4 ways to detect and investigate security events

Security

April 8, 2022 • 4 min read

A large part of how you secure your workload depends on how you detect and investigate security events. Capturing and analyzing events from logs and metrics gives you the visibility you need to act on security events and potential threats. AWS best practices describe four key ways to improve how you detect and investigate security events, and with them the security of your workload. We discuss each of them in detail below.

  1. Configuring service and application logging
    Configure logging appropriately across your entire workload: application logs, resource logs, and AWS service logs. Start by enabling the AWS service logs that match your requirements; these include VPC Flow Logs, ELB access logs, S3 server access logs, CloudFront access logs, Route 53 query logs, and Amazon RDS logs. Also evaluate and enable operating-system logging and any application-specific logs you already have, so that suspicious behavior shows up somewhere you can see it.

    In most, if not all, cases logs contain sensitive information that should be visible only to authorized users, so apply appropriate access controls to them. For example, restrict permissions on the S3 buckets and CloudWatch Logs log groups that hold the logs to a specific group, and give analysts read-only access so the people reviewing the logs cannot alter or delete them.

    Several AWS services help you get the most out of this logging. Amazon GuardDuty is a threat detection service that continuously analyzes CloudTrail events, VPC Flow Logs, and DNS logs for malicious activity and unauthorized behavior, and raises findings for the relevant people when it sees any.

    You should also create a trail in CloudTrail. CloudTrail's event history only keeps the last 90 days of management events; a trail delivers events to an S3 bucket (and optionally to CloudWatch Logs) where you can retain and analyze them for as long as you need. AWS Config is another useful tool: it gives you a detailed view of the configuration of the AWS resources in your account, including how those resources relate to each other and what their previous configurations were, so you can see how relationships and configurations change over time.
    To get a comprehensive view of your security state in AWS, use AWS Security Hub, which also checks your compliance with security industry standards and best practices. Security Hub collects security findings across AWS accounts, services, and supported third-party partner products, helps you analyze security trends, and identifies the highest-priority findings.
    Useful resources:
    AWS Answers: native AWS security-logging capabilities
    Getting started with CloudWatch Logs
    Authentication and Access Control for Amazon CloudWatch
    Identity and access management in Amazon S3
    Amazon GuardDuty
    Creating a trail in CloudTrail
    AWS Security Hub
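The trail settings above (multi-region, global service events, log file validation, KMS encryption, CloudWatch Logs delivery) are easy to check programmatically. The following is an added example and not code from the article; the trail dictionaries are constructed to mirror the shape of the `trailList` entries returned by `aws cloudtrail describe-trails`, so it runs offline. To audit a real account, pass `boto3.client("cloudtrail").describe_trails()["trailList"]` to `audit_trails`.

```python
"""Audit CloudTrail trail settings against the logging practices described above.

Added example, not code from the article. SAMPLE_TRAILS is constructed to mirror
`describe-trails` output; replace it with the real `trailList` to audit an account.
"""
from typing import Dict, List

# Constructed sample: one trail that follows the practices, one that does not.
SAMPLE_TRAILS: List[Dict] = [
    {
        "Name": "org-audit-trail",
        "S3BucketName": "example-org-cloudtrail-logs",
        "IsMultiRegionTrail": True,
        "IncludeGlobalServiceEvents": True,
        "LogFileValidationEnabled": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555",
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail:*",
    },
    {
        "Name": "dev-trail",
        "S3BucketName": "example-dev-logs",
        "IsMultiRegionTrail": False,
        "IncludeGlobalServiceEvents": False,
        "LogFileValidationEnabled": False,
    },
]


def audit_trail(trail: Dict) -> List[str]:
    """Return the gaps found in one trail; an empty list means it passes every check."""
    gaps = []
    if not trail.get("IsMultiRegionTrail"):
        gaps.append("single-region trail: API activity in other regions is not recorded")
    if not trail.get("IncludeGlobalServiceEvents"):
        gaps.append("global service events (IAM, STS, CloudFront) are excluded")
    if not trail.get("LogFileValidationEnabled"):
        gaps.append("log file validation is off: modified or deleted log files cannot be detected")
    if not trail.get("KmsKeyId"):
        gaps.append("log files are not encrypted with a customer managed KMS key")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        gaps.append("no CloudWatch Logs delivery: metric filters and alarms cannot be built on this trail")
    return gaps


def audit_trails(trails: List[Dict]) -> Dict[str, List[str]]:
    """Map each trail name to its list of gaps."""
    return {trail["Name"]: audit_trail(trail) for trail in trails}


def account_is_covered(trails: List[Dict]) -> bool:
    """True when at least one trail records every region with validated log files."""
    return any(
        trail.get("IsMultiRegionTrail") and trail.get("LogFileValidationEnabled")
        for trail in trails
    )


if __name__ == "__main__":
    for name, gaps in audit_trails(SAMPLE_TRAILS).items():
        print(name, "OK" if not gaps else "")
        for gap in gaps:
            print("  -", gap)
    print("account covered by a multi-region trail:", account_is_covered(SAMPLE_TRAILS))
```

The `account_is_covered` check is the one worth alarming on: a single-region trail in an account silently leaves every other region unlogged, which is exactly where an attacker with stolen credentials will go first.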
  2. Analyzing logs, findings, and metrics centrally
    One of the main ways to improve how you detect and investigate security events on AWS is to collect all logs, metrics, and telemetry centrally and to have a process in place that automatically analyzes them for anomalies or indicators of unauthorized activity.

    All your GuardDuty and Security Hub findings, for example, should be sent to a central location (such as a dedicated security account) for alerting and analysis. A dashboard on top of that data gives you easily accessible, near-real-time insight into the security state of your AWS environment.

    Start by evaluating all the available options for processing logs. For example, you can use Amazon Athena to query CloudTrail logs in S3 directly with SQL, without loading them into another system first.
    Useful resources:
    Logging and Monitoring
    Configuring Athena to analyze CloudTrail logs
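Once CloudTrail records are in one place, the questions you ask them are the same whether you write them as Athena SQL or as code. The following is an added example, not code from the article: a few detections run over CloudTrail records constructed to follow the CloudTrail record format, so it runs offline. Each rule corresponds to a query you would run against the Athena CloudTrail table (filter on `errorcode`, group by `sourceipaddress` or `useridentity.arn`); the Python form makes the thresholds and the null-handling explicit.

```python
"""Detection logic over centrally collected CloudTrail records.

Added example, not code from the article. SAMPLE_RECORDS is constructed; point
`detect` at records parsed from real CloudTrail log files to use it for real.
"""
from collections import Counter
from typing import Dict, List

ROLE = "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}

# Constructed sample records, trimmed to the fields the rules read.
SAMPLE_RECORDS: List[Dict] = (
    # Three failed console logins from one address.
    [{"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "userIdentity": ALICE,
      "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Failure"}}] * 3
    + [
        {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "userIdentity": ALICE,
         "sourceIPAddress": "203.0.113.5", "responseElements": {"ConsoleLogin": "Success"}},
        # Interactive root use: a plain API call with no invokedBy.
        {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "eventType": "AwsApiCall",
         "userIdentity": ROOT, "sourceIPAddress": "203.0.113.9"},
        # Root credentials used by AWS on the account's behalf: expected, not flagged.
        {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com", "eventType": "AwsApiCall",
         "userIdentity": {**ROOT, "invokedBy": "AWS Internal"}, "sourceIPAddress": "AWS Internal"},
        # Someone switching the audit trail off.
        {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
         "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
         "sourceIPAddress": "198.51.100.20"},
    ]
    # A role hitting AccessDenied repeatedly: typical of a leaked credential being probed.
    # responseElements is JSON null on failed calls, which the rules must tolerate.
    + [{"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com", "errorCode": "AccessDenied",
        "userIdentity": {"type": "AssumedRole", "arn": ROLE}, "sourceIPAddress": "198.51.100.33",
        "responseElements": None}] * 3
    + [{"eventName": "GetUser", "eventSource": "iam.amazonaws.com", "errorCode": "AccessDenied",
        "userIdentity": ALICE, "sourceIPAddress": "203.0.113.5", "responseElements": None}]
)

LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
DENIED_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}


def is_root_api_use(rec: Dict) -> bool:
    """Interactive root use, excluding calls AWS services make with root on the account's behalf."""
    ident = rec.get("userIdentity") or {}
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and rec.get("eventType") != "AwsServiceEvent")


def is_failed_console_login(rec: Dict) -> bool:
    return (rec.get("eventName") == "ConsoleLogin"
            and (rec.get("responseElements") or {}).get("ConsoleLogin") == "Failure")


def is_logging_tamper(rec: Dict) -> bool:
    return (rec.get("eventSource") == "cloudtrail.amazonaws.com"
            and rec.get("eventName") in LOGGING_TAMPER_EVENTS)


def is_access_denied(rec: Dict) -> bool:
    return rec.get("errorCode") in DENIED_CODES


def detect(records: List[Dict], login_fail_threshold: int = 3, denied_threshold: int = 3) -> List[Dict]:
    """Return findings: single-event rules fire immediately, counted rules fire at their threshold."""
    findings: List[Dict] = []
    failed_logins: Counter = Counter()
    denied: Counter = Counter()
    for rec in records:
        who = (rec.get("userIdentity") or {}).get("arn")
        if is_root_api_use(rec):
            findings.append({"rule": "root-account-use", "subject": rec.get("sourceIPAddress"),
                             "event": rec.get("eventName"), "count": 1})
        if is_logging_tamper(rec):
            findings.append({"rule": "cloudtrail-tampering", "subject": who,
                             "event": rec.get("eventName"), "count": 1})
        if is_failed_console_login(rec):
            failed_logins[rec.get("sourceIPAddress")] += 1
        if is_access_denied(rec):
            denied[who] += 1
    for ip, n in failed_logins.items():
        if n >= login_fail_threshold:
            findings.append({"rule": "console-login-failures", "subject": ip, "event": "ConsoleLogin", "count": n})
    for arn, n in denied.items():
        if n >= denied_threshold:
            findings.append({"rule": "access-denied-burst", "subject": arn, "event": "AccessDenied", "count": n})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_RECORDS):
        print(finding)
```

The root-use rule deliberately excludes records with `invokedBy` or `eventType` of `AwsServiceEvent`; without that exclusion the rule fires on routine service activity and the alert gets ignored, which defeats the point of section 4 below.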
  3. Automating your response to events
    Preparing to prevent security issues is only part of the job; you also need to respond well once a threat materializes.

    Automation is one of your main strengths when investigating and remediating security events. Automated responses make investigation and remediation scalable and more dependable. For example, Amazon GuardDuty can monitor for malicious activity or unauthorized behavior and raise automated security alerts, and an EventBridge rule on GuardDuty findings can invoke a Lambda function that contains the affected resource.

    You can also save time and reduce human effort by developing automated processes that investigate security events and report the information they gather.
    Useful resources:
    Lab: Automated Deployment of Detective Controls
    Lab: Amazon GuardDuty hands-on
  4. Implementing actionable security events
    Make the best use of your team's time by sending every alert to specific people who can act on it.
    Alerts should include all the details a team member needs to act (which account and resource, what was observed, when, and how often), so that responses are faster. One way to achieve this is to configure CloudWatch alarms on the metrics and log-based metric filters you care about, with the alarm action notifying the owning team through an SNS topic.
    Useful resources:
    AWS service documentation
    Using Amazon CloudWatch Metrics
    Using Amazon CloudWatch Alarms
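Sections 3 and 4 come together in the function that receives a GuardDuty finding: it has to produce an alert someone can act on and, for the serious cases, act itself. The following is an added example, not code from the article or from the AWS labs it links. `handle_finding` is the core of a Lambda function invoked by an EventBridge rule matching `source = aws.guardduty`; the two events are constructed to follow the GuardDuty finding schema as delivered by EventBridge. The routing table, the `Owner` tag convention and the isolation security group id are assumptions made for this demo. AWS API calls go through whichever client objects are passed in, so the demo runs offline with a recording fake and in Lambda with `boto3.client("ec2")` and `boto3.client("iam")`.

```python
"""GuardDuty finding -> actionable alert + automated containment.

Added example, not code from the article. The findings, ROUTES, the Owner tag
convention and ISOLATION_SG are assumptions for this demo.
"""
from typing import Any, Dict, List, Optional, Tuple

ISOLATION_SG = "sg-0a1b2c3d4e5f60718"  # assumed: quarantine security group with no rules
ROUTES = {"High": "pager:security-oncall", "Medium": "chat:#security-alerts", "Low": "ticket:security-backlog"}

# Constructed events in the shape EventBridge delivers GuardDuty findings.
SAMPLE_INSTANCE_FINDING = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding", "account": "111122223333", "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0", "accountId": "111122223333", "region": "us-east-1",
        "id": "f0c2d8f4e1a3b5c7d9e1f2a3b4c5d6e7", "severity": 8,
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "title": "198.51.100.7 is performing SSH brute force attacks against i-0123456789abcdef0.",
        "resource": {"resourceType": "Instance", "instanceDetails": {
            "instanceId": "i-0123456789abcdef0", "tags": [{"key": "Owner", "value": "payments-team"}]}},
        "service": {"serviceName": "guardduty", "count": 12,
                    "eventFirstSeen": "2022-04-08T09:10:00Z", "eventLastSeen": "2022-04-08T09:42:00Z"},
    },
}
SAMPLE_KEY_FINDING = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding", "account": "111122223333", "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0", "accountId": "111122223333", "region": "us-east-1",
        "id": "a1b2c3d4e5f60718293a4b5c6d7e8f90", "severity": 5,
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
        "title": "API GetCallerIdentity was invoked from an IP address on a custom threat list.",
        "resource": {"resourceType": "AccessKey", "accessKeyDetails": {
            "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "alice", "userType": "IAMUser"}},
        "service": {"serviceName": "guardduty", "count": 1,
                    "eventFirstSeen": "2022-04-08T11:00:00Z", "eventLastSeen": "2022-04-08T11:00:00Z"},
    },
}


def severity_label(score: float) -> str:
    """GuardDuty severity bands: 7.0 and above High, 4.0 to 6.9 Medium, below 4.0 Low."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def affected_resource(detail: Dict[str, Any]) -> Tuple[str, Optional[str]]:
    """Return (identifier a responder can act on, owner from tags if present)."""
    res = detail["resource"]
    if res["resourceType"] == "Instance":
        inst = res["instanceDetails"]
        tags = {t["key"]: t["value"] for t in inst.get("tags", [])}
        return inst["instanceId"], tags.get("Owner")
    if res["resourceType"] == "AccessKey":  # IAM principals carry no tags in the finding
        key = res["accessKeyDetails"]
        return f'{key.get("userName")}/{key["accessKeyId"]}', None
    return res["resourceType"], None


def build_alert(event: Dict[str, Any], default_owner: str = "security-oncall") -> Dict[str, Any]:
    """Everything a responder needs in one message, routed by severity to people who can act."""
    d = event["detail"]
    svc = d.get("service", {})
    resource_id, owner = affected_resource(d)
    sev = severity_label(float(d["severity"]))
    return {
        "route": ROUTES[sev], "owner": owner or default_owner, "severity": sev,
        "title": d["title"], "finding_type": d["type"], "finding_id": d["id"],
        "account": d["accountId"], "region": d["region"], "resource": resource_id,
        "first_seen": svc.get("eventFirstSeen"), "last_seen": svc.get("eventLastSeen"),
        "count": svc.get("count", 1),
        "runbook": "runbooks/guardduty/" + d["type"].lower().replace(":", "-").replace("/", "-"),
    }


def plan_response(event: Dict[str, Any]) -> List[Tuple[str, str, Dict[str, Any]]]:
    """Containment actions as (client, api, kwargs). Only High findings are auto-contained."""
    d = event["detail"]
    if severity_label(float(d["severity"])) != "High":
        return []
    res = d["resource"]
    if res["resourceType"] == "Instance":  # swap every security group for the quarantine group
        return [("ec2", "modify_instance_attribute",
                 {"InstanceId": res["instanceDetails"]["instanceId"], "Groups": [ISOLATION_SG]})]
    if res["resourceType"] == "AccessKey":  # deactivate rather than delete, so the key can be investigated
        key = res["accessKeyDetails"]
        return [("iam", "update_access_key",
                 {"UserName": key["userName"], "AccessKeyId": key["accessKeyId"], "Status": "Inactive"})]
    return []


class RecordingClient:
    """Stand-in for a boto3 client that records calls instead of making them."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def __getattr__(self, api: str):
        def call(**kwargs: Any) -> Dict[str, Any]:
            self.calls.append((api, kwargs))
            return {"ResponseMetadata": {"HTTPStatusCode": 200}}
        return call


def handle_finding(event: Dict[str, Any], clients: Dict[str, Any]) -> Dict[str, Any]:
    """Lambda-style entry point: build the alert, contain if warranted, record what was done in the alert."""
    alert = build_alert(event)
    actions = plan_response(event)
    for client_name, api, kwargs in actions:
        getattr(clients[client_name], api)(**kwargs)
    alert["automated_actions"] = [f"{name}.{api}" for name, api, _ in actions]
    return alert
```

Two design points matter in practice: the alert carries the owner resolved from the resource's tags, so it reaches a team that can act rather than a generic inbox, and the automated action is recorded in the alert itself so the responder knows what has already been done to the resource before they start.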
