How do you move faster with AI and cloud innovation without losing control of security along the way? Recorded live from the show floor at AWS re:Invent in Las Vegas, this episode of Tech Talks Daily features a timely conversation with Kimberly Dickson, Worldwide Go-To-Market Lead for AWS Detection and Response Services.
As organizations race to adopt agentic AI, modernize applications, and manage sprawling cloud environments, Kimberly offers a grounded look at why security must still sit at the center of every decision. Kimberly explains how her role bridges two worlds at AWS. On one side are customers dealing with prioritization fatigue, fragmented security signals, and growing pressure to do more with fewer resources.
On the other are the internal service teams building products like Amazon GuardDuty, Amazon Inspector, and AWS Security Hub. Her job is to connect those realities, shaping services based on what customers actually struggle with day to day. That perspective sets the tone for a conversation focused less on hype and more on practical outcomes.
We unpack how AWS thinks about security culture at scale, from infrastructure and encryption through to threat intelligence gathered across Amazon's global footprint. Kimberly shares how AWS uses large-scale honeypots to observe attacker behavior in real time, feeding that intelligence back into detection services while also working with governments and industry partners to take down active threats. It is a reminder that cloud security is no longer just about protecting individual workloads, but about contributing to a safer internet overall.
The conversation also dives into new announcements from re:Invent, including the launch of AWS Security Hub, extended threat detection for EC2 and EKS, and the emergence of security-focused AI agents. Kimberly explains how these tools shift security teams away from manual investigation and toward faster, higher-confidence decisions by correlating risks across vulnerabilities, identity, network exposure, and sensitive data.
The goal is clear visibility, clearer priorities, and remediation that fits naturally into existing workflows. We also explore how AWS approaches security in multi-cloud and hybrid environments, why foundational design principles still matter in an AI-driven world, and how open standards are helping normalize security data across vendors.
Kimberly's reflections on re:Invent itself bring a human close to the episode, highlighting the pride and responsibility felt by teams building systems that millions of organizations depend on. As AI adoption accelerates and security teams are asked to keep pace without slowing innovation, what would it take for your organization to move faster while still trusting the foundations you are building on?
Tech Talks Daily is sponsored by Denodo
[00:00:03] Welcome back to the Tech Talks Daily podcast. I'm here at AWS re:Invent in Las Vegas. And today, I'm incredibly fortunate to be sitting down with the inspiring Kimberly Dickson for a conversation that sits right at the heart of what every business leader is thinking about right now.
[00:00:22] And that is, how do you innovate with confidence? When the security landscape keeps shifting and the pressure to move faster never lets up. And Kimberly brings deep experience from inside AWS and she works with customers who are wrestling with everything from cloud sprawl to the realities of how to secure AI.
[00:00:43] And this is a chance to hear how AWS sees the next chapter, how their security approach is evolving and what leaders should be paying close attention to. Before we go into today's episode, I just want to give a quick shout out to my good friends at Denodo. The data world is louder than ever. Yeah, AI hype, lake house complexity and pressure to deliver more with less.
[00:01:08] But my friends at Denodo, they're helping enterprises make sense of it all. Because their logical data management platform provides a unified data foundation for trustworthy AI, lake house optimization and data products that finally bring self-service to life. So combined with AWS, teams can now access secure, governed and AI ready data that accelerates every step of the journey.
[00:01:36] So whether you are a CIO or a builder, Denodo and AWS can help you unlock real AI outcomes without the headaches of data replication. And you can learn more at denodo.com slash AWS. But enough for me, let me beam your ears directly to the show floor here at AWS re:Invent. So thank you for joining me here on the podcast. Can you tell everyone listening a little about who you are and what you're doing?
[00:02:03] Hi, Neil. Thanks for having me today. My name is Kimberly Dickson. I'm the worldwide go-to-market lead for our detection response services. So you might know services such as Amazon GuardDuty, which is for threat detection, Amazon Inspector for vulnerability management, AWS Security Hub CSPM for cloud security posture management, and the new AWS Security Hub service that was launched this week. I lead the go-to-market for all of these services. So my role is a bit interesting.
