
Amazon GuardDuty – Continuous Security Monitoring and Threat Detection - moritzplassnig
https://aws.amazon.com/blogs/aws/amazon-guardduty-continuous-security-monitoring-threat-detection/
======
cddotdotslash
This is a really good addition. AWS has all this data, so it's good to see
they're putting it to good use. We had just launched a service called
CloudSploit Events [1] that does much the same thing, but I think now we'll be
able to treat this as an additional data source to build out our report data
using the machine-learning and vast expertise of AWS.

[1] [https://cloudsploit.com/events](https://cloudsploit.com/events)

~~~
jcims
How much of your product can customers self-host? I know the scanner is at
least partly available as open source, but we would want support.

~~~
cddotdotslash
Technically you can host the scanner yourself by running it as a Lambda
function, but we don't have a full featured AMI/self hosted installation with
the dashboard and other components at this point. We have done support-only
deals in the past where we'll support your use of the open source scans, but
full disclosure, you'd be missing out on a lot of the UI and API pieces that
the SaaS has. Other companies have taken the open source part and run it
entirely on their own with their own added tools, so it is possible. Happy to
answer more questions or you can reach out to support@cloudsploit.com and we
can discuss the options if you're interested in going that route.

------
Saaster
The pricing page
[https://aws.amazon.com/guardduty/pricing/](https://aws.amazon.com/guardduty/pricing/)
is a bit confusing.

"First 500 GB / month, $1.00". Not bad! <Looks at pricing example>. Oh...
$1.00/GB :)

On the other hand, 250GB of only VPC flow logs sounds really high to me, for
the "small" environment example.

------
kainosnoema
Just enabled it for our account (incredibly easy, single-button activation),
and by morning we had results showing some minor vulnerabilities in our public
subnets that we were able to patch immediately. Highly recommend.

------
reducesuffering
Can anyone explain how this works? They're scanning logs of what? Suspicious
interaction of a service, or suspicious command line fu? You know, for
science.

~~~
cddotdotslash
They're ingesting several data sources, including CloudTrail (IAM events in
the account) and VPC flow logs (network activity) to look for suspicious
behavior. For example, if someone disables CloudTrail logging, that API event
is suspicious, especially if it comes from outside your organization. If your
EC2 instances start pinging known Bitcoin mining servers, that's probably
something you want to fix as well.
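
As an added illustration of the two data sources described in this comment (example code written for this page, not from the post, CloudSploit or AWS), the following Python runs the same two checks over constructed CloudTrail events and VPC flow log records: a logging-tamper API call scored higher when it comes from outside a trusted range, and an accepted outbound flow to a listed bad destination. The trusted source range, the bad-destination list and the finding labels are assumptions.

```python
import ipaddress

# Constructed CloudTrail records (trimmed to the fields the checks use).
CLOUDTRAIL_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.8",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
]
# Constructed VPC flow log lines in the default (version 2) field order:
# version account eni src dst srcport dstport proto pkts bytes start end action status
FLOW_LOGS = """\
2 111122223333 eni-0a1b2c3d 10.0.1.15 192.0.2.77 49152 3333 6 20 1600 1512000000 1512000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 10.0.2.30 49153 443 6 10 800 1512000000 1512000060 ACCEPT OK
"""
# Assumptions: the organisation's egress range and a list of known mining-pool IPs.
TRUSTED_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_BAD_DESTINATIONS = {"192.0.2.77"}
# API calls that reduce CloudTrail visibility; any of them is worth a finding.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def cloudtrail_findings(events):
    """Flag logging-tamper calls; raise severity when the caller IP is external."""
    findings = []
    for ev in events:
        if ev["eventSource"] != "cloudtrail.amazonaws.com":
            continue
        if ev["eventName"] not in LOGGING_TAMPER_EVENTS:
            continue
        src = ipaddress.ip_address(ev["sourceIPAddress"])
        external = not any(src in net for net in TRUSTED_SOURCE_NETS)
        findings.append({"type": "CloudTrailLoggingDisabled",
                         "severity": "HIGH" if external else "MEDIUM",
                         "actor": ev["userIdentity"]["arn"], "source_ip": str(src)})
    return findings


def flow_log_findings(raw):
    """Flag accepted flows whose destination is on the bad-destination list."""
    findings = []
    for line in raw.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":  # skip malformed or non-v2 records
            continue
        if f[12] == "ACCEPT" and f[4] in KNOWN_BAD_DESTINATIONS:
            findings.append({"type": "SuspiciousOutboundConnection", "interface": f[2],
                             "src": f[3], "dst": f[4], "dst_port": int(f[6])})
    return findings
```

Running both functions over the sample data yields one finding each; in practice the two sources would be correlated (the ENI's instance and the IAM actor) before an alert is raised.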

------
Sephr
From the title I was hoping for security event tracking/categorization for
video feeds like Google Cloud Video Intelligence.

------
A1kmm
It seems very similar in scope to Amazon Macie - it would be good if they
mentioned how the two services are different.

~~~
jcims
GuardDuty and Macie are complementary. GuardDuty primarily covers network,
Macie covers CloudTrail events/anomalies and S3 content policies.

------
jlgaddis
Are these flow logs generated for an AWS account even if one doesn't use
GuardDuty?

~~~
strongbad
VPC flow logs can be created for a subnet, ENI or the whole VPC.
[http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html)

