What is DIAL and what are the features of DIAL?

• An In house monitoring and alerting system which gives us alerts on any malicious activity happening across our different AWS accounts over Slack or email,
• Assigns severity to each alert based on our severity classification module
• Stores all the generated alerts in DynamoDb and also forwards it to an open source incident response tool - theHive for further an analysis and enrichment
• Modular tool which makes it easy to add more alerting modules
• Improved error handling capabilities

What advantages this has over traditional SIEM for detection and alerting?

• Detection time of DIAL for any malicious activity over AWS is < 5 seconds. Traditional SIEM detection time is > 5-10 minutes.
• Completely stateless, infinitely scalable and cost effective
• Modular which makes it easy to increase our security coverage to any of the AWS resources
• Easy to deploy in multiple AWS accounts which we spawn
• While it does not replace the capabilities of a SIEM architecture, it gives us a huge advantage when it comes to detection time and complete control over granularity of an alert.

AWS Services that DIAL is currently covering:

• EC2
• Guard Duty
• RDS & Dynamo DB
• IAM
• SSM (Parameter Store)
• Secrets Manager
• S3
• VPC & VPC Peering Connections
• Internet Gateway
• Route Tables & Subnet Associations
• Security Groups