Upgrade to Pro — share decks privately, control downloads, hide ads and more …

GuardDuty - the non AWS version - Feb2018

Ashish
February 08, 2018
Technology
0
80

GuardDuty - the non AWS version - Feb2018

Ashish

February 08, 2018
Tweet

More Decks by Ashish

See All by Ashish
Traditional Security is Dead! - NYC-Sep2018
hashishrajan
0
38
Automated Detection and Remediation in AWS
hashishrajan
0
70
Long living creds in Cloud?
hashishrajan
0
56
DevSecOps Meetup - Security Challenges in DevOps - Wynand Viljoen
hashishrajan
0
170
Security in the world of Cloud and Chaos Engineering
hashishrajan
0
69
Convincing security to let you deploy in AWS
hashishrajan
0
73
Walkthrough of a compromised AWS Account - AWS Meetup Nov2016
hashishrajan
0
96
Walkthrough of a compromised AWS Account-InfraCoder-MeetupNov2016
hashishrajan
0
98

Other Decks in Technology

See All in Technology
本当のAWS基礎
toru_kubota
0
530
ChatworkのSRE部って実は 半分くらいPlatform Engineering部かもしれない
saramune
0
160
LLM開発・活用の舞台裏@2024.04.25
yushin_n
1
370
Vertex AI を中心に 生成AIのアップデートを共有します
kaz1437
0
310
Terraformあれやこれ/terraform-this-and-that
emiki
8
1.4k
複雑な構成要素を持つUIとの向き合い方 〜新・支出グラフでの実例〜 / B43 TECH TALK
nakamuuu
0
140
Azureの基本的な権限管理の勉強会
yhana
0
600
Azure Container Apps + Bicep 〜 こんな感じで運用しています
kaz29
2
480
エンジニアのキャリアをちょっと楽しくする3本の軸/Three Pillars to Make an Engineer's Career More Enjoyable
kwappa
0
2.7k
元インフラエンジニアに成る / Human Resources to Human Relations
bobtani
4
930
AOAI をきっかけに​ 社内の Azure 管理を見直した話​
recruitengineers
PRO
1
300
長期間TiDBを使ってきた話 @ 私たちはなぜNewSQLを使うのかTiDB選定5社が語る選定理由と活用LT / Experiences with TiDB Over Time
chibiegg
2
900

Featured

See All Featured
Writing Fast Ruby
sferik
621
60k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
6
1.5k
What's new in Ruby 2.0
geeforr
337
31k
The Brand Is Dead. Long Live the Brand.
mthomps
49
29k
Design by the Numbers
sachag
274
18k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
4 Signs Your Business is Dying
shpigford
175
21k
Art, The Web, and Tiny UX
lynnandtonic
289
19k
Build your cross-platform service in a week with App Engine
jlugia
225
17k
Creatively Recalculating Your Daily Design Routine
revolveconf
210
11k
Documentation Writing (for coders)
carmenintech
60
3.9k
Large-scale JavaScript Application Architecture
addyosmani
504
110k

Transcript

  1. Guardduty– the non AWS version AWS Security Meetup – February,

    2018

  2. Who am I? Ashish Rajan https://au.linkedin.com/in/ashishrajan @hashishrajan Security, Startups, Public

    Speaker, Meetup Organiser Trying to make cloud a safer space J Versent – 2nd in the list of fastest growing startup in Australia for 2017 (source: BRW Australia 2017 edition) AWS Security Competency Partner

  3. What is covered • GuardDuty • What does it do?

    • You have it Enabled – now what do you need to consider

  4. • Intelligent Threat Detection Service • Continuous monitoring of malicious

    or unauthorized behaviour in “trusted” AWS Accounts • Analyses billions of events across AWS accounts • Centralized threat detection across all accounts • Strengthens security through automation What does Guardduty do?

  5. • Uses VPC Flow Logs, AWS CloudTrail and AWS DNS

    logs, • Integrates with CloudWatch Events • Uses AWS Intelligence feeds • Threat intelligence info from Crowdstrike and Proofpoint • Can be automated using AWS Cloudformation and AWS cli What does Guardduty do?

  6. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types.html

  7. How does GuardDuty work?

  8. Enabled https://aws.amazon.com/blogs/aws/amazon-guardduty-continuous-security-monitoring-threat-detection/

  9. Now what 1. Architecture 2. CloudWatch Events 1. Lambda ->

    <Insert-Action> 2. SNS Notification 3. Kinesis 3. SIEM 4. Monitoring & Alerting Linkedin: https://au.linkedin.com/in/ashishrajan Twitter: @hashishrajan

  10. Architecture 1. Implementation Model 2. Regional vs Global 3. Onboarding

    4. Access to GuardDuty Linkedin: https://au.linkedin.com/in/ashishrajan Twitter: @hashishrajan

  11. CloudWatch Events 1. CloudWatch Events 1. Lambda -> <Insert-Action> 2.

    SNS Notification 3. Kinesis 2. Gotchas Linkedin: https://au.linkedin.com/in/ashishrajan Twitter: @hashishrajan

  12. Gotchas - CloudWatch Events 1. CloudWatch Rules Linkedin: https://au.linkedin.com/in/ashishrajan Twitter:

    @hashishrajan

  13. Console vs CLi

  14. CloudWatch Events

  15. SIEM Integration 1. Splunk 2. Sumologic, etc Linkedin: https://au.linkedin.com/in/ashishrajan Twitter:

    @hashishrajan

  16. Monitoring and Alerting 1. CloudWatch Alerts on GuardDuty Suspend or

    Disable Activity 2. IAM Roles Access to GuardDuty 3. Trusted/Threat IP – across master and member accounts 4. Reducing Noise by taking appropriate action 1. Sev 2 - PagerDuty 2. Sev 5 or greater – PagerDuty, Jira, ServiceNow, Slack, SNS Linkedin: https://au.linkedin.com/in/ashishrajan Twitter: @hashishrajan

  17. Next Evolution of security in GuardDuty 1. CloudTrail + Config

    + CloudWatch Lambda 2. More features – multiple Trusted IP 3. Monitoring more threat behavior 4. Food for thought Linkedin: https://au.linkedin.com/in/ashishrajan Twitter: @hashishrajan

  18. Conclusion Linkedin: https://au.linkedin.com/in/ashishrajan Twitter: @hashishrajan

  19. Ashish Rajan Linkedin: https://au.linkedin.com/in/ashishrajan Twitter: @hashishrajan DevSecOps Melbourne Meetup Organiser