Date: 2024-12-02

Amazon Web Services (AWS) has launched a new service to help organizations prepare for and recover from ransomware attacks, account takeovers, data breaches, and other security events: AWS Security Incident Response (SIR).

Creating a case (Source: AWS)

AWS Security Incident Response explained

“Security events are becoming more pervasive and complex for customers,” says Betty Zheng, Senior Developer Advocate at AWS. Incident response is becoming harder due to the increased complexity and the lack of in-house resources.

“You can enable Security Incident Response across AWS Organizations through your management or delegated administrator account. To experience the full service, we recommend activating Amazon GuardDuty [Amazon’s threat detection service, which has also been enhanced] and AWS Security Hub as well,” AWS explains.

Once Security Incident Response is granted the necessary permissions, it monitors and triages findings from those services and, if it finds that attention or action is required, notifies the organization’s incident responders. Certain containment actions can also be automated through the service to speed up incident response.

“Customers can access a centralized console with integrated features, such as messaging, secure data transfer, and video conference scheduling, all accessible through service APIs or the AWS Management Console. Additional capabilities include automated case history tracking and reporting, allowing security teams to focus on remediation and recovery efforts,” Zheng said, describing the offering’s communication and collaboration tools.

“The service simplifies incident response by offering preconfigured notification rules and permission settings that can be extended to both internal and external stakeholders, including third-party security providers.”

The final element of the service is access to security investigation tools and playbooks, and the AWS CIRT experts. Organizations can choose to use just the former or both. In the latter case, they should expect a response within 15 minutes.

After the security event has been resolved, the service allows users to review a case history of all incident-related activities, so they can see what they did well and pinpoint things they should change to improve their security posture. SIR can also be used to simulate security events and thus train their security team to respond to them.