Amazon Web Services’ (AWS) latest offering—Security Incident Response—facilitates faster communication and collaboration among stakeholders in an enterprise so they can identify and respond to threats swiftly and effectively.

The service, launched at the company’s annual flagship cloud computing event, re:Invent 2024, on December 1 (Sunday), helps customers “prepare for, respond to, and recover from” various security events, including account takeovers, data breaches and ransomware attacks.

“It offers the ability to have all the right information in the right place, the right access controls and then the ability to collaborate quickly on triaging. Recovery is another great benefit of the service,” Hart Rossman, Vice President of Global Services Security at AWS, told businessline.

Security, particularly incident response, is a team sport, he emphasised, adding that AWS has learned a lot of best practices over time, including the value of a service that allows customers to be more collaborative, effective and timely in security incident response as well as in preparation and post-issue analysis.

Betty Zheng, a Senior Developer Advocate at AWS, explains in a blog post that Security Incident Response automates the triage and investigation of security findings from Amazon GuardDuty and integrated third-party threat detection tools through AWS Security Hub.

It facilitates communication and coordination and provides 24/7 access to security experts from the AWS Customer Incident Response Team (CIRT) who can assist during security events, she added.

The service aims to provide customers with more comprehensive support across the phases of the incident response lifecycle, from preparation to detection, analysis, and recovery.

Security events are becoming more pervasive and complex for customers. Security teams often face an overwhelming number of daily alerts, leading to potential misplaced priorities of resources and reduced effectiveness. Manual investigation of findings strains resources and may cause customers to overlook critical security alerts.

Additionally, coordinating responses across multiple stakeholders, managing permissions in various environments, and documenting actions complicate the process. There is an opportunity to better support customers and remove various points of undifferentiated heavy lifting that customers face during security events.

“The launch that we announced this week is the tooling and capability for customers to do a lot of that (incident response) themselves… If you don’t have the expertise that the AWS CIRT has, this service now gives you some of that capability right for your own security or incident response team,” asserts Rossman.

AWS Customer Incident Response Team (CIRT) is a specialised 24/7 global AWS team, which was created by Rossman. It provides support to customers during security events on the customer side of the AWS Shared Responsibility Model.

“These (customer) security teams have a lot going on and they can be subject to alert fatigue. Just too much information coming at them. What the incident response service does is narrow that profile, automatically resolve what we can and then really allow them to focus on the most important tasks or alerts that they need to,” he added.

To this effect, the service automatically triages security findings from Amazon GuardDuty and supported third-party tools through Security Hub to identify high-priority incidents requiring immediate attention.

It leverages automation and customer-specific information to filter and suppress security findings based on expected behaviour, helping teams focus on critical security alerts.
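To make the triage step concrete, the following is an added illustration of what “filter and suppress findings based on expected behaviour, then surface the high-priority ones” looks like in code. It is not the AWS service’s implementation and not from the article’s sources: the finding records are constructed samples shaped like AWS Security Finding Format (ASFF) records as Security Hub exposes them, the `SuppressionRule` schema is an assumption for this example, and the ids, IP addresses and titles are made up.

```python
"""Finding triage over ASFF-style records: suppress expected behaviour, rank the rest.

Added illustration, not AWS code. Field names (Id, ProductName, Title,
Severity.Label, Resources, Network.SourceIpV4) follow the ASFF shape that
Security Hub uses; the rule schema and all sample values are constructed.
"""
from dataclasses import dataclass

# ASFF severity labels, ranked so findings can be sorted.
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class SuppressionRule:
    """One 'expected behaviour' rule (assumed schema, not the service's config format).

    A finding is suppressed only when every populated condition matches, so a
    rule can be as narrow as 'recon findings from this one authorised scanner'.
    """
    reason: str
    title_prefix: str = ""
    source_ips: frozenset = frozenset()
    resource_ids: frozenset = frozenset()

    def __post_init__(self):
        # A rule with no conditions would silently suppress every finding; refuse it.
        if not (self.title_prefix or self.source_ips or self.resource_ids):
            raise ValueError("suppression rule needs at least one condition")

    def matches(self, finding: dict) -> bool:
        if self.title_prefix and not finding.get("Title", "").startswith(self.title_prefix):
            return False
        if self.source_ips and finding.get("Network", {}).get("SourceIpV4") not in self.source_ips:
            return False
        if self.resource_ids:
            ids = {r.get("Id") for r in finding.get("Resources", [])}
            if not ids & self.resource_ids:
                return False
        return True


def severity(finding: dict) -> int:
    """Numeric rank of a finding's ASFF severity label (unknown labels rank lowest)."""
    return SEVERITY_RANK.get(finding.get("Severity", {}).get("Label", ""), 0)


def triage(findings, rules, min_label="HIGH"):
    """Split findings into (prioritised, deferred, suppressed).

    prioritised: not suppressed and at least min_label, highest severity first
    deferred:    not suppressed but below min_label; kept, not discarded
    suppressed:  (finding id, rule reason) pairs, so each decision is auditable
    """
    prioritised, deferred, suppressed = [], [], []
    threshold = SEVERITY_RANK[min_label]
    for f in findings:
        rule = next((r for r in rules if r.matches(f)), None)
        if rule is not None:
            suppressed.append((f["Id"], rule.reason))
        elif severity(f) >= threshold:
            prioritised.append(f)
        else:
            deferred.append(f)
    prioritised.sort(key=severity, reverse=True)
    return prioritised, deferred, suppressed


# Constructed sample findings (ids, IPs, titles and product names are made up).
SAMPLE_FINDINGS = [
    {"Id": "f-001", "ProductName": "GuardDuty", "Title": "Recon: port probe on unprotected port",
     "Severity": {"Label": "LOW"}, "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0aaa"}],
     "Network": {"SourceIpV4": "203.0.113.10"}},
    {"Id": "f-002", "ProductName": "GuardDuty", "Title": "Recon: port probe on unprotected port",
     "Severity": {"Label": "LOW"}, "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0aaa"}],
     "Network": {"SourceIpV4": "198.51.100.7"}},
    {"Id": "f-003", "ProductName": "GuardDuty", "Title": "UnauthorizedAccess: API call from known malicious IP",
     "Severity": {"Label": "HIGH"}, "Resources": [{"Type": "AwsIamAccessKey", "Id": "AKIAEXAMPLE"}],
     "Network": {"SourceIpV4": "192.0.2.44"}},
    {"Id": "f-004", "ProductName": "ExampleThirdPartyEDR", "Title": "Ransomware indicator on EC2 instance",
     "Severity": {"Label": "CRITICAL"}, "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0bbb"}]},
]

# Expected behaviour for this (constructed) environment: one authorised internal scanner.
SAMPLE_RULES = [
    SuppressionRule(reason="authorised internal scanner 203.0.113.10",
                    title_prefix="Recon:", source_ips=frozenset({"203.0.113.10"})),
]

if __name__ == "__main__":
    prioritised, deferred, suppressed = triage(SAMPLE_FINDINGS, SAMPLE_RULES)
    for f in prioritised:
        print("PRIORITISE", f["Id"], f["Severity"]["Label"], f["ProductName"], f["Title"])
    for f in deferred:
        print("DEFER     ", f["Id"], f["Severity"]["Label"], f["Title"])
    for fid, reason in suppressed:
        print("SUPPRESS  ", fid, "-", reason)
```

Two design points matter more than the code itself. Suppression is recorded with the rule’s reason rather than dropped, so an analyst can later audit why a finding never reached them, and the scanner rule is tied to both a finding-title prefix and a specific source address, so a genuine port probe from an unexpected host (f-002 above) still surfaces in the deferred bucket rather than disappearing behind the “expected behaviour” exception.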

The service simplifies incident response by offering preconfigured notification rules and permission settings that can be extended to both internal and external stakeholders, including third-party security providers.

Customers can access a centralised console with integrated features, such as messaging, secure data transfer, and video conference scheduling, all accessible through service APIs or the AWS Management Console.

Customers gain access to self-service investigation tools and 24/7 support from the AWS CIRT. Customers also have the ability to handle incidents independently or interoperate with third-party security vendors.

These options allow customers to choose, manage, and conduct their incident response based on their specific needs and requirements.

(The author is in Las Vegas at the invitation of Amazon Web Services (AWS))