AWS re:Invent 2025 - From SIEM to SOC: Building AI-Native Security in the Cloud with AWS (AIM289)

Summary: From SIEM to SOC: Building AI-Native Security in the Cloud with AWS

Overview

This presentation from AWS re:Invent 2025 discusses the evolution of security operations in the cloud, focusing on how organizations can leverage AI-powered security solutions to build a modern, cloud-native Security Operations Center (SOC). The speaker highlights the limitations of traditional Security Information and Event Management (SIEM) systems and outlines a strategic approach to transitioning from SIEM to an AI-driven SOC on AWS.

Limitations of Traditional SIEM

  • SIEM systems struggle to keep up with the volume, velocity, and variety of security data in the cloud
  • Legacy SIEM tools are often complex, resource-intensive, and require significant manual effort to maintain and analyze
  • SIEM solutions are typically reactive, focusing on detecting known threats rather than proactively identifying and mitigating emerging risks

The Need for AI-Native Security

  • The cloud introduces new security challenges, such as ephemeral infrastructure, distributed applications, and dynamic user access
  • Traditional security approaches are no longer sufficient to keep pace with the evolving threat landscape
  • Organizations require AI-powered security solutions that can automatically detect, investigate, and respond to threats in real-time

Building an AI-Native SOC on AWS

  1. Data Aggregation and Normalization:
    • Leverage AWS services like Amazon CloudWatch, AWS CloudTrail, and Amazon VPC Flow Logs to centralize and normalize security data
    • Use Amazon Kinesis to ingest and stream security events in real-time
  2. AI-Powered Threat Detection:
    • Employ Amazon GuardDuty for continuous monitoring and threat detection, leveraging machine learning to identify anomalies and potential threats
    • Integrate Amazon Macie for sensitive data discovery and classification, helping to identify and protect against data breaches
  3. Automated Incident Response:
    • Utilize AWS Lambda and Amazon EventBridge to build automated workflows for incident response and remediation
    • Integrate with AWS Security Hub to centralize security findings and enable cross-service correlation
  4. Threat Hunting and Investigation:
    • Leverage Amazon Athena and Amazon Elasticsearch Service for ad-hoc querying and analysis of security data
    • Empower security analysts with interactive visualizations and dashboards using Amazon QuickSight
  5. Security Orchestration and Automation:
    • Implement AWS Security Hub to unify security findings from multiple AWS services and third-party tools
    • Automate security operations tasks using AWS Systems Manager and AWS Step Functions
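To make step 3 concrete, here is an added example (not from the talk or from AWS) of the triage logic an EventBridge-triggered Lambda might run on a GuardDuty finding: it validates the event source, reads the finding's numeric severity, identifies the affected resource, and returns the response action the workflow should take. The event shape mirrors the EventBridge "GuardDuty Finding" event; the sample event, the `triage_finding` function, and the action names are constructed for this illustration.

```python
"""Hypothetical Lambda triage for GuardDuty findings delivered via EventBridge."""
from dataclasses import dataclass
from typing import Any


def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity to a label (7.0+ high, 4.0-6.9 medium, 0.1-3.9 low)."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW" if score > 0.0 else "INFO"


@dataclass(frozen=True)
class TriageDecision:
    finding_type: str
    severity: str
    resource_id: str
    action: str  # next step for the automated response workflow


def triage_finding(event: dict[str, Any]) -> TriageDecision:
    # Only act on genuine GuardDuty finding events; anything else is rejected.
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    detail = event["detail"]
    resource = detail.get("resource", {})
    rtype = resource.get("resourceType", "Unknown")
    if rtype == "Instance":
        resource_id = resource["instanceDetails"]["instanceId"]
    elif rtype == "AccessKey":
        resource_id = resource["accessKeyDetails"]["accessKeyId"]
    else:
        resource_id = "unknown"
    label = severity_label(float(detail.get("severity", 0.0)))
    # Response policy (constructed): contain high-severity findings, ticket the rest.
    if label == "HIGH" and rtype == "Instance":
        action = "isolate-instance"  # e.g. quarantine security group + forensic snapshot
    elif label == "HIGH" and rtype == "AccessKey":
        action = "disable-access-key"
    elif label == "MEDIUM":
        action = "open-ticket"
    else:
        action = "log-only"
    return TriageDecision(detail.get("type", "Unknown"), label, resource_id, action)


def lambda_handler(event: dict[str, Any], context: Any = None) -> dict[str, str]:
    d = triage_finding(event)
    return {"action": d.action, "severity": d.severity, "resource": d.resource_id}


# Constructed sample event in the shape EventBridge delivers for a GuardDuty finding.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"severity": 8.0, "type": "UnauthorizedAccess:EC2/SSHBruteForce",
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}
```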

Key Takeaways

  • The transition from SIEM to an AI-native SOC on AWS enables organizations to keep pace with the evolving threat landscape and cloud security challenges
  • AI-powered security solutions like Amazon GuardDuty and Amazon Macie can significantly improve threat detection, investigation, and response capabilities
  • Automating security operations tasks and integrating security data across AWS services can enhance efficiency and reduce the burden on security teams
  • A well-designed AI-native SOC on AWS can provide real-time visibility, actionable insights, and proactive security measures to protect against advanced threats

Real-World Examples

  • A global financial institution leveraged the AI-native SOC approach to reduce the time to detect and respond to security incidents by 50%
  • A leading e-commerce company used Amazon GuardDuty and Amazon Macie to identify and mitigate sensitive data exposure, preventing a potential data breach
  • A major healthcare provider implemented the AI-native SOC architecture to streamline security operations, enabling their security team to focus on high-impact activities rather than manual, repetitive tasks
