How does the Amazon GuardDuty threat detection service work?

At Amazon Web Services' re:Invent conference, the company introduced Amazon GuardDuty, a new threat detection service for cloud customers. How does Amazon GuardDuty work, and what makes it different from other advanced threat detection products?

At the last re:Invent conference, Amazon released an unholy amount of new services. I'm honestly not sure how they're able to keep up with the documentation on their offerings, let alone develop and create new services at such a fast rate.

That being said, one of the new offerings they released at the re:Invent conference was Amazon GuardDuty -- a service that detects threats at a quick rate to accelerate the incident response procedures within an organization and minimize the impact of intruders. These actions are commonly seen as mean time to detect (MTTD) and mean time to respond (MTTR).

By utilizing machine learning, many security vendors are using this technology to lower MTTD and MTTR for their clients. Since Amazon is no different, they have also created their own offering that utilizes machine learning with third-party intelligence to help customers using Amazon Web Services (AWS).

Within the console, it really only takes a few clicks for this threat intelligence offering to start looking for anomalies within your AWS instances and networks. Turning on Amazon GuardDuty will start the analysis of the logs generated within AWS and begin the hunt for threats. This is done via machine learning and by injecting third-party intelligence -- mainly from CrowdStrike and Proofpoint -- to help train the system and give it more context to recognize malicious traffic.

If an alert appears through this console, security teams are able to review it and take action based off of particular criteria. By using this technology to understand the findings of what's normal within a network and the contextual data to known bad actors, GuardDuty can detect anomalies, such as compromised accounts attempting to use credentials on a server that aren't normally used, followed by the exfiltration of data shortly afterwards to a malicious IP address.

Having this knowledge assists with the MTTD, but by using automation that's built into the cloud, the MTTR is also reduced; organizations can set up Lambda functions to initiate from GuardDuty events. When this occurs, you can automate responses to events, respond to detected events and send alerts as the response is taking place. If an account is being used maliciously to infiltrate data, then your automation can set up a filtering rule to block the IP from sending outbound on your network.

Amazon GuardDuty is different than competitors in the behavioral space because there is no hardware or software that needs to be installed.

Amazon GuardDuty is different than competitors in the behavioral space because there is no hardware or software that needs to be installed. Many of these competitors require a tap of the network traffic and additional architecture changes to acquire data. Since these systems are already living within the AWS ecosystem, there is no install needed, nor do you have to make network changes to get data -- it's a simple and quick method to see what's occurring within your AWS traffic.

Furthermore, the recent acquisition of Sqrrl, a tool that enables analysts to perform threat hunting and investigations into security events, will likely end up playing very nicely with GuardDuty in future releases.

Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)