Blog

Overview of the latest AWS Security Service – Amazon Detective

Apr 20, 2020

By AJ Yawn, CISSP

Late last month, AWS announced that Amazon Detective is now generally available to all customers, reinforcing their commitment to helping customers hold up their end of the shared responsibility model. Under that model, AWS is responsible for the security of the physical infrastructure, or "security of the cloud", which frees your organization to focus on "security in the cloud": protecting your applications and the sensitive data your customers entrust to you.

AWS publishes security best practices to consider when designing and evaluating your AWS architecture within the Security pillar of the Well-Architected Framework. The security pillar outlines five focus areas that organizations must address when implementing security in the cloud: identity and access management, detective controls, infrastructure protection, data protection, and incident response.

As you can see from the (ISC)² Miami Chapter graphic, AWS has developed, and continues to develop, several security services that directly assist customers with implementing controls and safeguards in each focus area. Amazon Detective is the latest service that fits within this security pillar to assist organizations with securing their AWS workloads. It uses machine learning, statistical analysis and graph theory to accelerate the incident response process, giving your team both accuracy and speed. Amazon Detective is intended to be an extension of your security team, so think of Detective as a security analyst that continuously analyzes the events in your AWS CloudTrail logs, Amazon GuardDuty findings and Virtual Private Cloud (VPC) Flow Logs, and that you can pivot into directly from a finding in AWS Security Hub.

How will Detective help my team?

CloudTrail, GuardDuty, VPC Flow Logs, Security Hub and third-party security information and event management (SIEM) solutions provide a robust set of data for organizations. However, sorting through data from multiple systems to decide whether a security event is an actual incident is a time-consuming and demanding task for organizations of all sizes. Amazon Detective uses data science techniques to quickly analyze and identify root causes of incidents, providing security professionals with detailed context around the security event or incident, such as the geolocation of the source, origin IP addresses and the affected resources (e.g. IAM users or EC2 instances).

The industry-accepted NIST Cybersecurity Framework (CSF) lists five key functions of a cybersecurity risk management program: Identify, Protect, Detect, Respond, and Recover. Detective helps organizations bridge the gap between the detection and response activities that make up a critical part of any incident response program. Detective accelerates the incident response process, providing security practitioners the data they need to quickly triage security findings, begin incident investigations and conduct threat hunting activities. Interactive visualizations let your security team quickly determine whether a finding is a false positive or genuine malicious action by a threat actor.

This step forward in automating the log aggregation and analysis aspects of the incident response process aligns with the information security industry's continued push for security automation. The Ponemon Institute found in a recent survey of security practitioners that automation increases the productivity of current security personnel (43% of respondents) and reduces false-positive or false-negative rates (43% of respondents). 60% of respondents stated that automation is helping to reduce the stress on their organization's IT security personnel.

Amazon Detective supports the insight of these practitioners by automating tasks in the incident response process such as collecting and reviewing data from multiple sources to determine whether a security event rises to the level of an incident. One of the immediate benefits of a tool like Detective is the time it gives back to your security team or individual practitioner. Removing mundane or administrative tasks makes a proactive approach to security possible. Leveraging historical data and established security baselines, Detective can be used to perform proactive analysis to discover threats that may be dormant in your environment. It facilitates historical investigation from minimal information about a potential threat, such as a single malicious IP address: Detective can provide a time-based view of the AWS accounts, VPCs, or EC2 instances that interacted with that IP address or were involved in a malicious event. Note that Detective only collects data from the point it is enabled in an account, so the sooner it is turned on, the more history a hunt has to work with. Most security teams do not have the time or resources to perform proactive analysis. The threat hunting aspect is what has me the most excited about this tool for organizations improving their security incident response process.
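To make the "pivot on one indicator" idea concrete, here is a toy version of the join Detective performs across its data sources. This is an added example written for this post, not Amazon Detective's own code or output: it parses constructed VPC Flow Log records (default version 2 format) and constructed CloudTrail events, then collects everything both sources say about a single IP address into one timeline. The ENI-to-instance mapping is an assumption (in practice it comes from ec2:DescribeNetworkInterfaces), and all addresses, IDs and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Default VPC Flow Log (version 2) field order, space separated.
FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()

# Constructed sample records: an external host hitting SSH on one instance,
# the reply traffic, unrelated traffic to a second instance, and a rejected
# RDP attempt an hour later from the same external host.
FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 44321 22 6 12 960 1586500000 1586500060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.23 22 44321 6 20 2400 1586500000 1586500060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 203.0.113.9 10.0.2.40 51000 443 6 5 400 1586500100 1586500160 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 44500 3389 6 3 180 1586503600 1586503660 REJECT OK
"""

# Constructed CloudTrail events (only the fields the pivot needs).
CLOUDTRAIL = [
    {"eventTime": "2020-04-10T07:08:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.23", "recipientAccountId": "123456789012",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventTime": "2020-04-10T07:15:00Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.23", "recipientAccountId": "123456789012",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventTime": "2020-04-10T09:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.9", "recipientAccountId": "123456789012",
     "userIdentity": {"type": "IAMUser", "userName": "ops-reader"}},
]

# Assumed mapping from network interface to instance (hypothetical IDs).
ENI_TO_INSTANCE = {"eni-0a1b2c3d": "i-0123456789abcdef0",
                   "eni-0e5f6a7b": "i-0fedcba9876543210"}


def parse_flow_logs(text):
    """Parse default-format VPC Flow Log lines into dicts with typed numeric fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS):
            raise ValueError(f"unexpected field count in flow log line: {line!r}")
        rec = dict(zip(FLOW_FIELDS, parts))
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def parse_cloudtrail_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def pivot_on_ip(ip, flow_records, cloudtrail_events, eni_to_instance):
    """Gather every touchpoint of one IP across flow logs and CloudTrail into a timeline."""
    instances = defaultdict(set)   # instance id -> {(port on our side, action)}
    accounts, principals, timeline = set(), set(), []

    for rec in flow_records:
        if ip not in (rec["srcaddr"], rec["dstaddr"]):
            continue
        accounts.add(rec["account_id"])
        inst = eni_to_instance.get(rec["interface_id"], rec["interface_id"])
        # Orient on our resource: the interesting port is the one on the internal side.
        port = rec["dstport"] if rec["srcaddr"] == ip else rec["srcport"]
        instances[inst].add((port, rec["action"]))
        start = datetime.fromtimestamp(rec["start"], tz=timezone.utc)
        end = datetime.fromtimestamp(rec["end"], tz=timezone.utc)
        timeline.append((start, "vpc_flow", f"{inst}:{port} {rec['action']}"))
        timeline.append((end, "vpc_flow", f"{inst}:{port} {rec['action']} (end)"))

    for ev in cloudtrail_events:
        if ev.get("sourceIPAddress") != ip:
            continue
        accounts.add(ev["recipientAccountId"])
        ident = ev.get("userIdentity", {})
        principals.add(f"{ident.get('type')}:{ident.get('userName') or ident.get('arn')}")
        timeline.append((parse_cloudtrail_time(ev["eventTime"]), "cloudtrail", ev["eventName"]))

    timeline.sort()
    return {
        "accounts": accounts,
        "instances": {k: sorted(v) for k, v in instances.items()},
        "principals": principals,
        "timeline": timeline,
        "first_seen": timeline[0][0] if timeline else None,
        "last_seen": timeline[-1][0] if timeline else None,
    }


if __name__ == "__main__":
    result = pivot_on_ip("198.51.100.23", parse_flow_logs(FLOW_LOGS), CLOUDTRAIL, ENI_TO_INSTANCE)
    for when, source, what in result["timeline"]:
        print(when.isoformat(), source, what)
    print("accounts:", result["accounts"], "principals:", result["principals"])
```

Run against the sample data, the timeline shows the same external address first reaching SSH on an instance, then logging into the console as an IAM user and minting a new access key, then being rejected on RDP an hour later. Seeing those three sources on one clock is exactly the context a triage analyst needs; Detective builds that picture from the real logs at scale.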

Start Exploring

Detective may not be the best option for your organization, depending on your architecture or the tools you already use. However, you can try the product, integrate it with existing tools and estimate costs with a 30-day free trial, during which Detective ingests live data from your environment so your team can begin working with it right away. The potential is there for this new service to significantly improve organizations' incident response teams and processes. I think exploring new tools and learning new techniques that can improve cybersecurity programs is one of the fun parts of being an information security professional. Amazon Detective is a tool that security practitioners with workloads hosted on AWS should explore to help increase the accuracy and speed of incident detection, investigation, and recovery.