Superna Eyeglass® Ransomware Defender for AWS S3

Protect Your AWS S3 Object Data with a NIST Compliant Solution


Overview

Storing corporate data in the AWS S3 service exposes it to Internet-based attacks. Ransomware Defender for AWS S3 hardens that data with an adaptive security solution that monitors storage IO and separates normal from suspicious or malicious IO. The solution offers real-time detection, alerting, attack mitigation, and recovery from the attack with a precise list of affected objects.

Deployed with AWS CloudFormation templates, the solution leverages AWS services for scaling and simplicity. A Learning mode automatically baselines normal behaviour and customizes the detection configuration from it. The Security Guard feature stress tests your security with simulated attack-and-defend automation, so you can verify that your cyber defences detect and respond before a real attack does.

What does Cloud Native Solution Mean?

Many vendors offer cloud solutions that began as on-premise products and were moved to the cloud without modification. These solutions cost more over time and are costly to manage because they do not integrate with AWS cloud services, AWS security controls, or role-based access control.

A cloud native application uses cloud services to deliver a flexible, scalable, on-demand, consumption-based solution. Ransomware Defender for AWS S3 is deployed using an AWS CloudFormation template that simplifies the deployment and installation process. To scale with the cloud, the Amazon Managed Streaming for Apache Kafka (MSK) service is used to process events for the Analytics modules. The EC2 instances run in Auto Scaling groups to scale performance on demand. The IO pattern data that is analyzed comes from the AWS CloudTrail service; object-level S3 operations such as GetObject, PutObject and DeleteObject are only recorded when CloudTrail S3 data event logging is enabled for the protected buckets, which is billed separately from management events. This allows streamlined deployment, integrated security, on-demand scalability, and predictable, traceable cost management.

The license model is a subscription based on the number of protected S3 buckets and is integrated with AWS License Manager, so customers can manage license keys and entitlements in their own accounts using native AWS tools.

Key Features

  1. Real-time behavioral analysis of S3 bucket access to identify malicious activity.

    1. Ability to log all objects affected by the attack and export the list to CSV

    2. Disable the authenticated user account to protect the storage bucket from further damage

    3. Events include the affected object list, the source IP of the attacker, and the user account used to attack the data

  2. Mass delete detection to alert when a high rate of object deletions is detected

  3. Automated learning system that baselines normal bucket access patterns and self-configures to distinguish real attacks from normal IO patterns

  4. Per bucket protection configuration

  5. Multi region support from a central location

  6. Alerting via email, syslog, web hooks

  7. Dynamic scaling to match processing to any workload size, using EC2 Auto Scaling groups and the MSK service to scale event processing

  8. Event rate graphing to manage performance over time

  9. Historical event tracking

  10. Flag-as-false-positive feature for manual overrides when required

  11. Ignore list to suppress monitoring by bucket or by object key path wildcard

  12. Monitor list to disable the user account lockout function and enable only detection, object tracking and alerting, configured per bucket or per object key path with wildcard support

  13. Simulated attack feature, called Security Guard, that self-tests detection with an automated test and reports health status
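The mass delete detection, ignore list and monitor list features above describe one detection pipeline: CloudTrail S3 data events in, a per-principal rate check, path-based suppression, and an alert that carries the attacker's identity, source IP and affected objects. The following is an added example written for this page, not Superna's code, of how such a check can be expressed over CloudTrail records. The thresholds, the "bucket/key-path" wildcard convention and the sample events are all constructed assumptions; a real deployment learns its thresholds per bucket and the records only exist if S3 data event logging is enabled for the bucket.

```python
"""Mass-delete detection over CloudTrail S3 data events.

Added illustration (not Superna code): a per-principal sliding-window
rate check with an ignore list (suppress entirely) and a monitor list
(detect, track and alert, but never lock out), both matched by a
"bucket/key-path" wildcard. The events below are constructed, not
captured from a real account; thresholds are assumptions.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

DELETE_THRESHOLD = 5               # assumed: deletes per principal per window
WINDOW = timedelta(seconds=60)     # assumed sliding window

# Wildcards are matched against "<bucket>/<object key>".
IGNORE_LIST = ["logs-bucket/*", "finance-data/tmp/*"]     # never monitored
MONITOR_LIST = ["finance-data/reports/*"]                  # alert only, no lockout


def _matches(patterns, bucket, key):
    path = f"{bucket}/{key}"
    return any(fnmatchcase(path, p) for p in patterns)


class MassDeleteDetector:
    def __init__(self, threshold=DELETE_THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)   # principal ARN -> (time, bucket, key) inside the window
        self.alerts = []
        self.locked = set()                # principals that would be disabled

    def process(self, event):
        """Feed one CloudTrail record (in time order); return an alert dict when a burst is found."""
        if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "DeleteObject":
            return None
        bucket = event["requestParameters"]["bucketName"]
        key = event["requestParameters"]["key"]
        if _matches(IGNORE_LIST, bucket, key):
            return None
        principal = event["userIdentity"]["arn"]
        ts = datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))
        window = self.recent[principal]
        window.append((ts, bucket, key))
        while ts - window[0][0] > self.window:      # drop deletes older than the window
            window.popleft()
        if len(window) < self.threshold:
            return None
        # Lockout is suppressed only when every object in the burst is on the monitor list.
        action = "alert_only" if all(_matches(MONITOR_LIST, b, k) for _, b, k in window) else "lockout"
        alert = {
            "time": ts.isoformat(),
            "principal": principal,
            "source_ip": event.get("sourceIPAddress"),
            "affected_objects": sorted(f"{b}/{k}" for _, b, k in window),
            "action": action,
        }
        if action == "lockout":
            self.locked.add(principal)   # a real responder would attach a deny policy to the principal here
        window.clear()                   # start a fresh burst after reporting this one
        self.alerts.append(alert)
        return alert


def run_detector(events):
    det = MassDeleteDetector()
    for ev in events:
        det.process(ev)
    return det


def alert_to_csv(alert):
    """One row per affected object: the CSV export a responder hands to restore tooling."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["principal", "source_ip", "object"])
    for obj in alert["affected_objects"]:
        w.writerow([alert["principal"], alert["source_ip"], obj])
    return buf.getvalue()


# --- constructed sample CloudTrail records (only the fields used above) ---
def _event(time, arn, ip, bucket, key):
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
            "userIdentity": {"type": "IAMUser", "arn": arn}, "sourceIPAddress": ip,
            "requestParameters": {"bucketName": bucket, "key": key}}

ADMIN = "arn:aws:iam::123456789012:user/backup-admin"
ATTACKER = "arn:aws:iam::123456789012:user/contractor"
SAMPLE_EVENTS = (
    [_event(f"2024-05-01T10:00:{i:02d}Z", ADMIN, "10.0.0.5", "logs-bucket", f"2024/05/{i}.gz") for i in range(8)]
    + [_event(f"2024-05-01T10:01:{i:02d}Z", ATTACKER, "203.0.113.7", "finance-data", f"reports/q{i}.xlsx") for i in range(5)]
    + [_event(f"2024-05-01T10:02:{i:02d}Z", ATTACKER, "203.0.113.7", "finance-data", f"payroll/{i}.csv") for i in range(5)]
    + [_event("2024-05-01T10:03:00Z", ADMIN, "10.0.0.5", "finance-data", "tmp/scratch.bin")]
)

if __name__ == "__main__":
    det = run_detector(SAMPLE_EVENTS)
    for a in det.alerts:
        print(a["action"], a["principal"], len(a["affected_objects"]), "objects")
    print(alert_to_csv(det.alerts[-1]))
```

Run as written, the eight log-bucket deletes are suppressed by the ignore list, the five report deletes produce an alert-only event because that path is on the monitor list, and the five payroll deletes produce a lockout event for the same principal. Two points matter when adapting this: the check is per principal, so an attacker spreading deletes across several compromised users stays under a per-user threshold unless you also aggregate per source IP or per bucket, and the affected-object list is only as complete as the CloudTrail data event coverage for the bucket.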

Road Map

  1. Simple Notification Service (SNS) topics to notify administrators of alerts

  2. Restore Manager to automate restoring affected objects from previous versions (versioning must already be enabled on the bucket before the attack, since S3 retains earlier versions only from that point on)
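The Restore Manager item rests on one S3 mechanism: with versioning enabled, a ransomware overwrite becomes a newer version and a delete becomes a delete marker, and the pre-attack version is still in the history. The following added example, written for this page and not Superna's Restore Manager, shows that recovery step with the two boto3 S3 calls it needs (list_object_versions and copy_object), driven by an affected-object list of the kind the detection alert produces. The FakeS3 class, bucket name, keys and attack timeline are constructed stand-ins so the example runs offline; a real boto3 client can be passed in their place.

```python
"""Restoring affected objects from previous S3 versions.

Added illustration, not Superna's Restore Manager: for each affected key,
the newest version written before the attack started is copied back over
the key, which makes it the current version again whether the attacker
overwrote the object or left a delete marker on it. Only the boto3 calls
list_object_versions and copy_object are used, so a real boto3 S3 client
can be passed in; FakeS3 below is a constructed stand-in so this runs offline.
"""
from datetime import datetime, timedelta, timezone


def restore_previous_version(s3, bucket, key, attack_start):
    """Return "untouched", "restored" or "unrecoverable" for one key.

    attack_start must be timezone-aware (boto3 returns aware datetimes).
    Anything written at or after it is distrusted, delete markers included.
    """
    resp = s3.list_object_versions(Bucket=bucket, Prefix=key)
    versions = [v for v in resp.get("Versions", []) if v["Key"] == key]
    markers = [m for m in resp.get("DeleteMarkers", []) if m["Key"] == key]
    history = versions + markers
    if not history:
        return "unrecoverable"                  # no history: versioning was off
    newest = max(history, key=lambda e: e["LastModified"])
    if newest["LastModified"] < attack_start:
        return "untouched"                      # last change predates the attack
    good = [v for v in versions if v["LastModified"] < attack_start]
    if not good:
        return "unrecoverable"                  # created during the attack, or old versions purged
    src = max(good, key=lambda v: v["LastModified"])
    # Copying a specific VersionId onto its own key creates a new current
    # version; the attacker's version and any delete marker stay in history.
    s3.copy_object(Bucket=bucket, Key=key,
                   CopySource={"Bucket": bucket, "Key": key, "VersionId": src["VersionId"]})
    return "restored"


def restore_objects(s3, bucket, keys, attack_start):
    """Run the restore over an affected-object list and report the per-key outcome."""
    return {k: restore_previous_version(s3, bucket, k, attack_start) for k in keys}


class FakeS3:
    """Constructed in-memory model of a versioning-enabled bucket (not boto3).

    Implements just the two calls used above, with the same argument and
    return shapes, plus seed() and current_body() to build and check the timeline.
    """
    def __init__(self):
        self._rows = []
        self._last = datetime(2024, 1, 1, tzinfo=timezone.utc)

    def seed(self, bucket, key, body, when=None, marker=False):
        when = when or self._last + timedelta(seconds=1)
        self._last = max(self._last, when)
        self._rows.append({"Bucket": bucket, "Key": key, "VersionId": f"v{len(self._rows) + 1}",
                           "LastModified": when, "Marker": marker, "Body": body})

    def list_object_versions(self, Bucket, Prefix=""):
        out = {"Versions": [], "DeleteMarkers": []}
        for r in self._rows:
            if r["Bucket"] == Bucket and r["Key"].startswith(Prefix):
                entry = {k: r[k] for k in ("Key", "VersionId", "LastModified")}
                out["DeleteMarkers" if r["Marker"] else "Versions"].append(entry)
        return out

    def copy_object(self, Bucket, Key, CopySource):
        src = next(r for r in self._rows
                   if (r["Bucket"], r["Key"], r["VersionId"])
                   == (CopySource["Bucket"], CopySource["Key"], CopySource["VersionId"]))
        self.seed(Bucket, Key, src["Body"])   # new version, stamped after everything else

    def current_body(self, Bucket, Key):
        """What GetObject would return now; None when a delete marker is on top."""
        rows = [r for r in self._rows if r["Bucket"] == Bucket and r["Key"] == Key]
        newest = max(rows, key=lambda r: r["LastModified"])
        return None if newest["Marker"] else newest["Body"]


# --- constructed attack timeline ---
BUCKET = "finance-data"
ATTACK_START = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
AFFECTED_KEYS = ["reports/q1.xlsx", "reports/q2.xlsx", "reports/new.xlsx", "reports/untouched.xlsx"]


def build_sample_bucket():
    def t(h, m):
        return datetime(2024, 5, 1, h, m, tzinfo=timezone.utc)
    s3 = FakeS3()
    s3.seed(BUCKET, "reports/q1.xlsx", b"Q1 figures", t(9, 0))
    s3.seed(BUCKET, "reports/q2.xlsx", b"Q2 figures", t(9, 0))
    s3.seed(BUCKET, "reports/untouched.xlsx", b"untouched", t(9, 0))
    s3.seed(BUCKET, "reports/q1.xlsx", b"ENCRYPTED", t(10, 1))              # attacker overwrite
    s3.seed(BUCKET, "reports/q2.xlsx", None, t(10, 2), marker=True)         # attacker delete
    s3.seed(BUCKET, "reports/new.xlsx", b"RANSOM_NOTE", t(10, 3))           # attacker-created
    return s3


if __name__ == "__main__":
    s3 = build_sample_bucket()
    for key, outcome in restore_objects(s3, BUCKET, AFFECTED_KEYS, ATTACK_START).items():
        print(f"{outcome:13} {key}")
```

The "unrecoverable" outcome is the case to watch for: it appears when versioning was enabled after the attack, when the object was created by the attacker, or when the compromised principal also held s3:DeleteObjectVersion and purged the history. Denying that permission on data buckets (or using MFA delete or Object Lock) is what keeps this restore path viable. Against real S3, the restoring principal needs s3:GetObjectVersion on the source and, for objects above 5 GB, copy_object must be replaced with a multipart copy.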