Monitoring your AWS environment for vulnerabilities and threat detection

Managing the security of your Amazon Web Services (AWS) environment requires constant vigilance. Your strategy should include identifying potential threats to your environment and proactively monitoring for vulnerabilities and system weaknesses that malicious actors might exploit. In a complex environment—such as your AWS account with a multitude of services, coupled with various architectures and applications—the ideal solution should be both comprehensive and straightforward.

On this page, we’re going to explore some of the security intelligence services available from Sumo Logic and discuss how they can help you stay ahead of potential threats to your environment. We’ll cover what each service does, how you can make the most of it, and where to find more information. Finally, we’ll introduce you to some of the security dashboards Sumo Logic provides for its users. Security dashboards provide an easy way to observe the health and security of all your systems and provide your security teams with real-time data they can use to make critical business and security decisions.

Getting started with Sumo Logic

If you’re new to Sumo Logic, you should know that it’s a platform that extends beyond security management and threat intelligence services. Sumo Logic supports cloud monitoring and log management as well. The platform provides a centralized platform that can aggregate data from multiple sources. It provides tools and dashboards to view and analyze data and provide users with a holistic view of their entire cloud ecosystem.

If you’re interested to see how Sumo Logic can help you monitor, troubleshoot, and secure your cloud environment, check out a 30-day free trial.

Let’s explore some of the sources you can integrate with your Sumo Logic account, as well as how to connect and begin gathering data from those sources for AWS monitoring.

Bringing cloud metrics into Sumo Logic

Connecting your AWS account data

At the time of writing, Sumo Logic supports integrations with over thirty of Amazon’s most popular AWS services. Most of these services are connected to Sumo Logic using a hosted collector. Typically this involves creating a new role within your AWS account, using AWS Identity and Access Management (IAM) with read-only permissions to the services from which you need to collect data. The Sumo Logic documentation includes step-by-step instructions and even CloudFormation templates to ensure this process is as straightforward as possible.

Once the process is complete, the relevant AWS data will be available as a source within your Sumo Logic account. The next step is to install the appropriate app and connect it to the data source. You’ll immediately have access to a variety of preconfigured, handy dashboards that you can use to view data, troubleshoot problems, and identify anomalies.

Collecting machine metrics

In addition to AWS services, your AWS environment might also include a variety of virtual machines and containers. Sumo Logic uses installed collectors to gather such metrics as network activity, CPU usage, memory usage, and storage access. Sumo Logic supports these collectors on Windows, Linux, and Docker, among other systems.

You can manually install the collector. In dynamic and scalable environments, including the collector as part of your base image ensures that all new machines and containers can report their metrics to your Sumo Logic account. As with the AWS data sources above, once configured, you’ll have access to the metrics from a data source within your Sumo Logic account, following which you can install the relevant App and immediately view your data through a variety of preconfigured dashboards.

Gathering application data

Last, but by no means least, are your applications. Most cloud applications execute with a web server environment. Some of the more popular servers include Apache, Tomcat, and various flavors of NGINX. You can find a listing of all supported web servers here.

Web servers typically support log management and metric reporting as core functionality. You can add the appropriate configuration to direct those logs and metrics to your Sumo Logic account, referencing the Sumo Logic documentation.

Once you have configured the web server as a data source, this data too will become available as a source within your Sumo Logic account. Many of the existing security applications and dashboards within Sumo Logic will aggregate this data with other data points from your environment and give you a well-rounded view of the state of security within your environment.

Connecting your security tools to Sumo Logic

Sumo Logic provides integrations with many of the most popular and advanced security monitoring tools around. From Akamai Security Events and Barracuda WAF to Carbon Black, Twistlock, and Zscaler. You can find a complete list of supported security and threat detection products and platforms that you can connect to Sumo Logic. Each product includes comprehensive instructions on collecting logs and events and installing the respective App and associated dashboards in your Sumo Logic account.

Now that we have our metrics and data sources from our cloud environment and our security tools, we can take a deep dive into several of the security and threat detection dashboards available within your Sumo Logic account.

CrowdStrike Threat Intelligence

This app correlates threat intelligence data from CrowdStrike with log data from your environment to detect and mitigate threats to your environment. The CrowdStrike Falcon platform is an industry-leading security platform that actively monitors your cloud environment for threats and automatically mitigates most malicious attempts to infiltrate your system. The Sumo Logic Threat Intel Quick Analysis App is especially adept at protecting your environment against sophisticated and persistent cyber-attacks.

