Amazon’s AWS cloud computing division today announced a new threat detection service that aims to help the company’s users safe from potential security threats. The service applies machine learning to identify threats (think an EC2 instances that starts mining Bitcoin without your knowledge or an instance that launches in a region you’ve never used before) and then provides recommendations for mitigating this issue.
AWS users can enable this service with a single click and there’s no agent to install. The service watches all of the usual data streams that could hint at security issues, including AWS CloudTrail logs, DNS logs and other sources, but the service also monitors API usage and looks for other unusual AWS account usage.
If it detects an issue, GuardDuty categorizes it according to three levels (low, medium and high) and provides the user with detailed data and recommendations for how to handle this issue. Users can also push these alerts directly to third-party services like Splunk, Sumo Logic and PagerDuty, as well as tools like JIRA, SeriveNow and Slack.
The company trialed this service with companies like Twilio, Netflix, Atlassian and others.
As the AWS team also noted during today’s keynote, most security errors are caused by misconfigurations. Among other things, GuardDuty watches for these, too. The best way to avoid these, the company argues, is tooling. If you keep the humans away from the data, you can avoid lots of issues. Indeed, at AWS, only a single security engineer works on any particular shift (with the backup of some on-call engineers). That’s only possible because AWS built the necessary tooling to do this.
This tooling automatically looks at what happens in the infrastructure to detect security issues and those issues are automatically ticketed and often automatically resolved. A lot of this tooling was built on top of AWS’ own Lambda service and with Guard Duty (and, previously, Macie), it’s now starting to bring more of this tooling directly to its customers, too.