1. ALERT LOGIC'S INTEGRATION WITH AMAZON GUARDDUTY
   Ryan Holland, Sr Director, Cloud Platforms
2. Outline
   • Services Overview
   • GuardDuty Integration
   • Top Findings, Configuration Errors, and CVEs
   • Demo
3. SERVICES OVERVIEW
4. Amazon GuardDuty
   • AWS threat detection service (launched at re:Invent 2017) that monitors your environment for suspicious behavior using:
     - AWS CloudTrail event logs
     - VPC Flow Logs
     - DNS logs
   • GuardDuty identifies potential security issues called "Findings":
     - Reconnaissance (e.g., EC2 instance being probed)
     - Instance compromise (e.g., EC2 instance querying phishing domains)
     - Account compromise (e.g., credentials used from multiple locations)
5. Cloud Insight Essentials
   • Alert Logic service (also launched at re:Invent 2017) that identifies configurations that go against AWS security best practices and provides enrichment and management of GuardDuty findings.
   • Uses an IAM role/policy to monitor CloudTrail logs and identify risky configurations like:
     - User not configured to use MFA
     - S3 bucket has a global ACL
     - Passwords not configured to expire
   • Can deploy vulnerability scanners (Cloud Insight) to identify Common Vulnerabilities and Exposures (CVEs) in software
   • Available on AWS Marketplace with a 30-day free trial:
     https://aws.amazon.com/marketplace/pp/B0764JH55Q
6. Cloud Insight Essentials Topology View (screenshot)
7. GUARDDUTY INTEGRATION
8. CloudFormation Template
   • CloudFormation template that deploys a Kinesis Stream and a Lambda function that together act as a CloudWatch Events collector.
   • The CloudWatch Events collector gathers all CloudWatch Events associated with GuardDuty Findings and forwards those events to Cloud Insight Essentials.
   • Cloud Insight Essentials augments Findings by providing more detailed information and guidance on what to do with each Finding, and tracks historical trends.
   • Available on GitHub (https://github.com/alertlogic/cwe-collector/)
9. GuardDuty Integration Architecture (diagram)
   AWS CloudTrail, VPC Flow Logs and DNS Logs feed Amazon GuardDuty; each GuardDuty Finding is emitted as a CloudWatch Event; the CloudWatch Events collector (Lambda function, deployed by the CloudFormation template) forwards it to Cloud Insight Essentials, which produces GuardDuty trends and remediations.
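As an added example (my code, not Alert Logic's cwe-collector or anything shown on the slides), here is a minimal collector handler of the kind the architecture describes: a Lambda function that receives the CloudWatch Event for a GuardDuty Finding, either directly from the CloudWatch Events rule or through the Kinesis stream, checks that it really is a GuardDuty finding, and reduces it to the fields an incident record needs. The sample event is constructed to follow the GuardDuty finding format; the account, finding ID, instance ID and IP address are invented. The step that forwards records to Alert Logic is left out because the slides do not show that API; the handler returns the records instead.

```python
import base64
import json

# Constructed sample of the CloudWatch Event GuardDuty emits for a finding. The
# layout follows the GuardDuty finding format; account, IDs and IPs are made up.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "detail": {
        "accountId": "123456789012",
        "region": "us-east-1",
        "id": "8ab1c2d3e4f5a6b7c8d9e0f1a2b3c4d5",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
        "service": {
            "count": 12,
            "eventFirstSeen": "2018-03-01T10:05:00Z",
            "eventLastSeen": "2018-03-01T11:58:00Z",
            "action": {
                "actionType": "NETWORK_CONNECTION",
                "networkConnectionAction": {
                    "connectionDirection": "INBOUND",
                    "localPortDetails": {"port": 22},
                    "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},
                },
            },
        },
    },
}


def severity_label(score):
    """GuardDuty's documented bands: Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9."""
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"


def resource_name(resource):
    """Instance ID for EC2 findings, IAM user name for access-key findings."""
    details = resource.get("instanceDetails") or resource.get("accessKeyDetails") or {}
    return details.get("instanceId") or details.get("userName")


def remote_ip(service):
    """Remote IPv4 of a network-connection action, if present."""
    nca = service.get("action", {}).get("networkConnectionAction", {})
    return nca.get("remoteIpDetails", {}).get("ipAddressV4")


def normalize_finding(event):
    """Reduce one 'GuardDuty Finding' event to the fields an incident record needs.
    Non-GuardDuty events are rejected so an over-broad rule cannot push junk downstream."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    d, svc = event["detail"], event["detail"].get("service", {})
    sev = float(d["severity"])
    return {
        "finding_id": d["id"],
        "account": d["accountId"],
        "region": d["region"],
        "type": d["type"],
        "category": d["type"].split(":", 1)[0],  # Recon, UnauthorizedAccess, Trojan, ...
        "severity": sev,
        "severity_label": severity_label(sev),
        "resource": resource_name(d.get("resource", {})),
        "remote_ip": remote_ip(svc),
        "count": svc.get("count", 1),
        "last_seen": svc.get("eventLastSeen"),
    }


def unwrap(event):
    """Yield CloudWatch Events whether Lambda was invoked by the rule directly or
    through a Kinesis stream (each record carries a base64-encoded payload)."""
    if "Records" in event:
        for rec in event["Records"]:
            yield json.loads(base64.b64decode(rec["kinesis"]["data"]))
    else:
        yield event


def as_kinesis_record(cw_event):
    """Wrap an event the way a Kinesis-triggered Lambda receives it (demo helper)."""
    return {"kinesis": {"data": base64.b64encode(json.dumps(cw_event).encode()).decode()}}


def handler(event, context=None):
    """Lambda entry point. GuardDuty re-emits a finding under the same ID as it
    aggregates events, so the batch is keyed by ID and the newest copy wins. Bad
    records are skipped, not raised: an exception from a Kinesis trigger makes
    Lambda retry the whole batch and stalls the shard behind one bad record."""
    findings = {}
    for cw_event in unwrap(event):
        try:
            rec = normalize_finding(cw_event)
        except (ValueError, KeyError):
            continue
        old = findings.get(rec["finding_id"])
        if old is None or (rec["last_seen"] or "") >= (old["last_seen"] or ""):
            findings[rec["finding_id"]] = rec
    return {"statusCode": 200, "findings": list(findings.values())}
```

Run it with `handler({"Records": [as_kinesis_record(SAMPLE_EVENT)]})` to exercise the Kinesis path, or `handler(SAMPLE_EVENT)` for a direct rule invocation. The source/detail-type check matters in practice: a CloudWatch Events rule whose pattern is only `{"source": ["aws.guardduty"]}` still matches archived-finding and other GuardDuty events, so the collector should not assume every event it sees is a finding.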
10. Inspector Integration Architecture (diagram)
    A scheduled event triggers a Lambda function that enumerates Amazon Inspector findings for EC2 instances; the Inspector findings are sent to Cloud Insight Essentials as exposures and remediations.
11. Config Rules Integration Architecture (diagram)
    When AWS Config produces a new snapshot or a Config rule completes, a Lambda function converts the results into Cloud Insight exposures and remediations in Cloud Insight Essentials.
12. Incident Summaries
    • The Incident Summary gives you an overview of the GuardDuty primary detection categories
13. Incident List
    • The Incident List gives you an Investigation Report (summary of the Finding with links to industry knowledge)
14. GuardDuty Recommendations
    • Recommendations provide short-term actions (with links on how to investigate compromises) and links to the AWS console to conduct further investigation
15. GuardDuty Evidence
    • Evidence records the full GuardDuty Finding and the last time it was seen
16. GuardDuty Remediations
    • Steps to help customers enable GuardDuty and deploy our CloudWatch Event collectors
17. TOP FINDINGS, MISCONFIGURATIONS, & CVES
18. The Terrible Ten

    GuardDuty Findings
    1. Recon:EC2/PortProbeUnprotectedPort
    2. Recon:EC2/Portscan
    3. UnauthorizedAccess:EC2/SSHBruteForce
    4. UnauthorizedAccess:EC2/RDPBruteForce
    5. CryptoCurrency:EC2/BitcoinTool.B!DNS
    6. Stealth:IAMUser/PasswordPolicyChange
    7. UnauthorizedAccess:EC2/TorIPCaller
    8. Behavior:EC2/NetworkPortUnusual
    9. Trojan:EC2/DropPoint!DNS
    10. PenTest:IAMUser/KaliLinux

    Misconfigurations
    1. Unencrypted AMI Discovered
    2. Unencrypted EBS Volume
    3. S3 Logging not Enabled
    4. Single Point of Failure (no Auto Scaling)
    5. S3 Object Versioning not Enabled
    6. User not configured to use MFA
    7. User Access Keys not Rotating
    8. IAM Policies Directly Attached to User
    9. Dangerous User Privileged Access to S3
    10. Dangerous IAM Role for S3

    CVEs
    1. RC4 Ciphers
    2. MD5 Hash Collision
    3. OpenSSH Security Bypass
    4. OpenSSH DoS
    5. TLS Logjam Issue
    6. OpenSSH Buffer Overflow
    7. OpenSSH Info Disclosure
    8. OpenSSH Memory Corruption
    9. OpenBSD DoS
    10. OpenBSD Security Bypass
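Slide 5 and the misconfiguration column above name checks such as "User not configured to use MFA", "User Access Keys not Rotating", "Unencrypted EBS Volume", "S3 bucket has a global ACL" and "Passwords not configured to expire". The following added example (my code, not Cloud Insight Essentials' own logic) implements those five checks as pure functions over the data the AWS APIs return: an IAM credential report (`iam get-credential-report`), an `ec2 describe-volumes` response, an `s3api get-bucket-acl` response and an `iam get-account-password-policy` response. The report and responses are constructed samples in the real formats; the account, user names, volume IDs and dates are invented, and the 90-day rotation threshold and the fixed clock are assumptions so the run is deterministic.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed IAM credential report in the real report's column layout; the
# account, users and dates are invented. "N/A" marks an unset value, and the
# root row reports its password fields as "not_supported".
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2016-01-10T09:00:00+00:00,not_supported,2018-02-20T08:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2017-05-01T09:00:00+00:00,true,2018-02-28T10:00:00+00:00,2018-01-15T10:00:00+00:00,2018-04-15T10:00:00+00:00,true,true,2018-01-15T10:00:00+00:00,2018-02-28T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2016-03-01T09:00:00+00:00,true,2018-02-27T10:00:00+00:00,2016-03-01T09:00:00+00:00,N/A,false,true,2016-03-01T09:00:00+00:00,2018-02-27T10:00:00+00:00,us-east-1,ec2,true,2017-11-20T10:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
deploy,arn:aws:iam::123456789012:user/deploy,2017-09-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2017-09-01T09:00:00+00:00,2018-03-01T06:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Constructed API responses in the shape of DescribeVolumes, GetBucketAcl and
# GetAccountPasswordPolicy output (IDs invented).
DESCRIBE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaa11112222bbbb3", "Encrypted": True, "State": "in-use"},
    {"VolumeId": "vol-0bbb22223333cccc4", "Encrypted": False, "State": "in-use"},
    {"VolumeId": "vol-0ccc33334444dddd5", "Encrypted": False, "State": "available"},
]}
BUCKET_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
PASSWORD_POLICY = {"MinimumPasswordLength": 8, "RequireSymbols": True, "ExpirePasswords": False}
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
NOW = datetime(2018, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock (assumption) for a deterministic run


def parse_credential_report(text):
    """One dict per principal, keyed by the report's column names."""
    return list(csv.DictReader(io.StringIO(text)))


def users_without_mfa(rows):
    """Console-capable principals with no MFA device. Root reports password_enabled
    as 'not_supported' but always has a console password, so it is included."""
    return [r["user"] for r in rows
            if r["password_enabled"] in ("true", "not_supported") and r["mfa_active"] != "true"]


def stale_access_keys(rows, now, max_age_days=90):
    """Active access keys older than max_age_days, as (user, key_slot, age_days)."""
    stale = []
    for r in rows:
        for slot in ("1", "2"):
            rotated = r[f"access_key_{slot}_last_rotated"]
            if r[f"access_key_{slot}_active"] != "true" or rotated == "N/A":
                continue
            age = (now - datetime.fromisoformat(rotated)).days
            if age > max_age_days:
                stale.append((r["user"], slot, age))
    return stale


def unencrypted_volumes(describe_volumes):
    """Volume IDs whose data at rest is not encrypted (detached volumes included)."""
    return [v["VolumeId"] for v in describe_volumes["Volumes"] if not v.get("Encrypted")]


def public_bucket_grants(acl):
    """ACL grants to the AllUsers / AuthenticatedUsers groups, as (group, permission)."""
    return [(PUBLIC_GROUPS[g["Grantee"]["URI"]], g["Permission"]) for g in acl["Grants"]
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def passwords_never_expire(policy):
    """True when the account password policy does not force rotation."""
    return not policy.get("ExpirePasswords") or "MaxPasswordAge" not in policy


def run_checks(now=NOW):
    """Evaluate all five checks over the constructed inputs, keyed by the slide's names."""
    rows = parse_credential_report(CREDENTIAL_REPORT)
    return {
        "user_not_configured_to_use_mfa": users_without_mfa(rows),
        "user_access_keys_not_rotating": stale_access_keys(rows, now),
        "unencrypted_ebs_volume": unencrypted_volumes(DESCRIBE_VOLUMES),
        "s3_bucket_has_global_acl": public_bucket_grants(BUCKET_ACL),
        "passwords_not_configured_to_expire": passwords_never_expire(PASSWORD_POLICY),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

Two details worth keeping when turning this into a real scanner: the credential report is generated asynchronously (`generate-credential-report` first, then poll `get-credential-report`), and `get-account-password-policy` raises `NoSuchEntity` when no policy exists at all, which is the worst case of "passwords not configured to expire" and should be reported as such rather than treated as an error.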
19. Conclusions
    • "By 2020, 95% of cloud security failures will be the customer's fault."*
    • The most frequent GuardDuty Findings are due to customers leaving ports open or not restricting access to ports
    • The most frequent configuration issues are due to customers not encrypting AMIs/volumes, not enabling logging, and weak IAM permissions
    • The most frequent CVEs are due to customers running out-of-date open source software
    * Gartner Reveals Top Predictions for IT Organizations and Users for 2016 and Beyond: https://www.gartner.com/newsroom/id/3143718
20. DEMO
21. Thank you.