Last updated at Mon, 20 Nov 2023 17:22:21 GMT

It’s that time of year again! AWS Re:Invent, Amazon Web Services’ annual mega-conference, will soon kick off in Las Vegas, and there are sure to be a ton of new cloud security innovations unveiled throughout the week. From a Rapid7 perspective, we’re launching an exciting new capability: Cloud Anomaly Detection.

Now available in early access for Rapid7 customers, Cloud Anomaly Detection helps security teams detect unknown threats in their cloud environments that traditional rule-based detections miss, and does so with enough precision to avoid excess noise and false positives.

Leveraging AI to Find a Needle in the Haystack

Detecting malicious activity in cloud environments poses a formidable challenge in cybersecurity due to the inherent speed and complexity of the cloud. Cloud infrastructure is dynamic, with constantly changing virtual assets, which makes it hard to pinpoint and respond to threats effectively. The complexity of cloud configurations, the transient nature of assets, and the vast data generated can obscure malicious activities, necessitating advanced monitoring and analysis tools.

Additionally, the unique cloud threat landscape, the different dynamics of detection and response compared to traditional IT environments, and the multiplicity of stakeholders involved further complicate the security landscape. Cloud incident investigations are often hindered by inefficient data access and a lack of context for affected cloud assets. This complexity, combined with a skills gap and the ongoing transition to cloud technologies, makes cloud security particularly challenging.

For some time now, Rapid7 customers have been able to ingest native threat detections from cloud providers and consolidate them in a single place. Cloud Anomaly Detection is a significant step beyond that: it adds Rapid7’s own detections, generated by a proprietary AI engine that analyzes control-plane API activity and surfaces anomalous behavior across customers’ cloud environments. Combined with a deep, real-time understanding of the environment, the platform lets security teams respond to threats quickly and with the context needed to determine root cause and potential impact.

Taming the Noise Associated With Anomaly Detection

One of the persistent challenges of detecting anomalous user and entity behavior is that it often produces a significant amount of excess noise, usually in the form of a flood of false positives. This is due in large part to the complexity and rate of change outlined earlier: not only is the overall composition of the environment constantly changing, but so is the way users and services interact with each other. Security teams are often left with a tradeoff between casting a wide net, and inevitably chasing down benign activity, or homing in more narrowly and risking that genuinely malicious activity goes undetected.

Rapid7's Cloud Anomaly Detection connects to your cloud environment without an agent and monitors API activity by analyzing audit logs, building an activity profile for each cloud principal and resource (users, machines, storage buckets, and more). What sets this engine apart is its ability to automatically search for behavioral anomalies and prioritize potential risks in less than 10 minutes, based on historical data. Importantly, the engine is calibrated to reduce false-positive alerts: it focuses on detecting malicious activity without relying on specific pre-configured attack indicators, and it considers the context of suspicious activity, taking into account recent actions by the same principal and adapting automatically to changes in overall activity profiles and in the cloud environment.
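To make the profiling approach concrete, here is an added example (not Rapid7's engine, whose scoring is proprietary) of a minimal per-principal baseline built from constructed CloudTrail-style records. Field names follow CloudTrail (eventSource, eventName, awsRegion, sourceIPAddress); the flattened `principal` field, the weights, the thresholds, the ten-minute burst window and the sample events are all assumptions chosen for illustration.

```python
"""Toy per-principal behavioral baseline over CloudTrail-style audit events.

Added example, not Rapid7's engine. It shows the shape of the approach the
post describes: profile each principal from historical audit logs, score new
API calls by how far they deviate from that profile, escalate when the
principal's recent actions form a burst, and let benign novelty update the
baseline so it adapts as the environment changes.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Weights and thresholds are arbitrary, chosen for illustration only.
W_NEW_ACTION, W_NEW_REGION, W_NEW_IP, W_BURST = 3, 2, 2, 3
ALERT_THRESHOLD = 5
BURST_WINDOW = timedelta(minutes=10)
BURST_MIN_NOVEL = 3


def ev(ts, principal, source, name, region, ip):
    """Build a trimmed CloudTrail-like record (constructed, not a real log)."""
    return {"eventTime": ts, "principal": principal, "eventSource": source,
            "eventName": name, "awsRegion": region, "sourceIPAddress": ip}


class PrincipalProfiles:
    """Per-principal sets of seen (service, action), regions and source IPs,
    plus a short per-principal history used for burst context."""

    def __init__(self):
        self.actions = defaultdict(set)
        self.regions = defaultdict(set)
        self.ips = defaultdict(set)
        self.recent = defaultdict(deque)  # principal -> deque[(time, anomalous)]

    def learn(self, e):
        p = e["principal"]
        self.actions[p].add((e["eventSource"], e["eventName"]))
        self.regions[p].add(e["awsRegion"])
        self.ips[p].add(e["sourceIPAddress"])

    def anomalous_in_window(self, p, now):
        """Count recent anomalous events by p, dropping entries outside the window."""
        q = self.recent[p]
        while q and now - q[0][0] > BURST_WINDOW:
            q.popleft()
        return sum(1 for _, anomalous in q if anomalous)


def score_event(profiles, e):
    """Return (score, reasons) for one event against its principal's profile."""
    p, now = e["principal"], datetime.fromisoformat(e["eventTime"])
    score, reasons = 0, []
    action = (e["eventSource"], e["eventName"])
    if action not in profiles.actions[p]:
        score += W_NEW_ACTION
        reasons.append(f"first use of {action[1]} on {action[0]} by {p}")
    if e["awsRegion"] not in profiles.regions[p]:
        score += W_NEW_REGION
        reasons.append(f"unseen region {e['awsRegion']}")
    if e["sourceIPAddress"] not in profiles.ips[p]:
        score += W_NEW_IP
        reasons.append(f"unseen source IP {e['sourceIPAddress']}")
    # Context: the current event counts toward its principal's recent burst.
    profiles.recent[p].append((now, score > 0))
    n = profiles.anomalous_in_window(p, now)
    if n >= BURST_MIN_NOVEL:
        score += W_BURST
        reasons.append(f"burst: {n} anomalous events within {BURST_WINDOW}")
    return score, reasons


def detect(history, events):
    """Build profiles from history, then score events in time order.
    Events under the threshold are folded into the profile so the baseline
    adapts; alerted events are not, so an attacker's burst cannot teach
    itself into the baseline."""
    profiles = PrincipalProfiles()
    for e in sorted(history, key=lambda x: x["eventTime"]):
        profiles.learn(e)
    alerts = []
    for e in sorted(events, key=lambda x: x["eventTime"]):
        score, reasons = score_event(profiles, e)
        if score >= ALERT_THRESHOLD:
            alerts.append({"principal": e["principal"], "event": e["eventName"],
                           "score": score, "reasons": reasons})
        else:
            profiles.learn(e)
    return alerts


# Constructed history: a CI role refreshing ECR credentials and updating an ECS
# service twice a day from one NAT IP, and an analyst role reading S3 objects.
HISTORY = []
for day in range(13, 20):
    for hour in (2, 14):
        ts = f"2023-11-{day:02d}T{hour:02d}:00:00"
        HISTORY += [
            ev(ts, "ci-deploy", "ecr.amazonaws.com", "GetAuthorizationToken", "us-east-1", "203.0.113.10"),
            ev(ts, "ci-deploy", "ecs.amazonaws.com", "UpdateService", "us-east-1", "203.0.113.10"),
            ev(ts, "analyst", "s3.amazonaws.com", "GetObject", "us-west-2", "198.51.100.20"),
        ]

# Constructed new activity: a normal CI call, a benign new action by the analyst
# from a familiar place, then IAM reconnaissance and key creation by the CI role
# from an unfamiliar region and IP.
NEW_EVENTS = [
    ev("2023-11-20T14:00:05", "ci-deploy", "ecr.amazonaws.com", "GetAuthorizationToken", "us-east-1", "203.0.113.10"),
    ev("2023-11-20T14:00:30", "analyst", "s3.amazonaws.com", "ListBuckets", "us-west-2", "198.51.100.20"),
    ev("2023-11-20T14:01:00", "ci-deploy", "iam.amazonaws.com", "ListUsers", "eu-west-3", "192.0.2.77"),
    ev("2023-11-20T14:01:30", "ci-deploy", "iam.amazonaws.com", "ListAccessKeys", "eu-west-3", "192.0.2.77"),
    ev("2023-11-20T14:02:10", "ci-deploy", "iam.amazonaws.com", "CreateAccessKey", "eu-west-3", "192.0.2.77"),
    ev("2023-11-20T14:02:40", "ci-deploy", "s3.amazonaws.com", "ListBuckets", "eu-west-3", "192.0.2.77"),
]

if __name__ == "__main__":
    for a in detect(HISTORY, NEW_EVENTS):
        print(a["score"], a["principal"], a["event"], "|", "; ".join(a["reasons"]))
```

Two calibration choices from the post are visible in the output: the analyst's single unfamiliar call from a familiar region and IP stays under the threshold and is absorbed into the baseline, while the CI role's IAM calls from an unfamiliar region score on their own and then escalate once three anomalous events fall inside the window. A production engine would score far more dimensions and learn per-principal distributions rather than sets, but the structure (historical profile, deviation score, recent-activity context, adaptive baseline) is the same.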

Integrating Cloud Threat Detections Into Your SOC Workflows

When talking with SOC analysts early in the development process, one thing became crystal clear to the team here at Rapid7: analysts want to consolidate threat detection and response into the workflows they already have in place, including the SIEM/XDR tools their SOC relies on and has already invested in significantly. Integrating cloud threat detections, both native and third-party, into those workflows means making the findings themselves, along with the environment context needed to enrich them, accessible through an API for easy ingestion into SIEM/XDR tools.

To that end, we’ve ensured teams can easily send detections from Cloud Anomaly Detection via API into whatever tools they use today. The Cloud Context Enrichment API, released earlier this year, provides a wide range of data on cloud attributes, insights, misconfigurations, vulnerabilities, risks, and more, to speed up investigations and make security operations more efficient. Together, Cloud Anomaly Detection and Cloud Context Enrichment give SOC teams what they need to bring cloud into their existing detection and response workflows.

Interested in learning more? Come see us at AWS Re:Invent!

We’ll be showcasing Cloud Anomaly Detection at AWS Re:Invent, so if you’re there be sure to stop by booth #1270 and check it out!