Introduction to Amazon Detective

Using Amazon Detective in Security Investigations
Amazon Detective is a managed service used to conduct investigations and produce behavior graphs. It sources data points from AWS CloudTrail logs, VPC flow logs, and Amazon GuardDuty findings, then correlates that data to provide a unified view. According to AWS, the main features of Amazon Detective include:

  • Automatic data collection across all your AWS accounts
  • Consolidation of disparate events into a graph model
  • Interactive visualization for efficient investigation
  • Seamless integration for investigating a security finding
  • Simple deployment with no upfront data source integration or complex configurations to maintain

To learn more about Amazon Detective, visit the User Guide for Amazon Detective.

When we work with clients on their information security compliance needs, we often end up dealing with log correlation and security investigations. How do you understand what is going on in your environment, and how can you take action when something malicious is happening? It is not enough to have the logs just for the sake of having them. You have to be looking at them, using that information to understand what it means, and deciding where to go with it. Likewise, it is not enough to have the tools: if you ignore the tools or ignore their alerts, you are not getting the value and benefit of having the tool in the first place. It was famously reported after the Target breach that they had a new tool alerting them to the nefarious activity, and they turned the tool off because the alarms had become too annoying. In our audits we frequently hear from a client, “Oh, we have our logs, but we really don’t use them for anything. We haven’t taken it any further.”

Correlating your logs from various sources is very important, and Amazon Detective is one way to do this. Amazon Detective is a service from AWS that builds a unified view from many different data points. You can bring in your VPC flow logs, your CloudTrail logs, and your GuardDuty findings, and Amazon Detective analyzes them and presents valuable insights using machine learning and statistical analysis so that you can investigate what the data means. You might be asking yourself: How much data was sent during this incident? Is this traffic normal compared with earlier periods of time? Did this IP address interact with any other systems within our environment? What happened immediately before this suspicious event? Amazon Detective presents you with that information and helps you understand and act on it much faster.
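To make the kind of correlation described above concrete, here is an added, self-contained illustration (not Amazon Detective's own code or API) that answers those same investigative questions over constructed sample flow-log and CloudTrail records for one suspect external IP: bytes sent versus the same window a day earlier, which internal hosts the IP touched, and which API calls from that IP preceded the finding. The IP address, timestamps and record layout are all assumptions made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real logs). The suspect IP is an RFC 5737
# documentation address; times and hosts are invented for illustration.
SUSPECT_IP = "198.51.100.7"
FINDING_TIME = datetime(2023, 5, 10, 12, 0)   # when the GuardDuty-style finding fired

# Simplified VPC flow log records: (start time, source, destination, bytes)
FLOW_LOGS = [
    (datetime(2023, 5, 9, 11, 50), "10.0.1.5", SUSPECT_IP, 4_000),    # baseline day
    (datetime(2023, 5, 9, 12, 5), "10.0.1.5", SUSPECT_IP, 3_000),     # baseline day
    (datetime(2023, 5, 10, 11, 55), "10.0.1.5", SUSPECT_IP, 80_000),  # incident window
    (datetime(2023, 5, 10, 12, 2), "10.0.1.9", SUSPECT_IP, 60_000),   # incident window
    (datetime(2023, 5, 10, 12, 10), "10.0.2.3", "10.0.1.5", 500),     # unrelated internal traffic
]

# Simplified CloudTrail events: (event time, source IP, event name)
CLOUDTRAIL = [
    (datetime(2023, 5, 10, 11, 40), SUSPECT_IP, "ConsoleLogin"),
    (datetime(2023, 5, 10, 11, 52), SUSPECT_IP, "ListBuckets"),
    (datetime(2023, 5, 10, 12, 30), "10.0.1.5", "DescribeInstances"),
]

def bytes_in_window(flows, ip, start, end):
    """Total bytes sent to `ip` by flows starting in [start, end)."""
    return sum(b for t, _, dst, b in flows if dst == ip and start <= t < end)

def traffic_summary(flows, ip, incident_time, window=timedelta(hours=1)):
    """Bytes to `ip` around the incident versus the same window one day earlier."""
    current = bytes_in_window(flows, ip, incident_time - window, incident_time + window)
    day_ago = incident_time - timedelta(days=1)
    baseline = bytes_in_window(flows, ip, day_ago - window, day_ago + window)
    ratio = current / baseline if baseline else float("inf")
    return {"current_bytes": current, "baseline_bytes": baseline, "ratio": ratio}

def peers_of(flows, ip):
    """Hosts that exchanged traffic with `ip`: the neighbours of `ip` in a behavior graph."""
    peers = set()
    for _, src, dst, _ in flows:
        if src == ip:
            peers.add(dst)
        elif dst == ip:
            peers.add(src)
    return sorted(peers)

def events_before(events, ip, incident_time, lookback=timedelta(minutes=30)):
    """API calls made from `ip` in the lookback window before the incident, oldest first."""
    return [name for t, src, name in sorted(events)
            if src == ip and incident_time - lookback <= t < incident_time]
```

Run against the sample data, the incident window carries 20 times the baseline volume, two internal hosts talked to the IP, and a console login followed by bucket enumeration preceded the finding, which is the chain of context an analyst wants to see in one place.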

