AWS re:Invent 2025 - Streamlining Telecom Cybersecurity Operations with AWS Generative AI (IND206)
Streamlining Telecom Cybersecurity Operations with AWS Generative AI
Common Challenges in Telecom Cybersecurity
Telecoms and communication service providers face a growing number of security attacks and cyber threats
They operate under stringent regulatory norms, requiring constant evolution of security architecture
Managing the complexity of multiple monitoring and security control tools is challenging
Diagnosing security incidents by analyzing verbose, unstructured logs from various sources is time-consuming and error-prone
Leveraging Generative AI for Incident Resolution
The solution uses an agentic AI assistant, built on Amazon Bedrock AgentCore, to support security analysts
The agent can:
Fetch and correlate logs from various sources (e.g., Zscaler, Check Point, Alumio)
Analyze the logs to diagnose the root cause of security incidents
Provide a detailed report to the security analyst within minutes
The agent is built with the Strands SDK and uses the Claude 3.7 Sonnet model on Amazon Bedrock
It authenticates to the Amazon Bedrock AgentCore Gateway, which provides access to the necessary tools
Architecture Overview
Personas:
Security analyst interacts with the generative AI agent
Agent Runtime and Authentication:
The agent runs on the Amazon Bedrock AgentCore runtime
It authenticates to the gateway with a JWT, which is validated by Amazon Bedrock AgentCore Identity
Tool Integration:
The agent retrieves the available tool schema from the gateway
It then uses the tools to fetch and analyze logs from various sources (e.g., Zscaler, Check Point, Alumio)
The tool integrations are implemented as Lambda functions
Centralized Log Storage:
Amazon Security Lake stores the logs centrally in a standardized format (Open Cybersecurity Schema Framework, OCSF)
This enables efficient querying and processing by the agent and other analytics tools
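To make the tool layer concrete, here is an added example (not code from the talk or from AWS) of what one of those Lambda tools might do: take an indicator supplied by the agent, validate it, and correlate OCSF-normalized events from several products around it. The events, the product names and the tool schema ({"indicator": "<ip>"}) are constructed for the example; a real tool would obtain the rows from a query against Security Lake.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone
# Constructed OCSF-style events, shaped like rows a Security Lake query could return
# (class_uid 4001 = Network Activity, 4002 = HTTP Activity; time = epoch milliseconds).
SAMPLE_EVENTS = [
    {"class_uid": 4001, "time": 1735689600000, "severity_id": 3, "activity_name": "Deny",
     "src_endpoint": {"ip": "203.0.113.7"}, "dst_endpoint": {"ip": "10.0.0.5"},
     "metadata": {"product": {"name": "Check Point"}}},
    {"class_uid": 4002, "time": 1735689720000, "severity_id": 4, "activity_name": "Block",
     "src_endpoint": {"ip": "10.0.0.5"}, "dst_endpoint": {"ip": "203.0.113.7"},
     "metadata": {"product": {"name": "Zscaler"}}},
    {"class_uid": 4001, "time": 1735693500000, "severity_id": 1, "activity_name": "Allow",
     "src_endpoint": {"ip": "10.0.0.9"}, "dst_endpoint": {"ip": "10.0.0.5"},
     "metadata": {"product": {"name": "Check Point"}}},
]

def _ip_of(event, side):
    return event.get(side, {}).get("ip")

def _product(event):
    return event["metadata"]["product"]["name"]

def correlate(events, indicator, window_minutes=60):
    """Events mentioning `indicator` as source or destination, grouped by product, with the
    facts an analyst asks first: products involved, peak severity, cross-product timing."""
    ip = str(ipaddress.ip_address(indicator))  # ValueError on anything that is not an IP
    hits = sorted((e for e in events if ip in (_ip_of(e, "src_endpoint"), _ip_of(e, "dst_endpoint"))),
                  key=lambda e: e["time"])
    by_product = defaultdict(list)
    for e in hits:
        by_product[_product(e)].append(e)
    # True when two different products saw the indicator within the window of each other
    cross = any(abs(a["time"] - b["time"]) <= window_minutes * 60_000
                for a in hits for b in hits if _product(a) != _product(b))
    return {
        "indicator": ip,
        "event_count": len(hits),
        "products": sorted(by_product),
        "max_severity_id": max((e["severity_id"] for e in hits), default=0),
        "multi_source_within_window": cross,
        "timeline": [f"{datetime.fromtimestamp(e['time'] / 1000, timezone.utc):%Y-%m-%dT%H:%M:%SZ} "
                     f"{_product(e)}: {e['activity_name']} "
                     f"{_ip_of(e, 'src_endpoint')} -> {_ip_of(e, 'dst_endpoint')}" for e in hits],
    }

def lambda_handler(event, context=None):
    """Lambda-style entry point (assumed tool schema: {"indicator": "<ip>"}); the value comes
    from the agent, so it is validated before it is used in any lookup."""
    try:
        return correlate(SAMPLE_EVENTS, str(event.get("indicator", "")))
    except ValueError:
        return {"error": "indicator must be a valid IPv4 or IPv6 address"}
```

The compact summary is what the agent gets back, so the model reasons over a few structured fields rather than the raw log rows, and a malformed indicator is rejected before any data is touched.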
Solution Benefits
Faster Incident Detection and Resolution:
The agent can diagnose and resolve security incidents within minutes, compared to hours or days manually
Increases the productivity of the security operations team
Self-Service for Internal Users:
The agent can be provided as a self-service tool for internal users to diagnose their own issues
Reduces the volume of support tickets and improves collaboration between developers and security teams
Reduced Operational Complexity:
The agent can dynamically write queries and interact with various log sources, eliminating the need for users to learn complex tools and query languages
Centralizing logs in Amazon Security Lake simplifies log management and lifecycle policies
Key Takeaways
Generative AI on AWS, enabled by the Strands SDK and Amazon Bedrock, can dramatically reduce incident resolution time for telecom security teams.
The Amazon Bedrock AgentCore runtime makes it easy to deploy and scale the generative AI agent, with only a few lines of code changed.
A "crawl, walk, run" approach can be adopted, starting with a security analyst portal and progressing to self-service for internal users and advanced security incident investigation.
Integrating with Amazon Security Lake provides a centralized, standardized log store to support the agent's analysis capabilities.
The Amazon Bedrock AgentCore Gateway lets the agent connect to log sources beyond AWS, including on-premises systems and other cloud providers, giving the solution architecture flexibility.