I’ve always agreed with Richard Clarke, former head of counterterrorism for the National Security Council, who said:
“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.”
I was recently reminded just how pervasive hackers are during a talk at last month’s AWS re:Invent conference in Las Vegas. Tom Stickle and Michael Fuller were presenting to a packed room about the launch of Amazon GuardDuty, a new service designed to help you detect anomalies and potential security threats in your AWS cloud environment. Tom spun up a few public server instances to help demonstrate the capabilities of GuardDuty, and the system immediately detected some unexpected activity. Within seconds of starting up, Tom’s servers were being scanned for vulnerabilities by computers in Russia!
I tell this story not to incite fear but to raise awareness. Cloud-based services give organizations the ability to create personalized experiences for their customers, drive operational efficiency and open new frontiers in areas like personalized medicine and autonomous vehicles at a pace we have never seen. But, cloud computing also introduces new kinds of risks and vulnerabilities, and digital organizations must adapt their security strategies appropriately.
In this series, I’ll introduce AWS GuardDuty, describe the thinking behind the product, and explore how it fits into a broader information security strategy for cloud-enabled organizations.
What Is GuardDuty?
AWS GuardDuty is a new capability of the Amazon cloud. Launched in late 2017, it uses artificial intelligence (AI) and machine learning technologies to help detect anomalies and potential security threats within your virtual network running in AWS. The same team of data scientists and engineers who created Amazon’s famous product recommendation engine are constantly testing, validating, and improving the algorithms that GuardDuty uses to protect your AWS workloads and data.
How Much Does GuardDuty Cost?
Amazon’s primary business goal for AWS is to drive higher consumption levels across all products and service offerings. As a result, Amazon positioned GuardDuty very differently from traditional threat detection software products. Amazon is not motivated to sell a large number of expensive software licenses like most software vendors are. Instead, the company wants customers to trust the platform to keep their data and workloads safe, encouraging them to consume more AWS services. GuardDuty is a means to an end for Amazon, so the company has positioned it as a relatively low-cost security solution that is easy to get up and running.
Accelerate your transition to the cloud with our AWS expertise
Explore Our AWS Consulting Services →
The product is free to try for 30 days and can be can be deployed into your account with “one click” configuration in the AWS console. Although many advanced configuration options are available and highly encouraged, the default configuration will automatically monitor network traffic, DNS activity and API usage, and detect suspicious types of activity. After 30 days, pricing is consumption-based—you pay for the number of events and system logs the platform analyzes. In general, the larger your AWS workloads are the more you can expect to pay for GuardDuty.
Where Does GuardDuty Fit In?
GuardDuty fully supports AWS’s multi-account linking strategy. This makes it easy to integrate into your organization’s existing security processes and workflows. Security teams can monitor multiple AWS accounts without having full access to them. Using AWS’s Identity and Access Management system, you can define policies that clearly separate security teams’ roles and responsibilities from developers, enabling each to focus on what they do best.
Is GuardDuty All I Need?
In a word, no. GuardDuty is not a “one-stop shop” security solution. It is intended to complement and integrate easily into a broader information security strategy. GuardDuty is a reactive solution, helping you identify vulnerabilities that already exist in your environment and remediate them. It is not a replacement for security auditing, event logging, penetration testing, systems hardening, SecDevOps, or other proactive secure software development practices.
In part two of this blog post, we will explore getting started with GuardDuty in more detail. We will also go deeper into what GuardDuty is and is not, and where it fits into an overall enterprise security posture. Feel free to reach out to us at firstname.lastname@example.org with any questions, we’d love to help you explore GuardDuty.