[00:02:30] I don't just have customers as my end customer, but I also work very closely with the service teams. So what I do is act as that bridge between what customers want and what we build to help prioritize all of our services, our features, our releases, and really design a strategy of what service we should build next to help our customers answer the challenges. Incredibly cool. And obviously we're here on the final days of AWS re:Invent.
[00:02:55] I'm curious, for everything that you've seen and heard, you've had so many conversations, back-to-back meetings. Any themes that have caught your attention? Anything that excites you from what you've seen? Yeah, I think from what I've heard from customers is, you know, we're still, while we're having all these big developments in AI, customers are still struggling with things such as prioritization. So prioritizing what security risks that they actually should be looking at, how to spend their resources.
[00:03:22] So in terms of time, in terms of investments, and a lot of the challenges that our customers are talking about is around how can we make our lives easier in order for us to then focus on more high-value tasks. So I think you will see when we start talking about the new announcements, we're looking at helping our customers prioritize what risks to focus on and what to do next in terms of their security journey. And I'm very, very proud of the launches that we actually have this year.
[00:03:48] And there has been a lot of big launches, a big rush towards agentic AI preparing businesses for what comes next. But I would imagine that you've got a slightly different take on this because during this big rush, you're possibly thinking about the security aspect and a security-first mindset, which is often missing from the conversation. But I assume it's something that you're incredibly passionate about. Yeah, I love that you actually mentioned the security-first mindset. I'm sure you've heard a ton this week about our security culture.
[00:04:16] And I think our security culture, no matter the rush of the developments, the rush in AI, security culture still remains the most important thing at AWS. So culture for us really starts from the top. But then, you know, we really empower our developers to think about security first and to take that ownership as they're building the tools and services that their customers actually use. So, no, I feel very optimistic about the way that we are building AI. I'm optimistic about the guardrails we're building in place.
[00:04:43] And I'm really optimistic about the way that we are developing at this rapid rate to really help our customers with their challenges. And AWS has a long-standing reputation for that security-first mindset. So, how would you describe AWS's overall approach to security today? And how would you say it's evolved to meet some of the more modern threats now we're in this world of AI everywhere? I would imagine you've seen a lot of changes. Yeah. So, you know, going back to that culture first aspect,
[00:05:10] like I said, we empower our developers and our builders to build the most secure products. And the way that we actually build our cloud really thinks about how we can architect our cloud, such that it's the most secure cloud for our customers to not only build their current applications, but the applications of the future. So, those AI-heavy applications. We look at security in terms of the controls that we can build, in terms of our physical infrastructure, our networking, and even the tools that we provide our customers to use, such as encryption, etc.
[00:05:41] Another thing that we use to actually approach that security-first mindset is really the way that we look at threat intelligence. And I don't think we speak about this enough. So, I really would like to dive into that. So, when you think about AWS, you also have to think about Amazon and the scale at which we operate. And the fact that we have to operate and secure all of our different, very disparate business units. We secure things from the satellites, our distribution networks. We secure a massive global cloud infrastructure as well.
[00:06:10] And all of that is actually served, and we can actually look at that visibility and gather that threat intelligence from threat actors that might try to compromise our massive networks. So, how we actually collect all of our threat intelligence is really through an internal suite of products. One of them is called MadPot. And there's actually a really great blog that I urge all of your listeners to go read about MadPot. But MadPot is basically our globally distributed honeypot sensors.
[00:06:35] And we actually provide all of these honeypot sensors, thousands of them globally are deployed, to actually look at the way that threat actors are actually acting. So, just imagine a honeypot gets spun up, and within about 90 seconds, it gets discovered by a threat actor. And about three minutes later, they attempt to exploit it. So, these MadPot sensors have actually seen over 750 million interactions a day from these threat actors.
