Yesterday's reports showed that Amazon Web Services (AWS) continues to grow rapidly: up almost 50% for the last quarter compared with the same quarter a year earlier. This reflects the steady move by companies to cloud infrastructure in search of cost savings, and in particular the number of companies choosing AWS to deliver those services.
If your organization is one of the many that has moved some or all of its servers to the AWS cloud, or is planning to do so soon, you may be wondering what this means for your security monitoring plans. Do your existing tools still work? Will you need new services? Is security monitoring already part of AWS?
Monitoring cloud-based infrastructure for potential security threats presents unique challenges. Infrastructure in a cloud such as AWS does not have all the attributes you rely on with on-premises hardware: you cannot put a tap or span port on the virtual network, and instances, storage and firewall rules are created, changed and destroyed through API calls rather than by someone touching equipment. AWS does provide two means (CloudTrail and CloudWatch) of collecting additional data about the activity in a cloud-based environment:
CloudTrail is the AWS service that records API calls made against your account, whether they come from the console, the CLI or SDKs. Each record includes a timestamp, the identity that made the call (IAM user, assumed role or the root account), the caller's source IP address, the action invoked and its request parameters, so for EC2 instances and security groups it tells you exactly what was changed, when and by whom. Note that CloudTrail also records read-only calls such as Describe* requests, which is useful for spotting reconnaissance. This functionality is an important security feature for keeping track of what changes have occurred and who made them. Combining CloudTrail data with other security information and event data lets organizations monitor the AWS environment for suspicious changes or activity within the virtual infrastructure.
CloudWatch is the AWS monitoring service for metrics, alarms and logs. One log source it can receive is Virtual Private Cloud (VPC) Flow Logs, which capture information about the IP traffic going to and from network interfaces in your VPC: source and destination addresses and ports, protocol, packet and byte counts, and whether the traffic was accepted or rejected by your security groups and network ACLs. Flow logs record this metadata only, not packet contents, so they show who talked to whom and on which ports rather than what was said. That is still enough to spot scanning, unexpected outbound connections and traffic to known-bad addresses.
CloudTrail and CloudWatch can provide the raw data needed to identify suspicious activity, but the volume is overwhelming and digging through it by hand for actionable intelligence is difficult. On their own, these tools are not sufficient to detect and respond to threats without a great deal of manual effort. You will still want to ensure you have continuous security monitoring of your AWS assets.
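To make the two data sources above concrete, here is a small added example (not code from Cygilant or AWS) that runs a few detection rules over CloudTrail records and VPC Flow Log lines. The records, account, interface and security-group IDs are all constructed for the example; the field layouts follow the real CloudTrail JSON and the default flow-log format. The rules are illustrative thresholds, not a recommended rule set.

```python
"""Toy detections over CloudTrail records and VPC Flow Log lines (added example)."""
import json
from collections import defaultdict

SENSITIVE_PORTS = {22, 3389}  # SSH and RDP: should never be open to 0.0.0.0/0

# Constructed CloudTrail records, shaped like the "Records" array of one log file.
CLOUDTRAIL_RECORDS = json.loads(r'''
{"Records": [
 {"eventTime": "2017-04-28T14:02:11Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "IAMUser", "userName": "deploy"},
  "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventTime": "2017-04-28T14:05:40Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "IAMUser", "userName": "deploy"},
  "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventTime": "2017-04-28T15:10:02Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
  "userIdentity": {"type": "Root"},
  "additionalEventData": {"MFAUsed": "No"}}
]}''')["Records"]


def rule_sg_world_open(r):
    """Security group rule opened to the whole internet on a sensitive port."""
    if r["eventName"] != "AuthorizeSecurityGroupIngress":
        return None
    params = r["requestParameters"]
    exposed = set()
    for perm in params["ipPermissions"]["items"]:
        # ipProtocol "-1" (all traffic) carries no port fields: treat as 0-65535.
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        ranges = perm.get("ipRanges", {}).get("items", [])
        if any(x.get("cidrIp") == "0.0.0.0/0" for x in ranges):
            exposed |= {p for p in SENSITIVE_PORTS if lo <= p <= hi}
    return f"{params['groupId']} opened {sorted(exposed)} to 0.0.0.0/0" if exposed else None


def rule_root_activity(r):
    """Any use of the root account is worth an alert."""
    if r.get("userIdentity", {}).get("type") == "Root":
        return f"root account used for {r['eventName']}"
    return None


def rule_console_login_no_mfa(r):
    if r["eventName"] == "ConsoleLogin" and r.get("additionalEventData", {}).get("MFAUsed") == "No":
        return "console login without MFA"
    return None


RULES = {"sg-world-open": rule_sg_world_open,
         "root-activity": rule_root_activity,
         "console-login-no-mfa": rule_console_login_no_mfa}


def cloudtrail_alerts(records):
    """Run every rule over every record; one alert per (record, rule) hit."""
    alerts = []
    for r in records:
        for name, rule in RULES.items():
            reason = rule(r)
            if reason:
                alerts.append({"rule": name, "time": r["eventTime"],
                               "source_ip": r["sourceIPAddress"], "reason": reason})
    return alerts


# Constructed VPC Flow Log lines in the default (version 2) field order.
FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()
FLOW_LOG_LINES = """\
2 123456789012 eni-0abc1234 198.51.100.9 10.0.1.20 40001 22 6 1 44 1493388000 1493388060 REJECT OK
2 123456789012 eni-0abc1234 198.51.100.9 10.0.1.20 40002 23 6 1 44 1493388000 1493388060 REJECT OK
2 123456789012 eni-0abc1234 198.51.100.9 10.0.1.20 40003 80 6 1 44 1493388000 1493388060 REJECT OK
2 123456789012 eni-0abc1234 198.51.100.9 10.0.1.20 40004 443 6 1 44 1493388000 1493388060 REJECT OK
2 123456789012 eni-0abc1234 198.51.100.9 10.0.1.20 40005 3389 6 1 44 1493388000 1493388060 REJECT OK
2 123456789012 eni-0abc1234 10.0.1.20 93.184.216.34 51234 443 6 12 3310 1493388000 1493388060 ACCEPT OK
2 123456789012 eni-0abc1234 - - - - - - - 1493388000 1493388060 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format flow log lines; drop NODATA/SKIPDATA windows and malformed lines."""
    recs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(FLOW_FIELDS):
            continue
        rec = dict(zip(FLOW_FIELDS, fields))
        if rec["log_status"] == "OK":
            recs.append(rec)
    return recs


def scan_sources(records, min_ports=5):
    """Port-scan heuristic: one source rejected on >= min_ports distinct ports of one destination."""
    seen = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            seen[(r["srcaddr"], r["dstaddr"])].add(int(r["dstport"]))
    return {pair: sorted(ports) for pair, ports in seen.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for a in cloudtrail_alerts(CLOUDTRAIL_RECORDS):
        print(a["time"], a["rule"], a["source_ip"], a["reason"])
    for (src, dst), ports in scan_sources(parse_flow_log(FLOW_LOG_LINES)).items():
        print(f"possible scan from {src} against {dst}: rejected on ports {ports}")
```

In the constructed data, the rule opening port 443 to the world is deliberately not flagged while the port 22 rule is, and the root console login fires two rules at once; a real SIEM would de-duplicate those and enrich the source IPs with geolocation and known-bad lists before anyone looks at them.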
Cygilant SOCVue Security Monitoring supports AWS CloudTrail and CloudWatch. SOCVue ingests the data CloudTrail and CloudWatch provide into our log management and SIEM technology to correlate and alert on it in combination with your other data sources. This saves time compared with reviewing the data manually and gives additional insight by showing behavior across your cloud or hybrid cloud environment. Cygilant's 24x7x365 Global SOC team also provides the eyes and ears to detect anomalous activity, analyze alerts and provide remediation guidance, saving you from chasing false positives.
Learn more about SOCVue Security Monitoring in the brief video: