Amazon GuardDuty Introduction
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What do customers want to do?
What problems are they experiencing?
What challenges are they facing?
Amazon GuardDuty:
All Signal, No Noise
Introducing GuardDuty
Threat Detection Service Re-imagined for the Cloud
• Less noise, more actionable findings
• One click activation & enterprise ready
• Easily integrate findings with 3rd party solutions & automated remediation
Table of contents
• Introduction
• Getting Started
• Pricing
• Service Availability
• Customer References
• Summary
• FAQ
• Additional Resources
Introducing Amazon GuardDuty
Threat Detection and Notification
GuardDuty Monitors:
• Unusual API calls.
• Potentially unauthorized deployments that indicate a possible account
compromise.
• Potentially compromised instances or reconnaissance by attackers.
How Does Amazon GuardDuty Work?
Data Sources:
• VPC Flow Logs
• DNS Logs
• CloudTrail Events
Output: GuardDuty Findings
How Does Amazon GuardDuty Work?
Threat Detection: Log Data Inputs
What can GuardDuty detect?
Detecting Known Threats, using Threat Intelligence
• GuardDuty consumes feeds from various sources (Threat Intelligence)
• AWS Security
• Commercial feeds
• Open source feeds
• Customer provided threat intel
What can GuardDuty detect?
Using ML: Detecting Unknown Threats
Anomaly Detection
• Algorithms to detect unusual behavior
• Inspecting signal patterns for signatures
• Profiling normal and looking at deviations
• Machine Learning Classifiers
What can GuardDuty detect?
Reconnaissance
Instance recon:
• Port probe / accepted comm
• Port scan (intra-VPC)
• Bruteforce attack (IP)
• Drop point (IP)
• Tor communications
Account recon:
• Tor API call (failed)
• Unusual network port
• Unusual traffic volume/direction
• Unusual DNS requests
• Domain generated algorithms
Instance compromise
• C&C activity
• Malicious domain request
• EC2 on threat list
• Drop point IP
• Malicious comms (ASIS)
• Cryptocurrency mining
• Spambot activity
• Outbound SSH bruteforce
• EC2 Credential Exfiltration
Account compromise
• Malicious API call (bad IP)
• Tor API call (accepted)
• CloudTrail disabled
• Password policy change
• Instance launch unusual
• Region activity unusual
• Suspicious console login
• Unusual ISP caller
• Mutating API calls (create, update, delete)
• High volume of describe calls
• Unusual IAM user added
Covering the Attackers' Kill Chain
[Diagram: GuardDuty findings mapped along the kill chain. Labels: Recon; Anonymizing Proxy; Malicious or Suspicious IP; Connect to Blacklisted Site; Unusual Traffic Volume; Unusual ISP Caller; Bitcoin Activity; Probe API with temp creds; Attempt to compromise account; RDP Brute Force; RAT Installed; Exfiltrate temp IAM creds over DNS.]
Findings Dashboard
Findings Formats
Available in the AWS Management Console and via the API (JSON format).
See threat information including:
• Severity
• Region
• Count/Frequency
• Threat Type
• Affected Resource
• Source Information
• Viewable via CloudWatch Events
Findings Severity Level
LOW: Suspicious or malicious activity blocked before it compromised a resource.
Suggestion:
MEDIUM: Suspicious activity deviating from normally observed behavior.
Suggestion:
HIGH: Resource compromised and actively being used for unauthorized purpose.
Suggestion:
Responding to Findings: Remediation
Automatic Remediation
• Remediate a Compromised Instance
• Remediate Compromised AWS Credentials
Example flow: Finding Backdoor:EC2/XORDDOS → CloudWatch Event Alarm triggers Lambda → Lambda Function removes the instance from its current Security Group(s) and adds it to one with all ingress and egress blocked.
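As an added example (not code from this deck or from AWS), a Python Lambda handler for the instance-isolation flow above: it accepts the CloudWatch Events payload for a GuardDuty finding, acts only on HIGH findings against an EC2 instance, and swaps every ENI's security groups for a quarantine group. The instance id, the quarantine group id and the sample event are constructed placeholders, and the EC2 client is injected so the logic runs offline.

```python
# Constructed sample event in the shape CloudWatch Events delivers for a GuardDuty finding.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "Backdoor:EC2/XORDDOS",
        "severity": 8.0,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},  # constructed id
        },
    },
}
QUARANTINE_SG = "sg-0000quarantine"  # placeholder: a group with no ingress/egress rules
MIN_SEVERITY = 7.0                   # GuardDuty HIGH findings start at 7.0

def instance_to_quarantine(event, min_severity=MIN_SEVERITY):
    """Return the instance id when the finding is HIGH and targets an EC2 instance."""
    if event.get("detail-type") != "GuardDuty Finding":
        return None
    detail = event.get("detail", {})
    if float(detail.get("severity", 0)) < min_severity:
        return None
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")

def quarantine(ec2, instance_id, quarantine_sg=QUARANTINE_SG):
    """Replace the security groups on every ENI of the instance with the quarantine
    group; returns [(eni_id, previous_group_ids)] so the old groups stay on record."""
    changed = []
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    for reservation in resp["Reservations"]:
        for inst in reservation["Instances"]:
            for eni in inst["NetworkInterfaces"]:
                previous = [g["GroupId"] for g in eni["Groups"]]
                ec2.modify_network_interface_attribute(
                    NetworkInterfaceId=eni["NetworkInterfaceId"], Groups=[quarantine_sg])
                changed.append((eni["NetworkInterfaceId"], previous))
    return changed

def lambda_handler(event, context=None, ec2=None):
    """Entry point for the CloudWatch Events rule; ec2 is injectable for offline tests."""
    instance_id = instance_to_quarantine(event)
    if instance_id is None:
        return {"action": "ignored"}
    if ec2 is None:  # inside Lambda the runtime provides boto3
        import boto3
        ec2 = boto3.client("ec2")
    return {"action": "quarantined", "instanceId": instance_id, "changed": quarantine(ec2, instance_id)}
```

Keep the returned `changed` list (for example, as a tagged note on the instance or in the finding's ticket) so the original groups can be restored after investigation.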
Getting Started
This enables the service to get a holistic view of the account:
• Monitor AWS CloudTrail events for global AWS services such as IAM.
Note: There is little to no additional cost for GuardDuty to monitor a region where
you do not have active workloads deployed.
Getting Started
GuardDuty Account Relationships
• Adding accounts to the service can be done via the console or API.
Getting Started
GuardDuty Account Relationships
Master Account
Can do the following to ALL accounts:
• Generate Sample Findings
• Configure and View/Manage Findings
• Suspend GuardDuty Service
• Upload and Manage Trusted IP and Threat IP Lists (coming soon!)
Can only disable own account. Member accounts must all be removed first, and by the member account.
Member Account
• Actions and visibility are limited to the Member Account.
• Each account billed separately.
• Member accounts: 1000 (max).
GuardDuty Pricing
Simple Low Cost Pricing Model.
Free Trial: Any new account to Amazon GuardDuty can try the service for 30 days at no cost. The trial provides access to the full feature set and detections. GuardDuty displays the volume of logs processed and estimated daily average service charges to provide a tailored price estimate for GuardDuty to protect all AWS accounts.
GuardDuty Pricing
Simple Low Cost Pricing Model. Enabled on a Regional Basis.
Regions: US East (N. Virginia), US East (Ohio), US West (Oregon), US West (N. California), Canada (Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), South America (Sao Paulo)
VPC Flow Log and DNS Log Analysis, first 500 GB / month: $1.00, $1.10, $1.15, $1.18 or $1.75 depending on the region.
GuardDuty Pricing
Clear visibility on cost based on actual usage.
Global Availability
Customers
Partners
Summary
One Click Away
• Managed Threat Detection Service
• Easy One-Click Activation without Architectural or Performance Impact
• Continuous Monitoring of AWS Accounts and Resources
• Discover Threats Related to EC2 and IAM
• Instant On Provides Findings in Minutes
• No Agents, no Sensors, no Network Appliances
• Global Coverage, Regional Results
• Built In Anomaly Detection with Machine Learning
• Partner Integrations for Additional Protections
• Cost Effective Simple Pricing
Frequently Asked Questions
Is Amazon GuardDuty a replacement for IPS / IDS?
Amazon GuardDuty and IPS/IDS complement each other, as they act on different parts of the system with little overlap. For example, file integrity monitoring as part of a HIDS/HIPS would alert you to changes made to the OS, which GuardDuty doesn't cover; with GuardDuty you get a holistic view of traffic flowing through the VPC rather than a single-host focus (VPC Flow Logs gather data from every ENI). That said, Amazon GuardDuty covers both deterministic signature-based checks and behavioral checks.
Frequently Asked Questions
Is there any performance or availability impact to enabling Amazon GuardDuty on my account?
No.
There is no footprint in your AWS account and therefore no risk of impacting your accounts or workloads.
Frequently Asked Questions
Do I have to enable AWS CloudTrail, VPC Flow Logs, and DNS logs for Amazon
GuardDuty to work?
No.
Amazon GuardDuty pulls independent streams of data directly from AWS CloudTrail, VPC
Flow Logs, and AWS DNS logs. You don’t have to manage S3 bucket policies, modify the
way you may collect and store your logs today, or worry about Amazon GuardDuty
accessing your account to pull log data.
Frequently Asked Questions
All data consumed by Amazon GuardDuty is analyzed in near real-time and discarded.
Frequently Asked Questions
Security findings are retained and made available through the Amazon GuardDuty findings dashboard and APIs for 90 days. After 90 days, the findings are discarded. To retain findings for longer than 90 days, you can enable AWS CloudWatch Events to automatically push findings to an Amazon S3 bucket in your account or another data store for long-term retention.
Frequently Asked Questions
Once enabled, Amazon GuardDuty immediately starts working. Whether and when security findings are delivered depends on the activity in your account. Amazon GuardDuty does not look at historical data, only activity as of enablement. If it identifies any immediate threats, you'll receive a finding in the Amazon GuardDuty console in as little as two minutes.
Frequently Asked Questions
How long do machine learning and behavioral anomaly detections take?
The more advanced behavioral and machine learning detections take between 7 and 14 days to set a baseline of behavior in your account. After that time, the anomaly detections flip from a learning mode to an active mode. Once active, you will only see findings generated from these detections if the service observes behavior that suggests a threat.
Additional Resources: Amazon GuardDuty
Additional Resources: GuardDuty and Lambda
• Patrol Rules (MapBox, www.mapbox.com): Processes new AWS GuardDuty alerts and sends alerts meeting a minimum severity threshold to an SNS topic. https://github.com/mapbox/patrol-rules-guardduty
• GuardDuty to Slack (AWS, www.aws.amazon.com/guardduty): Demonstrates sending Amazon GuardDuty findings to your Slack channel. https://github.com/aws-samples/amazon-guardduty-to-slack
• GuardDuty Multiple Account Scripts (AWS, www.aws.amazon.com/guardduty): This script automates the process of running the GuardDuty multi-account workflow across a group of accounts that are in your control. https://github.com/aws-samples/amazon-guardduty-multiaccount-scripts
• Deep Security Integration (TrendMicro, https://www.trendmicro.com/aws/guardduty/): An AWS Lambda function to create a joint workflow between Amazon GuardDuty and Deep Security. https://github.com/deep-security/amazon-guardduty; AWS Marketplace: https://aws.amazon.com/marketplace/pp/B01AVYHVHO?qid=1515786002801&sr=0-2&ref_=srh_res_product_title
Thank You!