Stealthwatch Cloud is first and foremost known for its overall visibility and high fidelity security threat detection.  These detections range on a spectrum from on-premises endpoints to public cloud workloads and everything in-between.

Where it relates to public cloud workload protection in AWS, many of our customers believe that there should be the option to take action on a threat if deemed of significant criticality.  Some customers may find significant prioritization in activity such as an AWS workload suddenly acting as a server on the Internet for the first time ever whereas others may be more concerned about an overly permissive configuration causing an AWS workload to become brute-forced.

Whatever the scenario, the ability to take action is incredibly valuable to a Security Operations team or Incident Responder.  Stealthwatch Cloud users have a great deal of flexibility when it comes to responses and actions that the system can take once an Alert of importance triggers in the system.  There are built-in options for everything from email to syslog, chat system notifications to vendor-agnostic webhook support.  There are also cloud native service supported features such as public cloud provider storage bucket support and in the case of AWS, the ability to directly integration with the AWS Simple Notification Services or SNS as its commonly referred to.

With SNS built-in support in Stealthwatch Cloud, users are able to directly interact with the AWS infrastructure and take automated operational actions on workloads, configurations and services to mitigate both risk and threats in real-time.  This allows a Security Administrator to implement a proactive set it and forget it approach to implementing appropriate remediation actions for security Alerts that are of urgent criticality to them.  Actions can be in the form of insertion of Access Control List (ACL) rules, workload instance state manipulation or other infrastructure service configurations.  Programmatically speaking, the sky is the limit with how Stealthwatch Cloud can perform a mitigation task within the AWS public cloud environment.

To demonstrate this incredibly useful feature and workflow within Stealthwatch Cloud, I have created a tutorial on how to perform automated remediation in AWS on a breached workload by programmatically inserting VPC Network ACLs (NACLs) to block offenders in real-time as they attempt to exploit an overly-exposed EC2 instance.

Here is a diagram of the Proof of Concept workflow:

The intent of this tutorial is to primarily be a Proof of Concept to demonstrate to Stealthwatch Cloud customers how easily they can implement an automated remediation workflow into their daily operations of the solution.  The idea is that an Administrator can choose one or more alerts that of high criticality to them that they