Business & Technology

AWS GuardDuty & Fortinet: Automating Cloud Security

By Frederick Harris | May 15, 2018

Fortinet delivers native integration of the Security Fabric with Amazon GuardDuty to block and monitor potentially malicious traffic in Amazon Web Services. This integration accelerates time-to-protection in the cloud by using dynamic FortiGate firewall rules to block newly detected threats.

What is AWS Amazon GuardDuty?

Amazon GuardDuty is a threat detection service that continuously monitors for malicious and unauthorized behavior to help protect AWS accounts and workloads. GuardDuty looks at several sources of endpoint and network telemetry, including CloudTrail event logs, DNS logs, and VPC Flow Logs. Using integrated threat intelligence feeds and machine learning, GuardDuty can detect anomalies in account and workload activity.

How Does AWS GuardDuty Integration with Fortinet Work?

Fortinet leverages AWS-native orchestration to make suspicious activities detected by GuardDuty more actionable. Using CloudWatch Events and Lambda, this integration automatically sends updates on new threats to all FortiGate next-generation firewalls deployed in the user's AWS environment. The ongoing GuardDuty threat feed of malicious IP addresses or domains can then be used in dynamic firewall policies to immediately protect against future inbound traffic from those compromised sources.

Orchestration scripts make it easy both to deploy the integration and to automate the ongoing threat feeds, and they are freely available as open-source tools for FortiGate customers. Like much of our other cloud automation that leverages cloud-native DevOps tools, we've published these scripts as open source, meaning end users are free to deploy them out of the box for quick integration in the most common architectures and use cases, or to tailor them to more specific needs. The scripts also support multi-region deployment to extend protection across your entire Security Fabric: GuardDuty findings in one region are parsed, and the malicious IP addresses are added to FortiGate firewalls spanning multiple regions.

A Lambda package is available for all users of FortiOS 6.0 and newer which supports the ability to remediate GuardDuty-detected threats via dynamic firewall policies. The script integrates GuardDuty as a generalized threat intelligence feed that doesn’t just accelerate incident response, but can also be used for deeper Fabric intelligence and automation.
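To make the CloudWatch Events to Lambda to threat-feed flow above concrete, here is an added example (not Fortinet's published script) of the parsing step a Lambda handler would perform: it takes GuardDuty findings as delivered by a CloudWatch Events rule, keeps only findings above a severity threshold, pulls the remote IPs and domains out of the finding's action block, drops addresses that belong to internal ranges so a VPC-internal peer is never blocked, and renders the aggregate as the newline-delimited list a FortiOS external threat feed consumes. The sample findings, the severity threshold and the assumption that the feed is a plain text list are constructed for this example; the field names follow the GuardDuty finding format.

```python
import ipaddress

# Constructed sample findings in the shape a CloudWatch Events rule delivers them
# (detail-type "GuardDuty Finding"); IPs and domain are documentation values.
SAMPLE_EVENTS = [
    {"detail-type": "GuardDuty Finding", "region": "us-east-1",
     "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 5.0,
                "service": {"action": {"actionType": "PORT_PROBE",
                    "portProbeAction": {"portProbeDetails": [
                        {"remoteIpDetails": {"ipAddressV4": "198.51.100.23"}},
                        {"remoteIpDetails": {"ipAddressV4": "10.0.1.5"}}]}}}}},
    {"detail-type": "GuardDuty Finding", "region": "eu-west-1",
     "detail": {"type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8.0,
                "service": {"action": {"actionType": "DNS_REQUEST",
                    "dnsRequestAction": {"domain": "example.invalid"}}}}},
    {"detail-type": "GuardDuty Finding", "region": "us-east-1",
     "detail": {"type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 2.0,
                "service": {"action": {"actionType": "NETWORK_CONNECTION",
                    "networkConnectionAction": {
                        "remoteIpDetails": {"ipAddressV4": "203.0.113.9"}}}}}},
]

# RFC 1918, loopback and link-local: never push these into a block list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def extract_indicators(event, min_severity=4.0):
    """Return (ips, domains) from one finding; empty sets if filtered out."""
    detail = event.get("detail", {})
    if event.get("detail-type") != "GuardDuty Finding" \
            or float(detail.get("severity", 0)) < min_severity:
        return set(), set()
    action = detail.get("service", {}).get("action", {})
    ips, domains, kind = set(), set(), action.get("actionType")
    if kind == "NETWORK_CONNECTION":
        ips.add(action["networkConnectionAction"]["remoteIpDetails"].get("ipAddressV4"))
    elif kind == "PORT_PROBE":
        for probe in action["portProbeAction"]["portProbeDetails"]:
            ips.add(probe["remoteIpDetails"].get("ipAddressV4"))
    elif kind == "DNS_REQUEST":
        domains.add(action["dnsRequestAction"].get("domain"))
    return {ip for ip in ips if ip and is_external(ip)}, {d for d in domains if d}

def build_feed(events, min_severity=4.0):
    """Merge findings from any region into one sorted feed of IPs and domains."""
    ips, domains = set(), set()
    for ev in events:
        i, d = extract_indicators(ev, min_severity)
        ips |= i
        domains |= d
    return {"ips": sorted(ips), "domains": sorted(domains)}

def render_feed(feed):
    """One indicator per line, the plain-text form an external feed is assumed to fetch."""
    return "\n".join(feed["ips"] + feed["domains"]) + "\n"
```

In a real deployment the rendered text would be written to an object the FortiGate threat-feed connector polls, and the Lambda would be subscribed to the CloudWatch Events rule in every region where GuardDuty is enabled.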

How Does the Fortinet Security Fabric Protect and Automate the Cloud?

At Fortinet we’ve developed the Security Fabric to be the means for achieving Broad, Integrated, and Automated protection across an entire organization. This is particularly applicable as organizations migrate to the public cloud to accelerate and transform their business. Fortinet is the only network security leader that can deliver a complete Security Fabric entirely within AWS, stitching together multiple layers of security from next-generation firewall to web/mail security to sandboxing to analytics. Just as importantly, the Fortinet Security Fabric enables organizations to mitigate threats across the expanded attack surface, from on-premise to public cloud and SaaS.

Learn more about Amazon GuardDuty on the Amazon Web Services website.

Learn more about FortiGate and Fortinet Security Fabric solutions for Amazon Web Services, or go directly to the Fortinet offerings and free trials in AWS Marketplace. The AWS Amazon GuardDuty integration script can be downloaded for FortiOS 6.0 or newer.