Vega, a startup founded in 2024, is presenting a new approach to security operations and analytics using AWS S3 buckets.
The presentation aims to address common challenges enterprises face with traditional SIEM (Security Information and Event Management) architectures, including growing security telemetry volumes, cost constraints, and data fragmentation.
Key Problems with Traditional SIEM Architectures
Growing Security Telemetry Volumes: The migration to the cloud and multi-cloud environments has led to a significant increase in the types and volumes of security telemetry data, such as CloudTrail logs, VPC flow logs, and more.
Cost Constraints: The traditional monolithic SIEM architecture requires sending all logs to a centralized system, leading to high costs for data ingestion and storage.
Data Fragmentation: Many organizations end up with multiple data repositories and SIEMs due to factors like mergers and acquisitions or data residency requirements, making it challenging to correlate and analyze data across these disparate sources.
Vega's Federated Security Analytics Approach
Indexing Data in Place: Instead of sending all logs to a central SIEM, Vega's solution indexes the data directly in the AWS S3 buckets where the logs are already stored, eliminating the need for data egress and reducing costs.
Federated Queries and Analytics: Vega's console can then query the indexed data in the S3 buckets, allowing security teams to perform detection, threat hunting, and incident response without the need to centralize the data.
Hybrid Data Connectivity: Vega's platform can also connect to existing SIEMs, data lakes, and other data sources, enabling cross-correlation of data across multiple repositories.
Unified Security View: Vega provides a single pane of glass for security operations, allowing teams to work within a unified interface despite the underlying data being distributed across different systems.
Technical Details and Benefits
Vega's "Security Analytics Mesh" architecture enables the flexibility to store data in the most appropriate location, whether it's S3 buckets, data lakes, or existing SIEMs.
By indexing data in place within S3 buckets, Vega customers have seen cost reductions of 60-80% compared to traditional SIEM architectures.
Vega's approach allows for longer data retention periods and the ability to onboard more data sources that were previously cost-prohibitive.
The use of a common query language (KQL) and AI/LLM capabilities within Vega's platform helps security teams quickly get up to speed and leverage the distributed data for improved detection, threat hunting, and incident response.
Real-World Examples
Major E-commerce Platform: This company was able to entirely replace their existing SIEM solution by indexing data in S3 buckets, resulting in a 70% cost reduction while maintaining the same security capabilities and enabling longer data retention periods.
Fortune 500 Pharmaceutical Company: With over 500 AWS accounts, this company was able to gain full visibility and detection capabilities on their AWS environment without shipping any logs out of AWS, eliminating egress costs and data fragmentation.
Key Takeaways
Vega's federated security analytics approach leverages the scalability and cost-effectiveness of AWS S3 buckets to address the challenges of traditional SIEM architectures.
By indexing data in place and providing a unified security view, Vega enables enterprises to maintain visibility, detection, and incident response capabilities while significantly reducing costs.
Vega's hybrid data connectivity and cross-correlation capabilities help organizations overcome the challenges of data fragmentation across multiple repositories.
The use of a common query language and AI/LLM-powered features within Vega's platform helps security teams quickly adapt and maximize the value of their distributed security data.