Can You Learn from the Cloud and Be More Secure?
The Internet has been described as the Wild West. It is expansive, diverse and chaotic. In old Westerns a new visitor to town often learned important details by talking to the local saloon bartender. Everyone tended to pass through for a drink. So the bartender saw and overheard a lot of what was going on. What if I told you there was a firm tapped into a large number of metaphorical “saloons” around the world? Someone that might even know what evil traffic is coming from many of the “wretched hive(s) of scum and villainy” that dot the Internet . . . *
GuardDuty
I’m speaking about Amazon’s GuardDuty. If you think this analogy is a stretch then read on. Once you know more you’ll find it is an offering you can’t pass on. And if you are using PagerDuty, I’ll conclude with some suggestions on being proactive with your integration. This will get you farther along in your Digital Operations Maturity.
With GuardDuty, Amazon combines several pieces of knowledge and insight. Some of this is from having experts apply their experience, some Machine Learning. Lastly they leverage their expansive network visibility into attacks and attempted break-ins.
Buckets of Findings
AWS breaks down the information into 42 distinct buckets called “findings” – each of which comes with an urgency level from 1 to 8. You might think that 42 is a lot, but InfoSec is typically far noisier than that. It’s impressive that Amazon reduces the roar this much. (And with PagerDuty you can reduce it even more. I cover how in the second half.)
Some of those buckets are what we all see in our logs. Items like SSH or RDP Brute Force Attacks. But others highlight Amazon’s expansive visibility. With all of the systems and IP addresses they are involved with, they have visibility into attacks coming in from other parts of the world. With that they have built up a large list of “bad actors” out there, complete with their IP addresses. Wouldn’t you want to know if someone logged into your console from one of those addresses? GuardDuty would be able to alert you if they saw a bad guy they were tracking unlock the door to your business with keys they probably stole.
They also leverage Machine Learning to track activity that is out of the norm. This might include actions like turning off logging, or perhaps logins from locations where you never have activity. The list goes on and on, but trust me, they have a lot of insight and seem to be adding more regularly.
After looking at GuardDuty, it is very easy to see how you want to leverage Amazon’s expertise and expansive view of the Internet to help make your applications more secure. But once you are sold on Amazon, how can PagerDuty help even more? The best way to go about this is to leverage our simple integration and then take a few other simple steps during quiet times to be proactive.
4 Steps
With the Digital Operations Maturity Model, the more you prepare for and automate ahead of time, the quicker you can respond, or be proactive, when unplanned events happen. Just take 4 steps:
- Follow our simple integration guide with GuardDuty. Pipe the information into the appropriate service.
- From the GuardDuty Settings, use the “Generate sample findings” button. You’ll get 42 sample findings sent to your PagerDuty instance. Note that it can take up to 15 minutes for these findings to be generated.
- Sit down with your InfoSec team and walk through each finding. For each one, ask whether it is something they want to be woken up at 3am for, something that can wait until normal business hours, or something that should be suppressed.
- For each of those, proactively create rules to route and set urgency accordingly.
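As an added illustration of steps 3 and 4 (this is example code, not PagerDuty’s integration or anything from AWS), the script below encodes the outcome of that triage session as a rule table and applies it to a handful of constructed findings shaped like GuardDuty’s. The finding types, severities, account id and thresholds are all assumptions made for the example; the decision for each type is the one your InfoSec team would make, not a recommendation. It also shows how a routed finding becomes a PagerDuty Events API v2 payload, with the finding id as the dedup key so that GuardDuty’s updates to a recurring finding merge into one incident rather than paging again.

```python
"""Triage GuardDuty-style findings into PagerDuty routing decisions.

Added example, not code from PagerDuty or AWS. It models steps 3 and 4
above: the InfoSec team records, per finding type, whether a finding
pages at 3am (high urgency), waits for business hours (low urgency) or
is suppressed, and rules apply that decision before anything reaches an
on-call engineer. Finding types, severities and the rule table are
constructed for illustration; tune them to your own triage session.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

HIGH, LOW, SUPPRESS = "high", "low", "suppress"

# Triage table: (finding-type glob, minimum severity, decision).
# First match wins, so list specific entries before wildcards.
RULES = [
    ("Stealth:IAMUser/CloudTrailLoggingDisabled", 0.0, HIGH),  # logging turned off: always wake someone
    ("UnauthorizedAccess:IAMUser/*", 0.0, HIGH),               # credentials used from a tracked bad actor
    ("UnauthorizedAccess:EC2/SSHBruteForce", 7.0, HIGH),       # brute force that GuardDuty rates high
    ("UnauthorizedAccess:EC2/SSHBruteForce", 0.0, SUPPRESS),   # low-rated SSH brute force is background noise
    ("UnauthorizedAccess:EC2/RDPBruteForce", 0.0, LOW),        # review during business hours
    ("Recon:*", 0.0, LOW),                                     # port probes and similar
]
# Anything not in the table pages when GuardDuty rates it at or above this severity.
UNKNOWN_PAGE_THRESHOLD = 4.0


@dataclass
class Routing:
    action: str             # "trigger" or "suppress"
    urgency: Optional[str]  # "high", "low", or None when suppressed
    dedup_key: str          # GuardDuty reuses a finding id when activity recurs, so updates merge
    summary: str


def decide(finding_type: str, severity: float) -> str:
    """Return HIGH, LOW or SUPPRESS for a finding type and GuardDuty severity."""
    for pattern, min_severity, decision in RULES:
        if fnmatch(finding_type, pattern) and severity >= min_severity:
            return decision
    return HIGH if severity >= UNKNOWN_PAGE_THRESHOLD else LOW


def triage(finding: dict) -> Routing:
    """Map one finding (GuardDuty-like dict) to a PagerDuty routing decision."""
    decision = decide(finding["type"], finding["severity"])
    summary = f"{finding['type']} (severity {finding['severity']}) in account {finding['accountId']}"
    if decision == SUPPRESS:
        return Routing("suppress", None, finding["id"], summary)
    return Routing("trigger", decision, finding["id"], summary)


def to_event(finding: dict, routing_key: str) -> Optional[dict]:
    """Build a PagerDuty Events API v2 trigger payload, or None when the finding is suppressed."""
    r = triage(finding)
    if r.action == "suppress":
        return None
    return {
        "routing_key": routing_key,
        "event_action": "trigger",
        "dedup_key": r.dedup_key,
        "payload": {
            "summary": r.summary,
            "source": finding["accountId"],
            "severity": "critical" if r.urgency == HIGH else "warning",
            "custom_details": {"finding_type": finding["type"], "gd_severity": finding["severity"]},
        },
    }


# Constructed sample findings, shaped like the fields a GuardDuty finding carries.
SAMPLE_FINDINGS = [
    {"id": "f-001", "accountId": "111111111111", "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 2.0},
    {"id": "f-002", "accountId": "111111111111", "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 8.0},
    {"id": "f-003", "accountId": "111111111111", "type": "Stealth:IAMUser/CloudTrailLoggingDisabled", "severity": 2.0},
    {"id": "f-004", "accountId": "111111111111", "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "severity": 5.0},
    {"id": "f-005", "accountId": "111111111111", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0},
    {"id": "f-006", "accountId": "111111111111", "type": "Backdoor:EC2/Spambot", "severity": 5.0},
]


def tally(findings) -> dict:
    """Count decisions: the same summary view the triage session with InfoSec produces."""
    counts = {HIGH: 0, LOW: 0, SUPPRESS: 0}
    for f in findings:
        counts[decide(f["type"], f["severity"])] += 1
    return counts


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f['id']}: {triage(f)}")
    print(tally(SAMPLE_FINDINGS))
```

Two points in the design matter in practice. The rule table is ordered and the first match wins, so a specific entry such as the high-severity SSH brute force line must sit above the catch-all that suppresses the rest; and the policy is keyed on finding type first and severity second, which is why a low-severity “logging disabled” finding still pages while a low-severity brute force does not.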
Event Intelligence
And if you enable our Event Intelligence you’ll find that we also merge similar alerts into single incidents. This will reduce the noise even more. The two solutions feel like they were meant to go together.
GuardDuty gives you that visibility to what is happening across Amazon’s expansive network. And PagerDuty helps you get that actionable information to the team that needs it the most and can do something about it. In Part 2 I’ll cover how you can bring visibility into Business Impact to key stakeholders with PagerDuty Visibility.
* I’m not mixing metaphors. Star Wars A New Hope is very much influenced by Westerns . . .