AWS CloudTrail Best Practices, SIEM, and Lacework
March 15, 2021
Security and the move to the Cloud
A cornerstone of comprehensive cybersecurity programs is the ability to operationalize log data, such as alerting, reporting, or automation. Traditionally, this meant logging servers, firewalls, directories, intrusion prevention, and related tooling to your Security Information and Event Management (SIEM) platform of choice and hiring a dedicated team to manage and review this myriad of data. Our migration to the cloud compounds this problem with new logs, such as AWS CloudTrail, that reflect the virtual, ephemeral, and highly transactional nature of this new infrastructure.
AWS is nearly synonymous with “the cloud” in the minds of many, as the company continues to grab year-over-year market share. AWS hosts an ostensibly boundless array of service offerings for their customers. These span from relatively simple virtual servers (EC2) and storage (S3) to more complex platforms such as Kubernetes container orchestration (EKS) and a growing menu of managed database services such as Amazon RDS, Aurora, and DynamoDB. Each of these services produces volumes of API-driven CloudTrail logs.
Why do you need AWS CloudTrail?
CloudTrail contains the raw history of activity from each of these AWS services, which may reside in one or many AWS accounts. CloudTrail logs each API action from the AWS Management Console and some AWS services, but also from the AWS command-line tools and AWS Software Development Kits. Every time one of these cloud services performs an access, add, delete, or modify, a corresponding CloudTrail event is recorded.
What are some challenges with AWS CloudTrail?
One consideration involves scope, cost, and scale. CloudTrail provides a veritable one-stop shop to query or act on vital security, compliance, or troubleshooting logs. AWS supplies their somewhat anemic CloudTrail console for ad hoc searches within the 90-day default time window; therefore, many Enterprise IT shops will ingest CloudTrail logs into their SIEM platform for deeper analysis and querying. But therein lies the rub—these logs are prolific and are essentially duplicated, verbatim, into your environment. Given that SIEM vendors often license by events per second or by gigabytes per day, either of these models is an expensive proposition that continues to scale up over time.
For context, cybersecurity spend is quickly on the rise in response to the growing trend of large-scale financially motivated incidents and breaches headlining the news at a near daily pace. Countless records have been exfiltrated from well-intentioned companies and organizations, with the count growing at a rapid cadence. The recent SolarWinds supply chain attack demonstrated how vulnerable even the most cautious and prepared among us are. Entities, including the US Government, are still unraveling the threads from that attack, and they will be for years to come. Post-incident forensic analysis can easily reference billions (trillions?) of logs from months or years ago to track down the intruder and logging of that caliber isn’t free.
Why do AWS Cloudtrail Costs Increase?
A SIEM provides a centralized means for security teams to query an array of log data, not only from AWS CloudTrail but from other log sources, including cloud providers such as Google Cloud Platform (GCP) and Microsoft Azure. With an astronomically high volume, finding the logs for a given incident is akin to finding a needle in a needle stack, much less a haystack! To further complicate the matter, many logs amount to little more than white noise for security analysts. Some research puts the signal-to-noise ratio at roughly 1:25,000. Put another way, companies are challenged with paying for one usable log entry buried within tens of thousands of fillers.
What Causes AWS CloudTrail Complexity?
Mature security teams preplan use cases in their SIEM to generate reports and alerts when specific log criteria are met, but even the largest teams cannot plan ahead for every eventuality. The reality is that a typical SIEM is often less proactive than reactive after the damage to your organization and reputation is already done. To compound matters, modern information systems can be incredibly complex. This is ever more so with newer technology stacks such as Kubernetes-orchestrated microservice architectures. The resultant mesh of disparate systems and logs provides a difficult and somewhat incomplete picture, where it is all too easy to miss a correlation of events or traffic. The cost of staffing out a team to manage, monitor, and act at this scale can be prohibitive, leaving many teams feeling understaffed and overworked.
7 Best Practices for AWS CloudTrail
Security practitioners should consider some best practices when working with AWS CloudTrail:
- Enable CloudTrail. Everywhere. This includes AWS regions where you may not have a presence since an adversary could spin up instances, services, or whole accounts without your noticing.
- To counter the default CloudTrail 90-day limit, centrally log to a dedicated and strictly controlled AWS S3 bucket. Consider creating a separate AWS account solely for this purpose.
- Enable CloudTrail log file integrity so that you can ensure the integrity of your logs.
- Augment S3 bucket logs with AWS Key Management Service (KMS) to reduce the complexity of tasks such as key rotation for your data at rest.
- Pay special attention to the policy settings on the S3 bucket where you store your CloudTrail logs to include separation of duties for bucket management.
- Enable MFA delete on the bucket to require additional authentication for log file deletion.
- Consider pairing AWS CloudTrail with AWS CloudWatch for metric data; an unusual spike in CPU utilization may be a sign of an active attack.
Lacework Cloud Security Platform easily ingests logs from the most complex multi-cloud and containerized systems, with little initial setup or ongoing maintenance. Unique machine learning allows it to identify connections and interdependencies that humans simply cannot, at least not within real-world budgets. This allows for truly proactive alerting on anomalous activity within your environment, with few false positives.
IT shops can see a potential SIEM licensing cost reduction of 75% or more by exporting a Lacework Channel instead of ingesting all AWS CloudTrail logs, wholesale, without a fear of losing data fidelity or integrity. Lacework provides a highly graphical unified interface for you to quickly and easily deep-dive into your investigations – historically or to a point in time – and show the data you need in a manner that makes sense.
One More Thing…
Lacework utilizes the same platform to produce compliance reports for PCI-DSS, CIS, HIPAA, ISO 27000, NIST and SOC 2 by AWS Account, Recommendation Severity, or Status. File integrity monitoring allows for quick searches of files and metadata such as path, hash value, owner, command line, and modified times. Vulnerability management offers visibility from the host down to the container and repository level. You can quickly gauge which hosts or containers are vulnerable and how many you have running. Then focus your efforts by generating reports of fixable vulnerabilities with instructions for remediation.
- Don’t be the breach in the headlines tomorrow.
- AWS CloudTrail logs should be an integral part of your overall security program.
- Modern service architectures can be incredibly complex and difficult to correlate the veritable plethora of separate event sources for.
- Your SIEM remains essential to your layered security architecture, but you can reduce license and staffing costs.
Let Lacework shoulder the volume and compute analysis of your CloudTrail logs and reallocate your SIEM budget and staffing to solve problems elsewhere.
To learn more about how to reduce your SIEM costs by 75%+ by pre-processing your AWS CloudTrail logs, join us on April 1, 2021 at 10:00 am PT | 1:00 pm ET for our upcoming webinar.