Amazon Detective is a new security service that makes it easy for customers to conduct investigations into security issues across their AWS workloads.
Identify the root cause of potential security issues
Amazon Detective automatically collects log data from a customer’s resources and uses machine learning, statistical analysis, and graph theory to build interactive visualizations that help customers analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. There are no additional charges or upfront commitments required to use Amazon Detective, and customers pay only for data ingested from AWS CloudTrail, Amazon Virtual Private Cloud (VPC) Flow Logs, and Amazon GuardDuty findings.
When customers face a security issue like compromised user credentials or unauthorized access to a resource, security teams must conduct an investigation to understand the cause, assess the impact, and determine the remediation steps. Before an investigation can even begin, customers must first collect and combine terabytes of potentially relevant data from network, application, and security monitoring systems, and make it available in a way that allows their security analysts to infer related anomalies.
In order to explore the data, analysts rely on data scientists and engineers to turn seemingly simple questions like “is this normal?” into mathematical models and queries that can help produce answers. Customers then typically build custom dashboards that analysts use to validate, compare, and correlate the data to reach their conclusions.
Amazon Detective helps security teams
Security teams must continually re-establish baselines of normal behavior, understand new patterns of activity, and revisit application configurations as resources, accounts, and applications are added or updated in an environment. These complex and time-consuming tasks impede security teams’ ability to quickly investigate and respond to security issues.
Amazon Detective helps security teams conduct faster and more effective investigations. Once enabled with a few clicks in the AWS Management Console, Amazon Detective automatically begins distilling and organizing data from AWS CloudTrail, Amazon VPC Flow Logs, and Amazon GuardDuty findings into a graph model that summarizes resource behaviors and interactions observed across a customer’s AWS environment.
Amazon Detective produces tailored visualizations to help customers answer questions like “is this an unusual API call?” or “is this spike in traffic from this instance expected?” without having to organize any data or develop, configure, or tune their own queries and algorithms. Amazon Detective’s visualizations provide the details, context, and guidance to help analysts quickly determine the nature and extent of issues identified by AWS security services like AWS Security Hub.
Graph model and analytics
Amazon Detective’s graph model and analytics are continuously updated as new telemetry becomes available from a customer’s AWS resources, allowing security teams to spend less time tending to constantly changing data sources. By letting the Amazon Detective service perform the necessary data sifting, security teams can more quickly move on to remediation.
“Even when customers tell us their security teams have the tools and information to confidently detect and remediate issues, they often say they need help when it comes to understanding what caused the issues in the first place,” said Dan Plastina, Vice President for Security Services at AWS. “Gathering the information necessary to conduct effective security investigations has traditionally been a burdensome process, which can put crucial in-depth analysis out of reach for smaller organizations and strain resources for larger teams. Amazon Detective takes all of that extra work off of the customer’s plate, allowing them to focus on finding the root cause of an issue and ensuring it doesn’t happen again.”
Amazon Detective availability
Amazon Detective is available today in the US East (N. Virginia), US East (Ohio), US West (Oregon), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), Europe (Stockholm), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), and South America (Sao Paulo) regions, with more regions coming soon.
WarnerMedia is a leading media and entertainment company that creates and distributes premium and popular content to global audiences. “Large security organizations are tasked with protecting huge environments with diverse workloads from a multitude of threats, while the smaller organizations I talk to often don’t have the resources to replicate the tooling and expertise of their bigger counterparts,” said Chris Farris who leads public cloud security for WarnerMedia and teaches Cloud Security for the SANS Institute. “Amazon Detective will help both of these groups reach faster, better-informed conclusions to their security investigations. It does the hard work of aggregating and analyzing high-volume telemetry sources like VPC Flow logs and CloudTrail. Larger organizations will see major efficiencies, and small teams will have access to information and tooling that they’d have a hard time collecting and building on their own.”
Expel provides transparent managed security, on-prem and in the cloud. “We have customers of all shapes and sizes running a diverse array of workloads on AWS, so it’s critical that we have high-quality data sources that can aid us in conducting fast and accurate security investigations,” said Peter Silberman, chief technology officer at Expel. “Amazon Detective offers our customers an additional layer of insight about what’s happening in their environment, which gives our security analysts more data and context to use during investigations without adding complexity to that process. With Amazon Detective, we’ll be able to process specific types of alerts faster, which means reducing investigation time and getting quicker, more detailed answers to our customers about what happened.”