セキュリティログ分析基盤の構築 on AWS

ηΩϡϦςΟϩά෼ੳج൫ͷߏங PO"84 ΫοΫύουגࣜձࣾΠϯϑϥετϥΫνϟʔ෦ ਫ୩ਖ਼ܚ 8FE

ࣗݾ঺հˍൃද֓ཁ wਫ୩ਖ਼ܚ !N@NJ[VUBOJ w ೔ຊ*#.ೖࣾ w ౦ژجૅݚڀॴ w ηΩϡϦςΟࣄۀ෦5PLZP40$
w ΫοΫύουגࣜձࣾೖࣾ w ΠϯϑϥετϥΫνϟʔ෦ηΩϡϦςΟνʔϜ wࠓ೔ͷൃද ݄ʹฐࣾ5FDI$POGͷ-5Ͱ࿩ͨ͠಺༰ͷ࠷৽൛Ͱ͢

ηΩϡϦςΟϩά෼ੳͱ͍͑͹4*&.ɺ͔͠͠Ϋϥ΢υ্ͩͱʜ wϩάͷૹ৴ݩΛಈతʹ੍ޚͰ͖ͳ͍ w ૹ৴ݩʴϩάͷܗࣜͷΤϯτϦΛ؅ཧ͢Δ"1*͕ͳ͍ w Χλϩά্͸ࣗಈొ࿥͢Δͱݴ͍ͬͯΔ͕͏·͘௥Ճ͞Εͳ͍ w ΠϯελϯεɾαʔϏεͷ௥Ճɾ࡟আʹରԠ͢Δͷ͕େม wશମߏ੒Λؾܰʹ͍͡Εͳ͍ w
ߏ଄্εέʔϧΞ΢τ͢Δ͕खಈˍࣦഊ͢Δͱഁ໓ w εέʔϧΞ΢τͨ͠΋ͷͷதʹϩά͕࢒ΔͷͰεέʔϧΠϯෆՄ w ϩά͕όʔετͨ͠ͱ͖ͷରԠ͕େม wϧʔϧͷςετ͕೉͍͠ w ςετͷͨΊʹෳ਺ߏ੒༻ҙ͢ΔPS࣮؀ڥͰ΍Δ w "1*ͳͲͳ͍ͷͰɺ౰વਓखͰؤுΔ w ΫΠοΫʹϧʔϧͷௐ੔͕Ͱ͖ͳ͍มߋʹΑΔαΠυΤϑΣΫτͰۤ࿑͢Δ ˞ҰൠԽ͞Εͨ࿩Ͱ͸ͳ͘ɺͱ͋Δ੡඼ͷܦݧʹج͍ͮͨ૝ఆͰ͢

ઃܭཁ݅ wো֐΁ͷ଱ੑ wੑೳɿ਺ඦ(#೔ͷྲྀྔˍ༰қͳεέʔϧΞ΢τ͕Մೳ wมߋཤྺ؅ཧ w؇͍ϦΞϧλΠϜੑɿ਺෼ఔ౓ͷ஗Ԇ͸ڐ༰ wঢ়گʹԠͨ͡ηΩϡϦςΟ෼ੳ w ύλʔϯ ೔ৗతʹൃੜ͢ΔΞϥʔτͷ෼ੳ w
ύλʔϯ Πϯγσϯτൃੜ࣌ͷ௕ظ෼ੳ w ύλʔϯ ௕ظؒͷ౷ܭ৘ใऔಘ w෼ੳɾରԠͷࣗಈԽ

ΞʔΩςΫνϟ֓ཁ ϩάϑΝΠϧઃஔͷ ΠϕϯτΛݕग़ Lambda Lambda Lambda Kinesis Stream S3 S3
Athena ϧʔϧΛ༻͍ͨ Ξϥʔτͷݕ஌ Ξϥʔτͷൃใ ϩάͷม׵ EC2 Elasticsearch Service ߴ଎ͰΠϯλϥΫςΟϒͳ ୹ظతϩάͷݕࡧ ௕ظؒʹΘͨΔ ϩάͷݕࡧ GHE PagerDuty Slack Ξϥʔτͷൃใɾ؅ཧ Ξϥʔτͷௐࠪ CloudWatch Logs/Event, GuardDuty, CloudTrail EC2 instances ͦͷଞϓϩμΫτ Kinesis Stream Kinesis Stream ˞ࡉ͔͍ͱ͜Ζ͸ͪΐͬͱ୺ંͬͯ·͢

