From the early stages of this maturity model it has been recommended to act upon Amazon GuardDuty findings; however, the recommendation to form an incident response team (Blue Team) implies much more than simply responding to an incident.
The Blue Team is a team specialized in responding to security incidents.
The work of the Blue Team involves acting at different moments of an incident:
In the cloud, incident response can be very different from the way the process is executed on-premises. All the technical information required for decision-making during the incident response process is available, thanks to services such as AWS Config and AWS CloudTrail, and because that data can be queried programmatically, a much higher degree of automation can be achieved. In fact, Stephen Schmidt, CISO of AWS, mentioned in his Security Leadership talk at re:Invent 2019 that "96.4% of our AWS infrastructure security incidents are automatically resolved, without human intervention."
Therefore, to manage incident response while taking advantage of cloud capabilities, the Blue Team should invest a large part of its time in building automatic remediation tasks for incidents, especially for the most recurrent ones or those with the greatest impact. Each automated remediation should be scoped to a specific finding type and severity, and exercised against test findings (GuardDuty can generate sample findings for this purpose) before it is allowed to act on production resources.
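As an added example (not code from this page or from AWS), the following shows the shape such an automatic remediation takes: an EventBridge rule forwards GuardDuty findings to a Lambda function, which looks the finding type and severity up in a playbook and either isolates the EC2 instance or deactivates the IAM access key named in the finding. The playbook thresholds, the quarantine security group ID and the sample events are assumptions; the real calls go through boto3 clients, which are replaced here by a recording stand-in so the example runs offline.

```python
"""Automated remediation of Amazon GuardDuty findings delivered through EventBridge.

Added example, not code from the page or from AWS: the PLAYBOOK thresholds,
QUARANTINE_SG and the sample findings are assumptions. Real AWS calls go through
injected clients (boto3.client("ec2") / boto3.client("iam") inside Lambda);
RecordingClient only records the calls, so the example runs offline.
"""
import json

# Assumed: an empty security group (no inbound or outbound rules) created in advance.
QUARANTINE_SG = "sg-0a1b2c3d4e5f67890"

# Finding-type prefix -> (minimum severity, action). GuardDuty severity is numeric:
# Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9. The thresholds are assumptions.
PLAYBOOK = {
    "CryptoCurrency:EC2/": (7.0, "isolate_instance"),
    "UnauthorizedAccess:IAMUser/MaliciousIPCaller": (4.0, "disable_access_key"),
}


class RecordingClient:
    """Stand-in for a boto3 client: records (operation, kwargs) instead of calling AWS."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, operation):
        def call(**kwargs):
            self.calls.append((operation, kwargs))
            return {}
        return call


def plan(detail):
    """Return the playbook action for a finding, or None when no automatic action applies."""
    if detail.get("service", {}).get("archived"):
        return None  # already triaged by a human: never re-remediate
    for prefix, (min_severity, action) in PLAYBOOK.items():
        if detail["type"].startswith(prefix) and float(detail["severity"]) >= min_severity:
            return action
    return None


def remediate(event, ec2, iam):
    """Apply the playbook to one EventBridge event and report what was done."""
    detail = event["detail"]
    action = plan(detail)
    resource = detail["resource"]
    if action == "isolate_instance" and resource["resourceType"] == "Instance":
        instance_id = resource["instanceDetails"]["instanceId"]
        # Replace every security group with the quarantine group: established connections
        # drop, but the instance is kept (not terminated) so its disks are available for forensics.
        ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
        ec2.create_tags(Resources=[instance_id],
                        Tags=[{"Key": "guardduty:finding-id", "Value": detail["id"]},
                              {"Key": "quarantine", "Value": "true"}])
        return {"action": action, "resource": instance_id}
    if action == "disable_access_key" and resource["resourceType"] == "AccessKey":
        key = resource["accessKeyDetails"]
        # Only long-term IAM user keys can be deactivated this way; a finding on an
        # assumed role or the root user needs a different playbook, so fall through.
        if key.get("userType") == "IAMUser":
            iam.update_access_key(UserName=key["userName"],
                                  AccessKeyId=key["accessKeyId"], Status="Inactive")
            return {"action": action, "resource": key["accessKeyId"]}
    return {"action": "notify_only", "resource": None}


def lambda_handler(event, context=None):
    """Lambda entry point for an EventBridge rule matching source aws.guardduty."""
    import boto3  # imported here so the offline example runs without boto3 installed
    return remediate(event, boto3.client("ec2"), boto3.client("iam"))


def with_detail(event, **overrides):
    """Deep copy of an event with keys of event["detail"] replaced (for what-if checks)."""
    copied = json.loads(json.dumps(event))
    copied["detail"].update(overrides)
    return copied


# Constructed sample events, trimmed to the fields used above.
SAMPLE_CRYPTO_MINING = {"detail-type": "GuardDuty Finding", "source": "aws.guardduty", "detail": {
    "id": "1ab23456789cdef0123456789abcdef0", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
    "severity": 8, "service": {"archived": False, "count": 4},
    "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}
SAMPLE_IAM_MALICIOUS_IP = {"detail-type": "GuardDuty Finding", "source": "aws.guardduty", "detail": {
    "id": "0fedcba9876543210fedcba987654321", "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
    "severity": 5, "service": {"archived": False, "count": 3},
    "resource": {"resourceType": "AccessKey", "accessKeyDetails": {
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "alice", "userType": "IAMUser"}}}}

if __name__ == "__main__":
    ec2, iam = RecordingClient(), RecordingClient()
    for sample in (SAMPLE_CRYPTO_MINING, SAMPLE_IAM_MALICIOUS_IP):
        print(remediate(sample, ec2, iam))
    print(ec2.calls, iam.calls)
```

The two design choices worth copying are the archived check in `plan` (a finding an analyst has already closed must never trigger the automation again) and the `userType` guard before `update_access_key` (the same finding type fires for assumed roles, where deactivating a key is not possible and the fallback is to notify a human). Anything the playbook does not explicitly cover ends in `notify_only`, which is the safe default for an automation that acts on production resources.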
The name Blue Team comes from American military war games, in which security was tested by a red team that played the enemy and a blue team that defended.