Amazon GuardDuty and Automating Cloud Security with the Security Fabric

By Warren Wu | May 15, 2018

Fortinet is excited to announce the integration of the Security Fabric with Amazon GuardDuty to automate remediation and threat intelligence in Amazon Web Services. This integration accelerates time-to-protection in the cloud by using dynamic FortiGate firewall rules to block newly detected threats. More profoundly, through the Fortinet Security Fabric, this collaboration between Fortinet and AWS opens up immediate as well as longer-term opportunities for bi-directional threat intelligence sharing, analytics, and orchestration between AWS, Fortinet, and enterprise security teams.

What is Amazon GuardDuty?

Amazon GuardDuty, which was launched at re:Invent 2017, is a threat detection service that continuously monitors for malicious and unauthorized behavior to help protect AWS accounts and workloads. GuardDuty looks at several sources of endpoint and network telemetry, including CloudTrail event logs, DNS logs, and VPC Flow Logs. Using integrated threat intelligence feeds and machine learning, GuardDuty can detect anomalies in account and workload activity.

How Does the GuardDuty Integration with Fortinet Work?

Fortinet leverages AWS-native orchestration, including CloudFormation and Lambda, to make suspicious activities detected by GuardDuty more actionable. Using CloudWatch events and Lambda, this integration automatically sends updates on new threats to all FortiGate next-generation firewalls deployed in the user’s AWS environment. The ongoing GuardDuty threat feeds of malicious IP addresses or domains can then be used in dynamic firewall policies to immediately protect against future inbound traffic from those compromised sites.

Orchestration scripts make it easy both to deploy the integration and to automate the ongoing threat feeds, and they are freely available as open-source tools for FortiGate customers. Like much of our other cloud automation that leverages cloud-native DevOps tools, we’ve published these scripts as open source, meaning end users are free to deploy the scripts out of the box for quick integration with the most common architectures and use cases, or to tailor them to their more specific needs. The scripts also support multi-region deployment and use a fabric-type approach, whereby GuardDuty findings in one region are parsed and malicious IP addresses are added to FortiGate firewalls spanning multiple regions.

There are slightly different versions of these scripts available for FortiOS 5.6 and 6.0 users; both support the ability to remediate GuardDuty-detected threats via dynamic firewall policies. For Fortinet customers that have adopted our latest FortiOS 6.0 and Fortinet Security Fabric enhancements, the scripts integrate GuardDuty as a generalized threat intelligence feed that doesn’t just accelerate incident response, but can also be used for deeper Fabric intelligence and automation.
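As an added illustration of the Lambda step described above (example code, not Fortinet's published script), the handler below parses a GuardDuty finding event from CloudWatch Events, keeps only external IPv4 addresses, applies a severity threshold, and renders the one-address-per-line body a FortiOS external block list consumes. The event field paths follow the GuardDuty finding format; the sample event, the Medium-or-higher severity threshold and the S3 hand-off are assumptions.

```python
import ipaddress

# Constructed sample of a GuardDuty finding as delivered through CloudWatch Events.
# Field paths follow the GuardDuty finding format; addresses are documentation ranges.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5,
        "service": {"action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
            "connectionDirection": "INBOUND", "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}},
    },
}

# VPC-internal ranges that must never be pushed into an inbound block list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def extract_remote_ips(finding):
    """Return external remote IPv4 addresses named in one finding's action block."""
    action = finding.get("service", {}).get("action", {})
    raw = [action.get(k, {}).get("remoteIpDetails", {}).get("ipAddressV4")
           for k in ("networkConnectionAction", "awsApiCallAction")]
    raw += [p.get("remoteIpDetails", {}).get("ipAddressV4")
            for p in action.get("portProbeAction", {}).get("portProbeDetails", [])]
    external = []
    for value in raw:
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            continue  # missing or malformed field: skip it rather than poison the feed
        if ip.version == 4 and not any(ip in net for net in INTERNAL_NETS):
            external.append(str(ip))
    return external

def update_block_list(current, event, min_severity=4.0):
    """Merge a finding's IPs into the feed once its severity meets the (assumed) Medium threshold."""
    finding = event.get("detail", {})
    if event.get("detail-type") != "GuardDuty Finding" or float(finding.get("severity", 0)) < min_severity:
        return set(current)
    return set(current) | set(extract_remote_ips(finding))

def render_feed(block_list):
    """FortiOS external block list body: one address per line, sorted for stable diffs."""
    return "\n".join(sorted(block_list, key=ipaddress.ip_address)) + "\n"

def lambda_handler(event, context):
    # Hypothetical glue: a real deployment would persist the feed where FortiGate polls it (e.g. S3).
    return render_feed(update_block_list(set(), event))
```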
How Does the Fortinet Security Fabric Protect and Automate the Cloud?

At Fortinet we’ve developed the Security Fabric to be the means for achieving Broad, Integrated, and Automated protection across an entire organization. This is particularly applicable as organizations migrate to the public cloud to accelerate and transform their business. Fortinet is the only network security leader that can deliver a complete Security Fabric entirely within AWS, stitching together multiple layers of security from next-generation firewall to web/mail security to sandboxing to analytics. Just as importantly, the Fortinet Security Fabric enables organizations to mitigate threats across the expanded attack surface, from on-premises to public cloud and SaaS.

The significance of the script designed with FortiOS 6.0 features for Fabric-level integration is that it enables much broader and bi-directional threat intelligence sharing. This means that threat insights from GuardDuty don’t just feed into FortiGate rules, but can be combined with FortiGuard and other third-party threat intelligence feeds in our open Fabric platform. With FortiOS 6.0, GuardDuty findings and broader analytics can be fed directly into security rules across multiple Fortinet security solutions deployed in a user’s AWS environment and orchestrated with new Fabric automation capabilities. Threat intelligence can also be bi-directional, and users can look forward to being able to drive Security Fabric insights and intelligence back into GuardDuty and other AWS services, as well as to further enhance threat detection and automation.

Learn more about Amazon GuardDuty on the Amazon Web Services website.

Learn more about FortiGate and Fortinet Security Fabric solutions for Amazon Web Services, or go directly to the Fortinet offerings and free trials in AWS Marketplace. The AWS Amazon GuardDuty integration scripts can be downloaded for FortiOS 5.6 or 6.0 versions.