Amazon Web Services has introduced a new incident response service intended to help security teams respond to threats faster and to shorten the time organizations need to recover from cyber attacks. The service, AWS Security Incident Response, was unveiled ahead of the company's re:Invent 2024 conference in Las Vegas.
The service uses machine learning to automatically triage and analyze security findings from Amazon GuardDuty and from supported third-party threat detection tools that are integrated through AWS Security Hub, the AWS cloud security posture management service. With triage automated, security teams can concentrate on investigating incidents, coordinating the response across stakeholders, managing permissions across environments, and documenting the actions taken and decisions made, which together make for a more streamlined incident response process.
Betty Zheng, a senior developer advocate at AWS, highlighted the necessity for such a service in a blog post announcing the launch of AWS Security Incident Response. Zheng pointed out that security teams often face an overwhelming volume of daily alerts, potentially resulting in misallocated resources and decreased efficiency. Manual investigation of security findings can strain resources and cause crucial security alerts to be overlooked, underscoring the critical importance of automating incident response procedures for quick and effective threat mitigation.
The service ships with preconfigured notification rules and permission settings so that containment actions can be carried out quickly, shortening response times and limiting the impact of a breach. Findings that cannot be resolved automatically become security cases for the security team to work. For high-priority threats, the service connects the customer with the AWS Customer Incident Response Team (CIRT) for round-the-clock support.
Moreover, AWS Security Incident Response offers self-service investigation tools, secure data transfer options for sharing logs and forensics data, messaging and video conference scheduling for seamless communication with stakeholders and investigators, and automated case history tracking and reporting capabilities. Security teams can handle incidents independently or collaborate with third-party security vendors according to their specific needs and requirements.
To continuously enhance incident response performance, security teams can monitor and measure their progress over time through a dedicated service dashboard displaying key metrics like mean-time-to-resolution (MTTR), number of cases resolved within specific time frames, and the number of triaged findings, among others.
AWS Security Incident Response is now available in 12 AWS Regions, spanning the US, Canada, Asia Pacific, and Europe. Organizations can enable it through the AWS Management Console or the service's APIs. To let the service monitor and analyze security alerts, administrators must enable its proactive response feature, which grants the service the permissions it needs. Customers also supply context such as trusted IP addresses and AWS Identity and Access Management (IAM) principals; the service uses this context to categorize alerts automatically and to resolve, through its own automation, those that match known-good activity.
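To make the triage and metrics behaviour described above concrete, the following is an added example, not AWS's code and not the service's actual logic, of how a triage rule set can combine finding severity with customer-supplied trusted IP ranges and IAM principals, and how the mean-time-to-resolution and resolved-within-window figures mentioned earlier can be computed from case timestamps. Every value in it is constructed: the CIDRs, principal names, finding IDs and types, and case timestamps are made up, and the ASFF field paths it reads (Severity.Label, Network.SourceIpV4, Resources[].Details.AwsIamAccessKey.PrincipalName) are assumed for the sample rather than taken from the article.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Customer-supplied context of the kind the article describes. Constructed values.
TRUSTED_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),   # e.g. corporate egress range (assumed)
    ipaddress.ip_network("198.51.100.0/24"),  # e.g. CI/CD runner range (assumed)
]
TRUSTED_PRINCIPALS = {"CI-Deployer", "BackupAutomation"}  # assumed role/user names

# Severities that always get a human. Trusted context must not silence these:
# a trusted key or address doing something severe is exactly the
# compromised-credential case an analyst needs to see.
ESCALATE = {"HIGH", "CRITICAL"}

# Constructed GuardDuty-style findings in the ASFF shape Security Hub forwards.
# Only the fields read below are populated; type strings and IDs are invented.
SAMPLE_FINDINGS = [
    {"Id": "f-001", "Types": ["TTPs/Discovery/Recon:EC2-PortProbe"],
     "Severity": {"Label": "LOW"},
     "Network": {"SourceIpV4": "203.0.113.17"},
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0abc123"}]},
    {"Id": "f-002", "Types": ["TTPs/Persistence/IAMUser:AnomalousBehavior"],
     "Severity": {"Label": "MEDIUM"},
     "Network": {"SourceIpV4": "192.0.2.44"},
     "Resources": [{"Type": "AwsIamAccessKey", "Id": "AKIAIOSFODNN7EXAMPLE",
                    "Details": {"AwsIamAccessKey": {"PrincipalName": "CI-Deployer"}}}]},
    {"Id": "f-003", "Types": ["TTPs/CommandAndControl/Backdoor:EC2-C2Activity"],
     "Severity": {"Label": "HIGH"},
     "Network": {"SourceIpV4": "203.0.113.17"},
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0def456"}]},
    {"Id": "f-004", "Types": ["TTPs/Persistence/IAMUser:AnomalousBehavior"],
     "Severity": {"Label": "MEDIUM"},
     "Network": {"SourceIpV4": "192.0.2.9"},
     "Resources": [{"Type": "AwsIamAccessKey", "Id": "AKIAI44QH8DHBEXAMPLE",
                    "Details": {"AwsIamAccessKey": {"PrincipalName": "unknown-user"}}}]},
]


def source_ip(finding):
    return finding.get("Network", {}).get("SourceIpV4")


def principal_name(finding):
    """First IAM principal named in the finding's resources, if any."""
    for res in finding.get("Resources", []):
        if res.get("Type") == "AwsIamAccessKey":
            return res.get("Details", {}).get("AwsIamAccessKey", {}).get("PrincipalName")
    return None


def ip_is_trusted(ip):
    if not ip:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # a malformed address is never "trusted"
    return any(addr in net for net in TRUSTED_CIDRS)


def triage(finding):
    """Return (outcome, reason); outcome is 'escalated', 'auto_resolved' or 'case'."""
    severity = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
    if severity in ESCALATE:  # severity gate runs before any trust-based suppression
        return "escalated", f"severity {severity} always opens a case for human review"
    ip = source_ip(finding)
    if ip_is_trusted(ip):
        return "auto_resolved", f"source {ip} is inside a trusted range"
    principal = principal_name(finding)
    if principal in TRUSTED_PRINCIPALS:
        return "auto_resolved", f"principal {principal} is on the trusted list"
    return "case", "no trusted context matched; needs analyst investigation"


def triage_all(findings=SAMPLE_FINDINGS):
    return {f["Id"]: triage(f)[0] for f in findings}


# Constructed case records: (opened_at, resolved_at or None while still open).
_T0 = datetime(2024, 12, 2, 9, 0, tzinfo=timezone.utc)
SAMPLE_CASES = [
    (_T0, _T0 + timedelta(hours=2)),
    (_T0, _T0 + timedelta(hours=30)),
    (_T0 + timedelta(hours=5), None),
]


def case_metrics(cases=SAMPLE_CASES, within=timedelta(hours=24)):
    """MTTR in hours over resolved cases, count resolved within `within`, and open count."""
    durations = [resolved - opened for opened, resolved in cases if resolved is not None]
    open_count = len(cases) - len(durations)
    if not durations:
        return {"mttr_hours": None, "resolved_within_window": 0, "open": open_count}
    mttr = sum(durations, timedelta()) / len(durations)
    return {
        "mttr_hours": mttr.total_seconds() / 3600,
        "resolved_within_window": sum(1 for d in durations if d <= within),
        "open": open_count,
    }


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f["Id"], *triage(f))
    print(case_metrics())
```

The ordering in `triage` is the point worth copying into any real rule set: the severity check comes before the trusted-IP and trusted-principal checks, so finding f-003 (HIGH, but from a trusted address) still escalates while the LOW and MEDIUM findings that match trusted context are resolved without an analyst. Trusted context reduces noise; it must never be allowed to hide a trusted credential that has started behaving like an attacker.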
AWS recommends enabling Amazon GuardDuty and AWS Security Hub to get the full benefit of the service, since those are the sources it triages. With them in place, organizations can use the service to tighten their incident response process and strengthen their overall security posture.