
Automated Defence for Cloud Security in AWS using Serverless @ Serverless Summit 2017


Monitoring for attacks and defending them in real-time is crucial. Making the right choices during attacks can prove to be a nightmare even with the solutions already available in the market. In this talk we will see how an automated defence system powered by Serverless can be used to block attacks against our cloud infrastructure. By collecting logs from various sources we will monitor, analyse and act by applying defensive rules against attackers automatically. We will use AWS for managing and securing the infrastructure discussed in our talk.


Madhu Akula

October 27, 2017

Transcript

  1. Automated Defence for Cloud Security in AWS using Serverless
     Madhu Akula & Subash SN, Appsecco
  2. Why should you listen to us?
     Madhu Akula
     • Automation Ninja at Appsecco
     • Interested in Security, DevOps and Cloud
     • Speaker & Trainer at Defcon, All Day DevOps, DevSecCon, etc.
     • Found security vulnerabilities in Google, Microsoft, Adobe, etc.
     • Twitter @madhuakula
     Subash SN
     • Security Engineer at Appsecco
     • Interested in Security, Development and Machine Learning
     • Speaker & Trainer at CSI, null, etc.
     • Technical Director at Computer Society of India
     • Twitter @pingsns
  3. None
  4. What are we going to show you for the next 15 min?
  5. Let's start with a demo

  6. High level architecture

  7. Services used
     • DynamoDB
       ◦ DynamoDB is the central database where rules are mapped to their respective ACL IDs. Rules for IP addresses and their expiry time are added to and removed from the blacklist_ip table by the appropriate Lambda functions
     • Blacklist Lambda function
       ◦ The Blacklist function is the only exposed endpoint in the setup. Any IP that needs to be blacklisted is supplied to this function via an HTTPS request carrying a valid accessToken
     • Handle Expiry Lambda function
       ◦ The HandleExpiry function is triggered periodically to remove expired rules from the ACL and the database
  8. Services used
     • CloudWatch
       ◦ CloudWatch is used to trigger the HandleExpiry Lambda function periodically. The function is triggered every minute to remove expired rules
     • VPC Network ACL
       ◦ The Access Control List for our VPC network (basically the firewall rules)
  9. Configuration
     Blacklist Endpoint: https://lambda_url/blacklistip?accessToken=ACCESS_TOKEN&ip=IP_ADDRESS
     Parameters:
     • acl_id: The ACL ID that was used to add the rule
     • accessToken: Access token to validate requests
     • expiryTime: Time after which the rule expires
     • ruleLimit: The maximum number of rules that can be added
  10. Bonus - We did this for Azure cloud as well

  11. Summary
     • We created attack threshold rules in ElastAlert
     • We created AWS Lambda functions backed by DynamoDB to dynamically block IP addresses in an AWS network ACL
     • We created a near real-time blocking system that is infinitely scalable
     • The ideas are not limited to these. By leveraging the advantages of serverless we can solve some interesting problems in the security industry
     • While security teams can leverage serverless to solve problems at scale, we should remember that attackers can also leverage these infinitely scalable platforms
  12. References
     • https://blog.appsecco.com/automated-defense-using-serverless-computing-84ee04b9b129
     • https://github.com/appsecco/alldaydevops-aism
     • https://github.com/appsecco/defcon24-infra-monitoring-workshop
     • https://serverless.com
     • https://aws.amazon.com/serverless
     • https://azure.microsoft.com/en-in/services/functions
     • https://www.youtube.com/watch?v=YZ058hmLuv0
  13. QUESTIONS
     @madhuakula | @pingsns | @appseccouk
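The Blacklist and HandleExpiry functions from slides 7 to 9, written out as an added illustration (not the speakers' code from the talk or the linked repositories). It assumes a plain dict standing in for the blacklist_ip DynamoDB table and a small FakeNacl class standing in for the Network ACL API, so it runs offline; the token, rule numbers and limits are constructed values.

```python
import hmac
import ipaddress
import time

ACCESS_TOKEN = "constructed-secret-token"  # in practice load from an env var or secret store
RULE_LIMIT = 20          # ruleLimit from the slides
EXPIRY_SECONDS = 3600    # expiryTime from the slides
RULE_BASE = 100          # deny rules use numbers RULE_BASE .. RULE_BASE+RULE_LIMIT-1


class FakeNacl:
    """Stand-in for the Network ACL entry calls (hypothetical, no AWS access needed)."""
    def __init__(self):
        self.rules = {}  # rule_number -> cidr

    def deny(self, rule_number, cidr):
        self.rules[rule_number] = cidr

    def delete(self, rule_number):
        self.rules.pop(rule_number, None)


def blacklist_ip(params, table, nacl, now=None):
    """Blacklist Lambda: validate the request, add a deny rule, record its expiry."""
    now = time.time() if now is None else now
    # constant-time token check so a wrong token cannot be brute-forced byte by byte
    if not hmac.compare_digest(params.get("accessToken", "").encode(), ACCESS_TOKEN.encode()):
        return {"statusCode": 403, "body": "invalid accessToken"}
    try:
        ip = ipaddress.ip_address(params.get("ip", ""))  # rejects garbage and ranges
    except ValueError:
        return {"statusCode": 400, "body": "invalid ip"}
    if str(ip) in table:
        return {"statusCode": 200, "body": "already blacklisted"}
    used = {r["rule_number"] for r in table.values()}
    free = [n for n in range(RULE_BASE, RULE_BASE + RULE_LIMIT) if n not in used]
    if not free:  # ruleLimit reached: an ACL has a hard cap on entries
        return {"statusCode": 429, "body": "ruleLimit reached"}
    cidr = f"{ip}/{ip.max_prefixlen}"  # single host: /32 for IPv4, /128 for IPv6
    nacl.deny(free[0], cidr)
    table[str(ip)] = {"rule_number": free[0], "expiry": now + EXPIRY_SECONDS}
    return {"statusCode": 200, "body": f"blocked {cidr} as rule {free[0]}"}


def handle_expiry(table, nacl, now=None):
    """HandleExpiry Lambda (CloudWatch, every minute): drop rules past their expiry."""
    now = time.time() if now is None else now
    expired = [ip for ip, r in table.items() if r["expiry"] <= now]
    for ip in expired:
        nacl.delete(table[ip]["rule_number"])  # remove from the ACL first, then the table
        del table[ip]
    return expired
```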