Monitoring | Fluid Attacks Help

Monitoring

General

For the general monitoring process we use several tools and services that keep us aware of issues in our stack.

  1. We monitor AWS infrastructure with CloudWatch.

Fluid Attacks AWS infrastructure with CloudWatch

  2. For management purposes on AWS accounts, we register the events related to them using CloudTrail.

Fluid Attacks use of CloudTrail

  3. With VPC Flow Logs we capture inbound and outbound IP traffic information from the network interfaces in our VPC.

Fluid Attacks use of VPC Flow Logs

  4. BugSnag is the tool we use for error monitoring, tracking and alerting.

Fluid Attacks use of BugSnag
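As an added illustration of what the VPC Flow Logs item above gives a defender (this is example code, not Fluid Attacks' tooling), the script below parses records in the default Flow Log format and flags two patterns: rejected connection attempts spread over several ports and large transfers leaving the VPC. The sample records and the assumed "10." VPC prefix are constructed.

```python
"""Parse AWS VPC Flow Log records (default format) and flag two things a
defender looks for: rejected connection attempts spread over several ports
(a scanning pattern) and large outbound transfers to addresses outside the VPC.
Added example, not Fluid Attacks' code; the sample records are constructed."""
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not real traffic); the last one is a NODATA line.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51123 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51124 23 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51125 3389 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 198.51.100.9 44321 443 6 12000 900000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.21 10.0.1.20 44322 443 6 10 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse(text):
    """Yield a dict per usable record; NODATA/SKIPDATA lines dropped, numbers as int."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        yield rec

def rejected_port_probes(records, min_ports=3):
    """(src, dst) pairs whose REJECTed flows hit at least min_ports distinct
    destination ports, with the ports touched."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}

def large_egress(records, vpc_prefix="10.", threshold_bytes=100_000_000):
    """Bytes sent per internal source to destinations outside the VPC, above a
    threshold. The '10.' prefix is an assumed VPC CIDR for the sample data."""
    out = defaultdict(int)
    for r in records:
        if r["srcaddr"].startswith(vpc_prefix) and not r["dstaddr"].startswith(vpc_prefix):
            out[r["srcaddr"]] += r["bytes"]
    return {src: b for src, b in out.items() if b >= threshold_bytes}
```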

Threat Detection

For threat detection purposes, we adopted Amazon GuardDuty. It continuously monitors for malicious activity and unauthorized behavior to protect AWS accounts, Amazon Elastic Compute Cloud (EC2) workloads, container applications, and data stored in Amazon Simple Storage Service (S3).

GuardDuty uses machine learning, anomaly detection, network monitoring, and malicious file discovery for threat and intrusion detection tasks.

Fluid Attacks use of Amazon GuardDuty

It is capable of analyzing tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon Virtual Private Cloud (VPC) Flow Logs, Amazon Elastic Kubernetes Service (EKS) audit and system-level logs, and DNS query logs.


S3 Protection

S3 protection is a feature offered by Amazon GuardDuty that enhances the monitoring capabilities for data stored in Amazon S3 buckets. By default, GuardDuty monitors bucket-level API operations related to S3 resources. However, with S3 protection enabled, GuardDuty expands its monitoring to include object-level API operations within S3 buckets. This means it can detect suspicious or potentially malicious activities at a more granular level.


Fluid Attacks use of S3 Protection in Amazon GuardDuty

EKS Protection

EKS Protection in Amazon GuardDuty offers threat detection coverage for Amazon Elastic Kubernetes Service (Amazon EKS) clusters in your AWS environment. It includes two key components: EKS Audit Log Monitoring and EKS Runtime Monitoring.

EKS Audit Log Monitoring focuses on detecting suspicious activities within EKS clusters by analyzing Kubernetes audit logs. These logs capture a sequential record of actions performed by users, applications using the Kubernetes API, and the control plane.

On the other hand, EKS Runtime Monitoring provides real-time threat detection for Amazon EKS nodes and containers in your AWS environment. By leveraging the Amazon EKS add-on GuardDuty security agent, it monitors and analyzes runtime events within your EKS clusters, helping to identify potential security threats.

By configuring your accounts with both EKS Audit Log Monitoring and EKS Runtime Monitoring, you can achieve comprehensive EKS Protection. This setup enables monitoring at the cluster control plane level and extends down to the individual pod or container operating system level, providing optimal security coverage for your EKS environment.


Fluid Attacks use of EKS protection

Malware Protection

Malware Protection in Amazon GuardDuty is a feature designed to identify potential malware presence in Amazon EC2 instances and container workloads within your AWS account. It performs scans on the Amazon Elastic Block Store (EBS) volumes attached to these instances or workloads.


There are two types of scans offered by Malware Protection:

  1. GuardDuty-initiated malware scan: This scan is initiated by GuardDuty on a periodic basis. It automatically scans the EBS volumes associated with your EC2 instances and container workloads to detect any signs of malware.
  2. On-demand malware scan: With this option, you can manually trigger a malware scan for specific EBS volumes. It allows you to initiate a scan whenever needed, providing flexibility in scanning resources on-demand.

By leveraging these scanning capabilities, Malware Protection helps you proactively detect the potential presence of malware in your EC2 instances and container workloads. For more detailed information about the differences between these scan types, you can refer to the GuardDuty Malware Protection documentation.


Fluid Attacks use of Malware Protection

AWS GuardDuty Summary

While GuardDuty generates detailed findings and insights based on the last 10,000 events, it does not directly generate predefined reports summarizing these findings. However, by analyzing the generated findings, you can gain valuable insights into common attack vectors, suspicious user behavior, unauthorized access attempts, data exfiltration attempts, malicious IP addresses, vulnerable EC2 instances, anomalous network traffic, cryptocurrency mining activity, suspicious DNS activity, and policy violations. Regularly reviewing and addressing these findings enables you to proactively strengthen your security measures and protect your AWS resources against potential threats and attacks.


Fluid Attacks use of AWS GuardDuty Summary
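Since GuardDuty produces findings but no predefined summary report, the added example below (not Fluid Attacks' code) shows one way to build that summary yourself: it parses the finding type string, counts findings by threat purpose, resource type and severity band, and lists what to triage first. The findings are constructed in the shape of the GetFindings API output, with only the fields used here.

```python
"""Summarize GuardDuty findings: parse the finding type string
(ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact),
count by threat purpose, resource and severity band, and list what to triage
first. Added example, not Fluid Attacks' code; the findings are constructed."""
import re
from collections import Counter

TYPE_RE = re.compile(r"^(?P<purpose>[^:]+):(?P<resource>[^/]+)/(?P<family>[^.!]+)"
                     r"(?:\.(?P<mechanism>[^!]+))?(?:!(?P<artifact>.+))?$")

# Constructed sample findings (only the fields used here).
FINDINGS = [
    {"Id": "f1", "Severity": 8.0, "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS"},
    {"Id": "f2", "Severity": 5.0, "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS"},
    {"Id": "f3", "Severity": 2.0, "Type": "Recon:EC2/PortProbeUnprotectedPort"},
    {"Id": "f4", "Severity": 5.0, "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS"},
]

def parse_type(finding_type):
    """Split a finding type into its named components (None where absent)."""
    m = TYPE_RE.match(finding_type)
    if not m:
        raise ValueError(f"unrecognised finding type: {finding_type}")
    return m.groupdict()

def severity_label(score):
    """GuardDuty bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0+."""
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium")):
        if score >= floor:
            return label
    return "Low"

def summarize(findings):
    """Counts per threat purpose, affected resource type and severity band."""
    purpose, resource, severity = Counter(), Counter(), Counter()
    for f in findings:
        t = parse_type(f["Type"])
        purpose[t["purpose"]] += 1
        resource[t["resource"]] += 1
        severity[severity_label(f["Severity"])] += 1
    return {"purpose": dict(purpose), "resource": dict(resource),
            "severity": dict(severity)}

def triage_first(findings, min_severity=7.0):
    """Finding IDs at or above min_severity, highest severity first."""
    hot = [f for f in findings if f["Severity"] >= min_severity]
    return [f["Id"] for f in sorted(hot, key=lambda f: -f["Severity"])]
```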

AWS Inspector

Amazon Inspector is a comprehensive automated security assessment service designed to evaluate AWS workloads for software vulnerabilities and potential unintended network exposure. This tool assists Fluid Attacks in identifying and resolving security issues within the AWS environment, covering areas such as EC2 instances, container images, and Lambda functions.

Fluid Attacks use of AWS Inspector

The AWS Inspector alert review process is managed by Fluid Attacks' engineering team. Each critical patch identified thanks to this service must be installed within 30 days.

Datadog Overview

Log Management

datadog log management

Datadog Log Management enables us to collect, monitor, manage, and analyze large volumes of logs and to unify them with metrics and traces. The platform provides comprehensive log analytics with several key functionalities:

Advanced Log Analytics and Search

  1. Logs usually carry extra contextual information; by adding custom facets as we need them, we can quickly break the data down along new dimensions and find issues
  2. Real-time log exploration through the Log Explorer interface
  3. Full-text search capabilities across all ingested logs
  4. Custom filtering and faceting for dimensional analysis

Log-to-Metric and Trace Correlation

  1. We correlate logs and metrics to gain context on an issue and follow it across our services
  2. Correlation between Datadog APM and Datadog Log Management is improved by injecting trace IDs, span IDs, env, service, and version as attributes in logs
  3. Datadog automatically brings together all the logs for a given request and links them to the tracing data from that same request
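The added example below (not Fluid Attacks' or Datadog's code) shows the mechanism behind items 2 and 3 above: each log line is emitted as JSON carrying the trace and span IDs plus env, service and version under Datadog's reserved attribute names, so all logs for one request can be grouped by trace ID. In a real service ddtrace injects these attributes itself; the context-variable span holder, service tags and request handler here are constructed stand-ins.

```python
"""Show the mechanism behind log/trace correlation: each log line carries the
trace and span IDs plus env, service and version under Datadog's reserved
attribute names, so all logs of one request can be pulled together by trace ID.
Added example, not Fluid Attacks' or Datadog's code; the span holder is a stand-in."""
import io
import json
import logging
from collections import defaultdict
from contextvars import ContextVar

SERVICE_TAGS = {"dd.env": "prod", "dd.service": "checkout", "dd.version": "1.4.2"}  # constructed
_active_span = ContextVar("active_span", default=None)  # (trace_id, span_id) or None

class DatadogJsonFormatter(logging.Formatter):
    """Emit JSON logs with the attributes Datadog uses to link logs to APM traces."""
    def format(self, record):
        doc = {"message": record.getMessage(), "status": record.levelname.lower(), **SERVICE_TAGS}
        span = _active_span.get()
        if span:
            doc["dd.trace_id"], doc["dd.span_id"] = span
        return json.dumps(doc)

def handle_request(trace_id, span_id, log):
    """Stand-in request handler: activate a span, log under it, deactivate it."""
    token = _active_span.set((trace_id, span_id))
    try:
        log.info("request started")
        log.warning("inventory lookup slow")
    finally:
        _active_span.reset(token)

def run_demo():
    """Serve two 'requests' with an unrelated log line between; return parsed docs."""
    log = logging.getLogger("demo.checkout")
    log.handlers.clear()
    log.setLevel(logging.INFO)
    handler = logging.StreamHandler(io.StringIO())
    handler.setFormatter(DatadogJsonFormatter())
    log.addHandler(handler)
    handle_request("11111111111111111111", "2222222222222222222", log)
    log.info("no active request")
    handle_request("33333333333333333333", "4444444444444444444", log)
    return [json.loads(line) for line in handler.stream.getvalue().splitlines()]

def logs_by_trace(docs):
    """Group messages by dd.trace_id, the pivot Datadog uses from a trace to its logs."""
    groups = defaultdict(list)
    for doc in docs:
        groups[doc.get("dd.trace_id", "<no trace>")].append(doc["message"])
    return dict(groups)
```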
Distributed Tracing Capabilities

datadog apm

  1. End-to-End Request Tracking: Datadog APM (Application Performance Monitoring) provides complete visibility into distributed transactions across microservices and cloud infrastructure
  2. Performance Analysis: Identify bottlenecks, latency issues, and performance degradation with detailed trace analytics
  3. Service Dependencies Mapping: Automatically discover and visualize service-to-service communications and dependencies
  4. Error Tracking and Root Cause Analysis: Link errors in traces directly to corresponding logs and metrics for faster troubleshooting
  5. Trace Search and Analytics: Query and analyze traces using tags, facets, and custom attributes for deep performance insights
  6. Integration with Logs and Metrics: Seamlessly pivot between traces, logs, and metrics to understand the full context of application behavior

Cloud SIEM capabilities

datadog cloud siem
  1. Machine learning-powered threat detection with continuous analysis
  2. Integration with the MITRE ATT&CK framework for comprehensive threat coverage
  3. Real-time correlation of security events across multiple data sources
  4. Automated alert generation based on predefined and custom security rules
  5. Centralized security event management and incident response
  6. Integration with existing security tools
  7. Comprehensive audit trail and compliance reporting capabilities

Integration Benefits: Enhanced Audit Log Capabilities

Endpoints
The Endpoint integration allows you to send MDM Audit Logs to Datadog, providing:
  1. Mobile Device Management: Comprehensive audit trails for device configuration changes
  2. Security Policy Enforcement: Real-time monitoring of security policy violations
  3. User Activity Tracking: Detailed logs of user interactions with managed devices
Collaboration
Datadog's Google Workspace Integration gives us the ability to:
  1. Identity and Access Management: Monitor user authentication, authorization, and access patterns
  2. Administrative Actions: Track configuration changes, user management, and policy modifications
  3. Data Loss Prevention: Audit file sharing, downloads, and sensitive data access
Cloud Audit
Datadog's Amazon Web Services integration collects logs, events, and most metrics from CloudWatch for several AWS services, delivering:
  1. Infrastructure Security: Monitor AWS resource configurations and access patterns
  2. Service Activity Tracking: Comprehensive audit logs for all AWS service interactions
  3. Cost and Resource Optimization: Detailed usage analytics and anomaly detection
  4. Multi-Account Visibility: Centralized monitoring across multiple AWS accounts
  5. Automated Compliance: Built-in compliance frameworks for various industry standards
Authentication
Datadog's Okta integration provides comprehensive visibility into identity and access management activities:
  1. Authentication Monitoring: Track all user authentication attempts, successful logins, failed attempts, and suspicious authentication patterns
  2. User Lifecycle Management: Monitor user provisioning, deprovisioning, role changes, and group membership modifications
  3. Multi-Factor Authentication (MFA) Tracking: Audit MFA enrollment, usage, and bypass events for security compliance
  4. Single Sign-On (SSO) Analytics: Analyze SSO activity across integrated applications and identify access patterns
  5. Policy and Configuration Changes: Track administrative changes to authentication policies, password policies, and security settings
  6. Privileged Access Monitoring: Enhanced visibility into administrative actions and privileged user behavior
  7. Anomaly Detection: Identify unusual login patterns, impossible travel scenarios, and potential account compromise
  8. Real-Time Alerting: Automated notifications for critical security events such as account lockouts, admin privilege escalation, and policy violations
Network
Datadog's Cloudflare integration lets us monitor Cloudflare web traffic, DNS queries, security threats, and more:
  1. Web Traffic Analysis: Detailed insights into web application performance and security
  2. DNS Security Monitoring: Real-time analysis of DNS queries and potential threats
  3. DDoS Protection Analytics: Comprehensive attack pattern analysis and mitigation tracking
  4. Zero Trust Integration: Datadog's out-of-the-box log processing pipeline automatically parses and normalizes Cloudflare Zero Trust logs
  5. Content Delivery Network Monitoring: Performance and security analytics for CDN operations