AWS Announces Three New Amazon GuardDuty Capabilities to Help Customers Protect Container, Database, and Serverless Workloads

AWS Announces Three New Amazon GuardDuty Capabilities to Help Customers Protect Container, Database, and Serverless Workloads

April 25, 2023 Off By David

Amazon Web Services, Inc. (AWS) announced three new capabilities for Amazon GuardDuty, AWS’s threat detection service, that further strengthen customer security through expanded coverage and continuous enhancements in machine learning, anomaly detection, and integrated threat intelligence. GuardDuty is part of a broad set of AWS security services that help customers identify potential security risks, so they can respond quickly, freeing security teams to focus on tasks with the highest value. The three new capabilities expand GuardDuty protection to container runtime behavior, as well as database and serverless environments. EKS Runtime Monitoring deepens threat detection inside customers’ containerized workloads. GuardDuty RDS Protection helps customers protect data stored in Amazon Aurora databases. GuardDuty Lambda Protection helps customers detect threats to their serverless applications. To get started with Amazon GuardDuty, visit aws.amazon.com/guardduty.

The ability to gather, synthesize, and alert on security-relevant events is fundamental to any organization’s risk management program. The evolving cybersecurity landscape and multitude of security tools from different vendors, combined with a shortage of IT security professionals, make it challenging for customers to integrate and scale security detection and response across their environments. Many security teams today have to build or integrate multiple tools to detect anomalies, such as web server vulnerabilities, compromised instances used to serve malware or mine cryptocurrency, or compromised access credentials. Integration challenges can lead to inefficiencies, data inconsistencies, and increased costs. In addition, the workplace and threat landscape continue to evolve, requiring chief information security officers (CISOs) to continually raise the bar on enterprise security to account for cloud adoption, remote working, and third-party infrastructure integration. Demand for technologies and services such as cloud threat detection, security analytics, cloud security posture management, and threat intelligence has been rising to tackle new vulnerabilities, misconfigurations, and other IT risks emerging from this digital transformation.

GuardDuty helps protect customers from the latest threats through ongoing innovation in machine learning, anomaly detection, and integrated threat intelligence continuously derived from the broad visibility AWS has across the global threat landscape. With a few clicks in the AWS Management Console, customers can activate GuardDuty across multiple accounts in multiple AWS Regions on highly trusted and secure-by-design AWS Cloud infrastructure and mitigate threats early by initiating automated responses. Since its launch in 2017, GuardDuty has added more than 100 new threat detection capabilities, including the ability to detect credential exfiltration and compromise even when highly evasive techniques are used. GuardDuty uses machine learning detections trained to identify highly suspicious data access and any potential Amazon Elastic Compute Cloud (Amazon EC2) compromise, and uses integrated threat intelligence to detect malware and malicious container, database, and serverless access. GuardDuty comes with pre-integrated and continuously updated threat intelligence feeds from AWS and industry-leading, third-party providers such as CrowdStrike, Proofpoint, and Bitdefender. AWS-developed threat intelligence offers customers unique coverage against the latest global threat landscape, including emerging Linux-based malware, evolving credential exfiltration techniques, and new malicious domains identified through machine learning-based reputation models.

The three new capabilities added to GuardDuty build on the hundreds of features and enhancements available since its launch and expand security coverage to other AWS workloads and core deployment use cases. The capabilities can all be easily enabled organization-wide with a few steps and no other requirements or prerequisites, resulting in actionable, contextual, and timely security findings with resource-specific details to help quickly investigate and respond. The new capabilities include:

