Amazon Detective – Machine Learning applied to Security

Amazon Detective is an AWS security service that applies machine learning to security investigation data.

Amazon Detective automatically collects log data from a customer’s resources and uses machine learning, statistical analysis, and graph theory to build interactive visualizations that help customers analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. There are no additional charges or upfront commitments required to use Amazon Detective; customers pay only for the data ingested from AWS CloudTrail, Amazon Virtual Private Cloud (VPC) Flow Logs, and Amazon GuardDuty findings.

When customers face a security issue like compromised user credentials or unauthorized access to a resource, security teams must conduct an investigation to understand the cause, assess the impact, and determine the remediation steps. Before an investigation can even begin, customers must first collect and combine terabytes of potentially relevant data from network, application, and security monitoring systems, and make it available in a way that allows their security analysts to infer related anomalies.

Amazon Detective produces tailored visualizations to help customers answer questions like “is this an unusual API call?” or “is this spike in traffic from this instance expected?” without having to organize any data or develop, configure, or tune their own queries and algorithms. Amazon Detective’s visualizations provide the details, context, and guidance to help analysts quickly determine the nature and extent of issues identified by AWS security services like AWS Security Hub.
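The two questions quoted above are both baseline comparisons: what has this principal called before, and how much traffic does this instance normally send? The following is an added, simplified illustration of that idea, not Amazon Detective's own models or code. It builds a per-principal baseline from constructed CloudTrail-like records and a per-instance byte baseline from constructed VPC Flow Log-like windows, then flags new observations that fall outside them. All records, ARNs, instance ids, and thresholds are constructed assumptions.

```python
"""Toy baseline checks for "is this an unusual API call?" and "is this spike
in traffic expected?". Added illustration only; this is not how Amazon
Detective itself scores events."""
import statistics
from collections import Counter, defaultdict

# Constructed CloudTrail-like history: (userIdentity ARN, eventSource, eventName).
API_HISTORY = [
    ("arn:aws:iam::111122223333:user/alice", "s3.amazonaws.com", "GetObject"),
    ("arn:aws:iam::111122223333:user/alice", "s3.amazonaws.com", "GetObject"),
    ("arn:aws:iam::111122223333:user/alice", "s3.amazonaws.com", "ListBucket"),
    ("arn:aws:iam::111122223333:user/alice", "s3.amazonaws.com", "GetObject"),
    ("arn:aws:iam::111122223333:user/bob", "ec2.amazonaws.com", "DescribeInstances"),
    ("arn:aws:iam::111122223333:user/bob", "ec2.amazonaws.com", "DescribeInstances"),
]

# Constructed VPC Flow Log-like history: (instance id, outbound bytes per 5-minute window).
FLOW_HISTORY = [
    ("i-0123456789abcdef0", 12_000),
    ("i-0123456789abcdef0", 15_000),
    ("i-0123456789abcdef0", 11_000),
    ("i-0123456789abcdef0", 14_000),
    ("i-0123456789abcdef0", 13_000),
]


def build_api_baseline(events):
    """Count how often each principal has made each (eventSource, eventName) call."""
    baseline = defaultdict(Counter)
    for principal, source, name in events:
        baseline[principal][(source, name)] += 1
    return dict(baseline)


def unusual_api_call(baseline, principal, source, name, min_seen=2):
    """True when the principal has never, or only rarely, made this call before.
    An unknown principal is also treated as unusual (no history to compare against)."""
    seen = baseline.get(principal, Counter())[(source, name)]
    return seen < min_seen


def build_flow_baseline(records):
    """Per-instance mean and population standard deviation of bytes per window."""
    per_instance = defaultdict(list)
    for instance, nbytes in records:
        per_instance[instance].append(nbytes)
    return {
        inst: (statistics.mean(vals), statistics.pstdev(vals))
        for inst, vals in per_instance.items()
        if len(vals) >= 2  # need at least two windows for a spread estimate
    }


def traffic_spike(baseline, instance, nbytes, z_threshold=3.0):
    """True when a window's byte count sits more than z_threshold standard
    deviations above the instance's historical mean (or the instance has no history)."""
    if instance not in baseline:
        return True
    mean, sd = baseline[instance]
    if sd == 0:
        return nbytes > mean  # constant history: any increase is a deviation
    return (nbytes - mean) / sd > z_threshold


def triage(api_baseline, flow_baseline, new_api_events, new_flow_records):
    """Return human-readable findings for every new observation outside its baseline."""
    findings = []
    for principal, source, name in new_api_events:
        if unusual_api_call(api_baseline, principal, source, name):
            findings.append(f"unusual API call: {principal} -> {source}:{name}")
    for instance, nbytes in new_flow_records:
        if traffic_spike(flow_baseline, instance, nbytes):
            findings.append(f"traffic spike: {instance} sent {nbytes} bytes in one window")
    return findings


if __name__ == "__main__":
    api_b = build_api_baseline(API_HISTORY)
    flow_b = build_flow_baseline(FLOW_HISTORY)
    # Constructed new observations to check against the baselines.
    new_api = [
        ("arn:aws:iam::111122223333:user/alice", "s3.amazonaws.com", "GetObject"),
        ("arn:aws:iam::111122223333:user/alice", "iam.amazonaws.com", "CreateAccessKey"),
    ]
    new_flow = [("i-0123456789abcdef0", 16_000), ("i-0123456789abcdef0", 90_000)]
    for line in triage(api_b, flow_b, new_api, new_flow):
        print(line)
```

The point of the toy is the shape of the analysis, not the thresholds: a real investigation tool learns these baselines across far more dimensions (time of day, source IP, geolocation, peer principals) and over much longer windows, and presents the deviation in context rather than as a yes/no flag.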