Securityhub
•Download as PPTX, PDF•
1 like•692 views
A look into security hub custom actions
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Securityhub
Similar to Securityhub (20)
More from Richard Harvey
More from Richard Harvey (20)
Recently uploaded
Recently uploaded (20)
Securityhub
- 1. © 2019, Amazon Web Services, Inc. or its Affiliates. Deep Dive on AWS Security Hub Centrally view and manage security alerts and automate compliance checks Ric Harvey SaaS Solutions Architect Amazon Web Services rjh@amazon.com @ric__harvey https://gitlab.com/ric_harvey/
- 2. © 2019, Amazon Web Services, Inc. or its Affiliates. Why Security Hub?
- 3. AWS security services overview Protect Detect Respond RecoverIdentify Automate Investigate Systems Manager, AWS Config IoT Device Defender, Key Management Service, IAM, Single-Sign-On, Firewall Manager, Server Manager, Shield, WAF, VPC Inspector, Macie, GuardDuty CloudWatch, Lambda CloudWatch, Cloudtrial Snapshot, Archive https://aws.amazon.com/security/ Forensic
- 4. What security challenges are we facing? Large volume of alerts and the need to prioritize 3 Prioritizing Lack of single pane of glass across security and compliance tools 4 Visibility Dozens of security tools with different data formats 2 Multiple formats Ensure your AWS infrastructure meets compliance requirements 1 Compliance https://aws.amazon.com/security/
- 5. Introducing AWS Security Hub https://aws.amazon.com/security-hub/
- 6. AWS Security Hub benefits Managed regional AWS service in minutes that aggregates findings across AWS accounts Manage security and compliance findings in a single location, increasing efficiency of locating relevant data Create custom insights to track issues unique to your environment https://aws.amazon.com/security-hub/
- 7. AWS Security Hub workflow Enable AWS Security Hub for all your accounts. Account 1 Account 2 Account 3 Conduct automated compliance scans and checks. Take action based on findings. Continuously aggregate and prioritize findings. https://aws.amazon.com/security-hub/
- 8. Compliance Standards • Based on CIS AWS Foundations Benchmark • Findings are displayed on main dashboard for quick access • Best practices information is provided to help mitigate issues Compliance Standards https://aws.amazon.com/security-hub/
- 9. AWS Security Hub insights Security findings that are correlated and grouped for prioritization • More than 20 pre-built insights provided by AWS and AWS partners • Ability to create your own insights • Dashboard provides visibility into the top security findings • Additional details for each finding is available for review EC2 instances that have missing security patches S3 buckets with stored credentials S3 buckets with public read and write permissions https://aws.amazon.com/security-hub/
- 10. AWS Security Hub Services Availability (Regions) • US East (N. Virginia) • US East (Ohio) • US West (N. California) • US West (Oregon) • Canada (Central) • EU (Ireland) • EU (Frankfurt • EU (London) • EU (Paris) • Asia Pacific (Singapore) • Asia Pacific (Sydney) • Asia Pacific (Seoul) • Asia Pacific (Tokyo) • Asia Pacific (Mumbai) • South America (Sao Paulo) Available in 15 Regions
- 11. © 2019, Amazon Web Services, Inc. or its Affiliates. Used by Customers
- 13. © 2019, Amazon Web Services, Inc. or its Affiliates. Extendable with Partners
- 15. Partner integration examples - CrowdStrike
- 16. Partner integration examples -Armor
- 17. © 2019, Amazon Web Services, Inc. or its Affiliates. Simple to Enable
- 18. Getting started A few clicks to enable Security Hub https://aws.amazon.com/security-hub/getting-started/
- 20. AWS Security Finding Format ~100 JSON-formatted fields Finding Types • Sensitive Data Identifications • Software and Configuration Checks • Unusual Behaviors • Tactics, Techniques, and Procedures (TTPs) • Effects Serverity.Normalised 0 30 70 100 EffectsTTPsUnusual Behavior Software & Config Check Sensitive Data Identifications
- 21. Automated compliance checks 43 fully automated, nearly continuous checks
- 22. Insights help identify resources that require attention
- 23. Customisable response and remediation actions Event (event- based) Rule
- 24. © 2019, Amazon Web Services, Inc. or its Affiliates. Demohttps://github.com/aws-samples/aws-securityhub-to-email
- 25. Key takeaways Collect and process security findings from multiple accounts within a region Evaluate your compliance against regulatory and best practice frameworks Identify and prioritize the most important issues by grouping and correlating security findings with Insights Understand and manage your overall AWS security and compliance posture
- 26. © 2019, Amazon Web Services, Inc. or its Affiliates. Thank you! Any Questions? Ric Harvey SaaS Solutions Architect Amazon Web Services rjh@amazon.com @ric__harvey https://gitlab.com/ric_harvey/
Editor's Notes
- Even though it’s your responsibility to protect your data and resources in the cloud, AWS makes this task much more manageable by offering various different services to help you along the way. First, you must know what you’re protecting. CLICK AWS services like AWS Config and AWS Systems Manager can help you identify the resources and configurations that makes up your environment. Once you have that information, the next step is to protect your data and resources. CLICK AWS Shield, Amazon VPC, and AWS Identity and Access Management are just a few of the services available to you for protecting and granting access to your data and resources. Detecting security issues and threats is a required on-going task in any environment. CLICK AWS services like Amazon Macie, Inspector, and GuardDuty provide you with he means to run thorough assessment checks and threat detection against your data and applications. Once an issue or threat is found, CLICK you can automate a response via AWS Lambda and CLICK investigate the incident with Amazon CloudWatch and AWS CloudTrail logs. CLICK Amazon EBS snapshots and Amazon Glacier archives can be used when recovering from an incident. Then you can do Forensic investigations if needed.
