Securonix for Amazon Web Services
Organizations around the world are moving their workloads, applications, and services to cloud. Amazon Web Services (AWS) is one of the most common infrastructure-as-a-service platforms for hosting these critical services.
However, as organizations are making the transition to cloud, cyberattacks on cloud infrastructure is on the rise. Monitoring your cloud infrastructure is critical in order to detect and mitigate these threats before they lead to a major cyber incident or a data breach.
Streamlined Integration
Direct API integration allows you to collect relevant events.
Context Enrichment
Events are enriched with additional context.
Threat Modeling
Detect suspicious behavior patterns which indicate an advanced threat.
Data Insights
Visualize activities and changes with customizable dashboards and reports.
Securonix Integration with AWS
Securonix monitors various AWS components for signs of advanced threats and targeted attacks.
Securonix has direct API integration with AWS in order to collect and analyze logs across various AWS activities including:
- Login events
- Amazon Elastic Compute Cloud (EC2) configuration events
- Elastic load balancing (ELB) logs
- Amazon Virtual Private Cloud (VPC) connection logs
- Identity and access management (IAM) activities
- API activity logs
Common Use Case Scenarios
Securonix enriches and correlates events from AWS with contextual data and event logs from other on-premises and cloud data sources in order to monitor for insider and cyber threat patterns.
Key use cases include:
- Unauthorized access such as a login from a rare IP or geolocation, a spike in failed logins, a land speed anomaly, or a malicious IP.
- Amazon EC2 configuration anomalies such as a spike in instance creation or deletion, suspicious admin activities, or a rare instance.
- Suspicious AWS IAM activity such as suspicious user creation, admin privilege changes, password policy changes, or rare privileged activity.
- Anomalous API connections including from a rare IP or geolocation, or a malicious IP address.
- Suspicious Amazon VPC traffic including port scans or connections on anomalous ports.
Threat Modeling by Correlating Violations from Other Systems
Securonix threat models stitch together indicators of compromise across data sources – including AWS – in order to detect targeted attacks.
For example, when it comes to a cryptojacking attack, some indicators of compromise that Securonix could connect across data sources could include:
- A suspicious console login, such as a login from a rare location or a land speed violation found in the AWS console logs.
- A related permission elevation found in the AWS IAM logs.
- A spike in start instances in AWS or rare start instances found in the Amazon EC2 configuration logs.
- AWS CloudTrail logging being disabled according to the AWS IAM logs.
Data Insights
Securonix enables you to visualize activities and changes in your AWS infrastructure with out-of-the-box dashboards and reports that can be easily customized.