Cloud giant Amazon Web Services (AWS) is adding artificial intelligence and automation capabilities to its security services so that customers can detect threats against cloud workloads and data faster, and triage and respond to attacks more efficiently when they occur.
For both services demonstrated at AWS re:Invent this week, speed is the critical factor, according to AWS, at a time when cyberattacks are becoming more frequent and more sophisticated.
This echoes the sentiment of managed security service providers (MSSPs), which are adopting AI for a range of reasons, including the security services they deliver to clients. According to a September survey by D3 Security, 80% of the MSSPs surveyed are using AI in some capacity, including 13% for analysis and threat detection and 13% for automation and orchestration.
“Security teams often face an overwhelming number of daily alerts, leading to the potential for misplaced resource priorities and decreased effectiveness,” Betty Cheng, senior developer advocate at AWS, wrote in introducing the cloud provider's new AWS Security Incident Response service. “Manually investigating results strains resources and may cause customers to miss important security alerts. Additionally, coordinating responses across multiple stakeholders, managing permissions in different environments, and documenting procedures adds to the complexity of the process.”
Tools like AWS Security Incident Response, together with the new AI and machine-learning-based threat detection in Amazon GuardDuty, can reduce the number of manual steps needed to address a fast-moving or ongoing security incident, Cheng wrote.
Detect and respond to attacks
AWS Security Incident Response automates triage and investigation of security findings from the Amazon GuardDuty threat detection service and from third-party threat detection tools integrated with AWS Security Hub. MSSPs can also use these tools in Security Hub to protect customer environments in AWS, or help customers operate them.
Sorting through findings from GuardDuty and the third-party tools in Security Hub, the new service automatically identifies high-priority incidents that need attention and filters out findings that match expected behavior. It also applies preconfigured notification rules and permission settings for internal and external stakeholders, including external service providers, and automatically tracks and reports case history.
The service also includes self-service tools and support from AWS, and its dashboard carries metrics that businesses can use to measure response performance and reduce mean time to resolution. It is now available in 12 regions across the US, Canada, Europe and Asia Pacific.
New capabilities in GuardDuty Extended Threat Detection use artificial intelligence and machine learning to identify known and previously unknown attack sequences, which, Esra Kayabali, AWS senior solutions architect, wrote, delivers “a more comprehensive, proactive approach to cloud security. This enhancement addresses the increasing complexity of modern cloud environments and the threat landscape.” The feature draws on advanced threat intelligence to simplify threat detection and response.
Enhanced GuardDuty
GuardDuty's expanded features correlate security signals, enabling customers to identify attack sequences within their AWS environments, Kayabali wrote. These sequences involve multiple steps in an attack, from privilege discovery to API manipulation to data exfiltration. Detections appear as “attack sequence findings,” a new finding type in GuardDuty that carries a Critical severity.
“GuardDuty has never used Critical Severity, and has reserved this level for outcomes with the utmost confidence and urgency,” she wrote. “These new scores provide a critical severity score and include a natural language summary of the nature and significance of the threat, observable activities mapped to tactics and techniques from the MITRE ATT&CK framework, and guided remediation recommendations based on AWS best practices.”
Amazon GuardDuty Extended Threat Detection is automatically enabled at no additional cost to organizations using GuardDuty in any AWS Region that supports it.
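To make the correlation idea above concrete, here is an added example (not GuardDuty's code or algorithm, and not from the AWS blog) that groups individual findings by actor, links those that fall inside a sliding time window, and promotes a chain covering two or more MITRE ATT&CK tactics into a single Critical-severity "attack sequence" with a natural-language summary and per-tactic remediation steps. The finding type names, the tactic mapping, the remediation text, the 9.0 Critical score and the sample findings are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Sample single-finding types and the ATT&CK tactic each one evidences. The
# names are modelled on GuardDuty's finding-type naming but are sample values
# chosen for this example, not an authoritative mapping.
TACTIC_OF = {
    "Discovery:IAMUser/AnomalousBehavior": "TA0007 Discovery",
    "PrivilegeEscalation:IAMUser/AnomalousBehavior": "TA0004 Privilege Escalation",
    "Exfiltration:S3/AnomalousBehavior": "TA0010 Exfiltration",
}

# Assumed guidance per tactic, in the spirit of "guided remediation".
REMEDIATION = {
    "TA0007 Discovery": "Review CloudTrail for the actor's enumeration calls and confirm they are expected.",
    "TA0004 Privilege Escalation": "Revoke the actor's sessions, rotate its credentials and audit recently attached policies.",
    "TA0010 Exfiltration": "Apply a deny policy to the affected buckets and inventory which objects were read.",
}

CRITICAL_SCORE = 9.0  # assumed: a correlated sequence is promoted to Critical


def parse_ts(s):
    """Parse an ISO-8601 timestamp with a trailing Z as UTC."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def correlate(findings, window_hours=24, min_stages=2):
    """Return one Critical attack-sequence record per actor whose findings cover
    at least `min_stages` distinct tactics inside a `window_hours` sliding window.
    Isolated findings, and stages too far apart in time, are left alone."""
    window = timedelta(hours=window_hours)
    by_actor = defaultdict(list)
    for f in findings:
        if f["type"] in TACTIC_OF:          # ignore types we cannot map to a tactic
            by_actor[f["actor"]].append(f)

    sequences = []
    for actor, fs in by_actor.items():
        fs.sort(key=lambda f: parse_ts(f["time"]))
        for i, anchor in enumerate(fs):
            t0 = parse_ts(anchor["time"])
            linked = [f for f in fs[i:] if parse_ts(f["time"]) - t0 <= window]
            tactics = []
            for f in linked:               # first-seen order is the observed kill chain
                tactic = TACTIC_OF[f["type"]]
                if tactic not in tactics:
                    tactics.append(tactic)
            if len(tactics) >= min_stages:
                span = parse_ts(linked[-1]["time"]) - t0
                sequences.append({
                    "actor": actor,
                    "severity": CRITICAL_SCORE,
                    "label": "Critical",
                    "tactics": tactics,
                    "finding_ids": [f["id"] for f in linked],
                    "summary": f"{actor} progressed through {len(tactics)} stages "
                               f"({' -> '.join(tactics)}) within {span}.",
                    "remediation": [REMEDIATION[t] for t in tactics],
                })
                break                      # one sequence per actor is enough here
    return sequences


# Constructed sample findings for the example (not real GuardDuty output).
SAMPLE_FINDINGS = [
    {"id": "f1", "actor": "iam-user:alice", "time": "2025-01-10T08:00:00Z",
     "type": "Discovery:IAMUser/AnomalousBehavior"},
    {"id": "f2", "actor": "iam-user:alice", "time": "2025-01-10T08:40:00Z",
     "type": "PrivilegeEscalation:IAMUser/AnomalousBehavior"},
    {"id": "f3", "actor": "iam-user:alice", "time": "2025-01-10T09:30:00Z",
     "type": "Exfiltration:S3/AnomalousBehavior"},
    # bob: a single discovery finding, so no sequence
    {"id": "f4", "actor": "iam-user:bob", "time": "2025-01-10T10:00:00Z",
     "type": "Discovery:IAMUser/AnomalousBehavior"},
    # carol: two stages, but four days apart, outside the 24h window
    {"id": "f5", "actor": "iam-user:carol", "time": "2025-01-01T00:00:00Z",
     "type": "Discovery:IAMUser/AnomalousBehavior"},
    {"id": "f6", "actor": "iam-user:carol", "time": "2025-01-05T00:00:00Z",
     "type": "Exfiltration:S3/AnomalousBehavior"},
]

if __name__ == "__main__":
    for seq in correlate(SAMPLE_FINDINGS):
        print(seq["label"], seq["summary"])
        for step in seq["remediation"]:
            print("  -", step)
```

Run as-is, only alice's three findings collapse into one Critical sequence; bob's lone finding and carol's two widely separated findings keep their individual severities. The window and stage threshold are the knobs that trade false positives for coverage, which is the same tuning problem any correlation engine faces.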
MSSPs are no stranger to artificial intelligence
About two-thirds of MSSPs are now using automation capabilities, and service providers' adoption of AI is expected to follow a similar trend, Walker Barnerd, director of content marketing at D3 Security, wrote in a blog post.
Klik Solutions, a managed IT services provider in Baltimore, Maryland, wrote in a blog post in September that digital transformation has created a rapidly evolving cybersecurity landscape that is leading to a sharp increase in cyber threats that include sophisticated phishing attacks and ransomware.
“Amid this chaotic environment, AI in endpoint security has emerged as a critical tool for defending companies against malicious activity,” the company wrote, adding that as cybercrime tactics become more sophisticated, the need for modern endpoint security becomes even more critical.
As organizations realize the importance of AI in endpoint security, the role of managed security service providers (MSSPs) has become increasingly vital. “These experts have the experience and resources to effectively implement and manage AI-based security solutions.”