  • New container runtime protection for Amazon Elastic Kubernetes Service (Amazon EKS): GuardDuty EKS Runtime Monitoring introduces a fully managed, lightweight security agent that profiles and monitors on-host operating system-level behavior such as file access, process execution, and network connections. In tight collaboration with Amazon EKS, the agent performs without requiring customers to deploy, maintain, or update it.This allows GuardDuty to add security coverage comparable to other agent-based solutions, while maintaining easy-on enablement. It deepens GuardDuty protection for Amazon EKS deployments and decreases the operational overhead and complexity often required to achieve this level of coverage, especially in highly dynamic, containerized compute environments. GuardDuty now makes it easier to achieve runtime coverage across all Amazon EKS workloads in an account or organization. Account and data compromise can often start with a single compromised endpoint or container that then escalates to credential compromise and can spread to the broader AWS environment and data stored in it. With GuardDuty’s visibility across runtime events, Kubernetes audit logs, and broader AWS control plane and networking logs, customers can identify steps in an attack and are signaled early to contain potential security threats before the threat escalates to broader business-impacting breaches. This capability builds on the initial integration of GuardDuty EKS Protection, which monitors control plane activity by analyzing Kubernetes audit logs from existing and new Amazon EKS clusters in customers’ accounts.
  • Extended coverage for data stored in Amazon Aurora: GuardDuty RDS Protection identifies potential threats to data stored in Aurora databases without compromising performance, productivity, or availability. GuardDuty RDS Protection profiles and monitors access activity to existing and new databases in customer accounts, and using integrated threat intelligence and a machine learning model that is trained with highly contextual RDS login activity, it can detect suspicious login activity to Aurora databases.
  • Support for serverless applications in AWS Lambda: GuardDuty Lambda Protection mitigates security risks in customers’ serverless applications, which can be challenging for traditional threat detection methods to identify due to the added abstraction layers in serverless workloads. Once enabled, GuardDuty Lambda Protection continuously monitors serverless workloads, analyzing network communications mapped back to individual Lambda functions to detect malicious communications and popular compromise activity, such as cryptocurrency mining.

Tens of thousands of organizations across virtually every industry and geography use Amazon GuardDuty, including more than 90% of our 2,000 largest customers, helping to protectmore thanhalf a billion EC2 instances and millions of S3 buckets,said Jon Ramsey, vice president for Security Services at AWS. “GuardDuty’s new capabilities build on this powerful foundation to expand security detection and monitoring even further, to where customers tell us they need it most: containers’ runtime monitoring, databases, and serverless applications. We’ve now more than tripled the number of managed detections since we introduced GuardDuty.”

Arctic Wolf Networks is a global leader in security operations that provides security monitoring to detect and respond to cyberthreats. “Continuous monitoring is a required component for effective security operations, and as both a customer and partner of AWS, GuardDuty is a service we entrust across all of our AWS workloads,” said Adam Marrè, CISO at Arctic Wolf. “With real-time threat detection, Amazon EKS audit log monitoring, and now database protection provided via RDS Protection, GuardDuty plays a key role in helping us secure our internal security tooling and processes with the most advanced technologies, allowing us to stay focused on our mission of ending cyber risk for our customers.”

Best Buy is an American multinational consumer electronics retailer. “Security is always top of mind for us, especially as we expanded our use of Amazon Aurora for our migrated and cloud native applications,” said Vaibhav Sonawane, enterprise risk and compliance cloud security engineer at Best Buy. “With GuardDuty RDS Protection, our security posture around legitimate and nonlegitimate login attempts remains strong thanks to its machine learning and intelligent threat detection capabilities. We are excited to see Amazon GuardDuty expand into new categories in AWS environments like databases because of its seamless integration, cost-effectiveness, and ease of use.”

GE Digital, a business unit of General Electric (GE), is an industrial software leader bringing simplicity, speed, and scale to their customers’ digital transformations. “As a longtime customer of GuardDuty, we’re very pleased to see the continued additions of critical detections and increased coverage across AWS’s compute native services,” said Chuck Rees, senior director of cyber engineering and architecture at GE Digital. “We rely on GuardDuty and its machine learning detections to monitor access to our S3 buckets, allowing us to safeguard our sensitive data. Using GuardDuty is an easy choice for us, and the service is an integral part of securing our workloads on AWS.”

Siemens, a technology and industrial manufacturing company based in Munich, produces equipment and components for energy, healthcare, and other industries around the world. “We initially selected Amazon GuardDuty to monitor our AWS accounts for malicious activity,” said Scott Schwartz, senior infrastructure engineer at Siemens. “One of the primary drivers of our decision to use AWS was to strengthen our security posture and automate important tasks. We also wanted to have centralized access to all of our information by aggregating it from accounts across the organization. The ease with which we could adopt AWS services and integrate them into our existing tools made GuardDuty a clear choice for us.”

Wiz is a cybersecurity startup with a mission to help organizations create secure cloud environments that accelerate their business. “Wiz uses Amazon GuardDuty, fully integrated with the Wiz platform’s Cloud Events & Detection, to continuously monitor our AWS environment,” said Ryan Kazanciyan, CISO at Wiz. “We are excited to see GuardDuty broaden as a comprehensive threat detection solution with the addition of detections for databases and container environments.”