GuardDuty - the non AWS version - Feb2018

Transcript

1. Guardduty– the non AWS version AWS Security Meetup – February,

   2018

2. Who am I? Ashish Rajan https://au.linkedin.com/in/ashishrajan @hashishrajan Security, Startups, Public

   Speaker, Meetup Organiser Trying to make cloud a safer space J Versent – 2nd in the list of fastest growing startup in Australia for 2017 (source: BRW Australia 2017 edition) AWS Security Competency Partner

3. What is covered • GuardDuty • What does it do?

   • You have it Enabled – now what do you need to consider

4. • Intelligent Threat Detection Service • Continuous monitoring of malicious

   or unauthorized behaviour in “trusted” AWS Accounts • Analyses billions of events across AWS accounts • Centralized threat detection across all accounts • Strengthens security through automation What does Guardduty do?

5. • Uses VPC Flow Logs, AWS CloudTrail and AWS DNS

   logs, • Integrates with CloudWatch Events • Uses AWS Intelligence feeds • Threat intelligence info from Crowdstrike and Proofpoint • Can be automated using AWS Cloudformation and AWS cli What does Guardduty do?

6. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types.html

7. How does GuardDuty work?

8. Enabled https://aws.amazon.com/blogs/aws/amazon-guardduty-continuous-security-monitoring-threat-detection/

9. Now what 1. Architecture 2. CloudWatch Events 1. Lambda ->

   <Insert-Action> 2. SNS Notification 3. Kinesis 3. SIEM 4. Monitoring & Alerting Linkedin: https://au.linkedin.com/in/ashishrajan Twitter: @hashishrajan

10. Architecture 1. Implementation Model 2. Regional vs Global 3. Onboarding

    4. Access to GuardDuty Linkedin: https://au.linkedin.com/in/ashishrajan Twitter: @hashishrajan

11. CloudWatch Events 1. CloudWatch Events 1. Lambda -> <Insert-Action> 2.

    SNS Notification 3. Kinesis 2. Gotchas Linkedin: https://au.linkedin.com/in/ashishrajan Twitter: @hashishrajan

12. Gotchas - CloudWatch Events 1. CloudWatch Rules Linkedin: https://au.linkedin.com/in/ashishrajan Twitter:

    @hashishrajan

13. Console vs CLi

14. CloudWatch Events

15. SIEM Integration 1. Splunk 2. Sumologic, etc Linkedin: https://au.linkedin.com/in/ashishrajan Twitter:

    @hashishrajan

16. Monitoring and Alerting 1. CloudWatch Alerts on GuardDuty Suspend or

    Disable Activity 2. IAM Roles Access to GuardDuty 3. Trusted/Threat IP – across master and member accounts 4. Reducing Noise by taking appropriate action 1. Sev 2 - PagerDuty 2. Sev 5 or greater – PagerDuty, Jira, ServiceNow, Slack, SNS Linkedin: https://au.linkedin.com/in/ashishrajan Twitter: @hashishrajan

17. Next Evolution of security in GuardDuty 1. CloudTrail + Config

    + CloudWatch Lambda 2. More features – multiple Trusted IP 3. Monitoring more threat behavior 4. Food for thought Linkedin: https://au.linkedin.com/in/ashishrajan Twitter: @hashishrajan

18. Conclusion Linkedin: https://au.linkedin.com/in/ashishrajan Twitter: @hashishrajan

19. Ashish Rajan Linkedin: https://au.linkedin.com/in/ashishrajan Twitter: @hashishrajan DevSecOps Melbourne Meetup Organiser