How to use generative AI & Amazon Security Lake for threat analysis | AWS OnAir-S05

00:13

it looks like Nick's Launchpad is

00:15

working today for once uh hey Ross Mark

00:20

guys how's it going guys hey guys I have

00:23

zero complaints I cannot think of a more

00:25

awesome way to spend a Friday uh while

00:28

working so um I'm looking outside and it

00:31

looks nice and warm my wife do you're

00:33

stuck inside nope someone's pulling

00:35

around in my garage I should tax them on

00:38

that so anyway Mark Ross uh first can

00:42

you explain what security lake is but

00:44

before that can you explain who you are

00:46

what you do and why did you want to

00:48

spend your Friday uh with us today sure

00:52

I'll go first hi folks Mark Teran Zony

00:54

I'm the GM of security Lake um as well

00:56

as Amazon detective really focusing on

00:58

helping customers um address their

01:01

security issues before they become

01:02

bigger

01:03

problems and uh I'm Ross Warren I'm the

01:06

product essay on the security Lake team

01:09

I've been working for Mark for the past

01:11

10 11 years in different uh sorry

01:14

Avenues and actually when I first met

01:16

Kyle he said I know who you are you

01:19

downloaded one of my white papers years

01:21

ago so it was a little bit of a weird

01:24

coincidence um when I first met him at a

01:26

bar after he joined ads I don't go to

01:28

bars

01:30

no he never

01:32

gra no that's why this beard is so full

01:35

it's full of

01:38

secrets I don't know I'm just I'm

01:40

riffing with it I'm seeing what sticks

01:42

all right cut me some slack R is a

01:44

numbers game isn't it Kyle it really is

01:47

yeah well Ross and mark thank you for

01:49

joining us uh we're here to talk about

01:51

security Lake and uh it's been a year so

01:55

take us back in time a little bit what

01:57

was it like launching a year ago

02:00

stressful but um but exciting as it

02:03

always is uh but let me let me talk a

02:06

little bit about what security lake is

02:07

and what the value prop and what's

02:10

happened over the course of the year so

02:12

um ultimately at the highest level we

02:13

want to democratize security data uh

02:16

customers can't protect what they don't

02:18

can't see and many of the things they

02:20

want to see are hitting in lots of logs

02:22

and large volumes and it's really hard

02:24

for them to parse that information and

02:27

bring it to the surface so we help them

02:28

do that and the journey started really

02:31

by talking to customers that were

02:33

spending a lot of their security analyst

02:36

times basically data wrangling and what

02:40

they found out is the security elenes

02:42

are really good at analyzing the

02:44

information but not really good at

02:46

pulling it all together and it was a

02:49

large set of undiff undifferentiated

02:51

heavy lifting so we wanted to really

02:53

take that off the table and

02:55

automatically centralize and organize

02:58

all the data that they need in one place

03:00

and that place is in their S3 bucket so

03:03

they have control over that data and

03:05

they can and they can vend it out to

03:07

whatever Partners including some of our

03:09

Cool Tools to make use of that data and

03:11

helpfully um try to figure out what's

03:13

happening in the environment uh that may

03:16

involve some risky Behavior that's it

03:18

that's it at the high level when I get a

03:20

little bit a little deeper into that um

03:23

we have this notion of sources and

03:24

subscribers so sources are things that

03:27

we generate in AWS on work loads that we

03:30

bring in automatically uh subscribers in

