In September 2022, there was a critical bug in Confluence, CVE-2022-26134, which was under active exploitation. Due to the nature of the vulnerability, customers could find out if they were impacted, but they couldn’t necessarily determine the initial infection point. They could have been exploited 3 days, or 90 days, or even 3 years prior. And data older than 90 days isn’t retained by most EDR vendors. Even worse, if a customer had switched EDR vendors, they would no longer have access to even the last 90 days of their data.
This is but one of many real-world examples of why customers should have direct access to their EDR data.
You might be wondering, “This is my company’s data – why can’t I use it?”
Well, there are a few reasons. For one, every vendor has their own taxonomy for how data is stored and indexed, so even if you had access to it, you might not be able to do anything with it.
Some large enterprises have their own tooling to enable teams to discover things about threats in their environment – like the initial attack vector for a specific CVE – but if they change vendors or don’t have direct access to the raw data, it’s hard for even those specialized teams to do their job. There are APIs, messaging frameworks and data formatting differences to navigate. It’s a lot of grunt work before getting any real value out of your data.
AWS sought to solve this problem, and Trend was on board from the start. We believe that this is your data, and it should be owned by you. We were thrilled AWS was creating a solution to this business problem.
Amazon Security Lake
With data contributors like Trend Micro sending customer EDR data to the customer’s owned data lake in AWS, you now have control of and access to your data.
The full lifecycle of the data, with full autonomy over data governance, stays under the control of your teams.
This allows for a new and unique way for data analysts to have access to EDR telemetry in a way that makes sense for them while still allowing the SOC to have the XDR console and information they need.
But what about taxonomy?
Amazon Security Lake is a great central location for analysts to work with their data from across vendor types – Trend’s EDR data is just one data type available to customers. But having it in one place under your control doesn’t matter if the individual vendors are all using different naming conventions and indexing approaches.
AWS partnered with Splunk and a few others earlier in 2022 to solve this problem first. The Open Cybersecurity Schema Framework (OCSF) was launched at Black Hat US 2022 to help defenders spend less time on collecting and normalizing threat data and more time on analyzing and acting on it.
OCSF was the precursor to Amazon Security Lake, so the normalized data taxonomy was already in place. By using OCSF, ISVs provide normalized data to customers that can be analyzed and used in one place.
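To make the normalization point concrete, here is an added example (my own illustration, not Trend Micro's or AWS's code) that maps two constructed EDR export formats, one from a "previous" vendor and one from the "current" vendor, into a single OCSF-style Process Activity record and then runs one hunting query across both. The vendor payloads are invented; the OCSF field names and numeric codes (class_uid 1007, category_uid 1, activity_id 1 for Launch, severity_id 1 for Informational) are my recollection of the public schema and should be checked against the OCSF version your pipeline emits. It also shows the retention problem from the opening paragraph: querying only the current vendor's data gives a much later "first seen" date than querying the full history.

```python
"""Added example: normalise two vendor EDR formats into OCSF-style events and
hunt across both. Not Trend Micro's or AWS's code; vendor formats constructed."""
import os
from datetime import datetime, timezone

# Constructed sample export from the previous EDR vendor (ISO timestamps,
# bare process names). Command lines are harmless placeholders.
VENDOR_A_EVENTS = [
    {"ts": "2022-03-14T02:17:09Z", "host": "confluence-01", "evt": "ProcessCreate",
     "proc_name": "bash", "cmdline": "bash -c uname", "parent": "java"},
    {"ts": "2022-03-14T02:17:10Z", "host": "confluence-01", "evt": "ProcessCreate",
     "proc_name": "uname", "cmdline": "uname", "parent": "bash"},
]

# Constructed sample export from the current EDR vendor (epoch milliseconds,
# full image paths, different key names for the same concepts).
VENDOR_B_EVENTS = [
    {"eventTime": 1663891200000, "deviceName": "confluence-01",
     "eventType": "PROCESS_START", "image": "/bin/sh",
     "commandLine": "sh -c id", "parentImage": "/usr/bin/java"},
]

# OCSF codes as I recall them for Process Activity (assumption; verify).
OCSF_CATEGORY_SYSTEM_ACTIVITY = 1
OCSF_CLASS_PROCESS_ACTIVITY = 1007
OCSF_ACTIVITY_LAUNCH = 1
OCSF_SEVERITY_INFORMATIONAL = 1


def _iso_to_ms(iso: str) -> int:
    """OCSF 'time' is epoch milliseconds; vendor A ships ISO-8601 UTC."""
    dt = datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def _process_activity(time_ms, hostname, name, cmd_line, parent_name, vendor, raw):
    """Build one OCSF-style Process Activity (Launch) record."""
    return {
        "category_uid": OCSF_CATEGORY_SYSTEM_ACTIVITY,
        "class_uid": OCSF_CLASS_PROCESS_ACTIVITY,
        "activity_id": OCSF_ACTIVITY_LAUNCH,
        "severity_id": OCSF_SEVERITY_INFORMATIONAL,
        "time": time_ms,
        "device": {"hostname": hostname},
        "process": {"name": name, "cmd_line": cmd_line},
        "actor": {"process": {"name": parent_name}},
        "metadata": {"version": "1.0.0", "product": {"vendor_name": vendor}},
        "unmapped": raw,  # keep the original record so nothing is lost in mapping
    }


def from_vendor_a(ev):
    if ev["evt"] != "ProcessCreate":
        raise ValueError(f"unsupported vendor A event type: {ev['evt']}")
    return _process_activity(_iso_to_ms(ev["ts"]), ev["host"], ev["proc_name"],
                             ev["cmdline"], ev["parent"], "VendorA", ev)


def from_vendor_b(ev):
    if ev["eventType"] != "PROCESS_START":
        raise ValueError(f"unsupported vendor B event type: {ev['eventType']}")
    return _process_activity(ev["eventTime"], ev["deviceName"],
                             os.path.basename(ev["image"]), ev["commandLine"],
                             os.path.basename(ev["parentImage"]), "VendorB", ev)


def normalize_all():
    """Both vendors' history as one time-ordered OCSF-style stream."""
    events = [from_vendor_a(e) for e in VENDOR_A_EVENTS]
    events += [from_vendor_b(e) for e in VENDOR_B_EVENTS]
    return sorted(events, key=lambda e: e["time"])


SHELLS = {"sh", "bash", "dash", "zsh"}


def earliest_shell_spawned_by(events, parent_name, hostname=None):
    """Hunt: first time `parent_name` (e.g. the web app's JVM) launched a shell.
    Works on any OCSF-style stream regardless of which vendor produced it."""
    for e in sorted(events, key=lambda e: e["time"]):
        if e["class_uid"] != OCSF_CLASS_PROCESS_ACTIVITY or e["activity_id"] != OCSF_ACTIVITY_LAUNCH:
            continue
        if hostname and e["device"]["hostname"] != hostname:
            continue
        if e["actor"]["process"]["name"] == parent_name and e["process"]["name"] in SHELLS:
            return e
    return None


if __name__ == "__main__":
    full = earliest_shell_spawned_by(normalize_all(), "java")
    recent = earliest_shell_spawned_by([from_vendor_b(e) for e in VENDOR_B_EVENTS], "java")
    print("first java->shell across all history:", full["time"], full["metadata"]["product"]["vendor_name"])
    print("first java->shell in current vendor only:", recent["time"])
```

The same query runs unchanged over both vendors' records once they share the schema; the `unmapped` field keeps the raw payload so an analyst can still reach vendor-specific detail. Run against only the current vendor's export, the earliest java-to-shell launch appears in September 2022; run against the full lake it is found in March 2022, which is exactly the gap the post's Confluence example describes.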
We’ve really enjoyed supporting each step of this project as a launch partner for both OCSF and Amazon Security Lake.
Together, we’re putting the customer in control, making critical data available to them from third-party security and analytics solutions of their choice.
After all, it is your data – there shouldn’t be significant barriers to using it.