
Amazon GuardDuty

Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What do customers want to do?

Protect their AWS Account & Workloads


Amazon GuardDuty helps customers identify unusual or unauthorized
activity, like crypto-currency mining, unusual infrastructure
deployments, or unauthorized access to their accounts.

What problems are they experiencing?

• Large datasets
• Signal to noise
• Skills shortage

What challenges are they facing?

Find the Needle, Skip the Haystack


GuardDuty helps security professionals quickly
find the threats to their environments.

Amazon GuardDuty:
All Signal, No Noise

Introducing GuardDuty
Threat Detection Service Re-imagined for the Cloud

• Protects your AWS accounts and workloads
• Detects known threats (threat intelligence based)
• Detects unknown threats (behavior based)
• Less noise, more actionable findings
• One click activation & enterprise ready
• Easily integrate findings with 3rd party solutions & automated remediation
Table of contents
Introduction

How Does Amazon GuardDuty Work?

What can GuardDuty Detect?

Getting Started

Pricing

Service Availability

Customer References

Summary

FAQ

Additional Resources
Introducing Amazon GuardDuty
Threat Detection and Notification

Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads.

GuardDuty Monitors:
• Unusual API calls.
• Potentially unauthorized deployments that indicate a possible account
compromise.
• Potentially compromised instances or reconnaissance by attackers.

How Does Amazon GuardDuty Work?

[Diagram: data flow]
• Data sources: VPC flow logs, DNS logs, CloudTrail events
• Detections: integrated threat intel, ML/AI anomaly detection
• Output: GuardDuty findings
How Does Amazon GuardDuty Work?
Threat Detection: Log Data Inputs

• VPC Flow Logs: IP traffic to/from network interfaces in your VPC
• DNS Logs: log of DNS queries in a VPC when using the VPC DNS resolver
• AWS CloudTrail: track user activity and API usage
What can GuardDuty detect?
Detecting Known Threats, using Threat Intelligence
• GuardDuty consumes feeds from various sources (Threat Intelligence)
• AWS Security
• Commercial feeds
• Open source feeds
• Customer provided threat intel

• The feeds enable GuardDuty to identify the following:


• Known malware infected hosts
• Anonymizing Proxies
• Sites hosting malware & hacker tools
• Crypto-currency mining pools and wallets
• Great catch-all for suspicious & malicious activity

What can GuardDuty detect?
Using ML - detecting Unknown Threats

Anomaly Detection
• Algorithms to detect unusual behavior
• Inspecting signal patterns for signatures
• Profiling normal and looking at deviations
• Machine Learning Classifiers

What can GuardDuty detect?

Reconnaissance
Instance recon:
• Port probe / accepted comm
• Port scan (intra-VPC)
• Bruteforce attack (IP)
• Drop point (IP)
• Tor communications
Account recon:
• Tor API call (failed)

Instance compromise
• C&C activity
• Malicious domain request
• EC2 on threat list
• Drop point IP
• Malicious comms (ASIS)
• Cryptocurrency mining
• Spambot activity
• Outbound SSH bruteforce
• EC2 Credential Exfiltration
• Unusual network port
• Unusual traffic volume/direction
• Unusual DNS requests
• Domain generated algorithms

Account compromise
• Malicious API call (bad IP)
• Tor API call (accepted)
• CloudTrail disabled
• Password policy change
• Instance launch unusual
• Region activity unusual
• Suspicious console login
• Unusual ISP caller
• Mutating API calls (create, update, delete)
• High volume of describe calls
• Unusual IAM user added
Covering the Attackers Kill Chain

[Diagram: attack progression with the GuardDuty findings that cover each stage]
Stages: Recon → RDP Brute Force → RAT Installed → Probe API with temp creds → Exfiltrate temp IAM creds over DNS → Attempt to compromise account.
Findings shown along the chain: Anonymizing Proxy, Malicious or Suspicious IP, Connect to Blacklisted Site, Bitcoin Activity, Unusual Traffic Volume, Unusual ISP Caller, Unusual Instance Launch, RDP Brute Force, Unusual Ports, DNS Exfiltration, Temp credentials used off-instance.
Rapid Pace of Iteration & innovation
Amazon GuardDuty Finding Types

[Chart: number of GuardDuty finding types per month since GA; the bars read 12, 14, 20, 24, 28, 30, 34, 42 and 50. Month labels were not recoverable from the extraction.]
Findings Dashboard

Findings Formats
Findings are available in the AWS Management Console and through the API in JSON format.

See threat information including:
• Severity
• Region
• Count/Frequency
• Threat Type
• Affected Resource
• Source Information
• Viewable via CloudWatch Events
Findings Severity Level
LOW: Suspicious or malicious activity blocked before it compromised a resource.
Suggestion: No immediate recommended steps, but take note of the info as something to address in the future.

MEDIUM: Suspicious activity deviating from normally observed behavior.
Suggestion: Investigate further.
• New software? AV scan on the resource
• Changes to settings?
• Examine permissions attached to the IAM entity implicated

HIGH: Resource compromised and actively being used for an unauthorized purpose.
Suggestion: Take immediate action(s).
• Terminate instance(s)
• Rotate IAM access keys
Responding to Findings: Remediation

Automatic Remediation
• Remediate a compromised instance
• Remediate compromised AWS credentials

Flow: GuardDuty finding → CloudWatch Events rule → AWS Lambda function

Example: finding Backdoor:EC2/XORDDOS. A CloudWatch Events rule triggers a Lambda function, which removes the instance from its current security group(s) and adds it to one with all ingress and egress blocked.
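The finding format, severity bands and remediation flow above, as an added example that is not part of the deck or of any AWS sample: a Lambda-style handler that receives a GuardDuty finding from a CloudWatch Events rule, archives the raw finding to S3 (the deck's answer to the 90-day retention limit), and for a HIGH finding against an EC2 instance swaps every security group on the instance's ENIs for a quarantine group. The quarantine group id, the bucket name, the finding ids and the FakeEC2/FakeS3 classes are assumptions constructed so the module runs offline; in Lambda you would pass `boto3.client("ec2")` and `boto3.client("s3")` instead.

```python
"""Added example, not from the deck: archive every GuardDuty finding, and
quarantine the affected EC2 instance when the finding is HIGH severity.

Assumptions: QUARANTINE_SG and ARCHIVE_BUCKET are made-up identifiers; the
Fake* classes are constructed stand-ins for boto3 clients (demo only).
"""
import json

QUARANTINE_SG = "sg-0deadbeef00000000"          # assumed: SG with no inbound/outbound rules
ARCHIVE_BUCKET = "guardduty-findings-archive"   # assumed: bucket for long-term retention


def severity_label(score):
    """Map GuardDuty's numeric severity to the deck's LOW/MEDIUM/HIGH bands
    (GuardDuty documents LOW as 0.1-3.9, MEDIUM 4.0-6.9, HIGH 7.0-8.9)."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def instance_id_from(finding):
    """Return the EC2 instance id for Instance-type findings, else None
    (IAM findings carry an AccessKey resource: rotate keys, don't quarantine)."""
    resource = finding.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")


def quarantine_instance(ec2, instance_id, quarantine_sg):
    """Replace the security groups on every ENI of the instance with the
    quarantine group. Returns the previous group ids so they can be logged
    and restored after the investigation."""
    reservation = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]
    previous = []
    for eni in reservation["Instances"][0]["NetworkInterfaces"]:
        previous.extend(group["GroupId"] for group in eni["Groups"])
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=eni["NetworkInterfaceId"], Groups=[quarantine_sg])
    return previous


def handle_event(event, ec2, s3):
    """Entry point: CloudWatch Events puts the GuardDuty finding under event['detail']."""
    finding = event["detail"]
    # 1. Archive every finding, whatever the severity, keyed by region and finding id.
    key = f"{finding['region']}/{finding['id']}.json"
    s3.put_object(Bucket=ARCHIVE_BUCKET, Key=key, Body=json.dumps(finding).encode())
    result = {"severity": severity_label(finding["severity"]),
              "type": finding["type"], "archived": key, "action": "none"}
    # 2. Only HIGH findings against an instance get the automatic quarantine.
    instance_id = instance_id_from(finding)
    if result["severity"] == "HIGH" and instance_id:
        result["previousGroups"] = quarantine_instance(ec2, instance_id, QUARANTINE_SG)
        result["action"] = f"quarantined {instance_id}"
    return result


# --- constructed stand-ins for the boto3 clients (demo only) -----------------
class FakeEC2:
    def __init__(self, instances):
        self.instances = instances  # {instance_id: {eni_id: [group ids]}}

    def describe_instances(self, InstanceIds):
        enis = self.instances[InstanceIds[0]]
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0],
            "NetworkInterfaces": [{"NetworkInterfaceId": eni,
                                   "Groups": [{"GroupId": g} for g in groups]}
                                  for eni, groups in enis.items()]}]}]}

    def modify_network_interface_attribute(self, NetworkInterfaceId, Groups):
        for enis in self.instances.values():
            if NetworkInterfaceId in enis:
                enis[NetworkInterfaceId] = list(Groups)


class FakeS3:
    def __init__(self):
        self.objects = {}

    def put_object(self, Bucket, Key, Body):
        self.objects[(Bucket, Key)] = Body


def sample_event(finding_type, severity, resource):
    """Constructed CloudWatch Events envelope carrying a GuardDuty finding."""
    return {"detail-type": "GuardDuty Finding", "source": "aws.guardduty",
            "detail": {"id": finding_type.lower().replace(":", "-").replace("/", "-"),
                       "type": finding_type, "severity": severity,
                       "region": "us-east-1", "resource": resource}}


if __name__ == "__main__":
    ec2 = FakeEC2({"i-0123456789abcdef0": {"eni-0a": ["sg-web", "sg-ssh"]}})
    event = sample_event("Backdoor:EC2/XORDDOS", 8.0,
                         {"resourceType": "Instance",
                          "instanceDetails": {"instanceId": "i-0123456789abcdef0"}})
    print(handle_event(event, ec2, FakeS3()))
```

In Lambda the wrapper is one line, `def lambda_handler(event, context): return handle_event(event, boto3.client("ec2"), boto3.client("s3"))`, and the function's role needs `ec2:DescribeInstances`, `ec2:ModifyNetworkInterfaceAttribute` and `s3:PutObject` on the archive bucket only. The previous group ids are returned rather than discarded so the quarantine is reversible once the instance has been examined; a handler that only terminates loses the forensic state the HIGH-severity guidance depends on.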
Getting Started

Getting Started

Amazon GuardDuty should be turned on in all regions.

This gives the service a holistic view of the account:

• Identification of unauthorized or unusual activity even in regions the customer is not actively using.

• Monitoring of AWS CloudTrail events for global AWS services such as IAM.

Note: There is little to no additional cost for GuardDuty to monitor a region where you have no active workloads deployed.
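The "turn it on in all regions" step, as an added example that is not from the deck or from the multi-account enablement script it links: enable a GuardDuty detector in every region the account can see, then audit that every region still reports an ENABLED detector. The `client(service, region)` callable is an assumption standing in for a boto3 client factory (with boto3, pass `lambda svc, region: boto3.client(svc, region_name=region)`); the FakeAccount class and its detector ids are constructed so the module runs offline.

```python
"""Added example, not from the deck: enable GuardDuty in every region and
report any region without an ENABLED detector.

Assumption: client(service, region) returns a boto3-style client. The
FakeAccount below is a constructed in-memory stand-in (demo only).
"""


def list_regions(client):
    """Region names from EC2 DescribeRegions (queried once, in us-east-1)."""
    regions = client("ec2", "us-east-1").describe_regions()["Regions"]
    return sorted(r["RegionName"] for r in regions)


def ensure_enabled(client, region):
    """Create the region's detector if absent, re-enable it if suspended.
    Returns (detector_id, action) for the change report."""
    gd = client("guardduty", region)
    ids = gd.list_detectors()["DetectorIds"]
    if not ids:                       # an account has at most one detector per region
        return gd.create_detector(Enable=True)["DetectorId"], "created"
    detector = ids[0]
    if gd.get_detector(DetectorId=detector)["Status"] != "ENABLED":
        gd.update_detector(DetectorId=detector, Enable=True)
        return detector, "re-enabled"
    return detector, "already-enabled"


def enable_all_regions(client):
    """Apply ensure_enabled everywhere; returns {region: (detector_id, action)}."""
    return {region: ensure_enabled(client, region) for region in list_regions(client)}


def audit_coverage(client):
    """Regions with no ENABLED detector. An empty list means full coverage.
    Worth running on a schedule: anyone holding guardduty:DeleteDetector or
    guardduty:UpdateDetector can silently switch monitoring off."""
    gaps = []
    for region in list_regions(client):
        gd = client("guardduty", region)
        ids = gd.list_detectors()["DetectorIds"]
        if not ids or gd.get_detector(DetectorId=ids[0])["Status"] != "ENABLED":
            gaps.append(region)
    return gaps


# --- constructed stand-in for an AWS account (demo only) ---------------------
class FakeAccount:
    def __init__(self, regions, detectors):
        self.regions = regions
        self.detectors = detectors    # {region: [detector_id, status]}

    def client(self, service, region):
        return _FakeEC2(self) if service == "ec2" else _FakeGuardDuty(self, region)


class _FakeEC2:
    def __init__(self, account):
        self.account = account

    def describe_regions(self):
        return {"Regions": [{"RegionName": r} for r in self.account.regions]}


class _FakeGuardDuty:
    def __init__(self, account, region):
        self.account, self.region = account, region

    def list_detectors(self):
        det = self.account.detectors.get(self.region)
        return {"DetectorIds": [det[0]] if det else []}

    def create_detector(self, Enable):
        det = ["det-" + self.region, "ENABLED" if Enable else "DISABLED"]
        self.account.detectors[self.region] = det
        return {"DetectorId": det[0]}

    def get_detector(self, DetectorId):
        return {"Status": self.account.detectors[self.region][1]}

    def update_detector(self, DetectorId, Enable):
        self.account.detectors[self.region][1] = "ENABLED" if Enable else "DISABLED"


if __name__ == "__main__":
    acct = FakeAccount(["us-east-1", "eu-west-1", "ap-northeast-1"],
                       {"us-east-1": ["det-a", "ENABLED"], "eu-west-1": ["det-b", "DISABLED"]})
    print("gaps before:", audit_coverage(acct.client))
    print(enable_all_regions(acct.client))
    print("gaps after:", audit_coverage(acct.client))
```

Against a real account, DescribeRegions may return a region where GuardDuty is not yet offered; the GuardDuty client call for that region fails rather than returning an empty detector list, so wrap `ensure_enabled` in a try/except and record the region as unsupported if you run this across an account with such regions. Member-account invitations are a separate workflow (the multi-account script in Additional Resources) and are not covered here.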
Getting Started
GuardDuty Account Relationships

• Adding accounts to the service can be done via the console or API.

• An account that accepts an invitation is designated a "Member" account.
Getting Started
GuardDuty Account Relationships
Master account, can do the following for ALL accounts:
• Generate sample findings
• Configure and view/manage findings
• Suspend the GuardDuty service
• Upload and manage trusted IP and threat IP lists (coming soon!)

Member accounts (up to 1000 per master):
• Actions and visibility are limited to the member account.
• Each account is billed separately.

Disabling: an account can only disable GuardDuty for itself. Before the master can do so, all member accounts must first be removed (a member account can also remove itself).
GuardDuty Pricing
Simple low cost pricing model.

Free Trial: Any account new to Amazon GuardDuty can try the service for 30
days at no cost, with access to the full feature set and all detections during the
free trial. GuardDuty displays the volume of logs processed and the estimated
daily average service charge, giving a tailored price estimate for protecting all
of your AWS accounts with GuardDuty.
GuardDuty Pricing
Simple low cost pricing model. Enabled on a regional basis.

Price groups by region:
A: US East (N. Virginia), US East (Ohio), US West (Oregon)
B: US West (N. California), Canada (Central), EU (Ireland), EU (London), Asia Pacific (Mumbai)
C: EU (Frankfurt), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney)
D: Asia Pacific (Tokyo)
E: South America (Sao Paulo)

VPC Flow Log and DNS Log Analysis (per GB)
                                A       B       C       D       E
First 500 GB / month            $1.00   $1.10   $1.15   $1.18   $1.75
Next 2000 GB / month            $0.50   $0.55   $0.58   $0.59   $0.88
Over 2500 GB / month            $0.25   $0.28   $0.29   $0.29   $0.44

AWS CloudTrail Event Analysis
Per 1,000,000 events / month    $4.00   $4.40   $4.60   $4.72   $7.00
GuardDuty Pricing
Clear visibility on cost based on actual usage.

Global Availability

• US East (N. Virginia)
• US East (Ohio)
• US West (N. California)
• US West (Oregon)
• Canada (Central)
• EU (Ireland)
• EU (Frankfurt)
• EU (London)
• EU (Paris)
• Asia Pacific (Singapore)
• Asia Pacific (Sydney)
• Asia Pacific (Seoul)
• Asia Pacific (Tokyo)
• Asia Pacific (Mumbai)
• South America (Sao Paulo)
Customers

One of the Fastest Growing


Services in AWS History

Partners

Summary
One Click Away
• Managed Threat Detection Service
• Easy One-Click Activation without Architectural or Performance Impact
• Continuous Monitoring of AWS Accounts and Resources
• Discover Threats Related to EC2 and IAM
• Instant On Provides Findings in Minutes
• No Agents, no Sensors, no Network Appliances
• Global Coverage, Regional Results
• Built In Anomaly Detection with Machine Learning
• Partner Integrations for Additional Protections
• Cost Effective Simple Pricing

Frequently Asked Questions
Is Amazon GuardDuty a replacement for IPS / IDS?

Amazon GuardDuty and IPS/IDS complement each other, as they act on different
parts of the system with little overlap.
e.g. a HIDS/HIPS can include file integrity monitoring that alerts you to changes
made to the OS, which GuardDuty does not cover; GuardDuty, on the other hand, gives you
a holistic view of the traffic flowing through the VPC rather than a single host (VPC Flow
Logs gather data from every ENI).

That said, Amazon GuardDuty covers both deterministic signature-based checks
and behavioral checks.
Frequently Asked Questions

Is there any performance or availability impact to enabling Amazon GuardDuty
on my account?

No.

Amazon GuardDuty operates completely on AWS infrastructure.

There is no footprint in your AWS account and therefore no risk of impacting your
accounts or workloads.
Frequently Asked Questions

Do I have to enable AWS CloudTrail, VPC Flow Logs, and DNS logs for Amazon
GuardDuty to work?
No.

Amazon GuardDuty pulls independent streams of data directly from AWS CloudTrail, VPC
Flow Logs, and AWS DNS logs. You don’t have to manage S3 bucket policies, modify the
way you may collect and store your logs today, or worry about Amazon GuardDuty
accessing your account to pull log data.

Frequently Asked Questions

Does Amazon GuardDuty manage or keep my logs?

No, Amazon GuardDuty does not manage or retain your logs.

All data consumed by Amazon GuardDuty is analyzed in near real-time and discarded.

Frequently Asked Questions

How long are security findings made available in Amazon GuardDuty?

Security findings are retained and made available through the Amazon GuardDuty findings
dashboard and APIs for 90 days. After 90 days, the findings are discarded. To retain findings
for longer than 90 days, you can use a CloudWatch Events rule (for example with a Lambda
function as its target) to automatically push findings to an Amazon S3 bucket in your account
or another data store for long-term retention.
Frequently Asked Questions

After enabling the service, when will I see findings?

Once enabled, Amazon GuardDuty immediately starts working. Whether, and when, security findings
are delivered depends on the activity in your account. Amazon GuardDuty does not look at
historical data, only activity from enablement onward. If it identifies any immediate threats,
you'll receive a finding in the Amazon GuardDuty console in as little as two minutes.
Frequently Asked Questions

How long does machine learning and behavioral anomaly detections take?
The more advanced behavioral and machine learning detections take between 7 and 14
days to set a baseline of behavior in your account. After that time, the anomaly detections
flip from a learning mode to an active mode. Once active, you will only see findings
generated from these detections if the service observes behavior that suggests a threat.

Additional Resources: Amazon GuardDuty

Resources to learn more:
• Full list of GuardDuty Detections (Docs)
• Intro to GuardDuty (Video)
• Deep Dive on GuardDuty (Video)

Resources to deploy and test GuardDuty:
• GuardDuty multi-account enablement automation (Python script)
• GuardDuty Tester for triggering GuardDuty detections (Docs + Artifacts)
Additional Resources: Amazon GuardDuty

AWS Security Blog posts on GuardDuty:
• How we reduce complexity and rapidly iterate on Amazon GuardDuty: twelve new detections added (AWS Security Blog)
• How to Manage Amazon GuardDuty Security Findings Across Multiple Accounts (AWS Security Blog)
• Alexa – Give me my GuardDuty flash briefing (AWS Security Blog)
Additional Resources: GuardDuty and Lambda
• Patrol Rules (Mapbox, www.mapbox.com): processes new AWS GuardDuty alerts and sends alerts meeting a minimum severity threshold to an SNS topic.
  GitHub: https://github.com/mapbox/patrol-rules-guardduty

• GuardDuty to Slack (AWS, www.aws.amazon.com/guardduty): demonstrates sending Amazon GuardDuty findings to your Slack channel.
  GitHub: https://github.com/aws-samples/amazon-guardduty-to-slack

• GuardDuty Multiple Account Scripts (AWS, www.aws.amazon.com/guardduty): automates running the GuardDuty multi-account workflow across a group of accounts that are in your control.
  GitHub: https://github.com/aws-samples/amazon-guardduty-multiaccount-scripts

• Deep Security Integration (Trend Micro, https://www.trendmicro.com/aws/guardduty/): an AWS Lambda function to create a joint workflow between Amazon GuardDuty and Deep Security.
  GitHub: https://github.com/deep-security/amazon-guardduty
  AWS Marketplace: https://aws.amazon.com/marketplace/pp/B01AVYHVHO?qid=1515786002801&sr=0-2&ref_=srh_res_product_title
Thank You!

Amazon GuardDuty
