Amazon Security Lake is now generally available.
Today we are pleased to announce the general availability of Amazon Security Lake, which was first announced in preview at re:Invent 2022. Security Lake centralizes security data from Amazon Web Services (AWS) environments, software as a service (SaaS) providers, on-premises sources, and other cloud sources into a data lake stored in your AWS account. Through its support for the Open Cybersecurity Schema Framework (OCSF), the service normalizes and combines security data from AWS with a broad range of other security data sources. This gives your analysts and security engineers broad visibility to investigate and respond to security events, improving your visibility across multicloud and hybrid environments.
<p>Figure 1 shows how Security Lake works, step by step. In this post, we discuss these steps, highlight some of the most popular use cases for Security Lake, and share the latest enhancements and updates that we have made since the preview launch.</p> <div id="attachment_29613" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29613" src="https://www.infracom.com.sg/wp-content/uploads/2023/05/img1-5.png" alt="Figure 1: How Security Lake works" width="760" class="size-full wp-image-29613"> <p id="caption-attachment-29613" class="wp-caption-text">Figure 1: How Security Lake works</p> </div> <h2>Target use cases</h2> <p>In this section, we showcase some of the use cases that customers have found to be most valuable while the service was in preview.</p> <h4>Facilitate your security investigations with elevated visibility</h4> <p>Amazon Security Lake helps to streamline security investigations by aggregating, normalizing, and optimizing data storage in a single security data lake. Security Lake automatically normalizes AWS logs and security findings to the OCSF schema. 
This includes <a href="https://aws.amazon.com/cloudtrail/" target="_blank" rel="noopener">AWS CloudTrail</a> management events, <a href="https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html" target="_blank" rel="noopener">Amazon Virtual Private Cloud (Amazon VPC) Flow Logs</a>, <a href="https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-query-logs.html" target="_blank" rel="noopener">Amazon Route 53 Resolver query logs</a>, and <a href="https://aws.amazon.com/security-hub/" target="_blank" rel="noopener">AWS Security Hub</a> security findings from Amazon security services, including <a href="https://aws.amazon.com/guardduty/" target="_blank" rel="noopener">Amazon GuardDuty</a>, <a href="https://aws.amazon.com/inspector/" target="_blank" rel="noopener">Amazon Inspector</a>, and <a href="https://aws.amazon.com/iam/features/analyze-access/?nc=sn&loc=2&dn=1" target="_blank" rel="noopener">AWS IAM Access Analyzer</a>, as well as security findings from over 50 partner solutions. By having security-related logs and findings in a centralized location, and in the same format, Security Operations teams can streamline their process and devote more time to investigating security issues. 
This centralization reduces the need to spend valuable time collecting and normalizing logs into a specific format.</p> <p>Figure 2 shows the Security Lake activation page, which presents users with options to enable log sources, AWS Regions, and accounts.</p> <div id="attachment_29614" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29614" src="https://www.infracom.com.sg/wp-content/uploads/2023/05/img2-5.png" alt="Figure 2: Security Lake activation page with options to enable log sources, Regions, and accounts" width="760" class="size-full wp-image-29614"> <p id="caption-attachment-29614" class="wp-caption-text">Figure 2: Security Lake activation page with options to enable log sources, Regions, and accounts</p> </div> <p>Figure 3 shows another section of the Security Lake activation page, which presents users with options to set <a href="https://docs.aws.amazon.com/security-lake/latest/userguide/manage-regions.html" target="_blank" rel="noopener">rollup Regions</a> and storage classes.</p> <div id="attachment_29615" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29615" src="https://www.infracom.com.sg/wp-content/uploads/2023/05/img3-4.png" alt="Figure 3: Security Lake activation page with options to select a rollup Region and set storage classes" width="760" class="size-full wp-image-29615"> <p id="caption-attachment-29615" class="wp-caption-text">Figure 3: Security Lake activation page with options to select a rollup Region and set storage classes</p> </div> <h4>Simplify your compliance monitoring and reporting </h4> <p>With Security Lake, customers can centralize security data into one or more rollup Regions, which can help teams to simplify their regional compliance and reporting obligations. Teams often face challenges when monitoring for compliance across multiple log sources, Regions, and accounts. 
By using Security Lake to collect and centralize this evidence, security teams can significantly reduce the time spent on log discovery and allocate more time towards compliance monitoring and reporting.</p> <h4>Analyze multiple years of security data quickly</h4> <p>Security Lake offers integration with third-party security services such as security information and event management (SIEM) and extended detection and response (XDR) tools, as well as popular data analytics services like <a href="https://aws.amazon.com/athena/" target="_blank" rel="noopener">Amazon Athena</a> and <a href="https://aws.amazon.com/opensearch-service/" target="_blank" rel="noopener">Amazon OpenSearch Service</a> to quickly analyze petabytes of data. This enables security teams to gain deep insights into their security data and act quickly to help protect their organization. Security Lake helps enforce least-privilege controls for teams across organizations by centralizing data and implementing robust access controls, automatically applying policies that are scoped to the required subscribers and sources. Data custodians can use the built-in features to create and enforce granular access controls, such as restricting access to the data in the security lake to only those who require it.</p> <p>Figure 4 depicts the process of creating a data access subscriber within Security Lake. 
</p> <div id="attachment_29616" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29616" src="https://www.infracom.com.sg/wp-content/uploads/2023/05/img4-3.png" alt="Figure 4: Creating a data access subscriber in Security Lake" width="760" class="size-full wp-image-29616"> <p id="caption-attachment-29616" class="wp-caption-text">Figure 4: Creating a data access subscriber in Security Lake</p> </div> <h4>Unify security data management across hybrid environments</h4> <p>The centralized data repository in Security Lake provides a comprehensive view of security data across hybrid and multicloud environments, helping security teams to better understand and respond to threats. You can use Security Lake to store security-related logs and data from various sources, including cloud-based and on-premises systems, making it simpler to collect and analyze security data. Additionally, by using automation and machine learning solutions, security teams can help identify anomalies and potential security risks more efficiently. This can ultimately lead to better risk management and enhance the overall security posture for the organization. Figure 5 illustrates the process of querying AWS CloudTrail and Microsoft Azure audit logs simultaneously by using Amazon Athena.</p> <div id="attachment_29617" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-29617" loading="lazy" src="https://www.infracom.com.sg/wp-content/uploads/2023/05/img5-3.png" alt="Figure 5: Querying AWS CloudTrail and Microsoft Azure audit logs together in Amazon Athena" width="1107" height="753" class="size-full wp-image-29617"> <p id="caption-attachment-29617" class="wp-caption-text">Figure 5: Querying AWS CloudTrail and Microsoft Azure audit logs together in Amazon Athena</p> </div> <h2>Updates since preview launch</h2> <p>Security Lake automatically normalizes logs and events from natively supported AWS services to the OCSF schema. 
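</p>
<p>As an added example (not from the original post or from AWS), the following Amazon Athena query shows what the cross-source query illustrated in Figure 5 looks like in practice once both feeds are normalized to OCSF: it unions CloudTrail management events (OCSF API Activity class) with an Azure audit feed delivered through a custom OCSF source, then ranks principals by failed API calls per day across both clouds. The database and table names, the <code>eventday</code> partition column (a <code>YYYYMMDD</code> string), the epoch-millisecond <code>time</code> column, and the assumption that the Azure source uses the same API Activity column layout are all assumptions here; substitute the names Athena lists for your own Security Lake tables.</p>

```sql
-- Added example: cross-source Athena query over Security Lake OCSF tables.
-- Assumptions (not from the original post): the database/table names below,
-- the 'eventday' partition column (YYYYMMDD string), epoch-millisecond 'time',
-- and that the Azure audit feed arrives as a custom OCSF source with the same
-- API Activity column layout as the CloudTrail table.
WITH api_activity AS (
  -- CloudTrail management events normalized to the OCSF API Activity class
  SELECT
    from_unixtime(time / 1000) AS event_time,
    cloud.provider             AS provider,
    metadata.product.name      AS product,
    actor.user.name            AS principal,
    api.operation              AS operation,
    src_endpoint.ip            AS source_ip,
    status                     AS status
  FROM amazon_security_lake_glue_db_us_east_1.amazon_security_lake_table_us_east_1_cloud_trail_mgmt_1_0
  WHERE eventday BETWEEN '20230501' AND '20230531'   -- daily partition pruning
  UNION ALL
  -- Azure audit logs delivered by a custom OCSF source (hypothetical table name)
  SELECT
    from_unixtime(time / 1000),
    cloud.provider,
    metadata.product.name,
    actor.user.name,
    api.operation,
    src_endpoint.ip,
    status
  FROM amazon_security_lake_glue_db_us_east_1.amazon_security_lake_table_us_east_1_ext_azure_audit
  WHERE eventday BETWEEN '20230501' AND '20230531'
)
-- Principals with the most failed API calls per day, across both clouds.
-- OCSF carries the outcome in the 'status' string ('Success' / 'Failure').
SELECT
  date_trunc('day', event_time) AS day,
  provider,
  principal,
  count(*)                      AS failed_calls,
  count(DISTINCT operation)     AS distinct_operations,
  count(DISTINCT source_ip)     AS distinct_source_ips
FROM api_activity
WHERE status = 'Failure'
GROUP BY 1, 2, 3
HAVING count(*) >= 20
ORDER BY failed_calls DESC
LIMIT 50;
```

<p>Because both sources share the OCSF column names, the <code>UNION ALL</code> needs no per-source mapping logic, which is the point of normalizing at ingestion time rather than at query time. The <code>eventday</code> range is what keeps the scan small: the move from hourly to daily partitioning described below means one partition per account, Region, and day, so a month-long investigation touches a bounded, predictable set of objects. Run the query as a data access subscriber whose Lake Formation grant is scoped to exactly these tables, so that analysts see only the sources they are entitled to.</p>
<p>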
With the general availability release, Security Lake now supports the latest version of OCSF, which is version 1 rc2. CloudTrail management events are now normalized into three distinct OCSF event classes: Authentication, Account Change, and API Activity.</p> <p>We made various improvements to resource names and schema mapping to enhance the usability of logs. Onboarding is made simpler with automated <a href="https://aws.amazon.com/iam/" target="_blank" rel="noopener">AWS Identity and Access Management (IAM)</a> role creation from the console. Additionally, you have the flexibility to collect CloudTrail sources independently including management events, <a href="https://aws.amazon.com/s3/" target="_blank" rel="noopener">Amazon Simple Storage Service (Amazon S3)</a> data events, and <a href="https://aws.amazon.com/lambda/" target="_blank" rel="noopener">AWS Lambda</a> events.</p> <p>To enhance query performance, we made a transition from hourly to daily time partitioning in Amazon S3, resulting in faster and more efficient data retrieval. Also, we added <a href="https://aws.amazon.com/cloudwatch/" target="_blank" rel="noopener">Amazon CloudWatch</a> metrics to enable proactive monitoring of your log ingestion process to facilitate the identification of collection gaps or surges.</p> <p>New Security Lake account holders are eligible for a <a href="https://aws.amazon.com/security-lake/pricing/?refid=9bc21f40-12f4-4d2b-8b8d-6f6f65ab19e6" target="_blank" rel="noopener">15-day free trial</a> in supported Regions. Security Lake is now generally available in the following <a href="https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/" target="_blank" rel="noopener">AWS Regions</a>: US East (Ohio), US East (N. 
Virginia), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Europe (Frankfurt), Europe (Ireland), Europe (London), and South America (São Paulo).</p> <h2>Ecosystem integrations</h2> <p>We have expanded our support for third-party integrations and have added 23 new partners. This includes 10 source partners — <a href="https://www.aquasec.com/" target="_blank" rel="noopener">Aqua Security</a>, <a href="https://claroty.com/" target="_blank" rel="noopener">Claroty</a>, <a href="https://www.confluent.io" target="_blank" rel="noopener">Confluent</a>, <a href="https://darktrace.com/" target="_blank" rel="noopener">Darktrace</a>, <a href="https://www.extrahop.com/" target="_blank" rel="noopener">ExtraHop</a>, <a href="https://www.gigamon.com/" target="_blank" rel="noopener">Gigamon</a>, <a href="https://www.sentra.io/" target="_blank" rel="noopener">Sentra</a>, <a href="https://torq.io/" target="_blank" rel="noopener">Torq</a>, <a href="https://www.trellix.com/en-us/index.html" target="_blank" rel="noopener">Trellix</a>, and <a href="https://www.uptycs.com/" target="_blank" rel="noopener">Uptycs</a> — enabling them to send data directly to Security Lake. Additionally, we have integrated with nine new subscribing partners — <a href="https://www.chaossearch.io/" target="_blank" rel="noopener">ChaosSearch</a>, <a href="https://newrelic.com/" target="_blank" rel="noopener">New Relic</a>, <a href="https://ripjar.com/" target="_blank" rel="noopener">Ripjar</a>, <a href="https://socprime.com/" target="_blank" rel="noopener">SOC Prime</a>, <a href="https://stellarcyber.ai/" target="_blank" rel="noopener">Stellar Cyber</a>, <a href="https://swimlane.com/" target="_blank" rel="noopener">Swimlane</a>, <a href="https://www.tines.com/" target="_blank" rel="noopener">Tines</a>, <a href="https://torq.io/" target="_blank" rel="noopener">Torq</a>, and <a href="https://wazuh.com/" target="_blank" rel="noopener">Wazuh</a>. 
We have also established six new services partners, including <a href="https://www.boozallen.com/" target="_blank" rel="noopener">Booz Allen Hamilton</a>, <a href="https://www.cmdsolutions.com.au/" target="_blank" rel="noopener">CMD Solutions, part of Mantel Group</a>, <a href="https://www.infosys.com/" target="_blank" rel="noopener">Infosys</a>, <a href="https://insbuilt.com/en/home-eng/" target="_blank" rel="noopener">Insbuilt</a>, <a href="https://www.leidos.com/" target="_blank" rel="noopener">Leidos</a>, and <a href="https://www.tcs.com/" target="_blank" rel="noopener">Tata Consultancy Services</a>.</p> <p>In addition, Security Lake supports third-party sources that provide OCSF security data. Notable partners include <a href="https://blog.barracuda.com/2022/11/29/barracuda-integration-aws-security-lake/" target="_blank" rel="noopener">Barracuda Networks</a>, <a href="https://blogs.cisco.com/security/cisco-joins-amazon-web-services-aws-for-the-launch-of-security-lake" target="_blank" rel="noopener">Cisco</a>, <a href="https://cribl.io/blog/when-stream-meets-lake-cribl-integrates-with-new-amazon-security-lake/" target="_blank" rel="noopener">Cribl</a>, <a href="https://www.crowdstrike.com/blog/crowdstrike-announces-expanded-service-integrations-at-aws-reinvent-2022/" target="_blank" rel="noopener">CrowdStrike</a>, <a href="https://www.cyberark.com/resources/product-announcements-blog/cyberark-audit-delivers-security-event-information-to-amazon-security-lake" target="_blank" rel="noopener">CyberArk</a>, <a href="https://www.lacework.com/blog/lacework-integrates-with-amazon-security-lake-to-reduce-complexity-in-your-cloud" target="_blank" rel="noopener">Lacework</a>, <a href="https://laminarsecurity.com/blog/laminar-integrates-with-amazon-security-lake/" target="_blank" rel="noopener">Laminar</a>, <a href="https://www.netscout.com/blog/utilizing-netscout-deep-packet-inspection-technology-enrich" target="_blank" rel="noopener">NETSCOUT</a>, <a 
href="https://www.netskope.com/press-releases/netskope-further-improves-risk-visibility-on-aws-strengthening-customers-security-posture" target="_blank" rel="noopener">Netskope</a>, <a href="https://www.okta.com/blog/2022/11/amazon-security-lake-and-okta-make-data-more-accessible-for-increased-security/" target="_blank" rel="noopener">Okta</a>, <a href="https://orca.security/resources/blog/amazon-security-lake-orca-security/" target="_blank" rel="noopener">Orca</a>, <a href="https://www.paloaltonetworks.com/blog/prisma-cloud/amazon-security-lake" target="_blank" rel="noopener">Palo Alto Networks</a>, <a href="https://www.pingidentity.com/en.html" target="_blank" rel="noopener">Ping Identity</a>, <a href="https://tanium.com/blog/ocsf-amazon-security-lake/" target="_blank" rel="noopener">Tanium</a>, <a href="https://falco.org/blog/falco-on-aws" target="_blank" rel="noopener">The Falco Project</a>, <a href="https://www.trendmicro.com/en_us/business.html" target="_blank" rel="noopener">Trend Micro</a>, <a href="https://www.vectra.ai/" target="_blank" rel="noopener">Vectra AI</a>, <a href="https://blogs.vmware.com/management/2022/11/vmware-aria-automation-for-secure-clouds-integration-with-amazon-security-lake.html" target="_blank" rel="noopener">VMware</a>, <a href="https://www.wiz.io/blog/wiz-launches-support-for-ocsf-to-detect-and-resolve-cloud-security-issues" target="_blank" rel="noopener">Wiz</a>, and <a href="https://www.zscaler.com/" target="_blank" rel="noopener">Zscaler</a>. We have integrated with various third-party security, automation, and analytics tools. 
This includes <a href="https://www.datadoghq.com/blog/analyze-amazon-security-lake-logs-with-datadog" target="_blank" rel="noopener">Datadog</a>, <a href="https://community.ibm.com/community/user/security/blogs/gaurav-sharma/2022/11/10/ibm-qradar-and-aws-announcement" target="_blank" rel="noopener">IBM</a>, <a href="https://www.rapid7.com/blog/post/2022/11/29/insightidr-launches-integration-with-new-aws-security-data-lake-service/" target="_blank" rel="noopener">Rapid7</a>, <a href="https://s1.ai/amazon-security-lake" target="_blank" rel="noopener">SentinelOne</a>, <a href="https://www.splunk.com/en_us/blog/security/splunk-integrates-with-amazon-security-lake-to-deliver-analytics-using-the-open-cybersecurity-schema-framework.html" target="_blank" rel="noopener">Splunk</a>, <a href="https://www.sumologic.com/" target="_blank" rel="noopener">Sumo Logic</a>, and <a href="https://www.trellix.com/en-us/about/newsroom/stories/xdr/trellix-leverages-amazon-security-lake.html" target="_blank" rel="noopener">Trellix</a>. 
Lastly, we have partnered with service partners such as <a href="https://www.accenture.com/us-en" target="_blank" rel="noopener">Accenture</a>, <a href="https://eviden.com/" target="_blank" rel="noopener">Eviden</a>, <a href="https://www2.deloitte.com/us/en.html" target="_blank" rel="noopener">Deloitte</a>, <a href="https://dxc.com/us/en" target="_blank" rel="noopener">DXC Technology</a>, <a href="https://www.kyndryl.com/us/en/about-us/news/2022/11/kyndryl-aws-data-security" target="_blank" rel="noopener">Kyndryl</a>, <a href="https://www.pwc.com/us/en.html" target="_blank" rel="noopener">PwC</a>, and <a href="https://www.wipro.com/" target="_blank" rel="noopener">Wipro</a>, that can work with you and Security Lake to deliver comprehensive solutions.</p> <h2>Get help from AWS Professional Services</h2> <p>The <a href="https://aws.amazon.com/professional-services/" target="_blank" rel="noopener">AWS Professional Services</a> organization is a global team of experts that can help customers realize their desired business outcomes when using AWS. Our teams of data architects and security engineers engage with customer Security, IT, and business leaders to develop enterprise solutions. We follow current recommendations to support customers in their journey to integrate data into Security Lake. We integrate pre-built data transformations, visualizations, and AI/machine learning (ML) workflows that help Security Operations teams rapidly realize value. If you are interested in learning more, reach out to your AWS Professional Services account representative.</p> <h2>Summary</h2> <p>We invite you to explore the benefits of using Amazon Security Lake by taking advantage of our <a href="https://aws.amazon.com/security-lake/pricing/?refid=9bc21f40-12f4-4d2b-8b8d-6f6f65ab19e6" target="_blank" rel="noopener">15-day free trial</a> and providing your feedback on your experiences, use cases, and solutions. 
We have several resources to help you get started and build your first data lake, including comprehensive <a href="https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html" target="_blank" rel="noopener">documentation</a>, <a href="https://youtu.be/fKGhscpwN-k" target="_blank" rel="noopener">demo videos</a>, and <a href="https://aws.amazon.com/security-lake/resources/" target="_blank" rel="noopener">webinars</a>. By <a href="https://signin.aws.amazon.com/signin?redirect_uri=https%3A%2F%2Fus-west-2.console.aws.amazon.com%2Fsecuritylake%3FhashArgs%3D%2523%26isauthcode%3Dtrue%26region%3Dus-west-2%26state%3DhashArgsFromTB_us-west-2_9db65759c19cccd3&client_id=arn%3Aaws%3Asignin%3A%3A%3Aconsole%2Fmoose&forceMobileApp=0&code_challenge=82G6ycxjb4kpdJBfHzZrCkNIBb7Ekub-5NM3zqD1q68&code_challenge_method=SHA-256&refid=9bc21f40-12f4-4d2b-8b8d-6f6f65ab19e6" target="_blank" rel="noopener">giving Security Lake a try</a>, you can experience firsthand how it helps you centralize, normalize, and optimize your security data, and ultimately streamline your organization’s security incident detection and response across multicloud and hybrid environments.</p> <p>If you have feedback about this post, submit comments in the <strong>Comments</strong> section below. If you have questions about this post, <a href="https://console.aws.amazon.com/support/home" target="_blank" rel="noopener noreferrer">contact AWS Support</a>.</p> <p><strong>Want more AWS Security news? Follow us on <a title="Twitter" href="https://twitter.com/AWSsecurityinfo" target="_blank" rel="noopener noreferrer">Twitter</a>.</strong></p>