AWS recently announced the general availability of Security Lake, a managed service to automate the sourcing, aggregation, normalization, and data management of security data. The new service centralizes data from AWS environments, SaaS providers, on-premises, and cloud sources into a data lake stored in an AWS account.
The new service supports the Open Cybersecurity Schema Framework (OCSF), an open-source project started by AWS and other companies in the cybersecurity industry.
Introduced in preview at re:Invent, Amazon Security Lake helps analysts and security engineers investigate and respond to security events, facilitating timely responses, and improving security across multi-cloud and hybrid environments.
Source: https://aws.amazon.com/blogs/security/amazon-security-lake-is-now-generally-available/
Security Lake automatically collects logs for CloudTrail, VPC, Route 53, S3, and Lambda, converting them to the OCSF schema. Through Security Hub, it also collects security findings for other AWS services, including Amazon GuardDuty, Inspector, and AWS Config. Third-party logs can be ingested through Security Hub integration or providing data in the OCSF format.
With the general availability release, the service improves resource names and schema mapping to enhance the usability of logs and adds support for the latest version of OCSF (version 1 rc2). Furthermore, CloudTrail management events are now normalized into three distinct OCSF classes: authentication, account change, and API activity.
In the article "Data Lake Dilemma: Amazon Security Lake vs. AWS CloudTrail Lake", Isaac Zapata, founder at TK Cloud, suggests:
Amazon Security Lake is more feature rich with better long-term potential, assuming OCSF is deemed a successful program in the future. There is a larger base of AWS-Native log support and with out-of-the-box normalization of data, data transformation responsibilities are heavily offloaded from organizations.
Security Lake prices are based on two dimensions, data ingestion, and data normalization, with costs determined by the volume of log and event data ingested. There is no ingestion charge for third-party data, and the ingestion price changes depending on the origin of the logs. Scott Piper, cloud security consultant, comments:
Security Lake is mostly just normalizing logs into a different format and storing them in S3. Oddly for CloudTrail logs (which are the easiest for AWS to swap formats), it charges 3x the usual price. That's the only exception. The Security Lake team just hates CloudTrail apparently.
Andrzej Komarnicki, founder and cloud partner at smallfries digital, adds:
There's already CloudTrail Lake too, am I now supposed to run a Security Lake on top of my CloudTrail Lake and on top of my CloudTrail log trail?
Security Lake is available in a subset of AWS regions, including Northern Virginia, Ireland, and Singapore.