Improving AWS security services with Sysdig Secure
content:Table of Contents Shared Responsibility Model Cloud Native Security AWS Security Offerings Sysdig Improvements Endnotes
One of the primary goals of information security is to protect data, which of course entails protecting the resources that store and provide access to that data.
According to the NIST Cybersecurity Framework, organizations need to develop and implement the necessary protections to restrict or mitigate the effect of a possible cybersecurity incident.
Security should be integrated right from the source of the cloud architecture design process. Today, threat prevention and continuous security assessment are essential elements of enterprise cloud strategy today. This article will focus on these protection mechanisms.
AWS Shared Responsibility Model
The modern cloud architecture strategy requires a shared security model, which means that even though cloud providers such as AWS, offer considerable advantages for security and compliance efforts, they do not absolve the customer from protecting their users, applications, data, and service offering(s).
It is critical to understand the shared responsibility model, including which security tasks handled by the cloud provider and tasks handled by you, the customer. The workload responsibilities vary depending on whether the workload is hosted on Software as a Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-service (IaaS), or in on-premises data centers.
The monitoring, logging, and alerting policies are important aspects of the customers’ responsibility in the AWS Shared Responsibility. These policies enable the customers to improve their chances of detecting malicious behavior on systems and networks.
Monitoring is an important part of maintaining the reliability, availability, and performance of AWS solutions. AWS provides tools and features that enable the customers to record and monitor cybersecurity-related events on a continuous basis within the AWS environment.
Understanding cloud native security
As we covered in our blog post Guess who in cloud security landscape, about 50% of organizations recognize that they have a lack of internal knowledge about cloud-native security.
We want to help the reader be able to understand by themselves the “what and why” of each service. To do so we will contextualize security services leveraging two different methods:
- Security industry approaches
- Documentation from AWS Well-Architected Framework security pillar.
Security industry approaches
- CWPP (Cloud Workload Protection Platform) → Runtime detection, system hardening, vulnerability management, network security, container compliance, and incident response.
- CSPM (Cloud Security Posture Management) → Cloud controls plane protection by verifying the static configuration, best practices, frameworks, and benchmarks.
- CIEM (Cloud Infrastructure Entitlement Management) → Track and find gaps in cloud permissions and policies aimed to enforce least privilege access.
- CAASM ** (Cyber Asset Attack Surface Management) → Cyber asset attack surface management. Discover, inventory, and track assets (plain hosts, network devices, S3 buckets, containers, etc.)
(We avoid listing CNAPP because it basically contains all the previous elements).
There are many other classifications and layers on the security side of things but we want to keep this blog post as simple as possible.
AWS Well Architected Framework approach
Before going into details, let’s classify AWS services into two main groups:
- Elements with implicit security features: Foundational services that incorporate some security related traits or have a direct impact on the overall security (AWS Artifact, IAM, EC2, etc.)
- Explicit security services: Components aimed to address security issues like vulnerabilities, threats, risk management, etc. (e.g. AWS Security Hub, Amazon Guard Duty, Amazon Inspector, Amazon Macie, …)
The range of security services AWS offers is rich in options and inter-connection possibilities, although it generates some additional levels of complexity that we will analyze later. Let’s have a look at the main AWS native security services like AWS CloudTrail, Amazon GuardDuty, Amazon Inspector, AWS Config, AWS IAM service, AWS Security Hub, etc.
Understand AWS security offerings
After examining the wide variety of security tools offered by AWS, let’s focus on native solutions meant to address CNAPP and related (CWPP, CSPM, CIEM) requirements using the aforementioned AWS security approach as our lens:
|Amazon Inspector||Config detection and vulnerability scanning||Infrastructure|
|Extends vulnerability scanning capabilities for host instances and images also applying runtime intelligence to provide risk spotlight. Extends CSPM and Compliance features by combining dynamic and static checks into an unified experience.|
|Amazon Guard Duty||Cloud Security Monitoring and intelligent threat detection||Mainly CWPP, also CSPM||Rich OOTB set of rules for CWPP and cloud security monitoring. Deep runtime detection for workloads and cloud.|
|AWS Cloudtrail*||Audit Logging||Enables detection||Native integration with CloudTrail|
|AWS IAM*||Granular permission||Enables access||Easy application of least privilege access. CIEM|
|AWS Security Hub||Compliance and Data Security||CSPM, Standardization, React/Alert||Sysdig unifies Continuous Compliance for cloud and workloads with remediation capabilities|
|Amazon Macie||Monitor sensitive Data||Data related CSPM||Sysdig reinforces Secure Posture and Compliance related to data like GDPR and HITRUST|
|AWS Config*||Helps with Detection, Configuration Drifts and Data Protection||Helps with CSPM||Detect runtime threats and vulnerabilities leading to reaction, remediation and forensic analysis|
Security and compliance for EC2 via vulnerability management, configuration, network ports exposure, unsafe protocols, detection, and prioritization by severity rating.
