Using Amazon GuardDuty to Centrally Manage and Monitor Security Risks
Mar 14, 2018
The financial industry is especially susceptible to attacks from any number of outside entities. The security challenges posed by intrusions or attacks weigh heavily on financial institutions, and they are exacerbated by the fact that the methods employed by malicious individuals or groups constantly change and evolve. To stay on top of the latest security challenges, companies will often look to outside help that specializes in security acumen and expertise.
One such company was attempting to find ways to solve this for their banking institutional client base. The company provides development and managed services for different banking institutions. They approached ClearScale, an AWS Premier Consulting Partner, to see if there was an efficient way to support different banks with similar environments and security monitoring in place without compromising their environments.
The Challenge – Centrally Managing Multiple AWS Accounts
Creating AWS accounts and managing the banks’ services within that environment is a straightforward process. Where the client was running into challenges was when it came to managing the accounts of each bank in a centralized manner. They not only needed to set up and deploy these separate AWS accounts — three to four for each bank — but they also wanted to have their Security department centrally store, secure, and process log data and findings, as well as provide and manage audit and compliance monitoring services from a central location.
This was further complicated by the fact that banks, like all financial institutions, are highly regulated, with regulatory requirements that vary between the national, state, and local levels. Trying to find a way to centralize security monitoring and management for each bank and have the information sent and analyzed in a central location, all while making certain the security protocols were stringent enough to meet the needs of the regulations being imposed, was the greatest challenge.
The Solution – Amazon GuardDuty
ClearScale used AWS Organizations to create a security account structure for managing multiple accounts. Organizational units (OUs) were used to group accounts together so they could be administered as a single unit, simplifying management. The client could then use this structure to set up and manage each bank’s environment.
Security Account Structure
Where the solution delivered the most benefit to the client was in how it addressed the security requirement. ClearScale turned to Amazon GuardDuty, a centrally managed threat detection service designed to monitor and protect AWS accounts and workloads, and updated often to stay on top of the latest threats. Once implemented and configured, GuardDuty allowed ClearScale to start monitoring billions of events in the environment to determine whether there were any unusual API calls or account activity that might indicate an account had been compromised.
Unlike other security tools or products, Amazon GuardDuty takes activity monitoring one step further by leveraging machine learning to actively analyze potential threats in near real time. To do so, it looks for anomalies in traffic patterns, service usage, and account and workflow activity. The information being analyzed is streamed into an environment separate from the production environment, allowing members of the Security department to review and act on issues identified by GuardDuty.
ClearScale leveraged the AWS Config multi-account data aggregation capability, enabling centralized auditing and governance.
The team also streamed log data from the AWS services created for each environment, such as Virtual Private Cloud (VPC), Relational Database Service (RDS), Elastic Load Balancer (ELB), S3, CloudFront, and CloudTrail, and put the logs into a dedicated, bank-specific information security account.
Centralized Logging Diagram
The final implementation streamed log files and findings for each of the AWS services implemented into bank-specific, Security department-managed accounts, so that even if the logs in the source environment were compromised the Security team would still have visibility into what was going on in that environment. This centralization of security information also gave each bank the ability to monitor all environments at once without necessarily going into each individual AWS account, which reduced the time and overhead needed to gather an enterprise-wide view of the status of its AWS environments.
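The review-and-act step described above, once findings from many member accounts land in one security account, needs a way to tie each finding back to the bank and environment it came from and to decide what deserves immediate attention. The following is an added example, not ClearScale's or the client's code: it triages GuardDuty finding JSON of the shape GuardDuty emits (account ID, region, finding type, numeric severity) against a constructed account-to-bank mapping. The mapping, the sample findings, and the escalation rules (`page_oncall`, the special treatment of `Stealth:` findings in production, and alerting on any account not in the mapping) are assumptions for illustration; the severity bands are the Low/Medium/High ranges GuardDuty documents.

```python
"""Triage GuardDuty findings collected in a central security account.

Added example, not the project's own code. It assumes findings arrive as
GuardDuty finding JSON (for instance forwarded by a CloudWatch Events rule)
and that the Security team maintains a mapping from member account ID to the
bank and environment that owns it. Everything below is constructed sample data.
"""
from collections import Counter, defaultdict

# Constructed mapping: member account ID -> (bank, environment).
ACCOUNT_OWNERS = {
    "111111111111": ("bank-a", "prod"),
    "222222222222": ("bank-a", "dev"),
    "333333333333": ("bank-b", "prod"),
}

# Constructed sample findings. The finding types are real GuardDuty types;
# the account IDs, regions, counts and severities are made up.
SAMPLE_FINDINGS = [
    {"accountId": "111111111111", "region": "us-east-1",
     "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "severity": 5.0,
     "resource": {"resourceType": "AccessKey"}, "service": {"count": 3}},
    {"accountId": "222222222222", "region": "us-east-1",
     "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0,
     "resource": {"resourceType": "Instance"}, "service": {"count": 12}},
    {"accountId": "333333333333", "region": "us-west-2",
     "type": "Stealth:IAMUser/CloudTrailLoggingDisabled", "severity": 2.0,
     "resource": {"resourceType": "AccessKey"}, "service": {"count": 1}},
    {"accountId": "444444444444", "region": "us-east-1",
     "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "severity": 8.0,
     "resource": {"resourceType": "AccessKey"}, "service": {"count": 1}},
]


def severity_label(severity: float) -> str:
    """Map GuardDuty's numeric severity to its documented Low/Medium/High bands."""
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    return "LOW"


def route_finding(finding: dict) -> dict:
    """Attribute one finding to a bank/environment and decide whether to page.

    Hypothetical escalation policy (an assumption of this example):
      * HIGH anywhere pages the on-call.
      * MEDIUM in a production environment pages the on-call.
      * Any 'Stealth:' finding in production pages, regardless of severity,
        because those findings target the logging the central account relies on.
      * A finding from an account not in ACCOUNT_OWNERS pages, since an unknown
        member account is itself a governance gap worth a human look.
    """
    account = finding["accountId"]
    unmapped = account not in ACCOUNT_OWNERS
    bank, env = ACCOUNT_OWNERS.get(account, ("unknown", "unknown"))
    label = severity_label(float(finding["severity"]))
    ftype = finding["type"]

    page_oncall = (
        label == "HIGH"
        or (label == "MEDIUM" and env == "prod")
        or (ftype.startswith("Stealth:") and env == "prod")
        or unmapped
    )
    return {
        "bank": bank,
        "env": env,
        "account": account,
        "region": finding["region"],
        "type": ftype,
        "severity_label": label,
        "unmapped_account": unmapped,
        "page_oncall": page_oncall,
    }


def summarize(findings) -> dict:
    """Per-bank count of findings by severity band: the enterprise-wide view."""
    summary = defaultdict(Counter)
    for finding in findings:
        routed = route_finding(finding)
        summary[routed["bank"]][routed["severity_label"]] += 1
    return {bank: dict(counts) for bank, counts in summary.items()}


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        r = route_finding(f)
        flag = "PAGE" if r["page_oncall"] else "queue"
        print(f"{flag:5} {r['bank']}/{r['env']} {r['severity_label']:6} {r['type']}")
    print(summarize(SAMPLE_FINDINGS))
```

Feeding this from a real deployment means replacing `SAMPLE_FINDINGS` with the event payloads delivered to the security account and keeping `ACCOUNT_OWNERS` in step with the OU structure; the `unmapped_account` flag is the cheap check that catches an account created outside that structure.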
In an ever-evolving world of security threats, finding the right balance between actively monitoring and determining how to address issues as they appear can be a huge challenge. With the AWS service expertise that ClearScale has accumulated since its founding in 2011, these challenges and others are no longer barriers for companies that need to find solutions to complex problems. Partnering with ClearScale gives our clients confidence that the solutions we design, build, and deploy will meet their organization’s needs far into the future.