Introduction to Amazon Detective and its use cases

In this recipe, we will learn what Amazon Detective is and how it fits next to the AWS services that raise security findings. We will also learn about the use cases of Amazon Detective: threat hunting, incident investigation, and triage of security findings.

Recipe Objective - Introduction to Amazon Detective and its use cases

Amazon Detective is a managed service that makes it easier to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activity. Amazon Detective automatically ingests log data from the user's AWS accounts and applies machine learning, statistical analysis, and graph theory to build a linked data set (the behavior graph) that lets security teams run faster and more efficient investigations.

AWS security services such as Amazon GuardDuty, Amazon Macie, and AWS Security Hub, as well as partner security products, identify potential security issues as findings. These services alert users when something looks wrong and point to where to go to fix it. Some findings, however, require digging much deeper and correlating far more information before the root cause can be isolated and acted on. Determining that root cause is often a complex process: logs have to be collected and combined from many separate data sources, organized with extract, transform, and load (ETL) tools or custom scripting, and then analyzed by security analysts in lengthy investigations. Amazon Detective simplifies this process by letting security teams investigate a finding and get to its root cause without building that pipeline themselves.

Amazon Detective is built to analyze trillions of events from multiple data sources, such as Amazon Virtual Private Cloud (VPC) Flow Logs, AWS CloudTrail, and Amazon GuardDuty findings, and it automatically creates a unified, interactive view of resources, users, and the interactions between them over time. With this unified view, users can see all details and context in one place, identify the underlying reasons for a finding, drill down into relevant historical activity, and quickly determine the root cause. One practical prerequisite to keep in mind: Amazon Detective relies on GuardDuty as a data source, so GuardDuty must already be enabled in the account (AWS requires it to have been enabled for at least 48 hours) before Detective can be turned on.

Benefits of Amazon Detective

  • Amazon Detective produces visualizations with the information users need to investigate and respond to security findings. It helps users answer questions like "is this spike in traffic from this instance expected?" without having to organize any data or develop, configure, or tune their own queries and algorithms. Amazon Detective maintains up to a year of aggregated data that shows changes in the type and volume of activity over a selected time window, links those changes to security findings, and presents them in easy-to-use visualizations. Amazon Detective also automatically processes terabytes of event data about IP traffic, AWS management operations, and malicious or unauthorized activity. It organizes that data into a graph model that summarizes the security-related relationships in the user's AWS environment, then queries this model to create the visualizations used in investigations. The graph model is continuously updated as new data becomes available from AWS resources, so users spend less time managing constantly changing data. Amazon Detective further presents a unified view of user and resource interactions over time, with all context and details in one place, to help users quickly analyze and get to the root cause of a security finding. For example, an Amazon GuardDuty finding such as an unusual ConsoleLogin API call can be investigated in Amazon Detective with details about the API call trend over time and the user's login attempts plotted on a geolocation map. Those details let users quickly decide whether the activity is legitimate or an indication of a compromised AWS resource, which makes investigations faster and more effective.

System Requirements

  • Any Operating System(Mac, Windows, Linux)

This recipe explains Amazon Detective and the use cases of Amazon Detective.

Use cases of Amazon Detective

    • Threat hunting

Threat hunting is the proactive analysis that uncovers hidden threats based on specific clues or hypotheses. Amazon Detective helps with threat hunting by letting users focus on specific resources such as IP addresses, AWS accounts, VPCs, and EC2 instances, and by providing detailed visualizations of the activity associated with those resources. Amazon Detective also supports the hunting process with time-based analysis: users can drill into a specific time window, see all activity during that period, and spot changes from the norm.

    • Incident investigation

Some security findings require deep investigation to determine the extent of the malicious activity, its impact, and its underlying cause. When a finding is raised by an AWS security service such as Amazon GuardDuty, users can go to Amazon Detective and immediately see the context and activity related to that finding, drill down into relevant historical activity to identify unusual patterns, and quickly determine the nature and extent of the root cause and the activity that contributed to the finding.

    • Triage of security findings

Triage is usually the first phase of the investigation process and decides whether a finding is a real security issue or a false positive. Using Amazon Detective visualizations, users can see which resources, IP addresses, and AWS accounts are connected to a finding, which related findings exist, and what activity occurred close in time or location to the finding, so they can quickly decide whether it represents actual malicious activity or a false positive.
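The three use cases above all come down to the same two ideas: a graph whose nodes are entities (instances, IP addresses, accounts) and whose edges are observed interactions, plus a comparison of a scope window against a longer baseline. The following Python is an added, offline toy that reconstructs that analysis over a handful of VPC Flow Log records; it is not Amazon Detective's code or API, and the flow records, the ENI-to-instance mapping, the instance IDs and the stand-in finding are all constructed for the example. It answers the page's own question ("is this spike in traffic from this instance expected?"), lists the remote addresses first seen in the scope window, pivots from a finding to the connected entities, and pivots from one IP address to every instance that talked to it.

```python
"""Toy, offline reconstruction of the graph-plus-time-window analysis described
above. Added example: NOT Amazon Detective's implementation or API."""
from collections import defaultdict
from dataclasses import dataclass

DAY = 86400
T0 = 1700000000  # constructed epoch start of the baseline period

# Constructed VPC Flow Log records in the default version-2 format (not real
# traffic). Four quiet baseline days for instance A on port 443, then a scope
# day with a volume spike to port 4444 and two never-seen-before remote IPs;
# instance B talks to the same suspicious IP; a NODATA record must be skipped.
FLOW_LOG_RECORDS = f"""\
2 123456789012 eni-0a1b2c3d 10.0.1.15 93.184.216.34 49152 443 6 20 4000 {T0} {T0 + 60} ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 93.184.216.34 49153 443 6 22 4400 {T0 + DAY} {T0 + DAY + 60} ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 93.184.216.34 49154 443 6 18 3600 {T0 + 2*DAY} {T0 + 2*DAY + 60} ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 93.184.216.34 49155 443 6 21 4200 {T0 + 3*DAY} {T0 + 3*DAY + 60} ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.7 49160 4444 6 900 1800000 {T0 + 4*DAY} {T0 + 4*DAY + 300} ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.9 49161 443 6 25 5000 {T0 + 4*DAY + 100} {T0 + 4*DAY + 160} ACCEPT OK
2 123456789012 eni-0f9e8d7c 10.0.2.40 198.51.100.7 49170 4444 6 30 6000 {T0 + 4*DAY + 200} {T0 + 4*DAY + 260} ACCEPT OK
2 123456789012 eni-0f9e8d7c - - - - - - - {T0 + 4*DAY + 200} {T0 + 4*DAY + 800} - NODATA
"""

# Hypothetical ENI -> instance mapping: the kind of context Detective joins in
# from EC2/CloudTrail so that flows attach to an instance entity, not just an ENI.
ENI_TO_INSTANCE = {"eni-0a1b2c3d": "i-0aaaaaaaaaaaaaaaa", "eni-0f9e8d7c": "i-0bbbbbbbbbbbbbbbb"}

# Constructed stand-in for a GuardDuty finding on instance A during the scope day.
FINDING = {"type": "Backdoor:EC2/C&CActivity.B", "instance": "i-0aaaaaaaaaaaaaaaa", "time": T0 + 4 * DAY + 100}


@dataclass(frozen=True)
class Flow:
    instance: str
    remote_ip: str
    dst_port: int
    nbytes: int
    start: int


def parse_flow_logs(text, eni_to_instance):
    """Parse default-format records; keep only OK records from ENIs we can map.
    The sample is egress-only, so dstaddr is taken as the remote side."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK" or f[2] not in eni_to_instance:
            continue
        flows.append(Flow(eni_to_instance[f[2]], f[4], int(f[6]), int(f[9]), int(f[10])))
    return flows


def build_graph(flows):
    """Behaviour-graph sketch: instance -> {remote_ip -> [Flow, ...]}."""
    graph = defaultdict(lambda: defaultdict(list))
    for fl in flows:
        graph[fl.instance][fl.remote_ip].append(fl)
    return graph


def investigate_instance(graph, instance, scope_start, scope_end, spike_factor=3.0):
    """Time-based analysis: compare the scope window with the baseline before it.
    Returns bytes/day in the baseline, bytes in scope, a spike verdict, and the
    remote addresses that were never seen before the scope window."""
    baseline_days, baseline_ips, scope_ips, scope_bytes = defaultdict(int), set(), set(), 0
    for ip, flows in graph[instance].items():
        for fl in flows:
            if fl.start < scope_start:
                baseline_days[fl.start // DAY] += fl.nbytes
                baseline_ips.add(ip)
            elif fl.start < scope_end:
                scope_bytes += fl.nbytes
                scope_ips.add(ip)
    baseline_avg = sum(baseline_days.values()) / len(baseline_days) if baseline_days else 0.0
    return {
        "instance": instance,
        "baseline_bytes_per_day": baseline_avg,
        "scope_bytes": scope_bytes,
        "is_spike": baseline_avg > 0 and scope_bytes > spike_factor * baseline_avg,
        "new_remote_ips": sorted(scope_ips - baseline_ips),
    }


def triage_finding(graph, finding, window=3600):
    """Entities connected to a finding: remote IPs the instance spoke to within
    +/- window seconds of the finding, and other instances sharing those IPs."""
    inst, t = finding["instance"], finding["time"]
    related = {ip for ip, flows in graph[inst].items() if any(abs(fl.start - t) <= window for fl in flows)}
    pivots = sorted(o for o, nbrs in graph.items() if o != inst and related & set(nbrs))
    return {"instance": inst, "remote_ips": sorted(related), "other_instances_sharing_ips": pivots}


def pivot_on_ip(graph, ip):
    """Threat-hunting pivot: every (instance, start, dst_port) that touched ip."""
    return sorted((inst, fl.start, fl.dst_port) for inst, nbrs in graph.items() for fl in nbrs.get(ip, []))


if __name__ == "__main__":
    g = build_graph(parse_flow_logs(FLOW_LOG_RECORDS, ENI_TO_INSTANCE))
    print(investigate_instance(g, FINDING["instance"], T0 + 4 * DAY, T0 + 5 * DAY))
    print(triage_finding(g, FINDING))
    print(pivot_on_ip(g, "198.51.100.7"))
```

On this constructed input the baseline for instance A is 4050 bytes/day, the scope day carries 1,805,000 bytes (a spike under the 3x rule), both 198.51.100.7 and 203.0.113.9 are new, and the IP pivot shows instance B talking to the same 198.51.100.7:4444, which is the kind of lateral link that turns a single finding into a wider investigation. The spike factor and the one-hour triage window are arbitrary parameters of this toy; Detective's own baselines come from its graph model and the up-to-one-year history noted above.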
