How Will Generative AI Change Security Operations?

Clarke Rodgers:
Scaling a successful global security operation is no small feat. It takes a level of commitment and a culture of ownership that prioritizes customer trust, while adapting to meet business needs.

Hi, I’m Clarke Rodgers, Director of Enterprise Strategy at AWS and your guide for a series of conversations with AWS security leaders here on Executive Insights.

In this episode, I’m joined by Tom Avant, Director of AWS Response and Resiliency. Listen in as we talk about the keys to building, maintaining, and evolving security operations to ensure business resilience. Thanks for joining us.

Clarke Rodgers:
Tom, thank you so much for joining me today.

Tom Avant:
Thank you so much for having me. I'm really honored. Appreciate it.

Clarke Rodgers:
I'd love to start off with just a little bit about your background. I know you spent some time in the military and then what drew you to AWS?

Tom Avant:
Going into the military, I went into, initially, linguistics, so I was an intelligence analyst and worked and just got this great exposure to all different cultures when I was at the Defense Language Institute in Monterey. Learned a lot about the world, which would come to serve me a lot better later on in life running global organizations and global teams.

And then the intelligence industry is just... There's so much that you see on the TVs and the movies and you think that's what it's like and then you get in and you realize it's nothing like that. But it was a great place for me to be able to go and to learn a lot about data and about processing and having methodology, be methodical in the way that I thought and the way that I looked at things. So, I did that, I worked at NSA for a couple of years doing different stuff from an intelligence perspective.

And then ultimately, when I became an officer as an air battle manager, a command and control officer running intelligence operations, I'm now doing President support, I'm doing humanitarian missions all over the world and making critical decisions and doing things that are all in the name of major global level incident response.

► More to watch: Discover the benefits of hiring veterans for security roles

Clarke Rodgers:
For sure.

Tom Avant:
So for AWS, it was like a natural fit. I've been in security for my whole life. I have joked before, I've had security clearance since I was 19. But coming into an organization that had values, Amazon was attractive because of those leadership principles. And when you get to understand what happens at AWS, when you really dig in, you're like, "Oh my God, so much of the world ticks because of the things that we do.” I get to have a piece of that.

Clarke Rodgers:
Let's talk a little bit about your current role at AWS. What is that current role and what are your responsibilities?

Tom Avant:
The primary thing is I run the AWS Security Operations Center, and then I also am responsible for AWS business continuity. So, two very different things, but critically important to the business in both rights. So, AWS Security Operations Center is responsible for tier one physical and logical incident response across the business. So, anything from a data center to S3 buckets, we are the front lines making sure that we monitor detections and then either triage those detections or route them to other people who can fix them if we can't do it ourselves.

So, for everybody wondering about their badge, we run that operating system and we do all the different integrations with that in order to make sure people get in and out of the spaces that they need to every day. And then also, that you don't get into the spaces that we don't want you to get into.

Clarke Rodgers:
For sure.

Tom Avant:
Right? So, the access control is very important. The business continuity piece is the resilience of all of our operations and our services. We attest and we say, "Hey, we have redundant systems and we trust these systems." And we tell customers, "Hey, we know that this is going to be good." And we want to make sure that when we tell them that, they know that we're not just saying that because it sounds cool. We're saying it because we've tested it and we've got people in the background working tirelessly to go back and retest and use all of our different things, everything from operational risk reviews to COEs to different ISO requirements in order to make sure that our services really are resilient.

Clarke Rodgers:
So, I assume things like red teaming and stuff like that falls under you?

Tom Avant:
That actually doesn't. That's in a different part of the business. But what we do is more like the TTXs or the exercises where we'll do a full-scale exercise and bring in people from all different parts of the business. And it's essentially a simulation to say, “Okay, what happens if we have a bad day? How do we respond? How do we react? How do we make sure the right things happen?” It never goes perfect, we learn so much stuff. We incorporate that, we put that in the run books, we share that with teams, and we go and we do it again.

Clarke Rodgers:
Running a SOC is a huge investment from a business perspective. How do you justify the expense, or do you even have to, based on the type of work we're in? Because when customers... I have conversations with customers, they're like, "Well, I'd love to have a SOC, but it's so expensive, the staff and the tooling and all this stuff." How do I make the business case for it with my leadership that we, in fact, need a SOC or maybe even just a SOC service if they decide to subscribe to one?

Tom Avant:
That's a complex question. There's a couple of answers to it. The first part is because we're awesome, so that's how you justify it. But no, it's through KPIs and data. And we have QBRs with our leadership. So, we consistently look at mechanistic ways to assess, “Are we providing and returning value to the business and to the customer?”

Clarke Rodgers:
Could you share any of the metrics that you use?

Tom Avant:
So, there's tons of stuff that we're looking at in all the different business lanes in order to make sure that we're returning that value to the business. For our access control system, we make sure that we talk about the system uptime and what the system downtime is, right? And we make sure also that for different configurations that we've applied, that we coordinate, what is the net gain off of those changes that we've put in place?

For detections, we look at meantime to detect, meantime to resolve. We look at the different types of detections we're coming in and we look at the value that's returned to the business in those spaces. For business continuity even, we're looking at different metrics about the different services that we have, broaden scope, the ones that are ISO certified, the ones that we have been able to make sure have gone through testing.

Now, the other part of that question, however, is at the same time, and maybe this is just because I grew up as a frugal person, but at the same time, I really believe in that first tenant, “Scale through humans as a last resort.” You come to me, you say, "Hey, do I have a great idea for you! I think that this would be a great job for the SOC."