03:33

that those sources include multiple

03:36

third parties SAS application logs from

03:39

on Prem logs from other places that

03:41

customers run workloads so they have

03:43

unified centralized View and then the

03:46

sub subscribers are largely analytic

03:48

workloads including things that we have

03:50

such as open search and Athena and Sage

03:53

maker and uh thirdparty tools like

03:56

Splunk and data dog and um I M crowd

04:00

strike and I mean IBM Q radar and crowd

04:04

strike and palal networks that the

04:06

customers already use today but want to

04:09

have a bigger aperture onto the

04:11

information that they can analyze over

04:13

time so that's kind of what it looks

04:15

like and over the course of the year

04:16

we've added a lot more sources we've

04:18

added a lot more partners and uh We've

04:21

added a lot of uh interesting

04:22

Integrations and the reason this comes

04:24

together pretty natively uh is and we're

04:27

going to talk a little bit about some of

04:28

the you know cannot talk security

04:30

without some gen and some of the

04:32

capabilities that brings to the table

04:33

and Ross is going to give us a nice demo

04:35

on that a little bit later hopefully but

04:37

why this is a you know why security Lake

04:40

makes that a lot easier for customers is

04:42

twofold one is um the query uh stack is

04:47

understood and unified right SQL queries

04:50

we have a language uh we know how to how

04:52

to write queries in that language and

04:54

then what we did with with industry's

04:57

help is we created a schema on this data

05:00

called open cyber security schema

05:02

framework or ocsf that now takes the

05:05

data that's coming in and unifies it

05:07

into a format so when you have a known

05:09

set of data and you have a known set of

05:12

capabilities that you want to query it

05:14

things like gen can automate that

05:17

process so what we found in our Journeys

05:19

with customers is they are really smart

05:22

from a security perspective and they

05:24

know how to ask really good questions

05:25

like things like tell me the top five

05:30

vulnerabilities in my environment

05:32

they're accessible to the internet

05:34

speaking of really good questions Mar

05:35

let me interrupt you here for just a

05:37

second we had a really good question

05:38

from chat um you know I think before we

05:41

dive fully into I look I'm sitting with

05:44

three Security Experts I'm a little

05:47

nervous actually uh you all are gonna

05:49

start okay two Security Experts sorry I

05:52

miscounted um uh you know we some of the

05:56

some of the audience maybe they don't

05:58

have a security background I'm a Dev

06:01

right so when I think logs that's where

06:02

I go to troubleshoot right but security

06:06

folks y'all live in the logs I've

06:08

learned uh logs are your lifeblood right

06:12

can you explain kind of the fundamentals

06:14

right the question from chat is what do

06:15

I have to have a basic knowledge of to

06:17

get into security like but can you

06:19

explain maybe like why logs are so

06:21

important to uh security posture compan

06:24

I'm just going to start calling myself a

06:25

digital Lumberjack because I deal with

06:28

logs

06:30

yeah

06:32

um go go ahead Kyle you're gonna say

06:34

something yeah so um so there's awesome

06:38

ways to learn more about security Lake

06:40

um but also just the basics of AWS

06:42

security and there's a handful of ways

06:43

of doing this uh one you could join

06:46

these live streams there's also a live

06:47

stream called lockdown where we focus on

06:50

security stuff that's on Tuesdays at 11:

