
AWS snaps up Sqrrl to strengthen threat detection, analytics

Amazon's move to fold Sqrrl, a threat detection startup, into AWS security services could help bring together its growing list of disparate security tools.

A recent Amazon acquisition is likely to result in yet another tool to help AWS customers keep tabs on the security of their sensitive data.

Sqrrl, a security startup, confirmed this week that it was acquired by Amazon and would be folded into AWS. The Cambridge, Mass., company has roots in the NSA and focuses on threat detection, hunting and incident response based on the growing trend of security analytics.

Rumors about the deal have circulated since December, when it was first reported by Axios. AWS has not publicly confirmed the deal, but that report said the deal was for around $40 million. The deal works nicely for Amazon because of the relatively low price and Sqrrl's experience with large data sets due to its background with the intelligence community, said Tim Prendergast, co-founder and CEO of, a cloud security and compliance company in Pleasanton, Calif.

"Sqrrl is a prime candidate for GuardDuty integration, Amazon's internal incident response and security team for telemetry to give customers a heads up about threats," he said. "It seems to be a natural, logical process of how to engage and provide better security services over time."

GuardDuty, which became available last November, is AWS' threat detection service that provides warnings based on its intelligent review of its own network. Sqrrl could help enhance that service with more advanced responses once threats are detected.

Word of the deal comes a year after AWS acquired another startup,, whose team and presumably technology was used to build Amazon Macie. Macie, which was made available in August 2017, uses machine learning to recognize and track sensitive data in Simple Storage Service (S3) and provide alerts about any anomalous behavior.

AWS has long touted the shared-responsibility model by which it ensures the security of the underlying infrastructure, but that model puts the burden on its customers to lock down everything they build on the AWS cloud. Over time the company has added some critical security features, such as key management and identity federation, to appeal more broadly to enterprise IT and not just startups and lines of business.


In the past two years AWS has added a slew of security tools to further assuage concerns about security and help track data: Amazon Cloud Directory, Amazon Inspector, AWS Single Sign-On, AWS Shield, AWS IoT Device Defender and Amazon GuardDuty. AWS has also updated some of its default settings to prevent embarrassing exposures of sensitive data when customers leave their S3 buckets open to the public.

Despite those efforts, one of the biggest criticisms of security in the AWS cloud has been the disjointed nature of the various tools. Sqrrl could help address that shortcoming, which is particularly important as Microsoft has in many ways jumped ahead in this area, Prendergast said. For example, Microsoft has built threat intelligence and hunting tools into Office 365, Windows Defender Advanced Threat Protection and as components inside Azure Security Center.

"Microsoft fired a lot of security bullets this year to make sure that customers are getting defense and depth and decisions across multiple layers of infrastructure, whereas Amazon has positioned itself to look at each layer individually and not pulled everything together as a holistic application," he said.

Security in the cloud and on premises aren't the same

Security in the cloud is far different from the traditional models used to lock down data centers. It often means a focus on automation and elasticity, and on applications rather than on network endpoints. AWS likely will sell Sqrrl as part of its trend to offer baseline services that use data analytics to analyze and investigate potential problems, said Sanjay Kalra, co-founder and chief product officer at Lacework, a cloud security vendor in Mountain View, Calif.


In fact, cloud vendors such as AWS that handle network traffic on behalf of their clients are best positioned to take advantage of these types of tools because of the massive amount of operational data they control about user behavior, said Eric Ogren, an analyst at 451 Research. Sqrrl could be used to bridge the gap between security models in the public cloud and inside private data centers, as it provides a unified way to investigate and respond to threats.

"On premises, most of the SIM [security information and event management] data tends to be firewalled and IDS log data, and timestamps based on IP addresses," Ogren said. "When you get to the cloud, what's an IP address? They come and go so quickly, so if you're a security team you've got to resolve that in a hybrid environment."

Trevor Jones is a senior news writer with SearchCloudComputing and SearchAWS. Contact him at [email protected].
