As organizations deploy more assets into major IaaS cloud providers, like AWS and Microsoft Azure, they're realizing...
that many tried-and-true security controls are now managed by the cloud provider. While many controls have been adapted to the cloud -- and actually may gain new capabilities through automation and software-defined defenses -- there's still a definite lack of visibility into what is happening within the cloud providers' environment.
Logging services like AWS CloudTrail and Microsoft Azure Activity Log are a great start, and security teams can glean many insights from aggregating this log data and correlating it with SIEM and other tools. However, there has been a driving need to gather deeper behavioral intelligence about the overall operation of cloud environments, focusing on user activities, network traffic, system and application behaviors, and more. Unfortunately, there hasn't been any way to accomplish this -- until recently.
Both Amazon and Microsoft now have services that offer tenants much deeper cloud threat intelligence and threat detection capabilities than before.
The cloud threat intelligence service provided 34 distinct types of detection for AWS accounts when it was released in November 2017, and added another dozen in March 2018. The new detection rules within GuardDuty cover reconnaissance activities against accounts or users executing API calls looking for details about resources, post-compromise persistence through changing permissions on resources in unusual ways, failed authentication and access, attempts by hackers to cover their tracks by disabling logging, and DNS queries from AWS resources to known malware and malicious domains that are updated regularly.
Microsoft's cloud threat intelligence
Microsoft has significantly enhanced its cloud threat detection and intelligence capabilities, both within Azure and the Office 365 SaaS environment. It currently offers three distinct services that organizations can use.
- Windows Defender Advanced Threat Protection. This service provides malware sandboxing for detonation within the Microsoft Azure environment. Admins can see what the malware tried to do and gather indicators of compromise from the system to use in threat hunting or response activities.
- Microsoft Advanced Threat Analytics (ATA). ATA is an on-premises service that Microsoft has offered since 2015 that gathers intelligence from logs and events that occurred within the Windows Active Directory environment to detect account hijacks, misuse of credentials in attacks like pass the hash and Kerberos golden ticket attacks, and lateral movement within the network environment between systems. ATA provides guidance on how to remediate or respond to these activities, as well. Some of these capabilities have been ported into the Azure Security Center, too, but this offers admins less control.
- Azure Advanced Threat Protection (ATP). ATP is a service Microsoft introduced in 2018 that is similar to AWS GuardDuty, and it provides the functionality of ATA in the Azure cloud. This service builds on ATA's detection capabilities, but it requires integration with domain controllers and coordination with Microsoft to fully enable the service within the Azure account.
Microsoft and Amazon are now monitoring customer assets at a very deep level, providing significant computing resources to develop behavioral baselines and ferret out malicious activity in their cloud environments. Providing this level of cloud threat intelligence and detection to customers may significantly enhance the security posture of many cloud deployments, and it may even improve upon what organizations have been running internally.