Amazon Web Services (AWS) offers a feature-rich environment for hosting and managing cloud-based applications on a flexible, highly scalable infrastructure. However, security remains a challenge. Amazon Security Hub and Amazon GuardDuty provide some visibility into log data and security events in AWS environments, but they lack advanced analytics and other features needed to detect and respond to threats.
CYBERSHIELD is a fast-to-deploy cloud-based SIEM designed to quickly detect sophisticated attacks. It aggregates data from AWS sources like CloudTrail and GuardDuty, together with information from on-premises networks, endpoints, and other cloud platforms. It employs User Behavior Analytics (UBA), industry-leading threat intelligence, and automated workflows to help security teams uncover and investigate threats in AWS environments and across the organization’s entire IT footprint.
CYBERSHIELD is integrated with critical AWS services, making it easy to collect detailed log data from:
– AWS CloudTrail, which monitors and logs account activity and administrative actions on services such as the AWS Management Console, AWS SDKs, and command-line tools
– AWS GuardDuty, which provides insight into potentially malicious activity inside AWS – including things like misuse of credentials and privilege escalation
Beyond native integrations, the CYBERSHIELD Agent can be installed on AWS EC2 instances, allowing CYBERSHIELD to pull back real-time EDR telemetry to detect malicious activity and processes, collect forensic data on demand, and contain threats by killing processes or isolating the instance from the network.
CYBERSHIELD also allows for the installation of honeypots in any AWS environment through a native AMI. An alert in CYBERSHIELD is triggered whenever a potential attacker tries to access these honeypots. In addition, CYBERSHIELD can collect any data through its AWS SQS integration. This includes items such as VPC flow logs and Route 53 DNS logs.
CYBERSHIELD combines log data from these services with information from hundreds of other sources across the enterprise, normalizes and enriches the data, and makes it available for searching, reporting and analysis by security teams.
Traditional vulnerability assessment solutions can’t keep up with the highly dynamic nature of cloud environments. Vulnerable assets can come online and operate for extended periods of time before traditional solutions identify their risk (if they do so before the asset spins down, that is). We ensure assets are continually assessed, without requiring scan engines or waiting for scan windows. As a result, we know before attackers do when vulnerable assets have been introduced into the environment.
User Behavior Analytics measures baseline activities by users and generates alerts when it detects anomalous actions such as atypical authentication requests and unusual single sign-on (SSO) activities. It enables our security team to uncover threat actors using stolen user credentials. Our SIEM solution also generates alerts based on behaviours that indicate the suspicious use of computing resources and compromised administrative credentials. These include:
– Activities in new AWS regions
– Use of new AWS services
– Provisioning of new types of virtual machines (for example, a service optimized for cryptocurrency mining)
CYBERSHIELD provides pre-built detections, and organizations can also build custom alerts based on AWS CloudTrail activities. For example, they can create custom alerts that flag actions that access, modify, or remove objects in S3 buckets.
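As an added illustration of the baseline-and-deviation logic described above (example code, not CYBERSHIELD's own), this Python script builds a per-user profile from constructed CloudTrail-style records and raises alerts for a new region, a new service, a new EC2 instance type, and, as the custom S3 rule, object access on a watched bucket. Field names follow CloudTrail (userIdentity, awsRegion, eventSource, eventName, requestParameters), but the instanceType placement is simplified and the user ARN and bucket names are made up.

```python
# Added example, not CYBERSHIELD code: baseline profiling of CloudTrail records.
from collections import defaultdict

ALICE = "arn:aws:iam::111122223333:user/alice"  # constructed IAM user ARN
BASELINE = [  # constructed CloudTrail-style records: the known-good baseline window
    {"userIdentity": {"arn": ALICE}, "awsRegion": "us-east-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "requestParameters": {"instanceType": "t3.medium"}},
    {"userIdentity": {"arn": ALICE}, "awsRegion": "us-east-1",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "requestParameters": {"bucketName": "app-logs", "key": "2024/app.log"}},
]
NEW_EVENTS = [  # constructed records to evaluate against that baseline
    {"userIdentity": {"arn": ALICE}, "awsRegion": "ap-southeast-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "requestParameters": {"instanceType": "p3.16xlarge"}},
    {"userIdentity": {"arn": ALICE}, "awsRegion": "us-east-1",
     "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "requestParameters": {"bucketName": "app-logs", "key": "2024/audit.log"}},
]
WATCHED_BUCKETS = {"app-logs"}  # buckets covered by the custom S3 object rule
S3_OBJECT_ACTIONS = {"GetObject", "PutObject", "DeleteObject"}

def build_baseline(events):
    """Per-user sets of regions, services and EC2 instance types seen in the window."""
    profile = defaultdict(lambda: {"regions": set(), "services": set(), "types": set()})
    for ev in events:
        p = profile[ev["userIdentity"]["arn"]]
        p["regions"].add(ev["awsRegion"])
        p["services"].add(ev["eventSource"])
        itype = ev.get("requestParameters", {}).get("instanceType")
        if itype:
            p["types"].add(itype)
    return profile

def detect(profile, events):
    """Return (user, rule, detail) for each deviation from the user's baseline."""
    alerts = []
    for ev in events:
        user, rp = ev["userIdentity"]["arn"], ev.get("requestParameters", {})
        p = profile[user]  # an unseen user gets empty sets, so everything fires as new
        if ev["awsRegion"] not in p["regions"]:
            alerts.append((user, "new_region", ev["awsRegion"]))
        if ev["eventSource"] not in p["services"]:
            alerts.append((user, "new_service", ev["eventSource"]))
        itype = rp.get("instanceType")
        if itype and itype not in p["types"]:
            alerts.append((user, "new_instance_type", itype))
        # Custom CloudTrail rule: object access, modify or remove on watched buckets.
        if ev["eventSource"] == "s3.amazonaws.com" and ev["eventName"] in S3_OBJECT_ACTIONS \
                and rp.get("bucketName") in WATCHED_BUCKETS:
            alerts.append((user, "s3_" + ev["eventName"].lower(), rp["bucketName"] + "/" + rp.get("key", "")))
    return alerts
```

Run against the constructed records, the first event produces a new-region and a new-instance-type alert (EC2 itself is already in the baseline), and the second produces only the custom S3 delete alert.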
GuardDuty alerts can be sent to CYBERSHIELD, so our security team can follow up immediately, using the full power of CYBERSHIELD to correlate data from multiple platforms, retrace user behaviours, pivot to additional log sets, and directly query AWS resources with the CYBERSHIELD Agent.