AWS re:Invent 2025 - Scale Security Operations with AWS Security Incident Response Service (SEC329)

Transforming Security Operations with AWS Security Incident Response Service

Background on Infor and their Business

  • Infor is an industry-specific, AI-driven cloud application provider
  • They serve multiple industries with complex operating environments
  • Infor has built their platform on AWS, leveraging hundreds of AWS services

Challenges Faced by Infor

  1. Triaging security findings from various sources (GuardDuty, EDR, etc.)
    • Findings were a mix of low-risk and critical, making it difficult to prioritize
  2. Coordinating incident response across security teams, MSPs, and vendors
    • Needed better information sharing and collaboration
  3. Maintaining the right level of expertise to handle cloud-based incident response
    • AWS has over 300 services, making it challenging to have in-house expertise

The AWS Security Incident Response Service Solution

  1. Proactive Ingestion and Triage of Security Findings
    • Ingested findings from GuardDuty, Defender, CrowdStrike, and other sources
    • Triaged findings using automation and enrichment to reduce noise and prioritize
  2. Collaborative Incident Investigation and Escalation
    • Enabled seamless collaboration between Infor, AWS, and other partners
    • Escalated only the most critical events that required Infor's attention
  3. Leveraging AWS Expertise for Incident Response
    • Provided Infor with access to AWS's broad cloud security expertise
    • Reduced the need for Infor to maintain in-house cloud security specialists

Demonstration: Detecting and Responding to DNS Data Exfiltration

  1. GuardDuty identified a DNS data exfiltration event
  2. The AWS Security Incident Response Service:
    • Ingested the GuardDuty finding and correlated it with other telemetry
    • Used automation and enrichment to triage the finding and determine context
    • Escalated the incident to Infor only when necessary, reducing noise
    • Provided recommendations and starting points for Infor's investigation
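
A sketch of the triage step described above, added here as an example (it is not code from the talk, from Infor, or from the AWS service). The finding dictionaries are constructed and use GuardDuty's finding JSON field names; the asset inventory, its fields, the test-window rule and the severity thresholds are assumptions made for illustration.

```python
# Added example: enrich a GuardDuty-style finding with asset context, then decide
# whether it is escalated, treated as expected activity, or only recorded.
from datetime import datetime

# Constructed asset context standing in for tagging/CMDB enrichment (hypothetical).
ASSETS = {
    "i-0aaaaaaaaaaaaaaa1": {"env": "prod", "pentest_until": None},
    "i-0bbbbbbbbbbbbbbb2": {"env": "staging",
                            "pentest_until": "2025-12-05T00:00:00+00:00"},
}

def finding(instance_id, severity, ftype="Trojan:EC2/DNSDataExfiltration"):
    """Build a constructed finding shaped like GuardDuty's finding JSON."""
    return {
        "Type": ftype,
        "Severity": severity,
        "UpdatedAt": "2025-12-02T10:00:00+00:00",  # constructed timestamp
        "Resource": {"InstanceDetails": {"InstanceId": instance_id}},
        "Service": {"Action": {"ActionType": "DNS_REQUEST",
                               "DnsRequestAction": {"Domain": "example.test"}}},
    }

def triage(f, assets=ASSETS):
    """Return (decision, reason); decision is 'escalate', 'expected' or 'record'."""
    iid = f["Resource"]["InstanceDetails"]["InstanceId"]
    ctx = assets.get(iid)
    seen = datetime.fromisoformat(f["UpdatedAt"])
    if ctx is None:
        # No context explains the behaviour, so a person has to look at it.
        return "escalate", f"{iid} not in inventory"
    until = ctx["pentest_until"]
    if until and seen <= datetime.fromisoformat(until):
        # Expected pattern (approved test): kept on record, not paged out.
        return "expected", f"{iid} is inside an approved test window"
    if f["Severity"] >= 7.0 or (ctx["env"] == "prod" and f["Severity"] >= 4.0):
        return "escalate", f"severity {f['Severity']} on {ctx['env']} asset"
    return "record", "below escalation threshold"

if __name__ == "__main__":
    for f in (finding("i-0aaaaaaaaaaaaaaa1", 8.0),
              finding("i-0bbbbbbbbbbbbbbb2", 8.0),
              finding("i-0ccccccccccccccc3", 2.0)):
        print(f["Type"], *triage(f))
```

The test-window check is time-bound on purpose: the same finding on the same instance escalates once the approved window has passed.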

Enhancements to the AWS Security Incident Response Service

  1. Integrating Agentic AI for Incident Response
    • Automatically provides recommendations and log extractions to aid investigations
    • Allows security professionals and the AI agent to collaborate on cases
  2. Flexible Pricing Model
    • Scales with the customer's business, rather than a static entry point
  3. Expanded Certifications and ITSM Integrations
    • Supports additional certifications and integrates with customers' ITSM tools
  4. Granular Onboarding at the Organizational Unit (OU) Level

Results and Impact for Infor

  1. Significant Time Savings in Security Operations
    • Reduced the time to triage and investigate findings from days to minutes
    • Allowed Infor's security team to focus on more strategic, high-impact work
  2. Improved Incident Response and Escalation
    • Quickly identified expected patterns of behavior (e.g., penetration testing)
    • Escalated only the most critical events that required Infor's attention

The Future of Security Incident Response

  1. Addressing the Threat of AI-Powered Attacks
    • Threat actors may use AI to launch more sophisticated, adaptive attacks
    • Defenders will need to leverage AI and automation to keep pace
  2. Towards a Unified Security Operations Approach
    • Integrating security tools, processes, and teams across the organization
    • Automating more of the "undifferentiated heavy lifting" in security operations
  3. Personalized and Specialized Security Agents
    • AI-powered security agents tailored to individual responders' expertise and workflows
    • Enabling hyper-specialized, personalized incident response capabilities
