AWS Announces General Availability of Amazon Detective

Today, Amazon Web Services Inc., an Amazon.com company (NASDAQ: AMZN), announced the general availability of Amazon Detective, a new security service that makes it easy for customers to conduct faster and more efficient investigations into security issues across their AWS workloads. Amazon Detective automatically collects log data from a customer’s resources and uses machine learning, statistical analysis, and graph theory to build interactive visualizations that help customers analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. There are no additional charges or upfront commitments required to use Amazon Detective, and customers pay only for data ingested from AWS CloudTrail, Amazon Virtual Private Cloud (VPC) Flow Logs, and Amazon GuardDuty findings.

To get started with Amazon Detective, visit https://aws.amazon.com/detective/.

When customers face a security issue like compromised user credentials or unauthorized access to a resource, security teams must conduct an investigation to understand the cause, assess the impact, and determine the remediation steps. Before an investigation can even begin, customers must first collect and combine terabytes of potentially relevant data from network, application, and security monitoring systems, and make it available in a way that allows their security analysts to infer related anomalies. In order to explore the data, analysts rely on data scientists and engineers to turn seemingly simple questions like “is this normal?” into mathematical models and queries that can help produce answers. Customers then typically build custom dashboards that analysts use to validate, compare, and correlate the data to reach their conclusions. Security teams must continually re-establish baselines of normal behavior, understand new patterns of activity, and revisit application configurations as resources, accounts, and applications are added or updated in an environment. These complex and time-consuming tasks impede security teams’ ability to quickly investigate and respond to security issues.

Amazon Detective helps security teams conduct faster and more effective investigations. Once enabled with a few clicks in the AWS Management Console, Amazon Detective automatically begins distilling and organizing data from AWS CloudTrail, Amazon VPC Flow Logs, and Amazon GuardDuty findings into a graph model that summarizes resource behaviors and interactions observed across a customer’s AWS environment. Using machine learning, statistical analysis, and graph theory, Amazon Detective produces tailored visualizations to help customers answer questions like “is this an unusual API call?” or “is this spike in traffic from this instance expected?” without having to organize any data or develop, configure, or tune their own queries and algorithms. Amazon Detective’s visualizations provide the details, context, and guidance to help analysts quickly determine the nature and extent of issues identified by AWS security services like Amazon GuardDuty and AWS Security Hub. Amazon Detective’s graph model and analytics are continuously updated as new telemetry becomes available from a customer’s AWS resources, allowing security teams to spend less time tending to constantly changing data sources. By letting the Amazon Detective service perform the necessary data sifting, security teams can more quickly move on to remediation.

“Even when customers tell us their security teams have the tools and information to confidently detect and remediate issues, they often say they need help when it comes to understanding what caused the issues in the first place,” said Dan Plastina, Vice President for Security Services at AWS. “Gathering the information necessary to conduct effective security investigations has traditionally been a burdensome process, which can put crucial in-depth analysis out of reach for smaller organizations and strain resources for larger teams. Amazon Detective takes all of that extra work off of the customer’s plate, allowing them to focus on finding the root cause of an issue and ensuring it doesn’t happen again.”

Amazon Detective is available today in the US East (N. Virginia), US East (Ohio), US West (Oregon), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), Europe (Stockholm), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), and South America (Sao Paulo) regions, with more regions coming soon.

T-Systems, a subsidiary of Deutsche Telekom, is one of the world’s leading digital service providers.

"As part of protecting our clients' cloud applications and services, T-Systems’ security experts analyze billions of security-relevant events every day," said Andrej Maya, Cloud Solutions Architect for T-Systems. "This has traditionally required using custom log management solutions that take considerable time and resources to maintain. Amazon Detective simplifies our security monitoring and helps our security analysts quickly understand potential issues without the complexity of managing the underlying data ourselves."

WarnerMedia is a leading media and entertainment company that creates and distributes premium and popular content to global audiences.

“Large security organizations are tasked with protecting huge environments with diverse workloads from a multitude of threats, while the smaller organizations I talk to often don’t have the resources to replicate the tooling and expertise of their bigger counterparts,” said Chris Farris who leads public cloud security for WarnerMedia and teaches Cloud Security for the SANS Institute. “Amazon Detective will help both of these groups reach faster, better-informed conclusions to their security investigations. It does the hard work of aggregating and analyzing high-volume telemetry sources like VPC Flow logs and CloudTrail. Larger organizations will see major efficiencies, and small teams will have access to information and tooling that they’d have a hard time collecting and building on their own.”

Expel provides transparent managed security, on-prem and in the cloud.

“We have customers of all shapes and sizes running a diverse array of workloads on AWS, so it’s critical that we have high-quality data sources that can aid us in conducting fast and accurate security investigations,” said Peter Silberman, chief technology officer at Expel. “Amazon Detective offers our customers an additional layer of insight about what’s happening in their environment, which gives our security analysts more data and context to use during investigations without adding complexity to that process. With Amazon Detective, we’ll be able to process specific types of alerts faster, which means reducing investigation time and getting quicker, more detailed answers to our customers about what happened.”