Professional Documents
Culture Documents
Analytics-based
Investigation & Automated
Response with AWS +
Splunk Security Solutions
Scott Ward
Principal Solutions Architect | Amazon Web Services
Wissam Ali-Ahmad
Lead Solutions Architect | Splunk
Forward- During the course of this presentation, we may make forward‐looking statements regarding
future events or plans of the company. We caution you that such statements reflect our
Looking current expectations and estimates based on factors currently known to us and that actual
events or results may differ materially. The forward-looking statements made in the this
Statements presentation are being made as of the time and date of its live presentation. If reviewed after
its live presentation, it may not contain current or accurate information. We do not assume
any obligation to update any forward‐looking statements made herein.
In addition, any information about our roadmap outlines our general product direction and is
subject to change at any time without notice. It is for informational purposes only, and shall
not be incorporated into any contract or other commitment. Splunk undertakes no obligation
either to develop the features or functionalities described or to include any such feature or
functionality in a future release.
Splunk, Splunk>, Data-to-Everything, D2E and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States
and other countries. All other brand names, product names or trademarks belong to their respective owners. © 2020 Splunk Inc. All rights reserved
© 2020 SPLUNK INC.
Scott Ward
Principal Solutions Architect | Amazon Web Services
© 2020 SPLUNK INC.
Wissam Ali-Ahmad
Lead Solutions Architect | Splunk
© 2020 SPLUNK INC.
5) Next Steps
Resources
© 2020 SPLUNK INC.
AWS is
responsible for REGIONS
Successful security
practices in AWS
Identify, investigate, and
respond to threats in your AWS
environments at scale
© 2020 SPLUNK INC.
?
• Who do the IAM credentials belong to?
• What access do the credentials have?
• Impact if the credentials are blocked?
• Why is this happening?
• How should I respond?
• How do I prevent this in the future?
© 2020 SPLUNK INC.
?
• What is the severity of the threat?
• What is the purpose of this instance?
• Why is this happening?
• What should my response be?
• How do I prevent this in the future?
© 2020 SPLUNK INC.
• Am I currently in compliance?
• Am I aligning with compliance best practices on AWS?
• I need to know as soon as I go out of compliance.
• I need to quickly fix things when I am out of compliance.
© 2020 SPLUNK INC.
?
• What is out of compliance?
• How did I get out of compliance?
• How do I get back into compliance?
• How do I prevent this in the future?
© 2020 SPLUNK INC.
Compliance
AWS CloudTrail
Checks
AWS CloudTrail
Finding Finding
VPC Flow logs
Amazon AWS Security Amazon Amazon Kinesis
GuardDuty Hub CloudWatch Data Firehose
Events
DNS Logs
Kinesis Data
Firehose
Benefits
Scalable architecture
with event
acknowledgement
– Push architecture allows for high
volume data sent to Splunk without
a forwarder
– Data stored in S3 if unable to send
to Splunk
– Scales to large volume data
sources, like CloudTrail, VPCFlow
logs, Application Logs etc.
– Leverages Splunk HTTP Event
Collector (HEC)
– Enables automation such as
Project Grand Central
– Reduces complexity for data
collection
© 2020 SPLUNK INC.
Security posture of
your AWS workloads
Detection and Investigation Use Cases
© 2020 SPLUNK INC.
SPLUNKBASE
APPLICATIONS
Operations,
Framework
Adaptive,
SIEM SOAR
Security
PLATFORM
DATA
SOURCES Amazon Amazon AWS AWS Amazon AWS Amazon AWS
S3 EC2 CloudTrail IAM CloudWatch Config Kinesis Lambda
Let’s look first at some detection and investigation use cases with
AWS and Splunk Enterprise Security (SIEM)
© 2020 SPLUNK INC.
AWS Data Source Source type in Add-on CIM Model Detection in Splunk ES
AWS Data Source Source type in Add-on CIM Model Detection in Splunk ES
CloudTrail aws:cloudtrail Change Analysis EC2 Instance Started In Previously Unseen Region
EC2 Modified by Previously Unseen User
All AWS activities from
AWS Data Source Source type in Add-on CIM Model* Detection in Splunk ES
Automated Threat
Mitigation
Automated decision making and response with
AWS and Splunk
© 2020 SPLUNK INC.
See Appendix
Detection Visibility Analysis Correlation Decisions Actions
for resources
© 2020 SPLUNK INC.
1 2 3
AWS SecurityHub Playbook: EC2 Instance Playbook: Instance
• SecHub detects potential threat with an Investigation Isolation
exposed EC2 instance
• Automated steps to gather: • Automated step to:
• SecHub triggers a findings as a
CloudWatch event – Finding risk level and details • Add instance to an isolated security
group
• Cloudwatch event rule forwards the – EC2 instance configuration
findings to an SQS Queue – Host activity
• Phantom App for SecurityHub collects • Get connections probing instance
events from SQS Queue
– Check IP reputation
– Check Geolocation
• Create service ticket
• Send a Slack message
‒ Notify security team
© 2020 SPLUNK INC.
SESSION SURVEY
© 2020 SPLUNK INC.
Appendix
End State: Comprehensive AWS Visibility
© 2020 SPLUNK INC.
© 2020 SPLUNK INC.
https://splunkbase.splunk.com/apps/#/search/aws/
© 2020 SPLUNK INC.
Amazon
GuardDuty
Amazon
Macie
https://github.com/splunk/splunk-for-securityHub
Amazon
Inspector Amazon AWS Splunk HTTP
CloudWatch Lambda Event Collector
Events Function
AWS
AWS Security Hub
Firewall
Manager
Amazon
Simple Queue (Splunk Phantom App
Integrated Service for AWS Security Hub)
Partner
Solutions https://splunkphantom.s3.amazonaws.com/phantom-sechub-setup.html