Real-time AWS CloudTrail Threat Detection

by thatDot · 4 min read

The Problem

AWS CloudTrail logs are full of untapped information that can help reduce risk and improve event response times, especially when analyzed in context and in real time. A thatDot cyber security customer seeking to expand their offerings to include threat detection monitoring of AWS CloudTrail logs faced three challenges. They needed to:

Typical use cases for their new product would include identifying both existing employees misusing credentials to access restricted resources and outsiders using valid but compromised credentials. This combines two of the toughest cyber-security challenges in the industry.

The Solution

Finding New Emerging Threat Behaviors, In Real-time (as attacks are happening)

The team at thatDot solved the client's threat detection problem with the first modern threat-hunting stack to combine real-time identification of unknown or emerging threats (Novelty Detector) with an event processing system that can instantly identify known patterns and act on them (Quine Enterprise).

Novelty Detector is a new graph AI technique built on the Quine streaming graph that uses categorical data from events (e.g. IP addresses, file names, file paths, API call types) in order to understand the context within which user and system actions take place. This rich context is used to evaluate behaviors in order to identify novel behaviors in real time, with a notably low incidence of false positives.

Novelty Detector results displayed as a graph, making them easy to understand and act on. (From VAST use case.)

Novelty Detector separates truly novel events from those that are unique but not a threat.

When it comes to instantly identifying and acting on known threats, including ones previously detected by Novelty Detector and classified, the client used Quine streaming graph. They used standing queries to monitor for patterns of behavior in the graph indicative of malicious behavior. And because Quine is not limited by time windows, they were able to build a threat detection system that monitored for a broader range of threat behaviors than traditional complex event processing systems and XDRs allow.

Quine is ideal for SaaS businesses. Quine Enterprise can ingest millions of events/second from multiple streams, combine them into a single graph view, detect patterns for known threat indicators, and act instantly to emit contextually rich alerts.
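As an added illustration (not Quine, Novelty Detector or the client's code), the Python sketch below models the two ideas described above over constructed CloudTrail-style records: a standing pattern that fires as each event arrives, with no time window, when a principal acts on a resource outside its recorded privileges, and a novelty signal when a principal is first seen from a source IP not in its history. The privilege table, the flattened `resource` field and the sample events are all constructed for this example.

```python
from collections import defaultdict

# Constructed privilege model (not from the page): principal -> {(eventName, resource)}.
PRIVILEGES = {
    "alice": {("GetObject", "bucket/public-assets")},
    "deploy-bot": {("GetObject", "bucket/public-assets"), ("GetObject", "bucket/payroll")},
}

class StreamingGraph:
    """Triples (subject, predicate, object) accumulate as events arrive; nothing is aged out."""
    def __init__(self):
        self.triples = defaultdict(set)   # subject -> {(predicate, object)}

    def add(self, subject, predicate, obj):
        """Record a triple; return True only if the graph did not already contain it."""
        fact = (predicate, obj)
        if fact in self.triples[subject]:
            return False
        self.triples[subject].add(fact)
        return True

def ingest(graph, record):
    """Ingest one simplified CloudTrail record and return human-readable alert tuples."""
    who = record["userIdentity"]["userName"]
    action, resource = record["eventName"], record["resource"]
    ip, when = record["sourceIPAddress"], record["eventTime"]
    alerts = []
    # Standing pattern: (principal, performed, action) and (principal, touched, resource)
    # are added to the graph, then matched against the principal's known privileges.
    graph.add(who, "performed", action)
    graph.add(who, "touched", resource)
    if (action, resource) not in PRIVILEGES.get(who, set()):
        alerts.append((who, f"{action} without privilege on", resource, when))
    # Novelty on a categorical field: a source IP never before seen for this principal,
    # once some history exists, is flagged; a repeat of a known IP is not.
    known_ips = {o for p, o in graph.triples[who] if p == "seen_from"}
    if graph.add(who, "seen_from", ip) and known_ips:
        alerts.append((who, "first seen from", ip, when))
    return alerts

def run(records):
    """Feed a stream of records through one graph and collect every alert raised."""
    graph = StreamingGraph()
    return [alert for record in records for alert in ingest(graph, record)]

# Constructed sample stream (not real CloudTrail data): two normal reads, then a read
# of a restricted bucket from an address alice has never used.
EVENTS = [
    {"eventTime": "2024-01-01T09:00:00Z", "userIdentity": {"userName": "alice"},
     "eventName": "GetObject", "resource": "bucket/public-assets", "sourceIPAddress": "10.0.0.5"},
    {"eventTime": "2024-01-01T09:05:00Z", "userIdentity": {"userName": "alice"},
     "eventName": "GetObject", "resource": "bucket/public-assets", "sourceIPAddress": "10.0.0.5"},
    {"eventTime": "2024-01-03T02:10:00Z", "userIdentity": {"userName": "alice"},
     "eventName": "GetObject", "resource": "bucket/payroll", "sourceIPAddress": "203.0.113.7"},
]

if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
```

The third record raises both alerts, each stated as who did what to which resource and when, which is the contextualized form of result the text describes.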

Human-Readable Results

Both Quine and Novelty Detector are based on the same knowledge graph technology that makes use of categorical data. The data structures they create and output -- node objects, their properties, and the relationships between those objects -- are therefore expressed in a familiar human-readable format (subject, predicate, object), so results are easy to understand and immediately contextualized.

Knowing who did what when, whether or not they had the privileges to do so, how long they had those privileges, and similar contextual information -- all quite easy to generate with Quine and Novelty Detector -- means SOC/NOC analysts don't need to spend exorbitant amounts of time researching alerts.

Fast Time To Market

Quine Enterprise with Novelty Detector made development fast and straightforward. With both unknown and known threats covered, the client was able to quickly launch a threat detection product to round out their growing portfolio of cyber security products.

Key Value Take Away