This solution is agent-based (Inspector classic agents were switched with AWS Systems Manager agents in, Inspector v2).
Amazon Guard Duty
This service helps to identify unexpected and potentially unauthorized or malicious activities like Malware, crypto mining or attacks. GuardDuty ingests audit logs from multiple sources like CloudTrail event logs, VPC, S3, DNS, and EKS.
AWS Security Hub
AWS Security Hub provides a comprehensive view of the security state of your AWS resources by ingesting actionable events from other sources and services such as Amazon GuardDuty, Amazon Inspector, Amazon Macie as well as from Certified Partner Solutions or some Open Source Tools. These security alerts are standardized, aggregated and prioritized. Actions based on these findings can be triggered using for instance Amazon Detective or Amazon CloudWatch Event rules.
AWS CloudTrail allows monitoring AWS deployments in the cloud by getting a history of AWS API calls for your account, including API calls made by using the AWS Management Console, the AWS SDKs, the command line tools, and higher-level AWS services. Sysdig consumes this service among others as part of cloud security and compliance continuous feedback.
Security in AWS begins with the foundation of Identity, which is managed by the Identity and Access Management (IAM) service with fine-grained access control policies.
Amazon Macie is a fully managed data security and data privacy service. Macie uses machine learning and pattern matching to help discover, monitor, and protect your sensitive data in Amazon S3 and receive alerts about sensitive data, exposed information, and intellectual property. Combined with other tools, it can help to meet regulations like HIPAA, GDPR, etc.
AWS Config provides a detailed view of the resources associated with your AWS account, including how they are configured, how they are related to one another, and how the configurations and their relationships have changed over time. It is not explicitly related to security but it has too many security implications to not be listed in this article. Continuous monitoring/audit configuration, change management, continuous assessment, and operational troubleshooting.
Sysdig offering: How to complement AWS security services
Sysdig enforces Least privilege for AWS IAM
Identity is (almost) the new perimeter in the cloud.
Privilege escalation is a common technique attackers use to gain unauthorized access to systems within a security perimeter. Inadequate security controls, or failure to follow the principle of least privilege, with users having more privileges than they actually need are just some of the ways they find the “doors wide open” to cloud environments.
In other cases, attackers exploit serverless services, like the Lambda function, using specific techniques to elevate privileges. In addition, it’s possible to affect software vulnerabilities to overcome an operating system’s permissions mechanism and then move to your infrastructure using Lateral Movement technique.
Even though we find a good amount of resources in AWS around the importance of applying the Principle of Least Privilege access to cloud identities, there is no easy way to accomplish that.
We talked about the different AWS security services that can help us realize the permissions granted to identities (e.g., AWS IAM), the actions (e.g., AWS Config) that can be done over a resource (e.g., Amazon Macie), and the information related to the activity the human and non-human identities perform over a daily basis (e.g., CloudTrail). Nevertheless, all that information is spread across multiple AWS service offerings.
Sysdig CIEM offering is something different.
We complement AWS service offering regarding permissions and identities with a dashboard that unifies all the configuration, insights, and the meaningful information from AWS so you can perform the necessary tasks to really enforce this least privilege access principle.
With a CIEM dashboard, you can unveil the identities no longer working in the organization, the roles, the serverless identities you created for a POC that had granted way too many permissions and are no longer needed.
Remember, attackers are there scanning whatever hints they may find.
Many times, engineers get assigned to projects that were to be done by yesterday. For the sake of the project, we may end up granting more permissions than needed. We do not want to be the ones stopping the business. If we analyze the behavior of that cloud identity, we find it is using just a defined amount of permissions over a limited pool of resources.
Sysdig will save you and your team a good amount of manual investigation through AWS services with auto-suggested policies, analyzing what entitlements are granted versus what’s actually used/needed.
