Amazon Detective pulls Kubernetes security data into a broader threat detection and CSPM context as IT pros at large orgs seek integrated multi-cloud security workflows.
BOSTON -- As security operations teams struggle with multi-cloud tool sprawl, AWS has deepened the tie-ins between Kubernetes security and broader threat investigation, CSPM and SIEM services that could help consolidate analysis on disparate data sets.
Amazon Detective, a managed threat investigation service first launched in 2020, uses a graphing database to map the relationships between data feeds from AWS cloud logging and monitoring services. These include Amazon GuardDuty, a threat detection service that added support for the Amazon Elastic Kubernetes Service (EKS) in May.
Amazon GuardDuty EKS Protection already alerts Kubernetes security administrators to potential threats within EKS clusters, such as API operations performed by anonymous users. As of an update this week, Amazon Detective now pulls in GuardDuty EKS data, alongside records of login attempts, API calls and network traffic from AWS CloudTrail and Amazon VPC flow logs. Detective can then show whether cloud resources attached to EKS have also been compromised.
"It's agentless and helps secure Kubernetes deployments," said Melinda Marks, senior analyst at Enterprise Strategy Group (ESG), an IT research and advisory firm. "If there is an incident, it helps organizations investigate with EKS activity, API usage, containers, user behavior and pod details."
Both tools' data also rolls up into the AWS Security Hub cloud security posture management (CSPM) tool, which further aggregates and prioritizes security data alerts for a bird's-eye view of the entire cloud deployment. AWS Security Hub can also feed data into third-party partner tools such as Splunk's security information and event management (SIEM) and security orchestration automation and response (SOAR) software or Atlassian's Opsgenie incident response product.
If you think about all of the subscribers to AWS, all of the services, all the EKS subscriptions, the ability to have that kind of baseline when you're doing anomaly detection is really compelling.
Doug CahillSenior analyst, Enterprise Strategy Group
It's a many-layered set of services, but using AWS Security Hub as a kind of clearinghouse for AWS-specific security data before it's fed into multi-cloud tools seems like the most efficient approach, said Fernando Montenegro, senior principal analyst at Omdia.
"That's a pretty scalable way of doing it, rather than having data going straight to Splunk, then Splunk to GuardDuty, and Splunk going straight to PagerDuty, and so on," Montenegro said. "One of the biggest problems in Kubernetes is how to correlate its audit log with other things -- the fact that AWS is adding in those technical details also helps."
In fact, tools like AWS Detective for EKS may be able to glean insights about the cloud infrastructure "under the water line" of its shared responsibility model that no one else can get to, said Doug Cahill, senior analyst at ESG.
"Another thing [to consider] is the volume of what [cloud providers] see, if you think about all of the subscribers to AWS, all of the services, all the EKS subscriptions," Cahill said. "The ability to have that kind of baseline when you're doing anomaly detection is really compelling."
Amazon Detective puts Kubernetes security information into broader context for threat investigation.
Kubernetes defense in depth -- but at a cost
Video conferencing and communications service provider Zoom is an example of the kind of large enterprise that tends to look for such an extensive tool stack. Zoom feeds AWS Security Hub data into third-party SIEM and SOAR tools from Splunk, which give it an overarching picture of its hybrid cloud environment that encompasses the AWS infrastructure, colocated data centers and SaaS apps. The company's security teams mainly rely on Splunk for visibility, but AWS Security Hub is necessary to pipe data into those tools, according to presenters here at AWS re:Inforce this week.
"This is where we use multiple lenses [to view] our cloud," said Vijay Chepuri, engineering manager for security monitoring and logging at Zoom, during the presentation. "CPSM is like having a camera on outside your house, because of the visibility it gives into API calls, specifically targeted for our cloud footprint."
This is in keeping with the concept of Defense in depth, particularly in highly complex Kubernetes security environments. Large enough organizations such as Zoom also have cloud engineers, security engineers and DevSecOps teams using different interfaces within those tooling layers, depending on the depth of information they need.
This segregation of duties might also be advisable from a compliance standpoint in heavily regulated environments, but it runs counter to the principle of collaboration and cross-functional teams under DevSecOps. The plethora of tools available can also lead to confusion and miscommunication between teams about what organizations have in use and how it all fits together, said ESG's Marks.
"This is a big issue in general," she said. "Many AWS tools are overlapping with vendors, but customers don't know about them or how to enable them."
For even midsize organizations, each of the integrated services that comprises the AWS security stack comes at a cost that might not make sense compared with third-party tools that can cover multiple such layers as well as multiple cloud service providers.
For example, AWS GuardDuty for EKS is a prerequisite for Detective for EKS, and in turn ties in with logging services users also must pay for, such as CloudTrail, and audit logs. GuardDuty analysis for these services is priced per million events per month, starting at $1.60 per million Amazon EKS audit logs. Detective pricing starts at $2 per gigabyte of data ingested per account, per region, per month.
For some AWS users, increasing overlap between AWS security and third-party tools means they must continually evaluate what they're using and whether it's the most cost-effective option.
"We already have GuardDuty and Detective, though we're still moving toward Kubernetes and EKS," said one re:Inforce attendee, an IT analyst from a regional insurance provider in the Northeast who requested anonymity because he is not authorized to speak to press. "We also have CrowdStrike, and tend to want a holistic view that's service-agnostic, but it comes down to who makes the better tool and cost -- we routinely have to reassess our vendors each year."
Enterprise Strategy Group is a division of TechTarget.
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.
Dig Deeper on IT systems management and monitoring
