Amazon Web Services (AWS) this week unveiled a new service called Amazon GuardDuty that the cloud giant says will play an important role in helping keep AWS accounts and workloads safe from cyber criminals.

The service works in the background, continuously monitoring account activity for malicious or unauthorized behavior, and automatically flagging anomalies to the AWS account owner.

[Image: Keynote at re:Invent 2017 – AWS]

For clouds large and small

The rising popularity of cloud services means that organizations often find themselves with multiple accounts, running large workloads that can amount to hundreds of thousands of instances.

Identifying and assessing anomalous behavior across such environments can be a highly challenging proposition.

AWS says GuardDuty is not intended to replace existing cloud-centric security solutions, but to complement them by identifying threats that might slip through the cracks. The service works across multiple AWS accounts, and can scale to meet the needs of the largest organizations.

GuardDuty is enabled from the AWS management console. Once activated, it will analyze API calls and network usage to establish a baseline of what constitutes normal account activity. This is then correlated with both AWS-developed threat intelligence sources and third-party sources, and machine learning is applied to identify events that fall outside the normal patterns – and to allow false positives to be kept to a minimum.

The service incorporates threat intelligence feeds from external sources such as CrowdStrike and Proofpoint, as well as from the AWS security team, to help identify known bad actors and protect customers from them.

In addition, GuardDuty exposes API endpoints, so it can interoperate with third-party solutions for deeper analysis and automated prevention. AWS says providers such as Palo Alto Networks, Splunk and Trend Micro have already built integrations with Amazon GuardDuty, with others expected to follow.

Security with no overheads

While at re:Invent, Stephen Schmidt, chief information security officer (CISO) of AWS, spoke about how the cloud provider manages security, revealing that it does not run a SOC, or security operations center.

“If you have people in a room watching a screen for something to happen, you are already too late,” he said. Instead, the cloud giant had created a system of event-driven services to monitor and automate security responses, as opposed to “waiting for a time interval to elapse.”

Thanks to this system, a single security engineer is all it takes to keep an eye on the vast AWS cloud at any one time: “[Working in shifts] they rotate every six hours, across four locations in the world. It goes from Hayden to Seattle to Sydney and Dublin. There is a primary on-call [contact] and secondary on-call, and an escalation [contact].”

Drawing on this experience, AWS built GuardDuty from the ground up with a similar event-driven design. Because it does not rely on agents or sensors, there are no reliability concerns for existing workloads and no network overhead to consider. Once enabled, the service operates with no performance impact and zero account footprint.
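As an added illustration of the event-driven response model described above (this is example code, not AWS's own and not from the announcement), here is a small triage handler for GuardDuty findings. It assumes findings arrive in the CloudWatch Events envelope GuardDuty emits, uses GuardDuty's documented severity bands (below 4 Low, 4 to 6.9 Medium, 7 and above High), and the routing actions and sample values are constructed for illustration.

```python
"""Triage handler for Amazon GuardDuty findings delivered as events.

Added example, not AWS code. Assumes the CloudWatch Events envelope that
GuardDuty emits ("detail" carries the finding) and that the caller dispatches
the chosen action (paging, ticketing, logging).
"""
import json

# GuardDuty severity bands: Low below 4.0, Medium 4.0-6.9, High 7.0 and above.
def severity_label(severity: float) -> str:
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    return "LOW"

# Routing table (hypothetical): what an event-driven pipeline does per band.
ACTIONS = {"HIGH": "page-oncall", "MEDIUM": "open-ticket", "LOW": "log-only"}

def triage(event: dict) -> dict:
    """Return a routing decision for one GuardDuty finding event."""
    if (event.get("source") != "aws.guardduty"
            or event.get("detail-type") != "GuardDuty Finding"):
        raise ValueError("not a GuardDuty finding event")
    finding = event["detail"]
    label = severity_label(float(finding["severity"]))
    resource = finding.get("resource", {})
    # EC2 findings carry an instance id; IAM findings carry access-key details.
    target = (resource.get("instanceDetails", {}).get("instanceId")
              or resource.get("accessKeyDetails", {}).get("userName")
              or "unknown")
    return {"id": finding["id"], "type": finding["type"],
            "account": finding["accountId"], "severity": label,
            "target": target, "action": ACTIONS[label]}

# Constructed sample event (not real data), shaped like a port-probe finding.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "123456789012",
        "region": "us-east-1",
        "id": "EXAMPLE-FINDING-ID",
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 5,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENT), indent=2))
```

In a real deployment the handler would run as a Lambda function subscribed to GuardDuty events and hand the decision to the team's ticketing or paging integration.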

“Customers often tell us that the best way we can help them stay secure is to give them smarter tools that make it easier to get security right,” Schmidt said. “We designed Amazon GuardDuty to be so simple and cost effective that turning it on would be an easy choice for every AWS customer, regardless of their security expertise or the existing security services they use.”