There's nothing more satisfying to a security-conscious Amazon Web Services client than the gift of configuration controls.
With AWS CloudTrail, Amazon CloudWatch and VPC Flow Logs, Amazon Web Services (AWS) records your API activity, metrics and network metadata for you. AWS Config then records resource configurations and evaluates them against the rules you define. Finally, in comes Amazon Inspector to audit virtual server configurations and identify weak spots in applications. A report is generated that recommends where security can be improved, and voila – you're now guarded against:
Known deviations from preset configurations
Inadequate enforcement of security standards
However, many cyber threats aren't detected by examining configuration vulnerabilities. Here are three cyber threats that AWS log data and tools, on their own, don't show you. You're not guarded against:
The first: attacks that unfold in stages. A would-be attacker must establish a foothold by exploiting some vulnerability, move laterally to a valuable target, and only then exfiltrate data or implant malware.
Raw flow logs will tell you about individual connections and connection attempts, but they won't show you behavior changes and patterns. The logs might show a single break-in attempt from an unfamiliar external host, but no single log line will tell you that the same host has tried every day for the last three days.
Endpoint modeling is good at identifying "new" things, the discovery phase of the attack, and "persistent" things, the probing phase in which the attacker keeps trying to find a foothold. When a new interaction becomes persistent, you get an alert, so you can react before things proceed any further.
So although VPC Flow Logs and the AWS resource-description APIs are excellent data sources, in isolation they can't spot threats that unfold over time.
The second: stolen credentials. Identity and access management tools are useful until an attacker obtains login credentials for applications living in your AWS network. Thanks to VPC Flow Logs and Amazon CloudWatch, every connection to every endpoint is logged.
Again, a logged connection doesn't mean anything as long as no rules are broken. We realize that the beauty of your cloud-based applications is that they're accessible on the go, allowing for uninhibited productivity and collaboration. It's hardly unusual for a new device to make a connection, especially at mid-market and larger organizations with a spread-out workforce and client base. AWS Config and Amazon Inspector have no objection to it either: a valid session using valid credentials breaks none of the rules they check. What they can't do is differentiate between a legitimate user session and an attacker who has stolen account credentials and intends to exfiltrate sensitive data.
Fortunately, because every endpoint connection is logged and time-stamped, and because the activity that follows is logged too, the metadata is a map through the mayhem. Analyze it on an ongoing basis, build a model of normal behavior for each endpoint, detect deviations from that model, and only then can you respond to threats swiftly.
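As an added example (not Observable's code, and not anything AWS ships), here is a minimal endpoint model in Python that shows both points above: the persistence that no single flow-log line reveals, and a deviation from an endpoint's learned baseline of the kind a stolen credential produces. The flow-log records are constructed in the default version 2 layout, the account and interface IDs are placeholders, and the three-day persistence window and 100 MB volume threshold are illustrative assumptions rather than recommended settings.

```python
"""Added example (not Observable Cloud's or AWS's code): a minimal endpoint
model over VPC Flow Logs. It learns which interactions were seen during a
baseline window, then reports interactions absent from that baseline that
either recur across several distinct days (persistence, which no single
flow-log line shows) or move an exfiltration-sized volume of data."""
from datetime import date, datetime, timezone

# Field order of the default (version 2) VPC Flow Log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_flow(line):
    """Parse one space-separated flow-log record into a dict."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for field in INT_FIELDS:
        rec[field] = int(rec[field])
    return rec


def flow_day(rec):
    """UTC calendar day of the flow's start time (epoch seconds)."""
    return datetime.fromtimestamp(rec["start"], tz=timezone.utc).date()


def interaction_key(rec):
    """An interaction: who talked to whom, on which port and protocol, and
    whether the security group accepted or rejected it."""
    return (rec["srcaddr"], rec["dstaddr"], rec["dstport"], rec["protocol"], rec["action"])


def build_baseline(records, baseline_days):
    """Every interaction observed on one of the baseline days counts as normal."""
    return {interaction_key(r) for r in records if flow_day(r) in baseline_days}


def detect(records, baseline):
    """For each interaction absent from the baseline, collect the distinct days
    on which it occurred and the total bytes it moved."""
    seen = {}
    for r in records:
        key = interaction_key(r)
        if key in baseline:
            continue
        entry = seen.setdefault(key, {"days": set(), "bytes": 0})
        entry["days"].add(flow_day(r))
        entry["bytes"] += r["bytes"]
    return seen


def alerts(records, baseline, persist_days=3, byte_threshold=100_000_000):
    """Alert when a new interaction recurs on persist_days distinct days (the
    probe that 'happened every day') or moves byte_threshold or more bytes (an
    exfiltration-sized transfer). Both thresholds are illustrative assumptions."""
    out = []
    for key, entry in sorted(detect(records, baseline).items()):
        if len(entry["days"]) >= persist_days:
            out.append(("persistent-new", key))
        if entry["bytes"] >= byte_threshold:
            out.append(("high-volume-new", key))
    return out


# --- Constructed sample data (not real traffic); account and ENI are placeholders.
def _ts(day, hour):
    return int(datetime(2016, 11, day, hour, tzinfo=timezone.utc).timestamp())


def _line(day, hour, src, dst, dport, nbytes, action):
    start = _ts(day, hour)
    return (f"2 123456789012 eni-0a1b2c3d {src} {dst} 49152 {dport} 6 10 {nbytes} "
            f"{start} {start + 60} {action} OK")


SAMPLE_LINES = (
    # Normal: app server to its database, and bastion to app server over SSH, daily.
    [_line(d, 9, "10.0.1.10", "10.0.2.20", 5432, 40_000, "ACCEPT") for d in range(1, 6)]
    + [_line(d, 10, "10.0.0.5", "10.0.1.10", 22, 8_000, "ACCEPT") for d in range(1, 6)]
    # An external host probing SSH on the app server every day from day 3 onward.
    + [_line(d, 3, "198.51.100.7", "10.0.1.10", 22, 120, "REJECT") for d in range(3, 6)]
    # On day 5 the app server pushes ~500 MB to an external host it never spoke to.
    + [_line(5, 2, "10.0.1.10", "203.0.113.9", 443, 500_000_000, "ACCEPT")]
)
BASELINE_DAYS = {date(2016, 11, 1), date(2016, 11, 2)}


def run_sample():
    records = [parse_flow(line) for line in SAMPLE_LINES]
    return alerts(records, build_baseline(records, BASELINE_DAYS))


if __name__ == "__main__":
    for reason, key in run_sample():
        print(reason, key)
```

Run against the constructed sample, the daily app-to-database and bastion-to-app flows are in the baseline and produce nothing; the external SSH probe is rejected every time, yet it is the only interaction that recurs on three distinct days, and the 500 MB push from the app server to an unfamiliar host is accepted by the security group, yet it is flagged because that endpoint has never spoken to that peer before. Neither alert is visible from any single log line, and neither is a configuration violation.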
The third: hijacked devices. In late October 2016, the Internet of Things (IoT) came to life and bombarded a DNS provider, Dyn, with requests. In what was cited as one of the largest distributed denial-of-service attacks of its kind, Dyn was unable to resolve legitimate queries, causing downtime for some of the biggest names in industry, including Netflix, Twitter, Spotify and Amazon.
The attack was possible because of a piece of malware called Mirai, which commandeered IoT devices that still used their default passwords and directed them to flood Dyn with requests.
Here's the terrifying part of this incident: IoT devices that report to an AWS-hosted backend may make millions of online connections every day. Within reason, that's the kind of activity your configuration, and the AWS Config rules that check it, can govern. But the moment an attacker tells those devices to do something they've never done before, be it joining a botnet army bent on taking down a large slice of the internet or something much worse, you're basically on your own.
Unless, of course, you have a system in place that automatically flags this behavior as anomalous. Our newly named Observable Cloud solution's learning algorithms use network metadata to build a holistic picture of each endpoint's role, so the moment it goes off course, you'll know about it. When all's said and done, your configurations can only tell you how endpoints should be behaving. Knowing what they're actually doing, and diagnosing threatening activity, requires endpoint modeling.
Protecting your AWS infrastructure by identifying insider and external threats faster couldn't be easier. Sign up for a free, no-risk trial of Observable’s Endpoint Modeling solution, and change the way you see security.