recon: attack scoping vulnerabilities by probing ports, listening, database tables, etc.
• Stealth: attack trying to hide actions / tracks
• Trojan: program detected carrying out suspicious activity
• UnauthorizedAccess: suspicious activity / pattern by unauthorized user
Remediation Actions

Account Remediation
• Remediate AWS credentials
  • PenTest
  • Recon (Black Listed IP)
  • Stealth
  • UnauthorizedAccess
• Investigate before Credential Remediation
  • Behavior
  • UnauthorizedAccess
  • Architecture Change
  • Recon

Instance Remediation
• Remediate Compromised Instances
  • Backdoor
  • CryptoCurrency
  • Recon (outgoing)
  • Trojan
  • UnauthorizedAccess
• Investigate before EC2 Remediation
  • Behavior
Lambda + Systems Manager + CloudWatch

[Diagram, built up over several slides: an Amazon GuardDuty finding matches an Amazon CloudWatch rule, which invokes an AWS Lambda function. The Lambda function runs AWS Systems Manager documents against the EC2 instance contents (shown as "Instance:~ ec2-user$ top", "Instance:~ ec2-user$ pcap", "Instance:~ ec2-user$ lime"). The instance's elastic network adapters carry the security group labels "3389 -> 0.0.0.0/0" and "80, 443->DataSG"; in a later build only "80, 443->DataSG" remains. The instance's EBS Volume is copied to an Amazon EBS snapshot for EBS Forensics.]
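An added example, not code from the deck or from AWS, of the decision step inside that Lambda function: it applies the Remediation Actions mapping (credential vs. instance remediation, or investigate first) to a GuardDuty finding delivered as a CloudWatch Event and emits the isolation steps from the diagram as a plan. The mapping of the deck's "Black Listed IP" and "outgoing" Recon qualifiers to GuardDuty finding families, the step names, and the constructed sample events with placeholder ids are assumptions of this example.

```python
"""Decision step of the GuardDuty -> CloudWatch Events -> Lambda flow (added example)."""
import json

# Threat purposes the deck auto-remediates, by resource type.  Anything else
# (Behavior, Architecture Change, ...) is queued for a human first.
AUTO_CREDENTIAL = {"PenTest", "Recon", "Stealth", "UnauthorizedAccess"}
AUTO_INSTANCE = {"Backdoor", "CryptoCurrency", "Recon", "Trojan", "UnauthorizedAccess"}

# The deck qualifies Recon: credentials only for "Black Listed IP" callers,
# instances only for outgoing scans.  Mapping those to GuardDuty finding
# families is an assumption of this example, not the deck's; an inbound port
# probe against an instance must not quarantine a healthy instance.
ACTIONABLE_RECON = {"AccessKey": {"MaliciousIPCaller"}, "Instance": {"Portscan"}}

# Isolation steps from the Lambda + Systems Manager diagram, in the order the
# diagram shows them.  A live Lambda would make one boto3 call per step
# (ec2.modify_instance_attribute for the security-group swap, ssm.send_command
# for each document, ec2.create_snapshot, iam.update_access_key); here they are
# plan entries so the decision logic runs and is testable without AWS access.
INSTANCE_STEPS = [
    "swap_security_groups_to_isolation_sg",  # drop 3389 -> 0.0.0.0/0, keep 80,443 -> DataSG
    "ssm_run_document:top",                  # volatile state: process list
    "ssm_run_document:pcap",                 # volatile state: network capture
    "ssm_run_document:lime",                 # volatile state: memory image
    "ebs_create_snapshot",                   # disk image for offline EBS forensics
]
CREDENTIAL_STEPS = ["iam_deactivate_access_key", "notify_sns"]
INVESTIGATE_STEPS = ["notify_sns", "open_investigation_ticket"]


def parse_finding_type(finding_type):
    """Split 'Purpose:Resource/Family.Mechanism!Artifact' into (purpose, family)."""
    purpose, _, rest = finding_type.partition(":")
    _, _, family = rest.partition("/")
    family = family.split(".", 1)[0].split("!", 1)[0]
    return purpose, family


def build_plan(event):
    """Map one GuardDuty finding (as a CloudWatch Event) to a remediation plan."""
    detail = event["detail"]
    purpose, family = parse_finding_type(detail["type"])
    resource = detail["resource"]
    rtype = resource["resourceType"]
    plan = {"finding_id": detail["id"], "type": detail["type"], "resource_type": rtype}

    if rtype == "Instance":
        target = resource["instanceDetails"]["instanceId"]
        auto, auto_steps = purpose in AUTO_INSTANCE, INSTANCE_STEPS
    elif rtype == "AccessKey":
        target = resource["accessKeyDetails"]["accessKeyId"]
        auto, auto_steps = purpose in AUTO_CREDENTIAL, CREDENTIAL_STEPS
    else:
        # Unknown resource type: falls to the deck's catch-all team.
        target, auto, auto_steps = None, False, INVESTIGATE_STEPS
    if purpose == "Recon" and target is not None:
        auto = family in ACTIONABLE_RECON[rtype]

    plan.update(target=target, mode="auto" if auto else "investigate",
                steps=list(auto_steps) if auto else list(INVESTIGATE_STEPS))
    return plan


def make_event(finding_type, resource_type, target):
    """Constructed minimal CloudWatch Event for a GuardDuty finding (placeholder ids)."""
    if resource_type == "Instance":
        resource = {"resourceType": "Instance", "instanceDetails": {"instanceId": target}}
    else:
        resource = {"resourceType": "AccessKey", "accessKeyDetails": {"accessKeyId": target}}
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"id": "finding-id-placeholder", "type": finding_type,
                       "severity": 5.0, "resource": resource}}


def lambda_handler(event, context):
    """Handler shape for the Lambda in the deck's flow: log and return the plan."""
    plan = build_plan(event)
    print(json.dumps(plan))
    return plan


if __name__ == "__main__":
    for ft, rt, tgt in [
        ("CryptoCurrency:EC2/BitcoinTool.B!DNS", "Instance", "i-0placeholder"),
        ("Recon:EC2/PortProbeUnprotectedPort", "Instance", "i-0placeholder"),
        ("Recon:IAMUser/MaliciousIPCaller", "AccessKey", "AKIA-PLACEHOLDER"),
        ("Behavior:EC2/NetworkPortUnusual", "Instance", "i-0placeholder"),
    ]:
        lambda_handler(make_event(ft, rt, tgt), None)
```

Wire the real boto3 calls behind each step name only after the plan output has been reviewed against findings from your own accounts, since the deck lists UnauthorizedAccess under both the automatic and the investigate-first columns.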
IAM Policies
[Screenshot: LAMBDA POLICY]

Demo
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

A Case Study on Insider Threat Detection

1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
   Nathan Case
   Detection techniques: They’re inside the walls
   February, 2018

2. What to Expect from the Session
   • Introduction
   • Discussion of the services used
   • The insider threat
   • The crunchy outer shell defense!
   • Auto remediation

3. They’re inside the walls!

4. AWS security solutions
   • Identity: AWS Identity & Access Management (IAM), AWS Organizations, AWS Cognito, AWS Directory Service, AWS Single Sign-On
   • Detective control: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs
   • Infrastructure security: Amazon EC2 Systems Manager, AWS Shield, AWS Web Application Firewall (WAF), Amazon Inspector, Amazon Virtual Private Cloud (VPC)
   • Data protection: AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, Certificate Manager, Server Side Encryption
   • Incident response: AWS Config Rules, AWS Lambda

5. Amazon GuardDuty: Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
   What can you do?
   • Quickly find the threats (needle) to your environments in the sea of log data (haystack) so you can focus on hardening your AWS environments
   • Analyzes billions of events across your AWS accounts for signs of risk
   • Monitors for activity such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise
   • Rapidly respond to malicious or suspicious behavior

6. Amazon Macie: Machine learning-powered security service to discover, classify, & protect sensitive data
   What can you do?
   • Helps you better understand where sensitive information is stored
   • Shows you how your data is being accessed, including user authentications and access patterns
   • Use machine learning and user behavior analytics to uncover potential threats
   • Find user behavior outliers that indicate possible compromise
   • Macie can send all findings to Amazon CloudWatch Events

7. AWS CloudTrail: Track user activity and API usage
   What can you do?
   • Simplify your compliance audits by automatically recording and storing activity logs for your AWS account
   • Increase visibility into your user and resource activity
   • Discover and troubleshoot security and operational issues by capturing a comprehensive history of changes that occurred in your AWS account

8. Amazon CloudWatch: Monitoring service for AWS cloud resources and the applications you run on AWS.
   What can you do?
   • Monitor resource utilization, operational performance, and overall demand patterns
   • Collected metrics include CPU utilization, disk reads / writes, and network traffic
   • Accessible via the AWS Management Console, web service APIs, or Command Line Tools
   • Add custom metrics of your own
   • Alarms (which tie into auto-scaling, SNS, SQS)
   • Billing Alerts to ID unusual account activity

9. AWS WAF: Web application firewall to help detect and block malicious web requests targeted at your web applications
   What can you do?
   • Deploy new rules within minutes, letting you respond quickly to changing traffic patterns
   • Use the full-featured API to automate the creation, deployment, and maintenance of web security rules
   • Put web security at multiple points in the development chain by defining application-specific rules that increase web security as you develop your application

10. VPC Flow Logs: Capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs
   What can you do?
   • Simplify your compliance audits by automatically recording and storing activity logs for your AWS account
   • Increase visibility into your user and resource activity
   • Discover and troubleshoot security and operational issues by capturing a comprehensive history of changes that occurred in your AWS account
11. Humans and data don’t mix

12. So who is inside the walls, exactly…?
   - All of the enterprise employees, consultants, contractors, and you… are the vector of breach for your systems.
   - You are the threat to your systems.

13. So who is inside the walls, exactly…?
   - For today, pretend that insider threat is handled by your team and that insider threat includes:
     - Bad actors
     - Actors acting outside their associated role
     - Actors doing something they should be doing to an incorrect resource

14. Who is responsible?
   - Please note:
     - Ownership and classification of an event is a question your team needs to talk about. It’s different in each enterprise.
     - You must have one group that is a catch-all. If an action does not fall into anyone’s bucket, that team is responsible.

15. Target of the discussion
   The simple environment to the left has specific needs and allows for direct detection of threats, if:
   • The system has little human interaction
   • Normal patterns, and timed procedures
   • Limited, well-defined scope and functions
   [Diagram: a virtual private cloud in the AWS cloud spanning Availability Zone A and Availability Zone B, each with a Web Server and an App Server, plus an RDS DB instance with a standby instance (multi-AZ).]

16. Target of the discussion
   This is more realistic:
   • The system has lots of human interaction
   • No patterns, or timed procedures
   • No scope

17. Building a crunchy outer shell
   • Does not defend complex systems from an insider threat
   • Does not defend simple systems either
   • Do not make assumptions about the target of an insider threat
   • Do not assume that the target will be malicious

18. Target of the discussion
   • Unify logs/trail
   • Implement similar checks in all accounts
   • Unify events/findings into CloudWatch Dashboards
   • Trigger CloudWatch Events based on actions in the environment
   • Watch for changes, not just actions
   • Set up SNS topics

19. Responding to Findings: Remediation
   • Remediate a Compromised Instance
   • Remediate Compromised AWS Credentials
   Automatic Remediation: Amazon GuardDuty -> CloudWatch Event (Amazon CloudWatch) -> Lambda Function (AWS Lambda)

20–21. CloudWatch Rules, CloudWatch Dashboard, POLICY (screenshots)

22. GuardDuty Findings: Threat Purpose
   Describes the primary purpose of the threat. Available at launch, more coming!
   • Backdoor: resource compromised and capable of contacting source home
   • Behavior: activity that differs from established baseline
   • CryptoCurrency: detected software associated with crypto currencies
   • PenTest: activity detected similar to that generated by known pen testing tools
   • Recon: attack scoping vulnerabilities by probing ports, listening, database tables, etc.
   • Stealth: attack trying to hide actions / tracks
   • Trojan: program detected carrying out suspicious activity
   • UnauthorizedAccess: suspicious activity / pattern by unauthorized user

23. Remediation Actions
   • Account Remediation
     • Remediate AWS credentials: PenTest, Recon (Black Listed IP), Stealth, UnauthorizedAccess
     • Investigate before Credential Remediation: Behavior, UnauthorizedAccess
     • Architecture Change: Recon
   • Instance Remediation
     • Remediate Compromised Instances: Backdoor, CryptoCurrency, Recon (outgoing), Trojan, UnauthorizedAccess
     • Investigate before EC2 Remediate: Behavior
24. Lambda + Systems Manager + CloudWatch
   [Diagram connecting Amazon GuardDuty, an Amazon CloudWatch rule, a Lambda function (AWS Lambda), AWS Systems Manager documents and the EC2 instance contents (Instance:~ ec2-user$ _).]

25–26. Lambda + Systems Manager + CloudWatch (same diagram, build steps)

27. Lambda + Systems Manager + CloudWatch: the instance now shows two elastic network adapters.

28. Lambda + Systems Manager + CloudWatch: adds an EBS Volume.

29. Lambda + Systems Manager + CloudWatch: adds the security group rule 80, 443 -> DataSG.

30. Lambda + Systems Manager + CloudWatch: adds the rule 3389 -> 0.0.0.0/0 alongside 80, 443 -> DataSG.

31. Lambda + Systems Manager + CloudWatch: one elastic network adapter and the 3389 -> 0.0.0.0/0 rule are no longer shown; 80, 443 -> DataSG and the EBS Volume remain.

32. Lambda + Systems Manager + CloudWatch: instance contents now read
   Instance:~ ec2-user$ top
   Instance:~ ec2-user$ pcap
   Instance:~ ec2-user$ lime
   with two elastic network adapters and the EBS Volume.

33. Lambda + Systems Manager + CloudWatch: adds EBS Forensics; the network adapters are no longer shown.

34. Lambda + Systems Manager + CloudWatch: same as slide 33 without EBS Forensics.

35. Lambda + Systems Manager + CloudWatch: the instance contents are gone; the EBS Volume and an Amazon EBS snapshot are shown.
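As an added example, not code from the deck or from AWS: a Python Lambda body that applies the "Remediation Actions" mapping from slide 23 and the isolate, snapshot, collect sequence from slides 24–35 to a GuardDuty finding delivered through a CloudWatch Events rule. The quarantine security group, the Systems Manager document name and the SNS topic ARN are constructed placeholders; the multi-volume `create_snapshots` call is my choice for the EBS snapshot step, and UnauthorizedAccess, which the slide lists under both remediate and investigate for credentials, takes the remediate branch here.

```python
# Constructed placeholders for this example; substitute your own resources.
QUARANTINE_SG = "sg-0quarantine0example"   # security group with no inbound/outbound rules
COLLECT_DOC = "Forensics-CollectVolatile"   # SSM document that runs top / pcap / lime
ALERT_TOPIC = "arn:aws:sns:us-east-1:111122223333:security-findings"

# Threat purposes (text before ':' in the finding type) grouped as on the slide.
# 'Behavior' is deliberately in neither set: a baseline deviation only pages a human.
ACCOUNT_REMEDIATE = {"PenTest", "Recon", "Stealth", "UnauthorizedAccess"}
INSTANCE_REMEDIATE = {"Backdoor", "CryptoCurrency", "Recon", "Trojan", "UnauthorizedAccess"}

def plan_remediation(event):
    """Map one CloudWatch Events 'GuardDuty Finding' event to an ordered action plan."""
    if event.get("detail-type") != "GuardDuty Finding":
        return []
    finding_type = event["detail"]["type"]
    purpose = finding_type.split(":", 1)[0]
    res = event["detail"]["resource"]
    plan = []
    if res["resourceType"] == "Instance" and purpose in INSTANCE_REMEDIATE:
        iid = res["instanceDetails"]["instanceId"]
        # Isolate first, preserve the disk, then pull volatile data over SSM.
        plan += [("isolate_instance", iid), ("snapshot_volumes", iid), ("collect_volatile", iid)]
    elif res["resourceType"] == "AccessKey" and purpose in ACCOUNT_REMEDIATE:
        plan.append(("disable_key", res["accessKeyDetails"]))
    plan.append(("notify", finding_type))  # every finding reaches the SNS topic
    return plan

def execute(plan, clients=None):
    """Translate the plan into AWS API calls. With clients=None (dry run) they are only
    returned as (service, method, kwargs); with {"ec2": boto3.client("ec2"), ...} they run."""
    calls = []
    for action, target in plan:
        if action == "isolate_instance":   # swap every security group for the quarantine SG
            calls.append(("ec2", "modify_instance_attribute",
                          {"InstanceId": target, "Groups": [QUARANTINE_SG]}))
        elif action == "snapshot_volumes":  # multi-volume snapshot for EBS forensics
            calls.append(("ec2", "create_snapshots",
                          {"InstanceSpecification": {"InstanceId": target},
                           "Description": "GuardDuty forensics " + target}))
        elif action == "collect_volatile":  # Systems Manager document on the instance
            calls.append(("ssm", "send_command",
                          {"InstanceIds": [target], "DocumentName": COLLECT_DOC}))
        elif action == "disable_key":       # credential remediation: deactivate the key
            calls.append(("iam", "update_access_key",
                          {"UserName": target["userName"],
                           "AccessKeyId": target["accessKeyId"], "Status": "Inactive"}))
        elif action == "notify":
            calls.append(("sns", "publish",
                          {"TopicArn": ALERT_TOPIC, "Subject": target, "Message": str(plan)}))
    if clients is not None:
        for service, method, kwargs in calls:
            getattr(clients[service], method)(**kwargs)
    return calls

# Constructed sample event in the shape CloudWatch Events delivers GuardDuty findings.
SAMPLE_EVENT = {"detail-type": "GuardDuty Finding", "detail": {
    "type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8, "resource": {
        "resourceType": "Instance", "instanceDetails": {"instanceId": "i-0example1234567890"}}}}
```

The Lambda handler itself is `execute(plan_remediation(event), clients)`; running it without clients first shows exactly which calls a finding would trigger before the function is given a role that allows them.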
36–37. IAM Policies: LAMBDA POLICY (screenshots)

38. Demo