
Scaling threat detection and response in AWS

Zamira Jaupaj
November 29, 2021


Transcript

1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Scaling threat detection and response in AWS
Zamira Jaupaj, Solutions Architect @AWS
11/29/21
Twitter @Zamirajaupaj
2. Agenda
• Attacker lifecycle
3. Why is threat detection so hard?
• Skills shortage
• Signal to noise
• Large datasets
4. Detective controls
Gain the visibility you need to spot issues before they impact the business, improve your security posture, and reduce the risk profile of your environment.
• AWS Security Hub: centrally view and manage security alerts and automate compliance checks
• Amazon GuardDuty: intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
• Amazon Inspector: automates security assessments to help improve the security and compliance of applications deployed on AWS
• Amazon CloudWatch: complete visibility of your cloud resources and applications to collect metrics, monitor log files, set alarms, and automatically react to changes
• AWS Config: record and evaluate configurations of your AWS resources to enable compliance auditing, resource change tracking, and security analysis
• AWS CloudTrail: track user activity and API usage to enable governance, compliance, and operational/risk auditing of your AWS account
• VPC Flow Logs: capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be delivered to Amazon CloudWatch Logs (or to Amazon S3)
5. Attacker lifecycle: stages
• Reconnaissance
• Establish foothold
• Escalate privileges
• Internal reconnaissance
• Maintain persistence
6. Attack scenario (diagram)
Components: Internet, Internet Gateway, AWS Account, Web Server Instance, Internal Data Service, Amazon S3 bucket "Website Images", Amazon S3 bucket "Data Backup"; the attacker ("Bad Person") comes in from the Internet.
1. Access the vulnerable web application
2. Pivot to the data service
3. Delete the website image files
4. Change permissions to the data backup
5. Download the data backup
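Steps 3 to 5 of the scenario above are S3 API calls, so they leave CloudTrail records (S3 data events must be enabled for the buckets for steps 3 and 5 to be logged). The following is an added example, not code from the deck: it runs a small triage over constructed CloudTrail records and maps them back onto the scenario steps, grouped by the calling principal. Bucket names (`website-images`, `data-backup`), the `WebServerRole` role, the account id, the VPC CIDR and all IP addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed names; in a real account these come from inventory, not hard-coding.
WEBSITE_BUCKET = "website-images"
BACKUP_BUCKET = "data-backup"
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
WEB_ROLE = "arn:aws:sts::111122223333:assumed-role/WebServerRole/i-0123456789abcdef0"
IDENTITY = {"type": "AssumedRole", "arn": WEB_ROLE}

# S3 calls that change who may read a bucket or its objects (step 4 of the scenario).
PERMISSION_CHANGES = {"PutBucketAcl", "PutBucketPolicy", "PutObjectAcl",
                      "DeleteBucketPolicy", "PutBucketPublicAccessBlock"}

# Constructed CloudTrail records (not real data). The first is the web server's
# normal traffic; the remaining three reproduce steps 3, 4 and 5.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2021-11-29T10:00:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.25", "userIdentity": IDENTITY,
     "requestParameters": {"bucketName": WEBSITE_BUCKET, "key": "logo.png"}},
    {"eventTime": "2021-11-29T10:04:41Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "sourceIPAddress": "10.0.1.25", "userIdentity": IDENTITY,
     "requestParameters": {"bucketName": WEBSITE_BUCKET, "key": "logo.png"}},
    {"eventTime": "2021-11-29T10:05:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "sourceIPAddress": "10.0.1.25", "userIdentity": IDENTITY,
     "requestParameters": {"bucketName": BACKUP_BUCKET, "AccessControlPolicy": {}}},
    {"eventTime": "2021-11-29T10:06:33Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7", "userIdentity": IDENTITY,
     "requestParameters": {"bucketName": BACKUP_BUCKET, "key": "backup-2021-11-28.tar.gz"}},
]


def classify(record):
    """Return the scenario step a single CloudTrail record matches, or None."""
    name = record.get("eventName")
    bucket = record.get("requestParameters", {}).get("bucketName")
    if bucket == WEBSITE_BUCKET and name in {"DeleteObject", "DeleteObjects"}:
        return "3-delete-website-images"
    if bucket == BACKUP_BUCKET and name in PERMISSION_CHANGES:
        return "4-change-backup-permissions"
    if bucket == BACKUP_BUCKET and name == "GetObject":
        return "5-download-backup"
    return None


def triage(records):
    """Group matching records by principal, in time order, and note any use of
    the instance's credentials from outside the VPC. The off-VPC check is only
    meaningful when S3 traffic leaves via a VPC endpoint, so that CloudTrail
    records the private source address; an instance with a public IP will show
    that public address instead."""
    findings = defaultdict(lambda: {"steps": [], "off_vpc_ips": set()})
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        step = classify(rec)
        if step is None:
            continue
        entry = findings[rec["userIdentity"]["arn"]]
        entry["steps"].append(step)
        try:
            ip = ipaddress.ip_address(rec.get("sourceIPAddress", ""))
        except ValueError:  # e.g. a service name for AWS-initiated calls
            ip = None
        if ip is not None and ip not in VPC_CIDR:
            entry["off_vpc_ips"].add(str(ip))
    return dict(findings)


if __name__ == "__main__":
    for principal, hit in triage(SAMPLE_CLOUDTRAIL).items():
        print(principal, hit["steps"], sorted(hit["off_vpc_ips"]))
```

Note that step 1 (the HTTP request to the vulnerable web application) never appears in CloudTrail; the first API-level signal is the web server's role doing something it has no business doing, which is why the grouping is by principal rather than by bucket.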
7. What happened (diagram)
The attack: inside the AWS Cloud, a VPC with one Availability Zone holds a compromised instance and a malicious host in public subnets (Subnet 1, Subnet 2), an Elastic IP that appears in a custom threat list, and a bucket. Numbered signals on the diagram:
• API calls
• Bucket changes
• API Gateway endpoints
• SSH brute force attack
• Inspector assessment (Amazon Inspector)
Detect and investigate: AWS Security Hub, Amazon Macie, Amazon GuardDuty, AWS CloudTrail, Amazon CloudWatch Events, Amazon CloudWatch Logs, DNS logs, Amazon Inspector, Amazon S3, Amazon VPC Flow Logs
Respond: AWS Lambda, Amazon SNS, security analyst
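The response path on the diagram is GuardDuty finding, CloudWatch Events (EventBridge) rule, Lambda, SNS to the analyst. The following is an added example, not code from the deck or from the workshop it illustrates: a Lambda handler that receives the GuardDuty finding event, applies a policy (an instance acting as the malicious party at Medium severity or above is quarantined by swapping its security groups; everything else is only reported) and publishes a summary to SNS. The quarantine security group id, the topic ARN, the instance id and the two findings are constructed assumptions; the handler accepts injected clients so it runs offline, and only imports boto3 when none are supplied.

```python
import json
import os

# Assumed identifiers; in a deployment these come from Lambda environment variables.
QUARANTINE_SG = os.environ.get("QUARANTINE_SG", "sg-0123456789quarantine")
TOPIC_ARN = os.environ.get("TOPIC_ARN", "arn:aws:sns:us-east-1:111122223333:security-alerts")
ISOLATE_MIN_SEVERITY = 4.0  # GuardDuty's "Medium" band starts at 4.0


def decide(finding):
    """Pure policy: quarantine only when our resource is the ACTOR (it is doing the
    bad thing) at Medium+ severity; an instance that is merely the TARGET of, say,
    an SSH brute force is reported but kept online."""
    role = finding.get("service", {}).get("resourceRole")
    severity = float(finding.get("severity", 0))
    return "isolate" if role == "ACTOR" and severity >= ISOLATE_MIN_SEVERITY else "notify"


def instance_id(finding):
    return finding.get("resource", {}).get("instanceDetails", {}).get("instanceId")


def handler(event, context=None, ec2=None, sns=None):
    """Lambda entry point for an EventBridge rule on source aws.guardduty."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignored"}
    finding = event["detail"]
    action = decide(finding)
    if ec2 is None or sns is None:
        import boto3  # real clients only when nothing was injected
        ec2 = ec2 or boto3.client("ec2")
        sns = sns or boto3.client("sns")
    summary = {"id": finding.get("id"), "type": finding.get("type"),
               "severity": finding.get("severity"), "instance": instance_id(finding),
               "action": action}
    if action == "isolate" and summary["instance"]:
        # Groups= replaces the instance's whole security-group set, so the
        # quarantine group is the only one left attached.
        ec2.modify_instance_attribute(InstanceId=summary["instance"], Groups=[QUARANTINE_SG])
    sns.publish(TopicArn=TOPIC_ARN,
                Subject=f"GuardDuty {summary['type']} ({action})"[:100],  # SNS subject limit
                Message=json.dumps(summary))
    return summary


def guardduty_event(finding):
    """Wrap a finding the way CloudWatch Events / EventBridge delivers it."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": finding}


# Constructed findings (trimmed to the fields the handler reads).
SAMPLE_BRUTE_FORCE = {  # our instance is the target of an SSH brute force
    "id": "finding-0001", "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 2,
    "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    "service": {"resourceRole": "TARGET"},
}
SAMPLE_THREAT_LIST = {  # our instance is talking to an address on a custom threat list
    "id": "finding-0002", "type": "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom", "severity": 5,
    "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    "service": {"resourceRole": "ACTOR"},
}


class RecordingClient:
    """Stand-in for a boto3 client: records every call so the example runs offline."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


if __name__ == "__main__":
    ec2, sns = RecordingClient(), RecordingClient()
    for finding in (SAMPLE_BRUTE_FORCE, SAMPLE_THREAT_LIST):
        print(handler(guardduty_event(finding), ec2=ec2, sns=sns))
    print("ec2 calls:", ec2.calls)
```

Keeping `decide` free of AWS calls is deliberate: the policy is the part that changes most often and the part an analyst wants to unit-test against stored findings, while the two side effects stay in one place where the Lambda role's permissions (`ec2:ModifyInstanceAttribute`, `sns:Publish`) can be kept to exactly those two actions.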
8. Share your feedback with us! Thank you!
Twitter @Zamirajaupaj
https://eventbox.dev/survey/7TJITXC