AWS Security Services: Incident Response
Detect Threats Early with Amazon GuardDuty
There are 5 broad categories of AWS security services best practices used to design the security posture in AWS Cloud.
AWS Cloud is very clear that its services run on a shared responsibility model:
“AWS manages security of the cloud. You are responsible for security in the cloud. This means that you retain control of the security you choose to implement.”
Your organization can’t rely on luck or hope to manage your cloud security. As our Colonial Pipeline data breach example shows, even a single compromised password can cause disaster.
Incident Response and AWS Security Services
Incident response describes the plans and procedures your organization has in place to deal with security incidents and their fallout. Examples of incident response plans are provided by the SANS Institute, ISA Cybersercurity and Infosavvy. Specifics vary, but all incident response plans follow this basic pattern:
- Prepare: Assess your security risk to prevent incidents, and know what to do when an incident occurs (you don’t want to be left searching the internet for “incident response plan” after the fact)
- Monitor, Detect and Alert: Monitoring should be in place to instantly alert you to any threats (this is where Amazon GuardDuty really comes into play)
- Contain, Eliminate and Recover: Limit the scope of the incident, eradicate the breach and recover your system.
- Communicate: Follow the laws and ethics that pertain to your organization about communicating the incident, i.e, alerting users that their data may have been compromised
- Retrospective: Learn from what happened and take steps to prevent it from happening again
Now We’re Ready to Discuss the AWS Security Service, Amazon GuardDuty
Amazon GuardDuty is a threat intelligence service by AWS which monitors for malicious behavior to help customers protect their AWS workloads. It can be an important part of your security posture (but as we reviewed above, it’s only one part of incident response).
Amazon GuardDuty can generate a wide variety of alerts on potential threats, including:
- Instance compromise
- Account compromise
- Bucket compromise
GuardDuty automates threat detection through machine learning, anomaly detection and “integrated threat intelligence.” This AWS Security Service analyzes and processes data from:
- AWS CloudTrail event logs
- VPC Flow Logs
- DNS logs
It’s important to know that GuardDuty will only monitor the Route53 for DNS logs. Many organizations make use of Active Directory DNS. The logs from these servers will not be monitored.
When Amazon GuardDuty Needs Guarding
Alerts generated by Amazon GuardDuty don’t always indicate a true security threat. Your organization needs to identify which alerts are safe to ignore. For example, let’s say there is a central security server that performs port-scans as part of penetration testing on all the production servers. This can lead to GuardDuty alerts like port scans or brute force being triggered.
GuardDuty has some built-in ways to prevent inaccurate threat reporting. It allows customers to create a “Trusted IP” list, and won’t generate findings for those IP addresses.
AWS Security Services Video: Amazon GuardDuty
For a visual overview of GuardDuty, check out this AWS video:
Pricing for GuardDuty is complex and can be challenging to calculate. An AWS Partner like Bloomip collaborates with AWS customers to right-size both their security posture and spend. Get confident in your cloud security. Start a conversation with our AWS cloud experts and contact us.