BAY AREA
Native Cloud Security Monitoring
“A journey through bootstrapping security logging and monitoring in AWS”
● Senior Security Engineer at Segment
● Author of Cloud-Based Rube Goldberg Machines
● 8 years' experience building SIEM and SOAR platforms
for the enterprise
Who am I and why should you care?
What this is about
● To get better visibility on events in our
accounts.
● To automate incident detection and
response
● Facilitate effective threat hunting
Why are we here?
What this is about
● Configure requisite services (CloudTrail,
GuardDuty, ElasticSearch)
● Assemble our services into monitoring
infrastructure
● Apply some best practices
How do we get there?
Security Monitoring on AWS
CloudTrail - Consider this the audit and activity log for everything related to
the resources, users and actions in your account.
✅ Relatively easy to configure
✅ Covers the majority of AWS
services
❌ Limited search capabilities
❌ Limited export capability
Security Monitoring on AWS
✅ Easy to configure and deploy
✅ Monitors and alerts on events
without additional configuration
✅ Supports external threat feeds
✅ Under active development
❌ Disabled by default
❌ No access to source log data
❌ No custom alerts
GuardDuty - This is our intrusion detection system. It generates findings for
suspicious activity seen in CloudTrail, DNS and VPC Flow logs.
Security Monitoring on AWS
✅ Industry Standard
✅ Helps contextualize data
✅ Search capabilities facilitate threat
hunting
❌ Poor defaults
❌ Index management can be
challenging
AWS ElasticSearch - A managed SaaS search solution based on open
source software, bundled with Kibana for data visualization (ELK)
CloudTrail
❌ Limited search
capabilities
❌ Limited export
capability
GuardDuty
❌ Disabled by default
❌ No access to source
log data
❌ No custom alerts
ElasticSearch
❌ Poor defaults
❌ Index management
can be challenging
Summary of Pain
● Deploy all required services and components automatically
● Extend log retention beyond 90 days (configurable)
● Tune ElasticSearch for ingesting CloudTrail logs
● Allow custom alert generation
● Enhance search capabilities and eliminate weak defaults
✨ Fault Tolerant
✨ Scalable
✨ Self-Maintaining
Easing the pain - our solution
The Shopping List
● AWS ElasticSearch
● AWS CloudTrail
● AWS GuardDuty
● Terraform 0.11+
● Lambda*
● Cloudwatch Trigger
● Kinesis Streams
● Kinesis Firehose
● S3 Buckets
● IAM Roles
Reference Architecture
Infrastructure as Code
● All components will be
arranged and
configured by
Terraform
● A resource name and
an IP are all you need
to get started
Building the solution
Infrastructure as Code
● After about 15 minutes
we have the full ELK
● Lambda replaces
Logstash providing
serverless log
ingestion
Building the solution
Terraform plan below
1. CloudTrail logs are written to S3
2. S3 ObjectCreated events trigger our log processing function
3. Lambda processes the log and delivers it to a Kinesis stream
4. Kinesis Firehose reads from the Kinesis stream
5. Kinesis Firehose delivers stream data to the ElasticSearch index
CloudTrail Logs
Log processing function (Lambda):
● Written in Go
● Highly efficient
● Cost effective
1. New GuardDuty findings trigger a CloudWatch event
2. CloudWatch sends the GuardDuty finding to a Kinesis stream
3. Kinesis Firehose reads from the Kinesis stream
4. Kinesis Firehose delivers stream data to the ElasticSearch index
GuardDuty Logs
Building the solution
Logs are now flowing
● Data arrives in real
time
● Kinesis streams allow
us to retain log data
and control flow rate
● Kinesis firehose allows
us to retry delivery in
case of downstream
failure
Applying best practices
● CloudTrail logs can
potentially have
thousands of fields, so
the index mapping must
be kept under control
● Evenly distribute
index shards across
cluster nodes
Building the solution
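The two slides above, "CloudTrail Logs" (steps 2 and 3: S3 ObjectCreated triggers a Go Lambda that delivers events to a Kinesis stream) and the "thousands of fields" point here, are illustrated by the following Go program. It is an added example, not code from the talk or from the Eager-Locomotive repository. It gunzips one CloudTrail S3 object, splits its "Records" array into individual events, converts the two nested objects whose keys vary per API call (requestParameters and responseElements) into JSON strings so the ElasticSearch mapping does not grow with every new key, and hands the events to a sink in PutRecords-sized batches. The RecordSink interface, the MemorySink, the choice to flatten exactly those two fields and the sample trail contents are all assumptions of this example; in the Lambda the sink would wrap the Kinesis PutRecords call, which is not shown.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/json"
	"fmt"
	"io"
)

// Kinesis PutRecords limits: 500 records per call, 1 MiB per record.
const (
	maxRecordsPerPut = 500
	maxRecordBytes   = 1 << 20
)

// cloudTrailFile is the shape of one gzipped object CloudTrail writes to S3:
// a single JSON document holding a "Records" array of events.
type cloudTrailFile struct {
	Records []map[string]json.RawMessage `json:"Records"`
}

// highCardinalityFields are nested objects whose keys differ per API call.
// Indexed as objects, every new key grows the ElasticSearch mapping; stored
// as a JSON string they stay searchable as text and the mapping stays flat.
// Flattening exactly these two fields is this example's choice.
var highCardinalityFields = []string{"requestParameters", "responseElements"}

// RecordSink receives processed events. In the Lambda this would wrap the
// Kinesis PutRecords call (assumed, not shown); MemorySink stands in offline.
type RecordSink interface {
	PutRecords(batch [][]byte) error
}

type MemorySink struct{ Batches [][][]byte }

func (m *MemorySink) PutRecords(batch [][]byte) error {
	m.Batches = append(m.Batches, batch)
	return nil
}

// ProcessCloudTrailObject gunzips one CloudTrail object, splits it into
// individual events, flattens the high-cardinality fields and ships the
// events in PutRecords-sized batches. It reports how many were shipped and
// how many were dropped for exceeding the per-record limit.
func ProcessCloudTrailObject(gz io.Reader, sink RecordSink) (shipped, dropped int, err error) {
	zr, err := gzip.NewReader(gz)
	if err != nil {
		return 0, 0, fmt.Errorf("gunzip: %w", err)
	}
	defer zr.Close()
	var file cloudTrailFile
	if err := json.NewDecoder(zr).Decode(&file); err != nil {
		return 0, 0, fmt.Errorf("decode CloudTrail file: %w", err)
	}
	batch := make([][]byte, 0, maxRecordsPerPut)
	flush := func() error {
		if len(batch) == 0 {
			return nil
		}
		if err := sink.PutRecords(batch); err != nil {
			return err
		}
		shipped += len(batch)
		batch = make([][]byte, 0, maxRecordsPerPut)
		return nil
	}
	for _, rec := range file.Records {
		for _, f := range highCardinalityFields {
			if raw, ok := rec[f]; ok && string(raw) != "null" {
				s, _ := json.Marshal(string(raw)) // nested object -> JSON string literal
				rec[f] = json.RawMessage(s)
			}
		}
		out, err := json.Marshal(rec)
		if err != nil {
			return shipped, dropped, err
		}
		if len(out) > maxRecordBytes {
			dropped++ // skip the oversized event instead of failing the whole object
			continue
		}
		batch = append(batch, out)
		if len(batch) == maxRecordsPerPut {
			if err := flush(); err != nil {
				return shipped, dropped, err
			}
		}
	}
	return shipped, dropped, flush()
}

// BuildSampleObject returns a gzipped, CloudTrail-shaped file with n
// constructed events (sample data, not a real trail).
func BuildSampleObject(n int) []byte {
	records := make([]map[string]interface{}, 0, n)
	for i := 0; i < n; i++ {
		records = append(records, map[string]interface{}{
			"eventTime":         "2019-06-01T12:00:00Z",
			"eventSource":       "iam.amazonaws.com",
			"eventName":         "CreateUser",
			"sourceIPAddress":   "198.51.100.7", // RFC 5737 documentation address
			"userIdentity":      map[string]string{"type": "IAMUser", "userName": "alice"},
			"requestParameters": map[string]interface{}{"userName": fmt.Sprintf("svc-%d", i)},
			"responseElements":  nil,
		})
	}
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	_ = json.NewEncoder(zw).Encode(map[string]interface{}{"Records": records})
	_ = zw.Close()
	return buf.Bytes()
}

func main() {
	sink := &MemorySink{}
	shipped, dropped, err := ProcessCloudTrailObject(bytes.NewReader(BuildSampleObject(3)), sink)
	fmt.Println("shipped:", shipped, "dropped:", dropped, "batches:", len(sink.Batches), "err:", err)
}
```

Dropping an oversized event rather than returning an error is a deliberate choice: an S3 trigger that fails is retried and would block every other event in the same object, so the Lambda should count and log the drop and move on. A real sink also needs a partition key per record (the event's eventID is a reasonable choice) and has to inspect the per-record failure list that PutRecords returns.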
Raw log data is now searchable
Visualization adds context
● Built in monitoring and
alerting functionality
● Triggered by search
results
● Alerts can be sent
directly to Slack,
webhooks or SNS
topics
Creating Alerts
Creating Alerts
Monitors
● Define an execution
schedule
● Define an extraction
query
Triggers
● Define trigger
conditions for your
monitor
● Triggers define when
we should be notified
Creating Alerts
Actions
● Define alert action and
destination
Creating Alerts
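The Monitors / Triggers / Actions model from the three slides above, as an added Go example (not code from the talk, and not the ElasticSearch alerting plugin itself): a Monitor is a scheduled extraction query with a group-by key, a Trigger is a threshold on the query result, and an Action renders the markdown alert text that would go to Slack, a webhook or an SNS topic. The example rule, repeated failed console logins from one source address, its threshold and window, the Kibana link and the sample events are all constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Event is the subset of a CloudTrail record the monitor needs.
type Event struct {
	EventTime       time.Time
	EventName       string
	SourceIPAddress string
	ErrorMessage    string // non-empty on a failed ConsoleLogin
}

// Monitor: an extraction query run on a schedule.
type Monitor struct {
	Name    string
	Every   time.Duration         // execution schedule
	Window  time.Duration         // how far back the query looks
	Query   func(e Event) bool    // which events the query matches
	GroupBy func(e Event) string  // aggregation key, e.g. source IP
}

// Trigger: condition on the query result that decides whether we are notified.
type Trigger struct {
	Name      string
	Severity  string
	Threshold int // fire when any group reaches this many hits in the window
}

// Action: where the alert goes and how its markdown text is rendered.
type Action struct {
	Destination string // "slack", "webhook" or "sns" (names are this example's)
	Render      func(m Monitor, tr Trigger, key string, hits int) string
}

// Alert is one fired trigger.
type Alert struct {
	Trigger, Key string
	Hits         int
	Message      string
}

// Run executes the monitor over events as of now, evaluates the trigger per
// group and returns the alerts the action would send, sorted by key.
func Run(m Monitor, tr Trigger, a Action, events []Event, now time.Time) []Alert {
	since := now.Add(-m.Window)
	counts := map[string]int{}
	for _, e := range events {
		if e.EventTime.Before(since) || e.EventTime.After(now) || !m.Query(e) {
			continue
		}
		counts[m.GroupBy(e)]++
	}
	var alerts []Alert
	for key, hits := range counts {
		if hits >= tr.Threshold {
			alerts = append(alerts, Alert{tr.Name, key, hits, a.Render(m, tr, key, hits)})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Key < alerts[j].Key })
	return alerts
}

// FailedConsoleLoginMonitor is the example rule: repeated failed console
// logins from one source address. Threshold and window are assumptions.
func FailedConsoleLoginMonitor() (Monitor, Trigger, Action) {
	m := Monitor{
		Name:   "failed-console-logins",
		Every:  time.Minute,
		Window: 10 * time.Minute,
		Query: func(e Event) bool {
			return e.EventName == "ConsoleLogin" && e.ErrorMessage != ""
		},
		GroupBy: func(e Event) string { return e.SourceIPAddress },
	}
	tr := Trigger{Name: "repeated-failed-console-logins", Severity: "high", Threshold: 5}
	a := Action{
		Destination: "slack",
		Render: func(m Monitor, tr Trigger, key string, hits int) string {
			// The Kibana URL is a placeholder; a real action links to the
			// Discover view with the query and time range filled in.
			return fmt.Sprintf("**%s** (%s): %d failed ConsoleLogin events from `%s` in the last %s\n"+
				"[source data](https://kibana.example.invalid/app/discover?q=sourceIPAddress:%s)",
				tr.Name, tr.Severity, hits, key, m.Window, key)
		},
	}
	return m, tr, a
}

// SampleEvents builds constructed events: 6 failures from one address inside
// the window, 2 failures and 1 success from another, 1 old failure outside it.
func SampleEvents(now time.Time) []Event {
	var ev []Event
	for i := 0; i < 6; i++ {
		ev = append(ev, Event{now.Add(-time.Duration(i) * time.Minute), "ConsoleLogin", "198.51.100.7", "Failed authentication"})
	}
	return append(ev,
		Event{now.Add(-2 * time.Minute), "ConsoleLogin", "203.0.113.9", "Failed authentication"},
		Event{now.Add(-3 * time.Minute), "ConsoleLogin", "203.0.113.9", "Failed authentication"},
		Event{now.Add(-3 * time.Minute), "ConsoleLogin", "203.0.113.9", ""},
		Event{now.Add(-30 * time.Minute), "ConsoleLogin", "198.51.100.7", "Failed authentication"},
	)
}

func main() {
	now := time.Date(2019, 6, 1, 12, 0, 0, 0, time.UTC)
	m, tr, a := FailedConsoleLoginMonitor()
	for _, al := range Run(m, tr, a, SampleEvents(now), now) {
		fmt.Println(al.Message)
	}
}
```

Running the rule locally over sample events like this is the cheapest way to check a threshold before it is deployed as a monitor: the old failure outside the window and the successful login are excluded, the second address stays below the threshold, and only the first address fires.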
● Alert text is fully
customizable via
markdown
● Include links to source
data
● Alerts can trigger other
events via Lambda
(webhook)
Creating Alerts
● Alert history is
maintained
automatically
● Alerts can easily be
enabled/disabled
● Alert configurations
can be exported
Creating Alerts
Wrapping things up
✨ Extend visibility
■ Logs can be retained in ElasticSearch and S3 for a
configurable period of time
✨ Facilitate threat hunting
■ ElasticSearch allows us to search and visualize all our log
data
✨ Automate detection and response
■ ElasticSearch monitoring and alerting can notify us of
conditions in our CloudTrail logs
✨ Easily deploy all resources
■ The entire solution is deployed using Terraform, only
requiring a name and client IP
Wrapping things up
Terraform plan available here:
https://github.com/louisbarrett/Eager-Locomotive
git clone https://github.com/louisbarrett/eager-locomotive
cd eager-locomotive
terraform init
terraform plan / terraform apply
Terraform Plan QR
Platform demo configuration and cost metrics
Instance type: t2.medium.elasticsearch
Number of instances: 1
Master instance type: n/a
Number of master instances: 0
Storage type: EBS
EBS volume type: General Purpose (SSD)
EBS volume size: 30 GB
ElasticSearch was the primary cost driver.
● Consuming 307 MB of log data per week, cost approximately $200 per month
● Suitable for lab environments, or low traffic environments
Platform production configuration and cost metrics
Instance type: m5.large.elasticsearch
Number of instances: 20
Master instance type: c5.large.elasticsearch
Number of master instances: 3
Storage type: EBS
EBS volume type: General Purpose (SSD)
EBS volume size: 512 GB
ElasticSearch was the primary cost driver.
● Consuming 2 TB of log data per week, cost approximately $3k per month
● Total platform storage in this configuration is 10 TB
● Remarkably stable, fast, and reliable
Wrapping things up
ElasticSearch New Defaults:
Terraform Plan QR
