8 Security Capabilities You Need to Protect Your AWS Infrastructure

By McAfee Cloud BU on Nov 29, 2017

The worldwide infrastructure as a service (IaaS) public cloud market grew 31 percent in 2016 to total $22.1 billion, up from $16.8 billion in 2015, and is expected to show the fastest growth over the next five years compared to platform as a service (PaaS) and software as a service (SaaS), according to Gartner.

With increasing adoption of IaaS platforms, we also see SecOps teams struggle to expand their security operations into IaaS environments and keep up with ever-evolving threat vectors. However, with the right preparation—such as leveraging a cloud access security broker (CASB)—any company can implement security controls in IaaS platforms to reduce its security risk. According to Gartner, “CASBs can gather and analyze risky configurations by assessing the security posture of the cloud infrastructure (for example, data stores exposed to the public internet)—ideally, this would replace the need for cloud infrastructure security posture assessment (CISPA) point products such as Evident.io”. Here are eight capabilities offered by McAfee (formerly Skyhigh Networks) Security Cloud to help you overcome the shortcomings of point products and IaaS-native security solutions:

1) Discovery and Remediation of Risky IaaS Usage

Enterprises increasingly have lines of business whose work relies on third parties. For example, an HR department may outsource recruitment to a vendor that stores job applicant data in a cloud storage service such as AWS S3. When you rely heavily on third parties for your business needs, the quality of your partner’s security operations is often unknown. Their risk becomes your risk, with disastrous consequences on the horizon. What you need is complete visibility into all cloud storage services storing enterprise data, including S3 buckets owned by third-party partners. It’s not uncommon for S3 buckets owned by third parties you work with to be exposed by misconfigurations such as allowing World Read/Write access or allowing any AWS user to modify bucket permissions.

McAfee recently announced the discovery of an MITM exposure in cloud storage services and also outlined how enterprises can use a CASB not only to gain visibility of such risks but also to remediate such exposures.





2) Security Configuration Monitoring

Gartner has estimated that up to 99% of data breaches are a result of internal misconfigurations of IT infrastructure and not of external attacks. As seen in McAfee’s findings on GhostWriter, these misconfigurations are neither easily identified nor easily remediated, for reasons including lack of control over the security practices of third-party vendors and inadequate tooling to catch inadvertent misconfigurations. The problem is so pervasive that almost all of the last ten major data leaks from AWS S3 buckets were caused by a misconfiguration that granted World Read permission on the bucket, allowing bad actors to exfiltrate sensitive information. Any enterprise subject to a compliance, security, or assurance framework must have continuous monitoring rules in place to prevent data leaks caused by such inadvertent misconfigurations of the IaaS and PaaS services in use.

McAfee Security Cloud allows customers to implement the controls laid out in the CIS AWS Foundations Benchmark and adhere to AWS security best practices, with support for more than 70 CIS Level 1, Level 2, and McAfee-recommended policies. Customers can use these pre-defined policies to continuously monitor both IaaS and PaaS services in AWS.
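The two S3 misconfigurations called out in sections 1 and 2 (World Read/Write ACL grants and grants that let any AWS user change bucket permissions) can be checked offline from a bucket's ACL and policy. The following is an added example, not McAfee's or AWS's code; the input shapes mirror what boto3's `get_bucket_acl()` and `get_bucket_policy()` return, the group URIs are AWS's real ACL group identifiers, and the sample ACL and policy are constructed.

```python
"""Flag S3 ACL grants to AllUsers/AuthenticatedUsers and bucket-policy
statements that allow actions to a wildcard principal. Assumes the ACL is the
dict boto3 get_bucket_acl() returns and the policy is the JSON string from
get_bucket_policy()["Policy"]."""
import json

# Real S3 ACL group URIs: AllUsers is the world, AuthenticatedUsers is any AWS account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "World",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AnyAWSUser",
}

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _is_wildcard(principal):
    """True when a policy Principal means 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def assess_bucket(acl, policy_json=None):
    """Return sorted findings such as 'ACL:World:READ' or 'Policy:*:s3:GetObject'."""
    findings = set()
    for grant in acl.get("Grants", []):
        who = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if who:  # READ = world-readable, WRITE = writable, WRITE_ACP = permissions editable
            findings.add(f"ACL:{who}:{grant['Permission']}")
    if policy_json:
        for stmt in _as_list(json.loads(policy_json).get("Statement")):
            if stmt.get("Effect") == "Allow" and _is_wildcard(stmt.get("Principal")):
                for action in _as_list(stmt.get("Action")):
                    findings.add(f"Policy:*:{action}")
    return sorted(findings)

# Constructed sample: world-readable objects, any AWS user may rewrite the ACL,
# and a policy that additionally lets everyone fetch objects.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "WRITE_ACP"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for finding in assess_bucket(SAMPLE_ACL, SAMPLE_POLICY):
        print(finding)
```

A clean bucket (owner-only FULL_CONTROL, no wildcard policy statements) yields an empty list, so the function can gate a periodic monitoring job.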



3) Data Loss Prevention (DLP) on Structured and Unstructured Data Sources

Enterprises use McAfee to perform DLP across their IaaS services. Customers can create DLP policies based on data identifiers, keywords, and structured/unstructured fingerprints to identify where their sensitive data is, so they can apply appropriate controls to ensure the security of that data. DLP can also monitor resources that are intentionally configured as public and unencrypted, so that if sensitive data is uploaded to those buckets at a later date, the data can be blocked and IT security notified.

It is important for your security platform to provide visibility into sensitive data stored in structured and unstructured data sources across AWS (S3 buckets, RDS, Data Lakes on Hadoop). With this knowledge, you can pinpoint any resource across such services that contains sensitive data and ensure it is adequately protected.




4) Activity Monitoring

The ability to monitor all user activities is one of the most important tasks enterprises undertake when they start using IaaS services. McAfee supports AWS CloudTrail, which records all API calls and console commands performed by users as well as third-party services, providing a wealth of data on usage patterns that can help answer the who, what, when, and how. This rich level of logging is a must-have to continually audit IaaS usage and ensure adherence to company best practices. Enterprises use McAfee’s activity monitoring to:

  1. Validate that permissions are set appropriately for different APIs or services in use
  2. Identify what APIs are being called, who is calling them and whether these users or roles have the right restrictions through IAM and/or KMS policies
  3. Archive the activities for up to a year in case of any internal or external audits for a detailed audit trail of all API, service and user level actions

McAfee monitors more than 1300 activities ingested through AWS CloudTrail logs and auto-categorizes them into seven categories such as Administration, Download, Data Access, Delete, Updates, and Login Success. This greatly simplifies the consumption and analysis of the massive amount of raw event data within AWS, especially since the raw events are not in a human-readable format.




5) Anomalies and Threat Protection

McAfee correlates all activities ingested from CloudTrail to baseline behavioral patterns within an IaaS environment. Customers leverage McAfee to identify anomalies within their AWS environments, such as a large quantity of S3 objects accessed by an anonymous user, an unauthorized IAM user trying to delete a resource, suspicious login attempts by the same user or IAM role from blacklisted IPs, or an unauthorized user attempting to run EC2 instances. McAfee’s machine learning algorithm combines two or more anomalies to alert on the most critical threats, helping customers focus on remediating these immediately. With a best-in-class detection mechanism, McAfee supports identification of a number of IaaS-specific threats and anomalies.




6) Visibility of Network Traffic Flows and Risk Remediation

AWS has native network traffic logging capability through VPC Flow Logs and related network flow logs. McAfee ingests logs from these sources to provide customers with a holistic view of all activity within their networks, including security group analysis to identify whether security groups are properly configured, which resources are reachable from the public internet versus only from back-end services, which ports these resources are allowed to talk on, and an analysis of all allowed/denied traffic to validate whether any policies need to be modified. This reduces the need for SecOps to study the access control lists (ACLs) of security groups within AWS, significantly improving their ability to secure network traffic and remediate risks.
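The flow-log analysis described above can be reproduced offline on raw VPC Flow Log records. This is an added example, not McAfee's code: it parses the default version-2 VPC Flow Log field layout, treats RFC 1918 space as "back-end" (an assumption; adjust to your VPC CIDRs), and the sample records are constructed, not real captures.

```python
"""Two views over VPC Flow Log records (default version-2 format): which
watched ports were ACCEPTed from outside RFC 1918 space, and the ACCEPT/REJECT
count per destination port used to review security group and NACL policy."""
import ipaddress

# Field order of the default VPC Flow Log format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumption: RFC 1918 ranges are the back-end; anything else is treated as the internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records for one private interface (10.0.2.40).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.40 45233 3306 6 12 2048 1510000000 1510000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.2.40 51212 22 6 8 640 1510000000 1510000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.2.40 40100 3389 6 3 180 1510000000 1510000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.2.40 51300 443 6 20 9000 1510000000 1510000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1510000000 1510000060 - NODATA
"""

def parse_flow_log(text):
    """Yield one dict per record with log_status OK; NODATA/SKIPDATA rows carry no flow."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS) and parts[-1] == "OK":
            yield dict(zip(FIELDS, parts))

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def internet_exposed(text, watched_ports=(22, 3389, 3306)):
    """(srcaddr, dstaddr, dstport) for ACCEPTed flows from non-RFC 1918 sources to watched ports."""
    return [(r["srcaddr"], r["dstaddr"], int(r["dstport"]))
            for r in parse_flow_log(text)
            if r["action"] == "ACCEPT" and not is_private(r["srcaddr"])
            and int(r["dstport"]) in watched_ports]

def action_by_port(text):
    """Count ACCEPT/REJECT per destination port: the allowed/denied view used to tune policies."""
    counts = {}
    for r in parse_flow_log(text):
        key = (int(r["dstport"]), r["action"])
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    print(internet_exposed(SAMPLE_LOG))  # SSH reached the private host from 203.0.113.7
    print(action_by_port(SAMPLE_LOG))
```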




7) Regulatory Compliance Templates

Cloud security’s shared responsibility model ensures security “in” the cloud by requiring enterprises that have custom applications deployed in the cloud—as well as their networking, firewall, and access policies—to align with regulatory best practices. McAfee has a number of customers operating in highly regulated industry verticals who have to adhere to HIPAA, PCI, and SOC 2 controls. Our IaaS product capabilities give customers a simple, centralized view and reporting for real-time visibility into whether they’re compliant with regulatory policies.

8) Discovery and Governance of Shadow IaaS usage

Enterprises need visibility into applications hosted on IaaS services to reduce security risks and costs and to govern usage of such services. McAfee supports auto-discovery of IaaS services such as AWS, Microsoft Azure, and Google Cloud Platform. Customers can continuously monitor traffic patterns, data upload/download patterns, and the number and details of users performing these activities within these IaaS applications. McAfee’s cloud governance capabilities empower customers to allow or block these activities and identify unused applications within these services. Those applications can then be consolidated with redundant applications in other IaaS platforms to reduce costs and enforce cloud vetting policies on IaaS services.

[Figure: McAfee MVISION Cloud for AWS Architecture]

At McAfee, we follow the principles below while continuing to make significant strides in enhancing our IaaS security capabilities.

Principles of McAfee Security Cloud

  1. Best-in-class Incident Detection: McAfee’s continuous monitoring platform has the best-in-class incident detection capabilities across all use cases mentioned above and we continue to invest to improve this further.
  2. Multi-Cloud Environments: In line with our vision to make cloud the most secure environment for business, we continue to address all relevant use cases across AWS, Microsoft Azure and Google Cloud Platform providing customers the benefits of securing their Cloud infrastructure through a single pane of glass.
  3. Native, API-based, agentless approach: eliminates any performance impact on customer systems and enables a superior user experience.
  4. Automate, Investigate and Remediate: McAfee’s integration with vendors such as Splunk, HP ArcSight, and ServiceNow helps customers automate their SOC workflows, investigate security incidents, and remediate them immediately. Our focus on using native services such as AWS Lambda empowers DevSecOps teams without requiring them to learn any vendor-specific utilities.

McAfee can help accelerate security intelligence for your AWS infrastructure to detect incidents quickly, expedite incident response, and protect your enterprise more effectively. Interested in learning more about our McAfee for IaaS product? Please register here to schedule a demo and we will be in touch soon.

About the Author

McAfee Cloud BU