Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to Protect Your AWS Accounts and Workloads
Iolaire McKinnon
AWS Professional Services - Security, Risk & Compliance
Level 200
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What is Amazon GuardDuty?
• A threat detection service re-imagined for the cloud
• Continuously monitors and protects AWS accounts, along
with the applications and services running within them
• Detects known and unknown threats (Zero-Days)
• Makes use of artificial intelligence and machine learning
• Integrated threat intelligence
• Operates on AWS CloudTrail events, VPC Flow Logs & DNS query logs
• Detailed & Actionable Findings
Detecting Known Threats
Threat intelligence
• GuardDuty consumes feeds from various sources
  • AWS Security
  • Commercial feeds
  • Open source feeds
  • Customer provided threat intel (STIX)
• Known malware infected hosts
• Anonymizing proxies
• Sites hosting malware & hacker tools
• Crypto-currency mining pools and wallets
• Great catch-all for suspicious & malicious activity
Detecting Unknown Threats
Anomaly detection
• Algorithms to detect unusual behavior
• Inspecting signal patterns for signatures
• Profiling normal and looking at deviations
• Machine learning classifiers
• Larger R&D effort
  • Highly skilled data scientists to study data
  • Develop theoretical detection models
  • Experiment with implementations
  • Testing, tuning, and validation
Brute Force Example
What can the service detect?
Attacker steps shown on the slide: RDP brute force → RAT installed → exfiltrate temp IAM creds over DNS → probe API with temp creds → attempt to compromise account
GuardDuty detections along the way: malicious or suspicious IP; unusual ports; DNS exfiltration; RDP brute force; unusual traffic volume; connect to blacklisted site; recon; anonymizing proxy; temp credentials used off-instance; unusual ISP caller; Bitcoin activity; unusual instance launch
Finding Type Categories
Recon
• Port probe on unprotected port
• Outbound port scans
• Callers from anonymizing proxies
Backdoor
• Spambot or C&C activity detected
• Exfiltration over DNS channel
• Suspicious domain request
Trojan
• DGA domain request
• Blackhole traffic
• DropPoint
Unauthorized Access
• Unusual ISP caller
• SSH brute force
• RDP brute force
Stealth
• Password policy change
• CloudTrail logging disabled
• GuardDuty disabled in member account
CryptoCurrency
• Communication with Bitcoin DNS pools
• CryptoCurrency related DNS calls
• Connections to Bitcoin mining pools
Detection Flywheel
AWS Security
• Investigation of threats and patterns
• Produce threat intelligence
• Provide guidance to all service teams
Amazon GuardDuty
• Learns of new threats and patterns
• Consumes threat intelligence
• Develops new analytics
• Deploys new & updated detections
AWS Field Organizations (AWS Support / TAM, solutions architects, professional services)
Customers & Partners
• Receive a steady stream of new detections
• All benefit from learnings of any one
• Develop new detections
Rapid Pace of Iteration (timeline ending at re:Invent)
CloudWatch Events
GuardDuty Findings → Rule with event pattern:
{
  "source": [
    "aws.guardduty"
  ]
}
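The rule above only selects on source; what a security team actually wires to it is a target that understands the finding. The following is an added example, not code from the deck or from AWS: the pattern narrowed to the GuardDuty finding detail-type, a small matcher implementing the exact-value semantics of CloudWatch Events patterns so the rule can be tested offline, and a Lambda handler that bands the finding's severity (GuardDuty's documented bands: 0.1-3.9 low, 4.0-6.9 medium, 7.0-8.9 high) and pulls out the member account, finding type and remote IP. The sample event is constructed to mirror the finding envelope; its IDs and addresses are placeholders.

```python
"""Route GuardDuty findings delivered through CloudWatch Events (added example)."""
import json

# Event pattern for the CloudWatch Events rule: the deck's source filter plus the
# finding detail-type. Pattern values are lists of allowed exact values.
RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}

# Constructed sample shaped like a GuardDuty finding envelope; IDs/addresses are placeholders.
SAMPLE_EVENT = {
    "version": "0",
    "id": "6e1a3f6a-0000-4000-8000-000000000001",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "111122223333",
    "time": "2017-11-28T20:07:08Z",
    "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "111122223333",
        "region": "us-east-1",
        "id": "02b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 2,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0abcdef1234567890"},
        },
        "service": {
            "action": {
                "actionType": "NETWORK_CONNECTION",
                "networkConnectionAction": {
                    "connectionDirection": "INBOUND",
                    "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},
                    "localPortDetails": {"port": 22},
                },
            },
            "count": 37,
        },
    },
}


def matches(pattern, event):
    """Exact-value semantics of a CloudWatch Events pattern: every key in the
    pattern must exist in the event, nested objects recurse, and a leaf value
    must be one of the listed values. Content filters (prefix, numeric) are
    not modelled here."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True


def severity_label(severity):
    """GuardDuty's documented bands: 0.1-3.9 low, 4.0-6.9 medium, 7.0-8.9 high."""
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    return "LOW"


def normalise(event):
    """Flatten the fields an analyst triages on. The member account is read from
    the finding itself, so the same code works behind a central event bus."""
    d = event["detail"]
    net = d["service"]["action"].get("networkConnectionAction", {})
    return {
        "finding_id": d["id"],
        "member_account": d["accountId"],
        "region": d["region"],
        "type": d["type"],
        "category": d["type"].split(":", 1)[0],  # Recon, Backdoor, UnauthorizedAccess, ...
        "severity": d["severity"],
        "severity_label": severity_label(d["severity"]),
        "resource_type": d["resource"]["resourceType"],
        "instance_id": d["resource"].get("instanceDetails", {}).get("instanceId"),
        "direction": net.get("connectionDirection"),
        "remote_ip": net.get("remoteIpDetails", {}).get("ipAddressV4"),
        "local_port": net.get("localPortDetails", {}).get("port"),
        "count": d["service"].get("count"),
    }


def handler(event, context):
    """Lambda target of the rule: drop anything the pattern would not have let
    through, otherwise emit the normalised alert (here via print to CloudWatch Logs)."""
    if not matches(RULE_PATTERN, event):
        return None
    alert = normalise(event)
    print(json.dumps(alert))
    return alert
```

Because the basic pattern language matches exact values, filtering on severity inside the rule means enumerating every value you care about; banding in the handler keeps the rule to two keys and the thresholds in one place. Deploy handler as the Lambda target of the rule; in the multi-account layout it sits behind the central event bus unchanged, because the originating account is taken from detail.accountId rather than from the account that forwarded the event.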
Multi-Account Support
Member accounts (Account A, Account B, Account C) → CloudWatch Events → Security Team Account
GuardDuty Multi-Account Onboarding
Full GuardDuty SDK – Java, Go, Python, JS, Ruby, PHP, .Net
• Detector (Create, List, Delete, Update, Describe)
• IPSet (Create, List, Delete, Update, Describe)
• ThreatIntelSet (Create, List, Delete, Update, Describe)
• Finding (List, Get, Describe, Archive, Unarchive, Generate, UpdateFeedback)
• Member (Create, Invite, Fix, Describe, Delete, Unlink, StartMonitoring, StopMonitoring, List)
• Master (Get, Unlink, AcceptInvitation)
• Invitation (List, Get, Decline, Delete)
API, AWS CLI & AWS CloudFormation
CloudFormation supported at launch (the AWS::GuardDuty::Detector property that turns the detector on is Enable):
"BasicDetector": {
  "Type": "AWS::GuardDuty::Detector",
  "Properties": {
    "Enable": true
  }
}
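Everything on the SDK slide can be driven from a script, and the order matters: a detector must exist before lists or members can be attached to it. The following is an added example, not code from the deck or from AWS. It ensures a detector exists, registers a customer threat list (Format TXT) and runs both halves of multi-account onboarding: the security account creating and inviting members, and a member accepting only the invitation that comes from the expected master account. The method names and keyword arguments are those of the boto3 guardduty client, but the calls go to a RecordingClient stand-in so the script runs offline; pass boto3.client("guardduty") instead to run it for real. The account IDs, detector IDs, S3 URL and IP list are constructed placeholders, and the list-validation rules (IPv4 only, RFC 1918 rejected) are the example's own, not GuardDuty's.

```python
"""Detector, ThreatIntelSet, Member and Invitation calls driven offline (added example)."""
import ipaddress

# Constructed plaintext threat list (Format="TXT"): one IPv4 address or CIDR per line.
RAW_THREAT_LIST = """\
198.51.100.23
203.0.113.0/24
198.51.100.23
not-an-ip
10.0.0.7
"""

# Python's is_private also flags the documentation ranges used above, so RFC 1918 is explicit.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def prepare_txt_list(raw):
    """Validate and deduplicate a TXT list before uploading it to S3.
    Rules are this example's own: IPv4 addresses/CIDRs only, hosts written
    without /32, and anything overlapping RFC 1918 rejected so an internal
    address cannot accidentally become a 'known bad' indicator."""
    kept, rejected, seen = [], [], set()
    for line in (l.strip() for l in raw.splitlines()):
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        if net.version != 4 or any(net.overlaps(r) for r in RFC1918):
            rejected.append(line)
            continue
        text = str(net.network_address) if net.prefixlen == 32 else str(net)
        if text not in seen:
            seen.add(text)
            kept.append(text)
    return kept, rejected


class RecordingClient:
    """Offline stand-in for boto3.client("guardduty"): records calls, returns canned responses."""
    def __init__(self, responses):
        self.responses, self.calls = responses, []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return self.responses.get(name, {})
        return call


def ensure_detector(gd):
    """One detector per account per region: reuse it, or create an enabled one."""
    ids = gd.list_detectors().get("DetectorIds", [])
    return ids[0] if ids else gd.create_detector(Enable=True)["DetectorId"]


def register_threat_list(gd, detector_id, name, s3_url):
    """Activate a customer threat list; matches in VPC Flow / DNS logs raise findings."""
    resp = gd.create_threat_intel_set(DetectorId=detector_id, Name=name, Format="TXT",
                                      Location=s3_url, Activate=True)
    return resp["ThreatIntelSetId"]


def onboard_members(gd, detector_id, accounts):
    """Security (master) account side: create member records, then invite them."""
    gd.create_members(DetectorId=detector_id,
                      AccountDetails=[{"AccountId": a, "Email": e} for a, e in accounts])
    resp = gd.invite_members(DetectorId=detector_id, AccountIds=[a for a, _ in accounts],
                             DisableEmailNotification=True, Message="Central GuardDuty monitoring")
    return [u["AccountId"] for u in resp.get("UnprocessedAccounts", [])]


def accept_invitation_from(gd, detector_id, expected_master):
    """Member side: accept only the invitation from the expected security account.
    Accepting any pending invitation would hand finding visibility, and the power
    to stop monitoring, to whichever account sent it."""
    for inv in gd.list_invitations().get("Invitations", []):
        if inv["AccountId"] == expected_master:
            gd.accept_invitation(DetectorId=detector_id, MasterId=inv["AccountId"],
                                 InvitationId=inv["InvitationId"])
            return inv["InvitationId"]
    return None


def run_demo():
    """End-to-end run against recording clients; all IDs below are constructed."""
    security = RecordingClient({
        "list_detectors": {"DetectorIds": []},
        "create_detector": {"DetectorId": "12abc34d567e8fa901bc2d34e56789f0"},
        "create_threat_intel_set": {"ThreatIntelSetId": "98fe76dc54ba3210fe98dc76ba543210"},
        "invite_members": {"UnprocessedAccounts": []},
    })
    member = RecordingClient({
        "list_detectors": {"DetectorIds": ["0a1b2c3d4e5f60718293a4b5c6d7e8f9"]},
        "list_invitations": {"Invitations": [
            {"AccountId": "999988887777", "InvitationId": "f00d"},  # unexpected sender
            {"AccountId": "111122223333", "InvitationId": "abc123"}]},
    })
    kept, rejected = prepare_txt_list(RAW_THREAT_LIST)
    det = ensure_detector(security)
    tis = register_threat_list(security, det, "corp-threat-list",
                               "https://s3.amazonaws.com/example-bucket/threat-list.txt")
    failed = onboard_members(security, det, [("222233334444", "secops@example.com")])
    accepted = accept_invitation_from(member, ensure_detector(member), "111122223333")
    return {"kept": kept, "rejected": rejected, "detector": det, "threat_set": tis,
            "failed_invites": failed, "accepted": accepted,
            "security_calls": [c for c, _ in security.calls],
            "member_calls": [c for c, _ in member.calls]}


if __name__ == "__main__":
    print(run_demo())
```

Two points carry over to a real deployment: create_members and invite_members both return UnprocessedAccounts, so treat a non-empty list as a failure rather than assuming every member was onboarded; and the member-side filter on the inviting account ID is the control that stops a stray or malicious invitation from making someone else's account your GuardDuty master.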
Pricing
AWS CloudTrail analysis
• $4.00 per 1,000,000 events
VPC Flow Log + DNS Query Log Analysis
• First 500 GB/month $1.00 per GB
• Next 2000 GB/month $0.50 per GB
• Over 2500 GB/month $0.25 per GB
One month free trial
Fourteen Regions Supported Today!
• US East (N. Virginia)
• US East (Ohio)
• US West (N. California)
• US West (Oregon)
• Canada (Central)
• EU (Ireland)
• EU (Frankfurt)
• EU (London)
• Asia Pacific (Singapore)
• Asia Pacific (Sydney)
• Asia Pacific (Seoul)
• Asia Pacific (Tokyo)
• Asia Pacific (Mumbai)
• South America (Sao Paulo)
Eight Languages Supported Today!
• Chinese
• English
• French
• German
• Japanese
• Korean
• Portuguese
• Spanish
GuardDuty Partners
Integration patterns (architecture slides)
• Single account: Amazon GuardDuty → Amazon CloudWatch Events → AWS Lambda
• Single account: Amazon GuardDuty → Amazon CloudWatch Events → Amazon Kinesis Firehose → Amazon ES
• Multi-account: each account's Amazon GuardDuty → CloudWatch Events → central CloudWatch EventBus in the Security Analysis account
• Central processing: central CloudWatch EventBus → central processing Lambda → Kinesis Firehose → Amazon ES
• Central processing with a per-account GuardDuty topic in Pulsar alongside the Kinesis Firehose → Amazon ES path
Amazon GuardDuty Result Samples
• Anomaly Detection: Potentially sensitive API calls from an unusual ISP
• Amazon GuardDuty sent an alert when I was making AWS CloudTrail calls
from a relative’s house without being on VPN.
• DNS Log analysis: Potential C&C Activity
• Amazon GuardDuty identified one of our honeypots after the honeypot
began sending outbound requests to a domain designated as a C&C.
• VPC Flow: Unprotected ports being probed by a malicious IP
• Amazon GuardDuty allows us to add weight to existing notifications that
warn of insecure security group configurations by alerting on probes and
brute force attempts on unprotected ports.
Amazon GuardDuty Takeaways
• Painless setup with transparent pricing for first 30 days.
• Allowed our team to focus on findings and integrations rather than maintaining the
service itself.
• More than just IDS on Amazon VPC Flow Logs – The combination of AWS CloudTrail,
DNS Logs, Threat Intel, and Machine Learning yield high caliber, informed findings.
• The Amazon GuardDuty team has been quick to iterate on feedback and continually
improve the service, so we are excited to continue working with Amazon GuardDuty
and the evolution of the service.
THANK YOU! https://aws.amazon.com/GuardDuty
