Introduction to AWS Security Hub

Felipe Garcia
January 31, 2019
This session will include an overview and demo of AWS Security Hub. AWS Security Hub is a new service in Preview that gives you a comprehensive view of your high-priority security alerts and compliance status across AWS accounts. With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions.

Transcript

  1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
     AWS Security Hub Service Overview, 1.31.19. Cameron Worrell, Solutions Architect
  2. AWS security overview
     [Diagram: AWS security services mapped to the NIST Cybersecurity Framework functions Identify, Protect, Detect, Respond and Recover, with Investigate and Automate added to the flow. Labels recoverable from the slide: Archive, Snapshot, Amazon Macie.]
  3. Problem statement
     (1) Prioritization: a large volume of alerts and the need to prioritize them
     (2) Compliance: ensuring that your AWS infrastructure meets compliance requirements
     (3) Multiple formats: dozens of security tools, each with a different data format
     (4) Visibility: no single pane of glass across security and compliance tools
  4. AWS Security Hub overview
  5. Rollout plans and pricing
     AWS Security Hub is available today as a public preview service
     • Available at no additional cost, except for AWS Config costs for new AWS Config users
     • Open to everyone
     • Get started in a few clicks
     • Goal is to iterate on the latest features with customers before releasing as generally available (GA)
     Full API/CLI/SDK support
     • C++, Go, Java, JS, .NET, PHP, Python, Ruby
     Supported Regions (15)
     • Asia Pacific (Mumbai)
     • Asia Pacific (Seoul)
     • Asia Pacific (Singapore)
     • Asia Pacific (Sydney)
     • Asia Pacific (Tokyo)
     • Canada (Central)
     • EU (Frankfurt)
     • EU (Ireland)
     • EU (London)
     • EU (Paris)
     • South America (Sao Paulo)
     • US East (N. Virginia)
     • US East (Ohio)
     • US West (N. California)
     • US West (Oregon)
  6. Knowledge Check
     Security Hub currently consumes information directly from which sources? (Choose 4)
     A. Amazon Inspector
     B. AWS Systems Manager
     C. Amazon GuardDuty
     D. Amazon Cognito
     E. Amazon Macie
     F. Integrated Partner Solutions
  7. Knowledge Check
     When thinking about AWS security services in the context of the NIST Cybersecurity Framework, what additional steps are included in the flow? (Choose 2)
     A. Protect
     B. Automate
     C. Detect
     D. Investigate
     E. Identify
  8. Some of our current users
  9. Partner integrations
     Categories: Firewalls, Vulnerability, SOAR, SIEM, Endpoint, Compliance, MSSP, Other
  10. Partner integration examples — CrowdStrike
  11. Partner integration examples — Armor
  12. Partner integration examples — Alert Logic
     1. Inspected data is transported to Alert Logic's data ingestion, processing, and analytics platform
     2. Alert Logic's threat detection and response capability analyzes the data and identifies incidents
     3. An internal service (dedicated to AWS Security Hub) assesses the incident for potential posting to AWS Security Hub
     4. The incident is then posted to the respective customer's AWS Security Hub console as a finding
  13. Cloud Custodian and AWS Security Hub
     Details for how to integrate Cloud Custodian with Security Hub are posted at: https://aws.amazon.com/blogs/opensource/announcing-cloud-custodian-integration-aws-security-hub/
     Add the action "post-finding" to a policy, then run custodian to have its findings sent to Security Hub.
     Posted findings are visible in Security Hub, with the policy name mapping to the Title of the finding.
  14. A few clicks to enable Security Hub
  15. Simple multi-account setup
  16. AWS Security Finding Format
     ~100 JSON-formatted fields
     Finding Types:
     • Sensitive Data Identifications
     • Software and Configuration Checks
     • Unusual Behaviors
     • Tactics, Techniques, and Procedures (TTPs)
     • Effects
     Severity.Normalized (a 0-100 score that lets findings from different sources be ranked on one scale)
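To make the finding format on the slide above concrete, here is an added example (not code from the deck or from AWS) that builds a minimal ASFF finding for a public S3 bucket and checks it against the fields BatchImportFindings requires. The account ID, region, bucket name, product name and the type string are constructed for the example; the "default" ProductArn form is the one a customer account uses to send its own findings, and the required-field list follows the ASFF documentation as the author reads it.

```python
"""Build and validate a minimal AWS Security Finding Format (ASFF) finding.

Added example for this page, not code from the deck or from AWS. The
account ID, region, bucket name and product name below are constructed.
"""
import json
import re
from datetime import datetime, timezone

# Fields without which BatchImportFindings rejects a finding (per ASFF docs).
REQUIRED_FIELDS = (
    "SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId",
    "Types", "CreatedAt", "UpdatedAt", "Severity", "Title", "Description",
    "Resources",
)

# First path element of an ASFF "Types" string must be one of these namespaces.
TYPE_NAMESPACES = (
    "Sensitive Data Identifications",
    "Software and Configuration Checks",
    "Unusual Behaviors",
    "TTPs",      # Tactics, Techniques, and Procedures
    "Effects",
)

ISO_8601_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def now_iso() -> str:
    """UTC timestamp with millisecond precision in the 'Z' form ASFF expects."""
    now = datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"


def build_finding(account_id, region, bucket_name, product_name="custom-scanner",
                  normalized=70, product_severity=7.0):
    """Return an ASFF dict for a public S3 bucket reported by a hypothetical custom scanner."""
    ts = now_iso()
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"{region}/{account_id}/{product_name}/public-bucket/{bucket_name}",
        # ProductArn form reserved for findings an account sends on its own behalf.
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "GeneratorId": f"{product_name}/s3-public-acl",
        "AwsAccountId": account_id,
        "Types": ["Software and Configuration Checks/AWS Security Best Practices/S3 Public Access"],
        "CreatedAt": ts,
        "UpdatedAt": ts,
        # Severity.Normalized (0-100) is the cross-source scale Security Hub ranks on;
        # Severity.Product carries the source tool's own score as context.
        "Severity": {"Normalized": normalized, "Product": product_severity},
        "Title": f"S3 bucket {bucket_name} grants public access",
        "Description": "Bucket ACL contains a grant to AllUsers or AuthenticatedUsers.",
        "Resources": [{"Type": "AwsS3Bucket", "Id": f"arn:aws:s3:::{bucket_name}", "Region": region}],
        "Compliance": {"Status": "FAILED"},
        "RecordState": "ACTIVE",
    }


def validate_finding(finding: dict) -> list:
    """Return a list of problems; an empty list means the finding looks importable."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if f not in finding]
    if problems:
        return problems
    for t in finding["Types"]:
        if t.split("/")[0] not in TYPE_NAMESPACES:
            problems.append(f"unknown Types namespace in {t!r}")
    sev = finding["Severity"].get("Normalized")
    if not isinstance(sev, int) or not 0 <= sev <= 100:
        problems.append("Severity.Normalized must be an integer 0-100")
    for key in ("CreatedAt", "UpdatedAt"):
        if not ISO_8601_UTC.match(finding[key]):
            problems.append(f"{key} is not an ISO 8601 UTC timestamp")
    if not re.fullmatch(r"\d{12}", finding["AwsAccountId"]):
        problems.append("AwsAccountId must be 12 digits")
    if not finding["Resources"]:
        problems.append("Resources must list at least one resource")
    return problems


def import_findings(findings, region):
    """Send validated findings to Security Hub (needs boto3 and credentials; not run offline)."""
    import boto3  # imported here so the rest of the module works without it
    bad = [p for f in findings for p in validate_finding(f)]
    if bad:
        raise ValueError(bad)
    client = boto3.client("securityhub", region_name=region)
    return client.batch_import_findings(Findings=findings)


if __name__ == "__main__":
    f = build_finding("111122223333", "us-east-1", "example-public-bucket")  # constructed IDs
    print(json.dumps(f, indent=2))
    print("problems:", validate_finding(f))
```

Validating locally before calling BatchImportFindings matters because the API reports per-finding failures in its response rather than raising, so a malformed finding is easy to drop silently.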
  17. Automated compliance checks
     43 fully automated, nearly continuous checks
  18. Insights help identify resources that require attention
  19. Customizable response and remediation actions
     [Diagram labels: Event, Rule (event-based)]
  20. Knowledge Check
     Security Hub consumes, aggregates, organizes and prioritizes findings from AWS security services and partner solutions using which format?
     A. AWS Compliance Markup Format
     B. Cyber Threat Finding Format
     C. DoD Finding and Alert Format
     D. AWS Security Finding Format
  21. Knowledge Check
     What are Security Hub Insights?
     A. Automated widgets used in security analyst dashboards
     B. A collection of related findings defined by an aggregation statement and optional filters
     C. Automated alerts generated by the Inspector rules engine
     D. A behavioral anomaly detected by machine learning
  22. Knowledge Check
     What is the mechanism to automate response for Security Hub findings?
     A. Custom actions and AWS Config Rules
     B. Custom insights and AWS CloudTrail
     C. Custom actions and Amazon CloudWatch Events
     D. Custom insights and Amazon CloudWatch Logs
  23. Use Case: Alert Triage
     [Diagram: Security findings as custom events → Amazon CloudWatch Events Rule → AWS Lambda Function 1, AWS Lambda Function 2, …; findings are tagged Status: Yellow or Status: Red; notify the SecOps team with Amazon SNS]
  24. Use Case: Compliance Scans
     1. An ACL configuration change on an Amazon S3 bucket is discovered by Security Hub (bucket set to public)
     2. Security Hub invokes a Lambda function
     3. The Lambda function sets the bucket ACL back to private
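The two use cases above (severity-based triage on slide 23 and reverting a public bucket ACL on slide 24) and the custom action mechanism from slide 22 share one plumbing pattern: a CloudWatch Events rule matching Security Hub events, and a Lambda target that reads the findings out of the event. The following is an added example of that pattern, not code from the deck or from AWS. The account ID, region, custom action ID, SNS topic ARN, bucket name, the Red/Yellow threshold and the sample event contents are all constructed; the event shapes ("Security Hub Findings - Imported" carrying every finding, "Security Hub Findings - Custom Action" carrying the findings an analyst selected) follow the Security Hub CloudWatch Events integration.

```python
"""Respond to Security Hub findings via CloudWatch Events + Lambda.

Added example for this page (not the deck's or AWS's code). Everything
below marked 'constructed' or 'assumed' is made up for illustration.
"""
ACCOUNT = "111122223333"                                   # constructed
REGION = "us-east-1"
TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT}:secops-alerts"  # assumed SNS topic
RED_THRESHOLD = 70   # assumed: Severity.Normalized >= 70 is "Red", below is "Yellow"

# Event patterns for two CloudWatch Events rules. Security Hub emits every imported
# finding as "Security Hub Findings - Imported", and the findings an analyst selects
# under a custom action as "Security Hub Findings - Custom Action" (the custom action
# ARN appears in the event's resources, so a rule can match one action only).
TRIAGE_RULE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
}
REMEDIATE_RULE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Custom Action"],
    "resources": [f"arn:aws:securityhub:{REGION}:{ACCOUNT}:action/custom/s3-make-private"],
}


def classify(finding):
    """Map Severity.Normalized onto the slide's Red/Yellow statuses."""
    sev = finding.get("Severity", {}).get("Normalized", 0)
    return "red" if sev >= RED_THRESHOLD else "yellow"


def bucket_names(finding):
    """Bucket names from AwsS3Bucket resources (ASFF resource Id is the ARN arn:aws:s3:::<name>)."""
    names = []
    for r in finding.get("Resources", []):
        if r.get("Type") == "AwsS3Bucket" and r.get("Id", "").startswith("arn:aws:s3:::"):
            names.append(r["Id"].split(":::", 1)[1])
    return names


def triage(event, sns):
    """Lambda target for TRIAGE_RULE_PATTERN: page SecOps for Red findings, record the rest."""
    result = {"red": [], "yellow": []}
    for f in event["detail"]["findings"]:
        status = classify(f)
        result[status].append(f["Id"])
        if status == "red":
            sns.publish(TopicArn=TOPIC_ARN, Subject=f"[RED] {f['Title']}"[:100],
                        Message=f"{f['Id']}\n{f.get('Description', '')}")
    return result


def remediate_public_bucket(event, s3):
    """Lambda target for REMEDIATE_RULE_PATTERN: reset each affected bucket's ACL to private."""
    fixed = []
    for f in event["detail"]["findings"]:
        for name in bucket_names(f):
            s3.put_bucket_acl(Bucket=name, ACL="private")  # canned ACL: owner only
            fixed.append(name)
    return fixed


def lambda_handler(event, context=None):
    """Single entry point; dispatches on detail-type. Uses real boto3 clients only here."""
    import boto3
    if event.get("detail-type") == "Security Hub Findings - Custom Action":
        return remediate_public_bucket(event, boto3.client("s3"))
    return triage(event, boto3.client("sns"))


class RecordingClient:
    """Stand-in for a boto3 client that records calls, so the handlers run offline."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


def sample_event(detail_type):
    """Constructed CloudWatch Events payload in the (trimmed) shape Security Hub sends."""
    findings = [
        {"Id": "f-public-bucket", "Title": "S3 bucket grants public access",
         "Description": "Bucket ACL grants AllUsers READ.", "Severity": {"Normalized": 70},
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-public-bucket"}]},
        {"Id": "f-old-ami", "Title": "Instance uses outdated AMI", "Severity": {"Normalized": 30},
         "Resources": [{"Type": "AwsEc2Instance",
                        "Id": f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-0abc"}]},
    ]
    return {"source": "aws.securityhub", "detail-type": detail_type,
            "detail": {"actionName": "s3-make-private", "findings": findings}}


if __name__ == "__main__":
    print(triage(sample_event("Security Hub Findings - Imported"), RecordingClient()))
    print(remediate_public_bucket(sample_event("Security Hub Findings - Custom Action"), RecordingClient()))
```

Two points a practitioner would want to keep in mind: the remediation rule is pinned to one custom action ARN, so only findings an analyst explicitly routed there get their ACL changed rather than everything Security Hub imports; and the Lambda execution role for the remediation path needs s3:PutBucketAcl on the affected buckets and nothing wider.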
  25. Key takeaways
     • Collect and process security findings from multiple accounts within a region
     • Evaluate your compliance against regulatory and best practice frameworks
     • Identify and prioritize the most important issues by grouping and correlating security findings with Insights
     • Understand and manage your overall AWS security and compliance posture
  26. Next steps
     Try the preview: https://console.aws.amazon.com/securityhub/
     Learn more: https://aws.amazon.com/security-hub/
     Join us in Boston, June 25–26, for the inaugural AWS re:Inforce: https://aws.amazon.com/about-aws/events/reinforce/
  27. Additional Resources
  28. Additional Resources: AWS Security Hub
     • Introduction to AWS Security Hub: re:Invent service launch (video)
     • Intro to AWS Security Hub (video)
     • Introduction to AWS Security Hub - AWS Online Tech Talks: Learn about AWS Security Hub, and how it gives you a comprehensive view of your high-priority security alerts and your compliance status across AWS accounts. In this tech talk, you'll see how Security Hub aggregates, organizes, and prioritizes your alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions. We will demonstrate how you can continuously monitor your environment using compliance checks based on the AWS best practices and industry standards your organization follows.
     • AWS Security Hub Partners: https://aws.amazon.com/security-hub/partners/
  29. Additional Resources: AWS Security Hub, AWS Security Blog posts
     • How to Integrate AWS Security Hub Custom Actions with PagerDuty (AWS Security Blog): In this post, I will walk you through how to create a custom action in AWS Security Hub and link that custom action with PagerDuty, an AWS Partner Network (APN) Advanced Technology Partner. This integration allows you to send Security Hub findings to PagerDuty and use the PagerDuty platform to manage, organize, and respond to Security Hub events related to your organization. https://aws.amazon.com/blogs/apn/how-to-integrate-aws-security-hub-custom-actions-with-pagerduty/
     • How to Enable Custom Actions in AWS Security Hub: In this post, I will introduce you to the process of creating AWS Security Hub Custom Actions with two examples: (1) sending findings to email; and (2) sending findings to Slack. This post will help you understand the process to create your own Custom Actions for utilization in your Security Operations playbooks. https://aws.amazon.com/blogs/apn/how-to-enable-custom-actions-in-aws-security-hub/
  30. Additional Resources: AWS Security Hub, AWS Open Source Blog
     • Announcing Cloud Custodian Integration with AWS Security Hub (Solution Overview): This solution will cover how to upgrade and configure an existing Cloud Custodian environment to post (aka, send) findings into AWS Security Hub, then view those findings in Security Hub. If you don't already have a working Cloud Custodian environment, please visit Cloud Custodian's Getting Started page. https://aws.amazon.com/blogs/opensource/announcing-cloud-custodian-integration-aws-security-hub/