CloudTrail is a valuable data source that provides insight into the API calls used to access AWS accounts, but the service poses several high-level cybersecurity challenges. Because CloudTrail logs every API call, log volume can grow to sizes that analysts cannot fully review. Worse, traditional CloudTrail logs are not monitored by the legacy cybersecurity platforms in place at many organizations.
MixMode gives teams the power to utilize CloudTrail data to achieve a more complete security posture. Organizations feel much more confident when this important data source is considered within a comprehensive security framework.
What is CloudTrail?
AWS defines CloudTrail as “an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Events include actions taken in the AWS Management Console, AWS Command Line Interface and AWS SDKs and APIs.”
CloudTrail is enabled on AWS accounts when they are created.
CloudTrail is a helpful tool in many ways. It contains the raw history of activity from AWS services across multiple accounts. It also logs API actions from the AWS Management Console, including API actions from AWS command-line tools and AWS Software Development Kits. For every action that occurs (access, adds, deletes and modifications), a CloudTrail event is recorded.
AWS Recommended CloudTrail Security Best Practices
AWS recommends several best practices for managing CloudTrail data, including:
- Create a trail to maintain ongoing records beyond the 90-day CloudTrail history default, which is not a permanent or complete record. AWS suggests creating a single trail that logs management events in all AWS Regions and additional trails for specific event logs, such as Amazon S3 bucket activity or AWS Lambda functions.
- Apply trails to all AWS Regions to create complete records of events taken by users, roles, or services. This ensures that all events that occur in an AWS account are logged, no matter which AWS Region is involved.
- Enable CloudTrail log file integrity validation so you can positively establish that log files have not been changed after delivery, and that specific API activity was performed by specific user credentials.
- Integrate with Amazon CloudWatch Logs, which allows monitoring of, and alerting on, specific events captured by CloudTrail, based on the configuration you define.
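Two of the practices above, alerting on specific CloudTrail events and checking log file integrity, can be exercised on a log file body directly. The following is an added example, not AWS or MixMode code: it parses a constructed CloudTrail "Records" array, flags API calls that would weaken the trail itself (the watch-list is a hypothetical choice for this example), and compares the file's SHA-256 with the hash value a digest file would list for it (the digest signature check is not shown).

```python
import hashlib
import hmac
import json
from collections import Counter

# Constructed sample in the shape of a CloudTrail log file ("Records" array);
# it is not a real capture, and the account id is a placeholder.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app/i-abc"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]}).encode()

# CloudTrail API actions that reduce or disable the audit trail itself.
# This watch-list is a hypothetical choice for the example, not an AWS-defined set.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def parse_records(log_bytes):
    """Return the list of event records in a CloudTrail log file body."""
    return json.loads(log_bytes)["Records"]

def summarize(records):
    """Count events per (eventSource, eventName): a first triage view of volume."""
    return Counter((r["eventSource"], r["eventName"]) for r in records)

def find_trail_tampering(records):
    """Return (eventTime, actor, eventName, awsRegion) for trail-tampering events."""
    hits = []
    for r in records:
        if r["eventSource"] == "cloudtrail.amazonaws.com" and r["eventName"] in TRAIL_TAMPERING:
            who = r["userIdentity"].get("userName") or r["userIdentity"].get("arn", "?")
            hits.append((r["eventTime"], who, r["eventName"], r["awsRegion"]))
    return hits

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def verify_log_hash(log_bytes, expected_hex):
    """Integrity check: compare the SHA-256 of the uncompressed log body with the
    hash value listed for it in a digest file (constant-time comparison)."""
    return hmac.compare_digest(sha256_hex(log_bytes), expected_hex)

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(summarize(recs))
    print(find_trail_tampering(recs))
    print(verify_log_hash(SAMPLE_LOG, sha256_hex(SAMPLE_LOG)))
```

On a real trail the expected hash comes from the CloudTrail digest file for that delivery period, so a mismatch means the log file was altered after CloudTrail wrote it.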
How MixMode uses CloudTrail
MixMode can analyze CloudTrail data in real time for anomalies, alerts, predictive analytics and forensic search, through a patented self-learning AI originally built for DARPA and the DoD. Once MixMode is deployed within an AWS environment, security teams benefit from access to extensive forensic search and investigation tools.
A central benefit of the unsupervised, context-aware MixMode AI platform is its ability to drill down to only those threats that pose a legitimate risk to a network. The platform doesn’t rely on log data like a traditional SIEM; instead, MixMode creates a baseline of expected network behavior from real-world environments in real time. The platform uses CloudTrail data as an additional source that can be tapped to deliver anomaly detection that is more complete than relying on traditional sources alone.
Consider the scenario detailed in this MixMode blog post. Here, MixMode AI flagged specific CloudTrail activity as anomalous. As shown in the screenshot of the MixMode Security Events Overview dashboard, 32,038 logs were ingested over the prior 24 hours. Of those logs, the AI surfaced only five Risk Level 10 anomalies to investigate, drawn from simple API call logs.