Using Splunk/ELK for Auditing AWS/GCP/Azure
Security Posture
By Rod Soto and José Hernandez
$Whoami
José Hernandez
Principal Security Researcher at Splunk. He started his professional career at
Prolexic Technologies (now Akamai), fighting DDoS attacks against Fortune 100
companies perpetrated by "anonymous" and "lulzsec." As an engineering
co-founder of Zenedge Inc. (acquired by Oracle Inc.), José helped build
technologies to fight bots and web-application attacks. He has also built security
operation centers and run a public threat-intelligence service.
Rod Soto
Principal Security Research Engineer at Splunk. Worked at Prolexic Technologies
(now Akamai), and Caspida. Cofounder of Hackmiami and Pacific Hackers
meetups and conferences. Creator of Kommand && KonTroll / NoQrtr-CTF.
Security in the Cloud...
● The cloud is prevalent and pervasive in all that we do.
● Cloud providers are not invulnerable and attacks against them affect our lives.
● As cloud adoption expands, there are an increasing number of new
technologies and unknowns.
● Cloud security is not an exact translation of inside-the-perimeter security.
● Every provider has its own set of technologies, features, and security items.
● While there are several cloud-security initiatives, it is still an ongoing effort.
● There is a range of emerging tools designed to assess the cloud. We chose
CS Suite because it helps analysts assess Azure, AWS, and GCP.
...Security in the Cloud
The Imaginary Line Between Provider And Customer
The Imaginary Line Is Not That Imaginary… AWS
Azure
GCP
Cloud Attacks Highlights
● Sony (2011): 77M users
● iCloud (2014): The Fappening
● CloudHopper: (2014 - 2016 - )(IBM, Fujitsu, NTT Data, Tata, HP, DXC,
Dimension, CSC)
● Ashley Madison: (2015) / AFF (2015/2016)
● Equifax (2017): 143M customers
● HBO (2017): 1.5 TB of data stolen, including unreleased GoT
● Marriott (2018): 327M accounts
● Kubernetes: CVE-2018-1002105 (PrivEsc)
● Yup…2019 Capital One: 100M accounts
Main Cloud Attack Vectors CSA: "Treacherous 12"
1. Data breaches
2. Insufficient identity, credential, and access management
3. Insecure interfaces and application-programming
interfaces (APIs)
4. System vulnerabilities
5. Account hijacking
6. Malicious insiders
Main Cloud Attack Vectors CSA: Treacherous 12
7. Advanced persistent threats (APTs)
8. Data loss
9. Insufficient due diligence
10. Abuse and nefarious use of cloud services
11. Denial of Service (DoS)
12. Shared technology vulnerabilities
Main Targets of Cloud Attacks
● Users: ATO, key exfil, phishing
● Providers: AZ, AWS, GCP
● Admins: Like Domain Admin, they have access to all
● Resources: Cryptomining, DDoS for rent
● Data: Everyone's private life and work information
● Third parties: a partner or co-tenant gets hacked and the actor pivots to
your cloud; attacks affecting the IdP
DevOps Attack Surface (CI/CD Pipeline)
● Source code repository: Bitbucket, Beanstalk, Github,
Gitlab, SVN, S3 buckets
● CI/CD platform: TravisCI, Jenkins, CircleCI, Gitlab
● Container repository: Docker, Vagrant
● IaaS Provider: Kubernetes flavor, OpenStack (this may
also be local in some private, hybrid environments)
● IaC: Ansible, Terraform, Chef, CloudFormation
Main Cloud Attack Surface Segments
● HTTP, API, web services, web sockets
● Compute backend, distributed processing
● CLAN/CWAN
● Databases: SQL/NOSQL
● Storage (block, object, file)
● Internet/intranet client
Can We Create Common Criteria For Cloud Security?
Common Criteria For Cloud Security
1. Network: External access, VLAN/VWAN, VPN, routing
2. Security: CIA → heavy emphasis on IAM, encryption, and FWs
3. Compute: Artifacts such as virtual machines, containers, apps,
microservices
4. Database: SQL, NOSQL
5. Storage: Basically buckets and file type storage (block, object, file)
6. Management: Kubernetes flavor, logging setup, Management
access
Common Criteria for Cloud Security Audits
Compute
AWS: EC2, Lightsail, Lambda, Elastic Beanstalk, ECS, EKS, Batch, ECR,
Kubernetes
Azure: Virtual machines (VMs), load balancers, app services, batch, Mesh, disks,
Kubernetes
GCP: VM Instances, disks, snapshots, images, TPUs, metadata, zones,
Kubernetes, "big data"
Common Criteria for Cloud Security Audits
Management
AWS: Console, CloudTrail, Config, OpsWorks, Systems Manager, CloudFormation, Kubernetes
Azure: Console, Monitor, Advisor, activity log, metrics, manage applications, solutions, Kubernetes
GCP: Console, StackDriver, audit logs, cloud tasks
Common Criteria for Cloud Security Audits
Storage
AWS: S3, EFS, FSx, S3 Glacier, storage gateway, AWS backup
Azure: Data Box, Storage explorer, StorSimple, Data Lake Storage
GCP: Bigtable, Buckets, DataStore, FireStore, Filestore, Spanner, Memorystore
Common Criteria for Cloud Security Audits
Security
AWS: IAM, Resource Access Manager, Secrets Manager, GuardDuty, AWS SSO, Certificate Manager,
Key Management Service, Dir Service, WAF & Shield, Security Hub
Azure: Azure AD, Security Center (encryption, FW, WAF, etc.), Azure Vault
GCP: Security Command Center, Cloud Identity-Aware Proxy, Access Context Manager, VPC, Binary
Authorization, Data Loss Prevention, cryptographic keys, Access Approval, Web Security Scanner
Common Criteria for Cloud Security Audits
Network
AWS: VPC, CloudFront, Route53, API Gateway, Direct Connect, AWS App Mesh, AWS Cloud Map, Global
Accelerator
Azure: Virtual Networks, Load Balancers, DNS zones, CDN, Traffic Manager, ExpressRoutes, IPs,
route tables/filters, Virtual WANS, Network Interfaces
GCP: Virtual Private Cloud network, Network Services, Hybrid Connectivity, Network Service Tiers,
network security
Common Criteria for Cloud Security Audits
Database
AWS: RDS, DynamoDB, ElastiCache, Neptune, Amazon Redshift, Amazon QLDB, Amazon DocumentDB
Azure: SQL DB, Azure DB for PostGres/MariaDB, Redis, SQL Elastic pools, Cosmos DB
GCP: Datastore, BigQuery, MongoDB, PostgreSQL
Enter Cloud Security Suite
One-stop tool for auditing the security posture of AWS/GCP/Azure infrastructure.
Gathers and presents unified information from the following tools:
● GScout
● Scout2
● Prowler
● Lynis
● Azure Audit template
Installation
Github https://github.com/SecurityFTW/cs-suite
● We modified the original project to produce output logs that can be ingested
by major SIEM frameworks.
● You will need the provider CLI tools, accounts with read privileges and, in
some cases, an API token for authentication.
● The visibility you get may vary, depending on how resources are segmented
and on the organizational architecture.
● The tool, however, presents a nice report category interface.
Azure Security Benchmarks
GCP Security Benchmark
AWS Security Benchmarks
The Challenge Of Getting All These Sources Together...
● Logging in the cloud costs money and takes time to set up. It is not provided
by default (CloudTrail, Stackdriver, Azure Monitor, GCP Stackdriver).
● A log indexing and data streaming pipeline (Splunk/ELK) needs to be in place.
● An architecture for streaming and storage.
● A framework that allows analysis and further knowledge operations (basically
a SIEM).
● Most cloud providers emit JSON. Not all monitoring logs are JSON, but enough
of them are to get a first comprehensive view.
Architectural Diagram
Integration with popular SIEMS Splunk/ELK
- Based on the common criteria items we can create knowledge objects that
give the analyst better visibility into cloud security resources.
- Dashboards and reports help analysts make sense of the onslaught of logs
coming from such disparate sources.
- We can then create alerts, lookups and even SOAR playbooks that help us
automate responses to that flood of logs.
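The ingestion step the two slides above describe (scanner findings, mostly JSON, normalized so the SIEM can build lookups, dashboards and alerts on them), as an added example that is not part of the deck or of the CS Suite project: a small Python normalizer that maps every finding onto the six common-criteria categories through a lookup table, quarantines lines it cannot parse (the non-JSON case the slide mentions) instead of dropping them, and selects alert candidates by severity. The finding schema, the service-to-criteria lookup and every sample line are constructed assumptions, not CS Suite's real output format or any provider's real resource names.

```python
"""Normalize cloud-audit findings into SIEM-ready events and raise alerts.

Added example with an assumed finding format; it is not CS Suite's output schema.
"""
import json
import re
from collections import Counter

# Constructed sample input: JSON findings in an assumed CS-Suite-like shape,
# one key=value line standing in for a non-JSON host scanner (Lynis-style),
# and one line of garbage. All resource names and values are made up.
RAW_LINES = [
    '{"provider":"aws","service":"s3","check":"bucket_public_acl","resource":"arn:aws:s3:::example-logs","status":"FAIL","severity":"high"}',
    '{"provider":"aws","service":"iam","check":"root_mfa_enabled","resource":"root","status":"FAIL","severity":"critical"}',
    '{"provider":"gcp","service":"gke","check":"legacy_abac_disabled","resource":"projects/demo/clusters/prod","status":"PASS","severity":"medium"}',
    '{"provider":"azure","service":"storage","check":"secure_transfer_required","resource":"examplestorage","status":"FAIL","severity":"medium"}',
    'provider=linux service=lynis check=SSH-7408 resource=vm-01 status=WARN severity=low',
    'this line is garbage and should be quarantined',
]

# Lookup table (assumed mapping): provider service name -> one of the deck's six
# common-criteria categories, so dashboards can pivot on a single field across
# AWS, GCP and Azure instead of per-provider service names.
CRITERIA_LOOKUP = {
    "aws": {"s3": "storage", "iam": "security", "ec2": "compute", "rds": "database",
            "vpc": "network", "cloudtrail": "management"},
    "gcp": {"gke": "compute", "gcs": "storage", "iam": "security", "vpc": "network",
            "stackdriver": "management", "bigquery": "database"},
    "azure": {"storage": "storage", "vm": "compute", "ad": "security", "vnet": "network",
              "monitor": "management", "sql": "database"},
    "linux": {"lynis": "compute"},
}

KV_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = ("provider", "service", "check", "resource", "status", "severity")
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_line(line):
    """Parse one JSON or key=value line into a dict; None if it is unusable."""
    line = line.strip()
    if line.startswith("{"):
        try:
            data = json.loads(line)
        except json.JSONDecodeError:
            return None
    else:
        data = dict(KV_RE.findall(line))   # non-JSON scanners: key=value fallback
    if not all(k in data for k in REQUIRED):
        return None
    return data


def normalize(raw_lines):
    """Turn raw scanner lines into uniform events; keep unparseable lines for review."""
    events, quarantined = [], []
    for line in raw_lines:
        data = parse_line(line)
        if data is None:
            quarantined.append(line)   # never silently drop: a gap in audit data is itself a finding
            continue
        provider, service = data["provider"].lower(), data["service"].lower()
        events.append({
            "provider": provider,
            "service": service,
            "criteria": CRITERIA_LOOKUP.get(provider, {}).get(service, "unmapped"),
            "check": data["check"],
            "resource": data["resource"],
            "status": data["status"].upper(),
            "severity": data["severity"].lower(),
            "sourcetype": "cloud:audit:finding",   # one sourcetype for all providers in the SIEM
        })
    return events, quarantined


def failed_findings(events, min_severity="high"):
    """Alert candidates: failed or warning checks at or above the given severity."""
    floor = SEVERITY_RANK[min_severity]
    return [e for e in events
            if e["status"] in ("FAIL", "WARN")
            and SEVERITY_RANK.get(e["severity"], 0) >= floor]


def posture_summary(events):
    """Dashboard-style rollup: number of non-passing checks per criteria category."""
    return dict(Counter(e["criteria"] for e in events if e["status"] != "PASS"))


def to_ndjson(events):
    """Newline-delimited JSON, one event per line, ready for a Splunk HEC or Logstash input."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    evts, bad = normalize(RAW_LINES)
    print(to_ndjson(evts))
    print("alerts:", [(e["provider"], e["check"]) for e in failed_findings(evts)])
    print("failures by criteria:", posture_summary(evts))
    print("quarantined:", bad)
```

The `criteria` field is the knowledge object the slide refers to: once every event carries it, a single dashboard panel or alert condition covers all three providers, and the `unmapped` value surfaces services the lookup table does not yet know about.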
ELK (Logstash, Kibana)
Splunk
Splunk Alerts on Results
Q&A
Thank You!
Rod Soto @rodsoto rod@rodsoto.net
Jose Hernandez @d1vious josehelps.com
