
AWS security options grow with Amazon Detective

AWS has released Amazon Detective, a managed threat hunting service that generates visualizations out of log data from native Amazon Web Services.

AWS has added another member to its family of cloud security technologies with Amazon Detective, a service that enterprises can use to investigate security problems on the cloud platform.

Detective is now generally available following its debut at re:Invent in December, AWS said. The AWS security service pulls together log information from AWS sources such as CloudTrail, VPC Flow Logs and GuardDuty, then uses machine learning and statistical analysis to create visualizations that help determine whether a suspected security issue is an actual problem. This frees up security teams to focus on fixing problems rather than manually sorting and analyzing log data to reach these conclusions, according to AWS.

Many companies have scores or even hundreds of individual AWS accounts used by various teams. Detective addresses this by aggregating information from up to 1,000 AWS accounts into one controlled by the enterprise's security team, according to a blog post.

Amazon Detective is now available in the U.S., Europe, Asia-Pacific and South America, with more regions to come, AWS said. It could appeal both to large enterprises with very complex AWS security needs and to smaller ones with fewer financial resources.

The service is priced on a sliding scale based on how much data it ingests from CloudTrail, VPC Flow Logs and GuardDuty. The first 1,000 gigabytes per account, region and month costs $2 per gigabyte, with the price dropping to as low as 25 cents per gigabyte when more than 10,000 gigabytes are ingested. No other fees apply.

Detective may not crack every case

The new AWS security service has its roots in AWS' 2018 acquisition of security startup Sqrrl, maker of a threat hunting platform built on a graph database. That type of data store models information in a manner suited to examining interconnections among various entities. It is perhaps best known for its application in social media sites such as Facebook, and it extends well to a cloud security context.


Detective wasn't the only security service AWS discussed at re:Invent. But others seemed geared more toward fixing certain persistent security issues among cloud customers. For example, IAM Access Analyzer focuses on helping customers lock down S3 storage buckets; S3 misconfigurations have been the source of a string of data leaks and exposures.

AWS rivals such as Microsoft have also moved to add new security services, such as Azure Sentinel, a security information and event management (SIEM) tool.

Overall, AWS customers should be mindful of Detective's limitations, said Scott Piper, an AWS security consultant at Summit Route in Salt Lake City.


"It's not a SIEM," Piper said. "It provides you a set of histograms. They converted a graph database into bar charts. I don't even know at this point if Detective shares anything to do with Sqrrl since the end result is so different, but I had always been told that Detective was the rebirth of Sqrrl.

"If you have no security processes set up for incident response, Detective is a reasonable set of views that will help you as you investigate an incident," Piper added. "But if you already have logs feeding into something like Splunk or ELK or Sentinel, it's not going to be useful. From what I can tell, you could task a junior [Security Operations Center] analyst to spend a day in any other tool re-creating the views Detective provides."

An AWS spokesman declined comment on Piper's remarks.
