SlideShare una empresa de Scribd logo
1 de 46
Descargar para leer sin conexión
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat detection
Ross Warren
Specialized Solutions Architect
AWS
S E C 2 0 7
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Workshop agenda
Module 1: Environment setup (20 min.)
Module 2: Attack kickoff and presentation (40 min.)
Module 3: Detect, investigate, and respond (45 min.)
Module 4: Review, questions, and lessons learned (15 min.)
Use US West (Oregon)
us-west-2
Please follow directions
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS event engine
We will use the AWS event engine; please don’t use one of your
own accounts
https://dashboard.eventengine.run
You will enter the hash that is provided at the URL above
Event name: Scaling threat detection and response in AWS
1. Click AWS Console
2. Click Open Console
3. Verify that you are in the AWS Management Console in the
us-west-2 Region
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Data breach patterns
Verizon 2018 Data Breach Investigations Report,
11th Edition
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Workshop scenario
Internet
Public subnet
AWS Cloud
Availability zone
Web server
VPC
Amazon S3 bucket
Bare minimum architecture for POC
Users
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 1: Build detective controls
Run the AWS CloudFormation template (~5 min.)
• Before moving on, make sure the stack status = CREATE_COMPLETE
• You will get an email from Amazon SNS asking you to confirm the subscription;
do this so that you can receive email alerts from AWS services during the
workshop
Manual setup steps (~15 min.)
• Create a Amazon CloudWatch event rule
• Enable Amazon GuardDuty
• Enable AWS Security Hub
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 1: Build detective controls
Detect and investigate
AWS Security
Hub
Amazon
Macie
Amazon
GuardDuty
AWS
CloudTrail
Amazon
CloudWatch
Events
Amazon
CloudWatch
logs
Amazon VPC
flow logs
DNS logs
Amazon
Inspector
Amazon
S3
AWS Lambda
Amazon SNS
Security analyst
Respond
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 1: Build detective controls
https://dashboard.eventengine.run
https://tinyurl.com/yyc6tvph
Directions
1. Browse to the URL
2. Read through the workshop scenario
3. Choose Module 1: Environment Build in the outline on the left
4. Complete the module (~15 min.), and then stop
Use US West (Oregon)
us-west-2
Please follow directions
Do not skip the manual steps
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 2: Attack kickoff
Run the AWS CloudFormation template (~5 min.)
Do not move on to Module 3
Threat detection and response presentation (~30 min.)
Workshop walk-through (~5 min.)
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 2: Attack kickoff
https://dashboard.eventengine.run
https://tinyurl.com/yyc6tvph
Directions
1. Browse to the URL
2. Choose Module 2: Attack Simulation in the outline on the left
3. Complete the module (~5 min.), and then stop
4. Do not move on to Module 3
Use US West (Oregon)
us-west-2
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Why is threat detection so hard?
Skills shortageSignal to noiseLarge datasets
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Identity and Access
Management (IAM)
AWS Single Sign-On
AWS Directory Service
Amazon Cognito
AWS Organizations
AWS Secrets Manager
AWS Resource Access Manager
AWS Security Hub
Amazon GuardDuty
AWS Config
AWS CloudTrail
Amazon
CloudWatch
Amazon Virtual Private Cloud
(Amazon VPC)
flow logs
AWS Systems Manager
AWS Shield
AWS WAF
(web application firewall)
AWS Firewall Manager
Amazon Inspector
Amazon VPC
AWS Key Management
Service (KMS)
AWS CloudHSM
AWS Certificate Manager
Amazon Macie
Server-side encryption
AWS Config rules
AWS Lambda
AWS Systems Manager
Identity Detect
Infrastructure
protection
Respond
Data
protection
Deep set of security tools
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat detection: Log data inputs
DNS logs
Track user activity
and API usage
IP traffic to and from
network interfaces
in a VPC
Monitor applications
using log data; store and
access log files
Log of DNS queries in a
VPC when using the VPC
DNS resolver
AWS CloudTrail Flow logs Amazon CloudWatch
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat detection: Machine learning
Intelligent threat detection and
continuous monitoring to protect your
AWS accounts and workloads
Machine learning-powered security
service to discover, classify, and protect
sensitive data
Amazon GuardDuty Amazon Macie
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat detection: Amazon GuardDuty
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat detection: AWS Security Hub
• Comprehensive view of your security and compliance state within
AWS
• Aggregates security findings generated by other AWS security services
and partners
• Analyze security trends and identify the highest-priority security issues
Amazon
Inspector
Amazon
GuardDuty
Amazon
Macie
AWS Security Hub
Security
findings
providers
Findings
Insights &
standards
Other
AWS
Config
Partner
solutions
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat detection: Evocations and triggers
Continuously tracks your resource
configuration changes and whether
they violate any of the conditions in
your rules
Delivers a near real-time stream of
system events that describe changes
in AWS resources
Amazon CloudWatch
Events
AWS Config
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Attacker lifecycle: Stages
Reconnaissance
Establish
foothold
Escalate
privileges
Internal
reconnaissance
Maintain
persistence
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Attacker lifecycle: Attacker actions
RDP brute force RAT installed
Exfiltrate data
over DNS
Probe API with
temporary
credentials
Attempt to
compromise
account
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Attacker lifecycle: Amazon GuardDuty findings
RDP brute force RAT installed
Exfiltrate data
over DNS
Probe API with
temporary
credentials
Attempt to
