When a company is the size of Amazon, a lot of bad actors will come after it and its customers, which makes defending the network a monster job. Over the years Amazon has developed a number of strategies, from machine learning and monitoring tools to good old-fashioned phone calling to identify and reduce risks to their network.
The company on Monday revealed an internal umbrella platform for the first time that has been in place for several years, called Mithra, which it built to handle Amazon scale. The main piece of technology underlying the solution is a massive graph database with 3.5 billion nodes and 48 billion edges, according to C.J. Moses, Amazon’s chief information security officer (CISO). (Mithra runs on internal systems inside Amazon as opposed to being a service that customers pay for directly.)
Moses says in simple terms that Mithra is basically a big funnel. “We have to go from lots of data down to very small amounts of data. The further you get down that funnel, the more you’re able to then have humans become engaged to be able to make the final decisions on what needs to be done,” Moses told TechCrunch.
In some cases, where the software has a strong signal that a domain is bad, humans don’t even need to be involved in the decision making; at Amazon’s scale, taking humans out of the loop when it can is important. “If you get down to where you have strong assurance that a domain is bad, we’re able to take that data and very quickly transition it straight into the systems that protect our environments,” Moses said.
That could involve the web application firewall (WAF), Amazon GuardDuty, the company’s threat detection system or even forwarding the domain in question to the AWS security service team for further review when required. Moses says when you combine Mithra with Sonaris, the company’s network observation platform, it provides a “pretty good defensive net around our AWS and Amazon environments.”
Amazon scale is unique.The company deals with a quarter of all internet traffic every day, according to Moses, and it “observes up to 200 trillion DNS requests in a single AWS Region alone. Mithra detects an average of 182,000 new malicious domains daily.”
The company has been using a combination of AI, ML, algorithms, monitoring and other tooling, but as it grows and scales, it realized it needed to have a single platform dedicated to monitoring the system for malicious domains and snuffing them out whenever possible. That’s where Mithra comes in.
AI plays a big role in a system this large, of course, and the company wouldn’t be able to deal with such a large graph database without AI. “The reality is that AI, in this particular case, or in many cases like this, is exactly the type of technology that you want to use in order to look at large scale amounts of data and identify throughout that data, the things that should be interesting to us,” Moses said. “And we can obviously train the AI to look for the aberrations, to look for the things that are outside of the norm, or those things that we’ve previously seen as malicious.”
The AI models can also help humans make better decisions. “Are we going to block this domain or not? Here’s a preponderance of the data that’s been assembled from Mithra, from Sonaris, from other threat sensors that we have, and then use that AI to coalesce it together into recommendations to the different systems that take the defensive measures,” Moses said.
Generative AI has a role to play because it enables the threat analysts, who are doing the threat hunting, to interact with the data in plain language and get back answers to help understand the situation better. Previously they would have had to run scripts, but generative AI provides a faster way to see what’s happening.
Sometimes, it’s not about shutting down domains, or how sophisticated the tech is, but just being able to pick up the phone and call a fellow CISO about what his team is seeing. “Some of our biggest investment is in making sure we have a very viable CISO network so we can pick up the phone and call someone at 2 a.m. and not have it be a cold call, even if they’re not customers of ours,” he said.
Update: This story has been updated to clarify when Mithra was launched.