INTEGRATING AWS DATA INTO MICROSOFT SENTINEL
February 26, 2023
5 min read.
Many businesses choose a multi-cloud strategy that incorporates both Microsoft Azure and Amazon Web Services (AWS). This is a valid approach, often driven by mergers, acquisitions, or other business needs. If you’re adopting a multi-cloud approach, it’s important to decide on the location for the ‘source of security truth’.
Without doing this, you may increase your cyber risk which can lead to gaps in detection and response coverage.
ParaFlare has seen a growing trend of adversaries gaining initial access through incorrectly configured AWS accounts, and we have seen sensitive data accessed and exfiltrated as a result. The most common visibility gap is misconfiguration of S3 buckets, which are commonly left publicly exposed, rendering them more vulnerable to compromise. This is almost always centrally logged, but rarely shipped to a SIEM for as-it-happens analysis, detection, and response.
How do you operationalise AWS log sources using Microsoft Sentinel?
A high-performing operational security capability depends on a security architecture that considers one’s environment as a whole.
Within AWS, customers can enable Amazon Guard Duty to receive high-quality alerting about anomalous behavior in that AWS account or organisation. Guard Duty monitors the full breadth of AWS resources such as S3 buckets, container workloads, AWS Identity and Access Management (IAM), EC2 instances, and many more. However, without further integration steps the features of this capability are left waiting for a human to manually log on and check the Guard Duty console.
Guard Duty relies on AWS' pre-built detections for AWS services. For those who run custom workloads, or have unique detection and response requirements, you will need to save these logs to S3 buckets and ship them to your SIEM. This can be done in a number of ways, such as via the native Microsoft S3 Connector or through other integrations. This allows you to centralise logs, correlate events, and conduct threat hunts across a larger pool of data within Sentinel itself. Using this approach, you can then integrate logs from other systems like Azure, M365, Duo, and Okta to develop advanced detections. Log identification, ingestion and correlation is a specialist capability that ParaFlare offers through our Managed Detection and Response services.
What should you consider when integrating AWS data into Sentinel?
Exposed and misconfigured AWS services are the most common risks within any AWS environment. However, coding or human errors can be detected early and mitigated through investigation with adequate visibility through an integrated environment.
ParaFlare always recommends customers choose a single, tightly controlled identity and access management infrastructure. This is not only easier to manage, but easier to defend. We recommend that customers adopting a multi-cloud strategy with AWS integrate your Azure AD identities with AWS IAM. This will enable Microsoft Defender for Cloud Apps to enforce session control, protecting account compromise and data exfiltration and infiltration. It also enables your MDR provider to leverage the excellent AI/ML-driven detections in Sentinel via its Fusion engine.
What are the advantages of moving your AWS data into Sentinel?
Microsoft Sentinel is a scalable, cloud-native solution that delivers intelligent security analytics and threat intelligence across the enterprise. If AWS is in your enterprise, the security data relating to it needs to be in Sentinel.
With Microsoft Sentinel, you get a single solution for attack detection, threat visibility, proactive hunting, and threat response - across all your cloud environments.
For those who operate in highly-regulated environments, shipping your security logs to another platform can make it easier to demonstrate compliance, and also enforce physical separation between teams - ensuring that only those with a need to know can access security related data.
Microsoft Sentinel is your bird's-eye view across the enterprise alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution time frames.
Have a comment? Join the conversation on LinkedIn