CLOUDTHREAT FOR AWS 1
DETECTING AND ALERTING ON CYBER ATTACKS IN EC2
As adoption of Amazon Web Services (AWS) surges, the number of critical applications and databases moving to the cloud is increasing dramatically. Servers hosted in AWS become a prime target for hackers seeking access to corporate data and an ideal distribution point for malware that infects the employees and customers who trust your site. In the IaaS model, the responsibility for securing the applications and data on the customer's virtual machines rests with the customer, not the service provider.
OBSERVEIT CLOUDTHREAT FOR AWS
ObserveIT CloudThreat protects Amazon EC2 instances from insider threats and cyber attacks by monitoring user activity to detect and alert on suspicious behavior. ObserveIT for CloudWatch is a lightweight Linux agent that can be easily deployed on any Amazon Linux AMI. It integrates with the CloudWatch web services APIs without the need for any additional management infrastructure, leveraging the native Amazon CloudWatch management, alerting, and notification capabilities.
KEY BENEFITS
REAL-TIME DETECTION OF CYBER ATTACKS
ObserveIT CloudThreat integrates natively into the CloudWatch API, leveraging CloudWatch’s metrics and alerting capabilities. This enables alarms on suspicious activity such as an attempt to log into a server, upload software or run commands as a privileged root user. This is important in protecting against cyber attacks targeting web servers or other services running on AWS.
VISIBILITY INTO ALL PRIVILEGED ACTIVITY
User activity logs provide a detailed record of the actual commands being run during every session. This provides clear visibility into the specific administrative actions being taken, including access to sensitive data, critical system configuration changes, adding/modifying user accounts, etc. The visibility and granularity this provides addresses security and regulatory compliance requirements in ways that syslog cannot approach.
FULL ADMINISTRATIVE ACCESS ACCOUNTABILITY
ObserveIT CloudThreat tracks the original user ID throughout the session, even after the user impersonates or elevates privileges to root. This ensures that administrative accountability is maintained, so that when an incident occurs, the actual person responsible can be held accountable for any improper actions.
UP AND RUNNING IN MINUTES - FULLY INTEGRATED INTO CLOUDWATCH
Ready-to-use alerts for common security events are included in the package. This provides immediate value and can later be extended by the user with any number of additional alerts.
IT’S FREE!
CloudThreat for AWS is a free offering that can be quickly and easily deployed from the Amazon Marketplace.
CAPABILITIES
COMMAND RECORDING
ObserveIT records all commands executed by users. The captured user activity logs are sent to CloudWatch, where they can be viewed in the Amazon console or through the command-line interface (CLI).
CANNED AND CUSTOM ALERTS
Out-of-the-box alarms come preconfigured with ObserveIT CloudThreat for AWS. The following alerts are provided as part of the solution and can be used immediately via the CloudWatch console:
§ Privileged activity – Alert on any activity performed when the effective user is root.
§ Change to user privileged access – Alert when the sudoers file (which grants root permissions to run commands) is edited, as this could enable unauthorized root permissions for the user.
§ Data exfiltration – Alert when a user tries to transmit sensitive data or configuration files from the server via SFTP.
§ User added – Alert any time a local user is created.
§ User added with duplicate ID – Alert when a new user is created with the same ID as an existing user. This opens the door to ambiguity and less reliable accountability.
§ Sudo abused to run su – Alert when a regular user runs a program that opens a root shell using "sudo su". This gives the user full root permissions without knowing the root password.
§ Sudo abused to run shell – Alert when the sudo command is used to interactively open a root shell, which bypasses the sudo controls because the user is no longer limited to specific commands.
§ Setting a program to run as root – Alert when a user tries to change a program into a setuid program, which automatically gives it unlimited permissions and could enable a potential backdoor.
§ Cron job abused to run as root – Alert when the crontab command is used with the -e option to modify cron jobs that will later run with root permissions, enabling a potential backdoor.
§ Custom alerts – Admins may define an unlimited number of metrics and alerts based on user activity log data, enabling comprehensive real-time monitoring of all sensitive data and questionable activities.
Alerts, triggered when the occurrences of defined events exceed pre-set thresholds, are displayed on the CloudWatch console and optionally sent to administrators via email.
In addition to these out-of-the-box alerts, custom alerts can be defined using the CloudWatch interface, without requiring any additional software or services.
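As an added example (not ObserveIT's code and not its log format), the canned alerts listed above and the threshold-based alarm evaluation expressed as detection logic over constructed command records; the record field names, the UID snapshot, the shell list and the rule heuristics are assumptions made here:

```python
import re
import shlex
from collections import Counter

# Constructed record shape: original user, effective user, command (field names assumed).
EXISTING_UIDS = {"0", "1000", "1001"}    # constructed snapshot of UIDs already in /etc/passwd
SHELLS = {"sh", "bash", "dash", "zsh"}

def alerts_for(rec):
    """Return the names of the canned alerts that one command record trips."""
    argv = shlex.split(rec["cmd"]) or [""]               # empty command trips nothing
    prog, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    words = [a for a in args if not a.startswith("-")]  # non-option arguments
    hits = set()
    if rec["euid"] == "root":
        hits.add("privileged_activity")
    if prog == "visudo" or "/etc/sudoers" in args:
        hits.add("sudoers_change")
    if prog == "sftp" and any("/etc/" in a for a in args):  # heuristic: config path in the transfer
        hits.add("data_exfiltration")
    if prog in ("useradd", "adduser"):
        hits.add("user_added")
        uid = next((args[i + 1] for i, a in enumerate(args[:-1]) if a == "-u"), None)
        if "-o" in args or uid in EXISTING_UIDS:        # -o permits a non-unique UID
            hits.add("duplicate_uid")
    if prog == "sudo":
        if words and words[0] == "su":
            hits.add("sudo_su")
        if "-i" in args or "-s" in args or (words and words[0].rsplit("/", 1)[-1] in SHELLS):
            hits.add("sudo_shell")
    if prog == "chmod" and any("+s" in a or re.fullmatch(r"[4-7][0-7]{3}", a) for a in args):
        hits.add("setuid_set")                          # setuid bit requested
    if prog == "crontab" and "-e" in args and (rec["euid"] == "root" or "root" in words):
        hits.add("cron_root_edit")
    return hits

def evaluate(records, thresholds=None):
    """Count hits over a batch; return the alarms whose count reaches their threshold (default 1)."""
    thresholds = thresholds or {}
    counts = Counter(a for r in records for a in alerts_for(r))
    return {a: n for a, n in counts.items() if n >= thresholds.get(a, 1)}

SAMPLE = [  # constructed activity records, not ObserveIT output
    {"user": "alice", "euid": "alice", "cmd": "sudo su"},
    {"user": "alice", "euid": "root", "cmd": "visudo"},
    {"user": "bob", "euid": "root", "cmd": "useradd -o -u 0 backup"},
    {"user": "bob", "euid": "root", "cmd": "chmod 4755 /usr/local/bin/helper"},
    {"user": "bob", "euid": "root", "cmd": "crontab -e"},
]
```

Running `evaluate(SAMPLE, {"privileged_activity": 5})` shows the threshold effect: four root-context commands stay below the alarm threshold while every other rule fires on its first hit.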
PROGRAMMATIC ACCESS
ObserveIT's user activity data is integrated directly into CloudWatch. This enables full programmatic access to the user activity logs and alert configuration through the native Amazon APIs, allowing straightforward integration with third-party monitoring tools.
FAR AHEAD OF SYSLOG
Native syslog auditing is not sufficient for the purposes of cyber attack alerting, user activity logging, regulatory compliance reporting, and ensuring the accountability of administrative actions. ObserveIT fills the void.
ObserveIT | Syslog | Why is this important?
ObserveIT logs the actual commands and arguments. | Syslog only logs logins and application/system events. | Details are needed for forensic investigation and for providing meaningful alerts.
ObserveIT logs the detailed activity even after sudo/su. | Syslog only shows that sudo was used to run bash, but not the actual activity after that. | Shell or root access is highly risky; leaving such a large blind spot unmonitored is very dangerous.
ObserveIT records commands and alerts out-of-the-box. | To log commands, complex DTrace configuration is required, which doesn't scale in production. | Fast time-to-value and reduced overall cost of ownership.
ObserveIT tracks the original user and the effective user performing administrative actions. | Syslog only tracks the effective user and cannot track the original user performing the actions. | Accountability of privileged actions is critical to hold administrators accountable for their actions.
OBSERVEIT CLOUDTHREAT FOR AWS IS FREE
This free ObserveIT offering dramatically increases your ability to monitor administrative activity, close security gaps and improve regulatory compliance. Download CloudThreat for AWS from the Amazon Marketplace or www.ObserveIT.com.