[00:07:03] So, what we do with that is that we gather all the actions that the threat actors are taking. We gather these signals, and then we correlate all these signals across the regions and across the globe, so that we can identify these patterns. And all of these threat intel actually gets fed back into our services, such as Amazon GuardDuty, like I said, with threat detection or AWS Web Application Firewall. You know, it doesn't just stop there, though, with MadPot. It's not just about securing AWS.
[00:07:31] We also make it a point to make sure that we're securing the internet as a whole. So, we really do share our threat intelligence over with government security agencies. We share that with affected organizations. We've actually been involved recently in taking down RapperBot. I don't know if you've heard about RapperBot. Yes, yes. But for people listening, please tell everyone a little about.
[00:07:53] So, RapperBot is basically, it was a massive IoT botnet that was actually being used to attack over 350,000 organizations across 80 countries. Yes, so that was really cool.
[00:08:08] And most recently, we've also been able to take down APT29, so Advanced Persistent Threat 29, which was a watering hole campaign that was actually attackers were using this to harvest credentials in Microsoft's device authentication workflows. So, you know, that kind of threat intelligence that we're gathering, we're also sharing to make sure that it's not just AWS that's secure. It is the organizations that we work with and the world in general, too.
[00:08:37] Wow, incredibly cool. And again, from the show floor there, are there any big announcements or trends that you're most excited about that you've seen and heard this year? Anything stand out for you? Yes, I'm very excited about talking about this. I actually was personally involved in two of them, the Security Hub launch and the GuardDuty Extended Threat Detection launch for EC2 and ECS.
[00:08:59] But, you know, to your initial point about AI, AI, AI, I want to call out first one of the frontier agents that was released was called Security Agent. And that Security Agent was actually deployed at the same time as we introduced Kiro's Autonomous Agent, as well as the DevOps Agent, showing again that Security First mindset. So not only are we making developers' lives easier, we're also making the security team's lives easier as well. So really thinking about that security first.
[00:09:28] But what I love about the security agent is that it really helps in terms of prioritization and making sure that, you know, security teams, security analysts are really being able to take that manual repetitive task they had in the past to actually then focus on their most high value task. So, you know, things that could have taken weeks to do, the security agent can now do within a few minutes.
[00:09:54] So a good example is the security agent allows for secure design reviews. So even before a single line of code is written, the security agent can actually compare a team's design documents against their organizational policies and then actually provide recommendations of where it sees vulnerabilities that might exist. And this is even before a line of code is written. So usually that would take weeks, Neil. Weeks.
[00:10:21] And, you know, we've actually brought that down for developer and security teams down into a few minutes. The next thing that the security agent also does is automated code reviews. So secure design reviews.
[00:10:33] So once the code is written, the security agent can actually provide code analysis to see if there's any vulnerabilities that a developer might have, you know, uploaded or from the pull request itself and then provide those remediations directly into those source code repositories for the developers to then work on. And then the last thing that it does, and I used to also work in the space, it also does automated penetration testing, which is really powerful.
[00:11:02] So penetration testing used to take weeks. You know, you'd have to think about understanding the application, understanding how the application works in order to actually test if the application is secure. What the security agent can actually do is that it can actually do this automated penetration testing. It will then use these credentials to actually then run some kind of multi-stage attacks across the applications to actually test for those vulnerabilities.
[00:11:29] And I think that's super powerful because, again, you know, taking that time down from weeks into just a few minutes to actually have an understanding of whether or not the application that's deployed is vulnerable or could be exploited by threat actors. So that's the first one. That's just the first one. And what kind of feedback have you had from the community? Because, again, this passionate community of people out there. So how has it been received? Of course, it's been received really well.
[00:11:57] I think anything that has to do with helping our customers make their lives easier while still maintaining that core security aspects, customers are obviously going to love. Yeah. And then I'd love to talk about my products, if you don't mind. Oh, please. I'm going to save the best for last, as you said to me earlier. So one of the products that I've actually been working on is this service called the AWS Security Hub Service that was launched during Matt Garman's keynote on Tuesday.
[00:12:27] And the Security Hub Service was really born out of the challenges that our customers were mentioning, which was, you know, that security findings tend to be quite isolated. So, you know, if you wanted to look at threats, you would have to go in understanding a finding in GuardDuty. If you wanted to understand a vulnerability, you would then have to look at Amazon Inspector or configuration compliance with CSPM.
[00:12:48] And our customers were telling us that it was very time consuming for them to actually think about what these threats mean or these findings mean as a whole. So the first thing that we thought about was how can we help our customers take these fragmented findings and really help them do automated correlation across threats, vulnerabilities, configurations, identity risks, sensitive data risks, as well as network exposure. So we're correlating this across attack sequences.
[00:13:17] To give you an example, imagine that I have an EC2 instance and this EC2 instance has a vulnerability that's being identified by Amazon Inspector. It also has a network reachable path, meaning that it could potentially be attacked or potentially be compromised. That EC2 instance might also have an IAM role that's attached to it by an instance profile that provides it administrative access to an S3 bucket with sensitive PII information.
[00:13:45] See, when you put all that together and when you correlate the threats, the vulnerabilities and the risks, then you really then surface up the most important security risks that a customer has to focus on. So it's no longer just, you know, five or six disparate findings. It's one high confidence finding that we deliver to customers in near real time. And I can't overstate how powerful that is.
[00:14:09] You know, we with the AWS Security Hub service's near real time risk assessment, it's event driven. So let's say an S3 bucket is open to the public or Amazon Macie now sees that, you know, there's sensitive data in this S3 bucket. We redraw this exposure risk and this toxic combination. And we immediately tell our customers, again, this is the resource relationships and this is the risk that now you need to go and fix.
[00:14:36] And we provide them this in a completely visualized attack path graph. So it's graphically represented. It's beautiful. It's easy for them to understand. And it's also then easy for them to focus on as well. The other thing that the Security Hub service also does really well is in terms of helping our customers with remediation.
[00:14:57] So we've done some native integration with very popular ticketing tools that enables our customers then to cut a ticket and use their remediation workflows in order for them to then fix the security findings that we have. So, yeah, like, you know, with a security agent, there's a prioritization aspect. Again, with Security Hub, it's the manual investigation that a customer would usually take hours to do and actually try and find out what's happening within their environment to just a few seconds. Right.
[00:15:27] Because it's near real time. So extremely powerful. And the third service, we're at number three. I'm just so passionate about the power of three. The third service is GuardDuty Extended Threat Detection for EC2 and ECS. So GuardDuty Extended Threat Detection was first released last year at re:Invent. And it focused on things such as IAM credential compromise as well as S3 data compromise.
[00:15:55] And now we've actually expanded that coverage to EC2 instances as well as ECS clusters. So also looking at your compute workloads as well. So GuardDuty Extended Threat Detection, again, focuses on correlating different security signals that we capture within Amazon GuardDuty. So, you know, certain things that an attacker might do could completely look very, very benign, right, in isolation.
[00:16:20] But what we're doing with GuardDuty Extended Threat Detection is we're correlating all of these different signals and saying, you know, based off this IP address, I see an attacker doing an initial compromise or initial access. And then I see the same IP address performing things such as, you know, privilege escalation. And maybe there's some kind of malicious or suspicious container activity.
[00:16:44] So we stitch together, again, all of these different signals and we provide that finding that could be six or seven different findings or six and seven different signals into one very, very high confidence, critical alert that customers can then act on and say, you know, I definitely think that there's something in my environment that I should look at. So, yeah, just again, you know, providing the correlation, that insight that allows customers to really act on what they really need to do next.
[00:17:11] And aside from the technology, your passion for the topic really shines through in our conversation today. And as businesses and leaders listening accelerate adoption of generative AI and data-driven services, how are you at AWS helping maintain that strong security and compliance without slowing innovation? Is that a battle that you face as well?
[00:17:31] Well, the way I look at it, even though the advent of AI might seem pretty new, at the end of the day, the infrastructure that you built the AI on is not very, very different. So the key security design principles, things like least privilege, making sure you're encrypting your data, making sure you're protecting the network, that remains the same. What has changed is the solutions of the services that enables customers to build generative AI very quickly.
