AnnouncementCase StudyCheckmarkcustomer-story-iconData Sheethow-to-logoposts

Amazon Web Services

24x7 detection and response for AWS workloads and custom apps using AWS native services

Overview What we do What we look for How we connect to AWS Additional resources

Managed detection and response for AWS

(delivered by a team that knows AWS instances are cattle, not pets)

When you’re growing, security can take a back seat to the needs of your engineers. That makes sense. After all, you want your engineers focused on coding. Expel helps your security strategy keep up by detecting and chasing down security risks unique to Amazon Web Services.

Detections designed
for your AWS environment

Our AWS detection strategy uses native AWS services:

  • Analyzes GuardDuty
  • Adds custom detections for high-risk activities
  • Then, we tune our detections to match your apps and workloads

What we do

24x7 AWS monitoring

Our analysts chase down your AWS alerts so you can focus on building new features, products and services.

Investigations in AWS

We’ll connect the dots from suspicious AWS alerts back to their root cause and tell you what they mean.

Fixes “written in cloud”

Whenever possible, our analysts will recommend configuration changes to address activities we tell you about.

We wanted [a provider] with analysts who were well-versed with cloud tools and architecture. We were impressed with Expel’s cloud knowledge … Expel’s approach to security felt more like a partnership — one where our two teams would work seamlessly together.

— Lori Temples, VP, IT Security

Read customer story

What we look for

(updated at AWS speed)

AWS rolls out nifty new services and capabilities at a dizzying pace. As you add new AWS services, we’ll evaluate them and update our detection and response strategy where it makes sense so your security strategy can stay in synch with your engineering team. Here are a few examples of things we’ll look for:

Suspicious logins and
unauthorized access

Disabling or changing AWS
security capabilities

Unauthorized sharing or access to
sensitive data

Evidence of
instance compromise

Unusual changes to AWS Virtual
Private Clouds (VPC)

Risky violations of AWS best
practices

How we use native AWS services

(hint: GuardDuty is just a starting point)

Expel uses API integrations to connect directly to the AWS platform. We support authentication via an AWS IAM Role (recommended) or IAM User with a set of read-only permissions. To collect data, Expel communicates directly with APIs for services like GuardDuty and Inspector, and pulls CloudTrail data from S3.

How Expel uses AWS services for detection, investigation and response

AWS service Examples of how we use them Detect Investigate Remediate

Detection signal

Things that ring the bell and tell us there’s something to look for
Amazon GuardDuty To find things that go bump in your VPC
AWS Identity & Access Management Monitor who’s accessing your environment
Amazon Inspector Know when config changes are putting you at risk
AWS Key Management Service Monitor who’s touching your encrypted data
Amazon RDS Know when your data goes for a walk
Amazon Redshift Know when your data goes for a walk
AWS Security Hub Unified view and compliance checks

Investigative support

What our SOC uses to determine if there’s a real threat and determine the scope and intent
AWS CloudTrail The API audit log you’ve been waiting for
Amazon CloudWatch Operational monitoring, FTW!
Amazon Detective Decision support that turns frowns upside down

Remediation tools

We don't kill or isolate production services but we can talk about how to use these services
AWS Lambda Make fixes to give you that 'post' breach touch-up look
AWS Systems Manager Automation to restore you to know-good
Microsoft Azure overview What does it cost? Microsoft O365 overview

Blog

Making sense of
Amazon GuardDuty alerts

What is AWS GuardDuty and how can you make sense of all the signals? Here are our pro tips.

Blog

Following the
CloudTrail: Generating strong AWS security signals with Sumo Logic

Looking to get more or better security signals out of AWS? Then you’ll wanna read our pro tips on making the most of Amazon Cloud Trail.

Trial

Put us to the test
with a two-week free trial

Looking to strengthen your cloud security? Then try Expel Workbench™ for AWS to get Expel validated alerts and a chance to automate your investigations.

Give us 30 minutes to show you how we can protect your data and workloads in AWS.

Back To Top