Cloud adoption has heralded a new age of business and technology, as organizations share compute, storage, and infrastructure resources to innovate and scale. But these developments have brought with them their own set of security hurdles to overcome.
From an incident response standpoint, cloud security data and processes are often isolated from traditional security measures, requiring multiple consoles to manage overall security posture. The disparate environments resulting from rapid cloud provisioning and multiple cloud security products also lead to a lack of visibility.
To meet these challenges, Demisto integrates with AWS Security Hub to provide unified, automated security intelligence and incident response across cloud and on-premise infrastructures. Security Hub aggregates, organizes, and prioritizes security alerts from multiple AWS services as well as AWS Partner Network (APN) security solutions. Demisto ingests these alerts from Security Hub and executes automatable playbooks that coordinate across the entire product stack for standardized and scalable response processes.
- Ingest aggregated alert data from AWS Security Hub to create incidents in Demisto and trigger automated playbooks tied to those incidents.
- Leverage hundreds of Demisto product integrations (including multiple AWS integrations such as Amazon GuardDuty, AWS CloudTrail, Amazon Route 53, Amazon Elastic Compute Cloud (EC2) and more) to add further context to AWS Security Hub alerts and coordinate response across security functions.
- Run thousands of commands (including for AWS Security Hub) interactively via a ChatOps interface while collaborating with other analysts and Demisto’s chatbot.
USE CASE #1
Automated enrichment of and response to cloud security incidents
If cloud security consoles are isolated from other functions such as EDR, malware analysis, and threat intelligence, security analysts’ efforts to cross-reference alerts across sources are time-consuming and error-prone. Teams need to study alerts from cloud security tools, get further context, and coordinate containment and response for each incident. Processes also diverge depending on the analyst who handles the incident, leading to inconsistent response quality.
Analysts can use the AWS Security Hub integration to ingest alert data, create incidents in Demisto, and trigger standard, automated playbooks for responding to those incidents. These playbooks can enrich the alert with more event details from Amazon GuardDuty, DNS information from Amazon Route 53, as well as coordinate across other products (including other AWS services) to extract wider context without the need for screen switching and manual repetition.
For example, a playbook could query Amazon GuardDuty for IP sets, use Amazon Route 53 for domain information, and retrieve message queues from Amazon Simple Queue Service (SQS) before updating bucket policies on Amazon Simple Storage Service (S3) and deleting instances from Amazon Elastic Compute Cloud (EC2) as response actions.
Aggregating AWS data across products and executing actions from a central console can save screen switching time. Orchestrating other product actions in the same window can also help analysts coordinate across security functions for richer and more comprehensive incident context.
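To make the ingest-and-trigger flow of Use Case #1 concrete, here is an added Python example (not Demisto's integration code) that normalizes findings in the AWS Security Finding Format (ASFF), as returned by Security Hub's get_findings API, into incidents and selects the playbook each one should trigger. The incident field names and the playbook names are assumptions; the ASFF fields and Demisto's 0-4 severity scale are real, and the sample findings are constructed.

```python
from datetime import datetime

# Constructed ASFF findings standing in for a securityhub.get_findings() response.
SAMPLE_FINDINGS = [
    {"Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/guardduty/f-1",
     "Title": "EC2 instance querying a domain linked to a known C&C server",
     "UpdatedAt": "2019-03-04T10:15:00Z", "Severity": {"Label": "HIGH", "Normalized": 70},
     "Resources": [{"Type": "AwsEc2Instance", "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc"}],
     "Workflow": {"Status": "NEW"}},
    {"Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/cis-aws-foundations-benchmark/f-2",
     "Title": "S3 bucket allows public read access",
     "UpdatedAt": "2019-03-04T10:20:00Z", "Severity": {"Normalized": 45},  # no Label: use score
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-data-bucket"}],
     "Workflow": {"Status": "NEW"}},
    {"Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/guardduty/f-0",
     "Title": "Already handled finding", "UpdatedAt": "2019-03-03T08:00:00Z",
     "Severity": {"Label": "LOW", "Normalized": 20}, "Resources": [], "Workflow": {"Status": "RESOLVED"}},
]

LABEL_TO_SEVERITY = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Hypothetical playbook names, chosen by the ASFF type of the first affected resource.
PLAYBOOK_BY_RESOURCE = {"AwsEc2Instance": "AWS - EC2 Enrichment and Isolation",
                        "AwsS3Bucket": "AWS - S3 Bucket Policy Remediation"}

def severity_to_demisto(sev):
    """Map ASFF Severity.Label to Demisto's 0-4 scale; fall back to the 0-100 Normalized score."""
    n = sev.get("Normalized", 0)
    by_score = 4 if n >= 90 else 3 if n >= 70 else 2 if n >= 40 else 1 if n >= 1 else 0
    return LABEL_TO_SEVERITY.get(sev.get("Label"), by_score)

def select_playbook(finding):
    first = (finding.get("Resources") or [{}])[0]
    return PLAYBOOK_BY_RESOURCE.get(first.get("Type"), "AWS Security Hub - Generic Enrichment")

def finding_to_incident(finding):
    """Assumed incident shape: name, time, 0-4 severity, playbook to trigger, raw finding."""
    return {"name": finding["Title"], "occurred": finding["UpdatedAt"],
            "severity": severity_to_demisto(finding.get("Severity", {})),
            "playbook": select_playbook(finding), "rawJSON": finding}

def fetch_incidents(findings, last_run, seen_ids):
    """Ingest NEW findings updated after last_run, deduplicated by Id; return incidents and new last_run."""
    since = datetime.fromisoformat(last_run.replace("Z", "+00:00"))
    incidents, newest = [], since
    for f in sorted(findings, key=lambda x: x["UpdatedAt"]):
        updated = datetime.fromisoformat(f["UpdatedAt"].replace("Z", "+00:00"))
        if f["Workflow"]["Status"] != "NEW" or updated <= since or f["Id"] in seen_ids:
            continue  # skip resolved, stale, or already ingested findings
        seen_ids.add(f["Id"])
        incidents.append(finding_to_incident(f))
        newest = max(newest, updated)
    return incidents, newest.isoformat().replace("+00:00", "Z")
```

Security Hub re-emits a finding each time its UpdatedAt changes, so the seen_ids set is what stops one finding from opening several incidents between polls.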
For more information on Demisto's integrations with AWS, view our joint solution brief.
USE CASE #2
Interactive, real-time investigation for complex threats
While standardized, repeatable playbooks can automate commonly performed tasks to ease analyst load, an attack investigation usually requires additional tasks to be performed in real time. Actions such as pivoting from one suspicious indicator to another to gather critical evidence, drawing relations between incidents, and finalizing resolution can trap analysts in a screen-switching cycle during investigation and a documentation-chasing cycle after investigations end.
After running enrichment playbooks, analysts can gain greater visibility and new actionable information about the attack by running AWS commands in the Demisto War Room. For example, if playbook results contain alert details, analysts can get the Amazon GuardDuty detector tied to the alert or the list of users affected by the alert in real time. Analysts can also run commands from other security tools in real time using the War Room, ensuring a single-console view for end-to-end investigation.
The War Room documents all analyst actions and, over time, suggests the most effective analysts and command sets.
The War Room allows analysts to quickly pivot and run unique commands relevant to incidents in their network from a common window. All participating analysts have full task-level visibility of the process and can run and document commands from the same window. This also removes the need to collate information from multiple sources for documentation.
We hope you found this integration overview useful. To explore Demisto in greater detail, you can download our free community edition below. You can also access an Amazon Machine Image (AMI) of Demisto Enterprise by visiting this link.