Copyright © 2016 Splunk Inc.

Scott Pack
Security Engineer, Adobe

AWS Security Monitoring & Compliance Validation From Adobe
  
Slide 2: Presenter

• Scott Pack
  – Security Engineer @ Adobe
  – SLC, UT
  – 4 Year Splunker
  – Proudly DQd at 3 Pinewood Derbies
• Agenda
  – Background
  – AWS Security Data Sources
  – Aggregation & Ingest
  – Bit of Analysis
  
Slide 3: The Background

• Digital Marketing & Analytics
• 55k hosts across 30 sites
• Collection of ~20 admin teams
  – Different tech stacks, but mostly *nix
• Monitoring Toolset:
  – Netflow, FPC, IDS, Network Transaction
  
Slide 4: Security Operations At Adobe

• Splunk as a Core Service
  – Used for all logs: application, network, host, etc.
• Security Engineering: Own the data sources
  – Set up systems that feed Splunk
• Security Operations: Splunk ES Analysis & Investigation
  – Consume the data
  
Slide 5: Shifting To AWS

• Lots of accounts … > 200
• Dozens of teams, thousands of instances
• Missing data to:
  – Detect/respond to incidents
  – Make assurances to Compliance
• We received a mandate: Fix this
  – Get whatever visibility you can
  – Minimize risk of operations impact
  – Be cost sensitive
  
Slide 6: AWS Security Incidents? Wut?

• AWS Account Compromise:
  – Baddie interacts w/ AWS as an authenticated user
• Host compromise
  – Baddie has some control of a host
  
	
  
Slide 7: Make Our Lives Easier

• Follow the same model: Data -> Splunk ES -> SOC
• Don’t juggle hundreds of AWS API keys
• Out-of-band monitoring
• Quick setup
• Reduce future need to redeploy
• Keep it to AWS Native data sources
  
Slide 8: Data Sources

(Diagram; the service labels and their captions as they appear on the slide:)
• CloudTrail: API Usage & Logging
• VPC FlowLogs: Virtual Interface Connectivity
• Config: Account Configuration & Inventory
• ELB Access Logs: Load Balancer Logging
• Trusted Advisor: Security Practice Checks
• Identity & Access Management: Credential Report
  
Slide 9: Data Examples

(Sample events shown for:) CloudTrail, VPC Flows, ELB Access Logs, Config, Credential Report
  
Slide 10: OK, So This?

• Has input types for:
  – Config Snapshots
  – Config Rules
  – CloudTrail
  – CloudWatch Logs
  – ELB Access Logs
  – S3 Buckets
• But…
  – Input Stanza Explosion
    – Account x sourcetype x (region)
    – ~28 Inputs per account
  – API Keys for each account
  
Slide 11: Cross-Account Authentication

• IAM Users
  – Use API Keys directly
• Roles
  – AWS Security Token Service
  – Can be “Assumed” by a specified Principal
    – Principal: AWS User, Account, Service, Other Role
  – Authenticate to an Aggregation Account user
    – Assume the cross-account role
    – Retrieve temporary access keys
    – Make calls with temporary keys

http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
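Added example (not code from the talk or from Adobe) of the role-assumption flow this slide describes, in Python: one IAM user in the aggregation account calls STS AssumeRole against each registered account's role, receives temporary keys, and makes its API calls with those. The account IDs, role ARNs, user name, ExternalId and the StubSTS client are constructed so the block runs offline; against real AWS you would pass boto3.client("sts") where the stub is used.

```python
"""Cross-account collection with STS AssumeRole (added example, constructed data)."""
from datetime import datetime, timedelta, timezone
import json

AGGREGATION_ACCOUNT = "111111111111"  # constructed placeholder account ID


def trust_policy_for_aggregation_user(user_name, external_id):
    """Trust policy a monitored account attaches to its SecEng role.

    Only the named user in the aggregation account may assume the role,
    and only when it presents the agreed ExternalId, so a third party who
    merely knows the role ARN cannot have it assumed on their behalf.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{AGGREGATION_ACCOUNT}:user/{user_name}"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def assume_cross_account_role(sts_client, role_arn, external_id,
                              session_name="splunk-collector"):
    """Exchange the aggregation user's long-lived keys for temporary ones.

    The returned dict uses the keyword names a boto3 Session accepts, so
    the temporary credentials can be handed straight to per-account
    clients; nothing long-lived from the monitored account is ever held.
    """
    resp = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        ExternalId=external_id,
        DurationSeconds=3600,
    )
    c = resp["Credentials"]
    return {
        "aws_access_key_id": c["AccessKeyId"],
        "aws_secret_access_key": c["SecretAccessKey"],
        "aws_session_token": c["SessionToken"],
        "expires_at": c["Expiration"],
    }


def collect_from_accounts(sts_client, registrations, external_id):
    """Assume the role in every registration that has one; keyed by account ID."""
    creds = {}
    for item in registrations:
        role_arn = item.get("role_arn")
        if not role_arn:
            continue  # not enrolled yet: skip, never fall back to a shared key
        creds[item["account_id"]] = assume_cross_account_role(sts_client, role_arn, external_id)
    return creds


class StubSTS:
    """Offline stand-in for boto3's STS client; records each call it receives."""

    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        account = kwargs["RoleArn"].split(":")[4]  # account ID field of the ARN
        return {"Credentials": {
            "AccessKeyId": "ASIA" + account,
            "SecretAccessKey": "constructed-secret",
            "SessionToken": "constructed-token",
            "Expiration": datetime.now(timezone.utc) + timedelta(seconds=kwargs["DurationSeconds"]),
        }}


# Constructed rows in the shape of the slide 30 DynamoDB registration item.
SAMPLE_REGISTRATIONS = [
    {"account_id": "222222222222",
     "role_arn": "arn:aws:iam::222222222222:role/InfoSec-SecEngRole-EXAMPLE"},
    {"account_id": "333333333333",
     "role_arn": "arn:aws:iam::333333333333:role/InfoSec-SecEngRole-EXAMPLE"},
    {"account_id": "444444444444"},  # registered, CloudFormation template not yet run
]

if __name__ == "__main__":
    sts = StubSTS()
    print(json.dumps(trust_policy_for_aggregation_user("splunk-collector", "EXAMPLE-EXTERNAL-ID"), indent=2))
    for acct, c in collect_from_accounts(sts, SAMPLE_REGISTRATIONS, "EXAMPLE-EXTERNAL-ID").items():
        print(acct, c["aws_access_key_id"], c["expires_at"].isoformat())
```

The ExternalId condition is not on the slide; it is the standard guard for a role that a central account assumes in many others, and it costs nothing to carry in the CloudFormation template that creates the role.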
  
Slide 12: Aggregation

(Architecture diagram; only the labels survive extraction, in slide order:)
CloudTrail, VPC FlowLogs, Config, ELB Access Logs, Trusted Advisor, IAM, AWS S3, Per Region, CloudWatch, Kinesis, Per Region, CloudWatch Destination, Lambda, Schedule, Each Monitored Account, Aggregation Account
  
Slide 13: Collection Plumbing: S3

• S3 Buckets:
  – ELB (1 per region)
    – Permit PutObject from AWS ELB IAM Roles
  – Config
    – Permit PutObject from config.amazonaws.com
  – Config Parsed
  – CloudTrail
    – Permit PutObject from cloudtrail.amazonaws.com
  – Trusted Advisor Results
    – Permit PutObject from Lambda Execution IAM role

AWS ELB Account IDs for Log Delivery: http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html#attach-bucket-policy
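Added example (not code from the talk or from Adobe) that generates the bucket policies this slide lists, in Python: one writer per bucket, each write pinned to the AWSLogs/<account>/ prefix of an enrolled account, plus a small linter to run before applying any of them. Bucket names, account IDs, the Lambda role ARN and the ELB log-delivery account ID are constructed placeholders; the real per-region ELB delivery account IDs come from the AWS page linked on the slide.

```python
"""Bucket policies for the aggregation account's S3 landing buckets (added example)."""
import json


def _arn(bucket):
    return f"arn:aws:s3:::{bucket}"


def _prefixes(bucket, accounts):
    # Writers may only land objects under their own account's AWSLogs prefix.
    return [f"{_arn(bucket)}/AWSLogs/{a}/*" for a in accounts]


def service_delivery_policy(bucket, service, accounts):
    """CloudTrail / Config buckets: the service principal checks the bucket
    ACL, then writes under each enrolled account's prefix. The ACL condition
    makes the aggregation account owner of delivered objects; without it,
    objects written on behalf of another account are not readable here."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AclCheck", "Effect": "Allow", "Principal": {"Service": service},
         "Action": "s3:GetBucketAcl", "Resource": _arn(bucket)},
        {"Sid": "Write", "Effect": "Allow", "Principal": {"Service": service},
         "Action": "s3:PutObject", "Resource": _prefixes(bucket, accounts),
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ]}


def elb_delivery_policy(bucket, elb_delivery_account, accounts):
    """Per-region ELB bucket: the AWS-owned ELB log-delivery account for that
    region (constructed ID here) writes under each enrolled account's prefix."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ELBWrite", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{elb_delivery_account}:root"},
         "Action": "s3:PutObject", "Resource": _prefixes(bucket, accounts)},
    ]}


def lambda_results_policy(bucket, lambda_role_arn):
    """Trusted Advisor results bucket: only the collector's Lambda role writes."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "LambdaWrite", "Effect": "Allow", "Principal": {"AWS": lambda_role_arn},
         "Action": "s3:PutObject", "Resource": f"{_arn(bucket)}/*"},
    ]}


def policy_findings(policy):
    """Lint before applying: wildcard principals, wildcard resources, and
    service delivery that omits the bucket-owner-full-control condition."""
    findings = []
    for st in policy["Statement"]:
        sid = st.get("Sid", "?")
        principal = st.get("Principal")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if principal in ("*", {"AWS": "*"}):
            findings.append(f"{sid}: wildcard principal")
        if "*" in resources:
            findings.append(f"{sid}: wildcard resource")
        acl = st.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        if (isinstance(principal, dict) and "Service" in principal
                and "s3:PutObject" in actions and acl != "bucket-owner-full-control"):
            findings.append(f"{sid}: service delivery without bucket-owner-full-control")
    return findings


ENROLLED = ["222222222222", "333333333333"]  # constructed account IDs

if __name__ == "__main__":
    for name, pol in [
        ("cloudtrail", service_delivery_policy("agg-cloudtrail", "cloudtrail.amazonaws.com", ENROLLED)),
        ("config", service_delivery_policy("agg-config", "config.amazonaws.com", ENROLLED)),
        ("elb-us-east-1", elb_delivery_policy("agg-elb-us-east-1", "000000000000", ENROLLED)),
        ("trusted-advisor", lambda_results_policy(
            "agg-trusted-advisor", "arn:aws:iam::111111111111:role/InfoSec-TaCollector-EXAMPLE")),
    ]:
        print(name, policy_findings(pol) or "ok")
        print(json.dumps(pol, indent=2))
```

Regenerating the policies from the registration table whenever an account enrolls is what keeps the Resource lists exact; a `bucket/*` PutObject grant to a service principal would let any account's trail deliver into the aggregation bucket.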
  
Slide 14: Collection Plumbing: Rest of it

• Aggregation AWS Account
• Kinesis Stream:
  – 1 Per region
• CloudWatch LogDestinations
  – 1 Per region
  – Directs to region-local Kinesis stream
  
Slide 15: Registration
  
Slide 16

(Registration workflow diagram; only the labels survive extraction, in slide order:)
CloudFormation Resources: Config Role, FlowLogs Role, SecEng Role, SNS Notification
Role’s Done!
Inputs: Description, Jira Queue
Registration Lambda
Registration DynamoDB
Registration Setup & Retrieval
Daily Setup Functions
Registration DynamoDB
Assumed Role
  
Slide 17: Enrollment Via Web UI

– Describes all permissions, documents WebUI use
  
Slide 18: Collection + Analysis
  
Slide 19: Splunk App

– Input Methods: S3
– Input Sourcetypes: CloudTrail, VPC Flows, ELB Access Logs
– Parsing Handler: GZIPMessageHandler (Thanks Damien!)

Aggregation reduces amount of Splunk inputs: 26 Total Inputs
• S3: 14
• Kinesis Inputs: 10
• Additional Logging: 2

Currently running on a dedicated Heavy Forwarder.
• If needed, split regions to different forwarders.
  
Slide 20: Sourcetypes, Lookups, And Other Fun

• Sourcetypes: Cheated off the Splunk App for AWS.
  – Set json KV format and check line-breaks
• Use HTTP Event Collector to dump DynamoDB account registrations
  – Scheduled lookup-generating search
  – Every event has the account ID somewhere in it (Almost).
• Tagging into Enterprise Security data models
  – ELB Access Logs & VPC Flows right out of the box
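Added example (not code from the talk or from Adobe) of the account-ID extraction and lookup enrichment this slide describes, in Python: where the 12-digit ID lives in each sourcetype, what to do for the "almost" (ELB access log lines carry no account ID, but the S3 key they were delivered under does), and the join to a registration row shaped like the slide 30 item. The sourcetype names follow the Splunk App for AWS conventions and are assumed here; the events, S3 keys, account IDs and registration rows are constructed.

```python
"""Account-ID extraction per sourcetype and registration-lookup enrichment (added example)."""
import json
import re

ST_CLOUDTRAIL = "aws:cloudtrail"              # assumed sourcetype names
ST_VPCFLOW = "aws:cloudwatchlogs:vpcflow"
ST_ELB = "aws:elb:accesslogs"

ACCOUNT_RE = re.compile(r"\d{12}")
DELIVERY_PREFIX_RE = re.compile(r"AWSLogs/(\d{12})/")


def account_id_for_event(sourcetype, raw, source=""):
    """Return the 12-digit account ID for one event, or None if absent."""
    if sourcetype == ST_CLOUDTRAIL:
        # CloudTrail records name the account the event was delivered to.
        return json.loads(raw).get("recipientAccountId")
    if sourcetype == ST_VPCFLOW:
        # Default flow-log format: version account-id interface-id ...
        fields = raw.split()
        if len(fields) > 1 and ACCOUNT_RE.fullmatch(fields[1]):
            return fields[1]
        return None
    # ELB access logs (and anything else): the line has no account ID;
    # recover it from the AWSLogs/<account>/ delivery prefix of the object.
    m = DELIVERY_PREFIX_RE.search(source)
    return m.group(1) if m else None


def enrich(event, registrations):
    """Join one event to the registration lookup. Unknown accounts are flagged
    rather than dropped so the SOC sees traffic from accounts nobody enrolled."""
    acct = account_id_for_event(event["sourcetype"], event["raw"], event.get("source", ""))
    reg = registrations.get(acct)
    return {
        "account_id": acct,
        "description": reg["description"] if reg else "UNREGISTERED",
        "jira_queue": reg["jira_queue"] if reg else None,
    }


def enrich_all(events, registrations):
    return [enrich(e, registrations) for e in events]


# Constructed lookup rows; field names match the slide 30 item.
REGISTRATIONS = {
    "222222222222": {"description": "CampaignOps", "jira_queue": "CPGNTEAM"},
}

# Constructed sample events, one per sourcetype.
SAMPLE_EVENTS = [
    {"sourcetype": ST_CLOUDTRAIL,
     "source": "s3://agg-cloudtrail/AWSLogs/222222222222/CloudTrail/us-east-1/2016/09/27/a.json.gz",
     "raw": json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
                        "recipientAccountId": "222222222222",
                        "userIdentity": {"type": "IAMUser", "userName": "example-admin"}})},
    {"sourcetype": ST_VPCFLOW, "source": "kinesis:agg-flowlogs-us-east-1",
     "raw": "2 222222222222 eni-0example 10.0.1.5 10.0.2.9 49152 443 6 10 8400 "
            "1474934400 1474934460 ACCEPT OK"},
    {"sourcetype": ST_ELB,
     "source": "s3://agg-elb-us-east-1/AWSLogs/333333333333/elasticloadbalancing/us-east-1/2016/09/27/b.log",
     "raw": "2016-09-27T00:00:01.000000Z example-elb 203.0.113.7:51234 10.0.2.9:80 "
            "0.00005 0.001 0.00004 200 200 0 57 \"GET https://example.test:443/ HTTP/1.1\" "
            "\"curl/7.50\" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2"},
]

if __name__ == "__main__":
    for row in enrich_all(SAMPLE_EVENTS, REGISTRATIONS):
        print(row)
```

In Splunk the same join is a lookup on account_id against the HEC-fed registration index; the point of the code is the per-sourcetype extraction rule, and that an account with no registration row should surface as a finding, not vanish from the dashboard.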
  
	
  
Slide 21: Getting Dashboard Approval

GETTING DASHBOARD APPROVAL
  
Slide 22: “Gotchas”
  
Slide 23: Data Frequency/Latency

• Config: Daily Snapshots
• Trusted Advisor: Daily Snapshots
• CloudTrail: 5-8 minute latency
• ELB Access Logs: 5-10 minute latency
• VPC Flow Logs: 5-10 minute latency
  
Slide 24: Splunk Gotchas

• Kinesis Modular Input
  – Can chew up memory
  – Increase what it gets: raise the JVM heap (-Xms/-Xmx) in the input's launcher under /opt/splunk/etc/apps/kinesis_ta/bin:

      java_args = [JAVA_EXECUTABLE, "-classpath", CLASSPATH, "-Xms512m", "-Xmx512m",
                   "-Dsplunk.securetransport.protocol=" + SECURE_TRANSPORT, JAVA_MAIN_CLASS]

• Config Snapshots are jsonormous
  – Use Lambda to split up the resources
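Added example (not code from the talk or from Adobe) of a Lambda handler in the shape this slide describes, in Python: on an S3 PUT notification it downloads the Config snapshot, gunzips it, emits one JSON line per configurationItem with the snapshot metadata copied onto each, and writes the result to the "Config Parsed" bucket of slide 13. The snapshot, bucket names, object key and StubS3 client are constructed so the block runs offline; when no client is passed the handler builds a real boto3 S3 client, which is the assumed deployment path.

```python
"""Split AWS Config snapshots into one event per resource (added example)."""
import gzip
import io
import json

PARSED_BUCKET = "agg-config-parsed"  # constructed placeholder


def split_snapshot(snapshot):
    """Yield one record per configuration item, each carrying the snapshot-level
    fields (fileVersion, configSnapshotId) so Splunk can still group items from
    the same run."""
    meta = {k: v for k, v in snapshot.items() if k != "configurationItems"}
    for item in snapshot.get("configurationItems", []):
        yield {**meta, "configurationItem": item}


def to_ndjson(records):
    """Newline-delimited JSON: many small events instead of one giant one,
    which is what keeps the Splunk line-breaker and memory use sane."""
    return "".join(json.dumps(r, separators=(",", ":"), sort_keys=True) + "\n" for r in records)


def handler(event, context, s3=None):
    """Lambda entry point. Returns {raw key: number of items written}."""
    if s3 is None:  # real deployment path; boto3 assumed present in the Lambda runtime
        import boto3
        s3 = boto3.client("s3")
    counts = {}
    for rec in event["Records"]:
        bucket = rec["s3"]["bucket"]["name"]
        key = rec["s3"]["object"]["key"]
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        if key.endswith(".gz"):
            body = gzip.decompress(body)
        records = list(split_snapshot(json.loads(body)))
        out_key = key[:-3] if key.endswith(".gz") else key
        s3.put_object(Bucket=PARSED_BUCKET, Key=out_key, Body=to_ndjson(records).encode())
        counts[key] = len(records)
    return counts


class StubS3:
    """Offline stand-in for boto3's S3 client backed by a dict."""

    def __init__(self, objects):
        self.objects = dict(objects)

    def get_object(self, Bucket, Key):
        return {"Body": io.BytesIO(self.objects[(Bucket, Key)])}

    def put_object(self, Bucket, Key, Body):
        self.objects[(Bucket, Key)] = Body


# Constructed snapshot in the Config snapshot layout, two items.
SAMPLE_SNAPSHOT = {
    "fileVersion": "1.0",
    "configSnapshotId": "constructed-snapshot-id",
    "configurationItems": [
        {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example1",
         "awsAccountId": "222222222222", "awsRegion": "us-east-1",
         "configuration": {"groupName": "web", "ipPermissions": [
             {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["10.0.0.0/8"]}]}},
        {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0example2",
         "awsAccountId": "222222222222", "awsRegion": "us-east-1",
         "configuration": {"instanceType": "t2.micro", "securityGroups": ["sg-0example1"]}},
    ],
}
RAW_KEY = "AWSLogs/222222222222/Config/us-east-1/2016/9/27/ConfigSnapshot/constructed.json.gz"


def run_demo():
    """Push the constructed snapshot through the handler; return the counts and
    the parsed records read back from the stub bucket."""
    s3 = StubS3({("agg-config-raw", RAW_KEY): gzip.compress(json.dumps(SAMPLE_SNAPSHOT).encode())})
    event = {"Records": [{"s3": {"bucket": {"name": "agg-config-raw"}, "object": {"key": RAW_KEY}}}]}
    counts = handler(event, None, s3)
    parsed = s3.objects[(PARSED_BUCKET, RAW_KEY[:-3])].decode()
    return counts, [json.loads(line) for line in parsed.splitlines()]


if __name__ == "__main__":
    counts, records = run_demo()
    print(counts)
    for r in records:
        print(r["configurationItem"]["resourceType"], r["configurationItem"]["resourceId"])
```

Keeping the raw snapshot as well as the parsed copy (the slide lists both a Config and a Config Parsed bucket) means the original delivery is still there for compliance evidence while Splunk only indexes the per-resource lines.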
  
Slide 25: AWS Gotchas

• Still no packet-level visibility
• ELB Permission Granularity Restrictions
  – ModifyAttributes
• Keep an eye on capacity. Watch:
  – DynamoDB Reads
  – Kinesis Shard Usage
  
Slide 26: Where We’re At Right Now

– 40 AWS accounts currently enrolled
– 500-800 GB/day
– Haven’t broken any accounts yet!
– Finding more data sources
  – Config Rules
  – Inspector
– Automated our AWS security policy audit
– Written a handful of Splunk Enterprise correlation rules
  – Actioned by SOC
– Automated Jira ticketing for remediation
  
Slide 27: Questions?

Contact:
scottjpack@gmail.com
github.com/scottjpack
Twitter: @scottjpack
  
Slide 28: THANK YOU
  
Slide 29: Permissions
  
Slide 30: DynamoDB: Account Registration Item

(One registration record, as rendered in Splunk's event viewer:)

{
  DevPhaseOutput: Yep
  InspectorRoleARN: arn:aws:iam::555555555555:role/InfoSec-InspectorIamRole-1WPVBFHJ3CQM1
  ProdPhaseOutput: Yep
  StagePhaseOutput: Yep
  account_id: 55555555555
  config_pull_enable: true
  config_role_arn: arn:aws:iam::555555555555:role/InfoSec-ConfigIamRole-1CCXRZ8SN2IL5
  description: CampaignOps
  elb_access_log_enable: true
  flowlogs_role_arn: arn:aws:iam::555555555555:role/InfoSec-FlowLogsIamRole-7R1QLDHRXS1F
  jira_queue: CPGNTEAM
  role_arn: arn:aws:iam::555555555555:role/InfoSec-SecEngRole-9W6HAJ8SNOEK
  trusted_advisor_collect: true
  vpc_flow_logs: true
}
  