06:52

am Pacific Time who does Lockdown Kyle

06:54

as your host Kyle um where we talk about

06:56

various security topics but also for

07:00

um like immersive experiences there's

07:02

workshops. AWS and I'll have I'll ask

07:05

politely that Nick dro the link into the

07:08

chat for you to reference uh but those

07:10

are some like self-paced workshops but

07:12

then there's also AWS skill Builder a

07:14

more formal training where you could

07:16

look at the learning Paths of getting

07:19

your AWS solution architect associate

07:22

your AWS Cloud fundamentals or

07:25

foundations it's one of the two um or

07:27

the security specialty certification

07:30

so there's multiple ways to go about it

07:33

depending on what your preferred

07:34

modality of learning is now if you want

07:37

to learn more about security Lake if

07:39

you're at any of the conferences or if

07:40

there's a AWS Summit uh there's

07:42

typically Hands-On workshops that are

07:43

happening around that as well uh but

07:45

yeah there's tons of resources and we'll

07:47

try to get those links into the chat and

07:49

maybe during our sponsor segment I'll

07:52

pull up some links and drop them in the

07:53

chat myself so Kyle's very

07:57

verbose and he wants to make make sure

07:59

he's got everything out there but to get

08:02

into security

08:04

Lake it is actually very very easy for

08:07

you to start enabling logs and bringing

08:09

things in that whole normalization that

08:11

Mark talked about if it's a native log

08:14

you don't have to think about it you now

08:15

have logs normalized across your whole

08:18

organization um where before even I had

08:21

to go Google how do I do cross account

08:23

buckets what are my policies what are my

08:24

rules I've got four or five buttons for

08:27

to start doing that in security like so

08:29

it's very very easy um it's now then

08:32

what you do with the data is sort of now

08:35

what those Partners or there's those

08:38

other kinds of solutions that Mark was

08:39

talking about and that's the uh open

08:42

source standardized format that you were

08:45

you were yeah the

08:47

normalization interrupted you so rudely

08:49

Mark that that's a component of it um

08:52

but I think Ross hit the nail in the

08:54

head getting it all in one place where

08:55

and customers get to decide if they want

08:57

to bring it into one region or keep it

08:59

in the region it's generated but these

09:01

logs are can be large right they they

09:04

emulate all of the traffic patterns that

09:06

the customers run while they're running

09:08

their applications at awos they're

09:10

capturing all of the API calls and in

09:13

the interactions within the resources at

09:15

the infrastructure layer so there's a

09:16

lot of data that's in here um and what

09:19

the beauty of that normalization in some

09:22

of the capabilities that gen brings is

09:24

we can start to bring that data back in

09:27

a pinpointed way so we're not bringing

09:29

it all back we're not spending a lot of

09:30

money on processing it all it's at rest

09:33

and when the customer asks a question uh

09:36

through one of the partners or our tools

09:39

um we're just precisely going to the

09:41

information we need in giving the

09:42

results back and that saves a lot of

09:44

time and a lot of money well we're

09:46

running out of time Ross do you wanna do

09:48

you want to show us some of this Ross

09:50

said he had like popup pictures and like

09:52

a took right I was like that's a great

09:55

question that someone just asked because

09:56

now let's go show um how we can do all

10:00

that yes and very very easily um what

10:04

we're looking at here is a pretty nice

10:07

looking dashboard in quick site um and

10:12

one of my colleagues built it and I've

10:14

watched him write squel queries it's not

10:16

fun to watch him write squl queries

10:18

inside of Q or inside of Athena but he

10:23

built all this very very easy by asking

10:26

questions of Q so what we're kind of

10:28

looking at here is

10:30

quick site that's got some data sets

10:32

that are in security Lake all that

10:34

normalized format everything that Mark

10:36

was just talking about um so we've got a

10:39

bunch of cool visualizations here right

10:41

we've got a nice Landslide coming off

10:44

there um in some of our data but and

10:48

I've got other things here we could look

10:50

at cloud trail we could look at security

10:52

Hub and we've got a lot of really nice

10:55

detail but let's figure out how did Matt

10:57

actually build these things

11:00

um I can now start I clicked on hey

11:03

let's ask some questions of my cloud

11:06

trail

11:07

data Q is pretty cool because it

11:09

actually will give me some questions

