This week at AWS re:Invent, AWS released the Security Incident Response service. It’s an awesome service and we are super excited to be a launch partner for the associated AWS Security Incident Response Specialization. Let’s step through what the service is and what it means for customers. We are one of only 13 launch partners worldwide with expertise in the service and Security Incident Response (IR).

What is Incident Response?

IR is the process of responding to a cybersecurity incident that is potentially impacting your environment or workload. Following the NIST model, our focus in response (once the incident has been detected) is to recover the workload. This involves stepping through the investigation. From this, the containment and eradication approach is determined to recover the application.

As an MSSP, RedBear provides an IR service as part of the standard offering. We use a combination of automation backed by manual response through our security operations team to manage the end-to-end process. We are also involved in IR and forensics for other customers to help them recover from an incident.

What is the AWS Security Incident Response service?

This brand new tool brings a whole new way to manage security incidents in the AWS console. It is intended to help with preparation, triaging and management of incidents. Today, many customers struggle with speed of response due to alert fatigue. This can lead to burnout and dissatisfaction amongst response teams. The new service aims to help with these challenges.

Today the service takes findings from Amazon GuardDuty and AWS Security Hub. It automatically triages those, using threat intelligence and learnt behaviour relevant to your AWS environment to prioritise findings. Anything not automatically suppressed will be flagged in the console for investigation. You can also manually create an incident based on some observed behaviours. Within the tool, you can communicate with relevant parties – no more tracking down how to get hold of someone in the heat of an incident.

As well as providing collaboration within your AWS Organization, it has simple integration to both the AWS Critical Incident Response Team (CIRT) and to approved third parties. As a Specialization partner, you can hook RedBear into an incident 24/7 if you need help with your response.

What does it mean for you?

Our existing (and future!) MSSP customers already benefit from RedBear’s incident response service. For other non-MSSP customers who require an IR program (who doesn’t?), this is a fantastic tool to quickly respond to and recover from incidents. It enables simple collaboration between parties, including the AWS CIRT where required. It’s an awesome enhancement to our existing Security Incident Response service.

The inclusion of the ability to perform IR exercises within the tool is super powerful. We often find customers may have developed an IR plan or process but rarely, if ever, test it. This is often due to priorities and the complexities of organising and hosting. The new service helps to solve that problem.

Wrapping up

IR is all about people. The tools and technology are the easiest part. Being prepared is foundational, be that through making sure that the right data is being logged or by running IR game days with your teams.

If you want to know more about the AWS Security Incident Response service or IR in general, contact us at RedBear!
