Amazon’s Detective will help you investigate your cloud computing security mysteries
Amazon’s cloud services business AWS has announced that security tool Amazon Detective, which uses machine learning to help visualize anomalies in customers’ resources, is now generally available. Launched as a preview at last year’s re:Invent event, the feature is likely to put an end to many security team’s woes.
Amazon Detective collects large quantities of AWS log data, and combines it with AI, statistical analysis and graph theory to investigate and identify the root cause of potential security issues or suspicious activities. The tool processes data from various sources within the user’s resources, including AWS Guard Duty, AWS CloudTrail and Virtual Private Cloud Flow Logs, and turns information into an interactive graph model that summarizes the way resources behave and how they interact with each other.
While the cloud provider already offers products, such as the AWS Security Hub, to identify security problems and notify users when something is wrong, the issue for security analysts is often to dig out the root cause of an alert.
Typically, security teams have to collect and combine logs from various sources, extracting terabyte upon terabyte of relevant information from monitoring systems, before building the data into dashboards that let them analyze the behavior of resources, and pinpoint unexpected API calls, spikes in traffic, or other indicators of unusual behavior.
Needless to say, tracing back the first stage of a security breach is a prospect that no expert looks forward to. Many small companies simply don’t have the resources to carry out the process; and in the case of large companies, the amount of data that needs to be aggregated can quickly become overwhelming.
“Gathering the information necessary to conduct effective security investigations has traditionally been a burdensome process, which can put crucial in-depth analysis out of reach for smaller organizations, and strain resources for larger teams,” said Dan Plastina, vice president for security services at AWS. “Amazon Detective takes all of that extra work off the customer’s plate, allowing them to focus on finding the root cause of an issue and ensuring it doesn’t happen again.”
The Detective tool’s analytics continuously update as new information becomes available from AWS resources, and keeps up to a year of aggregated data that links to security findings in order to provide quick answers to customers’ questions. For example, if AWS’s threat detection tool GuardDuty finds an unusual Console Login API call, the Detective can provide details of API call trends over time, as well as user login attempts on a geolocation map.
In the case of an alert that is yet to be verified, the new tool could also help identify a real security threat from a false positive. Customers can track the resources, IP addresses and AWS accounts linked to a specific alert thanks to the Detective’s collection of data, to figure out whether it is necessary to take further action.
As cloud workloads become ever-more complex and data-heavy, Amazon Detective will be a welcome extra service, especially for customers who spread data and resources over several AWS accounts.
Sebastien Stormacq, senior developer advocate at Amazon, said in a blog post announcing the news that Amazon Detective works across several AWS accounts. “It is a multi-account solution that aggregates data and findings from up to 1,000 AWS accounts into a single security-owned ‘master’ account,” he said, “making it easy to view behavioral patterns and connections across your entire AWS environment.”
The new feature will also reassure security teams that increasingly worry about keeping cloud workloads safe from cyberattacks. A recent report published by security organization Cybersecurity Insiders revealed that 93% of cybersecurity professionals are at least moderately concerned about public cloud security. More than one in four of the organizations surveyed confirmed that they had experienced a cloud security incident in the past year.
Chris Farris, who leads public cloud security at WarnerMedia, which was one of the companies that accessed an early trial of Amazon Detective, said that the tool will help organizations large and small reach better-informed conclusions to their security investigations.
“It does the hard work of aggregating and analyzing high-volume telemetry sources,” said Farris. “Larger organizations will see major efficiencies, and small teams will have access to information and tooling that they’d have a hard time collecting and building on their own.”
AWS confirmed that there will be no additional charges to use Amazon Detective. Customers will only pay for the data ingested for findings from AWS CloudTrail and GuardDuty, as well as Amazon Virtual Private Cloud Flow Logs.