The document discusses AWS Security Hub, which provides a centralized place to manage security and compliance across AWS accounts and third-party systems. It allows users to view alerts and findings from multiple sources, prioritize them, and automatically trigger responses or remediation actions using features like AWS Lambda and Step Functions. Examples are given of how Security Hub can help with use cases like gaining visibility, routing alerts to a SIEM, and providing dashboards for account owners.

1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
How to act on security and compliance
alerts with AWS Security Hub
Ely Kahn
Principal Product Manager
AWS Security Hub
Amazon Web Services
S E C 2 0 2
Josh Hammer
Partner Solutions Architect
AWS Partner Network
Amazon Web Services

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Agenda
AWS Security Hub overview
Customer use cases
“Taking action” deep dive
Demonstration
Questions

3. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Problem statements
Large volume of
alerts, and the need
to prioritize and
take action
3
Dozens of security
tools with different
data formats
2
Many compliance
requirements, and
not enough time to
build the checks
1
Too many security
alerts
Too many security
alert formats
Backlog of
compliance
requirements
Lack of an
integrated view of
security and
compliance across
accounts
4
Lack of an
integrated view

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Security Hub overview

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
The AWS security services ecosystem
Protect Detect Respond
Automate
Investigate
RecoverIdentify
AWS
Systems
Manager
AWS Config
AWS
Lambda
Amazon
CloudWatch
Amazon
Inspector
Amazon
Macie
Amazon
GuardDuty
AWS
Security Hub
AWS IoT
Device
Defender
KMSIAM
AWS
Single
Sign-On
Snapshot ArchiveAWS
CloudTrail
Amazon
CloudWatch
Amazon
VPC
AWS
WAF
AWS
Shield
AWS
Secrets
Manager
AWS
Firewall
Manager
AWS
Organizations
Personal
Health
Dashboard
Amazon
Route 53
AWS
Direct
Connect
AWS Transit
Gateway
Amazon
VPC
PrivateLink
AWS Step
Functions
Amazon
Cloud
Directory
AWS
CloudHSM
AWS
Certificate
Manager
AWS
Control
Tower
AWS
Service
Catalog
AWS Well-
Architected
Tool
AWS
Trusted
Advisor
Resource
Access
manager
AWS
Directory
Service
Amazon
Cognito
Amazon S3
Glacier
AWS
Security Hub
AWS
Systems
Manager
AWS Identity
and Access
Management
(IAM)

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Generally available as of 6/24/19
Supported Regions (16)
Asia Pacific (Mumbai)
Asia Pacific (Seoul)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
Asia Pacific (Tokyo)
Canada (Central)
EU (Frankfurt)
EU (Ireland)
EU (London)
EU (Paris)
EU (Stockholm)
South America (São Paulo)
US East (N. Virginia)
US East (Ohio)
US West (N. California)
US West (Oregon)
New features since
preview began
• 30-day free trial
• Amazon CloudWatch
Events
• CIS compliance standard
improvements
• Tag-based access controls
and cost allocation
• AWS CloudFormation
• Performance
improvements

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Partner integrations
Firewalls
Vulnerability
Taking action
Endpoint
Compliance
MSSP
Other

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS security finding format
~100 JSON-formatted fields
Finding types
1. Sensitive data identifications
2. Software and configuration checks
3. Unusual behaviors
4. Tactics, techniques, and procedures
(TTPs)
5. Effects

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Partner integration examples: CrowdStrike

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Partner integration examples: Alert Logic
Customer Environment
Alert Logic data ingestion,
processing, and analytics
1. Inspected data is transported to Alert Logic’s data ingestion,
processing, and analytics platform
2. Alert Logic’s threat detection and response capability analyzes
the data and identifies incidents
3. An internal service (dedicated to Security Hub) assesses the
incident for potential posting to Security Hub
4. The incident is then posted to the respective customer’s
Security Hub console as a finding
1
2
3
4

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Setup and multi-account

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Compliance checks

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Insights

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Response and remediation
Automation document
AWS Step Functions
Lambda function
Rule
CloudWatch
Event
Security Hub

16. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Some of our current customers

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Use case 1: Centralized security and compliance workspace
Goal
Have a single pane of glass to view, triage, and take action on AWS security
and compliance issues across accounts
Personas
SecOps, compliance, and/or DevSecOps teams focused on AWS, Cloud
Centers of Excellence, the first security hire
Key processes
example
1. Ingest findings from finding providers
2. High-volume and well-known findings are programmatically routed to
remediation workflows, which include updating the status of the finding
3. Remaining findings are routed to analysts via an on-call management
system, and they use ticketing and chat systems to resolve them
“Taking action”
integrations
Ticketing systems, chat systems, on-call management systems, SOAR
platforms, customer-built remediation playbooks

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Use case 2: Centralized routing to a SIEM
Goal
Easily route all AWS security and compliance findings in a normalized format
to a centralized SIEM or log management tool
Personas SecOps, compliance, and/or DevSecOps teams
Key processes
example
1. Ingest findings from finding providers
2. All findings are routed via CloudWatch Events to a central SIEM that stores
AWS and on-premises security and compliance data
3. Analyst workflows are linked to the central SIEM
“Taking action”
integrations
SIEM

20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Use case 3: Dashboard for account owners
Goal
Provide visibility to AWS account owners on the security and compliance
posture of their account
Personas AWS account owners
Key processes
example
1. Ingest findings from finding providers
2. Account owners are given read-only access to Security Hub
3. Account owners can use Security Hub to research issues that they are
ticketed on or proactively monitor their own security and compliance
state
“Taking action”
integrations
Chat, ticketing

21. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Taking action with Security Hub
Security Hub Amazon CloudWatch
Events
Amazon GuardDuty
Amazon Inspector
Amazon Macie
Third-party providers

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Security Hub taking action partner integration

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Taking action on all findings

25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Event pattern examples {
“source”: [
“aws.securityhub”
],
“detail-type”: [
“Security Hub Findings - Imported”
],
“detail”: {
“findings”: {
“Resources”: {
“Tags”: {
“Environment”: [
“PCI”
]
}
}
}
}
}
Filter by tags

26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Event pattern examples
Filter by severity
{
“source”: [
“aws.securityhub”
],
“detail-type”: [
“Security Hub Findings - Imported”
],
“detail”: {
“findings”: {
“Severity”: {
“Normalized”: [
95,
96,
97,
98,
99,
100
]
}}}}

27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Custom actions in Security Hub

28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Custom actions in Security Hub

29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Custom actions in Security Hub
Rule
Event
{
"source": [
"aws.securityhub"
],
"resources": [
"arn:aws:securityhub:us-west-
2:xxxxxxxxxxxx:action/custom/SendToEmail"
]
}

30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Custom actions in Security Hub
Rule
Event
Rule
Event
Rule
Event
Run
command

31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Custom actions in Security Hub

32. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Key takeaways
Automatically evaluate your compliance against key standards with one-click, frictionless
enablement
Centralize all of your findings via the AWS Security Finding Format without the need to
parse and normalize them
Prioritize findings using insights for efficient response and remediation
Take action on findings automatically or semi-automatically using CloudWatch Events
View and understand your security and compliance state in one place across all of your
accounts

34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Next steps
Try the 30-day trial: https://console.aws.amazon.com/securityhub/
Become a partner: Contact us at securityhub-partners@amazon.com
Learn more: https://aws.amazon.com/security-hub/

35. Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Ely Kahn
elykahn@amazon.com
Josh Hammer
johammer@amazon.com