ΞʔΩςΫνϟ֓ཁ ύʔτ෼͚ ϩάϑΝΠϧઃஔͷ ΠϕϯτΛݕग़ Lambda Lambda Lambda Kinesis Stream S3
S3 Athena ϧʔϧΛ༻͍ͨ Ξϥʔτͷݕ஌ Ξϥʔτͷൃใ ϩάͷม׵ EC2 Elasticsearch Service ߴ଎ͰΠϯλϥΫςΟϒͳ ୹ظతϩάͷݕࡧ ௕ظؒʹΘͨΔ ϩάͷݕࡧ GHE PagerDuty Slack Ξϥʔτͷൃใɾ؅ཧ Ξϥʔτͷௐࠪ EC2 instances ͦͷଞϓϩμΫτ Kinesis Stream Kinesis Stream ϩάऩूύʔτ ϩάॲཧύʔτ Ξϥʔτॲཧύʔτ CloudWatch Logs/Event, GuardDuty, CloudTrail

ϩάॲཧύʔτ wϑΝΠϧੜ੒Πϕϯτͷॲཧ  4ˠ-BNCEBˠ,JOFTJT4USFBN w 4ͷ$SFBUF0CKFDUΠϕϯτΛ-BNCEBͰड͚ͯ,JOFTJT4USFBNʹྲྀ͢ w -BNCEBʹ͸௚઀ϩά͸ྲྀͣ͞ʹ4্ͷϑΝΠϧͷΩʔͳͲ࠷௿ݶͷ
৘ใ͚ͩΛྲྀ͢ w ,JOFTJT4USFBNͰΠϕϯτ৘ใΛड͚औͬͨޙଓͷ-BNCEB͕4಺ͷ ϑΝΠϧΛಡΈࠐΈϩάσʔλΛऔಘ͢Δ ϩάϑΝΠϧઃஔͷ ΠϕϯτΛݕग़ Lambda Lambda Kinesis Stream ϧʔϧΛ༻͍ͨ Ξϥʔτͷݕ஌ ϩάͷม׵ Kinesis Stream

ϩάॲཧύʔτ wϩάͷม׵UP(SBZMPH w ,JOFTJT4USFBN͔ΒϩάϑΝΠϧઃஔͷΠϕϯτΛड͚औͬͨޙɺ ϑΝΠϧΛ4͔ΒಡΈऔΔˠϩάͷύʔεˠ(SBZMPH΁సૹ w ύʔα͸ࣗલͰ༻ҙ4ͷόέοτʴύεͰϑΥʔϚοτΛ൑ผ w (SBZMPHͷ(&-'ܗࣜʹม׵ͨ͠ޙ5$1Ͱసૹ
wϩάͷม׵UP"UIFOB w -BNCEBͰ"UIFOBʹରԠͨ͠+40/ܗࣜʹม׵ w (MVFΛ࢖ͬͨม׵ʹͰ͖ͳ͍͔ݕ౼த ϩάϑΝΠϧઃஔͷ ΠϕϯτΛݕग़ Lambda Lambda Kinesis Stream ϧʔϧΛ༻͍ͨ Ξϥʔτͷݕ஌ ϩάͷม׵ Kinesis Stream

Ξϥʔτॲཧύʔτ w(JU)VC&OUFSQSJTF ()& Λ৘ใू໿ͷج఺ʹ w Ξϥʔτ͕ݕ஌͞ΕͨΒ()&ʹ*TTVFΛͨͯͯɺͦ͜ʹؔ࿈৘ใΛί ϝϯτͱͯ͠௥ه͠ूதͤ͞Δ wؔ࿈৘ใͷࣗಈऩू w 7JSVT5PUBMͰͷݕࡧɺ(SBZMPHͰͷؔ࿈ϩάͷݕࡧͳͲ͸ఆܗ࡞ۀͳ
ͷͰࣗಈͰ()&ʹίϝϯτͤ͞Δ w௨஌͸ϝʔϧ 4MBDL w ηΩϡϦςΟάϧʔϓ಺Ͱϩʔςʔγϣϯ Ξϥʔτͷൃใ GHE PagerDuty Slack Ξϥʔτͷௐࠪ Kinesis Stream