The Threat Intel App specifically queries IP, URL, domain, Hash 256, and email logs together with CrowdStrike data from your environment. As this dataset can grow significantly, it’s essential to optimize the default queries to filter out unnecessary records and focus on the most critical areas of your environment. An optimization page describes these optimizations and provides clear examples of optimizing the queries based on your environment.

The app has six preconfigured dashboards that provide graphics information and count for the number of recent threats (within a 15-minute window), threat trends over time, and the type and source of threats detected. The dashboard shown below describes threats related to malicious IP addresses, including where the threat originated, the confidence of a hostile threat, and the trend in types of threat over time.

The dashboards available include:

• Overview: Consolidated threat counts from each of the threat areas the app monitors.

• Domain: Threats originating from malicious domains, including actors and sources.

• Email: Emails received from known bad actors and domains and trends over time.

• IP: Shown in the dashboard above. Source, types, and confidence of IP threats.

• URL: Threats from URLs identified as individuals, groups, or nation-states.

• Hash 256: Sources of threats involving cryptographic-related attempts by type and source.

By combining data from multiple sources, the Sumo Logic dashboards can present a holistic view of your AWS ecosystem, helping to protect your applications and email system while keeping you informed.

AWS CloudTrail insights

Within your AWS account, you have access to the CloudTrail service. CloudTrail records interactions with the AWS APIs, delivering audit capabilities to comply with various regulations and provide insights into activities that indicate potential security risks. As with many AWS services, CloudTrail is comprehensive, versatile, and rich in available data. When combined with the Sumo Logic CloudTrail App, you can visualize the data and create alerts and mitigation strategies.

The Sumo Logic CloudTrail App requires that you have CloudTrail enabled on your account. It gathers data through an IAM role that grants read-only access to the CloudTrail data. Once you’ve enabled the App on your account, you’ll have access to various dashboards, including the account overview, shown below.

Additional dashboards provide insights into:

• User Monitoring: User location, top 10 actions by users, and recent launch and terminated instances.

• Network & Security: Authorization failures, security events, short-lived critical actions, and ingress/egress concerns.

• Operations: Actions by user for the past hour, recent regional events, Elastic IP, and resource creation and deletion events.

• Console Logins: User activity relating to the AWS console, including outliers, failed logins, and logins without MFA.

The App also provides insights into public S3 objects and buckets.

AWS GuardDuty

Much like CloudTrail, AWS GuardDuty is an AWS service that monitors your AWS account and environment for malicious activity. GuardDuty works with CloudTrail logs to prevent unauthorized activity and improve your ability to monitor and investigate security incidents.

As with CloudTrail, you can install the GuardDuty App on your Sumo Logic account. Providing access to the GuardDuty data in your AWS account will enhance your ability to monitor and observe the state of security within your account. The GuardDuty dashboards present intuitive insights into security threats and their severity.

• Overview: Shown below, this includes a map and threat details by severity, IP, region, and resource type.

• CloudTrail: Details of CloudTrail threats in the past 24 hours, including trends and actions are taken.

• GuardDuty: Threats identified by GuardDuty by region, severity, resource type, and security group, among others.

• VPCs, Subnets, Security Group Details: Threats affecting your VPC, subnets, and security groups over the past 24 hours.

Cloud SIEM

For Enterprises with more sophisticated needs, Sumo Logic Cloud SIEM, a cloud-native system designed to support the security needs of single-cloud, multi-cloud and hybrid environments is available. Cloud SIEM from Sumo Logic is a Security Operations Center (SOC) platform to protect your enterprise from current and future threats.

You can use Cloud SIEM from Sumo Logic to secure AWS, your SaaS apps, infrastructure, and Kubernetes environments from a central control plane. You can even schedule a demo with a Sumo Logic expert to help you uncover all the ways that partnering with Sumo Logic can help you better secure your organization now and in the future.

Learning more

If you’d like to know more about how Sumo Logic can help your organization monitor, troubleshoot, and secure your cloud environment, please reach out to their responsive support team and a thriving community of enthusiasts. As mentioned above, you can also take advantage of a 30-day free trial test drive of each of the apps, dashboards, and features listed above.