Join us for this chalk talk, where we discuss several AWS services involved with threat detection and remediation, including Amazon GuardDuty, Amazon Macie, and AWS Config. We walk you through real-world threat scenarios and answer your questions about how to approach threat detection on AWS. For each scenario, we review methods to remediate the threat using GuardDuty, Macie, and AWS Config, and other services, including AWS CloudFormation, Amazon S3, AWS CloudTrail, Amazon VPC flow logs, Amazon CloudWatch Events, Amazon SNS, DNS logs, AWS Lambda, and Amazon Inspector.

1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Continuous security monitoring and
threat detection with AWS services
Ross Warren
Security Specialist, AWS WWCS Geo Solution Architect
Amazon Web Services
S E C 2 0 6

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Attacker life cycle: Stages
Reconnaissance
Establish
foothold
Escalate
privileges
Internal
reconnaissance
Maintain
persistence

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Attacker life cycle: Attacker actions
RDP brute
force
RAT
installed
Exfiltrate
data over
DNS
Probe API
with temp
creds
Attempt to
compromise
account

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Attacker life cycle: Amazon GuardDuty findings
RDP brute
force
RAT
installed
Exfiltrate
data over
DNS
Probe API
with temp
creds
Attempt to
compromise
account
Malicious or
suspicious IP
Unusual ports
DNS exfiltration
Unusual traffic volume
Connect to blacklisted site
Recon:EC2/PortProbeUnprotectedPort
Anonymizing proxy
Temp credentials
used off-instance
Unusual ISP caller
Bitcoin activity
Unusual instance launch

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Problem statements
Large volume of
alerts, and the need
to prioritize and
take action
3
Dozens of security
tools with different
data formats
2
Many compliance
requirements, and
not enough time to
build the checks
1
Too many security
alerts
Too many security
alert formats
Backlog of
compliance
requirements
Lack of an
integrated view of
security and
compliance across
accounts
4
Lack of an
integrated view

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Lessons learned from incident response
Use a strong tagging strategy!

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Lessons learned from incident response
• Questions to ask during the investigation
• Is this finding a true positive?
• is the event an unusual activity or more?
• Where did the incident occur?
• Who reported or discovered the incident?
• How was it discovered?
• Are there any other areas that have been compromised by the incident? If so, what are they and when
were they discovered?
• What is the scope of the impact?
• What is the business impact?
• Have the source(s) of the incident been located? If so, where, when, and what are they?

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Lessons learned from incident response
Enrich findings and get the full picture of your environment
Network intrusion detection
Firewall alerts
AWS WAF alerts
Identity (UBA)
Endpoint and compute events (AV, EDR)
OS-level Information
Application level logs
Centralize GuardDuty findings into a SIEM

9. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Use case 1: Centralized security and compliance
workspace
Goal
Have a single pane of glass to view, triage, and take action on AWS security
and compliance issues across accounts
Personas
SecOps, compliance, and/or DevSecOps teams focused on AWS, Cloud
Centers of Excellence, the first security hire
Key processes
example
1. Ingest findings from finding providers
2. High-volume and well-known findings are programmatically routed to
remediation workflows, which include updating the status of the finding
3. Remaining findings are routed to analysts via an on-call management
system, and they use ticketing and chat systems to resolve them
“Taking action”
integrations
Ticketing systems, chat systems, on-call management systems, SOAR
platforms, customer-built remediation playbooks

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Use case 2: Centralized routing to a SIEM
Goal
Easily route all AWS security and compliance findings in a normalized format
to a centralized SIEM or log management tool
Personas SecOps, compliance, and/or DevSecOps teams
Key processes
example
1. Ingest findings from finding providers
2. All findings are routed via Amazon CloudWatch Events to a central SIEM
that stores AWS and on-premises security and compliance data
3. Analyst workflows are linked to the central SIEM
“Taking action”
integrations
SIEM

12. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

13. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat response: Detailed playbook
Amazon
CloudWatch
Events
AWS
CloudTrail
AWS Config
Lambda
function
AWS APIs
Detect
Investigate
Respond
Team
collaboration
(Slack, etc.)
Amazon
GuardDuty
VPC Flow Logs
Amazon
Inspector
Amazon Macie
AWS Security Hub

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Taking action with Security Hub
Security Hub CloudWatch Events
GuardDuty
Amazon Inspector
Macie
Third-party providers

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Taking action on all findings

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Event pattern examples {
“source”: [
“aws.securityhub”
],
“detail-type”: [
“Security Hub Findings”
],
“detail”: {
“findings”: {
“Resources”: {
“Tags”: {
“Environment”: [
“PCI”
]
}
}
}
}
}
Filter by tags

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Event pattern examples
Filter by severity
{
“source”: [
“aws.securityhub”
],
“detail-type”: [
“Security Hub Findings”
],
“detail”: {
“findings”: {
“Severity”: {
“Normalized”: [
95,
96,
97,
98,
99,
100
]
}}}}

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Custom actions in Security Hub

20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Custom actions in Security Hub
Rule
Event
{
"source": [
"aws.securityhub"
],
"resources": [
"arn:aws:securityhub:us-west-
2:xxxxxxxxxxxx:action/custom/send_to_email"
]
}

21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Custom actions in Security Hub
Rule
Event
Rule
Event
Rule
Event
Run
command

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Custom actions in Security Hub

23. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Identity and Access
Management (IAM)
AWS Single Sign-On
AWS Directory Service
Amazon Cognito
AWS Organizations
AWS Secrets Manager
AWS Resource Access Manager
Security Hub
GuardDuty
AWS Config
AWS CloudTrail
Amazon
CloudWatch
VPC Flow Logs
AWS Systems Manager
AWS Shield
AWS WAF
AWS Firewall Manager
Amazon Inspector
Amazon VPC
AWS KMS
AWS CloudHSM
AWS Certificate Manager
Macie
Server-side encryption
AWS Config rules
AWS Lambda
AWS Systems Manager
Identity Detect
Infrastructure
Protection
Respond
Data
Protection
Deep set of security tools

25. Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.