Securonix for Amazon Web Services

Organizations around the world are moving their workloads, applications, and services to the cloud. Amazon Web Services (AWS) is one of the most common infrastructure-as-a-service platforms for hosting these critical services.

However, as organizations make the transition to the cloud, cyberattacks on cloud infrastructure are on the rise. Monitoring your cloud infrastructure is critical in order to detect and mitigate these threats before they lead to a major cyber incident or a data breach.


Streamlined Integration

Direct API integration allows you to collect relevant events.

Context Enrichment

Events are enriched with additional context.

Threat Modeling

Detect suspicious behavior patterns that indicate an advanced threat.

Data Insights

Visualize activities and changes with customizable dashboards and reports.

Securonix Integration with AWS

Securonix monitors various AWS components for signs of advanced threats and targeted attacks.

Securonix has direct API integration with AWS in order to collect and analyze logs across various AWS activities including:

  • Login events
  • Amazon Elastic Compute Cloud (EC2) configuration events
  • Elastic load balancing (ELB) logs
  • Amazon Virtual Private Cloud (VPC) connection logs
  • Identity and access management (IAM) activities
  • API activity logs

Common Use Case Scenarios

Securonix enriches and correlates events from AWS with contextual data and event logs from other on-premises and cloud data sources in order to monitor for insider and cyber threat patterns.

Key use cases include:

  • Unauthorized access such as a login from a rare IP or geolocation, a spike in failed logins, a land speed anomaly (two logins from locations too far apart to have been reached in the time between them), or a login from a known-malicious IP.
  • Amazon EC2 configuration anomalies such as a spike in instance creation or deletion, suspicious admin activities, or a rare instance.
  • Suspicious AWS IAM activity such as suspicious user creation, admin privilege changes, password policy changes, or rare privileged activity.
  • Anomalous API connections including from a rare IP or geolocation, or a malicious IP address.
  • Suspicious Amazon VPC traffic including port scans or connections on anomalous ports.

Threat Modeling by Correlating Violations from Other Systems

Securonix threat models stitch together indicators of compromise across data sources – including AWS – in order to detect targeted attacks.

For example, when it comes to a cryptojacking attack, some indicators of compromise that Securonix could connect across data sources could include:

  • A suspicious console login, such as a login from a rare location or a land speed violation found in the AWS console logs.
  • A related permission elevation found in the AWS IAM logs.
  • A spike in instance starts, or instance starts that are rare for the principal involved, found in the Amazon EC2 configuration logs.
  • AWS CloudTrail logging being disabled (a StopLogging call, which CloudTrail records as a management event in its own API activity logs).
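The following is an added example (not Securonix code and not part of the original page) showing how the indicators listed above, and the unauthorized-access and EC2 use cases from the Common Use Case Scenarios list, can be chained per principal across CloudTrail-style events. The events, the IP-to-location table standing in for a GeoIP lookup, the thresholds (900 km/h, five RunInstances calls, a two-hour window) and the stage names are all assumptions made for the example; field names follow CloudTrail's JSON layout.

```python
"""Added example: per-principal correlation of cryptojacking indicators over
constructed CloudTrail-style events. Not Securonix code; thresholds and the
GEO table are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed stand-in for a GeoIP lookup: source IP -> (latitude, longitude).
GEO = {
    "203.0.113.10": (40.71, -74.01),   # New York
    "198.51.100.7": (55.76, 37.62),    # Moscow
}

MAX_KMH = 900.0               # assumed ceiling for plausible travel between two logins
RUN_INSTANCE_SPIKE = 5        # assumed threshold: RunInstances calls per principal per window
WINDOW = timedelta(hours=2)   # assumed correlation window
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_stages(events):
    """Map each principal to the indicators seen for it: {user: {stage: first_seen}}."""
    stages = defaultdict(dict)
    last_login = {}                # user -> (time, location) of the previous console login
    run_times = defaultdict(list)  # user -> RunInstances timestamps inside the window
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        user = ev["userIdentity"]["userName"]
        t = parse_time(ev["eventTime"])
        name = ev["eventName"]
        found = stages[user]
        if name == "ConsoleLogin" and ev.get("sourceIPAddress") in GEO:
            here = GEO[ev["sourceIPAddress"]]
            if user in last_login:  # land speed check against the previous login
                t0, there = last_login[user]
                hours = (t - t0).total_seconds() / 3600
                if hours > 0 and haversine_km(there, here) / hours > MAX_KMH:
                    found.setdefault("land_speed_violation", t)
            last_login[user] = (t, here)
        elif name == "AttachUserPolicy" and ev.get("requestParameters", {}).get("policyArn") == ADMIN_POLICY:
            found.setdefault("admin_policy_attached", t)
        elif name == "RunInstances":  # sliding-window spike detection
            recent = [x for x in run_times[user] if t - x <= WINDOW] + [t]
            run_times[user] = recent
            if len(recent) >= RUN_INSTANCE_SPIKE:
                found.setdefault("run_instances_spike", t)
        elif name == "StopLogging":
            found.setdefault("cloudtrail_disabled", t)
    return {u: s for u, s in stages.items() if s}


def correlate(stages, min_stages=3):
    """Alert when one principal shows at least min_stages indicators within WINDOW."""
    alerts = []
    for user, found in stages.items():
        times = sorted(found.items(), key=lambda kv: kv[1])
        for i in range(len(times)):
            chain = [s for s, t in times[i:] if t - times[i][1] <= WINDOW]
            if len(chain) >= min_stages:
                alerts.append({"user": user, "stages": chain,
                               "first": times[i][1], "last": found[chain[-1]]})
                break
    return alerts


def ev(time, name, user, ip, **extra):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    e = {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
         "userIdentity": {"type": "IAMUser", "userName": user}}
    e.update(extra)
    return e


# Constructed sample: alice is benign; deploy-bot walks through the whole chain.
EVENTS = [
    ev("2024-05-01T08:00:00Z", "ConsoleLogin", "alice", "203.0.113.10"),
    ev("2024-05-01T08:05:00Z", "RunInstances", "alice", "203.0.113.10"),
    ev("2024-05-01T09:00:00Z", "ConsoleLogin", "deploy-bot", "203.0.113.10"),
    ev("2024-05-01T09:30:00Z", "ConsoleLogin", "deploy-bot", "198.51.100.7"),  # NY to Moscow in 30 min
    ev("2024-05-01T09:35:00Z", "AttachUserPolicy", "deploy-bot", "198.51.100.7",
       requestParameters={"userName": "deploy-bot", "policyArn": ADMIN_POLICY}),
    ev("2024-05-01T09:40:00Z", "StopLogging", "deploy-bot", "198.51.100.7",
       requestParameters={"name": "management-trail"}),
] + [ev(f"2024-05-01T09:4{i}:00Z", "RunInstances", "deploy-bot", "198.51.100.7") for i in range(1, 7)]


if __name__ == "__main__":
    for a in correlate(detect_stages(EVENTS)):
        print(f"{a['user']}: {' -> '.join(a['stages'])} ({a['first']:%H:%M} to {a['last']:%H:%M})")
```

Each indicator alone is noisy (a VPN hop trips the land speed check, a deploy pipeline legitimately starts many instances); the point of the threat model is that an alert fires only when several stages line up on the same principal inside the window, and the ordered chain in the alert gives the analyst the story to verify.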

Data Insights

Securonix enables you to visualize activities and changes in your AWS infrastructure with out-of-the-box dashboards and reports that can be easily customized.

Securonix Fusion Partner Program

Securonix Fusion Partners, such as AWS, are committed to providing you with robust integrated solutions.