Why do people say that? Because we're 24/7, and a lot of people are looking to offload something to the SOC, and they want to come over and say that. And I say, "You know what? Let's talk about the net benefit of this to the business." Because if you're asking us to help because this is a net benefit to the business, then absolutely. If you're asking us to do this because this is work that you don't want to do and you think other humans should do it, then I would say, "Maybe we should go back to OP1 and figure a way to automate ourselves out of this situation."

Clarke Rodgers:
For sure.

Tom Avant:
I'm still always telling my team that our job is to put ourselves out of a job. Our job is to continually find ways to either use automation or to make sure that we are driving detections down to a state where one day you go, "Well, why don't we have a SOC?" And I'll be able to tell you, "Once upon a time we did have a SOC." And that SOC went through and looked at all these different ways to be able to say, "We don't need to do this," or, "This could be automated," or "This could be better," or "We could push this upstream into a state where the SOC is no longer needed." That's my goal. I don't know if we'll ever get there, but it's certainly a goal to keep driving towards.

Clarke Rodgers:
Well, I actually had a question for you about that. If you were to look into your crystal ball, what does the SOC of the future look like? And I guess a different way to ask that question is, if you had a blank slate, how would you build out a SOC capability today?

Tom Avant:
I would say I'm looking at capability, because that's what it really comes down to. Or what is the capability that you gain from a SOC? What's a capability that you lose by not having a SOC or by outsourcing a SOC? The difference between the outsourcing part of that is you've got the company's interest first, and that's the reason why you want an in-house SOC — if you can afford it.

Clarke Rodgers:
And I guess internally, you're also going to have a knowledge of the business that an external party wouldn't have.

Tom Avant:
Absolutely. You're going to know who to go to. The other part of it, of being in-house, is your capability, right? Back to the capability. Make sure that you're focused on what you're delivering specifically for the business. And I think that you can be able to constantly tweak that because you're in those other meetings, like strategic planning meetings. So, as they're flowing down, you can understand that, "Okay, this is our new North star. This is where we've changed course." You can't do that if you're outsourced at the same pace.

And because business is moving so fast, you want to make sure that those people who are making those downstream actions are connected to the people who are making those strategic decisions, and therefore they're able to pivot really quickly. And that's one of the benefits of having an in-house. I would look at all of those things and I would say the capability, the North Star strategically that I've outlined, what type of protection posture am I looking for? And then what is my risk if I miss?

And when I think about that, I'm going to go…if that happens, can I look my customer in the eye and say, "I did everything possible to make sure this didn't happen," or am I going to punt and I'm going to say it was the other guy?

Generative AI and the future of security operations

Clarke Rodgers:
I love it. With the speed that technology is advancing, and of course with the generative AI tools that are out there, what do you see being that future SOC? I don't know if you can speak to if you're using any generative AI tools today, or you plan on doing it or investigating whatever the case may be, but how do you see that helping your SOC analysts and the other roles as well? And then from an attacker side, how are you thinking about how they may be using it so that you can either detect their activities or react to them?

Tom Avant:
We're starting to use it in a way of creating automated responses for some of our customers. And then we're also looking at automated workflows to be able to say, "Okay, we know that these are common workflows that come in — these are things based off our metrics that we're looking at, that customers are looking for a lot — how do we incorporate what our data is telling us with a more direct routing to the solutions that they're looking for and where they don't require human judgment, why don’t we remove the human completely from that chain?" And that's what we're working on right now.

Clarke Rodgers:
That's fantastic. And then from the adversary side?

Tom Avant:
The threat side's a real interesting one. It's such a new playing field. So, you're hearing so many different new things about injections into... People want to play with the technology, and they're just running out to all websites and just downloading. They don't even know what they're downloading half the time. You don't want people who are going to run into the fire. You want to assess the fire first and look for what is the best point of entry.

So, it's the same thing when we're talking about gen AI. What are the safe places to go? How do we make sure we validate that usage before we incorporate it? What are the different checks that we can run in the background and make sure we say, "Yeah, we feel really good about what we're doing," before we proliferate this. Because once it's in and it starts to propagate, that's not the time to find out that uh-oh, you did something wrong because now you're doing a cleanup and you're trying to catch up to the propagation. And that's just not fun, for those of us who've done it before for other things. So, you definitely want to look at it from a perspective of doing those pre-checks before you even break things in.

► Read the research report: Securing Generative AI: What Matters Now

And I think another threat that's tied to that that we're starting to see, which is probably an uncommon one, is regulation. It is probably one of the biggest trends I'm starting to see as we start to adopt more and more workloads to the cloud, as more and more customers are coming to the cloud. We go to more and more different environments, different countries. We're starting to see sovereign cloud pop up in more and more locations. The regulation is something that you actually have to think about. Before, it was an afterthought, and now it's at the forefront of a lot of our discussions. Before we go in and think about anything else, is how are we able to adopt and comply and still operate and maintain maximum value for the customer while also being in compliance and being able to communicate that?

Clarke Rodgers:
I think that is an incredible trend I've seen as well. It used to be we could have the conversation around security by design, right? Build security in, maybe even just in the prototyping stages, ideation stages of things. And now we're at the point where, “Oh, yeah, and privacy and compliance and regulatory obligations as well.”

Tom Avant:
Absolutely.

Clarke Rodgers:
I'm glad that you're seeing that, that people are pushing it further down into the stack so that when it comes to release time, you're actually aligning with things.

Tom Avant:
Absolutely.

Clarke Rodgers:
Well, this has been fantastic, Tom. I really appreciate your time today. Thank you.

Tom Avant:
Thank you so much for having me. I really appreciate it as well.