
From Cramsession
Verified Author: Mflavell

Amazon GuardDuty

This is a managed threat detection service.

  • Uses machine learning
  • Can process millions of events, captured by:
      • CloudTrail
      • DNS (Route 53)
      • VPC Flow logs


This service learns what is normal in the account to find abnormal actions.

  • Can detect connections with unusual sources.
  • E.g. data being exfiltrated to a remote FTP server


This is an always-on service:

  • Issues can be found without incurring a performance hit.
  • No local agents are required - this is Security as a Service.
  • No upfront costs with GuardDuty.
  • Enabled in one click, with no configuration nightmares.


Additionally:

  • Coverage is global.
  • Can detect well-known threats using threat intelligence feeds
  • Can find behaviour-based threats
  • Can monitor security across different accounts


GuardDuty Data Sources

Once GuardDuty is enabled, it uses these data sources...


  • VPC Flow Logs
Provide details about network communication.
VPC Flow Logs can be turned off in the account - because of this, GuardDuty uses its own flow log stream, independent of the customer's configuration.


  • CloudTrail Events
Record SDK and command-line (API) use for future reference.
Help build a profile of your account to understand what is normal.


  • DNS logs
Checks DNS queries made by known and unknown instances.
Can look at the domains queried and compare them to threat intelligence.
Can be done with or without Route 53 enabled.
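As an added example that is not part of the original notes, the triage helper below takes GuardDuty findings in their JSON shape, traces each one back to the data source it came from (VPC Flow Logs, CloudTrail or DNS logs, via the finding's Service.Action.ActionType) and buckets it by AWS's published severity bands. The sample findings are constructed; the finding ids are placeholders, and the mapping of ActionType to data source is the author's summary of the notes above.

```python
"""Triage helper for Amazon GuardDuty findings (added example).

Maps each finding to the data source GuardDuty derived it from and
buckets it by severity. The sample findings below are constructed,
not real account data; the ids are placeholders.
"""
from collections import Counter

# GuardDuty's Service.Action.ActionType -> data source described in the notes
ACTION_SOURCE = {
    "NETWORK_CONNECTION": "VPC Flow Logs",
    "PORT_PROBE": "VPC Flow Logs",
    "AWS_API_CALL": "CloudTrail Events",
    "DNS_REQUEST": "DNS logs",
}

def severity_band(score: float) -> str:
    """Severity bands as published by AWS (Critical is the newest band, >= 9.0)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

def triage(findings):
    """Return (id, type, data_source, band) tuples, highest severity first."""
    rows = []
    for f in findings:
        action = f.get("Service", {}).get("Action", {}).get("ActionType", "")
        rows.append((f["Id"], f["Type"], ACTION_SOURCE.get(action, "unknown"),
                     severity_band(f["Severity"]), f["Severity"]))
    rows.sort(key=lambda r: r[4], reverse=True)
    return [r[:4] for r in rows]

def count_by_source(findings):
    """How many findings each data source produced, for a quick coverage check."""
    return Counter(row[2] for row in triage(findings))

# Constructed sample findings in GuardDuty's JSON shape (ids are placeholders)
SAMPLE_FINDINGS = [
    {"Id": "finding-1", "Type": "Behavior:EC2/NetworkPortUnusual", "Severity": 5,
     "Service": {"Action": {"ActionType": "NETWORK_CONNECTION"}}},
    {"Id": "finding-2", "Type": "Trojan:EC2/DNSDataExfiltration", "Severity": 8,
     "Service": {"Action": {"ActionType": "DNS_REQUEST"}}},
    {"Id": "finding-3", "Type": "Recon:IAMUser/MaliciousIPCaller", "Severity": 2,
     "Service": {"Action": {"ActionType": "AWS_API_CALL"}}},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(*row, sep=" | ")
```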