The RSA Conference 2024 last week was dubbed the artificial intelligence security show, and rightfully so, as AI was prevalent across keynotes, sessions and the show floor. That’s all fine and dandy, but it’s important to understand that the engine that drives AI is data.
Last year, Amazon Web Services Inc. announced Amazon Security Lake, to provide efficient security data management that would enable its customers to conduct proactive threat analysis of their data. And at RSAC, the cloud leader issued a raft of updates.
Security Lake is a centralized repository for security data from various sources, including those hosted in AWS environments, with software-as-a-service providers, in the cloud or on-premises. The idea is that consolidating data storage within the customer’s AWS account streamlines investigation and response to security events.
At RSAC, I talked to Mark Terenzoni, general manager of security services at AWS, about Amazon Security Lake and the updates. He told me the product is off to a fast start.
To build the product, Amazon worked with many top security companies to co-develop an open-source security framework called OCSF, for Open Cybersecurity Schema Framework. “OCSF currently has more than 700 participants from over 200 organizations, all open source, and it’s that community developing the schema,” he told me. “This is important because security logs and data come from different places and should have a common language to run analytics on, which reduces the cycle time to get the best results and outcomes.”
He added that Amazon Security Lake is built for customers to bring all of their security data in a democratized fashion, and it’s stored in their own S3 bucket, so they have full control of it.
This noble goal has some real-life benefits. Such a setup provides security teams with enhanced visibility and efficiency, enabling them to respond more effectively to security events and ultimately improving overall security posture.
Understanding security posture
AWS used the ad conglomerate Interpublic Group as an example in its blog post. IPG employs Security Lake to understand its security posture across hybrid environments. According to AWS, before adopting Security Lake the company faced challenges managing diverse log data sources.
With Security Lake up and running, the IPG security team can consolidate and analyze security-related data to better manage its security landscape. Security Lake also helps with incident investigation by automating the centralization of security data from AWS environments and third-party logging sources.
AWS says SEEK, an Australian online employment marketplace, uses Security Lake to streamline incident investigations and reduce the mean response time. With Security Lake, SEEK was able to identify potential security incidents faster and scale security operations more effectively.
Helping with compliance
Security Lake helps with log retention strategies for customers who must store large volumes of security logs to meet compliance requirements. It provides customizable retention settings and automated storage tiering to optimize storage costs and security analytics. By automatically partitioning and converting incoming security data into a storage and query-efficient format, it enhances query performance for security analytics.
By aggregating security events across different data sources, Security Lake enables analysts to correlate events and identify attack patterns more easily and earlier, moving the responsibility for maintaining secure coding and infrastructure to the development phase.
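To make the two points above concrete (a common schema so that logs from different places can be analyzed together, and cross-source correlation to spot an attack pattern), here is an added example that is not code from AWS, the OCSF project or the article. It normalizes two constructed raw log formats into simplified OCSF-style Authentication events and then runs one correlation rule over the combined set. The field names and numeric ids (class_uid 3002 for Authentication, activity_id 1 for Logon, status_id 1/2 for success/failure) follow the OCSF conventions as I understand them and are an assumption here; the source names "legacy-vpn" and "corp-sso" and every log value are constructed for the illustration.

```python
"""Normalize heterogeneous security logs into OCSF-style events and correlate them.

Added illustration, not code from AWS or the OCSF project. The two raw log
formats and every event value below are constructed; the field names follow
OCSF naming conventions as understood by the author of this example, and the
numeric ids assume OCSF's Authentication class (class_uid 3002).
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed raw log lines from two hypothetical sources: a "legacy-vpn" JSON
# log and a "corp-sso" key=value log. Both describe the same kind of activity
# (a user logon attempt) but in different shapes and vocabularies.
RAW_LOGS = [
    ("legacy-vpn", '{"ts":"2024-05-13T09:00:01Z","user":"alice","ip":"203.0.113.7","result":"FAIL"}'),
    ("legacy-vpn", '{"ts":"2024-05-13T09:00:05Z","user":"alice","ip":"203.0.113.7","result":"FAIL"}'),
    ("legacy-vpn", '{"ts":"2024-05-13T09:00:09Z","user":"alice","ip":"203.0.113.7","result":"FAIL"}'),
    ("corp-sso",   "time=2024-05-13T09:01:30Z user=alice src=203.0.113.7 outcome=success"),
    ("corp-sso",   "time=2024-05-13T09:05:00Z user=bob src=198.51.100.2 outcome=success"),
]

OCSF_AUTHENTICATION = 3002              # OCSF class_uid for Authentication (assumed)
ACTIVITY_LOGON = 1                      # OCSF activity_id: Logon (assumed)
STATUS_SUCCESS, STATUS_FAILURE = 1, 2   # OCSF status_id values (assumed)


def _to_epoch_ms(iso: str) -> int:
    """Convert an ISO-8601 UTC timestamp ('...Z') to epoch milliseconds."""
    return int(datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp() * 1000)


def _event(product, when, user, ip, ok):
    """Build one OCSF-shaped Authentication event (simplified subset of fields)."""
    return {
        "class_uid": OCSF_AUTHENTICATION,
        "activity_id": ACTIVITY_LOGON,
        "status_id": STATUS_SUCCESS if ok else STATUS_FAILURE,
        "time": _to_epoch_ms(when),
        "metadata": {"product": {"name": product}, "version": "1.1"},
        "actor": {"user": {"name": user}},
        "src_endpoint": {"ip": ip},
    }


def normalize(source: str, line: str) -> dict:
    """Map one raw log line from a known source into the common schema."""
    if source == "legacy-vpn":
        rec = json.loads(line)
        # "OK"/"FAIL" is this constructed source's own result vocabulary.
        return _event(source, rec["ts"], rec["user"], rec["ip"], rec["result"] == "OK")
    if source == "corp-sso":
        kv = dict(tok.split("=", 1) for tok in line.split())
        return _event(source, kv["time"], kv["user"], kv["src"], kv["outcome"] == "success")
    raise ValueError(f"unknown source {source!r}")


def normalize_all(raw=RAW_LOGS):
    """Normalize every (source, line) pair into the common event list."""
    return [normalize(src, line) for src, line in raw]


def find_failures_then_success(events, min_failures=3, window_ms=10 * 60 * 1000):
    """Cross-source correlation: min_failures or more failed logons for a user from
    one source IP, followed within window_ms by a successful logon for that user
    from the same IP on ANY product. Returns the matching (user, ip) pairs."""
    auth = sorted((e for e in events if e["class_uid"] == OCSF_AUTHENTICATION),
                  key=lambda e: e["time"])
    failures = defaultdict(list)   # (user, ip) -> failure timestamps seen so far
    hits = []
    for e in auth:
        key = (e["actor"]["user"]["name"], e["src_endpoint"]["ip"])
        if e["status_id"] == STATUS_FAILURE:
            failures[key].append(e["time"])
            continue
        recent = [t for t in failures[key] if e["time"] - t <= window_ms]
        if len(recent) >= min_failures and key not in hits:
            hits.append(key)
    return hits


if __name__ == "__main__":
    evts = normalize_all()
    print(json.dumps(evts[0], indent=2))
    print("failures followed by success:", find_failures_then_success(evts))
```

The rule only works because both sources land in the same shape: the failures come from the VPN log and the success from the SSO log, and neither source alone would show the pattern. Once events carry the same class and status ids, the same correlation code runs unchanged whether the data came from an AWS service, a SaaS provider or an on-premises appliance.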
Integrations and enhancements
Since going to general availability last May, AWS has updated Security Lake several times. For example, it’s now integrated with Amazon Detective, which enables security teams to investigate and determine the root cause of security findings and suspicious activity.
Detective now queries and retrieves logs from Security Lake to support investigations. More than 100 data sources, from AWS and third-party sources, are available in Security Lake, with more than 70 direct partner integrations.
Security Lake secures data for better AI
AWS says that applying generative AI to data in Security Lake enhances threat-hunting and incident-response practices. This approach enables the analysis of behaviors of systems and users across customer environments. As a result, security teams can speed up security investigations and responses, which improves the overall security posture.
I asked Terenzoni how security partners were leveraging the product. “We have many SIEM and XDR partners that have built integrations on top of Security Lake where they are querying data at rest,” he explained. “Without it, they would have to bring massive amounts of data into their platforms, much of which does not need to be accessed regularly. Now they can open their aperture and have more data visibility.”
Recent updates bring more data sources
The company announced new data sources, some of which were generated in AWS. Amazon EKS audit logs, used for Kubernetes workload visibility, have now been brought into Amazon Security Lake. Also, AWS has added support for version 1.1 of OCSF, which brings an updated schema. The data is also stored in Apache Iceberg tables, which helps customers retrieve data more efficiently.
Final thoughts
Security Lake shows the benefits AWS is bringing to its customers through tighter product integration within its suite and with partners. Terenzoni called out several ways customers can get a 1+1 = 3 value proposition with other Amazon services.
He mentioned Amazon Athena, Amazon OpenSearch Service, Amazon SageMaker and Amazon Bedrock, to name a few, as well as the wide range of security services. He provided the example of Amazon GuardDuty producing data that is then sent to AWS Security Hub for findings. That data is sent to Security Lake for other tools to use.
Companies of all shapes and sizes have turned to AWS to handle data of all types. So the company is in a great position to help secure the data and then work with a wide variety of leading partners, including SaaS offerings such as Salesforce, Slack and Smartsheet via AWS AppFabric; cybersecurity firms such as CrowdStrike Holdings Inc., Palo Alto Networks Inc. and Splunk Inc.; and service companies such as Accenture, Deloitte, PricewaterhouseCoopers and Wipro Ltd.