How to use generative AI & Amazon Security Lake for threat analysis | AWS OnAir-S05
Summary
TLDR: The video script introduces Security Lake and its value proposition. Mark Teran and Ross Warren explain how they help customers identify and resolve security issues on AWS proactively. Rather than having security analysts spend their time aggregating data, they centralize the data in an S3 bucket in an automated way and make it available for analysis through partner tools. They also use the Open Cybersecurity Schema Framework (OCSF) to unify the data, so customers can understand their security status faster and more cost-effectively.
Takeaways
- 😀 Security Lake aims to democratize security data; it is a tool for giving customers visibility into what they cannot otherwise protect.
- 🔍 Security Lake was built so that customers do not have to spend their security analysts' time organizing data. Customers are good at analyzing information but find it hard to centralize it, and Security Lake automates that.
- 📦 Security Lake centralizes data in an S3 bucket, so customers keep control of their data and can provide it to the partners and tools they need.
- 🔗 There is a concept of sources and subscribers. Sources are generated automatically on AWS; subscribers are the analytic workloads, including multiple third-party tools and services.
- 🛠️ Security Lake uses the Open Cybersecurity Schema Framework (OCSF) to convert data from a variety of sources into a unified format.
- 📈 Customers understand SQL queries, and Security Lake uses them to query the data and return results.
- 👨🏫 To build foundational security knowledge, taking AWS's various training courses and certifications is recommended.
- 🚀 Over the past year Security Lake has added many sources, partners and integrations in response to customer needs.
- 📊 Tools such as QuickSight and Athena can be used to visualize Security Lake data and build dashboards.
- 🤖 AI can be used to query security data in natural language and quickly generate visualized reports and analyses.
- 🔑 Security Lake simplifies organizing and analyzing security data, making it accessible not only to security specialists but also to general developers and executives.
Q & A
What kind of service is Security Lake?
-Security Lake is a service that aims to democratize security data, helping customers organize, analyze and surface large volumes of log data.
Who are Mark Teran and Ross Warren?
-Mark Teran is the GM of Security Lake and, with a focus on Amazon Detective, helps customers resolve security issues proactively. Ross Warren is a product manager on the Security Lake team and has worked with Mark for 10 to 11 years.
What is Security Lake's value proposition?
-Security Lake's value proposition is that customers manage their data centrally in an S3 bucket and provide it to partners and tools, which helps security analysts who would otherwise spend their time aggregating and analyzing data.
What do sources and subscribers mean in Security Lake?
-Sources are generated automatically on AWS and include workloads. Subscribers are mainly analytic workloads, including tools such as OpenSearch, Athena and SageMaker.
What is the Open Cybersecurity Schema Framework (OCSF) that Security Lake provides?
-OCSF is a data schema created with help from the industry; it standardizes the format of incoming data so customers can query it more efficiently.
How can a beginner who is not a security specialist get started with Security Lake?
-Beginners can start by learning AWS fundamentals and basic security concepts, and by using the Security Lake hands-on workshops and the AWS Skill Builder learning paths.
Explain why security logs matter for security posture.
-Security logs record system activity, API calls and interactions between resources, and are an indispensable source of information for customers to identify security risks and vulnerabilities.
What does the data normalization Security Lake provides mean?
-Data normalization is the process of converting log data from different sources into a single standard format so that customers can analyze and query the data easily.
What is the QuickSight used in the Security Lake demonstration?
-QuickSight is a dashboard tool for visualizing Security Lake data, designed so customers can easily analyze data and create reports.
What is the AI tool "Claude" used with Security Lake?
-Claude is an AI tool that lets you ask questions of Security Lake data in natural language and create visualizations and reports, so data can be analyzed quickly without specialist knowledge.
How can the reports generated in the Security Lake demonstration be improved?
-Reports are improved by giving the AI tool more specific questions and instructions, which yields more detailed data analysis and visualizations.
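The normalization and OCSF questions above describe converting different log sources into one schema and then querying them uniformly. As an added illustration (my own example, not Security Lake's code), the block below maps a constructed CloudTrail record and a constructed VPC flow log line onto OCSF-shaped Python dicts, using the API Activity (class_uid 6003) and Network Activity (class_uid 4001) classes, and then runs one source-agnostic pivot across both. The field mapping and enum values are my reading of the OCSF schema and are assumptions, not Security Lake's actual transform.

```python
import json
from datetime import datetime, timezone

# Constructed sample inputs (not real data): one CloudTrail record and one VPC flow
# log line (default format); the same external IP appears in both.
CLOUDTRAIL_RECORD = json.dumps({
    "eventTime": "2024-05-17T14:02:11Z", "eventSource": "s3.amazonaws.com",
    "eventName": "GetObject", "awsRegion": "us-east-1", "readOnly": True,
    "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE", "userName": "alice"},
})
# fields: version account interface srcaddr dstaddr srcport dstport proto packets bytes start end action status
VPC_FLOW_LINE = "2 123456789012 eni-0abc 10.0.1.5 203.0.113.10 49152 443 6 10 8400 1715954531 1715954591 ACCEPT OK"

# OCSF class_uid values (assumed from the OCSF schema): API Activity, Network Activity.
API_ACTIVITY, NETWORK_ACTIVITY = 6003, 4001

def _iso_to_ms(ts):
    """CloudTrail eventTime (UTC ISO-8601) -> OCSF 'time' in epoch milliseconds."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)

def normalize_cloudtrail(raw):
    """Map one raw CloudTrail record onto an OCSF-shaped API Activity event."""
    ev = json.loads(raw)
    op = ev["eventName"]
    # activity_id 1 Create, 2 Read, 4 Delete, 99 Other (assumed OCSF enum values)
    if ev.get("readOnly") or op.startswith(("Get", "List", "Describe")):
        activity = (2, "Read")
    elif op.startswith(("Create", "Put", "Run")):
        activity = (1, "Create")
    elif op.startswith(("Delete", "Terminate")):
        activity = (4, "Delete")
    else:
        activity = (99, "Other")
    ident = ev.get("userIdentity", {})
    return {
        "class_uid": API_ACTIVITY, "category_uid": 6,
        "activity_id": activity[0], "activity_name": activity[1],
        "time": _iso_to_ms(ev["eventTime"]),
        "cloud": {"provider": "AWS", "region": ev["awsRegion"]},
        "actor": {"user": {"uid": ident.get("principalId"), "name": ident.get("userName")}},
        "api": {"operation": op, "service": {"name": ev["eventSource"]}},
        "src_endpoint": {"ip": ev["sourceIPAddress"]},
        "metadata": {"product": {"name": "CloudTrail", "vendor_name": "AWS"}},
    }

def normalize_vpc_flow(line):
    """Map one default-format VPC flow log line onto an OCSF-shaped Network Activity event."""
    f = line.split()
    return {
        "class_uid": NETWORK_ACTIVITY, "category_uid": 4,
        "activity_id": 6, "activity_name": "Traffic",  # assumed OCSF enum value
        "time": int(f[10]) * 1000,                      # flow start: seconds -> ms
        "cloud": {"provider": "AWS"},
        "src_endpoint": {"ip": f[3], "port": int(f[5])},
        "dst_endpoint": {"ip": f[4], "port": int(f[6])},
        "connection_info": {"protocol_num": int(f[7])},
        "traffic": {"packets": int(f[8]), "bytes": int(f[9])},
        "action": f[12],
        "metadata": {"product": {"name": "VPC Flow Logs", "vendor_name": "AWS"}},
    }

def events_touching_ip(events, ip):
    """Source-agnostic pivot: class_uid of every event whose src or dst endpoint is ip.
    It spans both sources only because both now carry the same OCSF endpoint fields."""
    return [e["class_uid"] for e in events
            if any(e.get(k, {}).get("ip") == ip for k in ("src_endpoint", "dst_endpoint"))]

def count_read_api_calls(events):
    """The demo's 'how many read activities' question, answered over normalized data."""
    return sum(1 for e in events if e["class_uid"] == API_ACTIVITY and e["activity_id"] == 2)
```

Normalize both inputs into one list and call `events_touching_ip(events, "203.0.113.10")`: the pivot returns both the API Activity and the Network Activity event, which is exactly the cross-source question that raw CloudTrail and flow log formats would each need their own query for.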
Outlines
😀 Introduction to Security Lake and its value proposition
In the first part of the video script, Mark Teran Zony and Ross Warren introduce Security Lake. Mark, as GM of Security Lake, says his aim is to resolve customers' security issues proactively. Ross, as product manager, has worked with Mark for over 10 years and brings security expertise. Their goal is to democratize security data and address the problem that customers cannot protect what they cannot see. To stop security analysts from spending their time organizing data, the data is centralized in an S3 bucket so that customers retain control over it. The concepts of sources and subscribers are also introduced.
📚 Security fundamentals and how to use Security Lake
The second part covers basic security knowledge and how to use Security Lake. It touches on why logs play such an important role in security posture and how to learn AWS security fundamentals. Kyle emphasizes how easy Security Lake is to use: simply by starting to enable logs, data normalization becomes straightforward. It also covers how people with security expertise use Security Lake to analyze and visualize data.
🖥️ Analyzing and visualizing security data
The third part explains the analysis and visualization of security data in detail. Ross demonstrates how to analyze and visualize a dataset using QuickSight. Using the Security Lake dataset, he accesses the data by asking questions and visualizes the results. It also covers building a QuickSight dashboard and understanding the security situation through data analysis.
📈 Streamlining report creation with AI
The fourth part uses the scenario of having to deliver the security status as a weekly report to show how AI can streamline report creation. Ross explains how to analyze the security situation and build a report using the AI tool "Claude". The process is emphasized as a major time saver for security analysts, letting them grasp the security situation quickly and effectively.
🙌 Security Lake's success and outlook
In the final part, Mark and Ross talk about Security Lake's success and its future outlook. It is emphasized that Security Lake has existed for over a year and continues to grow with the goal of democratizing customers' security data and making analysis easier. They express their intention to keep solving customers' security problems through Security Lake and to further strengthen security analysis.
Keywords
💡Security Lake
💡Security Analyst
💡Data Wrangling
💡S3 Bucket
💡Source
💡Subscriber
💡Open Cybersecurity Schema Framework (OCSF)
💡SQL Query
💡Risk Behavior
💡Data Normalization
Highlights
Nick's Launchpad is working and the team is discussing how to spend a productive Friday.
Mark Teran, GM of Security Lake, introduces himself and his focus on helping customers address security issues proactively.
Ross Warren, Product Manager at Security Lake, shares his background and a coincidental encounter with Kyle.
The concept of Security Lake is introduced as a means to democratize security data, making it more accessible.
Security analysts spend a lot of time on data wrangling, and Security Lake aims to automate this process.
Security Lake helps centralize and organize data in an S3 bucket, giving customers control over their data.
Sources and subscribers are explained as components of Security Lake, providing a unified view of data from various sources.
Integrations with analytic workloads like OpenSearch, Athena, and third-party tools are discussed as part of Security Lake's offerings.
The Open Cyber Security Schema Framework (OCSF) is highlighted as a way to unify data into a standardized format.
Security Lake's ease of enabling logs and bringing them into a normalized format is emphasized.
The importance of logs in security and their role as the lifeblood of security operations is discussed.
Kyle suggests resources for learning more about AWS security, including live streams, workshops, and AWS Skill Builder.
Ross demonstrates how to build visualizations in QuickSight using Security Lake data without writing SQL queries.
The ability to quickly generate reports and visualizations for security status updates is showcased.
Claude, a foundational model, is used to generate a quick story for creating a security status report.
The discussion concludes with the potential for a deeper dive into creating visualizations using Q and QuickSight on a future live stream.
Transcripts
It looks like Nick's Launchpad is working today, for once. Hey Ross, Mark, how's it going, guys? Hey guys. I have zero complaints. I cannot think of a more awesome way to spend a Friday while working. So I'm looking outside and it looks nice and warm. My wife, do... you're stuck inside? Nope, someone's pulling around in my garage, I should tax them on that. So anyway, Mark, Ross, first can you explain what Security Lake is? But before that, can you explain who you are, what you do, and why did you want to spend your Friday with us today?

Sure, I'll go first. Hi folks, Mark Teran Zony. I'm the GM of Security Lake as well as Amazon Detective, really focusing on helping customers address their security issues before they become bigger problems.

And I'm Ross Warren. I'm the product SA on the Security Lake team. I've been working for Mark for the past 10, 11 years in different, sorry, avenues. And actually when I first met Kyle he said, "I know who you are, you downloaded one of my white papers years ago," so it was a little bit of a weird coincidence when I first met him at a bar after he joined AWS. I don't go to bars.

No, he never... No, that's why this beard is so full, it's full of secrets. I don't know, I'm just riffing with it, I'm seeing what sticks. All right, cut me some slack, it's a numbers game, isn't it Kyle? It really is, yeah.

Well, Ross and Mark, thank you for joining us. We're here to talk about Security Lake, and it's been a year, so take us back in time a little bit. What was it like launching a year ago?
Stressful, but exciting, as it always is. But let me talk a little bit about what Security Lake is, what the value prop is, and what's happened over the course of the year. So ultimately, at the highest level, we want to democratize security data. Customers can't protect what they can't see, and many of the things they want to see are hiding in lots of logs in large volumes, and it's really hard for them to parse that information and bring it to the surface. So we help them do that. And the journey started really by talking to customers that were spending a lot of their security analysts' time basically data wrangling, and what they found out is the security analysts are really good at analyzing the information but not really good at pulling it all together, and it was a large set of undifferentiated heavy lifting. So we wanted to really take that off the table and automatically centralize and organize all the data that they need in one place, and that place is in their S3 bucket, so they have control over that data and they can vend it out to whatever partners, including some of our cool tools, to make use of that data and helpfully try to figure out what's happening in the environment that may involve some risky behavior. That's it at the high level.

When I get a little deeper into that, we have this notion of sources and subscribers. So sources are things that we generate in AWS on workloads that we bring in automatically. Those sources include multiple third parties, SaaS application logs, on-prem logs, logs from other places that customers run workloads, so they have a unified, centralized view. And then the subscribers are largely analytic workloads, including things that we have such as OpenSearch and Athena and SageMaker, and third-party tools like Splunk and Datadog and, I mean, IBM QRadar and CrowdStrike and Palo Alto Networks, that the customers already use today but want to have a bigger aperture onto the information that they can analyze over time. So that's kind of what it looks like, and over the course of the year we've added a lot more sources, we've added a lot more partners, and we've added a lot of interesting integrations.

And the reason this comes together pretty natively is, and we're going to talk a little bit about some of the, you know, you cannot talk security without some gen AI and some of the capabilities that brings to the table, and Ross is going to give us a nice demo on that a little bit later, hopefully. But why Security Lake makes that a lot easier for customers is twofold. One is the query stack is understood and unified, right? SQL queries: we have a language, we know how to write queries in that language. And then what we did, with the industry's help, is we created a schema on this data called Open Cybersecurity Schema Framework, or OCSF, that now takes the data that's coming in and unifies it into a format. So when you have a known set of data and you have a known set of capabilities that you want to query, things like gen AI can automate that process. So what we found in our journeys with customers is they are really smart from a security perspective and they know how to ask really good questions, like, tell me the top five vulnerabilities in my environment that are accessible to the internet.
Speaking of really good questions, Mark, let me interrupt you here for just a second. We had a really good question from chat. You know, I think before we dive fully into... look, I'm sitting with three security experts, I'm a little nervous actually, you all are gonna start... okay, two security experts, sorry, I miscounted. You know, some of the audience, maybe they don't have a security background. I'm a dev, right? So when I think logs, that's where I go to troubleshoot, right? But security folks, y'all live in the logs, I've learned. Logs are your lifeblood, right? Can you explain kind of the fundamentals? Right, the question from chat is, what do I have to have a basic knowledge of to get into security? But can you explain maybe why logs are so important to security posture? I'm just going to start calling myself a digital lumberjack because I deal with logs.
Yeah.

Go ahead, Kyle, you were gonna say something. Yeah, so there's awesome ways to learn more about Security Lake, but also just the basics of AWS security, and there's a handful of ways of doing this. One, you could join these live streams. There's also a live stream called Lockdown where we focus on security stuff; that's on Tuesdays at 11 am Pacific Time. Who does Lockdown, Kyle? Kyle is your host, Kyle, where we talk about various security topics. But also for immersive experiences there's workshops.aws, and I'll ask politely that Nick drop the link into the chat for you to reference, but those are some self-paced workshops. But then there's also AWS Skill Builder, a more formal training, where you could look at the learning paths of getting your AWS Solutions Architect Associate, your AWS Cloud Fundamentals or Foundations, it's one of the two, or the Security Specialty certification. So there's multiple ways to go about it depending on what your preferred modality of learning is. Now if you want to learn more about Security Lake, if you're at any of the conferences or if there's an AWS Summit, there's typically hands-on workshops that are happening around that as well. But yeah, there's tons of resources and we'll try to get those links into the chat, and maybe during our sponsor segment I'll pull up some links and drop them in the chat myself.

So Kyle's very verbose and he wants to make sure he's got everything out there, but to get into Security Lake, it is actually very, very easy for you to start enabling logs and bringing things in. That whole normalization that Mark talked about, if it's a native log, you don't have to think about it. You now have logs normalized across your whole organization, where before even I had to go Google how do I do cross-account buckets, what are my policies, what are my rules. I've got four or five buttons to start doing that in Security Lake, so it's very, very easy. It's now then what you do with the data is sort of now what those partners or those other kinds of solutions that Mark was talking about, and that's the open source standardized format that you were... yeah, the normalization.

I interrupted you so rudely, Mark. That's a component of it, but I think Ross hit the nail on the head: getting it all in one place, and customers get to decide if they want to bring it into one region or keep it in the region it's generated. But these logs can be large, right? They emulate all of the traffic patterns that the customers run while they're running their applications at AWS. They're capturing all of the API calls and the interactions within the resources at the infrastructure layer, so there's a lot of data that's in here. And what the beauty of that normalization and some of the capabilities that gen AI brings is we can start to bring that data back in a pinpointed way. So we're not bringing it all back, we're not spending a lot of money on processing it all. It's at rest, and when the customer asks a question through one of the partners or our tools, we're just precisely going to the information we need and giving the results back, and that saves a lot of time and a lot of money. Well, we're
running out of time. Ross, do you want to show us some of this? Ross said he had like pop-up pictures and like a took, right. I was like, that's a great question that someone just asked, because now let's go show how we can do all that, yes, and very, very easily. What we're looking at here is a pretty nice looking dashboard in QuickSight. One of my colleagues built it, and I've watched him write SQL queries; it's not fun to watch him write SQL queries inside of Q or inside of Athena. But he built all this very, very easily by asking questions of Q. So what we're kind of looking at here is QuickSight that's got some data sets that are in Security Lake, all that normalized format, everything that Mark was just talking about. So we've got a bunch of cool visualizations here, right? We've got a nice landslide coming off there in some of our data. But I've got other things here: we could look at CloudTrail, we could look at Security Hub, and we've got a lot of really nice detail. But let's figure out how did Matt actually build these things.

I can now start... I clicked on, hey, let's ask some questions of my CloudTrail data. Q is pretty cool because it actually will give me some questions that it already thought about, and we could pick. We're randomly gonna go, let's see if this one works, fingers crossed. All right, great, that was easy. Did I write a SQL query, Kyle? No. I know you love writing SQL queries. But now I know that I've got a lot of read activities, 1.3 million read activities. What's cool is I can share this visual and I can then start building other, you know, adding to that dashboard that I showed you a minute ago, that's kind of on the left-hand side of the screen there. I think someone said about, you know, let's put something else in there: what resources most high-level vulnerabilities? Now fingers crossed again, do I get some good data? What I'm doing now is really just, hey, I'm starting to investigate my data. Okay, we got a whole bunch of resources, and my visualization didn't necessarily give me what I wanted, but that's fine, we can now... It's because we didn't do a dance for the demo. Oh, we didn't do a dance, you're correct. No, but that's one way to start building up some of these visuals. But I want to kind of show you guys a little bit of the back end, just a little bit. Remember I said that Q could actually generate some questions. I've got a whole bunch of that I did not type in; looks like a whole bunch of people have been testing them and asking them, but you can click on them, and once again randomly chosen. You know, that's pretty good. I now have an account I can go, if I want to start doing a deeper investigation, I could actually just pivot and look more at this account if I wanted to, right here.

What I think is also important to highlight here, and because you mentioned logs, loggy log logs, right, this is almost eliminating the barrier of usage to getting, or being able to ask a question to your data and get a response, because normally an executive, an analyst, someone, they need to be familiar with the query language, whatever the flavor of whatever they're using for their data analytics or ingestion is, right? It could be proprietary, it could be ANSI SQL. Who can remember all of that stuff? Yeah, right, and so accelerating that ex... I didn't have to write SQL, I didn't have to think about it, I didn't have to, you know, even understand that it's a vendor versus an account versus an AWS, you know, user. Wow, yeah, little bit of a trip up there, it's Friday. What's even more cool... can anything be more cool than Kyle? No, very few things.
So that's just visualizations, that's really nice in QuickSight. But what if Mark came to me and said, Ross, I need a weekly report of what our security status looks like and I need it in 10 minutes? Hopefully you knew that you had to do that report. It's always like, hey, you busy? I need a report right now, right, immediately. He knows, I've asked that before. No, never, this isn't a real example, right, Ross made this up. And so just to tie it all together, I actually asked Claude to say, I need to create a dashboard, give me a story. Now real quick, Claude, Claude is a foundational model, that is gen AI stuff, it's not a person. Ross didn't track someone down and say hey Claude, can you make this. Claude is a foundational model. Yeah.

So I asked Claude to give me a, actually, a QuickSight story to be able to build something. And so I pasted in here, I'm not going to read it: as the SOC manager I need to provide a weekly report, and it kind of gave me, I need security incidents, threat intelligence, compliance status, right. I didn't edit this, I really just cut and paste this out of my friend Claude 3. And I can go now, remember I was building up those dashboards that I had before, or those visuals, I can now utilize some of these, and they may not be the proper ones, but we're going to throw a whole bunch of them in there and we'll take a look what's going on. This is completely random, and this one looks nice.

I found that when working with like chatbots or anything that's AI related, talk to it like a three-year-old. Like, you know, I found that I'm talking to chatbots and like gen AI in a very similar manner that I talk to my three-year-old. Very specific, more detailed instruction gets you the more detailed responses and narrows the scope of the data that can be returned, and plus the retrieval augmented generation. I mean, we could go on and on about gen AI workloads, but what you're essentially saying is, hey, the security manager that just walked by as I was about to head to lunch said I need a report with this information, this information, this information and that information, by the way I need it sparkly, charts and lines and stuff. And I only failed because I didn't start over, I didn't follow the exact instructions. So what this is now doing, I said I want these visuals and I have that story that I need to build, and we should very easily now have a PowerPoint presentation, and Kyle will say ooh and ah when we get there.
Story... we don't have the rights to that, Kyle, don't sing too much. It always comes up with funky names too, in some of the other tests I've been doing. But as it generates, maybe I picked way too many visuals. Yeah, well, while this is generating, you know, let's talk about where this all consolidates. You know, we started with Mark telling us about Security Lake, a way to consolidate all of these disparate logs coming from all these systems into one place, and that's how you even get to the point where you start building visualizations. So we kind of launched across Security Lake into the getting-value-from-Security-Lake portion, but we wouldn't even be able to be generating these visuals without Security Lake behind it, where you've stored all of your security logs from all the different tools you're using, and now Ross, you're generating these visuals that you're going to share with your executives to give them insight into what's been going on. Generating a summary for you too. I know, it even gives me a summary. It didn't populate some of them just because I was randomly picking, but I mean, for you to just... so nice, I can actually bring these in, select everything. And you're doing this in like the matter of 10 minutes, it's still really cool. You know, I would edit it some, I know what Mark wants usually, and so I would edit it a little bit, but I'm using... he didn't have to know queries, he just asked like normal questions and that data, you know, represented these reports. It's awesome. I know for a fact, with my familiarity of QuickSight and querying Security Lake, this would take me at least half hour to an hour at a minimum to even pick what theme I wanted to use for the conversation. And then, no, I know for a fact this would save so much time for, you know, those that need to generate reports for like security weekly reviews or, you know, this is really awesome, investigate or threat hunt or do any of these cool things that the security folks do on a daily basis.

Yeah, well, hey, you know what, unfortunately we're out of time. But chat, if you want me to try to convince Mark and Ross to maybe do a deeper dive that might be like 30 minutes to 45 minutes long, let me know, let me know in the chat. I'll see if I could drag them along on the Lockdown and we'll talk more about how we could create visualizations using Q and QuickSight. We do have one question: does it become better over time at generating reports? That I don't know, but we'll find an answer and probably talk about it on Lockdown. Yeah, so more coming, there's a lot more work about what I just did, there's a whole team building some more stuff. And so yeah, I think, yeah, where Ross is the face, there is a big team behind him creating a lot of cool stuff, which is really... But I have a big face already. So wait a minute, I didn't say creating a big... that's why it's a big team. Oh my gosh, someone get Mark and Ross out of here, I'm kidding. Mark, Ross, thank you so much for joining us. I'm really excited to hear more about Security Lake and the success it's had, and also it's been around for a little over a year now I've heard, which is cool. Thanks for having us, guys. Absolutely, take care, see you next time.