Amazon Detective simplifies the analysis, investigation, and rapid identification of the root cause of potential security issues or suspicious activities. It collects log data from your AWS resources automatically and then uses machine learning, statistical analysis, and graph theory to create a linked set of data that allows you to conduct faster and more efficient security investigations.
In this blog, we will be discussing Amazon Detective:
- What is Amazon Detective?
- How does it work?
- Features
- Benefits
- Use Cases
- Security
- Pricing
- Frequently Asked Questions
What is Amazon Detective?
To identify potential security issues or findings, AWS security services such as Amazon GuardDuty, Amazon Macie, and AWS Security Hub, as well as partner security products, can be used. These services are extremely useful in notifying you when something is wrong and directing you to the appropriate location to correct it.
Amazon Detective makes this process easier by allowing your security teams to easily investigate and quickly get to the bottom of a finding. It can analyze trillions of events from multiple data sources, including Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, Amazon Elastic Kubernetes Service (Amazon EKS) audit logs, and Amazon GuardDuty findings, and automatically creates a unified, interactive view of your resources, users, and their interactions over time.
With a few clicks in the AWS Console, you can get started with Amazon Detective. There is no software to install, nor are there any data sources to enable and maintain.
How does Amazon Detective work?
- Detective extracts time-based events such as API calls, log-in attempts, and network traffic from data sources and applies machine learning and visualization to create a view of everyday resource interactions and behaviors over time. Amazon GuardDuty, Amazon Inspector, and AWS Security Hub are the services that provide the security alerts and monitoring it builds on.
- Amazon GuardDuty manages threat detection, provides continuous monitoring for unusual or malicious behavior, and safeguards AWS accounts against port scanning, penetration testing, and even bitcoin mining.
- Amazon Inspector provides application-level security assessments and improves AWS's overall security by automating network and host-based security analysis.
- AWS Security Hub collects security data from AWS and other sources to assist in identifying trends and establishing a more advanced security posture, allowing you to respond to a broader range of security threats.
- Amazon Detective allows you to investigate security events or potential threats from a variety of sources. Detective collects and integrates terabytes of log data, transforms it for analysis, and provides visualizations to aid in the detection of anomalies.
Features-
- Automatic data collection across all your AWS accounts- Amazon Detective collects and analyzes events from data sources such as AWS CloudTrail logs, Amazon VPC Flow Logs, Amazon EKS audit logs, and Amazon GuardDuty findings, and stores aggregated data for up to a year for analysis.
- Consolidates disparate events into a graph model- Amazon Detective can analyze trillions of events about IP traffic, AWS management operations, and malicious or unauthorized activity from many different data sources to build a graph model that distills log data using machine learning, statistical analysis, and graph theory to build a linked set of data for security investigations.
- Interactive visualizations for efficient investigation- Amazon Detective includes interactive visualizations that allow you to investigate issues more quickly and thoroughly while exerting less effort. Large sets of event data can be easily filtered into specific timelines, with all the details, context, and guidance you need to investigate quickly.
- Seamless integration for investigating a security finding- Amazon Detective is integrated with AWS security services such as Amazon GuardDuty and AWS Security Hub, as well as AWS partner security products, to assist in the rapid investigation of security findings identified in these services.
- Simple deployment with no upfront data source integration or complex configurations to maintain- There is no software to install, no agents to set up, and no complex arrangements to maintain. There are no data sources to enable, so you won’t have to pay for data source activation, data transfer, or data storage.
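To make the graph-model idea above concrete, here is an added example (not code from the original post or from AWS) that builds a toy behavior graph from constructed log records: IP addresses, IAM principals, network interfaces and findings become nodes, each log record becomes one or more timestamped edges, and an investigation is a pivot outward from a finding rather than a search through raw logs. The records are constructed; the CloudTrail and GuardDuty shapes are simplified subsets of the real ones, while the VPC Flow Log lines follow the default v2 field order.

```python
"""Toy behavior graph built from constructed AWS log records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# --- Constructed sample records ---------------------------------------------

# CloudTrail-style events, reduced to the fields this example uses.
CLOUDTRAIL = [
    {"eventTime": "2024-03-01T10:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-role"}},
    {"eventTime": "2024-03-01T10:05:00Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]

# VPC Flow Log records in the default v2 field order: version account-id
# interface-id srcaddr dstaddr srcport dstport protocol packets bytes
# start end action log-status
FLOW_LOGS = [
    "2 111122223333 eni-0a1b2c3d 198.51.100.10 10.0.1.5 51234 22 6 20 1600 "
    "1709287260 1709287320 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d 10.0.1.5 10.0.2.9 44000 443 6 12 3000 "
    "1709287300 1709287360 ACCEPT OK",
]

# GuardDuty-style findings, simplified to the entities they reference.
FINDINGS = [
    {"id": "finding-0001", "type": "UnauthorizedAccess:EC2/SSHBruteForce",
     "time": "2024-03-01T10:02:00Z", "eni": "eni-0a1b2c3d",
     "remoteIp": "198.51.100.10"},
]


def parse_iso(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class BehaviorGraph:
    """Undirected graph whose edges carry a label and a timestamp."""

    def __init__(self):
        self.adj = defaultdict(list)  # node -> [(neighbor, label, time)]

    def add_edge(self, a, b, label, when):
        self.adj[a].append((b, label, when))
        self.adj[b].append((a, label, when))

    def neighbors(self, node, start=None, end=None):
        """Neighbors reachable over edges whose timestamp lies in [start, end]."""
        return sorted({n for n, _, t in self.adj[node]
                       if (start is None or t >= start) and (end is None or t <= end)})

    def pivot(self, node, hops, start=None, end=None):
        """Entities within `hops` steps of `node`, restricted to the time window."""
        seen, frontier = {node}, {node}
        for _ in range(hops):
            frontier = {n for f in frontier for n in self.neighbors(f, start, end)} - seen
            seen |= frontier
        return seen - {node}


def build_graph(cloudtrail, flow_logs, findings) -> BehaviorGraph:
    g = BehaviorGraph()
    for ev in cloudtrail:  # who called which API from which address
        g.add_edge("principal:" + ev["userIdentity"]["arn"],
                   "ip:" + ev["sourceIPAddress"],
                   "api:" + ev["eventName"], parse_iso(ev["eventTime"]))
    for line in flow_logs:  # which addresses talked to which interface
        f = line.split()
        when = datetime.fromtimestamp(int(f[10]), tz=timezone.utc)
        label = f"flow:{f[12]} dstport {f[6]}"
        g.add_edge("ip:" + f[3], "eni:" + f[2], label, when)
        g.add_edge("eni:" + f[2], "ip:" + f[4], label, when)
    for fd in findings:  # which entities a finding names
        when = parse_iso(fd["time"])
        g.add_edge("finding:" + fd["id"], "eni:" + fd["eni"], fd["type"], when)
        g.add_edge("finding:" + fd["id"], "ip:" + fd["remoteIp"], fd["type"], when)
    return g


def triage(graph, finding_id, minutes=30, hops=2):
    """Group the entities around a finding by type, limited to activity within
    +/- `minutes` of the finding's timestamp (the 'nearby in time' view)."""
    node = "finding:" + finding_id
    when = min(t for _, _, t in graph.adj[node])
    window = timedelta(minutes=minutes)
    grouped = defaultdict(list)
    for ent in sorted(graph.pivot(node, hops, when - window, when + window)):
        kind, _, value = ent.partition(":")
        grouped[kind].append(value)
    return dict(grouped)


if __name__ == "__main__":
    g = build_graph(CLOUDTRAIL, FLOW_LOGS, FINDINGS)
    for kind, values in triage(g, "finding-0001").items():
        print(f"{kind:10} {', '.join(values)}")
```

Pivoting two hops from the finding reaches the IAM role that made API calls from the probing address, but not the unrelated user `alice`; narrowing the time window to start after the CloudTrail event drops the role again, which is the same filter-by-timeline behaviour the post describes.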
Benefits-
- Faster and more effective investigations- Amazon Detective provides a unified view of user and resource interactions over time, with all context and details in one place, to assist you in quickly analyzing and determining the root cause of a security finding.
- Save time and effort with continuous data updates- Amazon Detective automatically processes terabytes of IP traffic, AWS management operations, and malicious or unauthorized activity event data records. It organizes the data into a graph model that summarizes all of your AWS security-related relationships.
- Easy to use visualizations- Amazon Detective keeps aggregated data for up to a year that shows changes in the type and volume of activity over a specified time period and links those changes to security findings. Amazon Detective generates visualizations containing the data required to investigate and respond to security findings.
Use cases-
- Triage security findings- Triage is frequently the first stage of the investigation process. It is used to determine whether the discovery is a genuine security issue or a false positive. Using Amazon Detective visualizations, you can quickly determine whether a finding is malicious or a false positive by seeing what resources, IP addresses, and AWS accounts are associated with it, as well as related findings and activity that occurred nearby in time or location.
- Incident investigation- When AWS Security services such as Amazon GuardDuty identify a finding, you can immediately go to Amazon Detective and see the context and activity related to the finding, drill down into relevant historical activities to identify unusual patterns, and quickly determine the nature and extent of the root cause and the activity that contributed to the finding.
- Threat hunting- Threat hunting is a proactive analysis that seeks out hidden threats based on specific clues or hypotheses. Amazon Detective aids in threat hunting by allowing you to focus on specific resources such as IP addresses, AWS accounts, VPCs, and EC2 instances, as well as providing detailed visualizations of activities associated with those resources.
Security in Amazon Detective-
AWS prioritizes cloud security above all else. As an AWS customer, you have access to a data center and network architecture designed to meet the needs of the most security-conscious organizations.
Security is a shared responsibility between AWS and you. The shared responsibility model describes this as security of the cloud and security in the cloud:
- Security of the cloud – AWS is in charge of safeguarding the infrastructure that supports AWS services in the AWS Cloud. AWS also offers services that can be used securely.
- Security in the cloud – The AWS service that you use determines your responsibility. Other factors, such as the sensitivity of your data, your company's requirements, and applicable laws and regulations, are also your responsibility.
Pricing-
The price of Amazon Detective is based on the volume of data ingested from AWS CloudTrail logs, Amazon VPC Flow Logs, Amazon Elastic Kubernetes Service (Amazon EKS) audit logs, and Amazon GuardDuty findings. You are charged per gigabyte (GB) ingested, per account, per region, per month. Enabling these log sources is free of charge.
At the time of writing, Detective charges the following tiered rates for data ingested into the behavior graph from CloudTrail, VPC Flow Logs, and GuardDuty:
- First 1000 GB $2.00/GB
- Next 4000 GB $1.00/GB
- Next 5000 GB $0.50/GB
- Over 10,000 GB $0.25/GB
There is a fully featured Amazon Detective 30-Day Free trial available.
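The tiers above are marginal rates, so a month's bill is not simply volume times one price. The following added example (not from the original post or from AWS) works the calculation through; it uses the tier boundaries and prices listed above and assumes they apply to the gigabytes ingested per account, per region, per month, with the 30-day free trial ignored. Check the current AWS price list before relying on the numbers.

```python
"""Tiered monthly cost estimate for Amazon Detective ingestion (added example)."""

# (tier size in GB, price per GB); a size of None marks the open-ended top tier.
# Values are the ones quoted in the post above; assumed to apply per account,
# per region, per month.
TIERS = [
    (1000, 2.00),   # first 1,000 GB
    (4000, 1.00),   # next 4,000 GB
    (5000, 0.50),   # next 5,000 GB
    (None, 0.25),   # everything over 10,000 GB
]


def cost_breakdown(gb_ingested: float):
    """Return [(tier_start_gb, gb_in_tier, cost_for_tier), ...] for one
    account/region/month, walking the volume through each marginal tier."""
    if gb_ingested < 0:
        raise ValueError("ingested volume cannot be negative")
    remaining, start, rows = gb_ingested, 0, []
    for size, price in TIERS:
        if remaining <= 0:
            break
        portion = remaining if size is None else min(remaining, size)
        rows.append((start, portion, round(portion * price, 2)))
        remaining -= portion
        start += portion
    return rows


def monthly_cost(gb_ingested: float) -> float:
    return round(sum(cost for _, _, cost in cost_breakdown(gb_ingested)), 2)


def effective_rate(gb_ingested: float) -> float:
    """Blended $/GB, useful for comparing against a flat-rate budget."""
    return round(monthly_cost(gb_ingested) / gb_ingested, 4) if gb_ingested else 0.0


def estimate_from_daily(daily_gb_by_source: dict, days: int = 30) -> float:
    """Monthly cost from an estimated daily volume per source (CloudTrail,
    VPC Flow Logs, EKS audit logs, GuardDuty findings). Sources are summed
    first because the tiers apply to the total ingested volume."""
    return monthly_cost(sum(daily_gb_by_source.values()) * days)


if __name__ == "__main__":
    for gb in (500, 3000, 12000):
        print(f"{gb:>6} GB -> ${monthly_cost(gb):>8.2f}  (${effective_rate(gb):.4f}/GB)")
    # Constructed daily volumes for one busy account/region.
    daily = {"cloudtrail": 20, "vpc_flow": 150, "eks_audit": 10, "guardduty": 0.1}
    print(f"estimated month: ${estimate_from_daily(daily):.2f}")
```

The breakdown form is the one to keep in a cost report: 12,000 GB in a month costs $2,000 + $4,000 + $2,500 + $500 = $9,000, a blended $0.75/GB, which is well below the headline $2.00/GB first-tier price.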
Frequently Asked Questions-
Q1: Is Amazon Detective a regional or global service?
Ans: Amazon Detective must be enabled region by region and allows you to quickly analyze activity across all of your accounts in each region. This ensures that all data analyzed is local and does not cross AWS regional boundaries.
Q2: Can I manage multiple accounts with Amazon Detective?
Ans: Yes, Amazon Detective is a multi-account service that collects data from monitored member accounts and aggregates it under a single administrative account in the same region. Multi-account monitoring deployments can be configured in the same way that administrative and member accounts are configured in Amazon GuardDuty and AWS Security Hub.
Q3: Can I use Amazon Detective if I do not have Amazon GuardDuty enabled?
Ans: Before you can enable Amazon Detective on your accounts, you must first have had Amazon GuardDuty enabled on those accounts for at least 48 hours. You can, however, use Amazon Detective to look into more than just your Amazon GuardDuty findings. Amazon Detective generates detailed summaries, analyses, and visualizations of your AWS accounts, EC2 instances, AWS users, roles, and IP address behaviors and interactions.
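Q2 and Q3 together describe the administrator/member deployment: one behavior graph per administrator account and region, member accounts invited into it, and GuardDuty enabled beforehand. The following added example (not from the original post or from AWS) scripts that setup. It is written against the boto3 `detective` client calls `list_graphs`, `create_graph`, `create_members` and `list_members` and the response shapes as this editor understands them, which is an assumption to check against the boto3 documentation; the client is injected so the workflow can be exercised offline against the constructed stub included below, and the graph ARN in the stub is a placeholder.

```python
"""Enable a Detective administrator graph and invite member accounts (added example)."""


def ensure_graph(client) -> str:
    """Reuse this account's behavior graph in the current region, or create it.
    A graph is regional (Q1), so run this once per region you monitor."""
    existing = client.list_graphs().get("GraphList", [])
    if existing:
        return existing[0]["Arn"]
    return client.create_graph()["GraphArn"]


def invite_members(client, members, message="Please accept the Amazon Detective invitation."):
    """members: iterable of (account_id, email). Returns (graph_arn, invited, failed),
    where `failed` maps account IDs to the reason the service could not process them
    (for example, GuardDuty not yet enabled long enough, per Q3)."""
    graph_arn = ensure_graph(client)
    resp = client.create_members(
        GraphArn=graph_arn,
        Message=message,
        Accounts=[{"AccountId": acct, "EmailAddress": email} for acct, email in members],
    )
    invited = sorted(m["AccountId"] for m in resp.get("Members", []))
    failed = {u["AccountId"]: u["Reason"] for u in resp.get("UnprocessedAccounts", [])}
    return graph_arn, invited, failed


def member_status(client, graph_arn) -> dict:
    """Map each member account to its status so the admin can chase unaccepted invitations."""
    return {m["AccountId"]: m["Status"]
            for m in client.list_members(GraphArn=graph_arn).get("MemberDetails", [])}


class StubDetectiveClient:
    """Offline stand-in mimicking the response shapes used above (constructed)."""

    PLACEHOLDER_ARN = "arn:aws:detective:us-east-1:111122223333:graph:PLACEHOLDER"

    def __init__(self, graph_arns=(), reject=()):
        self.graphs = list(graph_arns)
        self.reject = set(reject)      # account IDs the stub refuses to invite
        self.members = []

    def list_graphs(self):
        return {"GraphList": [{"Arn": a} for a in self.graphs]}

    def create_graph(self):
        self.graphs.append(self.PLACEHOLDER_ARN)
        return {"GraphArn": self.PLACEHOLDER_ARN}

    def create_members(self, GraphArn, Message, Accounts):
        ok = [a for a in Accounts if a["AccountId"] not in self.reject]
        bad = [a for a in Accounts if a["AccountId"] in self.reject]
        self.members.extend({"AccountId": a["AccountId"], "Status": "INVITED"} for a in ok)
        return {
            "Members": [{"AccountId": a["AccountId"], "GraphArn": GraphArn,
                         "Status": "INVITED"} for a in ok],
            "UnprocessedAccounts": [{"AccountId": a["AccountId"],
                                     "Reason": "constructed: prerequisite not met"} for a in bad],
        }

    def list_members(self, GraphArn):
        return {"MemberDetails": list(self.members)}


if __name__ == "__main__":
    import boto3  # real client; needs credentials for the administrator account
    detective = boto3.client("detective", region_name="us-east-1")
    arn, invited, failed = invite_members(detective, [("444455556666", "security@example.com")])
    print(arn, invited, failed, member_status(detective, arn))
```

Each member account still has to accept its invitation before its data flows into the administrator's graph, so `member_status` is the check to run afterwards; repeating the script is safe because `ensure_graph` reuses the existing graph instead of creating a second one.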
The post Amazon Detective: Overview, Working, Use Cases, & Many More appeared first on Cloud Training Program.