Amazon GuardDuty vs. Security Onion

In a multi-account/multi-tenant environment, GuardDuty often alerts us to possible malicious traffic before it becomes an issue. The ability to automatically enable GuardDuty creates baseline security which is crucial when an account is first created. It also helps greatly in environments where other users are able to create resources as often GuardDuty alerts us to insecure resources we did not know about. It can however sometimes be a little overzealous with its assessments alerting on benign activity which then requires suppression rules.

Incentivized

Security Onion works well for setting up within a Linux environment. This brings a new platform to run and maintain though. The application its self has helped to keep track of logs and vulnerabilities in the environment. Alert triage and case creation is simple to start and follow through to the end.

• Monitors outgoing connections from AWS resources to known malicious hosts.
• Monitors incoming connection to AWS resources from known malicious hosts.
• Integrates with other centralized logging solutions.

Incentivized

• GUI
• Support
• Easy of use

• Does not have the ability to add any custom monitors.

Incentivized

• Requires Linux
• Training

Other vendors may have a more robust solution but for our needs, Security Onion was the one to move forward with. We have tested some of the others but the cost of those platforms makes the ROI not as desirable. There is a learning curve with Security Onion but it is worth it for the value provided.

• GuardDuty has helped us prevent possible security incidents multiple times which could have caused substantial damage.

Incentivized

• Makes Alert Triage easier to handle
• Analysis of threats simple