compromise
account
Malicious or
suspicious IP
Unusual ports
DNS exfiltration
Unusual traffic volume
Connect to blacklisted site
Recon:EC2/PortProbeUnprotectedPort
Anonymizing proxy
Temporary credentials
used off-instance
Unusual ISP caller
Bitcoin activity
Unusual instance launch
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat response: Amazon CloudWatch Events
Amazon GuardDuty findings
AWS Lambda
function
Partner solutions
Automated
response
Anything
else
Amazon CloudWatch
Events
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS
Lambda
Threat response: Services
AWS Systems
Manager
Amazon
Inspector
Run code for virtually
any kind of application
or backend service—
zero administration
Gain operational
insights and take action
on AWS resources
Automate security
assessments of Amazon
EC2 instances
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat response: High-level playbook
Adversary
or intern
Your environment AWS Lambda
function
Amazon CloudWatch
Events
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat response: Detailed playbook
Amazon
CloudWatch
Events
AWS Config
AWS Lambda
function
AWS APIs
Detect
Investigate
Respond
Team
collaboration
(e.g., Slack)
Amazon
Inspector
AWS Security Hub
Amazon
GuardDuty
Amazon Macie
Amazon
Inspector
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 2: Attack target
InternetUsers
Public subnet
AWS Cloud
Availability zone
Web server
VPC
Amazon S3 bucket
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 2: Setup
AWS Lambda
Amazon SNS
Security analyst
RespondDetect and investigate
AWS
Security Hub
Amazon
Macie
Amazon
GuardDuty
AWS
CloudTrail
Amazon
CloudWatch
Events
Amazon
CloudWatch
logs
DNS logs
Amazon
Inspector
Amazon
S3
Amazon VPC
flow logs
Public subnet
AWS Cloud
Availability zone
Web server
VPC
Environment
Amazon S3 bucket
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 2: The attack
AWS Cloud
Amazon API
Gateway
endpoints
Amazon S3
bucket
Public subnet
AWS Cloud
Availability zone
VPC
Amazon EC2
compromised instance
Malicious host Internet
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 3: Detect and response
https://dashboard.eventengine.run
https://tinyurl.com/yyc6tvph
Directions
1. Browse to the URL
2. Choose Module 3: Detect & Respond in the outline on the left
3. Run through the module (~45 min.)
Use US West (Oregon)
us-west-2
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 4: What happened?
Review (5 min.)
Questions (10 min.)
Lessons learned
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 4: What happened?
https://tinyurl.com/yyc6tvph
Directions
1. Browse to the URL
2. Choose Module 4: Discussion in the outline on the left
3. We will summarize the workshop, then answer questions
4. Do not need to do – Cleanup
Use US West (Oregon)
us-west-2
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 4: The attack
AWS Cloud
Amazon API
Gateway
endpoints
Bucket
Public subnet
AWS Cloud
Availability Zone
VPC
Amazon EC2
compromised instance
Malicious host
Internet
1 2
3
4
API calls
Bucket changes
SSH brute force attack
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 4: What really happened?
AWS Lambda
Amazon SNS
Security analyst
RespondDetect and investigate
AWS Security
Hub
Amazon
Macie
Amazon
GuardDuty
AWS
CloudTrail
Amazon
CloudWatch
Events
Amazon
CloudWatch
logs
DNS logs
Amazon
Inspector
Amazon
S3
Amazon VPC
flow logs
AWS Cloud
VPC
Public subnet
Compromised
instance
Subnet 2
Elastic IP in custom
threat list
Availability zone
Public subnet
Malicious
host
Subnet 1
Bucket
The attack
1 2
43
API calls
Bucket
changes
API Gateway
endpoints
SSH brute
force attack
5
Amazon
Inspector
Inspector
assessment
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Workshop questions 1
Which of the following AWS services have direct access to your Amazon EC2
instances?
What performance impact does Amazon GuardDuty have on your account if you
have more than 100 VPCs?
How do you kick off notifications or actions based on events in
Amazon GuardDuty?
What is the difference between Amazon Macie and Amazon GuardDuty?
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Workshop questions 2
The lab mentions that you can ignore the high-severity SSH brute force attack
finding; why?
Why did the API calls from the malicious host generate Amazon GuardDuty
findings?
What is required for Amazon CloudWatch logs to capture evidence to help
investigate an SSH brute force attack?
What key remediation step was missed regarding the SSH brute
force attack?
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Lessons learned from incident response
Use a strong tagging strategy!
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Lessons learned from incident response
Questions to ask during the investigation
• Is this finding a true positive?
• Is the event an unusual activity or more?
• Where did the incident occur?
• Who reported or discovered the incident?
• How was it discovered?
• Are there any other areas that have been compromised by the incident? If so, what are they and when
were they discovered?
• What is the scope of the impact?
• What is the business impact?
• Have the source(s) of the incident been located? If so, where, when, and what are they?
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Lessons learned from incident response
Enrich findings and get the full picture of your environment
• Network intrusion detection
• Firewall alerts
• AWS WAF alerts
• Identity (UBA)
• Endpoint and compute events (AV, EDR)
• OS-level Information
• Application level logs
Centralize GuardDuty findings into a SIEM
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Useful links
https://aws.amazon.com/security/
https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf
https://www.nist.gov/cyberframework
https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf
https://aws.amazon.com/security/penetration-testing/
https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf
Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Ross Warren
ross@amazon.com

