AWS unveils new service for managing security incidents
AWS has introduced AWS Security Incident Response, a service designed to assist organisations in managing security events swiftly and efficiently.
The service is intended to help customers prepare for, respond to, and recover from security events such as account takeovers, data breaches, and ransomware attacks. It uses automation to triage and investigate security findings from Amazon GuardDuty and from integrated third-party threat detection tools via AWS Security Hub.
Key features of Security Incident Response include its ability to facilitate communication and coordination by providing 24/7 access to the AWS Customer Incident Response Team (CIRT), which can offer support during security incidents. This positions the service as a solution spanning the incident response lifecycle, covering the preparation, detection, analysis, and recovery phases.
Security Incident Response addresses the complexities and pervasiveness of security events, which often overwhelm security teams with numerous alerts, potentially leading to misallocated resources and decreased efficacy. The challenge of manual investigations, stakeholder coordination, permission management, and documentation is significant, highlighting the need for enhanced customer support during security events.
The service comprises three main capabilities to aid customers in managing security events. The automated triaging of security findings helps identify high-priority incidents that need immediate action. Automation and customer-specific data aid in filtering and suppressing findings based on expected behaviour to maintain focus on critical alerts.
Incident response is simplified through preconfigured notification rules and permission settings extendable to both internal and external stakeholders, including third-party security providers. Customers can use a centralised console with integrated features such as messaging, data transfer, and video conference scheduling. It also provides automated case history tracking and reporting features.
Customers gain access to self-service investigation tools and have the option of 24/7 support from AWS CIRT. This flexibility allows customers to manage incidents independently or to work with third-party vendors according to their specific needs and requirements.
A service dashboard provides customers with metrics to measure and enhance the performance of their security incident response over time. These metrics, which include mean time to resolution, active and closed case counts, and triaged findings, are instantly accessible without requiring additional report generation.
The onboarding process is streamlined, integrating with AWS Organizations to ensure comprehensive security coverage. Customers select a central account for managing all security events. A proactive incident response feature allows automated monitoring, investigation, sorting, and remediation of findings.
Additionally, customers can configure permissions for containment actions through specific IAM roles, which could speed up incident response and reduce the impact of security events.
AWS Security Incident Response is now available in 12 AWS regions globally, including the US, Asia Pacific, Canada, and Europe.