“You see, but you do not observe.”
Amazon Detective is a cybersecurity tool that automates the time-intensive processing of the vast quantities of AWS log data to assess the root cause and impact of a cybersecurity incident. First released in preview in December of 2019, AWS has now made it generally available.
When a cybersecurity incident occurs it is up to IT teams to sieve through the ashes to try and figure out where the breach or unauthorised access started. Hotel group Marriott International is once again going through this process after confirming a serious breach this week, after revealing an “unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property”. Early reports indicate an application providing services to guests was the starting point of the breach. This case is indicative of the complex nature of cybersecurity and the array of data and entry points IT teams must watch.
To get to the bottom of events, IT teams often have to write new scripts or extract, transform and load huge amounts of data from a dizzying array of data sources. Often, many of these sources are attached to siloed systems and it is not immediately clear what connects to what and, critically, what is normal behaviour.
Amazon Detective will automatically collate all of the data generated by other AWS services — Guard Duty, VPC Flow Logs and CloudTrail — presenting the user with a graph model that outlines how all resources and processes — such as API calls, network traffic and logins — are behaving and interacting across the entire IT environment.
Commenting on Amazon Detective, WarnerMedia cloud security lead Chris Farris, said: “It does the hard work of aggregating and analysing high-volume telemetry sources like VPC Flow logs and CloudTrail. Larger organizations will see major efficiencies, and small teams will have access to information and tooling that they’d have a hard time collecting and building on their own.”
Using machine learning, Amazon Detective maintains the data it has aggregated for a year to run machine learning processes and identify abnormalities as they occur. It automatically processes terabytes of event data records aggregating them into a visualised dashboard summarising unusual activity and showing the behaviour and security relationship of assets across the IT environment.
Along with acting as a reactionary tool, it can be used proactively to hunt for threats within the network by focusing on resources such as IP addresses, VPC and AWS account activity.
Amazon Detective enables users to view time-based data in a visual graph — allowing them to dig further into the details to identify derivations from normal behaviour.
While AWS points out that while there “are no additional charges or upfront commitments” to use Amazon Detective, it can be expensive depending on how much data flows through the tool. For the first 1,000 GB of data it will cost roughly two pounds ($2.5) per GB, that price scales down significantly to $0.31 when processing more than 10,000 GB per month. Good for large firms with huge amounts of data, but SMEs might get caught out.