,
17 tweets,
6 min read
Read on Twitter
#BSidesLV next talk: Cloud Rules Everything Around Me 🐝 by @KyleHaxWhy
#BSidesLV cloudsec* typos aint nuthin ta fuck with
#BsidesLV agenda:
1. basics on cloud concepts.
2. Logging
3. Config mgmt
4. IR
Shared responsibility model is a thing.
1. basics on cloud concepts.
2. Logging
3. Config mgmt
4. IR
Shared responsibility model is a thing.
#BSidesLV logging: easy to DoS yourself if done improperly.
AWS: CloudTrail, VPC Flowlogs (now with VPC mirroring), Cloudwatch metrics & alarms
AWS: CloudTrail, VPC Flowlogs (now with VPC mirroring), Cloudwatch metrics & alarms
#BSidesLV cloudtrail tells you who, what, when. User agent tells you if it was cli, browser, etc.
Need to centralise life (can do with azure event logs as well). Single point to consume logs. Has benefit off-account DR. Gotcha: 20kb bucket policy limit.
Need to centralise life (can do with azure event logs as well). Single point to consume logs. Has benefit off-account DR. Gotcha: 20kb bucket policy limit.
#BsidesLV info visualisation is key. Usage over time, error rates. Top error names & top event names.
#BSidesLV Alarms: 
#BSidesLV Azure: Activity Logs (diagnostic, AD reporting, storage analysitics) and Network Security Logs
Prior art: Sean Metcalf at BSides Charm “You moved to Office 365 Now What”
Office365: some logs not enabled by default
Prior art: Sean Metcalf at BSides Charm “You moved to Office 365 Now What”
Office365: some logs not enabled by default
#BSidesLV continuous compliance.
Inventory management “if you don’t know what you got, how can you Protect Ya Neck?”
Tracking Shadow IT. “Here’s this new account I added”
Inventory management “if you don’t know what you got, how can you Protect Ya Neck?”
Tracking Shadow IT. “Here’s this new account I added”
#BSidesLV AWS Config Rules makes it easy to stand up CIS benchmarks. Used to be $2 a config rule, so some price/scalability issues. It’s a per-region cost. Now it’s per-invocation so cost should be lower.
#BSidesLV tools:
- prowler by Toni Blyx. “Forensic Readniess Test”
- Security Monkey by Netflix & cross-account role authentication
- commercial: Redlock
- prowler by Toni Blyx. “Forensic Readniess Test”
- Security Monkey by Netflix & cross-account role authentication
- commercial: Redlock
#BSidesLV “IAM... standing in front of you”
#BSidesLV AWS switch role method. Federates identity between accounts. Scalable, auditable.
azure: federated identity from AD already.
considerations: MFA MFA MFA. Federated Identities. User Lifecycle Policies (tags & automation)
azure: federated identity from AD already.
considerations: MFA MFA MFA. Federated Identities. User Lifecycle Policies (tags & automation)
#BSidesLV tool: “AWS IR” for key disabling.
Incident Response:
- Have a per-cloud IR plan
- ensure IR team has sufficient access
- run game days & runbooks
Incident Response:
- Have a per-cloud IR plan
- ensure IR team has sufficient access
- run game days & runbooks
#BSidesLV all tools will be linked on twitter: @KyleHaxWhy
#BSidesLV q&a: SNS is minute level resolution, can we get faster? A: can’t really get faster than they’ll provide it to us
Q: thought about automation of IR?
A: yes, valuable. Tools like margarita-shotgun to capture memory
Q: thought about automation of IR?
A: yes, valuable. Tools like margarita-shotgun to capture memory
#BSidesLV a: data transfer costs are a thing & can suck. Any advice?
A: yes, will tweet out a diagram @KyleHaxWhy & need to monitor closely
A: yes, will tweet out a diagram @KyleHaxWhy & need to monitor closely
