AWS Security Hub has the ability to ingest security findings from third-party security partners or security findings that organizations generate on their own. Additionally, the custom event feature of Security Hub allows organizations to make the appropriate response to a finding. In this session, get hands-on experience with Security Hub by integrating third-party security findings for your AWS environment, building out your own custom security finding integration, and defining and implementing custom events to respond to the security findings in your AWS environment.

1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Hands-on with AWS Security Hub
Scott Ward
Principal Solutions Architect
AWS
F N D 2 1 3 - R 1
Josh Hammer
Solutions Architect
AWS

2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
AWS Security Hub overview
Inbound integrations
Outbound integrations: Taking action
Workshop details

3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Related breakout
Wednesday, June 26th
FND218 – How to act on your security and compliance alerts with AWS Security
Hub
9:30 AM – 10:30 AM | Level 0, Hall B2, Yellow

4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Security Hub overview

5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Partner integrations
Firewalls
Vulnerability
SOAR
SIEM
Endpoint
Compliance
MSSP
Other

6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security Hub taking action with partner integrations

7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Security Finding Format
~100 JSON-formatted fields
Finding types
1. Sensitive data identifications
2. Software and configuration checks
3. Unusual behaviors
4. Tactics, techniques, and procedures
(TTPs)
5. Effects

8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Partner integrations: Into Security Hub
AWS Security Hub
Customer Account
Partner Account

9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
You can create your own findings
AWS Security Hub

10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Setup and multi-account

11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Compliance checks

12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Insights

13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Taking action with Security Hub
AWS Security Hub Amazon CloudWatch
Events
Amazon GuardDuty
Amazon Inspector
Amazon Macie
3rd Party Providers

14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Taking action with Security Hub
AWS Security Hub Amazon CloudWatch
Events

15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Taking action on all findings

16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Event pattern examples {
"source": [
"aws.securityhub"
],
"detail-type": [
"Security Hub Findings"
],
"detail": {
"findings": {
"Resources": {
"Tags": {
"Environment": [
"PCI"
]
}
}
}
}
}
Filter by tags

17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Event pattern examples {
"source": [
"aws.securityhub"
],
"detail-type": [
"Security Hub Findings"
],
"detail": {
"findings": {
"Severity": {
"Normalized": [
95,
96,
97,
98,
99,
100
]
}}}}
Filter by severity

18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Custom actions in Security Hub

19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Custom actions in Security Hub

20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Custom actions in Security Hub
Rule
Event
{
"source": [
"aws.securityhub"
],
"resources": [
"arn:aws:securityhub:us-west-
2:xxxxxxxxxxxx:action/custom/send_to_email"
]
}

21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Custom actions in Security Hub
Rule
Event
Rule
Event
Rule
Event
Run
command

22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Custom actions in Security Hub

23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
High-level view of the workshop
✓ Integrate partner findings
✓ Create a custom finding integration
✓ Build taking action integrations

25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Integrate partner findings
CrowdStrike
Sending Amazon EC2 findings to Security Hub
McAfee MVision Cloud
Sending account configuration findings to Security Hub

26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create a custom finding integration
Identify noncompliant instances via AWS Config rules and
create findings in AWS Security Hub

27. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Build taking action integrations
Custom Lambda function
PagerDuty
Slack
Demisto
Rapid7 – Insight Connect

28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
We are here to help you

29. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Have fun
Ask questions

30. Thank you!
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.