What is AWS CloudTrail?
AWS CloudTrail is a management service offered by Amazon Web Services (AWS) that supports auditing, governance, compliance, and security operations. CloudTrail logs, continuously monitors, and retains events related to API calls across your AWS infrastructure.
What information does CloudTrail monitor?
CloudTrail logs AWS API calls. These calls capture meaningful activities in an AWS account, from security and compute resource changes to storage and network access.
How does Lacework work with CloudTrail?
Lacework Polygraph uses CloudTrail data to monitor AWS account activity and establish a baseline of normal behavior. Lacework then detects any deviation from the baseline to surface potential security incidents, facilitate investigations, and improve operations. Lacework for AWS CloudTrail is a zero-touch solution that requires minimal software and configuration.
I’m using CloudTrail today. Why do I need Lacework?
Although CloudTrail captures comprehensive and detailed information, it presents that information as simple log files. Lacework aggregates and organizes CloudTrail data into useful maps and dashboards that illustrate conceptual relationships, causes and effects, and interactions between AWS entities.
Lacework also automatically generates alerts whenever a CloudTrail event represents a security risk. These alerts are triggered when AWS account activity deviates from the baseline. Lacework Polygraph is integrated with a number of alerting and workflow management tools (like Slack and Splunk) so you can easily integrate Lacework into your existing security workflow.
Lacework automatically performs all of these capabilities - mapping, alerting, aggregating, and organizing - without rules, policies, or signatures. Lacework makes CloudTrail far more powerful without adding administrative overhead.
Lacework for cloud workloads protects the systems, applications, processes, users, and containers powering your runtime cloud environment. To use IT security jargon, this is the “attack surface” the solution protects. In comparison, the attack surface protected by Lacework for AWS CloudTrail is the AWS account itself, where administrators establish and maintain AWS infrastructure, including user accounts, storage and compute resources, and security infrastructure.
The attack surface protected by the two solutions can overlap. For example, CloudTrail monitors AWS APIs that start new machine instances or create new storage buckets. Lacework for cloud workloads typically detects new hosts even when Lacework for CloudTrail is not in use.
On the other hand, CloudTrail provides insight into certain events that Lacework for cloud workloads does not see. For example, CloudTrail captures every identity and access management (IAM) event on an AWS account. These events cannot be seen by Lacework for cloud workloads. Abuse of IAM commands can result in attackers gaining the ability to create new EC2 instances or S3 buckets for nefarious purposes, such as bitcoin mining.
To clarify, IAM activities on AWS are different from the similar-sounding user management tasks that are part of the lifecycle of a virtual machine or container. Though Lacework for cloud workloads does not see AWS IAM events, the solution does see user permission changes on the workloads themselves.
Is it easy to install Lacework with CloudTrail?
Yes. You only need to configure CloudTrail to ensure that the correct information is being sent. Lacework even offers a template to easily create a basic CloudTrail configuration.
Can I use Lacework with CloudTrail to avoid using Lacework agents?
Yes, with a qualification: it depends on what you want to protect. Agents are the only way to extend Lacework’s capabilities to the production elements of your cloud solution. Without agents, Lacework for CloudTrail protects administrative and some production activities in your AWS account (for example, launching or stopping EC2 instances, or creating S3 buckets), but it provides very little protection for your in-production servers, applications, containers, and processes. Our CloudTrail solution complements our cloud workload solution. It does not replace it.
Does Lacework baseline and analyze all the APIs offered by CloudTrail?
No. Lacework analyzes the CloudTrail management APIs that are relevant to security and operational tasks. We do not, for example, track Amazon CloudSearch API calls (even though CloudTrail does) because those calls aren’t relevant to Lacework’s use cases. See Lacework’s data sheet for a full listing of AWS APIs we track.
Does Lacework support trails from different regions?
Yes. Lacework currently ingests data from only one trail, so Lacework recommends using the default trail (which includes all AWS regions associated with the account). Region tags are available as filters within Lacework if you need to analyze data by region.
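A check that the trail you point Lacework at actually carries what the two answers above ask for (one trail, all regions, logging switched on), as an added Python example that is not Lacework's template and not part of the original page. It reads dictionaries shaped like the DescribeTrails and GetTrailStatus API responses; the field names are the ones documented for those calls, and the weak and corrected sample trails are constructed.

```python
"""Audit a CloudTrail trail description against the FAQ's recommendations.

Added illustration, not Lacework's template. The input dictionaries mimic the
shape of the DescribeTrails (trail) and GetTrailStatus (status) responses;
the sample values below are constructed.
"""


def audit_trail(trail, status):
    """Return a list of findings; an empty list means the trail passes every check."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is single-region: activity in other regions is not captured")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("global service events (for example IAM and STS) are excluded")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation is off: delivered files cannot be shown to be untampered")
    if not trail.get("S3BucketName"):
        findings.append("no S3 bucket: there is no log file for a consumer to read")
    if not status.get("IsLogging"):
        findings.append("trail exists but logging is stopped")
    if status.get("LatestDeliveryError"):
        findings.append("last delivery to S3 failed: " + status["LatestDeliveryError"])
    return findings


# Constructed weak trail: single-region, no validation, and logging stopped.
WEAK_TRAIL = {
    "Name": "example-trail",
    "S3BucketName": "example-trail-bucket",
    "IsMultiRegionTrail": False,
    "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": False,
}
WEAK_STATUS = {"IsLogging": False, "LatestDeliveryError": ""}

# Constructed corrected trail: every region, global events, validation, logging on.
GOOD_TRAIL = {
    "Name": "example-trail",
    "S3BucketName": "example-trail-bucket",
    "IsMultiRegionTrail": True,
    "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": True,
}
GOOD_STATUS = {"IsLogging": True, "LatestDeliveryError": ""}


if __name__ == "__main__":
    for label, trail, status in (("weak", WEAK_TRAIL, WEAK_STATUS),
                                 ("corrected", GOOD_TRAIL, GOOD_STATUS)):
        print(label, audit_trail(trail, status) or ["ok"])
```

Against a live account the two dictionaries would come from the DescribeTrails and GetTrailStatus calls for the trail in question; the checks themselves do not change.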
How does Lacework compare to AWS CloudWatch?
CloudWatch is a monitoring solution offered by AWS. Its focus on performance monitoring and metrics complements Lacework’s focus on security, compliance, and incident investigation.
CloudWatch monitors log files, including files from CloudTrail, and can generate security alerts based on unusual log activity. However, these alerts are rule-based and must be manually developed and maintained. Lacework’s zero-touch solution is a more comprehensive and easier-to-use alternative to CloudWatch for security alerting.
What are some of the use cases supported by Lacework for CloudTrail?
Lacework supports two primary use cases: breach detection very early in the cyber kill chain and investigation support for security incidents.
The cyber kill chain model, originally developed by security thought leaders at Lockheed, describes the phases a typical cyber attack passes through before it becomes a damaging incident. Reconnaissance, for example, happens early in most cyber attacks as the adversary probes for weaknesses. Exfiltration of sensitive data is one of the final phases in the kill chain.
Lacework for CloudTrail excels at detecting attacks during the early phases of the kill chain. By correlating and assessing information across different AWS services, Lacework can highlight especially suspicious events, such as a new user attempting to create a new key in AWS KMS, a user trying to change access control policies on an S3 bucket, or the creation of a new EC2 instance in a new region. Each of these behaviors is an early red flag for potential cybercrime activity.
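The three behaviours just described, together with the baseline-then-deviation idea from the earlier answers about how Lacework works with CloudTrail and how it differs from rule-based CloudWatch alerting, as an added Python illustration that is not Lacework code and does not reproduce Lacework's actual model: it parses records in CloudTrail's `{"Records": [...]}` file format, learns which actions and regions each principal used during a baseline window, then flags sensitive management calls that are new for that principal. The sample records, account id, ARNs and IP addresses are constructed placeholders, and the small `SENSITIVE` set that narrows the demo to the calls named above is an assumption of the example, not a description of how Lacework selects events.

```python
"""Baseline-then-deviate detection over CloudTrail-style records.

Added illustration of the idea the FAQ describes (learn what each AWS
principal normally does, then flag departures). Not Lacework code.
"""
import json
from collections import defaultdict


def rec(when, user, service, name, region, ip="203.0.113.10"):
    """Build one CloudTrail-shaped record with only the fields this demo reads.
    The account id, user names and IPs are constructed placeholders."""
    return {"eventTime": when, "eventSource": service + ".amazonaws.com",
            "eventName": name, "awsRegion": region, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser",
                             "arn": "arn:aws:iam::123456789012:user/" + user}}


# Constructed learning window: routine activity in CloudTrail's file envelope.
BASELINE_LOG = json.dumps({"Records": [
    rec("2018-03-01T09:00:00Z", "alice", "ec2", "DescribeInstances", "us-east-1"),
    rec("2018-03-01T09:05:00Z", "alice", "ec2", "RunInstances", "us-east-1"),
    rec("2018-03-01T10:00:00Z", "alice", "kms", "CreateKey", "us-east-1"),
    rec("2018-03-02T08:30:00Z", "bob", "iam", "ListUsers", "us-east-1"),
    rec("2018-03-02T08:45:00Z", "bob", "s3", "ListBuckets", "us-east-1"),
]})

# Constructed later window containing the three behaviours the FAQ calls out.
NEW_LOG = json.dumps({"Records": [
    rec("2018-03-09T09:10:00Z", "alice", "ec2", "RunInstances", "us-east-1"),
    rec("2018-03-09T03:12:00Z", "alice", "ec2", "RunInstances", "ap-southeast-1"),
    rec("2018-03-09T03:15:00Z", "carol", "kms", "CreateKey", "us-east-1", ip="198.51.100.7"),
    rec("2018-03-09T11:00:00Z", "bob", "s3", "PutBucketAcl", "us-east-1"),
    rec("2018-03-09T11:30:00Z", "alice", "kms", "CreateKey", "us-east-1"),
]})

# Management calls the demo reports when they are new for the principal.
# This list is an assumption of the example, not a Lacework rule set.
SENSITIVE = {
    ("kms.amazonaws.com", "CreateKey"),
    ("s3.amazonaws.com", "PutBucketAcl"),
    ("s3.amazonaws.com", "PutBucketPolicy"),
    ("ec2.amazonaws.com", "RunInstances"),
    ("iam.amazonaws.com", "AttachUserPolicy"),
}


def load_records(log_text):
    """Parse a CloudTrail log file body and return its list of event records."""
    return json.loads(log_text)["Records"]


def actor_of(record):
    """Identify the principal: ARN when present, else user name, else identity type."""
    ident = record["userIdentity"]
    return ident.get("arn") or ident.get("userName") or ident["type"]


def build_baseline(records):
    """Per principal: the (service, action) pairs and regions seen while learning."""
    actions, regions = defaultdict(set), defaultdict(set)
    for r in records:
        a = actor_of(r)
        actions[a].add((r["eventSource"], r["eventName"]))
        regions[a].add(r["awsRegion"])
    return {"actions": actions, "regions": regions}


def detect(baseline, records):
    """Return a finding for each sensitive call that departs from the principal's baseline."""
    findings = []
    for r in records:
        a = actor_of(r)
        key = (r["eventSource"], r["eventName"])
        if key not in SENSITIVE:
            continue
        reasons = []
        if a not in baseline["actions"]:
            reasons.append("principal never seen during the baseline window")
        elif key not in baseline["actions"][a]:
            reasons.append("first " + r["eventName"] + " by this principal")
        if a in baseline["regions"] and r["awsRegion"] not in baseline["regions"][a]:
            reasons.append("region " + r["awsRegion"] + " never used by this principal")
        if reasons:
            findings.append({"time": r["eventTime"], "actor": a, "event": r["eventName"],
                             "region": r["awsRegion"], "source_ip": r["sourceIPAddress"],
                             "reasons": reasons})
    return findings


def run_demo():
    """Learn from the baseline window, then score the later window."""
    baseline = build_baseline(load_records(BASELINE_LOG))
    return detect(baseline, load_records(NEW_LOG))


if __name__ == "__main__":
    for f in run_demo():
        print(f["time"], f["actor"], f["event"], f["region"], "|", "; ".join(f["reasons"]))
```

Run as-is, the later window yields three findings: alice's RunInstances in a region she has never used, a CreateKey by a principal absent from the baseline, and bob's first PutBucketAcl; her routine RunInstances and CreateKey in us-east-1 produce nothing, which is the point of baselining rather than matching fixed patterns. The source IP travels with each finding because, as the later answer on available fields notes, the originating address is one of the attributes an investigator reads first.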
Incident investigation is another compelling Lacework for CloudTrail use case. Evaluating security breaches can be a tedious process: without the right tools, investigators are often left to deal with incomplete and confusing logs from disparate systems. Even with CloudTrail, correlating AWS account events with logs from production workloads (i.e., the containers, applications, and servers running your production solution) is not an easy task.
With Lacework, events from every corner of your cloud solution - including those from AWS CloudTrail - can be visualized in the context of the overall cyber kill chain. Once the attack’s structure and strategies are understood, security professionals can quickly and definitively remediate problems and evaluate impacts.
What kind of threats are caught by Lacework for AWS CloudTrail?
Lacework for AWS CloudTrail focuses on administrative activities that underpin every solution hosted on AWS. Here’s a sample of the types of attacks that can take place in the AWS administrative domain:
- Deleting EC2 instances or keys to deny or degrade service
- Changing S3 bucket permission to expose or steal sensitive data
- Launching unauthorized EC2 instances or creating S3 buckets for bitcoin mining or file sharing
- Restoring AWS snapshots to steal data that was thought to be unavailable
- Adding new privileged users with wide administrator privileges in the AWS account
What information about CloudTrail events is available in Lacework for AWS CloudTrail?
Lacework for AWS CloudTrail does not retain full event records for CloudTrail events. We provide a link to the source CloudTrail file if the user needs more detail. Here are the fields available from within Lacework for CloudTrail:
- Time period
- Originating IP address