Automated Infrastructure Security: Monitoring using FOSS

Automated Infrastructure SecurityMonitoring using FOSS

#AllDayDevOps

@madhuakula, Automation NinjaAppsecco

https://twitter.com/madhuakula

http://appsecco.com/

About Me !Automation Ninja at Appsecco

Appsecco is a specialist application security company

Interested in Security, DevOps & Cloud

Found bugs in Google, Microsoft, Yahoo, etc

Never ending learner!

Follow (or) Tweet to me @madhuakula

2



What we are covering today?ELK stack to analyse and visualise logs in near realtime

ElastAlert to create rules to automatically defend against SSHbruteforce attacks

AWS Lambda to do this, since our infra is hosted on AWS

Python based Chalice framework for using AWS Lambda

3

Architecture

4

Automated Defence DemoAppsecco Automated Infrastructure Security Monitoring Demo (ELK + AWS Lambda)

http://bit.ly/addoaism

5

https://www.youtube.com/embed/ThHcP6wR_oc

https://www.youtube.com/watch?v=ThHcP6wR_oc

http://bit.ly/addo-aism

AWS Lambda Chalice Code

https://github.com/appsecco/alldaydevopsaism

6

https://github.com/appsecco/alldaydevops-aism

Security for our AWS LambdaWe are primarily doing the following two things

1. A sufficiently random token to protect the request when wepost the IP address from ElastAlert

2. Whitelist the IP address of the host where the HTTP POST request originates from

7

Use Cases for Automated Defence1. Automated Defender (Attack Alerts + Automated Firewall)

2. Security Analytics + Reports

3. Near realtime Centralised Log Monitoring

8

Attack Scenario : Wordpress XMLRPC

https://blog.appsecco.com/analysingattacksonawordpressxmlrpcusingan

elkstack3bf25a7e36cc

9

https://blog.appsecco.com/analysing-attacks-on-a-wordpress-xml-rpc-using-an-elk-stack-3bf25a7e36cc/

Needs ImprovementMore attack signatures required

For example OSSEC Wazuh Ruleset

Improve the ElastAlert Alerter custom code

Any suggestions from your side

10

http://documentation.wazuh.com/en/latest/ossec_ruleset.html

Alternatives to our stackStack Elastic Graylog TICK Stack Prometheus + Grafana

Serverless AWS Lambda Azure Functions Cloud Functions

11

https://elastic.co/

https://www.graylog.org/

https://www.influxdata.com/use-cases/introducing-the-tick-stack/

https://prometheus.io/

http://grafana.org/

https://aws.amazon.com/lambda

https://azure.microsoft.com/en-in/services/functions/

https://cloud.google.com/functions/

Our assumptionsYou are already monitoring in near realtime using the ELKstack

You are under attack for a specific service

You have configured ElastAlert for your alerting

12

In SummaryWe created attack threshold rules in ElastAlert

We created an AWS Lambda endpoint to be able to modifyAWS VPC Network ACLs

We have a realtime blocking system infinitely scalable

13

ReferencesBlog Post

Elastic

Elast Alert

AWS Lambda

Chalice

14

https://blog.appsecco.com/analysing-attacks-on-a-wordpress-xml-rpc-using-an-elk-stack-3bf25a7e36cc

https://www.elastic.co/

https://github.com/Yelp/elastalert

https://aws.amazon.com/lambda

https://github.com/awslabs/chalice

Thanks@madhuakula | @appseccouk | http://appsecco.com


https://twitter.com/appseccouk


Automated Infrastructure Security: Monitoring using FOSS

Software