Transcript of Alfredo Reino - Monitoring AWS and Azure (DevSecCon presentation slides)
![Page 1: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/1.jpg)
Join the conversation #devseccon
By Alfredo Reino
Monitoring AWS and Azure
![Page 2: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/2.jpg)
Agenda
• Who am I
• Why monitor anything
• What to monitor
• How to monitor Azure
• How to monitor AWS
• Integrating with SIEMs and MSSPs
![Page 3: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/3.jpg)
Who am I
[insert something funny and slightly self-deprecating here]
Alfredo Reino / @[email protected] Architect
![Page 4: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/4.jpg)
Why monitor anything
• Threat detection (reactive)
• Threat hunting (proactive)
• Incident response and forensics
• Data mining, anomaly detection
• Reporting and dashboards
• Regulatory and policy requirements
• Troubleshooting and root cause analysis
![Page 5: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/5.jpg)
What to monitor
• (Easy answer) Everything and anything!
• But
  • is it possible to log?
  • is it cost effective to do it?
  • do you have the storage?
  • can you make sense of it?
  • do you have the tools/skillset/capability/time to use it?
• Priorities!
![Page 6: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/6.jpg)
What to monitor
• Using the kill-chain
![Page 7: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/7.jpg)
Generic kill chain
• Recon
  • Passive recon
  • Active recon
• Delivery
  • Internet-facing services
  • Inbound email
  • Web browsing
  • Removable media
  • Insider / Third-party access
• Exploitation
  • Internet-facing servers
  • User endpoint
• Installation
  • Lateral movement
  • Elevation of privilege
  • Persistence
  • Command and Control
• Actions on target
  • Access to internal system and data
  • Exfiltration
  • Attack third-party
![Page 8: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/8.jpg)
IaaS/PaaS kill chain
• Recon
  • Passive recon
  • Active recon
• Delivery
  • Internet-facing services
  • Inbound email
  • Web browsing
  • Removable media
  • Insider / Third-party access
• Exploitation
  • Internet-facing servers
  • User endpoint
• Installation
  • Lateral movement
  • Elevation of privilege
  • Persistence
  • Command and Control
• Actions on target
  • Access to internal system and data
  • Exfiltration
  • Attack third-party
![Page 9: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/9.jpg)
What to monitor – Shared responsibility
Azure Shared responsibility model: https://aka.ms/sharedresponsibility
AWS Shared responsibility model: https://aws.amazon.com/compliance/shared-responsibility-model/
![Page 10: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/10.jpg)
What to monitor (IaaS/PaaS)
• Operating System logs from IaaS virtual machines
• Application/service logs (webserver, database, etc.)
• Performance metrics (CPU, memory, data in/out, filesystem, …)
• Network traffic (at interface or across boundaries)
• Other cloud security solutions (WAF, AV, FIM, etc.)
• IaaS/PaaS service fabric logs
• Audit/management logs (cloud resource access and management)
• Blob Storage/S3
![Page 11: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/11.jpg)
AWS Options
• CloudTrail
  • Records AWS API calls (usage of the Management Console, SDKs, command line tools, and higher-level AWS services such as AWS CloudFormation).
  • The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.
  • Logs to an S3 bucket (possibility of aggregating multi-region or multi-account CloudTrail logs in one S3 bucket).
• CloudWatch
  • Collects and tracks metrics, collects and monitors log files, sets alarms.
  • Monitors EC2 instances, WAF, DynamoDB tables, and Amazon RDS DB instances, as well as custom metrics generated by applications and services, and any log files applications generate.
• S3 Server Access Logging
  • Tracks requests for access to an S3 bucket.
  • Each access log record provides details about a single access request, such as the requester, bucket name, request time, request action, response status, and error code, if any.
• VPC Flow Logs
  • Log traffic flow in a Virtual Private Cloud (VPC), subnets or Elastic Network Interfaces (ENI).
  • Captures accepted and rejected traffic.
  • Logs to CloudWatch Logs.
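The two formats this slide leans on most, CloudTrail records and VPC Flow Log lines, are simple enough to parse without a SIEM, and doing so shows what a detection over them looks like. The following is an added example, not code from the slides: it parses a constructed CloudTrail delivery object (the `Records` array shape CloudTrail writes to S3, gzip-compressed in practice) and constructed default-format flow log lines, then runs a handful of rules chosen for this example (anti-forensic CloudTrail API calls, failed console logins, `AccessDenied` errors, and one source hitting several rejected ports). Account IDs, IPs, ARNs and user names are made up.

```python
"""Parse constructed CloudTrail and VPC Flow Log samples and run a few detections.

Added example, not from the original slides. Every record below is constructed
(account IDs, IPs, ARNs and user names are made up).
"""
import json

# CloudTrail delivers gzip-compressed JSON objects with a top-level "Records"
# array; this is a constructed, trimmed sample in that shape.
CLOUDTRAIL_SAMPLE = json.dumps({"Records": [
    {"eventTime": "2016-10-20T09:12:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2016-10-20T09:12:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-10-20T09:14:05Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"name": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/main"}},
    {"eventTime": "2016-10-20T09:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "AccessDenied"},
]})

# Constructed VPC Flow Log records in the default (version 2) format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOG_SAMPLE = """\
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 41234 22 6 1 40 1476954000 1476954060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 41235 23 6 1 40 1476954000 1476954060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 41236 3389 6 1 40 1476954000 1476954060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 41237 445 6 1 40 1476954000 1476954060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 50000 443 6 12 3400 1476954000 1476954060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1476954000 1476954060 - NODATA
"""

# CloudTrail/flow-log API calls an attacker uses to blind the defender; the
# set is this example's choice, not a list from the slides.
ANTI_FORENSIC_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail",
                       "PutEventSelectors", "DeleteFlowLogs"}


def parse_cloudtrail(blob):
    """Return the list of records in one CloudTrail delivery object."""
    return json.loads(blob)["Records"]


def cloudtrail_findings(records):
    """Run three rules over CloudTrail records; return (rule, user, ip, eventName) tuples."""
    findings = []
    for r in records:
        user = r.get("userIdentity", {}).get("userName", "?")
        name, ip = r["eventName"], r.get("sourceIPAddress", "?")
        if name in ANTI_FORENSIC_CALLS:
            findings.append(("logging_tampered", user, ip, name))
        if name == "ConsoleLogin" and r.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            findings.append(("console_login_failure", user, ip, name))
        if r.get("errorCode") == "AccessDenied":
            findings.append(("access_denied", user, ip, name))
    return findings


FLOW_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status"]


def parse_flow_logs(text):
    """Parse default-format flow log lines; NODATA/SKIPDATA lines carry no flow and are dropped."""
    flows = []
    for line in text.splitlines():
        rec = dict(zip(FLOW_FIELDS, line.split()))
        if rec["log_status"] == "OK":
            flows.append(rec)
    return flows


def rejected_port_scanners(flows, min_ports=3):
    """Return {srcaddr: sorted rejected dst ports} for sources touching >= min_ports distinct ports."""
    ports = {}
    for f in flows:
        if f["action"] == "REJECT":
            ports.setdefault(f["srcaddr"], set()).add(int(f["dstport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for finding in cloudtrail_findings(parse_cloudtrail(CLOUDTRAIL_SAMPLE)):
        print("CloudTrail:", finding)
    for src, ports in rejected_port_scanners(parse_flow_logs(FLOW_LOG_SAMPLE)).items():
        print("VPC Flow Logs: %s probed rejected ports %s" % (src, ports))
```

The `StopLogging` rule is the one to keep even if you drop the rest: the slide notes that CloudTrail is the record of who did what, so a call that switches it off is the first thing an intruder with console access tends to try. The NODATA line shows why the flow-log parser checks `log-status` before trusting the address fields.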
![Page 12: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/12.jpg)
AWS CloudTrail
![Page 13: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/13.jpg)
AWS VPC Flow Logs
![Page 14: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/14.jpg)
Log Management solutions for AWS
• SumoLogic
  • logs from CloudTrail, VPC Flow, ELB, S3, etc.
• Splunk add-on for AWS
  • logs from AWS Config, Config Rules, CloudWatch, CloudTrail, Billing, S3, VPC Flow Log, Amazon Inspector, Metadata inputs, etc.
• ELK (ElasticSearch+LogStash+Kibana)
  • logs from applications, OS, ELB, CloudTrail, VPC Flow, CloudFront, S3, etc.
![Page 15: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/15.jpg)
Log Management solutions for Azure
• SumoLogic
  • logs from Azure Audit Logs, AD access, etc.
• Splunk add-on for Microsoft Cloud
  • logs from Storage Tables, Storage Blobs, Azure Service Management APIs and Office 365 Management API.
• ELK (ElasticSearch+LogStash+Kibana)
  • logs from applications, OS, Storage Blobs, Service Management APIs, etc.
• Azure Log Analytics
  • Part of OMS (Operations Management Suite).
  • Collects logs from agents (Win/Linux), storage, performance, IIS logs, syslog, etc.
![Page 16: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/16.jpg)
Connecting AWS logs to a SIEM
• Connectors by SIEM vendors
  • HP ArcSight SmartConnector
    • Need to allow inbound SSL to ESM
![Page 17: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/17.jpg)
Connecting AWS logs to a SIEM
• Connectors by SIEM vendors
  • IBM QRadar
    • Native support for AWS CloudTrail using the S3 REST API
    • Need to import the SSL cert first
![Page 18: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/18.jpg)
Connecting AWS logs to a SIEM
• Connectors by SIEM vendors
  • Splunk
    • Requires the “Splunk for AWS” app and the “Splunk Add-on for Amazon Web Services”.
    • Requires appropriate permissions created in IAM.
    • Collects events from a Simple Queue Service (SQS) queue that is subscribed to the Simple Notification Service (SNS) topic receiving AWS Config notifications.
![Page 19: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/19.jpg)
Connecting AWS logs to a SIEM
• Connectors by SIEM vendors
  • ELK Stack (logz.io)
![Page 20: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/20.jpg)
Azure SIEM Integrator
• Integrate with on-premises SIEM (or MSSP)
• Logs supported
  • VM logs
  • Azure Audit Logs
  • Azure Security Center alerts
![Page 21: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/21.jpg)
Azure SIEM Integrator
• How to deploy
  • Install Azlog Integrator on a Windows server (on-premises)
    • https://www.microsoft.com/en-us/download/details.aspx?id=53324
    • Needs access to Azure Storage
  • Install the SIEM log collection agent on the same server
    • Splunk Universal Forwarder
    • HP ArcSight Windows Event Collector
    • IBM QRadar WinCollect
    • …
  • Configure SIEM agents for collection
    • https://blogs.msdn.microsoft.com/azuresecurity/2016/08/23/azure-log-siem-configuration-steps/
• Scalability
  • On an 8-proc machine, 1 instance of Azlog can process about 277 EPS
  • On a 4-proc machine, 1 instance of Azlog can process about 17 EPS
  • Multiple instances of the SIEM Integrator can be run if event volume is high
![Page 22: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/22.jpg)
Azure SIEM Integrator example
![Page 23: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/23.jpg)
Azure SIEM Integrator example
![Page 24: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/24.jpg)
Azure SIEM Integrator example
![Page 25: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/25.jpg)
Threat intel feeds
• Good feeds of IOCs can be invaluable
• Integrate threat intel feeds in SIEM/Log Management solutions
  • tagging of events
  • quick searches for malicious activity
• For increased value, maintain your OWN threat intel feed and repository
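What “tagging of events” and “quick searches” amount to in practice is a lookup of each event's indicators against the feed, with the match recorded on the event together with which feed supplied it. The block below is an added example, not from the slides: it loads a constructed CSV feed (exact IPs, CIDR ranges and domains, each with a `source` column so matches stay traceable to a feed, which is the point of keeping your own repository), tags a set of constructed, already-normalized events, and supports a per-feed search. The event field names (`src_ip`, `dst_ip`, `domain`) and the feed columns are an assumed schema for this example.

```python
"""Tag normalized events with matches from a threat-intel IOC repository.

Added example, not from the original slides. The feed, the events and the
field names are constructed/assumed for this example.
"""
import csv
import io
import ipaddress

# Constructed feed: one IOC per row, with the feed that supplied it and when.
IOC_FEED_CSV = """\
type,value,source,first_seen
ipv4,198.51.100.9,internal-ir,2016-10-18
cidr,203.0.113.0/24,vendor-feed,2016-09-30
domain,update.example-c2.net,vendor-feed,2016-10-01
"""

# Constructed events already normalized out of CloudTrail / flow logs / DNS logs.
EVENTS = [
    {"id": 1, "src_ip": "198.51.100.9", "dst_ip": "10.0.1.20"},
    {"id": 2, "src_ip": "203.0.113.77", "dst_ip": "10.0.1.20"},
    {"id": 3, "src_ip": "10.0.1.20", "domain": "cdn.example.com"},
    {"id": 4, "src_ip": "10.0.1.20", "domain": "UPDATE.example-c2.net."},
]


class IocRepository:
    """In-memory IOC store supporting exact-IP, CIDR and domain lookups."""

    def __init__(self):
        self.ips = {}       # ip_address -> metadata
        self.cidrs = []     # [(ip_network, metadata)]
        self.domains = {}   # normalized domain -> metadata

    def load_csv(self, text):
        for row in csv.DictReader(io.StringIO(text)):
            meta = {"source": row["source"], "first_seen": row["first_seen"]}
            if row["type"] == "ipv4":
                self.ips[ipaddress.ip_address(row["value"])] = meta
            elif row["type"] == "cidr":
                self.cidrs.append((ipaddress.ip_network(row["value"]), meta))
            elif row["type"] == "domain":
                self.domains[row["value"].lower().rstrip(".")] = meta
        return self

    def lookup_ip(self, text):
        """Exact match first, then the CIDR list; None when nothing matches."""
        addr = ipaddress.ip_address(text)
        if addr in self.ips:
            return self.ips[addr]
        for net, meta in self.cidrs:
            if addr in net:
                return meta
        return None

    def lookup_domain(self, name):
        # Normalize case and the trailing dot so "UPDATE.example-c2.net." still matches.
        return self.domains.get(name.lower().rstrip("."))


def tag_events(events, repo):
    """Return a copy of each event with a 'threat_intel' list of (field, value, source) hits."""
    tagged = []
    for ev in events:
        hits = []
        for field in ("src_ip", "dst_ip"):
            if field in ev:
                meta = repo.lookup_ip(ev[field])
                if meta:
                    hits.append((field, ev[field], meta["source"]))
        if "domain" in ev:
            meta = repo.lookup_domain(ev["domain"])
            if meta:
                hits.append(("domain", ev["domain"], meta["source"]))
        tagged.append(dict(ev, threat_intel=hits))
    return tagged


def quick_search(tagged, source=None):
    """Ids of events carrying at least one hit, optionally restricted to one feed."""
    return [e["id"] for e in tagged
            if any(source is None or h[2] == source for h in e["threat_intel"])]


if __name__ == "__main__":
    repo = IocRepository().load_csv(IOC_FEED_CSV)
    for e in tag_events(EVENTS, repo):
        print(e["id"], e["threat_intel"])
```

Tagging at ingest rather than at search time is what makes the “quick search” quick: once the hit and its feed name sit on the event, the search is a filter on one field rather than a join against the feed on every query. Keeping `source` on each hit is also how you tell a noisy vendor feed apart from your own curated indicators when triaging.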
![Page 26: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/26.jpg)
Endpoint activity monitoring
• Endpoint process activity monitoring tool
  • such as Carbon Black
• Deploy to IaaS instances
• Agent-based blackbox-type recording for
  • process activity (creation, termination, child processes)
  • filesystem and registry activity
  • inbound and outbound network connections
• Integration with threat intel feeds
• Can integrate (using API) with log retention solutions
  • “if log event X then find process tree at the time for endpoint Y”
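The pivot quoted above, from a log event to the process tree that was alive on the endpoint at that moment, is a small reconstruction over process start/stop records. The block below is an added example, not from the slides and not Carbon Black's API: it uses an assumed minimal record schema (host, pid, ppid, name, start, end) with constructed records, takes a constructed flow-log-style event as “log event X”, filters to the processes alive on that host at that time, nests them by parent pid, and walks the ancestry of one process.

```python
"""Pivot from a log event to the process tree on an endpoint at that time.

Added example, not from the original slides. The record schema is assumed for
this example (not an EDR vendor's format) and all records are constructed.
"""
from datetime import datetime

# Constructed process lifetime records from an endpoint agent, one per process.
# end=None means the process was still running when the records were collected.
PROCESS_EVENTS = [
    {"host": "web-01", "pid": 1, "ppid": 0, "name": "systemd", "start": "2016-10-20T08:00:00", "end": None},
    {"host": "web-01", "pid": 800, "ppid": 1, "name": "nginx", "start": "2016-10-20T08:00:05", "end": None},
    {"host": "web-01", "pid": 2100, "ppid": 800, "name": "sh", "start": "2016-10-20T09:13:40", "end": "2016-10-20T09:16:00"},
    {"host": "web-01", "pid": 2101, "ppid": 2100, "name": "curl", "start": "2016-10-20T09:13:41", "end": "2016-10-20T09:13:45"},
    {"host": "web-01", "pid": 2102, "ppid": 2100, "name": "nc", "start": "2016-10-20T09:13:50", "end": "2016-10-20T09:15:59"},
    {"host": "web-01", "pid": 2300, "ppid": 1, "name": "cron", "start": "2016-10-20T09:30:00", "end": None},
    {"host": "db-01", "pid": 1, "ppid": 0, "name": "systemd", "start": "2016-10-20T08:00:00", "end": None},
]

# Constructed "log event X": an accepted outbound connection seen in the
# instance's flow logs, with the endpoint name already resolved from the ENI.
LOG_EVENT = {"host": "web-01", "time": "2016-10-20T09:14:00",
             "dst_ip": "203.0.113.7", "dst_port": 4444}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def processes_alive(events, host, at):
    """Processes on `host` whose lifetime covers the instant `at`."""
    t = _ts(at)
    return [e for e in events
            if e["host"] == host and _ts(e["start"]) <= t
            and (e["end"] is None or _ts(e["end"]) >= t)]


def process_tree(alive):
    """Nest alive processes by ppid into (name, pid, [children]) tuples, roots first."""
    by_pid = {p["pid"]: p for p in alive}
    children = {}
    for p in alive:
        children.setdefault(p["ppid"], []).append(p)

    def build(p):
        kids = sorted(children.get(p["pid"], []), key=lambda c: c["pid"])
        return (p["name"], p["pid"], [build(c) for c in kids])

    # A process whose parent is not in the alive set is a root (e.g. ppid 0).
    roots = sorted((p for p in alive if p["ppid"] not in by_pid), key=lambda p: p["pid"])
    return [build(r) for r in roots]


def ancestry(alive, pid):
    """Process names from the root down to `pid`, e.g. ['systemd', 'nginx', 'sh', 'nc']."""
    by_pid = {p["pid"]: p for p in alive}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def pivot(events, log_event):
    """'if log event X then find process tree at the time for endpoint Y'."""
    return process_tree(processes_alive(events, log_event["host"], log_event["time"]))


def render(tree, depth=0):
    """Flatten a tree into indented 'name (pid)' lines for display."""
    lines = []
    for name, pid, kids in tree:
        lines.append("  " * depth + "%s (%d)" % (name, pid))
        lines.extend(render(kids, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render(pivot(PROCESS_EVENTS, LOG_EVENT))))
```

In the constructed data the tree at the time of the connection is `systemd > nginx > sh > nc`: a web server that has spawned a shell which in turn runs a network tool, which is the shape of a web-shell or exploitation follow-up the “Exploitation / Internet-facing servers” stage of the kill chain earlier in the deck points at. Note that `curl`, which exited before the log event, is correctly absent, and `cron`, which started afterwards, is too; the time filter is what turns a flat process log into the tree “at the time”.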
![Page 27: Alfredo Reino - Monitoring aws and azure](https://reader031.fdocuments.us/reader031/viewer/2022013005/58ce62b31a28ab2f268b5c75/html5/thumbnails/27.jpg)
Join the conversation #devseccon
Thanks!