[00:17:59] And, you know, last year we released Amazon Bedrock, right? So it allows, you know, fully managed service that allows a customer to build generative AI. And we also announced Bedrock guardrails. So allowing customers to build their generative AI applications with these guardrails in place that would do things such as look for prompt injections. It looks for harmful content in terms of harmful data or harmful images.
[00:18:26] You know, it makes sure that the, it basically enables as well guardrails around hallucinations. And what we've actually released, we also make sure in parallel that we're releasing the security controls that are required to make sure when a customer deploys an application, they do this securely. Yeah, yeah. And I think many organizations are now operating in multi-cloud or hybrid environments.
[00:18:50] So for those people listening, how is AWS thinking about security in a world where customers' workloads live rapidly across different infrastructures? Again, a big challenge, I would imagine. Yeah. So we hear from our customers and we understand, of course, that, you know, customers are having a huge environment sprawl, especially when it comes to technology. We understand the customers use multi-cloud and that obviously would introduce as well complexity to that.
[00:19:17] So in terms of that, you know, we've made sure that we've developed the frontier agents. So an example would be the DevOps agent that's able to actually work across AWS, multi-cloud, as well as hybrid environments. So really pulling again to that forefront, these very sophisticated agents that can actually help customers across their different environments. So the DevOps agent essentially works as an extension of the DevOps team.
[00:19:43] They're able to do things such as troubleshoot an application to understand what's gone wrong. And the DevOps agent really takes, again, looking at, you know, those long manual processes that a DevOps agent might have to look across their networks to see exactly what is wrong with the network or that application that makes it not work. And it reduces that to just a few seconds. A very good example is Commonwealth Bank of Australia.
[00:20:09] So they actually tested and recreated, I should say, a very complex IAM as well as networking example or issue. And then using the DevOps agent, they were actually able to identify what went wrong in less than 15 minutes. Right. And like I said, the DevOps agent actually works multi-cloud, hybrid environments and across AWS as a whole as well. So very, very powerful.
[00:20:35] We are thinking about how we can actually deliver these very sophisticated agents for our customers that are working across environments. I can say as well from an interoperability perspective, the Security Hub service is actually built upon a framework called the Open Cybersecurity Schema Framework. And, you know, that is actually an industry-wide framework. And it's an open source framework that is being contributed to by over 900 organizations globally.
[00:21:02] So it's a very well-adopted framework. And essentially, the Open Cybersecurity Framework actually seeks to normalize and standardize security data. So good example, vendor A might look at security criticality ratings from high, medium, and low. Vendor B might look at security criticality ratings from 0 to 10. So in the past, what an analyst would have to do, what a security team member would have to do, is do very complex data wrangling.
[00:21:29] Because they have to make sure that the data is comparable or standardized or normalized in a single framework. Right. So you need to understand, for example, what this vendor means when it says high, medium, low, and what this vendor means when it's from 0 to 10. So that's what the OCSF, or the Open Cybersecurity Schema Framework, actually seeks to do. You know, now with the OCSF, because of that standardization and that normalization, the security findings are reported in exactly the same way.
[00:21:57] In terms of, you know, what that integer value might potentially be, what the products might be, how an IP address is written, for example.
[00:22:06] And with the Security Hub products, using OCSF, it essentially means that, you know, other tools or third-party tools, such as SIEM tools, are able to take that finding very, very quickly and be able then to analyze that and compare it against other vendor findings that might come through from, you know, any other number of vendors that are using OCSF as well. So that interoperability, very powerful too.
[00:22:31] And obviously we're recording this, what many people listening will think of as the last bigger tech event of the year. So when we start looking ahead, what advancements do you see AWS driving in the future of cloud security? You probably can't share too much. I'm trying to get a teaser out of you. Is there anything you can? So let's go back to those themes again. I can speak on, you know, what I would like to see. I would like to see us continue to help our customers prioritize.