11:13

that it already thought about and we

11:15

could pick uh we're randomly GNA go

11:18

let's see if this one works fingers

11:20

crossed all right great that was easy

11:23

did I write a SQL query Kyle no I know

11:27

you love writing SQL queries um

11:29

but now I know that I've got a lot of

11:31

read activities 1.3 million read

11:34

activities um what's cool is I can share

11:37

this Visual and I can then start

11:40

building other you know adding to that

11:42

dashboard that I showed you a minute ago

11:44

that's kind of on the lefthand sides of

11:46

the screen there um I think someone said

11:50

about you

11:51

know let's put something else in there

11:54

what resources most high level

11:55

vulnerabilities now fingers crossed

11:58

again do I get some good

12:01

data what I'm doing now is really just

12:04

hey I'm starting to investigate my data

12:07

um okay we got a whole bunch of

12:10

resources and my visualization didn't

12:12

necessarily give me what I wanted but

12:14

that's fine we can now it's because we

12:16

didn't do a dance for the demo oh we

12:19

didn't do a dance you're correct no um

12:22

but that's one way to start building up

12:24

some of these visuals but I want to kind

12:27

of show you guys um

12:29

a little bit of the back end just a

12:31

little bit remember I said that um Hugh

12:36

could actually

12:37

generate some some questions I've got a

12:40

whole bunch of that I did not type in

12:43

looks like a whole bunch of people have

12:44

been testing them and asking them but

12:47

you can click on them and um once again

12:50

randomly

12:51

chosen um you

12:56

know that pretty good I now have an

12:58

account can go if I want to start doing

13:00

a deeper investigation I could actually

13:02

just pivot and look more at this account

13:04

if I wanted to right here what I think

13:07

is also important to highlight here and

13:10

because you mentioned logs loggy log

13:12

logs right um this is almost eliminating

13:16

the barrier of usage to getting or being

13:21

able to ask a question to your data and

13:23

get a response because normally an

13:25

executive an analyst someone they need

13:27

to be familiar with the query language

13:29

whatever the flavor of whatever they're

13:31

using for their data analytics or

13:33

ingestion is right it could be

13:35

proprietary it could be ANC

13:38

SQL who can remember all of that stuff

13:41

yeah right and so accelerating that ex I

13:46

didn't have to write SQL I didn't have

13:47

to think about it I didn't have to you

13:49

know even understand that it's a vendor

13:51

versus an account versus an AWS

13:55

um you know user wow yeah little bit of

13:58

trip up there um it's Friday what's even

14:01

really more cool more cool that can

14:04

anything be more cool than Kyle no um

14:07

very few things

14:09

so that's just visualizations that's

14:12

really nice into Quick site but what if

14:15

Mark came to me and said Ross I need a

14:17

weekly report of what our security

14:19

status looks like and I need it in 10

14:22

minutes hopefully You' you knew that you

14:24

had to do that report it's always like

14:26

it's always like hey you busy I need a

14:28

report right now

14:29

right immediately he knows I've asked

14:31

that before no never this isn't a real

14:34

example right Ross made this up and so

14:38

just to tie it all together I actually

14:40

asked Claude to say I need to I need to

14:44

create a dashboard give me a story now

14:46

real quick Claude Claude is a

14:49

foundational model uh that is ji stuff

14:52

it's not a person Ross didn't track

14:54

someone down and say hey Claude can you

14:56

make this Claude is a foundational model

14:58

yeah

15:00

so I asked Claude to give me a actually

15:02

a quick site story to be able to build

15:04

something and so it I pasted in here I'm

15:07

not going to read it at the sock manager

15:09

I need to provide a weekly report and it

15:11

kind of gave me I need security

15:13

incidents thread intelligence compliance

15:15

status right I didn't edit this I really

15:18

just cut and paste this out of my friend

15:20

Claude 3 um and I can go now remember I

15:24

was building up those dashboards that I

15:26

had before or those visuals I can now

15:29

utilize some of

15:31

these and they may not be the proper

15:34

ones but we're going to throw a whole

15:36

bunch of them in

15:38

there and we'll take a look what's going

15:41

on this is completely random and list

15:44

one looks nice I found that when working

15:47

with like chat Bots or anything that's

15:49

AI related talk to it like a three Ager

15:52

like you know when I found that I'm

15:54

talking to chatbots and like geni in a

15:58

