Security in the Cloud – Responding to AWS Threats in Real Time

A use case example shows just how endpoint modeling improves security in AWS environments or public clouds.

Data StorageIn an earlier blog, we outlined the security challenges posed by a move to Amazon Web Services (AWS) or public clouds. This article also demonstrated how Observable Networks uses Amazon VPC Flow Logs, AWS CloudTrail, and Amazon Inspector, along with our own Dynamic Endpoint Modeling technology, to significantly improve the way companies monitor traffic and recognize possible compromises in AWS public cloud environments.

Now, in part two of this series, we present a use case example to show how a security professional uses endpoint modeling with these tools to monitor their cloud assets, which is vital to responding to potential threats in their company’s cloud environment in real time.

The Need for Cloud Security

To begin, let’s first set the stage with our use case example.

Sharon is the security manager in IT operations for a midsize financial services company. She has been tasked with developing a security strategy in response to the company’s recent decision to move a majority of its data and IT operations to an AWS cloud infrastructure. This migration presents a significant security concern since AWS assets will be difficult – if not impossible – to monitor using traditional security tools.

This is a complex assignment considering the high number of cloud services the company plans to use, the complex combination of on-premise and datacenter-based applications, and the overwhelming number of users, workflows, and other processes. Sharon is not sure if her team can determine which employees are accessing what applications, where they may be accessing them, and whether or not these activities could present a threat. There’s a lot at risk, especially when you consider Sharon’s company must comply with strict industry regulations to protect its clients’ private data – no matter where it is stored and accessed.

Although Sharon’s team uses log audits, a SIEM tool, and other traditional security systems for its on-premise datacenter, she recognizes that these tools simply can’t provide a view of what’s happening in the AWS-deployed applications. To use a metaphor, it’s not enough just to see who is entering or leaving a building; you need to know what they’re doing when they’re inside in time to prevent an attack.

Sharon quickly realizes that traditional security approaches can only present a narrow view of what’s happening in the cloud, and not in enough time to take action before it’s too late.

Download Closing Cloud Security Gaps: How to Achieve Comprehensive AWS Security ebook.

Download eBook

The endpoint modeling advantage

After a colleague recommends Observable Networks, Sharon decides to implement its Dynamic Endpoint Modeling solution as part of her cloud security strategy. Dynamic Endpoint Modeling delivers valuable real-time awareness of the “what, when, and where” details that occur at the earliest point in a possible attack.

Here’s how it works:

  • Sharon’s team starts by turning on AWS VPC Flow Log data and giving Observable’s SaaS security service read-right access to this information in their AWS client portal. This gives Observable access to network metadata in the same way that NetFlow collection and analysis is performed in a traditional infrastructure.
  • If she chooses, she can also provide access to CloudWatch APIs to enable Observable to retrieve additional event data from all AWS assets. This includes traffic from Amazon EC2 instances within the VPC without the need to install agents.
  • Dynamic Endpoint Modeling monitors each endpoint and builds a model of expected behavior of each device on the network. This is unlike anything native to AWS or any other competing service. This step makes maximum use of the AWS event logs and provides the behavioral insight needed to answer questions such as “What are my assets doing? Are any of these activities potentially threatening?”
  • If an asset alters its behavior, endpoint modeling detects this change, and if it appears potentially threatening or indicative of a compromise, endpoint modeling will generate an alert. In the alert, endpoint modeling compares the new behavior to the model and helps Sharon’s team understand exactly what changed – and if these changes represent a threat.
  • Endpoint modeling also integrates with other AWS services such as Amazon Inspector for additional flexibility, insight, and control.

Sharon’s team benefits from Dynamic Endpoint Modeling’s rich operational context on each endpoint, enabling it so generate highly selective alerts that are extremely valuable to her team. (In a recent measurement, over a 30-day period, 87% of the alerts generated were rated “helpful” by Observable clients.)

The one-two punch in AWS and public cloud security

As Sharon considers her security challenge, she can compartmentalize her security needs into two components:

  1. First, Sharon needs tools and processes to help her team keep track of the configuration of every cloud asset deployed in her AWS infrastructure. She needs to know what versions of software are running, and what run-time configuration vulnerabilities might exist based on each asset’s configuration. This is provided by a number of Amazon and third-party services and software.
  2. Additionally, Sharon needs a way to know what each asset is actually doing, and whether or not any particular asset’s activities are unusual for that asset and potentially threatening. This need is met by Observable Networks. 

Experience Dynamic Endpoint Modeling on Your Own Network

Getting better visibility into your network and improving your security couldn’t be easier. Sign up for a free, no-risk trial of Observable’s Endpoint Modeling solution, and change the way you see security.

Detect Threats Faster – Start Your Free, No-Risk Trial