What does AWS’ latest GuardDuty update mean for you?

1 September 2022

Protecting infrastructure and workloads from threats requires a lot of time, expertise, and upfront costs. A cloud-compatible, cost-effective way of meeting that demand is with Amazon GuardDuty. The threat detection service continuously monitors your AWS workloads for malicious activity. It then shares those findings with your team so they can take the necessary action.

GuardDuty improves security operations visibility and assists analysts in their investigations, and its latest release extends those capabilities further. Revealed at the recent AWS re:Inforce security conference, Amazon GuardDuty now also offers malware protection.

Nasstar’s Technical Practice Lead & AWS Ambassador Jason Oliver discusses the new capabilities and the benefits this release brings.

What can you tell us about GuardDuty’s latest update?

Essentially, with this new update, AWS can now detect malware that can be used to modify access permissions, compromise workloads, repurpose resources for malicious use, and gain unauthorised access to data.

Amazon GuardDuty Malware Protection scans Amazon Elastic Block Store (EBS) for files that might have been exposed to malware, or that have malware-creating suspicious behaviour in customer instances or container workloads running on Amazon EC2. It’s also an excellent solution for sanitising transient data.

With Malware Protection, GuardDuty can now limit the time of an infection and take action before issues turn into disasters that could impact wider business operations.

Most security experts have likely experienced malware solutions, application dependencies, and scans that bring performance to a near standstill. This update is revolutionary because it operates quietly alongside other AWS services.

How does the malware protection update fit into AWS’s security offering?

From now on, if GuardDuty detects malicious files, it will take a snapshot of the associated EBS volume as the workload is processing. GuardDuty then shares its findings with Amazon Detective and AWS Security Hub via Amazon EventBridge.

Malware Protection also works well with Amazon Inspector, a service that scans AWS workloads for software vulnerabilities and unintended network exposure.

Inspector offers proactive protection by identifying and remediating known software and application vulnerabilities that serve as an entry point for attackers to compromise resources and install malware.

All of these security services offer complementary layers of protection.

When can organisations start using GuardDuty Malware Protection?

Right now! To enable the Malware Protection feature, you just need to head over to the GuardDuty console or use the GuardDuty API.

Security professionals can even try it out before committing through the Amazon GuardDuty Tester repo. These scripts can be used as a proof-of-concept to generate several Amazon GuardDuty findings, including Malware Protection findings.

GuardDuty tester scripts make it easier to assess the potential integration of GuardDuty with other security frameworks, so you’ll be ready when a real threat is detected.

Also, you only pay for the GB you’ve scanned in the file systems (not for the size of the EBS volumes) and for the EBS snapshots when they are kept in your account. All the EBS snapshots created by GuardDuty are automatically deleted after they’re scanned - unless you enable snapshot retention when malware is found.
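The detection-to-EventBridge flow described above, as an added example that is not part of the interview or of AWS's own code: an EventBridge rule pattern that selects only Malware Protection findings, and a handler that reduces one such finding to the fields an analyst needs first (instance, threat names, file paths, the EBS volumes worth retaining). Function names and the sample event are assumptions constructed for this illustration.

```python
# Added example, not from the article or from AWS: consume a GuardDuty Malware
# Protection finding as EventBridge delivers it. Function names and the sample
# event below are assumptions constructed for this illustration.
from typing import Optional

# Malware Protection finding types documented at the 2022 launch.
MALWARE_FINDING_TYPES = {
    "Execution:EC2/MaliciousFile",
    "Execution:ECS/MaliciousFile",
    "Execution:Kubernetes/MaliciousFile",
    "Execution:Container/MaliciousFile",
}

def malware_event_pattern() -> dict:
    """EventBridge rule pattern that forwards only Malware Protection findings."""
    return {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"type": sorted(MALWARE_FINDING_TYPES)},
    }

def triage_malware_finding(event: dict) -> Optional[dict]:
    """Reduce a finding to what the analyst needs first; None if not a malware finding."""
    detail = event.get("detail", {})
    if event.get("source") != "aws.guardduty" or detail.get("type") not in MALWARE_FINDING_TYPES:
        return None
    scan = detail.get("service", {}).get("ebsVolumeScanDetails", {})
    threats = scan.get("scanDetections", {}).get("threatDetectedByName", {}).get("threatNames", [])
    hits = [fp for t in threats for fp in t.get("filePaths", [])]
    return {
        "finding_id": detail.get("id"),
        "severity": detail.get("severity"),
        "instance_id": detail.get("resource", {}).get("instanceDetails", {}).get("instanceId"),
        "trigger_finding_id": scan.get("triggerFindingId"),  # the finding that started the scan
        "threats": [t.get("name") for t in threats],
        "files": [fp.get("filePath") for fp in hits],
        "volumes": sorted({fp.get("volumeArn") for fp in hits}),  # volumes whose snapshot to retain
    }

# Constructed sample in the shape EventBridge uses for GuardDuty findings.
SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
    "id": "finding-EXAMPLE", "type": "Execution:EC2/MaliciousFile", "severity": 8,
    "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    "service": {"ebsVolumeScanDetails": {"triggerFindingId": "trigger-EXAMPLE",
        "scanDetections": {"threatDetectedByName": {"threatNames": [{"name": "EICAR-Test-File",
            "filePaths": [{"filePath": "/tmp/eicar.com", "volumeArn": "arn:aws:ec2:eu-west-2:111122223333:volume/vol-EXAMPLE"}]}]}}}}}}
```

The `volumes` list is what you would feed into a snapshot-retention or isolation step, and `trigger_finding_id` links the scan back to the behavioural finding (for example the command-and-control contact) that caused it.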

As our AWS Ambassador, how will you be utilising this new product?

I’m keen to explore the suspicious activity detection capabilities. For example, when a malware scan is triggered due to an instance or container communicating with a command-and-control server that’s known to be malicious or performing denial of service (DoS).

I’m also looking forward to evaluating the service in Nasstar’s Cloud Centre of Excellence (CCoE). If adopted, I’d be glad to leverage it as our new security standard.
About Jason

Jason Oliver is an accomplished AWS ambassador, technical practice lead, principal Cloud architect and builder with over 25 years of transformational IT experience working with organisations of all sizes and complexity.

Jason is an SME in AWS, Azure, and security with strong domain knowledge in central government. He has extensive knowledge of cloud, the Internet and security technologies in addition to heterogeneous systems spanning Windows, Unix, virtualisation, application and systems management, networking and automation.

Jason is also an author, digital music producer, and a black belt and instructor in Karate.

At Nasstar

At Nasstar, security is job number one. This ethos has been proven year after year as we design, build, and manage some of the most highly visible UK workloads in the cloud.

As a leading consultancy partner for both Microsoft Azure and AWS, and with decades of experience in cyber security, Nasstar’s team of certified cloud experts can work with you to realise the power of cloud, securely.
