Continuously monitor network traffic and resources
Security doesn’t end with architecting and configuring resources just once. Continuous monitoring to detect changes and malicious behavior is key to keeping a network secure in the long run. Automation is a key benefit of the cloud: the ability to script thresholding and remediation so that the monitor > detection > action cycle can take place without human intervention. Monitoring should also be expansive, drawing on multiple sources of information such as network traffic, application logs, and operating system logs. (With the cloud, you can easily do analytics on your security analytics.) Figure 14 highlights some of these best practices.
- Maintain a digital asset inventory, monitor and analyze network traffic — A key component in maintaining a secure ICS network is being able to identify, maintain, and control the inventory of both hardware and software assets in the industrial network. After establishing the networked asset inventory, create a network interaction baseline that maps all device connections, and continuously monitor it for any deviations. Local network traffic should be monitored and analyzed using specialized OT network analysis tools. On the AWS Cloud, turn on Amazon GuardDuty.
- Collect local application, operating system, and infrastructure logs and metrics — Application, operating system, and infrastructure logs and metrics are an important source of information, not only for managing and detecting security threats but also for troubleshooting and early alerting on application issues. In Industrial Control Systems (ICS), these logs typically stay local and are only analyzed when troubleshooting. AWS services such as CloudWatch and Kinesis can be used to collect logs into a central place. Services like AWS Glue, Amazon EMR, or Amazon OpenSearch Service can be used to analyze the log data at scale and to create automated rules for alerting on any detected malicious behavior. For example, SCADA/MES application logs and host server logs can be collected using a CloudWatch agent and sent to CloudWatch and OpenSearch for search and analysis. CloudWatch Events and alarms can also be configured to detect anomalous conditions.

  Hardware/server performance metrics can provide indicators of malicious behavior (such as sudden high CPU or network usage) and should be continuously collected, monitored, and analyzed. Amazon CloudWatch is again a key service for collecting and monitoring performance metrics. A CloudWatch agent can be installed on on-premises servers and virtual machines to collect metrics directly.

  Metrics and logs can also be forwarded to the cloud via an edge gateway. The edge gateway can be configured for real-time analysis and detection, giving customers the ability to detect threats on-premises. Third-party AWS partner products provide another option for collecting this data in this manner. Use of AWS-provided solutions for on-premises infrastructure, such as AWS Outposts, can further simplify this performance and log data gathering by providing built-in mechanisms and deeper integration with cloud services.
- Use AWS IoT Device Defender to audit and monitor IoT devices — AWS IoT Device Defender is a fully managed service that helps you secure your fleet of IoT devices. AWS IoT Device Defender continuously audits IoT configurations to make sure that they aren’t deviating from security best practices. A configuration is a set of technical controls you set to help keep information secure when devices are communicating with each other and the cloud. AWS IoT Device Defender makes it easy to maintain and enforce IoT configurations, such as ensuring device identity, authenticating and authorizing devices, and encrypting device data. AWS IoT Device Defender continuously audits the IoT configurations on your devices against a set of predefined security best practices (a full list of audit checks is available in the AWS IoT Device Defender developer guide). AWS IoT Device Defender sends an alert if there are any gaps in your IoT configuration that might create a security risk, such as identity certificates being shared across multiple devices, or a device with a revoked identity certificate trying to connect to AWS IoT Core.

  AWS IoT Device Defender can also continuously monitor security metrics from devices and AWS IoT Core for deviations from what is defined as appropriate behavior for each device. If a deviation occurs, AWS IoT Device Defender sends an alert so you can act to remediate the issue (as shown in Figure 13). For example, a spike in outbound traffic might indicate that a device is participating in a DDoS attack. AWS IoT Device Defender can send alerts to the AWS IoT Console, Amazon CloudWatch, and Amazon SNS.
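The first best practice above (an asset inventory plus a baseline of device connections that is watched for deviations) is easy to prototype outside any specific product. The following is an added example, not code from the whitepaper or from an AWS service: it learns a baseline from constructed flow records, then flags later flows whose endpoints are not in the (hypothetical) inventory or whose source/destination/port combination was never seen before.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One observed connection: source, destination and destination port."""
    src: str
    dst: str
    port: int

# Constructed asset inventory (address -> role); hypothetical values.
INVENTORY = {
    "10.0.1.10": "HMI",
    "10.0.1.20": "Historian",
    "10.0.2.5": "PLC-Line1",
    "10.0.2.6": "PLC-Line2",
}

def learn_baseline(flows):
    """Record every distinct flow seen during the baseline window."""
    return set(flows)

def check_flows(flows, baseline, inventory=INVENTORY):
    """Return (flow, reason) pairs for flows that deviate from the baseline.

    'unknown-asset': an endpoint is missing from the inventory;
    'new-connection': both endpoints are known but the pair/port is new.
    """
    findings = []
    for f in flows:
        if f.src not in inventory or f.dst not in inventory:
            findings.append((f, "unknown-asset"))
        elif f not in baseline:
            findings.append((f, "new-connection"))
    return findings

# Constructed baseline window: HMI polls both PLCs over Modbus/TCP (502),
# historian reads the HMI over OPC UA (4840).
BASELINE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.5", 502),
    Flow("10.0.1.10", "10.0.2.6", 502),
    Flow("10.0.1.20", "10.0.1.10", 4840),
]

# Constructed later window: normal polling plus two deviations.
LATER_FLOWS = [
    Flow("10.0.1.10", "10.0.2.5", 502),
    Flow("10.0.1.20", "10.0.2.5", 502),   # historian reaching a PLC directly
    Flow("10.0.9.99", "10.0.2.6", 502),   # address absent from the inventory
]
```

In practice the baseline window would be fed from the OT network analysis tool or flow export, and each finding would become a CloudWatch alarm or SNS notification rather than a returned tuple.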
Refer to the “Elevate your IoT security with AWS multi-layered security approach”
[Figure: Continuously monitoring network traffic and resources]