Amazon's ML-Based 'Detective' Security Service Goes GA
Amazon announced the general availability of a new managed security service that uses machine learning (ML) models to create graphical representations of account behaviors.
The new Amazon Detective service, which had been available in preview since December, aims to provide users with answers to such questions as: "Is this an unusual API call for this role?" and "Is this spike in traffic from this instance expected?"
Originally unveiled at the 2019 re:Invent conference, Amazon Detective uses ML to investigate security events across a user's entire Amazon Web Services (AWS) environment. It automatically collects log data from AWS resources and uses ML, statistical analysis and graph theory to build a linked set of data that enables users to conduct faster and more efficient security investigations.
The tool is designed to mine information from multiple AWS data stores -- AWS CloudTrail, AWS GuardDuty, and Amazon VPC Flow Logs -- and create visualizations that show the origins and impacts of specific security events.
Unlike other AWS services, such as Macie and GuardDuty, which simply identify security weaknesses and send alerts, Amazon Detective is designed for situations in which it's necessary to analyze "large quantities of AWS log data to determine the cause and impact of a security issue," explained Sébastien Stormacq, AWS developer evangelist, in a blog post.
Such situations normally require significant scripting work, the use of ETL and SIEM tools, and proficiency in data science to organize and contextualize all the relevant information. Amazon Detective, Stormacq explained, automates that process.
"Amazon Detective uses machine learning models to produce graphical representations of your account behavior and helps you to answer questions such as 'is this an unusual API call for this role?' or 'is this spike in traffic from this instance expected?'" he wrote. "You do not need to write code, to configure or to tune your own queries."
Users can run Amazon Detective across as many as 1,000 AWS accounts, giving them a comprehensive view of their entire cloud environment. They can also keep data visualizations for up to one year, useful for tracking log behaviors over a long term.
Amazon Detective is currently available in these 14 regions: US East (Ohio), US East (N. Virginia), US West (N. California), US West (Oregon), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), Canada (Central), and South America (São Paulo). More information is available here.