Amazon GuardDuty & Elastic Workload Protector


Even though the cloud is becoming more widespread, its security is still a major concern for IT teams. Even when cloud providers fulfil their part of the mission, the security of applications (workloads) and data remains the customer's responsibility.
In the IaaS market, Amazon Web Services is still in first place. As it does every year at its re:Invent event, the company presented its innovations, and took the opportunity to highlight its new cloud threat detection service, GuardDuty. With it, AWS adds a brick to its edifice without completely solving the problems of enterprise cloud security.

As a reminder, the main barriers to cloud adoption for businesses are:
– Traditional security solutions (firewalls, scanners, pentests) are no longer suited to the way AWS environments are built.
– Few developers understand and follow AWS security best practices.
– The AWS environment changes too fast to apply all security best practices.

Additional solutions are therefore necessary to obtain optimal security. After studying Amazon Inspector in a previous article, we'll see what the new GuardDuty service brings to the AWS security offer, which security needs it meets, and how it differs from and complements our cloud monitoring solution, Elastic Workload Protector (EWP).


GuardDuty

With GuardDuty, Amazon Web Services enters continuous threat detection. Through its API, GuardDuty maps its customers' cloud infrastructures. Enabled in a few clicks in the AWS Management Console, the service analyzes suspicious events and activities from AWS CloudTrail, VPC Flow Logs, and other AWS data sources. It also relies on threat intelligence feeds (partnerships with Proofpoint and CrowdStrike) and on machine learning.

When a potential threat is detected, a finding is raised in GuardDuty and forwarded to Amazon CloudWatch Events. Findings are thus centralized for all of a company's AWS accounts, which lets teams fix problems against their inventory of resources. In addition, the service adapts its effort automatically: it checks accounts more often during periods judged critical (after an intrusion attempt, for example).


Elastic Workload Protector (EWP)

It started with an observation made in 2011: after analyzing the AWS infrastructure, SecludIT detected many vulnerabilities. To address this security issue, which still exists today, SecludIT developed an automatic and continuous cloud security detection solution. The solution, compatible with many IaaS providers, also integrates a vulnerability assessment engine. During its automated scans, EWP looks for vulnerabilities listed in the CVE database and relies on the OWASP, ANSSI (French security agency) and PCI DSS security standards, the security standards of the Cloud Security Alliance (CSA) and the Center for Internet Security (CIS), and the security best practices of cloud providers (AWS, Microsoft Azure, Google Cloud …). The solution assesses the overall risk exposure of the infrastructure and lists the vulnerabilities and misconfigurations detected, both on the platform and in detailed, customizable reports.


GuardDuty & Elastic Workload Protector: the perfect match?

Several cloud monitoring solutions have emerged to address these security issues. While it is always difficult to choose between solutions, it can be wise to combine them for more simplicity or wider risk coverage. Here are some points of comparison between GuardDuty and EWP:


| | Elastic Workload Protector | GuardDuty |
|---|---|---|
| Monitoring mode | Continuous and automatic monitoring (alerts sent in real time); scans can be scheduled | Continuous detection (alerts sent in real time) |
| Detected objects | Vulnerabilities; cloud misconfigurations | Unusual or potentially dangerous (suspicious) events |
| Monitoring tools | API + vulnerability scanner | API + log anomaly detection; GuardDuty is enabled per AWS account through an IAM identity |
| Cloning | Patented technology to clone a server so that production is not affected | N/A |
| Knowledge base | CVE vulnerabilities; CSA, CIS, ANSSI, OWASP and PCI DSS standards; IaaS security best practices (AWS, Google Cloud Compute, Microsoft Azure...) | AWS knowledge, machine learning, and knowledge from partners Proofpoint and CrowdStrike |
| Scope | Public and private cloud, multi-cloud, hybrid cloud, virtualized environments from different providers (including AWS) | AWS customer accounts: one or more of any size (no more than 100 accounts under a master account) |
| Alerts | Yes, in real time | Yes; alerts listed, detailed and prioritized in AWS CloudWatch Events |
| Reports included | Risk level with key risk indicators; executive view; all vulnerabilities detailed | N/A |
| Solutions | Detailed patches for each vulnerability and security breach detected; an action plan lets security teams intervene on critical vulnerabilities | Advice to technical teams on dealing with detected problems; AWS Lambda can be enabled for automatic remediation |
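The alert path described above (findings forwarded to CloudWatch Events, with Lambda as the remediation hook) as an added example, not SecludIT's or AWS's code: a Python Lambda handler that keeps only GuardDuty findings and triages them by severity before anything touches a host. The envelope and finding field names (source, detail-type, severity, type, resource) follow GuardDuty's event schema as I know it and are assumptions here; the sample event is constructed so the code runs offline.

```python
import json

# Constructed sample event, shaped like the CloudWatch Events envelope that
# carries a GuardDuty finding to a Lambda target (field names assumed).
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "111122223333",
    "region": "eu-west-1",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5.0,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

def is_guardduty_finding(event):
    """Same filter as the CloudWatch Events rule pattern that routes findings."""
    return (event.get("source") == "aws.guardduty"
            and event.get("detail-type") == "GuardDuty Finding")

def severity_label(score):
    """GuardDuty severity bands: 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"

def triage(event):
    """Turn a finding into a decision record; None if the event is not a finding."""
    # Only HIGH findings on an EC2 instance are marked for quarantine; the rest
    # are queued for review, so a noisy low finding cannot take a host offline.
    if not is_guardduty_finding(event):
        return None
    finding = event["detail"]
    level = severity_label(float(finding["severity"]))
    resource = finding.get("resource", {})
    instance = resource.get("instanceDetails", {}).get("instanceId")
    quarantine = level == "HIGH" and resource.get("resourceType") == "Instance"
    return {"account": event.get("account"), "region": event.get("region"),
            "type": finding["type"], "severity": level, "instance": instance,
            "action": "QUARANTINE" if quarantine else "REVIEW"}

def lambda_handler(event, context):
    """Lambda entry point: log the decision as JSON and return it."""
    decision = triage(event)
    print(json.dumps(decision))
    return decision
```

The actual quarantine step (for example, swapping the instance's security group) is deliberately left to a separate, audited function so the triage logic can be tested on its own.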

GuardDuty partially answers the security issues faced by companies using the cloud: it lets them detect any behavior judged "suspicious".
Companies will still need to watch their IT budget, because AWS pricing is based on the volume of events the service analyzes. It is therefore also advisable to have analyzed the infrastructure upstream to reduce the risk of unusual behavior.

Because their analysis perimeters are not the same, GuardDuty and EWP are complementary. One detects potential breaches and vulnerabilities upstream (prevention) and proposes remediations; the other analyzes the infrastructure's activity and highlights suspicious behavior live. GuardDuty is therefore an interesting complement to Elastic Workload Protector. Together, they could form a solid foundation for building a SOC.

AWS lovers can discover our AWS security best practices white paper (in French).
Curious and eager to protect your entire infrastructure (cloud, multi-cloud, hybrid and traditional)? We offer an Elastic Workload Protector free trial on one of your public IPs so you can know your risk exposure and remedy it. Because if a company like Apple can leave a basic security hole in macOS, it can happen to you too.
