Amazon Detective investigates complex security cases

  • April 1, 2020
  • imc

Amazon Web Services (AWS) has announced the general availability of Amazon Detective, a service that analyses trillions of data points to make it easier to visualise security data and conduct faster, more efficient investigations. WarnerMedia and T-Systems are early users.
 
Amazon Detective is a security service that makes it easier to conduct faster and more efficient investigations into security issues across AWS workloads. It automatically collects log data from a user’s resources and uses machine learning, statistical analysis and graph theory to build interactive visualisations that help analyse, investigate and quickly identify the root cause of potential security issues or suspicious activities.
 
There are no additional charges or upfront commitments required to use Amazon Detective, and users pay only for data ingested from AWS CloudTrail, Amazon Virtual Private Cloud (VPC) flow logs, and Amazon GuardDuty findings.
 
When users face a security issue such as compromised user credentials or unauthorised access to a resource, security teams must conduct an investigation to understand the cause, assess the impact and determine the remediation steps. Before an investigation can even begin, users must first collect and combine terabytes of potentially relevant data from network, application and security monitoring systems, and make it available in a way that allows their security analysts to infer related anomalies.
 
To explore the data, analysts rely on data scientists and engineers to turn seemingly simple questions such as “Is this normal?” into mathematical models and queries that can help produce answers. Users then typically build custom dashboards that analysts use to validate, compare and correlate the data to reach their conclusions.
 
Security teams must continually re-establish baselines of normal behaviour, understand new patterns of activity, and revisit application configurations as resources, accounts and applications are added or updated in an environment. These complex and time-consuming tasks impede security teams’ ability to investigate and respond to security issues quickly.
 
Amazon Detective helps security teams conduct faster and more effective investigations. Once enabled with a few clicks in the AWS Management Console, Amazon Detective automatically begins distilling and organising data from AWS CloudTrail, VPC flow logs, and GuardDuty findings into a graph model that summarises resource behaviour and interactions observed across a user’s AWS environment.
 
Using machine learning, statistical analysis and graph theory, Amazon Detective produces tailored visualisations to help users answer questions such as “Is this an unusual API call?” or “Is this spike in traffic from this instance expected?” without having to organise any data or develop, configure or tune their own queries and algorithms.
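As an added illustration of the approach the passage describes (a behaviour graph built from CloudTrail events, then a baseline used to answer "is this API call unusual for this principal?"), here is a small Python sketch. It is not Amazon Detective's code or algorithm and makes no claim about how the service models its data; the event records are constructed in CloudTrail's JSON field layout with invented values, and the cutoff date, signal names and helper names are assumptions for the example.

```python
"""Toy behaviour graph and baseline check over CloudTrail-style events.

Added example, not Amazon Detective's own code. Field names follow the
CloudTrail record schema (eventTime, eventName, eventSource,
userIdentity.arn, sourceIPAddress); every value below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

APP_ROLE = "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"


def _event(time, name, source, ip, principal=APP_ROLE):
    """Build one constructed CloudTrail-style record."""
    return {
        "eventTime": time,
        "eventName": name,
        "eventSource": source,
        "userIdentity": {"arn": principal},
        "sourceIPAddress": ip,
    }


# Constructed sample: two weeks of routine activity by an application role,
# then a day with one routine call and two calls that are new for that role
# and come from an address the role has never used.
SAMPLE_EVENTS = [
    *[_event(f"2020-03-{d:02d}T10:00:00Z", "DescribeInstances",
             "ec2.amazonaws.com", "10.0.1.23") for d in range(1, 15)],
    *[_event(f"2020-03-{d:02d}T10:05:00Z", "GetObject",
             "s3.amazonaws.com", "10.0.1.23") for d in range(1, 15)],
    _event("2020-03-15T10:00:00Z", "DescribeInstances",
           "ec2.amazonaws.com", "10.0.1.23"),
    _event("2020-03-15T10:07:00Z", "ListSecrets",
           "secretsmanager.amazonaws.com", "198.51.100.7"),
    _event("2020-03-15T10:08:00Z", "CreateAccessKey",
           "iam.amazonaws.com", "198.51.100.7"),
]

# Assumed investigation cutoff: events before it form the baseline.
CUTOFF = datetime(2020, 3, 15, tzinfo=timezone.utc)


def parse_time(event):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)


def build_behaviour_graph(events):
    """Summarise 'who called what, from where' as weighted edges.

    Returns principal -> {edge: count}, where an edge is either
    ("api", eventSource, eventName) or ("ip", sourceIPAddress).
    """
    graph = defaultdict(lambda: defaultdict(int))
    for ev in events:
        principal = ev["userIdentity"]["arn"]
        graph[principal][("api", ev["eventSource"], ev["eventName"])] += 1
        graph[principal][("ip", ev["sourceIPAddress"])] += 1
    return graph


def find_unusual(events, cutoff):
    """Check events at/after cutoff against the graph of events before it.

    A call is flagged when its API, its source address, or the principal
    itself never appeared for that principal in the baseline window.
    """
    baseline = build_behaviour_graph(e for e in events if parse_time(e) < cutoff)
    findings = []
    for ev in events:
        if parse_time(ev) < cutoff:
            continue
        principal = ev["userIdentity"]["arn"]
        seen = baseline.get(principal, {})
        signals = []
        if principal not in baseline:
            signals.append("principal_never_seen")
        if ("api", ev["eventSource"], ev["eventName"]) not in seen:
            signals.append("new_api_for_principal")
        if ("ip", ev["sourceIPAddress"]) not in seen:
            signals.append("new_source_ip_for_principal")
        if signals:
            findings.append({
                "eventTime": ev["eventTime"],
                "principal": principal,
                "eventName": ev["eventName"],
                "sourceIPAddress": ev["sourceIPAddress"],
                "signals": signals,
            })
    return findings


if __name__ == "__main__":
    for finding in find_unusual(SAMPLE_EVENTS, CUTOFF):
        print(finding)
```

Run as a script it reports only the ListSecrets and CreateAccessKey calls, each tagged as a new API and a new source address for the role, while the routine DescribeInstances call on the same day is not flagged. A real baseline would of course need to cope with the drift the text mentions (new accounts, roles and applications appearing), which this fixed cutoff does not model.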
 
Amazon Detective’s visualisations provide the details, context and guidance to help analysts quickly determine the nature and extent of issues identified by AWS security services such as GuardDuty and AWS Security Hub. Amazon Detective’s graph model and analytics are continuously updated as new telemetry becomes available from a user’s AWS resources, allowing security teams to spend less time tending to constantly changing data sources. By letting the service perform the necessary data sifting, security teams can more quickly move on to remediation.
 
“Even when customers tell us their security teams have the tools and information to confidently detect and remediate issues, they often say they need help when it comes to understanding what caused the issues in the first place,” said Dan Plastina, vice president for security services at AWS. “Gathering the information necessary to conduct effective security investigations has traditionally been a burdensome process, which can put crucial in-depth analysis out of reach for smaller organisations and strain resources for larger teams. Amazon Detective takes all of that extra work off of the customer’s plate, allowing them to focus on finding the root cause of an issue and ensuring it doesn’t happen again.”
 
Amazon Detective is available in the N. Virginia, Ohio, Oregon, Frankfurt, Ireland, London, Paris, Stockholm, Mumbai, Seoul, Singapore, Sydney, Tokyo and São Paulo regions, with more regions coming soon.
 
An early user is T-Systems, a subsidiary of Deutsche Telekom.
 
“As part of protecting our clients’ cloud applications and services, T-Systems’ security experts analyse billions of security-relevant events every day,” said Andrej Maya, cloud architect for T-Systems. “This has traditionally required using custom log management that takes considerable time and resources to maintain. Amazon Detective simplifies our security monitoring and helps our security analysts quickly understand potential issues without the complexity of managing the underlying data ourselves.”
 
Another user is WarnerMedia, a media and entertainment company that creates and distributes premium and popular content to global audiences.
 
“Large security organisations are tasked with protecting huge environments with diverse workloads from a multitude of threats, while the smaller organisations I talk to often don’t have the resources to replicate the tooling and expertise of their bigger counterparts,” said Chris Farris, who leads public cloud security for WarnerMedia and teaches cloud security for the SANS Institute. “Amazon Detective will help both of these groups reach faster, better-informed conclusions to their security investigations. It does the hard work of aggregating and analysing high-volume telemetry sources like VPC flow logs and CloudTrail. Larger organisations will see major efficiencies, and small teams will have access to information and tooling that they’d have a hard time collecting and building on their own.”
 
Expel provides transparent managed security, on-premises and in the cloud.
 
“We have customers of all shapes and sizes running a diverse array of workloads on AWS, so it’s critical that we have high-quality data sources that can aid us in conducting fast and accurate security investigations,” said Peter Silberman, chief technology officer at Expel. “Amazon Detective offers our customers an additional layer of insight about what’s happening in their environment, which gives our security analysts more data and context to use during investigations without adding complexity to that process. With Amazon Detective, we’ll be able to process specific types of alerts faster, which means reducing investigation time and getting quicker, more detailed answers to our customers about what happened.”