With the prevalence of cloud computing, we are able to build our apps that scale quicker all over the world, more redundant, and more cost-effective. To understand the predominance of cloud services, take a quick glance at Gartner's 2022 report:
Worldwide end-user spending on public cloud services is forecast to grow 20.4% in 2022 to total $494.7 billion, up from $410.9 billion in 2021, according to the latest forecast from Gartner, Inc. In 2023, end-user spending is expected to reach nearly $600 billion.
Security is one of the critical topics that is being overlooked as cloud computing becomes more popular. While businesses transition to the cloud, they may believe that security concerns are solely the responsibility of cloud providers. To avoid making this error, we should study the shared responsibility model.
This diagram is published by AWS and can be seen here. We can identify which security-related concerns are under our control by looking at this model. If we list the most typical cloud security mistakes;
And the list continues…
But how can we meet all of these security requirements? How can we be alerted when someone violates our rules? How can we centrally monitor all environments, rules, systems, and regions from a single location? How can we identify when there is an anomaly with the system?
This is where Lacework comes to our rescue. Lacework collects and evaluates cloud security metrics and data. This allows you to monitor your cloud security status from a single location. You can view these in the UI and create different alarms and reports.
In this article, I will compare the differences and similarities between Lacework and AWS Security services. Then I'll discuss which one could be used in different scenarios.
I’ll compare Lacework with GuardDuty, Inspector, Config, and Security Hub.
Amazon GuardDuty is a threat detection service that continuously monitors data sources, such as AWS CloudTrail data events for Amazon S3 logs, CloudTrail management event logs, DNS logs, Amazon EBS volume data, Amazon EKS audit logs, and Amazon VPC flow logs for malicious activity and unauthorized behavior to protect your Amazon Web Services accounts, workloads.
Lacework |
Amazon GuardDuty |
|
Predefined rules |
Rules Optional Anomalous Detections (Detect unknown unknowns + known bads) |
AWS developed ruleset against threats common to all AWS customers using known attack tactics |
Region |
Builds a model for every AWS account for workloads in all regions |
Region-specific service. Needs to be enabled in all 21 regions of an account. Findings are isolated to region |
Investigation |
Investigation built into the alerting |
Uses AWS Detective for further investigation |
Agent |
Application/Container/K8s visibility = Agent |
Application/container/host visibility requires additional tools and a different interface |
Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for vulnerabilities. Amazon Inspector automatically discovers and scans Amazon EC2 instances and container images residing in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities and unintended network exposure.
Lacework |
Amazon Inspector |
Run time protection to detect compromised instances for container-based applications |
Easy setup in the AWS Console (a few clicks) |
Data aggregation across instances in all regions |
Continuous scanning for vulnerabilities on hosts and in container images in ECR |
OS package manager installed software plus Non-OS language libraries scanned (i.e. packages installed with pip, npm, etc.) for containerized workloads |
At launch, doesn’t support Windows OS for EC2 or distroless container images |
Vulnerabilities in container registries are correlated with containers running in your environment |
No correlation between vulns in ECR and running containers |
AWS Config is a cloud auditing service that offers an inventory of current resources as well as tracking AWS resources to examine compliance and security levels.
Lacework |
AWS Config |
Learns user and entity behavior (UEBA) for each account and alerts when anomalous behavior occurs |
Rules-based approach to discovering when resource configuration has changed |
Config and compliance are out of the box features |
Provides information about whether your resources are compliant with configuration rules you specify |
After account integration, all activity is available in all regions |
Regional service that needs to be enabled in every account and every region |
Discovery and detection made easy with high context events for troubleshooting and remediation |
Easy tracking for change management |
AWS Security Hub collects and compares security data from AWS services and other vendor security services to best practices and compliance standards.
Lacework |
AWS Security Hub |
Platform approach to security with aggregated data for all your AWS accounts |
Single place that aggregates, organizes, and prioritizes your security alerts or findings from multiple AWS services and vendor services |
Provides customer-centric evaluation of your security posture with baseline behavioral analytics |
Trying to bring “single-pane-of-glass” consolidation of scattered security tools |
Multiple accounts supported after integrations are set up with multi-region resource assessment |
Region-based service, which must be set up in every individual region you may have workloads in |
Lacework may be handy if you are working with more than one cloud provider and have many environments. From a centralized place, you can monitor the security status of all environments and cloud providers. However, if you simply use AWS, AWS Native services will function. You can receive data from other accounts if you define an account as a security account and make it a delegated administrator.