Más contenido relacionado

La actualidad más candente

A few milliseconds in the life of an HTTP request - SVC303 - New York AWS Summit
A few milliseconds in the life of an HTTP request - SVC303 - New York AWS SummitA few milliseconds in the life of an HTTP request - SVC303 - New York AWS Summit
A few milliseconds in the life of an HTTP request - SVC303 - New York AWS SummitAmazon Web Services
 
Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
Data protection using encryption in AWS - SEC201 - Santa Clara AWS SummitData protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
Data protection using encryption in AWS - SEC201 - Santa Clara AWS SummitAmazon Web Services
 
Technology as a means for compliance - GRC206 - AWS re:Inforce 2019
Technology as a means for compliance - GRC206 - AWS re:Inforce 2019 Technology as a means for compliance - GRC206 - AWS re:Inforce 2019
Technology as a means for compliance - GRC206 - AWS re:Inforce 2019 Amazon Web Services
 
Making CI/CD pipelines safer with application monitoring and tracing - MAD202...
Making CI/CD pipelines safer with application monitoring and tracing - MAD202...Making CI/CD pipelines safer with application monitoring and tracing - MAD202...
Making CI/CD pipelines safer with application monitoring and tracing - MAD202...Amazon Web Services
 
Developing Modern Applications in the Cloud
Developing Modern Applications in the CloudDeveloping Modern Applications in the Cloud
Developing Modern Applications in the CloudAmazon Web Services
 
Migrate your Oracle and SQL Server databases to Amazon RDS - ADB210 - New Yor...
Migrate your Oracle and SQL Server databases to Amazon RDS - ADB210 - New Yor...Migrate your Oracle and SQL Server databases to Amazon RDS - ADB210 - New Yor...
Migrate your Oracle and SQL Server databases to Amazon RDS - ADB210 - New Yor...Amazon Web Services
 
Kubernetes on AWS with Amazon EKS - MAD301 - New York AWS Summit
Kubernetes on AWS with Amazon EKS - MAD301 - New York AWS SummitKubernetes on AWS with Amazon EKS - MAD301 - New York AWS Summit
Kubernetes on AWS with Amazon EKS - MAD301 - New York AWS SummitAmazon Web Services
 
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...Amazon Web Services
 
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...Amazon Web Services
 
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...Amazon Web Services
 
Secure Your Data with Recommended Best Practices Enabled by AWS Security and ...
Secure Your Data with Recommended Best Practices Enabled by AWS Security and ...Secure Your Data with Recommended Best Practices Enabled by AWS Security and ...
Secure Your Data with Recommended Best Practices Enabled by AWS Security and ...Amazon Web Services
 
Twelve-factor serverless applications - MAD302 - Santa Clara AWS Summit
Twelve-factor serverless applications - MAD302 - Santa Clara AWS SummitTwelve-factor serverless applications - MAD302 - Santa Clara AWS Summit
Twelve-factor serverless applications - MAD302 - Santa Clara AWS SummitAmazon Web Services
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Amazon Web Services
 
Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019
Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019 Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019
Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019 Amazon Web Services
 
Find all the threats - AWS threat detection and remediation - SEC202 - Atlant...
Find all the threats - AWS threat detection and remediation - SEC202 - Atlant...Find all the threats - AWS threat detection and remediation - SEC202 - Atlant...
Find all the threats - AWS threat detection and remediation - SEC202 - Atlant...Amazon Web Services
 
Driving performance & security across your industrial facility with AWS - SVC...
Driving performance & security across your industrial facility with AWS - SVC...Driving performance & security across your industrial facility with AWS - SVC...
Driving performance & security across your industrial facility with AWS - SVC...Amazon Web Services
 
Monitoring with container insights & anomaly detection - SVC308 - New York AW...
Monitoring with container insights & anomaly detection - SVC308 - New York AW...Monitoring with container insights & anomaly detection - SVC308 - New York AW...
Monitoring with container insights & anomaly detection - SVC308 - New York AW...Amazon Web Services
 
What’s new with Amazon S3, Amazon EFS, and other AWS storage services - STG20...
What’s new with Amazon S3, Amazon EFS, and other AWS storage services - STG20...What’s new with Amazon S3, Amazon EFS, and other AWS storage services - STG20...
What’s new with Amazon S3, Amazon EFS, and other AWS storage services - STG20...Amazon Web Services
 
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...Amazon Web Services
 
Take action on your security & compliance alerts with AWS Security Hub - SEC2...
Take action on your security & compliance alerts with AWS Security Hub - SEC2...Take action on your security & compliance alerts with AWS Security Hub - SEC2...
Take action on your security & compliance alerts with AWS Security Hub - SEC2...Amazon Web Services
 

La actualidad más candente (20)

A few milliseconds in the life of an HTTP request - SVC303 - New York AWS Summit
A few milliseconds in the life of an HTTP request - SVC303 - New York AWS SummitA few milliseconds in the life of an HTTP request - SVC303 - New York AWS Summit
A few milliseconds in the life of an HTTP request - SVC303 - New York AWS Summit
 
Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
Data protection using encryption in AWS - SEC201 - Santa Clara AWS SummitData protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
 
Technology as a means for compliance - GRC206 - AWS re:Inforce 2019
Technology as a means for compliance - GRC206 - AWS re:Inforce 2019 Technology as a means for compliance - GRC206 - AWS re:Inforce 2019
Technology as a means for compliance - GRC206 - AWS re:Inforce 2019
 
Making CI/CD pipelines safer with application monitoring and tracing - MAD202...
Making CI/CD pipelines safer with application monitoring and tracing - MAD202...Making CI/CD pipelines safer with application monitoring and tracing - MAD202...
Making CI/CD pipelines safer with application monitoring and tracing - MAD202...
 
Developing Modern Applications in the Cloud
Developing Modern Applications in the CloudDeveloping Modern Applications in the Cloud
Developing Modern Applications in the Cloud
 
Migrate your Oracle and SQL Server databases to Amazon RDS - ADB210 - New Yor...
Migrate your Oracle and SQL Server databases to Amazon RDS - ADB210 - New Yor...Migrate your Oracle and SQL Server databases to Amazon RDS - ADB210 - New Yor...
Migrate your Oracle and SQL Server databases to Amazon RDS - ADB210 - New Yor...
 
Kubernetes on AWS with Amazon EKS - MAD301 - New York AWS Summit
Kubernetes on AWS with Amazon EKS - MAD301 - New York AWS SummitKubernetes on AWS with Amazon EKS - MAD301 - New York AWS Summit
Kubernetes on AWS with Amazon EKS - MAD301 - New York AWS Summit
 
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
 
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
 
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
 
Secure Your Data with Recommended Best Practices Enabled by AWS Security and ...
Secure Your Data with Recommended Best Practices Enabled by AWS Security and ...Secure Your Data with Recommended Best Practices Enabled by AWS Security and ...
Secure Your Data with Recommended Best Practices Enabled by AWS Security and ...
 
Twelve-factor serverless applications - MAD302 - Santa Clara AWS Summit
Twelve-factor serverless applications - MAD302 - Santa Clara AWS SummitTwelve-factor serverless applications - MAD302 - Santa Clara AWS Summit
Twelve-factor serverless applications - MAD302 - Santa Clara AWS Summit
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
 
Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019
Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019 Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019
Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019
 
Find all the threats - AWS threat detection and remediation - SEC202 - Atlant...
Find all the threats - AWS threat detection and remediation - SEC202 - Atlant...Find all the threats - AWS threat detection and remediation - SEC202 - Atlant...
Find all the threats - AWS threat detection and remediation - SEC202 - Atlant...
 
