© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:Invent
SecOps 2021 Today: Using AWS Services to Deliver SecOps
Alex Maestretti – Netflix – Engineering Manager – Security Intelligence and Response Team
Armando Leite – AWS – Snr Manager – Rapid Prototyping & Solution Builder Globals Team
SID304
November 29, 2017
2021?
1. Protect
2. Adapt
3. Respond
1. Protect
A first use case
Diagram: EC2:RunInstances launches EC2 instances (a Web server and an App server), each placed in its own security group.
1. Use of approved AMIs with the right placement
RunInstances (AMI-xxxx, VPC + Subnet…) on Amazon EC2 raises an event that matches this CloudWatch Events pattern:

{ "source": [ "aws.ec2" ],
  "detail": { "state": [ "pending" ] } }

Evaluate:
- What
- Where
- Is it ok?

If no: Terminate, requested through an activeResponse event:

{
  "detail-type": [ "activeResponse" ],
  "detail": {
    "actionsRequested": [ "instanceTermination" ]
  }
}
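As an added example (not code from the talk or from the awslabs sample repository), here is the Evaluate step of this flow in Python: it matches the "pending" event pattern from the slide, answers What / Where / Is it ok? against an approved-AMI and approved-subnet list, and emits the activeResponse event shown above. The approved lists, the sample event, the instance view and the event's `source` name are constructed.

```python
"""Added example: 'Evaluate' step for the EC2 RunInstances use case.
Approved AMIs/subnets, the sample event and the instance view are constructed."""

# Constructed policy: which AMIs may run, and in which subnets (placement).
APPROVED_AMIS = {"ami-0aaaa1111": "hardened-web", "ami-0bbbb2222": "hardened-app"}
APPROVED_SUBNETS = {"subnet-0web0001": "web-tier", "subnet-0app0001": "app-tier"}

# The CloudWatch Events pattern from the slide: EC2 state change into "pending".
EVENT_PATTERN = {"source": ["aws.ec2"], "detail": {"state": ["pending"]}}

# Constructed sample of the EC2 state-change event CloudWatch delivers.
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "EC2 Instance State-change Notification",
    "detail": {"instance-id": "i-0123456789abcdef0", "state": "pending"},
}


def matches_pattern(event, pattern=EVENT_PATTERN):
    """Minimal event-pattern matcher: each pattern key must be present and,
    at a leaf, the pattern list must contain the event's value."""
    for key, want in pattern.items():
        if key not in event:
            return False
        if isinstance(want, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], want):
                return False
        elif event[key] not in want:
            return False
    return True


def evaluate(instance):
    """What (AMI), Where (subnet), Is it ok? `instance` is the DescribeInstances
    view of the launched instance; passing it in keeps the check offline."""
    findings = []
    if instance.get("ImageId") not in APPROVED_AMIS:
        findings.append(f"unapproved AMI {instance.get('ImageId')}")
    if instance.get("SubnetId") not in APPROVED_SUBNETS:
        findings.append(f"unapproved placement {instance.get('SubnetId')}")
    return findings


def active_response(instance_id, findings):
    """The activeResponse event from the slide. detail-type and actionsRequested
    are as on the page; 'source', 'instanceId' and 'reason' are our additions
    so the terminating handler can act on and record the decision."""
    return {
        "source": "secops.evaluator",          # constructed source name
        "detail-type": "activeResponse",
        "detail": {
            "actionsRequested": ["instanceTermination"],
            "instanceId": instance_id,
            "reason": findings,
        },
    }


def handler(event, instance):
    """Returns None when the event is not ours or the launch is OK; otherwise
    the activeResponse event to put on the bus (e.g. via events.put_events)."""
    if not matches_pattern(event):
        return None
    findings = evaluate(instance)
    if not findings:
        return None
    return active_response(event["detail"]["instance-id"], findings)
```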
Our message router
Route events:
- Platform native filters/events
- Custom filters
Our message handlers
Context was hardcoded…
Spectrum of options
Diagram: a spectrum from Signal to Noise, with response options ranging from Gather, Collate, Alert, Enrich and Measure to Correct, Stop and Remediate.
Context:
1. Static (ex: add metadata)
2. Situational
Static context: Account Metadata
Diagram (two slides): Request / Retrieve.
CloudTrail aggregation
Diagram: CloudTrail from Account 1, Account 2 … Account N delivers into a CloudTrail aggregation bucket in the Security account, where an alert indexer and triage/classification rules process it.
- Automated configuration to enable logging and aggregation destination
- Log files deposited in S3 bucket under Security Account
- SNS notifies Lambda of new events available for processing
- Each Lambda evaluates a specific compliance item or misuse case
- Rules engines help define action to take based on asset and environment
- If dictated by rules engine, event results in notification via email (ex: critical events)
- Alerts preserved in DynamoDB for reporting and indexing of raw data
- All processing in Security Account (ex: no external dependencies to add new logic, log processing...)
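Added example (not the talk's code) of one rule Lambda in this pipeline: it takes the SNS notification CloudTrail sends for a new log file, reads the gzipped file from the aggregation bucket, runs one misuse-case rule per record and lets a small rules engine pick the action from the account's environment (the static context from the earlier slide). The account map, the rule, the sample log and the in-memory bucket are constructed; in production `fetch` would be an S3 get_object call.

```python
"""Added example: a per-rule Lambda over aggregated CloudTrail logs.
Everything below the imports is constructed sample data or our own logic."""
import gzip
import json

# Static context (see "Static context: Account Metadata"): account -> environment.
ACCOUNT_ENV = {"111111111111": "prod", "222222222222": "dev"}

# Constructed CloudTrail log file as it would sit in the aggregation bucket.
SAMPLE_RECORDS = {"Records": [
    {"eventID": "e-1", "eventName": "AuthorizeSecurityGroupIngress",
     "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev1"},
     "requestParameters": {"groupId": "sg-0abc", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventID": "e-2", "eventName": "AuthorizeSecurityGroupIngress",
     "recipientAccountId": "222222222222",
     "userIdentity": {"arn": "arn:aws:iam::222222222222:user/dev2"},
     "requestParameters": {"groupId": "sg-0def", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
]}
BUCKET = {"AWSLogs/111111111111/CloudTrail/us-east-1/2017/11/29/sample.json.gz":
          gzip.compress(json.dumps(SAMPLE_RECORDS).encode())}

# Constructed SNS->Lambda event carrying CloudTrail's "new log file" message.
SAMPLE_SNS_EVENT = {"Records": [{"Sns": {"Message": json.dumps({
    "s3Bucket": "cloudtrail-aggregation", "s3ObjectKey": list(BUCKET)})}}]}


def keys_from_sns(event):
    """CloudTrail's SNS message lists the new object keys under s3ObjectKey."""
    keys = []
    for rec in event["Records"]:
        msg = json.loads(rec["Sns"]["Message"])
        keys.extend(msg.get("s3ObjectKey", []))
    return keys


def fetch(key):
    """Stand-in for s3.get_object(Bucket=..., Key=key)['Body'].read()."""
    return BUCKET[key]


def rule_open_admin_port(record):
    """Misuse case: a security group rule opens SSH/RDP to the whole internet."""
    if record.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        ranges = perm.get("ipRanges", {}).get("items", [])
        if perm.get("fromPort") in (22, 3389) and any(r.get("cidrIp") == "0.0.0.0/0" for r in ranges):
            return {"rule": "open-admin-port", "severity": "critical",
                    "group": record["requestParameters"].get("groupId")}
    return None


def decide_actions(alert, environment):
    """Rules engine: the action depends on the finding and where the asset lives."""
    actions = ["index"]                      # every alert is preserved (DynamoDB)
    if alert["severity"] == "critical" and environment == "prod":
        actions.append("email")              # critical in prod -> notify
    return actions


def process_file(key, rules=(rule_open_admin_port,)):
    records = json.loads(gzip.decompress(fetch(key)))["Records"]
    alerts = []
    for rec in records:
        for rule in rules:
            hit = rule(rec)
            if hit:
                env = ACCOUNT_ENV.get(rec.get("recipientAccountId"), "unknown")
                hit.update(account=rec.get("recipientAccountId"), environment=env,
                           eventID=rec.get("eventID"),
                           actor=rec.get("userIdentity", {}).get("arn"),
                           actions=decide_actions(hit, env))
                alerts.append(hit)
    return alerts


def handler(event, context=None):
    """Lambda entry point: one SNS notification may list several log files."""
    return [a for key in keys_from_sns(event) for a in process_file(key)]
```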
2. Adapt
Use Case: Adaptive security controls
1. Situational awareness
2. Adjust security posture
3. Stealth
Diagram: an Auto Scaling group of Web server EC2 instances in a security group, reached over SSH.
Demo – event flow (1 – Standard)
Modes: 1 – Standard, 2 – Enhanced, 3 – Active
Diagram: Auto Scaling groups of Web server and App server EC2 instances, each in its own security group; CloudWatch collects Syslog, Flowlogs and CloudTrail. An SSH login raises a custom CloudWatch Event (CWECustom), which is checked: Logon ok? Logon is OK!
In standard operation, we are observant
Control:
- Security agent loaded in instance
- Logons tracked
Monitoring:
- We gather data covering API activity (CloudTrail), network (Flowlogs) and also in-instance activity (Syslog)
Fix:
- We are good
Demo – event flow (2 – Enhanced)
Diagram: same fleet and log feeds; the SSH login (CWECustom) is checked again: Logon ok? Logon NOT ok. Enhance: subscribe to Syslog, enable instance-level flowlogs, subscribe to instance flowlogs; the feeds go to OS data analysis and Network data analysis.
A logon event occurs. We go to Enhanced surveillance mode
Control:
- Dynamically add Lambda subscriptions to log feeds
Monitor:
- In-instance activity (privilege escalation)
- Initiation of forbidden flows
Fix:
- Alert only. Watchful but passive.
Demo – event flow (3 – Active)
Diagram (progressive build): behind Elastic Load Balancing, an Auto Scaling group of web app server EC2 instances plus an App server, each in its security group. Syslog data shows Root Access on one instance and OS data analysis flags it as an Anomaly. The Active response is Isolate (Block all via security group), Deregister (Dereg ASG/ELB) and Preserve (CloudWatch Logs, Amazon EBS snapshots).
An escalation occurred and we switched to Active (ex: intervene and get it fixed)
Control:
- SG to isolate anomalous instance
- Preserve instance for both live and offline analysis
- Deregister application from live use
Monitoring:
- We continue to monitor all activity as per previous steps
Fix:
- The control actions cause ASG to be 1 instance short and will recover to original fleet size from ‘last known good’
Demo – event flow (back to 1 – Standard)
Diagram: as in the Standard slide: Auto Scaling groups of Web server and App server EC2 instances in their security groups; CloudWatch collects Syslog, Flowlogs and CloudTrail.
In standard operation, we are observant
Control:
- Security agent loaded in instance
- Logons tracked to TT
Monitoring:
- We gather data covering API activity (CloudTrail), network (Flowlogs) and also in-instance activity (Syslog)
Fix:
- We are BACK TO good
All code at: https://github.com/awslabs/automating-governance-sample
3. Respond
Detection → Analysis → Containment → Eradication → Recovery
Alex Maestretti - Engineering Manager, Netflix SIRT
Netflix - Security Intelligence and Response Team
Roles and Accounts
To enable forensic capture and response, it is helpful to have dedicated roles and accounts established ahead of time:
● A dedicated forensics account
● An ‘IR_S3’ role in the forensics account that allows read to a trusted/ prefix and write to an evidence/ prefix of buckets in the forensics account
● A managed policy on all accounts that allows instance profiles to assume into the IR_S3 role
● A role in all accounts that can be assumed into from the forensics account and allows snapshots
Stealthy Acquisition
The best way to acquire forensic data is NOT to touch the target instance. In AWS we rely on APIs to achieve this:
● A snapshot Lambda in the forensic account
● Assumes into the target account IR_role
● Snapshots each of the target’s root volumes
● Shares the snapshots with the forensics account
● Assumes back into the forensics account role
● Creates volumes from the snapshots in the forensics account
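The six steps above as one Python function, added here as an example (not Netflix's snapshot Lambda). It takes a `clients(role_arn, service)` factory so the two role hops are explicit: in production that factory is `boto3_clients` below (STS AssumeRole, then a client on the temporary credentials), while the constructed `fake_clients` records which role each call was made under so the flow runs offline. The role names, the forensics account id and the instance details are constructed.

```python
"""Added example: cross-account 'stealthy' acquisition via snapshots.
Role/account names and the fake clients are constructed; boto3 method names are real."""

FORENSICS_ACCOUNT = "999999999999"                                      # constructed
FORENSICS_ROLE = f"arn:aws:iam::{FORENSICS_ACCOUNT}:role/IR_forensics"  # constructed


def boto3_clients(role_arn, service):
    """Production factory: STS AssumeRole into role_arn, then a client with those
    temporary credentials (boto3 imported lazily so the demo runs without it)."""
    import boto3
    c = boto3.client("sts").assume_role(RoleArn=role_arn, RoleSessionName="ir-snapshot")["Credentials"]
    return boto3.client(service, aws_access_key_id=c["AccessKeyId"],
                        aws_secret_access_key=c["SecretAccessKey"], aws_session_token=c["SessionToken"])


def acquire(instance_id, target_account, clients, case_id):
    """Snapshot the target's root volume(s) from inside the target account,
    share them with the forensics account, then build volumes there."""
    # Hop 1: into the target account's IR role (the per-account role from the
    # previous slide that allows snapshots). Nothing touches the instance itself.
    target_ec2 = clients(f"arn:aws:iam::{target_account}:role/IR_role", "ec2")
    inst = target_ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    root = inst["RootDeviceName"]
    root_vols = [m["Ebs"]["VolumeId"] for m in inst["BlockDeviceMappings"] if m["DeviceName"] == root]

    snapshots = []
    for vol in root_vols:
        sid = target_ec2.create_snapshot(VolumeId=vol, Description=f"IR {case_id} {instance_id}")["SnapshotId"]
        target_ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[sid])
        # Share: grant createVolumePermission to the forensics account. Caveat: a
        # snapshot encrypted with the AWS-managed default key cannot be shared this
        # way; the source volume must use a customer-managed KMS key.
        target_ec2.modify_snapshot_attribute(SnapshotId=sid, Attribute="createVolumePermission",
                                             OperationType="add", UserIds=[FORENSICS_ACCOUNT])
        snapshots.append(sid)

    # Hop 2: back into the forensics account; materialise the shared snapshots as
    # volumes (same region; the AZ name is assumed to exist in that account too).
    forensics_ec2 = clients(FORENSICS_ROLE, "ec2")
    az = inst["Placement"]["AvailabilityZone"]
    volumes = [forensics_ec2.create_volume(
                   SnapshotId=s, AvailabilityZone=az,
                   TagSpecifications=[{"ResourceType": "volume",
                                       "Tags": [{"Key": "ir-case", "Value": case_id}]}])["VolumeId"]
               for s in snapshots]
    return {"snapshots": snapshots, "volumes": volumes, "source": f"{target_account}:{instance_id}"}


class _Waiter:
    def wait(self, **kwargs):      # the real waiter polls until the snapshot completes
        pass


class FakeEc2:
    """Constructed stand-in for an EC2 client obtained under one role."""
    RESPONSES = {
        "describe_instances": {"Reservations": [{"Instances": [{
            "RootDeviceName": "/dev/xvda",
            "Placement": {"AvailabilityZone": "us-west-2a"},
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root"}},
                {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0data"}}]}]}]},
        "create_snapshot": {"SnapshotId": "snap-0root"},
        "create_volume": {"VolumeId": "vol-0forensic"},
        "get_waiter": _Waiter(),
    }

    def __init__(self, role_arn):
        self.role_arn, self.calls = role_arn, []

    def __getattr__(self, name):
        def call(*args, **kwargs):
            self.calls.append((name, kwargs))
            return self.RESPONSES.get(name, {})
        return call


FAKE_CLIENTS = {}


def fake_clients(role_arn, service):
    """Offline stand-in for boto3_clients: one recording client per role."""
    return FAKE_CLIENTS.setdefault(role_arn, FakeEc2(role_arn))
```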
Processing—Snapshots
At this stage we have snapshots saved to our forensics account:
1. Turn snapshots into volumes
2. Spin up collection instances from an AMI
3. Attach volumes to the collection instances
4. Instances detect new volumes and process them
5. We run a hashdeep recursion and compare to known good file hashes, copying interesting new files
6. We copy artifact files based on Forensic Artifact YAML
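Step 5 as a worked example in Python (added here, not Netflix's collection code): a hashdeep-style recursive hash of a mounted evidence volume, audited against the known-good hashes of the clean image the way `hashdeep -a` reports matched, moved, changed, new and missing files, with the new and changed files copied out for analysis. The mount path is a constructed temporary tree; `demo()` builds both the baseline and the tampered volume.

```python
"""Added example: hashdeep-style audit of a mounted evidence volume against
known-good hashes (step 5). The sample volume and baseline are constructed."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_tree(root):
    """{relative path: sha256} for every regular file under root. Symlinks are
    skipped so a link planted on the volume cannot point the hasher outside it."""
    root = Path(root)
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        h = hashlib.sha256()
        with p.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        digests[p.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def audit(mount, known_good, evidence_dir):
    """Compare like `hashdeep -a`: matched / moved / changed / new / missing.
    New and changed files are the interesting ones and get copied out."""
    seen = hash_tree(mount)
    good_digests = set(known_good.values())
    report = {"matched": [], "moved": [], "changed": [], "new": [], "missing": []}
    for rel, digest in seen.items():
        if rel in known_good:
            cat = "matched" if known_good[rel] == digest else "changed"
        else:
            cat = "moved" if digest in good_digests else "new"
        report[cat].append(rel)
        if cat in ("new", "changed"):
            dst = Path(evidence_dir) / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(Path(mount) / rel, dst)
    report["missing"] = sorted(set(known_good) - set(seen))
    return report


def _write(base, rel, data):
    p = Path(base) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo():
    """Constructed scenario: baseline from a clean image, then a volume where one
    file was modified, one added, one deleted and one merely copied elsewhere."""
    work = Path(tempfile.mkdtemp())
    try:
        clean, vol, out = work / "clean", work / "vol", work / "evidence"
        for base in (clean, vol):
            _write(base, "etc/passwd", b"root:x:0:0::/root:/bin/bash\n")
            _write(base, "usr/bin/ls", b"\x7fELF ls")
        _write(clean, "etc/cron.d/backup", b"0 3 * * * root /usr/local/bin/backup\n")
        known_good = hash_tree(clean)
        _write(vol, "etc/passwd", b"root:x:0:0::/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n")  # changed
        _write(vol, "root/.ssh/authorized_keys", b"ssh-ed25519 AAAA... unexpected\n")      # new
        _write(vol, "usr/local/bin/ls", b"\x7fELF ls")                                      # moved
        report = audit(vol, known_good, out)
        report["copied"] = sorted(p.relative_to(out).as_posix()
                                  for p in out.rglob("*") if p.is_file())
        return report
    finally:
        shutil.rmtree(work, ignore_errors=True)
```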
Fast Acquisition
If we are not worried about stealth, we can get more information more quickly through live response. For this we leverage Simple Server Manager (SSM):
1. Task target instances via SSM
2. Target assumes into IR_S3 role
3. Pulls safe binaries and tasking from the trusted/ bucket
4. Executes
5. Writes results to Amazon S3—files, command output, etc.
Processing—Artifacts in Amazon S3
Whether via live response or through the snapshot process, we now have forensic artifacts stored in Amazon S3. The processing stage makes use of Amazon Simple Queue Service (Amazon SQS) queues which trigger on new keys/files in the evidence/ bucket.
1. New files are en-queued
2. The ‘dispatch’ Lambda function takes a file key from the queue and looks up metadata
3. Metadata defines a parser
4. Dispatch looks to see if it has a matching Lambda function, and if so, sends the key to that Lambda
5. Parser Lambdas write results to Amazon Elasticsearch Service (Amazon ES) and/or back to Amazon S3
Thank you!
Jam Lounge
Wed and Thu from 8 a.m.
Drop by at any time
Alex Maestretti @Netflix
Armando Leite @AWS
Come Jam with us!

Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Mais de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

AWS SecOps: Using AWS Services to Protect, Adapt and Respond

1. AWS re:Invent 2017, session SID304, November 29, 2017. SecOps 2021 Today: Using AWS Services to Deliver SecOps. Speakers: Alex Maestretti, Netflix, Engineering Manager, Security Intelligence and Response Team; Armando Leite, AWS, Senior Manager, Rapid Prototyping & Solution Builder Globals Team. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

2. 2021?

3. (Title-only slide.)

4. 1. Protect  2. Adapt  3. Respond

5. 1. Protect  2. Adapt  3. Respond

6. A first use case: 1. use of approved AMIs with the right placement. (Diagram: EC2:RunInstances launches a web server instance and an app server instance, each in its own security group.)

7. RunInstances (AMI-xxxx, VPC + Subnet…) reaches Amazon EC2, which emits an instance state-change event. The router picks it up with the pattern
   { "source": [ "aws.ec2" ], "detail": { "state": [ "pending" ] } }
and a handler evaluates: What? Where? Is it ok? If the answer is no, it emits an active-response event that the termination handler listens for:
   { "detail-type": [ "activeResponse" ], "detail": { "actionsRequested": [ "instanceTermination" ] } }
and the instance is terminated.

8. Our message router routes events using platform-native filters/events and custom filters to our message handlers. Context was hardcoded…

9. Spectrum of options, from Signal to Noise: Gather, Collate, Enrich, Alert, Measure, Correct, Stop, Remediate. Context: 1. Static (e.g. add metadata) 2. Situational.

10. Static context: account metadata (request).

11. Static context: account metadata (retrieve).
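The router, handler and static-context lookup of slides 7 to 11, as an added example that is not code from the talk. It matches CloudWatch Events patterns the way the platform does (every pattern key must exist, leaf lists are alternatives), routes a matching EC2 state-change event to a handler, and the handler enriches the event with per-account metadata before deciding whether to request an active response. The account IDs, AMI IDs, subnet IDs and instance inventory are constructed; INSTANCE_INVENTORY stands in for the DescribeInstances call a real handler would make.

```python
"""Added example: event router plus handler with static account context."""
import json
from typing import Any, Callable, Dict, List, Optional, Tuple

Event = Dict[str, Any]
Handler = Callable[[Event], Optional[Event]]

# Static context (slides 10-11): metadata a handler retrieves per account.
# Constructed sample data, not real accounts.
ACCOUNT_METADATA: Dict[str, Dict[str, Any]] = {
    "111111111111": {"env": "prod",
                     "approved_amis": {"ami-0a1b2c3d4e5f60001"},
                     "allowed_subnets": {"subnet-0aaa1111", "subnet-0bbb2222"}},
    "222222222222": {"env": "dev",
                     "approved_amis": {"ami-0a1b2c3d4e5f60001", "ami-0dev00000000001"},
                     "allowed_subnets": {"subnet-0ddd4444"}},
}

# Stand-in for ec2.describe_instances(): what each instance was launched with.
INSTANCE_INVENTORY: Dict[str, Dict[str, str]] = {
    "i-0good":   {"ImageId": "ami-0a1b2c3d4e5f60001", "SubnetId": "subnet-0aaa1111"},
    "i-0badami": {"ImageId": "ami-0unknown00000000", "SubnetId": "subnet-0aaa1111"},
    "i-0badnet": {"ImageId": "ami-0a1b2c3d4e5f60001", "SubnetId": "subnet-0ccc3333"},
    "i-0devok":  {"ImageId": "ami-0dev00000000001", "SubnetId": "subnet-0ddd4444"},
}


def matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Subset of CloudWatch Events pattern matching: every key in the pattern
    must be present in the event; nested dicts recurse; a leaf list matches
    when the event value (or any element of a list-valued field) is in it."""
    for key, want in pattern.items():
        if key not in event:
            return False
        have = event[key]
        if isinstance(want, dict):
            if not (isinstance(have, dict) and matches(want, have)):
                return False
        elif isinstance(want, list):
            have_values = have if isinstance(have, list) else [have]
            if not any(v in want for v in have_values):
                return False
        else:
            return False  # patterns put lists, not scalars, at the leaves
    return True


class Router:
    """Routes an event to every handler whose pattern matches it."""
    def __init__(self) -> None:
        self.routes: List[Tuple[Dict[str, Any], Handler]] = []

    def add_route(self, pattern: Dict[str, Any], handler: Handler) -> None:
        self.routes.append((pattern, handler))

    def dispatch(self, event: Event) -> List[Event]:
        responses = []
        for pattern, handler in self.routes:
            if matches(pattern, event):
                response = handler(event)
                if response is not None:
                    responses.append(response)
        return responses


def active_response(event: Event, actions: List[str], reason: str) -> Event:
    """Build the activeResponse event that slide 7's termination pattern listens for."""
    return {"source": "secops.router", "detail-type": "activeResponse",
            "detail": {"instanceId": event["detail"]["instance-id"],
                       "account": event["account"],
                       "actionsRequested": actions, "reason": reason}}


def evaluate_new_instance(event: Event) -> Optional[Event]:
    """Slide 7's 'What? Where? Is it ok?'. Missing context (unknown account or
    instance) is alerted on, not terminated: it is a gap in the metadata store,
    not evidence of a rogue instance."""
    account = ACCOUNT_METADATA.get(event["account"])
    if account is None:
        return active_response(event, ["notify"], "no metadata for account")
    inst = INSTANCE_INVENTORY.get(event["detail"]["instance-id"])
    if inst is None:
        return active_response(event, ["notify"], "instance not in inventory")
    problems = []
    if inst["ImageId"] not in account["approved_amis"]:
        problems.append("AMI %s not approved for %s" % (inst["ImageId"], account["env"]))
    if inst["SubnetId"] not in account["allowed_subnets"]:
        problems.append("subnet %s not allowed for %s" % (inst["SubnetId"], account["env"]))
    if not problems:
        return None
    return active_response(event, ["instanceTermination"], "; ".join(problems))


ROUTER = Router()
ROUTER.add_route({"source": ["aws.ec2"], "detail": {"state": ["pending"]}},
                 evaluate_new_instance)


def ec2_state_change(account: str, instance_id: str, state: str = "pending") -> Event:
    """Constructed EC2 Instance State-change Notification, shaped like the real one."""
    return {"version": "0", "source": "aws.ec2", "account": account, "region": "us-east-1",
            "detail-type": "EC2 Instance State-change Notification",
            "detail": {"instance-id": instance_id, "state": state}}


if __name__ == "__main__":
    for acct, iid in [("111111111111", "i-0good"), ("111111111111", "i-0badami"),
                      ("111111111111", "i-0badnet"), ("333333333333", "i-0good")]:
        print(iid, json.dumps(ROUTER.dispatch(ec2_state_change(acct, iid))))
```

The same `matches` function is what lets the termination handler subscribe to the `activeResponse` pattern from slide 7, so the router, not the handlers, decides who sees what.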
12. Alert indexer; triage/classification rules. (Diagram: Account 1, Account 2 … Account N each deliver CloudTrail logs to a CloudTrail aggregation bucket in the Security account.)
- Automated configuration to enable logging and the aggregation destination.
- Log files deposited in an S3 bucket under the Security account.
- SNS notifies Lambda of new events available for processing.
- Each Lambda evaluates a specific compliance item or misuse case.
- Rules engines help define the action to take based on asset and environment.
- If dictated by the rules engine, an event results in notification via email (e.g. critical events).
- Alerts preserved in DynamoDB for reporting and indexing of raw data.
- All processing in the Security account (e.g. no external dependencies to add new logic, log processing, …).
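The per-Lambda rule step of slide 12, run offline, as an added example that is not the talk's code. A CloudTrail log file is handled the way it arrives from S3 (gzip-compressed JSON with a `Records` array), each record is checked by one rule per misuse case, and a small rules engine turns severity plus the asset's environment into an action. The three misuse cases, the account-to-environment map and the log records are constructed for the example; ALERTS stands in for the DynamoDB table.

```python
"""Added example: CloudTrail log file -> misuse rules -> rules engine -> alerts."""
import gzip
import json
from typing import Any, Callable, Dict, List

Record = Dict[str, Any]
Rule = Callable[[Record], str]      # returns a finding, or "" when the rule does not fire

ENVIRONMENT = {"111111111111": "prod", "222222222222": "dev"}   # constructed asset context


def rule_root_console_login(rec: Record) -> str:
    """Root should not be used interactively; flag any console login by it."""
    if rec.get("eventName") == "ConsoleLogin" and rec.get("userIdentity", {}).get("type") == "Root":
        return "root console login"
    return ""


def rule_trail_tampering(rec: Record) -> str:
    """Turning off or narrowing the audit trail is a misuse case in itself."""
    if rec.get("eventSource") == "cloudtrail.amazonaws.com" and rec.get("eventName") in (
            "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"):
        return "CloudTrail tampering: %s" % rec["eventName"]
    return ""


def rule_sg_open_to_world(rec: Record) -> str:
    """Ingress from 0.0.0.0/0 or ::/0 on any port (shape follows the real requestParameters)."""
    if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
        return ""
    params = rec.get("requestParameters") or {}
    for perm in params.get("ipPermissions", {}).get("items", []):
        ranges = perm.get("ipRanges", {}).get("items", []) + perm.get("ipv6Ranges", {}).get("items", [])
        for r in ranges:
            cidr = r.get("cidrIp") or r.get("cidrIpv6")
            if cidr in ("0.0.0.0/0", "::/0"):
                return "security group %s opened %s/%s to %s" % (
                    params.get("groupId"), perm.get("ipProtocol"), perm.get("fromPort"), cidr)
    return ""


RULES: List[tuple] = [(rule_root_console_login, "critical"),
                      (rule_trail_tampering, "critical"),
                      (rule_sg_open_to_world, "high")]


def decide_action(severity: str, env: str) -> str:
    """Rules engine: the action depends on the asset's environment, not only on severity."""
    if severity == "critical":
        return "email" if env == "prod" else "alert"
    if severity == "high":
        return "alert" if env == "prod" else "record"
    return "record"


ALERTS: List[Dict[str, Any]] = []    # stand-in for the DynamoDB alert table


def process_log_file(gz_bytes: bytes) -> List[Dict[str, Any]]:
    """Parse one CloudTrail log object and run every rule over every record."""
    records = json.loads(gzip.decompress(gz_bytes).decode("utf-8"))["Records"]
    new_alerts = []
    for rec in records:
        env = ENVIRONMENT.get(rec.get("recipientAccountId", ""), "unknown")
        for rule, severity in RULES:
            finding = rule(rec)
            if finding:
                new_alerts.append({"eventID": rec["eventID"], "eventTime": rec.get("eventTime"),
                                   "account": rec.get("recipientAccountId"), "env": env,
                                   "rule": rule.__name__, "severity": severity,
                                   "finding": finding, "action": decide_action(severity, env)})
    ALERTS.extend(new_alerts)
    return new_alerts


def sample_log_file() -> bytes:
    """Constructed log object: three misuse records and one benign read-only call."""
    records = [
        {"eventID": "e1", "eventTime": "2017-11-29T08:00:00Z", "eventSource": "signin.amazonaws.com",
         "eventName": "ConsoleLogin", "recipientAccountId": "111111111111",
         "userIdentity": {"type": "Root", "accountId": "111111111111"},
         "responseElements": {"ConsoleLogin": "Success"}},
        {"eventID": "e2", "eventTime": "2017-11-29T08:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
         "eventName": "StopLogging", "recipientAccountId": "222222222222",
         "userIdentity": {"type": "IAMUser", "userName": "dev1"}, "requestParameters": {"name": "default"}},
        {"eventID": "e3", "eventTime": "2017-11-29T08:02:00Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "AuthorizeSecurityGroupIngress", "recipientAccountId": "111111111111",
         "userIdentity": {"type": "AssumedRole"},
         "requestParameters": {"groupId": "sg-0123abcd", "ipPermissions": {"items": [
             {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
              "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
        {"eventID": "e4", "eventTime": "2017-11-29T08:03:00Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "DescribeInstances", "recipientAccountId": "111111111111",
         "userIdentity": {"type": "IAMUser", "userName": "ops"}},
    ]
    return gzip.compress(json.dumps({"Records": records}).encode("utf-8"))


if __name__ == "__main__":
    for alert in process_log_file(sample_log_file()):
        print(json.dumps(alert))
```

Each rule is independent of the others and of the engine, which is the property slide 12 is after: a new misuse case is one more function in the Security account, with no change to log delivery or to the action table.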
13. 1. Protect  2. Adapt  3. Respond

14. (Title-only slide.)

15. Use case: adaptive security controls. 1. Situational awareness 2. Adjust security posture 3. Stealth. (Diagram: a web server EC2 instance in a security group inside an Auto Scaling group, reached over SSH.)

16. Posture 1 – Standard (of 1 Standard, 2 Enhanced, 3 Active). In standard operation, we are observant. Control: security agent loaded in the instance; logons tracked. Monitoring: we gather data covering API activity (CloudTrail), network (VPC Flow Logs) and in-instance activity (syslog), all arriving via CloudWatch. Fix: we are good. An "SSH Login!" custom CloudWatch Events event (CWECustom) triggers the check "Logon ok?"; here the answer is "Logon is OK". (Diagram: web server and app server instances, each in its own security group and Auto Scaling group, feeding syslog, flow logs and CloudTrail into CloudWatch.)

17. Demo, event flow, posture 2 – Enhanced. A logon event occurs and "Logon ok?" answers "Logon NOT ok", so we go to enhanced surveillance mode. Control: dynamically add Lambda subscriptions to log feeds (subscribe to syslog; enable instance-level flow logs; subscribe to the instance flow logs). Monitor: in-instance activity (privilege escalation) through OS data analysis; initiation of forbidden flows through network data analysis. Fix: alert only. Watchful but passive.

18. Demo, event flow, posture 3 – Active. (Diagram: three web app server instances behind Elastic Load Balancing in an Auto Scaling group, plus an app server. Syslog data from one web app server shows root access; OS data analysis leads to Isolate, Preserve, Deregister.)

19. The instance with the root access is now marked as an anomaly.

20. Isolate: block all (security group).

21. Deregister: deregister from the ASG/ELB.

22. Preserve: Amazon EBS snapshots and CloudWatch Logs.

23. An escalation occurred and we switched to Active (i.e. intervene and get it fixed). Control: a security group to isolate the anomalous instance; preserve the instance for both live and offline analysis; deregister the application from live use. Monitoring: we continue to monitor all activity as in the previous steps. Fix: the control actions leave the ASG one instance short, and it will recover to the original fleet size from "last known good".

24. Back to posture 1 – Standard. In standard operation, we are observant. Control: security agent loaded in the instance; logons tracked to TT. Monitoring: we gather data covering API activity (CloudTrail), network (VPC Flow Logs) and in-instance activity (syslog). Fix: we are BACK TO good. All code at: https://github.com/awslabs/automating-governance-sample
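The Standard → Enhanced → Active posture change of slides 16 to 24 as a per-instance state machine, added here as an example; it is not the awslabs sample the slide links to. AWS-side actions go through a `Responder` object so the flow runs offline against the in-memory fake below; a production `Responder` would wrap boto3 ec2, autoscaling, elb and logs clients. What makes a logon "ok" is not stated on the slides, so the example assumes an allow-list of expected users. Instance IDs, volume IDs, user names and the event shapes are constructed.

```python
"""Added example: adaptive security posture state machine with pluggable actions."""
from typing import Any, Dict, List, Set

STANDARD, ENHANCED, ACTIVE = "standard", "enhanced", "active"


class Responder:
    """Control actions; a real implementation wraps the AWS API calls."""
    def subscribe_syslog(self, instance_id: str) -> None: raise NotImplementedError
    def enable_instance_flowlogs(self, instance_id: str) -> None: raise NotImplementedError
    def isolate(self, instance_id: str) -> None: raise NotImplementedError      # block-all SG
    def detach_from_asg(self, instance_id: str) -> None: raise NotImplementedError
    def deregister_from_elb(self, instance_id: str) -> None: raise NotImplementedError
    def snapshot_volumes(self, instance_id: str) -> List[str]: raise NotImplementedError


class InMemoryResponder(Responder):
    """Records every call instead of talking to AWS (constructed fake for the example)."""
    def __init__(self, volumes: Dict[str, List[str]]) -> None:
        self.volumes = volumes               # instance id -> attached EBS volume ids
        self.calls: List[str] = []
        self.snapshot_count = 0

    def _log(self, action: str, instance_id: str) -> None:
        self.calls.append(f"{action}:{instance_id}")

    def subscribe_syslog(self, instance_id: str) -> None: self._log("subscribe_syslog", instance_id)
    def enable_instance_flowlogs(self, instance_id: str) -> None: self._log("enable_instance_flowlogs", instance_id)
    def isolate(self, instance_id: str) -> None: self._log("isolate", instance_id)
    def detach_from_asg(self, instance_id: str) -> None: self._log("detach_from_asg", instance_id)
    def deregister_from_elb(self, instance_id: str) -> None: self._log("deregister_from_elb", instance_id)

    def snapshot_volumes(self, instance_id: str) -> List[str]:
        self._log("snapshot_volumes", instance_id)
        ids = []
        for vol in self.volumes.get(instance_id, []):
            self.snapshot_count += 1
            ids.append(f"snap-{self.snapshot_count:04d}-{vol}")
        return ids


class AdaptiveControl:
    ESCALATING = {"privilege_escalation", "forbidden_flow"}   # the Enhanced-mode monitors

    def __init__(self, responder: Responder, expected_users: Set[str]) -> None:
        self.responder = responder
        self.expected_users = expected_users   # assumption: what makes a logon "ok"
        self.state: Dict[str, str] = {}
        self.alerts: List[str] = []
        self.snapshots: Dict[str, List[str]] = {}

    def posture(self, instance_id: str) -> str:
        return self.state.get(instance_id, STANDARD)

    def handle(self, event: Dict[str, Any]) -> str:
        """Consume one event ({'instance_id', 'type', ...}) and return the new posture."""
        iid, kind = event["instance_id"], event["type"]
        if kind == "ssh_login":
            if event.get("user") in self.expected_users:
                return self.posture(iid)                 # Logon ok: stay observant
            if self.posture(iid) == STANDARD:
                self._enhance(iid, f"unexpected SSH login by {event.get('user')!r}")
        elif kind in self.ESCALATING:
            if self.posture(iid) == STANDARD:            # get the log feeds before intervening
                self._enhance(iid, f"{kind} seen while in standard posture")
            if self.posture(iid) != ACTIVE:              # containment runs once per instance
                self._activate(iid, f"{kind}: {event.get('detail', '')}")
        return self.posture(iid)

    def _enhance(self, iid: str, reason: str) -> None:
        self.responder.subscribe_syslog(iid)
        self.responder.enable_instance_flowlogs(iid)
        self.state[iid] = ENHANCED
        self.alerts.append(f"[enhanced] {iid}: {reason}")    # alert only, no intervention

    def _activate(self, iid: str, reason: str) -> None:
        self.responder.isolate(iid)                # 1. block all traffic (slide 20)
        self.responder.detach_from_asg(iid)        # 2. deregister from ASG/ELB (slide 21)
        self.responder.deregister_from_elb(iid)
        self.snapshots[iid] = self.responder.snapshot_volumes(iid)   # 3. preserve (slide 22)
        self.state[iid] = ACTIVE
        self.alerts.append(f"[active] {iid}: {reason}")

    def resolve(self, iid: str) -> None:
        """Back to standard once the fleet has recovered (slide 24)."""
        self.state.pop(iid, None)


if __name__ == "__main__":
    fake = InMemoryResponder({"i-0web1": ["vol-0a", "vol-0b"]})
    ctl = AdaptiveControl(fake, expected_users={"deploy"})
    for ev in [{"instance_id": "i-0web1", "type": "ssh_login", "user": "deploy"},
               {"instance_id": "i-0web1", "type": "ssh_login", "user": "mallory"},
               {"instance_id": "i-0web1", "type": "privilege_escalation", "detail": "root shell"}]:
        print(ev["type"], "->", ctl.handle(ev))
    print(fake.calls, ctl.snapshots)
```

The order isolate, detach, deregister, snapshot mirrors slides 20 to 22. Once the block-all security group is in place the instance fails its load balancer health check, so the detach from the Auto Scaling group has to follow without delay (or come first): a group that declares the instance unhealthy will terminate it, and EC2 termination protection (DisableApiTermination) does not stop Auto Scaling from doing so. Detaching the instance without decrementing desired capacity is also what lets the group launch the replacement from "last known good" that slide 23 describes.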
25. 1. Protect  2. Adapt  3. Respond

26. Detection → Analysis → Containment → Eradication → Recovery. Alex Maestretti, Engineering Manager, Netflix SIRT (Security Intelligence and Response Team).

27. Roles and accounts. To enable forensic capture and response, it is helpful to have dedicated roles and accounts established ahead of time:
- A dedicated forensics account.
- An 'IR_S3' role in the forensics account that allows read to a trusted/ prefix and write to an evidence/ prefix of buckets in the forensics account.
- A managed policy on all accounts that allows instance profiles to assume into the IR_S3 role.
- A role in all accounts that can be assumed into from the forensics account and allows snapshots.

28. Stealthy acquisition. The best way to acquire forensic data is NOT to touch the target instance. In AWS we rely on APIs to achieve this:
- A snapshot Lambda in the forensics account
- assumes into the target account's IR_role,
- snapshots each of the target's root volumes,
- shares the snapshots with the forensics account,
- assumes back into the forensics account role, and
- creates volumes from the snapshots in the forensics account.
(For encrypted volumes this only works when the volume is encrypted with a customer managed KMS key that is also shared with the forensics account; snapshots encrypted with the AWS managed default key cannot be shared across accounts.)

29. Processing: snapshots. At this stage we have snapshots saved to our forensics account.
1. Turn snapshots into volumes.
2. Spin up collection instances from an AMI.
3. Attach volumes to the collection instances.
4. Instances detect new volumes and process them.
5. We run a hashdeep recursion and compare to known good file hashes, copying interesting new files.
6. We copy artifact files based on Forensic Artifact YAML.
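The hash-and-compare pass of step 5 above, as an added example rather than the Netflix tooling: a hashlib recursion over a mounted volume root in the spirit of hashdeep's audit mode, a classification of every file against a known-good baseline (unchanged, modified, new, known content at an unexpected path, missing), and a copy-out of the new and modified files with their paths preserved. The "golden" baseline tree and the post-incident volume are constructed in `make_sample()`; all file names and contents are made up.

```python
"""Added example: hashdeep-style audit of an evidence volume against a baseline."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte artifacts do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root: str) -> Dict[str, str]:
    """Relative path -> sha256 for every regular file under root. Symlinks are
    never followed, so a link on the suspect volume cannot pull the collection
    instance's own files (or /proc) into the evidence set."""
    hashes: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames[:] = [d for d in dirnames if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            hashes[os.path.relpath(full, root)] = sha256_file(full)
    return hashes


def audit(volume: str, baseline: Dict[str, str], out_dir: str) -> Dict[str, List[str]]:
    """Classify every file on the volume against the baseline and copy out the
    ones worth a look (new or modified), keeping their relative paths."""
    current = hash_tree(volume)
    known_hashes = set(baseline.values())
    report: Dict[str, List[str]] = {"unchanged": [], "modified": [], "new": [],
                                    "known_elsewhere": [], "missing": []}
    for rel, digest in sorted(current.items()):
        if rel in baseline:
            report["unchanged" if baseline[rel] == digest else "modified"].append(rel)
        elif digest in known_hashes:
            report["known_elsewhere"].append(rel)   # e.g. a system binary copied to /tmp
        else:
            report["new"].append(rel)
    report["missing"] = sorted(set(baseline) - set(current))
    for rel in report["modified"] + report["new"]:
        dest = os.path.join(out_dir, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.copy2(os.path.join(volume, rel), dest)   # copy2 keeps the timestamps
    return report


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def make_sample() -> Tuple[str, Dict[str, str], str]:
    """Constructed golden-AMI baseline and a post-incident copy of the same volume."""
    base = tempfile.mkdtemp(prefix="secops-audit-")
    golden, volume, out = (os.path.join(base, d) for d in ("golden", "volume", "out"))
    files = {"etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
             "etc/ssh/sshd_config": b"PermitRootLogin no\n",
             "usr/bin/ls": b"ELF-ls-bytes",
             "var/log/auth.log": b"Nov 29 08:00:00 web1 sshd[1]: Server listening on 0.0.0.0 port 22.\n"}
    for rel, data in files.items():
        _write(golden, rel, data)
    baseline = hash_tree(golden)
    files["etc/ssh/sshd_config"] = b"PermitRootLogin yes\n"      # modified
    files["etc/cron.d/persist"] = b"* * * * * root /tmp/.x\n"     # new
    files["tmp/ls.copy"] = b"ELF-ls-bytes"                         # known content, new path
    del files["var/log/auth.log"]                                  # missing (wiped)
    for rel, data in files.items():
        _write(volume, rel, data)
    os.makedirs(out)
    return volume, baseline, out


if __name__ == "__main__":
    vol, base, out = make_sample()
    for category, paths in audit(vol, base, out).items():
        print(f"{category:16s} {paths}")
```

A baseline keyed by path catches tampered system files; the extra hash-only lookup catches known binaries that have been copied somewhere they do not belong, and the `missing` list is where wiped logs show up.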
30. Fast acquisition. If we are not worried about stealth, we can get more information more quickly through live response. For this we leverage AWS Systems Manager (SSM):
1. Task target instances via SSM.
2. The target assumes into the IR_S3 role.
3. It pulls safe binaries and tasking from the trusted/ prefix.
4. Executes.
5. Writes results to Amazon S3: files, command output, etc.

31. Processing: artifacts in Amazon S3. Whether via live response or through the snapshot process, we now have forensic artifacts stored in Amazon S3. The processing stage uses Amazon Simple Queue Service (Amazon SQS) queues that are fed whenever a new key/file appears under the evidence/ prefix.
1. New files are enqueued.
2. The 'dispatch' Lambda function takes a file key from the queue and looks up its metadata.
3. The metadata defines a parser.
4. Dispatch checks whether it has a matching Lambda function and, if so, sends the key to that Lambda.
5. Parser Lambdas write results to Amazon Elasticsearch Service (Amazon ES) and/or back to Amazon S3.
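The dispatch step of slide 31 run offline, as an added example that is not the Netflix pipeline itself. The evidence bucket, the object metadata, the SQS queue and the Elasticsearch index are in-memory stand-ins; the parser registry maps the artifact type found in the metadata to a parser function, and keys with no metadata or no parser are kept aside rather than dropped. Two parsers are included, one for an sshd/sudo auth log and one for /etc/passwd, with the expectation that a live-response run (slide 30) wrote them. All keys, hosts, user names and log lines are constructed.

```python
"""Added example: metadata-driven dispatch of evidence objects to parsers."""
import re
from typing import Callable, Dict, List, Tuple

Doc = Dict[str, str]
Parser = Callable[[Dict[str, str], bytes], List[Doc]]

# Stand-ins for the S3 evidence/ objects, their metadata, the SQS queue and Amazon ES.
EVIDENCE: Dict[str, bytes] = {}
METADATA: Dict[str, Dict[str, str]] = {}
QUEUE: List[str] = []
INDEX: List[Doc] = []
UNPARSED: List[str] = []      # keys nobody could parse: keep them for a later parser

SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<proc>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSHD = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
                  r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
SUDO = re.compile(r"^\s*(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_auth_log(meta: Dict[str, str], data: bytes) -> List[Doc]:
    """sshd logins (accepted and failed) and sudo invocations from a syslog-format auth log."""
    docs: List[Doc] = []
    for line in data.decode("utf-8", "replace").splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        base = {"case": meta["case"], "host": m["host"], "ts": m["ts"]}
        if m["proc"] == "sshd":
            s = SSHD.match(m["msg"])
            if s:
                docs.append({**base, "event": "ssh_accepted" if s["result"] == "Accepted" else "ssh_failed",
                             "user": s["user"], "src_ip": s["ip"], "method": s["method"]})
        elif m["proc"] == "sudo":
            s = SUDO.match(m["msg"])
            if s:
                docs.append({**base, "event": "sudo", "user": s["user"],
                             "target": s["target"], "command": s["cmd"]})
    return docs


def parse_passwd(meta: Dict[str, str], data: bytes) -> List[Doc]:
    """One document per account; anything with uid 0 that is not root gets flagged."""
    docs: List[Doc] = []
    for line in data.decode("utf-8", "replace").splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, _, uid, _, _, _, shell = parts
        docs.append({"case": meta["case"], "host": meta["host"], "event": "account",
                     "user": name, "uid": uid, "shell": shell,
                     "flag": "uid0" if uid == "0" and name != "root" else ""})
    return docs


PARSERS: Dict[str, Parser] = {"linux.auth_log": parse_auth_log, "linux.passwd": parse_passwd}


def dispatch(key: str) -> Tuple[str, int]:
    """Look up the key's metadata, pick the parser it names, index what it produces."""
    meta = METADATA.get(key)
    if meta is None:
        UNPARSED.append(key)
        return "no-metadata", 0
    parser = PARSERS.get(meta.get("artifact", ""))
    if parser is None:
        UNPARSED.append(key)
        return "no-parser", 0
    docs = parser(meta, EVIDENCE[key])
    for d in docs:
        d["key"] = key            # every indexed document points back at its evidence object
    INDEX.extend(docs)
    return "indexed", len(docs)


def drain(queue: List[str]) -> Dict[str, int]:
    """Process the queue to empty and summarise outcomes by status."""
    summary: Dict[str, int] = {}
    while queue:
        status, _ = dispatch(queue.pop(0))
        summary[status] = summary.get(status, 0) + 1
    return summary


def load_sample() -> None:
    """Constructed evidence objects, as a live-response run would have written them."""
    auth = (b"Nov 29 08:15:02 web1 sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2: RSA SHA256:abc\n"
            b"Nov 29 08:17:44 web1 sshd[1301]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2\n"
            b"Nov 29 08:18:03 web1 sshd[1305]: Accepted password for mallory from 203.0.113.9 port 40031 ssh2\n"
            b"Nov 29 08:19:10 web1 sudo:  mallory : TTY=pts/0 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash\n"
            b"Nov 29 08:19:11 web1 systemd[1]: Started Session 12 of user mallory.\n")
    passwd = b"root:x:0:0:root:/root:/bin/bash\ndeploy:x:1000:1000::/home/deploy:/bin/bash\nsvc:x:0:0::/:/bin/sh\n"
    for name, artifact, data in [("auth.log", "linux.auth_log", auth), ("passwd", "linux.passwd", passwd),
                                 ("ps.txt", "linux.ps", b"PID CMD\n1 /sbin/init\n")]:
        key = f"evidence/case-42/web1/{name}"
        EVIDENCE[key] = data
        METADATA[key] = {"artifact": artifact, "host": "web1", "case": "case-42"}
        QUEUE.append(key)


if __name__ == "__main__":
    load_sample()
    print(drain(QUEUE), "unparsed:", UNPARSED)
    for doc in INDEX:
        print(doc)
```

Keeping the parser choice in the object's metadata rather than in its file name is what lets the same key space hold anything a collector writes; the `no-parser` outcome is the normal case for a new artifact type until its parser lands, which is why those keys are retained instead of being acknowledged away.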
32. Thank you! Come Jam with us: Jam Lounge, Wednesday and Thursday from 8 a.m.; drop by at any time. Alex Maestretti @Netflix, Armando Leite @AWS.