Thursday, 14 March 2019

Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior to help customers protect their AWS accounts and workloads. GuardDuty watches for activity such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise. It also flags potentially compromised instances and reconnaissance by attackers.
 

Amazon GuardDuty does not require an IT team to deploy, manage and scale additional security software. Instead, an administrator or security analyst enables GuardDuty via the AWS Management Console, and the service immediately begins to analyze the account's cloud environment. However, some of the more advanced, anomaly-based detections need one to two weeks of activity to establish a normal baseline for comparison, so expect those finding types to be quiet at first.
 

How It Works:
 

Amazon GuardDuty continuously analyzes cloud events in AWS CloudTrail, Amazon Virtual Private Cloud (VPC) Flow Logs and domain name system (DNS) logs for possible malicious activity.
 

Once enabled with a few clicks in the AWS Management Console, Amazon GuardDuty can immediately start analyzing billions of events across AWS accounts for signs of risk. It recognizes known attackers through integrated threat intelligence feeds and uses machine learning to find anomalies in account and workload activity. Whenever a potential threat is detected, the service delivers a detailed security finding to the GuardDuty console and to Amazon CloudWatch Events. This flow makes findings actionable and easy to integrate into existing event management and workflow systems.
 

The service uses built-in threat intelligence, anomaly detection and machine learning capabilities developed by the AWS security team to perform the analysis in near real time.
 

GuardDuty Detects the Following Types of Threats on the AWS Cloud:

  • Attacker Reconnaissance: these findings cover failed login patterns, unusual API activity and port scanning.
  • Compromised Resources: this category includes cryptojacking, unusual spikes in network traffic and EC2 instances communicating with known malicious or unexpected external IP addresses.
  • Compromised Accounts: examples include API calls from an unusual location, attempts to disable CloudTrail logging and unusual instance or infrastructure deployments.

While an admin can supply GuardDuty with a trusted IP list (addresses that will never generate findings) and a custom threat list (addresses that always will), the service does not otherwise support customized detection rules. An admin can, however, respond to each GuardDuty finding with thumbs-up or thumbs-down responses to provide feedback for future detections.
 
Amazon GuardDuty compiles and delivers security findings in JSON format to the Management Console, which enables an admin or an automated workflow to act on them. For example, Amazon CloudWatch Events can match findings from GuardDuty and trigger an AWS Lambda function that modifies security configurations. Note that GuardDuty aggregates repeated occurrences of the same finding: a new finding is published within minutes, but updates to an existing finding are batched on a schedule (six hours by default, configurable down to one hour or fifteen minutes), so automation keyed on the "count" field will lag. The GuardDuty console and APIs retain findings for 90 days.
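The following is an added example, not code from the original post or from AWS: a Lambda-style handler that consumes a GuardDuty finding arriving through the CloudWatch Events flow described above, validates that the event really is a GuardDuty finding, maps the numeric severity onto GuardDuty's documented Low/Medium/High bands and returns a response plan keyed on the affected resource type. It deliberately returns the plan instead of calling boto3 so it runs offline; the event pattern, the quarantine/deactivate action names and the sample events (account, instance, key and finding ids are placeholders) are assumptions for illustration.

```python
import json

# GuardDuty's documented severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
SEVERITY_BANDS = ((7.0, "HIGH"), (4.0, "MEDIUM"), (1.0, "LOW"))

# Pattern for the CloudWatch Events rule that routes findings to the function (assumed
# rule; it matches every finding, narrow it once you know what you want to route).
FINDING_EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}


def severity_label(score):
    """Map GuardDuty's numeric severity to its Low/Medium/High band."""
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return label
    return "UNKNOWN"  # GuardDuty does not emit scores below 1.0; kept as a guard


def threat_purpose(finding_type):
    """ThreatPurpose prefix of a finding type: 'Recon:EC2/PortProbe...' -> 'Recon'."""
    return finding_type.split(":", 1)[0]


def plan_response(detail):
    """Decide what to do with one finding's 'detail' payload and return the plan.
    A real Lambda would carry out 'quarantine_instance' (swap to a no-ingress security
    group) or 'deactivate_access_key' with boto3, then notify the on-call channel."""
    label = severity_label(float(detail["severity"]))
    resource = detail.get("resource", {})
    rtype = resource.get("resourceType")
    plan = {
        "finding_id": detail["id"],
        "type": detail["type"],
        "purpose": threat_purpose(detail["type"]),
        "severity": label,
        "resource_type": rtype,
        "action": "log",
    }
    if label == "LOW":
        return plan  # Low findings are recorded only; no automated containment
    if rtype == "Instance":
        plan["target"] = resource["instanceDetails"]["instanceId"]
        plan["action"] = "quarantine_instance" if label == "HIGH" else "notify"
    elif rtype == "AccessKey":
        plan["target"] = resource["accessKeyDetails"]["accessKeyId"]
        plan["action"] = "deactivate_access_key" if label == "HIGH" else "notify"
    else:
        plan["action"] = "notify"
    return plan


def handler(event, context=None):
    """Lambda entry point. Refuse anything that is not a GuardDuty finding so that a
    mis-scoped rule cannot drive containment actions from unrelated events."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    return plan_response(event["detail"])


def sample_event(finding_type, severity, resource):
    """Constructed sample event (not real GuardDuty output); only fields the handler reads."""
    return {
        "version": "0", "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
        "account": "123456789012", "region": "us-east-1",
        "detail": {
            "schemaVersion": "2.0", "accountId": "123456789012", "region": "us-east-1",
            "id": "00000000000000000000000000000001",
            "type": finding_type, "severity": severity, "resource": resource,
        },
    }


INSTANCE = {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}
KEY = {"resourceType": "AccessKey", "accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}
CRYPTO_EVENT = sample_event("CryptoCurrency:EC2/BitcoinTool.B!DNS", 8, INSTANCE)
RECON_EVENT = sample_event("Recon:EC2/PortProbeUnprotectedPort", 2, INSTANCE)
KEY_EVENT = sample_event("UnauthorizedAccess:IAMUser/MaliciousIPCaller", 5, KEY)

if __name__ == "__main__":
    for ev in (CRYPTO_EVENT, RECON_EVENT, KEY_EVENT):
        print(json.dumps(handler(ev)))
```

The guard in `handler` matters more than it looks: a CloudWatch Events rule with a too-broad pattern would otherwise hand the function events whose "detail" has no "severity" or "resource", and a containment action keyed on a missing field is worse than none. Keep the Low band on "log" only; GuardDuty emits plenty of port-probe findings for any host with a public IP, and auto-isolating on those creates an easy denial-of-service for whoever scans you.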

GuardDuty Management and Costs:
 
Amazon GuardDuty reads its log sources out of band, with no agent on your instances, so it has no performance impact on running systems. Additionally, GuardDuty uses a service-linked role in AWS Identity and Access Management to pull CloudTrail, VPC Flow Logs and DNS logs directly, so an admin does not have to manage or modify S3 bucket policies or log delivery; it keeps working even if those logs are not enabled for delivery to your own buckets.
 
Amazon GuardDuty is cost effective and easy to run. It does not require the customer to deploy and maintain software or security infrastructure. There are no upfront costs, no software to deploy and no threat intelligence feeds to license.
 
An AWS customer pays for GuardDuty based on the number of AWS CloudTrail events and the volume (in GB) of VPC Flow Logs and DNS logs the service analyzes. AWS provides a 30-day free trial for GuardDuty.
Amazon Macie, another machine learning-enabled security service, differs from GuardDuty in that it focuses on data classification and protection of the data stored in S3 rather than on threat detection.
