AWS Targets Cloud Security with Incident Response Platform

AWS launches automated security response platform across 12 regions to help organisations handle account takeovers and ransomware attacks in real time.

The surge in cyber attacks targeting cloud infrastructure has created pressure for organisations to develop rapid response capabilities. The average cost of a data breach reached US$4.5 million in 2023, with cloud-based attacks accounting for a significant proportion of incidents.

Now, Amazon Web Services (AWS) has unveiled a security incident response service designed to automate the handling of cyber attacks.

The move comes as organisations struggle to manage growing volumes of security alerts across cloud environments. Many security teams rely on manual processes to investigate and respond to potential threats, leading to delays that can increase the impact of security breaches.

The AWS Security Incident Response platform integrates with the company's existing GuardDuty threat detection service and third-party security tools through AWS Security Hub to help organisations manage security breaches, account compromises and ransomware incidents.

AWS launches automated security triage capabilities

The service introduces automated triage capabilities for security findings, using customer-specific data to filter alerts based on expected behaviour patterns. This automation aims to address the challenge of security teams facing high volumes of daily alerts, which can lead to critical security notifications being overlooked.

Betty Zheng, Senior Developer Advocate at AWS, says: “Security events are becoming more pervasive and complex for customers. Security teams often face an overwhelming number of daily alerts, leading to potential misplaced priorities of resources and reduced effectiveness.”

The platform includes pre-configured notification rules and permission settings that extend to internal teams and external security providers. A central console provides integrated messaging, secure data transfer and video conferencing scheduling, accessible via APIs or the AWS Management Console.

Service integration enhances AWS Organizations security coverage

The onboarding process integrates with AWS Organizations to provide security coverage for current and future accounts. Organisations must select a central account within their AWS infrastructure where all active and historical security events can be created and managed.

The proactive incident response feature creates service-level permissions allowing Security Incident Response to monitor and investigate findings. For alerts that cannot be automatically remediated, the service creates a security case and notifies stakeholders within the customer's organisation.

Customers can configure permissions for the service to execute containment actions by deploying specific Identity and Access Management (IAM) roles. IAM is the security tool that manages access to AWS services and resources securely.

AWS Customer Incident Response Team offers round-the-clock support

Organisations using the service gain access to the AWS Customer Incident Response Team (CIRT), which provides 24/7 support during security incidents. The platform allows companies to handle incidents independently or work with third-party security vendors.

The service dashboard includes performance metrics such as mean time to resolution (MTTR) – the average time taken to resolve security incidents – and tracks the number of active and closed cases within specific timeframes. These metrics can be accessed without manual data collection or report creation.

Key facts
  • US$4.5m: Average cost of a data breach in 2023 (IBM)
  • 12: Number of AWS regions where Security Incident Response is available
  • 24/7: Hours of support provided by AWS Customer Incident Response Team

Implementation requires organisations to select a central account within their AWS setup, where security events are managed. The service then creates permissions to monitor findings from GuardDuty or third-party detection tools through Security Hub.

AWS Security Incident Response deployment spans global regions

The service has launched in 12 AWS regions including US East (N. Virginia, Ohio), US West (Oregon), Asia Pacific (Seoul, Singapore, Sydney, Tokyo), Canada (Central), and Europe (Frankfurt, Ireland, London and Stockholm).

The service aims to support customers across all phases of the incident response lifecycle, from preparation to detection, analysis and recovery. This comprehensive approach includes automation of manual tasks and streamlined communication between stakeholders.

As Betty Zheng says: “Manual investigation of findings strains resources and may cause customers to overlook critical security alerts. Additionally, coordinating responses across multiple stakeholders, managing permissions in various environments and documenting actions complicate the process.”


Cyber Magazine is a BizClik brand