Detection as part of security control engineering
Detection mechanisms are an integral part of security control development. As directive and preventative controls are defined, the related detective and responsive controls should be constructed alongside them. As an example, an organization establishes a directive control for the root user of an AWS account: it should only be used for specific, well-defined activities. They pair it with a preventative control implemented as an AWS Organizations service control policy (SCP). If root user activity beyond the expected baseline occurs, a detective control implemented with an EventBridge rule and an SNS topic alerts the security operations center (SOC). The responsive control entails the SOC selecting the appropriate playbook, performing analysis, and working the case until the incident is resolved.
Security controls are best defined by threat modeling the workloads running in AWS. The criticality of detective controls is set by consulting the business impact analysis (BIA) for the particular workload. Alerts generated by detective controls are not handled in arrival order, but according to their initial criticality, which is then adjusted during analysis. The initial criticality is an aid for prioritization; the context in which the alert occurred determines its true criticality. As an example, an organization uses Amazon GuardDuty as a component of the detective control for EC2 instances that are part of a workload. The finding Impact:EC2/SuspiciousDomainRequest.Reputation is generated, informing you that the listed Amazon EC2 instance within your workload is querying a domain name suspected of being malicious. This alert is set by default as low severity. As the analysis phase progresses, it is determined that several hundred EC2 instances of type p4d.24xlarge have been deployed by an unauthorized actor, significantly increasing the organization's operating cost. At this point, the incident response team decides to adjust the criticality of this alert to high, increasing the sense of urgency and expediting further actions. Note that the GuardDuty finding severity itself cannot be changed; rather, the organization's own alert, raised from the finding, is the record whose criticality is adjusted.
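The separation described above, a read-only GuardDuty severity beside an organization-owned criticality that analysis can raise, as an added example that is not AWS or GuardDuty code. The finding structure is a constructed, simplified subset of a real finding, and the cost thresholds and instance-type list are a hypothetical organization policy.

```python
from dataclasses import dataclass, field

# Constructed, simplified GuardDuty finding (real findings carry many more fields).
SAMPLE_FINDING = {
    "Type": "Impact:EC2/SuspiciousDomainRequest.Reputation",
    "Severity": 2.0,  # GuardDuty numeric severity
    "Resource": {
        "ResourceType": "Instance",
        "InstanceDetails": {"InstanceId": "i-0123456789abcdef0",
                            "InstanceType": "p4d.24xlarge"},
    },
}

# Hypothetical organization policy: what analysis context counts as high impact.
HIGH_COST_INSTANCE_TYPES = {"p4d.24xlarge"}
HIGH_INSTANCE_COUNT = 100
LEVELS = ["low", "medium", "high"]  # organization criticality scale, ordered


def guardduty_severity_label(severity: float) -> str:
    """GuardDuty's documented bands: 1.0-3.9 low, 4.0-6.9 medium, 7.0-8.9 high.
    Anything above is treated as high here."""
    if severity >= 7.0:
        return "high"
    if severity >= 4.0:
        return "medium"
    return "low"


@dataclass
class Alert:
    finding_type: str
    guardduty_severity: str  # owned by GuardDuty, never modified by the SOC
    criticality: str         # the organization's own field, adjusted during analysis
    history: list = field(default_factory=list)


def open_alert(finding: dict) -> Alert:
    """Seed the organization's criticality from the finding's severity band."""
    label = guardduty_severity_label(finding["Severity"])
    return Alert(finding["Type"], label, label, [f"initial {label} from GuardDuty"])


def adjust_with_context(alert: Alert, affected_instance_types: list) -> Alert:
    """Raise criticality when analysis shows large-scale or high-cost impact.
    Criticality only moves up; the GuardDuty severity is left untouched."""
    count = len(affected_instance_types)
    costly = any(t in HIGH_COST_INSTANCE_TYPES for t in affected_instance_types)
    context = "high" if (count >= HIGH_INSTANCE_COUNT and costly) else \
              "medium" if (count >= HIGH_INSTANCE_COUNT or costly) else "low"
    alert.criticality = max(alert.criticality, context, key=LEVELS.index)
    alert.history.append(f"analysis: {count} instances, costly={costly} -> {alert.criticality}")
    return alert
```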