Cloud adoption has heralded a new age of business and technology, as organizations share compute, storage, and infrastructure resources to innovate and scale. But these developments have brought with them their own set of challenges.
From an incident response standpoint, cloud security data and processes are often isolated from traditional security tooling, so maintaining overall security posture means working across multiple consoles. From an operations standpoint, managing service credentials is tiresome: each service needs its own keys or passwords to call a different set of APIs. Users need a platform that unifies incident response across cloud and on-premises infrastructure without the burden of credential management.
Demisto’s security orchestration and automation capabilities can now be used to deploy and manage a variety of AWS services in a keyless and secure manner. Even the most complex AWS environments can be unified with traditional security measures via Demisto for repeatable and scalable cloud security incident response.
- Ingest AWS alert data from GuardDuty to create incidents in Demisto and trigger automated playbooks tied to those incidents.
- Leverage AWS IAM roles for securely automating tasks without credentials or API keys.
- Execute tasks tied to management of S3, EC2, and SQS from Demisto.
- Capture DNS information from Route 53 through automated tasks run on Demisto.
- Leverage hundreds of Demisto product integrations to further enrich AWS alerts and coordinate response across security functions.
- Run thousands of commands (including for AWS) interactively via a ChatOps interface while collaborating with other analysts and Demisto’s chatbot.
USE CASE #1
Automated enrichment and response for cloud security incidents
If cloud security consoles are isolated from other functions such as EDR, malware analysis, and threat intelligence, cross-referencing alerts from cloud security tools, gathering further context, and coordinating containment and response becomes time-consuming and repetitive for security analysts. The process also diverges depending on which analyst handles the incident, which leads to uneven response quality.
Analysts can use the AWS GuardDuty integration to ingest alert data, create incidents in Demisto, and trigger standard, automated playbooks for responding to those incidents. These playbooks can enrich the alert with further event details from GuardDuty and DNS information from Route 53, and coordinate across other products (including other AWS services) to gather wider context without screen switching and manual repetition.
For example, a playbook could query GuardDuty for IP sets, use Route 53 for domain information, and read messages from SQS queues before updating S3 bucket policies and terminating EC2 instances as response actions. Where instances are to be terminated, snapshotting their volumes and isolating them first preserves evidence for later forensic work.
Running AWS lookups and actions in the same window as other products' actions saves screen-switching time and lets analysts draw on every security function for richer and deeper incident context.
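The enrich-then-contain sequence described above, as an added example that is not Demisto's playbook or code. It parses a constructed GuardDuty finding in the shape returned by the GetFindings API (the account, instance, addresses and domain are made up), pulls out the observables a playbook would enrich, and orders the response so that evidence capture and isolation precede termination. The step names (`route53.lookup_records`, `ec2.isolate_security_group` and so on) are hypothetical playbook tasks, not Demisto command names.

```python
"""Triage of a GuardDuty finding into enrichment lookups and an ordered response plan.

Added example, not Demisto's playbook or code. SAMPLE_FINDING is a constructed document in
the shape the GuardDuty GetFindings API returns; account, instance, addresses and domain are
made up. The step names in plan_response are hypothetical playbook tasks, not Demisto commands.
"""
import ipaddress

SAMPLE_FINDING = {  # constructed sample
    "Id": "a4b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5",
    "Type": "Backdoor:EC2/C&CActivity.B!DNS",
    "Severity": 8.0,
    "AccountId": "111122223333",
    "Region": "us-east-1",
    "Resource": {
        "ResourceType": "Instance",
        "InstanceDetails": {
            "InstanceId": "i-0123456789abcdef0",
            "NetworkInterfaces": [{"PrivateIpAddress": "10.0.1.23", "PublicIp": "203.0.113.45"}],
        },
    },
    "Service": {
        "Action": {
            "ActionType": "DNS_REQUEST",
            "DnsRequestAction": {"Domain": "c2.example.net", "Protocol": "UDP", "Blocked": False},
        },
        "Count": 37,
    },
}

HIGH_SEVERITY = 7.0  # GuardDuty reports 7.0 to 8.9 as High

# Addresses that are never worth a reputation or Route 53 lookup.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    """True for a syntactically valid address outside the internal ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in _INTERNAL_NETS)


def extract_indicators(finding):
    """Observables a playbook enriches: the instance, its addresses, remote IPs and domains.
    Handles the action shapes GuardDuty uses for EC2 findings (network, API call, port probe, DNS)."""
    details = finding.get("Resource", {}).get("InstanceDetails", {})
    local_ips = [nic[key] for nic in details.get("NetworkInterfaces", [])
                 for key in ("PrivateIpAddress", "PublicIp") if nic.get(key)]
    action = finding.get("Service", {}).get("Action", {})
    remote_ips = []
    for key in ("NetworkConnectionAction", "AwsApiCallAction"):
        ip = action.get(key, {}).get("RemoteIpDetails", {}).get("IpAddressV4")
        if ip:
            remote_ips.append(ip)
    for probe in action.get("PortProbeAction", {}).get("PortProbeDetails", []):
        ip = probe.get("RemoteIpDetails", {}).get("IpAddressV4")
        if ip:
            remote_ips.append(ip)
    domain = action.get("DnsRequestAction", {}).get("Domain")
    return {
        "instance_id": details.get("InstanceId"),
        "local_ips": local_ips,
        "remote_ips": [ip for ip in remote_ips if is_external(ip)],
        "domains": [domain] if domain else [],
    }


def plan_response(finding):
    """Ordered playbook steps. Evidence capture and isolation come before anything destructive:
    terminating the instance first would discard its volumes along with the evidence."""
    ind = extract_indicators(finding)
    steps = [("guardduty.get_finding", finding["Id"])]
    steps += [("route53.lookup_records", d) for d in ind["domains"]]
    steps += [("threatintel.ip_reputation", ip) for ip in ind["remote_ips"]]
    if ind["instance_id"]:
        steps.append(("ec2.snapshot_volumes", ind["instance_id"]))
        steps.append(("ec2.isolate_security_group", ind["instance_id"]))
        if finding.get("Severity", 0) >= HIGH_SEVERITY:
            steps.append(("ec2.terminate", ind["instance_id"]))
    return steps


if __name__ == "__main__":
    for step, target in plan_response(SAMPLE_FINDING):
        print(f"{step:28s} {target}")
```

Two design choices worth noting: private, loopback and link-local remote addresses are dropped before any reputation lookup, since they carry no external context, and termination is gated on the High severity band so a low-severity port probe does not destroy a workload automatically.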
To learn more about Demisto's AWS integration, read our joint solution brief.
USE CASE #2
Keyless automation of tasks for zero-trust security
Static credentials tied to AWS services carry business and security risk: they have to be passed between teams during hand-offs, stored and rotated centrally for every application, and kept out of the hands of outsiders. All of that is extra work, and it still leaves a long-lived secret that can leak.
Demisto's integration with AWS Identity and Access Management (IAM) lets users and automated playbooks reach AWS services in a secure, keyless manner. Users can work with IAM roles from within Demisto, attach to those roles the permissions a playbook needs, grant users and playbooks the right to assume them, and execute automated actions under those roles with no credentials to store or transfer.
A keyless approach leaves no long-lived credentials to slip through the cracks onto external domains, closing off the class of attacks that begin with weak credential management. Enterprises can keep automating complex AWS environments without giving up the granular role-based security of AWS services.
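The role-based, keyless pattern described in this use case, as an added example that is not Demisto's code. All names are hypothetical: the automation engine is assumed to run on an EC2 instance whose instance profile is `DemistoEngineRole`, so its configuration holds no access keys, and each account it acts on holds a scoped `DemistoPlaybookRole` that trusts the engine role and requires an ExternalId. The block builds the two IAM policy documents, lints them for the mistakes that most often undo the benefit (wildcard actions, an open trust policy, no ExternalId), and shows the STS `AssumeRole` exchange that yields short-lived credentials for a playbook run.

```python
"""Keyless AWS access for an automation engine, as an added example (not Demisto's code).

Assumptions (all names hypothetical): the engine runs on an EC2 instance whose instance
profile is DemistoEngineRole, so its configuration holds no access keys; each account it
acts on holds a scoped DemistoPlaybookRole that trusts the engine role and requires an
ExternalId. Playbook commands assume that role and use the short-lived STS credentials
it returns.
"""
import json

ENGINE_ROLE_ARN = "arn:aws:iam::111111111111:role/DemistoEngineRole"      # hypothetical
PLAYBOOK_ROLE_ARN = "arn:aws:iam::222222222222:role/DemistoPlaybookRole"  # hypothetical
EXTERNAL_ID = "demisto-prod-7f3a9c"  # hypothetical; guards against the confused-deputy problem

# Only the API actions the cloud-incident playbook actually calls (GuardDuty, Route 53, SQS, S3, EC2).
PLAYBOOK_ACTIONS = [
    "guardduty:ListFindings", "guardduty:GetFindings", "guardduty:ListIPSets", "guardduty:GetIPSet",
    "route53:ListHostedZones", "route53:ListResourceRecordSets",
    "sqs:ReceiveMessage", "sqs:GetQueueAttributes",
    "s3:GetBucketPolicy", "s3:PutBucketPolicy",
    "ec2:DescribeInstances", "ec2:CreateSnapshot", "ec2:ModifyInstanceAttribute", "ec2:TerminateInstances",
]


def trust_policy(engine_role_arn, external_id):
    """Who may assume the playbook role: only the engine's role, and only with the ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": engine_role_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permission_policy(actions):
    """What the playbook role may do: an explicit allow-list, never a service or global wildcard."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}],
    }


def policy_problems(permission_doc, trust_doc):
    """Cheap lint a deployment pipeline can run before the role is created. Returns a list of findings."""
    problems = []
    for stmt in permission_doc["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                problems.append(f"wildcard action {action}")
    for stmt in trust_doc["Statement"]:
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            problems.append("trust policy allows any principal")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            problems.append("trust policy has no ExternalId condition")
    return problems


def assume_playbook_role(role_arn=PLAYBOOK_ROLE_ARN, external_id=EXTERNAL_ID,
                         session_name="demisto-playbook", duration_seconds=900):
    """Exchange the engine's instance-profile credentials for a short-lived session in the
    playbook role. Nothing here is read from a config file or a secret store."""
    import boto3  # imported lazily so the policy helpers above run without boto3 installed
    sts = boto3.client("sts")  # picks up the instance-profile credentials automatically
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           ExternalId=external_id, DurationSeconds=duration_seconds)
    creds = resp["Credentials"]
    session = boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                            aws_secret_access_key=creds["SecretAccessKey"],
                            aws_session_token=creds["SessionToken"])
    return session, creds["Expiration"]  # the expiry is worth logging; the keys never are


if __name__ == "__main__":
    trust = trust_policy(ENGINE_ROLE_ARN, EXTERNAL_ID)
    perms = permission_policy(PLAYBOOK_ACTIONS)
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("problems:", policy_problems(perms, trust) or "none")
    # session, expires = assume_playbook_role()        # needs an AWS environment to run
    # print(session.client("guardduty").list_detectors())
```

The 900-second session duration is the minimum STS allows and is enough for a playbook run; the credentials expire on their own, so there is nothing to rotate or revoke after a hand-off. Scoping `Resource` more tightly than `*` (for example, to instances carrying a particular tag for `ec2:TerminateInstances`) is the natural next step once the playbook's targets are known.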
We hope you found this integration overview helpful. Watch the video below for more details and a live playbook run-through of our AWS integration.
To explore Demisto in greater detail, you can access the Free Community Edition below.
Stay tuned for more product integration walkthroughs in the coming weeks.