Driving performance & security across your industrial facility with AWS - SVC...
Driving performance & security across your industrial facility with AWS - SVC...Driving performance & security across your industrial facility with AWS - SVC...
Driving performance & security across your industrial facility with AWS - SVC...
 
Monitoring with container insights & anomaly detection - SVC308 - New York AW...
Monitoring with container insights & anomaly detection - SVC308 - New York AW...Monitoring with container insights & anomaly detection - SVC308 - New York AW...
Monitoring with container insights & anomaly detection - SVC308 - New York AW...
 
What’s new with Amazon S3, Amazon EFS, and other AWS storage services - STG20...
What’s new with Amazon S3, Amazon EFS, and other AWS storage services - STG20...What’s new with Amazon S3, Amazon EFS, and other AWS storage services - STG20...
What’s new with Amazon S3, Amazon EFS, and other AWS storage services - STG20...
 
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...
 
Take action on your security & compliance alerts with AWS Security Hub - SEC2...
Take action on your security & compliance alerts with AWS Security Hub - SEC2...Take action on your security & compliance alerts with AWS Security Hub - SEC2...
Take action on your security & compliance alerts with AWS Security Hub - SEC2...
 

Similar a Threat detection - SEC207 - New York AWS Summit

Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Amazon Web Services
 
Find All the Threats: AWS Threat Detection and Remediation - SEC303 - Anaheim...
Find All the Threats: AWS Threat Detection and Remediation - SEC303 - Anaheim...Find All the Threats: AWS Threat Detection and Remediation - SEC303 - Anaheim...
Find All the Threats: AWS Threat Detection and Remediation - SEC303 - Anaheim...Amazon Web Services
 
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...Amazon Web Services
 
Scaling threat detection and response on AWS
Scaling threat detection and response on AWSScaling threat detection and response on AWS
Scaling threat detection and response on AWSAmazon Web Services
 
Find all the threats: AWS threat detection and mitigation - SEC302 - Santa Cl...
Find all the threats: AWS threat detection and mitigation - SEC302 - Santa Cl...Find all the threats: AWS threat detection and mitigation - SEC302 - Santa Cl...
Find all the threats: AWS threat detection and mitigation - SEC302 - Santa Cl...Amazon Web Services
 
Threat detection and mitigation at AWS
Threat detection and mitigation at AWSThreat detection and mitigation at AWS
Threat detection and mitigation at AWSNathan Case
 
Continuous security monitoring and threat detection with AWS services - SEC20...
Continuous security monitoring and threat detection with AWS services - SEC20...Continuous security monitoring and threat detection with AWS services - SEC20...
Continuous security monitoring and threat detection with AWS services - SEC20...Amazon Web Services
 
Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...
Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...
Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...Amazon Web Services
 
Detecting and mitigating threats with AWS - SEC301 - Chicago AWS Summit
Detecting and mitigating threats with AWS - SEC301 - Chicago AWS SummitDetecting and mitigating threats with AWS - SEC301 - Chicago AWS Summit
Detecting and mitigating threats with AWS - SEC301 - Chicago AWS SummitAmazon Web Services
 
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019 Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019 Amazon Web Services
 
Sicurezza in AWS automazione e best practice
Sicurezza in AWS automazione e best practiceSicurezza in AWS automazione e best practice
Sicurezza in AWS automazione e best practiceAmazon Web Services
 
AWS Technical Day Riyadh Nov 2019 - Scaling threat detection and response in aws
AWS Technical Day Riyadh Nov 2019 - Scaling threat detection and response in awsAWS Technical Day Riyadh Nov 2019 - Scaling threat detection and response in aws
AWS Technical Day Riyadh Nov 2019 - Scaling threat detection and response in awsAWS Riyadh User Group
 
Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Amazon Web Services
 
Serverless SecOps Automation on AWS at AWS UG Krakow, Poland
Serverless SecOps Automation on AWS at AWS UG Krakow, PolandServerless SecOps Automation on AWS at AWS UG Krakow, Poland
Serverless SecOps Automation on AWS at AWS UG Krakow, PolandDennis Traub
 
How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...Amazon Web Services
 
How to act on security and compliance alerts with AWS Security Hub - SEC202 -...
How to act on security and compliance alerts with AWS Security Hub - SEC202 -...How to act on security and compliance alerts with AWS Security Hub - SEC202 -...
How to act on security and compliance alerts with AWS Security Hub - SEC202 -...Amazon Web Services
 
Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2Amazon Web Services
 
Introduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSIntroduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSAmazon Web Services
 
