Intrusion Prevention System (IPS) Policy - Security Operations


Intrusion Prevention Systems (IPS) come in several types; the business concentrates on the following as part of its prevention systems:


Accurate, account-level threat detection

Amazon GuardDuty gives you accurate threat detection of account compromise, which can be particularly difficult to detect quickly if you are not continuously monitoring for these factors in near real time. GuardDuty can detect signs of account compromise, such as access to AWS resources from an unusual geo-location at an atypical time of day. For programmatic AWS accounts, GuardDuty checks for unusual API calls, such as attempts to obscure account activity by disabling CloudTrail logging or taking snapshots of a database from a malicious IP address.


Continuous monitoring across AWS accounts without added cost and complexity

Amazon GuardDuty continuously monitors and analyzes your AWS account and workload event data found in AWS CloudTrail, VPC Flow Logs, and DNS Logs. There is no additional security software or infrastructure to deploy and maintain. By associating your AWS accounts together you can aggregate threat detection instead of having to work on an account-by-account basis. In addition, you do not have to collect, analyze, and correlate large volumes of AWS data from multiple accounts. So, you can focus on how to respond quickly, how to keep your organization secure, and continuing to scale and innovate in the AWS Cloud.


Threat detections developed and optimized for the cloud

Amazon GuardDuty gives you access to built-in detection techniques that are developed and optimized for the cloud. The detection algorithms are maintained and continuously improved upon by AWS Security. The primary detection categories include:

Reconnaissance -- Activity suggesting reconnaissance by an attacker, such as unusual API activity, intra-VPC port scanning, unusual patterns of failed login requests, or unblocked port probing from a known bad IP.

Instance compromise -- Activity indicating an instance compromise, such as cryptocurrency mining, backdoor command and control (C&C) activity, malware using domain generation algorithms (DGA), outbound denial of service activity, unusually high volume of network traffic, unusual network protocols, outbound instance communication with a known malicious IP, temporary Amazon EC2 credentials used by an external IP address, and data exfiltration using DNS.

Account compromise -- Common patterns indicative of account compromise include API calls from an unusual geolocation or anonymizing proxy, attempts to disable AWS CloudTrail logging, changes that weaken the account password policy, unusual instance or infrastructure launches, infrastructure deployments in an unusual region, and API calls from known malicious IP addresses.


GuardDuty offers these advanced detections by using machine learning and anomaly detection to identify previously difficult-to-find threats, such as unusual patterns of API calls or malicious IAM user behavior. GuardDuty has integrated threat intelligence, which includes lists of malicious domains or IP addresses from AWS Security and industry-leading third-party security partners. It gives you an alternative to building in-house solutions, maintaining complex custom rules, or developing your own threat intelligence of known malicious IP addresses. GuardDuty removes the undifferentiated heavy lifting and unnecessary complexity of monitoring and protecting your AWS accounts and workloads.


Threat severity levels for efficient prioritization

Amazon GuardDuty provides three severity levels (Low, Medium, and High) to help customers prioritize their response to potential threats. A “Low” severity level indicates suspicious or malicious activity that was blocked before it compromised your resource. A “Medium” severity level indicates suspicious activity. For example, a large amount of traffic being returned to a remote host that is hiding behind the Tor network, or activity that deviates from normally observed behavior. A “High” severity level indicates that the resource in question (e.g. an EC2 instance or a set of IAM user credentials) is compromised and is actively being used for unauthorized purposes.


Automate threat response and remediation

Amazon GuardDuty offers HTTPS APIs, CLI tools, and AWS CloudWatch Events to support automated security responses to security findings. For example, you can automate the response workflow by using CloudWatch Events as an event source to trigger an AWS Lambda function.
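The workflow described above (a CloudWatch Events / EventBridge rule forwarding GuardDuty findings to a Lambda function) as an added example; this is not AWS or GuardDuty code. It assumes the documented event shape (the finding under event["detail"] with a numeric "severity", a "type" and a "resource"), maps the number onto the Low/Medium/High bands GuardDuty documents (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9), and returns a response plan. The action names ("notify", "open_ticket", "isolate_instance", "disable_access_key") and the sample event are this example's own constructed vocabulary; a real deployment would carry out those actions with boto3 calls from the handler.

```python
"""Triage a GuardDuty finding delivered by a CloudWatch Events / EventBridge rule.

Added example, not AWS or GuardDuty code. Assumes the documented event shape:
event["source"] == "aws.guardduty", event["detail-type"] == "GuardDuty Finding",
and the finding itself under event["detail"]. Runs offline on a constructed event.
"""

# Event pattern you would attach to the rule (same shape as the EventBridge
# console expects). The numeric filter keeps the Lambda invocations to High findings.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# Documented GuardDuty bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
SEVERITY_BANDS = ((7.0, "High"), (4.0, "Medium"), (1.0, "Low"))


def severity_label(score) -> str:
    """Map GuardDuty's numeric severity onto the Low/Medium/High label."""
    try:
        value = float(score)
    except (TypeError, ValueError):
        return "Unknown"
    for floor, label in SEVERITY_BANDS:
        if value >= floor:
            return label
    return "Unknown"  # 0 or malformed: route to a human rather than guess


def plan_response(finding: dict) -> dict:
    """Decide what to do with one finding. Action names are this example's own."""
    label = severity_label(finding.get("severity"))
    rtype = finding.get("resource", {}).get("resourceType", "Unknown")
    actions = ["notify"]  # every finding is at least surfaced to the SOC
    if label == "High":
        actions.append("open_ticket")
        if rtype == "Instance":
            actions.append("isolate_instance")  # e.g. move to a quarantine security group
        elif rtype == "AccessKey":
            actions.append("disable_access_key")  # stop further use of the credential
    elif label == "Medium":
        actions.append("open_ticket")
    return {
        "id": finding.get("id"),
        "type": finding.get("type"),
        "severity": label,
        "resourceType": rtype,
        "actions": actions,
    }


def handler(event, context=None):
    """Lambda entry point. Ignores anything that is not a GuardDuty finding."""
    if event.get("source") != "aws.guardduty" or "detail" not in event:
        return {"ignored": True}
    return plan_response(event["detail"])


# Constructed sample event (IDs are placeholders, not real account data).
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "EXAMPLE-FINDING-ID",
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-EXAMPLE0123456789"},
        },
    },
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

The band thresholds are kept in one table so a change in how the organization prioritizes (for example treating all Medium findings as ticket-worthy) is a one-line edit, and the handler returns a plan rather than acting directly, which makes the triage logic testable without AWS credentials.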


Highly available threat detection

Amazon GuardDuty is designed to automatically manage resource utilization based on the overall activity levels within your AWS accounts and workloads. GuardDuty adds detection capacity only when necessary and reduces utilization when capacity is no longer needed. You now have a cost-effective architecture that ensures you have the security processing power you need while minimizing expenses. You only have to pay for the detection capacity you use, when you use it. GuardDuty gives you security at scale, no matter your size.


One-click deployment with no additional software or infrastructure to deploy and manage

With one click in the AWS Management Console or a single API call, you can enable Amazon GuardDuty on a single account. With a few more clicks in the console, you can enable GuardDuty across multiple accounts. Once enabled, GuardDuty immediately starts analyzing continuous streams of account and network activity in near real time and at scale. There is no additional security software, and there are no sensors or network appliances to deploy or manage. Threat intelligence is pre-integrated into the service and is continuously updated and maintained.

Control Tower

If you’re an organization with multiple AWS accounts and teams, cloud setup and governance can be complex and time-consuming, slowing down the very innovation you’re trying to speed up. AWS Control Tower provides the easiest way to set up and govern a new, secure, multi-account AWS environment based on best practices established through AWS’ experience working with thousands of enterprises as they move to the cloud.

Guardrails are governance rules for your AWS environment. A guardrail enabled on an organizational unit (OU) continuously enforces or detects compliance with the stated intent on all resources in the child accounts under the OU.

Guardrails express intent using simple and clear language. For example, by enabling the "Disallow public read access to S3 buckets" guardrail, you can monitor public read access settings for all S3 buckets in all accounts under an OU. When you enable guardrails on an OU, they are applied to all child accounts under the OU that were created through AWS Control Tower.
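What a detective check for public read access on an S3 bucket evaluates, as an added example; this is not AWS Control Tower's guardrail implementation. It assumes the JSON shapes S3 returns for a bucket's ACL (a list of Grant objects) and bucket policy (an IAM policy document); the bucket name, grants and policy below are constructed so the check runs offline. The function names (acl_public_read, policy_public_read, evaluate_bucket) are this example's own.

```python
"""Flag S3 buckets that grant public read access via their ACL or bucket policy.

Added example, not Control Tower code. Inputs mirror the shapes of S3's
GetBucketAcl grants and GetBucketPolicy documents; all sample data is constructed.
"""
import json

# Predefined S3 groups that mean "anyone" (AllUsers) or "any AWS principal".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
ACL_READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
POLICY_READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def acl_public_read(grants):
    """Return reasons for each ACL grant that lets a public group read objects."""
    reasons = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GRANTEE_URIS
                and grant.get("Permission") in ACL_READ_PERMISSIONS):
            group = grantee["URI"].rsplit("/", 1)[-1]
            reasons.append(f"ACL grants {grant['Permission']} to {group}")
    return reasons


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_read(policy_doc):
    """Return reasons for each Allow statement giving object-read to everyone."""
    reasons = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & POLICY_READ_ACTIONS:
            sid = stmt.get("Sid", "<no Sid>")
            # A Condition may or may not actually restrict access, so it is still
            # flagged, with a hint that the condition needs review.
            note = " (has Condition; verify it restricts access)" if stmt.get("Condition") else ""
            reasons.append(f"policy statement {sid} allows {sorted(actions)} to Principal *{note}")
    return reasons


def evaluate_bucket(name, grants, policy_json=None):
    """Combine both checks into a compliance verdict for one bucket."""
    reasons = acl_public_read(grants)
    if policy_json:
        reasons += policy_public_read(json.loads(policy_json))
    return {"bucket": name, "compliant": not reasons, "reasons": reasons}


# Constructed sample data (owner ID and bucket name are placeholders).
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
               "Permission": "FULL_CONTROL"}
PUBLIC_GRANTS = [OWNER_GRANT, {"Grantee": {"Type": "Group",
                                           "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                               "Permission": "READ"}]
PRIVATE_GRANTS = [OWNER_GRANT]
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "TeamRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print(evaluate_bucket("example-bucket", PUBLIC_GRANTS, PUBLIC_POLICY))
    print(evaluate_bucket("example-bucket", PRIVATE_GRANTS, PRIVATE_POLICY))
```

Checking the ACL and the policy separately matters because either one alone can make objects world-readable; a bucket with a private ACL and a `Principal: "*"` policy is just as exposed as one with an AllUsers grant, and a detective control that only looks at one of the two will report a false clean result.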