4. What security challenges are we facing?
1. Compliance: ensure your AWS infrastructure meets compliance requirements
2. Multiple formats: dozens of security tools with different data formats
3. Prioritizing: large volume of alerts and the need to prioritize
4. Visibility: lack of a single pane of glass across security and compliance tools
https://aws.amazon.com/security/
6. AWS Security Hub benefits
• Managed regional AWS service, enabled in minutes, that aggregates findings across AWS accounts
• Manage security and compliance findings in a single location, making relevant data faster to locate
• Create custom insights to track issues unique to your environment
https://aws.amazon.com/security-hub/
7. AWS Security Hub workflow
• Enable AWS Security Hub for all your accounts (Account 1, Account 2, Account 3).
• Conduct automated compliance scans and checks.
• Continuously aggregate and prioritize findings.
• Take action based on findings.
https://aws.amazon.com/security-hub/
8. Compliance Standards
• Based on CIS AWS Foundations Benchmark
• Findings are displayed on the main dashboard for quick access
• Best practices information is provided to help mitigate issues
https://aws.amazon.com/security-hub/
9. AWS Security Hub insights
Security findings that are correlated and grouped for prioritization
• More than 20 pre-built insights provided by AWS and AWS partners
• Ability to create your own insights
• Dashboard provides visibility into the top security findings
• Additional details for each finding are available for review
Example insights: EC2 instances that have missing security patches; S3 buckets with stored credentials; S3 buckets with public read and write permissions
https://aws.amazon.com/security-hub/
10. AWS Security Hub service availability (Regions)
• US East (N. Virginia)
• US East (Ohio)
• US West (N. California)
• US West (Oregon)
• Canada (Central)
• EU (Ireland)
• EU (Frankfurt)
• EU (London)
• EU (Paris)
• Asia Pacific (Singapore)
• Asia Pacific (Sydney)
• Asia Pacific (Seoul)
• Asia Pacific (Tokyo)
• Asia Pacific (Mumbai)
• South America (Sao Paulo)
Available in 15 Regions
25. Key takeaways
Collect and process security findings from multiple accounts within a region
Evaluate your compliance against regulatory and best practice frameworks
Identify and prioritize the most important issues by grouping and correlating security findings with Insights
Understand and manage your overall AWS security and compliance posture
Even though it’s your responsibility to protect your data and resources in the cloud, AWS makes this task much more manageable by offering various services to help you along the way. First, you must know what you’re protecting.
AWS services like AWS Config and AWS Systems Manager can help you identify the resources and configurations that make up your environment.
Once you have that information, the next step is to protect your data and resources. AWS Shield, Amazon VPC, and AWS Identity and Access Management are just a few of the services available to you for protecting and granting access to your data and resources.
Detecting security issues and threats is a required ongoing task in any environment. AWS services like Amazon Macie, Inspector, and GuardDuty provide you with the means to run thorough assessment checks and threat detection against your data and applications.
Once an issue or threat is found, you can automate a response via AWS Lambda and investigate the incident with Amazon CloudWatch and AWS CloudTrail logs.
Amazon EBS snapshots and Amazon Glacier archives can be used when recovering from an incident.
Then you can do forensic investigations if needed.
Given that context, let’s look at why we built AWS Security Hub. There are really four problems that we are addressing.
Compliance is critical for many AWS users that face a myriad of internal and external compliance requirements as they migrate to the cloud. Compliance can also help ensure that accounts and resources are properly configured, which is a top pain point for many users.
Addressing the compliance problem:
• Automated compliance checks via standards guides
Data formats: AWS (and non-AWS) users are typically using dozens of different security tools. They all have different data formats that need to be parsed and normalized before they can be analyzed. Large organizations can spend thousands of hours on this.
Addressing the data formats problem:
• Standardized AWS Security Finding Format (no parsing or normalization needed)
• Integration with dozens of AWS and partner security tools
Prioritization: AWS users may face anywhere from a handful to tens of thousands of alerts per day, depending on what tools they are using and how their environment is configured. This can be too much for a human to handle.
Addressing the prioritization problem:
• Visual “Insight” creation to identify high-priority findings, plus [200] pre-packaged Insights.
• Integrate with your SIEM, ticketing, chat, or SOAR system.
Single pane of glass: Lastly, customers want the coveted single pane of glass that brings together both their compliance and security information across all of their accounts into a single view.
Addressing the single-pane-of-glass problem:
• Summary dashboards across security and compliance
• Multi-account rollup
Summary of what Security Hub offers:
• Get started in a few clicks, and a few more for multi-account rollup
• No normalization or parsing needed with the AWS Security Finding Format
• 28 partner integrations with simple setup (a few clicks to 15 min of CloudFormation deployment); 3 fully automated AWS integrations
• 25+ out-of-the-box AWS correlation and stacking rules called “insights” and the ability for customers to create their own; plus default ones from partners coming soon
• Automated compliance checks via the CIS AWS Foundations Benchmark
• Automated response and remediation actions on specific findings via CloudWatch Events rules and targets
You can set up AWS Security Hub in the AWS Management Console by clicking the “Enable Security Hub” button and adding your AWS accounts to the service. The process of ingesting data across the AWS security services then begins. Security Hub aggregates findings from AWS security services and partner security tools and correlates them to identify the highest-priority findings. As an additional step, Security Hub conducts continuous and automated compliance checks using industry standards and provides the results to you for remediation. Finally, you may review the findings in the console and select the ones for specific actions, such as sending findings to ticketing, chat, or email, or triggering automated remediation via CloudWatch Events and Lambda.
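The automated-response path the notes describe (a CloudWatch Events rule that forwards selected findings to a Lambda target) can be prototyped and tested offline. The following is an added example, not code from the deck or from AWS: it holds the rule's event pattern, a small matcher that mimics how CloudWatch Events/EventBridge evaluates that pattern so the rule can be checked locally, and a Lambda handler that maps each matching finding to a remediation playbook. The sample event, the account id and the playbook names are constructed for the example; the handler only returns a plan and makes no AWS API calls.

```python
"""Automated response to Security Hub findings: the CloudWatch Events (EventBridge)
rule pattern that selects findings, a local matcher to test that pattern, and
the Lambda handler that turns matching findings into remediation actions.

Added example; not the deck's or AWS's own code. The sample event, account id
and playbook names are constructed; the handler returns a plan and makes no
AWS API calls."""
import json

# Rule event pattern: Security Hub emits one "Security Hub Findings - Imported"
# event per imported finding; only ACTIVE findings rated HIGH/CRITICAL pass.
RULE_EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "RecordState": ["ACTIVE"],
            "Severity": {"Label": ["HIGH", "CRITICAL"]},
        }
    },
}

# Constructed resource-type -> playbook mapping used by the Lambda target.
PLAYBOOKS = {
    "AwsS3Bucket": "s3-block-public-access",
    "AwsEc2Instance": "ssm-patch-instance",
    "AwsIamUser": "iam-disable-access-keys",
}


def matches(value, pattern):
    """Simplified EventBridge matching: a list in the pattern is the set of
    allowed leaf values, a dict must match key by key, and when the event
    holds an array any element may satisfy the pattern. EventBridge flattens
    arrays so different keys may be satisfied by different elements; this
    matcher requires one element to satisfy all keys, which is stricter."""
    candidates = value if isinstance(value, list) else [value]
    if isinstance(pattern, list):
        return any(c in pattern for c in candidates)
    if isinstance(pattern, dict):
        return any(
            isinstance(c, dict)
            and all(k in c and matches(c[k], p) for k, p in pattern.items())
            for c in candidates
        )
    return False


def make_event(label, resource_type, resource_id, record_state="ACTIVE"):
    """Construct a Security Hub imported-finding event (sample data, not captured)."""
    finding = {
        "SchemaVersion": "2018-10-08",
        "Id": f"arn:aws:securityhub:us-east-1:111122223333:finding/{resource_id}",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
        "AwsAccountId": "111122223333",
        "Title": f"{resource_type} {resource_id} needs attention",
        "Severity": {"Label": label},
        "RecordState": record_state,
        "Resources": [{"Type": resource_type, "Id": resource_id, "Region": "us-east-1"}],
    }
    return {
        "version": "0",
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "account": "111122223333",
        "region": "us-east-1",
        "detail": {"findings": [finding]},
    }


def handler(event, context=None):
    """Lambda entry point: one planned action per (finding, resource) pair."""
    actions = []
    for finding in event["detail"]["findings"]:
        for resource in finding.get("Resources", []):
            actions.append({
                "finding_id": finding["Id"],
                "severity": finding["Severity"]["Label"],
                "resource": resource["Id"],
                # Unknown resource types fall back to a ticket for a human.
                "playbook": PLAYBOOKS.get(resource["Type"], "create-ticket"),
            })
    return actions


if __name__ == "__main__":
    event = make_event("HIGH", "AwsS3Bucket", "arn:aws:s3:::constructed-trail-logs")
    if matches(event, RULE_EVENT_PATTERN):
        print(json.dumps(handler(event), indent=2))
```

The pattern is deliberately narrow: filtering on `RecordState` and `Severity.Label` in the rule itself keeps the Lambda from being invoked for every low-severity or archived finding, and the local matcher lets you check a pattern change against sample events before deploying it.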
Standards is one of the methods used by Security Hub to process findings.
This method uses compliance frameworks that are based on regulatory requirements or AWS best practices.
AWS has defined specific evaluation checks that align to the controls within a certain compliance standard.
CIS, or Center for Internet Security, AWS Foundations Benchmark is the compliance standard currently being used by Security Hub. AWS Security Hub creates a score to inform you how your AWS environment is doing against the CIS Benchmark and displays it on the main dashboard. When you click through to the standard, you will see a summary of the controls that need your attention. Security Hub also shows informational best practices on how to mitigate each compliance issue.
29 product integrations, 24 companies
All have aligned to AFF
Some have done multiple product integrations: Splunk, PAN, CP, Qualys
Different use cases: send findings, get findings, remediate findings
All fully validated; they demo’d the integration to us in our AWS demo environment, which you will see momentarily, and in a number of cases demo’d it in a customer environment.
First, CrowdStrike, an endpoint protection platform. CrowdStrike deploys a Python app to collect findings from its agents deployed on EC2 instances. It then does something very cool: it enriches the findings with additional resource info by calling the AWS API. It then sends these enriched findings to SecHub in the AWS Finding Format. A customer can set up this integration with SecHub in less than 15 min using a CF template that CS put together.
Next, Armor, an MSSP. The piece that I really liked about their integration is how easy it is to get started. They simplified beyond even CF templates. Armor customers can literally just flip a toggle button to begin pushing findings to SecHub. They can also select specifically which types of findings to push to SecHub with another flick of a switch.
Security findings from AWS services such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie are collected in Security Hub using a standardized AWS Security Findings Format. Partner integrations such as Check Point, CrowdStrike, Palo Alto Networks, Qualys, Symantec, and others use the same standardized findings format, eliminating time-consuming data parsing and normalization tasks. Now you can focus on prioritizing and acting on these consolidated findings.
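The "no parsing or normalization" point above rests on every producer, AWS service or partner, emitting the same finding format. The following is an added example, not code from the deck or from any AWS or partner integration, of what a producer-side normalizer like the CrowdStrike one described earlier has to do: take a tool's own alert, build an AWS Security Finding Format (ASFF) record from it, validate the fields `BatchImportFindings` requires, and batch records to the 100-per-call limit. The raw alert layout, account, region, product ARN and severity mapping are constructed placeholders.

```python
"""Normalize a partner tool's raw alert into the AWS Security Finding Format
(ASFF) and validate it before a BatchImportFindings call.

Added example; this is not code from the deck or from any AWS or partner
integration. The raw alert layout, the account/region/product values and the
severity mapping are constructed placeholders for this example."""

# Fields BatchImportFindings requires in every ASFF finding.
ASFF_REQUIRED = (
    "SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId",
    "Types", "CreatedAt", "UpdatedAt", "Severity", "Title", "Description",
    "Resources",
)

# Constructed mapping from the fictional scanner's severity words to ASFF
# labels and Normalized scores (0-100).
SEVERITY_MAP = {
    "low": ("LOW", 20), "medium": ("MEDIUM", 50),
    "high": ("HIGH", 75), "critical": ("CRITICAL", 95),
}

# Placeholder account/region; the product ARN follows the shape Security Hub
# uses for an account's default custom product.
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
PRODUCT_ARN = f"arn:aws:securityhub:{REGION}:{ACCOUNT_ID}:product/{ACCOUNT_ID}/default"

# Constructed raw alert as a fictional vulnerability scanner might emit it.
RAW_ALERT = {
    "alert_id": "scan-0001",
    "rule": "missing-security-patches",
    "severity": "High",
    "instance_id": "i-0123456789abcdef0",
    "summary": "EC2 instance is missing 3 critical security patches",
    "observed_at": "2019-03-01T10:15:00Z",
}


def to_asff(raw, account_id=ACCOUNT_ID, region=REGION, product_arn=PRODUCT_ARN):
    """Build one ASFF finding dict from a raw alert; raises on unknown severity."""
    try:
        label, score = SEVERITY_MAP[raw["severity"].lower()]
    except KeyError:
        raise ValueError(f"unmapped severity {raw['severity']!r}") from None
    instance_arn = f"arn:aws:ec2:{region}:{account_id}:instance/{raw['instance_id']}"
    return {
        "SchemaVersion": "2018-10-08",
        # Id must be unique per product; scoping it by region and account
        # avoids collisions when the same scanner runs in several accounts.
        "Id": f"{region}/{account_id}/{raw['alert_id']}",
        "ProductArn": product_arn,
        "GeneratorId": raw["rule"],
        "AwsAccountId": account_id,
        "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
        "CreatedAt": raw["observed_at"],
        "UpdatedAt": raw["observed_at"],
        "Severity": {"Label": label, "Normalized": score},
        "Title": f"{raw['rule']} on {raw['instance_id']}",
        "Description": raw["summary"],
        "Resources": [{"Type": "AwsEc2Instance", "Id": instance_arn, "Region": region}],
    }


def validate_asff(finding):
    """Return a list of problems; an empty list means the finding is importable."""
    problems = [f"missing {name}" for name in ASFF_REQUIRED if name not in finding]
    if not finding.get("Types"):
        problems.append("Types must be a non-empty list")
    if not finding.get("Resources"):
        problems.append("Resources must be a non-empty list")
    sev = finding.get("Severity", {})
    if "Label" not in sev and "Normalized" not in sev:
        problems.append("Severity needs Label or Normalized")
    return problems


def batches(findings, size=100):
    """Split findings into BatchImportFindings-sized lists (max 100 per call)."""
    return [findings[i:i + size] for i in range(0, len(findings), size)]


if __name__ == "__main__":
    finding = to_asff(RAW_ALERT)
    assert validate_asff(finding) == []
    for batch in batches([finding]):
        # Real import, not executed here:
        # boto3.client("securityhub", region_name=REGION).batch_import_findings(Findings=batch)
        print(f"batch of {len(batch)} finding(s) ready, severity {batch[0]['Severity']['Label']}")
```

Validating before import matters because `BatchImportFindings` reports per-finding failures rather than rejecting the whole call, so a missing required field silently drops that one finding from the consumer's view unless the producer checks first.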
Example checks:
Ensure no root account access key exists
Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
Ensure the S3 bucket CloudTrail logs to is not publicly accessible
This is the first of many compliance modules that we will provide.
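The three example checks above can be expressed as small evaluation functions over the data the controls actually inspect: the IAM credential report for the two IAM checks and the bucket ACL and policy for the CloudTrail bucket check. The following is an added example, not the deck's or Security Hub's own check code; the credential report excerpt (a subset of the real report's columns), the ACL grants and the bucket policy are constructed for the example, and the control numbers follow CIS AWS Foundations Benchmark v1.2.0. It also computes a percentage score, which is the shape of the per-standard number the dashboard shows.

```python
"""Three of the CIS AWS Foundations Benchmark checks named on the slide,
evaluated locally against constructed data instead of live IAM/S3 API responses.

Added example; not the deck's or Security Hub's own check code. The credential
report excerpt (a subset of the real IAM credential report columns), the bucket
ACL grants and the bucket policy are constructed for this example; control
numbers follow CIS AWS Foundations Benchmark v1.2.0."""
import csv
import io

# Constructed IAM credential report excerpt (the real report has more columns).
CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false,false
alice,arn:aws:iam::111122223333:user/alice,true,true,false,false
bob,arn:aws:iam::111122223333:user/bob,true,false,true,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,false
"""

# Constructed ACL grants and bucket policy for the CloudTrail log bucket.
TRAIL_BUCKET_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
TRAIL_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::constructed-trail-logs/AWSLogs/111122223333/*",
    }],
}
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def parse_credential_report(text):
    """Parse the CSV credential report into one dict per principal."""
    return list(csv.DictReader(io.StringIO(text)))


def check_no_root_access_key(rows):
    """CIS 1.12: no active access key may exist for the root account."""
    root = next(r for r in rows if r["user"] == "<root_account>")
    active = [k for k in ("access_key_1_active", "access_key_2_active") if root[k] == "true"]
    return {"control": "1.12", "passed": not active, "evidence": active}


def check_mfa_for_console_users(rows):
    """CIS 1.2: every IAM user with a console password must have MFA active."""
    failing = [r["user"] for r in rows
               if r["user"] != "<root_account>"
               and r["password_enabled"] == "true" and r["mfa_active"] != "true"]
    return {"control": "1.2", "passed": not failing, "evidence": failing}


def check_trail_bucket_not_public(acl_grants, policy):
    """CIS 2.3: the CloudTrail log bucket must not be readable by everyone,
    via either an ACL group grant or a bucket policy with Principal *."""
    evidence = []
    for grant in acl_grants:
        uri = grant["Grantee"].get("URI")
        if uri in PUBLIC_GROUP_URIS:
            evidence.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and principal in ("*", {"AWS": "*"}):
            evidence.append("bucket policy allows Principal *")
    return {"control": "2.3", "passed": not evidence, "evidence": evidence}


def evaluate(report_text=CREDENTIAL_REPORT, acl=TRAIL_BUCKET_ACL, policy=TRAIL_BUCKET_POLICY):
    """Run all checks and compute a dashboard-style score (percent passed)."""
    rows = parse_credential_report(report_text)
    results = [check_no_root_access_key(rows), check_mfa_for_console_users(rows),
               check_trail_bucket_not_public(acl, policy)]
    score = round(100 * sum(r["passed"] for r in results) / len(results))
    return {"score": score, "results": results}


if __name__ == "__main__":
    for r in evaluate()["results"]:
        print(f"CIS {r['control']}: {'PASS' if r['passed'] else 'FAIL'} {r['evidence']}")
```

Each result carries its evidence (the failing user names, the offending ACL grant) rather than just a pass/fail flag, which is what turns a compliance score into something an operator can act on.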