Upgrade to Pro — share decks privately, control downloads, hide ads and more …

All Day DevOps - Automated Infrastructure Secur...

Madhu Akula
November 15, 2016
Technology
2
2k

All Day DevOps - Automated Infrastructure Security Monitoring and Defence (ELK + AWS Lambda)

Slides from my http://www.alldaydevops.com talk on Automated Infrastructure Security Monitoring using FOSS

Madhu Akula

November 15, 2016
Tweet

More Decks by Madhu Akula

See All by Madhu Akula
Interactive Kubernetes Security Learning Playground - Kubernetes Goat @ Black Hat Asia 2023 Arsenal
madhuakula
0
42
Mastering Kubernetes Security with Kubernetes Goat - Cloud-Native Modernization @ TechTarget
madhuakula
0
78
Kubernetes Security Detection Engineering – Mapping Back To MITRE ATT&CK Matrix | HITB 2023 AMS
madhuakula
0
96
Interactive Playground to Learn Kubernetes and Cloud Native Security - KubeCon + CloudNativeCon EU 2023
madhuakula
1
350
Practical Guide to Kubernetes Security for Developers 🚀
madhuakula
0
53
Scaling Kubernetes Security with Kubernetes Goat - All Day DevOps 2022
madhuakula
0
60
Scaling Kubernetes Security with Kubernetes Goat
madhuakula
0
110
Defenders Guide to Kubernetes Security - Dutch Microsoft & Security NL - Summer Security Night (+BBQ)
madhuakula
0
88
Kubernetes Goat - Interactive Kubernetes Security Playground: 2022 Edition
madhuakula
0
66

Other Decks in Technology

See All in Technology
B2B SaaSから見た最近のC#/.NETの進化
sansantech
PRO
0
880
Evangelismo técnico: ¿qué, cómo y por qué?
trishagee
0
360
Adopting Jetpack Compose in Your Existing Project - GDG DevFest Bangkok 2024
akexorcist
0
110
Platform Engineering for Software Developers and Architects
syntasso
1
520
iOS/Androidで同じUI体験をネ イティブで作成する際に気をつ けたい落とし穴
fumiyasac0921
1
110
日経電子版のStoreKit2フルリニューアル
shimastripe
1
140
Making your applications cross-environment - OSCG 2024 NA
salaboy
0
190
開発生産性を上げながらビジネスも30倍成長させてきたチームの姿
kamina_zzz
2
1.7k
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k
OTelCol_TailSampling_and_SpanMetrics
gumamon
1
190
Taming you application's environments
salaboy
0
190
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.7k

Featured

See All Featured
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
How GitHub (no longer) Works
holman
310
140k
Music & Morning Musume
bryan
46
6.2k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
The World Runs on Bad Software
bkeepers
PRO
65
11k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
The Cost Of JavaScript in 2023
addyosmani
45
6.8k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k

Transcript

  1. Automated Infrastructure Security Monitoring using FOSS #AllDayDevOps @madhuakula, Automation Ninja

    Appsecco

  2. About Me ! Automation Ninja at Appsecco Appsecco is a

    specialist application security company Interested in Security, DevOps & Cloud Found bugs in Google, Microsoft, Yahoo, etc Never ending learner! Follow (or) Tweet to me @madhuakula 2

  3. What we are covering today? ELK stack to analyse and

    visualise logs in near real­time ElastAlert to create rules to automatically defend against SSH bruteforce attacks AWS Lambda to do this, since our infra is hosted on AWS Python based Chalice framework for using AWS Lambda 3

  4. Architecture 4

  5. Automated Defence Demo Appsecco Automated Infrastructure Security Monitoring Demo (ELK

    + AWS Lambda) http://bit.ly/addo­aism 5

  6. AWS Lambda ­ Chalice Code https://github.com/appsecco/alldaydevops­aism 6

  7. Security for our AWS Lambda We are primarily doing the

    following two things 1. A sufficiently random token to protect the request when we post the IP address from ElastAlert 2. Whitelist the IP address of the host where the H T T P P O S T request originates from 7

  8. Use Cases for Automated Defence 1. Automated Defender (Attack Alerts

    + Automated Firewall) 2. Security Analytics + Reports 3. Near real­time Centralised Log Monitoring 8

  9. Attack Scenario : Wordpress XML­RPC https://blog.appsecco.com/analysing­attacks­on­a­wordpress­xml­rpc­using­an­ elk­stack­3bf25a7e36cc 9

  10. Needs Improvement More attack signatures required For example OSSEC Wazuh

    Ruleset Improve the ElastAlert Alerter custom code Any suggestions from your side 10

  11. Alternatives to our stack Stack Elastic Graylog TICK Stack Prometheus

    + Grafana Serverless AWS Lambda Azure Functions Cloud Functions 11

  12. Our assumptions You are already monitoring in near real­time using

    the ELK stack You are under attack for a specific service You have configured ElastAlert for your alerting 12

  13. In Summary We created attack threshold rules in ElastAlert We

    created an AWS Lambda endpoint to be able to modify AWS VPC Network ACLs We have a real­time blocking system infinitely scalable 13

  14. References Blog Post Elastic Elast Alert AWS Lambda Chalice 14

  15. None
  16. None

  17. Thanks @madhuakula | @appseccouk | http://appsecco.com