2021-09-03, 16:00–16:40, Main track
“DIAL: Did I just alert lambda?”, is a centralised monitoring and alerting system completely running stateless, which gives us end to end visibility on internal threats, security misconfigurations like database going public, over permissive IAM policies, happening across different AWS accounts. It runs on the top of AWS Lambda, thus making it infinitely scalable which is easily deployable across multiple AWS accounts.
What is DIAL and what are the features of DIAL?
- An In house monitoring and alerting system which gives us alerts on any malicious activity happening across our different AWS accounts over Slack or email,
- Assigns severity to each alert based on our severity classification module
- Stores all the generated alerts in DynamoDb and also forwards it to an open source incident response tool - theHive for further an analysis and enrichment
- Modular tool which makes it easy to add more alerting modules
- Improved error handling capabilities
What advantages this has over traditional SIEM for detection and alerting?
- Detection time of DIAL for any malicious activity over AWS is < 5 seconds. Traditional SIEM detection time is > 5-10 minutes.
- Completely stateless, infinitely scalable and cost effective
- Modular which makes it easy to increase our security coverage to any of the AWS resources
- Easy to deploy in multiple AWS accounts which we spawn
- While it does not replace the capabilities of a SIEM architecture, it gives us a huge advantage when it comes to detection time and complete control over granularity of an alert.
AWS Services that DIAL is currently covering:
- Guard Duty
- RDS & Dynamo DB
- SSM (Parameter Store)
- Secrets Manager
- VPC & VPC Peering Connections
- Internet Gateway
- Route Tables & Subnet Associations
- Security Groups
Security Engineer @ CRED