Upgrade to Pro — share decks privately, control downloads, hide ads and more …

All Day DevOps - Automated Infrastructure Secur...

Madhu Akula
November 15, 2016
Technology
2
2k

All Day DevOps - Automated Infrastructure Security Monitoring and Defence (ELK + AWS Lambda)

Slides from my http://www.alldaydevops.com talk on Automated Infrastructure Security Monitoring using FOSS

Madhu Akula

November 15, 2016
Tweet

More Decks by Madhu Akula

See All by Madhu Akula
Interactive Kubernetes Security Learning Playground - Kubernetes Goat @ Black Hat Asia 2023 Arsenal
madhuakula
0
39
Mastering Kubernetes Security with Kubernetes Goat - Cloud-Native Modernization @ TechTarget
madhuakula
0
77
Kubernetes Security Detection Engineering – Mapping Back To MITRE ATT&CK Matrix | HITB 2023 AMS
madhuakula
0
93
Interactive Playground to Learn Kubernetes and Cloud Native Security - KubeCon + CloudNativeCon EU 2023
madhuakula
1
350
Practical Guide to Kubernetes Security for Developers 🚀
madhuakula
0
51
Scaling Kubernetes Security with Kubernetes Goat - All Day DevOps 2022
madhuakula
0
60
Scaling Kubernetes Security with Kubernetes Goat
madhuakula
0
110
Defenders Guide to Kubernetes Security - Dutch Microsoft & Security NL - Summer Security Night (+BBQ)
madhuakula
0
87
Kubernetes Goat - Interactive Kubernetes Security Playground: 2022 Edition
madhuakula
0
65

Other Decks in Technology

See All in Technology
Figma Dev Modeで進化するデザインとエンジニアリングの協働 / figma-with-engineering
cyberagentdevelopers
PRO
1
430
Amazon FSx for NetApp ONTAPを利用するにあたっての要件整理と設計のポイント
non97
1
160
日経電子版におけるリアルタイムレコメンドシステム開発の事例紹介/nikkei-realtime-recommender-system
yng87
1
500
なんで、私がAWS Heroに!? 〜社外の広い世界に一歩踏み出そう〜
minorun365
PRO
6
1.1k
AWS re:Inventを徹底的に楽しむためのTips / Tips for thoroughly enjoying AWS re:Invent
yuj1osm
1
560
Product Engineer Night #6プロダクトエンジニアを育む仕組み・施策
hacomono
PRO
1
470
[JAWS-UG金沢支部×コンテナ支部合同企画]コンテナとは何か
furuton
3
250
10分でわかるfreee エンジニア向け会社説明資料
freee
18
520k
独自ツール開発でスタジオ撮影をDX!「VLS(Virtual LED Studio)」 / dx-studio-vls
cyberagentdevelopers
PRO
1
180
Jr. Championsになって、強く連携しながらAWSをもっと使いたい!~AWSに対する期待と行動~
amixedcolor
0
190
顧客が本当に必要だったもの - パフォーマンス改善編 / Make what is needed
soudai
24
6.8k
とあるユーザー企業におけるリスクベースで考えるセキュリティ業務のお話し
4su_para
3
320

Featured

See All Featured
GraphQLの誤解/rethinking-graphql
sonatard
66
9.9k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
GraphQLとの向き合い方2022年版
quramy
43
13k
For a Future-Friendly Web
brad_frost
175
9.4k
Docker and Python
trallard
40
3.1k
Designing the Hi-DPI Web
ddemaree
280
34k
Music & Morning Musume
bryan
46
6.1k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
Visualization
eitanlees
144
15k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
The Invisible Side of Design
smashingmag
297
50k

Transcript

  1. Automated Infrastructure Security Monitoring using FOSS #AllDayDevOps @madhuakula, Automation Ninja

    Appsecco

  2. About Me ! Automation Ninja at Appsecco Appsecco is a

    specialist application security company Interested in Security, DevOps & Cloud Found bugs in Google, Microsoft, Yahoo, etc Never ending learner! Follow (or) Tweet to me @madhuakula 2

  3. What we are covering today? ELK stack to analyse and

    visualise logs in near real­time ElastAlert to create rules to automatically defend against SSH bruteforce attacks AWS Lambda to do this, since our infra is hosted on AWS Python based Chalice framework for using AWS Lambda 3

  4. Architecture 4

  5. Automated Defence Demo Appsecco Automated Infrastructure Security Monitoring Demo (ELK

    + AWS Lambda) http://bit.ly/addo­aism 5

  6. AWS Lambda ­ Chalice Code https://github.com/appsecco/alldaydevops­aism 6

  7. Security for our AWS Lambda We are primarily doing the

    following two things 1. A sufficiently random token to protect the request when we post the IP address from ElastAlert 2. Whitelist the IP address of the host where the H T T P P O S T request originates from 7

  8. Use Cases for Automated Defence 1. Automated Defender (Attack Alerts

    + Automated Firewall) 2. Security Analytics + Reports 3. Near real­time Centralised Log Monitoring 8

  9. Attack Scenario : Wordpress XML­RPC https://blog.appsecco.com/analysing­attacks­on­a­wordpress­xml­rpc­using­an­ elk­stack­3bf25a7e36cc 9

  10. Needs Improvement More attack signatures required For example OSSEC Wazuh

    Ruleset Improve the ElastAlert Alerter custom code Any suggestions from your side 10

  11. Alternatives to our stack Stack Elastic Graylog TICK Stack Prometheus

    + Grafana Serverless AWS Lambda Azure Functions Cloud Functions 11

  12. Our assumptions You are already monitoring in near real­time using

    the ELK stack You are under attack for a specific service You have configured ElastAlert for your alerting 12

  13. In Summary We created attack threshold rules in ElastAlert We

    created an AWS Lambda endpoint to be able to modify AWS VPC Network ACLs We have a real­time blocking system infinitely scalable 13

  14. References Blog Post Elastic Elast Alert AWS Lambda Chalice 14

  15. None
  16. None

  17. Thanks @madhuakula | @appseccouk | http://appsecco.com