Enriching Cloud Threat Intelligence and Visibility – Cloud Workload Security and AWS GuardDuty

This blog was written by Stan Golubchik.

Using cloud-native threat intelligence to enhance workload security

Risk assessment is crucial in today’s public cloud. In Amazon Web Services (AWS), native monitoring services for ingress and egress network data can shed light on potential network threats and anomalies. GuardDuty, an AWS service, ingests this data from an AWS tenant’s environments for continuous monitoring of the following data sources:

  • VPC Flow Logs
  • AWS CloudTrail event logs
  • DNS logs

With these threat intelligence feeds, GuardDuty can enrich the context of potentially unauthorized and malicious activity within an AWS environment. This context can be viewed in the GuardDuty console or via Amazon CloudWatch Events, informing the security status of your AWS environment.

While GuardDuty can act as a standalone service with substantial benefit for security and risk assessment in an AWS environment, converging GuardDuty threat intelligence into a broader cloud workload protection platform can provide extended benefits:

  • Automated detection capabilities
  • A single pane of glass for visibility over AWS, along with Azure and VMware
  • Actionable remediation workflows

By bridging native AWS API-driven data sources such as GuardDuty with a cloud workload protection platform like McAfee Cloud Workload Security (CWS), tenants of AWS can use the data-rich sources of AWS within CWS to manage and secure mission-critical workloads with advanced security from a single console.

Discover and protect with Cloud Workload Security

CWS integrates directly with the AWS GuardDuty API, an optimal scenario for visualizing anomalous network activity and threat events. GuardDuty events categorized as low or medium severity within AWS are flagged as medium severity events within the CWS console.

Setting up the connection between GuardDuty and McAfee CWS is straightforward. The prerequisite configuration requirements are as follows:

  • Enable GuardDuty through your AWS management console.

  • The security credentials used to register your account within CWS should have GuardDuty permissions assigned for read access to GuardDuty’s threat intelligence and network flow data.

Once the initial configuration is in place, GuardDuty data is pulled by CWS immediately. Through the CWS management console (McAfee ePolicy Orchestrator, or ePO), you are able to visualize threat information directly from GuardDuty. The GuardDuty events you will see include:

  • Brute force attacks
  • Port scans
  • Tor communications
  • SSH brute force
  • Outbound DDoS
  • Bitcoin mining
  • Unusual DNS requests
  • Unusual traffic volume and direction

IAM-related events are currently not supported. An immediate pivot into an action can be taken at the point GuardDuty provides a severity verdict on a potential threat. Actions which can be taken include:

  • Shutting down the compromised EC2 instance(s) which have been flagged.
  • Through micro-segmentation, altering firewall settings via security groups, i.e. altering the port, protocol, or IP to limit and control network connectivity to any EC2 instance.
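As an added illustration of the severity handling and event triage described above (example code, not McAfee's or AWS's own), the following maps GuardDuty's numeric severity onto the console buckets, applies the post's rule that low and medium findings surface as medium in CWS, and pulls out the EC2 instance an operator would pivot on. It assumes the documented GuardDuty severity scale (Low 1.0–3.9, Medium 4.0–6.9, High 7.0–8.9) and treats the CWS label for High findings, the `fetch_findings` helper, and the sample finding as assumptions or constructed data.

```python
# Added example: triage GuardDuty findings the way the CWS console buckets them.
# GuardDuty numeric severity bands (from AWS documentation).
GD_BANDS = (("Low", 1.0, 3.9), ("Medium", 4.0, 6.9), ("High", 7.0, 8.9))


def guardduty_band(severity: float) -> str:
    """Return the GuardDuty severity label for a numeric severity."""
    for name, lo, hi in GD_BANDS:
        if lo <= severity <= hi:
            return name
    raise ValueError(f"severity {severity} is outside the GuardDuty scale")


def cws_severity(severity: float) -> str:
    """Low and Medium GuardDuty findings are shown as Medium in the CWS console
    (as the post states); passing High through unchanged is an assumption."""
    band = guardduty_band(severity)
    return "Medium" if band in ("Low", "Medium") else band


def summarize(finding: dict) -> dict:
    """Extract the fields an operator pivots on from a GuardDuty finding JSON:
    finding type, affected EC2 instance, and both severity labels. IAM findings
    carry ResourceType 'AccessKey' and are not supported by the integration."""
    resource = finding.get("Resource", {})
    instance = resource.get("InstanceDetails", {}).get("InstanceId")
    return {
        "type": finding["Type"],
        "instance_id": instance,
        "guardduty_severity": guardduty_band(finding["Severity"]),
        "cws_severity": cws_severity(finding["Severity"]),
        "iam_only": resource.get("ResourceType") == "AccessKey",
    }


def fetch_findings(region: str, max_results: int = 50) -> list:
    """Live pull via the GuardDuty API (hypothetical helper); the caller's
    credentials need read access such as ListDetectors/ListFindings/GetFindings."""
    import boto3  # imported lazily so the offline parts run without it
    gd = boto3.client("guardduty", region_name=region)
    findings = []
    for detector in gd.list_detectors()["DetectorIds"]:
        ids = gd.list_findings(DetectorId=detector, MaxResults=max_results)["FindingIds"]
        if ids:
            findings.extend(gd.get_findings(DetectorId=detector, FindingIds=ids)["Findings"])
    return findings


# Constructed sample finding (not real data): a Low-severity SSH brute force event.
SAMPLE_FINDING = {
    "Type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "Severity": 2.0,
    "Resource": {"ResourceType": "Instance",
                 "InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}},
}
```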

For more information on McAfee Cloud Workload Security, please visit the following page for feature and solution documentation: https://www.mcafee.com/us/products/cloud-workload-security.aspx