HelpnetSecurity

AWS retools Security Hub for AI and multicloud threats


AWS added AI workload protection and Microsoft Azure security monitoring to Security Hub, its centralized security platform for collecting and prioritizing security findings across cloud environments. Support for additional cloud platforms will follow.

“Collecting findings was never the hard part. The hard part is understanding them, connecting them, and acting before an attacker does, and doing it at the speed attacks now move. The programs that win from here will be the ones that see across their whole estate and respond fast, not the ones with the most dashboards. That is what we are building toward, and these launches are steps on that path,” said Michael Fuller, Director a6 at AWS.

Azure security monitoring

Security Hub discovers Azure virtual machines, container images, Function Apps, and identities, then evaluates them for misconfigurations, internet exposure, and software vulnerabilities. It performs posture assessments against the CIS Microsoft Azure Foundations Benchmark.

Azure findings use the same format, automation, and response workflows as AWS findings, allowing security teams to assess risk across their organization’s environment through a single interface.

Earlier this year, AWS introduced Security Hub Extended, which adds integrations with partner security solutions across nine security categories. The service extends visibility and protection to endpoints, identities, email, browsers, and data across AWS, other cloud environments, and on-premises infrastructure.

AI workload protection

AWS introduced new GuardDuty capabilities for AI threat detection and investigation, along with an AI inventory in Security Hub, to help security teams improve visibility across AI workloads.

Amazon GuardDuty AI Protection, now generally available, provides threat detection for Amazon Bedrock and Amazon SageMaker. It detects unusual model usage, cost harvesting attacks in which attackers use stolen credentials to run AI inference at a victim’s expense, and prompt injection attempts through integration with Amazon Bedrock Guardrails.

Cost harvesting exploits compromised AWS credentials to access foundation models. Because AI inference is expensive, attackers can use stolen credentials to incur significant costs for victims. GuardDuty analyzes AWS CloudTrail data events to establish normal model usage patterns and identifies unusual activity that may indicate credential compromise or abuse.

GuardDuty AI-powered investigations, currently in preview, analyze GuardDuty findings to help security teams determine whether alerts represent malicious activity or benign events.

The feature examines finding context, related activity from the previous 90 days, affected resources, and threat intelligence to investigate incidents automatically. Each investigation includes a confidence score, MITRE ATT&CK mapping, supporting evidence, and recommended actions, such as suppressing false positives, containing threats, or remediating affected resources. It supports investigations across individual AWS accounts and AWS Organizations, helping reduce the time required to analyze and respond to security alerts.

Security Hub now includes an AI inventory that provides an updated view of AI assets and their security posture across an organization.

For AWS-managed AI services, Security Hub inventories Amazon Bedrock, Amazon SageMaker, and AgentCore resources through AWS Config. For self-hosted and external AI workloads, it identifies models running on Amazon EC2, Amazon ECS, and Amazon EKS, including the external model endpoints they access.

The service maps AI assets to the underlying infrastructure, including compute, networking, IAM roles, and data stores, and correlates them with security findings such as Amazon GuardDuty alerts. This helps security teams identify affected infrastructure and assess the impact of AI-related threats more quickly.



Source link