very similar manner that I talked to my

15:59

three-year-old very specific more

16:01

detailed instruction gets you the more

16:03

detailed responses and narrows the scope

16:06

of the data that can be returned and

16:09

plus the retrieval augmented generation

16:10

I mean we could go on and on about gen

16:13

workloads but what you're essentially

16:15

saying is hey the security manager that

16:19

just walked by as I was about to head it

16:20

to lunch said I need a report with this

16:23

information this information this

16:24

information and that information by the

16:27

way I need it sparkly chart

16:30

CH in lines and stuff and I only failed

16:33

because I didn't start over I didn't

16:34

follow the exact instructions so what

16:37

this is now doing I said I want these

16:40

visuals and I have that story that I

16:42

need to build and we should and very

16:47

easily now have a PowerPoint

16:49

presentation and Kyle will say o and a

16:52

when we get

16:55

there

16:57

story we don't have the rights that Kyle

16:59

don't sing too much um it always comes

17:02

up with funky names too um some of the

17:05

other tests I've been doing um but as it

17:09

generates maybe I picked way too many

17:11

visuals yeah well while this is

17:14

generating yeah you know let let's talk

17:16

about where this all consolidate you

17:18

know we started with Mark telling us

17:20

about security L way to consolidate all

17:23

of these these disparate logs coming

17:25

from all these the systems into one

17:27

place and that's how you even get to the

17:29

point where you start building

17:30

visualization so uh we we we we kind of

17:35

launched across security Lake into the

17:39

getting value from security Lake portion

17:41

uh but we wouldn't even be able to be

17:44

generating these visuals without

17:46

security Lake behind it where you've

17:47

stored all of your security logs from

17:50

all the different tools you're using and

17:52

now Ross you're generating these these

17:55

uh visuals that you're going to share

17:56

with your Executives to give them

17:58

insight into it's been going on

18:01

generating a summary for you too I know

18:03

it even gives me a summary um it didn't

18:07

populate some of them just because I

18:09

didn't I was randomly picking but um I

18:13

mean for you to just so nice I can

18:14

actually bring these in select

18:16

everything and you're doing this in like

18:17

the matter of 10 minutes is still really

18:20

cool you know I would edit it some I

18:23

know what Mark wants usually and so I

18:25

would edit it a little bit but I'm using

18:28

he didn't have to know queries he didn't

18:30

have he just asked like normal questions

18:33

and that data you know represented these

18:36

uh these reports it's awesome I know for

18:38

a fact with my familiarity of quick site

18:42

and quering security like this would

18:44

take me at least half hour to an hour at

18:47

a minimum to even pick what theme I

18:50

wanted to use for the

18:53

conversation and then no this I I know

18:56

for a fact this would save so much time

18:59

um for you know those that need to

19:01

generate reports for like security

19:03

weekly reviews or you know this is

19:06

really awesome investigate or threat

19:09

hunt or do any of these cool things that

19:10

the security folks do on a daily basis

19:13

yeah well hey you know what

19:15

unfortunately we're out of time but chat

19:16

if you want me to try to convince Mark

19:18

and Ross to maybe do a deeper dive that

19:21

might be like 30 minutes to 45 minutes

19:24

long let me know let me know in the chat

19:27

I'll see if I could drag them along on

19:28

the lockdown and we'll talk more about

19:30

how we could create visualizations using

19:32

q and quick site uh we do have one

19:34

question does it become better over time

19:37

at generating

19:39

reports that I don't know but we'll find

19:42

an answer and probably talk about it on

19:44

lockdown yeah so more coming there's a

19:47

lot more work about what I just did

19:49

there's a whole team building some more

19:51

stuff and so yeah I think yeah where

19:54

Ross is the face there is a big team

19:56

behind him creating a lot of cool stuff

19:59

which is really but I have a big face

20:00

already so wait a minute I didn't say

20:02

creting a big that's why it's a big

20:06

team oh my gosh someone get Mark and

20:09

Ross out of here I'm kidding Mark Ross

20:12

thank you so much for joining us I I'm

20:14

really excited to hear more about uh

20:16

security Lake and the success it's had

20:18

and also it's been around for a little

20:20

over a year now I've heard which is cool

20:23

thanks for having us guys R has it

20:25

absolutely take care see you next time