Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to Protect Your AWS Accounts and Workloads
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What is Amazon GuardDuty?
• A threat detection service re-imagined for the cloud
• Continuously monitors and protects AWS accounts, along
with the applications and services running within them
• Detects known and unknown threats (Zero-Days)
• Makes use of artificial intelligence and machine learning
• Integrated threat intelligence
• Operates on CloudTrail, VPC Flow Logs & DNS
• Detailed & Actionable Findings
Detecting Known Threats
Threat intelligence
• GuardDuty consumes feeds from various sources
• AWS Security
• Commercial feeds
• Open source feeds
• Customer provided threat intel (STIX)
• Known malware infected hosts
• Anonymizing proxies
• Sites hosting malware & hacker tools
• Crypto-currency mining pools and wallets
• Great catch-all for suspicious & malicious activity
Detecting Unknown Threats
Anomaly detection
• Algorithms to detect unusual behavior
• Inspecting signal patterns for signatures
• Profiling normal and looking at deviations
• Machine learning classifiers
• Larger R&D effort
• Highly skilled data scientists to study data
• Develop theoretical detection models
• Experiment with implementations
• Testing, tuning, and validation
Brute Force Example
What can the service detect?
[Diagram: an example attack chain, with the GuardDuty finding that covers each step]
Attack chain shown: RDP brute force; RAT installed; Exfiltrate temp IAM creds over DNS; Probe API with temp creds; Attempt to compromise account
Detections shown: Malicious or suspicious IP; Unusual ports; DNS exfiltration; RDP brute force; Unusual traffic volume; Connect to blacklisted site; Recon; Anonymizing proxy; Temp credentials used off-instance; Unusual ISP caller; Bitcoin activity; Unusual instance launch
Finding Type Categories
• Recon: Port probe on unprotected port; Outbound port scans; Callers from anonymizing proxies
• Backdoor: Spambot or C&C activity detected; Exfiltration over DNS channel; Suspicious domain request
• Trojan: DGA domain request; Blackhole traffic; DropPoint
• Unauthorized Access: Unusual ISP caller; SSH brute force; RDP brute force
• Stealth: Password policy change; CloudTrail logging disabled; GuardDuty disabled in member account
• CryptoCurrency: Communication with Bitcoin DNS pools; CryptoCurrency related DNS calls; Connections to Bitcoin mining pools
Detection Flywheel
• AWS Security: Investigation of threats and patterns; Produce threat intelligence; Provide guidance to all service teams
• Amazon GuardDuty: Learns of new threats and patterns; Consumes threat intelligence; Develops new analytics; Deploys new & updated detections
• AWS Field Organizations: AWS Support / TAM; Solutions architects; Professional services
• Customers & Partners: Receive a steady stream of new detections; All benefit from learnings of any one; Develop new detections
Rapid Pace of Iteration
re:Invent
CloudWatch Events
[Diagram: GuardDuty Findings delivered to a CloudWatch Events Rule with this event pattern]
{
  "source": [
    "aws.guardduty"
  ]
}
Multi-Account Support
[Diagram: Account A, Account B and Account C forward findings via CW Events to the Security Team Account]
GuardDuty Multi-Account Onboarding
GuardDuty Multi-Account (console screenshot slides)
Full GuardDuty SDK – Java, Go, Python, JS, Ruby, PHP, .Net
• Detector (Create, List, Delete, Update, Describe)
• IPSet (Create, List, Delete, Update, Describe)
• ThreatIntelSet (Create, List, Delete, Update, Describe)
• Finding (List, Get, Describe, Archive, Unarchive, Generate, UpdateFeedback)
• Member (Create, Invite, Fix, Describe, Delete, Unlink, StartMonitoring, StopMonitoring, List)
• Master (Get, Unlink, AcceptInvitation)
• Invitation (List, Get, Decline, Delete)
API, AWS CLI & AWS CloudFormation
CloudFormation supported at launch
"BasicDetector": {
  "Type": "AWS::GuardDuty::Detector",
  "Properties": {
    "DetectorEnable": true
  }
}
Note: the property name above is as shown on the slide; in the published AWS::GuardDuty::Detector resource schema the boolean that turns the detector on is named Enable.
Pricing
AWS CloudTrail analysis
• $4.00 per 1,000,000 events
VPC Flow Log + DNS Query Log Analysis
• First 500 GB/month $1.00 per GB
• Next 2000 GB/month $0.50 per GB
• Over 2500 GB/month $0.25 per GB
One month free trial
Fourteen Regions Supported Today!
• US East (N. Virginia)
• US East (Ohio)
• US West (N. California)
• US West (Oregon)
• Canada (Central)
• EU (Ireland)
• EU (Frankfurt)
• EU (London)
• Asia Pacific (Singapore)
• Asia Pacific (Sydney)
• Asia Pacific (Seoul)
• Asia Pacific (Tokyo)
• Asia Pacific (Mumbai)
• South America (Sao Paulo)
Eight Languages Supported Today!
• Chinese
• English
• French
• German
• Japanese
• Korean
• Portuguese
• Spanish
GuardDuty Partners
Integration Architectures
[Diagram: single account. Amazon GuardDuty findings go to Amazon CloudWatch Events, which triggers AWS Lambda; Lambda writes to Amazon Kinesis Firehose, which loads Amazon ES]
[Diagram: two accounts. Each account's Amazon GuardDuty emits findings through CloudWatch Events]
[Diagram: multi-account. Amazon GuardDuty in each account emits findings through CloudWatch Events to a Central CloudWatch EventBus in the Security Analysis account]
[Diagram: multi-account with processing. The Central CloudWatch EventBus in the Security Analysis account triggers a Central Processing Lambda, which writes to Kinesis Firehose and on to Amazon ES]
[Diagram: the same pipeline, with a GuardDuty Topic in the Pulsar Account fed by CloudWatch Events alongside the Central CloudWatch EventBus]
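For the CloudWatch Events → Lambda → Kinesis Firehose / Amazon ES pipeline shown on the slides above, and the "aws.guardduty" rule on the CloudWatch Events slide, an added example in Python that is not code from the deck or from AWS: a Lambda handler that checks the event really is a GuardDuty finding, maps GuardDuty's documented numeric severity to its High/Medium/Low bands, and flattens the finding into a record ready to ship downstream. The finding id, account id and instance id in the sample event are constructed values.

```python
import json

# GuardDuty's documented severity bands: 7.0-8.9 High, 4.0-6.9 Medium, 0.1-3.9 Low.
def severity_label(severity):
    if severity >= 7.0:
        return "HIGH"
    return "MEDIUM" if severity >= 4.0 else "LOW"

def normalize_finding(event):
    """Flatten a CloudWatch Event carrying a GuardDuty finding; None if it is not one."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return None
    d = event["detail"]
    sev = float(d["severity"])
    res = d.get("resource", {})
    return {
        "finding_id": d["id"],
        "account_id": d["accountId"],  # the member account in a multi-account setup
        "region": d["region"],
        "type": d["type"],
        "severity": sev,
        "severity_label": severity_label(sev),
        "resource_type": res.get("resourceType"),
        "instance_id": res.get("instanceDetails", {}).get("instanceId"),
        "count": d["service"]["count"],
        "last_seen": d["service"]["eventLastSeen"],
    }

def lambda_handler(event, context=None):
    """Lambda entry point: drop non-findings, emit one JSON record per finding."""
    record = normalize_finding(event)
    if record is None:
        return {"dropped": True}
    print(json.dumps(record))  # stand-in for the Kinesis Firehose put in the deck's pipeline
    return record

# Constructed sample event (hypothetical ids) in the documented GuardDuty event format.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "example-finding-id", "accountId": "111122223333", "region": "us-east-1",
        "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"count": 3, "eventLastSeen": "2017-11-28T00:00:00Z"},
    },
}
```

The rule pattern on the slide only filters on source, so the detail-type check in the handler is what keeps non-finding events out of the pipeline.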
Amazon GuardDuty Result Samples
• Anomaly Detection: Potentially sensitive API calls from an unusual ISP
  • Amazon GuardDuty sent an alert when I was making AWS CloudTrail calls from a relative's house without being on VPN.
• DNS Log analysis: Potential C&C Activity
  • Amazon GuardDuty identified one of our honeypots after the honeypot began sending outbound requests to a domain designated as a C&C.
• VPC Flow: Unprotected ports being probed by a malicious IP
  • Amazon GuardDuty allows us to add weight to existing notifications that warn of insecure security group configurations by alerting on probes and brute force attempts on unprotected ports.
Amazon GuardDuty Takeaways
• Painless setup with transparent pricing for first 30 days.
• Allowed our team to focus on findings and integrations rather than maintaining the service itself.
• More than just IDS on Amazon VPC Flow Logs – The combination of AWS CloudTrail, DNS Logs, Threat Intel, and Machine Learning yield high caliber, informed findings.
• The Amazon GuardDuty team has been quick to iterate on feedback and continually improve the service, so we are excited to continue working with Amazon GuardDuty and the evolution of the service.
THANK YOU! https://aws.amazon.com/GuardDuty