Source: Sift Security Blog

Sift Security Blog AWS ECS Integration

CloudHunter Amazon ECS Integration

Sift Security CloudHunter integrates with Amazon EC2 Container Service (ECS) to improve visibility and enhance detection, threat hunting, and incident response capabilities. For ECS instances, CloudHunter provides high-fidelity anomaly detection results to identify potentially compromised instances. CloudHunter considers the quality of the baseline when determining how to prioritize alerts. Because containers are generally single-purpose and homogeneous, they have highly predictable baselines, from which CloudHunter can easily identify and prioritize abnormal behavior. CloudHunter also provides useful visualizations around ECS instances, such as which auto scaling groups and images they are created from, and which users are responsible for any changes made to them.

The screenshot below shows CloudHunter being used to investigate a compromised ECS instance. The graph shows all the instances of a container, with an alert for one of the nine instances exhibiting unusual behavior. The alert (in red) shows unusual network traffic, indicating a potentially malicious login from an unusual geo-location. CloudHunter enables you to take mitigating actions directly from the canvas, selecting the compromised instance (highlighted in blue) and shutting it down.

What is Amazon ECS?

Amazon EC2 Container Service (ECS) is a highly scalable, high performance container management service that supports Docker containers and allows you to easily run applications on a managed cluster of Amazon EC2 instances. Amazon ECS eliminates the need for you to install, operate, and scale your own cluster management infrastructure. With simple API calls, you can launch and stop Docker-enabled applications, query the complete state of your cluster, and access many familiar features like security groups, Elastic Load Balancing, EBS volumes, and IAM roles.

Est. Annual Revenue
$100K-5.0M
Est. Employees
25-100
Founder & CEO

Neil King

CEO Approval Rating

71/100
