CDSA

Amazon Web Services announced three new capabilities for Amazon GuardDuty, AWS’s threat detection service, that further strengthen customer security through expanded coverage and continuous enhancements in machine learning, anomaly detection, and integrated threat intelligence.

GuardDuty is part of a broad set of AWS security services that help customers identify potential security risks, so they can respond quickly, freeing security teams to focus on tasks with the highest value. The three new capabilities expand GuardDuty protection to container runtime behavior, as well as database and serverless environments. EKS Runtime Monitoring deepens threat detection inside customers’ containerized workloads. GuardDuty RDS Protection helps customers protect data stored in Amazon Aurora databases. GuardDuty Lambda Protection helps customers detect threats to their serverless applications.

The ability to gather, synthesize, and alert on security-relevant events is fundamental to any organization’s risk management program. The evolving cybersecurity landscape and multitude of security tools from different vendors, combined with a shortage of IT security professionals, make it challenging for customers to integrate and scale security detection and response across their environments. Many security teams today have to build or integrate multiple tools to detect anomalies, such as web server vulnerabilities, compromised instances used to serve malware or mine cryptocurrency, or compromised access credentials.

Integration challenges can lead to inefficiencies, data inconsistencies, and increased costs. In addition, the workplace and threat landscape continue to evolve, requiring chief information security officers (CISOs) to continually raise the bar on enterprise security to account for cloud adoption, remote working, and third-party infrastructure integration. Demand for technologies and services such as cloud threat detection, security analytics, cloud security posture management, and threat intelligence has been rising to tackle new vulnerabilities, misconfigurations, and other IT risks emerging from this digital transformation.

GuardDuty helps protect customers from the latest threats through ongoing innovation in machine learning, anomaly detection, and integrated threat intelligence continuously derived from the broad visibility AWS has across the global threat landscape. With a few clicks in the AWS Management Console, customers can activate GuardDuty across multiple accounts in multiple AWS Regions on highly trusted and secure-by-design AWS Cloud infrastructure and mitigate threats early by initiating automated responses.

Since its launch in 2017, GuardDuty has added more than 100 new threat detection capabilities, including the ability to detect credential exfiltration and compromise even when highly evasive techniques are used. GuardDuty uses machine learning detections trained to identify highly suspicious data access and any potential Amazon Elastic Compute Cloud (Amazon EC2) compromise, and uses integrated threat intelligence to detect malware and malicious container, database, and serverless access. GuardDuty comes with pre-integrated and continuously updated threat intelligence feeds from AWS and industry-leading, third-party providers such as CrowdStrike, Proofpoint, and Bitdefender. AWS-developed threat intelligence offers customers unique coverage against the latest global threat landscape, including emerging Linux-based malware, evolving credential exfiltration techniques, and new malicious domains identified through machine learning–based reputation models.

The three new capabilities added to GuardDuty build on the hundreds of features and enhancements available since its launch and expand security coverage to other AWS workloads and core deployment use cases. The capabilities can all be easily enabled organization-wide with a few steps and no other requirements or prerequisites, resulting in actionable, contextual, and timely security findings with resource-specific details to help quickly investigate and respond.

The new capabilities include:

–New container runtime protection for Amazon Elastic Kubernetes Service (Amazon EKS): GuardDuty EKS Runtime Monitoring introduces a fully managed, lightweight security agent that profiles and monitors on-host operating system–level behavior such as file access, process execution, and network connections. In tight collaboration with Amazon EKS, the agent performs without requiring customers to deploy, maintain, or update it. This allows GuardDuty to add security coverage comparable to other agent-based solutions, while maintaining easy-on enablement. It deepens GuardDuty protection for Amazon EKS deployments and decreases the operational overhead and complexity often required to achieve this level of coverage, especially in highly dynamic, containerized compute environments. GuardDuty now makes it easier to achieve runtime coverage across all Amazon EKS workloads in an account or organization.

Account and data compromise can often start with a single compromised endpoint or container that then escalates to credential compromise and can spread to the broader AWS environment and data stored in it. With GuardDuty’s visibility across runtime events, Kubernetes audit logs, and broader AWS control plane and networking logs, customers can identify steps in an attack and are signaled early to contain potential security threats before the threat escalates to broader business-impacting breaches. This capability builds on the initial integration of GuardDuty EKS Protection, which monitors control plane activity by analyzing Kubernetes audit logs from existing and new Amazon EKS clusters in customers’ accounts.

–Extended coverage for data stored in Amazon Aurora: GuardDuty RDS Protection identifies potential threats to data stored in Aurora databases without compromising performance, productivity, or availability. GuardDuty RDS Protection profiles and monitors access activity to existing and new databases in customer accounts, and using integrated threat intelligence and a machine learning model that is trained with highly contextual RDS login activity, it can detect suspicious login activity to Aurora databases.

–Support for serverless applications in AWS Lambda: GuardDuty Lambda Protection mitigates security risks in customers’ serverless applications, which can be challenging for traditional threat detection methods to identify due to the added abstraction layers in serverless workloads. Once enabled, GuardDuty Lambda Protection continuously monitors serverless workloads, analyzing network communications mapped back to individual Lambda functions to detect malicious communications and popular compromise activity, such as cryptocurrency mining.

“Tens of thousands of organizations across virtually every industry and geography use Amazon GuardDuty, including more than 90% of our 2,000 largest customers, helping to protect more than half a billion EC2 instances and millions of S3 buckets,” said Jon Ramsey, vice president for Security Services at AWS. “GuardDuty’s new capabilities build on this powerful foundation to expand security detection and monitoring even further, to where customers tell us they need it most: containers’ runtime monitoring, databases, and serverless applications. We’ve now more than tripled the number of managed detections since we introduced GuardDuty.”