Case Study: 50%+ Cost Reduction – Modernising Security Operations for Fast Growing High Street Retailer
AWS Security Competency Case Study: Threat Detection and Response.
A major UK high street retailer transformed their security operations by implementing Amazon Security Lake with OpenSearch Serverless, achieving a 50% cost reduction whilst dramatically increasing visibility and data retention capabilities. HOOP Cyber delivered the complete solution from proof-of-concept to production in just 15 days.
Challenges
The retailer operates a complex multi-channel business with physical stores, e-commerce platforms, and distributed cloud infrastructure. Following the retirement of their previous security monitoring platform, they faced critical gaps in threat detection and compliance capabilities.
Key Challenges:
- Limited visibility into security events across AWS and hybrid cloud infrastructure
- Prohibitive costs of legacy SIEM restricting data ingestion and retention periods
- Slow forensic investigations due to insufficient historical data (30-90 days retention only)
- Inability to analyse verbose log sources (CloudTrail, VPC Flow Logs, S3 data events) due to cost constraints
- Compliance risks from inadequate data retention for regulatory requirements
- Extended time-to-detect threats due to platform limitations and manual processes
Business Impact: Without modernisation, the organisation faced increased risk of undetected breaches, regulatory non-compliance, extended incident response times, and inability to protect customer data effectively across their digital estate.
Solutions
HOOP Cyber implemented a cloud-native security operations architecture based on Amazon Security Lake and OpenSearch Serverless, delivering a modern threat detection and response capability with significantly reduced operational costs.
Core Architecture:
- Amazon Security Lake: Centralised security data repository with native OCSF normalisation, multi-region aggregation, and cost-effective storage in compressed Parquet format
- Amazon OpenSearch Serverless: Zero-ETL query interface providing sub-second dashboards and interactive threat hunting without data duplication
- Multi-Region Deployment: Primary region (eu-west-1) with automated roll-up from secondary regions, supporting distributed operations
- Intelligent Data Source Selection: Strategic enablement of high-value log sources (CloudTrail, Route 53, WAF) whilst deferring verbose sources for future stream processing
- MITRE ATT&CK Detection Library: Custom SQL queries mapped to threat tactics including privilege escalation, resource hijacking, and defence evasion
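The page describes the detection library as SQL queries mapped to ATT&CK tactics but does not reproduce any of them. The following is an added example written for this page, not HOOP Cyber's or the retailer's own rules: three Amazon Athena (Trino SQL) queries over OCSF-normalised CloudTrail management events in Security Lake, one per tactic named above. The database and table names assume the Security Lake 2.0 naming convention for a primary region of eu-west-1, and the column paths assume the OCSF 1.1 API Activity class as emitted by Security Lake 2.0; both are assumptions to verify against your own Glue Data Catalog before scheduling anything. The thresholds and the 24-hour and 7-day windows are likewise illustrative.

```sql
-- Added example, not the case study's own detection rules.
-- ASSUMED names: adjust the database/table to match your Glue Data Catalog.
-- Rule 1: Defence Evasion, ATT&CK T1562.008 (Disable or Modify Cloud Logs).
-- Successful calls in the last 24 hours that stop, delete or reconfigure a trail.
SELECT
  time_dt,
  cloud.account.uid      AS account_id,
  cloud.region           AS region,
  actor.user.type        AS principal_type,
  actor.user.name        AS principal_name,
  actor.session.is_mfa   AS mfa_used,
  src_endpoint.ip        AS source_ip,
  api.operation          AS operation,
  api.request.uid        AS request_id
FROM amazon_security_lake_glue_db_eu_west_1.amazon_security_lake_table_eu_west_1_cloud_trail_mgmt_2_0
WHERE api.service.name = 'cloudtrail.amazonaws.com'
  AND api.operation IN ('StopLogging', 'DeleteTrail', 'UpdateTrail', 'PutEventSelectors')
  AND api.response.error IS NULL                        -- the call succeeded
  AND time_dt >= current_timestamp - INTERVAL '1' DAY
ORDER BY time_dt DESC;

-- Rule 2: Privilege Escalation, ATT&CK T1098.003 (Additional Cloud Roles).
-- IAM permission changes made by a long-lived IAM user without MFA. Assumed-role
-- sessions are excluded because their MFA context lives on the source session.
-- Grouping per principal and hour surfaces bursts of policy changes rather than
-- one-off administrative edits.
SELECT
  date_trunc('hour', time_dt)          AS window_start,
  cloud.account.uid                    AS account_id,
  actor.user.name                      AS principal_name,
  array_agg(DISTINCT api.operation)    AS operations,
  array_agg(DISTINCT src_endpoint.ip)  AS source_ips,
  count(*)                             AS change_count
FROM amazon_security_lake_glue_db_eu_west_1.amazon_security_lake_table_eu_west_1_cloud_trail_mgmt_2_0
WHERE api.service.name = 'iam.amazonaws.com'
  AND api.operation IN (
        'AttachUserPolicy', 'AttachRolePolicy', 'AttachGroupPolicy',
        'PutUserPolicy', 'PutRolePolicy', 'PutGroupPolicy',
        'UpdateAssumeRolePolicy', 'CreateAccessKey', 'AddUserToGroup')
  AND api.response.error IS NULL
  AND actor.user.type = 'IAMUser'
  AND (actor.session.is_mfa IS NULL OR actor.session.is_mfa = false)
  AND time_dt >= current_timestamp - INTERVAL '1' DAY
GROUP BY 1, 2, 3
ORDER BY change_count DESC;

-- Rule 3: Resource Hijacking, ATT&CK T1496.
-- Bursts of EC2 launches: more than 10 successful RunInstances calls by one principal
-- in one hour over the last 7 days, with the regions touched, so that launches into
-- regions the business does not normally use stand out (threshold is illustrative).
SELECT
  date_trunc('hour', time_dt)             AS window_start,
  cloud.account.uid                       AS account_id,
  actor.user.name                         AS principal_name,
  array_agg(DISTINCT cloud.region)        AS regions,
  count(*)                                AS launch_calls
FROM amazon_security_lake_glue_db_eu_west_1.amazon_security_lake_table_eu_west_1_cloud_trail_mgmt_2_0
WHERE api.service.name = 'ec2.amazonaws.com'
  AND api.operation = 'RunInstances'
  AND api.response.error IS NULL
  AND time_dt >= current_timestamp - INTERVAL '7' DAY
GROUP BY 1, 2, 3
HAVING count(*) > 10
ORDER BY launch_calls DESC;
```

Each query filters on `time_dt` so that Athena only scans the partitions for the window, which is what keeps a pay-per-query model cheap when run on a schedule. Rule 1 deliberately ignores the `status` column and keys on `api.response.error` so that a denied `StopLogging` attempt (which itself is worth alerting on) can be pulled out by dropping that predicate. If you expose the same tables to OpenSearch Serverless through the zero-ETL direct-query integration, the interval and `array_agg` syntax may need adjusting for that engine.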
Key AWS Services Deployed:
Amazon Security Lake, Amazon OpenSearch Serverless, AWS CloudTrail, Amazon Route 53 Resolver, AWS WAF, Amazon GuardDuty, AWS Security Hub, AWS Lake Formation, AWS Glue Data Catalog, AWS IAM Identity Center, AWS Organizations, Amazon S3 with Intelligent-Tiering, AWS Lambda, Amazon SQS
Implementation Approach:
- Pre-PoC: Define PoC target architecture, agree success criteria, review the existing AWS architecture, review the potential to ingest third-party data sources
- Week 1: Architecture design, Infrastructure-as-Code deployment (Terraform), Security Lake instantiation across all regions, automated log source ingestion
- Week 2: OpenSearch Serverless configuration, zero-ETL query testing, custom detection rule development, dashboard creation, cost optimisation analysis
- Post-PoC: Production deployment, security team training, phased roadmap for future capabilities
Why This Architecture:
- Agile security modernisation approach that focuses on a critical threat detection strategy whilst reducing cost and operational workload
- Zero-ETL approach eliminates data duplication and associated costs
- OCSF standardisation enables consistent queries across all current and future data sources
- Serverless architecture scales compute independently from storage based on actual demand
- Pay-per-query model aligns costs with actual usage rather than fixed infrastructure
- Multi-year retention at fraction of traditional platform costs
- Foundation for future advanced capabilities (Security Analytics and Response, federated search)
Results
The implementation delivered immediate, measurable business value with significant cost savings and enhanced security capabilities.
Quantified Business Outcomes
- 50%+ Cost Reduction: Monthly security operations costs reduced by more than half compared with the previous platform
- 15-Day Deployment: Complete proof-of-concept to production deployment (versus typical 3-6+ month timelines)
- Extended Retention: Multi-year data retention capability, up from the 30-90 days available on the previous platform
- Sub-Second Queries: Dashboard response times under 1 second using materialised views
- Increased Coverage: Ability to analyse previously cost-prohibitive log sources including CloudTrail, WAF, and DNS
- Operational Efficiency: Security analysts spend more time hunting threats rather than managing infrastructure
- Compliance Ready: Extended retention and audit trails support GDPR, PCI-DSS, and regulatory requirements
Security Capabilities Delivered
- Three MITRE ATT&CK-mapped detection rules operational with expansion roadmap
- Real-time threat detection across AWS services.
- Automated alerting with defined escalation paths reducing mean-time-to-detect
- Self-service analytics enabling security team independence
- Foundation established for third-party log integration.
- Scalable architecture supporting business growth without proportional cost increases
Strategic Value
This solution positions the retailer for continued security maturation with a modern, cloud-native architecture aligned to AWS best practices. The flexible foundation supports future adoption of advanced capabilities including Amazon Security Analytics and Response, federated search, and automated incident response workflows. Most critically, the organisation now detects and responds to threats more effectively whilst spending 50% less on security operations.