DEV Community

Kazuya

AWS re:Invent 2025 - Scale Security Operations with AWS Security Incident Response Service (SEC329)

🦄 Making great presentations more accessible.
This project aims to enhance multilingual accessibility and discoverability while maintaining the integrity of the original content. Detailed transcriptions and keyframes preserve the nuances and technical insights that make each session compelling.

Overview

📖 AWS re:Invent 2025 - Scale Security Operations with AWS Security Incident Response Service (SEC329)

In this video, AWS and Infor discuss their partnership in transforming security operations using AWS Security Incident Response Service. Mignona Coté (CISO at Infor) and Hart Rossman (VP of Security at AWS) explain how they reduced thousands of security findings to just 2-3 escalations by integrating GuardDuty, CrowdStrike, and Defender data through automated triage and enrichment. The session walks through a DNS data exfiltration triage workflow, shows the new agentic AI capability that produces investigation recommendations as soon as a case is opened, and covers six service enhancements including dynamic pricing and ITSM integration. Infor achieved a 99% reduction in manual investigations across its large AWS estate, with only 0.03% of findings requiring escalation. The discussion closes with views on future security trends, emphasizing AI-driven defense against AI-powered attacks and the move toward hyper-specialized incident response.


This article is entirely auto-generated while preserving the original presentation content as much as possible. Please note that there may be typos or inaccuracies.

Main Part

Introduction: Infor's Security Transformation Journey with AWS Security Incident Response Service

Welcome to this morning's session. We're going to talk about Infor's journey and how they transformed their security operations within their company by leveraging AWS Security Incident Response Service. Throughout this talk, we're going to provide some background on Infor and how they utilize their business to serve multiple industries within their ecosystem.

We're going to discuss the challenges that Infor presented to us and the things we had to think deeply about in terms of how to solve those challenges. We'll take you through the actual solution itself and the journey it took for us to get there. Then we'll wrap up by discussing how learning about Infor's journey helped us shape the Security Incident Response Service.

I'm going to walk you through a demonstration of how we can detect one of the attack patterns from GuardDuty or other detection tools and how we can use that to triage and get to true intelligence for you. Lastly, we'll wrap up with some questions in a panel-type discussion and talk about what's next for the service and what's next for security operations as a whole.

With me here are two of my esteemed colleagues. Mignona Coté is the CISO for Infor, and Hart Rossman is the VP of Security here at AWS. They are quite more fashion forward than I am, so enjoy the presentation, Mignona.

Thank you. Yes, we are fashion forward. We went shopping on Amazon the same night and got the same shirts. So what is Infor? Infor is an industry-specific, AI-driven cloud application. What does that really mean? It means we are built of several ERP systems that are specific to industries that deal with very complex operating environments.

Let me give you an example. Aston Martin is a cool product. What Infor does is allow Aston Martin to specify what color thread it wants in the car and to have it in each car as it's manufactured. That's the unique requirement that our customers have—what specifically needs to be in each product—and it builds out and lets them operate. What's really cool is that we have built our platform on AWS. We use hundreds of AWS services, which lets us represent with our customers the business intelligence and the security that only Infor can offer.

Three Core Challenges: Detection Noise, Collaboration, and Cloud Expertise

That's fantastic. When I think about Infor, they're involved in a multitude of different industries. When they came to us and stated that given the scope and the fact that they are a platform that's not built and then shifted to AWS but actually built into AWS, we had to think deeply about how to solve some of their challenges.

One of the things you think about is findings and detection tooling. Often they alert you on things that are maybe low risk or maybe critical findings, but oftentimes it's all mixed together. They came to us and said, how do I get to the point where I can make real intelligent decisions based on the findings that I'm getting, whether that be from one of my detection tools within AWS Cloud or maybe from my EDR solution that I'm hosting within my ecosystem?

So we had to solve for that particular challenge. The second piece was when something does alert you, how does your security team, your managed security service provider, and your vendor all work together in one particular environment so that we can share information and work together to get to the actual root of the problem. Then lastly, which is a challenge that most customers face, is how do I maintain the right level of expertise to be able to do incident response in the cloud environment?

AWS has over 300 services, and it's very challenging to hire security professionals that have that breadth of knowledge across all those particular services. So we came up with a way to be able to do so. Looking into those three buckets, we decided that we needed to get more proactive and not just think about the response element of security operations, but how do we shift left?

The Solution Architecture: From Ingestion to Intelligent Escalation

So we started looking at how we could ingest all of your GuardDuty findings and all of your third-party findings that can be integrated into Security Hub.

Infor took it a step further and partnered with us to build connectors to bring in findings from their Defender environment. They were able to bring in findings from CrowdStrike, which at the time was not integrated into Security Hub. We were able to bring in those findings, start enriching them, and reach a point where now we can triage. Now I understand your environment and how you normally operate. We begin to triage those things to reduce noise.

Mignona explained how large an enterprise they operate. We were not talking about five or six findings or two or three accounts. We were talking about a large estate of real estate that one small security team could not triage in a timely fashion the way they wanted to. Once we reach the point of ingestion and triage, we can make intelligent decisions about what is important. Now we investigate the rest, and those investigations have gone down from taking days or hours to now we can investigate within minutes. We were able to take findings from being maybe a day old to now being raised within minutes if they require attention.

Lastly, how do we escalate appropriately? How do we make sure we notify the customer of an event that we cannot make a determination on, an event where we cannot determine whether this is a false positive or a finding that is not really important based on the activity taking place in the environment? We can escalate those urgently to them.

DNS Data Exfiltration Case Study: Automated Triage and Suppression Logic

I mentioned I would walk you through an actual attack pattern that is very common among GuardDuty, and that is the DNS data exfiltration. There are multiple reasons why this finding may appear. Not all of those are malicious in nature. Some depend on what you are doing within your particular ecosystem. Infor has GuardDuty enabled to have these findings come in, and those findings will be realized within AWS GuardDuty. GuardDuty takes those findings and presents them to you in a dashboard form. You can have alerting mechanisms based on your settings. But Infor onboarded to AWS Security Incident Response Service. Now we are taking those findings and sending them through an EventBridge connection that allows those findings to come into our environment. When they come in, we have the triage responsibility aligned within AWS.

We send those through a number of automations that allow us to take in the GuardDuty finding and look at the EDR solution finding. We do not just look at that finding in a vacuum by itself, but we look at different telemetry from other areas of your ecosystem to let us know if that finding is actually a true positive or if it should be investigated or maybe it is an actual event taking place that requires incident response actions. Because it is inside the Security Incident Response Service, we are able to utilize the information we have learned from the environment. We are able to triage and now use some of the respondent intelligent processes through a number of scripts to see if maybe this alert triggered because of a pen test taking place or maybe this alert triggered because there is a mergers and acquisitions process taking place. We get that information back from the customer and feed it into the logic to make intelligent decisions.

When we are done with that, a responder, an actual human, is going to look at these findings and determine if the logic could not make a determination on its own based on what we know about the customer's environment. If the human has to look at it, they have two decisions to make. One decision is whether to create a suppression logic where we can suppress that finding because we recognize what the customer is going through. Infor has already outlined what is taking place within their environment. They let us know on the third Wednesday of every quarter they will be conducting these particular actions, and we are able to use that to create the right suppression logic. But if we cannot at that point, then we escalate. We escalate to the customer, we escalate to Infor. We let them know this is an event that we would like for you to validate. If this is expected behavior, we go back to the previous step of creating the suppression logic. If not, then we kick off a security investigation.
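
The triage flow just described, as an added example that is not part of the session and not Infor's or AWS's tooling: a GuardDuty Trojan:EC2/DNSDataExfiltration finding arrives as an EventBridge event, is enriched with EDR alerts for the same host, is suppressed when it falls inside a window the customer announced in advance (the session's "third Wednesday of every quarter"), and is otherwise escalated for the customer to validate. The EventBridge envelope shape and the finding type are GuardDuty's; the account, instance, timestamps, the EDR record schema, the six-hour correlation window and the choice of the first month of each quarter as the test month are constructed assumptions.

```python
"""Automated triage for a GuardDuty DNS-exfiltration finding: ingest the
EventBridge event, enrich with EDR telemetry, apply suppression logic for
activity the customer announced ahead of time, escalate what remains.
Added example, not Infor's or the AWS service's code; every identifier,
payload and schedule below is constructed."""
from datetime import date, datetime, timedelta, timezone

WEDNESDAY = 2  # date.weekday() numbering, Monday == 0


def _iso(ts: str) -> datetime:
    """Parse the 'Z'-suffixed UTC timestamps GuardDuty emits."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def third_wednesday(year: int, month: int) -> date:
    """Third Wednesday of a month (the customer's stated recurring test day)."""
    first = date(year, month, 1)
    return first + timedelta(days=(WEDNESDAY - first.weekday()) % 7 + 14)


def announced_windows(year: int) -> list:
    """Assumed customer calendar: a full-day (UTC) pen test on the third
    Wednesday of the first month of each quarter. The month within the
    quarter is an assumption; the session only says 'third Wednesday'."""
    windows = []
    for month in (1, 4, 7, 10):
        d = third_wednesday(year, month)
        start = datetime(d.year, d.month, d.day, tzinfo=timezone.utc)
        windows.append(("quarterly pen test", start, start + timedelta(days=1)))
    return windows


def make_event(last_seen: str, instance_id: str = "i-0abc123def456789",
               severity: int = 8) -> dict:
    """Constructed EventBridge envelope for a GuardDuty finding. Source,
    detail-type and the finding under 'detail' follow GuardDuty's EventBridge
    format; account, instance and timestamps are made up."""
    return {
        "version": "0",
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "account": "111122223333",
        "region": "us-east-1",
        "detail": {
            "type": "Trojan:EC2/DNSDataExfiltration",
            "severity": severity,
            "resource": {"instanceDetails": {"instanceId": instance_id}},
            "service": {"eventLastSeen": last_seen},
        },
    }


def make_edr_alert(instance_id: str, when: str, severity: str, name: str) -> dict:
    """Constructed, vendor-neutral EDR alert record (the session names
    CrowdStrike and Defender; this is neither vendor's schema)."""
    return {"instance_id": instance_id, "time": _iso(when),
            "severity": severity, "name": name}


def parse_finding(event: dict) -> dict:
    """Pull the fields triage needs out of the EventBridge envelope."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    d = event["detail"]
    return {
        "account": event["account"],
        "type": d["type"],
        "severity": d["severity"],
        "instance_id": d["resource"]["instanceDetails"]["instanceId"],
        "last_seen": _iso(d["service"]["eventLastSeen"]),
    }


def corroborating_alerts(finding: dict, edr_alerts: list,
                         window: timedelta = timedelta(hours=6)) -> list:
    """EDR alerts on the same host within +/- window of the finding."""
    return [a for a in edr_alerts
            if a["instance_id"] == finding["instance_id"]
            and abs(a["time"] - finding["last_seen"]) <= window]


def triage(event: dict, edr_alerts: list, windows: list) -> dict:
    """Decide suppress / investigate / escalate for one finding."""
    finding = parse_finding(event)
    edr = corroborating_alerts(finding, edr_alerts)
    # A second sensor agreeing on the same host outranks any calendar entry.
    if any(a["severity"] == "high" for a in edr):
        return {"decision": "investigate",
                "reason": "EDR corroborates the finding on the same host",
                "edr_alerts": [a["name"] for a in edr]}
    for label, start, end in windows:
        if start <= finding["last_seen"] < end:
            return {"decision": "suppress", "reason": f"inside announced {label} window"}
    return {"decision": "escalate",
            "reason": "no corroboration and no announced activity; customer must validate"}


if __name__ == "__main__":
    wins = announced_windows(2025)
    print(triage(make_event("2025-01-15T14:32:00Z"), [], wins))   # suppress
    print(triage(make_event("2025-02-03T09:00:00Z"), [], wins))   # escalate
    edr = [make_edr_alert("i-0abc123def456789", "2025-01-15T14:10:00Z",
                          "high", "dns tunnelling tool")]
    print(triage(make_event("2025-01-15T14:32:00Z"), edr, wins))  # investigate
```

Corroborated EDR activity is checked before the calendar on purpose: a scheduled test explains why GuardDuty might fire, not why a second sensor on the same host agrees, so that combination goes to a human as an investigation instead of being silenced by the suppression rule. In a real deployment the announced windows would come from the customer's change calendar rather than a hard-coded list.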

Service Enhancements and Measurable Results: From Thousands to Single-Digit Escalations

During this time period, we have reduced from thousands of findings down to maybe two or three findings that we actually escalate to the customer. That gives Infor significantly more time to focus on the primary core parts of their business. We took this feedback and enhanced the service even further than what we had already provided. Working with partners and customers like Infor, we have launched a number of different enhancements over the past year. These six enhancements are just a few examples where we are now integrating agentic AI into incident response.

The moment Infor opens a case with us, an agent automatically runs and provides key recommendations and starting points for investigation. The agent includes log extractions to highlight places to begin the investigation. Meanwhile, a security professional within AWS reviews those same results from the AI agent, and we communicate back and forth together to truly partner on the security operations journey for customers. We also adjusted our pricing approach, recognizing that the service needs to scale with the customer's business. We changed from a static entry point to a dynamic approach so that as your business grows, your pricing adjusts with you.

We looked at how we communicate with customers. There is automation where the service communicates with you, but there are also times when you do not want particular communications coming your direction. You are now able to filter those communications out. Certifications are important for many of our customers, including Infor. We focused on the most important certifications upfront, which was HITRUST, and we continue to build on that. Be on the lookout for additional launches of new certifications that the service has agreed upon.

We also received significant feedback about wanting to use existing ITSM and ticket management systems to integrate into the security incident response service. Additionally, we now allow you to onboard at the organizational unit level within that particular service rather than requiring you to onboard an entire organization. We have taken all this feedback, integrated all these enhancements, and we got the results back from Infor.

We started this journey with Infor having a large estate of AWS accounts. With an estate that large, you have many endpoints, systems, and applications involved within your environment. We were able to take all those in, triage those particular findings, and see real gains from that. When you think about a typical security operations team manually investigating each finding that comes up, we are able to save a lot of time in their cycles. Now their team is able to respond to and focus on harder problems that humans should be dealing with today because automation and technology are doing a lot of that triage and tier one work on their behalf.

Security Incident Response AI Agent: Real-Time Investigation and CloudTrail Analysis

Even when we get down to the 1 percent that was investigated and the 0.03 percent that was actually escalated, they were all expected patterns of behavior. These were penetration tests taking place, activities and game days that the customer was conducting that we did not have knowledge of. We were able to find this pattern, find this activity, and escalate to them in a timely fashion. That in itself was a huge win for you and your team, allowing your team to get back those hours in the day to focus on harder problems. One of the last things I want to discuss is the security incident response AI agent. There has been a lot of energy and excitement about agentic AI in many places. One of the places we felt deeply about was how to implement this in a security incident response environment. What does an AI agent look like in incident response? If you think about most threat actors, they have always tried to use what used to be admin tools against the actual organization. So what we figured was we could use an AI agent to help us with this particular problem.

As attack patterns become more sophisticated and attacks occur at greater speed, AI is the only way for us to keep up with these patterns. We've incorporated this deeply into our operations today. You can go into the Security Incident Response console, open up a case with AWS, and based on the information you provide in that case, the AI agent will start running on your behalf immediately and begin going through your CloudTrail. It will look at areas within your environment that align with that particular attack pattern and even identify things you didn't call out, telling you that this is also something it has seen that could be an area of concern you might want to examine, along with recommendations.

We're excited about the security response AI agent. It doesn't have to be enabled—it comes by default to customers when they access it. We've been able to utilize this with Infor on a couple of their cases and have gotten some interesting results that really opened our eyes to some points we could start with in our investigations. I'd like to talk through Infor's recent journey with us. A couple of weeks ago, we had an opportunity to work closely together to understand how they think about penetration testing in their environments and how they approach testing during game days when they're challenging their security teams to exercise their response capability.

Before we got the results, I had anxiety because I didn't know what they would show. One of the gentlemen who reports to me called and sent me a message on Saturday asking if we were okay. We were okay, but we did find some things. The results came from pen testers. We do a lot of penetration testing because we have 200 products in our multi-tenant environment and have regulatory requirements for pen testing, so we allow for it. I was proud that the technology found it. We had another penetration testing situation where I instantly initiated the process, which was great for letting us test the environment. Within seconds, AWS was able to look at everything and let us know we were comfortable with what it was. I really appreciate the speed of execution.

When we started, I think what I saw was that we flipped a switch and it was on. I'm sure there was more than that in the background, but it enabled us to actually scale across a very large environment. We're 77 percent overseas and work with many different companies that have strong name recognition overseas about what we provide. To know within a moment that we're okay is great. The investigation tool is really exciting. I hope I'm going to have to trust you that I will never have to read or write another playbook as long as I live.

One of the things being discussed here is that the moment you enable the service, we begin triaging your findings right away. When they virtually flipped the switch to turn it on, their concern levels were very high about what would be found. There have been times when we've worked with customers and been brought in for one issue, only to notice that there has actually been activity in the environment for months—multiple months. You don't know sometimes what you don't know. Infor had a very clean environment, but you never know until somebody looks underneath your hood what your environment really looks like. There had been six months of activity in the environment.

The Team Sport Approach: Integrating CrowdStrike, Defender, and Partner Ecosystems

I heard about it, and I was like, oh no, that can't be us. It wasn't. So how are you thinking about this from a senior level? There are a few things going on here. First of all, I'm super excited to have the one-year anniversary of the service. We had early adopters like Mignona and Infor and many others. One of the things that I love that's played out, and we haven't emphasized it a lot yet, but maybe we can now, is this idea that it's a team sport. It's not just AWS and Infor in this case, but we've got CrowdStrike and other partners who are deeply embedded with the customer, providing MDR, providing incident response, and other things.

It's really incumbent upon us as defenders to make sure that the adversary doesn't have any unnatural advantage, and one of the best ways we do that is by bringing the best and the brightest together to provide that active defense. When we were first talking to you, having the ability to work with your existing partners was so critical. Can you tell us a little bit about that? Because we're everywhere, we have a lot of partners, and it's not only just what we see in AWS but also with CrowdStrike and Defender. We run both of them, and then we have a lot of other add-on tools that we run for the layered defense type of process. If I just look at it, we've got the powerhouse of what AWS sees.

I asked you a while ago how much of the Internet do you cover. In 2019 it was one third, and I don't know if you have an up-to-date number on that, but AWS is out there pretty much hitting a large part of the Internet, so you're going to see things. Then CrowdStrike is going to see data from a different lens, and then Defender is going to see it from a different lens. You take all that and you glue it together. It helps you have comfort in what you see to know that it's really valid.

The other thing I like particularly about our relationship is that you've been very active in paying that forward to your customers and your partners. You've been able to explain that sort of value proposition that working with Infor on top of AWS with this whole security ecosystem at your disposal really is a benefit to your customers and partners. If you think about the standard ERP customer, my entire career when you join a company, you get put on an ERP rollout assignment. Usually the people who are running the assignments are not your security people. It's more project managers and business operations, and then there's the CFO who pays the check.

So you have to talk and communicate the value of what you're doing to these audiences, and then it goes to the board because they're paying the check. This gives us a chance now to share with them a really scalable solution for our partners. When they talk to their customers or when they have the interactions to sell, they're not selling to security people but to audiences that want to know that we're secure because they read what's in the media. That's the lens of what they've got from security—what is in the news or what an auditor has shared or what is a regulatory requirement. So we give them the information that they need to know for three pillars, but more importantly is what is in the news, and that's where the frantic happens. Can this happen to us?

When that question comes about, we now say we've got these powerhouses—CrowdStrike, AWS, Defender. You've got these large companies that are watching everything that's happening and they're responding instantaneously when something happens. We've got all of that looking at our environment. How cool is that? Absolutely, and it's super fun to be part of that journey with you and your customers and your partners.

Agentic AI in Action: Kiro's Impact on Threat Research and IOC Investigation

The other thing I'm super excited about, Lindsay, as you mentioned, is the agentic workflows that we're exposing to customers now. I know you talked through in depth. It's the tip of the iceberg. One of the things we're seeing very early on is that the more we can do to reduce undifferentiated heavy lifting, the more we can do to speed up an investigation and reduce the time to value or security value there, the better off we are for everybody.

To go from a bump in the night to everything was all right as quickly as possible is really the name of the game. Agentic AI and generative AI is an absolute game changer for us, an absolute game changer. We use it internally as well. We just have now been able to expose it to customers, but we try to start with AI in-house and figure out how we can do that where we're not putting more pressure on the cognitive load of the incident responders.

We need to find ways to relieve and alleviate some of that. Our response teams, engineering teams, and product teams all work together in order to produce the best possible product. We try to do that first using AI. I try to use AI at least once a day now because I've seen so many benefits from it. Coming from being a traditional security person, starting off as a traditional IT administrator where I felt like I had to do everything myself, AI has changed that completely. The API calls and the way it's able to integrate, especially with a lot of our authentication systems, allows us to develop enhancements that enable us to conduct incident response a lot faster. It is an absolute game changer the way we're able to incorporate AI now into security operations.

One of the things I've been really impressed with is the way that our threat research folks have embraced agentic AIs. Using Kiro, I've watched that team go from an old model of whiteboarding something, looking at some data, and getting a war room collaboration mentality together to now getting a data point and going right into Kiro using a natural language prompt to really spec out what it might look like to create a detector or create a mitigation strategy. They either use that to feed into the service teams to go do the work or actually go right from the spec in Kiro into proof of concept code. This reduces the undifferentiated heavy lifting, increases collaboration, and speeds up resolution in ways that are unheard of.

The changeover was quick. It's not like they spent weeks and months trying to learn the technology. Literally within an hour or two, they went from having an idea to trying a natural language prompt, seeing it actually work, looking at the spec, and deciding the next action. It's mind-bogglingly cool. I used Kiro last week before I came to re:Invent. I had an indication, an IOC that I had from one customer, and I was interested to see if another responder had identified a similar IOC. So I threw it into Kiro and told it to look at my resolver group, look at my particular ticket queue, and look for this IOC anywhere else in the environment. It gave me back a summarization of the number of times that this IOC had been seen and what that IOC could have been doing throughout the environment. It gave me a full write-up on it.

I was able to use that, talk to my team, and they thought I was a genius at first, so I told them it was Kiro. But it really allowed us to move faster to be able to make a decision on how we wanted to address that particular IOC. Instead of looking at it in a vacuum, we were able to actually put a block in place widely. So we can prevent that action going forward and working with the service teams and working with our threat intelligence groups to be able to get that information out to the public faster.

If we have a finding, can we use Kiro against that finding to see if it's somewhere else as well? It depends on how you have your MCPs. We have MCP servers that are set up that I built specifically looking at my ticket queue. You can create an MCP server internal to have it start searching through the rest of your environment that maybe isn't covered by us because we're going to do it for you on your behalf for those that want that. But if you would like to do a subcord, you absolutely can. It just sounds intriguing.

Building Security Culture: Champions, Escalation, and Innovation Without Fear

Speaking of questions, I prepared a few ahead of time, and I hope it's okay with you and Lindsay if I ask you a couple of them. The first question is about this idea of a team sport. For you and Lindsay, how are these multifaceted security partnerships preparing you for opportunities maybe as far out as 2030? How do you think investing in those relationships now is going to pay off in the future? For me, the way we think about our partnerships is that threat actors work together. You've seen in a number of public cases where a threat actor gets into an environment and actually buys credentials from another threat actor, and then there's another threat actor handling the payment processing systems. We got the notion that we can't do security by ourselves, so we bring in partners, we bring in other solutions, and we have regular interactions with one another in order to test out these flywheels. How do I feed information to a partner?

How do I receive information from a partner, and then how do we work together? When we think about 2030, we cannot do security the same way we're doing it today. We're always leveraging what is the next ridge line that we have to cross. What happens if we had a situation where we had to do incident response across 20,000 accounts? How do we do that at scale and at a tempo that can still be at the right pace so we don't cause any harm to the actual customers or to other businesses?

Security used to be a back office function. Security now is a core process within most businesses where we have to have a seat at the table to understand where the business is going. As businesses are starting to move towards OpenSearch and using open source technology, and as businesses are looking to leverage more Bedrock and other services, we can't be behind in finding out how to secure these particular products. We're looking to integrate more within the businesses in particular areas like marketing and product teams so we can move with the business instead of being perceived as blockers or being late to the party as it relates to new technology.

I want to pick up on a phrase I heard this morning about not being defined by the badges we wear. We become one team. Thinking about what's coming up with 2030, which is pretty quick, and reflecting on what's happened over the past 30 years I've been doing this, I'm doing some of the same things I've been doing for the past 30 years, and I'd love to see that go away. I really see what some of the work with Amazon GuardDuty and others is doing, and hopefully we won't have to use the word scanning anymore or password management.

We remove the processes of what we traditionally know security to be. To your point about working closer with the business, we can then enable security from a different lens on how we operate in a company to help it make more money, become more efficient, but do it in a secured way because security then becomes codified. It's removing all the mundane tasks. If you think about scanning and vulnerability management, it's kind of like writing lines in elementary school. Our life has become that with some of the processes that we have to do. We see us overcoming all of that, overcoming all the metrics and all the data collection, instead enabling growth.

As we're talking about it, I think of your point about Amazon supporting a large swath of the Internet, and it's a responsibility we take very seriously. We've got a lot of focus on how to stay resilient, how to stay secure, how to stay safe. It's not just the terrestrial Internet anymore. We're talking about space and the very real possibility of interplanetary communications in our lifetime. Thinking about the ability to do that as well, when you think about disconnected or deployed systems like an oil well or a tanker that is very hard to reach, but once you've got a satellite up in the sky, it's impossible to recall it for a patch or to investigate an adversary that might be poking around inside it.

Taking services like the AWS Security Incident Response Service, the relationships we're investing in today with customers and partners like yourself, CrowdStrike, Palo Alto, and others, we're thinking about how we ensure that we can provide the safest computing environment for our customers, no matter how far out they want to go, to space and beyond. That's really a top priority when you think about what we need to be investing in today to realize that in 2027 or 2030, which as you point out, is not too far away. It's pretty close. You need to give us a stretch goal.

Another question I was curious about: both of you are big tenured leaders in the security space. What are you doing to invest in the security culture that allows your responders and engineers to innovate fearlessly? Security culture is a big thing for us, and it's not just within our company, it's actually working with you guys and working with our customers as well. We've actually built what's called a security board with nine senior leaders that represent the development community of our organization. We're starting to unify the knowledge sharing across the developers.

That's where the magic happens. When you go in as a security practitioner with all the answers and say what you can and cannot do, the approach changes when you leverage those who create the technology. They bring different thoughts and processes because they don't have the legacy thought processes in place. We've done that through our security board working with the product groups, and we've also built what's called a security exchange.

The security exchange brings in different people within the company who don't necessarily have to be security professionals but have an interest in contributing. The objective is similar to what AWS had with a Slack channel where you exchange ideas. When a threat comes up, everyone checks their environment. If you have a question about how to do something, you ask it. If you want to ideate on a way to look forward, you do that. By embracing and bringing others into the content, you see a richness that comes out because security is no longer just the security group. Security becomes the organization.

Our marketing and communications teams, who are present today, have put security in almost everything they talk about. We embrace the word security because it is on top of every company's mind, and we use it to our marketing advantage, letting companies know that we're doing it. Our culture is how we operate with you and with our customers, and we do have 90,000 customers worldwide.

I think about security similarly. I think about everyone being involved in security. When we think about service teams, product teams, and folks that work in business intelligence, that's a security component to everyone's business. We need our customers, employees, and users to have a security mindset because sometimes one of the easiest entry points into someone's ecosystem is by sending out phishing emails, spear phishing campaigns, or doing social engineering activities. These may sound like legacy activities, but they are very effective techniques and strategies being used and deployed today.

Everyone has to have a security-focused mindset. We took it a step further by creating security champions and a scouts program of professionals who are really champions behind security within the organization. Sometimes these are people who look around corners in a different way than the security team might see. They're embedded within other lines of business throughout the company, and we've seen a lot of value from that. When they are champions and part of the scouts program, they have a different lens, and they're able to tap their colleagues and say things like, "You don't have the right alt attached to that," or "We need to fix that," or "How about we not deploy that code until we get an application security review on it."

We've seen that really transform our culture of security. Lastly, we really love escalating. Escalation is truly built into the fabric and DNA of our organization. There's no hesitation and no fear in escalating. The best thing about it is whenever we have the opportunity to escalate, one of the first responses I hear from leaders is thank you for bringing me in and for urgently bringing this to my attention. The next question is always, "What can I do? How can I help?" They want an action to take to help with that particular use case.

That's enriching and a great way to have a good culture. A wise man once said, "Don't hesitate to escalate," and that wise man might be on stage with us today. We've got other great things that kick around the company. We've got a character on the team, Paco, who has this idea that security exceptions require exceptional security. If we're going to do hard things, it's an opportunity to raise the bar for the way we do security around them. All of that, listening to wise words from others, is this idea that to have a strong security culture, you have to groom it. You have to garden it, and you've got to be a student of the culture.

To learn about the way things are working today, how they're working, and why. If you're going to have a strong security culture, you've got to understand the corporate culture itself and how they dovetail in. Then you've got to be an advocate, right? You've got to be a thought leader, as Mignona and Lindsay have discussed today.

Then you've got to put on your builder hat and say the security culture today may not be the security culture of tomorrow. What can I do regardless of where I am in the organization to build that right culture, to build that right mental model so that others can innovate and achieve what maybe they didn't think was possible? Mignona, you mentioned that directly. It's like let's stop focusing on necessarily some of the guardrails and let's focus on the opportunities that present themselves, right?

Having that kind of student, steward, builder mindset as we're talking about security culture is so powerful, right? You don't have to be the CISO to be able to do that, right? Anybody can build security culture from anywhere in the organization. For me, that's what I want to see more of in the future for all of our customers and partners.

Generative AI Adoption: Unlocking Efficiency and Growth Across the Business

In that same vein, how do you see your security strategies today allowing you to more comfortably adopt agentic AI and generative AI in the core business? Not necessarily security applications, but by doing some of the things we're talking about in security from your strategic standpoint, how are you unlocking opportunities for the business to go do interesting things with generative AI?

We're unlocking it for our customers as well. In our platform, we have what's called Velocity Suite and a set of modules that you get with our product that actually shows how to do process mining and other things that help companies operate more efficiently and make more money and create their competitive advantage on growing. In our company, what we're doing is taking the same training our developers are taking and all the others because we want to think like our customers think. So we're looking at how we can actually enable growth and efficiency.

I cannot get past efficiency because there's so much stuff that we just waste time on every day. This is going to help us get to where we are not thinking about that, and then we get to another realm of creative thinking and start using our critical judgment. We get back to where we were when we're in our youth, thinking about how to do things. Then growth is going to expand on ideas.

One of the ways I think about that is a little bit different because I'm not thinking about it from a financial standpoint. I'm wondering about it from a time perspective, right? You mentioned not doing some of those smaller tasks, and I think back on when we try to create. We're a very data-rich organization, right? There is a huge amount of data that we have to get through to try to make sense of, based on the conversation that we're having and based on what we need.

I think one of the ways we can do that is by being more transparent in the use of AI and responsible use of AI. When we think about that, we think about it from the standpoint of having the technology that's been authorized, right? We've gone through the right security controls to make sure that the right information can be presented to the right authorized user. It's being transparent when we use those things.

When we go through our business reviews, there are times where I will tell them that this particular presentation that you're seeing right now was actually created by Kiro. Or I have the right attachments built in within my web browser so that if I'm on a particular web page, I can ask questions to Amazon Q in real time to be able to give me information that I need. Maybe the page is too rich, maybe it's too much information. I need to quickly get to a decision, and I'll be able to ask Amazon Q right there on the spot.

When I think about those types of APIs and I think about the integration with a lot of our AI tooling, I think that's the best way to get more usage and more adoption throughout the company and the organization. It's been truly phenomenal.

The Future of Security Incident Response: AI-Driven Defense and Hyper-Personalization

So we're running up against time here. Last question: the future of security incident response. Just a couple of thoughts on where that space is going. I foresee incident response being a race against time.

More threat actors are already deploying scripts, and many threat actors are using scripts to form attacks. I foresee that threat actors are going to start using AI models to continuously run attacks, not just from a DDoS perspective where attacks will be able to adjust to your defense mechanisms. If you think about how we do security operations and defense in a traditional environment, those would not be effective against an AI attack. We're going to need AI to defend against an AI attack.

I see threat actors becoming more shape-shifting, looking for other pivot points in real time through AI agents. As you begin blocking protocols and defensive points, they're going to continue to transform and adjust to your defensive posture. We've been talking a lot about supply chain attacks. We need to get to the point of supply chain defense where we are constantly meeting the demands of the future using AI and leveraging that within our environments and ecosystem.

I envision we really don't need a SOC anymore in the future. I keep asking the question: why don't we use the same ticketing system that our IT team or developers use? If you look at a company, each group has their own ticketing system and their own way to handle problem tracking and troubleshooting. Instead, it should morph into one thing. If something happens that's not normal, then there's an automated process to address it. When it's not normal, that means it's going through AI analysis and something really weird is happening.

The most awakening process was listening to how Amazon handles incident response. You don't have an L1 and L2 anymore because if something abnormal happens, a ticket is automatically generated to the owner of that transaction. That person researches it, and only L3 type activity comes to the responder. I see that L3 activity going to a support team. How do we start scaling down the support team? There's a lot of synergy in these processes. We talked about it in the data center days with fusion centers where you have security monitoring, data center monitoring, physical security group monitoring, bringing it all into one screen.

One of the trends I see emerging is hyper-specialization or personalization. Today you might have a centralized investigative chatbot or AI that all responders work with. In the future, I think one very real possibility is they'll each have their own individualized bot trained on their research methodology, their case data, their courses of action, maybe some of their public speaking so it has an understanding of their philosophy or approach. They can get much faster outcomes in the style and manner in which they have expertise.

We're already seeing that today. A lot of public speakers have a speaker bot with all their YouTube videos, scripts, and everything. For a new topic, you say write me a speech like this other one I did but on this new topic, and it generates it. I see the same thing happening for responders with a lot of hyper-specialization and personalization. You could have an agent of agents, which is what we talked about, and that's similar to what we're discussing. Could I have a holographic figure deliver the speech for me then? That would be even better. Well, the holographic image would not be as fashion forward as you are right now, so I think that would be one of our robots then.


One of the things that we do want to offer is the ability for everyone who wants to continue on their cloud journey. If you want to elevate your knowledge and take a couple of courses within AWS Skill Builder, you can get access to the Security, Identity, and Compliance area to learn more about security operations and how to do that within the cloud. I do want to take the moment to thank you for your time and attendance here on stage. I appreciate you and the valuable questions that you asked. Those were hard questions, but thank you for your insight and thought leadership.

If you do have any questions, please catch us outside the doors of this room, because this is a silent session and we can't do a live Q&A, and we'll be able to answer any questions that you may have. With that being said, thank you all for your time.


; This article is entirely auto-generated using Amazon Bedrock.
