AWS Partner Network (APN) Blog

Strengthen Security Posture with AI-Enabled Insights Using Amazon Security Lake, Splunk, and Recorded Future

By Kunal Sharma, Sr. Solutions Architect – AWS
By Amandeep Singh, Solutions Architect – AWS
By Lody Claros, Sr. Customer Solutions Manager – AWS
By Christopher Coburn, Principal Tech Alliances Architect – Recorded Future

Organizations can strengthen the resilience of their critical infrastructure by implementing security measures that keep pace with an evolving threat landscape and mitigate the risks it presents.

Security teams need to prioritize three major components to strengthen their security plan to proactively combat cybersecurity threats:

  • Scalable data storage
  • Real-time data analysis
  • Advanced threat intelligence

In this post, we describe common challenges security teams face and how to address them by combining three services that cover those components: Amazon Security Lake for scalable storage, Splunk for real-time analysis, and Recorded Future for threat intelligence.

Recorded Future is an AWS Partner that empowers customers with real-time threat intelligence to defend their organizations against threat actors. Splunk is an AWS Partner that helps make your organization more resilient with a unified security and observability platform.

Amazon Security Lake automatically centralizes security data from Amazon Web Services (AWS) environments, software-as-a-service (SaaS) providers, and both on-premises and cloud sources into a purpose-built data lake stored in your account. With Security Lake, you can get a more complete understanding of your security data across your entire organization.

Security Team Challenges

  • Data silos and fragmentation: Security data is often scattered across different systems and platforms in disparate formats. This makes it difficult for teams to gain a complete picture of their security data.
  • Complex data analysis and management: Analyzing and managing security data can be complex and time consuming because it comes from different sources and in large amounts.
  • Slow threat detection and response: Cybersecurity threats evolve quickly, requiring not just detection but anticipation and preemption of these potential threats. If the security data and/or tools are not properly organized, it can slow security teams down significantly.
  • Compliance and reporting: Monitoring and reporting on compliance can be challenging, especially if there is no tooling present to automate and streamline the collection of evidence.
  • Inefficient resource utilization: Security teams often spend time doing the undifferentiated task of gathering and sorting security data, which takes away from their ability to effectively analyze and take action to remediate cybersecurity threats.

Solution Overview

Organizations can tackle the challenges above by integrating Amazon Security Lake, Splunk, and Recorded Future to create a unified approach to strengthen security posture.


Figure 1 – Integrated architecture of Amazon Security Lake + Splunk + Recorded Future.

First, security teams need to determine where and how to store their security data in a centralized manner to address the challenges of data silos and complex data management. Amazon Security Lake provides a centralized platform for collecting and storing security data, including logs, events, and alerts, from sources such as cloud environments, on-premises systems, and third-party applications.

Security Lake stores the data in Amazon Simple Storage Service (Amazon S3) buckets in your account, catalogs it with AWS Glue, encrypts it with AWS Key Management Service (AWS KMS), and controls access with AWS Identity and Access Management (IAM), so the data is not only centralized but also protected and readily available for analysis.

Security Lake normalizes data from natively supported AWS sources into the Open Cybersecurity Schema Framework (OCSF) and stores it as Apache Parquet; custom sources must convert their events to the OCSF schema before writing them to Security Lake. A single schema across all sources removes much of the disparity that makes security data hard to analyze.
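As an added illustration of the custom-source step (example code written for this edit, not code from AWS or from the original post), the following Python builds an OCSF Network Activity event from a constructed firewall log line and checks the base fields before the event is shipped. The key=value log format, the product name, the OCSF version string, and the mapping from the firewall's action field to OCSF activity_id and severity_id are assumptions made for the example; a real custom source would write the resulting events as Parquet objects to the S3 location Security Lake assigns to it.

```python
"""Normalize a custom firewall log into an OCSF Network Activity event.

Added example, not code from the post or from AWS. The key=value log format,
product name, OCSF version string and action-to-activity mapping are assumptions.
"""
import json
from datetime import datetime

OCSF_VERSION = "1.1.0"   # assumed schema version for this example
CATEGORY_UID = 4         # OCSF category: Network Activity
CLASS_UID = 4001         # OCSF class: Network Activity
# Assumed mapping from the firewall's action field to OCSF activity_id
# (6 = Traffic, 5 = Refuse) and severity_id (1 = Informational, 3 = Medium).
ACTIVITY_BY_ACTION = {"ALLOW": 6, "DENY": 5}
SEVERITY_BY_ACTION = {"ALLOW": 1, "DENY": 3}
REQUIRED_FIELDS = ("category_uid", "class_uid", "activity_id", "type_uid",
                   "severity_id", "time", "metadata")

# Constructed sample lines in the assumed key=value format (RFC 5737 addresses).
SAMPLE_LINES = [
    "ts=2024-05-01T12:00:00Z action=ALLOW proto=TCP src=10.0.1.25 sport=51234 "
    "dst=203.0.113.45 dport=443 rule=egress-web",
    "ts=2024-05-01T12:00:05Z action=DENY proto=UDP src=198.51.100.7 sport=4444 "
    "dst=10.0.1.25 dport=53 rule=block-inbound",
]


def parse_raw(line: str) -> dict:
    """Split a key=value line into a dict; reject tokens without '='."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed token: {token!r}")
        fields[key] = value
    return fields


def to_ocsf(line: str) -> dict:
    """Map one raw line onto the OCSF Network Activity attributes used here."""
    raw = parse_raw(line)
    action = raw["action"].upper()
    if action not in ACTIVITY_BY_ACTION:
        raise ValueError(f"unsupported action: {action!r}")
    activity_id = ACTIVITY_BY_ACTION[action]
    # OCSF 'time' is epoch milliseconds; the source timestamp is ISO 8601 UTC.
    ts = datetime.fromisoformat(raw["ts"].replace("Z", "+00:00"))
    return {
        "category_uid": CATEGORY_UID,
        "class_uid": CLASS_UID,
        "activity_id": activity_id,
        "type_uid": CLASS_UID * 100 + activity_id,  # derived per the OCSF convention
        "severity_id": SEVERITY_BY_ACTION[action],
        "time": int(ts.timestamp() * 1000),
        "metadata": {
            "version": OCSF_VERSION,
            "product": {"name": "ExampleFirewall", "vendor_name": "Example Corp"},
        },
        "src_endpoint": {"ip": raw["src"], "port": int(raw["sport"])},
        "dst_endpoint": {"ip": raw["dst"], "port": int(raw["dport"])},
        "connection_info": {"protocol_name": raw["proto"].lower()},
        # Source-specific fields with no OCSF attribute go under 'unmapped'.
        "unmapped": {"rule": raw.get("rule", "")},
    }


def validate(event: dict) -> bool:
    """Check the base-event fields a subscriber relies on before shipping."""
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        raise ValueError(f"missing OCSF fields: {missing}")
    if event["type_uid"] != event["class_uid"] * 100 + event["activity_id"]:
        raise ValueError("type_uid does not match class_uid/activity_id")
    return True


if __name__ == "__main__":
    for raw_line in SAMPLE_LINES:
        event = to_ocsf(raw_line)
        validate(event)
        print(json.dumps(event, indent=2))
```

The validation step matters because a subscriber such as Splunk partitions and filters on class_uid, type_uid, and time; an event that reaches the lake with those fields missing or inconsistent is stored but never surfaces in the searches analysts write.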

Amazon Security Lake provides the foundation for a resilient, proactive defense strategy, ensuring that security data becomes a powerful asset in safeguarding digital systems.


Figure 2 – Centralizing security data from AWS services in Amazon Security Lake.

Next, security teams need to determine how to best analyze their security data to address the challenges of slow threat detection and response. The high velocity of data generation requires that analysis occur in real-time or near-real-time to identify and mitigate cybersecurity threats.

Splunk is a real-time data analytics platform that processes and analyzes data as it arrives and applies artificial intelligence (AI) to automate threat hunting, so organizations can quickly identify, investigate, and respond to potential security threats.

Integrating Amazon Security Lake with Splunk gives security teams access to the broader, more diverse security datasets collected across their organization, including custom sources, so analysis can span all of them rather than one system at a time. Actionable dashboards and insights help security teams respond swiftly to threats and anticipate what comes next.


Figure 3 – Splunk enterprise security AI/ML-powered dashboard.

Lastly, security teams need to determine how to best take proactive action on security data findings to remediate threats, meet compliance requirements, provide accurate reporting, and enforce security rules.

Recorded Future extends security analytics beyond an organization's internal telemetry by using machine learning and natural language processing to analyze and interpret large amounts of data from the open, deep, and dark web, providing a comprehensive view of the global threat landscape.

Integrating Recorded Future with Splunk combines this threat data with security data to bring insights into the latest tactics, techniques and procedures (TTPs) used by threat actors, which allows organizations to improve their security posture and proactively mitigate threats.

By feeding Splunk with external and actionable threat intelligence, this integration allows for a more holistic understanding of cybersecurity threats, as the external intelligence from Recorded Future provides context and relevance to the internal data processed by Splunk.

For example, indicators of compromise (IoCs) identified by Recorded Future can be correlated with log data in Splunk, enabling security teams to lower their mean time to respond (MTTR) and pinpoint threats that might otherwise have gone unnoticed.
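To make that correlation concrete, here is an added Python example (not code from Splunk, Recorded Future, or the original post) that matches OCSF events against an indicator list and keeps only hits above a risk threshold. The indicator feed, its risk scores, the threshold, and the events are all constructed for illustration, using RFC 5737 documentation addresses, an RFC 2606 reserved domain, and the MD5 of the EICAR test file; a production pipeline would pull the indicators from the Recorded Future App and run the matching inside Splunk.

```python
"""Correlate OCSF events against a threat-intelligence indicator list.

Added example, not code from Splunk, Recorded Future or the original post.
Indicators, scores, threshold and events are constructed for illustration.
"""
from dataclasses import dataclass

RISK_THRESHOLD = 65  # assumed: indicators below this score enrich but do not alert


@dataclass(frozen=True)
class Indicator:
    value: str      # IP address, domain or file hash
    kind: str       # "ip", "domain" or "hash"
    risk: int       # 0-99 risk score, as a threat-intel feed would supply
    evidence: str   # short reason the feed attaches to the indicator


# Constructed indicator feed.
INDICATORS = [
    Indicator("203.0.113.45", "ip", 92, "active C2 server"),
    Indicator("198.51.100.7", "ip", 30, "historical scanning, low confidence"),
    Indicator("malicious.example", "domain", 88, "phishing landing page"),
    Indicator("44d88612fea8a8f36de82e1278abb02f", "hash", 99, "EICAR test file"),
]

# Constructed OCSF events: Network Activity (4001), DNS Activity (4003)
# and Process Activity (1007), carrying only the fields this example reads.
EVENTS = [
    {"class_uid": 4001, "time": 1714564800000, "src_endpoint": {"ip": "10.0.1.25"},
     "dst_endpoint": {"ip": "203.0.113.45", "port": 443}},
    {"class_uid": 4001, "time": 1714564805000, "src_endpoint": {"ip": "198.51.100.7"},
     "dst_endpoint": {"ip": "10.0.1.25", "port": 53}},
    {"class_uid": 4003, "time": 1714564810000, "src_endpoint": {"ip": "10.0.1.40"},
     "query": {"hostname": "Malicious.example", "type": "A"}},
    {"class_uid": 1007, "time": 1714564815000, "device": {"hostname": "ws-17"},
     "process": {"file": {"name": "eicar.com", "hashes": [
         {"algorithm_id": 1, "value": "44D88612FEA8A8F36DE82E1278ABB02F"}]}}},
    {"class_uid": 4001, "time": 1714564820000, "src_endpoint": {"ip": "10.0.1.25"},
     "dst_endpoint": {"ip": "192.0.2.10", "port": 443}},
]


def build_index(indicators):
    """Index indicators by (kind, value) so each lookup is a single dict hit."""
    return {(i.kind, i.value.lower()): i for i in indicators}


def observables(event):
    """Yield (kind, value) pairs from the OCSF fields that can carry an IoC."""
    for key in ("src_endpoint", "dst_endpoint"):
        ip = (event.get(key) or {}).get("ip")
        if ip:
            yield "ip", ip
    hostname = (event.get("query") or {}).get("hostname")
    if hostname:
        yield "domain", hostname
    file_obj = (event.get("process") or {}).get("file") or {}
    for h in file_obj.get("hashes", []):
        yield "hash", h["value"]


def correlate(events, indicators, threshold=RISK_THRESHOLD):
    """Return one finding per (event, indicator) hit at or above the threshold."""
    index = build_index(indicators)
    findings = []
    for event in events:
        for kind, value in observables(event):
            hit = index.get((kind, value.lower()))   # case-insensitive match
            if hit is None or hit.risk < threshold:
                continue
            findings.append({
                "time": event["time"],
                "class_uid": event["class_uid"],
                "indicator": hit.value,
                "kind": kind,
                "risk": hit.risk,
                "evidence": hit.evidence,
            })
    # Highest-risk hits first so analysts triage in score order.
    return sorted(findings, key=lambda f: f["risk"], reverse=True)


if __name__ == "__main__":
    for finding in correlate(EVENTS, INDICATORS):
        print(finding)
```

Two details carry over to a real deployment: matching must be case-insensitive (hashes and hostnames arrive in mixed case from different sources), and the threshold belongs in configuration rather than code, since a low-confidence indicator such as the 198.51.100.7 entry above should enrich an investigation without paging anyone.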


Figure 4 – Correlations view from Recorded Future App for Splunk.

In addition, Recorded Future provides enhanced context for those IoCs through enrichment dashboards in Splunk, which give a concise summary of what Recorded Future has collected and analyzed about the selected entity, such as an IP address, domain, or file hash.

Security teams can leverage this enriched data to make informed, strategic decisions about their security infrastructure, policy-making, and incident response plans.


Figure 5 – Recorded Future enrichment view provides ample context for a suspicious IoC.

In summary, Splunk's flexible data ingestion and powerful analytics, combined with Amazon Security Lake's centralized security data storage and Recorded Future's threat intelligence, empower security teams to stay ahead of cybersecurity threats in a world where artificial intelligence and generative AI are becoming the norm.

Implementation Overview

To set up the recommended unified approach in this post, see the instructions below:

  1. Set up Amazon Security Lake to aggregate security data from your AWS accounts and Regions, applications, and on-premises data centers. This involves enabling the natively supported AWS log sources (for example AWS CloudTrail, Amazon VPC Flow Logs, Amazon Route 53 resolver query logs, and AWS Security Hub findings), registering any custom sources that will write OCSF data, and creating the subscribers that will consume the data.
  2. Connect Splunk to Amazon Security Lake as a data access subscriber so it can read the aggregated security data. The Splunk Add-on for AWS, available on Splunkbase, supports Amazon Security Lake as an input and facilitates this integration. For additional details, refer to this guide on configuring the integration. Use Splunk's Search Processing Language (SPL) to create real-time alerts and dashboards that monitor for specific threat patterns or anomalies, ensuring swift threat detection and response.
  3. Install the Recorded Future App for Splunk from Splunkbase and configure it with your Recorded Future API credentials to pull intelligence feeds directly into Splunk, providing context for the analyzed data. For setting up correlations, refer to the Recorded Future App documentation.

Conclusion

If you’re ready to elevate your cybersecurity strategy and stay ahead with AI-driven insights, discover the power of integrating Amazon Security Lake, Splunk, and Recorded Future to transform your security posture.

Be proactive and harness the advanced capabilities of this joint solution to gain unparalleled insights, and stay ahead of potential threats. Contact us to get started on fortifying your defenses with our integrated cybersecurity solution.



Recorded Future – AWS Partner Spotlight

Recorded Future is an AWS Partner that empowers customers with real-time threat intelligence to defend their organizations against threat actors.

Contact Recorded Future | Partner Overview | AWS Marketplace


Splunk – AWS Partner Spotlight

Splunk is an AWS Partner that helps make your organization more resilient with a unified security and observability platform.

Contact Splunk | Partner Overview | AWS Marketplace