- Given that context, let’s look at why we built AWS Security Hub. There are really 4 problems that we are addressing. Compliance is critical for many AWS users that face a myriad of internal and external compliance requirements as they migrate to the cloud. Compliance can also help ensure that accounts and resources are properly configured which is a top pinpoint for many users. Addressing the Compliance problem: Automated compliance checks via Standards Guides Data formats: AWS (and non-AWS) users are typically using dozens of different security tools. They all have different data formats that need to be parsed and normalized before they can be analyzed. Large organizations can spend 1000s of hours on this Addressing the Data formats problem Standardized Amazon Finding Format (no parsing or normalization needed) Integration with dozens of AWS and partner security tools Prioritization: AWS users may face a handful to tens of thousands of alerts per day depending on what tools they are using and how their environment is configured. This can be too much for a human to handle Addressing the problem Visual “Insight” creation to identify high priority findings. + [200] pre-packaged Insights. Integrate with your SIEM, Ticketing, Chat, or SOAR system. Single pane of glass Lastly, customers want the coveted single pane of glass that brings together both their compliance and security information across all of their accounts into a single view. Addressing the problem Summary dashboards across security and compliance Multi-account rollup
- Get started in a few clicks and a few more for multi-account rollup No normalization or parsing needed with AWS Security Finding Format 28 partner integrations with simple setup (a few clicks to 15 min of CloudFormation deployment); 3 fully automated AWS integrations 25+ out-of-the-box AWS correlation and stacking rules called “insights” and ability for customers to create their own; plus default ones from partners coming soon. Automated compliance checks via CIS AWS Foundations Benchmark Automated response and remediation actions on specific findings via CloudWatch Events rules and targets
- You can set up AWS Security Hub in the AWS Management Console by clicking the “Enable Security Hub” button and adding your AWS accounts to the service. The process of ingesting data across the AWS security services begins. Security Hub (CLICK) aggregates findings from AWS security services and partner security tools and correlate them to identify the highest priority findings. As an additional step, (CLICK) Security Hub conducts continuous and automated compliance checks using industry standards and provide the results to you for remediation. Finally, you may review the findings (CLICK) in the console and select the ones for specific actions such as sending finding to ticketing, chat, email, or automated remediation via CloudWatch Events and Lambda.
- Standards is one of the methods used by Security Hub to process findings. This method uses compliance frameworks that are based on regulatory requirements or AWS best practices. AWS has defined specific evaluation checks that align to the controls within a certain compliance standard. CIS, or Center for Internet Security, AWS Foundations Benchmark is the compliance standard currently being used by Security Hub. AWS Security Hub creates a score to inform you how your AWS environment is doing against the CIS Benchmark and displays it on the main dashboard. When you click through to the standard, you will see a summary of the controls that need your attention. Security Hub also shows informational best practices on how to mitigate each compliance issue.
- Standards is one of the methods used by Security Hub to process findings. This method uses compliance frameworks that are based on regulatory requirements or AWS best practices. AWS has defined specific evaluation checks that align to the controls within a certain compliance standard. CIS, or Center for Internet Security, AWS Foundations Benchmark is the compliance standard currently being used by Security Hub. AWS Security Hub creates a score to inform you how your AWS environment is doing against the CIS Benchmark and displays it on the main dashboard. When you click through to the standard, you will see a summary of the controls that need your attention. Security Hub also shows informational best practices on how to mitigate each compliance issue.
- 29 product integrations, 24 companies All have aligned to AFF Some have done multiple product integrations: Splunk, PAN, CP, Qualys Different use cases: send findings, get findings, remediate findings All fully validated; demo’d to us the integration in our AWS demo environment which you will see momentarily and in a number of cases demo’d in a customer environment.
- First crowdstrike, an endpoint protection platform. Crowdstrike deploys a python app to collect findings from its agents deployed on EC2 instances. It then does something very cool, where it enriches their findings with additional resource info by calling the AWS API. It then sends these enriched findings to to SecHub in the AWS Finding Format. A customer can set up this integration with SecHub in less than 15 min using a CF template that CS put together.
- Next, Armor… a MSSP. The piece that I really liked about their integration is how easy it is to get started. They simplified beyond even CF templates. Armor customers can literally just flip a toggle button to begin pushing findings to SecHub. They can also select specifically which types of findings to push to SecHub with another flick of a switch.
- Security findings from AWS services such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie are collected in Security Hub using a standardized AWS Security Findings Format. Partner integrations such as Check Point, CrowdStrike, Palo Alto Networks, Qualys, Symantec, and others use the same standardized findings format, eliminating time-consuming data parsing and normalization tasks. Now you can focus on prioritizing and acting on these consolidated findings.
- Example checks: Ensure no root account access key exists Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password Ensure the S3 bucket CloudTrail logs to is not publicly accessible This is the first of many compliance modules that we will provide.