Eyes Everywhere: Monitoring Today's Borderless Landscape

Similar documents
DevOps Agility in the Evolving Cloud Services Landscape

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

CLOUD WORKLOAD SECURITY

Getting Started with AWS Security

Automating Security Practices for the DevOps Revolution

AALOK INSTITUTE. DevOps Training

Aspirin as a Service: Using the Cloud to Cure Security Headaches

Microservices Architekturen aufbauen, aber wie?

Microservices on AWS. Matthias Jung, Solutions Architect AWS

Securing Microservices Containerized Security in AWS

Qualys Cloud Platform

Amazon Search Services. Christoph Schmitter

PRAGMATIC SECURITY AUTOMATION FOR CLOUD

Experiences with Serverless Big Data

Understanding Perimeter Security

Monitoring Serverless Architectures in AWS

Splunk & Amazon Web Services

Zombie Apocalypse Workshop

Splunk & AWS. Gain real-time insights from your data at scale. Ray Zhu Product Manager, AWS Elias Haddad Product Manager, Splunk

INTRODUCING CISCO SECURITY FOR AWS

Deep Dive on AWS CodeStar

Cloud Security Strategy - Adapt to Changes with Security Automation -

Adopting Modern Practices for Improved Cloud Security. Cox Automotive - Enterprise Risk & Security

Incident Response and Forensics in your Pyjamas

Qualys Cloud Platform

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

Additional Security Services on AWS

Architecting for Greater Security in AWS

Amazon Web Services (AWS) Solutions Architect Intermediate Level Course Content

Popular SIEM vs aisiem

Azure DevOps. Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region

Hackproof Your Cloud Responding to 2016 Threats

About Intellipaat. About the Course. Why Take This Course?

How to go serverless with AWS Lambda

SIEMLESS THREAT DETECTION FOR AWS

Cloud security 2.0: Joko nyt pilveen voi luottaa?

SAA-C01. AWS Solutions Architect Associate. Exam Summary Syllabus Questions

Best Practices for Cloud Security at Scale. Phil Rodrigues Security Solutions Architect Amazon Web Services, ANZ

AWS Agility + Splunk Visibility = Cloud Success. Splunk App for AWS Demo. Laura Ripans, AWS Alliance Manager

How can you implement this through a script that a scheduling daemon runs daily on the application servers?

Regaining Our Lost Visibility

Amazon Web Services (AWS) Training Course Content

STATE OF MODERN APPLICATIONS IN THE CLOUD

Build, Deploy & Operate Intelligent Chatbots with Amazon Lex

Certificate of Registration

The New Normal. Unique Challenges When Monitoring Hybrid Cloud Environments

AWS Solutions Architect Associate (SAA-C01) Sample Exam Questions

Security Camp 2016 Cloud Security. August 18, 2016

Network security monitoring. Patrick Crowley Bo Bayles!

DevOps Course Content

Serverless Architecture Hochskalierbare Anwendungen ohne Server. Sascha Möllering, Solutions Architect

INTRODUCING CISCO SECURITY FOR AWS

WHITE PAPER. RedHat OpenShift Container Platform. Benefits: Abstract. 1.1 Introduction

USE CASE IN ACTION Splunk + Komand

Introduction to Cloud Computing

Training on Amazon AWS Cloud Computing. Course Content

Video on Demand on AWS

Enroll Now to Take online Course Contact: Demo video By Chandra sir

This document (including, without limitation, any product roadmap or statement of direction data) illustrates the planned testing, release and

Building a Self-Defending Border. Shane Baldacchino, Solutions Architect, AWS Marcus Santos, Solutions Architect, AWS

CLOUD AND AWS TECHNICAL ESSENTIALS PLUS

Serverless Computing. Redefining the Cloud. Roger S. Barga, Ph.D. General Manager Amazon Web Services

DATA SHEET AlienVault USM Anywhere Powerful Threat Detection and Incident Response for All Your Critical Infrastructure

