
AWS launches automated service for incident response

AWS Security Incident Response, which launched ahead of the re:Invent 2024 conference this week, can automatically triage and remediate events detected in Amazon GuardDuty.

AWS on Sunday launched a new service designed to assist customers' incident response efforts by automating triage and remediation processes.

AWS Security Incident Response, which was unveiled ahead of the company's re:Invent 2024 conference this week, is aimed at reducing organizations' mean time to respond to potential threats and cyberattacks. The service can automatically triage and remediate security events detected through Amazon GuardDuty, the cloud giant's threat detection service, or other supported third-party tools, while escalating events that require attention from security teams.

Hart Rossman, vice president of global services security at AWS, said that in cases of high-priority threats, the service enables streamlined access to the AWS Customer Incident Response Team (CIRT), which provides 24/7 support.

"It enables centralized security teams to focus on the most immediate and relevant findings," he said. "It also provides communication and collaboration features that streamline incident response and allow direct collaboration with the AWS CIRT."

Rossman said AWS Security Incident Response provides customers with clear triage and waterfall rules in the service documentation so that organizations understand what detections GuardDuty generates and how those detections can be prioritized. He also said the automated triage feature uses machine learning technology for the decision-making process.

"Shortly after GA [general availability], we have some generative AI features we plan to release," Rossman said. "We have some good ideas there, and they are pretty well-founded and well-tested, but we're not making them immediately available."

AWS Security Incident Response also offers preconfigured permission settings and policies for both internal employees and third parties such as external security teams. The service provides a central console that enables customers to manage current incidents, adjust alert settings and track case histories as well as metrics such as mean time to resolution.

"Security teams often face an overwhelming number of daily alerts, leading to potential misplaced priorities of resources and reduced effectiveness," Betty Zheng, senior developer advocate at AWS, wrote in a blog post announcing AWS Security Incident Response. "Manual investigation of findings strains resources and may cause customers to overlook critical security alerts."

Rossman said the service, which has been in development for nearly two years, was born from customers' desire to have the same tools and techniques as AWS CIRT but as a self-service. Customer trials during the preview phase showed how much automated triage can reduce alert fatigue for security teams, he said.

"Noise suppression is key," Rossman said. "We're focusing on driving down the mean time to respond, and that means having a set of algorithms that help us suppress the alerts that can be auto-resolved and then escalating the ones that really need a human in the loop."

The preview phase also revealed that many organizations have a disparate incident response landscape, with different tools that don't necessarily interoperate and multiple communication channels spread across several environments. Rossman said having one central communications channel for both internal and external stakeholders is crucial.

Rossman said that in addition to GuardDuty and supported third-party tools, AWS will look at adding more data sources to AWS Security Incident Response in the future. "We've got a really exciting roadmap to drive increased capabilities and increased value for the customers," he said.

AWS Security Incident Response is now available globally.

Rob Wright is a longtime reporter and senior news director for TechTarget Editorial's security team. He drives breaking infosec news and trends coverage.
