Cloudanix’s Real-Time Threat and Anomaly Detection for Workloads on AWS
By Sujay Maheshwari, Co-Founder and Technology Head – Cloudanix
By Purusottam Mupunu, Co-Founder and CTO – Cloudanix
By Bharath S, Sr. Partner Solutions Architect – AWS
In the ever-changing realm of cyber threats, ensuring the security of cloud infrastructure and maintaining visibility across your landscape has become of utmost importance. As cyber threats continue to grow in sophistication, conventional security measures often fall short in safeguarding against emerging risks.
In the domain of cybersecurity, time is of the essence. Swift detection and response can mean the difference between a minor incident and catastrophic breach. Embracing real-time threat detection as a fundamental pillar of your cybersecurity strategy is imperative, as it helps fortify your digital assets against the persistent perils of the digital world.
Cloudanix provides a holistic approach to identifying threats and anomalies by leveraging Amazon Web Services (AWS) cloud infrastructure logs. This encompasses various types of logs, such as AWS CloudTrail logs, Amazon Virtual Private Cloud (VPC) flow logs, Amazon Route 53 domain name system (DNS) logs, and Amazon API Gateway logs.
Cloudanix employs machine learning (ML) and anomaly detection algorithms to promptly detect and alert against potential threats. By offering a centralized perspective, Cloudanix enables real-time tracking of all threats and anomalies within your AWS infrastructure. This aids in distinguishing between malicious actions carried out by attackers and legitimate activities performed by team engineers.
Cloudanix is an AWS Partner and AWS Marketplace Seller that’s on a mission to maximize return on investment (ROI) of your security stack by giving you one platform instead of multiple different solutions and products.
Cloudanix’s Approach to Solve the Challenges
Cloudanix actively monitors AWS CloudTrail logs, VPC flow logs, Amazon Route 53 DNS logs, Amazon API Gateway logs, and Amazon Elastic Kubernetes Service (Amazon EKS) logs in real time. It thoroughly analyzes these logs to discern behavioral patterns and assess the security significance of the activities.
Here are some sample instances of threats and anomalous activities supported by Cloudanix:
- Cryptojacking within workloads (containers or Amazon EC2 instances)
- Inbound security rule permitting traffic from the entire internet (0.0.0.0/0 or ::/0)
- Console login originating from an unforeseen location, employing a non-standard device and operating system (OS)
- Attempt to generate an extensive volume of resources in a brief timeframe
The platform supports over 300 such threat patterns as part of the real-time threat detection engine.
Cloudanix also possesses the capability to instantaneously identify anomalies, fostering the creation of proactive security measures that ensure comprehensive visibility. It maintains constant vigilance over Amazon Elastic Compute Cloud (Amazon EC2) instances, VPC networks, endpoints, and containers, identifying possible threats and malicious behaviors.
The Cloudanix dashboard offers seamless real-time threat and anomaly detection, employing an agentless approach to identify potential risks by linking logs to cloud resources and categorizing them according to severity levels.
Continuous monitoring is maintained through the implementation of Amazon EventBridge rules, which forward the relevant events for assessment. These events are then channeled to the threat and anomaly detection engine for a comprehensive analysis, aligning them with cloud resources to determine security implications.
Instant notifications are configured to keep users informed, allowing for quick triage and remediation actions to address any detected issues promptly.
Figure 1 – Cloudanix threat detection platform.
Cloudanix uses several AWS components for end-to-end real-time threat and anomaly detection:
- User activity log capture: Interactions within the AWS environment, whether through the command line interface (CLI), APIs, or software development kits (SDKs), are meticulously recorded in AWS CloudTrail. As a security best practice, CloudTrail is automatically enabled, serving as a vital measure. To meet compliance and regulatory obligations, these logs are further stored within a designated Amazon Simple Storage Service (Amazon S3) bucket for long-term retention. This data flow to Cloudanix is orchestrated via Amazon EventBridge.
- Amazon VPC flow log integration: Flow logs originating at the VPC level can be seamlessly channeled into Amazon CloudWatch Logs, and subsequently funneled through Amazon Kinesis to be incorporated into Cloudanix’s data stream.
- Advanced threat and anomaly detection: Leveraging the synergy of EventBridge events and Kinesis streams, Cloudanix’s intelligent threat and anomaly engine conducts a meticulous analysis of the data. This process involves contextualization, determination of security relevance, and the identification of potential threats. Employing cutting-edge ML and anomaly detection algorithms, the engine performs proactive threat identification. Vital to this process is the utilization of resource metadata derived from a graph database, which enriches the analysis. Upon completion, the discerned insights are communicated to the Cloudanix dashboard.
- Holistic visualization: The Cloudanix dashboard stands as a collaborative interface for security teams, empowering users to gain insights into diverse threats, receive real-time notifications, engage in rapid triage, and effectuate remedial actions on the fly. This interactivity equips security teams with tools to prioritize effectively and enhance their overall security posture.
For a successful integration, the following components are required:
- AWS account
- AWS CloudTrail and Amazon S3 enabled across organizations
- Amazon VPC flow logs enabled and configured to forward to Amazon CloudWatch Logs in a central account
- Cloudanix account
Step 1: Connect to Your Account via AWS CloudFormation
Initiate integration with Cloudanix by setting up an AWS CloudFormation stack available in Cloudanix with your AWS account.
The CloudFormation template configures a read-only AWS Identity and Access Management (IAM) role, granting secure access to monitor and assess logs from your AWS resources. This pivotal connection ensures Cloudanix can glean valuable insights for robust security analysis, fortifying your cloud environment.
Figure 2 – Cloudanix AWS account integration.
Step 2: Unveil Security Findings on Cloudanix Dashboard
Effectively visualize the identified findings through an intuitive and informative presentation on the Cloudanix dashboard. This visual representation provides a comprehensive overview of security insights, aiding in swift understanding and informed decision-making.
The Cloudanix dashboard serves as a focal point for actionable data, enhancing your ability to prioritize and address potential vulnerabilities.
Figure 3 – Threats and alerts dashboard.
Step 3: Enhance Security with Custom Alerts
Fine-tune your security strategy by configuring tailored alerts for findings within the alerts section of your linked AWS account in Cloudanix. Customize alerts to your preference, choosing from a variety of channels such as email (default), Slack, Teams, PagerDuty, and webhooks.
This versatile alert configuration empowers you to stay informed across multiple platforms, ensuring rapid response to emerging security insights.
Figure 4 – Paging and alert configuration.
Remediation Recommendations and Response
Cloudanix not only detects and alerts on potential threats, it also recommends remediation steps for the threats. Cloudanix has comprehensive documentation focusing on different types of threats and their remediation using various mechanisms, such as the AWS Management Console, CLI, and Python.
Let’s look at a quick example: Say a team member accidentally opened inbound traffic on port 22 (SSH) from the entire internet (0.0.0.0/0). Cloudanix, through the threat and anomaly engine, detects this as a threat. Based on the alert settings, Cloudanix alerts you via various channels. As part of the alert, Cloudanix also sends out remediation details hosted as part of the documentation.
In this case, the threat can be fixed by either updating the inbound port or the source range via the AWS Management Console, CLI, or Python.
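As an added illustration of that example (not Cloudanix’s own code), the following Python flags an AuthorizeSecurityGroupIngress CloudTrail record that exposes port 22 to 0.0.0.0/0 or ::/0 and then revokes only the offending ranges through the boto3 EC2 API call revoke_security_group_ingress; it generalizes to any port and to all-traffic (ipProtocol -1) rules. The CloudTrail record is a constructed sample, the security group id is a placeholder, and the EC2 client is stubbed so the code runs offline.

```python
# Added example (not Cloudanix code). SAMPLE_EVENT is a constructed CloudTrail record
# in which one rule opens TCP/22 to the world (v4 and v6) and one is internal only;
# `ec2` is anything exposing boto3's EC2 method revoke_security_group_ingress.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
SAMPLE_EVENT = {
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "requestParameters": {
        "groupId": "sg-0123456789abcdef0",  # placeholder group id
        "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
             "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}},
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}},
        ]},
    },
}

def world_open_rules(event, port=22):
    """Rules reaching `port` from 0.0.0.0/0 or ::/0, as EC2 API IpPermissions (ipProtocol -1 = all traffic, no ports)."""
    if (event.get("eventSource"), event.get("eventName")) != ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"):
        return []
    findings = []
    for perm in event["requestParameters"].get("ipPermissions", {}).get("items", []):
        covers = perm.get("ipProtocol") == "-1" or perm.get("fromPort", -1) <= port <= perm.get("toPort", -1)
        v4 = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", []) if r["cidrIp"] in WORLD_CIDRS]
        v6 = [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", []) if r["cidrIpv6"] in WORLD_CIDRS]
        if not covers or not (v4 or v6):
            continue
        findings.append({
            "IpProtocol": perm["ipProtocol"],
            **({"FromPort": perm["fromPort"], "ToPort": perm["toPort"]} if "fromPort" in perm else {}),
            **({"IpRanges": [{"CidrIp": c} for c in v4]} if v4 else {}),
            **({"Ipv6Ranges": [{"CidrIpv6": c} for c in v6]} if v6 else {}),
        })
    return findings

def revoke_world_open(ec2, event, port=22):
    """Remediate by revoking only the world-open ranges; other rules in the group are untouched."""
    perms = world_open_rules(event, port)
    if perms:  # the real API rejects an empty IpPermissions list
        ec2.revoke_security_group_ingress(GroupId=event["requestParameters"]["groupId"], IpPermissions=perms)
    return perms

class StubEc2:  # offline stand-in for boto3.client("ec2") that records the revoke request
    def __init__(self):
        self.calls = []
    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(kwargs)
```

With a real client, replace StubEc2() by boto3.client("ec2") and feed the function the CloudTrail record delivered by the EventBridge rule.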
In this post, we highlighted the significance of monitoring for threats and anomalies in real time. This involves monitoring various sources of user activity in the AWS environment, including AWS CloudTrail logs, Amazon Route 53 DNS logs, VPC flow logs, and Amazon API Gateway logs.
Adhering to best practices for incorporating continuous monitoring for threats and anomalies helps organizations stay ahead of attackers. Leveraging AWS-native security services enables you to confidently embrace your AWS cloud environment, ensuring malicious activities are monitored throughout the lifecycle.
Security shouldn’t be an afterthought but an integral component of your cloud journey. Embrace it, and your workloads will thrive securely within the AWS Cloud.
You can learn more about Cloudanix in AWS Marketplace.