Amazon GuardDuty Runtime Monitoring is a feature that detects threats against Amazon Elastic Compute Cloud (EC2) instances and workloads. The feature relies on a lightweight security agent that collects operating system events and sends them to GuardDuty for evaluation to identify potential threats. The runtime agent can identify malicious files that are executing, collect command arguments, and correlate multiple events to identify scenarios that present threats to your environment.
GuardDuty EC2 Runtime Monitoring can generate runtime findings aligned with MITRE ATT&CK tactics, and the findings can be consumed through the AWS Management Console for GuardDuty, or through AWS Security Hub. The detailed findings are intended to help you understand the threat and plan your response. GuardDuty Runtime Monitoring currently supports 41 finding types, with five new finding types introduced with the release of EC2 Runtime Monitoring.
GuardDuty EC2 Runtime Monitoring relies on a lightweight security agent that sends operating system events to GuardDuty. The events are thoroughly evaluated to identify potential threats to the associated EC2 instance. Five new finding types are supported by the agent, which include Execution:Runtime/SuspiciousTool, Execution:Runtime/SuspiciousCommand, DefenseEvasion:Runtime/SuspiciousCommand, DefenseEvasion:Runtime/PtraceAntiDebugging, and Execution:Runtime/MaliciousFileExecuted.
GuardDuty Runtime Monitoring is the latest addition to AWS customers’ managed threat detection capabilities. Runtime Monitoring enables GuardDuty to provide operating system insight to detect possible threats to workloads running on AWS by utilizing the new capabilities of the security agent. GuardDuty has expanded its coverage across AWS resources, providing comprehensive compute coverage for GuardDuty across containers and EC2 instances.
GuardDuty EC2 Runtime Monitoring has several deployment strategies. Customers can use managed installation, tag-based installation, or manual installation techniques. Each installation option is tailored to accommodate the various strategies for deploying and maintaining instances in your environment.
GuardDuty doesn't charge customers for processing VPC flow logs while the runtime agent is active on an instance. When exploring the Runtime Monitoring feature, it's essential to understand that the foundational level of protection for your account and workloads is still present. GuardDuty processes VPC Flow Logs and DNS logs data for each instance, providing substantial defense-in-depth protection for detecting threats.
The GuardDuty security agent can generate findings more quickly than processing log sources such as VPC Flow Logs and DNS logs can. GuardDuty can surface runtime-related findings within a few minutes, compared to 15 minutes for log file-based findings.
With runtime findings, it's best to enable an event-based response that is invoked as soon as the runtime finding is generated. The response can send the finding to an AWS target, such as an AWS Lambda function, an AWS Systems Manager runbook, or another AWS service, for further evaluation and remediation. AWS customers can also investigate runtime findings in the GuardDuty or Security Hub console, research the details, and formulate a response to remediate the finding.
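One way to wire up the event-based response described above, as an added example that is not part of the original post and not AWS's own code: an EventBridge event pattern restricted to the five runtime finding types named earlier, and a Lambda-style handler that decides the response for each finding. It assumes the standard shape of GuardDuty findings delivered through EventBridge (source `aws.guardduty`, detail-type `GuardDuty Finding`, `detail.type`, `detail.severity`, `detail.resource.instanceDetails.instanceId`); the sample event and instance id are constructed.

```python
import json

# The five EC2 Runtime Monitoring finding types named in this post.
RUNTIME_FINDING_TYPES = {
    "Execution:Runtime/SuspiciousTool",
    "Execution:Runtime/SuspiciousCommand",
    "DefenseEvasion:Runtime/SuspiciousCommand",
    "DefenseEvasion:Runtime/PtraceAntiDebugging",
    "Execution:Runtime/MaliciousFileExecuted",
}

# EventBridge rule pattern (assumed standard GuardDuty event shape): match only
# runtime findings so the fast, event-driven path is not flooded by other types.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": sorted(RUNTIME_FINDING_TYPES)},
}

def plan_response(event):
    """Decide how to respond to one GuardDuty finding event.

    Returns the instance id, finding type, severity and an action: "isolate" for
    high-severity runtime findings (severity >= 7 on GuardDuty's 0-10 scale),
    "notify" otherwise. A downstream Lambda or SSM runbook would act on it.
    """
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    detail = event["detail"]
    finding_type = detail["type"]
    severity = float(detail.get("severity", 0))
    instance_id = detail.get("resource", {}).get("instanceDetails", {}).get("instanceId")
    is_runtime = finding_type in RUNTIME_FINDING_TYPES
    action = "isolate" if is_runtime and severity >= 7 else "notify"
    return {"instanceId": instance_id, "type": finding_type,
            "severity": severity, "runtime": is_runtime, "action": action}

def lambda_handler(event, context=None):
    """Lambda entry point: log the decision as JSON and return it."""
    decision = plan_response(event)
    print(json.dumps(decision))
    return decision

# Constructed sample event (placeholder values, not a real finding).
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "Execution:Runtime/MaliciousFileExecuted", "severity": 8,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}
```

The `EVENT_PATTERN` dict is what you would place in the EventBridge rule, and the handler is the Lambda target; the actual isolation step (for example, swapping the instance's security group) is left to the runbook.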
GuardDuty EC2 Runtime Monitoring is an essential security feature that provides customers with managed threat detection on their AWS accounts and workloads for comprehensive compute coverage in targeting threats across containers, EC2 instances, Amazon Elastic Kubernetes Service, and Amazon Elastic Container Service on Fargate.
GuardDuty EC2 Runtime Monitoring is designed to capture and analyze operating system events to detect threats. The service provides detailed findings and insights for focused operational response and management. Refer to the Runtime Monitoring documentation in GuardDuty to learn how to implement EC2 Runtime Monitoring for your instances and enhance your security posture.