Sysdig threat detection for cloud and containers
Amazon GuardDuty is the service AWS provides as Threat Detection to its customers. It does a phenomenal job detecting anomalies involving AWS resources like IAM access keys, EC2 instances, S3 buckets, and Amazon EKS resources.
Sysdig is especially well known for its runtime detection capabilities, not only around workload protection but also cloud security monitoring (read Falco for cloud for more details) and its stream detection approach.Sysdig Secure offers additional capabilities over Amazon GuardDuty.
- Amazon GuardDuty uses the default AWS DNS resolvers to find issues, so if a malicious actor changes the default configuration and adds a different DNS (i.e., 184.108.40.206 or 220.127.116.11), anyone could query a domain without being detected
- Amazon GuardDuty may not scan unusual activity happening inside your production workloads, unknown malware, sources, and so on.
Stream detection is a continuous process that collects, analyzes, and reports on data in motion. With a streaming detection process, logs are inspected in real-time. This real-time detection allows you to identify unexpected changes to permissions and services access rights, as well as unusual activity that can indicate the presence of an intruder or an exfiltration of data.
This way, Sysdig Threat Detection capabilities can now detect the same cloud events as GuardDuty, along with the long-term existing ones of the workload side like: spawning a shell in a container, writing below sensitive folders, delete bash history…expanding the same functionality for Fargate tasks since AWS launched platform version 1.4.0 of AWS Fargate.
When it comes to practical action, depending on the scale of your cloud deployment, GuardDuty findings can be a little overwhelming, You can get lost pretty easily with so much information. If the team needs to fix the most critical findings as soon as possible, then you will need to filter out some of the noise. Here, Sysdig can be your ally.
Sysdig’s threat detection engine uses the open source project Falco under the hood, which means you get to use the Falco language to write rules and can take advantage of the use of a real language with macros, lists, exceptions… and the Falco rule tuning to cut out unwanted noise.
Amazon GuardDuty service is exclusively available to AWS environments, which means you can’t use the power of their machine learning threat detection on any other cloud platform or on-prem deployment.
If you are planning on going multi-cloud or using hybrid cloud environments, Sysdig would pair nicely with GuardDuty, a good complement to empower security.
Sysdig continuous Compliance and CSPM
Compliance revolves around being in accordance with established guidelines or specifications, industry led and government supported.
The two main services that relate to Compliance in AWS are AWS Artifact (not covered in this article) and AWS Security Hub. But there are other services also needed to really have continuous compliance in AWS cloud: Amazon Inspector, AWS IAM, Amazon Macie, Directory Service, AWS Firewall Manager, AWS WAF, AWS Trusted Advisor, AWS Config, Amazon CloudWatch, AWS CloudTrail, AWS Control Tower…
Regarding Sysdig, you have all your compliance controls in one place: Posture.
There, you can find quite a long list of security compliance standard controls (SOC2, PCI, several NIST standards, ISO-27001, HiTrust, HIPAA, FedRAMP, GDPR and adding more standards in a regular basis…) that we have mapped for you, but also Industry Best Practices that come from the CIS Benchmarks and cloud provider’s advices, like the AWS Well arquitecture Framework.
While AWS Security Hub does a very good job providing security findings regarding the configuration of your cloud account and services, it lacks visibility into the workloads.
Here is where Sysdig can help you.
Sysdig provides an overview of your security posture in both worlds, the public cloud infrastructure, as well as the workloads you have in production (whether they are on-premise or in the cloud). You will be able to harden those to comply with security requirements, flagging violations when you haven’t configured AppArmor correctly in your cloud instances or you don’t have sudo suid set.
Also, if you happen to be working with on-prem datacenters, you will also want consistency between the two environments.
Sysdig is not an alternative to AWS security services, but it is complementary and strengthening of AWS Security Hub, and is a solution to consider if you want to simplify operations between the cloud and the on-prem infrastructure of your company.
- This flexibility generates some additional technical complexity because of the need of deploying, configuring, and interconnecting several services.
- With time, we can expect AWS to introduce more of their specialized security tools while deprecating older ones. This also might eventually lead to increased complexity for Cloud Architects and Security Specialists in integrating and managing these many sources of truth.
- It is difficult to link context and correlation coming from different AWS tools for having something close to a unified experience.
Sysdig Secure strengthens AWS and multi-cloud security by providing a powerful but simple unified experience with a predictable cost model, covering: