Mark Terenzoni, General Manager of Security Services at AWS, discussed updates in cloud security with John Furrier. GuardDuty now offers attack sequencing for a more detailed threat view. Security Lake now integrates directly with OpenSearch for cost-effective data querying. Incident response planning, blast radius reduction, and access management were also touched upon. Security Lake is praised as a central hub for security data management. Partnerships with companies like Splunk enhance analytics capabilities. Customers appreciate Security Lake for its effi...
John Furrier
>> Welcome back everyone to theCUBE's coverage here in Las Vegas. We're on the ground. We're getting all the action as we unpack the four days of wall-to-wall coverage here on theCUBE. I'm John Furrier, your host of theCUBE. Mark Terenzoni is here. GM. I was going to say vice president. GM of security services at AWS. You're running the security business. Great to see you. Thanks for coming back on theCUBE. Always a good time.
Mark Terenzoni
>> John. Always a pleasure. Absolutely.
John Furrier
>> Yeah. We love the security angle of AWS. I remember back when I first met the chief security officer with Andy Jassy in New York, 2015. At that time, the narrative was the cloud is not secure, and at that time it was like, "No, no. We actually have the best security posture because of the scale and all those things."
Again, fast forward today, obviously best security, hardened, everything is rocking, but there's still threats. Customers have connected to the cloud either with an on-prem or edge to the cloud, so they have challenges. It's a constant battle of managing the inbound threats and stuff going on with the security attacks. Managing it, investigating it. It's what you guys do. Give us the state of the art right now in terms of cloud security services. What's the landscape look like right now and what are some of the things you guys are doing that's different? Obviously, got the scale. Take us through some of the current situation.
Mark Terenzoni
>> Sure. Well, we had a couple announcements this week, so I'll probably start with that. GuardDuty, our threat detection service announced attack sequencing capabilities. They've always been able to use machine learning to understand what threats are happening for customers in their environment. But what they're doing now is they're really piecing those together in the form of TTPs, in highlighting to customers what may be a benign single threat is really tied to a potential risk or attack. We don't expect there to be too many of these firing, but it's going to give much more of a higher fidelity view of what's happening in the customer's environment. That's on the threat detection side. On the investigation side, Security Lake, as you know, we launched about 18 months ago, is really a capability that we put together for customers to bring all of this security telemetry in one place in a normalized format. This is a really important component, because before even launching Security Lake, we founded OCSF, Open Cybersecurity Schema Format with a number of leading security vendors to help industry organize security data in a way that analytics can run at scale on top of that data. Prior to having a unified schema, customers would have to piece this together. What we really found is that customers have security teams. They're really good at understanding and remediating threats and not really good at big data problems, and we were forcing them to become big data experts. We've taken that burden or undifferentiated heavy lifting off of the customer's back, organized the data in a format that they can go run their use cases and analytics, and then partnered with a number of security vendors that rely on this data but don't need to ingest it. They can actually query it directly on top of Lake. Which leads me to the second announcement, which we're really excited about, is a direct integration with Security Lake with OpenSearch. 
OpenSearch had been a partner of Security Lake's for over a year, but the use case was ingest all the data from Security Lake into OpenSearch, and then customers could analyze it in the OpenSearch interface. What we've announced this week is what we call zero ETL or direct query. The customers no longer need to ingest the data. The data stays in Security Lake and they can query it directly as needed, relatively high performance, and then analyze the chunks of data that they need. This does a couple things. It opens up the aperture for the amount of data that customers can actually analyze and have visibility on, but the second piece is it dramatically reduces the cost, because you're not fully ingesting for data that you may or may not need to query.
John Furrier
>> Well, cost and hassle, too, because you've got data movement costs and you also have ingestion of flow, all this new stuff you got to integrate in.
Mark Terenzoni
>> Correct.
John Furrier
>> That's the benefit. There's two benefits. Cost. You get access to all the data. But then wait a minute, it's the right data. I got to now run stuff on those jobs. I got to run jobs on that to figure out where it goes.
Mark Terenzoni
>> Or even what the format of it is. With OCSF, the other side benefit is really on the data science and machine learning and analytics side. They can start to build their own content and detections, because they already understand the format before they have sample data, and it really reduces that whole development cycle for our partners, for our customers, and certainly for AWS.
John Furrier
>> Just to get the news straight, we covered on SiliconANGLE.com, so again, people can go check it out Sunday ahead of the event. You guys announced the security incident response service.
Mark Terenzoni
>> Correct.
John Furrier
>> That's GuardDuty and then the Security Hub are involved in that piece. That's the one service and then obviously the OpenSearch.
Mark Terenzoni
>> Yes. That's part of our professional services offerings. We've for a long time helped customers understand potential incidents and risks, mostly in a reactive manner. Now, this brings the proactive aspects to the security posture to the forefront. This team will go in and actually help operationalize security events using GuardDuty, Security Hub, really whatever tools the customer has, and many of them will be third parties over time as well.
John Furrier
>> Filtering out those unnecessary logs, too, is another benefit. Let's get into the whole problem statement. Rapid detection, rapid response has always been a big thing. This is what people want. Talk about that aspect to it, because the surface area is now the cloud. It's everything. Everything is the surface. There's no perimeter, obviously. It's not even a discussion anymore. But the importance of incident response planning becomes big. Specifically, what do you do? Take us through that process, and what are customers challenged with as you talk to customers? Are they up to their eyeballs in SIEM migrations? What's going on with the customer?
Mark Terenzoni
>> This is a complex area. The data is growing exponentially. You're right, it's not just in one place. It's on-prem. It's in SaaS applications. It's in the cloud infrastructure. Phase one for this is making sure customers understand what they're running, what data is necessary to help them when they have an issue or an incident, and how can they organize that data in an efficient, effective manner. You mentioned SIEM, and I think that landscape is changing a little bit. Historically, many SIEMs were on-prem. They were software sales and customers really managed the infrastructure. I think you look at today and beyond, most of those implementations are happening in the cloud. They're either cloud-native tools, software solutions, or instantiations of those tools on the cloud. The landscape for those vendors is changing, because now instead of just selling software, they're actually selling infrastructure with their software to provide outcomes for their customers. That changes a little bit and the dynamics of that plays very well into why we built Security Lake, to take that undifferentiated heavy lifting off of the partners and the customers, gather all that data that you need, but do it in a very low-cost manner. It's stored in S3. It's stored in the customer's account, so the customers really have the controls over what their lifecycle is, how they manage it, what aperture they have, how much data, how they filter it. But you're right, the biggest challenge a customer has is when something does go bump in the night and they don't have the data they need to investigate or analyze it or the skills they need. That's when it really becomes a challenge.
John Furrier
>> Yeah. We've covered the Security Lake before. Love your focus area. One of the questions that comes up is how do I integrate a robust identity management system into this? You guys have that in there. That mitigates unnecessary access. You have identity and access is another key variable.
Take us through what you guys do there. What's the impact to the customer?
Mark Terenzoni
>> Yeah. You're absolutely right. If you really unpeel the threats and the historical potential attacks customers face, a large percentage of them can be traced back to credential misuse and identity misuse, and it really gets down to least privileged access. This is one of the things we really try to help customers with is identifying what access is needed and what isn't, and getting to that least privileged state to reduce that blast radius and risk. We also have some tools like Access Analyzer that goes and looks at what the roles and the users have access to and helps customers identify gaps and areas that they can reduce that risk and exposure.
John Furrier
>> You mentioned blast radius, which is a term that's used also in Amazon as well as the industry. How do you minimize that blast radius? Just getting down to the primitives? Are there techniques that Amazon deploys? Take us through, because that's really what everyone tries to get to.
Mark Terenzoni
>> I think it starts with identity, but it also goes to the perimeter and the networking segmentation. We have a number of capabilities also in that place to help customers really segment maybe their production applications and lock down the access, make sure there's no unnecessary access to the internet where there doesn't need to be, and where there needs to be, make sure that those are really protected ports and we understand what's going on and we're monitoring them on a regular basis.
John Furrier
>> Can you talk about the importance of incident response and planning? Because again, some people wait until the breach and then they do the postmortems, they do all the reporting. But the importance of the planning.
Mark Terenzoni
>> 100%. You have to have a plan. It starts with the data. It also might start with partners. Who do you have on retainer? Who do you have that can help you when you need it the most? Not all companies have mature security teams. Those that do in many cases already have plans in place and they're well aware of what the requirements and necessary needs are. But many customers aren't necessarily secure, have a large security team, so they're going to rely on partners to help in this area. That's one of the reasons we announced what we did at the show to help customers not only prepare but respond, and more importantly respond before it really becomes a big event or issue for the customer.
John Furrier
>> Why is the Security Lake important as this central hub, and how does it enhance the security and the data management piece of it? Talk about that.
Mark Terenzoni
>> Yeah. We take the data management right off the table. We built Security Lake in a way-
John Furrier
>> When you say take off the table, what do you mean take off the table?
Mark Terenzoni
>> We do all that work for the customer. You in a single location click a button and tell us what accounts you care about and what data sources you care about, and we will automatically take them from the generation spots and bring them into Security Lake, convert them to OCSF format, write them to Parquet with Iceberg table format on them so they become operationalized without any work the customer has to do. We do it at the same price as if the customer wanted to provision those logs and do this work themselves. Now, that's not everything, because now I need to bring my on-prem data, I got to bring my SaaS applications, maybe my other cloud workloads. We make a provision for customers to bring all that data as well.
John Furrier
>> Yeah. Mark, I got to go off the reservation a little bit here and talk about the S3 announcements here at re:Invent. S3 table buckets. You mentioned Parquet. Open table formats. S3 metadata. This is going to add more value to the Security Lake.
Mark Terenzoni
>> 100%. We already do that today. We put everything in Iceberg, but now you're going to have it at the primitives of S3, which is really, in my opinion, where it should be. These are going to be access patterns. They're open standards and we support open standards in many ways, but that's actually going to help my job, because they're going to take some of that work off the table for me.
John Furrier
>> Yeah. S3 has got so much goodness in there. We were just talking with Commvault, one of the partners, and versioning. Huge feature.
Mark Terenzoni
>> That's critical.
John Furrier
>> Critical feature on rollbacks, resilience.
Mark Terenzoni
>> Yeah. We have those as part of Security Lake, too, because you need to be able to do that, especially as OCSF, the Open Cybersecurity Schema, evolves. We're now version 1.3. By the way, I should tell you, we just moved the project to the Linux Foundation as well, so it's going to get more momentum. It's going to get more discoverable.
John Furrier
>> You as in Amazon Web Services, or your group is involved in that?
Mark Terenzoni
>> Well, it was already open source before, but we were hosting it in Apache, so the group which we're part of decided to make the move to Linux Foundation.
John Furrier
>> Just curious, why was that decision made?
Mark Terenzoni
>> Yeah. For a couple reasons. One is that we had a lot of experience with other projects with Linux Foundation, namely OpenSearch, and we had a really good outcome associated with that move. That was one of the major factors, but really help-
John Furrier
>> Governance is good, too.
Mark Terenzoni
>> The governance, the structure. We're going to keep the same governing body, but the structure and the discoverability for our developers, and it's a place where they already go today. We think it's going to help.
John Furrier
>> It's fun to see the Linux Foundation just continue to do such a great job. They've really shepherded many projects.
Mark Terenzoni
>> Exactly.
John Furrier
>> They do new things. They're not stuck in what they think. They're really open. They're such a great community. There have been a lot of successes there. By the way, ventures have come out of there, too. I know that's a very controversial topic, but I think it's great. You can see that innovation coming out of the community.
Mark Terenzoni
>> Yeah. We love . OCSF is still relatively young, but we've got over 900 contributors across 200 plus organizations. All the major cloud vendors, all the major security vendors, government agencies, and customers. What you'll find is that many of the security ISVs are recognizing how robust it is and they're moving their backends to OCSF.
John Furrier
>> There's always been that debate. I've always said open always wins, but you got to keep the lights on. Turn the lights on, see everything. If the collective intelligence of the community can see all the security data, a lot of good stuff can be happening. The bad guys see it, too, but hey, let's just level the playing field.
Mark Terenzoni
>> For sure. With this, we're making it a lot easier for the outcomes for customers with those tools. Think of the scenario where a major ISV that has been working machine learning on their data sets for 10 years. They've done a fantastic job, but now that we normalized OCSF, those same analytics and machine learning models can be applied to other sources and deliver outcomes rapidly.
John Furrier
>> That's just the value of standing on the shoulders of giants before you, which is the ethos of open source. Talk about the business that you got running on right now. Tell us about the health of the business. What's your focus? What are some of the targets you're going after? What's the execution look like?
Mark Terenzoni
>> Yeah. Obviously, we're focused on protecting AWS workloads. Security Lake goes beyond that, but Detective does AWS workloads and really giving customers that simplified capability at any scale, that they can turn our services on, immediately get value, and more importantly, operationalize them without any burden or heavy lifting on their side. We really want to enable our customers' limited resources on the security side to focus on the things that matter the most. Taking our signal, marrying it with their knowledge of their workloads and applications, and prioritizing the right things to remediate.
John Furrier
>> One of the things I'm seeing this year at re:Invent that's obvious now. We've talked about this in the past on theCUBE and I think we might even have talked about it, but I think it's been there, but now it's more obvious than ever, and that AWS is operating at such scale. You have certain advantages. It's rarefied air in a way. Not many people are there. You see things that other people don't see and the applications that are at that area are scaled apps. What came out of COVID with Connect. Who would've thought that Amazon would be in the call center as a service business? Well, that was born out of the benefit of what they were already doing internally. This is what that Andy Jassy playbook was for AWS to begin with. "Hey, we're doing it internally. Let's expose that service to the public." Security has that same vibe. At least I feel that way. Share your thoughts on this, because as you get more expertise, you see more things operating at scale that will allow you to bring certain solutions to the customer.
