Many organizations are adopting a cloud-first philosophy when it comes to application development and IT infrastructure. There are a variety of benefits to using a cloud platform like AWS, but the cloud also poses some unique challenges—particularly when it comes to managing access to resources and maintaining compliance with mandates like GDPR and HIPAA. Alert Logic has enhanced managed threat detection and response to provide greater visibility by integrating with the new AWS Identity and Access Management (IAM) Access Analyzer capability.
Elevating Detection and Response
Organizations use an array of tools and applications designed to prevent cyber attacks and unauthorized access. Firewalls, spam filters, antimalware solutions, and other tools are deployed with the intent that they will detect and block suspicious or malicious activity. They do a relatively good job with the vast majority of threats circulating on the internet, but there is no such thing as impervious cybersecurity. The reality is that some attacks will slip through those defenses.
For those threats, rapid detection and response are key. You need to minimize dwell time—the amount of time an attacker remains undetected on your network, conducting reconnaissance to find vulnerable systems and moving laterally throughout the network to find sensitive systems or data.
Forrester analysts noted in a recent report, “While preventive controls play an important role in helping an organization become more resilient to attack, detection capabilities are critical for identifying ongoing attacks that may have evaded such preventive controls.”
The analysts compared detection and response capabilities to a safety net for a trapeze artist. Hopefully the trapeze artist won’t fall, but if (when) she does, at least the net is there to save her. Similarly, your cybersecurity tools should prevent unauthorized access, but if (when) they don’t, detection and response enable you to avoid or minimize the potential damage.
Understanding which external accounts, roles, users, services, or other entities have access to your cloud resources—and why—is an important element of detection and response and helps to minimize your attack surface.
AWS IAM Access Analyzer
AWS IAM Access Analyzer monitors and analyzes resource policies to inform you of resources that are shared with external principals. When you enable Access Analyzer, you create a zone of trust—essentially a white list—of principals that are considered trusted. Access Analyzer performs an initial analysis when enabled, and then periodic analysis every 24 hours. The exception is that Access Analyzer will analyze a new policy or any change to an existing policy within 30 minutes.
When Access Analyzer identifies a new policy or a policy change that grants access to an external principal not in your zone of trust, it generates a finding. According to AWS, “Each finding includes details about the resource, the external entity that has access to it, and the permissions granted so that you can take appropriate action. You can view the details included in the finding to determine whether the resource access is intentional or a potential risk that you should resolve.”
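To make the "zone of trust" idea concrete, here is a small local analogue of the check described above, written in Python as an added example; it is not Alert Logic's or AWS's code. It walks an S3-style resource policy, treats the account IDs in a trusted set as the zone of trust, and reports every Allow statement whose AWS principal falls outside that set (anonymous "*" access included). It also shows the "new finding after a policy change" case by diffing two analyses. The policy and account IDs are constructed placeholders; the code only inspects the "AWS" principal key, does not evaluate Condition blocks (it surfaces them for a reviewer instead), and ignores the per-resource-type rules the real service applies.

```python
import json

# Constructed sample bucket policy. Account 111111111111 is the bucket owner;
# 222222222222 is a second, external account; the third statement is public read.
SAMPLE_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "OwnerAccess", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PartnerRead", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:role/ReportReader"]},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/reports/*"},
    {"Sid": "PublicRead", "Effect": "Allow",
     "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/www/*"},
    {"Sid": "DenyDelete", "Effect": "Deny",
     "Principal": "*",
     "Action": "s3:DeleteBucket", "Resource": "arn:aws:s3:::example-bucket"}
  ]
}
""")


def _account_of(principal):
    """Return the 12-digit account ID in an IAM ARN or bare account string,
    or None for the anonymous principal '*'."""
    if principal == "*":
        return None
    parts = principal.split(":")  # arn:partition:service:region:account:resource
    if len(parts) >= 6 and parts[4].isdigit() and len(parts[4]) == 12:
        return parts[4]
    if principal.isdigit() and len(principal) == 12:
        return principal
    return None


def _aws_principals(principal_field):
    """Normalise the Principal element to a list of AWS principal strings.
    Assumption: only the "AWS" key is examined; Service/Federated keys are skipped."""
    if principal_field == "*":
        return ["*"]
    if isinstance(principal_field, dict):
        aws = principal_field.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []


def external_access(policy, zone_of_trust):
    """List Allow statements whose principals are outside zone_of_trust
    (a set of trusted account IDs). Each finding records the statement,
    the principal, whether it is anonymous, the actions and resource granted,
    and any Condition block (not evaluated here, surfaced for review)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        for principal in _aws_principals(stmt.get("Principal", {})):
            account = _account_of(principal)
            if account is not None and account in zone_of_trust:
                continue
            findings.append({
                "sid": stmt.get("Sid"),
                "principal": principal,
                "anonymous": account is None,
                "actions": actions,
                "resource": stmt.get("Resource"),
                "condition": stmt.get("Condition"),
            })
    return findings


def new_findings(previous, current):
    """Findings present after a policy change that were not present before,
    keyed on statement id, principal and granted actions."""
    key = lambda f: (f["sid"], f["principal"], tuple(f["actions"]))
    seen = {key(f) for f in previous}
    return [f for f in current if key(f) not in seen]


if __name__ == "__main__":
    trusted = {"111111111111"}
    for f in external_access(SAMPLE_BUCKET_POLICY, trusted):
        kind = "ANONYMOUS" if f["anonymous"] else "external account"
        print(f"{f['sid']}: {kind} {f['principal']} -> {f['actions']} on {f['resource']}")
```

Extending the zone of trust to include 222222222222 makes the PartnerRead statement disappear from the results while PublicRead remains, which is the triage question the real findings pose: intended sharing versus a policy that should be tightened.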
Visibility Provides Confidence and Peace of Mind
Alert Logic has several planned integrations with AWS IAM Access Analyzer. The initial integration of Alert Logic managed threat detection and response with the new AWS capability will notify customers via the Alert Logic Console when a resource is shared externally, so that the customer can verify that the sharing is authorized and that the permissions granted are appropriate.
"Visibility is key to any threat detection effort, particularly in dynamic cloud and hybrid IT environments," said Chris Noell, Head of Product Management for Alert Logic. "By notifying customers in near real-time of the resource being shared externally we allow IT teams to respond rapidly when necessary thereby thwarting or minimizing the impact of costly, damaging, and potentially high-profile breaches."
The Alert Logic integration with AWS IAM Access Analyzer will be available to Alert Logic Professional customers. For more information, visit Alert Logic booth 2334 at AWS re:Invent 2019.