
Automated Defence for Cloud Security in AWS using Serverless @ Serverless Summit 2017

Madhu Akula
October 27, 2017


Monitoring for attacks and defending against them in real time is crucial. Making the right choices during an attack can be a nightmare even with the solutions already available on the market. In this talk we will see how an automated defence system powered by Serverless can be used to block attacks against our cloud infrastructure. By collecting logs from various sources we will monitor, analyse and act by applying defensive rules against attackers automatically. We will use AWS for managing and securing the infrastructure discussed in the talk.


Transcript

  1. Automated Defence for Cloud
    Security in AWS using Serverless
    Madhu Akula & Subash SN
    Appsecco


  2. Why should you listen to us?
    Madhu Akula
    ● Automation Ninja at Appsecco
    ● Interested in Security, DevOps and Cloud
    ● Speaker & Trainer at Defcon, All Day DevOps, DevSecCon, etc.
    ● Found security vulnerabilities in Google, Microsoft, Adobe, etc.
    ● Twitter @madhuakula
    Subash SN
    ● Security Engineer at Appsecco
    ● Interested in Security, Development and Machine Learning
    ● Speaker & Trainer at CSI, null, etc.
    ● Technical Director at Computer Society of India
    ● Twitter @pingsns

  3. (image-only slide, no transcribed text)

  4. What are we going to show you in the next 15 minutes?

  5. Let’s start with Demo


  6. High level architecture


  7. Services used
    ● DynamoDB
      ○ DynamoDB is the central database where rules are mapped to their respective ACL IDs. Rules for IP addresses and their expiry time are added to and removed from the blacklist_ip table by the appropriate Lambda functions.
    ● Blacklist Lambda function
      ○ The Blacklist function is the only exposed endpoint in the setup. Any IP that needs to be blacklisted must be supplied to this function via an HTTPS request together with a valid accessToken.
    ● Handle Expiry Lambda function
      ○ The HandleExpiry function is triggered periodically to remove expired rules from the ACL and the database.

  8. Services used
    ● CloudWatch
      ○ CloudWatch is used to trigger the HandleExpiry Lambda function periodically. The function is triggered every minute to remove expired rules.
    ● VPC Network ACL
      ○ The Access Control List for our VPC network (basically the firewall rules).

  9. Configuration
    Blacklist Endpoint:
    https://lambda_url/blacklistip?accessToken=ACCESS_TOKEN&ip=IP_ADDRESS
    Parameters:
    ● acl_id: the ACL ID that is used when adding the rule
    ● accessToken: access token used to validate requests
    ● expiryTime: time after which the rule expires
    ● ruleLimit: the maximum number of rules that can be added
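The core decision logic of the two Lambda functions described in slides 7 to 9, written here as an added example (not code from the deck or from the Appsecco repositories): the endpoint validates the accessToken, enforces ruleLimit, assigns a free network ACL rule number and records the expiry, and the periodic HandleExpiry run removes expired rules from both the ACL and the table. `BlacklistState`, `blacklist_ip` and `handle_expiry` are assumed names, and the DynamoDB blacklist_ip table and the VPC network ACL are replaced by in-memory dictionaries so the block runs offline.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-ins (assumption): `rules` plays the role of the DynamoDB
# blacklist_ip table and `acl_entries` the deny entries of the VPC network ACL.
# A real deployment would make boto3 calls here; none are made in this example.
@dataclass
class BlacklistState:
    access_token: str       # shared secret expected in the accessToken parameter
    rule_limit: int         # ruleLimit: maximum number of deny rules we manage
    expiry_seconds: int     # expiryTime: lifetime of a rule in seconds
    rules: dict = field(default_factory=dict)        # ip -> {"rule": n, "expires": t}
    acl_entries: dict = field(default_factory=dict)  # rule number -> ip

def next_rule_number(state, first=1, last=32766):
    """Lowest unused ACL rule number; a deny rule must sort before the allow rules."""
    for n in range(first, last + 1):
        if n not in state.acl_entries:
            return n
    return None

def blacklist_ip(state, access_token, ip, now):
    """Handle one request to the blacklist endpoint and return a status string."""
    # Constant-time comparison so the token check does not leak by timing.
    if not hmac.compare_digest(access_token.encode(), state.access_token.encode()):
        return "unauthorized"            # reject before touching the ACL or the table
    try:
        ip = str(ipaddress.ip_address(ip))   # malformed input never becomes a rule
    except ValueError:
        return "invalid_ip"
    if ip in state.rules:                    # already blocked: extend its lifetime
        state.rules[ip]["expires"] = now + state.expiry_seconds
        return "refreshed"
    if len(state.rules) >= state.rule_limit:  # a network ACL holds few entries
        return "limit_reached"
    rule = next_rule_number(state)
    if rule is None:
        return "limit_reached"
    state.acl_entries[rule] = ip             # deny rule added to the network ACL
    state.rules[ip] = {"rule": rule, "expires": now + state.expiry_seconds}
    return "added"

def handle_expiry(state, now):
    """One CloudWatch-triggered HandleExpiry run: drop every rule whose time is up."""
    removed = []
    for ip, entry in list(state.rules.items()):
        if entry["expires"] <= now:
            del state.acl_entries[entry["rule"]]   # remove from the ACL
            del state.rules[ip]                    # remove from the table
            removed.append(ip)
    return removed
```

The refresh path matters in practice: a second alert for an IP that is already blocked extends the rule instead of consuming another of the limited ACL entries.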


  10. Bonus - We did this for Azure cloud as well


  11. Summary
    ● We created attack threshold rules in ElastAlert
    ● Created AWS Lambda functions backed by DynamoDB to dynamically block IP addresses in the AWS network ACL
    ● We created a near real-time blocking system that is infinitely scalable
    ● The ideas are not limited to these. By leveraging the advantages of serverless we can solve some interesting problems in the security industry
    ● While security teams can leverage Serverless to solve problems at scale, we should remember that attackers can also leverage these infinitely scalable platforms

  12. References
    ● https://blog.appsecco.com/automated-defense-using-serverless-computing-84ee04b9b129
    ● https://github.com/appsecco/alldaydevops-aism
    ● https://github.com/appsecco/defcon24-infra-monitoring-workshop
    ● https://serverless.com
    ● https://aws.amazon.com/serverless
    ● https://azure.microsoft.com/en-in/services/functions
    ● https://www.youtube.com/watch?v=YZ058hmLuv0

  13. QUESTIONS
    @madhuakula | @pingsns | @appseccouk