Mark Terenzoni
>> 100%. Under the covers, we are able to identify threat intelligence across a wide range of data sources that we apply into our products. I think we've made some announcements recently around MadPot and some of the things we get with that, and certainly on the DNS side, we get to see things probably a little bit before they become on a threat list. We're applying that knowledge at scale into our products that ultimately deliver better outcomes for our customers in the security realm.
John Furrier
>> Yeah. Mark, another area I want to touch on. I know it's a little bit maybe off-topic relative to your business, but it's more categorical in the industry, is that with open data and open source and exposing more and connecting people together. People always shared information. But now as the scale comes up, one other trend that's happened this year is that there's been much more of a law enforcement leaning into taking out groups that are organized versus just breaking them up. They just reconstitute. Actually putting them in jail, taking them off the streets. There's a whole law enforcement lift that we're seeing in that market that's causing disruption. These are organized mafias, these hackers, these criminals.
Mark Terenzoni
>> In many cases, they're going into offices that look a lot like the offices that we go into, and they're very organized and they share information. Historically, they've shared information, I think, better than the good guys. I think the advent of OCSF and our ability to share information at scale with other companies and teams. Like you said earlier, it levels the playing field. I think the deterrent now is that in many cases, these groups were really not being persecuted, and that's changing. I think within our country and other countries, we're creating these mechanisms to really go after these actors. For sure.
John Furrier
>> Final question for you. Highlight some partnerships and customers that exemplify the relationship that you guys want to have with the marketplace. Talk about partners first and then customers.
Mark Terenzoni
>> Yeah. Partners have always been part of the ethos for us, and it's extremely important, especially with Security Lake. We almost think of it as a middleware where our partners feed sources into us and our partners put analytics on top of us. One recent announcement that I'll talk about with Splunk around what they call federated analytics. Historically, you would have to ingest all your data into Splunk and then run your analytics locally. The analytics are fantastic, the workflow is fantastic, but it becomes cost prohibitive. Customers would have to make some choices. With this recent announcement, they were able to federate that on top of Security Lake, open up their aperture, and provide more outcomes for customers without having to bring the ingestion in. That was a really exciting announcement. I think you'll see a lot more in that area from the SIEM/XDR vendors on top of things like Security Lake that really reduce the cost and friction, but deliver more value. From a customer standpoint, several customers have come out recently and endorsed Security Lake and the value it brings to them. I'm amazed to see how quickly customers were able to adopt and operationalize, so that's been really an exciting journey.
John Furrier
>> Well, we're going to have a lot of coverage this year on security. Obviously, RSA, we're there every year. Black Hat is a new event for us. Obviously, re:Inforce, your conference. I think you guys still do re:Inforce.
Mark Terenzoni
>> Yes, we do. We'll be in June in Philadelphia.
John Furrier
>> Yeah. We'll keep an eye on that. But in general, security is part of the data equation. Seeing gen AI being a nice lift there to help take advantage of some of that stuff, too.
Mark Terenzoni
>> Yeah. It's amazing. My teams have been doing some experimentation with that on top of Security Lake data, and it's really encouraging. I think it's going to really help the analysts get to the root cause very quickly.
John Furrier
>> Those root cause analyses get done much faster.
Mark Terenzoni
>> 100%.
John Furrier
>> Okay. Final, final question, because it popped in my head. I want to ask you. I know you got to go, but what are you most excited about this year from an innovation standpoint or in your purview around Security Lake? Obviously, the news here at re:Invent. If you could share one or two highlights to customers or anyone watching, the innovations that are getting you really jazzed about this market.
Mark Terenzoni
>> I think a couple things. One is the incident response capability to help our customers with expertise on the ground as they need them is going to be fantastic for them to get to that root cause. I think the second thing is you've heard a lot of things around gen AI. I think the code aspects of that in being able to help customers by taking vulnerabilities, and reducing the friction to patch them and reduce their surface area risk by applying those code capabilities to automatically generate code, where the developer on the customer side really just has to review it and check it in. I think it's going to reduce a lot of friction and also reduce the risk for customers.
John Furrier
>> Mark, thanks for coming back on theCUBE. General manager of security services at AWS. A lot of work to do still.
Mark Terenzoni
>> 100%.
John Furrier
>> But you guys are plugging away, pedaling as fast as you can, as they say. Bringing the goodness. Thanks for coming on theCUBE.
Mark Terenzoni
>> Thanks, John. Always a pleasure.
John Furrier
>> All right. I'm John Furrier, host of theCUBE here at AWS re:Invent. Our 12th year. I can't believe it's been 12 years. We're here every year getting all the action. It's holiday time. The gifts keep on giving. The announcements are plentiful and people can't wait to get their hands on the technology. More coverage after this short break.