All Day DevOps - Automated Infrastructure Security Monitoring and Defence (ELK + AWS Lambda)

Automated Infrastructure Security Monitoring using FOSS #AllDayDevOps @madhuakula, Automation Ninja
Appsecco

About Me ! Automation Ninja at Appsecco Appsecco is a
specialist application security company Interested in Security, DevOps & Cloud Found bugs in Google, Microsoft, Yahoo, etc Never ending learner! Follow (or) Tweet to me @madhuakula 2

What we are covering today? ELK stack to analyse and
visualise logs in near realtime ElastAlert to create rules to automatically defend against SSH bruteforce attacks AWS Lambda to do this, since our infra is hosted on AWS Python based Chalice framework for using AWS Lambda 3

Architecture 4

Automated Defence Demo Appsecco Automated Infrastructure Security Monitoring Demo (ELK
+ AWS Lambda) http://bit.ly/addoaism 5

AWS Lambda Chalice Code https://github.com/appsecco/alldaydevopsaism 6

Security for our AWS Lambda We are primarily doing the
following two things 1. A sufficiently random token to protect the request when we post the IP address from ElastAlert 2. Whitelist the IP address of the host where the H T T P P O S T request originates from 7

Use Cases for Automated Defence 1. Automated Defender (Attack Alerts
+ Automated Firewall) 2. Security Analytics + Reports 3. Near realtime Centralised Log Monitoring 8

Attack Scenario : Wordpress XMLRPC https://blog.appsecco.com/analysingattacksonawordpressxmlrpcusingan elkstack3bf25a7e36cc 9

Needs Improvement More attack signatures required For example OSSEC Wazuh
Ruleset Improve the ElastAlert Alerter custom code Any suggestions from your side 10

Alternatives to our stack Stack Elastic Graylog TICK Stack Prometheus
+ Grafana Serverless AWS Lambda Azure Functions Cloud Functions 11

Our assumptions You are already monitoring in near realtime using
the ELK stack You are under attack for a specific service You have configured ElastAlert for your alerting 12

In Summary We created attack threshold rules in ElastAlert We
created an AWS Lambda endpoint to be able to modify AWS VPC Network ACLs We have a realtime blocking system infinitely scalable 13

References Blog Post Elastic Elast Alert AWS Lambda Chalice 14

Thanks @madhuakula | @appseccouk | http://appsecco.com

All Day DevOps - Automated Infrastructure Security Monitoring and Defence (ELK + AWS Lambda)

All Day DevOps - Automated Infrastructure Security Monitoring and Defence (ELK + AWS Lambda)

Madhu Akula

More Decks by Madhu Akula

Other Decks in Technology

Featured

Transcript

Automated Infrastructure Security Monitoring using FOSS #AllDayDevOps @madhuakula, Automation Ninja

About Me ! Automation Ninja at Appsecco Appsecco is a

What we are covering today? ELK stack to analyse and

Architecture 4

Automated Defence Demo Appsecco Automated Infrastructure Security Monitoring Demo (ELK

AWS Lambda Chalice Code https://github.com/appsecco/alldaydevopsaism 6

Security for our AWS Lambda We are primarily doing the

Use Cases for Automated Defence 1. Automated Defender (Attack Alerts

Attack Scenario : Wordpress XMLRPC https://blog.appsecco.com/analysingattacksonawordpressxmlrpcusingan elkstack3bf25a7e36cc 9

Needs Improvement More attack signatures required For example OSSEC Wazuh

Alternatives to our stack Stack Elastic Graylog TICK Stack Prometheus

Our assumptions You are already monitoring in near realtime using

In Summary We created attack threshold rules in ElastAlert We

References Blog Post Elastic Elast Alert AWS Lambda Chalice 14

Thanks @madhuakula | @appseccouk | http://appsecco.com