Cloudten: SIEM in the AWS Cloud
33
©opyright 2015 Cloudten Industries
-
Upload
richard-tomkinson -
Category
Technology
-
view
525 -
download
0
Transcript of Cloudten: SIEM in the AWS Cloud
©opyright 2015Cloudten Industries
Copyright 2015Cloudten Industries
Copyrightstatement:
ThisdocumentcontainsapresentationgiventotheAWSSydneyUserGroupinNovember2015.Ithasbeenmadeavailablefreelyforeducationalpurposes.Nopartofthisdocumentmaybereproducedormodifiedwithouttheexpresswrittenconsentoftheauthor.
Copyright 2015Cloudten Industries
SecurityInformation&EventManagement
Copyright 2015Cloudten Industries
• Centralised collectionandmanagementofsecuritylogs.
• Aggregatesdatafromawidevarietyofsources(firewalls,IDS,WAF,anti-virusetc )
• Analysesandcorrelateseventstoprovidestatisticalinformationandreal-timemonitoring.
Copyright 2015Cloudten Industries
Copyright 2015Cloudten Industries
• ThreatDetection(beforeanevent)
• IncidentManagement(postevent)
• AuditingandReporting
• Compliance
Copyright 2015Cloudten Industries
• Hardwareorvirtualappliances
• VariousLicensingModels:• EPS– EventsPerSecond• FPM– FlowsPerMinute• Numberof logsources• Logsizeperday
• VariousLogCollectionMethods• Agent(Logforwarders,probeconnectors…)• Agentless(viaSSH,syslog,WindowsEventCollector)
Copyright 2015Cloudten Industries
Appliances
Software
Copyright 2015Cloudten Industries
• Thebasicpremiseisthesame.
• Canbeeasier,cheaperandquickertosetup.
• It’sjustas(ifnotmore)important.
• Potentiallymuchgreater“blastradius”
Copyright 2015Cloudten Industries
Copyright 2015Cloudten Industries
…aaaaandlostitin2
Copyright 2015Cloudten Industries
• MakeSecurity“JobZero”
• Don’tmakesecurityanafterthought.
• Architectsecurityintothefoundations
Copyright 2015Cloudten Industries
• AWSprovideanumberofreallyusefulsecuritytoolsandservices“outofthebox”
• NearlyallofAWSserviceshaveAPIsthatintegratewiththesecurityservices.
• Thisprovidescentralised inputsintoeitheracustombuiltSIEMor3rd partysolution.
Copyright 2015Cloudten Industries
• Useraccounts,groupsandroles
• Createandmapfinegrainedaccesspolicies
• Providesauthenticatedandauditableaccesstoallresources.
• Federatetoanexternaldirectory
Copyright 2015Cloudten Industries
• awebservicethatrecordsallkindsofAPIcallsmadebyAWSresources.
• Eg.Changestosecuritygroups,modifyIAMpermissionsetc.
• StoreslogsinasecureS3bucket
• OneofthemostimportantservicesfromaSIEMandauditingperspective.
Copyright 2015Cloudten Industries
• Trackandcompareinfrastructurechangesovertime
• Theabilitytorestoreenvironmentconfigurations
• AbletosnapshotanenvironmentintoCloudFormationtemplatesinS3
• IntegrateswithCloudTrail
Copyright 2015Cloudten Industries
• Definerulesforhowresourcesarecreated(eg.AllEBSvolumesmustbeencrypted)
• Canmonitorconfig changesandprovideadashboardtocheckcompliancestatus’
• Makesiteasytoseewhenandhowaresourcebecamenoncompliant.
Copyright 2015Cloudten Industries
• Notjustbasicperformancemetricsanymore
• Agentbasedlogcollection
• Filteringlanguagetomonitorandalert
• IngestslogsfromCloudTrail
Copyright 2015Cloudten Industries
• EssentiallygivestheabilitytomonitornetworktrafficwithinaVPC
• Alsologsdroppedpackets(firewalllogs)
• OutputstoCloudWatchLogs
• “Free”
Copyright 2015Cloudten Industries
• CanblockmaliciousHTTP/Srequests
• SitsinfrontofCloudFront
• GeneratesCloudWatchmetrics
Copyright 2015Cloudten Industries
Copyright 2015Cloudten Industries
{"Records": [
{"eventVersion": "1.0","userIdentity": {
"type": "IAMUser","principalId": "EXAMPLE_PRINCIPAL_ID","arn": "arn:aws:iam::123456789012:user/Jeff","accountId": "123456789012","accessKeyId": "EXAMPLE_KEY_ID","userName": "Jeff","sessionContext": {
"attributes": {"mfaAuthenticated": "false","creationDate": "2015-08-25T04:04:11Z"
}}
},"eventTime": "2015-08-25T04:12:22Z","eventSource": "iam.amazonaws.com","eventName": "AddUserToGroup","awsRegion": "ap-southeast-2","sourceIPAddress": "127.0.0.1","userAgent": "AWSConsole","requestParameters": {
"userName": “Bob","groupName": "admin"
},"responseElements": null
}]
}
Copyright 2015Cloudten Industries
Copyright 2015Cloudten Industries
Copyright 2015Cloudten Industries
• Youhaveallthelogsbutwhatdoyoudowiththem?
• CloudWatch/Logsisgood…but
• ThereareanumberofspecialistlogmanagementvendorswhohaveadaptedtheirproductstoworkasaSIEM.
• Theyprovidecompliance,auditingandpro-activemonitoringcapabilities.
Copyright 2015Cloudten Industries
Copyright 2015Cloudten Industries
Copyright 2015Cloudten Industries
Collect&Aggregate• Manyandvariedsources• Acrossenvironments• Safe,secure&fast
Visualize&Alert• Real-timedashboards• Proactivealerting• Out-of-theboxapps
Investigate&TakeAction• Searchandtroubleshoot• Identifyunknowns• Analyze,triageandisolate
Monitor&Optimize• Detectanomalies• Predictandpreemptissues• Streamlineandimproveprocesses
Copyright 2015Cloudten Industries
Copyright 2015Cloudten Industries
• Securityisafulltimejob
• Manycompaniesdon’thavetime/resourcestokeepontopofeverything
• Skilledsecurityresourcesareexpensive.
• Manyhighprofileorganisations choosetooutsourceSIEMresponsibilities.
Copyright 2015Cloudten Industries
Copyright 2015Cloudten Industries
• SecurityfocusedAWSconsultingpartner
• AWSCertifiedtothehighestlevel
• Consulting/ManagedServices
• Comeandtalktous!
©opyright 2015Cloudten Industries
