Cloud Security | General | Threat Stack | 3 Min Read

Shrink Mean Time-To-Know With Real-Time AWS EC2 Metadata

When the cybersecurity team receives an indicator of a potential attack, every minute counts. The longer it takes to determine whether an alert is benign or a serious threat to the business, the more time attackers have to penetrate your defenses, or to do additional damage if they are already inside. Shrinking the mean time-to-know for cyberthreats has to be a top priority for the cybersecurity team.

Any cybersecurity professional whose cloud security defenses have been penetrated finds behavioral anomalies in the after-action report that, had they been quickly identified as a real threat, would have enabled the team to stop the breach from ever happening. So, while more information about events within your cloud environment helps, that information needs to be placed in the proper context.

New data is only useful if it helps speed up the process of identifying genuine risks. The goal is to improve the signal-to-noise ratio, and more context makes it easier to find that signal faster.

Understanding “what” is great, but knowing “where” is even better

In cloud security, alerts can provide great insight into what is happening at the host level, but the cybersecurity team can act much more quickly when it is also immediately evident where the anomalous behavior is occurring at the moment it is detected. To determine how critical an alert is, IT needs to be able to answer questions such as:

  • Where is the host running?
  • What is running on the host in question?
  • What can the host talk to?
  • What can talk to the host?

Threat Stack’s telemetry data and associated rules engine have proven themselves over more than six years in the field, helping cybersecurity teams quickly identify true risks. Our solutions continuously monitor systems across the full cloud stack to collect a rich set of vital telemetry, and we make it simple to export this data for audit purposes and later analysis. 

We have been very good at telling organizations what is happening in their environment. Now we are also going to show exactly where anomalies are occurring. Threat Stack has always collected EC2 context information for inventory purposes, but there will no longer be any need to go back to archived data to run it down: the location and all the relevant context will show up in the alert itself, so cybersecurity teams can determine the threat level far faster and, if necessary, take corrective action.

Richer Data, Auto-populated into Events

Specifically, Threat Stack is now enriching Linux host and container events and alerts in real time with AWS EC2 metadata such as the virtual private cloud (VPC), security groups, and Domain Name System (DNS) names. If those events have associated alerting rules, the rules auto-inherit this information too. With this additional context, cybersecurity teams can build alerts that target critical, relevant parts of the infrastructure.
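
The enrichment and rule inheritance described above, as an added example that is not Threat Stack's code: a constructed IMDS document stands in for the live metadata endpoint, and the production VPC label, security group names, and event fields are hypothetical.

```python
# Added example (hypothetical, not Threat Stack's code): enrich a host event
# with EC2 metadata and evaluate infrastructure-aware rules against it.
# A real agent would read these paths from the IMDSv2 endpoint
# (http://169.254.169.254/latest/meta-data/); this constructed document
# with sample values lets the example run offline.
CONSTRUCTED_IMDS = {
    "instance-id": "i-0123456789abcdef0",
    "hostname": "ip-10-0-1-23.ec2.internal",
    "public-hostname": "ec2-203-0-113-10.compute-1.amazonaws.com",
    "network/interfaces/macs/0a:1b:2c:3d:4e:5f/vpc-id": "vpc-0abc123",
    "network/interfaces/macs/0a:1b:2c:3d:4e:5f/security-groups": "web-sg\nssh-admin-sg",
}
PRODUCTION_VPCS = {"vpc-0abc123"}  # hypothetical inventory label

# Constructed host-level event as a Linux agent might emit it.
SAMPLE_EVENT = {"type": "process", "host": "ip-10-0-1-23", "parent": "nginx", "exe": "/bin/sh"}

def ec2_context(imds):
    """Collapse raw IMDS key/value pairs into the fields an alert should carry."""
    ctx = {"instance_id": imds["instance-id"], "dns_names": [imds["hostname"]],
           "vpc_id": None, "security_groups": []}
    if imds.get("public-hostname"):
        ctx["dns_names"].append(imds["public-hostname"])
    for key, value in imds.items():
        if key.endswith("/vpc-id"):
            ctx["vpc_id"] = value
        elif key.endswith("/security-groups"):
            ctx["security_groups"] = value.split("\n")  # one group per line
    return ctx

def enrich(event, ctx):
    """Return a copy of the event with the EC2 context attached under one key."""
    return {**event, "ec2": ctx}

# Each rule pairs a host-level predicate with an infrastructure predicate, so
# the same host behaviour only alerts when it happens somewhere that matters.
RULES = [
    {"name": "web-shell-in-production-vpc", "severity": "high",
     "match": lambda e: e["parent"] == "nginx" and e["exe"].endswith("sh")
              and e["ec2"]["vpc_id"] in PRODUCTION_VPCS},
    {"name": "admin-ssh-group-on-public-host", "severity": "medium",
     "match": lambda e: "ssh-admin-sg" in e["ec2"]["security_groups"]
              and any(n.startswith("ec2-") for n in e["ec2"]["dns_names"])},
]

def evaluate(event, rules=RULES):
    """Return (name, severity) for every rule the enriched event matches."""
    return [(r["name"], r["severity"]) for r in rules if r["match"](event)]
```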

By correlating workload events with CloudTrail events in the Threat Stack Cloud Security Platform, Threat Stack customers will also be able to identify threats that span multiple layers of cloud infrastructure more rapidly.

With the host name ready at hand, security professionals can double-click on it to drill down and see what else may be going on with connections, activity, and other risk factors. What is more, cybersecurity teams can use this enhanced telemetry in their own SIEM and log aggregation workflows.

The end result is that all this new context will enable organizations to sharply reduce their mean-time-to-know.

The road ahead

But we’re not stopping there. Going forward, Threat Stack will bring EC2 metadata into our machine learning anomaly detection engine, ThreatML, which collects, normalizes, and analyzes over 60 billion events per day from customer cloud infrastructure. 

Additionally, security professionals will be able to organize and prioritize alerts based on the environment, instance type, IP addresses, and a number of other factors. Soon, customers will be able to build targeted, infrastructure-aware rules that employ machine learning models to dramatically reduce the number of false positives.

Threat Stack already had the most comprehensive cloud security telemetry in the industry, and adding EC2 metadata to that telemetry only makes it more valuable and useful. Organizations can significantly reduce their mean-time-to-know and spend more time focusing on proactive security.