CloudGuard Intelligence & Threat Hunting

Transform your Logs into Actionable Security Logic

By the CloudGuard Research team

Many companies shifting to the cloud still rely on traditional SIEM solutions and analytics tools to understand cloud logs, activities, and threats. Analyzing cloud data, however, is not easy: existing solutions provide only limited visibility and lack the context needed to shed light on malicious cloud activity.

CloudGuard Intelligence and Threat Hunting provides native threat protection and security analytics for the public cloud.

CloudGuard visualization of an AWS account’s activity traffic

CloudGuard is a cross-cloud-provider solution that gives customers visibility into every data flow and audit log in today's elastic cloud environments. Its analysis rests on two main information pillars: the account's round-the-clock activity (API calls and user actions) and the environment's network connections. CloudGuard combines cloud inventory and configuration information with real-time monitoring data from a variety of sources, as well as current threat intelligence feeds, IP reputation, and geolocation databases. The result is an enhanced visualization that distinguishes suspicious traffic from legitimate traffic. Intrusion detection, alerting, and investigation capabilities are all part of the solution.

Account’s activity

CloudGuard analyzes the cloud account's event history in detail, including actions taken through the console, SDKs, command-line tools, and other cloud services.

CloudGuard's model breaks each cloud activity record down into four categories for investigation:

1. Event – The Event contains information on the executed action.

For example, when the event name is 'CreateBucket', the Event contains the bucket name, the date and time, and so on.

2. Identity – The Identity represents the entity that performed the action.

This can be a user, a cloud service (EC2/VM, Lambda/Function, etc.), or any other actor with permissions to access the account.

3. Target – The Target represents the entity on which the action was executed.

In the 'CreateBucket' example, the target is S3.

4. Issuer – The Issuer falls into one of three categories: 'Role', 'AccessKey', or 'Console'.

Each category represents the way the Identity gained the permissions used to access the cloud account.
The Issuer carries an Issuer.token attribute, which CloudGuard tracks and follows across events in order to enhance the investigation process.
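To make the four-category model concrete, the following Python is an added example and not CloudGuard's own code. It maps constructed CloudTrail-style records (the field names follow the public CloudTrail record format: eventName, eventSource, userAgent, userIdentity.type, userIdentity.accessKeyId, sessionContext.sessionIssuer, requestParameters) onto Event, Identity, Target and Issuer. The rules that decide between Role, AccessKey and Console, the use of the session's access key ID as the Issuer.token, and the sample records themselves are assumptions made for the example.

```python
"""Map CloudTrail-style records onto the Event / Identity / Target / Issuer model.

Added example. The record layout follows the public CloudTrail format; the
classification rules and the Issuer.token grouping are assumptions made here.
"""
from collections import defaultdict


def rec(time, name, source, agent, identity, params):
    """Build a minimal CloudTrail-like record (constructed sample data)."""
    return {"eventTime": time, "eventName": name, "eventSource": source,
            "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
            "userAgent": agent, "userIdentity": identity, "requestParameters": params}


# Constructed identities (not real accounts). ASIA... keys are temporary
# session credentials, AKIA... keys are long-term IAM user access keys.
ROLE_SESSION = {
    "type": "AssumedRole", "principalId": "AROAEXAMPLE:deploy",
    "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/deploy",
    "accessKeyId": "ASIAEXAMPLE111",
    "sessionContext": {"sessionIssuer": {
        "type": "Role", "arn": "arn:aws:iam::123456789012:role/DeployRole"}},
}
ALICE_CONSOLE = {"type": "IAMUser", "principalId": "AIDAEXAMPLEALICE",
                 "arn": "arn:aws:iam::123456789012:user/alice",
                 "accessKeyId": "ASIAEXAMPLE222"}
BOB_KEY = {"type": "IAMUser", "principalId": "AIDAEXAMPLEBOB",
           "arn": "arn:aws:iam::123456789012:user/bob",
           "accessKeyId": "AKIAEXAMPLE333"}

# Constructed event stream, in time order.
RECORDS = [
    rec("2023-05-01T10:00:00Z", "CreateBucket", "s3.amazonaws.com",
        "aws-cli/2.11.0", ROLE_SESSION, {"bucketName": "prod-logs"}),
    rec("2023-05-01T10:02:00Z", "PutBucketPolicy", "s3.amazonaws.com",
        "aws-cli/2.11.0", ROLE_SESSION, {"bucketName": "prod-logs"}),
    rec("2023-05-01T10:05:00Z", "CreateUser", "iam.amazonaws.com",
        "console.amazonaws.com", ALICE_CONSOLE, {"userName": "backup-svc"}),
    rec("2023-05-01T10:09:00Z", "RunInstances", "ec2.amazonaws.com",
        "aws-cli/2.11.0", BOB_KEY, {"instanceType": "p3.16xlarge"}),
]

CONSOLE_AGENTS = ("console.amazonaws.com", "signin.amazonaws.com", "AWS Internal")
SERVICE_NAMES = {"s3.amazonaws.com": "S3", "ec2.amazonaws.com": "EC2",
                 "iam.amazonaws.com": "IAM", "lambda.amazonaws.com": "Lambda",
                 "signin.amazonaws.com": "Console sign-in"}
# requestParameters keys that name the concrete resource acted on (assumption).
RESOURCE_KEYS = ("bucketName", "userName", "roleName", "functionName", "instanceType")


def classify_issuer(record):
    """Return (category, token): how the Identity obtained its permissions.

    Assumed rules: an assumed-role session is 'Role'; a console user agent or
    a sign-in event is 'Console'; anything else used a long-term 'AccessKey'.
    The token is the credential the session ran under (the access key ID).
    """
    ident = record["userIdentity"]
    key = ident.get("accessKeyId", "")
    agent = record.get("userAgent", "")
    if ident.get("type") == "AssumedRole":
        issuer_arn = ident["sessionContext"]["sessionIssuer"]["arn"]
        return "Role", key or issuer_arn
    if record["eventSource"] == "signin.amazonaws.com" or any(a in agent for a in CONSOLE_AGENTS):
        return "Console", key or ident.get("principalId", "")
    return "AccessKey", key


def parse_record(record):
    """Split one record into the four investigation categories."""
    ident = record["userIdentity"]
    category, token = classify_issuer(record)
    params = record.get("requestParameters") or {}
    resource = next((params[k] for k in RESOURCE_KEYS if k in params), None)
    return {
        "event": {"name": record["eventName"], "time": record["eventTime"],
                  "region": record["awsRegion"], "source_ip": record["sourceIPAddress"]},
        "identity": {"type": ident.get("type"), "arn": ident.get("arn")},
        "target": {"service": SERVICE_NAMES.get(record["eventSource"], record["eventSource"]),
                   "resource": resource},
        "issuer": {"category": category, "token": token},
    }


def follow_token(records, token):
    """Event names executed under one Issuer.token, in time order."""
    parsed = sorted(map(parse_record, records), key=lambda p: p["event"]["time"])
    return [p["event"]["name"] for p in parsed if p["issuer"]["token"] == token]


def group_by_token(records):
    """Pivot the stream on (issuer category, token) for investigation."""
    groups = defaultdict(list)
    for p in map(parse_record, records):
        groups[(p["issuer"]["category"], p["issuer"]["token"])].append(p["event"]["name"])
    return dict(groups)


if __name__ == "__main__":
    for p in map(parse_record, RECORDS):
        print(p["event"]["name"], p["identity"]["arn"], p["target"], p["issuer"])
    print(group_by_token(RECORDS))
```

Following the token rather than the human-readable identity is what links the `CreateBucket` and `PutBucketPolicy` calls: both ran under the same temporary credential, so an investigator sees the whole session even though the principal ARN is a role session, not a named user.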

An example of a CloudGuard alert based on account’s activity

Network connections

CloudGuard analyzes and enriches the cloud account's traffic metadata.
Integration with the Check Point Threat Cloud allows CloudGuard to alert on a variety of suspicious connections, such as outbound and inbound traffic to and from known malicious actors.
CloudGuard's enrichment process provides enhanced investigation capabilities, for example querying all traffic by asset type (EC2, Lambda, etc.).

It also provides advanced analysis of unique attack techniques, network anomaly detection that alerts on deviations from the asset's normal behavior, and detection of abnormal traffic such as malformed DNS traffic.
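The enrichment described above, as an added Python example that is not CloudGuard's code: constructed VPC flow-log lines (default AWS v2 field order) are joined with a constructed asset inventory (ENI to asset type) and a constructed IP reputation set standing in for a threat-intelligence lookup, so that connections to known-bad peers can be alerted on and traffic can be queried by asset type. The inventory, the reputation set, the direction heuristic and the alert rule are all assumptions made for the example.

```python
"""Enrich VPC flow-log records with asset inventory and IP reputation.

Added example. The flow-log column order is the default AWS VPC Flow Logs v2
format; the inventory, reputation feed and alert rule are assumptions here.
"""
import ipaddress

# Constructed asset inventory: ENI -> asset type, name and the subnet it lives in.
INVENTORY = {
    "eni-0a1b2c3d": {"type": "EC2", "name": "web-1", "cidr": "10.0.1.0/24"},
    "eni-0e5f6a7b": {"type": "Lambda", "name": "img-resize", "cidr": "10.0.9.0/24"},
}
# Constructed reputation feed; stands in for a threat-intelligence lookup.
MALICIOUS_IPS = {"198.51.100.7", "192.0.2.99"}

FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()

# Constructed flow-log lines (not real traffic).
FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.5 198.51.100.7 43210 443 6 12 2048 1683000000 1683000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.50 10.0.1.5 51000 80 6 5 600 1683000000 1683000060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.0.9.22 93.184.216.34 40000 443 6 8 1200 1683000000 1683000060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.0.9.22 192.0.2.99 40001 4444 6 3 300 1683000000 1683000060 REJECT OK
"""


def parse_flow_log(text):
    """Split space-separated flow-log lines into dicts keyed by field name."""
    return [dict(zip(FLOW_FIELDS, line.split()))
            for line in text.splitlines() if line.strip()]


def is_internal(ip, cidr):
    """True when ip falls inside the asset's own subnet (assumed direction rule)."""
    return cidr is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def enrich(row):
    """Attach asset type/name, direction and reputation of the remote peer."""
    asset = INVENTORY.get(row["interface_id"],
                          {"type": "unknown", "name": row["interface_id"], "cidr": None})
    outbound = is_internal(row["srcaddr"], asset["cidr"])
    remote = row["dstaddr"] if outbound else row["srcaddr"]
    return {**row,
            "asset_type": asset["type"], "asset_name": asset["name"],
            "direction": "outbound" if outbound else "inbound",
            "remote_ip": remote, "remote_malicious": remote in MALICIOUS_IPS}


def alerts(rows):
    """Connections, in either direction, whose remote peer is on the bad list.

    Rejected flows are kept on purpose: a blocked beacon to a C2 port still
    says something about the asset that tried to send it.
    """
    return [f"{e['direction']} {e['asset_type']}/{e['asset_name']} "
            f"<-> {e['remote_ip']}:{e['dstport']} ({e['action']})"
            for e in map(enrich, rows) if e["remote_malicious"]]


def by_asset_type(rows, asset_type):
    """Investigation query: all traffic for one asset type."""
    return [(e["asset_name"], e["remote_ip"], int(e["dstport"]), int(e["bytes"]))
            for e in map(enrich, rows) if e["asset_type"] == asset_type]


if __name__ == "__main__":
    rows = parse_flow_log(FLOW_LOG)
    print("\n".join(alerts(rows)))
    print(by_asset_type(rows, "Lambda"))
```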

An example of CloudGuard alert based on account’s network connection

CloudGuard provides near real-time views of the cloud account's activity as well as the ability to investigate and analyze past activity. Real-time alerts are configured for specific events or event types that occur in the cloud environment, so that users are aware and able to respond immediately. Using up-to-date machine learning techniques, CloudGuard detects new attacks and suspicious activities, such as logins from abnormal locations, changes to an asset's network configuration, and use of an access key from an abnormal location.

New alerts are added daily after extensive, in-depth research by the Check Point cloud security research team. The research covers a variety of cloud services, machine learning and anomaly detection, and analysis of cloud attacks.

CloudGuard Use Cases

1. Streamline Network Security Operations:

  • Security architecture review based on real-time traffic analysis
  • Visibility into traffic flow
  • Troubleshoot and identify misconfigurations that are causing intrusions and policy violations
  • Identify unusual account activity

2. Reduce the time for threat detection:

Identify and zoom in on a suspected threat and understand the full context from both a configuration and traffic activity perspective, thereby reducing your average time to detect threats.

3. Detect Cloud Oriented Attacks:

CloudGuard has the full context of the account's activity and of the types of assets in the environment. If an attacker obtains unauthorized privileges and uses them to launch expensive EC2 instances for crypto-mining, or to steal API keys, CloudGuard detects the unauthorized IAM changes or the traffic characteristic of that EC2 instance type and immediately raises a detailed alert.

4. Expedite and assist in Compliance Validation:

A user can see a live-action replay of traffic to demonstrate that the cloud environment adheres to various compliance standards (control effectiveness).

5. Detect unusual or abnormal use of your cloud resources, network activity, logins, etc.:

CloudGuard uses machine-learning algorithms to detect deviations from normal baseline behavior, for example activity from suspicious geographic locations, suspicious port usage, or abnormal login/authentication attempts.

CloudGuard guidance can be found here