TRANSCRIPT
#RSAC
SESSION ID: CMI1-R09
Eyes Everywhere: Monitoring Today's Borderless Landscape
Bill Shinn
Principal Security Architect, Amazon Web Services
@packet791
What we’ll cover today
Event & Finding Reference Architecture
Generating Events and Findings – Old and New
Design Patterns for Collection/Ingestion/Aggregation
Approaches to Processing
Analysis and Workflow
Call to Action
Event & Finding Reference Architecture
Simple Definitions - Events & Findings
Events: a one-time record, or a series of records that fire, where you can't change the state of what happened.
Examples: record of user activity, details of a network flow, parameters of an API call request/response
Finding: longer-lived information that reflects the state of something that can be changed.
Examples: vulnerability scan result, patch state, software defect, build status, threat level, undesirable state of user entitlements
Event & Finding Reference Architecture
Event & Finding Generation
Event & Finding Collection/Ingestion
Aggregation
Event & Finding Processing
Event & Finding Analysis & Workflow
Event & Finding Generation
Event Generation – Traditional Sources
• Source code you write (e.g. log.debug("fooDebug");)
• Source code you configure (e.g. log4j.properties)
• Source code you configure with json, inf, xml files (DEBUG, WARN, INFO, etc.)
• Operating System log configuration (*nix syslog.conf, Windows Event Log properties)
• Network devices (router/switch log configuration, firewall changes and drop/accept configuration, IDS/IPS signature set/severity configuration)
• Security services (application source code scanner job status, vulnerability scanner job status)
Finding Generation – Traditional Sources
• Patch evaluation task results – missing patches
• Vulnerability scanner results – open CVEs
• Unit test results – failed classes/code base + error, failed build
• Application security assessments (software defects)
• Questionnaires – thousands of vendor due diligence outputs
• Access/Entitlement review results (elevated privileges, affirm/reapprove)
Demo #1
Events vs Findings from a CVE Assessment Tool
Streaming Reference Architecture (diagram; components as labelled)
Source Code Repository, CI/CD Task, Build Target, Server Image Factory
Assessment/CVE Agent (e.g. Amazon Inspector)
Events (ticketing to ops on failure)
Findings (backlog or Jira issue to devs or server build team)
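As an added example (not from the talk or from any AWS tool) of the event/finding split that Demo #1 and the diagram above describe: the Python below takes constructed output from a hypothetical CVE assessment agent, records each run as an immutable event, upserts findings keyed by host and CVE, routes failed runs to ops and new or reopened findings to the dev backlog, and resolves findings a later successful run no longer reports. The report shape and the CVE IDs are placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample runs of a hypothetical assessment agent on one host.
# CVE IDs are placeholders, not real identifiers.
RUN_1 = {"run_id": "scan-0001", "host": "web-01", "status": "succeeded",
         "cves": ["CVE-0000-0001", "CVE-0000-0002"]}
RUN_2 = {"run_id": "scan-0002", "host": "web-01", "status": "succeeded",
         "cves": ["CVE-0000-0002"]}   # CVE-0000-0001 patched since run 1
RUN_3 = {"run_id": "scan-0003", "host": "web-01", "status": "failed",
         "cves": []}                  # agent error: says nothing about CVE state

@dataclass
class Finding:
    """Stateful record: open until a later successful run stops seeing it."""
    host: str
    cve: str
    state: str = "open"
    first_seen: str = ""
    last_seen: str = ""

@dataclass
class Ledger:
    events: List[dict] = field(default_factory=list)              # append-only
    findings: Dict[Tuple[str, str], Finding] = field(default_factory=dict)

    def ingest(self, run: dict) -> List[str]:
        """Record the run as an event, upsert findings, return routing actions."""
        routed: List[str] = []
        # Event: a one-time record of what happened; appended, never edited.
        self.events.append({"type": "assessment_run", "run_id": run["run_id"],
                            "host": run["host"], "status": run["status"]})
        if run["status"] != "succeeded":
            routed.append(f"ops-ticket:{run['run_id']}")   # events -> ops on failure
            return routed                                   # leave finding state untouched
        seen = sorted(set(run["cves"]))
        for cve in seen:
            key = (run["host"], cve)
            f = self.findings.get(key)
            if f is None:                                   # new finding -> dev backlog
                self.findings[key] = Finding(run["host"], cve, "open",
                                             run["run_id"], run["run_id"])
                routed.append(f"dev-backlog:{run['host']}:{cve}")
                continue
            f.last_seen = run["run_id"]
            if f.state == "resolved":                       # regression: reopen
                f.state = "open"
                routed.append(f"dev-backlog:{run['host']}:{cve}")
        for (host, cve), f in self.findings.items():        # no longer seen -> resolved
            if host == run["host"] and cve not in seen and f.state == "open":
                f.state = "resolved"
        return routed
```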
Event Generation – Modern Sources
• Cloud platform logs (entitlement management events, infrastructure events such as instance launches or network configuration changes)
• Server-less application logs/streams (cloud-based functions, object storage notification)
• PaaS & managed database services logs (not in a file, but accessible only via API or table)
• SaaS logs delivered via download or API feed
Demo #2
Cloud Service Provider Platform Logging
“Demo” #3
Server-less Architecture Logging
“Demo” #3 (reference architecture)
Event & Finding Collection/Ingestion/Aggregation
Event Collection – Traditional Forms
• Files & remote syslog (ultimately another file, but with some filtering on the way)
• Database tables
• Windows Event Log
Finding Collection – Traditional Forms
• Static reports (console, csv/excel, pdf)
• Findings entered into a database table
Event & Finding Collection – Modern Forms
• Event Streams
• Findings available via an API
Demo #4
Event Streams
Streaming Reference Architecture (diagram; components as labelled)
Agent-based logging path: Amazon EC2 (agent-based logging) -> Amazon CloudWatch (Log Group/Log Stream) -> Subscription -> AWS Lambda -> Amazon Elasticsearch Service
Network traffic path: Amazon EC2 Elastic Network Interface -> Amazon VPC Flow Logs -> Amazon CloudWatch (Log Group/Log Stream) -> Subscription -> Network Traffic Stream
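The subscription path in the diagram above, as an added example (not from the talk or from AWS): a Python Lambda target that decodes the CloudWatch Logs subscription payload (base64 of gzip'd JSON in awslogs.data), parses each version-2 VPC Flow Log record, and summarises rejected flows per source address. The account, ENI and addresses are constructed placeholders; make_payload exists only so the handler can be exercised offline.

```python
import base64
import gzip
import json
from collections import Counter
from typing import Dict, List

# Version-2 flow log record layout (default format), in order.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

def parse_record(message: str) -> Dict[str, str]:
    """Split one flow log line; NODATA/SKIPDATA lines carry '-' in most fields."""
    parts = message.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected flow log field count: {len(parts)}")
    return dict(zip(FIELDS, parts))

def decode_payload(data_b64: str) -> List[Dict[str, str]]:
    """Undo base64 + gzip on awslogs.data and parse every logEvent message."""
    doc = json.loads(gzip.decompress(base64.b64decode(data_b64)))
    if doc.get("messageType") != "DATA_MESSAGE":   # CONTROL_MESSAGE: subscription check
        return []
    return [parse_record(e["message"]) for e in doc["logEvents"]]

def rejects_by_source(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count REJECTed flows per source address, skipping NODATA/SKIPDATA."""
    return dict(Counter(r["srcaddr"] for r in records
                        if r["log_status"] == "OK" and r["action"] == "REJECT"))

def handler(event: dict, context=None) -> Dict[str, int]:
    """Lambda entry point for the CloudWatch Logs subscription target."""
    return rejects_by_source(decode_payload(event["awslogs"]["data"]))

def make_payload(messages: List[str], message_type: str = "DATA_MESSAGE") -> dict:
    """Build a constructed subscription event so the handler runs offline."""
    doc = {"messageType": message_type, "owner": "123456789012",
           "logGroup": "vpc-flow-logs", "logStream": "eni-0example-all",
           "subscriptionFilters": ["all"],
           "logEvents": [{"id": str(i), "timestamp": 0, "message": m}
                         for i, m in enumerate(messages)]}
    blob = gzip.compress(json.dumps(doc).encode())
    return {"awslogs": {"data": base64.b64encode(blob).decode()}}

# Constructed sample records (documentation IPs, placeholder ENI and account).
SAMPLE = [
    "2 123456789012 eni-0example 198.51.100.7 10.0.1.5 51234 22 6 3 180 1600000000 1600000060 REJECT OK",
    "2 123456789012 eni-0example 198.51.100.7 10.0.1.5 51235 3389 6 1 60 1600000000 1600000060 REJECT OK",
    "2 123456789012 eni-0example 10.0.1.9 10.0.1.5 44321 443 6 20 4000 1600000000 1600000060 ACCEPT OK",
    "2 123456789012 eni-0example - - - - - - - 1600000000 1600000060 - NODATA",
]
```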
Event & Finding Processing
Event & Finding Processing
• Rules-engine application
• MapReduce tasks
• Elasticsearch cluster
Demo #5
Cloud-based rules engine
Rules Engine Reference Architecture (diagram; components as labelled)
AWS CloudTrail -> Amazon CloudWatch Events Rule (Event Selector, Target) -> AWS Lambda -> Output of function
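The rule-to-target flow above, as an added example that is not the talk's demo code: a Python event selector in the shape of a CloudWatch Events pattern, a minimal matcher for that pattern subset, and a Lambda target that turns a CloudTrail-delivered AuthorizeSecurityGroupIngress call into a finding-shaped output flagging ingress opened to 0.0.0.0/0. The envelope and detail fields follow the CloudTrail-via-CloudWatch Events format; the account, group and IP values are placeholders.

```python
from typing import Any, Dict, List, Tuple

# Event selector for the rule, in the shape of a CloudWatch Events event pattern.
RULE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"],
               "eventName": ["AuthorizeSecurityGroupIngress"]},
}

def matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Subset of event-pattern semantics: every pattern key must exist in the
    event; a list means 'any of these values'; a nested dict recurses."""
    for key, want in pattern.items():
        if key not in event:
            return False
        got = event[key]
        if isinstance(want, dict):
            if not isinstance(got, dict) or not matches(want, got):
                return False
        elif got not in want:
            return False
    return True

def handler(event: Dict[str, Any], context=None) -> Dict[str, Any]:
    """Lambda target: turn the CloudTrail record into a finding-shaped output."""
    detail = event["detail"]
    params = detail.get("requestParameters") or {}
    world_open: List[Tuple[Any, Any, Any]] = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":      # ingress open to the world
                world_open.append((perm.get("ipProtocol"),
                                   perm.get("fromPort"), perm.get("toPort")))
    return {"eventName": detail["eventName"], "groupId": params.get("groupId"),
            "actor": detail.get("userIdentity", {}).get("arn"),
            "world_open": world_open,
            "severity": "high" if world_open else "info"}

def process(event: Dict[str, Any]) -> Dict[str, Any]:
    """Rule plus target in one step: non-matching events produce no output."""
    return handler(event) if matches(RULE_PATTERN, event) else {}

# Constructed envelope carrying a CloudTrail record (IDs and IPs are placeholders).
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail", "source": "aws.ec2",
    "account": "123456789012", "region": "us-east-1",
    "detail": {"eventSource": "ec2.amazonaws.com",
               "eventName": "AuthorizeSecurityGroupIngress",
               "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example"},
               "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
                   {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                    "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
}
```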
Event & Finding Analysis and Workflow
Event & Finding Analysis
• Commercial log/event search tools and product consoles
• SIEM tools
• Kibana (part of ELK stack)
Analyzing Ephemeral Events & Findings
• What happens when you log something from a server that no longer exists?
• Even more so with serverless architectures: what happens when you log something from a function call whose code was not running in a servlet container or container until the moment it was invoked?
How?
• Track the configuration, not the configuration item
• Correlate events from no-longer-existing assets with platform events
Event & Finding Enrichment
• Metadata on objects
• Resolver groups
• Data classification
• Correlation or “joins” on other sources
• Extract fields and key off critical key/value pairs to perform lookups on related data such as last change, related objects
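Covering both the ephemeral-asset approach above (track the configuration, not the configuration item) and the enrichment list, an added Python example that is not from the talk: it folds constructed RunInstances/TerminateInstances platform events into a per-instance configuration record, then joins an application event from a now-terminated instance to it, attaching image, role, resolver group (from an Owner tag) and data classification, and flagging events that fall outside the asset's lifetime. The event shapes, tag names and IDs are assumptions.

```python
from datetime import datetime, timezone
from typing import Any, Dict, List

def ts(s: str) -> datetime:
    """Parse the CloudTrail-style UTC timestamp used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed platform events (shape loosely follows CloudTrail; IDs are placeholders).
PLATFORM_EVENTS = [
    {"eventName": "RunInstances", "eventTime": "2017-02-01T10:00:00Z",
     "instanceId": "i-0placeholder1", "imageId": "ami-0placeholder",
     "iamRole": "role/web-app", "tags": {"Owner": "team-web", "DataClass": "internal"}},
    {"eventName": "TerminateInstances", "eventTime": "2017-02-01T18:00:00Z",
     "instanceId": "i-0placeholder1"},
    {"eventName": "RunInstances", "eventTime": "2017-02-01T11:00:00Z",
     "instanceId": "i-0placeholder2", "imageId": "ami-0placeholder",
     "iamRole": "role/batch", "tags": {}},
]

def build_lifetimes(platform_events: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Fold launch/terminate events into one configuration record per instance."""
    life: Dict[str, Dict[str, Any]] = {}
    for ev in sorted(platform_events, key=lambda e: e["eventTime"]):
        iid = ev["instanceId"]
        if ev["eventName"] == "RunInstances":
            life[iid] = {"launched": ts(ev["eventTime"]), "terminated": None,
                         "imageId": ev["imageId"], "iamRole": ev["iamRole"],
                         "tags": ev.get("tags", {})}
        elif ev["eventName"] == "TerminateInstances" and iid in life:
            life[iid]["terminated"] = ts(ev["eventTime"])
    return life

def enrich(event: Dict[str, Any], lifetimes: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Attach configuration, resolver group, data classification and asset state."""
    out = dict(event)
    rec = lifetimes.get(event.get("instanceId", ""))
    if rec is None:
        out["asset_state"] = "unknown"        # no platform record to attribute it to
        return out
    when = ts(event["timestamp"])
    out.update({"imageId": rec["imageId"], "iamRole": rec["iamRole"],
                "resolver_group": rec["tags"].get("Owner", "unassigned"),
                "data_classification": rec["tags"].get("DataClass", "unclassified")})
    if when < rec["launched"]:
        out["asset_state"] = "before_launch"        # clock skew or wrong asset id
    elif rec["terminated"] is None:
        out["asset_state"] = "live"
    elif when <= rec["terminated"]:
        out["asset_state"] = "terminated"           # asset gone, event from its lifetime
    else:
        out["asset_state"] = "after_termination"    # delivered late, or the id was misused
    return out
```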
Event & Finding Workflow
• Ticketing or case management system
• DevOps collaboration platforms (Slack, HipChat, etc.)
Demo #6
Cloud-based event workflow
Cloud-based Workflow Reference Architecture (diagram; components as labelled)
AWS CloudTrail -> Amazon CloudWatch Events Rule (Event Selector, Target) -> AWS Lambda
Applied Architecture – Call to action - 1-2 weeks
Document event & finding flow for 2 critical applications. Keep it to super simple documentation like this and check into revision control:
Java properties -> flat file -> file monitor agent -> aggregation microservice -> object storage -> Elasticsearch
Java properties -> flat file -> file monitor agent -> aggregation microservice -> stream processing rules engine -> ticketing API
Pair up security analysts with developers to understand log generation and events of interest in 1-2 critical applications
Applied Architecture – Call to action - 3 months
Stand up a centralized log ingestion platform
Create micro-services to integrate event/finding processing & analysis tiers with actionable workflow systems