Host Intrusion Detection for Compliance in AWS and Multicloud Environments
June 5, 2019
To be compliant, an organization must ensure continuous awareness of every action that might affect configurations. These are not a one-size-fits-all type of occurrence, either; they happen at the application, ID, workload, and host layers of the cloud. This is where organizational and user data is being transacted, and because of the AWS Shared Responsibility Model, these are the domain of the customer.
A logical starting point is meeting the demands of the CIS Foundations Benchmark best practices. These are the guidelines from the Center for Internet Security (CIS) that outline the application of configurations to the layers within the AWS infrastructure. Used in conjunction with a continuous monitoring tool that delivers insights into configuration changes and anomalous activity, a security team can identify where issues exist that would prevent them from being compliant.
Lacework applies a continuous auditing approach, so security and compliance teams are immediately aware of any issues. The identification and analysis that Lacework applies is done at the velocity and pace of the cloud and generates reports with detailed information about where issues occur, who is responsible, and how they impact other events occurring in AWS.
Keep in mind that audits don’t investigate for present-state only; auditors are looking at the historical impact of an organization’s security posture and the measures used to ensure ongoing adherence to policies. Once out of compliance, the issue can be remediated, but if that particular setting is unknown, then you’re out of compliance until the audit reveals it. If auditors determine your cloud isn’t compliant with standards like PCI, SOC-2, or other compliance frameworks that are related to your business, you could lose your ability to operate. Most organizations understand this but still don’t have an organized approach for awareness. Automating the continuous activity in your cloud will provide a framework that can enable you to operate in compliance and securely.
AWS Account Security and CloudTrail Analysis
As we’ve seen, AWS is specific in how security responsibility is distributed. That should make the job of AWS customers easier because it’s more defined. However, maintaining awareness and an applicable and actionable security posture over their organization’s data, users, and resources demands an effort that goes beyond just oversight.
AWS provides a variety of security-related tools that collect data about events and activities. These tools capture data but do not provide analysis nor do they compare actions to normalized behaviors in order to assess the severity of issues.
One of these tools is AWS CloudTrail, which is a service that collects important data about the activities of your AWS Accounts. CloudTrail logs provide an overview of changes and updates, but they are not necessarily relevant to your actual environment until you can view them through the context of how these events impact your configurations and settings.
To use CloudTrail effectively, you need to first frame the data that’s most relevant to you. Many use CloudTrail logs as a storehouse to reference when something goes awry. That requires forensic analysis of where and how issues happened. Nothing wrong with that, although that’s mostly after-the-fact data and won’t necessarily help you get smarter about the security and compliance of your organization. Threats cannot be averted unless you identify issues before they happen, and CloudTrail isn’t prepared to deliver that.
What’s really needed is an analysis of CloudTrail logs, and Lacework applies visibility, insight, and analysis capabilities to CloudTrail logs, so users get both a continuous and automated view into their environment.
Lacework can act on account anomalies that are critically relevant to AWS Account security. By integrating with AWS CloudTrail and analyzing CloudTrail data means that Lacework can detect issues within AWS accounts, including:
- Irregular activity across AWS resources. This can be done in regions and/or accounts and can identify when new S3 buckets are launched and when there are changes within those resources.
- Unusual changes to users, roles, and any other type of access to apps and resources. This includes changes to security groups and when multi-factor authentication (MFA) is bypassed. Lacework employee machine learning to understand the normalized behaviors of users, accounts, services, and API calls, and alerts when there is an anomaly. Additionally, it is always monitoring defined, high-value events like S3 bucket creation and security group changes.
- All changes to AWS infrastructure services, which include changes to access master keys, route table modifications, and anything related to network interfaces and services. High-risk anomalies are presented with insights so that the security team can rapidly investigate and fix potential incidents.
Host-based Intrusion Detection
Even after applying best practices and creating an organizational mindset around security, you can only really know what’s happening if issues are identified at the point at which data is collected. That requires an agent to be operating in workloads or containers, so insights can be discovered at the host-based level rather than the network level.
Lacework’s host-based intrusion detection system (HIDS) uses anomaly detection algorithms and machine learning to analyze every application and user behavior inside a workload. The coverage includes all issues on SSH, parent hierarchy, user privilege change, process communication, machine communication, internal and external data transfers, and other cloud events.
Whether changes were intentional or the result of an attack, configuration changes open the cloud environment to potential bad actors and threats. Intrusion detection done at the host-level, like with Lacework, detects anomalies across all layers, leaving no hidden space at the application and data layer for bad actors to hide.
One of the key differentiators for Lacework’s approach is that events are analyzed against normalized behavior, which eliminates unending alerts and instead only surfaces those issues that are truly problematic. Lacework addresses issues with behavior baselining. Rather than looking at every machine, user, and application individually, our approach is to cluster these together based on historical behavior analysis, and alert when behavior is abnormal. The result is that, rather than being alerted multiple times for activities on multiple machines that all operate according to the same behaviors, we can alert you on the few issues that deviate from the norm.