Alert Logic

by Ryan Holland, Sr. Director, Alert Logic

Learn how Alert Logic has integrated with Amazon GuardDuty.


  1. ALERT LOGIC'S INTEGRATION WITH AMAZON GUARDDUTY. Ryan Holland, Sr Director, Cloud Platforms
  2. Outline
     • Services Overview
     • GuardDuty Integration
     • Top Findings, Configuration Errors, and CVEs
     • Demo
  3. SERVICES OVERVIEW
  4. Amazon GuardDuty
     • AWS threat detection service (launched at re:Invent 2017) that monitors your environment for suspicious behavior using:
       - AWS CloudTrail event logs
       - VPC Flow Logs
       - DNS Logs
     • GuardDuty identifies potential security issues called "Findings":
       - Reconnaissance (e.g., EC2 instance being probed)
       - Instance compromise (e.g., EC2 instance querying phishing domains)
       - Account compromise (e.g., credentials used from multiple locations)
  5. Cloud Insight Essentials
     • Alert Logic service (also launched at re:Invent 2017) that identifies configurations that go against AWS security best practices and provides GuardDuty findings enrichment and management.
     • Uses an IAM role/policy to monitor CloudTrail logs and identify risky configurations like:
       - User not configured to use MFA
       - S3 bucket has a global ACL
       - Passwords not configured to expire
     • Can deploy vulnerability scanners (Cloud Insight) to identify Common Vulnerabilities and Exposures (CVEs) in software
     • Available on AWS Marketplace with a 30 day free trial
       - https://aws.amazon.com/marketplace/pp/B0764JH55Q
  6. Cloud Insight Essentials Topology View
  7. GUARDDUTY INTEGRATION
  8. CloudFormation Template
     • CloudFormation template that deploys a Kinesis Stream and a Lambda function that act as a CloudWatch Events collector.
     • The CloudWatch Events collector gathers all CloudWatch Events associated with GuardDuty Findings and forwards those events to Cloud Insight Essentials.
     • Cloud Insight Essentials augments Findings by providing more detailed information and guidance on what to do with each Finding, and tracks historical trends.
     • Available on GitHub (https://github.com/alertlogic/cwe-collector/)
  9. GuardDuty Integration Architecture (diagram): AWS CloudTrail, VPC Flow Logs and DNS Logs feed Amazon GuardDuty; each GuardDuty Finding is emitted as a CloudWatch Event, collected by the CloudWatch Events Collector Lambda Function (deployed by the CloudFormation Template) and forwarded to Cloud Insight Essentials for GuardDuty Trends and Remediations.
  10. Inspector Integration Architecture (diagram): a Scheduled Event triggers a Lambda Function that enumerates Amazon Inspector Findings for EC2 Instances and passes them to Cloud Insight Essentials as Exposures and Remediations.
  11. Config Rules Integration Architecture (diagram): when an AWS Config New Snapshot rule completes, a Lambda Function converts the results into Cloud Insight Exposures and Remediations in Cloud Insight Essentials.
  12. Incident Summaries
     • The Incident Summary gives you an overview of the GuardDuty primary detection categories
  13. Incident List
     • The Incident List gives you an Investigation Report (a summary of the Finding with links to industry knowledge)
  14. GuardDuty Recommendations
     • Recommendations provide short-term actions (with links on how to investigate compromises) and links to the AWS console to conduct further investigation
  15. GuardDuty Evidence
     • Evidence records the full GuardDuty Finding and the last time it was seen
  16. GuardDuty Remediations
     • Steps to help customers enable GuardDuty and deploy our CloudWatch Event collectors
  17. TOP FINDINGS, MISCONFIGURATIONS, & CVES
  18. The Terrible Ten
     GuardDuty Findings:
       1. Recon:EC2/PortProbeUnprotectedPort
       2. Recon:EC2/Portscan
       3. UnauthorizedAccess:EC2/SSHBruteForce
       4. UnauthorizedAccess:EC2/RDPBruteForce
       5. CryptoCurrency:EC2/BitcoinTool.B!DNS
       6. Stealth:IAMUser/PasswordPolicyChange
       7. UnauthorizedAccess:EC2/TorIPCaller
       8. Behavior:EC2/NetworkPortUnusual
       9. Trojan:EC2/DropPoint!DNS
       10. PenTest:IAMUser/KaliLinux
     Misconfigurations:
       1. Unencrypted AMI Discovered
       2. Unencrypted EBS Volume
       3. S3 Logging not Enabled
       4. Single POF or no Auto Scaling
       5. S3 Object Versioning not Enabled
       6. User not configured to use MFA
       7. User Access Keys not Rotating
       8. IAM Policies Directly Attached to User
       9. Dangerous User Privileged Access to S3
       10. Dangerous IAM Role for S3
     CVEs:
       1. RC4 Ciphers
       2. MD5 Hash-collision
       3. OpenSSH Security Bypass
       4. OpenSSH DoS
       5. TLS Logjam Issue
       6. OpenSSH Buffer Overflow
       7. OpenSSH Info Disclosure
       8. OpenSSH Memory Corruption
       9. OpenBSD DoS
       10. OpenBSD Security Bypass
  19. Conclusions
     • "By 2020, 95% of cloud security failures will be the customer's fault."*
     • The most frequent GuardDuty Findings are due to customers leaving ports open or not restricting access to ports
     • The most frequent configuration issues are due to customers not encrypting AMIs/volumes, not enabling logging, and IAM permissions
     • The most frequent CVEs are due to customers running out-of-date open source software
     * Gartner Reveals Top Predictions for IT Organizations and Users for 2016 and Beyond: https://www.gartner.com/newsroom/id/3143718
  20. DEMO
  21. Thank you.
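The collector described on slide 8, together with the per-category summary of slide 12 and the last-seen evidence of slide 15, as an added example that is not the alertlogic/cwe-collector code: it parses a GuardDuty finding delivered as a CloudWatch Event, keeps the fields the dashboards need, and counts findings per primary detection category. The sample event, the `lambda_handler` name and the `sink` parameter (standing in for the Kinesis put call) are constructed; the finding-type grammar and severity bands are as AWS documents them.

```python
import json
from collections import Counter

# Constructed sample CloudWatch Event carrying a GuardDuty finding (only the fields read here)
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "constructed-finding-id", "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 2, "accountId": "111111111111", "region": "us-east-1",
        "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0constructed"}},
        "service": {"count": 5, "eventLastSeen": "2018-03-01T12:00:00Z"},
    },
}

def parse_finding_type(finding_type):
    """Split 'ThreatPurpose:ResourceType/ThreatName' into (purpose, resource, threat)."""
    purpose, _, rest = finding_type.partition(":")
    resource, _, threat = rest.partition("/")
    if not (purpose and resource and threat):
        raise ValueError("unexpected GuardDuty finding type: %r" % finding_type)
    return purpose, resource, threat

def severity_label(score):
    """Map GuardDuty's numeric severity to its documented Low (<4) / Medium (<7) / High bands."""
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"

def normalize_event(event):
    """Return the summary record to forward, or None for events that are not GuardDuty findings."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return None
    d = event["detail"]
    purpose, resource, threat = parse_finding_type(d["type"])
    service = d.get("service", {})
    return {
        "finding_id": d["id"], "account": d["accountId"], "region": d["region"],
        "category": purpose,  # the primary detection category that slide 12 summarises by
        "resource_type": resource, "threat": threat,
        "severity": severity_label(float(d["severity"])),
        "count": service.get("count", 1),
        "last_seen": service.get("eventLastSeen"),  # the "last time seen" kept as evidence (slide 15)
    }

def lambda_handler(event, context=None, sink=print):
    """Hypothetical entry point: normalise each event, hand it to `sink`, return counts per category."""
    records = event if isinstance(event, list) else [event]
    summaries = [s for s in map(normalize_event, records) if s is not None]
    for s in summaries:
        sink(json.dumps(s))
    return Counter(s["category"] for s in summaries)
```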