ӡ༻ͷ༷ࢠ

1BHFS%VUZ͕ൃใ ʢϝʔϧ4MBDLʣ

Ξϥʔτ͸()&ͷ *TTVFͱͯ͠ىථ

7JSVT5PUBMͷ ৘ใ΋ࣗಈͰ௥ه

(SBZMPH͔ΒϩάΛநग़ ˍ ৽ͨͳϩά΋ࢀরͰ͖ΔΑ ͏ʹΫΤϦ63-Λίϝϯτ

ඞཁʹԠͯ͡(SBZMPH ͰΞϥʔτͷৄࡉௐࠪ ·ͨ͸ *OEJDBUPS͕ྲྀΕ͖ͯͨ ͱ͖ʹΫΠοΫʹௐࠪ

ௐࠪɾ෼ੳ݁ՌΛ ίϝϯτͱͯ͠ ॻ͖࢒͢͜ͱͰ ஌ݟΛڞ༗

Thank you

セキュリティログ分析基盤の構築 on AWS

セキュリティログ分析基盤の構築 on AWS

Masayoshi Mizutani

More Decks by Masayoshi Mizutani

Other Decks in Technology

Featured

Transcript

ηΩϡϦςΟϩά෼ੳج൫ͷߏங PO"84 ΫοΫύουגࣜձࣾΠϯϑϥετϥΫνϟʔ෦ ਫ୩ਖ਼ܚ 8FE

ࣗݾ঺հˍൃද֓ཁ wਫ୩ਖ਼ܚ !N@NJ[VUBOJ w ೔ຊ*#.ೖࣾ w ౦ژجૅݚڀॴ w ηΩϡϦςΟࣄۀ෦5PLZP40$

ઃܭཁ݅ wো֐΁ͷ଱ੑ wੑೳɿ਺ඦ(#೔ͷྲྀྔˍ༰қͳεέʔϧΞ΢τ͕Մೳ wมߋཤྺ؅ཧ w؇͍ϦΞϧλΠϜੑɿ਺෼ఔ౓ͷ஗Ԇ͸ڐ༰ wঢ়گʹԠͨ͡ηΩϡϦςΟ෼ੳ w ύλʔϯ ೔ৗతʹൃੜ͢ΔΞϥʔτͷ෼ੳ w

ΞʔΩςΫνϟ֓ཁ ϩάϑΝΠϧઃஔͷ ΠϕϯτΛݕग़ Lambda Lambda Lambda Kinesis Stream S3 S3

ΞʔΩςΫνϟ֓ཁ ύʔτ෼͚ ϩάϑΝΠϧઃஔͷ ΠϕϯτΛݕग़ Lambda Lambda Lambda Kinesis Stream S3

ϩάॲཧύʔτ wϑΝΠϧੜ੒Πϕϯτͷॲཧ  4ˠ-BNCEBˠ,JOFTJT4USFBN w 4ͷ$SFBUF0CKFDUΠϕϯτΛ-BNCEBͰड͚ͯ,JOFTJT4USFBNʹྲྀ͢ w -BNCEBʹ͸௚઀ϩά͸ྲྀͣ͞ʹ4্ͷϑΝΠϧͷΩʔͳͲ࠷௿ݶͷ

ϩάॲཧύʔτ wϩάͷม׵UP(SBZMPH w ,JOFTJT4USFBN͔ΒϩάϑΝΠϧઃஔͷΠϕϯτΛड͚औͬͨޙɺ ϑΝΠϧΛ4͔ΒಡΈऔΔˠϩάͷύʔεˠ(SBZMPH΁సૹ w ύʔα͸ࣗલͰ༻ҙ4ͷόέοτʴύεͰϑΥʔϚοτΛ൑ผ w (SBZMPHͷ(&-'ܗࣜʹม׵ͨ͠ޙ5$1Ͱసૹ

Ξϥʔτॲཧύʔτ w(JU)VC&OUFSQSJTF ()& Λ৘ใू໿ͷج఺ʹ w Ξϥʔτ͕ݕ஌͞ΕͨΒ()&ʹ*TTVFΛͨͯͯɺͦ͜ʹؔ࿈৘ใΛί ϝϯτͱͯ͠௥ه͠ूதͤ͞Δ wؔ࿈৘ใͷࣗಈऩू w 7JSVT5PUBMͰͷݕࡧɺ(SBZMPHͰͷؔ࿈ϩάͷݕࡧͳͲ͸ఆܗ࡞ۀͳ

ӡ༻ͷ༷ࢠ

1BHFS%VUZ͕ൃใ ʢϝʔϧ4MBDLʣ

Ξϥʔτ͸()&ͷ *TTVFͱͯ͠ىථ

7JSVT5PUBMͷ ৘ใ΋ࣗಈͰ௥ه

(SBZMPH͔ΒϩάΛநग़ ˍ ৽ͨͳϩά΋ࢀরͰ͖ΔΑ ͏ʹΫΤϦ63-Λίϝϯτ

ඞཁʹԠͯ͡(SBZMPH ͰΞϥʔτͷৄࡉௐࠪ ·ͨ͸ *OEJDBUPS͕ྲྀΕ͖ͯͨ ͱ͖ʹΫΠοΫʹௐࠪ

ௐࠪɾ෼ੳ݁ՌΛ ίϝϯτͱͯ͠ ॻ͖࢒͢͜ͱͰ ஌ݟΛڞ༗

Thank you