Securityhub

Editor's Notes

• #4: Even though it’s your responsibility to protect your data and resources in the cloud, AWS makes this task much more manageable by offering various different services to help you along the way. First, you must know what you’re protecting. CLICK AWS services like AWS Config and AWS Systems Manager can help you identify the resources and configurations that makes up your environment. Once you have that information, the next step is to protect your data and resources. CLICK AWS Shield, Amazon VPC, and AWS Identity and Access Management are just a few of the services available to you for protecting and granting access to your data and resources. Detecting security issues and threats is a required on-going task in any environment. CLICK AWS services like Amazon Macie, Inspector, and GuardDuty provide you with he means to run thorough assessment checks and threat detection against your data and applications. Once an issue or threat is found, CLICK you can automate a response via AWS Lambda and CLICK investigate the incident with Amazon CloudWatch and AWS CloudTrail logs. CLICK Amazon EBS snapshots and Amazon Glacier archives can be used when recovering from an incident. Then you can do Forensic investigations if needed.
• #5: Given that context, let’s look at why we built AWS Security Hub. There are really 4 problems that we are addressing. Compliance is critical for many AWS users that face a myriad of internal and external compliance requirements as they migrate to the cloud. Compliance can also help ensure that accounts and resources are properly configured which is a top pinpoint for many users. Addressing the Compliance problem: Automated compliance checks via Standards Guides   Data formats: AWS (and non-AWS) users are typically using dozens of different security tools. They all have different data formats that need to be parsed and normalized before they can be analyzed. Large organizations can spend 1000s of hours on this Addressing the Data formats problem Standardized Amazon Finding Format (no parsing or normalization needed) Integration with dozens of AWS and partner security tools Prioritization: AWS users may face a handful to tens of thousands of alerts per day depending on what tools they are using and how their environment is configured. This can be too much for a human to handle Addressing the problem Visual “Insight” creation to identify high priority findings. + [200] pre-packaged Insights. Integrate with your SIEM, Ticketing, Chat, or SOAR system. Single pane of glass Lastly, customers want the coveted single pane of glass that brings together both their compliance and security information across all of their accounts into a single view. Addressing the problem Summary dashboards across security and compliance Multi-account rollup
• #6: Get started in a few clicks and a few more for multi-account rollup No normalization or parsing needed with AWS Security Finding Format 28 partner integrations with simple setup (a few clicks to 15 min of CloudFormation deployment); 3 fully automated AWS integrations 25+ out-of-the-box AWS correlation and stacking rules called “insights” and ability for customers to create their own; plus default ones from partners coming soon. Automated compliance checks via CIS AWS Foundations Benchmark Automated response and remediation actions on specific findings via CloudWatch Events rules and targets
• #8: You can set up AWS Security Hub in the AWS Management Console by clicking the “Enable Security Hub” button and adding your AWS accounts to the service. The process of ingesting data across the AWS security services begins. Security Hub (CLICK) aggregates findings from AWS security services and partner security tools and correlate them to identify the highest priority findings. As an additional step, (CLICK) Security Hub conducts continuous and automated compliance checks using industry standards and provide the results to you for remediation. Finally, you may review the findings (CLICK) in the console and select the ones for specific actions such as sending finding to ticketing, chat, email, or automated remediation via CloudWatch Events and Lambda.
• #9: Standards is one of the methods used by Security Hub to process findings. This method uses compliance frameworks that are based on regulatory requirements or AWS best practices. AWS has defined specific evaluation checks that align to the controls within a certain compliance standard. CIS, or Center for Internet Security, AWS Foundations Benchmark is the compliance standard currently being used by Security Hub. AWS Security Hub creates a score to inform you how your AWS environment is doing against the CIS Benchmark and displays it on the main dashboard. When you click through to the standard, you will see a summary of the controls that need your attention. Security Hub also shows informational best practices on how to mitigate each compliance issue.
• #10: Standards is one of the methods used by Security Hub to process findings. This method uses compliance frameworks that are based on regulatory requirements or AWS best practices. AWS has defined specific evaluation checks that align to the controls within a certain compliance standard. CIS, or Center for Internet Security, AWS Foundations Benchmark is the compliance standard currently being used by Security Hub. AWS Security Hub creates a score to inform you how your AWS environment is doing against the CIS Benchmark and displays it on the main dashboard. When you click through to the standard, you will see a summary of the controls that need your attention. Security Hub also shows informational best practices on how to mitigate each compliance issue.
• #15: 29 product integrations, 24 companies All have aligned to AFF Some have done multiple product integrations: Splunk, PAN, CP, Qualys Different use cases: send findings, get findings, remediate findings All fully validated; demo’d to us the integration in our AWS demo environment which you will see momentarily and in a number of cases demo’d in a customer environment.
• #16: First crowdstrike, an endpoint protection platform. Crowdstrike deploys a python app to collect findings from its agents deployed on EC2 instances. It then does something very cool, where it enriches their findings with additional resource info by calling the AWS API. It then sends these enriched findings to to SecHub in the AWS Finding Format. A customer can set up this integration with SecHub in less than 15 min using a CF template that CS put together.
• #17: Next, Armor… a MSSP. The piece that I really liked about their integration is how easy it is to get started. They simplified beyond even CF templates. Armor customers can literally just flip a toggle button to begin pushing findings to SecHub. They can also select specifically which types of findings to push to SecHub with another flick of a switch.
• #21: Security findings from AWS services such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie are collected in Security Hub using a standardized AWS Security Findings Format. Partner integrations such as Check Point, CrowdStrike, Palo Alto Networks, Qualys, Symantec, and others use the same standardized findings format, eliminating time-consuming data parsing and normalization tasks. Now you can focus on prioritizing and acting on these consolidated findings.
• #22: Example checks: Ensure no root account access key exists Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password Ensure the S3 bucket CloudTrail logs to is not publicly accessible This is the first of many compliance modules that we will provide.