Enhanced security tooling in the cloud
I have been reviewing the current security tools used by the following cloud services: Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). The following is what I discovered about the tooling from the openly available sales literature (hence the US English spellings). I make no comment on what is said by them as I have not used the tools myself, but the research may be of some use:
AWS Security Hub provides a view of security alerts and security posture across your AWS accounts. There are a range of security tools available from firewalls and endpoint protection to vulnerability and compliance scanners. Security Hub enables a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, AWS Systems Manager, and AWS Firewall Manager, as well as from AWS Partner Network (APN) solutions. AWS Security Hub continuously monitors your environment using automated security checks based on the AWS best practices and industry standards that your organization follows. You can also take action on these security findings by investigating them in Amazon Detective or by using Amazon CloudWatch Event rules to send the findings to ticketing, chat, Security Information and Event Management (SIEM), Security Orchestration Automation and Response (SOAR), and incident management tools or to custom remediation playbooks.
Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. GuardDuty uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs. From the AWS Management Console, GuardDuty can be enabled with no software or hardware to deploy or maintain. By integrating with Amazon CloudWatch Events, GuardDuty alerts are actionable, easy to aggregate across multiple accounts, and straightforward to push into existing event management and workflow systems.
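The two paragraphs above describe the same pipeline from opposite ends: producers such as GuardDuty emit findings, and Security Hub aggregates, prioritizes and forwards them. The following is an added example (not code from AWS or from this page) of what that aggregation and routing logic looks like when written out. The finding records are constructed sample data in a trimmed, ASFF-like shape; the severity ranking, the forwarding thresholds and the destination names ("siem", "ticketing", "chat", "remediation_playbook") are this example's own assumptions, not Security Hub defaults.

```python
"""Toy aggregation, prioritization and routing of security findings.

Added example, not Security Hub's own code. It de-duplicates findings
that a producer re-emits, ranks them by severity and decides where each
one should be forwarded. All records below are constructed.
"""
from collections import defaultdict

# Constructed findings in an ASFF-like shape (most fields omitted).
SAMPLE_FINDINGS = [
    {"Id": "gd-1", "ProductName": "GuardDuty", "AwsAccountId": "111111111111",
     "Types": ["TTPs/Command and Control"],
     "Severity": {"Label": "HIGH"},
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0example1"}],
     "UpdatedAt": "2020-10-01T10:00:00Z"},
    {"Id": "insp-1", "ProductName": "Inspector", "AwsAccountId": "111111111111",
     "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
     "Severity": {"Label": "MEDIUM"},
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0example1"}],
     "UpdatedAt": "2020-10-01T09:00:00Z"},
    # The same GuardDuty finding re-emitted later with an escalated severity.
    {"Id": "gd-1", "ProductName": "GuardDuty", "AwsAccountId": "111111111111",
     "Types": ["TTPs/Command and Control"],
     "Severity": {"Label": "CRITICAL"},
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0example1"}],
     "UpdatedAt": "2020-10-01T11:00:00Z"},
    {"Id": "macie-1", "ProductName": "Macie", "AwsAccountId": "222222222222",
     "Types": ["Sensitive Data Identifications/PII"],
     "Severity": {"Label": "LOW"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "example-bucket"}],
     "UpdatedAt": "2020-10-01T08:00:00Z",
     "Compliance": {"Status": "FAILED"}},
]

# Assumed ranking of the severity labels used in the sample data.
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def aggregate(findings):
    """Collapse repeated emissions of one finding Id per account, keeping the newest."""
    latest = {}
    for f in findings:
        key = (f["AwsAccountId"], f["Id"])
        if key not in latest or f["UpdatedAt"] > latest[key]["UpdatedAt"]:
            latest[key] = f
    return list(latest.values())


def prioritize(findings):
    """Order by severity (highest first), then by most recently updated."""
    return sorted(
        findings,
        key=lambda f: (SEVERITY_RANK[f["Severity"]["Label"]], f["UpdatedAt"]),
        reverse=True,
    )


def route(finding):
    """Destinations for one finding. Thresholds are this example's own assumptions."""
    dest = ["siem"]  # everything is retained in the SIEM for correlation
    if SEVERITY_RANK[finding["Severity"]["Label"]] >= SEVERITY_RANK["HIGH"]:
        dest += ["ticketing", "chat"]  # needs a human now
    if finding.get("Compliance", {}).get("Status") == "FAILED":
        dest.append("remediation_playbook")  # misconfiguration: automatable
    return dest


def triage(findings):
    """(Id, severity, destinations) for each unique finding, highest priority first."""
    return [(f["Id"], f["Severity"]["Label"], route(f))
            for f in prioritize(aggregate(findings))]


def resources_by_account(findings):
    """Affected resource Ids grouped per account: a minimal posture view."""
    view = defaultdict(set)
    for f in aggregate(findings):
        for r in f["Resources"]:
            view[f["AwsAccountId"]].add(r["Id"])
    return {account: sorted(ids) for account, ids in view.items()}


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(row)
    print(resources_by_account(SAMPLE_FINDINGS))
```

Note that de-duplication happens before prioritization: the re-emitted GuardDuty finding is counted once, at its latest (CRITICAL) severity, rather than appearing twice with conflicting labels.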
Amazon Detective helps to analyze, investigate, and identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.
Amazon Detective simplifies the process of identifying the root cause of security findings. It helps with the collection and combination of logs from many separate data sources, which would otherwise require extract, transform, and load (ETL) tools or custom scripting to organize the data. Amazon Detective can analyze events from multiple data sources such as Virtual Private Cloud (VPC) Flow Logs, AWS CloudTrail, and Amazon GuardDuty, then automatically creates a unified, interactive view of your resources, users, and the interactions between them over time. With this unified view, you can visualize all the details and context in one place to identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause.
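The "linked set of data" built from CloudTrail, VPC Flow Logs and GuardDuty is, at its core, a graph whose nodes are entities (users, roles, instances, IP addresses, findings) and whose edges are timestamped interactions. The following added example (a toy of my own, not Amazon Detective's implementation) shows the investigative questions such a graph answers: the timeline of one resource, everything linked to a finding within a few hops, and which principals are behind the affected resource. The events are constructed sample data already normalized to a common shape; the entity prefixes ("user:", "role:", "instance:", "ip:", "finding:") and the relation names are this example's own conventions.

```python
"""Toy entity graph for security investigation.

Added example, not Amazon Detective's code. Events from several sources
are normalized to (time, source, entity_a, relation, entity_b) tuples
and linked into an undirected graph that can be walked from a finding
back to the principals and peers involved. All events are constructed.
"""
from collections import defaultdict, deque

# Constructed events: a role assumption and instance launch (CloudTrail-like),
# two flows to the same external address (VPC Flow-like) and one finding
# (GuardDuty-like). 198.51.100.0/24 is a documentation range.
SAMPLE_EVENTS = [
    ("2020-10-01T08:55:00Z", "cloudtrail", "user:alice", "AssumeRole", "role:Deploy"),
    ("2020-10-01T09:00:00Z", "cloudtrail", "role:Deploy", "RunInstances", "instance:i-0example1"),
    ("2020-10-01T09:30:00Z", "vpcflow", "instance:i-0example1", "connects_to", "ip:198.51.100.23"),
    ("2020-10-01T09:31:00Z", "vpcflow", "instance:i-0example2", "connects_to", "ip:198.51.100.23"),
    ("2020-10-01T10:00:00Z", "guardduty", "instance:i-0example1", "finding", "finding:gd-1"),
]


def build_graph(events):
    """Adjacency list: entity -> [(neighbour, relation, time, source)], undirected."""
    graph = defaultdict(list)
    for time, source, a, rel, b in events:
        graph[a].append((b, rel, time, source))
        graph[b].append((a, rel, time, source))
    return graph


def timeline(graph, entity):
    """Every interaction involving an entity, oldest first: (time, relation, other, source)."""
    return sorted((t, rel, other, src) for other, rel, t, src in graph[entity])


def linked_entities(graph, start, max_hops):
    """Breadth-first walk outward from an entity; returns {entity: hop distance}."""
    seen = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if seen[cur] >= max_hops:
            continue
        for other, *_ in graph[cur]:
            if other not in seen:
                seen[other] = seen[cur] + 1
                queue.append(other)
    return seen


def trace_to_principals(graph, finding_id, max_hops=3):
    """From a finding, walk back to the IAM users and roles linked to its resource."""
    linked = linked_entities(graph, finding_id, max_hops)
    return sorted(e for e in linked if e.startswith(("user:", "role:")))


def peers_sharing_contacts(graph, entity):
    """Other entities that talked to the same external addresses as `entity`."""
    peers = set()
    for other, rel, *_ in graph[entity]:
        if rel == "connects_to" and other.startswith("ip:"):
            peers.update(p for p, r, *_ in graph[other] if r == "connects_to" and p != entity)
    return sorted(peers)


if __name__ == "__main__":
    g = build_graph(SAMPLE_EVENTS)
    for row in timeline(g, "instance:i-0example1"):
        print(row)
    print("principals:", trace_to_principals(g, "finding:gd-1"))
    print("peers:", peers_sharing_contacts(g, "instance:i-0example1"))
```

Walking from the finding rather than from the instance is deliberate: an analyst starts from the alert, and the hop count bounds how far the blast-radius question ("what else is connected to this?") reaches before it becomes noise.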
Useful links for the AWS tooling:
Azure Security Center is a unified infrastructure security management system created to provide advanced threat protection across your hybrid workloads in the cloud. It is a built-in tool that provides threat protection for workloads running in Azure, on premises and in other clouds. It delivers XDR (eXtended Detection and Response) capabilities to protect multi-cloud and hybrid workloads, including virtual machines, databases, containers, IoT, and more. Azure Defender is an evolution of the Azure Security Center threat protection capabilities and is accessed from within Azure Security Center.
Azure Sentinel is a cloud-native security information and event management (SIEM) platform that uses built-in AI to help analyse large volumes of data across an enterprise.
New innovations from Azure Sentinel Sept 2020
- UEBA + Entity Profile - Azure Sentinel is launching User and Entity Behavioral Analytics, to help detect unknown and insider threats.
- Threat Intelligence - security analysts can view, filter, tag and search indicators imported from threat intelligence providers, as well as add new indicators discovered while hunting and investigating threats in Azure Sentinel. Commercial sources include Recorded Future, RiskIQ, ThreatConnect, ThreatQuotient and EclecticIQ.
- Watchlists - customers can import collections of data from external sources as a watchlist such as critical assets, trusted systems, or terminated employees
- Enterprise-Wide Data Collection - to simplify the process of collecting data at scale from your users, devices, apps, and infrastructure, both on-premises and in the cloud, Azure Sentinel is continuing to deliver new connectors for Microsoft 365 and Azure, as well as for other clouds and data collection pipelines. External connectors can be found here.
- Machine Learning - developing and refining machine learning models to extend coverage across the MITRE ATT&CK kill chain and address evolving threats
- IoT/OT - Insights from CyberX will be integrated with Azure Defender for IoT
Useful YouTube link for the Azure tooling:
Google Cloud Security Command Center is an intuitive, intelligent risk dashboard and analytics system for surfacing, understanding, and remediating Google Cloud security and data risks across an organization.
Standard tier features
- Security Health Analytics: provides managed vulnerability assessment scanning for Google Cloud that can automatically detect the highest severity vulnerabilities and misconfigurations for your Google Cloud assets.
- Web Security Scanner custom scans: supports custom scans of deployed applications with public URLs and IPs that aren't behind a firewall.
Premium tier features
- Event Threat Detection monitors your organization's Cloud Logging stream and consumes logs for one or more projects as they become available to detect the following threats: Malware, Cryptomining, Brute force SSH, Outgoing DoS, IAM anomalous grant, Data exfiltration.
- Container Threat Detection detects the following container runtime attacks: Added binary executed, Added library loaded, Reverse shell.
- Security Health Analytics: in the Premium tier, Security Health Analytics provides monitoring for many industry best practices, and compliance monitoring across your Google Cloud assets. These results can also be reviewed in a Compliance dashboard and exported as manageable CSVs. In the Premium tier, Security Health Analytics includes monitoring and reporting for:
  - CIS 1.0 - CIS benchmarks are configuration baselines and best practices for securely configuring a system
  - PCI DSS v3.2.1 - for companies that transmit and use payment card information from consumers, the Payment Card Industry Data Security Standard (PCI DSS) provides the most comprehensive information security standards
  - NIST 800-53 - the standards and guidelines for federal agencies to architect and manage their information security systems
  - ISO 27001 - a specification for an information security management system (ISMS), a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes
- Web Security Scanner provides managed scans that identify the following security vulnerabilities in your Google Cloud apps: Cross-site scripting (XSS), Flash injection, Mixed-content, Clear text passwords, Usage of insecure JavaScript libraries.
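Event Threat Detection, listed above, consumes the logging stream and raises findings such as "Brute force SSH". The following added example (my own toy detector, not Google's Event Threat Detection logic) shows the shape of that detection over a handful of constructed sshd log lines: a sliding window counts failed authentications per source address, and a subsequent successful login from an address already flagged escalates the alert, since a brute force that ends in an accepted login is the case that matters most to a responder. The threshold, window length, severity labels and alert field names are this example's own assumptions; the addresses are from documentation ranges.

```python
"""Toy sliding-window brute-force SSH detector over syslog-style sshd lines.

Added example, not Event Threat Detection's code. Log lines below are
constructed; the threshold and window are assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines: a burst of failures then an accepted login
# from 203.0.113.5, two slow failures from 198.51.100.7, and one unrelated line.
SAMPLE_LOG = """\
Oct  1 10:00:01 bastion sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Oct  1 10:00:03 bastion sshd[2002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Oct  1 10:00:05 bastion sshd[2003]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
Oct  1 10:00:07 bastion sshd[2004]: Failed password for deploy from 203.0.113.5 port 40004 ssh2
Oct  1 10:00:09 bastion sshd[2005]: Failed password for deploy from 203.0.113.5 port 40005 ssh2
Oct  1 10:00:11 bastion sshd[2006]: Failed password for deploy from 203.0.113.5 port 40006 ssh2
Oct  1 10:00:40 bastion sshd[2010]: Accepted password for deploy from 203.0.113.5 port 40010 ssh2
Oct  1 10:05:00 bastion sshd[2020]: Failed password for bob from 198.51.100.7 port 50000 ssh2
Oct  1 10:09:00 bastion sshd[2021]: Failed password for bob from 198.51.100.7 port 50001 ssh2
Oct  1 10:09:05 bastion cron[300]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse(line):
    """Return (timestamp, result, user, ip) for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; relative ordering is all the window needs.
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert when one source IP produces >= threshold failures inside `window`;
    escalate the alert if that IP subsequently authenticates successfully."""
    failures = defaultdict(deque)  # ip -> timestamps of failures still in the window
    flagged = {}                   # ip -> its open alert
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # drop failures that have aged out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {"ip": ip, "type": "ssh_bruteforce", "severity": "medium",
                               "failures": len(q), "first": q[0], "last": ts}
                alerts.append(flagged[ip])
        elif result == "Accepted" and ip in flagged:
            alert = flagged[ip]
            alert.update(type="ssh_bruteforce_success", severity="high",
                         user=user, success_at=ts)
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second address never trips the detector because its two failures are minutes apart; a fixed count without a time window would treat a forgetful user and a password-spraying host the same way.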
Google Chronicle is a global security telemetry platform for investigation and threat hunting within an enterprise network (a cloud-based system similar to a SIEM). Chronicle Detect, launched in September 2020, is a threat-detection rules engine built on Google's infrastructure to help enterprises identify threats.
Useful YouTube link for the Chronicle tooling: