Cloud giant Amazon Web Services (AWS) is adding AI and automation capabilities to its cybersecurity services to enhance both the ability to more quickly detect threats against cloud workloads and data and to more efficiently triage and respond to cyberattacks when they happen.
In the case of both offerings introduced at this week’s AWS re:Invent show, speed is a crucial factor at a time when cyberattacks are getting more frequent and more sophisticated, according to AWS.
The sentiment echoes that of MSSPs that are embracing AI for a broad array of reasons, including for security services for their clients. According to a survey by vendor D3 Security in September, 80% of MSSPs surveyed use the emerging technology in some form, including 13% for analysis and threat detection and 13% for automation and orchestration.
“Security teams often face an overwhelming number of daily alerts, leading to potential misplaced priorities of resources and reduced effectiveness,” Betty Zheng, senior developer advocate at AWS, wrote in introducing the cloud provider’s new Security Incident Response service. “Manual investigation of findings strains resources and may cause customers to overlook critical security alerts. Additionally, coordinating responses across multiple stakeholders, managing permissions in various environments, and documenting actions complicate the process.”
Tools like Security Incident Response and new AI- and machine-learning-based threat detection capabilities in AWS’ GuardDuty service can reduce the number of manual steps needed when addressing a fast-moving potential or ongoing security incident, Zheng wrote.
Detecting and Responding to Attacks
Security Incident Response automates the tasks of triaging and investigating security findings from Amazon’s GuardDuty threat detection service and from third-party threat detection tools integrated with AWS Security Hub. MSSPs also use the tools in Security Hub to protect client environments in AWS, or can help clients operationalize such tools.
The new service, through triaging findings from GuardDuty and third-party tools in Security Hub, will automatically identify high-priority incidents that need attention, filtering security findings based on expected behavior. It also extends preconfigured notification rules and permissions settings internally and externally, including to third-party service providers. There also is automated case history tracking and reporting.
The service also comes with self-service investigatory tools and support from AWS, and a service dashboard includes metrics that companies can use to measure the performance of their response and improve the mean time to resolution. The service is available now in 12 regions in the United States, Asia Pacific, Canada, and Europe.
The new capabilities in GuardDuty Extended Threat Detection use AI and machine learning to identify known and previously unknown attack sequences, which, as Esra Kayabali, senior solutions architect at AWS, wrote, offers “a more comprehensive and proactive approach to cloud security. This enhancement addresses the growing complexity of modern cloud environments and the evolving landscape of security threats, simplifying threat detection and response.”
An Enhanced GuardDuty
The expanded features in GuardDuty correlate security signals, enabling customers to identify attack sequences within their AWS environments, Kayabali wrote. Such sequences involve multiple steps in an attack, from privilege discovery to API manipulation to data exfiltration. The detections are shown as “attack sequence findings,” a finding type that is new to GuardDuty and carries critical severity.
“GuardDuty had never used critical severity, reserving this level for findings with the utmost confidence and urgency,” she wrote. “These new findings introduce critical severity and include a natural language summary of the threat’s nature and significance, observed activities mapped to tactics and techniques from the MITRE ATT&CK framework, and prescriptive remediation recommendations based on AWS best practices.”
Amazon GuardDuty Extended Threat Detection is automatically enabled at no additional cost for organizations using GuardDuty in any AWS region that supports it.
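As an added example (not AWS’s code or the article’s), the following Python illustrates the two behaviors described above: Security Incident Response dropping single findings that match expected behavior, and GuardDuty surfacing a critical attack-sequence finding with the ATT&CK tactics it chains. The ASFF field names Id, Types, Severity.Label and Resources are real Security Hub fields; the Sequence key, finding type strings, ARNs and allowlist are constructed for illustration and nothing here calls AWS.

```python
# Toy triage over Security Hub-style (ASFF) findings. Constructed example;
# only Id, Types, Severity.Label and Resources[].Id are real ASFF fields.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}

# Expected behavior: (finding type prefix, resource ARN prefix) pairs an
# operator has reviewed and accepted as benign. Constructed.
EXPECTED = [
    ("TTPs/Discovery/", "arn:aws:iam::111122223333:role/nightly-inventory"),
]

SAMPLE_FINDINGS = [  # constructed, simplified ASFF records
    {"Id": "f-1", "Types": ["TTPs/Discovery/IAM-EnumeratePermissions"],
     "Severity": {"Label": "LOW"},
     "Resources": [{"Id": "arn:aws:iam::111122223333:role/nightly-inventory"}]},
    {"Id": "f-2", "Types": ["TTPs/Credential Access/IAM-AnomalousKeyUse"],
     "Severity": {"Label": "HIGH"},
     "Resources": [{"Id": "arn:aws:iam::111122223333:user/dev-alice"}]},
    {"Id": "f-3", "Types": ["TTPs/AttackSequence/IAM-CompromisedCredentials"],
     "Severity": {"Label": "CRITICAL"},
     "Resources": [{"Id": "arn:aws:iam::111122223333:role/nightly-inventory"}],
     # Constructed: the correlated steps, each tagged with an ATT&CK tactic.
     "Sequence": [{"Tactic": "Discovery", "FindingId": "f-1"},
                  {"Tactic": "Privilege Escalation", "FindingId": "f-4"},
                  {"Tactic": "Exfiltration", "FindingId": "f-5"}]},
]


def is_expected(finding, expected=EXPECTED):
    """True if this single finding matches an accepted-behavior rule."""
    types = finding["Types"]
    arns = [r["Id"] for r in finding["Resources"]]
    return any(any(t.startswith(tp) for t in types) and any(a.startswith(rp) for a in arns)
               for tp, rp in expected)


def triage(findings, expected=EXPECTED):
    """Return finding IDs that need attention, most urgent first.

    Single findings matching an expected-behavior rule are dropped, but a
    correlated attack-sequence finding is never suppressed: one of its
    steps looking benign on its own is exactly what the correlation is for.
    """
    keep = [f for f in findings if "Sequence" in f or not is_expected(f, expected)]
    keep.sort(key=lambda f: (SEVERITY_RANK.get(f["Severity"]["Label"], 0),
                             len({s["Tactic"] for s in f.get("Sequence", [])})),
              reverse=True)
    return [f["Id"] for f in keep]


def tactics(finding):
    """Distinct ATT&CK tactics observed in an attack-sequence finding, in order."""
    return list(dict.fromkeys(s["Tactic"] for s in finding.get("Sequence", [])))
```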
MSSPs Are No Strangers to AI
Walker Barnerd, D3 Security’s director of content marketing, wrote in a blog post that about two-thirds of MSSPs use automation capabilities now, and it’s expected that the service providers’ adoption of AI will follow a similar trend.
Klik Solutions, a managed IT services provider in Baltimore, Maryland, wrote in a blog post in September that digital transformation has created a rapidly evolving cybersecurity landscape that is driving a sharp increase in cyberthreats that include sophisticated phishing attacks and ransomware.
“Amid this chaotic environment, AI in endpoint security has emerged as a crucial tool for defending businesses against malicious activities,” the company wrote, adding that at a time when cybercrime tactics are getting more complex, the need for modern endpoint security becomes more critical.
“As organizations recognize the importance of AI in endpoint security, the role of Managed Security Service Providers (MSSPs) becomes increasingly vital,” Klik wrote. “These experts possess the expertise and resources necessary to implement and manage AI-driven security solutions effectively.”