It seems clear to everyone that availability and performance are the main concerns when monitoring a platform.

But... what happens if suddenly you discover that you were hacked some weeks ago and you have intruders on your servers?

It has always been scary, but now it might affect personal data, and the GDPR fine can be much more than "scary".

Do not ask "if" your servers can be hacked; ask "when" it will happen instead. And my question is... how long will it take you to notice that you are being, or were, hacked?

In this talk we want to show the architecture we have in place to monitor several different platforms from several different websites (such as Infojobs, Fotocasa, Milanuncios, Vibbo...), with distributed teams and diverse technologies, using a pragmatic approach that invests a very reasonable amount of effort and money. We will explain the options when using an open-source but mature component such as ossec, combined with commercial software such as Splunk, while heavily optimizing the costs. We will also cover the components that AWS provides to detect attacks and intrusions, both the successful cases and the not-so-successful ones. We will address monitoring live HTTP requests, log analysis, and intrusion detection on servers and also on the network.

Our global approach: monitor good-quality events rather than gathering large quantities of "simple" logs.

All this with an expense lower than 1K per month, monitoring platforms with millions of monthly users. So it can work for both big and small pockets!

Comments


Buitaker at 18:43 on 6 Jun 2019

Great talk for non sec engineers, great summary.

Rubén Vazquez at 19:06 on 6 Jun 2019

Awesome talk. Not directly connected with DevOps, but a very interesting point of view and tools.

Miguel A. at 19:21 on 6 Jun 2019

Good explanation.

Really good talk and interesting topic.

Jaume at 12:39 on 7 Jun 2019

Great info. Can be used as reference as all the things you want to monitor in your AWS stack.