Overview
📖 AWS re:Invent 2025 - How Lumen Defender Managed Rules Supercharge AWS Network Firewall (SEC102)
In this video, Amish Shah from AWS and Sushmita Nayak from Lumen introduce Partner Managed Rules for AWS Network Firewall, featuring Lumen Defender Managed Rules powered by Black Lotus Labs threat intelligence. The session explains how AWS Network Firewall is a fully managed service that scales automatically up to 100 Gbps and now integrates curated threat intelligence from marketplace partners directly into the console. Lumen, a Tier 1 global ISP, provides unique outside-in threat detection by monitoring 200 billion+ flow sessions daily and tracking 2 million threats, with daily automatic rule updates in Suricata format. The integration enables customers to deploy network-level threat protection in minutes without operational overhead, complementing existing endpoint security with early infrastructure detection and actionable context about malware, botnets, C2, and nation-state attacks.
This article is entirely auto-generated while preserving the original presentation content as much as possible. Please note that there may be typos or inaccuracies.
Main Part
Introducing AWS Network Firewall and Partner Managed Rules for Simplified Security
All right, thank you. Hello, everyone. My name is Amish Shah. I'm the product manager for network and application services at AWS. I focus on network firewall and threat intelligence. I'm joined by Sushmita. She is the senior director of product at Lumen, managing managed security services for Lumen. We are extremely excited here to talk about how Lumen and AWS have been working together for the last couple of months to help you elevate the security of your cloud workloads.
Before diving deep into the joint solution, I just want to give you a brief introduction of what AWS Network Firewall is. AWS Network Firewall is a fully managed cloud firewall service. This is an AWS-native firewall service that allows you to deploy essential network protections, so you can inspect any traffic that is going in and out of your VPCs as well as apply filtering policies between your VPCs to stop lateral movement of traffic. The service is fully managed, which means you don't have to worry about deploying the firewall infrastructure. You don't have to worry about the maintenance upgrade of the software. It's done automatically for you and it horizontally scales automatically up to 100 gigabits per second, depending on your traffic volume.
We have a built-in stateful inspection engine on the firewall which allows you to write any specific rules that are required from your business application standpoint. You can write traffic matching rules based on IPs, fully qualified domain names, URL filtering. You can also do IDS/IPS, threat signature-based rules. It gives you lots of flexibility on how you want to control traffic that is leaving out of your VPCs. It's fully managed by firewall manager services so you can apply consistent security policy across your entire AWS organization and different accounts using that single pane of glass.
One of the things that I heard last year when I was talking about network firewall with the customers is we want simplified security. Especially managing rules at scale is a challenge for us. What can you do to make it easy for us? For that, I'm extremely excited to announce the partner managed rules on AWS Network Firewall. Earlier at re:Invent, we launched Partner Managed Rules, which gives you a curated list of threat intelligence from some of the top AWS Marketplace partners directly into the network firewall.
At launch, we partnered with seven vendors, including Lumen, to give you best of breed threat intelligence that you can now easily apply to your firewall policy and protect your network and improve your network security. What it means is now you get automatic updates on these threats directly into your firewall policy, which means you don't have to worry about writing your own rules, managing IP lists, domain lists, or writing threat signatures. It's all done by partners who have their entire team of security experts working on behalf of you and giving you the best of breed threat intelligence as well as keeping you ahead of attacks before they are even discovered using their threat intelligence.
It is fully integrated into the network firewall console, which means you don't have to worry about going to the marketplace to subscribe to those rules. You can do that directly from the console, and then you can with a few clicks apply those rules directly into your firewall policy. It's all done within the network firewall console, which significantly simplifies the operational complexity that was involved in either writing the rule or managing these policies at scale.
As you can see here, when you log into the console, now you will see an option to add partner managed rules. When you click on that, you will see a list of all available rule groups, including the Defender managed rule groups from Lumen, which is available on the console. It will tell you exactly what type of threats are being covered from those rule groups. Specifically talking about the Defender managed rule groups, you'll get coverage from malware-based threats, command and control threats, bot activities, and more directly over here.
So with one click checkbox, you can now add those rule groups in your Network Firewall policy. And this threat intelligence is coming from Black Lotus Labs, so they are using their global backbone and giving you and keeping you ahead of the attacks before they are even discovered. So this is how we are making it super simple for you, so you can get ahead of the attackers.
So here is an architecture diagram, one of the common deployment types on how customers deploy a Network Firewall to build a centralized inspection capability using AWS Network Firewall. And with this integration, you can now protect all your workloads within VPCs using Network Firewall and the threat intelligence which is powered by Lumen. So here is how you can deploy Network Firewall in an inspection VPC, and as I showed, you can add Lumen Defender Managed Rule Group on your Network Firewall policy. So with that, I will introduce Sushmita and have her walk you through more details on how this will all help you alleviate your network security.
Lumen's Outside-In Threat Intelligence: Black Lotus Labs Powers AWS Network Firewall Protection
Sushmita, thank you Amish. Hello all, thank you for joining this session. I'm Sushmita Nayak and I lead all of our network security services and threat intelligence products at Lumen. Before we talk about what Lumen's outside-in intelligence means and how it powers the firewall security, I want to introduce a little bit about who is Lumen and what kind of security products and solutions and what kind of threat intelligence we bring. So Lumen, for those who may be less aware, is really the Internet service provider that if you're a business of any size, whether you are a local data center or you have an office or a cloud data center, if you need Internet connectivity, most likely you are getting it from Lumen.
So we are one of the number one Tier 1 peer networks globally and we bring the Internet to all of your enterprises. Also proud to share that we provide the Internet connectivity for this conference re:Invent. It is powered by Lumen. With that introduction, I wanted to talk a little bit about what we mean by cyber intelligence and why is it important to have more cyber intelligence now than ever.
Really, attacks are escalating. The risks are real, and for anyone of you who is deploying a workload on AWS, which probably is most of you, you are worried about the attacks that are escalating all of your workloads, whether it is malware or proxies or botnets or phishing attacks or ransomware attacks or DDoS attacks. All of them have multiplicative growth in the last several years, and really what that means to each of you, if you are on a security team or you're on the network security team, you are worried about whether your cloud workloads are indeed safe.
Proud to announce that we are one of the launch partners with AWS to provide our Lumen's threat intelligence powered by Black Lotus Labs. Black Lotus Labs, for introduction, is Lumen's threat intelligence arm. I'll introduce more about who is Black Lotus Labs in a minute, but we are bringing in the proven Black Lotus Labs threat intelligence that is unique to our network at the visibility and the scale of our network and how it operates. For the first time, we're bringing this outside our network to the ecosystem, to AWS Network Firewall customers. Never before have we brought this threat intelligence to ecosystems like AWS.
So what's in it for you guys if you are a firewall customer? For the first time, as Amish was mentioning, when you are managing your firewall right within the AWS console, you can look up Lumen as a Partner Managed Rule and be able to subscribe to it and immediately deploy it into one or more of your VPCs or firewalls right away, getting protection from threat intelligence in minutes. So this is Lumen Defender Managed Rules. The net of it is that it is a managed rule set that is provided by Lumen and AWS. What that means is it comes at no operational cost to you. Lumen brings the rule sets in Suricata format to AWS.
AWS brings in those rule sets with automatic updates into your firewalls, protecting your networks without you having to worry about it, completely hassle-free.
Let's talk about why Lumen Defender Managed Rules matter. There's a lot of threat intelligence out there, so the question is, yet another threat intelligence, do I need it? I think that's the real question. There are three elements of what we bring to the table. One is early threat infrastructure detection. Lumen, because it's an ISP, because we have the most peered network globally, because we can see each of the traffic that is crossing our network because of our global status, we can uniquely identify good versus bad traffic. We can see it when the traffic is coming on a network, and we can immediately determine if it's good or bad traffic and we can stop it if it's bad traffic. So again, uniquely positioned threat intelligence from a network perspective by Lumen.
Second, rapid automated protection. What does that mean? As I mentioned earlier, you don't have to do anything. Lumen, behind the scenes together with AWS Network Firewall infrastructure, is automatically updating those rules, and I'm proud to share that we update our rules daily. This is pretty unheard of. If you are a CISO or a security team or a network security individual, you'll say, well, if I know a threat, I want to be able to protect from it right away. Most threat intelligence companies, most firewall companies protect on a few days a week when they update their rules. Lumen is probably one of the only vendors who provides threat intelligence updates daily.
Third is actionable intelligence with context. Let me explain what that is and why it's important. IPs, DNSs, URLs, they're all kind of cold elements like 192.5.235. What does that even mean to anyone? What Lumen brings is actionable context to that particular IP, explaining what is that IP, which threat actors, which malware, which category of attack it belongs to. Is it malware or botnet or C2 or proxy? What kind of severity is it? What's the reputation of that IP? We constantly have AI-led algorithms along with human intelligence rank and rate those IPs in terms of severity so that you don't have to do that.
So we're automatically classifying those IPs and automatically providing context. In the first version of the release, we have limited context, but we're working on providing enriched context. For example, if it's a malware, which threat actor, which threat family is it associated with? You want to know about that, which nation state actor has been involved with launching an attack from that IP. We are one of the few vendors who believe in providing actionable context along with your IPs so that when the IP gets blocked on the firewall, it hits the logs and your SOC teams are watching those logs. They're like, what is this IP and why did anyone block it? We give you the context. Because of these three reasons, I think Lumen's threat intelligence is by far one of the top ones.
Let's detail a little bit the architecture of how this works. Behind the scenes, starting on the left, you have Black Lotus Labs, which is us, our threat intelligence, which is looking at the global network, looking at our AI-led algorithms as well as human specialists and researchers who are looking at the attacks and curating the threat intelligence that is then being generated and formed into Suricata rules and reputation data that is being associated with it. These rule sets are being ingested in the form of Lumen Defender Managed Rules that are being then pushed into the AWS firewall if you have subscribed to it, and this then protects both the inbound and outbound traffic coming into your workloads or going out from your workloads.
The amazing thing is how AWS Network Firewall has brought the richness of this experience to you. It's not that you have to go into the marketplace and search for threat intelligence and learn about it and figure out what to do. They have built it right into the firewall administration page, the policy page, where you can go look up vendors that bring the threat intelligence and you can then subscribe to it, and within minutes you can apply it to your firewall or even hundreds of firewalls that you may have monitoring required for.
The ease of use and the product-led experience is a very big highlight in how security teams or network security teams can avail this functionality.
Why Black Lotus Labs Threat Intelligence Stands Apart: Network-Level Visibility and Actionable Context
I want to take a few minutes to talk a little bit about what is the Black Lotus Labs threat intelligence and why is it different from everyone else. The reason it is different is because we are powered by the network, and we can see the threat infrastructure being stood up even before the attack has hit your enterprise. To give you a parallel here, think about a bad actor. Let's say I'm a bad actor. I've come into the country with malicious intent. I've started to lease an apartment. I've started to contact my friends, ready to launch an attack on this country. Before I launch the attack, Lumen, because of its visibility into the network, can see what connections I'm making and start to create that intelligence and form. Because they know that I have a bad reputation, they know that other people I'm connecting to have bad reputations, so a combination of this intelligence is being used to find those network infrastructure and attacks much before the attacks are coming into the network.
We operate at a very big scale. We have 2 million threats that we track and block on a daily basis. We have 200 billion plus flow sessions and DNS queries that we are monitoring every single day, and we execute over 150 takedowns per month. Attacks are not new. Bringing down attacks is not new to us. We have a rich lineage over the last 10 years. You can see named attacks that Black Lotus Labs has prevented. We have been working with the public sector for the last several years, working discreetly with them and with the ecosystem of threat intelligence and security companies to block and take down these attacks that you're seeing here, whether it's Mirai back in 2018 to SystemBC REM Proxy much more recently. We are the specialists that bring down network-borne attacks like no one else does.
Going back to Lumen Defender and our credibility in bringing high fidelity threat intelligence to you, this is not a new space for us. We have been protecting our own networks for years, and we are one of the preferred vendors working with public sector companies to bring down nation-state attackers at all levels. For the first time, we're bringing this intelligence to commercial companies and enterprises, so we're extremely excited that you should try this out.
Again, I want to give another example to help people understand that not all threat intelligence is the same, because you may be saying, well, I already have threat intelligence from my endpoint security, from my firewall security, from my email security. Why do I need another one? Well, there's a distinction. Not all threat intelligence is the same. Let me use this analogy that one of my threat research leaders shared with me. Think of the United States and think of all the highways in the United States. All these highways are interconnected. Lumen has the most visibility into the most number of highways in the United States. Why does it matter? Because the traffic that flows on those highways, we can see those, and because we can see the suspicious traffic from probably benign traffic or potentially malicious traffic, we are able to spotlight those and take action on that intelligence.
All of this curated intelligence is being brought to you in the easiest way. And again, to those who are thinking about I already have intelligence from endpoint, the endpoint intelligence is super important. Take another analogy. It's like your home security. Each of our homes has sensors to protect our homes. Think of endpoint intelligence as that. Can it be substituted by Lumen Defender Managed Rules? No, you should not. We're not asking you to replace it because you need home security. You need neighborhood aerial view of what is happening in the neighborhood. You want us to say, well, 50 blocks, 10 blocks down from your home, something has happened. That's the kind of intelligence that Black Lotus Labs brings in. So don't substitute it with other forms of intelligence. Complement it.
Key takeaways. We are bringing threat intelligence previously uniquely available to Lumen only for Lumen's network. It is powered by the number one network fabric that connects all of your enterprises here. Global visibility for the first time is coming to AWS customers. It is product-led integration, so seamlessly available to you AWS Network Firewall customers. Please give it a try, and the reason for that is it provides you actionable intelligence, great context for your security teams, and automatically updated. So there is no fuss, pretty hassle-free and pretty affordable too. Thank you.
This article is entirely auto-generated using Amazon Bedrock.





















