As AWS customers continue to adopt and migrate workloads to the platform, they are adopting multi-account and multi-regional deployments to incorporate DR/COOP into their enterprise architectures while managing blast radius, account limits costs, and security. This session is focused on enabling a centralized SOC account for organizations running multi-account, multi-region workloads on AWS. The centralized SOC account on AWS has 2 primary purposes: (1) centralize data and visibility to quickly detect incidents, and (2) provide event driven automation for responding to and recovering from incidents.

1. P U B L I C S E C T O R
S U M M I T
Washington, DC

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
Centralized SOC Architectures on
AWS
Darren House
Sr. Solutions Architect
AWS
3 0 2 8 3 6

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
Related breakouts
302833 - Beating Sophisticated Attackers at Their
Game Using AWS
Tim Rains
319028 - Aligning to the NIST Cybersecurity
Framework in the AWS
Michael South

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
Agenda
Use MITRE ATT&CK Tactics & Techniques to demonstrate how
you can incorporate detection and response in AWS
SOC Baseline
How can we centralize data and visibility to identify and
detect incidents and protect multiple accounts?
How can we provide event driven automation for responding to
and recovering from incidents in multiple accounts?

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
AWS Security Services Overview
Protect Detect Respond
Automate
Investigate
RecoverIdentify
ArchiveSnapshot

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
Monitoring
Detection
Response
Tier 1
Analyst
Tier 2
Responder
Tier 3
SME
Hunter

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
AWS
Lambda
Amazon
CloudWatc
h
AWS CloudTrail
Scheduled
Event
AWS Config
AWS Systems
Manager
Amazon
GuardDuty
Amazon Inspector
CIO Dashboard
Centralized
S3 Bucket
AWS Step
Functions
Lambda
Functions
Amazon
QuickSight

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
Service Centralize Data MA MR
AWS Config Config Aggregator Yes Yes
Systems
Manager
Resource Data Sync Yes Yes
Cloud Trail Writes to Cloud Watch Logs and S3 Yes Yes
Guard Duty Master Account Yes No
Security
Hub
Master Account Yes No
CloudWatch
Events
Cloud Watch Event Bus supports multiple accounts. Yes No
CloudWatch
Logs
Cloud Watch Logs Agent Config File Yes No
Inspector Regional, Single Account No No

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
https://attack.mitre.org

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
APT18 Leviathan
Threat group that has
operated since at
least 2009 and has
targeted a range of
industries, including
technology,
manufacturing,
human rights groups,
government, and
medical.
Cyber espionage
group that has been
active since at least
2013. The group
generally targets
defense and
government
organizations
Persistence
Registry
Files
Staging
Folders
Credentials
Dump
PWD hash
Execution
Power
Shell

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
Persistence
Registry
Staging
Folders
Gh0st RAT
• Registry
• HKEY_CURRENT_USER
SoftwareMicrosoftWindo
wsCurrentVersionRun
• Folders:
• C:ProgramDataHIDMgr
• C:ProgramDataRascon
• C:ProgramDataTrkSvr
APT
18

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
AWS Systems
Manager
Amazon GuardDuty
Instance with
CloudWatch
Amazon CloudWatch
Logs Insights
AWS CloudTrail
Flow logs
GD Finding
Event
(event-
based)
Amazon CloudWatch
Amazon DynamoDB
GD Event
Type maps to
CWL Insights
query
Inventory
CloudWatch
SOC Dashboard
AWS Step
Functions1
2
3
Amazon Simple
Notification Service
4
5
7
6
8
Behavior:EC2/NetworkPortUnusual
CWI
Queries

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
Credentials
Dump
PWD
hash
Staging
Folders
Execution
Power
Shell
• Dump PWD Hash
• Pass the hash
• Folders:
• C:WindowsDebug
• C:Perflogs
• Power Shell
• Tool downloads (Cobalt
Strike)
Leviathan

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
AWS Systems
Manager
Amazon GuardDuty
Instance with
CloudWatch
Amazon CloudWatch
Logs Insights
AWS CloudTrail
Flow logs
GD Finding
Event
(event-
based)
Amazon CloudWatch
Amazon DynamoDB
GD Event
Type maps to
CWL Insights
query
Inventory
CloudWatch
SOC Dashboard
AWS Step
Functions1
2
3
Amazon Simple
Notification Service
4
5
7
6
8
Backdoor:EC2/C&CActivity.B!DNS
CWI
Queries

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T

18. Thank you!
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C TO R
S U M M I T
Darren House
Dahouse@amazon.com