How to act on your security and compliance alerts with AWS Security Hub - FND218 - AWS re:Inforce 2019

Learn about AWS Security Hub and how it gives you a comprehensive view of your high-priority security alerts and compliance status across AWS accounts. See how Security Hub aggregates, prioritizes, and helps you act on your alerts from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions.

  1. How to act on your security and compliance alerts with AWS Security Hub (FND218)
     Ely Kahn, Principal Product Manager, AWS Security Hub
     Scott Ward, Principal Solutions Architect, AWS Partner Network
     Jason Fuller, Head of Cloud Management and Operations, HERE Technologies
     Rob Morris, Cloud Engineer, Northwestern Mutual
     © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  2. Agenda
     • AWS Security Hub overview
     • Customer use cases
     • Taking action deep dive
     • Demonstration
     • Wrap-up
  3. Related workshops
     • Tuesday, June 25: FND213: Hands-on with AWS Security Hub, 5:15 – 7:15 PM | Level 2, Room 210C
     • Tuesday, June 25: GRC330: Compliance automation: Set it up fast, then code it your way, 2:45 – 4:45 PM | Level 2, Room 210C
     • Wednesday, June 26: FND213-R1: Hands-on with AWS Security Hub, 11:15 AM – 1:15 PM | Level 2, Room 210A
  5. Problem statements
     1. Backlog of compliance requirements: Many compliance requirements and not enough time to build the rules
     2. Too many security alert formats: Dozens of security tools with different data formats
     3. Too many security alerts: Large volume of alerts and the need to prioritize and take action
     4. Lack of an integrated view: Lack of an integrated view of security and compliance across accounts
  6. AWS Security Hub overview
  7. Generally available as of today
     Supported Regions (15): Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), EU (Frankfurt), EU (Ireland), EU (London), EU (Paris), South America (São Paulo), US East (N. Virginia), US East (Ohio), US West (N. California), US West (Oregon)
     New features since preview began
     • Amazon CloudWatch Events
     • CIS compliance standard improvements
     • Tag-based access controls and cost allocation
     • AWS CloudFormation
     • Performance improvements
     • Localization
  8. Partner integrations: Firewalls, Vulnerability, Taking action, Endpoint, Compliance, MSSP, Other
  10. Some of our current customers
  11. Use pattern 1: Centralized security and compliance workspace
      Goal: Have a single pane of glass to view, triage, and take action on AWS security and compliance issues across accounts
      Personas: SecOps, compliance, and/or DevSecOps teams focused on AWS, Cloud Centers of Excellence, the first security hire
      Key processes example:
      1. Ingest findings from finding providers
      2. High-volume and well-known findings are programmatically routed to remediation workflows, which include updating the status of the finding
      3. Remaining findings are routed to analysts via an on-call management system, and they use ticketing and chat systems to resolve them
      Taking action integrations: Ticketing systems, chat systems, on-call management systems, SOAR platforms, customer-built remediation playbooks
  12. Use pattern 2: Centralized routing to a SIEM
      Goal: Easily route all AWS security and compliance findings in a normalized format to a centralized SIEM or log management tool
      Personas: SecOps, compliance, and/or DevSecOps teams
      Key processes example:
      1. Ingest findings from finding providers
      2. All findings are routed via Amazon CloudWatch Events to a central SIEM that stores AWS and on-premises security and compliance data
      3. Analyst workflows are linked to the central SIEM
      Taking action integrations: SIEM
  13. Use pattern 3: Dashboard for account owners
      Goal: Provide visibility to AWS account owners on the security and compliance posture of their account
      Personas: AWS account owners
      Key processes example:
      1. Ingest findings from finding providers
      2. Account owners are given read-only access to Security Hub
      3. Account owners can use Security Hub to research issues that they are ticketed on or proactively monitor their own security and compliance state
      Taking action integrations: Chat, ticketing
  14. Views, thoughts, and opinions expressed in the presentation belong solely to the author and not necessarily to the author’s employer, organization, committee, or other group or individual.
  15. Background
  16. What does AWS Security Hub provide? Provide insight about account security posture to account owners
  17. How do we use AWS Security Hub?
  18. HERE in numbers
      • 4 of 5 in-car navigation systems in Europe and North America use HERE maps
      • 10,000+ employees in 56 countries
      • 30+ years of experience transforming location technology
      • 400+ HERE cars collecting data for maps
      • 200 countries mapped
      • HD live map covering 600,000+ kilometers for autonomous driving
      • 1,600 cities with transit routing in over 50 countries
      • 700,000 3D data points per second per car
      • 15,000 venues mapped globally
  19. HERE: Open location platform. The place for intelligent data usage and development
      • Data
      • Developer environment and platform foundation
      • Services and solutions
      • Data marketplace
  20. HERE: Current management. Our solution is layered in people and technologies
      • Amazon GuardDuty, Cloud Custodian, AWS Organizations
      • AWS Security Hub
      • SIEM, alerting, and security response
      • AWS
  22. Taking action with AWS Security Hub. Diagram labels: AWS Security Hub, Amazon CloudWatch Events, Amazon GuardDuty, Amazon Inspector, Amazon Macie, Third-party providers
  23. Security Hub taking action partner integration
  24. Taking action on all findings
  25. Event pattern examples: Filter by tags

      {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings"],
        "detail": {
          "findings": {
            "Resources": {
              "Tags": {
                "Environment": ["PCI"]
              }
            }
          }
        }
      }

  26. Event pattern examples: Filter by severity

      {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings"],
        "detail": {
          "findings": {
            "Severity": {
              "Normalized": [95, 96, 97, 98, 99, 100]
            }
          }
        }
      }

  27. Custom actions in Security Hub
  28. Custom actions in Security Hub
  29. Custom actions in Security Hub: Rule, Event

      {
        "source": ["aws.securityhub"],
        "resources": [
          "arn:aws:securityhub:us-west-2:xxxxxxxxxxxx:action/custom/send_to_email"
        ]
      }

  30. Custom actions in Security Hub. Diagram labels: Rule, Event (three rule and event pairs), Run command
  31. Custom actions in Security Hub
  34. Next steps
      • Try the 30-day trial: https://console.aws.amazon.com/securityhub/
      • Become a partner: Contact us at securityhub-partners@amazon.com
      • Learn more: https://aws.amazon.com/security-hub/
  35. Thank you!
      Ely Kahn, elykahn@amazon.com
      Scott Ward, scotward@amazon.com
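
The event patterns on slides 25, 26 and 29 select events by exact value: each leaf array lists the accepted values, and nested keys must all match. The Python sketch below is an added example, not code from the presentation or from AWS; it is a simplified model of that matching that lets the three patterns be checked offline. The rule names, the `matches`, `finding_event` and `route` helpers, and the sample events are constructed for illustration.

```python
# Added example: simplified model of exact-value event pattern matching.
# Rule names and the sample events are constructed; patterns are the slides'.

def matches(pattern, event):
    """A dict in the pattern descends into the event; a list is the set of
    accepted values. Where the event holds a list (findings, Resources,
    resources), one matching element is enough."""
    for key, want in pattern.items():
        if not isinstance(event, dict) or key not in event:
            return False
        got = event[key]
        candidates = got if isinstance(got, list) else [got]
        if isinstance(want, dict):
            if not any(matches(want, c) for c in candidates):
                return False
        elif not any(c in want for c in candidates):
            return False
    return True

HUB = {"source": ["aws.securityhub"], "detail-type": ["Security Hub Findings"]}
RULES = {
    "pci-tagged": {**HUB, "detail": {"findings": {
        "Resources": {"Tags": {"Environment": ["PCI"]}}}}},
    "critical-severity": {**HUB, "detail": {"findings": {
        "Severity": {"Normalized": [95, 96, 97, 98, 99, 100]}}}},
    "send-to-email": {"source": ["aws.securityhub"], "resources": [
        "arn:aws:securityhub:us-west-2:xxxxxxxxxxxx:action/custom/send_to_email"]},
}

def finding_event(severity, environment):
    """Constructed event carrying only the fields the patterns inspect."""
    return {
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings",
        "detail": {"findings": [{
            "Severity": {"Normalized": severity},
            "Resources": [{"Tags": {"Environment": environment}}],
        }]},
    }

def route(event):
    """Names of the rules whose pattern selects this event."""
    return [name for name, pattern in RULES.items() if matches(pattern, event)]

if __name__ == "__main__":
    for sev, env in [(97, "PCI"), (94, "PCI"), (100, "Dev"), (40, "Dev")]:
        print(sev, env, route(finding_event(sev, env)))
```

Because the severity pattern lists the values 95 to 100 explicitly, a finding with normalized severity 94 is not selected by that rule and reaches a target only if another rule, such as the tag filter, matches it.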