Automated Cloud Security Access Monitoring and Response
Increased cloud adoption has improved organizational agility, reduced product time-to-market, and leveled the playing field. However, as organizations adopt more cloud services, the number of resources in those cloud environments grows rapidly, and it becomes a challenge for security teams to ensure access compliance at all times across the breadth of services in use.
Demisto and IAM Access Analyzer Integration
This integration between Demisto and AWS IAM Access Analyzer expands on the strategic alliance and existing deep integrations between AWS and Demisto. It helps security teams monitor compliance with resource-based policies for S3 buckets, IAM roles and KMS keys, and streamlines the incident response process when potential policy violations are detected.
When IAM Access Analyzer identifies a resource that is shared with a principal outside of your account, it generates a finding. This finding is automatically ingested into Demisto, where the specific details about the resource and the permissions that produced the finding can be used in real-time investigations or in automated playbook tasks. Demisto playbooks are task-based workflows that standardize incident response for a given type of incident (here, IAM Access Analyzer findings) and, more importantly, automate away repetitive, high-volume tasks so your team is freed up for proactive threat hunting and decision making.
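To make the finding logic above concrete, here is an added example (not Demisto or AWS code) that performs a simplified, offline version of the question Access Analyzer answers: which Allow statements in a resource-based policy grant access to a principal outside the owning account, and how a playbook might branch on each result. The bucket policy, account ids and the list of expected partner accounts are constructed sample data, and the check deliberately ignores `Condition` keys, which the real service does evaluate.

```python
import json

OWNER_ACCOUNT = "111111111111"             # constructed: account that owns the bucket
KNOWN_PARTNER_ACCOUNTS = {"333333333333"}  # constructed: cross-account access that is expected

# Constructed S3 bucket policy with three Allow statements and one Deny:
#  - in-account access (no finding expected)
#  - cross-account access for accounts 222222222222 and 333333333333
#  - public access (Principal "*")
#  - a Deny, which never widens access and is skipped
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "InAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "Partner", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:root", "333333333333"]},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "Public", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyDelete", "Effect": "Deny", "Principal": "*",
         "Action": "s3:DeleteBucket", "Resource": "arn:aws:s3:::example-bucket"},
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _aws_principals(statement):
    """Return the AWS (account or IAM) principals of a statement; '*' means public."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return []


def _account_of(principal):
    """Extract the 12-digit account id from an IAM ARN or a bare account id."""
    if principal == "*":
        return None
    if principal.startswith("arn:"):
        return principal.split(":")[4]   # arn:partition:service:region:account:resource
    return principal


def external_grants(policy_json, owner_account):
    """List Allow statements that grant access to principals outside owner_account.

    Simplified stand-in for what an Access Analyzer finding reports; Condition
    keys (e.g. source-account restrictions) are not evaluated here.
    """
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _aws_principals(stmt):
            account = _account_of(principal)
            if account == owner_account:
                continue
            findings.append({
                "sid": stmt.get("Sid"),
                "principal": principal,
                "external_account": account,
                "is_public": principal == "*",
                "actions": _as_list(stmt["Action"]),
            })
    return findings


def triage(finding, known_partners):
    """Pick the playbook branch for one finding: public access outranks everything."""
    if finding["is_public"]:
        return "critical"
    if finding["external_account"] in known_partners:
        return "expected"   # candidate for archiving the finding after review
    return "review"


if __name__ == "__main__":
    for f in external_grants(SAMPLE_BUCKET_POLICY, OWNER_ACCOUNT):
        print(f["sid"], f["principal"], triage(f, KNOWN_PARTNER_ACCOUNTS))
```

The `triage` step is where a playbook would fan out: the public grant goes straight to a high-priority incident, the grant to an allow-listed partner account can be documented and closed, and the unknown cross-account grant is routed to an analyst for the War Room investigation described below.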
Interactive, real-time investigation of complex threats
While automated playbooks can ease your team’s workload, an attack investigation sometimes requires analysts to perform additional tasks, such as pivoting from one suspicious indicator to another to gather critical evidence and draw relations between incidents before finalizing resolution.
After running playbooks, your team can gain greater visibility and new actionable information about the attack by running IAM Access Analyzer commands in the Demisto War Room. They can query and view data in the War Room to understand the context behind cross-account usage, such as which external principals the resource-based policy allows and which resources they can reach. They can also run commands from other security tools in real time, giving a single-console view for end-to-end investigation. The War Room auto-documents all playbook and analyst actions, providing an audit trail for post-investigation reporting.
Comprehensive findings generated by IAM Access Analyzer, coupled with Demisto’s orchestration workflows, help cloud security teams confidently scale to handle high volumes of cloud alerts with automated, policy-driven response actions.
We hope you found this integration overview useful. To explore Demisto in greater detail, you can download our free community edition below.