What is our primary use case?
Most of the time, Amazon GuardDuty is used to collect additional network login requirements, so it's basically in the compliance setting, particularly if you need to collect additional logs, or you need additional protection for your infrastructure in the cloud. Those are the areas where you can utilize Amazon GuardDuty and have it assist with compliance, as it's one of the authorized services for compliance, and it's more than likely the tool to use. For the most part, my organization uses the solution for additional protection within the cloud and also to assist with any additional login capabilities that you can't get through the other services. Amazon GuardDuty fills those gaps and helps facilitate a lot of gaps that you have.
What is most valuable?
What I like most about Amazon GuardDuty is that you can monitor your AWS accounts across, but you don't have to pay the additional cost. You can get all your CloudTrail VPC flow logs and DNS logs all in one, and then you get the monitoring with that. A lot of times, if you had a separate tool on-premise, you would have to set up your DNS logs, so usually, Amazon GuardDuty helps with all your additional networking requirements, so I utilize it for continuous monitoring because you can't detect anything if you're not monitoring, and the solution fills that gap. If you don't do anything else first, you can deploy your firewall, and then you've got your Route 53 DNS and DNSSEC, but then Amazon GuardDuty fills that, and then you have audit requirements in AU that says, "Hey, what are your additional logs?", so you can just say, "Hey, we utilize Amazon GuardDuty." You're getting your CloudTrail, your VPC flow logs, and all your DNS logs, and those are your additional logs right there, so the solution meets a lot of requirements. Now, everything comes with a cost, but I also like that the solution also provides threat response and remediation. It's a pretty good product. I've just used it more for log analysis and that's where the value is at, the niche value. Once you do threat detection, it goes into a lot of other integrations you need to implement, so threat detection is only good as the integration, as the user that knows the tools itself, and the architecture and how it's all set up and the rules that you set within that.
What needs improvement?
Improvement-wise, Amazon GuardDuty should have an overall dashboard analytics function so we could see what's in the current environment, and then in addition to that, provide best practices and recommendations, particularly to provide some type of observability, and then figure out the login side of it, based on our current environment, in terms of what we're not monitoring and what we should monitor. The solution should also give us a sample code configuration to implement that added feature or feature request.
What I'd like to see in the next release of Amazon GuardDuty are more security analytics, reporting, and monitoring. They should provide recommendations and additional options that answer questions such as "Hey, what can we see in our environment?", "What should we implement within the environment?", What's recommended?"
We know that cost will always be associated with that, but Amazon GuardDuty should show us the increased costs or decreased costs if we implement it or don't implement it, and that would be a good feature request, particularly with all products within AWS, just for cloud products in general because there are times features are implemented, but once they're deployed, they don't tell you about costs that would be generated along with those features. After features are deployed, there should a summary of the costs that would be generated, and projected based on current usage, so they would give us the option to figure out how long we're going to use those features and the option to keep those on or turn those off. If more services were like that, a lot more people would use those on the cloud.
For how long have I used the solution?
I've used Amazon GuardDuty for a year, and I've used it with other organizations as well.
What do I think about the stability of the solution?
Amazon GuardDuty has wonderful stability. My organization is currently using it in the production environment and it works really well. A lot of companies I know are using it, and I've been a third-party assessor before, and the companies I know implement the solution along with Cloud Trail and CloudWatch to get that observability, and then if you decide to do threat response and you want to tag an MSSP provider, all you have to do is link into Amazon GuardDuty, and that's it, you're done. The solution has its pros and cons.
What do I think about the scalability of the solution?
Amazon GuardDuty is a scalable solution. My organization didn't have a problem with adding users. What's been challenging is doing it through infrastructure as code, but just regular added users should be straightforward and easy to do.
How are customer service and support?
I haven't had to use technical support for Amazon GuardDuty yet. Maybe somebody else used it for integration help, for example, to just try to make another integration work with it, but that's about it. A lot of times it would be "Hey, I don't understand that portion of the integration", so you've got to contact support and the code was messed up because a lot of times, in one development or one product, if the codebase is changed and it's not connecting, it could be a coding issue. Eighty percent of the time, you're changing a code issue in a pipeline, a code data integration, or an issue with the API. Most of the time that's the issue.
Which solution did I use previously and why did I switch?
My organization decided to go with Amazon GuardDuty because most of the infrastructure resides in AWS, so it was just a lot easier for compliance purposes to go with that to get the additional observability for the additional logs that are required.
How was the initial setup?
How easy the initial setup for Amazon GuardDuty all depends on the architecture. If you're deploying this right out of the box, it's easy. A lot of times you want to implement your firewalls and more complex requirements going forward and it just depends on where you set it up in your architecture. It could be more complex if you're dealing with certain requirements, but more than likely, it's self-explanatory. Sometimes, depending on the integrations you're using with the solution, the integrations can be always complex because you're trying to implement Amazon GuardDuty logs to Qualys, for example. The complexities occur during integration and that's usually true for most products.
I had to implement Amazon GuardDuty with Qualys, and the integration was painful because Qualys didn't accept it, but Amazon was right for it, but then the other provider makes it more challenging. Utilizing and using infrastructure as code is a whole challenge itself as well, so if you do it just regular based, you'll think you're okay, and my current organization has that problem because my organization wants to implement infrastructure as code and that's great, but if you see that you're having problems with the modules, then you shouldn't use infrastructure as code, but if that's what my organization wants to do, I just let the DevOps team deal with that. As long as the solution is deployed and I can get observability of the environment, that's all that matters to me.
What's my experience with pricing, setup cost, and licensing?
I don't have all the details in terms of licensing for Amazon GuardDuty, but my organization does have a license set up for it.
What other advice do I have?
I use the latest and greatest version of Amazon GuardDuty that's available on the market.
The number of users of Amazon GuardDuty in my organization is between one to ten. Per my boss, it's a maximum of ten.
My advice to someone who wants to use the solution for the first time is that you've got to establish your use case. What are you going to use it for? Focus on that area, and then I would also implement a proof of concept to make sure that it's set up in your staging environment where you can do all your testing and get all your test results. Depending on what you can implement, make sure your integrations work, and the other tools you have you should also integrate with Amazon GuardDuty in your testing, so when you go to production with it, you would understand the ROI for using the tool.
A lot of times, you always want to have a centralized view of everything in your environment. What you don't want is when you have to go to this tool and then go to that tool, and it's just so much. You already have to do MFA just to get into it, and then once you're in, you'd want to see your whole environment and just get all your touchpoints, so integration is the key component to test within Amazon GuardDuty.
I would rate Amazon GuardDuty seven out of ten because some of the integrations may not work well with it, and depending on the integration that you're working with, the security tools have a lot of requirements to implement. Integration support should be a little bit easier, and it just depends on whether you're doing infrastructure as code versus doing just regular batch scripting, or a formation template. The solution has pros and cons.
My organization is a customer of Amazon GuardDuty.
Which deployment model are you using for this solution?
Public Cloud
*Disclosure: My company does not have a business relationship with this vendor other than being a customer.
