Cloud adoption has heralded a new age of business and technology, as organizations share compute, storage, and infrastructure resources to innovate and scale. But these developments have brought with them their own set of security hurdles to overcome. The volume of data resulting from rapid cloud provisioning and multiple cloud security products makes it impossible for your teams to remain agile and flexible in their threat response - without the help of automation.
However, the ideal “automated” incident response workflow is a balance of automated and manual tasks. It is flexible enough to automate the repetitive and standard tasks, but it also takes into account the less clear-cut security issues that require human investigation to determine the full scope of the problem and the dispositions required.
Demisto and Amazon Detective Integration
This integration between Demisto and Amazon Detective expands on the strategic alliance and existing deep integrations between AWS and Demisto. It provides the ideal workflow balance of automation coupled with deeper human investigation, giving security teams direct access via Demisto to Amazon Detective’s rich source of resource profiles (AWS Account, AWS role, AWS user, EC2 instance, IP Address, User Agent, GuardDuty Findings) and the behavior and actions on these resources. In cases where further investigation of findings is required, direct access to Amazon Detective is easily integrated into Demisto’s playbooks to speed analysis and standardize incident response.
For example, an alert from AWS Security Hub or GuardDuty might trigger a playbook that creates the incident, provides access to finding/resource details from Amazon Detective and other AWS products to extract wider context, enabling the security team to better prioritize their remediation efforts.
Interactive, real-time investigation of complex threats
After running playbooks, your team can then gain greater visibility when investigating threats and issues within target accounts. They can run commands from other security tools in real-time, or dig deeper into Amazon Detective on a specific finding or to identify related items that need to be addressed. All actions taken by the security analyst are auto-documented within the Demisto War Room, providing an evidence timeline and disposition audit trail for cross team collaboration or post investigation reporting.
Amazon Detective, coupled with Demisto’s orchestration workflows, helps cloud security teams streamline and scale their threat investigation and incident response efforts.
We hope you found this integration overview useful. To explore Demisto in greater detail, you can download our free community edition below.