In this session, learn about AWS Security Hub and how it gives you a comprehensive view of your high-priority security alerts and compliance status across AWS accounts. See how Security Hub aggregates, prioritizes, and helps you take action on your alerts from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions.

1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Take action on your security and compliance
alerts AWS Security Hub
Ely Kahn
Principal product manager
AWS Security Hub
S E C 2 0 1
Scott Ward
Principal solutions architect
AWS Partner Network

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Agenda
Security Hub overview
Customer use cases
“Taking action” deep dive
Demonstration
Questions

3. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Problem statements
Large volume of
alerts, and the need
to prioritize and
take action
3
Dozens of security
tools with different
data formats
2
Many compliance
requirements, and
not enough time to
build the checks
1
Too many security
alerts
Too many security
alert formats
Backlog of
compliance
requirements
Lack of an
integrated view of
security and
compliance across
accounts
4
Lack of an
integrated view

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Security Hub overview

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
The AWS security services ecosystem
Protect Detect Respond
Automate
Investigate
RecoverIdentify
AWS
Systems
Manager
AWS Config
AWS
Lambda
Amazon
CloudWatch
Amazon
Inspector
Amazon
Macie
Amazon
GuardDuty
AWS
Security Hub
AWS IoT
Device
Defender
KMSIAM
AWS
Single
Sign-On
Snapshot ArchiveAWS
CloudTrail
Amazon
CloudWatch
Amazon
VPC
AWS
WAF
AWS
Shield
AWS
Secrets
Manager
AWS
Firewall
Manager
AWS
Organizations
Personal
Health
Dashboard
Amazon
Route 53
AWS
Direct
Connect
AWS Transit
Gateway
Amazon
VPC
PrivateLink
AWS Step
Functions
Amazon
Cloud
Directory
AWS
CloudHSM
AWS
Certificate
Manager
AWS
Control
Tower
AWS
Service
Catalog
AWS Well-
Architected
Tool
AWS
Trusted
Advisor
Resource
Access
manager
AWS
Directory
Service
Amazon
Cognito
Amazon S3
Glacier
AWS
Security Hub
AWS
Systems
Manager

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Rollout plans and pricing
Security Hub is available today as a public preview
service
• Available at no additional cost, except for AWS Config costs for
new AWS Config users
• Open to everyone
• Get started in a few clicks
• Goal is to iterate on latest features with customers before
releasing as generally available (GA)
Full API/CLI/SDK support
• C++, Go, Java, JS, .NET, PHP, Python, Ruby
Supported Regions (15)
Asia Pacific (Mumbai)
Asia Pacific (Seoul)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
Asia Pacific (Tokyo)
Canada (Central)
EU (Frankfurt
EU (Ireland)
EU (London)
EU (Paris)
South America (Sao Paulo)
US East (N. Virginia)
US East (Ohio)
US West (N. California)
US West (Oregon)

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Partner integrations
Firewalls
Vulnerability
SOAR
SIEM
Endpoint
Compliance
MSSP
Other
Firewalls
Vulnerability
SOAR
SIEM
Endpoint
Compliance
MSSP
Other

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS security finding format
~100 JSON-formatted fields
Finding types
1. Sensitive data identifications
2. Software and configuration checks
3. Unusual behaviors
4. Tactics, techniques, and procedures
(TTPs)
5. Effects

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Partner integration examples: CrowdStrike

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Partner integration examples: Alert Logic
Customer Environment
Alert Logic data ingestion,
processing, and analytics
1. Inspected data is transported to Alert Logic’s data ingestion,
processing, and analytics platform
2. Alert Logic’s threat detection and response capability analyzes
the data and identifies incidents
3. An internal service (dedicated to Security Hub) assesses the
incident for potential posting to Security Hub
4. The incident is then posted to the respective customer’s
Security Hub console as a finding
1
2
3
4

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Setup and multi-account

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Compliance checks

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Insights

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Response and remediation
Automation document
AWS Step Function
Lambda function
Rule
Amazon CloudWatch
Event
AWS Security Hub

16. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Some of our current customers

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Use case 1: Centralized security and compliance workspace
Goal
Have a single pane of glass to view, triage, and take action on AWS security
and compliance issues across accounts
Personas
SecOps, compliance, and/or DevSecOps teams focused on AWS, Cloud
Centers of Excellence, the first security hire
Key processes
example
1. Ingest findings from finding providers
2. High volume and well known findings are programmatically routed to
remediation workflows, which include updating the status of the finding
3. Remaining findings are routed to analysts via an on-call management
system, and they use ticketing and chat systems to resolve them
“Taking action”
integrations
Ticketing systems, chat systems, on-call management systems, SOAR
platforms, customer-built remediation playbooks

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Use case 2: Centralized routing to a SIEM/Elastic
Goal
Easily route all AWS security and compliance findings in a normalized format
to a centralized SIEM or log management tool
Personas SecOps, compliance, and/or DevSecOps teams
Key processes
example
1. Ingest findings from finding providers
2. All findings are routed via Amazon CloudWatch Events to a central SIEM
that stores AWS and on-premises security and compliance data
3. Analyst workflows are linked to the central SIEM
“Taking action”
integrations
SIEM

20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Use case 3: Dashboard for account owners
Goal
Provide visibility to AWS account owners on the security and compliance
posture of their account
Personas AWS account owners
Key processes
example
1. Ingest findings from finding providers
2. Account owners are given read-only access to Security Hub
3. Account owners can use Security Hub to research issues that they are
ticketed on or proactively monitor their own security and compliance
state
“Taking action”
integrations
Chat, ticketing

21. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Why take action
Security findings require your
attention
Time is critical
Can’t scale with humans

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Taking action with Security Hub
AWS Security Hub Amazon CloudWatch
Events
Amazon GuardDuty
Amazon Inspector
Amazon Macie
Third-party providers

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Taking action on all findings

25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Event pattern examples {
“source”: [
“aws.securityhub”
],
“detail-type”: [
“Security Hub Findings”
],
“detail”: {
“findings”: {
“Resources”: {
“Tags”: {
“Environment”: [
“PCI”
]
}
}
}
}
}
Filter by tags

26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Event pattern examples {
“source”: [
“aws.securityhub”
],
“detail-type”: [
“Security Hub Findings”
],
“detail”: {
“findings”: {
“Severity”: {
“Normalized”: [
95,
96,
97,
98,
99,
100
]
}}}}
Filter by severity

27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Custom actions in Security Hub

28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Custom actions in Security Hub

29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Custom actions in Security Hub
{
"source": [
"aws.securityhub"
],
"resources": [
"arn:aws:securityhub:us-west-
2:xxxxxxxxxxxx:action/custom/send_to_email"
]
}
Rule
Event

30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Custom actions in Security Hub
Rule
Event
Rule
Event
Rule
Event
Run
command

31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Custom actions in Security Hub

32. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Key takeaways
Automatically evaluate your compliance against key standards with one-click, frictionless
enablement
Centralize all of your findings via the AWS Security Findings Format without the need to
parse and normalize them
Prioritize findings using insights for efficient response and remediation
Take action on findings automatically or semi-automatically using CloudWatch Events
View and understand your security and compliance state in one place

34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Next steps
Try the preview: https://console.aws.amazon.com/securityhub/
Become a partner: Contact us at securityhub-partners@amazon.com
Learn more: https://aws.amazon.com/security-hub/

35. Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Ely Kahn
elykahn@amazon.com
Scott Ward
scotward@amazon.com