ML Powered Intelligent Threat Detection to Safe Guard your Cloud Environment against Security Threats using Amazon Guard Duty

asankab

Asanka Boteju

Posted on July 19, 2023

ML Powered Intelligent Threat Detection to Safe Guard your Cloud Environment against Security Threats using Amazon Guard Duty

Threat detection is key in the defense against security breaches. Therefore, Having the ability to respond to a potential threat as it is detected significantly reduces the chance of a breach. With AWS you have the Amazon Guard Duty service to help you stay on top of it.

Amazon Guard Duty is one of the services of AWS's security services stack that enables you to defend against malicious attacks. It is a regional-based intelligent threat-detection service which allows users to monitor your AWS account for unusual and unexpected behavior by analyzing 3 datasets to monitor your AWS accounts. These services are **CloudTrail Event logs, VPC Flow Logs and DNS Logs.

Lets take a look at these 3 services to identify what each of these services do at a high-level.

  • CloudTrail Event Logs: CloudTrail generated JSON formatted logs that captures all API calls that have been made within your AWS account.

  • VPC Flow Logs: These logs capture and store network traffic information within your VPC. They are used to troubleshooting networking issues and monitor the traffic reaching your instances.

  • DNS Query Logs: These logs contains queries that DNS resolvers forwarded to AWS Route53. These logs typically contains information such as The requested domain, request timestamp, the DNS record type, DNS response code.

With the continues data collected, Amazon Guard Duty then assess the data gathered from logs against multiple security feeds (both public and AWS) to look for anomalies and known malicious sources such as IP addresses and URLs.

This service itself is powered by ML (Machine Learning) to continuously learn and evolve by understanding the operational behavior of the infrastructure.

Amazon Guard Duty then uses this data to look for erroneous patterns within your AWS account that could indicate potential threats to your AWS environment.

Some of these threats can be Behavioral-based:

  • Where resources has been compromised by credential or account exposure.
  • Unexpected API calls that sits outside to the security best practices.
  • Even communications from suspicious sources and so forth.

Using different threat-detection feeds generated by AWS and also from public sources, Amazon Guard Duty provides automatic and continuous security analysis to safe guard your entire AWS environment against malicious attacks and threats.

Any findings generated by the Amazon Guard Duty service are tagged with a severity level to enable you to investigate the issue further to make sure your AWS environment is not compromised or exposed unnecessarily for your AWS account to be vulnerable.

About setting up Amazon Guard Duty in your AWS Account, With just a few easy steps you can activate Amazon Guard Duty in your account. You don't need to install any agents or software on your resources to help collect logs from your AWS resources. All these are provided with a Zero performance impact on your resources.

Important: Treat Security as the #1 priority, because otherwise it could have an adverse long term impact to your business and business reputation. Therefore, Any finding marked with the high severity based on the security score has to be investigated immediately. remediating this issue is your first priority until the threat could further spread and have adverse impact to your AWS account.

Medium severity indicates that the guard duty has detected a suspicious activity against a specific resources, therefore, it is equally important to consider those as important as high severity issues and start investigating and address them in parallels or soon after the high severity Amazon Guard Duty findings are remediated.

The Low severity issue does not need to take actions immediately. but it is still worth looking into to prevent those from happening again in future for the safety of your AWS environment.

Always treat security as a key consideration and put all possible safe guard mechanisms to protect and secure your cloud environment against security threats.

Benefits to the Enterprise.

  • Intelligent automatic thread-detection across your AWS environment: provides continual and automatic analysis of your logs such as CloudTrail Event logs, VPC Flow Logs and DNS Logs. and threat-detection powered by machine learning.

  • High Level of full force threat detection capability to enhance your security posture regardless of the deployment size:
    You get the same high level of detection regardless your deployment is a 10 instance deployment or 1000 instance deployment.

  • Centralized Management: It is possible to integrate all the findings into a single master account: This allows your team to monitor any finding from a single AWS console.

  • Not agents or other software's needed to be installed into the environment.

  • Comes with no upfront cost: you only pay for the processing of your log files.

  • In terms of setting up and configuration, you simply click 'enable' and it will start to run immediately.

  • Automation of remediation: You can use Cloud watch in conjunction with AWS Lambda to automatically respond to findings:
    With the ability to trigger automated responses you are able to lock down a particular resource by restricting permissions that could stop an attack. Always use fine-grained permissions with least previledge principal regardless of whether there is threat or not as it helps you to safe guard your cloud resources and content.

Ex: To block from a brute force attack to a resource via SSH instance, you can automate the blocking of SSH access or any sort of threat that can cause a threat to your AWS environment.

Costing (Free for first 30 days)

Pricing of this service can be broken down into two sections.

  • Cloud Trail Event Analysis: charged per 1 million events per month.

  • VPC Flow Logs and DNS Logs Analysis: Charged per GB logs analyzed per a month duration.

Note that the pricing differs from the region you are running these services. therefore look at the AWS pricing calculator to get the sense of the actual cost based on the region you are going to run the service.

Link to Amazon Guard Duty Pricing Calculator: https://www.amazonaws.cn/en/guardduty/pricing/

Let me reiterate the same. Treat Security as the #1 priority, because otherwise it could have an adverse long term impact to your business financials as well as business reputation. Therefore, put all possible security guardrails to keep your organization as well as your AWS account safe.

With that we have come to the end of this article.

Thank you for your time...

💖 💪 🙅 🚩
asankab
Asanka Boteju

Posted on July 19, 2023

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related