After you enable GuardDuty, data from the three sources described earlier is collected and analyzed continuously. The service can analyze tens of billions of events from these sources, correlating them with threat intelligence, and in this way looks for abnormal activity on your account.
If GuardDuty notices anomalous or malicious activity, it assigns the finding a severity of high, medium, or low. This ranking helps you, as the security professional, decide which findings to follow up on and in which order. The findings that GuardDuty produces are delivered simultaneously to Security Hub, your designated S3 bucket, and CloudWatch Events/EventBridge. Delivery to Security Hub assumes that you already have the Security Hub service up and running.
Connecting GuardDuty to Security Hub lets you view and manage findings from GuardDuty alongside those from the other security services that Security Hub can integrate with. Adding a connection to Amazon EventBridge enables near-real-time notifications through the SNS service, especially when a high-severity finding has been discovered. With a deeper understanding of how the GuardDuty service works, you can now move on to the different types of detections it can carry out.
This is what you will explore in the next section.
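As an added example (not part of the original post), here is the EventBridge event pattern that forwards only High-severity GuardDuty findings to an SNS topic target, plus a small evaluator run over constructed sample events so you can see which findings such a rule would notify on. The severity bands follow AWS's documented thresholds; the finding ids and types are placeholders.

```python
# Severity bands GuardDuty uses for its numeric "severity" field
# (AWS documents Low as 1.0-3.9, Medium as 4.0-6.9, High as 7.0-8.9).
SEVERITY_BANDS = (("High", 7.0), ("Medium", 4.0), ("Low", 1.0))

def severity_label(score):
    """Map the numeric severity to the High/Medium/Low ranking GuardDuty reports."""
    return next((label for label, floor in SEVERITY_BANDS if score >= floor), "Unknown")

def high_severity_rule_pattern():
    """EventBridge event pattern that matches only High findings (severity >= 7);
    an SNS topic attached as the rule target delivers the near-real-time notification."""
    return {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"],
            "detail": {"severity": [{"numeric": [">=", 7]}]}}

_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def _alt_matches(alt, value):
    """One alternative from a pattern list: an exact value or a numeric filter."""
    if isinstance(alt, dict) and "numeric" in alt:
        parts = alt["numeric"]  # [op, n, op, n, ...]; every op/n pair must hold
        return isinstance(value, (int, float)) and all(
            _OPS[op](value, n) for op, n in zip(parts[0::2], parts[1::2]))
    return alt == value

def matches_pattern(event, pattern):
    """Evaluate the EventBridge pattern subset used above (exact lists, nested keys, numeric)."""
    for key, cond in pattern.items():
        if key not in event:
            return False
        if isinstance(cond, dict):  # nested object such as "detail"
            if not isinstance(event[key], dict) or not matches_pattern(event[key], cond):
                return False
        elif not any(_alt_matches(alt, event[key]) for alt in cond):
            return False
    return True

# Constructed sample events shaped like GuardDuty findings on EventBridge (placeholder ids and types).
def _finding(fid, ftype, sev):
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"id": fid, "type": ftype, "severity": sev}}

SAMPLE_EVENTS = [_finding("f-1", "EXAMPLE/HighType", 8.0),
                 _finding("f-2", "EXAMPLE/MediumType", 5.0),
                 _finding("f-3", "EXAMPLE/LowType", 2.0),
                 {"source": "aws.s3", "detail-type": "Object Created", "detail": {"id": "not-a-finding", "severity": 9.0}}]

def findings_to_notify(events):
    """Ids of the events the High-severity rule would forward to the SNS target."""
    pattern = high_severity_rule_pattern()
    return [e["detail"]["id"] for e in events if matches_pattern(e, pattern)]
```

The last sample event carries a high severity value but comes from a different source, which is why the rule's `source` filter matters as much as the numeric threshold.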
What GuardDuty Can Detect
From the moment you enable it, Amazon GuardDuty harnesses threat intelligence from various sources. These sources include the following:
• AWS security intelligence
• AWS partners CrowdStrike and Proofpoint
• Customer-provided threat intelligence
Using a combination of this intelligence from the preceding sources allows the GuardDuty service to identify the following types of threats:
• Known malware-infected hosts
• Anonymizing proxies or Tor gateways
• Cryptocurrency mining pools and wallets
• Sites hosting malware and hacker tools
Now that you know what types of detections GuardDuty can help you find, examine the differences between the GuardDuty and Amazon Macie services to prevent confusion, especially as they relate to questions on the AWS Certified Security Specialty exam.
Thant Zin Phyo@Cracky (MCT, MCE, MVP)