AWS expands cybersecurity portfolio with AWS Security Incident Response
Amazon Web Services Inc. is expanding its cybersecurity portfolio with a new service that will make it easier for customers to detect and remediate breach attempts.
The offering, AWS Security Incident Response, made its debut on Sunday. It’s one of several platform additions the cloud giant introduced ahead of this week’s AWS re:Invent 2024 conference, where more product updates are expected.
Security Incident Response is powered by two existing services: Amazon GuardDuty and AWS Security Hub. The former offering is a threat detection engine that scans cloud environments for malicious activity. Security Hub, meanwhile, finds configuration-related vulnerabilities. It includes integrations that can collect technical data from certain third-party cybersecurity products.
Security Incident Response draws on data from GuardDuty and the third-party cybersecurity tools that customers integrate with Security Hub. The new service scans the collected information for signs of malicious activity and filters out unnecessary logs. It also highlights particularly high-priority items that require immediate attention.
Companies that sign up for the service receive access to a collection of playbooks, automation workflows designed to speed up common cybersecurity chores. They were originally developed for the AWS Customer Incident Response Team, or CIRT, which helps customers respond to breaches. The cloud giant says that its playbooks automate tasks such as detecting when a malicious container launches in a Kubernetes cluster.
After Security Incident Response detects a potential breach, customers can use built-in incident management tools to remediate it. There are messaging, videoconferencing and file sharing features for coordinating the teams involved in tackling a cyberattack. A case tracking portal allows companies to refer a cybersecurity incident to the AWS CIRT or another breach remediation provider.
“Customers gain access to self-service investigation tools and 24/7 support from the AWS CIRT,” AWS senior developer advocate Betty Zheng wrote in a blog post. “Customers also have the ability to handle incidents independently or interoperate with third-party security vendors.”
Security Incident Response also lends itself to certain related tasks. According to AWS, companies can use the service to simulate cyberattacks and measure how effectively their breach response teams handle them. Such exercises provide an opportunity to identify weak points in an organization’s cybersecurity workflows before hackers do.
To ease analysis, Security Incident Response includes a dashboard that displays information about companies’ breach response efforts. It tracks metrics such as the number of cybersecurity incidents that were reported in a given time frame and the mean time to resolution.
AWS customizes certain elements of Security Incident Response based on customer-provided data. For example, a company can specify a list of known IP addresses used by its subsidiaries to ensure the service won’t flag traffic from those addresses as malicious. Such configuration rules reduce false positives and thereby save time for cybersecurity teams.
“Customers can also configure permissions for the service to execute containment actions by deploying specific IAM roles,” Zheng explained. “By using these Security Incident Response containment capabilities, customers can achieve faster incident response times and potentially minimize the impact of security events on accounts and resources.”