AWS SSA Webinar 11 - Getting started on AWS: Security
AWS SSA Webinar 11 - Getting started on AWS: SecurityAWS SSA Webinar 11 - Getting started on AWS: Security
AWS SSA Webinar 11 - Getting started on AWS: SecurityCobus Bernard
 
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...Amazon Web Services
 

Similar a Threat detection - SEC207 - New York AWS Summit (20)

Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
 
Find All the Threats: AWS Threat Detection and Remediation - SEC303 - Anaheim...
Find All the Threats: AWS Threat Detection and Remediation - SEC303 - Anaheim...Find All the Threats: AWS Threat Detection and Remediation - SEC303 - Anaheim...
Find All the Threats: AWS Threat Detection and Remediation - SEC303 - Anaheim...
 
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
 
Scaling threat detection and response on AWS
Scaling threat detection and response on AWSScaling threat detection and response on AWS
Scaling threat detection and response on AWS
 
Find all the threats: AWS threat detection and mitigation - SEC302 - Santa Cl...
Find all the threats: AWS threat detection and mitigation - SEC302 - Santa Cl...Find all the threats: AWS threat detection and mitigation - SEC302 - Santa Cl...
Find all the threats: AWS threat detection and mitigation - SEC302 - Santa Cl...
 
Threat detection and mitigation at AWS
Threat detection and mitigation at AWSThreat detection and mitigation at AWS
Threat detection and mitigation at AWS
 
Continuous security monitoring and threat detection with AWS services - SEC20...
Continuous security monitoring and threat detection with AWS services - SEC20...Continuous security monitoring and threat detection with AWS services - SEC20...
Continuous security monitoring and threat detection with AWS services - SEC20...
 
Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...
Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...
Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...
 
Detecting and mitigating threats with AWS - SEC301 - Chicago AWS Summit
Detecting and mitigating threats with AWS - SEC301 - Chicago AWS SummitDetecting and mitigating threats with AWS - SEC301 - Chicago AWS Summit
Detecting and mitigating threats with AWS - SEC301 - Chicago AWS Summit
 
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019 Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
 
Sicurezza in AWS automazione e best practice
Sicurezza in AWS automazione e best practiceSicurezza in AWS automazione e best practice
Sicurezza in AWS automazione e best practice
 
AWS Technical Day Riyadh Nov 2019 - Scaling threat detection and response in aws
AWS Technical Day Riyadh Nov 2019 - Scaling threat detection and response in awsAWS Technical Day Riyadh Nov 2019 - Scaling threat detection and response in aws
AWS Technical Day Riyadh Nov 2019 - Scaling threat detection and response in aws
 
Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...
 
Serverless SecOps Automation on AWS at AWS UG Krakow, Poland
Serverless SecOps Automation on AWS at AWS UG Krakow, PolandServerless SecOps Automation on AWS at AWS UG Krakow, Poland
Serverless SecOps Automation on AWS at AWS UG Krakow, Poland
 
How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...
 
How to act on security and compliance alerts with AWS Security Hub - SEC202 -...
How to act on security and compliance alerts with AWS Security Hub - SEC202 -...How to act on security and compliance alerts with AWS Security Hub - SEC202 -...
How to act on security and compliance alerts with AWS Security Hub - SEC202 -...
 
Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2
 
Introduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSIntroduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWS
 
AWS SSA Webinar 11 - Getting started on AWS: Security
AWS SSA Webinar 11 - Getting started on AWS: SecurityAWS SSA Webinar 11 - Getting started on AWS: Security
AWS SSA Webinar 11 - Getting started on AWS: Security
 
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...
 

Más de Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Más de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Threat detection - SEC207 - New York AWS Summit

