As co-author of AWS Detective, I’ve had the unique opportunity to bridge the gap between traditional threat hunting and cloud-native security investigation. Here are some key insights from that journey.

From Concept to Service

AWS Detective emerged from real-world needs I encountered while working with security teams struggling to investigate incidents in cloud environments. Traditional tools weren’t designed for the scale and complexity of modern cloud infrastructures.

Key Challenges We Solved

1. Data Correlation at Scale

Cloud environments generate massive amounts of security data. Detective helps analysts quickly identify relationships between:

  • VPC Flow Logs
  • DNS logs
  • CloudTrail events
  • GuardDuty findings

2. Visual Investigation

Drawing from my presentation experience on “Threat Hunting with Visualization,” we built intuitive visual interfaces that help analysts understand complex attack patterns.

3. Time-Based Analysis

One lesson from my Carbon Black days: time context is crucial. Detective’s timeline views help analysts understand the sequence of events during an incident.

Real-World Applications

Based on my speaking engagements and consulting work, common use cases include:

  • Lateral Movement Detection - Identifying unusual access patterns across AWS resources
  • Insider Threat Investigation - Analyzing user behavior anomalies
  • Compromise Assessment - Understanding the full scope of security incidents

Best Practices for Cloud Investigation

From my SANS presentations and field experience:

  1. Start with high-fidelity alerts - Use GuardDuty findings as investigation starting points
  2. Follow the data flow - Understand how data moves through your cloud architecture
  3. Leverage automation - Use APIs to scale your investigation capabilities

Looking Forward

The cloud security landscape continues to evolve. My recent work on vulnerability disclosure and security testing (featured on “Screaming in the Cloud” podcast) shows there’s still much work to be done.

Interested in cloud security investigation techniques? I regularly speak on these topics - contact me for speaking opportunities.