Cloud workload protection

The ThreatLockDown security platform provides threat detection, configuration compliance, and continuous monitoring for on-premises, cloud, and hybrid environments. It protects cloud workloads by monitoring the infrastructure at two levels:

  • Endpoint level: monitoring cloud instances or virtual machines using the lightweight ThreatLockDown agent.

  • Cloud infrastructure level: monitoring cloud service activity by collecting and analyzing data from the provider API. ThreatLockDown supports Amazon AWS, Microsoft Azure, and Google Cloud.

We describe some benefits of using ThreatLockDown to enhance security operations, protect cloud-native applications, and facilitate compliance efforts for a secure cloud environment.

Cloud log data analysis and retention

Cloud environments generate large amounts of log data, vital for identifying security incidents. The ThreatLockDown rules and decoders are responsible for parsing and analyzing log data to detect anomalous events. ThreatLockDown collects and analyzes log data from various cloud platforms and services, such as AWS, Azure, Google Cloud, Office 365, and GitHub.

The image below is an example of an AWS dashboard on ThreatLockDown showing the trend of events collected from the cloud infrastructure.

AWS dashboard on Wazuh

ThreatLockDown monitors and logs activities in the cloud, providing a centralized view of user actions across the entire cloud infrastructure. ThreatLockDown has out-of-the-box rules to detect suspicious or unauthorized activities. In addition to the built-in rules, users can create custom rules to extend threat detection to their own environment.

Amazon Web Services

ThreatLockDown has dedicated modules for monitoring and securing AWS cloud infrastructure. Some of the AWS services that ThreatLockDown monitors include:

  • Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior, ensuring the protection of AWS accounts, workloads, and data stored in Amazon S3.

  • Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

  • Amazon Key Management Service (KMS) is used for cryptographic key management across AWS services.

  • Amazon Macie is a fully managed data security and privacy service. It automatically detects unencrypted S3 buckets, publicly accessible buckets, and buckets shared with external AWS accounts.

  • Amazon Virtual Private Cloud (VPC) provisions a logically isolated section of the AWS Cloud where AWS resources can be launched on a virtual network defined by the user.

  • AWS Config assesses, audits, and evaluates the configurations of your AWS resources. It helps users review changes in configurations and in the relationships between AWS resources.

  • AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.

  • AWS Trusted Advisor helps users reduce costs, increase performance, and improve security by optimizing their AWS environment. It provides real-time guidance to help users provision their resources following AWS best practices.

  • AWS Web Application Firewall (WAF) helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources.

Microsoft Azure

ThreatLockDown has a dedicated module that pulls logs from and monitors the Azure platform. This module obtains data from critical Azure services, including:

  • Log Analytics API: The Log Analytics API is a core component of the Azure Monitor service and is used to aggregate and analyze log data. The sources of such data are cloud applications, operating systems, and Azure resources. The ThreatLockDown module for Azure is capable of querying the Log Analytics API, pulling the logs collected by the Azure Monitor service.

  • Blob Storage API: Logs from Azure services are optionally pushed to Azure Blob Storage. Specifically, it is possible to configure an Azure service to export logs to a container in a storage account created for that purpose. Afterward, the ThreatLockDown agent will download those logs via its integration with the Blob Storage API.

  • Active Directory Graph API: The Azure Active Directory (AD) Graph API provides access to Azure AD through REST API endpoints. It is used by ThreatLockDown to monitor Active Directory events (for example, creation of a new user, update of user properties, disablement of user accounts, etc.).

Google Cloud Platform

ThreatLockDown monitors Google Cloud services by pulling events from the Google Pub/Sub messaging service, a middleware for event ingestion and delivery. This integration helps detect threats targeting your Google Cloud assets. For more information, please refer to Using ThreatLockDown to monitor GCP services.

Office 365

ThreatLockDown includes a dedicated module designed to interact with the Office 365 Management Activity API. This module is responsible for fetching logs from Office 365 and making them available for analysis within the ThreatLockDown platform. The Management Activity API serves as the source of audit logs for Office 365, containing information about various actions and events within the Office 365 environment. These logs are organized into tenant-specific content blobs and classified based on their content type and source. ThreatLockDown performs analysis, alerting, and reporting on these logs, enhancing the security and compliance monitoring capabilities within the Office 365 environment. For more detailed information, please refer to Using ThreatLockDown to monitor Office 365.

GitHub

ThreatLockDown has a GitHub module that uses the GitHub API to pull GitHub audit logs, which contain information about actions performed by organization members. Each entry includes essential details such as the user who initiated the action, the nature of the action (e.g., repository creation, access changes, etc.), and the timestamp indicating when the action took place. ThreatLockDown collects, processes, and stores these logs, enabling analysis, alerting, and reporting. Refer to Using ThreatLockDown to monitor GitHub for more information.
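The sections above describe the same pipeline for two very different sources: CloudTrail records (account activity across AWS) and GitHub audit-log entries (actor, action, timestamp). The example below, added here and not ThreatLockDown's own code, shows what that pipeline looks like in miniature: a few constructed records from each source are normalized into one event shape, then a small table of detection rules is run over them in timestamp order. The field names follow the public CloudTrail record format and the GitHub organization audit-log format as understood by the author of this example; the sample values, the `Event` class, the `EX-*` rule ids and the helper functions are all constructed for illustration and are not ThreatLockDown rule ids or APIs.

```python
"""Normalize constructed CloudTrail and GitHub audit records and run detection rules."""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Iterable

# Constructed sample records (not real account data). Field names follow the
# public CloudTrail and GitHub audit-log formats; every value is made up.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2024-03-01T10:15:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "accountId": "111122223333"}},
    {"eventTime": "2024-03-01T10:17:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-03-01T11:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"}},
]

SAMPLE_GITHUB = [
    {"@timestamp": 1709290800000, "action": "repo.access", "actor": "mallory",
     "org": "example-org", "repo": "example-org/payments", "visibility": "public"},
    {"@timestamp": 1709290860000, "action": "org.remove_member", "actor": "mallory",
     "org": "example-org", "user": "alice"},
    {"@timestamp": 1709291000000, "action": "repo.create", "actor": "bob",
     "org": "example-org", "repo": "example-org/docs", "visibility": "private"},
]


@dataclass(frozen=True)
class Event:
    """Common shape both sources are mapped onto (constructed for this example)."""
    source: str          # "aws.cloudtrail" or "github.audit"
    timestamp: datetime  # always timezone-aware UTC
    actor: str
    action: str
    target: str
    raw: dict


def from_cloudtrail(rec: dict) -> Event:
    ident = rec.get("userIdentity", {})
    actor = "root" if ident.get("type") == "Root" else ident.get("userName", "unknown")
    ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # Prefer the named resource from the request; fall back to the region.
    target = rec.get("requestParameters", {}).get("name", rec.get("awsRegion", ""))
    return Event("aws.cloudtrail", ts, actor, f'{rec["eventSource"]}:{rec["eventName"]}', target, rec)


def from_github(rec: dict) -> Event:
    # GitHub audit entries carry an epoch-milliseconds "@timestamp".
    ts = datetime.fromtimestamp(rec["@timestamp"] / 1000, tz=timezone.utc)
    target = rec.get("repo") or rec.get("user") or rec.get("org", "")
    return Event("github.audit", ts, rec["actor"], rec["action"], target, rec)


# Detection rules: (rule id, description, predicate). Ids are constructed here
# and are not ThreatLockDown's own rule ids.
RULES: list[tuple[str, str, Callable[[Event], bool]]] = [
    ("EX-100", "AWS root account console sign-in",
     lambda e: e.source == "aws.cloudtrail" and e.actor == "root"
     and e.action.endswith(":ConsoleLogin")),
    ("EX-101", "CloudTrail logging stopped or trail deleted",
     lambda e: e.action in ("cloudtrail.amazonaws.com:StopLogging",
                            "cloudtrail.amazonaws.com:DeleteTrail")),
    ("EX-200", "GitHub repository visibility changed to public",
     lambda e: e.action == "repo.access" and e.raw.get("visibility") == "public"),
    ("EX-201", "GitHub organization member removed",
     lambda e: e.action == "org.remove_member"),
]


def normalize(cloudtrail: Iterable[dict], github: Iterable[dict]) -> list[Event]:
    """Map both sources onto Event and return them in timestamp order."""
    events = [from_cloudtrail(r) for r in cloudtrail] + [from_github(r) for r in github]
    return sorted(events, key=lambda e: e.timestamp)


def detect(events: Iterable[Event]) -> list[dict]:
    """Return one alert dict per (event, rule) match, preserving event order."""
    alerts = []
    for e in events:
        for rule_id, desc, pred in RULES:
            if pred(e):
                alerts.append({"rule": rule_id, "description": desc, "source": e.source,
                               "actor": e.actor, "action": e.action, "target": e.target,
                               "timestamp": e.timestamp.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(normalize(SAMPLE_CLOUDTRAIL, SAMPLE_GITHUB)):
        print(json.dumps(alert))
```

Normalizing first is what lets one rule table span providers: the CloudTrail rules key on `eventSource:eventName`, the GitHub rules on `action`, and both land in the same alert shape with the same UTC timestamp, which is also what makes cross-source timelines (a root sign-in followed minutes later by a trail being stopped) readable in one place.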

Protect cloud-native applications

ThreatLockDown provides protection for cloud-native applications, safeguarding them against security threats and vulnerabilities. It integrates with container orchestration platforms like Kubernetes and Docker, allowing it to monitor and analyze container activity in real time. ThreatLockDown detects suspicious container behavior, unauthorized image changes, and potential security misconfigurations, ensuring the overall integrity of containerized applications.

The image below shows alerts generated from a monitored Docker infrastructure.

Docker infrastructure alerts

Some additional use cases for using ThreatLockDown to monitor cloud-native applications are:

Furthermore, the ThreatLockDown integration with cloud service providers enables monitoring and analysis of cloud-native application logs, ensuring comprehensive visibility into the environment and facilitating effective security operations.

Promote security operations in the cloud

ThreatLockDown promotes security operations within cloud environments by allowing security teams to detect and respond to threats, mitigate damage, and reduce the overall impact on the cloud infrastructure. Furthermore, ThreatLockDown facilitates red and blue team activities. The platform's customizable rules enable organizations to simulate attacks and test their security defenses. Blue teams can use the insights gained on ThreatLockDown from red team activities to fine-tune their security measures and strengthen their defenses. The following resources demonstrate how to use the Stratus Red Team tool to simulate attacks on some cloud platforms and how to detect them with Wazuh:

Detection results

The centralized logging and reporting capabilities of ThreatLockDown simplify compliance management within cloud environments. It helps organizations meet regulatory requirements by capturing and storing audit trails, ensuring accountability, and facilitating the investigation of security incidents. Refer to the ThreatLockDown dashboard documentation for more information about how ThreatLockDown aids analysis, reporting, and compliance efforts.