Analytics-Based Investigation and Automated Response with AWS + Splunk Security Solutions

Organizations are migrating an increasing amount of their infrastructure into the cloud. The cloud provides organizations with a number of benefits like greater scalability, improved reliability and faster time to value. However, these potential benefits can be offset if security is an afterthought. Cloud providers offer customers a baseline level of security, but a healthy security posture across the entire enterprise application stack requires monitoring and detecting threats beyond baseline infrastructure. 

Providers such as AWS, Azure and Google Cloud have added security capabilities either for free or through easily accessible premium services. Features typically support workload security, network security policies, IAM integration, data encryption and more. While some customers can achieve better security outcomes using what’s natively provided, others require additional third-party functionality. This functionality can provide security consistency across environments, and address more specific use cases, such as industry-specific compliance mandates.

We’ll use Amazon Web Services (AWS) as an example. Here are some AWS monitoring tools that can generate security relevant alerts:

1. GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts. With the cloud, the collection and aggregation of account and network activities is simplified, but it can be time-consuming for security teams to continuously analyze event log data for potential threats. With GuardDuty, you now have an intelligent and cost-effective option for continuous threat detection in AWS.

2. Macie

Amazon Macie automates the discovery of sensitive data at scale and lowers the cost of protecting your data. Macie automatically provides an inventory of Amazon S3 buckets and applies machine learning and pattern matching techniques to the buckets you select to identify and alert you to sensitive data.

3. Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities and produces a detailed list of security findings prioritized by level of severity.

4. Security Hub

AWS Security Hub gives you a single place that aggregates, organizes and prioritizes your security findings from multiple AWS services like the ones listed above, normalizing them into one common format (the AWS Security Finding Format). AWS Security Hub also continuously monitors your environment using automated security checks based on AWS best practices and the industry standards your organization follows.

How can these tools become an integral part of your security monitoring? That’s where Splunk can help. Splunk is a flexible platform that allows you to gain visibility into your highest priority security concerns. Splunk Enterprise Security (ES) delivers an end-to-end view of an organization’s security posture, consolidating your analysis of on-premises data and security events from AWS accounts into a single view. Splunk Phantom orchestrates and automates your response to threats, helping your team work smarter, respond faster and strengthen your defenses. Together, AWS and the Splunk security ecosystem help teams create consistent, automated mitigation processes.
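To make the pipeline above concrete, here is an added example (not code from the original post, Splunk or AWS) of the glue a team typically writes between the two halves: it takes Security Hub findings in the AWS Security Finding Format (ASFF), wraps each one as a Splunk HTTP Event Collector (HEC) event so ES can index it at the finding's own timestamp, and picks an automated-response playbook from the finding's severity, type and affected resource. The index, sourcetype and playbook names are hypothetical, the routing thresholds are a sample policy rather than anything prescribed by Splunk or AWS, and the three findings are constructed samples (a GuardDuty SSH brute-force finding, a Macie sensitive-data finding and an already-archived Inspector finding that must not trigger any action).

```python
"""
Added example (not from the page, Splunk or AWS): normalize AWS Security Hub
findings (ASFF) into Splunk HEC events and choose an automated-response
playbook. Index, sourcetype and playbook names are hypothetical; the
findings below are constructed samples with made-up accounts, ARNs and IPs.
"""
import json
from datetime import datetime, timezone

# Constructed ASFF findings, trimmed to the fields used here.
SAMPLE_FINDINGS = [
    {   # GuardDuty finding forwarded to Security Hub
        "Id": "arn:aws:guardduty:us-east-1:111122223333:detector/d1/finding/f1",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
        "AwsAccountId": "111122223333",
        "Types": ["TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce"],
        "UpdatedAt": "2021-03-01T12:00:00.000Z",
        "Severity": {"Label": "HIGH", "Normalized": 70},
        "Title": "198.51.100.7 is performing SSH brute force against i-0abc",
        "Resources": [{"Type": "AwsEc2Instance",
                       "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc",
                       "Region": "us-east-1"}],
        "Workflow": {"Status": "NEW"},
        "RecordState": "ACTIVE",
    },
    {   # Macie sensitive-data finding
        "Id": "arn:aws:macie:us-east-1:111122223333:finding/m1",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/macie",
        "AwsAccountId": "111122223333",
        "Types": ["Sensitive Data Identifications/PII/Personal"],
        "UpdatedAt": "2021-03-01T12:05:00.000Z",
        "Severity": {"Label": "MEDIUM", "Normalized": 40},
        "Title": "The S3 object contains personal information",
        "Resources": [{"Type": "AwsS3Bucket",
                       "Id": "arn:aws:s3:::example-customer-exports",
                       "Region": "us-east-1"}],
        "Workflow": {"Status": "NEW"},
        "RecordState": "ACTIVE",
    },
    {   # Inspector finding already archived: must not trigger anything
        "Id": "arn:aws:inspector:us-east-1:111122223333:finding/i1",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector",
        "AwsAccountId": "111122223333",
        "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
        "UpdatedAt": "2021-02-28T09:00:00.000Z",
        "Severity": {"Label": "LOW", "Normalized": 20},
        "Title": "CVE found on i-0def",
        "Resources": [{"Type": "AwsEc2Instance",
                       "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0def",
                       "Region": "us-east-1"}],
        "Workflow": {"Status": "RESOLVED"},
        "RecordState": "ARCHIVED",
    },
]

INACTIVE_WORKFLOW = {"RESOLVED", "SUPPRESSED"}


def is_actionable(finding):
    """Only ACTIVE findings whose workflow is still open should drive response."""
    return (finding.get("RecordState") == "ACTIVE"
            and finding.get("Workflow", {}).get("Status") not in INACTIVE_WORKFLOW)


def to_hec_event(finding, index="aws_security", sourcetype="aws:securityhub:finding"):
    """Wrap one ASFF finding as a Splunk HEC event (hypothetical index/sourcetype).
    'time' comes from UpdatedAt so Splunk indexes it at the finding's own timestamp."""
    updated = datetime.strptime(finding["UpdatedAt"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return {"time": updated.replace(tzinfo=timezone.utc).timestamp(),
            "source": finding["ProductArn"], "sourcetype": sourcetype,
            "index": index, "event": finding}


def choose_playbook(finding):
    """Sample routing policy (hypothetical): which SOAR playbook to run, or None."""
    severity = finding.get("Severity", {}).get("Normalized", 0)
    types = finding.get("Types", [])
    resource_types = {r.get("Type") for r in finding.get("Resources", [])}
    if severity >= 70:
        # Attacker behaviour (TTPs) on an EC2 instance: contain the host first.
        if "AwsEc2Instance" in resource_types and any(t.startswith("TTPs/") for t in types):
            return "isolate_ec2_instance"
        return "page_oncall"
    if severity >= 40:
        if "AwsS3Bucket" in resource_types and any(
                t.startswith("Sensitive Data Identifications/") for t in types):
            return "review_s3_bucket_exposure"
        return "create_ticket"
    return None  # LOW/INFORMATIONAL: index for investigation, no automation


def process_findings(findings):
    """Return (hec_event, playbook) for every actionable finding, in input order."""
    return [(to_hec_event(f), choose_playbook(f)) for f in findings if is_actionable(f)]


def to_hec_batch(events):
    """HEC /services/collector accepts newline-separated JSON objects in one POST body."""
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events)


if __name__ == "__main__":
    for event, playbook in process_findings(SAMPLE_FINDINGS):
        f = event["event"]
        print(f"{f['Severity']['Label']:<7} {f['Title'][:48]:<48} -> {playbook}")
```

Run as a script it prints one line per actionable finding with the chosen playbook; the archived Inspector finding is filtered out before any playbook is considered, which is the check that matters most in practice, since re-running containment on a resolved finding is how automated response earns a bad reputation. Shipping the batch to Splunk is one HTTPS POST of `to_hec_batch(...)` to the HEC endpoint with an `Authorization: Splunk <token>` header, which is left out here so the example runs offline.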

In the webinar "Analytics based investigation and automated response with AWS + Splunk Security Solutions," we’ll walk you through how AWS and these Splunk products work together to help you strengthen your security posture and defend against threats to your environment.

Posted by Olivia Courtney