
Eric Burns Online

My Virtual Take on Tech


Can You Learn from the Cloud and Be More Secure?

November 30, 2018 | High Level Tech Intro

The Internet has been described as the Wild West. It is expansive, diverse and chaotic. In old Westerns a new visitor to town often learned important details by talking to the local saloon bartender. Everyone tended to pass through for a drink, so the bartender saw and overheard a lot of what was going on. What if I told you there was a firm tapped into a large number of metaphorical “saloons” around the world? Someone who might even know what evil traffic is coming from many of the “wretched hive(s) of scum and villainy” that dot the Internet . . . *

Western Saloon photo courtesy of Pixabay

GuardDuty

I’m speaking about Amazon’s GuardDuty. If you think this analogy is a stretch, read on. Once you know more you’ll find it is an offering you can’t pass on. And if you are using PagerDuty, I’ll conclude with some suggestions on being proactive with your integration. This will get you farther along in your Digital Operations Maturity.

With GuardDuty, Amazon combines several pieces of knowledge and insight. Some of this comes from experts applying their experience, some from machine learning. Lastly, they leverage their expansive network visibility into attacks and attempted break-ins.

Buckets of Findings

AWS breaks the information down into 42 distinct buckets called “findings”, each of which comes with an urgency level from 1 to 8. You might think that 42 is a lot, but InfoSec is typically much noisier than that. It’s impressive that Amazon reduces the roar this much. (And with PagerDuty you can reduce it even more. I cover how in the second half.)

Some of those buckets are what we all see in our logs: items like SSH or RDP brute-force attacks. But others highlight Amazon’s expansive visibility. With all of the systems and IP addresses they are involved with, they can see attacks coming in from other parts of the world. With that they have built up a large list of “bad actors” out there, complete with their IP addresses. Wouldn’t you want to know if someone logged into your console from one of those addresses? GuardDuty would be able to alert you if it saw a bad guy it was tracking unlock the door to your business with keys they probably stole.

They also leverage machine learning to track activity that is out of the norm. This might include actions like turning off logging, or perhaps logins from locations where you never have activity. The list goes on and on, but trust me, they have a lot of insight and seem to be adding more regularly.

Kirk Punches, the Sr. Director of Strategic Cloud Alliances at PagerDuty, and Jay Yeras, the DevOps Partner Solutions Architect from Amazon, present PagerDuty’s integration with GuardDuty.

After looking at GuardDuty, it is very easy to see why you would want to leverage Amazon’s expertise and expansive view of the Internet to help make your applications more secure. But once you are sold on Amazon, how can PagerDuty help even more? The best way to go about this is to leverage our simple integration and then take a few other simple steps during quiet times to be proactive.

4 Steps

With the Digital Operations Maturity Model, the more you can prepare for and automate, the quicker you can respond, or be proactive, when unplanned events happen. Just take 4 steps:

  1. Follow our simple integration guide with GuardDuty. Pipe the information into the appropriate service.
  2. From the GuardDuty Settings, use the “Generate sample findings” button. You’ll get 42 sample findings sent to your PagerDuty instance. Note that it can take up to 15 minutes for these findings to be generated.

    GuardDuty Generate Sample Findings screen
  3. Sit down with your InfoSec team and walk through each finding. Ask them whether this is something they want to be woken up at 3am for, something that can wait until normal business hours, or something that should be suppressed.
  4. For each of those, proactively create rules to route and set urgency accordingly.
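Steps 3 and 4 above produce a triage table: for each GuardDuty finding type, either page someone, defer to business hours, or suppress. Here is an added example (my own illustration, not PagerDuty’s or AWS’s code) that records such a table as code and turns a GuardDuty finding into a PagerDuty Events API v2 trigger payload. The policy table itself is hypothetical (the kind of decisions a triage meeting might reach); the finding-type names and severity bands (Low 1.0–3.9, Medium 4.0–6.9, High 7.0–8.9) are real GuardDuty ones, the finding JSON samples are constructed, and the `routing_key` is a placeholder. It goes a little beyond the post by falling back to the severity band for finding types the table does not name, so a new type GuardDuty adds later still gets a sensible default.

```python
import json

# Hypothetical outcome of the step-3 triage with InfoSec, recorded as code.
# Keys are GuardDuty finding-type prefixes; values are the routing decision.
# The longest matching prefix wins, so a broad family rule can be overridden
# by a more specific one.
TRIAGE_POLICY = {
    "Stealth:IAMUser/CloudTrailLoggingDisabled": "page",       # someone turned off logging
    "UnauthorizedAccess:IAMUser/MaliciousIPCaller": "page",    # known-bad IP using your keys
    "CryptoCurrency:EC2/": "page",                             # mining on your instances
    "UnauthorizedAccess:EC2/SSHBruteForce": "business_hours",  # background noise, but track it
    "UnauthorizedAccess:EC2/RDPBruteForce": "business_hours",
    "Recon:EC2/PortProbeUnprotectedPort": "suppress",          # handled by security-group hygiene
}

# Fallback for finding types the table does not name, keyed on the
# GuardDuty severity band (AWS documents Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9).
SEVERITY_FALLBACK = {"High": "page", "Medium": "business_hours", "Low": "suppress"}

# PagerDuty Events API v2 severity values for each routing decision.
PD_SEVERITY = {"page": "critical", "business_hours": "warning"}


def severity_band(score: float) -> str:
    """Map a numeric GuardDuty severity to its documented band."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def triage(finding: dict) -> str:
    """Return 'page', 'business_hours' or 'suppress' for one finding."""
    ftype = finding["Type"]
    matches = [prefix for prefix in TRIAGE_POLICY if ftype.startswith(prefix)]
    if matches:
        return TRIAGE_POLICY[max(matches, key=len)]
    return SEVERITY_FALLBACK[severity_band(finding["Severity"])]


def describe_resource(finding: dict) -> str:
    """Short label for the affected resource, used in the alert summary."""
    resource = finding.get("Resource", {})
    if resource.get("ResourceType") == "Instance":
        return resource["InstanceDetails"]["InstanceId"]
    if resource.get("ResourceType") == "AccessKey":
        return "IAM user " + resource["AccessKeyDetails"]["UserName"]
    return resource.get("ResourceType", "unknown resource")


def build_pagerduty_event(finding: dict, routing_key: str):
    """Build an Events API v2 trigger payload, or None if the finding is suppressed."""
    decision = triage(finding)
    if decision == "suppress":
        return None
    return {
        "routing_key": routing_key,
        "event_action": "trigger",
        # GuardDuty re-reports a repeated finding under the same Id with an
        # incremented Count rather than creating a new one, so the Id is a
        # natural dedup key: repeats update one alert instead of adding more.
        "dedup_key": finding["Id"],
        "payload": {
            "summary": f"{finding['Type']} on {describe_resource(finding)} ({decision})",
            "source": finding["AccountId"],
            "severity": PD_SEVERITY[decision],
            "component": describe_resource(finding),
            "group": finding["AccountId"],
            "class": finding["Type"],   # lets grouping rules key on the finding type
            "custom_details": {
                "guardduty_severity": finding["Severity"],
                "region": finding["Region"],
                "count": finding.get("Service", {}).get("Count", 1),
            },
        },
    }


# Constructed sample findings (ids, account, instance and user are made up).
SAMPLE_FINDINGS = [
    {"Id": "finding-0001", "AccountId": "123456789012", "Region": "us-east-1",
     "Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 2.0,
     "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0abc123"}},
     "Service": {"Count": 37}},
    {"Id": "finding-0002", "AccountId": "123456789012", "Region": "us-east-1",
     "Type": "Stealth:IAMUser/CloudTrailLoggingDisabled", "Severity": 2.0,
     "Resource": {"ResourceType": "AccessKey", "AccessKeyDetails": {"UserName": "deploy-bot"}},
     "Service": {"Count": 1}},
    {"Id": "finding-0003", "AccountId": "123456789012", "Region": "us-east-1",
     "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0,
     "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0abc123"}}},
    {"Id": "finding-0004", "AccountId": "123456789012", "Region": "us-east-1",
     "Type": "Backdoor:EC2/C&CActivity.B!DNS", "Severity": 8.0,   # not in the table: falls back
     "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0def456"}}},
]


def triage_summary(findings) -> dict:
    """Count findings per routing decision, as a quick sanity check of the table."""
    counts = {"page": 0, "business_hours": 0, "suppress": 0}
    for f in findings:
        counts[triage(f)] += 1
    return counts


if __name__ == "__main__":
    print(triage_summary(SAMPLE_FINDINGS))
    for f in SAMPLE_FINDINGS:
        print(json.dumps(build_pagerduty_event(f, "ROUTING_KEY_PLACEHOLDER"), indent=2))
```

Note the second sample: GuardDuty rates CloudTrail logging being disabled as a low-severity finding, yet the triage table pages for it, because that is exactly the kind of event the post describes as “out of the norm.” That is the point of step 3: the numeric severity is a starting point, and the routing decision is your team’s call.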

Event Intelligence

And if you enable our Event Intelligence you’ll find that we also merge similar alerts into single incidents. This reduces the noise even more. The two solutions feel like they were meant to go together.

PagerDuty Event Intelligence automatically merging similar alerts (EC2 instances querying Bitcoin-related domains) into one incident

GuardDuty gives you visibility into what is happening across Amazon’s expansive network. And PagerDuty helps you get that actionable information to the team that needs it the most and can do something about it. In Part 2 I’ll cover how you can bring visibility into business impact to key stakeholders with PagerDuty Visibility.


* I’m not mixing metaphors.  Star Wars A New Hope is very much influenced by Westerns . . .

