Amazon Introduces GuardDuty Continuous Security Monitoring and Threat Detection for AWS

Amazon has introduced GuardDuty, a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help protect AWS accounts and workloads.

Announced at AWS re:Invent, the new service was detailed in a blog post by Jeff Barr, chief evangelist for AWS.

According to Barr, GuardDuty is informed by a multitude of public and AWS-generated data feeds and powered by machine learning, and can analyze billions of events to identify trends, patterns, and anomalies that are recognizable signs that something is wrong.

GuardDuty consumes multiple data streams, including several threat intelligence feeds, to stay aware of malicious IP addresses and devious domains and to learn to accurately identify malicious or unauthorized behavior in your AWS accounts. In combination with information gleaned from VPC Flow Logs, AWS CloudTrail Event Logs, and DNS logs, Barr notes, this enables GuardDuty to detect dangerous and mischievous behavior including probes for known vulnerabilities, port scans and probes, and access from unusual locations.

On the AWS side, Barr says, GuardDuty looks for AWS account activity such as unauthorized deployments, unusual CloudTrail activity, patterns of access to AWS API functions, and attempts to exceed multiple service limits. GuardDuty will also look for compromised EC2 instances talking to malicious entities or services, data exfiltration attempts, and instances that are mining cryptocurrency.

Operating on AWS infrastructure, GuardDuty does not affect the performance or reliability of workloads and organizations do not need to install or manage any agents, sensors, or network appliances.

Suspicious findings are rated at one of three severity levels (low, medium, or high) and are accompanied by evidence and recommendations for remediation. The findings are also available as Amazon CloudWatch Events, which allows users to trigger their own AWS Lambda functions to automatically remediate specific types of issues. The same mechanism lets users push GuardDuty findings into event management systems such as Splunk, Sumo Logic, and PagerDuty, and into workflow systems like JIRA, ServiceNow, and Slack.
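As an added illustration of the CloudWatch Events to Lambda path described above (example code written for this article, not AWS's or GuardDuty's own), the handler below takes one GuardDuty finding event, maps its numeric severity onto the low/medium/high bands, and decides a response. The event shape (source `aws.guardduty`, detail-type `GuardDuty Finding`, finding details under `detail`) follows what GuardDuty publishes; the sample finding data, the `ACTION_BY_LEVEL` routing policy, and the `make_sample_event` helper are constructed for this example. The handler only decides and logs; the actual EC2 or ticketing API calls a deployment would make are left out so it runs offline.

```python
import json

# GuardDuty reports severity as a number and labels it low, medium or high.
# These are the documented bands for the three labels named in the article.
SEVERITY_BANDS = (
    ("low", 0.1, 3.9),
    ("medium", 4.0, 6.9),
    ("high", 7.0, 8.9),
)

# Hypothetical routing policy for this example: what each band triggers.
ACTION_BY_LEVEL = {"low": "log", "medium": "ticket", "high": "isolate"}


def severity_label(score):
    """Map GuardDuty's numeric severity to low/medium/high; None if out of range."""
    try:
        value = float(score)
    except (TypeError, ValueError):
        return None
    for label, low, high in SEVERITY_BANDS:
        if low <= value <= high:
            return label
    return None


def classify_finding(event):
    """Turn one CloudWatch Events record into a routing decision.

    Returns a dict with the finding id, type, level, affected instance and the
    chosen action, or action == "ignored" when the record is not a usable
    GuardDuty finding (wrong source, or severity missing / out of range).
    """
    if (event.get("source") != "aws.guardduty"
            or event.get("detail-type") != "GuardDuty Finding"):
        return {"action": "ignored", "reason": "not a GuardDuty finding"}
    detail = event.get("detail", {})
    level = severity_label(detail.get("severity"))
    if level is None:
        return {"action": "ignored", "reason": "severity missing or out of range"}
    resource = detail.get("resource", {})
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    return {
        "finding_id": detail.get("id"),
        "finding_type": detail.get("type"),
        "level": level,
        "instance_id": instance_id,
        "action": ACTION_BY_LEVEL[level],
    }


def lambda_handler(event, context):
    """Lambda entry point. Logs the decision as JSON so it lands in CloudWatch Logs.
    A real deployment would call the EC2 / ticketing APIs for "isolate" and
    "ticket" here; that is omitted so the example runs offline."""
    decision = classify_finding(event)
    print(json.dumps(decision))
    return decision


def make_sample_event(finding_type, severity, instance_id="i-0123456789abcdef0"):
    """Constructed sample in the shape of a GuardDuty CloudWatch event (not real data)."""
    return {
        "version": "0",
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "region": "us-east-1",
        "detail": {
            "id": "EXAMPLE-FINDING-ID",          # placeholder, not a real finding id
            "type": finding_type,
            "severity": severity,
            "resource": {
                "resourceType": "Instance",
                "instanceDetails": {"instanceId": instance_id},
            },
        },
    }


if __name__ == "__main__":
    # Three constructed findings: a port probe (low), an SSH brute force (medium)
    # and a crypto-mining detection (high), matching behaviours named in the article.
    for finding_type, severity in [
        ("Recon:EC2/PortProbeUnprotectedPort", 2.0),
        ("UnauthorizedAccess:EC2/SSHBruteForce", 5.0),
        ("CryptoCurrency:EC2/BitcoinTool.B!DNS", 8.0),
    ]:
        lambda_handler(make_sample_event(finding_type, severity), None)
```

Routing on the severity band rather than on the finding type keeps the rule set small, but a production handler would normally match on `finding_type` as well, since not every high-severity finding concerns an EC2 instance that can be isolated. Events that are not GuardDuty findings, or that carry no usable severity, fall through to `ignored` so a misconfigured CloudWatch Events rule cannot trigger remediation by accident.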