AWS Cloud Operations Blog
How Arctic Wolf uses AWS CloudTrail Lake to Simplify Security and Operations
In this post, we’ll discuss how Arctic Wolf is using AWS CloudTrail Lake to simplify compliance, enhance security operations, and obtain new operational insights from their CloudTrail data.
Arctic Wolf, the leader in security operations, helps customers protect their organizations from rapidly evolving cyber threats with the Arctic Wolf Security Operations Cloud and Concierge Security® model. As an AWS Partner with Level 1 Managed Security Service (MSSP) Competency, Arctic Wolf provides 24×7 security protection and monitoring of essential cloud and on-premises resources through their dedicated team of security operations experts. Arctic Wolf helps organizations detect, respond, and recover from the cyber attacks of today, while proactively hardening their security posture and empowering their employees to defend against the cyber attacks of tomorrow.
Arctic Wolf runs several key workloads on AWS, leveraging various services – including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), AWS Lambda, Amazon Simple Storage Service (Amazon S3), Amazon Simple Queue Service (Amazon SQS), Amazon Relational Database Service (Amazon RDS), Amazon Athena, AWS Security Hub, Amazon GuardDuty, and more.
The challenge
In keeping with AWS best practices, Arctic Wolf separates workloads and environments into multiple AWS accounts. To help enable governance, compliance, and auditing of these accounts, Arctic Wolf utilizes CloudTrail, which can record actions taken by users, roles, or AWS services within AWS accounts. Arctic Wolf’s Security Team routinely utilizes CloudTrail logs to perform security analysis and conduct investigations.
As Arctic Wolf’s business has grown, they have expanded into new AWS Regions. They have also scaled their number of AWS accounts – doubling in the last year alone. This growth was putting pressure on their previous audit, security, and operational investigation approaches. Arctic Wolf’s Security Team found value in consolidating all CloudTrail logs in a central audit account where they could more readily search them, and maintain backup copies. However, this wasn’t without its challenges. They had to setup S3 bucket replication to copy the CloudTrail logs from each AWS account to this central location. Furthermore, there were occasional issues with folder structures. The growing volume of accounts and events were adding more complexity to their use. As a result, this valuable data source was going largely untapped.
In late 2021, they began building a new custom solution that would let them more efficiently search and analyze this vast and growing collection of CloudTrail logs. The solution involved the use of CloudTrail, Amazon CloudWatch Logs , Amazon Kinesis Data Firehose , Lambda, and a large centralized Amazon OpenSearch Service cluster. The key requirements were capacity and speed of operation – as time is precious during an active investigation, and answers are needed quickly. This custom solution could certainly do the job, but it wasn’t a trivial effort, and there were several moving parts.
Enter CloudTrail Lake
Around that time, Arctic Wolf learned about CloudTrail Lake. CloudTrail Lake is a managed data lake that lets organizations aggregate, immutably store, and query events recorded by CloudTrail for auditing, security investigation, and operational troubleshooting. It integrates the collection, storage, search, and analysis of CloudTrail events, all in one tool. Furthermore, it provides a familiar SQL query experience, thereby helping make investigations quicker and easier, and offering a default data retention period of seven years to support common compliance requirements.
Arctic Wolf decided to try CloudTrail Lake and were immediately impressed with the ease of integration with AWS Organizations, the ease of querying, and the speed at which they could get answers during an investigation. CloudTrail Lake was the exact security operations solution that they were hoping for – delivered as a managed service, ready to use, and without the complexity, cost, or overhead of building a custom solution.
A multitude of use cases
Arctic Wolf utilizes CloudTrail Lake to support various valuable use cases:
Audit Store
CloudTrail Lake maintains a centralized, immutable collection of all CloudTrail events across the entirety of Arctic Wolf’s rapidly growing AWS account footprint. This helps with their compliance posture, as well as simplifies management, as they no longer need to set up or manage the replication of CloudTrail logs to a centralized account. CloudTrail Lake offers them an easy, managed, and trusted solution.
Security Operations
CloudTrail Lake is being used for security investigations and answering questions about user activities. The native SQL language support makes querying very accessible to Arctic Wolf’s Security Team, and the sample queries for common scenarios allow for easy customization. For example, the Investigate who called an API and Investigate user actions templates are a common starting point for the Arctic Wolf team. Ease-of-use is very important to facilitate their rapid and efficient investigations.
Moreover, the team is using data from CloudTrail Lake to drive insights for developing optimal least-privilege permissions sets, as based on actual user data. This allows the team to identify the resources most commonly required by different categories of internal users, and set basic access policies accordingly.
Operational Insights
CloudTrail Lake has also helped answer operational questions and facilitate debugging. In one example, an Arctic Wolf Team was investigating some rate limiting being experienced with Amazon Route53, and a quick query identified the Lambda functions being impacted.
Conclusion
In this post, we shared how Arctic Wolf is leveraging CloudTrail Lake to easily aggregate, store, and query their CloudTrail events. In doing so, they have greatly simplified management and usage of their CloudTrail data, enhanced and accelerated security operations, and obtained many new operational insights.
“Before CloudTrail Lake, our CloudTrail data was mostly untapped and burdensome to work with. CloudTrail Lake makes it much easier, and we now use it every day. We love it.” – Todd Snyder, Manager of DevSecOps and Infrastructure Security, Arctic Wolf
Learn more
To learn more about CloudTrail Lake, look at the documentation here .
To get started with CloudTrail Lake in your own account, follow the steps detailed here.
About the Authors