Amazon’s Chief Information Security Officer and cybersecurity guru CJ Moses takes a deep dive with CRN about how his firm, alongside its cloud unit Amazon Web Services, thwarts trillions of cyberattacks without anyone even noticing.
“With AWS Shield for example, 99 percent of all DDoS attacks that hit the AWS cloud are mitigated without any knowledge to any of the customers that would have been impacted. Why is that? It’s because the system is doing its job,” said Amazon’s Moses, the chief information security officer (CISO) and vice president of security engineering at Amazon.
Moses is one of the nation’s leading cybersecurity experts, having spent years working for the FBI and the Air Force Office of Special Investigations, as he puts it, “chasing criminals and spies around the world.”
Amazon intentionally places vulnerable systems out on the internet so that the company can learn from the behaviors of potentially malicious threat actors. Amazon calls this honeypot network MadPot.
Amazon sees MadPot attacked with a whopping 750 million attempts every single day, while AWS’ active defense tool Sonaris prevented nearly 2.7 trillion attempts to discover vulnerable services on Amazon EC2 over the past year.
Moses explains how MadPot, AWS’ active defense tool Sonaris and Amazon CEO Andy Jassy’s security culture make Amazon one of the most important and innovative cybersecurity companies on the planet.
MadPot Sees 750 Million Threat Attempts Per Day
MadPot is AWS’ threat intelligence technology that deters bad actors, using tools to find, study and stop digital threats that might affect customers. MadPot is a global honeypot system; honeypots are decoys set up to capture threat actor behavior.
“We have a honeypot network that we create called MadPot across all of AWS. They’re essentially vulnerable systems that we intentionally place out there, in various different types with different vulnerabilities. That system then allows for bad actors to do their things to them, and we learn by that,” said Moses.
MadPot has grown into a sophisticated system of monitoring sensors and automated response capabilities. The sensors observe hundreds of millions of potential threat interactions and probes every day around the world, with hundreds of thousands of those activities progressing far enough to be classified as malicious.
Moses—who was AWS’ CISO for 15 years before becoming Amazon’s CISO in 2023—said Amazon doesn’t look into customers’ data or instances running on behalf of the customers.
“So we create vulnerable ones that we manage and operate and run, and then are able to get the threat intel from the systems that we own. We take that information and very quickly vector off to defensive measures from what we learn in order to be able to block and tackle that stuff,” said Moses.
“It operates at such a scale that, earlier this year, we were reporting that we would see 100 million interactions a day—so scams and threat attempts. That has increased to 750 million a day,” he said.
The increase is due both to threat actors expanding their targeting capabilities with new technology such as generative AI and to AWS having built better tools for threat visibility.
Sonaris Blocks 2.7 Trillion Attempts On EC2 And 27 Billion On S3 Buckets
When Amazon catches threats, it uses AWS Sonaris—an active defense tool that analyzes potentially harmful network traffic so Amazon can quickly and automatically restrict threat actors who are hunting for vulnerabilities.
“Sonaris is a network-level system that allows us to take that threat intel and then do blocking. So mitigations or blocking to keep that threat actor activity from impacting our customers,” said Moses.
“MadPot provides that threat intelligence near real time to Sonaris that is then able to block and tackle those things,” he said. “By way of example, one metric on Sonaris is 2.7 trillion block actions attempts on EC2 instances over the last year.”
In the past 12 months, Amazon confirmed that Sonaris has prevented nearly 2.7 trillion attempts to discover vulnerable services on Amazon EC2. Sonaris has also denied more than 27 billion attempts to find unintentionally public S3 buckets.
“So you’re looking at 27 billion S3 buckets that have been protected because of that,” he said.
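The two sections above describe a pipeline: decoy hosts record interactions, a small fraction of those interactions are classified as malicious, and the resulting intelligence is pushed in near real time to a network-level blocker. The following is an added illustration of that shape, written for this page; it is not MadPot or Sonaris code and does not reflect how AWS classifies or blocks traffic. The sensor events, behaviour tags, thresholds and block TTL are all constructed for the example, and the source addresses come from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sensor events from decoy hosts: (unix_time, source_ip, decoy_port, behaviour_tag).
# The tags are invented labels for this example, not AWS's own classification scheme.
SENSOR_EVENTS = [
    (1000, "198.51.100.7", 22, "connect-only"),
    (1001, "198.51.100.7", 80, "connect-only"),
    (1002, "198.51.100.7", 443, "connect-only"),
    (1003, "198.51.100.7", 3306, "connect-only"),
    (1010, "203.0.113.4", 22, "auth-failure"),
    (1011, "203.0.113.4", 22, "auth-failure"),
    (1012, "203.0.113.4", 22, "auth-failure"),
    (1013, "203.0.113.4", 22, "auth-failure"),
    (1014, "203.0.113.4", 22, "auth-failure"),
    (1020, "192.0.2.9", 80, "connect-only"),      # one stray touch; stays below every threshold
    (1030, "192.0.2.10", 80, "exploit-signature"),
]

WINDOW_SECONDS = 60         # sliding window for the rate-based rules (assumed value)
SCAN_PORT_THRESHOLD = 3     # distinct decoy ports in one window -> port scan (assumed value)
BRUTE_FORCE_THRESHOLD = 5   # auth failures in one window -> credential brute force (assumed value)
BLOCK_TTL_SECONDS = 3600    # how long a block rule lives before it expires (assumed value)


@dataclass
class Verdict:
    source_ip: str
    reason: str
    first_seen: int


def classify(events):
    """Map source IP -> Verdict for every source that trips a malicious-behaviour rule.

    Only decoy observations are consulted; customer traffic is never an input here.
    """
    by_source = defaultdict(list)
    for ts, ip, port, tag in events:
        by_source[ip].append((ts, port, tag))

    verdicts = {}
    for ip, evs in by_source.items():
        evs.sort()
        for i, (ts, _port, _tag) in enumerate(evs):
            window = [e for e in evs[i:] if e[0] - ts <= WINDOW_SECONDS]
            if any(e[2] == "exploit-signature" for e in window):
                reason = "exploit-attempt"
            elif len({e[1] for e in window}) >= SCAN_PORT_THRESHOLD:
                reason = "port-scan"
            elif sum(e[2] == "auth-failure" for e in window) >= BRUTE_FORCE_THRESHOLD:
                reason = "brute-force"
            else:
                continue
            verdicts[ip] = Verdict(ip, reason, evs[0][0])
            break  # one verdict per source is enough to feed the blocker
    return verdicts


def build_blocklist(verdicts):
    """Turn verdicts into network-level block rules: source_ip -> expiry time."""
    return {ip: v.first_seen + BLOCK_TTL_SECONDS for ip, v in verdicts.items()}


def filter_decision(blocklist, source_ip, now):
    """Enforcement side: deny while a live rule exists, allow once it has expired."""
    expiry = blocklist.get(source_ip)
    if expiry is None or now >= expiry:
        return "allow"
    return "deny"


def run_pipeline(events):
    """Sensor events in; verdicts, block rules and a volume summary out."""
    verdicts = classify(events)
    blocklist = build_blocklist(verdicts)
    summary = {
        "interactions": len(events),
        "sources_seen": len({e[1] for e in events}),
        "sources_blocked": len(blocklist),
    }
    return verdicts, blocklist, summary


if __name__ == "__main__":
    verdicts, blocklist, summary = run_pipeline(SENSOR_EVENTS)
    for ip, v in sorted(verdicts.items()):
        print(f"{ip:14} {v.reason:16} block until t={blocklist[ip]}")
    print(summary)
```

The point of the structure is the ratio the article describes: every interaction with a decoy is recorded, but only sources that cross an explicit behavioural rule produce a verdict, and only verdicts become block rules. The expiry on each rule matters in practice because sources that hit a honeypot are often shared or short-lived addresses; a rule that never expires would eventually punish whoever inherits the address.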
Why Amazon’s Incident Response Business Has Been So Secretive
Although Amazon owns one of the world’s top incident response businesses, its security teams have historically “kind of been hanging in the shadows,” Moses said.
Now, however, the company’s incident response team has grown significantly and has stepped into the spotlight.
“For a lot of the threat intelligence, we’ve been doing it behind the scenes for years. We never talked to you [CRN] or anybody else about it in the past. This year, we’ve been starting to open up the doors and let people take a look, mostly because customers have been asking,” said Moses.
Customers tell Amazon that other top cybersecurity vendors consistently tout and market their new products to the public.
“Customers tell us, ‘You have access to a lot more than they make. What are you doing?’ In the past, it’s always been, ‘Yes we do. We’re taking care of you. So don’t worry about it.’ But as we’ve learned, people want details,” said Moses. “They don’t trust that you’re doing the stuff. So this year, we’ve been sharing a lot more.”
Why Cybersecurity Threats Don’t Keep Moses Up At Night
Many might assume that the CISO of Amazon is up all night thinking about a range of cyber threats.
However, after more than 25 years in top cybersecurity roles, Moses says the only things that keep him up at night are his dogs.
Chasing some of the world’s most dangerous hackers and criminals across the globe for years has given Moses perspective.
“One of the things that that’s taught me is, you need to focus on what you can control. If I focus on what I can control, the things that I can’t control become a lot easier to deal with. Therefore, I don’t get worried,” he said. “I mean, there are things that in the moment that concern me. I look at what I can do about it and we [solve] the things we can do. Many times, that is preparatory for the future.”
Amazon’s One Big Cybersecurity Differentiation
One of the main reasons Moses isn’t losing sleep over the billions of threats targeting his company and its customers is Amazon’s cybersecurity philosophy.
“The number one differentiation that Amazon has is culture. Having the leadership have security as priority zero or the top priority—it differentiates us,” said Moses.
Amazon’s top-notch security posture isn’t an accident; it is the result of two decades’ worth of Amazon prioritizing cybersecurity.
“[Cybersecurity] is not something that just came around recently because we had a security issue. It’s how we have been since day one, because we were paranoid from our past life,” said Moses, who first joined AWS in 2007. “Andy Jassy bought into the paranoia because he believed in us and carried that forward. Quite honestly, building from that core of that security culture has allowed us to dodge a lot of these big security events.”
“We can show proof that we saw the attempts on our systems from the same threat actors that others had fallen to. We see it on a regular basis. We see 750 million of them a day,” said Moses. “But why aren’t they getting in [to Amazon]? It’s because we’re making the right investments in advance. We are not paranoid. We know they’re out to get us, and we’re going to do everything we can to stop them.”