[00:23:01] I want to help make our customers' lives easier. So I think we can all look forward to how AWS will tackle that big question around what I should be focusing on and what I should be doing next from a security context. And I think we're going to continue leading the field in that in terms of helping our customers actually boil down what their most important risks are and to act on them in near real time. Next, of course, I think AWS is still going to be driving the forefront of secure AI adoption.
[00:23:29] You will see with all of the new announcements that we're focusing on delivering enterprise-ready AI, right? It's not just AI in isolation doing one or two tasks. We're now building enterprise AI applications as well as services that will really help our customers actually derive business value from our AI as well. So you will definitely see a lot more advancements, I think, in that space too.
[00:23:58] And on a personal level, I mean, today you've come all the way from MGM Grand to here at the Venetian. You've been back-to-back meeting, speaking with so many different people. When you take all that into account, all those conversations, all the keynotes, all the sessions, what are you going to be reflecting about when you sit on that plane ride home? Honestly, I'm always impressed by how much I learn every time I come to re:Invent. It just gets bigger year after year.
[00:24:26] And the kind of things that, you know, I see my colleagues building and doing cool workshops, for example. I have a colleague that built the most beautiful workshop around an AI SOC. And that was actually done, you know, weeks and weeks, sorry, not weeks, months and months of effort to actually build this workshop. And I think every time I come here, I realize that it's not just me that's passionate about keeping our customers secure.
[00:24:52] It's a whole ecosystem, really, of Amazon employees that are working hand-in-hand with our customers to actually build the best solutions that they can then use. So it makes me quite proud, actually. It's pretty misty-eyed. Quite right, too. And for people listening, if they want to find out more about the security focus, is there anywhere in particular you'd like to point them? I'm going to put a link to your LinkedIn for people that want to carry that conversation.
[00:25:19] But is there any particular area of the AWS website you'd like to point anyone on? Absolutely. So my team, which is the Global Specialist Security Team, essentially runs something called Activation Days. So Activation Days are basically hands-on workshops where attendees can come and try out our services. So we have very good Activation Days around threat detection.
[00:25:41] You can even, and this is a shameless plug, join the Activation Day for our new Security Hub service, and it's called Security Posture Management Activation Day. So definitely have a look at that. Easily Google-able, and have a look at an Activation Day that's coming to you, whichever region that you're in now. So have a look at the Activation Days. Of course, keep an eye on the security blog.
[00:26:06] So the security blog really acts as a tool not only for us to announce our latest services and our latest services or our latest, not creations, what can I say? Essentially our latest launches. But you will also see very passionate Amazonians building solutions using our Security Hub services.
[00:26:30] So, you know, how can I remediate a Security Hub finding, for example, is one of the blogs that will be coming out very soon. Or actually, it might be out even now, because it was definitely in staging last week. But the security blog is definitely something that everyone should be looking at. Because not only are you going to see the launch, you're going to see how AWS thinks you should use it from a best practice perspective, how partners are building on top of it, and how some customers are also benefiting from using these services as well.
[00:26:58] Well, I will add links to everything you mentioned there. Make it easy for people to find. And as I said at the very beginning of our podcast, there's so much talk of AI and agentic AI and pushing innovation forward. And I think it was just so refreshing to just take a step back and talk about that security mindset and getting everything right from the very foundations. It's something we don't talk about enough. So thank you. Absolutely. Wow.
[00:27:22] I think that was an incredibly thoughtful look at where cloud security is heading and how AWS is shaping that future. And Kimberly's perspective, she shared there, I think shows how fast customer expectations are changing, but also how security strategy is becoming central to every AI and cloud discussion. But I'd love to hear your thoughts on where you see the biggest gaps and opportunities are right now. Please let me know. Keep this conversation going. Tech blog writer at outlook dot com.
[00:27:52] LinkedIn, X, Instagram, just at Neil C Hughes. But that's it for today. So thank you for listening as always. And I'll speak with you all again very soon. Bye for now.

