SEC10-BP04 Automate containment capability
Automate containment and recovery of an incident to reduce response times and organizational impact.
Once you create and practice the processes and tools from your playbooks, you can deconstruct the logic into a code-based solution, which can be used as a tool by many responders to automate the response and remove variance or guesswork by your responders. This can speed up the lifecycle of a response. The next goal is to allow this code to be fully automated by being invoked by the alerts or events themselves, rather than by a human responder, to create an event-driven response. These processes should also automatically add relevant data to your security systems. For example, an incident involving traffic from an unwanted IP address can automatically populate an AWS WAF block list or Network Firewall rule group to prevent further activity.
Figure 3: AWS WAF automated blocking of known malicious IP addresses.
With an event-driven response system, a detective mechanism initiates a responsive mechanism to automatically remediate the event. You can use event-driven response capabilities to reduce the time-to-value between detective mechanisms and responsive mechanisms. To create this event-driven architecture, you can use AWS Lambda, which is a serverless compute service that runs your code in response to events and automatically manages the underlying compute resources for you. For example, assume that you have an AWS account using the AWS CloudTrail service. If CloudTrail is ever turned off (through the cloudtrail:StopLogging API call), you can use Amazon EventBridge to monitor for the specific cloudtrail:StopLogging event, and invoke a Lambda function to call cloudtrail:StartLogging to restart logging.
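The CloudTrail example above, worked through as an added example that is not part of the original page or an AWS-provided sample: an EventBridge rule matching the StopLogging API call invokes this Lambda handler, which calls StartLogging on the affected trail. The rule pattern, the sample event, the trail and account values, and the StubCloudTrail test double are constructed for illustration; the boto3 client is injected so the logic can be exercised offline.

```python
"""Event-driven CloudTrail re-enablement (added example, not AWS's own code)."""

# Assumed EventBridge rule pattern: CloudTrail management events whose eventName is StopLogging.
EVENT_PATTERN = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["cloudtrail.amazonaws.com"], "eventName": ["StopLogging"]},
}


def trail_from_event(event):
    """Return the trail named in a StopLogging event, or None if the event is something else."""
    detail = event.get("detail", {})
    if detail.get("eventSource") != "cloudtrail.amazonaws.com" or detail.get("eventName") != "StopLogging":
        return None
    return (detail.get("requestParameters") or {}).get("name")


def lambda_handler(event, context=None, client=None):
    """Restart logging on the trail that was stopped and return a summary for the alert record."""
    trail = trail_from_event(event)
    if trail is None:
        # Defensive: the rule should only match StopLogging, but never act on anything else.
        return {"action": "ignored", "reason": "not a StopLogging event"}
    if client is None:
        import boto3  # only needed inside Lambda; the offline test injects a stub instead
        client = boto3.client("cloudtrail")
    # StartLogging is safe to call on a trail that is already logging, so a race with a
    # human responder who re-enabled it first does no harm.
    client.start_logging(Name=trail)
    actor = event.get("detail", {}).get("userIdentity", {}).get("arn", "unknown")
    return {"action": "restarted", "trail": trail, "stopped_by": actor}


class StubCloudTrail:
    """Offline stand-in for boto3's CloudTrail client; records StartLogging calls."""
    def __init__(self):
        self.calls = []

    def start_logging(self, Name):
        self.calls.append(Name)


# Constructed sample event in the shape EventBridge delivers for a CloudTrail API call.
SAMPLE_EVENT = {
    "source": "aws.cloudtrail",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail"},
    },
}
```

The Lambda execution role needs only cloudtrail:StartLogging on the trails it guards, which keeps the responder itself least-privileged.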
Level of risk exposed if this best practice is not established: Medium
Implementation guidance
Automate containment capability.