April 3, 2020

Amazon Detective Spots Unusual Behaviour Buried in the Data Logs

“You see, but you do not observe.”

By CBR Staff Writer

Amazon Detective is a cybersecurity tool that automates the time-intensive processing of vast quantities of AWS log data to assess the root cause and impact of a security incident. First released in preview in December 2019, it has now been made generally available by AWS.

When a cybersecurity incident occurs, it is up to IT teams to sift through the ashes and try to figure out where the breach or unauthorised access started. Hotel group Marriott International is once again going through this process after confirming a serious breach this week, revealing that an “unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property”. Early reports indicate that an application providing services to guests was the starting point of the breach. This case is indicative of the complex nature of cybersecurity and of the array of data sources and entry points IT teams must watch.

To get to the bottom of events, IT teams often have to write new scripts or extract, transform and load huge amounts of data from a dizzying array of sources. Many of these sources are attached to siloed systems, and it is not immediately clear what connects to what or, critically, what normal behaviour looks like.

Amazon Detective automatically collates the data generated by other AWS services (GuardDuty, VPC Flow Logs and CloudTrail) and presents the user with a graph model that outlines how resources and processes, such as API calls, network traffic and logins, are behaving and interacting across the entire IT environment.

Amazon Detective will automatically collate all of the data generated by other AWS services. Credit: AWS

Commenting on Amazon Detective, WarnerMedia cloud security lead Chris Farris said: “It does the hard work of aggregating and analysing high-volume telemetry sources like VPC Flow logs and CloudTrail. Larger organizations will see major efficiencies, and small teams will have access to information and tooling that they’d have a hard time collecting and building on their own.”

Amazon Detective retains the data it has aggregated for a year and runs machine learning over it to identify abnormalities as they occur. It automatically processes terabytes of event data records, aggregating them into a visualised dashboard that summarises unusual activity and shows the behaviour and security relationships of assets across the IT environment.

As well as acting as a reactive tool, it can be used proactively to hunt for threats within the network by focusing on resources such as IP addresses, VPCs and AWS account activity.


Amazon Detective enables users to view time-based data in a visual graph, allowing them to dig further into the details and identify deviations from normal behaviour.

Amazon Detective enables users to view time-based data in a visual graph. Credit: AWS

AWS points out that there “are no additional charges or upfront commitments” to use Amazon Detective, but it can be expensive depending on how much data flows through the tool. For the first 1,000 GB of data it costs roughly two pounds ($2.5) per GB; that price scales down significantly to $0.31 per GB when processing more than 10,000 GB per month. That is good for large firms with huge amounts of data, but SMEs might get caught out.

