Anticipate, Defend Security Threats in an AWS Environment

The second in a three-part series on new ways to think about security in AWS environments.

In part one of this blog series on AWS security, we introduced our new whitepaper, “A New Way to Look at AWS Security,” and showed how AWS itself addresses fundamental security challenges in any network (on-premises or cloud-based). The article also showed how an AWS deployment can overcome traditional security challenges such as visibility, identity and access management, and policy declaration and enforcement.

In this article, we’ll take a closer look at the ways you can anticipate and defend against the known and unknown threats to network security in an AWS environment.

A simple way to think about security in AWS

To achieve these goals, there are two important questions to ask when securing your AWS footprint: “How is the AWS resource configured?” and “What is it doing?” If you can answer these questions clearly, then you can rest assured that you are keeping up with your end of the shared responsibility model for security in AWS environments. (We described this concept in more detail in the previous blog article.)

We will now take a look at what both of these questions entail.

How is the AWS resource configured?

Knowing the configuration state of all of your AWS resources is important. Why? Because if you know the configured state of all services, devices, users, and policy objects, then you can determine whether those states are consistent with best practices and with your expectations, and check them against known network problems and security vulnerabilities. Thoroughly understanding your configuration state, and proving that you adhere to various policies, is critical for compliance and risk governance.

The whitepaper gives the example of AWS Config and describes how it makes it easy to articulate and enforce adherence to security policies related to asset creation, access, and use. Additional services, such as Amazon Inspector, let you install an agent on each of your AWS servers in order to regularly verify that the server a) has an internal server configuration that is consistent with best practices, and b) does not include software that exhibits a known vulnerability.


What is each resource doing?

Of course, not all problems are known in advance. Unknown software vulnerabilities, stolen credentials, user misbehavior, and unintended consequences of policy choices are all examples of things that can’t be detected through configuration management. As a result, they can lead to severe security problems.

Knowing what various resources are doing is important because there’s a big difference between “what a resource is permitted to do,” and “what behaviors the resource has been exhibiting.” This is true because most security problems can be traced to an asset’s behavior that was permitted by its configuration but still proved to be damaging.

With the right instrumentation and visibility of the AWS environment, it becomes possible to gain insight into specific behaviors demonstrated by each AWS resource. Yet keep in mind that this level of visibility can be a fire hose of information, and it is up to the consumer of this information to determine what represents a potential problem. This is where Observable Networks and our Observable Cloud solution are uniquely positioned to help.

The Observable Cloud difference

The Observable Cloud solution maintains a software model – a real-time simulation – of each of your AWS resources, including servers and users. Each model uses input from structured data feeds provided by AWS services, including VPC Flow Logs, AWS CloudTrail, Amazon CloudWatch, AWS Config, and Amazon Inspector. Dynamic Endpoint Modeling automatically discovers the role and behavior of your AWS resources, and then tracks that behavior continuously in order to detect when risky or threatening behaviors occur.
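To make the gap between "permitted" and "exhibited" concrete, here is a small added example (not code from Observable Cloud or the whitepaper) that learns which services each network interface has used from default-format VPC Flow Logs and reports accepted flows to services it has never used before. The ENI-to-IP map, the port heuristic for spotting the initiating side, and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Default VPC Flow Logs (version 2) field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_flow(line):
    """Parse one default-format record; None for NODATA/SKIPDATA or a wrong field count."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[-1] != "OK":
        return None
    rec = dict(zip(FIELDS, parts))
    rec.update({k: int(rec[k]) for k in ("srcport", "dstport", "protocol", "bytes")})
    return rec

def outbound_service(rec, eni_ips):
    """(protocol, dstport) when the ENI initiated a flow its configuration accepted."""
    if rec["action"] != "ACCEPT" or rec["srcaddr"] != eni_ips.get(rec["interface_id"]):
        return None
    # Heuristic (assumption): the initiating side uses the higher, ephemeral port.
    return (rec["protocol"], rec["dstport"]) if rec["dstport"] < rec["srcport"] else None

def build_baseline(lines, eni_ips):
    baseline = defaultdict(set)
    for rec in filter(None, map(parse_flow, lines)):
        if svc := outbound_service(rec, eni_ips):
            baseline[rec["interface_id"]].add(svc)
    return baseline

def new_behaviors(lines, baseline, eni_ips):
    """Permitted (ACCEPT) flows to services the ENI has not been seen using before."""
    found = []
    for rec in filter(None, map(parse_flow, lines)):
        svc = outbound_service(rec, eni_ips)
        if svc and svc not in baseline.get(rec["interface_id"], set()):
            found.append((rec["interface_id"], rec["dstaddr"], *svc, rec["bytes"]))
    return found

# Constructed sample records (made-up account, ENI id and addresses).
ENI_IPS = {"eni-0aaa": "10.0.1.10"}
HISTORY = [
    "2 123456789012 eni-0aaa 10.0.1.10 10.0.2.20 49152 5432 6 20 4000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0aaa 10.0.2.20 10.0.1.10 5432 49152 6 18 9000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0aaa - - - - - - - 1700000060 1700000120 - NODATA",
]
TODAY = [
    "2 123456789012 eni-0aaa 10.0.1.10 10.0.2.20 49200 5432 6 22 4100 1700086400 1700086460 ACCEPT OK",
    "2 123456789012 eni-0aaa 10.0.1.10 203.0.113.7 50111 22 6 900 7500000 1700086400 1700086460 ACCEPT OK",
    "2 123456789012 eni-0aaa 10.0.1.10 203.0.113.9 50112 23 6 1 40 1700086400 1700086460 REJECT OK",
]
```

Calling `new_behaviors(TODAY, build_baseline(HISTORY, ENI_IPS), ENI_IPS)` reports only the accepted outbound SSH flow: the familiar database connection matches the baseline, and the rejected flow was never permitted in the first place.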

Interested in learning more? We invite you to download our whitepaper, “A New Way to Look at AWS Security,” or stay tuned for the final article in this series, which will provide more information on how Observable Cloud can improve security in AWS environments.
