aws meetup nov 2015 - cloudten presentation
Post on 13-Feb-2017
Copyright 2015 Cloudten Industries
• Centralised collection and management of security logs.
• Aggregates data from a wide variety of sources (firewalls, IDS, WAF, anti-virus etc.)
• Analyses and correlates events to provide statistical information and real-time monitoring.
• Threat Detection ( before an event )
• Incident Management ( post event )
• Auditing and Reporting
• Compliance
• Hardware or virtual appliances
• Various licensing models:
  • EPS – Events Per Second
  • FPM – Flows Per Minute
  • Number of log sources
  • Log size per day
• Various log collection methods:
  • Agent (log forwarders, probe connectors …)
  • Agentless (via SSH, syslog, Windows Event Collector)
• The basic premise is the same.
• Can be easier, cheaper and quicker to set up.
• It’s just as ( if not more ) important.
• Potentially much greater “blast radius”
• Make Security “Job Zero”
• Don’t make security an afterthought.
• Architect security into the foundations
• AWS provide a number of really useful security tools and services “out of the box”
• Nearly all AWS services have APIs that integrate with the security services.
• This provides centralised inputs into either a custom built SIEM or 3rd party solution.
• User accounts, groups and roles
• Create and map fine grained access policies
• Provides authenticated and auditable access to all resources.
• Federate to an external directory
• A web service that records the API calls made in an AWS account.
• E.g. changes to security groups, modifications to IAM permissions etc.
• Stores logs in a secure S3 bucket
• One of the most important services from a SIEM and auditing perspective.
• Track and compare infrastructure changes over time
• The ability to restore environment configurations
• Able to snapshot an environment into CloudFormation templates in S3
• Integrates with CloudTrail
• Define rules for how resources are created (eg. All EBS volumes must be encrypted)
• Can monitor config changes and provide a dashboard to check compliance status
• Makes it easy to see when and how a resource became non-compliant.
• Not just basic performance metrics anymore
• Agent based log collection
• Filtering language to monitor and alert
• Ingests logs from CloudTrail
• Essentially gives the ability to monitor network traffic within a VPC
• Also logs dropped packets (firewall logs)
• Outputs to CloudWatch Logs
• “Free”
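As an added example (not part of the Cloudten deck), here is how the REJECT records that VPC Flow Logs write to CloudWatch Logs can be parsed and turned into a simple alert: one source address rejected on several different destination ports. The log lines are constructed, the field order is the default version-2 flow log format, and the alert threshold is an assumption.

```python
"""Parse AWS VPC Flow Log records (default version-2 format) and count rejected
connection attempts per source address.

Added example for this deck; not Cloudten's code. The log lines below are
constructed for illustration and use documentation/reserved addresses.
"""
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Logs record format.
FLOW_FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)

# Constructed sample records: one accepted HTTPS flow, several rejected
# connection attempts from the same external address, one internal reject,
# and a NODATA record (no traffic seen in the capture window).
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d4e5f 10.0.1.25 203.0.113.7 51234 443 6 12 3456 1447000000 1447000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 198.51.100.9 10.0.1.25 40001 22 6 1 44 1447000000 1447000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 198.51.100.9 10.0.1.25 40002 3389 6 1 44 1447000000 1447000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 198.51.100.9 10.0.1.25 40003 445 6 1 44 1447000000 1447000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 10.0.2.14 10.0.1.25 55555 8080 6 2 120 1447000000 1447000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f - - - - - - - 1447000000 1447000060 - NODATA
"""


def parse_flow_record(line):
    """Split one space-separated flow log line into a dict, converting numeric
    fields; returns None for NODATA/SKIPDATA records, which carry no flow."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FLOW_FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def rejected_ports_by_source(log_text):
    """Map each source address to the set of destination ports on which its
    traffic was rejected by a security group or network ACL."""
    rejected = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_flow_record(line)
        if rec and rec["action"] == "REJECT":
            rejected[rec["srcaddr"]].add(rec["dstport"])
    return dict(rejected)


def noisy_sources(log_text, min_ports=3):
    """Return sources rejected on at least `min_ports` distinct ports, most
    ports first: a simple 'many doors tried' alerting rule (threshold assumed)."""
    by_src = rejected_ports_by_source(log_text)
    hits = [(src, sorted(ports)) for src, ports in by_src.items() if len(ports) >= min_ports]
    return sorted(hits, key=lambda item: len(item[1]), reverse=True)


if __name__ == "__main__":
    for src, ports in noisy_sources(SAMPLE_FLOW_LOGS):
        print(f"ALERT {src} rejected on {len(ports)} ports: {ports}")
```

The same grouping is what a CloudWatch Logs metric filter or a third-party SIEM does on ingest; doing it in a few lines of code shows what the REJECT field actually gives you and why NODATA records have to be skipped before any counting.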
• Can block malicious HTTP/S requests
• Sits in front of CloudFront
• Generates CloudWatch metrics
Example CloudTrail record (an IAM user adding another user to the admin group):
{
  "Records": [{
    "eventVersion": "1.0",
    "userIdentity": {
      "type": "IAMUser", "principalId": "EXAMPLE_PRINCIPAL_ID",
      "arn": "arn:aws:iam::123456789012:user/Jeff",
      "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID",
      "userName": "Jeff",
      "sessionContext": {
        "attributes": {"mfaAuthenticated": "false", "creationDate": "2015-08-25T04:04:11Z"}
      }
    },
    "eventTime": "2015-08-25T04:12:22Z", "eventSource": "iam.amazonaws.com",
    "eventName": "AddUserToGroup", "awsRegion": "ap-southeast-2",
    "sourceIPAddress": "127.0.0.1", "userAgent": "AWSConsole",
    "requestParameters": {"userName": "Bob", "groupName": "admin"},
    "responseElements": null
  }]
}
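As an added example, not from the original presentation: a small Python rule set over CloudTrail records that flags the kind of change shown in the record above, an IAM user added to an admin group from the console without MFA. The first record is copied from the slide with its quoting fixed; the second record, the list of privileged group names and the rule set are constructed assumptions for illustration.

```python
"""Apply simple SIEM-style detection rules to CloudTrail records.

Added example for this deck; not Cloudten's code. The first record below is a
cleaned-up copy of the AddUserToGroup event from the slide, the second is a
constructed benign event for contrast. The rule set and the privileged group
names are assumptions; tune them to your own account.
"""
import json

# Group names treated as privileged (assumption).
PRIVILEGED_GROUPS = {"admin", "Administrators"}

# IAM API calls that change who holds what permissions (a subset, assumption).
PERMISSION_CHANGE_EVENTS = {
    "AddUserToGroup", "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
    "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy", "CreateAccessKey",
}

SAMPLE_TRAIL = json.dumps({"Records": [
    {  # the slide's example, with the quoting fixed
        "eventVersion": "1.0",
        "userIdentity": {
            "type": "IAMUser", "principalId": "EXAMPLE_PRINCIPAL_ID",
            "arn": "arn:aws:iam::123456789012:user/Jeff",
            "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID",
            "userName": "Jeff",
            "sessionContext": {"attributes": {
                "mfaAuthenticated": "false", "creationDate": "2015-08-25T04:04:11Z"}},
        },
        "eventTime": "2015-08-25T04:12:22Z", "eventSource": "iam.amazonaws.com",
        "eventName": "AddUserToGroup", "awsRegion": "ap-southeast-2",
        "sourceIPAddress": "127.0.0.1", "userAgent": "AWSConsole",
        "requestParameters": {"userName": "Bob", "groupName": "admin"},
        "responseElements": None,
    },
    {  # constructed benign event: a read-only call made with MFA
        "eventVersion": "1.0",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Jeff",
                         "userName": "Jeff",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "eventTime": "2015-08-25T05:00:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "awsRegion": "ap-southeast-2",
        "sourceIPAddress": "203.0.113.5", "userAgent": "aws-cli/1.9.0",
        "requestParameters": None, "responseElements": None,
    },
]})


def mfa_authenticated(record):
    """CloudTrail stores the MFA flag as the string "true"/"false"; it is absent
    for plain access-key calls that have no session context."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def evaluate_record(record):
    """Return the list of rule names a single record triggers."""
    findings = []
    name = record.get("eventName", "")
    params = record.get("requestParameters") or {}
    if record.get("eventSource") == "iam.amazonaws.com" and name in PERMISSION_CHANGE_EVENTS:
        findings.append("iam_permission_change")
        if params.get("groupName") in PRIVILEGED_GROUPS:
            findings.append("privileged_group_membership_change")
    if record.get("userAgent") == "AWSConsole" and not mfa_authenticated(record):
        findings.append("console_action_without_mfa")
    return findings


def scan_trail(trail_json):
    """Evaluate every record in a CloudTrail log file; return one summary per
    record that triggered at least one rule."""
    alerts = []
    for rec in json.loads(trail_json)["Records"]:
        hits = evaluate_record(rec)
        if hits:
            alerts.append({
                "eventTime": rec["eventTime"],
                "actor": rec["userIdentity"].get("userName"),
                "eventName": rec["eventName"],
                "rules": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_trail(SAMPLE_TRAIL):
        print(alert)
```

The point is that the record already carries everything a rule needs: who acted (`userIdentity`), what changed (`eventName` plus `requestParameters`), and how strongly they were authenticated (`mfaAuthenticated`); a SIEM simply evaluates these fields on every record as it arrives.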
• You have all the logs, but what do you do with them?
• CloudWatch/Logs is good … but
• There are a number of specialist log management vendors who have adapted their products to work as a SIEM.
• They provide compliance, auditing and proactive monitoring capabilities.
Collect & Aggregate
  • Many and varied sources
  • Across environments
  • Safe, secure & fast
Visualize & Alert
  • Real-time dashboards
  • Proactive alerting
  • Out-of-the-box apps
Investigate & Take Action
  • Search and troubleshoot
  • Identify unknowns
  • Analyze, triage and isolate
Monitor & Optimize
  • Detect anomalies
  • Predict and preempt issues
  • Streamline and improve processes
• Security is a full time job
• Many companies don’t have time/resources to keep on top of everything
• Skilled security resources are expensive.
• Many high profile organisations choose to outsource SIEM responsibilities.
• Security focused AWS consulting partner
• AWS Certified to the highest level
• Consulting/Managed Services
• Come and talk to us!