============ Editor’s Note: Over time the Deep Security API has evolved making this workflow trivial using the APIs. Therefore the integration code has been retired and instructions on how to replicate the workflow are available in the Deep Security Automation Center. ============

AWS has launched a new security service called Amazon GuardDuty. This service aims to provide actionable threat intelligence for your AWS account and EC2 instances.

Trend Micro is proud to be a supporting partner for the launch of Amazon GuardDuty.

What is Amazon GuardDuty?

After a simple setup, Amazon GuardDuty starts to generate customized threat intelligence for you. The service analyzes Amazon CloudTrail and AWS VPC Flow Log data to look for issues such as inbound port scans, possible backdoor access to your systems, unauthorized use of your account, and many other potential problems.

If Amazon GuardDuty determines there is an issue, it generates a finding. These findings show up in the Amazon GuardDuty Management Console and can be sent to Amazon CloudWatch as an event. This flexibility means that you can easily review findings as well as react to them.

The Management Console provides a simple interface to analyze the history of findings. Unfortunately, when a security issue presents itself, it’s often not an isolated case. Amazon GuardDuty does a fantastic job of aggregating events and highlighting trends and ongoing issues. Overview information like this is critical to the success of your security practice.

When Amazon GuardDuty raises a finding, your team needs to take it seriously and have a process in place to respond.

Automated Workflows

The ability to send findings via Amazon CloudWatch Events is critical to this workflow. It’s trivially simple to connect an event to an AWS Lambda function and from there, take any action you wish.

Once you’ve made that connection, you now have the necessary workflow required for an automated incident response.

You now have access to a world of possibilities. When Amazon GuardDuty generates a finding related to IAM calling an API from a suspicious network, you can reduce that user’s privileges or revoke their access entirely depending on your threat model.

Similarly, if the finding indicates that an IAM user launched an EC2 instance that falls outside of their normal behaviour, you can suspend the instance, isolate it, or simply email the user to verify that the action is legitimate.

These scenarios are a highly efficient way to respond to security issues and are made possible by merely enabling Amazon GuardDuty and writing a simple AWS Lambda function.


When you combine the threat intelligence from Amazon GuardDuty with the power of Trend Micro’s Deep Security, extraordinarily powerful scenarios open up.

With a simple AWS Lambda function to interpret the Amazon GuardDuty finding, we can orchestrate a rich response via the Deep Security platform.

Amazon GuardDuty has a host of EC2-related findings that highlight potential issues with your instances. The integration between Amazon GuardDuty and Deep Security (available now on GitHub) covers all of these findings.

Let’s take a look at an example.

Amazon GuardDuty detects that one of your EC2 instances (WEB-UI-001) was involved in a brute force attack aimed at SSH (or RDP for Windows instances). That’s not good.

You use certificate-based SSH access, so it’s not a critical risk, but you need to make sure that nothing out of the ordinary is happening with your instance.

When the finding is sent to Amazon CloudWatch events, the integration function in AWS Lambda is triggered.

This function parses the finding and determines which instance was affected. It then looks up that instance in Deep Security and, assuming it’s protected by Deep Security:

  • Runs a recommendation scan to ensure that the instance has an appropriate and up-to-date security policy
  • Runs an integrity scan to ensure that critical files haven’t changed recently
  • If requested, will also enable intrusion prevention (to block future attempts at remote exploits) and the integrity monitoring controls within Deep Security
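The decision logic of the function described above, as an added example rather than the integration’s own code: it pulls the affected instance out of the CloudWatch Events envelope, checks it against the set of instances Deep Security protects, and returns the ordered list of responses to run. The event layout follows the GuardDuty finding format, but the sample instance id, the protected-instance set and the action names are constructed here; the actual Deep Security API calls are left out and represented by those names.

```python
# Constructed sample: a CloudWatch Events envelope carrying a GuardDuty finding.
# Field layout follows the GuardDuty finding format; the instance id is made up.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}


def affected_instance(event):
    """Return the EC2 instance id named in a GuardDuty finding, or None."""
    if event.get("source") != "aws.guardduty":
        return None  # not a GuardDuty event at all
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None  # IAM or other non-EC2 finding: nothing for Deep Security to act on
    return resource.get("instanceDetails", {}).get("instanceId")


def plan_response(event, protected_instances, enable_controls=False):
    """Decide which Deep Security actions to take for a finding.

    protected_instances: set of instance ids known to Deep Security (a
    constructed stand-in for the lookup the real integration performs).
    Returns an ordered list of action names; an empty list means no action.
    """
    instance_id = affected_instance(event)
    if instance_id is None or instance_id not in protected_instances:
        return []  # unknown or unprotected instance: nothing to orchestrate
    # Always verify the policy and check critical files for recent changes.
    actions = ["recommendation_scan", "integrity_scan"]
    if enable_controls:
        # Optional hardening: turn on IPS and integrity monitoring for the host.
        actions += ["enable_intrusion_prevention", "enable_integrity_monitoring"]
    return actions


def lambda_handler(event, context=None):
    """Entry point in the shape AWS Lambda expects; returns the planned actions."""
    protected = {"i-0123456789abcdef0"}  # constructed Deep Security inventory
    return plan_response(event, protected, enable_controls=True)
```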

All of this happens without your team taking any manual action. If you want, the integration will also send a detailed message to a specific Slack channel to make sure your team is in the loop!

The Next Steps

The initial workflow integrating Amazon GuardDuty and Trend Micro Deep Security can form the basis for automating your incident response process. The customized threat intelligence of Amazon GuardDuty combined with the prevention capabilities of Deep Security is a great combination.

From here, you can add additional responses using the Amazon CloudWatch Event to AWS Lambda pattern. With this integration, we’ll be introducing the ability to send IP lists from Deep Security to Amazon GuardDuty to help tune findings. Look for that update shortly.

In the meantime, enable Amazon GuardDuty today. It only takes a minute. The integration with Deep Security is available on GitHub now.