aws meetup nov 2015 - cloudten presentation

©opyright 2015 Cloudten Industries

Upload: darrell-king

Post on 13-Feb-2017


TRANSCRIPT


Security Information & Event Management


• Centralised collection and management of security logs.

• Aggregates data from a wide variety of sources (firewalls, IDS, WAF, anti-virus etc.)

• Analyses and correlates events to provide statistical information and real-time monitoring.


• Threat Detection (before an event)

• Incident Management (post event)

• Auditing and Reporting

• Compliance


• Hardware or virtual appliances

• Various Licensing Models:
  • EPS – Events Per Second
  • FPM – Flows Per Minute
  • Number of log sources
  • Log size per day

• Various Log Collection Methods:
  • Agent (log forwarders, probe connectors …)
  • Agentless (via SSH, syslog, Windows Event Collector)


Appliances

Software


• The basic premise is the same.

• Can be easier, cheaper and quicker to set up.

• It’s just as (if not more) important.

• Potentially much greater “blast radius”


…aaaaand lost it in 2


• Make Security “Job Zero”

• Don’t make security an afterthought.

• Architect security into the foundations


• AWS provides a number of really useful security tools and services “out of the box”

• Nearly all AWS services have APIs that integrate with the security services.

• This provides centralised inputs into either a custom-built SIEM or a third-party solution.


• User accounts, groups and roles

• Create and map fine-grained access policies

• Provides authenticated and auditable access to all resources.

• Federate to an external directory


• A web service that records all kinds of API calls made by AWS resources.

• E.g. changes to security groups, modifying IAM permissions, etc.

• Stores logs in a secure S3 bucket

• One of the most important services from a SIEM and auditing perspective.


• Track and compare infrastructure changes over time

• The ability to restore environment configurations

• Able to snapshot an environment into CloudFormation templates in S3

• Integrates with CloudTrail


• Define rules for how resources are created (e.g. all EBS volumes must be encrypted)

• Can monitor config changes and provide a dashboard to check compliance status

• Makes it easy to see when and how a resource became non-compliant.
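As an added example, not part of the presentation, here is the evaluation logic a custom AWS Config rule Lambda could use to enforce the slide's "all EBS volumes must be encrypted" rule. The configuration items are constructed, the field names follow the Config item format as understood here, and the `lambda_handler` / `resultToken` handling is assumed from the custom-rule interface.

```python
import json

# Constructed configuration items in the shape AWS Config hands a custom rule's Lambda
# (field names assumed from the Config configuration-item format; placeholder IDs).
ENCRYPTED_VOLUME = {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0encrypted",
                    "configurationItemStatus": "OK",
                    "configurationItemCaptureTime": "2015-11-01T00:00:00.000Z",
                    "configuration": {"volumeId": "vol-0encrypted", "encrypted": True}}
PLAIN_VOLUME = {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0plain",
                "configurationItemStatus": "OK",
                "configurationItemCaptureTime": "2015-11-01T00:00:00.000Z",
                "configuration": {"volumeId": "vol-0plain", "encrypted": False}}

def evaluate_volume(item):
    """Return (ComplianceType, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "rule only covers EBS volumes"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "volume has been deleted"
    # Only an explicit True counts; a missing flag is treated as unencrypted, not unknown.
    if item.get("configuration", {}).get("encrypted") is True:
        return "COMPLIANT", "EBS volume is encrypted"
    return "NON_COMPLIANT", "EBS volume is not encrypted; recreate it from an encrypted snapshot"

def build_evaluation(item):
    """Shape one evaluation the way config:PutEvaluations expects it."""
    compliance, note = evaluate_volume(item)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context):
    """Assumed entry point for the custom Config rule."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem")
    if item is None:  # scheduled or oversized notifications carry no item inline
        return None
    evaluation = build_evaluation(item)
    import boto3  # imported here so the evaluation logic above runs without AWS credentials
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation
```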


• Not just basic performance metrics anymore

• Agent-based log collection

• Filtering language to monitor and alert

• Ingests logs from CloudTrail


• Essentially gives the ability to monitor network traffic within a VPC

• Also logs dropped packets (firewall logs)

• Outputs to CloudWatch Logs

• “Free”


• Can block malicious HTTP/S requests

• Sits in front of CloudFront

• Generates CloudWatch metrics


{"Records": [
    {
        "eventVersion": "1.0",
        "userIdentity": {
            "type": "IAMUser",
            "principalId": "EXAMPLE_PRINCIPAL_ID",
            "arn": "arn:aws:iam::123456789012:user/Jeff",
            "accountId": "123456789012",
            "accessKeyId": "EXAMPLE_KEY_ID",
            "userName": "Jeff",
            "sessionContext": {
                "attributes": {
                    "mfaAuthenticated": "false",
                    "creationDate": "2015-08-25T04:04:11Z"
                }
            }
        },
        "eventTime": "2015-08-25T04:12:22Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "AddUserToGroup",
        "awsRegion": "ap-southeast-2",
        "sourceIPAddress": "127.0.0.1",
        "userAgent": "AWSConsole",
        "requestParameters": {
            "userName": "Bob",
            "groupName": "admin"
        },
        "responseElements": null
    }
]}
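The record above is the raw material a SIEM rule works on. As an added example that is not from the presentation, this Python reads a CloudTrail delivery of the same shape and raises findings for two of the changes the slides single out: a user added to a privileged group (worse when the caller had no MFA) and a security group opened to the whole internet. The sample records, the group names and the severity labels are constructed for the demonstration.

```python
import json
# Constructed sample CloudTrail delivery, modelled on the AddUserToGroup record on the
# slide (placeholder names, RFC 5737 addresses, no real account data).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventName": "AddUserToGroup", "eventSource": "iam.amazonaws.com",
     "eventTime": "2015-08-25T04:12:22Z", "sourceIPAddress": "127.0.0.1",
     "userIdentity": {"type": "IAMUser", "userName": "Jeff",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"userName": "Bob", "groupName": "admin"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "eventTime": "2015-08-25T05:00:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "Alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "eventTime": "2015-08-25T05:01:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "Alice"}, "requestParameters": None},
]})

PRIVILEGED_GROUPS = {"admin", "administrators"}   # assumed naming; adapt to your account

def mfa_used(record):
    """CloudTrail stores the MFA flag as the strings "true"/"false"; absent counts as no MFA."""
    ctx = record.get("userIdentity", {}).get("sessionContext") or {}
    return ctx.get("attributes", {}).get("mfaAuthenticated") == "true"

def world_open_ports(params):
    """Port ranges an AuthorizeSecurityGroupIngress call opened to 0.0.0.0/0 or ::/0."""
    ports = []
    for perm in ((params or {}).get("ipPermissions") or {}).get("items", []):
        ranges = perm.get("ipRanges", {}).get("items", []) + perm.get("ipv6Ranges", {}).get("items", [])
        if any(r.get("cidrIp") == "0.0.0.0/0" or r.get("cidrIpv6") == "::/0" for r in ranges):
            ports.append((perm.get("fromPort"), perm.get("toPort")))
    return ports

def analyse(trail_json):
    """Run both detections over every record; returns a list of (severity, message)."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        who, ip = rec.get("userIdentity", {}).get("userName", "?"), rec.get("sourceIPAddress")
        params, name = rec.get("requestParameters") or {}, rec.get("eventName")
        if name == "AddUserToGroup" and params.get("groupName", "").lower() in PRIVILEGED_GROUPS:
            sev = "MEDIUM" if mfa_used(rec) else "HIGH"   # privilege grant without MFA is the worse case
            findings.append((sev, f"{who} added {params.get('userName')} to {params['groupName']} from {ip}"))
        elif name == "AuthorizeSecurityGroupIngress":
            for lo, hi in world_open_ports(params):
                findings.append(("HIGH", f"{who} opened {params.get('groupId')} {lo}-{hi} to the world"))
    return findings
```

In practice the same checks would run on the gzipped delivery files in the CloudTrail S3 bucket, or be expressed as a CloudWatch Logs metric filter once CloudTrail is feeding CloudWatch.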


• You have all the logs, but what do you do with them?

• CloudWatch/Logs is good … but

• There are a number of specialist log management vendors who have adapted their products to work as a SIEM.

• They provide compliance, auditing and proactive monitoring capabilities.


Collect & Aggregate
  • Many and varied sources
  • Across environments
  • Safe, secure & fast

Visualize & Alert
  • Real-time dashboards
  • Proactive alerting
  • Out-of-the-box apps

Investigate & Take Action
  • Search and troubleshoot
  • Identify unknowns
  • Analyze, triage and isolate

Monitor & Optimize
  • Detect anomalies
  • Predict and preempt issues
  • Streamline and improve processes


• Security is a full-time job

• Many companies don’t have the time/resources to keep on top of everything

• Skilled security resources are expensive.

• Many high-profile organisations choose to outsource SIEM responsibilities.


• Security-focused AWS consulting partner

• AWS Certified to the highest level

• Consulting/Managed Services

• Come and talk to us!
