ARCHIVED STORY

Supercharge Your Response to Security Incidents With AWS and FireEye Helix

By Christopher Unick · May 27, 2021

Every organization has been tasked with prioritizing a path to utilizing and benefiting from the cloud. Moving to the cloud provides tremendous upsides: agility, elasticity, scalability and resiliency. However, the ownership of securing the cloud is different than what customers historically expected on premise. While cloud providers such as AWS provide their users with a secure environment from which to operate, their tenants are responsible for protecting their own data and workloads. Customers need to understand how this shared responsibility model works, to allow them to respond to security issues in the cloud.

Shared Responsibility Model

Security and compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer’s operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS provided security group firewall. Customers should carefully consider the services they choose as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment.

As shown in the following chart, this differentiation of responsibility is commonly referred to as Security “of” the Cloud versus Security “in” the Cloud. AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. FireEye Helix allows customers the visibility into what they need to secure in AWS, to help ensure they keep up their end of the shared responsibility model.

Reducing Your Response Time

Owning and securing your piece of the cloud is critical to your organization's overall security posture. It is imperative to have visibility into what's happening in the cloud, so you can respond and investigate security incidents. In the latest M-Trends 2021 report, organizations are now detecting incidents in only 24 days—more than twice as fast as 2019. These improvements in detection hold true regardless of the notification source. Global median dwell time for incidents that were detected internally dropped to just 12 days and incidents with external notification sources came in at 73 days. This is very important for customers owning their role in public cloud environments, and FireEye helps customers reduce dwell time and response through their integrations with AWS.

Supercharge Your Visibility

FireEye has created eight integrations with AWS that allow customers to instantly start prioritizing alerts. These integrations allow customers to spend time on what matters; not aggregating, formatting and uploading data. FireEye Helix helps customers reduce their dwell time by seeing across their ecosystem. Our integrations bring together AWS with Helix to provide enhanced insight into malicious activity, unauthorized behavior, threat visibility, and threat hunting in the cloud. Customers of FireEye Helix and AWS gain visibility in mere minutes by ingesting metadata from AWS. This data is then enriched with threat intelligence, evaluated with behavior analysis and machine learning to prioritize those alerts that are most actionable. FireEye Helix provides investigate content and rules against this AWS data, derived from our front-line Mandiant expertise. This allows customers to take control of any incident from detection to response and prioritizes all threats happening across their ecosystem.

• AWS Network Firewall - This allows mutual customers to deploy network security via firewall rules across their Amazon Virtual Private Cloud (Amazon VPC). FireEye Helix provides visibility into the traffic, those requests that were allowed or blocked, and enriches with threat intelligence to help prioritize alerts.
• Amazon VPC Flow Logs - Capture information about the IP traffic going to and from network interfaces in a Amazon VPC. FireEye Helix can alert on malicious traffic and help with threat hunting.
• Amazon CloudWatch - Monitor and capture data and actionable insights about applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. FireEye Helix uses this to understand if operational issues in cloud applications are related to security incidents.
• AWS CloudTrail - Automatically record and store event logs for actions made within an AWS account. With FireEye Helix, this provides a convenient way to search through log data, identify out-of-compliance events and accelerate security incident investigations.
• Amazon GuardDuty -Continuously monitor malicious activity and unauthorized behavior in AWS accounts, workloads, and data stored in Amazon S3. Combined with FireEye Helix, this will be enriched with threat intelligence and prioritized to help teams respond faster.
• AWS Security Hub - Comprehensive view of security alerts and security posture across AWS accounts. Combined with FireEye Helix, this will give customers a holistic view of all third-party tools and alerts, allowing the top security incidents to be focused on first.
• Amazon Route 53 - Capture DNS Firewall information to corollate user requests to infrastructure running in AWS. FireEye Helix can use this information to evaluate the source of these requests and provide risky asset scores when malicious activity is suspected.
• Amazon S3 - An object storage service that offers scalability, data availability, security, and performance. Combined with FireEye Helix, logs from anywhere can be stored and quickly ingested. Integrations can happen in minutes and customers can start responding to security incidents faster.

The following image shows one of many custom dashboards that FireEye Helix provides to help users quickly review all AWS logs and help prioritize alerts. When coupled with our front-line investigative tips, Helix will help teams find, prioritize and respond to alerts even faster.

Owning (and securing) your piece of the cloud is critical to securing your business and your customers. FireEye Helix provides in depth dashboarding across all AWS metrics and leverages FireEye’s deep expertise to highlight risks and help mitigate them. By having visibility into cloud usage and data, organizations will be able to respond to issues faster and help ensure their side of the cloud is secure with AWS and FireEye Helix.

Ready to get started? Connect with us today to see a demo or to learn more. Already using Helix, but not familiar with the latest integrations available? Reach out to your sales engineer to get more information and a walkthrough of how we can help!