Basin EPP Integration: Insider Threat Detection
Served as single point of contact for all EPP-Basin integrations, managing 9PB+ daily endpoint data from 5M monitored endpoints to enable insider threat detection and IP protection.

The Challenge
Amazon's Endpoint Protection Platform (EPP) team monitored 5 million corporate endpoints for security threats, insider risk, and IP protection. However, their endpoint data—file hash data, endpoint telemetry, security events—needed to flow into Basin for correlation with other security data sources and into AIP for alias-based investigations. EPP and Basin were separate organizations with different priorities, and real-time vs. batch detection latency was a critical challenge affecting threat detection speed.
My Approach
Established myself as the sole point of contact for ALL EPP-Basin integrations from the start of the Basin program, working with approximately 50 EPP team members throughout the program lifecycle. Addressed the real-time vs. batch detection challenge by gathering latency data across the entire pipeline—from file creation timestamp through event timestamp, Basin delivery time, and parquet conversion time—then analyzed use cases to determine whether streaming or batch processing was optimal for each detection type. Frequently scanned EPP data in Basin and recommended relevant datasets for AIP integration, creating a feedback loop where security engineers could request new datasets for the investigation platform. Guided security engineers on building new detections from endpoint data, including tying employee aliases to file hashes to detect sensitive IP exfiltration.
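To illustrate the latency analysis described above, here is an added example (not code from this page or from the EPP/Basin program): it computes p95 latency for each hop from constructed timestamp records and picks streaming or batch for each detection type against an assumed time-to-detect budget. Stage names, the sample records and the budgets are assumptions.

```python
import math
from datetime import datetime, timezone

# Constructed sample records (not real EPP data). Each carries the four timestamps
# named above: file creation, endpoint event, Basin delivery, parquet conversion.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00Z", "2024-01-01T10:00:02Z", "2024-01-01T10:00:40Z", "2024-01-01T10:12:00Z"),
    ("2024-01-01T10:00:00Z", "2024-01-01T10:00:01Z", "2024-01-01T10:01:05Z", "2024-01-01T10:15:00Z"),
    ("2024-01-01T10:00:00Z", "2024-01-01T10:00:03Z", "2024-01-01T10:00:50Z", "2024-01-01T10:20:00Z"),
    ("2024-01-01T10:00:00Z", "2024-01-01T10:00:02Z", "2024-01-01T10:02:00Z", "2024-01-01T10:18:00Z"),
]
STAGES = ["file_to_event", "event_to_basin", "basin_to_parquet"]  # assumed hop names

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def stage_latencies(record):
    """Seconds spent in each hop, plus cumulative time to Basin (what a streaming
    detection sees) and end-to-end time to parquet (what a batch detection sees)."""
    t = [_parse(x) for x in record]
    hops = {name: (t[i + 1] - t[i]).total_seconds() for i, name in enumerate(STAGES)}
    hops["to_basin"] = (t[2] - t[0]).total_seconds()
    hops["to_parquet"] = (t[3] - t[0]).total_seconds()
    return hops

def p95(values):
    """Nearest-rank 95th percentile; with a handful of samples this is the max."""
    s = sorted(values)
    return s[max(0, math.ceil(0.95 * len(s)) - 1)]

def pipeline_profile(records):
    """p95 of every hop and cumulative stage across all records."""
    per = [stage_latencies(r) for r in records]
    return {k: p95([p[k] for p in per]) for k in per[0]}

def recommend_mode(budget_s, profile):
    """Cheapest mode whose p95 latency still meets the detection's budget:
    batch reads parquet, streaming consumes at Basin delivery."""
    if profile["to_parquet"] <= budget_s:
        return "batch"
    if profile["to_basin"] <= budget_s:
        return "streaming"
    return "pipeline too slow for budget"

def plan(detection_budgets, records):
    """Map each detection type (assumed names/budgets) to a processing mode."""
    profile = pipeline_profile(records)
    return {name: recommend_mode(b, profile) for name, b in detection_budgets.items()}

if __name__ == "__main__":
    budgets = {"sensitive_hash_seen_on_endpoint": 300, "daily_exfil_volume_report": 86400}
    print(pipeline_profile(SAMPLE_EVENTS))
    print(plan(budgets, SAMPLE_EVENTS))
```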
Key Deliverables
Managed all EPP-Basin integrations as single point of contact across ~50 team members
Optimized detection latency by right-sizing streaming vs. batch processing for each use case
Enabled file hash-to-alias tracking for IP theft detection (Ring Camera IP, company financials)
Created detection framework and feedback loop for security engineers to request new datasets
Established data quality frameworks ensuring accuracy for security-critical investigations