CSV-W14 - BUILDING AND ADOPTING A CLOUD-NATIVE SECURITY PROGRAM

AWS Reference Design Document

NEXT GENERATION CLOUD SECURITY

ALIENVAULT USM FOR AWS SOLUTION GUIDE

Build, Don t Buy Enable Analytics, Machine Learning, and Forensics with Security Data Lake on AWS

Hackproof Your Cloud: Preventing 2017 Threats for a New Security Paradigm

Streamline AWS Security Incidents

What s New at AWS? A selection of some new stuff. Constantin Gonzalez, Principal Solutions Architect, Amazon Web Services

IoT Device Simulator

EC2 Scheduler. AWS Implementation Guide. Lalit Grover. September Last updated: September 2017 (see revisions)

Who done it: Gaining visibility and accountability in the cloud

Netflix OSS Spinnaker on the AWS Cloud

DevOps Tooling from AWS

AWS Lambda: Event-driven Code in the Cloud

Cloud Computing. Amazon Web Services (AWS)

Containers, Serverless and Functions in a nutshell. Eugene Fedorenko

PARTLY CLOUDY DESIGN & DEVELOPMENT OF A HYBRID CLOUD SYSTEM

NetWitness Overview. Copyright 2011 EMC Corporation. All rights reserved.

Getting started with AWS security

Security & Compliance in the AWS Cloud. Amazon Web Services

MONITORING SERVERLESS ARCHITECTURES

Reactive Microservices Architecture on AWS

The Divine and Felonious Nature of Cyber Security

Security Aspekts on Services for Serverless Architectures. Bertram Dorn EMEA Specialized Solutions Architect Security and Compliance

We are ready to serve Latest IT Trends, Are you ready to learn? New Batches Info

Security & Compliance in the AWS Cloud. Vijay Rangarajan Senior Cloud Architect, ASEAN Amazon Web

Community Edition Getting Started Guide. July 25, 2018

HashiCorp Vault on the AWS Cloud

RA-GRS, 130 replication support, ZRS, 130

Containers & Microservices For Realists. Karthik

Containers and the Evolution of Computing

Pursuit of stability. Growing AWS ECS in production. Alexander Köhler Frankfurt, September 2018

DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY

ElasticIntel. Scalable Threat Intel Aggregation in AWS

Network Security & Access Control in AWS

Amazon Web Services Training. Training Topics:

Elastic Load Balancing

Transcription:

SESSION ID: CMI1-R09 Eyes Everywhere: Monitoring Today's Borderless Landscape Bill Shinn Principal Security Architect Amazon Web Services @packet791

What we ll cover today Event & Finding Reference Architecture Generating Events and Findings Old and New Design Patterns for Collection/Ingestion/Aggregation Approaches to Processing Analysis and Workflow Call to Action 2

Event & Finding Reference Architecture

Simple Definitions - Events & Findings Events - one time record - or series of records that fire - where you can't change the state of what happened. Examples: record of user activity, details of a network flow, parameters of an API call request/response 4

Simple Definitions - Events & Findings Events - one time record - or series of records that fire - where you can't change the state of what happened. Examples: record of user activity, details of a network flow, parameters of an API call request/response Finding - longer-lived information which reflect the state of something that can be changed. Examples: vulnerability scan result, patch state, software defect, build status, threat level, undesireable state of user entitlements 5

Event & Finding Reference Architecture Event & Finding Generation Event & Finding Collection/Ingestion Aggregation Event & Finding Processing Event & Finding Analysis & Workflow 6

Event & Finding Generation

Event Generation Traditional Sources Source code you write (e.g log.debug( foodebug ); ) Source code you configure (e.g. log4j.properties ) Source code you configure with json, inf, xml files - DEBUG, WARN, INFO, etc.) 8

Event Generation Traditional Sources Source code you write (e.g log.debug( foodebug ); ) Source code you configure (e.g. log4j.properties ) Source code you configure with json, inf, xml files - DEBUG, WARN, INFO, etc.) Operating System log configuration (*nix syslog.conf, Windows Event Log properties) Network devices (router/switch log configuration, firewall changes and drop/accept configuration, IDS/IPS signature set/severity configuration) Security services (application source code scanner job status, vulnerability scanner job status) 9

