View a markdown version of this page

ECO SIR roles and responsibilities - EDI Cloud Operations Support Guide

ECO SIR roles and responsibilities

The following tables describe your (the "Customer") responsibilities compared with our ("AWS") responsibilities for the phases of security incident response (SIR).

Security incident response – Detect Phase

Activity

Customer

AWS

Logging, indicators, and monitors

Configuring logs and monitors to enable event management for instances and accounts

C, I

R

Monitoring supported AWS services for security alerts

I

R

Deploying and managing endpoint security tools

R

I

Monitoring for malware on instances using endpoint security

R

I

Notifying customers of detected events through outbound messaging

I

R

Routing notification and subsequent updates to the decision makers for specific accounts and workloads to improve incident response time

C, I

R

Defining, deploying, and maintaining ECO standard detection services such as Amazon GuardDuty and AWS Config

C, I

R

Recording AWS infrastructure change logs

C

R

Implementing and maintaining an allowlist, denylist, and custom detections on supported AWS security services, such as Amazon GuardDuty

R

C

Security incident response – Analyze Phase

Activity

Customer

AWS

Investigation and analysis

Performing an initial response for supported security alerts that a supported detection source generated

I

R, C

Using available data to assess false and true positives

C, I

R

Reviewing ECO assessments for false and true positives that ECO shares

R

C

Generating a snapshot of affected instances that ECO shares with the customer, if needed

I

R

Performing forensics tasks such as chain of custody, file system analysis, memory forensics, and binary analysis

R

C, I

Collecting application logs to help with troubleshooting

C

R

Collecting data and logs that are accessible to ECO to help investigate security alerts

C, I

R

Responding to the alerts to help ECO investigate

R

C, I

Engaging SMEs within ECO services on security investigations

C, I

R

Engaging third-party vendors during investigation such as for EPS anti-malware

R, C, I

I

Sharing investigation logs from supported AWS services to customers during an investigation

I

R

Communication

Sending alerts and notifications from ECO detection sources for managed resources

I

R

Managing alerts and notifications for application security events

C

R

Engaging the customer security point of contact during a security incident investigation

R

I

Security incident response – Contain Phase

Activity

Customer

AWS

Containment strategy and execution

Deciding on the execution of the agreed containment strategy and agreeing with the consequences that might affect the availability of services during the containment window

R

C, I

Backing up affected systems for further analysis

C, I

R

Containing applications and workloads through application-specific configuration or response activity

C, I

R

Defining the containment strategy based on the security incident and the affected resource

C, I

R

Enabling encryption and secure storage of point-in-time backups of affected systems

R, C, I

C

Executing supported containment actions for AWS resources, including Amazon Elastic Compute Cloud (Amazon EC2) instances, network, and AWS Identity and Access Management (IAM)

C, I

R

Security incident response – Eradicate Phase

Activity

Customer

AWS

Eradication strategy and execution

Defining eradication options based on the security incident and the affected resource on customer application workloads

R

C, I

Deciding on the agreed eradication strategy, timing of eradication execution and the consequences

R

C, I

Defining eradication steps based on the security incident and the affected resource on ECO managed workloads

C, I

R

Eradicating and hardening AWS resources including Amazon EC2 instances, network, and IAM

C, I

R

Eradicating and hardening applications and workloads through application-specific configuration or response activity

R

I

Security incident response – Recover Phase

Activity

Customer

AWS

Recovery preparation and execution

Configuring backup plans and targets as requested by the customer

C

R

Reviewing backup plans to restore ECO managed workloads

C

R

Performing backup restoration activities for resources of supported AWS services

I

R

Reviewing and confirming backup plans to restore customer applications and workloads post-incident

R, A

C, I

Backing up customer applications, application configurations, and deployment settings to restore customer applications and workloads post-incident

C, I

R, A

Restoring applications and customer workloads through application-specific restoration steps

R, C

R, C

Security incident response – PIR Phase

Activity

Customer

AWS

Post incident reporting

Sharing appropriate lessons learned and action items with customer as required

I

R, A