The Value of Enhancing Native AWS Security Tooling
July 2, 2019
In cloud environments with ephemeral servers and containers, single-layer security isn’t security at all. Cyber-threats target organizations at multiple layers. To protect your applications, workloads, and data in the cloud, multi-layered security needs to be coupled with deep visibility.
For AWS-hosted enterprise assets, security tools like AWS Config, GuardDuty, Macie, Inspector, and others are available of course, for an additional price. Each of these tools serves a separate security function.
Amazon Macie, for example, monitors how sensitive data like Personally Identifiable Information (PII) or IP are accessed and moved. In case of unauthorized access, you get an alert. Currently, Macie supports Amazon S3, support for other databases are yet to come. Amazon GuardDuty offers continuous monitoring and threat detection. Amazon Inspector monitors applications for exposure, vulnerabilities, and deviations from best practices, to assess security posture and compliance.
AWS security tooling in a multi-cloud era
The Achilles heel of native tools is the overhead of combining their point functionality for comprehensive cloud security. AWS native threat detection tools rely on managed rule-sets. Rules need to be updated every time threat intelligence uncovers new attack profiles.
Nowadays, multi-cloud environments are increasingly common where enterprise workloads could be distributed across AWS, Azure, GCP, etc. AWS tools are built for the AWS cloud. To support multi-cloud platforms, new security tools must be added to the mix. This fragments the security architecture and also drives up security expenses.
There’s no easy way to seamlessly configure, integrate, and keep using this patchwork of security tools. Also, point security solutions do not necessarily add-up in functionality when combined together. They are simply not designed that way. This impacts an enterprise’s ability to have deep visibility and continuous awareness of runtime activities in the cloud. On the other hand, building use-case specific custom security tools drain significant time and human capital.
Overcoming the challenges of native tools
An optimal way to overcome these challenges is to opt for an end-to-end security platform that protects the application, ID, workload, and host layers of the cloud – layers where enterprise and user data are typically transacted. In container-based multi-cloud architectures, a host-based IDS platform can drastically improve the cloud security posture for enterprises in many ways.
Ease of Integration
A single solution for multi-cloud environments is more cost-efficient as it simplifies integration and usage. A machine learning-based solution with process-level visibility can provide a continuous view of behavioral abnormalities for all enterprise workloads and containers in the cloud. Low alert noise and user-friendly visualization are also essential to reduce triage time.
The breadth and depth of visibility to all processes and applications across the entire scope of an organization’s cloud helps to identify potential bad actors and threats. Unlike native tools, a unified security solution from a third-party like Lacework’s host-based intrusion detection system (HIDS) uses anomaly detection algorithms and machine learning to analyze every application and user behavior inside a workload.
The coverage includes all issues on SSH, parent hierarchy, user privilege change, process communication, machine communication, internal and external data transfers, and other cloud events. This comprehensive in-depth visibility helps to detect anomalies across layers, leaving no hidden space at the application and data layer for bad actors to hide.
Accurate Threat Defense
A major differentiator for security solutions is their level of accuracy in detecting anomalies. AWS GuardDuty uses managed rule-sets for threat detection. Compared to rule-based anomaly detection, automated threat defense based on behavioral abnormalities provides greater accuracy.
When events are analyzed against normalized behavior, only truly problematic activities are surfaced. In this approach, instead of individually investigating every machine, user, and application, behavior baselining clusters these together based on historical behavior analysis. An alert is triggered only when behavior is abnormal. This drastically reduces the number of alerts and improves its accuracy.
AWS CloudTrail Analysis
AWS security tools include CloudTrail that collects important data about events and account activities. CloudTrail has a strong logging structure to track changes and updates but doesn’t include intelligence to flag problems. To correlate the logs with your configurations and settings, CloudTrail logs need to be analyzed.
Lacework analyzes CloudTrail logs to provide users a continuous and automated view into their cloud environment.
In multi-cloud environments, cyber threats are more imminent, and their consequences more severe. To prevent loss and to remain compliant, businesses need iron-clad solutions. Otherwise, security breaches become a certainty, and the odds of a quick and complete recovery shrink considerably.
In AWS, native tools are not enough to give you the threat visibility you need in single or multi-cloud domains. Lacework’s deep visibility into all cloud activity and user-friendly visualization enables quicker threat detection. After a breach is identified, security teams can create lambda scripts within AWS to rapidly remediate the incident.
So why increase cost, complexity and the attack surface with a patchwork of solutions? Instead, strengthen the security posture of your cloud environment with the reliability and cost-efficiencies of a unified, automated host-IDS platform.