Amazon GuardDuty—Intelligent Threat Detection That Keeps Getting Better
By 2028, 70% of workloads will run in the cloud, according to Gartner. Today, 67% of enterprise infrastructure is cloud-based, and according to Zippia, 48% of businesses choose to store their most important data in the cloud.
In fact, as of 2023, 60% of all corporate data is stored in the cloud. That means a majority of businesses use the cloud for storage, and nearly half trust its security and reliability enough to store their most crucial data there.
Mitigating cyber risks is the C-suite’s top priority this year
Cloud security tops the list of concerns for nearly half of the respondents to the PwC 2024 Global Digital Trust Insights Survey.
As companies continue to invest and innovate with the cloud, savvy tech teams are taking an agile approach to cloud security. AWS places a high premium on cloud security and continues to innovate in the space.
An Overview of Amazon GuardDuty
Last week, I had a chance to chat with Ryan Holland, GM of GuardDuty at Amazon Web Services.
Ryan’s team is responsible for helping to ensure that GuardDuty provides the best security value to customers. This includes threat intelligence, behavioral analytics, and finding quality.
Amazon GuardDuty is a security monitoring service that analyzes and processes foundational data sources, such as AWS CloudTrail management events, AWS CloudTrail event logs, VPC flow logs (from Amazon EC2 instances), and DNS logs from Amazon EKS clusters. GuardDuty combines machine learning (ML), anomaly detection and malicious file discovery to analyze this data.
GuardDuty also processes additional feature data sources, such as Kubernetes audit logs, Amazon RDS login activity, S3 logs, EBS volumes, Runtime Monitoring events, and Lambda network activity logs.
Before we dig further into the product, let me provide a little perspective first, thanks to Ryan. Today there are millions of AWS accounts, including over half a billion EC2 instances and millions of S3 buckets, being monitored at any given moment. To give you an idea of the data scale, tens of billions of different events go through AWS processors every minute. All of this data gives Ryan and his team an amazing amount of visibility across AWS.
According to Ryan, GuardDuty is primarily looking for activity that could be an indicator of compromise. For instance, credential exfiltration and anomalous behavior are types of behaviors GuardDuty can detect with machine learning models.
AWS launched GuardDuty in late 2017 to be a simple and cost-effective way to bake security into a client’s AWS cloud footprint, and AWS continues to grow the capabilities within the tool. In 2023, GuardDuty added support for Lambda functions with network detection capabilities. Early in 2023 (March), GuardDuty expanded threat detection coverage to monitor Amazon EKS container runtime activity via a runtime agent that allows GuardDuty to look at the activity within the operating system. Late in 2023, support was added for ECS, Fargate, and now EC2 instances as well. This feature addition provides much deeper visibility into the activity of users, applications, and even the processes themselves, exposing a whole host of additional potential threats. GuardDuty can be integrated with AWS Security Hub and Amazon Detective. Security Hub aggregates security findings across a customer’s AWS accounts, services, and supported third-party partner products to assess the security state of the client’s environment. Security Hub continuously checks for security misconfigurations aligned to industry standards and best practices.
In addition to evaluating security posture, Security Hub creates a central location for findings across integrated AWS services, and AWS Partner products. Enabling Security Hub with GuardDuty will automatically allow GuardDuty findings data to be ingested by Security Hub.
Amazon Detective uses log data from across a customer’s AWS accounts to create data visualizations for the resources and IP addresses interacting with the client environment. Detective’s visualizations help a customer quickly and easily investigate security issues. Customers of both products can pivot from GuardDuty finding details to information in the Detective console once both services are enabled.
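The finding data that Security Hub ingests and that you pivot on into Detective is plain JSON, so a small triage step in front of those integrations is useful. The following is an added example, not code from AWS or the GuardDuty team: it takes a GuardDuty finding (either the bare object returned by GetFindings or the same object wrapped in an EventBridge "GuardDuty Finding" event), maps the numeric severity to GuardDuty's documented bands (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0), pulls out the affected resource and, for Runtime Monitoring findings, the executable involved, and picks a routing decision. The two sample findings and the routing thresholds are constructed for this example; the field names follow the GuardDuty finding format.

```python
"""Triage helper for Amazon GuardDuty findings (added example, not AWS code).

Routing policy below (page on-call / open ticket / review later) is this
example's own assumption, not anything GuardDuty prescribes.
"""
from dataclasses import dataclass
from typing import Any, Dict, Optional


def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity (1.0-10.0) onto its documented bands."""
    if not 1.0 <= score <= 10.0:
        raise ValueError(f"GuardDuty severity out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


# Where the identifier lives for each ResourceType in the finding JSON.
_RESOURCE_ID_FIELDS = {
    "Instance": ("InstanceDetails", "InstanceId"),
    "AccessKey": ("AccessKeyDetails", "AccessKeyId"),
    "EKSCluster": ("EksClusterDetails", "Name"),
    "ECSCluster": ("EcsClusterDetails", "Name"),
    "Lambda": ("LambdaDetails", "FunctionName"),
}


@dataclass(frozen=True)
class Triage:
    finding_id: str
    finding_type: str
    label: str
    resource: str
    runtime: bool
    process: Optional[str]
    route: str


def unwrap(event: Dict[str, Any]) -> Dict[str, Any]:
    """Accept either an EventBridge envelope or a bare finding object."""
    if event.get("detail-type") == "GuardDuty Finding" and "detail" in event:
        return event["detail"]
    return event


def triage(event: Dict[str, Any]) -> Triage:
    finding = unwrap(event)
    ftype = finding["Type"]
    label = severity_label(float(finding["Severity"]))

    resource = finding.get("Resource", {})
    container, key = _RESOURCE_ID_FIELDS.get(resource.get("ResourceType", ""), (None, None))
    resource_id = resource.get(container, {}).get(key, "unknown") if container else "unknown"

    service = finding.get("Service", {})
    # Runtime Monitoring findings carry "Runtime" as the affected resource type in
    # the finding type (Purpose:Runtime/Family) and a RuntimeDetails block.
    runtime = service.get("FeatureName") == "RuntimeMonitoring" or ":Runtime/" in ftype
    process = service.get("RuntimeDetails", {}).get("Process", {}).get("ExecutablePath")

    # Assumed policy: anything High/Critical or involving credential exfiltration
    # wakes someone up; Medium becomes a ticket; Low is reviewed in batch.
    if label in ("High", "Critical") or "Exfiltration" in ftype:
        route = "page-oncall"
    elif label == "Medium":
        route = "ticket"
    else:
        route = "review-later"

    return Triage(finding["Id"], ftype, label, resource_id, runtime, process, route)


# Constructed sample: an EC2 Runtime Monitoring finding as returned by GetFindings.
SAMPLE_RUNTIME_FINDING = {
    "SchemaVersion": "2.0",
    "AccountId": "111122223333",
    "Region": "us-east-1",
    "Id": "example-runtime-finding-0001",
    "Type": "Execution:Runtime/NewBinaryExecuted",
    "Severity": 5,
    "Resource": {"ResourceType": "Instance",
                 "InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}},
    "Service": {"ServiceName": "guardduty", "FeatureName": "RuntimeMonitoring",
                "RuntimeDetails": {"Process": {"Name": "unexpected-binary",
                                               "ExecutablePath": "/tmp/unexpected-binary",
                                               "Pid": 4242}}},
}

# Constructed sample: an access-key finding wrapped in its EventBridge envelope.
SAMPLE_EXFIL_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "SchemaVersion": "2.0",
        "AccountId": "111122223333",
        "Region": "us-east-1",
        "Id": "example-exfil-finding-0002",
        "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
        "Severity": 8,
        "Resource": {"ResourceType": "AccessKey",
                     "AccessKeyDetails": {"AccessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
        "Service": {"ServiceName": "guardduty", "FeatureName": "CloudTrail"},
    },
}

if __name__ == "__main__":
    for sample in (SAMPLE_RUNTIME_FINDING, SAMPLE_EXFIL_EVENT):
        print(triage(sample))
```

Hooking this up in practice means subscribing a target (for example a Lambda function) to EventBridge events with source `aws.guardduty`, which GuardDuty emits for new findings and, by default, for repeat findings every six hours; deduplicate on the finding `Id` so a recurring finding does not page twice.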
Runtime security is the latest feature enhancement to GuardDuty
AWS brought three runtime security enhancements to GuardDuty in 2023: GuardDuty Runtime Protection, agent deployment for enhanced protection, and setting up Runtime Protection for EC2 instances. GuardDuty can look for discrete events (file access, process execution, and similar) that can indicate a runtime threat. Ryan shared that one of the challenges with runtime monitoring, or with agents in general, has always been twofold. “One is how do I make sure I have consistent coverage? And, the second is, how do I make sure that all of my workloads have an agent present and it’s up to date, it’s got the latest definitions or rules”.
When the GuardDuty team developed its runtime agent, the goal was to help solve these long-standing challenges. The GuardDuty team did this by working hand in hand with the EKS, ECS and EC2 teams to make sure that the heavy lifting of agent management was taken away from the customer and handled for them by AWS. Customers that opt in to automated management have AWS notified automatically of any new EKS cluster, and the same happens for Fargate. This provides consistent coverage for an organization anywhere these workloads are running. With delegated admin and organization integration, IT and security teams can easily turn on the functionality across all accounts.
If you’re running ECS on EC2, or using EC2 without any containers, GuardDuty will leverage AWS Systems Manager to deploy the agent on your behalf. So when the customer creates a new ECS cluster or a new EC2 instance gets launched, GuardDuty is notified on the backend that this new resource exists and can use Systems Manager to push the agent out onto that instance automatically. Systems Manager removes the need for customers to manage the deployment, and the same goes for upgrades: when GuardDuty releases a new agent version, AWS automatically upgrades it for customers as well. This automatic refresh removes much of the overhead of agent management that customers would otherwise carry.
Ryan points out that with GuardDuty Runtime Monitoring, customers can have GuardDuty automatically manage the security agent—including the creation of the VPC endpoint and installing, deploying, and updating the agent—at no extra cost.
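Turning on Runtime Monitoring with automated agent management, and then checking that every agent-management option is actually enabled, is a two-call exercise against the GuardDuty API. The following is an added example, not AWS or GuardDuty code: it builds the feature entry for UpdateDetector (EKS add-on, ECS Fargate agent and EC2 agent management under the RUNTIME_MONITORING feature), the matching entry for UpdateOrganizationConfiguration that a delegated administrator uses to auto-enable it across member accounts, and a coverage check that reports which options are still missing from a GetDetector response. The feature and configuration names are the GuardDuty API values; the GetDetector response at the bottom is constructed for the example, and the live boto3 calls only run when the script is executed directly with AWS credentials.

```python
"""Enable and audit GuardDuty Runtime Monitoring with automated agent management.

Added example, not AWS code. Feature and AdditionalConfiguration names are the
GuardDuty API values for the RUNTIME_MONITORING feature; the sample GetDetector
response is constructed.
"""
from typing import Any, Dict, List

RUNTIME_FEATURE = "RUNTIME_MONITORING"
# Agent management options GuardDuty offers under Runtime Monitoring.
AGENT_MANAGEMENT = (
    "EKS_ADDON_MANAGEMENT",          # GuardDuty installs/updates the EKS add-on
    "ECS_FARGATE_AGENT_MANAGEMENT",  # sidecar agent for Fargate tasks
    "EC2_AGENT_MANAGEMENT",          # agent pushed via Systems Manager to EC2
)


def runtime_monitoring_feature(enabled: bool = True) -> Dict[str, Any]:
    """Feature entry for UpdateDetector/CreateDetector: the feature plus all three
    agent-management options set to the same status."""
    status = "ENABLED" if enabled else "DISABLED"
    return {
        "Name": RUNTIME_FEATURE,
        "Status": status,
        "AdditionalConfiguration": [{"Name": n, "Status": status} for n in AGENT_MANAGEMENT],
    }


def org_runtime_feature(auto_enable: str = "ALL") -> Dict[str, Any]:
    """Feature entry for UpdateOrganizationConfiguration in the delegated
    administrator account. AutoEnable is NEW (new members only), ALL (every
    member, existing and new) or NONE."""
    if auto_enable not in ("NEW", "ALL", "NONE"):
        raise ValueError(f"AutoEnable must be NEW, ALL or NONE, got {auto_enable!r}")
    return {
        "Name": RUNTIME_FEATURE,
        "AutoEnable": auto_enable,
        "AdditionalConfiguration": [{"Name": n, "AutoEnable": auto_enable} for n in AGENT_MANAGEMENT],
    }


def coverage_gaps(get_detector_response: Dict[str, Any]) -> List[str]:
    """Given a GetDetector response, list what is not ENABLED: the Runtime
    Monitoring feature itself, or each agent-management option that is missing
    or disabled. An empty list means the detector is fully opted in."""
    features = {f["Name"]: f for f in get_detector_response.get("Features", [])}
    runtime = features.get(RUNTIME_FEATURE)
    if runtime is None or runtime.get("Status") != "ENABLED":
        return [RUNTIME_FEATURE]
    enabled = {
        c["Name"] for c in runtime.get("AdditionalConfiguration", [])
        if c.get("Status") == "ENABLED"
    }
    return [n for n in AGENT_MANAGEMENT if n not in enabled]


# Constructed GetDetector response: feature on, EKS managed, Fargate option absent,
# EC2 option present but disabled.
SAMPLE_GET_DETECTOR = {
    "Status": "ENABLED",
    "Features": [
        {"Name": "RUNTIME_MONITORING", "Status": "ENABLED",
         "AdditionalConfiguration": [
             {"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"},
             {"Name": "EC2_AGENT_MANAGEMENT", "Status": "DISABLED"},
         ]},
        {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
    ],
}

if __name__ == "__main__":
    import boto3  # only needed for the live calls below

    gd = boto3.client("guardduty")
    detector_id = gd.list_detectors()["DetectorIds"][0]
    gd.update_detector(DetectorId=detector_id, Features=[runtime_monitoring_feature()])
    # Only valid from the delegated administrator account of the organization.
    # gd.update_organization_configuration(DetectorId=detector_id,
    #                                      Features=[org_runtime_feature("ALL")])
    print("gaps:", coverage_gaps(gd.get_detector(DetectorId=detector_id)))
```

Running the coverage check periodically (or after each account joins the organization) is the cheap way to catch the case Ryan describes, a workload that slipped through with no agent or a stale one, before it shows up as a gap in an investigation.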
Who Doesn’t Like a Free Proof Of Value?
With this launch, existing or new customers who have already opted in to automated agent management in GuardDuty will benefit from a renewed 30-day trial of GuardDuty Runtime Monitoring, during which AWS will automatically start monitoring the resources (clusters) deployed in a shared VPC setup. In the console, GuardDuty will show the client the estimated charge during the trial, so customers have a good estimate of what the cost will be once the trial ends.
I’m sure we’ll be hearing more GuardDuty updates at some point this year, and I’m excited to catch up with Ryan again at AWS re:Inforce, June 10-12, in Philly.
Join us: https://reinforce.awsevents.com/
cc: Al Sadowski Mary McCahon Ryan Holland
#cloud #cloudsecurity #cloudai #aisecurity
https://www.techrepublic.com/article/gartner-cloud-computing-future/
https://www.zippia.com/advice/cloud-adoption-statistics/
https://www.pwc.com/gx/en/issues/cybersecurity/global-digital-trust-insights.html