Finding Generation - Traditional Sources Traditional Sources Patch evaluation task results missing patches Vulnerability scanner results open CVEs Unit test results failed classes/code base + error, failed build Application security assessments (software defects) Questionnaires - 1000 s of vendor due diligence output Access/Entitlement review results (elevated privileges, affirm/reapprove) 10

Demo #1 Events vs Findings from a CVE Assessment Tool 11

Streaming Reference Architecture Assessment/CVE Agent (eg Amazon Inspector) Source Code Repository CI/CD Task Build Target Server Image Factory flow logs 12

Streaming Reference Architecture Assessment/CVE Agent (eg Amazon Inspector) Events (ticketing to ops on failure) Source Code Repository CI/CD Task Build Target Findings (backlog or Jira issue to devs or server build team) Server Image Factory flow logs 13

Event Generation Modern Sources Cloud platform logs (entitlement management events, infrastructure events such as instance launches or network configuration changes) Server-less application logs/streams (cloud-based functions, object storage notification) PaaS & managed database services logs (not in a file, but accessible only via API or table) SaaS logs delivered via download or API feed 14

Demo #2 Cloud Service Provider Platform Logging 15

Demo #3 Server-less Architecture Logging 16

Demo #3 (reference architecture) 17

Event & Finding Collection/Ingestion/Aggregation

Event Collection Traditional Forms Files & remote syslog (ultimately another file, but with some filtering on the way) Database tables Windows Event Log 19

Finding Collection Traditional Forms Static reports (console, csv/excel, pdf) Findings entered into a database table 20

Event & Finding Collection Modern Forms Event Streams Findings available via an API 21

Demo #4 Event Streams 22

Streaming Reference Architecture Amazon EC2 Agent-based Logging Amazon CloudWatch (Log Group/Log Stream) Subscription AWS Lambda Amazon Elasticsearch Service flow logs 23

Streaming Reference Architecture Amazon EC2 Agent-based Logging Amazon CloudWatch (Log Group/Log Stream) Subscription AWS Lambda Subscription Amazon Elasticsearch Service Network Traffic Stream Amazon EC2 Elastic Network Interface Amazon VPC Flow Logs Amazon CloudWatch (Log Group/Log Stream) flow logs 24

Event & Finding Processing

Event & Finding Processing Rules-engine application MapReduce tasks Elasticsearch cluster 26

Demo #5 Cloud-based rules engine 27

Rules Engine Reference Architecture AWS CloudTrail Event Selector Amazon CloudWatch Events Rule Target AWS Lambda Output of function flow logs 28

Event & Finding Analysis and Workflow

Event & Finding Analysis Commercial log/event search tools and product consoles SIEM tools Kibana (part of ELK stack) 30

Analyzing Ephemeral Events & Findings What happens when you log something from a server that no longer exists? Even more with serverless architectures, what happens when you log something from a function call that didn't exist as a running set of code loaded into a servlet container or container until it was invoked? How? Track the configuration, not the configuration item Correlate events from no-longer-existing assets with platform events 31

Event & Finding Enrichment Meta data on objects Resolver groups Data classification Correlation or joins on other sources Extract fields and key off critical key/value pairs to perform lookups on related data such as last change, related objects 32

Event & Finding Workflow Ticketing or case management system DevOps collaboration platforms (Slack, HipChat, etc.) 33

Demo #6 Cloud-based event workflow 34

Cloud-based Workflow Reference Architecture AWS CloudTrail Event Selector Amazon CloudWatch Events Rule Target AWS Lambda flow logs 35

Applied Architecture Call to action - 1-2 weeks Document event & finding flow for 2 critical applications Keep it to super simple documentation like this and check into revision control: Java properties -> flat file -> file monitor agent -> aggregation microservice -> object storage -> Elasticsearch) Java properties -> flat file -> file monitor agent -> aggregation microservice -> stream processing rules engine-> ticketing API) Pair up security analysts with developers to understand log generation and events of interest in 1-2 critical applications 36

Applied Architecture Call to action - 3 months Stand up a centralized log ingestion platform Create micro-services to integrate event/finding processing & analysis tiers with actionable workflow systems 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback