Automated Event Analysis with AWS GuardDuty

RightBrain has been using AWS CloudTrail since its release. We welcomed the new service with open arms, as we could finally audit changes and who made them. The detailed logging produced far more data to sift through before reaching actionable intelligence, so we built a Lambda function that inspected each log line for events that were obviously out of place. The function tied into our managed-service telemetry and opened tickets when it found something suspicious, but it was noisy and raised a lot of false flags.
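The kind of rule-based inspection that Lambda performed, written out as an added example (illustrative code, not RightBrain's function). It assumes the handler is handed a decompressed CloudTrail log file (`{"Records": [...]}`), that `ALLOWED_REGIONS` stands in for the organisation's real region list, and that opening a ticket is modelled by returning the alerts. The last rule shows where the noise comes from: it fires on every mutating call outside the expected regions, whether or not anything is actually wrong.

```python
"""Rule-based CloudTrail inspector, in the spirit of the Lambda described above.

Added example, not RightBrain's code. It assumes the handler receives a
decompressed CloudTrail payload ({"Records": [...]}) and models "open a
ticket" as returning the list of alerts. ALLOWED_REGIONS is a hypothetical
organisation setting.
"""
from typing import Callable, Dict, List, Optional

Record = Dict
ALLOWED_REGIONS = {"us-east-1", "us-west-2"}  # assumption: where the org operates


def _root_usage(rec: Record) -> Optional[str]:
    """Any call made with root credentials."""
    if rec.get("userIdentity", {}).get("type") == "Root":
        return "root credentials used for " + rec.get("eventName", "?")
    return None


def _console_login_without_mfa(rec: Record) -> Optional[str]:
    """Console sign-in where CloudTrail reports MFAUsed == "No"."""
    if (rec.get("eventName") == "ConsoleLogin"
            and rec.get("additionalEventData", {}).get("MFAUsed") == "No"):
        return "console login without MFA"
    return None


def _open_security_group(rec: Record) -> Optional[str]:
    """Ingress rule authorised for 0.0.0.0/0 (the whole internet)."""
    if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = rec.get("requestParameters") or {}
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return "security group opened to the internet on port %s" % perm.get("fromPort")
    return None


def _unexpected_region(rec: Record) -> Optional[str]:
    """Mutating call outside the regions we use. This is the noisy one:
    a legitimate DR drill or a new service launch trips it every time."""
    if not rec.get("readOnly", False) and rec.get("awsRegion") not in ALLOWED_REGIONS:
        return "mutating call in unexpected region " + str(rec.get("awsRegion"))
    return None


RULES: List[Callable[[Record], Optional[str]]] = [
    _root_usage, _console_login_without_mfa, _open_security_group, _unexpected_region,
]


def inspect_records(records: List[Record]) -> List[Dict]:
    """Run every rule over every record; one alert per (record, rule) hit."""
    alerts = []
    for rec in records:
        for rule in RULES:
            reason = rule(rec)
            if reason:
                alerts.append({
                    "eventID": rec.get("eventID"),
                    "eventName": rec.get("eventName"),
                    "principal": rec.get("userIdentity", {}).get("arn"),
                    "rule": rule.__name__.lstrip("_"),
                    "reason": reason,
                })
    return alerts


def handler(event, context):
    """Lambda entry point: event is the decompressed CloudTrail log file."""
    return {"alerts": inspect_records(event.get("Records", []))}


# Constructed sample records (not real CloudTrail output), trimmed to the fields used.
SAMPLE_RECORDS = [
    {"eventID": "1", "eventName": "CreateUser", "awsRegion": "us-east-1", "readOnly": False,
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventID": "2", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "3", "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-west-2",
     "readOnly": False,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventID": "4", "eventName": "DescribeInstances", "awsRegion": "eu-west-1", "readOnly": True,
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Auditor/x"}},
    {"eventID": "5", "eventName": "RunInstances", "awsRegion": "ap-southeast-1", "readOnly": False,
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"}},
]

if __name__ == "__main__":
    for alert in handler({"Records": SAMPLE_RECORDS}, None)["alerts"]:
        print(alert["rule"], "->", alert["reason"])
```

Run against the constructed records, the first three alerts are the ones an operator wants, while the fourth (a deployment role launching an instance in an unlisted region) is exactly the sort of hit that turned into a false flag for us: the rule has no notion of whether that activity is normal for that principal, which is the gap a trained model fills.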

We’ve since moved to a much simpler solution and enabled AWS GuardDuty on all of our accounts. GuardDuty does what our Lambda aimed to do, but with a machine learning model that benefits from extensive training. As a result, RightBrain and our clients see fewer false flags and more meaningful analysis of the events at hand.

In addition to monitoring CloudTrail, GuardDuty also actively monitors Amazon Virtual Private Cloud (VPC) Flow Logs. Before GuardDuty, stand-alone VPC Flow Logs were used only for debugging network issues; to use them for security analysis, they had to be streamed to another system for anomaly detection. Now a capable anomaly detection tool is built directly into the platform, and RightBrain takes advantage of it simply by enabling the service.
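Once GuardDuty is enabled, what gets consumed is findings rather than raw log lines. The following added example (not RightBrain's code) shows a triage step for a finding delivered through an EventBridge rule: it reads the documented finding fields, attributes the finding to the telemetry it came from (CloudTrail for API-call findings, VPC Flow Logs for connection and port-probe findings, DNS logs for DNS findings), bands the numeric severity the way GuardDuty documents it, and suppresses GuardDuty's generated sample findings. The EventBridge envelope is the standard one; the priority labels, the `triage` function and the decision to suppress samples are assumptions.

```python
"""Triage of a GuardDuty finding delivered through EventBridge.

Added example, not RightBrain's code. It assumes the EventBridge rule
forwards findings in the standard envelope ({"source": "aws.guardduty",
"detail-type": "GuardDuty Finding", "detail": <finding>}) and models the
ticket as the returned dict. Field paths are the documented GuardDuty
finding format; the priority labels are hypothetical.
"""
from typing import Dict


def severity_band(score: float) -> str:
    """GuardDuty's documented bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


# Which telemetry produced the finding, keyed on service.action.actionType.
EVIDENCE_SOURCE = {
    "AWS_API_CALL": "CloudTrail",
    "NETWORK_CONNECTION": "VPC Flow Logs",
    "PORT_PROBE": "VPC Flow Logs",
    "DNS_REQUEST": "DNS logs",
}

PRIORITY = {"HIGH": "P1", "MEDIUM": "P2", "LOW": "P3"}  # hypothetical ticket mapping


def triage(envelope: Dict) -> Dict:
    """Turn one EventBridge event carrying a GuardDuty finding into a ticket decision."""
    if envelope.get("source") != "aws.guardduty":
        raise ValueError("not a GuardDuty event")
    finding = envelope["detail"]
    service = finding.get("service", {})
    action_type = service.get("action", {}).get("actionType")
    band = severity_band(float(finding.get("severity", 0)))
    # Sample findings (generated to exercise the pipeline) must not page anyone.
    is_sample = bool(service.get("additionalInfo", {}).get("sample", False))
    return {
        "id": finding.get("id"),
        "type": finding.get("type"),
        "account": finding.get("accountId"),
        "region": finding.get("region"),
        "resource": finding.get("resource", {}).get("resourceType"),
        "evidence": EVIDENCE_SOURCE.get(action_type, "unknown"),
        "band": band,
        "occurrences": int(service.get("count", 1)),
        "open_ticket": not is_sample,
        "priority": None if is_sample else PRIORITY[band],
    }


def _event(finding: Dict) -> Dict:
    """Wrap a finding in the EventBridge envelope GuardDuty uses."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": finding}


# Constructed sample findings (not real GuardDuty output), trimmed to the fields used.
SSH_BRUTE_FORCE = _event({
    "id": "finding-0001", "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 2.0,
    "accountId": "123456789012", "region": "us-east-1",
    "resource": {"resourceType": "Instance"},
    "service": {"action": {"actionType": "NETWORK_CONNECTION"}, "count": 17},
})
CREDENTIAL_EXFIL = _event({
    "id": "finding-0002",
    "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
    "severity": 8.0, "accountId": "123456789012", "region": "us-west-2",
    "resource": {"resourceType": "AccessKey"},
    "service": {"action": {"actionType": "AWS_API_CALL"}, "count": 1},
})
SAMPLE_PORT_PROBE = _event({
    "id": "finding-0003", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0,
    "accountId": "123456789012", "region": "us-east-1",
    "resource": {"resourceType": "Instance"},
    "service": {"action": {"actionType": "PORT_PROBE"}, "count": 3,
                "additionalInfo": {"sample": True}},
})

if __name__ == "__main__":
    for ev in (SSH_BRUTE_FORCE, CREDENTIAL_EXFIL, SAMPLE_PORT_PROBE):
        t = triage(ev)
        print(t["type"], t["band"], t["evidence"], t["priority"])
```

The evidence field is the practical payoff of the paragraph above: a single finding stream now tells you whether the signal came from CloudTrail or from the VPC Flow Logs that previously had to be shipped elsewhere, so routing and runbooks can key off it directly.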

This service helps shift the role of managed AWS services from active human monitoring to enabling automation and providing a Well-Architected system on a platform built for success.