Enhanced Capabilities in Amazon Detective to Accelerate Your Cloud Security Investigations

Overview

Amazon Detective streamlines the investigative process, allowing security teams to perform faster and more effective investigations. Amazon Detective’s prebuilt data aggregations, summaries, and context allow you to swiftly analyze and evaluate the type and scope of any security vulnerabilities.

Introduction

Amazon Detective makes it easy to analyze, investigate, and swiftly determine the underlying cause of security alerts or suspicious activity. Amazon Detective visualizes and conducts security investigations faster and more efficiently using machine learning (ML), statistical analysis, and graph theory. Amazon Detective automatically gathers log data and events from several sources, including AWS CloudTrail logs, Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, Amazon GuardDuty discoveries, Amazon Elastic Kubernetes Service (Amazon EKS) audit logs, and AWS security findings. Detective saves aggregated data for up to a year for analysis and investigative purposes.

Amazon Detective is a managed security solution that enables security analysts to analyze suspected security concerns across many AWS accounts and workloads. Amazon Detective streamlines the analysis of security discoveries, making it easier to determine the scope of harmful behavior and its underlying cause. AWS GuardDuty is a threat detection solution that continuously monitors your AWS environment for malicious activity and unauthorized access. AWS GuardDuty now detects threats during runtime events in Amazon ECS, including serverless workloads on AWS Faregate. Amazon Detective aids in the study of these new detections by incorporating connections with prior discoveries into finding groups, graph visualizations, and other summaries to speed up security investigations.

Amazon Detective is a managed security service that streamlining the investigation process by generating data aggregations, summaries, and visualizations based on security findings and activity logs. Security analysts utilize Amazon Detective to swiftly analyze and assess the type and scope of any security vulnerabilities. Security Lake is a solution that automatically consolidates security data from AWS environments, SaaS providers, on-premises, and other cloud sources into a dedicated data lake. You may use Security Lake to simplify central log collecting and acquire a thorough overview of all security occurrences in your organization.

New capabilities of Amazon Detective

Amazon Detective adds four new capabilities to help you save time and strengthen security operations.

• Amazon Detective investigations for AWS IAM
• Amazon Detective finding group summaries
• Amazon Detective now supports security investigations for threats detected by Amazon Guard Duty ECS Runtime Monitoring.
• Amazon Detective now integrates with Amazon Security Lake, enabling security analysts to query and retrieve logs stored in Security Lake.

Description

1. Amazon Detective investigations for AWS IAM assist security analysts in identifying indicators of compromise (IoCs) in AWS Identity and Access Management (IAM) objects, including users and roles, to evaluate probable involvement in known MITRE ATT&CK techniques. These automated investigations are available in the AWS Management Console’s Detective area and via a new API that allows you to automate your analysis or incident response or communicate these results to other systems, such as AWS Security Hub.
2. Amazon Detective finding group summary employs generative artificial intelligence (AI) to enhance investigations. It automatically analyses finding groups and delivers insights in normal language to speed up security investigations. It gives a plain language title based on the finding group’s analysis and important summarised insights, such as explaining the activity that triggered the event and, if applicable, the impact. Finding group summaries do the hard job of analyzing a finding group created from several AWS data sources, making it easier and faster to evaluate odd or suspicious activities.
3. Amazon Detective now supports security investigations for threats detected by Amazon GuardDuty Elastic Container Service (ECS) Runtime Monitoring. Amazon Detective now provides enhanced visualizations and additional context for detections on Amazon You can use the new runtime threat detections from GuardDuty and the investigative capabilities from Amazon Detective to improve your detection and response for potential threats to your container workloads.
4. Amazon Detective now integrates with Amazon Security Lake, enabling security analysts to query and retrieve logs stored in Security Lake. You can use this integration to get additional information from AWS CloudTrail logs and Amazon Virtual Private Cloud (Amazon VPC) Flow Logs stored in Security Lake while conducting security investigations in Amazon Detective.

Demo for AWS IAM security analysis and finding group summary

Amazon Detective dashboard displays the number of completed investigations and the number of AWS IAM roles and users implicated in questionable activity.

From there, the list of investigations is narrowed down.

In my perspective, the most intriguing portion of the page is the mappings to tactics, techniques, and procedures (TTP). All TTPs are classed based on their severity. The console displays the techniques and activities employed. When I choose a certain TTP, I may view its information in the right pane. In this case, the suspicious IP address was engaged in almost 2,000 unsuccessful attempts to modify the trusted policy of an AWS IAM role.

On the other hand, discovering group summaries is provided under discovering groups. I pick a finding group to obtain a natural language explanation of the findings and associated risks.

Conclusion

Amazon Detective examines trillions of events from various data sources, including Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, AWS CloudTrail logs, Amazon Elastic Kubernetes Service (Amazon EKS) audit logs, and findings from multiple AWS security services, to produce a unified, interactive view of security events. Amazon Detective also automatically aggregates linked results from Amazon GuardDuty and Amazon Inspector to provide combined threats and vulnerabilities, assisting security analysts in identifying and prioritizing possible high-severity security issues.

Drop a query if you have any questions regarding Amazon Detective and we will get back to you quickly.

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

CloudThat is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, Microsoft Gold Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, and many more.

To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.