Title: AWS re:Inforce 2024 - Explore cloud workload protection with GuardDuty, feat. Booking.com (TDR304)
Insights:
- Introduction and Overview: The session began with introductions from Shakar Hirschberg, Sujay Doshi, Georgia Bekeridou, and Kuchagul Sharma, who are senior product managers and engineers at Amazon GuardDuty and Booking.com. They emphasized the importance of securing cloud environments and the role of GuardDuty in threat detection.
- GuardDuty as a Threat Detection Tool: GuardDuty is described as a "canary in the coal mine" for AWS environments, providing early detection of suspicious activities. It helps in identifying potential threats, including crypto mining, denial of service attacks, and data exfiltration.
- Evolution and Capabilities of GuardDuty: Since its inception seven years ago, GuardDuty has expanded its coverage to include various AWS services such as EC2, S3, EKS, RDS, and Lambda. It uses multiple data sources and detection techniques, including threat intelligence, machine learning, and stateful/stateless algorithms.
- New Features and Announcements: The session highlighted a newly released capability for mitigating malware in S3 buckets. It automatically scans new object uploads to S3 for malware, tags each scanned object with the scan result, and generates event notifications so that downstream workflows can act on the outcome.
- Technical Implementation at Booking.com: Booking.com leverages GuardDuty extensively to monitor its large-scale AWS infrastructure. They have integrated GuardDuty alerts into their Threat Intelligence platform for enhanced triaging and investigation. The company has automated the activation of GuardDuty across all AWS accounts and regions to ensure comprehensive coverage.
- Operational Insights: Key takeaways from Booking.com's implementation include the importance of automation, visibility from day one, and a common misconception about the cost of enabling GuardDuty in all regions. They emphasized that a region with minimal active workloads incurs only minimal cost.
- Runtime Protection and Agent Management: GuardDuty's runtime monitoring provides additional visibility and fidelity by monitoring operating system-level events. The session detailed the deployment and management of lightweight security agents across EC2, ECS Fargate, and EKS workloads.
- Customer Benefits and Use Cases: GuardDuty's new features, such as malware protection for S3, offer quick enablement, reduced complexity, and seamless integration into existing workflows. This is particularly beneficial for applications involving untrusted uploads, such as social media platforms and healthcare applications.
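The "enable GuardDuty in every region" practice Booking.com describes above, as an added example that is not Booking.com's or AWS's own code: it walks the regions enabled for one account and creates a detector only where none exists, so it is safe to re-run. It assumes credentials for a single account are already in place (looping over many accounts is left to the caller) and accepts an injectable `client_factory` so the logic can be exercised offline with constructed fake clients.

```python
"""Enable Amazon GuardDuty in every enabled region of the current account.

Idempotent: regions that already have a detector are left untouched.
"""


def enable_guardduty_everywhere(client_factory=None):
    """Return {region_name: detector_id} for every enabled region.

    client_factory(service, region) -> boto3-style client. When omitted,
    real boto3 clients are built from the default credential chain; a
    test can pass a factory returning constructed fake clients instead.
    """
    if client_factory is None:
        import boto3  # imported lazily so the module loads without boto3

        session = boto3.Session()

        def client_factory(service, region):
            return session.client(service, region_name=region)

    # describe_regions() without AllRegions=True lists only regions the
    # account has opted in to, which is exactly where workloads can run.
    ec2 = client_factory("ec2", "us-east-1")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]

    detectors = {}
    for region in regions:
        guardduty = client_factory("guardduty", region)
        existing = guardduty.list_detectors().get("DetectorIds", [])
        if existing:
            # GuardDuty allows one detector per region; reuse it.
            detectors[region] = existing[0]
            continue
        created = guardduty.create_detector(Enable=True)
        detectors[region] = created["DetectorId"]
    return detectors


if __name__ == "__main__":
    for region, detector_id in sorted(enable_guardduty_everywhere().items()):
        print(f"{region}: {detector_id}")
```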
Quotes:
- "I think about GuardDuty as the canary in the coal mine, where the coal mine is obviously their AWS environment."
- "We protect millions of AWS accounts, S3 buckets, and hundreds of millions of EC2 instances to detect potential threats related to them."
- "Crypto mining remains a top threat targeting cloud environments. It's an easy way for adversaries to gain financially without having to deal with the company directly."
- "We have tens of thousands of customers across virtually any geography and industry leveraging GuardDuty, including Amazon.com and AWS."
- "GuardDuty runtime monitoring helps you get additional visibility and fidelity on your detections as it allows us to gain visibility across new events on the operating system levels."
- "We are now happy to introduce GuardDuty malware protection for S3 where using GuardDuty, you can protect your S3 buckets from new object uploads that are masked as malware."
- "Automation is the key when it comes to security services or any service in general."
- "You can only defend what you can see. So for your security teams, it's very important to have the visibility into your cloud landscape and see how your cloud infrastructure is growing."