Defense-in-Depth Principles for Protecting Workloads with CrowdStrike and AWS
By Brett Shaw, Sr. Product Marketing Manager, Strategic Partnerships – CrowdStrike
By Sameer Kumar Vasanthapuram, Partner Solutions Architect – AWS
Migrating to the cloud has allowed many organizations to reduce costs, innovate faster, and deliver business results more effectively.
However, as businesses expand their cloud investments, they must adapt security strategies to stay one step ahead of threats that target their expanded environment.
Managing, securing, and having visibility across endpoints, networks, and workloads is not an easy feat. It requires a unified defense-in-depth approach.
Defense-in-depth is an architectural design that originates from a military strategy. In the context of protecting cloud workloads, defense-in-depth relies on mechanisms to protect valuable data, information, and intellectual property.
The collaboration between CrowdStrike and Amazon Web Services (AWS) brings together a principled defense-in-depth approach to securing cloud environments.
CrowdStrike’s leading endpoint protection, workload protection, and threat intelligence directly integrate with AWS services to build an effective defense-in-depth solution to stay ahead of threats.
CrowdStrike is an AWS Security Competency Partner, and to apply a defense-in-depth approach AWS and CrowdStrike believe the following principles need to be considered:
- Remediation and response
In this post, we describe the different event-driven architectures and services that operate in tandem to provide defense-in-depth cloud security.
Visibility Drives Clarity
Visibility into all of an organization’s deployed assets and workloads allows operations and security teams to gain clarity into the current state of their environment.
The tools that enable visibility need to allow teams to:
- View configurations of all components.
- Aggregate network traffic entering and leaving the workload.
- Audit API calls.
- Provide runtime visibility by introspecting system calls made by applications in an Amazon Elastic Compute Cloud (Amazon EC2) instance or a container.
Regardless of whether an organization has home-grown, cloud-native, or third-party workloads, the data gathered across these parameters needs to be treated as a point-in-time assessment of a continuously monitored environment.
To operationalize these capabilities, it’s crucial to understand and compartmentalize workloads based on the data, users, and applications that use it.
One of the first considerations for applying defense-in-depth for workloads focuses on visibility into, and auditing resources for, environments where applications and data reside.
At this point, AWS and CrowdStrike together provide the insight into what data, applications, and assets are being utilized so you are ready to face attacks.
CrowdStrike’s Falcon platform leverages real-time indicators of attack (IOAs), threat intelligence, evolving adversary tradecraft, and enriched telemetry from across the enterprise. It delivers hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.
Organizations can achieve the first layer of the defense-in-depth framework by leveraging both AWS and CrowdStrike through:
- Centralized logs: AWS CloudTrail enables organizations to log every API call made to an AWS service while virtual private cloud (VPC) flow logs capture network traffic logs. Centralizing these logs from multiple AWS accounts and storing them separately with access based on least privileges enables organizations to ensure immutability of the logs for audit and forensics.
- Cloud security posture management: CrowdStrike Falcon Horizon uses a combination of Describe API calls and event-driven architectures using Amazon EventBridge to gather inventory, configuration, user, service, and network activity to provide organizations a real-time assessment of their cloud security posture. As deployments become more complex and workloads span multiple AWS accounts, Falcon Horizon provides visibility from the moment an AWS account is created, along with an assessment of whether that account carries misconfigurations or compliance violations.
- Automatic visibility: AWS Control Tower lifecycle events allow organizations to implement asynchronous workflows as AWS accounts are spun up using the account factory. By hooking into these lifecycle events, CrowdStrike Horizon simplifies visibility by building it into every AWS account that’s used.
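An added example of the "centralized logs" control above (not from the original post or from either vendor): a bucket policy for a central CloudTrail log bucket in a separate security account. The bucket name, region, and account ID are placeholders; it lets the CloudTrail service write objects, denies object deletion to every principal, and refuses unencrypted transport. Pair it with S3 Object Lock and versioning for true immutability, since a bucket policy alone can still be changed by an administrator.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::example-central-trail-logs"
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-central-trail-logs/AWSLogs/*",
      "Condition": {
        "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
      }
    },
    {
      "Sid": "DenyLogDeletion",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [ "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket" ],
      "Resource": [
        "arn:aws:s3:::example-central-trail-logs",
        "arn:aws:s3:::example-central-trail-logs/*"
      ]
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-central-trail-logs",
        "arn:aws:s3:::example-central-trail-logs/*"
      ],
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    }
  ]
}
```

Read access for analysts and the forensics tooling is then granted only to a named role in the security account, which is the least-privilege split the bullet above describes.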
Figure 1 – CrowdStrike Falcon Horizon + AWS Control Tower.
Prevention Through Aggregation and Correlation
Once organizations have visibility into all of their resources, the next principle of preventative controls is to detect anomalous behavior in their workloads.
This requires bringing together discovery and audit information with runtime visibility from multiple sources, such as Amazon EC2, Amazon Elastic Kubernetes Service (Amazon EKS), AWS Fargate, and AWS Lambda.
Organizations that need to enable runtime visibility into their EC2 instances can use CrowdStrike’s SSM distributor package to dynamically deploy their sensors across thousands of EC2 instances.
Figure 2 – CrowdStrike Falcon Discover + AWS Systems Manager.
The distributor package leverages CrowdStrike APIs to dynamically authorize every sensor install while building the package for delivery to an Amazon EC2 instance. In addition, organizations can use predefined policies and sensor versions via their Falcon console.
Building the package during the time of distribution and install enables organizations to avoid multiple versions of install scripts—for example, different scripts depending on the operating system.
Finally, using a combination of AWS Systems Manager and AWS Config, organizations are able to audit compliance of their workloads for the presence of the CrowdStrike sensor and take action by sending non-compliant events to AWS Security Hub.
Because AWS Security Hub natively integrates with AWS Config, it can trigger an automated SSM document to install the sensor on the non-compliant resource.
Automated Remediation Scales Security Teams
Security teams are overwhelmed with alerts and false positives and can only respond to a fraction of the potential events detected each day. With multiple tools to monitor their environments, a centralized location to view events allows organizations to kick off remediation workflows while taking into context all of the associated anomalous activity.
To reduce their operational burden, security teams should consider a mechanism to aggregate security events across all accounts and then deploy automated runbooks to solve for common non-compliant configurations and low-risk events.
AWS Security Hub allows organizations to centralize security events across AWS and third-party tools in a common finding format called Amazon Security Finding Format (ASFF). This allows organizations to easily understand the resource, type of event, normalized severity levels, and the reporting tool so they can hook in automated remediation frameworks.
To view security events detected during runtime, CrowdStrike provides the Falcon Integration Gateway—a containerized application that resides within an AWS account and polls the CrowdStrike streaming API for security events, converts them to ASFF, and publishes it to AWS Security Hub.
- VPC-level automation: AWS Network Firewall protects the VPC level against network-based attacks, while a combination of stateless and stateful rules can guard against various attack vectors. One common control is limiting the domains or IP addresses a workload has access to either inbound or outbound. However, organizations need to subscribe to the right threat intelligence feeds to block the latest set of IPs or domains that adversaries use for reconnaissance and to launch their exploits.
- Host-level automation: CrowdStrike sensors protect at the host level where the sensor is able to detect network activity by monitoring system calls to open new sockets. This intelligence can be extended by monitoring host-based activity and generating stateful rules for AWS Network Firewall, allowing organizations to use CrowdStrike threat intelligence across assets that may not have CrowdStrike sensors on them.
The Falcon Integration Gateway enables this workflow by pushing a high-risk event into AWS Security Hub. Amazon EventBridge rules matching that finding can then trigger a remediation workflow, either automated or with a manual approval step, in which a Lambda function creates a stateful AWS Network Firewall rule to block the specific domain or IP that is considered malicious.
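The EventBridge-to-Lambda step described above, as an added example that is not code from the original post or from CrowdStrike or AWS. It consumes a "Security Hub Findings - Imported" event, keeps only HIGH/CRITICAL findings, and turns their destination indicators into Suricata drop rules for a Network Firewall stateful rule group plus a separate domain-list payload. The sample finding, the rule group ARN, and the `apply` flag are constructed for illustration; with `apply=False` nothing is called in AWS.

```python
# Constructed sample EventBridge event with one ASFF finding; values are made up.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{
        "Id": "example-finding-0001",
        "ProductName": "CrowdStrike Falcon",
        "Severity": {"Label": "HIGH"},
        "Network": {"Direction": "OUT", "DestinationIpV4": "198.51.100.23",
                    "DestinationDomain": "c2.example.test"},
    }]},
}

BLOCK_SEVERITIES = {"HIGH", "CRITICAL"}  # never auto-block on low-severity noise


def extract_indicators(event):
    """Collect destination IPs and domains from ASFF findings that meet the severity bar."""
    ips, domains = set(), set()
    for finding in event.get("detail", {}).get("findings", []):
        if finding.get("Severity", {}).get("Label") not in BLOCK_SEVERITIES:
            continue
        net = finding.get("Network", {})
        for key in ("DestinationIpV4", "DestinationIpV6"):
            if net.get(key):
                ips.add(net[key])
        if net.get("DestinationDomain"):
            domains.add(net["DestinationDomain"].lower())
    return sorted(ips), sorted(domains)


def suricata_drop_rules(ips, sid_base=1000001):
    """One Suricata 'drop' rule per IP; sids must stay unique across the rule group."""
    return [f'drop ip any any <> {ip} any (msg:"Falcon IOC {ip}"; sid:{sid_base + i}; rev:1;)'
            for i, ip in enumerate(ips)]


def domain_denylist(domains):
    """RulesSourceList body for a separate domain-list rule group (HTTP Host and TLS SNI)."""
    return {"RulesSourceList": {"Targets": domains, "TargetTypes": ["HTTP_HOST", "TLS_SNI"],
                                "GeneratedRulesType": "DENYLIST"}}


def handler(event, context=None, apply=False,
            rule_group_arn="arn:aws:network-firewall:REGION:ACCOUNT:stateful-rulegroup/PLACEHOLDER"):
    """Lambda entry point; returns the planned change, and applies it only when apply=True."""
    ips, domains = extract_indicators(event)
    rules = suricata_drop_rules(ips)
    if apply and rules:  # assumes network-firewall:DescribeRuleGroup/UpdateRuleGroup permissions
        import boto3
        nfw = boto3.client("network-firewall")
        token = nfw.describe_rule_group(RuleGroupArn=rule_group_arn)["UpdateToken"]
        # UpdateRuleGroup replaces RulesString; merge with the existing rules in production.
        nfw.update_rule_group(RuleGroupArn=rule_group_arn, UpdateToken=token,
                              RuleGroup={"RulesSource": {"RulesString": "\n".join(rules)}})
    return {"ips": ips, "domains": domains, "rules": rules,
            "domain_rule_group": domain_denylist(domains)}
```

A manual-approval variant keeps the same functions and simply calls `handler(..., apply=True)` from the approval step instead of directly from the EventBridge rule.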
Figure 3 – CrowdStrike Falcon + AWS Security Hub.
Workload protection requires a tight integration between security solutions and services to provide end-to-end visibility and the ability to defend against threats wherever they are—from the network edge to the cloud and across endpoints and workloads.
CrowdStrike Falcon capabilities such as the Falcon Agent, Hosts, Detections, Event Streams, and Custom Indicators of Attacks operate in concert with AWS services like AWS CloudTrail, VPC Flow Logs, Amazon EventBridge, AWS Control Tower, AWS Lambda, and AWS Security Hub to apply defense-in-depth.
With an integrated security solution, organizations gain visibility across their AWS accounts, inventory and configuration information, runtime activity, and correlation of events. This provides actionable security events and a framework for centralizing logging of security events and automating remediation workflows.
How to Try This Yourself
You can access CrowdStrike to experience how the defense-in-depth principles come together to mitigate and remediate threats. In CrowdStrike’s Dev Days sessions, you can set up the attack using Capture the Flag challenges to understand how it will succeed. Then, you’ll learn how to install CrowdStrike agents and use AWS services to address the different aspects of the attack.
CrowdStrike – AWS Partner Spotlight
CrowdStrike is an AWS Security Competency Partner whose endpoint protection, workload protection, and threat intelligence directly integrate with AWS services to build an effective defense-in-depth solution to stay ahead of threats.