As more organizations adopt AWS (Amazon Web Services) for their cloud computing needs, securing that infrastructure becomes increasingly complex. Persistent, well-resourced cybercriminals continue to pose a significant threat, and some degree of compromise has become an unavoidable part of modern reality. Adding to the complexity is the current state of security responders: many security teams are small, understaffed, and lack the skills needed to secure their organizations efficiently. In this blog we take a deep dive into best practices for securing an AWS cloud environment against the emerging threat landscape.
Every organization has vulnerabilities in its environment; identifying where they are, determining how quickly they can be patched, and tracking which have already been patched can all be a challenge. Organizations need a vulnerability management program for their AWS environment that uses risk-based analysis: rather than working from raw severity scores alone, it ranks vulnerabilities from highest to lowest priority based on severity, exposure, and the value of the affected asset, so that security responders know which action to take first.
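To make "risk-based" concrete, here is a small prioritizer, added as an illustration for this post rather than taken from any AWS or vendor tool. The field names, the weights, and the sample findings are all assumptions; the point is that a critical CVSS score on an isolated batch host can rank below a medium one on an internet-facing, actively exploited service.

```python
# Added example (not from the original post): a minimal risk-based
# prioritizer for vulnerability findings. Field names, weights and the
# sample data are assumptions chosen for illustration.
from dataclasses import dataclass


@dataclass
class Finding:
    resource: str           # e.g. an EC2 instance, ALB target or container image
    vuln_id: str            # identifier as reported by the scanner (constructed here)
    cvss: float             # base score, 0.0 - 10.0
    internet_exposed: bool  # reachable from the public internet
    asset_criticality: int  # 1 (low) .. 5 (crown jewel), from your asset inventory
    known_exploited: bool   # flagged as exploited in the wild by your threat intel
    patched: bool = False   # already remediated; excluded from the work queue


def risk_score(f: Finding) -> float:
    """Combine severity with exposure and asset context.

    Assumed weighting: CVSS is scaled by asset criticality, then raised
    sharply for internet exposure and again for known exploitation, since
    those are the findings attackers actually reach first.
    """
    score = f.cvss * (f.asset_criticality / 5.0)
    if f.internet_exposed:
        score *= 1.5
    if f.known_exploited:
        score *= 2.0
    return round(min(score, 30.0), 2)


def prioritize(findings):
    """Return unpatched findings, highest risk first."""
    open_findings = [f for f in findings if not f.patched]
    return sorted(open_findings, key=risk_score, reverse=True)


# Constructed sample data: note that the highest CVSS is not the top priority.
SAMPLE = [
    Finding("web-alb-target-1", "vuln-1", 7.5, True, 4, True),
    Finding("internal-batch-2", "vuln-2", 9.8, False, 2, False),
    Finding("bastion", "vuln-3", 5.3, True, 5, False),
    Finding("legacy-db", "vuln-4", 9.1, False, 5, False, patched=True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):6.2f}  {f.resource:<18} {f.vuln_id}")
```

Feed it the output of your scanner plus two pieces of context most scanners lack, which asset is internet-facing and which assets matter most, and the ordering changes from "all criticals first" to "what an attacker would hit first".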
The MITRE ATT&CK framework and the Lockheed Martin Cyber Kill Chain are valuable resources for security responders who want to map their security controls to the stages of an attack on an AWS environment and see where coverage is thin. In addition, security consultants at AWS or third-party organizations can conduct gap assessments to identify gaps in your security framework and minimize the risk of compromise.
A common cause of compromise within an AWS environment is a misconfiguration of security controls or resources. AWS publishes a good set of security best-practice guidance and benchmarks, which we recommend reviewing and applying in this area. Additionally, the Center for Internet Security (CIS) Benchmarks, including the CIS AWS Foundations Benchmark and the CIS benchmarks for Kubernetes and Amazon EKS, provide prescriptive hardening guidance on topics such as identity and access management, logging, monitoring, and networking, and give you a concrete baseline against which to measure and monitor your security posture.
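As an added example of what one of those benchmark checks looks like in practice (this is illustrative code written for this post, not CIS's or AWS's own tooling), the function below flags security groups that allow SSH or RDP from anywhere. The input shape mirrors what `boto3`'s `describe_security_groups()` returns, but the groups are constructed so the check runs offline; the group IDs are placeholders.

```python
# Added example (not from the original post, CIS or AWS): detect security
# groups that expose administrative ports to the whole internet.
# Data below is constructed; in practice feed in the "SecurityGroups" list
# returned by boto3's ec2.describe_security_groups().

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def rule_open_ports(rule):
    """Return the admin ports a single ingress rule exposes.

    Edge cases a naive port == 22 check misses: IpProtocol "-1" means all
    traffic and carries no FromPort/ToPort, and a wide range such as
    0-65535 covers the admin ports without naming them.
    """
    if rule.get("IpProtocol") == "-1":
        return set(ADMIN_PORTS)
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return set()
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p for p in ADMIN_PORTS if lo <= p <= hi}


def rule_sources(rule):
    """All IPv4 and IPv6 CIDRs referenced by the rule."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return set(v4 + v6)


def find_open_admin_access(security_groups):
    """Return (group_id, cidr, port) tuples for world-reachable admin ports."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            world = rule_sources(rule) & ANYWHERE
            if not world:
                continue
            for port in sorted(rule_open_ports(rule)):
                for cidr in sorted(world):
                    findings.append((sg["GroupId"], cidr, port))
    return findings


# Constructed sample: SSH open to the world, an "all traffic" rule from any
# IPv6 address, and one group correctly scoped to a documentation range.
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-all", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-example-ok", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for group_id, cidr, port in find_open_admin_access(SAMPLE_GROUPS):
        print(f"{group_id}: {ADMIN_PORTS[port]} (tcp/{port}) open to {cidr}")
```

The "all traffic" case is the one to watch: it has no port fields at all, so a check that only compares `FromPort` to 22 silently passes it.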
AWS provides invaluable tools for detecting threats inside its cloud. Monitoring and evaluating VPC Flow Logs, which record the sources, destinations, ports, and accept/reject decisions for traffic through your network interfaces, allows organizations to spot anomalous activity from a threat actor. Over the last few years user identity has become the focal point for cybercriminals, so understanding everything you can about your users and administrators is critical. AWS CloudTrail is a powerful tool here: it records API activity, console logins, application access, user creation and deletion, and new resources being spun up or torn down. Amazon GuardDuty analyzes CloudTrail events, VPC Flow Logs, and DNS logs against threat intelligence and behavioral models to surface findings such as malware activity, anomalous API calls, credential misuse, and suspicious DNS traffic. Implementing AWS WAF protects your web applications at the HTTP layer against common web exploits and bots; it complements rather than replaces network IDS/IPS, which sees traffic a WAF never inspects. Every organization should also have some form of endpoint protection and a next-generation firewall inside its environment.
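Here are two small detections of the kind a responder would run over that telemetry, written for this post as an illustration (they are not AWS or GuardDuty logic). The first walks VPC Flow Log records and reports a source that was rejected on many different ports of one host, a reconnaissance pattern; the second walks CloudTrail records and reports successful console logins by the root user or without MFA. The log lines and events are constructed: the field layout follows the default Flow Logs format and CloudTrail's top-level record fields, but the account ID, interface ID, addresses and usernames are placeholders.

```python
# Added example (not from the original post): detections over constructed
# VPC Flow Log lines and CloudTrail records. Account ID, ENI ID, addresses
# and user names below are placeholders.
from collections import defaultdict

# Default VPC Flow Logs (version 2) field order.
FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport "
               "dstport protocol packets bytes start end action log_status").split()


def parse_flow_log(line):
    """Split one default-format Flow Log record into a dict with int fields."""
    values = line.split()
    if len(values) != len(FLOW_FIELDS):
        raise ValueError(f"unexpected field count: {len(values)}")
    rec = dict(zip(FLOW_FIELDS, values))
    # NODATA / SKIPDATA records carry "-" instead of numbers.
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key]) if rec[key] != "-" else None
    return rec


def detect_port_scans(lines, min_ports=5):
    """Flag (src, dst) pairs with REJECTs on many distinct destination ports.

    Normal clients retry the same port; a fan-out across ports that the
    security group rejects is what a scan looks like in Flow Logs.
    """
    rejected = defaultdict(set)
    for line in lines:
        rec = parse_flow_log(line)
        if rec["action"] == "REJECT" and rec["dstport"] is not None:
            rejected[(rec["srcaddr"], rec["dstaddr"])].add(rec["dstport"])
    return {pair: sorted(ports) for pair, ports in rejected.items()
            if len(ports) >= min_ports}


def risky_console_logins(events):
    """Return successful ConsoleLogin events by root or without MFA.

    Each hit is (eventTime, principal ARN, is_root, no_mfa).
    """
    hits = []
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        identity = ev.get("userIdentity", {})
        is_root = identity.get("type") == "Root"
        no_mfa = ev.get("additionalEventData", {}).get("MFAUsed") == "No"
        if is_root or no_mfa:
            hits.append((ev["eventTime"], identity.get("arn"), is_root, no_mfa))
    return hits


# Constructed Flow Log lines: one external host probing five ports (REJECT),
# the same host succeeding on 443, and an internal client retrying one port.
SAMPLE_FLOWS = [
    f"2 123456789012 eni-0example 198.51.100.7 10.0.1.5 41522 {port} 6 1 40 1700000000 1700000060 REJECT OK"
    for port in (21, 22, 23, 25, 3389)
] + [
    "2 123456789012 eni-0example 198.51.100.7 10.0.1.5 41530 443 6 12 2400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0example 10.0.1.9 10.0.1.5 50000 5432 6 1 40 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0example 10.0.1.9 10.0.1.5 50001 5432 6 1 40 1700000000 1700000060 REJECT OK",
]

# Constructed CloudTrail records, reduced to the fields the check reads.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T08:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-01-01T08:05:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-01T08:10:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]

if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_FLOWS).items():
        print(f"possible scan {src} -> {dst}, rejected on ports {ports}")
    for when, arn, is_root, no_mfa in risky_console_logins(SAMPLE_EVENTS):
        print(f"{when} {arn} root={is_root} no_mfa={no_mfa}")
```

Both checks are deliberately narrow. GuardDuty ships equivalents of them out of the box; the value of writing your own is knowing exactly what the rule keys on, so you can tune the threshold (here, five distinct ports) to your environment rather than inherit someone else's false-positive rate.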
The next best practice for securing your AWS cloud environment is to use a Security Information and Event Management (SIEM) solution. A 24×7 monitoring capability helps filter through massive amounts of security data to identify indicators of compromise and critical events, and to reduce false positives, so that security responders understand quickly what action needs to be taken. A SIEM is only the detection piece, however. If you do not have a 24×7 response team, you also need some type of Security Orchestration, Automation and Response (SOAR) capability or open XDR that can automatically respond to an event by blocking an IP address, isolating a device or resource, or suspending an account.
Partnering with an MSSP such as Proficio helps cover gaps (staff, hours of operation, skills), elevates and enhances your security posture, and improves your mean time to detect (MTTD), respond to, and remediate threats.
In Proficio’s environment we use our ProSOC Managed Detection and Response (MDR) service, which is cloud native. It combines threat intelligence, AI-based threat hunting, and best-in-class technologies to detect indicators of compromise quickly, backed by a comprehensive SOAR solution to act on them.
For a detailed overview of overcoming cloud security challenges in the AWS cloud, watch our webinar with our CEO, Brad Taylor.