Increasingly, AWS users are leveraging multiple accounts to manage their infrastructure. While doing so is a recommended best practice that enables users to achieve the highest levels of resource and security isolation and to optimize operational costs, it can also increase the amount of time and effort required for effective administration and remediation.
As a remedy to this problem (and “account sprawl” in general), and as a means of providing more granular alerting and actionable data, Threat Stack has built two key functionalities into its Cloud Security Platform®:
- The ability to view multiple AWS accounts from one central location: Our unified view reduces admin time and provides significant convenience because end users no longer need to gather information and alerts from multiple accounts. This means you can focus on business issues and not administration!
- Rulesets that are focused on giving more granular alerting and context to your interactions with the AWS control plane: Our extensive out-of-the-box rulesets give customers increased control plane visibility and more granular tracking of AWS API actions within their accounts, and you still have the flexibility of creating new rules and modifying existing rules (as we have previously documented.)
Read on for more details.
Single View for Multiple AWS Accounts
While multiple accounts are often important for operational and cost reasons, it’s important to be able to manage the data they generate — and in particular, it’s important to be able to view it in a central location that creates a unified view. Monitoring for AWS Control Plane activity across multiple accounts in a unified view enables you to:
- Integrate an unlimited number of AWS accounts and view activity globally across all accounts through one UI and workflow, while leveraging Threat Stack’s out-of-the-box rulesets for unified detection and immediate value without having to define your own policies
- Track behavior across multiple accounts, which is extremely difficult to do in a siloed environment, in order to make adjustments to user or service behaviors in real time
- Make real-time, granular adjustments, either globally or by account, to ensure that the data provided is relevant and actionable, based on your specific desired behaviors, processes, and use cases
- Create a security profile that you define and expand on over time, and not force you to work with one that was defined for you
Threat Stack’s Rule-Based Approach to Threat Detection
Threat Stack’s Cloud Security Platform takes a behavior-based approach to security alerting, governed by pre-built and/or custom rules focused around events that you consider important. These rules are incredibly powerful in that they provide the clarity and transparency about what is being alerted on in the ever-changing world that is AWS. The Cloud Security Platform allows security teams to instantly exclude any unactionable data about the environment, or increase the visibility of data that does matter, something that is fundamentally unavailable in systems that rely on machine learning algorithms. This enables companies to provide immediate input and customization into their security alerts on your time, without the need for a system to “re-learn” your process on its own time.
As an example of how we architect these rules, Threat Stack has significantly expanded the CloudTrail Base Ruleset in its Cloud Security Platform. Not only have we increased the number of out-of-the-box rules from 26 to 87 — we have also provided rules for five additional AWS services (DynamoDB, Elastic Container Service, Elastic Kubernetes Service, Security Token Service, and AWS Support). Threat Stack rules have been developed in response to working with our customers, industry requirements, and external standards such as CIS benchmarks to provide actionable data and immediate value.
And don’t forget — the Cloud Security Platform also gives you the flexibility to tune existing rules and create custom rules based on any event data.
With that additional flexibility, you can customize the pre-built rules to reflect the intricacies of your own environment and services. Customizing these to your unique use cases ensures that you and your team can stay laser focused on what’s most important from a security perspective. Whether it’s specific user behavior, ensuring compliance alignment, or understanding container behavior, it’s crucial to have eyes on what’s most important in your environment without having a massive amount of irrelevant data to bog you down. Your company’s environment is unique, defined by the ever-changing needs of your business — and your security platform should be too.
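To make the rule-based, per-account tuning concrete, here is an added illustration (not Threat Stack's code or ruleset) of how CloudTrail-style rules can be evaluated across several accounts with account-level overrides. The event records, rule names and severity scale are constructed for the example; only the CloudTrail field names (`recipientAccountId`, `eventSource`, `eventName`, `errorCode`, `userIdentity`) are real.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample CloudTrail records from two accounts (not real data).
EVENTS = [
    {"recipientAccountId": "111111111111", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "DeleteTable", "userIdentity": {"userName": "alice"}},
    {"recipientAccountId": "222222222222", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "errorCode": "AccessDenied",
     "userIdentity": {"userName": "bob"}},
    {"recipientAccountId": "222222222222", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "DeleteTable", "userIdentity": {"userName": "ci-deploy"}},
]

@dataclass(frozen=True)
class Rule:
    name: str
    severity: int                  # 1 (low) .. 3 (high); 0 means suppressed
    match: Callable[[dict], bool]  # predicate over one CloudTrail record

# Illustrative base rules (hypothetical; not Threat Stack's shipped ruleset).
BASE_RULES = [
    Rule("dynamodb-table-deleted", 3, lambda e: e["eventSource"] == "dynamodb.amazonaws.com"
         and e["eventName"] == "DeleteTable"),
    Rule("sts-assume-role-denied", 2, lambda e: e["eventSource"] == "sts.amazonaws.com"
         and e["eventName"] == "AssumeRole" and "errorCode" in e),
    Rule("eks-cluster-deleted", 3, lambda e: e["eventSource"] == "eks.amazonaws.com"
         and e["eventName"] == "DeleteCluster"),
]

def evaluate(events, rules, overrides):
    # overrides: {account_id: {rule_name: severity}}; severity 0 suppresses the
    # rule for that account only, so tuning one account never blinds the others.
    alerts = []
    for e in events:
        acct = e["recipientAccountId"]
        for r in rules:
            if not r.match(e):
                continue
            sev = overrides.get(acct, {}).get(r.name, r.severity)
            if sev > 0:
                alerts.append({"account": acct, "rule": r.name, "severity": sev,
                               "user": e["userIdentity"]["userName"]})
    return alerts

# Account 2222... deletes DynamoDB tables routinely from CI, so tune that rule
# off for that account only; the same rule stays high severity in 1111....
OVERRIDES = {"222222222222": {"dynamodb-table-deleted": 0}}
```

Running `evaluate(EVENTS, BASE_RULES, OVERRIDES)` yields two alerts (the DynamoDB deletion in the first account and the denied AssumeRole in the second), while the CI-driven deletion in the second account is tuned out without touching the global rule.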
Final Words . . .
While Threat Stack delivers powerful insights and operational controls out of the box through its comprehensive, ready-to-use rulesets, it also gives you the ability to create new rules and further refine and optimize existing rules to suit the specific requirements of your unique environment (unlike an ML approach that is difficult to adapt and doesn’t know your business and use cases). In addition, the Threat Stack platform provides a single, unified view of multiple accounts that enhances your ability to immediately identify specific areas of risk regardless of their location.
If you’re interested in getting started in cloud security, we invite you to schedule a demo today.
*** This is a Security Bloggers Network syndicated blog from Blog – Threat Stack authored by Stephen Fitzgerald. Read the original post at: https://www.threatstack.com/blog/leveraging-threat-stacks-out-of-the-box-rulesets-and-single-view-for-managing-multiple-aws-accounts