How do you detect and investigate security events?

A huge part of how you secure your workload depends on how you detect and investigate security events. Capturing and analyzing events from logs and metrics gives you the visibility you need to act on security events and potential threats. According to AWS best practices, there are four key practices that improve how you detect and investigate security events, and with them the security of your workload. We discuss each of them in detail below.

Configuring service and application logging

Make it a point to configure logging appropriately across your entire workload: application logs, resource logs, and AWS service logs. Begin by enabling the logging of AWS services in a way that matches your specific requirements. Logging capabilities include AWS CloudTrail, VPC Flow Logs, ELB access logs, S3 server access logs, CloudFront access logs, Route 53 query logs, and Amazon RDS logs. Also evaluate and enable operating-system logs and any application-specific logs, so that you can detect suspicious behavior at every layer of the workload and not only at the AWS API.

In most, if not all, cases logs contain sensitive information (IP addresses, user names, request parameters) that should only be visible to authorized users, and an attacker who can modify or delete logs can erase their own tracks. Apply appropriate access controls to the logs: for example, restrict permissions on S3 log buckets and CloudWatch Logs log groups to a specific IAM group or role, and deny deletion to everyone else.

A number of AWS services help you configure service and application logging and make use of it. Amazon GuardDuty is a threat detection service that continuously analyzes your CloudTrail events, VPC Flow Logs and DNS logs for malicious activity and unauthorized behavior, and alerts the relevant people when it finds something. You can also create a custom trail in CloudTrail: by default CloudTrail keeps only 90 days of event history, whereas a trail delivers the events to an S3 bucket (and optionally to CloudWatch Logs) so that you can retain and analyze them for as long as you need. AWS Config is another useful tool. It records the configuration of the AWS resources in your account, including how resources relate to one another and their previous configurations, so you can see how relationships and configurations change over time. For a comprehensive view of your security state in AWS, AWS Security Hub aggregates security findings across AWS accounts, services and supported third-party partner products, checks your environment against security industry standards and best practices, and helps you analyze security trends and identify the highest-priority issues.


Useful resources:

AWS Answers: native AWS security-logging capabilities

Getting started with CloudWatch Logs

Authentication and Access Control for Amazon CloudWatch

Identity and access management in Amazon S3

Amazon GuardDuty

Creating a trail in CloudTrail

AWS Security Hub


Analyzing logs, findings, and metrics centrally

One of the main ways to improve how you detect and investigate security events on AWS is to collect all logs, metrics and telemetry centrally (in a multi-account setup, in a dedicated log-archive or security account) and to have a process in place that analyzes them automatically for anomalies or indicators of unauthorized activity. Your GuardDuty and Security Hub findings, for example, should be sent to a central location for alerting and analysis, and a dashboard can give you easily accessible, real-time insight into your security posture in AWS. Evaluate the available options for processing logs before settling on one: for CloudTrail logs delivered to S3, Amazon Athena lets you run SQL queries over them in place, without building a separate ingestion pipeline.
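An added example, not from the original page, of the kind of automated analysis described above, written in Python over constructed CloudTrail records rather than as an Athena query (the comments give the equivalent Athena conditions for two of the rules). The rules flag root-account activity, CloudTrail tampering, IAM policy changes, and repeated failed console logins from one source address; the sample records, the rule lists and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (assumption: illustrative, not real
# account activity). Field names follow the CloudTrail record format.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-05-01T10:00:20Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-05-01T10:00:45Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "mallory"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.0.12",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Ops/bob"}},
]

# Athena equivalents over a CloudTrail table for the first two rules:
#   SELECT * FROM cloudtrail_logs WHERE useridentity.type = 'Root'
#   SELECT * FROM cloudtrail_logs WHERE eventname IN ('StopLogging', 'DeleteTrail', 'UpdateTrail')
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
IAM_CHANGES = {"PutUserPolicy", "AttachUserPolicy", "AttachRolePolicy",
               "CreatePolicyVersion", "CreateAccessKey"}
LOGIN_FAIL_THRESHOLD = 3              # failed console logins from one IP ...
LOGIN_WINDOW = timedelta(minutes=10)  # ... within this window (assumed values)


def parse_time(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def actor(ev):
    ident = ev.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def flag(rule, ev, **extra):
    f = {"rule": rule, "time": ev["eventTime"], "eventName": ev.get("eventName"),
         "actor": actor(ev), "sourceIPAddress": ev.get("sourceIPAddress")}
    f.update(extra)
    return f


def detect(events):
    """Run the detection rules over CloudTrail records, oldest first, and return findings."""
    findings = []
    failed_logins = defaultdict(list)  # source IP -> times of recent failures
    for ev in sorted(events, key=parse_time):
        name = ev.get("eventName")
        if ev.get("userIdentity", {}).get("type") == "Root":
            findings.append(flag("root-activity", ev))
        if name in TRAIL_TAMPER:
            findings.append(flag("cloudtrail-tampering", ev))
        if name in IAM_CHANGES:
            findings.append(flag("iam-change", ev))
        if name == "ConsoleLogin" and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            ip, t = ev.get("sourceIPAddress"), parse_time(ev)
            # Keep only failures inside the sliding window, then add this one.
            recent = [x for x in failed_logins[ip] if t - x <= LOGIN_WINDOW] + [t]
            failed_logins[ip] = recent
            if len(recent) == LOGIN_FAIL_THRESHOLD:  # fire once, when the threshold is crossed
                findings.append(flag("console-login-bruteforce", ev, failures=len(recent)))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample records this produces three findings in time order: the brute-force rule fires on the third failed login, then the root activity, then the StopLogging call, which is exactly the sequence you would want paged out rather than discovered in a quarterly review.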


Useful resources:

Logging and Monitoring

Configuring Athena to analyze CloudTrail logs


Automating your response to events

Preparing to prevent security issues is only part of the job; how you respond once a threat is realized matters just as much. Automation is one of your main strengths when investigating and remediating security events: automated responses are repeatable, scale with the number of findings, and do not depend on someone being awake to act. For example, Amazon GuardDuty continuously monitors for malicious activity and unauthorized behavior, and its findings can be routed through Amazon EventBridge to an alerting channel or to an automated remediation function. You can also save time and reduce human effort by building automated processes that gather the context an investigation needs and report it.


Useful resources:

Lab: Automated Deployment of Detective Controls

Lab: Amazon GuardDuty hands-on


Implementing actionable security events

Make sure your team's time is well spent by routing every alert to specific people who can act on it, rather than to a shared inbox that nobody owns. An alert should carry all the details needed to act: the account, region and resource involved, what happened, the severity, and the next step or runbook, so that responders do not have to go looking before they can respond. One way to achieve this is to configure CloudWatch alarms on metrics (including metric filters over CloudTrail or application log groups) that notify a team-specific SNS topic.
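An added example (not code from the original page or from AWS) that ties the two preceding practices together, automating your response to events and implementing actionable security events: a Lambda function that Amazon EventBridge invokes with a GuardDuty finding, isolates the affected EC2 instance when the finding is high severity, and publishes an alert that already contains the account, region, resource, time span, automated action and runbook link a responder needs. The quarantine security group, SNS topic, runbook URL and sample finding are assumptions, and the boto3 clients can be replaced by a recording stand-in so the logic runs offline.

```python
import os

# Assumed deployment settings (hypothetical names, not from the original page).
QUARANTINE_SG = os.environ.get("QUARANTINE_SG_ID", "sg-0000000000quarant")
ALERT_TOPIC_ARN = os.environ.get(
    "ALERT_TOPIC_ARN", "arn:aws:sns:us-east-1:111122223333:security-alerts")
RUNBOOK_URL = "https://wiki.example.internal/runbooks/guardduty"

# Constructed EventBridge event carrying a GuardDuty finding (shape follows the
# "GuardDuty Finding" detail-type; the values are made up).
SAMPLE_EVENT = {
    "version": "0", "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "111122223333", "region": "us-east-1", "time": "2024-05-01T10:09:00Z",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 8.0,
        "title": "198.51.100.7 is performing SSH brute force attacks against i-0123456789abcdef0.",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"count": 42, "eventFirstSeen": "2024-05-01T09:40:00Z",
                    "eventLastSeen": "2024-05-01T10:08:00Z"},
    },
}


def severity_label(score):
    """GuardDuty's severity bands: 7 to 8.9 high, 4 to 6.9 medium, below 4 low."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def decide_action(finding):
    """Isolate the instance for high-severity EC2 findings; otherwise only notify."""
    resource = finding.get("resource", {})
    if resource.get("resourceType") == "Instance" and \
            severity_label(finding.get("severity", 0)) == "HIGH":
        return "isolate"
    return "notify"


def build_alert(event, action):
    """An alert with everything the on-call responder needs, nothing left to look up."""
    d = event["detail"]
    svc = d.get("service", {})
    resource = d.get("resource", {})
    instance_id = resource.get("instanceDetails", {}).get("instanceId", "")
    label = severity_label(d.get("severity", 0))
    subject = f"[{label}] GuardDuty {d['type']} in {event['account']}/{event['region']}"
    message = "\n".join([
        f"Finding:   {d['type']} (severity {d.get('severity')}, {label})",
        f"Account:   {event['account']}   Region: {event['region']}",
        f"Resource:  {resource.get('resourceType')} {instance_id}".rstrip(),
        f"Seen:      {svc.get('eventFirstSeen')} to {svc.get('eventLastSeen')}, {svc.get('count')} occurrences",
        f"Summary:   {d.get('title')}",
        f"Action:    {action} (automated)",
        f"Next step: {RUNBOOK_URL}#{d['type'].split(':')[0]}",
    ])
    return {"subject": subject[:100], "message": message}  # SNS subjects are capped at 100 chars


class RecordingClient:
    """Offline stand-in for a boto3 client: records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


def handler(event, context=None, ec2=None, sns=None):
    """Lambda entry point; EventBridge invokes it with one GuardDuty finding."""
    if ec2 is None or sns is None:
        import boto3  # only needed when running inside Lambda
        ec2 = ec2 or boto3.client("ec2")
        sns = sns or boto3.client("sns")
    finding = event["detail"]
    action = decide_action(finding)
    if action == "isolate":
        instance_id = finding["resource"]["instanceDetails"]["instanceId"]
        # Swap the instance's security groups for the quarantine group (no inbound or
        # outbound rules): cuts the attacker off while preserving the host for forensics.
        ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    alert = build_alert(event, action)
    sns.publish(TopicArn=ALERT_TOPIC_ARN, Subject=alert["subject"], Message=alert["message"])
    return {"action": action, "subject": alert["subject"]}


if __name__ == "__main__":
    ec2, sns = RecordingClient(), RecordingClient()
    print(handler(SAMPLE_EVENT, ec2=ec2, sns=sns))
    print(sns.calls[0][1]["Message"])
```

Quarantining by security-group swap rather than stopping or terminating the instance keeps memory and disk available for forensics; the function's execution role needs only ec2:ModifyInstanceAttribute and sns:Publish, and the EventBridge rule that invokes it should match on source aws.guardduty and detail-type GuardDuty Finding.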


Useful resources:

AWS service documentation

Using Amazon CloudWatch Metrics

Using Amazon CloudWatch Alarms