All Day DevOps - Automated Infrastructure Security Monitoring and Defence (ELK + AWS Lambda)

Madhu Akula
November 15, 2016


Slides from my http://www.alldaydevops.com talk on Automated Infrastructure Security Monitoring using FOSS


Transcript

  1. Automated Infrastructure Security Monitoring using FOSS #AllDayDevOps @madhuakula, Automation Ninja, Appsecco
  2. About Me! Automation Ninja at Appsecco. Appsecco is a specialist application security company. Interested in Security, DevOps & Cloud. Found bugs in Google, Microsoft, Yahoo, etc. Never-ending learner! Follow (or) Tweet to me @madhuakula
  3. What are we covering today? ELK stack to analyse and visualise logs in near real-time. ElastAlert to create rules to automatically defend against SSH bruteforce attacks. AWS Lambda to do this, since our infra is hosted on AWS. Python-based Chalice framework for using AWS Lambda
  4. Architecture
  5. Automated Defence Demo: Appsecco Automated Infrastructure Security Monitoring Demo (ELK + AWS Lambda) http://bit.ly/addo-aism
  6. AWS Lambda - Chalice Code https://github.com/appsecco/alldaydevops-aism
  7. Security for our AWS Lambda. We are primarily doing the following two things: 1. A sufficiently random token to protect the request when we post the IP address from ElastAlert 2. Whitelist the IP address of the host where the HTTP POST request originates from
  8. Use Cases for Automated Defence: 1. Automated Defender (Attack Alerts + Automated Firewall) 2. Security Analytics + Reports 3. Near real-time Centralised Log Monitoring
  9. Attack Scenario: WordPress XML-RPC https://blog.appsecco.com/analysing-attacks-on-a-wordpress-xml-rpc-using-an-elk-stack-3bf25a7e36cc
  10. Needs Improvement: More attack signatures required, for example the OSSEC Wazuh Ruleset. Improve the ElastAlert Alerter custom code. Any suggestions from your side?
  11. Alternatives to our stack. Stack: Elastic, Graylog, TICK Stack, Prometheus + Grafana. Serverless: AWS Lambda, Azure Functions, Cloud Functions
  12. Our assumptions: You are already monitoring in near real-time using the ELK stack. You are under attack for a specific service. You have configured ElastAlert for your alerting
  13. In Summary: We created attack threshold rules in ElastAlert. We created an AWS Lambda endpoint to be able to modify AWS VPC Network ACLs. We have a real-time blocking system that is infinitely scalable
  14. References: Blog Post, Elastic, ElastAlert, AWS Lambda, Chalice
  17. Thanks @madhuakula | @appseccouk | http://appsecco.com
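Slides 7 and 13 describe the blocking endpoint: a sufficiently random shared token and a source-IP whitelist in front of a Lambda handler that modifies VPC Network ACLs. The following is an added example written for this page, not code from the alldaydevops-aism repository; the `X-Auth-Token` header name, the constants and the sample IP addresses are constructed assumptions, and the boto3 call itself is left out so the module runs offline.

```python
import hmac
import ipaddress

# Constructed placeholder values: a real deployment loads these from config.
SHARED_TOKEN = "replace-with-a-long-random-secret"   # slide 7, control 1
ALLOWED_SOURCES = {"203.0.113.10"}                   # ElastAlert host, control 2
NETWORK_ACL_ID = "acl-0123456789abcdef0"             # placeholder NACL id

def authorize(headers: dict, source_ip: str) -> bool:
    """Both controls must pass: constant-time token compare (a wrong token
    leaks no timing information) and a whitelisted requesting host."""
    token = headers.get("X-Auth-Token", "")
    token_ok = hmac.compare_digest(token.encode(), SHARED_TOKEN.encode())
    return token_ok and source_ip in ALLOWED_SOURCES

def validate_attacker_ip(value: str) -> str:
    """Accept one public IPv4 address only. A forged or buggy alert must not
    be able to make the blocker deny our own VPC, loopback or RFC 1918 space."""
    addr = ipaddress.ip_address(value.strip())
    if addr.version != 4 or not addr.is_global:
        raise ValueError(f"refusing to block non-public address {value!r}")
    return str(addr)

def nacl_deny_entry(attacker_ip: str, rule_number: int) -> dict:
    """Keyword arguments for ec2.create_network_acl_entry(): an inbound DENY
    for the attacker /32. Rule numbers must be unique per NACL (1-32766) and
    lower than the ALLOW rules they are meant to override."""
    if not 1 <= rule_number <= 32766:
        raise ValueError("NACL rule number out of range")
    return {
        "NetworkAclId": NETWORK_ACL_ID,
        "RuleNumber": rule_number,
        "Protocol": "-1",                  # all protocols
        "RuleAction": "deny",
        "Egress": False,                   # inbound rule
        "CidrBlock": f"{validate_attacker_ip(attacker_ip)}/32",
    }

def handle_block_request(headers: dict, source_ip: str, body: dict,
                         rule_number: int) -> dict:
    """Lambda-side flow: authenticate, validate, then (in production) call
    boto3.client('ec2').create_network_acl_entry(**params)."""
    if not authorize(headers, source_ip):
        return {"status": 403, "reason": "unauthorised"}
    try:
        params = nacl_deny_entry(body.get("ip", ""), rule_number)
    except ValueError as exc:
        return {"status": 400, "reason": str(exc)}
    return {"status": 200, "entry": params}   # AWS call omitted here
```

In Chalice the requesting address should be taken from the API Gateway request context (`app.current_request.context['identity']['sourceIp']`), never from a client-controlled header, otherwise the whitelist check is trivially bypassed.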