GuardDuty Expands AWS Security

November 10, 2023

GuardDuty expands AWS security. Gartner projects that through 2025, 99% of cloud security failures will be the customer's fault, most often through mistakes such as misconfiguration. Yet many security and DevOps teams are forced to bounce back and forth between point solutions, which makes it hard to get complete visibility or to protect against all threats. This post looks at how the latest GuardDuty enhancements bolster protection for cloud-based resources.

AWS has expanded GuardDuty, its managed threat detection service, with three new protection plans: EKS Runtime Monitoring, RDS Protection, and Lambda Protection. Each is covered below, followed by a broader look at cloud vulnerability management.

Introducing EKS Runtime Monitoring

EKS Runtime Monitoring detects threats to your Amazon Elastic Kubernetes Service (EKS) clusters at runtime. Instead of relying only on log sources, it deploys a GuardDuty security agent to the cluster's worker nodes and collects operating-system-level events (process execution, file access, network connections) from the containers running there. GuardDuty evaluates those events, together with the AWS CloudTrail, VPC Flow Log and DNS log data it already analyzes, against threat intelligence and anomaly-detection models to look for behavior that indicates a security threat. When it detects one, it generates a finding with contextual information (cluster, workload, container, process) so you can respond quickly.

To use this capability, enable EKS Runtime Monitoring on your GuardDuty detector and get the security agent onto each cluster, either by letting GuardDuty manage it as the aws-guardduty-agent EKS add-on or by installing that add-on yourself; the agent reports to GuardDuty through a VPC endpoint, which GuardDuty creates for you when it manages the add-on. GuardDuty itself is a threat detection service that continuously monitors your account using a combination of machine learning, anomaly detection and integrated threat intelligence, surfacing suspicious activity before it escalates across your AWS environment.

When an EKS cluster is created, the IAM principal that creates it is automatically granted system:masters (cluster-admin) permissions in the cluster's RBAC configuration. Other IAM users and roles have no access until you map them: the aws-auth ConfigMap in the kube-system namespace maps IAM principals to Kubernetes users and groups, and Kubernetes Roles and RoleBindings then limit what those groups can do, down to specific namespaces, pods and operations. Keep the mapped groups narrow; a mapping to system:masters hands out full cluster access regardless of the IAM policy attached to the role.

As workloads grow, you also need to watch cluster capacity. Memory, CPU and disk utilization metrics show whether workloads are hitting their limits, and storage metrics such as etcd database size and PersistentVolumeClaim usage show whether the cluster has enough room for your applications. Sudden, unexplained CPU growth is also worth a security look, since it is the classic footprint of cryptocurrency mining in a compromised container.

A key benefit of EKS is its built-in high availability. The managed control plane runs across several Availability Zones, and EKS monitors those instances, applies software updates as needed, and automatically replaces any that become unhealthy, for example because of CPU or memory overutilization.

If your applications sit behind load balancers, monitor those as well. Metrics like Latency or HTTPCode_ELB_5XX show the health of the load balancers and how they are distributing traffic to your application, and a spike in the number of errors they return can point to an underlying problem, whether a failing deployment or a flood of hostile requests.

Introducing GuardDuty RDS Protection

GuardDuty is a fully managed security service that monitors for threats to Amazon Web Services environments. It analyzes data sources such as Amazon Virtual Private Cloud (VPC) flow logs, DNS logs, AWS CloudTrail and more to detect unauthorized or potentially malicious activity. Its detection models are tuned continuously, including with customer feedback on findings, to reduce alert fatigue and improve accuracy for organizations of all sizes.

EKS Runtime Monitoring, described above, is how GuardDuty extends this coverage into containerized workloads: an on-host agent provides operating-system-level profiling and monitoring, which GuardDuty combines with pre-integrated, continually updated threat intelligence from AWS and third-party providers.

RDS Protection extends the same idea to databases. It analyzes the login activity of Amazon Aurora databases (Aurora MySQL-Compatible and Aurora PostgreSQL-Compatible) to identify anomalous login behavior: successful or failed logins from unusual sources, brute-force login attempts, and logins from IP addresses on threat lists or Tor exit nodes. Findings carry names such as CredentialAccess:RDS/AnomalousBehavior.FailedLogin and CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce and include the database, cluster, database user and remote IP involved, so an analyst can understand and investigate what is happening without first reconstructing it from database logs. No database agent or log forwarding is required.

These findings can be correlated with other GuardDuty detections to produce alerts that tell users what is happening and what steps to take. With visibility spanning RDS login activity, EKS runtime events, Kubernetes audit logs and the broader AWS control plane and network logs, users can follow an attack's progression and contain it before it becomes a broader, business-impacting breach.

For example, a pattern of repeated failed attempts to connect to a database, especially from an address that has never connected before, indicates that database credentials may be exposed or under brute-force attack and need to be rotated. Such a finding should trigger a recommended response: change the password for the affected database user, review the available audit logs for other suspicious activity, and restrict the database's security group so that only the application subnets that need it can reach it, limiting the number of potential attackers who can even attempt a login.

GuardDuty RDS Protection is available today through the GuardDuty console, CLI or APIs to monitor the supported Aurora databases in your AWS accounts in supported Regions. You can enable it and start receiving findings within minutes, with no additional setup or hardware requirements. If you are not already a GuardDuty customer, you can sign up for a 30-day free trial to try this threat detection service for yourself.
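Enabling through the API is the same call for all three protection plans, so the following added example (written for this article; it is not AWS's or the author's code) turns on EKS Runtime Monitoring with GuardDuty-managed agent deployment, RDS Protection and Lambda Protection on the existing detector in a Region and then reads the detector back to confirm each feature actually reports ENABLED. It takes a boto3 GuardDuty client as an argument; the StubGuardDutyClient at the bottom is a constructed stand-in so it runs offline, and the detector ID in it is made up. Feature and configuration names are those of the GuardDuty UpdateDetector and GetDetector APIs.

```python
"""Enable GuardDuty EKS Runtime Monitoring, RDS Protection and Lambda
Protection on an existing detector and confirm each reads back ENABLED.
Pass boto3.client("guardduty") as `client` in real use."""

# Features as accepted by update_detector(). EKS_ADDON_MANAGEMENT lets
# GuardDuty deploy and update the security-agent add-on on every EKS
# cluster in the account, which is what EKS Runtime Monitoring needs.
PROTECTION_FEATURES = [
    {
        "Name": "EKS_RUNTIME_MONITORING",
        "Status": "ENABLED",
        "AdditionalConfiguration": [
            {"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"},
        ],
    },
    {"Name": "RDS_LOGIN_EVENTS", "Status": "ENABLED"},      # RDS Protection
    {"Name": "LAMBDA_NETWORK_LOGS", "Status": "ENABLED"},   # Lambda Protection
]


def detector_id_for_region(client):
    """Return the detector ID for the client's Region (there is at most
    one); raise if GuardDuty has never been enabled there."""
    ids = client.list_detectors().get("DetectorIds", [])
    if not ids:
        raise RuntimeError("GuardDuty is not enabled in this Region; "
                           "call create_detector(Enable=True) first")
    return ids[0]


def verify_protections(client, detector_id, expected=PROTECTION_FEATURES):
    """Read the detector back and report, per feature, whether its status
    and every requested AdditionalConfiguration match the request.
    A feature absent from the response counts as not enabled."""
    resp = client.get_detector(DetectorId=detector_id)
    current = {f["Name"]: f for f in resp.get("Features", [])}
    report = {}
    for want in expected:
        have = current.get(want["Name"], {})
        ok = have.get("Status") == want["Status"]
        have_extra = {c["Name"]: c.get("Status")
                      for c in have.get("AdditionalConfiguration", [])}
        for extra in want.get("AdditionalConfiguration", []):
            ok = ok and have_extra.get(extra["Name"]) == extra["Status"]
        report[want["Name"]] = ok
    return report


def enable_protections(client, detector_id, features=PROTECTION_FEATURES):
    """Request the features, then verify instead of trusting the 200 OK:
    a plan can stay DISABLED in a Region where it is not offered."""
    client.update_detector(DetectorId=detector_id, Features=features)
    return verify_protections(client, detector_id, features)


class StubGuardDutyClient:
    """Constructed offline stand-in for the boto3 GuardDuty client. It
    stores the requested features except any listed in `unsupported`,
    which models a Region where that protection plan is unavailable."""

    def __init__(self, detector_id="12abc34d567e8fa901bc2d34e56789f0",
                 unsupported=()):
        self._detector_id = detector_id        # made-up detector ID
        self._unsupported = set(unsupported)
        self._features = []

    def list_detectors(self):
        return {"DetectorIds": [self._detector_id]}

    def update_detector(self, DetectorId, Features):
        assert DetectorId == self._detector_id
        self._features = [f for f in Features
                          if f["Name"] not in self._unsupported]
        return {}

    def get_detector(self, DetectorId):
        assert DetectorId == self._detector_id
        return {"Status": "ENABLED", "Features": self._features}


if __name__ == "__main__":
    client = StubGuardDutyClient()   # swap for boto3.client("guardduty")
    did = detector_id_for_region(client)
    for name, ok in enable_protections(client, did).items():
        print(f"{name:24s} {'ENABLED' if ok else 'NOT ENABLED'}")
```

In a multi-account setup, run this from the delegated administrator and use the organization-level auto-enable settings instead, so accounts added later inherit the same protection; the verification step stays the same, one detector per Region.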

Introducing GuardDuty Lambda Protection

GuardDuty protects your cloud environment through continuous monitoring of network activity, data access patterns, and account behavior. It comes pre-integrated with up-to-date threat intelligence from Amazon Web Services and third-party providers such as Bitdefender, CrowdStrike, and Proofpoint, so it can detect activity such as cryptocurrency mining, behavior consistent with credential compromise, unauthorized or unusual data access, and communication with known malicious IP addresses.

GuardDuty Lambda Protection brings this to serverless applications by continuously monitoring the network activity of your Lambda functions, mapped back to the individual function that generated it, including functions that are not attached to a VPC. This lets GuardDuty identify threats such as cryptocurrency mining, unauthorized or unusual data access, and communication with known command-and-control servers originating from a function, which usually means the function's code or a dependency has been compromised.

Lambda Protection adds Lambda network activity logs to the VPC Flow Logs, DNS logs, and AWS CloudTrail event logs that GuardDuty already analyzes for potentially unauthorized or malicious activity. Each finding appears in the GuardDuty console and is also published as an event to Amazon EventBridge, where a rule can forward it to a Simple Notification Service (SNS) topic. SNS can then deliver the finding to your team by e-mail or to other tools such as ticketing systems and monitoring dashboards.

As the threat landscape continues to evolve, the capabilities of GuardDuty continue to expand. GuardDuty now includes EKS Runtime Monitoring, RDS Protection for Aurora, and Lambda Protection. RDS Protection for Aurora works by analyzing the database's login activity rather than its network configuration, so when a finding shows a database under attack, a quick containment step is still on you: tighten the security group attached to the affected instance, or move it to a new, restrictive one, so that only known application sources can reach it while you rotate credentials and investigate.

With the integration of GuardDuty with Alert Logic, you can act on findings automatically, either from the GuardDuty console or with a custom Lambda function that integrates with Alert Logic and SNS to deliver notifications. The process is a short set of steps that can be automated so your teams address threats faster and more consistently.

To use the Alert Logic integration, you need an account that serves as your delegated administrator for GuardDuty and an account with administrative privileges in the AWS Management Console, and GuardDuty must be enabled in at least one Region for the integration to work.
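The EventBridge-to-SNS path and the custom Lambda function mentioned above share one piece of logic: deciding which findings are worth paging on and what context to attach. The following added example (written for this article; not AWS's, Alert Logic's or the author's code) is such a handler. It assumes an EventBridge rule matching source aws.guardduty and detail-type "GuardDuty Finding" invokes it, and that an SNS client (boto3.client("sns")) and topic ARN are supplied by the caller; the sample event, the account ID, the topic ARN and the stub SNS client are constructed for offline use, and the sample models the repeated failed database logins described in the RDS section.

```python
"""Triage GuardDuty findings delivered by EventBridge and forward the ones
at or above a severity threshold to an SNS topic with responder context."""
import json

# GuardDuty severity bands: 1.0-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High,
# 9.0-10.0 Critical. Finding types read Category:Resource/Threat.
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low")]
SNS_SUBJECT_LIMIT = 100   # SNS rejects Publish calls with a longer Subject
DEFAULT_TOPIC = "arn:aws:sns:us-east-1:111122223333:guardduty-alerts"  # assumed


def severity_label(score):
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "Low"


def describe_target(resource):
    """Name the affected resource for the plans this article covers,
    falling back to the raw resource type for anything else."""
    kind = resource.get("resourceType", "Unknown")
    if kind == "Lambda":
        return resource.get("lambdaDetails", {}).get("functionArn", kind)
    if kind == "RDSDBInstance":
        db = resource.get("rdsDbInstanceDetails", {})
        user = resource.get("rdsDbUserDetails", {}).get("user")
        target = db.get("dbClusterIdentifier") or db.get("dbInstanceIdentifier", kind)
        return f"{target} (user {user})" if user else target
    if kind == "EKSCluster":
        cluster = resource.get("eksClusterDetails", {}).get("name", kind)
        workload = (resource.get("kubernetesDetails", {})
                    .get("kubernetesWorkloadDetails", {}).get("name"))
        return f"{cluster}/{workload}" if workload else cluster
    return kind


def triage(finding, min_severity=4.0):
    """Return a compact summary for a finding worth alerting on, else None."""
    severity = float(finding.get("severity", 0))
    if severity < min_severity:
        return None
    service = finding.get("service", {})
    return {
        "id": finding["id"],
        "account": finding.get("accountId"),
        "region": finding.get("region"),
        "type": finding["type"],
        "severity": severity,
        "label": severity_label(severity),
        "target": describe_target(finding.get("resource", {})),
        "count": service.get("count", 1),   # repeats folded into one finding
        "first_seen": service.get("eventFirstSeen"),
        "last_seen": service.get("eventLastSeen"),
        "title": finding.get("title", ""),
    }


def handler(event, context=None, sns=None, topic_arn=DEFAULT_TOPIC, min_severity=4.0):
    """Lambda entry point. Returns what was or was not forwarded so the
    decision is testable; the SNS publish is the only side effect."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"forwarded": False, "reason": "not a GuardDuty finding event"}
    summary = triage(event["detail"], min_severity)
    if summary is None:
        return {"forwarded": False, "reason": "below severity threshold"}
    subject = f"[GuardDuty {summary['label']}] {summary['type']}"[:SNS_SUBJECT_LIMIT]
    if sns is not None:
        sns.publish(TopicArn=topic_arn, Subject=subject,
                    Message=json.dumps(summary, indent=2))
    return {"forwarded": True, "subject": subject, "summary": summary}


class StubSns:
    """Constructed stand-in for the boto3 SNS client; records publishes."""
    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": str(len(self.published))}


# Constructed sample event in EventBridge's GuardDuty finding shape.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "schemaVersion": "2.0", "accountId": "111122223333", "region": "us-east-1",
        "id": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
        "type": "CredentialAccess:RDS/AnomalousBehavior.FailedLogin",
        "severity": 5,
        "title": "Anomalous failed login attempts to an Aurora database.",
        "resource": {
            "resourceType": "RDSDBInstance",
            "rdsDbInstanceDetails": {"dbInstanceIdentifier": "orders-db-instance-1",
                                     "dbClusterIdentifier": "orders-db",
                                     "engine": "aurora-postgresql"},
            "rdsDbUserDetails": {"user": "app_user"},
        },
        "service": {"count": 37, "eventFirstSeen": "2023-11-09T21:14:00Z",
                    "eventLastSeen": "2023-11-09T21:19:30Z"},
    },
}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT, sns=StubSns()), indent=2))
```

Two details matter in production: GuardDuty updates an existing finding in place when the same activity repeats, so the count and last-seen timestamp in the summary tell the responder whether the attack is still running, and the EventBridge rule should match on detail-type rather than on finding type so that new detections added to a protection plan are not silently dropped.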

Introducing Cloud Vulnerability Management

The cloud requires a different paradigm for vulnerability management. It must be integrated with continuous threat monitoring so that weaknesses are found and remediated before an attacker exploits them. The first step is a security risk assessment of the cloud environment: scan the entire environment, identify misconfigurations and known vulnerabilities, assess their severity, and prioritize them by their impact on the business.

Once the assets are mapped out, it becomes easier to establish and maintain consistent security policies. This is the best protection against the threats that lead to a data breach, the most serious and costly outcome for a business: the direct losses can be enormous, and the damage to a company's reputation can outlast them.

There are many ways to improve cloud security: enforce multi-factor authentication (MFA) for all users and ensure that passwords are strong; encrypt all sensitive information, in transit and at rest; and consider micro-segmentation, which divides the network into distinct zones so that each zone has its own security controls and a compromise in one does not spread to the others. Finally, encourage good security practices among employees and back them with corresponding training.

A robust and consistent security framework is a must for the modern enterprise. It should include elements such as a firewall, a threat intelligence feed, a vulnerability scanner integrated with a vulnerability database, and a security management platform. It should also address the cloud computing model itself, in particular the shared responsibility model and best practices for building and operating secure workloads.

The biggest challenge in implementing such a framework is the speed at which assets are created in the cloud. Assets that nobody has inventoried are assets nobody is protecting, which makes it difficult to establish and maintain consistent security policies. A security management solution should therefore discover every asset, ensure each is protected against threats, and keep a strong audit log of all activity, so the business can detect and respond to attacks quickly and recover from them.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

