All Day DevOps - Automated Infrastructure Security Monitoring and Defence (ELK + AWS Lambda)

Madhu Akula
November 15, 2016

Slides from my http://www.alldaydevops.com talk on Automated Infrastructure Security Monitoring using FOSS

Transcript

  1. Automated Infrastructure Security
    Monitoring using FOSS
    #AllDayDevOps
    @madhuakula, Automation Ninja
    Appsecco

  2. About Me!
    Automation Ninja at Appsecco
    Appsecco is a specialist application security company
    Interested in Security, DevOps & Cloud
    Found bugs in Google, Microsoft, Yahoo, etc.
    Never ending learner!
    Follow (or) Tweet to me @madhuakula

  3. What are we covering today?
    ELK stack to analyse and visualise logs in near real-time
    ElastAlert to create rules to automatically defend against SSH bruteforce attacks
    AWS Lambda to do this, since our infra is hosted on AWS
    Python based Chalice framework for using AWS Lambda

  4. Architecture

  5. Automated Defence Demo
    Appsecco Automated Infrastructure Security Monitoring Demo (ELK + AWS Lambda)
    http://bit.ly/addo-aism

  6. AWS Lambda - Chalice Code
    https://github.com/appsecco/alldaydevops-aism

  7. Security for our AWS Lambda
    We are primarily doing the following two things:
    1. A sufficiently random token to protect the request when we
    post the IP address from ElastAlert
    2. Whitelist the IP address of the host where the HTTP POST
    request originates from

  8. Use Cases for Automated Defence
    1. Automated Defender (Attack Alerts + Automated Firewall)
    2. Security Analytics + Reports
    3. Near real-time Centralised Log Monitoring

  9. Attack Scenario: WordPress XML-RPC
    https://blog.appsecco.com/analysing-attacks-on-a-wordpress-xml-rpc-using-an-elk-stack-3bf25a7e36cc

  10. Needs Improvement
    More attack signatures required
    For example, the OSSEC/Wazuh ruleset
    Improve the ElastAlert Alerter custom code
    Any suggestions from your side?

  11. Alternatives to our stack
    Stack: Elastic, Graylog, TICK Stack, Prometheus + Grafana
    Serverless: AWS Lambda, Azure Functions, Cloud Functions

  12. Our assumptions
    You are already monitoring in near real-time using the ELK stack
    You are under attack on a specific service
    You have configured ElastAlert for your alerting

  13. In Summary
    We created attack threshold rules in ElastAlert
    We created an AWS Lambda endpoint to be able to modify AWS VPC Network ACLs
    We have a real-time blocking system that is infinitely scalable
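    As an added example, not code from this deck or from the appsecco/alldaydevops-aism repository, the two protections from slide 7 (shared token plus source-IP whitelist) and the Network ACL change from slide 13, in plain Python. The header name x-auth-token, the JSON body shape, the TEST-NET addresses and the boto3 parameter layout are assumptions; the Chalice route wiring and the actual AWS API call are left out so it runs offline.

```python
import hmac
import ipaddress

# Constructed values: in a deployment the token comes from config/env, never source control.
EXPECTED_TOKEN = "example-only-replace-with-a-long-random-secret"
# The ElastAlert host, the only permitted source of the POST (a TEST-NET-3 address).
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.10/32")]
# Ranges the endpoint must never block: its own alerting host, loopback, RFC 1918.
NEVER_BLOCK = ALLOWED_SOURCES + [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def request_is_authorised(source_ip, presented_token):
    """Slide 7's two checks: shared token (constant-time compare) and source-IP whitelist."""
    if not hmac.compare_digest((presented_token or "").encode(), EXPECTED_TOKEN.encode()):
        return False
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCES)

def build_nacl_deny_entry(attacker_ip, rule_number, nacl_id):
    """Inbound deny-all rule for one IPv4 /32, shaped like boto3 ec2.create_network_acl_entry kwargs (assumed)."""
    addr = ipaddress.ip_address(attacker_ip)  # raises ValueError on garbage input
    if addr.version != 4 or any(addr in net for net in NEVER_BLOCK):
        raise ValueError(f"refusing to block {attacker_ip}")
    # NACL rules are evaluated lowest number first and a NACL holds few rules, so the caller must recycle numbers.
    return {
        "NetworkAclId": nacl_id,
        "RuleNumber": rule_number,
        "Protocol": "-1",
        "RuleAction": "deny",
        "Egress": False,
        "CidrBlock": f"{addr}/32",
    }

def handle_block_request(source_ip, headers, body, nacl_id, rule_number):
    """One ElastAlert POST through the endpoint: authorise, validate, build the rule."""
    if not request_is_authorised(source_ip, headers.get("x-auth-token")):
        return {"status": 403, "body": "forbidden"}
    try:
        entry = build_nacl_deny_entry(str(body.get("ip", "")), rule_number, nacl_id)
    except ValueError as exc:
        return {"status": 400, "body": str(exc)}
    return {"status": 200, "body": entry}
```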

  14. References
    Blog Post
    Elastic
    ElastAlert
    AWS Lambda
    Chalice

  17. Thanks
    @madhuakula | @appseccouk | http://appsecco.com
