Cloudten: SIEM in the AWS Cloud
Copyright 2015 Cloudten Industries
Copyright statement:
This document contains a presentation given to the AWS Sydney User Group in November 2015. It has been made available freely for educational purposes. No part of this document may be reproduced or modified without the express written consent of the author.
Security Information & Event Management
• Centralised collection and management of security logs.
• Aggregates data from a wide variety of sources (firewalls, IDS, WAF, anti-virus etc.)
• Analyses and correlates events to provide statistical information and real-time monitoring.
• Threat Detection (before an event)
• Incident Management (post event)
• Auditing and Reporting
• Compliance
• Hardware or virtual appliances
• Various Licensing Models:
  • EPS – Events Per Second
  • FPM – Flows Per Minute
  • Number of log sources
  • Log size per day
• Various Log Collection Methods:
  • Agent (log forwarders, probe connectors…)
  • Agentless (via SSH, syslog, Windows Event Collector)
Appliances
Software
• The basic premise is the same.
• Can be easier, cheaper and quicker to set up.
• It’s just as (if not more) important.
• Potentially much greater “blast radius”
…aaaaand lost it in 2
• Make Security “Job Zero”
• Don’t make security an afterthought.
• Architect security into the foundations
• AWS provide a number of really useful security tools and services “out of the box”
• Nearly all AWS services have APIs that integrate with the security services.
• This provides centralised inputs into either a custom built SIEM or a 3rd party solution.
• User accounts, groups and roles
• Create and map fine grained access policies
• Provides authenticated and auditable access to all resources.
• Federate to an external directory
• A web service that records all kinds of API calls made by AWS resources.
• E.g. changes to security groups, modifying IAM permissions etc.
• Stores logs in a secure S3 bucket
• One of the most important services from a SIEM and auditing perspective.
• Track and compare infrastructure changes over time
• The ability to restore environment configurations
• Able to snapshot an environment into CloudFormation templates in S3
• Integrates with CloudTrail
• Define rules for how resources are created (e.g. all EBS volumes must be encrypted)
• Can monitor config changes and provide a dashboard to check compliance status
• Makes it easy to see when and how a resource became non-compliant.
• Not just basic performance metrics anymore
• Agent based log collection
• Filtering language to monitor and alert
• Ingests logs from CloudTrail
• Essentially gives the ability to monitor network traffic within a VPC
• Also logs dropped packets (firewall logs)
• Outputs to CloudWatch Logs
• “Free”
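The "firewall log" use of VPC Flow Logs described above, as an added example that is not part of the slides: a small parser for the default flow log record format, a per-source count of REJECTed (dropped) flows, and a check for sources whose rejected flows touched many distinct ports. The sample lines, account id, ENI name and addresses are constructed placeholders.

```python
# Constructed sample VPC Flow Log lines in the default (version 2) field order:
#   version account-id interface-id srcaddr dstaddr srcport dstport protocol
#   packets bytes start end action log-status
# Account id, ENI and addresses are placeholders, not captured data.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-placeholder 198.51.100.7 10.0.1.20 51001 22 6 1 40 1447200000 1447200060 REJECT OK
2 123456789012 eni-placeholder 198.51.100.7 10.0.1.20 51002 23 6 1 40 1447200001 1447200061 REJECT OK
2 123456789012 eni-placeholder 198.51.100.7 10.0.1.20 51003 3389 6 1 40 1447200002 1447200062 REJECT OK
2 123456789012 eni-placeholder 198.51.100.7 10.0.1.20 51004 445 6 1 40 1447200003 1447200063 REJECT OK
2 123456789012 eni-placeholder 10.0.1.5 10.0.1.20 40022 443 6 20 4249 1447200010 1447200070 ACCEPT OK
2 123456789012 eni-placeholder 10.0.1.20 10.0.1.5 443 40022 6 18 5120 1447200010 1447200070 ACCEPT OK
2 123456789012 eni-placeholder - - - - - - - 1447200020 1447200080 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]


def parse_flow_log(text):
    """Parse flow log lines into dicts, dropping NODATA/SKIPDATA lines (no flow in them)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                 # malformed line: skip rather than guess at fields
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            records.append(rec)
    return records


def reject_summary(records):
    """Count REJECTed (dropped) flows per source address: the 'firewall log' view."""
    counts = {}
    for r in records:
        if r["action"] == "REJECT":
            counts[r["srcaddr"]] = counts.get(r["srcaddr"], 0) + 1
    return counts


def sources_probing_many_ports(records, min_ports=3):
    """Sources whose REJECTed flows hit at least min_ports distinct destination ports."""
    ports = {}
    for r in records:
        if r["action"] == "REJECT":
            ports.setdefault(r["srcaddr"], set()).add(int(r["dstport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}
```

In a real pipeline the same functions would run over the lines delivered to CloudWatch Logs; the threshold in sources_probing_many_ports is a tuning knob, not a fixed rule.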
• Can block malicious HTTP/S requests
• Sits in front of CloudFront
• Generates CloudWatch metrics
```json
{"Records": [
  {"eventVersion": "1.0",
   "userIdentity": {
     "type": "IAMUser", "principalId": "EXAMPLE_PRINCIPAL_ID",
     "arn": "arn:aws:iam::123456789012:user/Jeff", "accountId": "123456789012",
     "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Jeff",
     "sessionContext": {"attributes": {"mfaAuthenticated": "false",
                                       "creationDate": "2015-08-25T04:04:11Z"}}
   },
   "eventTime": "2015-08-25T04:12:22Z", "eventSource": "iam.amazonaws.com",
   "eventName": "AddUserToGroup", "awsRegion": "ap-southeast-2",
   "sourceIPAddress": "127.0.0.1", "userAgent": "AWSConsole",
   "requestParameters": {"userName": "Bob", "groupName": "admin"},
   "responseElements": null
  }
]}
```
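What a SIEM would do with a record like the one above, as an added example that is not code from the slides: parse a CloudTrail log file and raise alerts for the two event types the deck calls out, IAM permission changes (here, adding a user to a privileged group, escalated when the caller's session was not MFA-authenticated) and security group changes (escalated when a rule is opened to 0.0.0.0/0). The sample records, the privileged-group list and the security-group id are constructed assumptions.

```python
import json

# Constructed sample with the same shape as the slide's CloudTrail record (placeholder
# account id, users, group and security-group id). Record 1 is the slide's own event.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"userIdentity": {"type": "IAMUser", "userName": "Jeff",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "eventTime": "2015-08-25T04:12:22Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddUserToGroup", "sourceIPAddress": "127.0.0.1",
     "requestParameters": {"userName": "Bob", "groupName": "admin"}},
    {"userIdentity": {"type": "IAMUser", "userName": "Jeff",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "eventTime": "2015-08-25T04:15:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "127.0.0.1",
     "requestParameters": {"groupId": "sg-placeholder", "cidrIp": "0.0.0.0/0"}},
    {"userIdentity": {"type": "IAMUser", "userName": "Jeff",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "eventTime": "2015-08-25T04:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "127.0.0.1",
     "requestParameters": None}]})

PRIVILEGED_GROUPS = {"admin"}  # assumption: the site's list of privileged IAM groups
SG_CHANGE_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"}

def mfa_authenticated(record):
    """True only when the session context records that the caller used MFA."""
    ctx = record.get("userIdentity", {}).get("sessionContext", {})
    return ctx.get("attributes", {}).get("mfaAuthenticated") == "true"

def check_record(record):
    """Return alert strings for one CloudTrail record (empty list when nothing fires)."""
    alerts, name = [], record.get("eventName")
    params = record.get("requestParameters") or {}   # null in many read-only events
    who = record.get("userIdentity", {}).get("userName", "?")
    if name == "AddUserToGroup" and params.get("groupName") in PRIVILEGED_GROUPS:
        sev = "MEDIUM" if mfa_authenticated(record) else "HIGH"   # no MFA: escalate
        alerts.append(f"{sev}: {who} added {params.get('userName')} to group {params.get('groupName')}")
    if name in SG_CHANGE_EVENTS:
        sev = "HIGH" if params.get("cidrIp") == "0.0.0.0/0" else "LOW"  # world-open rule
        alerts.append(f"{sev}: {who} changed security group {params.get('groupId')} via {name}")
    return alerts

def scan_cloudtrail(raw_json):
    """Run every record of a CloudTrail log file through check_record."""
    return [a for rec in json.loads(raw_json)["Records"] for a in check_record(rec)]
```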
• You have all the logs but what do you do with them?
• CloudWatch/Logs is good… but
• There are a number of specialist log management vendors who have adapted their products to work as a SIEM.
• They provide compliance, auditing and pro-active monitoring capabilities.
Collect & Aggregate
• Many and varied sources
• Across environments
• Safe, secure & fast

Visualize & Alert
• Real-time dashboards
• Proactive alerting
• Out-of-the-box apps

Investigate & Take Action
• Search and troubleshoot
• Identify unknowns
• Analyze, triage and isolate

Monitor & Optimize
• Detect anomalies
• Predict and preempt issues
• Streamline and improve processes
• Security is a full time job
• Many companies don’t have the time/resources to keep on top of everything
• Skilled security resources are expensive.
• Many high profile organisations choose to outsource SIEM responsibilities.
• Security focused AWS consulting partner
• AWS Certified to the highest level
• Consulting / Managed Services
• Come and talk to us!