AWS Monitoring

The Challenge

Monitoring cloud-based infrastructure for security threats presents challenges that on-premises environments do not. When infrastructure runs in a cloud such as AWS, you have no physical network taps or span ports, no access to the hypervisor, and no host-based visibility into the control plane that creates, changes and destroys your resources. AWS provides two services, CloudTrail and CloudWatch, that collect data about what is happening in and around your environment and can supply the raw material for identifying suspicious activity. The volume of that raw data is large, however, and digging through it by hand to find actionable findings is difficult.

Why Does AWS Monitoring Matter?

AWS infrastructure can include a wide range of assets and data. Elastic Compute Cloud (EC2) instances can host large quantities of data and applications that may be targeted by attackers, and the account itself, with its API keys and IAM identities, is a target in its own right. To secure cloud-based infrastructure it is important to implement security best practices, including continuous security monitoring of both the instances and the AWS API activity around them.

CloudTrail records the API calls made against your AWS account, whether they come from the console, the CLI or an SDK. Each event includes a timestamp, the identity that made the call, the source IP address it came from, and the request parameters, so changes to EC2 instances and security groups, among many other actions, are captured with who made them, from where, and what exactly was changed. This is useful for keeping track of what changes are being made and by whom, and is an important security control. Correlating CloudTrail events with other security information and event data lets organizations spot suspicious changes or activity in the virtual infrastructure, for example a security group being opened to the whole Internet or the audit trail itself being switched off.
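As an added illustration of the kind of detection logic a SIEM applies to CloudTrail data (this is example code written for this page, not EiQ's or SOCVue's), the following Python reads a batch of constructed CloudTrail records and flags two patterns: an AuthorizeSecurityGroupIngress call that opens an administrative port to an address range outside an assumed trusted CIDR list, and calls that tamper with the audit trail (StopLogging, DeleteTrail, UpdateTrail). The sample records, the trusted network 10.0.0.0/8, the user names and the security group ID are all constructed for the example; the field layout follows CloudTrail's JSON event schema.

```python
import json
from collections import Counter
from ipaddress import ip_network

# Constructed CloudTrail records for demonstration (not real events). The field
# layout follows CloudTrail's JSON schema: eventTime, eventSource, eventName,
# sourceIPAddress, userIdentity and requestParameters.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2016-03-01T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2016-03-01T12:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "10.0.0.12",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    {"eventTime": "2016-03-01T12:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}},
    {"eventTime": "2016-03-01T12:09:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.0.12",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": None},
]})

# Assumed policy for this example: address space from which admin access is expected,
# the ports considered administrative, and API calls that weaken audit visibility.
TRUSTED_CIDRS = [ip_network("10.0.0.0/8")]
ADMIN_PORTS = {22, 3389}
TAMPERING_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def _covers_admin_port(perm):
    """True if an ipPermissions entry includes SSH or RDP (or all protocols)."""
    if perm.get("ipProtocol") == "-1":   # "-1" means every protocol and port
        return True
    lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def _untrusted(cidr):
    """True unless the CIDR lies entirely inside a trusted range."""
    net = ip_network(cidr)
    return not any(net.subnet_of(t) for t in TRUSTED_CIDRS)


def find_suspicious(trail_json):
    """Return one finding dict per CloudTrail record that matches a detection rule."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        ident = rec["userIdentity"]
        base = {"eventTime": rec["eventTime"], "eventName": rec["eventName"],
                "user": ident.get("userName", ident.get("type")),
                "sourceIP": rec["sourceIPAddress"]}
        if rec["eventName"] in TAMPERING_CALLS:
            findings.append({**base, "reason": "audit trail tampering"})
            continue
        if rec["eventName"] == "AuthorizeSecurityGroupIngress":
            params = rec.get("requestParameters") or {}
            for perm in params.get("ipPermissions", {}).get("items", []):
                if not _covers_admin_port(perm):
                    continue
                for rng in perm.get("ipRanges", {}).get("items", []):
                    if _untrusted(rng["cidrIp"]):
                        findings.append({**base, "reason":
                                         f"{params.get('groupId')} opens admin port to {rng['cidrIp']}"})
    return findings


def repeat_offenders(findings):
    """Source IPs behind more than one finding: the correlation a SIEM adds over raw events."""
    counts = Counter(f["sourceIP"] for f in findings)
    return {ip for ip, n in counts.items() if n >= 2}


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_TRAIL)
    for h in hits:
        print(f"{h['eventTime']} {h['eventName']:32} {h['user']:12} {h['sourceIP']:16} {h['reason']}")
    print("repeat offenders:", repeat_offenders(hits))
```

Two of the four records are flagged: the security group change that exposes SSH to 0.0.0.0/0 and the StopLogging call seven minutes later, both from the same source address. The 443/tcp change from the trusted range and the read-only DescribeInstances call pass. The correlation step is the point: either event alone is noteworthy, but the same identity opening an admin port and then disabling logging is the sequence an analyst wants surfaced as one alert.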

CloudWatch is AWS's monitoring and logging service. One of the data sources it can store is Virtual Private Cloud (VPC) flow logs, which record metadata about the IP traffic accepted or rejected at the network interfaces in your VPC: source and destination address and port, protocol, packet and byte counts, and whether the security group or network ACL allowed the flow. Flow logs do not capture packet payloads, so they show which hosts are talking to which ports rather than the content exchanged. That is still enough to identify port scans, connections to services that should not be reachable, and traffic from unexpected sources reaching your instances, which makes them a valuable second view alongside the API activity in CloudTrail.
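To show what can be read out of flow log metadata alone, here is an added example (written for this page, not part of EiQ's or SOCVue's product) that parses constructed VPC flow log lines in the default version 2 field order and applies two rules: a source that is rejected on five or more distinct destination ports is reported as a port scan, and an accepted connection to SSH or RDP from outside an assumed RFC 1918 internal range is reported on its own. The sample lines, the interface ID, the addresses and the five-port threshold are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Default VPC flow log (version 2) record format, space separated.
FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()

# Constructed flow log lines (not captured traffic). 198.51.100.7 is a documentation
# address standing in for an Internet host; 10.0.1.20 is an instance in the VPC.
SAMPLE_FLOWS = """\
2 123456789012 eni-0abc1234 198.51.100.7 10.0.1.20 51000 22 6 1 44 1456833600 1456833660 REJECT OK
2 123456789012 eni-0abc1234 198.51.100.7 10.0.1.20 51001 23 6 1 44 1456833600 1456833660 REJECT OK
2 123456789012 eni-0abc1234 198.51.100.7 10.0.1.20 51002 3389 6 1 44 1456833600 1456833660 REJECT OK
2 123456789012 eni-0abc1234 198.51.100.7 10.0.1.20 51003 445 6 1 44 1456833600 1456833660 REJECT OK
2 123456789012 eni-0abc1234 198.51.100.7 10.0.1.20 51004 8080 6 1 44 1456833600 1456833660 REJECT OK
2 123456789012 eni-0abc1234 198.51.100.7 10.0.1.20 51005 22 6 14 1832 1456833660 1456833720 ACCEPT OK
2 123456789012 eni-0abc1234 10.0.1.20 10.0.1.5 42123 443 6 30 6200 1456833600 1456833660 ACCEPT OK
2 123456789012 eni-0abc1234 - - - - - - - 1456833600 1456833660 - NODATA
"""

# Assumed internal address space: RFC 1918. Checked explicitly rather than with
# ipaddress.is_private, which also classes documentation ranges such as
# 198.51.100.0/24 as private and would hide the external source used here.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22, 3389}


def is_internal(addr):
    a = ip_address(addr)
    return any(a in n for n in INTERNAL_NETS)


def parse_flow_logs(text):
    """Parse version 2 flow log lines into dicts; drop NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS):
            continue                      # not a v2 record; ignore
        rec = dict(zip(FLOW_FIELDS, parts))
        if rec["log_status"] != "OK":     # no flow captured in this interval
            continue
        for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records


def detect(text, scan_threshold=5):
    """Return findings: accepted admin-port connections from outside, then port scans."""
    findings = []
    rejected_ports = defaultdict(set)     # srcaddr -> distinct dst ports it was refused on
    for r in parse_flow_logs(text):
        if r["action"] == "REJECT":
            rejected_ports[r["srcaddr"]].add(r["dstport"])
        elif r["action"] == "ACCEPT" and r["dstport"] in ADMIN_PORTS and not is_internal(r["srcaddr"]):
            findings.append(("admin-port-accept", r["srcaddr"], r["dstaddr"], r["dstport"]))
    for src, ports in rejected_ports.items():
        if len(ports) >= scan_threshold:
            findings.append(("port-scan", src, len(ports)))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_FLOWS):
        print(f)
```

On the sample, the external host is refused on five ports and then accepted on 22/tcp one interval later, so both rules fire against the same source. The NODATA line is skipped rather than crashing the integer conversion, a failure mode real flow logs produce regularly. Because flow logs carry no payload, the accepted SSH session tells you only that a connection was allowed, not whether the login succeeded; that is where correlating with the instance's own auth logs, or with CloudTrail for the security group change that allowed it, completes the picture.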

How Does EiQ Help?

SOCVue Security Monitoring has introduced support for AWS CloudTrail and CloudWatch in cloud-based deployments. SOCVue is now able to integrate data provided by CloudTrail and CloudWatch into our log management and SIEM technology, to correlate and alert on the data. This enables customers to save time and reduce the complexity associated with these raw data sources and, instead, focus on actionable information. The AWS details provide a new level of monitoring of the actual API calls being made as well as VPC flow logs, beyond the simple log data the nodes themselves might report. EiQ’s 24/7/365 SOC team will monitor for any anomalous activity and provide alerts with remediation guidance should any be discovered. The data may also be included in reporting for compliance audits or executive review.

We can now see our network activity as a whole with 24x7 eyes and ears notifying us when there is an alert. We also now have a dedicated pool of analysts and engineers from EiQ who are familiar with us and our environment to quickly advise and assist in the case of an emergency.
Jeremy Mio, Security and Research Manager, County of Cuyahoga