Best Practices for an Amazon GuardDuty Proof of Concept (PoC)

8 minute read
Content level: Advanced

Unlock the power of Amazon GuardDuty with the new guide on conducting a successful Proof of Concept (PoC). GuardDuty is AWS's intelligent threat detection service that provides managed, centralized security monitoring across your accounts. This comprehensive guide covers key use cases, deployment steps, validation, and integration with other AWS security services. Enhance your security posture and streamline threat response with GuardDuty.


Introduction

The purpose of this document is to help you understand how to approach and effectively execute a proof of concept for Amazon GuardDuty, so that you can determine GuardDuty’s functionality and the value it adds in your environment. The PoC steps enumerated in this document are:

  1. Understand GuardDuty’s functionality
  2. Determine success criteria
  3. Define desired GuardDuty configuration
  4. Prepare for deployment
  5. Deploy GuardDuty
  6. Validate deployment

Understand GuardDuty’s functionality

The following diagram summarizes GuardDuty’s functionality and the context in which it is used:

[Diagram: GuardDuty functionality overview]

To start, you should understand the functions Amazon GuardDuty supports and how it can simplify a security engineer’s work.

There are three primary functions GuardDuty can help you with:

  1. Managed Intelligent threat detection – Amazon GuardDuty gives you intelligent threat detection by collecting, analyzing, and correlating billions of events from AWS CloudTrail, Amazon VPC Flow Logs, and DNS Logs across all of your associated AWS accounts.
  2. Centralized threat detection – Many organizations use multiple AWS accounts to help provide proper cost allocation, agility, and security. With a few clicks in the AWS Management Console, you can centralize your threat detection by enabling Amazon GuardDuty across any of your AWS accounts.
  3. Strengthens security through automation – In addition to detecting threats, Amazon GuardDuty also makes it easy to automate how you respond to these threats, reducing your remediation and recovery time.

There are five primary use cases GuardDuty can help you with:

  1. Improve security operations visibility – Gain insight into compromised credentials, unusual data access in Amazon S3, suspicious logins in Aurora, and API calls from known malicious IP addresses.
  2. Assist analysts in investigations and automate remediation – Receive findings with context, metadata, and impacted resource details. Route findings to AWS Security Hub and Amazon EventBridge.
  3. Protect against ransomware and other types of malware – Initiate scans of your Amazon EBS volumes associated with your Amazon EC2 instances and container workloads to detect the presence of malware, such as backdoor intrusions, cryptocurrency-related activity, and trojans.
  4. Centralize threat detection for AWS container workloads – Remove complexity for security and application teams with a single place to identify, profile, and manage threats to your AWS container environments across Amazon EKS and Amazon ECS - including both instance and serverless container workloads.
  5. More easily meet compliance requirements, like PCI DSS – Demonstrate ability to meet intrusion detection requirements mandated by certain compliance frameworks.

Determine success criteria

First, start by determining your success criteria and the goals you want to achieve with the proof of concept. Establishing success criteria helps ensure the product will help solve the problem(s) you’re facing. Some examples include:

  • Centrally set up and enable GuardDuty across the AWS organization.
  • Create sample findings.
  • Generate your own findings.
  • Create a sample alert for findings.
  • Remediate security issues discovered by GuardDuty.
  • Create a retention period for GuardDuty findings.
  • Estimate GuardDuty cost.

In the next section, we walk you through the configurations required to achieve your chosen success criteria. Before that, consider the specific needs of your organization: do you have full control over creating AWS services that are deployed in the organization? Do you have resources that can dedicate time to implement and test? Is this time convenient for all the relevant stakeholders to evaluate the service?

The timeframe of your PoC will largely depend on the answers to these questions.

Important Note: GuardDuty has a 30-day free trial (per-account and per-region) that you can take advantage of from the time you turn it on. You can get a cost estimate throughout the trial, which is important to consider when configuring your PoC.

GuardDuty PoC configuration steps

After establishing your success criteria, here are the steps to be achieved in this PoC guide:

  1. Select a delegated administrator – Nominate an account as the GuardDuty delegated administrator to manage GuardDuty for your AWS Organization. The Security Reference Architecture recommends using the security tooling account.
  2. Select GuardDuty features – Define the type of additional GuardDuty protections you may need. See the GuardDuty documentation on GuardDuty protection plans.
  3. Generate sample findings – You can generate a sample finding and explore basic operations. See the GuardDuty documentation on Generate sample findings.
  4. Generate your own findings – You can use the Amazon GuardDuty Tester to generate Amazon GuardDuty findings related to real AWS resources.
  5. Create a sample alert – You can set up an automated response with CloudWatch Events that sends notifications to email, Slack, or Amazon Chime through an SNS topic. See the GuardDuty documentation on GuardDuty Findings Alert Notification.
  6. Remediate security issues – You can review and understand finding details, then follow the recommended remediation steps for the different scenarios. See the GuardDuty documentation on Remediating security issues discovered by GuardDuty.
  7. Define finding retention period – Configure automatic export of your findings (see Export findings to an S3 bucket) so you retain records beyond the 90-day findings retention period.
  8. Estimate GuardDuty cost – The GuardDuty console has a usage page where you can verify that GuardDuty cost in your environment is in line with expectations and budgets. See the GuardDuty documentation on Estimating GuardDuty cost and the Amazon GuardDuty pricing page.
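As an added example (not part of this guide or AWS’s own code), here is the EventBridge event pattern a step 5 alert rule would use to forward High and Critical findings to an SNS topic, together with a small local matcher so you can check a captured finding event against the pattern before creating the rule. The account id and finding id are placeholders, and the pattern JSON is assumed to be what you would pass to `aws events put-rule --event-pattern`.

```python
import operator

# EventBridge event pattern selecting GuardDuty findings of severity High (7.0-8.9) and
# Critical (9.0+). Constructed for this example; pass it to `aws events put-rule`.
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
        "<=": operator.le, "=": operator.eq}

def numeric_match(value, spec):
    """Evaluate an EventBridge numeric matcher such as [">=", 4, "<", 7]."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_OPS[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2))

def matches(event, pattern):
    """Subset of EventBridge matching: each pattern key must be present and its
    value must equal one listed literal or satisfy a numeric matcher; nested
    dicts are matched recursively. Keys absent from the pattern are ignored."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not (isinstance(value, dict) and matches(value, allowed)):
                return False
        elif not any(numeric_match(value, o["numeric"]) if isinstance(o, dict)
                     else value == o for o in allowed):
            return False
    return True

def alert_message(event):
    """One-line SNS notification text: finding type, severity, account, region, resource."""
    d = event["detail"]
    return (f"[GuardDuty] {d['type']} severity={d['severity']} account={d['accountId']} "
            f"region={d['region']} resource={d['resource']['resourceType']} id={d['id']}")

# Constructed sample event in the shape EventBridge delivers for a GuardDuty finding
# (placeholder account and finding id; the finding type is a real GuardDuty type).
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {"id": "FINDING-ID-PLACEHOLDER", "accountId": "111111111111",
               "region": "us-east-1", "severity": 8,
               "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
               "resource": {"resourceType": "AccessKey"}},
}
```

Changing the numeric matcher to `[">=", 4, "<", 7]` gives you a Medium-only rule, which is a common second rule routed to a lower-priority channel.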

Prepare for deployment

After deciding your success criteria and your GuardDuty configuration, you should have an idea of your stakeholders, any prerequisites, and a realistic timeframe. In this step, you will want to complete as much as possible before deploying GuardDuty.

  1. Create a project plan and timeline so everyone involved understands what success looks like and what the defined scope and timeline are.
  2. Define all of the relevant stakeholders and consumers of the GuardDuty PoC. Common stakeholders include SOC analysts, incident responders, security engineers, cloud engineers, and others.
  3. Define who will be responsible, accountable, consulted, and informed during the deployment. Ensure team members understand their respective roles.
  4. Ensure you have the proper access in your management account to delegate an administrator. See the GuardDuty documentation on IAM permissions required to designate the delegated administrator for further details.
  5. Complete any other technical prerequisites that need to be accomplished. For example, if you need roles for GuardDuty integration as listed in Identity and Access Management for Amazon GuardDuty, can you work with the team in charge of that process before the PoC?

Deploy GuardDuty

During the deployment step, it’s time to actually deploy GuardDuty in your environment and configure your regions.

  1. Deploy GuardDuty in all supported region(s). GuardDuty is a regional service. See the GuardDuty documentation on Regions and endpoints for the current available options.
  2. Choose between a single-account deployment and a multi-account deployment.
  3. Configure any GuardDuty integrations that are in scope for your PoC.
  4. Configure any automation tools in scope for your PoC.

Validate deployment

During the validation step you will want to confirm that everything is working and evaluate if you met your success criteria.

  1. Centrally set up and enable GuardDuty across the AWS organization – Verify that you are able to assign a delegated administrator account from your AWS organization. This lets you centrally set up and enable GuardDuty across the accounts in your organization.
  2. Create sample findings – Verify that you are able to generate sample findings from the GuardDuty console.
  3. Generate your own findings – Verify that you are able to use the Amazon GuardDuty Tester template script to generate your own findings in the specified account and region.
  4. Create a sample alert for findings – Verify that you can use the GuardDuty Findings Alert Notification to generate a sample alert for GuardDuty findings.
  5. Remediate security issues – Verify that you can follow the guidance in Remediating security issues discovered by GuardDuty for the resource listed under the Resource affected section of a finding.
  6. Create retention period – Verify that you are able to configure automatic export of your findings (see Export findings to an S3 bucket), so you can maintain records past the 90-day findings retention period.
  7. Estimate GuardDuty cost – Verify that you are able to view the average estimated costs based on most recent usage in the GuardDuty console.
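For the retention check in step 6, the following added example (not from this guide or from AWS) reads one exported object from the S3 archive and reports which findings have already passed the 90-day console retention window, plus any records missing fields an analyst needs. It assumes the export is gzip-compressed JSON Lines with one finding per line; the sample finding ids and account are constructed placeholders.

```python
import gzip
import json
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90  # GuardDuty keeps findings for 90 days after their last update

def parse_export(blob):
    """Decode one exported object (assumed gzip-compressed JSON Lines, one finding
    per line) into a list of finding dicts."""
    text = gzip.decompress(blob).decode("utf-8")
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def _ts(s):
    # GuardDuty timestamps look like 2024-01-15T10:30:00.000Z (UTC, millisecond precision)
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def aged_out(findings, now):
    """Ids of findings whose last update is older than the retention window: these
    are no longer visible in the console and survive only in the S3 archive."""
    cutoff = now - timedelta(days=RETENTION_DAYS)
    return [f["id"] for f in findings if _ts(f["updatedAt"]) < cutoff]

def check_records(findings, required=("id", "accountId", "region", "type",
                                      "severity", "updatedAt")):
    """Ids of records missing any field an analyst needs in order to triage them."""
    return [f.get("id", "<no id>") for f in findings if any(k not in f for k in required)]

# Constructed sample export: one finding older than 90 days, one recent, one malformed.
_LINES = [
    {"id": "OLD-PLACEHOLDER", "accountId": "111111111111", "region": "us-east-1",
     "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
     "updatedAt": "2024-01-15T10:30:00.000Z"},
    {"id": "NEW-PLACEHOLDER", "accountId": "111111111111", "region": "us-east-1",
     "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "severity": 8,
     "updatedAt": "2024-05-20T08:00:00.000Z"},
    {"id": "BAD-PLACEHOLDER", "region": "us-east-1",
     "updatedAt": "2024-05-21T00:00:00.000Z"},
]
SAMPLE_BLOB = gzip.compress("\n".join(json.dumps(l) for l in _LINES).encode("utf-8"))
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed reference time for the sample
```

Against a real bucket you would fetch each object under the export prefix and feed its bytes to `parse_export`; an empty `aged_out` result after 90 days of operation means nothing older than the retention window is being preserved.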

Next Steps

Next steps will largely depend on your decision to move forward with GuardDuty.

  1. Final approval from responsible parties and the budget to move forward with GuardDuty.
  2. Expand to other data sources that can help you provide more security outcomes for your business.
  3. Check out Amazon Detective to further investigate security events, AWS Security Hub to have a comprehensive view of your security state in AWS, and see how they fit in.

Further Resources

AWS Labs - Amazon GuardDuty Tester
Amazon GuardDuty User Guide
Amazon GuardDuty Best Practices