I don't know any big organizations that solely rely on GuardDuty. IMO, GuardDuty is great for a smaller company that wants something and doesn't want to have to buy/onboard/maintain a vendor.
There's at least one thing that GuardDuty does that is much more difficult to do without it: the detection of instance credential usage from outside the account/VPC. I'm sure there's a way to do this with cloudtrail logs but it's not straight forward.
bink|1 year ago
My biggest problem with GuardDuty is that it's all or nothing (for the most part). We'd love to have the CloudTrail/DNS/ML monitoring but disable flow logs, which are by far the most expensive part of GD for large orgs. AWS refuses to give us that option. And if they're going to charge us a fortune for flow logs with GD at least let us download or view them.
ramimac|1 year ago
I also find the DNS based cryptomining detections pretty handy, and high enough signal.
Great point on VPC Flow Logs! With the move to SKU off various GuardDuty features (S3 protection, Runtime, etc.) ... it'd be nice if GuardDuty monitoring of VPC Flow Logs were more configurable.
tracebit|1 year ago
That's definitely aligned with what we see; we work with orgs where we're the next step after GuardDuty and some who already have more in place.
Certainly for the base usage, switching GuardDuty on can be a no-brainer, as we touch on in the article - it's the additional SKUs where things get a bit less clear.