What is AWS Detective and How it Works?

There are millions of people, startups, largest enterprises, including government agencies trust AWS to build robust infrastructure and agility with less cost. Considering the growth of complexity in today’s data, organizations often face issues in understanding how they can protect and secure their data and their clients.

The services like Amazon GaurdDuty, Amazon Macie, and partner security products will identify security concerns and help in finding what is wrong and how to troubleshoot. But there might be chances that you need to deep dive and figure out what is the fundamental cause and how to fix it. Determining the root cause includes collecting and combining the various log data from different resources, then the security analyzer has to take a call and start the investigation.

But one such service that makes all these processes simple by making your security teams to identify the root cause of the issue easily is Amazon Detective. Detective enables you to easily analyze, investigate and quickly detect the root cause of suspicious activity.

Virtual Private Cloud (VPC)Flow logs: Flow log is a VPC’s built-in support to capture the data about how the network resources are flowing in and out of the VPC.

AWS CloudTrail: CloudTrail is a “Management and Governance” tool in the console. The owners can check every API call made to other resources in the account and written to a log.

Amazon GuardDuty: Amazon GuardDuty is aws managed monitoring service for Cloud security; it enables you to detect threats and their behavior.

How to enable AWS Detective?

*First, you need to log in to the Management Console, navigate to the Detective console

*Click Get started

*Review the information provided in the Enable Detective page

*There will be Master Account and Member Account and the Master Account will be aligned between GaurdDuty and Security Hub. The master account can invite other accounts to be member accounts for the behavior graph.

*One behavior graph will have only one Master account per region, and the account can be a master account in different regions

*Attach the IAM policy that allows you to enable the Detective, and manage a behavior graph

*After enabling the Detective, you can add the member accounts to your behavior graph

How does it work?

*You need to enable the Detective in the AWS management console. As of now, AWS has made it available only in five regions [US East(Ohio), US East( Virginia), US West(Oregon), Asia Pacific(Tokyo), Europe(Ireland)].

*Detective automatically collects the events like login attempts, API calls, and network traffic from the VPC flow logs. If the customer has already enabled the Amazon GuardDuty detective will put away the findings detected by GuardDuty.

*It uses machine learning and visualization to make an integrated and interactive view of your resource behavior from time to time.

*It rapidly investigates the activities that are against the norm and identifies the patterns which indicate any security issues. But some security issues need more investigation to examine the effect of malicious activity. If the AWS Guard Duty identifies this kind of problem, then you can go to Detective and quickly determine the root cause for the challenge.

The flow of investigation includes the following phases

Phase1:While looking at the findings in GuardDuty or security Hub, an analyst can choose those findings in Detective. From Detective, the analyst can use the Detective search function to select a finding to triage.

Phase2:The finding profiles will have a set of visualization. These visualizations are created from the behavior graph. The behavior graph is basically generated from the logs that are collected by Detective and other data that it has consumed.

Phase3:Once the issue is found and determined, whether it is true or false positive, then the analyst can update the status in the original service.

The highest priority at the AWS is Cloud security and Security is a shared responsibility between you and AWS. Though AWS has proven itself to be a reliable Cloud service provider in today’s world, although you should verify and that’s where the responsibility as a Cloud user relies on.