Visibility – Incident Response – SCS-C02 Study Guide

Visibility

Other services offered by AWS provide different visibility and insights into your accounts to help you understand where malicious activity or an incident could occur.

Amazon Detective is a security service that helps simplify the investigative process for security teams by using machine learning and statistical analysis to show the interactions between users and resources over time in an empirical view. Amazon Detective collects log data from several sources, such as VPC Flow Logs, CloudTrail, and Amazon GuardDuty, and then creates a unified interactive view of your resources and users over time.

Amazon GuardDuty is a Region-based managed service powered by machine learning and designed to act as an intelligent threat detection service. It monitors logs from other services and features, including VPC Flow Logs, DNS logs, and AWS CloudTrail event logs. GuardDuty analyzes these logs to detect unexpected and unusual behavior and cross-references the results with multiple threat intelligence and security feeds, which helps it identify potentially malicious activity and anomalies.

Amazon Macie is a machine-learning-powered service that discovers and helps classify sensitive data stored in your account, such as personally identifiable information (PII), so that you can assign it a business value, keep closer track of it, and tighten your security policies as your organization sees fit.

AWS Security Hub integrates with other services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. This is in addition to various AWS Partner products and toolsets.

This scope of integration allows AWS Security Hub to act as a single-pane-of-glass view across your infrastructure, bringing all your security findings into one place and presenting them as a series of tables and graphs. For those who manage multiple AWS accounts, Security Hub can operate across all of them using a primary-subordinate relationship. The service is always on, continuously running and processing data in the background, which allows it to automatically identify any discrepancies against best practices. The data received from the integrated services is checked against industry standards, such as the Center for Internet Security (CIS) benchmarks, enabling the service to spot potential vulnerabilities and weak spots in specific resources across multiple accounts. Early detection of weaknesses and non-compliance is valuable in safeguarding your data.
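The aggregation described above can be reasoned about without an AWS account: Security Hub normalizes every finding it receives into the AWS Security Finding Format (ASFF), so a triage pass over those records works the same whether a finding came from GuardDuty, Inspector, Macie, or a CIS control check. The following Python is an added example written for this guide, not code from AWS or from the book. Its findings are constructed sample records, and the "actionable" rule, the severity ranking, and the per-account grouping are this example's own choices rather than Security Hub behavior.

```python
"""Triage Security Hub findings offline, using the AWS Security Finding Format (ASFF).

Added example for this study guide; the findings below are constructed for
illustration and are not real output from any AWS account.  The field names
(AwsAccountId, ProductArn, Types, Severity.Label, Compliance.Status,
Workflow.Status, RecordState) follow the ASFF schema; the "actionable" rule,
the severity ranking and the grouping are this example's own choices.
"""
from collections import Counter, defaultdict

SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
OPEN_WORKFLOW_STATES = {"NEW", "NOTIFIED"}  # RESOLVED and SUPPRESSED are not open


def make_finding(finding_id, product, account, severity, finding_type, title,
                 workflow="NEW", record_state="ACTIVE", compliance=None):
    """Build a minimal ASFF record (constructed sample data, not from AWS)."""
    finding = {
        "SchemaVersion": "2018-10-08",
        "Id": finding_id,
        "ProductArn": f"arn:aws:securityhub:us-east-1::product/aws/{product}",
        "AwsAccountId": account,
        "Types": [finding_type],
        "Severity": {"Label": severity},
        "Title": title,
        "Workflow": {"Status": workflow},
        "RecordState": record_state,
    }
    if compliance is not None:  # only control checks carry a Compliance block
        finding["Compliance"] = {"Status": compliance}
    return finding


# Constructed sample: findings from GuardDuty, Inspector and Macie plus two
# Security Hub control checks, spread over two member accounts.
SAMPLE_FINDINGS = [
    make_finding("constructed-001", "guardduty", "111111111111", "HIGH",
                 "TTPs/Command and Control",
                 "EC2 instance is communicating with a suspected command and control host"),
    make_finding("constructed-002", "inspector", "222222222222", "MEDIUM",
                 "Software and Configuration Checks/Vulnerabilities/CVE",
                 "Package with a known vulnerability installed on an EC2 instance",
                 workflow="NOTIFIED"),
    make_finding("constructed-003", "macie", "111111111111", "MEDIUM",
                 "Sensitive Data Identifications/PII",
                 "S3 object contains personally identifiable information"),
    make_finding("constructed-004", "securityhub", "222222222222", "LOW",
                 "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
                 "CIS control: MFA should be enabled for the root user",
                 compliance="FAILED"),
    make_finding("constructed-005", "securityhub", "111111111111", "INFORMATIONAL",
                 "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
                 "CIS control: CloudTrail should be enabled in all Regions",
                 compliance="PASSED"),
    make_finding("constructed-006", "guardduty", "111111111111", "HIGH",
                 "TTPs/Command and Control",
                 "Older finding already worked and archived",
                 workflow="RESOLVED", record_state="ARCHIVED"),
]


def product_name(finding):
    """Return the integration that produced the finding, e.g. 'aws/guardduty'."""
    return finding["ProductArn"].split("product/", 1)[1]


def is_actionable(finding):
    """Open finding that still needs work: active, not resolved or suppressed,
    and either a threat/vulnerability finding or a control check that FAILED."""
    if finding.get("RecordState") != "ACTIVE":
        return False
    if finding.get("Workflow", {}).get("Status", "NEW") not in OPEN_WORKFLOW_STATES:
        return False
    return finding.get("Compliance", {}).get("Status") in (None, "FAILED")


def actionable_findings(findings):
    return [f for f in findings if is_actionable(f)]


def failed_controls(findings):
    """Active control checks whose compliance status is FAILED (the CIS gaps)."""
    return [f for f in actionable_findings(findings)
            if f.get("Compliance", {}).get("Status") == "FAILED"]


def summarize_by_account(findings):
    """Per-account severity counts: the single-pane view an administrator sees."""
    summary = defaultdict(Counter)
    for f in actionable_findings(findings):
        summary[f["AwsAccountId"]][f["Severity"]["Label"]] += 1
    return {account: dict(counts) for account, counts in summary.items()}


def triage_queue(findings):
    """Work queue ordered by severity (highest first), then account, then title."""
    rows = [(f["AwsAccountId"], product_name(f), f["Severity"]["Label"], f["Title"])
            for f in actionable_findings(findings)]
    rows.sort(key=lambda row: (-SEVERITY_RANK[row[2]], row[0], row[3]))
    return rows


if __name__ == "__main__":
    for account, counts in sorted(summarize_by_account(SAMPLE_FINDINGS).items()):
        print(account, counts)
    for row in triage_queue(SAMPLE_FINDINGS):
        print(*row, sep=" | ")
```

The check worth carrying into real triage is the one `is_actionable` performs: control checks that PASSED and findings that are ARCHIVED or already RESOLVED are still records in Security Hub, so a count that does not filter on `RecordState`, `Workflow.Status`, and `Compliance.Status` overstates the open work and buries the HIGH finding from the member account under noise.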

Note

You will take a deeper look into AWS Security Hub and GuardDuty, along with a sample walkthrough, in Chapter 6, Event Management with Security Hub and GuardDuty.

These services work in conjunction with, not in competition with, the logging, monitoring, and alerting services discussed earlier. Running compute, network, and data environments is a complex operation that needs a defense-in-depth strategy to keep the environment safe.

With a solid grasp of how logging ties into your IR strategy, you are now ready to move on to see how to handle the actual response to the incident. This will be covered in the next section.

Response/Operation

After the incident has been detected, you need to be able to respond to the alert. Often, this will be a manual operation involving disabling any access gained in an unauthorized manner or removing any resources or instances created without prior consent.