  • 1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Threat detection Ross Warren Specialized Solutions Architect AWS S E C 2 0 7
  • 2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Workshop agenda Module 1: Environment setup (20 min.) Module 2: Attack kickoff and presentation (40 min.) Module 3: Detect, investigate, and respond (45 min.) Module 4: Review, questions, and lessons learned (15 min.) Use US West (Oregon) us-west-2 Please follow directions
  • 3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS event engine We will use the AWS event engine; please don’t use one of your own accounts https://dashboard.eventengine.run You will enter the hash that is provided at the URL above Event name: Scaling threat detection and response in AWS 1. Click AWS Console 2. Click Open Console 3. Verify that you are in the AWS Management Console in the us-west-2 Region
  • 4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Data breach patterns Verizon 2018 Data Breach Investigations Report, 11th Edition
  • 5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Workshop scenario Internet Public subnet AWS Cloud Availability zone Web server VPC Amazon S3 bucket Bare minimum architecture for POC Users
  • 6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 1: Build detective controls Run the AWS CloudFormation template (~5 min.) • Before moving on, make sure the stack status = CREATE_COMPLETE • You will get an email from Amazon SNS asking you to confirm the subscription; do this so that you can receive email alerts from AWS services during the workshop Manual setup steps (~15 min.) • Create a Amazon CloudWatch event rule • Enable Amazon GuardDuty • Enable AWS Security Hub
  • 7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 1: Build detective controls Detect and investigate AWS Security Hub Amazon Macie Amazon GuardDuty AWS CloudTrail Amazon CloudWatch Events Amazon CloudWatch logs Amazon VPC flow logs DNS logs Amazon Inspector Amazon S3 AWS Lambda Amazon SNS Security analyst Respond
  • 8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 1: Build detective controls https://dashboard.eventengine.run https://tinyurl.com/yyc6tvph Directions 1. Browse to the URL 2. Read through the workshop scenario 3. Choose Module 1: Environment Build in the outline on the left 4. Complete the module (~15 min.), and then stop Use US West (Oregon) us-west-2 Please follow directions Do not skip the manual steps
  • 9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 2: Attack kickoff Run the AWS CloudFormation template (~5 min.) Do not move on to Module 3 Threat detection and response presentation (~30 min.) Workshop walk-through (~5 min.)
  • 10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 2: Attack kickoff https://dashboard.eventengine.run https://tinyurl.com/yyc6tvph Directions 1. Browse to the URL 2. Choose Module 2: Attack Simulation in the outline on the left 3. Complete the module (~5 min.), and then stop 4. Do not move on to Module 3 Use US West (Oregon) us-west-2
  • 11. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Why is threat detection so hard? Skills shortageSignal to noiseLarge datasets
  • 13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS Identity and Access Management (IAM) AWS Single Sign-On AWS Directory Service Amazon Cognito AWS Organizations AWS Secrets Manager AWS Resource Access Manager AWS Security Hub Amazon GuardDuty AWS Config AWS CloudTrail Amazon CloudWatch Amazon Virtual Private Cloud (Amazon VPC) flow logs AWS Systems Manager AWS Shield AWS WAF (web application firewall) AWS Firewall Manager Amazon Inspector Amazon VPC AWS Key Management Service (KMS) AWS CloudHSM AWS Certificate Manager Amazon Macie Server-side encryption AWS Config rules AWS Lambda AWS Systems Manager Identity Detect Infrastructure protection Respond Data protection Deep set of security tools
  • 14. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Threat detection: Log data inputs DNS logs Track user activity and API usage IP traffic to and from network interfaces in a VPC Monitor applications using log data; store and access log files Log of DNS queries in a VPC when using the VPC DNS resolver AWS CloudTrail Flow logs Amazon CloudWatch
  • 16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Threat detection: Machine learning Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads Machine learning-powered security service to discover, classify, and protect sensitive data Amazon GuardDuty Amazon Macie
  • 17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Threat detection: Amazon GuardDuty
  • 18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Threat detection: AWS Security Hub • Comprehensive view of your security and compliance state within AWS • Aggregates security findings generated by other AWS security services and partners • Analyze security trends and identify the highest-priority security issues Amazon Inspector Amazon GuardDuty Amazon Macie AWS Security Hub Security findings providers Findings Insights & standards Other AWS Config Partner solutions
  • 19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Threat detection: Evocations and triggers Continuously tracks your resource configuration changes and whether they violate any of the conditions in your rules Delivers a near real-time stream of system events that describe changes in AWS resources Amazon CloudWatch Events AWS Config
  • 20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Attacker lifecycle: Stages Reconnaissance Establish foothold Escalate privileges Internal reconnaissance Maintain persistence
  • 21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Attacker lifecycle: Attacker actions RDP brute force RAT installed Exfiltrate data over DNS Probe API with temporary credentials Attempt to compromise account
  • 22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Attacker lifecycle: Amazon GuardDuty findings RDP brute force RAT installed Exfiltrate data over DNS Probe API with temporary credentials Attempt to compromise account Malicious or suspicious IP Unusual ports DNS exfiltration Unusual traffic volume Connect to blacklisted site Recon:EC2/PortProbeUnprotectedPort Anonymizing proxy Temporary credentials used off-instance Unusual ISP caller Bitcoin activity Unusual instance launch
  • 23. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Threat response: Amazon CloudWatch Events Amazon GuardDuty findings AWS Lambda function Partner solutions Automated response Anything else Amazon CloudWatch Events
  • 25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS Lambda Threat response: Services AWS Systems Manager Amazon Inspector Run code for virtually any kind of application or backend service— zero administration Gain operational insights and take action on AWS resources Automate security assessments of Amazon EC2 instances
  • 26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Threat response: High-level playbook Adversary or intern Your environment AWS Lambda function Amazon CloudWatch Events
  • 27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Threat response: Detailed playbook Amazon CloudWatch Events AWS Config AWS Lambda function AWS APIs Detect Investigate Respond Team collaboration (e.g., Slack) Amazon Inspector AWS Security Hub Amazon GuardDuty Amazon Macie Amazon Inspector
  • 28. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 2: Attack target InternetUsers Public subnet AWS Cloud Availability zone Web server VPC Amazon S3 bucket
  • 30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 2: Setup AWS Lambda Amazon SNS Security analyst RespondDetect and investigate AWS Security Hub Amazon Macie Amazon GuardDuty AWS CloudTrail Amazon CloudWatch Events Amazon CloudWatch logs DNS logs Amazon Inspector Amazon S3 Amazon VPC flow logs Public subnet AWS Cloud Availability zone Web server VPC Environment Amazon S3 bucket
  • 31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 2: The attack AWS Cloud Amazon API Gateway endpoints Amazon S3 bucket Public subnet AWS Cloud Availability zone VPC Amazon EC2 compromised instance Malicious host Internet
  • 32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 3: Detect and response https://dashboard.eventengine.run https://tinyurl.com/yyc6tvph Directions 1. Browse to the URL 2. Choose Module 3: Detect & Respond in the outline on the left 3. Run through the module (~45 min.) Use US West (Oregon) us-west-2
  • 33. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 4: What happened? Review (5 min.) Questions (10 min.) Lessons learned
  • 35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 4: What happened? https://tinyurl.com/yyc6tvph Directions 1. Browse to the URL 2. Choose Module 4: Discussion in the outline on the left 3. We will summarize the workshop, then answer questions 4. Do not need to do – Cleanup Use US West (Oregon) us-west-2
  • 36. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 4: The attack AWS Cloud Amazon API Gateway endpoints Bucket Public subnet AWS Cloud Availability Zone VPC Amazon EC2 compromised instance Malicious host Internet 1 2 3 4 API calls Bucket changes SSH brute force attack
  • 38. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 4: What really happened? AWS Lambda Amazon SNS Security analyst RespondDetect and investigate AWS Security Hub Amazon Macie Amazon GuardDuty AWS CloudTrail Amazon CloudWatch Events Amazon CloudWatch logs DNS logs Amazon Inspector Amazon S3 Amazon VPC flow logs AWS Cloud VPC Public subnet Compromised instance Subnet 2 Elastic IP in custom threat list Availability zone Public subnet Malicious host Subnet 1 Bucket The attack 1 2 43 API calls Bucket changes API Gateway endpoints SSH brute force attack 5 Amazon Inspector Inspector assessment
  • 39. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 40. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Workshop questions 1 Which of the following AWS services have direct access to your Amazon EC2 instances? What performance impact does Amazon GuardDuty have on your account if you have more than 100 VPCs? How do you kick off notifications or actions based on events in Amazon GuardDuty? What is the difference between Amazon Macie and Amazon GuardDuty?
  • 41. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Workshop questions 2 The lab mentions that you can ignore the high-severity SSH brute force attack finding; why? Why did the API calls from the malicious host generate Amazon GuardDuty findings? What is required for Amazon CloudWatch logs to capture evidence to help investigate an SSH brute force attack? What key remediation step was missed regarding the SSH brute force attack?
  • 42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Lessons learned from incident response Use a strong tagging strategy!
  • 43. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Lessons learned from incident response Questions to ask during the investigation • Is this finding a true positive? • Is the event an unusual activity or more? • Where did the incident occur? • Who reported or discovered the incident? • How was it discovered? • Are there any other areas that have been compromised by the incident? If so, what are they and when were they discovered? • What is the scope of the impact? • What is the business impact? • Have the source(s) of the incident been located? If so, where, when, and what are they?
  • 44. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Lessons learned from incident response Enrich findings and get the full picture of your environment • Network intrusion detection • Firewall alerts • AWS WAF alerts • Identity (UBA) • Endpoint and compute events (AV, EDR) • OS-level Information • Application level logs Centralize GuardDuty findings into a SIEM
  • 45. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Useful links https://aws.amazon.com/security/ https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf https://www.nist.gov/cyberframework https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf https://aws.amazon.com/security/penetration-testing/ https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf
  • 46. Thank you! S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Ross Warren ross@amazon.com