At AWS re:Invent, Amazon Web Services Inc. (AWS), an Amazon.com company, announced Amazon GuardDuty, a fully managed intelligent threat detection service that helps customers protect their AWS accounts and workloads by continuously monitoring account activity for malicious or unauthorized behavior. Customers can enable Amazon GuardDuty with a few clicks in the AWS Management Console and immediately begin analyzing API calls and network activity across their accounts to establish a baseline of “normal” account activity. Then, Amazon GuardDuty continuously applies machine learning to identify any events that fall outside the normal patterns. Amazon GuardDuty correlates activity using both proprietary, AWS-developed threat intelligence sources and industry-leading third-party sources. When anomalies are detected, Amazon GuardDuty delivers a detailed security alert to the AWS account owner, making alerts actionable and easy to integrate with existing event management and workflow systems. With Amazon GuardDuty, there is no hardware or software to deploy and no third-party subscription costs; customers pay only for the events analyzed.†
As customers grow their cloud usage and increasingly deploy microservices architectures, they may have multiple AWS accounts with up to hundreds of thousands of instances. Identifying and assessing anomalous behavior across multiple accounts, networks, and instances at this scale can be like trying to find a needle in a haystack. Whether looking for attackers scanning web servers for vulnerabilities, monitoring for compromised instances being used to serve malware or mine cryptocurrency, or finding unauthorized resource provisioning, security teams have had to build or integrate multiple tools to detect anomalies. Customers also have to collect API access and network flow logs and correlate them with threat intelligence sources, applying algorithms to identify anomalies based on known threats. And, often, as soon as the algorithms are well-tuned, the threats evolve and the algorithm requires rework. Now, with Amazon GuardDuty, customers can easily deploy intelligent threat detection that takes care of all of this undifferentiated heavy lifting. Once activated, Amazon GuardDuty immediately begins consuming AWS CloudTrail and Amazon VPC Flow Logs to find indications of account-based threats that traditional solutions might miss, such as an unusual instance type being deployed in a region that has never been used, or an attempt to obscure user activity by disabling AWS CloudTrail logging. Amazon GuardDuty generates anomaly alerts that are tailored to each customer’s AWS use, and AWS continuously updates the threat intelligence sources Amazon GuardDuty employs. Amazon GuardDuty can be enabled instantly with no risk of negatively impacting existing application workloads.
“Customers often tell us that the best way we can help them stay secure is to give them smarter tools that make it easier to get security right,” said Stephen Schmidt, Chief Information Security Officer, Amazon Web Services. “We designed Amazon GuardDuty to be so simple and cost effective that turning it on would be an easy choice for every AWS customer, regardless of their security expertise or the existing security services they use. Amazon GuardDuty intelligently identifies hard-to-detect threats that might slip through the cracks of other security products and easily scales to meet the needs of any organization, whether they have two AWS accounts or two thousand.”
General Electric (GE) is the world’s Digital Industrial Company, transforming industry with software-defined machines and solutions that are connected, responsive, and predictive. “Security is a top priority at GE and ingrained in our company culture,” said Nasrin Rezai, Vice President, Global Chief Information and Product Security Officer at GE. “GE runs thousands of applications on AWS. Deploying Amazon GuardDuty across our AWS global footprint required only a matter of hours and enhances our threat detection capabilities.”
The Financial Industry Regulatory Authority (FINRA) oversees more than 3,900 securities firms with approximately 640,000 brokers and processes approximately 6 terabytes of data and 37 billion records on an average day. “We’ve found that we can be more secure in the cloud than we can on-premises,” said John Brady, CISSP, VP Cyber Security/CISO, FINRA. “With AWS, my team has access to outstanding tooling for patching, encryption, auditing and logging, entitlements, compliance, and now threat detection. We’re excited about how this new product can help us take advantage of machine learning to analyze all of our account activity, accurately detecting behavioral anomalies and enabling us to respond quickly.”
Netflix is the world’s leading internet entertainment service with over 109 million members in over 190 countries enjoying more than 125 million hours of TV shows and movies per day. “We’re excited about the capabilities of Amazon GuardDuty,” said Shaun Blackburn, Security Manager, Netflix. “By delegating the management and monitoring of flow logs to AWS, we can extend our detection capabilities and pursue Netflix-specific security work. AWS has deep knowledge of common attack patterns and trends. By leveraging their unique position as the largest cloud providers, they are able to train sophisticated models that we can immediately consume. With Amazon GuardDuty, we can continue to innovate to deliver the greatest convenience, selection, and value to our members.”
Mapbox is a location data platform for maps, search, and navigation that serves more than 300 million end users each month.†It’s all-in on AWS and runs across 10 regions. “Amazon GuardDuty vastly improves cloud intrusion detection, replacing multiple in-house systems with a more advanced, more accurate, and much lower-maintenance service,” said Ian Ward, Engineering Manager, Security at Mapbox. “We were able to enable Amazon GuardDuty instantly, replacing a large-scale engineering project with a fully managed, much more complete service.”
Autodesk is a leader in 3D design, engineering, and entertainment software. “It’s incredibly important we give our developers the freedom to be agile, while at the same time maintaining our high security standards,” said Kolby Dauler, Lead Engineer for Cloud Security at Autodesk. “Amazon GuardDuty helps us secure our AWS accounts owned by our developers, without slowing them down to install and maintain monitoring infrastructure. Using Amazon GuardDuty also gives our security team visibility into actionable metrics and involves them earlier in decisions that help drive better security practices.”
Amazon GuardDuty can send all findings to AWS CloudWatch Events and supports API endpoints through the AWS SDK, allowing for robust interoperability with third-party solutions. Leading providers such as Alert Logic, Evident.io, Palo Alto Networks, Rapid7, Redlock, Splunk, Sumo Logic, and Trend Micro have built integrations with Amazon GuardDuty, with more coming soon. These integrations allow customers to easily incorporate intelligence from Amazon GuardDuty into their existing security workflows for deeper analysis and automated prevention. Amazon GuardDuty also incorporates threat intelligence feeds from CrowdStrike, Proofpoint, and the AWS Security team to help identify and protect customers from known bad actors.
