Amazon Web Services
24x7 detection and response for AWS workloads and custom apps using AWS native services
Managed detection and response for AWS
(delivered by a team that knows AWS instances are cattle, not pets)
When you’re growing, security can take a back seat to the needs of your engineers. That makes sense. After all, you want your engineers focused on coding. Expel helps your security strategy keep up by detecting and chasing down security risks unique to Amazon Web Services.
Our detection strategy for your AWS environment builds on native AWS services:
- Analyze GuardDuty and Macie alerts
- Add custom detections for high-risk activities
- Tune those detections to match your apps and workloads
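As an added illustration of what a custom detection for high-risk activity looks like (example code written for this page, not Expel's detection content), the Python below runs a few rules over CloudTrail records in the form CloudTrail delivers to S3: gzip-compressed JSON objects holding a `Records` list. The rule set, account ID, ARNs, addresses and timestamps are all assumptions; the sample records are constructed. One edge case is handled deliberately: a call that CloudTrail shows as denied (`errorCode` present) changed nothing, but it still shows intent, so it is reported under an `attempted-` prefix rather than dropped.

```python
"""Custom detections for high-risk AWS activity over CloudTrail records (added example)."""
import gzip
import json
from dataclasses import dataclass

# eventSource -> (rule name, eventNames that weaken logging, encryption or access control).
# Assumed rule set for this example; it is not complete and not a vendor's list.
HIGH_RISK_EVENTS = {
    "cloudtrail.amazonaws.com": ("logging-tampered", {"StopLogging", "DeleteTrail", "UpdateTrail"}),
    "kms.amazonaws.com": ("encryption-weakened", {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy"}),
    "iam.amazonaws.com": ("iam-privilege-change", {"AttachUserPolicy", "PutUserPolicy", "UpdateAssumeRolePolicy"}),
    "guardduty.amazonaws.com": ("detection-disabled", {"DeleteDetector", "UpdateDetector"}),
    "s3.amazonaws.com": ("bucket-access-changed", {"PutBucketPolicy", "PutBucketAcl", "DeleteBucketPolicy"}),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    event_name: str
    actor: str
    source_ip: str
    event_time: str


def load_cloudtrail_object(blob: bytes) -> list:
    """Decode one CloudTrail log object as delivered to S3 (gzip-compressed JSON)."""
    return json.loads(gzip.decompress(blob))["Records"]


def detect(records) -> list:
    """Apply the custom detections to a batch of CloudTrail records."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        actor = ident.get("arn") or ident.get("type", "unknown")
        source, name = rec.get("eventSource"), rec.get("eventName", "")
        common = (name, actor, rec.get("sourceIPAddress", ""), rec.get("eventTime", ""))

        rule, names = HIGH_RISK_EVENTS.get(source, (None, set()))
        if name in names:
            # A denied call changed nothing, but it still shows intent: keep it, mark it.
            prefix = "attempted-" if rec.get("errorCode") else ""
            findings.append(Finding(prefix + rule, *common))

        # Root console sign-in without MFA (signin.amazonaws.com records carry MFAUsed).
        if ident.get("type") == "Root" and name == "ConsoleLogin":
            if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                findings.append(Finding("root-console-login-without-mfa", *common))

        # Access key minted for a different user than the caller: a common persistence step.
        if source == "iam.amazonaws.com" and name == "CreateAccessKey" and not rec.get("errorCode"):
            target = (rec.get("requestParameters") or {}).get("userName")
            if target and target != ident.get("userName"):
                findings.append(Finding("access-key-created-for-other-user", *common))
    return findings


# Constructed sample records: account ID, ARNs, IPs and times are made up.
_ALICE = {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"}
SAMPLE_RECORDS = [
    {"eventTime": "2021-03-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10", "userIdentity": _ALICE,
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2021-03-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2021-03-01T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10", "userIdentity": _ALICE,
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2021-03-01T10:09:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DisableKey", "sourceIPAddress": "203.0.113.10", "userIdentity": _ALICE,
     "errorCode": "AccessDenied"},
    {"eventTime": "2021-03-01T10:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10", "userIdentity": _ALICE},
]
SAMPLE_OBJECT = gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode())

if __name__ == "__main__":
    for f in detect(load_cloudtrail_object(SAMPLE_OBJECT)):
        print(f"{f.event_time} {f.rule:36} {f.event_name:18} {f.actor} from {f.source_ip}")
```

The benign `DescribeInstances` record produces nothing; the other four each produce one finding. In practice the rule table is where tuning to your own apps and workloads happens, for instance allow-listing the deployment role that legitimately calls `UpdateTrail`.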
What we do
24x7 AWS monitoring
Our analysts chase down your AWS alerts so you can focus on building new features, products and services.
Investigations in AWS
We’ll connect the dots from suspicious AWS alerts back to their root cause and tell you what they mean.
Fixes “written in cloud”
Whenever possible, our analysts will recommend configuration changes to address activities we tell you about.
What we look for
(updated at AWS speed)
AWS rolls out nifty new services and capabilities at a dizzying pace. As you add new AWS services, we’ll evaluate them and update our detection and response strategy where it makes sense, so your security strategy stays in sync with your engineering team. Here are a few examples of things we’ll look for:
How we use native AWS services
(hint: GuardDuty is just a starting point)
Expel uses API integrations to connect directly to the AWS platform. We support authentication via an AWS IAM Role (recommended) or IAM User with a set of read-only permissions. To collect data, Expel communicates directly with APIs for services like GuardDuty and Amazon Inspector, and pulls CloudTrail data from S3.
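The IAM role option above, worked as an added example (not Expel's onboarding material): the Python below builds the role's trust policy and a read-only permissions policy, and lints both for the mistakes that matter when a third party assumes a role in your account. The vendor account ID, external ID, bucket name and the exact permission set are assumptions; the `sts:ExternalId` condition is AWS's standard guard against the confused-deputy problem for third-party cross-account roles, and the read-only check is a simple action-name heuristic, not an authoritative classification.

```python
"""Cross-account read-only role for an MDR integration, with lint checks (added example)."""
import json

VENDOR_ACCOUNT = "111122223333"             # assumed MDR vendor account ID
EXTERNAL_ID = "example-external-id-3f9c"    # assumed; the vendor issues one per customer
LOG_BUCKET = "example-org-cloudtrail"       # assumed bucket that CloudTrail delivers to

READ_PREFIXES = ("Get", "List", "Describe", "Lookup")   # heuristic for read-only actions


def trust_policy(vendor_account, external_id=None):
    """Trust policy allowing the vendor account to assume the role.

    Without external_id this is the weak form: any principal the vendor lets act in
    its account can name your role, which is the classic confused-deputy setup.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{vendor_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def readonly_permissions(log_bucket):
    """Permissions limited to reading findings and the CloudTrail bucket (assumed set)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadFindings", "Effect": "Allow", "Resource": "*",
         "Action": ["guardduty:ListDetectors", "guardduty:ListFindings", "guardduty:GetFindings",
                    "inspector2:ListFindings", "macie2:ListFindings", "macie2:GetFindings",
                    "cloudtrail:LookupEvents"]},
        {"Sid": "ReadTrailBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": f"arn:aws:s3:::{log_bucket}"},
        {"Sid": "ReadTrailObjects", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": f"arn:aws:s3:::{log_bucket}/AWSLogs/*"},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy):
    """Problems to fix before handing the role to a third party."""
    problems = []
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(s.get("Action", [])):
            continue
        principal = s.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in aws_principals:
            problems.append("role trusts every AWS account")
        conditions = s.get("Condition", {})
        if not any("sts:ExternalId" in keys for keys in conditions.values()):
            problems.append("no sts:ExternalId condition (confused-deputy risk)")
    return problems


def lint_permissions(policy):
    """Flag any allowed action that is not read-only by name."""
    problems = []
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        for action in _as_list(s.get("Action", [])):
            _service, _, name = action.partition(":")
            if name == "*" or not name.startswith(READ_PREFIXES):
                problems.append(f"non-read-only action {action}")
    return problems


if __name__ == "__main__":
    weak, fixed = trust_policy(VENDOR_ACCOUNT), trust_policy(VENDOR_ACCOUNT, EXTERNAL_ID)
    print("weak trust policy:", lint_trust_policy(weak))
    print("fixed trust policy:", lint_trust_policy(fixed))
    print("permissions:", lint_permissions(readonly_permissions(LOG_BUCKET)))
    print(json.dumps(fixed, indent=2))
```

The two policy documents are what you would attach to the role (`aws iam create-role --assume-role-policy-document` and `put-role-policy`); the linters are the review step. Whatever the real permission set turns out to be, the vendor role should only ever need read actions plus `s3:GetObject` on the trail prefix, so anything the read-only lint flags deserves a question.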
How Expel uses AWS services for detection, investigation and response
Detect: things that ring the bell and tell us there’s something to look for. Investigate: what our SOC uses to determine whether there’s a real threat and to establish scope and intent. Remediate: we don’t kill or isolate production services, but we can talk through how to use these services to get you back to a known-good state.

| AWS service | Examples of how we use it | Used for |
|---|---|---|
| Amazon GuardDuty | To find things that go bump in your VPC | Detect |
| AWS Identity & Access Management | Monitor who’s accessing your environment | Detect |
| Amazon Inspector | Know when vulnerabilities and risky configurations on your instances are putting you at risk | Detect |
| AWS Key Management Service | Monitor who’s touching your encrypted data | Detect |
| Amazon Macie | Know when your sensitive data goes walking | Detect |
| Amazon RDS | Know when your data goes for a walk | Detect |
| Amazon Redshift | Know when your data goes for a walk | Detect |
| AWS Security Hub | Unified view and compliance checks | Detect |
| AWS WAF | Know when someone’s poking at your application | Detect |
| AWS CloudTrail | The API audit log you’ve been waiting for | Investigate |
| Amazon CloudWatch | Operational monitoring, FTW! | Investigate |
| Amazon Detective | Decision support that turns frowns upside down | Investigate |
| AWS Lambda | Make fixes to give you that post-breach touch-up look | Remediate |
| AWS Systems Manager | Automation to restore you to known-good | Remediate |
What is Amazon GuardDuty and how can you make sense of all the signals? Here are our pro tips.
Looking to get more or better security signals out of AWS? Then you’ll want to read our pro tips on making the most of AWS CloudTrail.
If you’re running workloads on AWS, then you’ll want to know all about the latest and greatest AWS-native security tools. We’ve got you covered in our latest post.