NG Solution Team

How does Sanchit Mahajan tackle security alert fatigue using AI on an Amazon scale?

Security operations teams are often caught in a dilemma: either create highly sensitive detection systems and risk overwhelming analysts with false positives, or fine-tune for precision and potentially overlook genuine threats. Sanchit Mahajan, a Software Development Manager in Amazon’s Security division, confronts this challenge daily. He leads teams that develop platforms capable of processing vast amounts of telemetry data, aiming to detect sophisticated threats without inundating incident responders.

With over 15 years of experience spanning payments, e-commerce, and cybersecurity, Mahajan has witnessed firsthand how alert fatigue intensifies as organizations grow. His innovative approach involves using AI to automate signal generation, correlate billions of events, and transform raw threat intelligence into actionable insights. The objective is not to replace human judgment but to relieve security analysts from the burden of sifting through noise, allowing them to focus on significant threats.

AI has revolutionized the way security teams differentiate real threats from noise by accelerating the triage process. Advanced AI models can identify patterns in data already classified as noise and predict whether new alerts follow similar patterns. This capability either suppresses alerts automatically or scores them for further review, significantly reducing triage time. Additionally, AI can consolidate multiple alerts triggered by a single user across different machines into one, thereby reducing the overall number of alerts to be addressed.
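The suppress-or-score step and the per-user consolidation described above can be sketched as follows. This is an added example, not code from Amazon or from the article; a plain historical noise rate per (rule, process) fingerprint stands in for the AI model, and the field names, thresholds, 30-minute window and sample data are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data: past analyst verdicts as (rule, process, verdict).
HISTORY = ([("susp_powershell", "backup_agent.exe", "noise")] * 10
           + [("new_admin_logon", "lsass.exe", "noise")] * 2
           + [("new_admin_logon", "lsass.exe", "true_positive")] * 2)
# Constructed sample alerts as (timestamp, user, host, rule, process).
ALERTS = [
    ("2025-01-10T09:00:00", "alice", "host-a", "susp_powershell", "backup_agent.exe"),
    ("2025-01-10T09:05:00", "bob", "host-b", "new_admin_logon", "lsass.exe"),
    ("2025-01-10T09:12:00", "bob", "host-c", "new_admin_logon", "lsass.exe"),
    ("2025-01-10T09:20:00", "bob", "host-d", "cred_dump", "procdump.exe"),
    ("2025-01-10T13:00:00", "bob", "host-b", "new_admin_logon", "lsass.exe"),
]

def noise_rates(history, min_samples=3):
    """Fraction of past alerts per (rule, process) that analysts closed as noise."""
    total, noise = Counter(), Counter()
    for rule, process, verdict in history:
        total[(rule, process)] += 1
        noise[(rule, process)] += verdict == "noise"
    return {fp: noise[fp] / n for fp, n in total.items() if n >= min_samples}

def triage(alerts, history, window=timedelta(minutes=30), suppress_at=0.9):
    """Suppress known-noise alerts, then merge the rest into one case per user burst."""
    rates = noise_rates(history)
    cases, open_case, suppressed = [], {}, 0
    for ts, user, host, rule, process in sorted(alerts):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        rate = rates.get((rule, process), 0.0)  # no history: never auto-suppress
        if rate >= suppress_at:
            suppressed += 1
            continue
        case = open_case.get(user)
        if case is None or when - case["last_seen"] > window:
            case = {"user": user, "hosts": set(), "rules": set(), "alerts": 0, "score": 0.0}
            cases.append(case)
            open_case[user] = case
        case["hosts"].add(host)
        case["rules"].add(rule)
        case["alerts"] += 1
        case["score"] = max(case["score"], 1.0 - rate)  # case inherits its worst alert
        case["last_seen"] = when
    return sorted(cases, key=lambda c: c["score"], reverse=True), suppressed

if __name__ == "__main__":
    ranked, dropped = triage(ALERTS, HISTORY)
    print(f"{dropped} suppressed, {len(ranked)} cases from {len(ALERTS)} alerts")
    for c in ranked:
        print(c["user"], sorted(c["hosts"]), sorted(c["rules"]), c["score"])
```

Fingerprints with fewer than `min_samples` verdicts are never suppressed, so a rule that has only fired once or twice always reaches an analyst.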

Unlike traditional rule-based systems, AI-driven detection can dynamically identify commonalities between multiple detection outputs, which makes the resulting detections more accurate. This adaptability allows AI to recognize anomalous behaviors that static rules might miss, such as a user attempting multiple logins from varying locations.

Automated signal generation leverages AI to identify and correlate signals that might indicate malicious intent, even if they don’t individually constitute an attack. This method allows security teams to focus on a reduced subset of events, enhancing their ability to catch threats that might otherwise go unnoticed.

In an ever-evolving threat landscape, AI models are trained through threat research and feedback learning. By assessing internal and external threat reports, AI can predict the applicability of new threats to Amazon’s ecosystem. Feedback from analyzed alerts further refines the models, enabling them to focus on genuine anomalies.

AI transforms vast threat intelligence feeds into actionable insights by filtering irrelevant data and enriching relevant indicators with context. This process allows security analysts to prioritize threats that are most pertinent to their environment. AI’s ability to correlate seemingly unrelated events helps uncover attack patterns that would be difficult to detect manually.

While AI significantly reduces alert overload, achieving a balance between sensitivity and false positives remains a challenge. Continuous feedback and tuning of detection systems help improve accuracy and reduce analyst burnout. In domains like payments and e-commerce, where precision and recall are crucial, AI helps by grouping similar alerts and providing enriched context for human review.

Looking ahead, AI is expected to play an increasingly vital role in security operations, handling data processing and initial threat assessment. However, human judgment will remain indispensable for making critical decisions, especially as attackers also begin to leverage AI, creating an arms race where human creativity and intuition become key advantages.
