An Active Case Study on Insider Threat Detection in your Applications
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Nathan Case
Detection techniques
They’re inside the walls
June, 2018
What to Expect from the Session
• Introduction
• Discussion of the services used
• The insider threat
• The crunchy outer shell defense!
• Auto remediation
They’re inside the walls!
AWS security solutions
Identity: AWS Identity & Access Management (IAM), AWS Organizations, AWS Cognito, AWS Directory Service, AWS Single Sign-On
Detective control: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs
Infrastructure security: Amazon EC2 Systems Manager, AWS Shield, AWS Web Application Firewall (WAF), Amazon Inspector, Amazon Virtual Private Cloud (VPC)
Data protection: AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, Certificate Manager, Server Side Encryption
Incident response: AWS Config Rules, AWS Lambda
AWS CloudTrail
Track user activity and API usage
What can you do?
• Simplify your compliance audits by automatically recording and storing activity logs for your AWS account
• Increase visibility into your user and resource activity
• Discover and troubleshoot security and operational issues by capturing a comprehensive history of changes that occurred in your AWS account
AWS Config (detective control)
Record and evaluate configurations of your AWS resources. Enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
AWS Account Level Controls
• Get an inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change
• Know resource relationships and dependencies
Amazon GuardDuty
Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
What can you do?
• Quickly find the threats (the needle) to your environments in the sea of log data (the haystack), so you can focus on hardening your AWS environments
• Analyze billions of events across your AWS accounts for signs of risk
• Monitor for activity such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise
• Rapidly respond to malicious or suspicious behavior
VPC Flow Logs
Capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs.
What can you do?
• Record, per network interface, source and destination addresses and ports, protocol, packet and byte counts, and whether the traffic was accepted or rejected by your security groups and network ACLs
• Diagnose security group rules that are too restrictive or too permissive
• Spot traffic that should not be there: probes across many ports, connections from unexpected addresses, unexpected outbound destinations
• Keep in mind that flow logs record metadata only (no payload) and are delivered in aggregation intervals, not in real time, so they complement rather than replace on-instance capture
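The kind of detection the bullets above describe, as an added example that is not part of the original deck: a parser for the default version-2 flow log record layout and two detectors run over constructed sample lines, one for a host collecting rejections on many ports of a neighbour (recon) and one for RDP accepted from an address outside the VPC. The VPC CIDR, the scan threshold and the sample addresses are assumptions.

```python
"""Detection over VPC Flow Log records: a host probing many ports on a
neighbour (internal recon) and RDP accepted from outside the VPC.

Added example for this deck, not the presenter's code. The log lines below
are constructed; their layout is the default version-2 flow log format
(version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status). The VPC CIDR and the scan
threshold are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

VPC_CIDR = ip_network("172.31.0.0/16")   # assumption: the monitored VPC
SCAN_PORT_THRESHOLD = 5                  # assumption: distinct rejected ports before we call it a scan
TCP = 6


def parse(line):
    """Parse one flow log record into a dict with integer numeric fields.
    NODATA/SKIPDATA records carry '-' in the traffic fields; they return None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def detect(lines):
    """Return (finding, detail) tuples for an iterable of raw flow log lines."""
    findings = []
    rejected_ports = defaultdict(set)   # (src, dst) -> TCP ports the target rejected
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, dst = rec["srcaddr"], rec["dstaddr"]
        # Recon: one source collecting REJECTs on many distinct ports of one target.
        if rec["action"] == "REJECT" and rec["protocol"] == TCP:
            rejected_ports[(src, dst)].add(rec["dstport"])
        # Exposure: RDP accepted from an address that is not inside the VPC.
        if (rec["action"] == "ACCEPT" and rec["protocol"] == TCP and rec["dstport"] == 3389
                and ip_address(src) not in VPC_CIDR):
            findings.append(("rdp_from_outside",
                             f"{src} -> {dst}:3389 on {rec['interface_id']}"))
    for (src, dst), ports in rejected_ports.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append(("port_scan",
                             f"{src} probed {len(ports)} ports on {dst}: {sorted(ports)}"))
    return findings


# Constructed sample: 172.31.16.139 sweeps ports on 172.31.16.21 and gets one
# real connection; 203.0.113.7 (outside the VPC) reaches RDP; one NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 172.31.16.139 172.31.16.21 40001 22 6 1 60 1529000000 1529000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 172.31.16.139 172.31.16.21 40002 23 6 1 60 1529000000 1529000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 172.31.16.139 172.31.16.21 40003 80 6 1 60 1529000000 1529000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 172.31.16.139 172.31.16.21 40004 443 6 1 60 1529000000 1529000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 172.31.16.139 172.31.16.21 40005 3306 6 1 60 1529000000 1529000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 172.31.16.139 172.31.16.21 40006 8080 6 1 60 1529000000 1529000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 172.31.16.139 172.31.16.21 40007 443 6 20 4249 1529000000 1529000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 172.31.16.21 51234 3389 6 35 6000 1529000000 1529000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1529000000 1529000060 - NODATA
"""


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for name, detail in run_sample():
        print(name, detail)
```

Both detectors work on the accept/reject decision and the five-tuple only, which is all a flow log carries; confirming what the probing host actually sent still needs a capture on the instance.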
Amazon CloudWatch
Monitoring service for AWS cloud resources and the applications you run on AWS.
What can you do?
• Monitor resource utilization, operational performance, and overall demand patterns
• Collected metrics include CPU utilization, disk reads/writes, and network traffic
• Accessible via the AWS Management Console, web service APIs, or command line tools
• Add custom metrics of your own
• Alarms (which tie into Auto Scaling, SNS, SQS)
• Billing alerts to identify unusual account activity
Rabbit Hole!
What Can You Detect Using AWS Services?
• Infrastructure: VPC resources, connectivity, on-instance, ...
• Service: IAM, S3 buckets, billing, ...
• Application: patching, coding holes, ...
• Other?
Humans and data don’t mix
So who is inside the walls, exactly…?
- All of the enterprise employees, consultants,
contractors, and you… are the vector of breach for
your systems.
- You are the threat to your systems.
So who is inside the walls, exactly…?
- For today, pretend that insider threat is handled by your team and that insider threat includes:
  - Bad actors
  - Actors acting outside their associated role
  - Actors doing something they should be doing, but to an incorrect resource
Who is responsible?
- Please note:
  - Ownership and classification of an event is a question your team needs to talk about. It's different in each enterprise.
  - You must have one group that is a catch-all. If an action does not fall into anyone's bucket, that team is responsible.
Target of the discussion
The simple environment shown on the slide has specific needs and allows for direct detection of threats, if:
• The system has little human interaction
• Normal patterns, and timed procedures
• Limited, well-defined scope and functions
[Diagram: AWS cloud, one virtual private cloud spanning Availability Zone A and Availability Zone B, each with a Web Server and an App Server; an RDS DB instance with a standby instance (multi-AZ).]
Target of the discussion
This is more realistic:
• The system has lots of human
interaction
• No patterns, or timed procedures
• No scope
Building a crunchy outer shell
• Does not defend complex systems from an insider threat
• Does not defend simple systems either
• Do not make assumptions about the target of an insider threat
• Do not assume that the insider will be malicious
Goals of the discussion
• Unify logs/trails
• Implement similar checks in all accounts
• Unify events/findings into CloudWatch Dashboards
• Trigger CloudWatch Events based on actions in the environment
• Watch for changes, not just actions
• Set up SNS topics
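"Watch for changes, not just actions" applied to the insider definitions used earlier (an actor outside their role, or doing the right thing to the wrong resource), as an added example that is not the presenter's code: it walks CloudTrail records, uses the record's own readOnly flag to separate mutating calls from reads, and compares each call against an expectation table per role. The role table, role names, bucket names and the trimmed sample records are constructed for illustration.

```python
"""Flag CloudTrail events that are changes (not just actions) and that fall
outside the role a principal is expected to play.

Added example for this deck, not the presenter's code. The expectation
table and the sample records are constructed; the record fields used
(eventSource, eventName, readOnly, userIdentity, requestParameters) are the
standard CloudTrail record fields."""
import json
from collections import defaultdict

# Constructed expectation table: which API prefixes each role may mutate,
# and which S3 buckets it is allowed to touch at all.
ROLE_EXPECTATIONS = {
    "WebDeployRole": {"write_prefixes": ("ec2:", "autoscaling:"), "buckets": {"web-assets"}},
    "DataScienceRole": {"write_prefixes": ("s3:", "sagemaker:"), "buckets": {"ds-scratch"}},
}


def principal_role(record):
    """Return the assumed role name for a record, or the IAM user name."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        arn = ident.get("arn", "")          # arn:aws:sts::ACCT:assumed-role/ROLE/session
        return arn.split("/")[1] if "/" in arn else ""
    return ident.get("userName", "")


def action_name(record):
    """CloudTrail records the source as 'ec2.amazonaws.com'; normalise the call
    to the IAM-style 'ec2:RunInstances' form used in the expectation table."""
    service = record["eventSource"].split(".")[0]
    return f"{service}:{record['eventName']}"


def classify(record):
    """Return a list of finding strings for one CloudTrail record."""
    findings = []
    role = principal_role(record)
    action = action_name(record)
    expected = ROLE_EXPECTATIONS.get(role)
    if expected is None:
        return [f"unknown principal {role!r} performed {action}"]
    # Changes, not just actions: readOnly=false means the call mutated state.
    if record.get("readOnly") is False and not action.startswith(expected["write_prefixes"]):
        findings.append(f"{role} made a change outside its role: {action}")
    # Right action, wrong resource: an S3 call against a bucket the role does not own.
    bucket = (record.get("requestParameters") or {}).get("bucketName")
    if bucket and bucket not in expected["buckets"]:
        findings.append(f"{role} touched unexpected bucket {bucket!r} via {action}")
    return findings


def scan(records):
    """Run classify over an iterable of CloudTrail records; findings grouped by principal."""
    by_principal = defaultdict(list)
    for rec in records:
        for finding in classify(rec):
            by_principal[principal_role(rec)].append(finding)
    return dict(by_principal)


# Constructed sample records, trimmed to the fields used above.
WEB = {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/WebDeployRole/ci"}
DS = {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/DataScienceRole/alice"}
SAMPLE = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "readOnly": True,
     "userIdentity": WEB},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "readOnly": False,
     "userIdentity": WEB},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "readOnly": False,
     "userIdentity": WEB},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "readOnly": True,
     "requestParameters": {"bucketName": "web-assets", "key": "model.bin"}, "userIdentity": DS},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "readOnly": False,
     "requestParameters": {"bucketName": "ds-scratch", "key": "x"},
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE), indent=2))
```

Inside a single account this is the same logic a CloudWatch Events rule or a Lambda behind a CloudTrail-to-CloudWatch Logs subscription would run per event; the expectation table is the piece that has to be agreed with the team that owns each role, which is the ownership question the deck raises next.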
So … that happened.
Example Walkthrough: CloudWatch Events
In your AWS account, GuardDuty generates a finding and sends it to CloudWatch Events. CloudWatch Events forwards it to the CloudWatch Event Bus in the AWS master account.
{
  "account": "123456789012",
  "region": "us-west-2",
  "detail": {
    "description": "EC2 instance i-99999999 is querying a domain name that is associated with Bitcoin-related activity.",
    "resource": {
      "resourceType": "Instance",
      "instanceDetails": {
        ...
        "instanceId": "i-99999999",
        "instanceState": "running",
        ...
        "instanceType": "p2.xlarge"},
      ...
    "title": "Bitcoin-related domain name queried by EC2 instance i-99999999.",
    ...
}
Example Walkthrough: Lambda Trigger
In the AWS master account, CloudWatch Events triggers the Response Handler Lambda function, which analyzes the event by running signature logic for conditional evaluation.
{
  "account": "123456789012",
  "region": "us-west-2",
  "detail": {
    "description": "EC2 instance i-99999999...
      with Bitcoin-related activity.",
    "resource": {
      "resourceType": "Instance",
      "instanceDetails": {
        ...
        "instanceId": "i-99999999",
        "instanceState": "running",
        ...
        "instanceType": "p2.xlarge"},
      ...
    "type": "CryptoCurrency:EC2/Bitcoin..."
    ...
}
The trigger reduces the finding to the four fields the signatures are evaluated against:
"account": "123456789012",
"region": "us-west-2",
"instanceId": "i-99999999",
"type": "CryptoCurrency:EC2/Bitcoin..."
[Screenshots: CloudWatch Rules, CloudWatch Dashboard, POLICY]
Example Walkthrough: Response Handler
In the AWS master account, the Response Handler Lambda function analyzes the event by processing conditional logic to determine the responsive action, which in this case is to terminate the instance(s).
"account": "123456789012",
"region": "us-west-2",
"instanceId": "i-99999999",
"type": "CryptoCurrency:EC2/Bitcoin..."
TerminateInstanceTest:
  cloudwatch.event:
    - name: guardduty
    - identifier: "CryptoCurrency:EC2/Bitcoin..."
    - actions:
      - "ec2:TerminateInstance"
    - onlyif:
      - and:
        - region: 'us-west-2'
        - or:
          - account: 123456789012
          - account: 123456789013
Example Walkthrough: Response Handler
In the AWS master account, if the event matches a signature, the Response Handler Lambda function starts a Step Functions execution of the Raptor Response Action State Machine with the input below.
{
  "Account": "123456789012",
  "SnsNotification": true,
  "ec2": {
    "RemoveEip": false,
    "ApplySecurityGroup": false,
    "SecurityGroupName": null,
    "instanceId": ["i-99999999"],
    "region": "us-west-2",
    "Snapshot": {
      "ShareSnap": null
    },
    "StopInstance": false,
    "CreateSnapshot": false,
    "TerminateInstance": true
  },
  "sns": {...}
}
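The three walkthrough steps above (trigger extraction, signature evaluation with and/or/onlyif, and the state machine input) carried through in code, as an added example that is not the presenter's Raptor implementation. The signature is the slide's YAML expressed as Python data; because the slide elides the full finding type, the identifier is matched as a prefix. The SNS topic ARN, the extra action names (ec2:StopInstance, ec2:CreateSnapshot) and the completed finding type in the constructed event are assumptions.

```python
"""Response-handler step of the walkthrough: normalise a GuardDuty finding
delivered through CloudWatch Events to the four trigger fields, evaluate it
against a signature with and/or/onlyif conditions, and build the Step
Functions input for the response state machine.

Added example for this deck, not the presenter's code. The identifier is
matched as a prefix because the slide elides the full finding type; the SNS
topic, the extra action names and the sample event are assumptions."""
import json

# The slide's signature, in the same shape as its YAML.
SIGNATURES = {
    "TerminateInstanceTest": {
        "cloudwatch.event": [
            {"name": "guardduty"},
            {"identifier": "CryptoCurrency:EC2/Bitcoin"},
            {"actions": ["ec2:TerminateInstance"]},
            {"onlyif": [
                {"and": [
                    {"region": "us-west-2"},
                    {"or": [{"account": "123456789012"}, {"account": "123456789013"}]},
                ]},
            ]},
        ]
    }
}


def normalise(event):
    """Reduce a GuardDuty finding (CloudWatch Events envelope) to the trigger fields."""
    detail = event["detail"]
    return {
        "account": str(event["account"]),
        "region": event["region"],
        "instanceId": detail["resource"]["instanceDetails"]["instanceId"],
        "type": detail["type"],
    }


def evaluate(conditions, trigger):
    """Evaluate an onlyif block: a list of single-key dicts, all of which must hold.
    'and'/'or' nest further lists; any other key is compared with the trigger field."""
    results = []
    for clause in conditions:
        (key, value), = clause.items()
        if key == "and":
            results.append(all(evaluate([c], trigger) for c in value))
        elif key == "or":
            results.append(any(evaluate([c], trigger) for c in value))
        else:
            results.append(str(trigger.get(key)) == str(value))
    return all(results)


def match(spec, trigger):
    """Return the signature's actions if it matches the trigger, otherwise []."""
    fields = {}
    for item in spec["cloudwatch.event"]:
        fields.update(item)
    if fields["name"] != "guardduty":
        return []
    if not trigger["type"].startswith(fields["identifier"]):   # prefix: slide elides the suffix
        return []
    if not evaluate(fields.get("onlyif", []), trigger):
        return []
    return list(fields["actions"])


def build_state_machine_input(trigger, actions, sns=True):
    """Build the Step Functions input shown on the slide from the matched actions."""
    return {
        "Account": trigger["account"],
        "SnsNotification": sns,
        "ec2": {
            "RemoveEip": False,
            "ApplySecurityGroup": False,
            "SecurityGroupName": None,
            "instanceId": [trigger["instanceId"]],
            "region": trigger["region"],
            "Snapshot": {"ShareSnap": None},
            "StopInstance": "ec2:StopInstance" in actions,        # assumed action name
            "CreateSnapshot": "ec2:CreateSnapshot" in actions,    # assumed action name
            "TerminateInstance": "ec2:TerminateInstance" in actions,
        },
        "sns": {"TopicArn": "arn:aws:sns:us-west-2:123456789012:security-response"},  # assumption
    }


def handle(event):
    """Lambda-style entry point: the state machine input, or None if nothing matched."""
    trigger = normalise(event)
    for spec in SIGNATURES.values():
        actions = match(spec, trigger)
        if actions:
            return build_state_machine_input(trigger, actions)
    return None


# Constructed event with the fields the slide shows; the finding type is a
# real GuardDuty type matching the slide's description, chosen for illustration.
SAMPLE_EVENT = {
    "account": "123456789012",
    "region": "us-west-2",
    "detail": {
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-99999999",
                                         "instanceState": "running",
                                         "instanceType": "p2.xlarge"}},
    },
}

if __name__ == "__main__":
    print(json.dumps(handle(SAMPLE_EVENT), indent=2))
```

The onlyif block is where the insider-threat scoping lives: the same finding from an account or region not on the list produces no action, which is the difference between a signature that auto-terminates and one that only notifies.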
GuardDuty Findings: Threat Purpose Details
The threat purpose describes the primary purpose of the threat. Available at launch, more coming!
• Backdoor: resource compromised and capable of contacting its source home
• Behavior: activity that differs from the established baseline
• CryptoCurrency: detected software associated with cryptocurrencies
• PenTest: activity detected similar to that generated by known penetration testing tools
• Recon: attack scoping out vulnerabilities by probing ports, listening, database tables, etc.
• Stealth: attack trying to hide its actions and tracks
• Trojan: program detected carrying out suspicious activity
• UnauthorizedAccess: suspicious activity or pattern by an unauthorized user
Responding to Findings: Remediation
• Remediate a Compromised Instance
• Remediate Compromised AWS Credentials
Automatic Remediation
[Diagram: Amazon GuardDuty finding → CloudWatch Event → AWS Lambda function]
Remediation Actions
• Account Remediation
  • Remediate AWS credentials
    • PenTest
    • Recon (blacklisted IP)
    • Stealth
    • UnauthorizedAccess
  • Investigate before credential remediation
    • Behavior
    • UnauthorizedAccess
  • Architecture change
    • Recon
• Instance Remediation
  • Remediate compromised instances
    • Backdoor
    • CryptoCurrency
    • Recon (outgoing)
    • Trojan
    • UnauthorizedAccess
  • Investigate before EC2 remediation
    • Behavior
Lambda + Systems Manager + CloudWatch
[Diagram, built up over a series of slides: an Amazon GuardDuty finding matches a CloudWatch rule, which invokes a Lambda function; the Lambda function runs AWS Systems Manager documents against the EC2 instance. Successive builds add the instance's elastic network adapters and EBS volume; its security group rules, first "80, 443 -> DataSG" together with an open "3389 -> 0.0.0.0/0" rule, then only "80, 443 -> DataSG"; the commands run on the instance (top, pcap, lime: process listing, packet capture and LiME memory acquisition); an "EBS Forensics" volume; and finally an Amazon EBS snapshot of the volume.]
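The instance-remediation flow those diagrams sketch, written out as a Lambda handler; this is an added example, not the presenter's code. The EC2 and SSM clients are injected so the handler can be exercised offline against the in-memory fakes at the bottom, which return the response shapes the real boto3 calls return. The isolation security group id, the capture commands (the deck's top / pcap / lime sequence) and the sample event are assumptions; with real boto3 clients the same calls run against the account.

```python
"""Instance remediation in the shape of the deck's diagrams: GuardDuty finding
-> CloudWatch Events rule -> Lambda -> Systems Manager capture on the instance,
EBS snapshots, security-group isolation and, for a cryptocurrency finding,
termination.

Added example for this deck, not the presenter's code. Clients are injected
so it runs offline against the fakes below; ISOLATION_SG, CAPTURE_COMMANDS
and SAMPLE_EVENT are assumptions."""
import datetime

ISOLATION_SG = "sg-0123456789abcdef0"   # assumption: pre-created group with no inbound or outbound rules

# Assumed volatile-evidence commands mirroring the deck's top / pcap / lime sequence.
CAPTURE_COMMANDS = [
    "mkdir -p /forensics && top -b -n 1 > /forensics/top.txt",
    "timeout 60 tcpdump -i any -w /forensics/capture.pcap",
    "insmod /forensics/lime.ko 'path=/forensics/mem.lime format=lime'",
]


def remediate_instance(finding, ec2, ssm, terminate=False):
    """Run the playbook for one instance and return a record of what was done.
    Order matters: snapshot and capture first, because a deny-all security group
    also cuts the SSM agent off from its endpoint; never terminate before the
    snapshots exist."""
    instance_id = finding["instanceId"]
    done = {"instanceId": instance_id, "snapshots": [], "commandId": None,
            "isolated": False, "terminated": False}
    # 1. Tag the instance so people and other automation know it is under response.
    #    EC2 tag values may not contain '!', which GuardDuty finding types do.
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": "SecurityStatus", "Value": "Quarantined"},
                          {"Key": "GuardDutyFinding", "Value": finding["type"].replace("!", "_")}])
    # 2. Snapshot every attached EBS volume for offline forensics.
    instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    stamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    for mapping in instance.get("BlockDeviceMappings", []):
        snap = ec2.create_snapshot(VolumeId=mapping["Ebs"]["VolumeId"],
                                   Description=f"IR {instance_id} {finding['type']} {stamp}")
        done["snapshots"].append(snap["SnapshotId"])
    # 3. Capture volatile state through Systems Manager while the instance can still reach SSM.
    cmd = ssm.send_command(InstanceIds=[instance_id], DocumentName="AWS-RunShellScript",
                           Parameters={"commands": CAPTURE_COMMANDS})
    done["commandId"] = cmd["Command"]["CommandId"]
    # 4. Isolate: replace every security group on the instance with the deny-all group.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[ISOLATION_SG])
    done["isolated"] = True
    # 5. Terminate only if asked to, and only once the evidence is preserved.
    if terminate and done["snapshots"]:
        ec2.terminate_instances(InstanceIds=[instance_id])
        done["terminated"] = True
    return done


def lambda_handler(event, context=None, ec2=None, ssm=None):
    """Entry point for the CloudWatch Events rule; real boto3 clients unless fakes are passed."""
    if ec2 is None or ssm is None:
        import boto3   # only imported inside Lambda, where it is available
        ec2 = ec2 or boto3.client("ec2", region_name=event["region"])
        ssm = ssm or boto3.client("ssm", region_name=event["region"])
    detail = event["detail"]
    finding = {"instanceId": detail["resource"]["instanceDetails"]["instanceId"],
               "type": detail["type"]}
    return remediate_instance(finding, ec2, ssm,
                              terminate=detail["type"].startswith("CryptoCurrency:"))


# In-memory fakes (constructed) returning the boto3 response shapes used above.
class FakeEC2:
    def __init__(self):
        self.calls, self.groups = [], ["sg-web"]

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))

    def describe_instances(self, **kw):
        self.calls.append(("describe_instances", kw))
        return {"Reservations": [{"Instances": [{
            "InstanceId": kw["InstanceIds"][0],
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0aaa"}},
                                    {"Ebs": {"VolumeId": "vol-0bbb"}}]}]}]}

    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": "snap-" + kw["VolumeId"][4:]}

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))
        self.groups = kw["Groups"]

    def terminate_instances(self, **kw):
        self.calls.append(("terminate_instances", kw))


class FakeSSM:
    def send_command(self, **kw):
        return {"Command": {"CommandId": "cmd-0001", "DocumentName": kw["DocumentName"]}}


SAMPLE_EVENT = {   # constructed; same shape as the slide's finding
    "account": "123456789012", "region": "us-west-2",
    "detail": {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-99999999"}}},
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, ec2=FakeEC2(), ssm=FakeSSM()))
```

The Lambda role needs exactly the calls made here (ec2:CreateTags, ec2:DescribeInstances, ec2:CreateSnapshot, ec2:ModifyInstanceAttribute, ec2:TerminateInstances, ssm:SendCommand) and nothing broader; the deck's IAM policy slide is the place that list ends up.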
IAM Policies
[Screenshot: LAMBDA POLICY]
Demo

 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

An Active Case Study on Insider Threat Detection in your Applications

  • 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Nathan Case. Detection techniques: They’re inside the walls. June, 2018
  • 2. What to Expect from the Session
    - Introduction
    - Discussion of the services used
    - The insider threat
    - The crunchy outer shell defense!
    - Auto remediation
  • 3. They’re inside the walls!
  • 4. AWS security solutions (service map). Services shown: AWS Identity & Access Management (IAM), AWS Organizations, AWS Cognito, AWS Directory Service, AWS Single Sign-On, AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs, Amazon EC2 Systems Manager, AWS Shield, AWS Web Application Firewall (WAF), Amazon Inspector, Amazon Virtual Private Cloud (VPC), AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, Certificate Manager, Server Side Encryption, AWS Config Rules, AWS Lambda. Categories: Identity, Detective control, Infrastructure security, Incident response, Data protection.
  • 5. AWS CloudTrail: Track user activity and API usage. What can you do?
    - Simplify your compliance audits by automatically recording and storing activity logs for your AWS account
    - Increase visibility into your user and resource activity
    - Discover and troubleshoot security and operational issues by capturing a comprehensive history of changes that occurred in your AWS account
  • 6. AWS Config (Detective control, AWS Account Level Controls): Record and evaluate configurations of your AWS resources. Enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
    - Get an inventory of AWS resources
    - Discover new and deleted resources
    - Record configuration changes continuously
    - Get notified when configurations change
    - Know resource relationships and dependencies
  • 7. Amazon GuardDuty: Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads. What can you do?
    - Quickly find the threats (needle) to your environments in the sea of log data (haystack) so you can focus on hardening your AWS environments
    - Analyzes billions of events across your AWS accounts for signs of risk
    - Monitors for activity such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise
    - Rapidly respond to malicious or suspicious behavior
  • 8. VPC Flow Logs: Capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs. What can you do?
    - Simplify your compliance audits by automatically recording and storing activity logs for your AWS account
    - Increase visibility into your user and resource activity
    - Discover and troubleshoot security and operational issues by capturing a comprehensive history of changes that occurred in your AWS account
  • 9. Amazon CloudWatch: Monitoring service for AWS cloud resources and the applications you run on AWS. What can you do?
    - Monitor resource utilization, operational performance, and overall demand patterns
    - Collected metrics include CPU utilization, disk reads/writes, and network traffic
    - Accessible via the AWS Management Console, web service APIs, or command line tools
    - Add custom metrics of your own
    - Alarms (which tie into auto-scaling, SNS, SQS)
    - Billing alerts to identify unusual account activity
  • 10. Rabbit Hole! What Can You Detect Using AWS Services?
    - Infrastructure: VPC, resources, connectivity, on-instance, ...
    - Service: IAM, S3 buckets, billing, ...
    - Application: patching, coding hole, ...
    - Other?
  • 11. Humans and data don’t mix
  • 12. So who is inside the walls, exactly…?
    - All of the enterprise employees, consultants, contractors, and you… are the vector of breach for your systems.
    - You are the threat to your systems.
  • 13. So who is inside the walls, exactly…?
    - For today, pretend that insider threat is handled by your team and that insider threat includes:
      - Bad actors
      - Actors acting outside their associated role
      - Actors doing something they should be doing, but to an incorrect resource
  • 14. Who is responsible? Please note:
    - Ownership and classification of an event is a question your team needs to talk about. It’s different in each enterprise.
    - You must have one group that is a catch-all. If an action does not fall into anyone’s bucket, that team is responsible.
  • 15. Target of the discussion. The simple environment to the left (diagram: AWS cloud, virtual private cloud, Availability Zone A and Availability Zone B, each with a web server and an app server; an RDS DB instance with a standby instance (multi-AZ)) has specific needs and allows for direct detection of threats, if:
    - The system has little human interaction
    - Normal patterns, and timed procedures
    - Limited, well-defined scope and functions
  • 16. Target of the discussion. This is more realistic:
    - The system has lots of human interaction
    - No patterns, or timed procedures
    - No scope
  • 17. Building a crunchy outer shell
    - Does not defend complex systems from an insider threat
    - Does not defend simple systems either
    - Do not make assumptions about the target of an insider threat
    - Do not assume that the target will be malicious
  • 18. Goals of the discussion
    - Unify logs/trail
    - Implement similar checks in all accounts
    - Unify events/findings into CloudWatch Dashboards
    - Trigger CloudWatch Events based on actions in the environment
    - Watch for changes, not just actions
    - Set up SNS topics
  • 19. So … that happened.
  • 20. Example Walkthrough: CloudWatch Events. In your AWS account, GuardDuty generates a finding and sends it to CloudWatch Events. CloudWatch Events forwards it to the CloudWatch Event Bus in the AWS Master Account.
        {
          "account": "123456789012",
          "region": "us-west-2",
          "detail": {
            "description": "EC2 instance i-99999999 is querying a domain name that is associated with Bitcoin-related activity.",
            "resource": {
              "resourceType": "Instance",
              "instanceDetails": {
                ...
                "instanceId": "i-99999999",
                "instanceState": "running",
                ...
                "instanceType": "p2.xlarge"},
            ...
            "title": "Bitcoin-related domain name queried by EC2 instance i-99999999.",
            ...
        }
  • 21. Example Walkthrough: Lambda Trigger. In the AWS Master Account, CloudWatch Events triggers the Response Handler Lambda function to analyze the event by processing signature logic for conditional evaluation.
        {
          "account": "123456789012",
          "region": "us-west-2",
          "detail": {
            "description": "EC2 instance i-99999999... with Bitcoin-related activity.",
            "resource": {
              "resourceType": "Instance",
              "instanceDetails": {
                ...
                "instanceId": "i-99999999",
                "instanceState": "running",
                ...
                "instanceType": "p2.xlarge"},
            ...
            "type": "CryptoCurrency:EC2/Bitcoin..."
            ...
        }
        Reduced to the fields the handler evaluates:
        "account": "123456789012", "region": "us-west-2", "instanceId": "i-99999999", "type": "CryptoCurrency:EC2/Bitcoin..."
  • 22. CloudWatch Rules (screenshot): CloudWatch Dashboard, POLICY
  • 23. CloudWatch Rules (screenshot): CloudWatch Dashboard, POLICY
  • 24. Example Walkthrough: Response Handler. In the AWS Master Account, the Response Handler Lambda function analyzes the event by processing conditional logic to determine the responsive action, which in this case is to terminate the instance(s).
        Extracted fields: "account": "123456789012", "region": "us-west-2", "instanceId": "i-99999999", "type": "CryptoCurrency:EC2/Bitcoin..."
        Signature:
        TerminateInstanceTest:
          cloudwatch.event:
            - name: guardduty
            - identifier: "CryptoCurrency:EC2/Bitcoin..."
            - actions:
                - "ec2:TerminateInstance"
            - onlyif:
                - and:
                    - region: 'us-west-2'
                    - or:
                        - account: 123456789012
                        - account: 123456789013
  • 25. Example Walkthrough: Response Handler. In the AWS Master Account, if the event matches a signature (the TerminateInstanceTest signature shown on slide 24), the Response Handler Lambda function initiates a Step Functions execution of the Raptor Response Action State Machine with this input:
        {
          "Account": "123456789012",
          "SnsNotification": true,
          "ec2": {
            "RemoveEip": false,
            "ApplySecurityGroup": false,
            "SecurityGroupName": null,
            "instanceId": ["i-99999999"],
            "region": "us-west-2",
            "Snapshot": { "ShareSnap": null },
            "StopInstance": false,
            "CreateSnapshot": false,
            "TerminateInstance": true
          },
          "sns": {...}
        }
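The walkthrough on slides 20 to 25 as an added example (not the Raptor response handler's code from the talk): a Lambda handler that reduces the GuardDuty finding to the four fields of slide 21, evaluates the TerminateInstanceTest signature's onlyif clause, and builds the state-machine input of slide 25. Holding the signature as a Python dict, prefix-matching the identifier against the finding type, deriving the ec2 flags from the actions list, and the sample finding are assumptions made here.

```python
"""Signature matching for GuardDuty findings delivered via CloudWatch Events.
Added illustration, not the Raptor response handler's own code: the dict form of
the signature, identifier prefix matching and the action-flag mapping are assumptions."""

# The slide's TerminateInstanceTest signature, as a dict instead of YAML (constructed).
SIGNATURES = {
    "TerminateInstanceTest": {
        "name": "guardduty",
        "identifier": "CryptoCurrency:EC2/Bitcoin",
        "actions": ["ec2:TerminateInstance"],
        "onlyif": {"and": [
            {"region": "us-west-2"},
            {"or": [{"account": "123456789012"}, {"account": "123456789013"}]},
        ]},
    },
}

# Constructed sample finding in the shape of slides 20 and 21 (fields not used here elided).
SAMPLE_EVENT = {
    "account": "123456789012",
    "region": "us-west-2",
    "detail": {
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-99999999", "instanceState": "running"}},
    },
}


def extract_fields(event):
    """Reduce the full finding to the four fields the handler keys on (slide 21)."""
    detail = event.get("detail", {})
    instance = detail.get("resource", {}).get("instanceDetails", {})
    return {"account": str(event.get("account", "")),
            "region": event.get("region", ""),
            "instanceId": instance.get("instanceId"),
            "type": detail.get("type", "")}


def evaluate(cond, fields):
    """Evaluate an onlyif clause: {'and': [...]}, {'or': [...]} or a {field: value} leaf."""
    if "and" in cond:
        return all(evaluate(c, fields) for c in cond["and"])
    if "or" in cond:
        return any(evaluate(c, fields) for c in cond["or"])
    (key, value), = cond.items()  # a leaf is exactly one field/value pair
    # Compare as strings: the YAML writes accounts as bare numbers, the event as strings.
    return str(fields.get(key)) == str(value)


def matching_signatures(event, signatures=SIGNATURES):
    """Names of the signatures whose identifier prefix and onlyif clause both match."""
    fields = extract_fields(event)
    return [name for name, sig in signatures.items()
            if fields["type"].startswith(sig["identifier"])
            and evaluate(sig.get("onlyif", {"and": []}), fields)]


def build_state_machine_input(event, sig):
    """Build the Raptor state-machine input of slide 25 from the finding and a
    matched signature; the ec2 flags are derived from the signature's actions list."""
    fields, actions = extract_fields(event), set(sig["actions"])
    return {
        "Account": fields["account"],
        "SnsNotification": True,
        "ec2": {
            "RemoveEip": False,
            "ApplySecurityGroup": False,
            "SecurityGroupName": None,
            "instanceId": [fields["instanceId"]],
            "region": fields["region"],
            "Snapshot": {"ShareSnap": None},
            "StopInstance": "ec2:StopInstance" in actions,
            "CreateSnapshot": "ec2:CreateSnapshot" in actions,
            "TerminateInstance": "ec2:TerminateInstance" in actions,
        },
        "sns": {},  # the slide elides the SNS block
    }


def lambda_handler(event, context=None):
    """Lambda entry point: one state-machine input per matched signature (the
    StepFunctions StartExecution call is left out so this runs offline)."""
    return [build_state_machine_input(event, SIGNATURES[n]) for n in matching_signatures(event)]
```

A finding from an account or region outside the onlyif clause, or of a different finding type, produces no state-machine input, which is the whole point of the conditional evaluation on slide 24.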
  • 26. GuardDuty Findings: Threat Purpose. Describes the primary purpose of the threat. Available at launch, more coming!
    - Backdoor: resource compromised and capable of contacting source home
    - Behavior: activity that differs from established baseline
    - CryptoCurrency: detected software associated with crypto currencies
    - PenTest: activity detected similar to that generated by known pen testing tools
    - Recon: attack scoping vulnerabilities by probing ports, listening, database tables, etc.
    - Stealth: attack trying to hide actions / tracks
    - Trojan: program detected carrying out suspicious activity
    - UnauthorizedAccess: suspicious activity / pattern by unauthorized user
  • 27. Responding to Findings: Remediation. Automatic remediation flow (diagram): Amazon GuardDuty finding -> Amazon CloudWatch Event -> AWS Lambda function.
    - Remediate a compromised instance
    - Remediate compromised AWS credentials
  • 28. Remediation Actions
    - Account remediation
      - Remediate AWS credentials: PenTest, Recon (black-listed IP), Stealth, UnauthorizedAccess
      - Investigate before credential remediation: Behavior, UnauthorizedAccess
      - Architecture change: Recon
    - Instance remediation
      - Remediate compromised instances: Backdoor, CryptoCurrency, Recon (outgoing), Trojan, UnauthorizedAccess
      - Investigate before EC2 remediation: Behavior
  • 29–40. Lambda + Systems Manager + CloudWatch (diagram sequence, one step per slide). Components: Amazon GuardDuty finding, Amazon CloudWatch rule, AWS Lambda function, AWS Systems Manager documents, EC2 instance contents (Instance:~ ec2-user$ _). As the sequence progresses the diagram adds the instance's two elastic network adapters, its EBS volume, and the security group rules "80, 443 -> DataSG" and "3389 -> 0.0.0.0/0"; then shows only one elastic network adapter and only the "80, 443 -> DataSG" rule; then Systems Manager commands run on the instance (Instance:~ ec2-user$ top, Instance:~ ec2-user$ pcap, Instance:~ ec2-user$ lime); then "EBS Forensics"; and finally an Amazon EBS snapshot of the EBS volume.
  • 41. IAM Policies (screenshot): LAMBDA POLICY
  • 42. IAM Policies (screenshot): LAMBDA POLICY
  • 43. Demo