Analyzing cloud environment access roles and user behavior requires resources that are in short supply for many organizations. Sophos is excited to transform this time intensive process with new AI-powered analysis of AWS CloudTrail user activity data, integrated with a single Amazon Web Services (AWS) Level 1 Managed Security Service package, validated by AWS.
Managing an explosion of identities
As organizations accelerate IT infrastructure modernization with the help of cloud provider services like AWS, 83% have seen an explosion in the number of identities accessing system resources in the past year, according to the Identity Defined Security Alliance (IDSA).
These roles accessing cloud environment resources can be a significant blind spot for organizations, and as highlighted in the Sophos 2022 Threat Report the root cause of many security incidents is now through insecure user access roles, with the emergence of a new class of criminal now specifically focused on initial access.
Distinguishing between routine and malicious activity
The challenge for IT security teams is in distinguishing between routine, accidental and malicious user activity within AWS accounts. As DevOps practices increase the pace of change within environments as new teams on-board and roles or projects change, the number of one-off actions performed by users can be overwhelming for security teams, and near impossible to connect and analyze as a series of events.
“We’re proud to transform this picture, with new SophosAI models continuously analyzing AWS CloudTrail user logs in Sophos Cloud Optix, the Sophos cloud security posture management solution,” said Scott Barlow, Sophos vice president of global MSP and cloud alliances.
This extension of AWS CloudTrail helps Sophos build a picture of individual user role activity to identify both accidental changes as well as malicious activity from compromised roles. It brings AWS CloudTrail events to life in a clear and detailed timeline view of user activities, identifying high risk anomalies such as actions performed outside of normal working hours as well as those never performed before. Alerting customers in a risk prioritized view of security and compliance incidents across all AWS accounts and providing remediation guidance for security teams to easily address.
“With this update we can dramatically shrink alert totals for security teams and help them focus on investigating high-risk patterns of behavior that could lead to a security incident in a fraction of the time that it took them before,” adds Barlow.
Fig 1. Sophos Cloud Optix, Actions Timeline view helps security teams prevent major incidents early on, where compromised IAM roles are used to gather information to determine if the environment is susceptible. In this scenario anomalies would be raised if the cloud account began receiving increased get, describe, or list operations, such as, DescribeInstances, GetRolePolicy, or ListAccessKeys. These actions can then be investigated, and the compromised role blocked.
Securing access on multiple levels
Adding multifactor authentication to every possible login a user might want to use is also a massively effective preventative tool. As is identifying over-privileged IAM roles and identifying common cloud resource misconfigurations like leaving RDP exposed to the internet.
To tackle these human and non-human resource misconfigurations, security vulnerabilities and network access misconfigurations, Sophos Cloud Optix offers extensive AWS security service integrations including – the new Amazon Inspector, AWS Security Hub, Amazon GuardDuty, AWS CloudTrail, New Amazon Inspector, Amazon Macie, AWS Systems Manager and Patch Manager, AWS Firewall Manager, AWS IAM Access Analyzer, AWS Trusted Advisor and Amazon Detective.
Data from these services is presented in a clear, prioritized view of compliance and security best practice incidents, including CIS benchmarks through the Sophos Central management console, and extended with prevention, detection and response capabilities from Sophos endpoint and workload protection with XDR, Firewall and Managed Threat Response.
“Ease of integration with your existing systems is the true test of great security,” said Barlow. “That’s why we’ve engineered Sophos Cloud Optix to integrate with Amazon Simple Notification Service, security information and event management (SIEM) solutions, widely used collaboration and ticketing services, and more to reduce mean time to resolve incidents.”
Take the weight of cloud security off your shoulders
As an AWS Level 1 Managed Security Service Partner, this connected approach in one management console is crucial for delivering the highest levels of prevention, detection and response across cloud environments.
“As an AWS Level 1 Managed Security Service (MSSP) Competency partner, we know that a proactive defense requires 24/7 monitoring and response, but for a lot of IT teams, large and small, it’s not realistic to keep a team monitoring and responding to security incidents around the clock,” adds Barlow.
This is where The Sophos threat protection, monitoring and response package comes in. Available in AWS Marketplace, the package combines cloud security posture management and compliance integrated with AWS CloudTrail, Amazon GuardDuty and AWS Security Hub, firewall, cloud workload and endpoint protection, and the Sophos Managed Threat Response service to continuously monitor AWS environments, analyze and triage security events. This support helps you increase the efficiency of your security program and internal teams, pre-emptively advising you on recommended next steps and acting on your behalf, if you wish.
To learn more or speak with an expert visit sophos.com/aws-mssp