Learn about AWS Security Hub and how it gives you a comprehensive view of your high-priority security alerts and compliance status across AWS accounts. See how Security Hub aggregates, prioritizes, and helps you act on your alerts from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions.

1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to act on your security and compliance alerts
with AWS Security Hub
F N D 2 1 8
Ely Kahn
Principal Product Manager
AWS Security Hub
Scott Ward
Principal Solutions Architect
AWS Partner Network
Jason Fuller
Head of Cloud Management and Operations
HERE Technologies
Rob Morris
Cloud Engineer
Northwestern Mutual

2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
AWS Security Hub overview
Customer use cases
Taking action deep dive
Demonstration
Wrap-up

3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Related workshops
Tuesday, June 25
FND213: Hands-on with AWS Security Hub
5:15 – 7:15 PM | Level 2, Room 210C
Tuesday, June 25
GRC330: Compliance automation: Set it up fast, then code it your way
2:45 – 4:45 PM | Level 2, Room 210C
Wednesday, June 26
FND213-R1: Hands-on with AWS Security Hub
11:15 AM – 1:15 PM | Level 2, Room 210A

4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Problem statements
Large volume of
alerts and the need
to prioritize and
take action
3
Dozens of security
tools with different
data formats
2
Many compliance
requirements and
not enough time to
build the rules
1
Too many security
alerts
Too many security
alert formats
Backlog of
compliance
requirements
Lack of an
integrated view of
security and
compliance across
accounts
4
Lack of an
integrated view

6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Security Hub overview

7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Generally availableas of today
Supported Regions (15)
Asia Pacific (Mumbai)
Asia Pacific (Seoul)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
Asia Pacific (Tokyo)
Canada (Central)
EU (Frankfurt)
EU (Ireland)
EU (London)
EU (Paris)
South America (São Paulo)
US East (N. Virginia)
US East (Ohio)
US West (N. California)
US West (Oregon)
New features since
preview began
• Amazon CloudWatch
Events
• CIS compliance standard
improvements
• Tag-based access controls
and cost allocation
• AWS CloudFormation
• Performance
improvements
• Localization

8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Partner integrations
Firewalls
Vulnerability
Taking action
Endpoint
Compliance
MSSP
Other

9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Some of our current customers

11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use pattern 1: Centralized security and compliance
workspace
Goal
Have a single pane of glass to view, triage, and take action on AWS security
and compliance issues across accounts
Personas
SecOps, compliance, and/or DevSecOps teams focused on AWS, Cloud
Centers of Excellence, the first security hire
Key processes
example
1. Ingest findings from finding providers
2. High-volume and well-known findings are programmatically routed to
remediation workflows, which include updating the status of the finding
3. Remaining findings are routed to analysts via an on-call management
system, and they use ticketing and chat systems to resolve them
Taking action
integrations
Ticketing systems, chat systems, on-call management systems, SOAR
platforms, customer-built remediation playbooks

12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use pattern 2: Centralized routing to a SIEM
Goal
Easily route all AWS security and compliance findings in a normalized format
to a centralized SIEM or log management tool
Personas SecOps, compliance, and/or DevSecOps teams
Key processes
example
1. Ingest findings from finding providers
2. All findings are routed via Amazon CloudWatch Events to a central SIEM
that stores AWS and on-premises security and compliance data
3. Analyst workflows are linked to the central SIEM
Taking action
integrations
SIEM

13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use pattern 3: Dashboard for account owners
Goal
Provide visibility to AWS account owners on the security and compliance
posture of their account
Personas AWS account owners
Key processes
example
1. Ingest findings from finding providers
2. Account owners are given read-only access to Security Hub
3. Account owners can use Security Hub to research issues that they are
ticketed on or proactively monitor their own security and compliance
state
Taking action
integrations
Chat, ticketing

14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Views, thoughts, and opinions expressed in the
presentation belong solely to the author and not
necessarily to the author’s employer, organization,
committee, or other group or individual.

15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Background

16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
What does AWS Security Hub provide?
Provide insight about account
security posture to account
owners

17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
How do we
use AWS
Security
Hub?

18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
4 of 5
in-car navigation
systems in Europe
and North America
use HERE maps
10,000+
employees in 56 countries
30+
years of experience
transforming location
technology
400+
HERE cars collecting
data for maps
200
countries
mapped
HD live map covering
600,000+
kilometers for autonomous
driving
1,600
cities with transit routing in
over 50 countries
700,000
3D data points per second
per car
15,000
venues mapped globally
HERE in numbers
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
HERE: Open location platform
The place for intelligent data usage and
development
Data
Developer environment
and platform foundation
Services and solutions
Data marketplace

20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
HERE: Current management
Our solution is layered in people and
technologies
Amazon GuardDuty, Cloud
Custodian, AWS Organizations
AWS Security Hub
SIEM, alerting, and security response
AWS

21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Taking action with AWS Security Hub
AWS Security Hub Amazon CloudWatch
Events
Amazon GuardDuty
Amazon Inspector
Amazon Macie
Third-party providers

23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security Hub taking action partner integration

24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Taking action on all findings

25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Event pattern examples {
“source”: [
“aws.securityhub”
],
“detail-type”: [
“Security Hub Findings”
],
“detail”: {
“findings”: {
“Resources”: {
“Tags”: {
“Environment”: [
“PCI”
]
}
}
}
}
}
Filter by tags

26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Event pattern examples
Filter by severity
{
“source”: [
“aws.securityhub”
],
“detail-type”: [
“Security Hub Findings”
],
“detail”: {
“findings”: {
“Severity”: {
“Normalized”: [
95,
96,
97,
98,
99,
100
]
}}}}

27. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Custom actions in Security Hub

28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Custom actions in Security Hub

29. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Custom actions in Security Hub
Rule
Event
{
"source": [
"aws.securityhub"
],
"resources": [
"arn:aws:securityhub:us-west-
2:xxxxxxxxxxxx:action/custom/send_to_email"
]
}

30. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Custom actions in Security Hub
Rule
Event
Rule
Event
Rule
Event
Run
command

31. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Custom actions in Security Hub

32. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

33. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

34. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Next steps
Try the 30-day trial: https://console.aws.amazon.com/securityhub/
Become a partner: Contact us at securityhub-partners@amazon.com
Learn more: https://aws.amazon.com/security-hub/

35. Thank you!
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Ely Kahn
elykahn@amazon.com
Scott Ward
scotward@amazon.com