News, news analysis, and commentary on the latest trends in cybersecurity technology.

Amazon Adds Malware Detection to GuardDuty TDR Service

The new GuardDuty Malware Protection and Amazon Detective were among 10 products and services unveiled at AWS re:Inforce in Boston this week.

Large sign that reads AWS, with the Amazon smile, hanging from a ceiling
Source: Joao-Pierre S. Ruth via InformationWeek

Amazon Web Services (AWS) has added malware protection to its GuardDuty threat detection service for EC2 compute instances and container workloads backed by Elastic Block Storage (EBS) volumes. The new GuardDuty Malware Protection option is designed to detect suspicious files that could be malware and then alert administrators through the AWS Security Hub.

The release of GuardDuty Malware Protection was among 10 new products and services that the cloud provider revealed during its AWS re:Inforce security conference in Boston this week. Amazon hosted thousands of security professionals at the event, which included a broad agenda of technical sessions, training and certification workshops, and panel discussions.

AWS Platform VP Kurt Kufeld outlined the cloud provider's latest security announcements during the event's opening keynote session. Explaining how the new GuardDuty Malware Protection feature works, Kufeld said when it detects suspicious files, it takes a snapshot of the associated EBS volume as the workload is processing.

GuardDuty then sends its findings to the AWS Security Hub via Amazon EventBridge, the same way it handles other threat activities. Amazon Detective, a tool AWS added in 2020 that uses machine learning to investigate events by analyzing log data, detects if any malware is present. 

"Use the integration to gain visibility into your overall security state for your organization, as well as easily search, filter, triage, investigate, or take action on any of the security findings that you do have," Kufeld said.

GuardDuty then analyzes what it finds with compute that runs in the AWS service account, "not your account, so as not to disturb the workload or require any agents or security software to be deployed inside your workload," Kufeld added. "When malware is detected, GuardDuty malware protection automatically sends additional and contextualized malware findings to GuardDuty console."

Curtis Franklin, a senior analyst who covers enterprise security management and security operations at Omdia, said AWS is taking an aggressive step with the addition of GuardDuty Malware Protection. 

"Calling it malware protection is a stretch; it's malware detection, and that's a critical difference," Franklin said. "It is not a fully featured offering, but it does plant a stake in the market for them."

AWS identified nine partners whose threat protection can integrate with its new malware offering: Bitdefender, CloudHesive, CrowdStrike, Fortinet, Palo Alto Networks, Rapid7, Sophos, Sysdig, and Trellix.

Kubernetes Support for Amazon Detective

Among other new offerings, AWS has added support for Kubernetes workloads with the addition of Amazon Detective for EKS, which builds on the managed threat analytics service. Amazon Detective ingests a wide variety of events, such as login attempts, API calls, and traffic, from various AWS services, including GuardDuty, AWS CloudTrail, and Amazon VPC. Since launching Amazon Detective two years ago, AWS has added support for identity and access management (IAM) roles, IP address analytics, integration with Splunk, Amazon S3, and AWS Organizations.

Amazon Detective for EKS was created in response to organizations moving to containers, which has resulted in growth of AWS' Elastic Kubernetes Service (EKS).

"Amazon Detective for EKS analyzes, investigates, and identifies the root cause of security findings for suspicious control-plane activity on EKS clusters," Kufeld said. "With a single-click setting and no agent requirements, it is much easier to start analyzing Amazon EKS specific activity. It uses advanced correlation and graph-based analytics to investigate security findings from suspicious container images or container misconfigurations that may allow access to the underlying EC2 nodes."

About the Author(s)

Jeffrey Schwartz, Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights