Detect common threats

Leverage Amazon GuardDuty for threat detection and investigate findings

It is recommended to send alerts for critical findings through Amazon SNS.

Amazon GuardDuty

Amazon GuardDuty is the simplest way to detect the threats commonly found in cloud environments. With one click you can enable the service (or a few clicks for an organization), and it will detect threats such as command and control, reconnaissance activity, privilege escalation, anomalies, and more. See also: GuardDuty Protection Plans.
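GuardDuty itself only produces findings; the SNS alerting recommended above is wired up with an EventBridge rule that forwards findings above a severity threshold to a topic. The following is an added example (not code from the page or from AWS) showing that pattern: the event pattern filters on GuardDuty's numeric severity, a pure Python mirror of the same filter lets you test the routing offline, and `deploy()` creates the rule with boto3. The rule name, topic ARN, region and the sample finding are constructed placeholders; the finding type and field names follow the shape EventBridge delivers for GuardDuty.

```python
"""Route High/Critical GuardDuty findings to an SNS topic via EventBridge.

Added example, not from the original page. deploy() assumes boto3 is
installed and AWS credentials are configured; everything else runs offline.
"""
import json

# GuardDuty severity bands as documented: Low 1.0-3.9, Medium 4.0-6.9,
# High 7.0-8.9, Critical 9.0-10.0. Page on High and above.
ALERT_THRESHOLD = 7.0

# EventBridge event pattern: the same threshold expressed with EventBridge's
# numeric matching, so only findings worth waking someone up reach the topic.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", ALERT_THRESHOLD]}]},
}


def severity_label(severity: float) -> str:
    """Map a numeric GuardDuty severity to its documented band name."""
    if severity >= 9.0:
        return "Critical"
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"


def should_alert(event: dict) -> bool:
    """Local mirror of EVENT_PATTERN, usable in tests or in a Lambda target."""
    detail = event.get("detail", {})
    return (
        event.get("source") == "aws.guardduty"
        and event.get("detail-type") == "GuardDuty Finding"
        and float(detail.get("severity", 0)) >= ALERT_THRESHOLD
    )


def format_alert(event: dict) -> str:
    """Build the short, human-readable message an on-call engineer receives."""
    d = event["detail"]
    return (
        f"[{severity_label(d['severity'])} {d['severity']}] {d['type']}\n"
        f"account={d['accountId']} region={d['region']} "
        f"resource={d['resource']['resourceType']} finding={d['id']}\n"
        f"{d['title']}"
    )


def deploy(rule_name: str, topic_arn: str, region: str) -> None:
    """Create the EventBridge rule and target the SNS topic (hypothetical names).

    Assumption: the topic's access policy already lets events.amazonaws.com
    publish to it; without that statement the rule silently delivers nothing.
    """
    import boto3  # imported lazily so the offline helpers need no AWS SDK

    events = boto3.client("events", region_name=region)
    events.put_rule(Name=rule_name, EventPattern=json.dumps(EVENT_PATTERN), State="ENABLED")
    events.put_targets(Rule=rule_name, Targets=[{"Id": "sns-alert", "Arn": topic_arn}])


# Constructed sample event in the shape EventBridge delivers for GuardDuty.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "EXAMPLE-FINDING-ID",
        "accountId": "111122223333",
        "region": "us-east-1",
        "severity": 8,
        "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
        "title": "EC2 instance credentials were used from outside AWS.",
        "resource": {"resourceType": "AccessKey"},
    },
}

if __name__ == "__main__":
    print(format_alert(SAMPLE_EVENT) if should_alert(SAMPLE_EVENT) else "no alert")
```

Lower-severity findings are not dropped: they stay in the GuardDuty console (and in Security Hub if integrated) for triage; the threshold only decides what interrupts a human. If you later need richer routing, point the rule at a Lambda function and reuse `should_alert()` there instead of duplicating the logic.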

Why GuardDuty? How else can I detect threats in the AWS Cloud?

You could use third-party solutions such as Security Information and Event Management (SIEM), User and Entity Behavior Analytics (UEBA), Network Behavior Anomaly Detection (NBAD), and runtime monitoring tools to analyze the same sources GuardDuty uses. However, deploying and integrating those solutions, and generating VPC Flow Logs on all your VPCs, would cost far more and take far more effort. We therefore recommend those solutions for custom threat detection in a later phase: they can be "wins", but not "QuickWins".

GuardDuty Mindmap

https://www.xmind.net/m/K3fmSB

Workshops

Risk Mitigation

  • GuardDuty can detect adversaries early, through their reconnaissance activity, and identifies the most common threats.
  • GuardDuty is a threat detection service; to be effective, someone must act on its findings (or an automated response must be configured).

Guidance for assessments

  • Do you have Amazon GuardDuty enabled across your whole organization?
  • Is your team trained to understand GuardDuty findings?
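The first assessment question is easy to answer wrong: GuardDuty is regional, so an account can have it enabled in one region and silently disabled (or never created) in another. Below is an added example (not from the page or from AWS) that walks every region enabled for the account, records the detector status, and summarizes coverage. `collect_status()` uses the real boto3 `ec2.describe_regions`, `guardduty.list_detectors` and `guardduty.get_detector` calls and needs credentials; `summarize()` is pure, so it is exercised here on a constructed status map.

```python
"""Audit GuardDuty coverage across all regions of one account.

Added example, not from the original page. collect_status() assumes boto3
and AWS credentials for the account being assessed; summarize() runs offline.
"""


def summarize(status_by_region: dict) -> dict:
    """Split regions into enabled / disabled / missing.

    status_by_region maps region -> detector Status ("ENABLED" or "DISABLED"),
    or None when list_detectors returned no detector in that region at all.
    """
    report = {"enabled": [], "disabled": [], "missing": []}
    for region, status in sorted(status_by_region.items()):
        if status == "ENABLED":
            report["enabled"].append(region)
        elif status is None:
            report["missing"].append(region)
        else:
            report["disabled"].append(region)
    return report


def is_fully_covered(report: dict) -> bool:
    """True only when every enabled region has an ENABLED detector."""
    return not report["disabled"] and not report["missing"]


def collect_status() -> dict:
    """Query each region enabled for the account (describe_regions omits opted-out ones)."""
    import boto3  # lazy import so summarize() needs no SDK

    ec2 = boto3.client("ec2")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    result = {}
    for region in regions:
        gd = boto3.client("guardduty", region_name=region)
        detector_ids = gd.list_detectors()["DetectorIds"]
        if not detector_ids:
            result[region] = None  # never enabled here
        else:
            result[region] = gd.get_detector(DetectorId=detector_ids[0])["Status"]
    return result


# Constructed sample: one healthy region, one disabled, one never enabled.
SAMPLE_STATUS = {"us-east-1": "ENABLED", "ap-south-1": "DISABLED", "eu-west-1": None}

if __name__ == "__main__":
    report = summarize(SAMPLE_STATUS)
    print(report, "fully covered:", is_fully_covered(report))
```

For an organization, run this from the delegated GuardDuty administrator account for each member account (or check the organization's auto-enable settings with `describe_organization_configuration`), because a gap in any single member account is a gap in the organization's detection.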

Pricing

https://aws.amazon.com/guardduty/pricing
The service has a 30-day free trial.
You can verify current usage and estimate future usage of the service from the Usage page of the GuardDuty console.