Upgrade to Pro — share decks privately, control downloads, hide ads and more …

All Day DevOps - Automated Infrastructure Secur...

Madhu Akula
November 15, 2016

All Day DevOps - Automated Infrastructure Security Monitoring and Defence (ELK + AWS Lambda)

Slides from my http://www.alldaydevops.com talk on Automated Infrastructure Security Monitoring using FOSS

Madhu Akula

November 15, 2016
Tweet

More Decks by Madhu Akula

Other Decks in Technology

Transcript

  1. About Me ! Automation Ninja at Appsecco Appsecco is a

    specialist application security company Interested in Security, DevOps & Cloud Found bugs in Google, Microsoft, Yahoo, etc Never ending learner! Follow (or) Tweet to me @madhuakula 2
  2. What we are covering today? ELK stack to analyse and

    visualise logs in near real­time ElastAlert to create rules to automatically defend against SSH bruteforce attacks AWS Lambda to do this, since our infra is hosted on AWS Python based Chalice framework for using AWS Lambda 3
  3. Security for our AWS Lambda We are primarily doing the

    following two things 1. A sufficiently random token to protect the request when we post the IP address from ElastAlert 2. Whitelist the IP address of the host where the H T T P P O S T request originates from 7
  4. Use Cases for Automated Defence 1. Automated Defender (Attack Alerts

    + Automated Firewall) 2. Security Analytics + Reports 3. Near real­time Centralised Log Monitoring 8
  5. Needs Improvement More attack signatures required For example OSSEC Wazuh

    Ruleset Improve the ElastAlert Alerter custom code Any suggestions from your side 10
  6. Alternatives to our stack Stack Elastic Graylog TICK Stack Prometheus

    + Grafana Serverless AWS Lambda Azure Functions Cloud Functions 11
  7. Our assumptions You are already monitoring in near real­time using

    the ELK stack You are under attack for a specific service You have configured ElastAlert for your alerting 12
  8. In Summary We created attack threshold rules in ElastAlert We

    created an AWS Lambda endpoint to be able to modify AWS VPC Network ACLs We have a real­time blocking system infinitely scalable 13