AWS whitepapers documentation change
Summary
Removed entire content including explanations of behavioral vs rule-based detection, GuardDuty examples, and browser warning
Security assessment
Content removal about detective security controls doesn't indicate a security fix. The deleted material was educational about security features but its removal doesn't correlate with addressing a specific vulnerability or weakness in AWS services.
Diff
diff --git a/whitepapers/latest/aws-security-incident-response-guide/detective-control-implementations.md b/whitepapers/latest/aws-security-incident-response-guide/detective-control-implementations.md index d5947d458..8b1378917 100644 --- a//whitepapers/latest/aws-security-incident-response-guide/detective-control-implementations.md +++ b//whitepapers/latest/aws-security-incident-response-guide/detective-control-implementations.md @@ -1 +0,0 @@ -[View a markdown version of this page](detective-control-implementations.md) @@ -3,47 +1,0 @@ -[](/pdfs/security-ir/latest/userguide/sir-ug.pdf#detective-control-implementations "Open PDF") - -[Documentation](/index.html)[Security Incident Response](/security-ir/index.html)[](what-is.html) - -# Detective control implementations - -It is important to understand how detective controls are implemented because they help determine how the alert will be used for the particular event. There are two main implementations of technical detective controls: - - * **Behavioral detection** relies on mathematical models commonly referred to as machine learning (ML) or artificial intelligence (AI). The detection is made by inference; therefore, the alert might not necessarily reflect an actual event. - - * **Rule-based detection** is deterministic; customers can set the exact parameters of what activity to be alerted on, and that is certain. - - - - -Modern implementations of detective systems, such as an intrusion detection system (IDS), generally come with both mechanisms. Following are some examples for rule-based and behavioral detections with GuardDuty. - - * When the finding `Exfiltration:IAMUser/AnomalousBehavior` is generated, it informs you that “an anomalous API request was observed in your account.” As you look further into the documentation, it tells you that “The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries,” indicating that this finding is of a behavioral nature. - - * For the finding `Impact:S3/MaliciousIPCaller`, GuardDuty is analyzing API calls from the Amazon S3 service in CloudTrail, comparing the `SourceIPAddress` log element with a table of public IP addresses that includes threat intelligence feeds. Once it finds a direct match to an entry, it generates the finding. - - - - -We recommend implementing a mix of both behavioral and rule-based alerting because it is not always possible to implement rule-based alerting for every activity within your threat model. - - **Javascript is disabled or is unavailable in your browser.** - -To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions. - -[Document Conventions](/general/latest/gr/docconventions.html) - -Detection as part of security control engineering - -People-based detection - -Did this page help you? - Yes - -Thanks for letting us know we're doing a good job! - -If you've got a moment, please tell us what we did right so we can do more of it. - -Did this page help you? - No - -Thanks for letting us know this page needs work. We're sorry we let you down. - -If you've got a moment, please tell us how we can make the documentation better.