Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSS
#AllDayDevOps
@madhuakula, Automation Ninja, Appsecco
About Me!
Automation Ninja at Appsecco
Appsecco is a specialist application security company
Interested in Security, DevOps & Cloud
Found bugs in Google, Microsoft, Yahoo, etc.
Never-ending learner!
Follow (or) tweet to me @madhuakula
What are we covering today?
ELK stack to analyse and visualise logs in near real time
ElastAlert to create rules that automatically defend against SSH brute-force attacks
AWS Lambda to do the blocking, since our infra is hosted on AWS
Python-based Chalice framework for writing the AWS Lambda function
Architecture
Automated Defence Demo
Appsecco Automated Infrastructure Security Monitoring Demo (ELK + AWS Lambda)
http://bit.ly/addoaism
AWS Lambda Chalice Code
https://github.com/appsecco/alldaydevopsaism
Security for our AWS Lambda
We are primarily doing the following two things:
1. A sufficiently random token to protect the request when we post the IP address from ElastAlert
2. Whitelist the IP address of the host from which the HTTP POST request originates
Use Cases for Automated Defence
1. Automated Defender (Attack Alerts + Automated Firewall)
2. Security Analytics + Reports
3. Near realtime Centralised Log Monitoring
Attack Scenario: WordPress XML-RPC
https://blog.appsecco.com/analysingattacksonawordpressxmlrpcusinganelkstack3bf25a7e36cc
Needs Improvement
More attack signatures required, for example the OSSEC/Wazuh ruleset
Improve the ElastAlert alerter custom code
Any suggestions from your side?
Alternatives to our stack
Stack: Elastic, Graylog, TICK Stack, Prometheus + Grafana
Serverless: AWS Lambda, Azure Functions, Cloud Functions
Our assumptions
You are already monitoring in near real time using the ELK stack
You are under attack for a specific service
You have configured ElastAlert for your alerting
In Summary
We created attack threshold rules in ElastAlert
We created an AWS Lambda endpoint that is able to modify AWS VPC Network ACLs
We have a real-time, infinitely scalable blocking system
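Added example, not code from the alldaydevopsaism repository: the two controls from the "Security for our AWS Lambda" slide (random token plus source-IP whitelist) and the Network ACL deny entry from the summary, written as plain functions a Chalice handler would call. The header name x-auth-token, the source IP (which Chalice exposes through the API Gateway request context), the NACL id and every address below are assumptions.

```python
import hmac
import ipaddress

# Constructed values for this example; a real deployment would read the token and
# the allow-list from Lambda environment variables (assumption, not the project's code).
SHARED_TOKEN = "replace-with-a-long-random-token"
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.10/32")]  # the ElastAlert host
NACL_ID = "acl-PLACEHOLDER"                                    # the VPC Network ACL to edit
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "127.0.0.0/8", "169.254.0.0/16")]


def token_valid(presented):
    """Constant-time comparison, so a wrong token cannot be refined via response timing."""
    if not isinstance(presented, str):
        return False
    return hmac.compare_digest(presented.encode(), SHARED_TOKEN.encode())


def source_allowed(source_ip):
    """Only the whitelisted ElastAlert host may call the endpoint."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCES)


def authorize(source_ip, headers):
    """Both controls from the slide must pass; the source check runs first."""
    if not source_allowed(source_ip):
        return False, "source not whitelisted"
    if not token_valid(headers.get("x-auth-token")):
        return False, "bad token"
    return True, "ok"


def nacl_deny_entry(attacker_ip, rule_number):
    """Build the kwargs for boto3 ec2.create_network_acl_entry (the call is not made here).

    Accepts only a single host address, so a mangled or forged payload can never
    produce a deny for 0.0.0.0/0, for the VPC's private ranges or for the alerting host.
    """
    addr = ipaddress.ip_address(attacker_ip)         # a CIDR such as 0.0.0.0/0 raises ValueError
    if any(addr in net for net in NEVER_BLOCK + ALLOWED_SOURCES):
        raise ValueError(f"refusing to block {addr}")
    if not 1 <= rule_number <= 32766:                # valid NACL rule-number range
        raise ValueError("rule number out of range")
    return {"NetworkAclId": NACL_ID, "RuleNumber": rule_number, "Protocol": "-1",
            "RuleAction": "deny", "Egress": False, "CidrBlock": f"{addr}/32"}
```

Because NACL rules are evaluated lowest number first, the handler that uses this should also choose rule numbers below any existing allow rules, otherwise the deny never takes effect.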
References
Blog Post
Elastic
ElastAlert
AWS Lambda
Chalice
Thanks!
@madhuakula | @appseccouk | http://appsecco.com