Supercharging AWS Security Hub: Part 1, the Secret Weapon
Like many AWS services, Security Hub is one of those products that sneaks up on you. It was pretty anemic when it first launched; it appeared to just collect the results from a few AWS products and a dozen partners into some basic dashboards so Amazon could say they had a “security center”. But it turns out Security Hub had a secret weapon the entire time, and as the product has matured and grown it is well on its way to becoming an essential AWS security service, albeit one with the potential to overwhelm teams with information they are compelled to act on. In this series we will dig into the weeds of Security Hub: why we think most organizations will turn it on even if they never log into the dashboard, and how to use Security Hub to improve your security capabilities well beyond some pretty graphs and compliance reports.
This isn’t to say Security Hub will solve all your needs. In particular it still lacks one key feature that is pretty essential for larger AWS customers (more on that at the end of this post). This series will also highlight key limitations and, where possible, techniques for working around them. Based on the pace of product advances we fully expect these issues to be addressed relatively soon (or already, depending on when you read this).
What Security Hub Is… and Isn’t
When Security Hub first launched I thought it was just a basic dashboard, but it turns out I… should have paid attention to the name. Amazon, like its competitors, has a wide range of security services and capabilities. Some of these are built into other services, such as Security Groups in EC2/VPCs, and others are standalone products like Inspector. Security Hub is designed to pull all these together centrally, including a marketplace of vetted third-party products that are designed to be compatible (like DisruptOps, or open source tools like ElectricEye).
Security Hub doesn’t configure these services, although some can be enabled right within the console. It’s designed to serve as the overlay to tie them together and provide a single place for management. Security Hub then layers on its own analysis to take the results of those tools and use them for compliance and other purposes. Security Hub:
- Aggregates findings from multiple AWS and third party security services.
- Makes these findings accessible through the console or via API.
- Emits an Amazon EventBridge event (the service was called CloudWatch Events when Security Hub launched; it is the same bus) for findings and security events from other services. For example, Security Hub will emit an event for a GuardDuty finding in effectively real time, so you capture events from one place instead of wiring up every service separately.
- Provides compliance dashboards for three standards today (CIS AWS Foundations Benchmark, PCI DSS, and AWS Foundational Security Best Practices) with more coming. These predominantly perform their checks using AWS Config rules, so Config will be enabled and billed if you turn on this feature.
- Allows filtering and sorting of findings across all the integrations using the Insights tab.
- Includes a marketplace of commercial and open source Security Hub partners. Oh hey, look who’s in there!
- Includes basic support for taking action on an event. The capability is very limited but in this series I’ll show you how to make it really work at enterprise scale.
- Can aggregate findings from multiple AWS accounts.
In the cloud world we often talk about embracing and extending the capabilities of cloud providers. AWS Security Hub embraces and extends Amazon’s own disparate internal tools to provide customers a central point for managing security findings and events on a day-to-day basis. Then it enriches these capabilities with built-in analysis, dashboards, and third-party tooling.
You can get a heck of a lot of value out of Security Hub without ever logging into the console and touching the dashboard. That’s a pretty neat trick.
The Secret Weapon
The real secret of Security Hub is the AWS Security Finding Format (ASFF). This is a structured JSON schema that *all* integrations use to send findings into, or read findings out of, Security Hub. It doesn’t matter if a finding comes from Config, GuardDuty, Inspector, DisruptOps, Prowler, ElectricEye, or any other partner source… it WILL always use the ASFF. And better yet, Security Hub also emits an EventBridge event carrying those same ASFF findings.
Think about the implication here for a moment. One single format for dozens of security products to communicate findings. And as a partner myself, I can tell you that unlike previous attempts by security vendors to create their own “marketplace” there is no fee, and even Open Source tools can participate.
This means if you ingest information from Security Hub you only need to worry about a single defined format for findings and events (all findings are events). It means all these products can talk to each other without having to cooperate. This puts the power in the customers’ hands and reduces the massive amount of effort it normally takes to aggregate information from such a wide range of security services.
The ASFF is really powerful, and vastly underappreciated.
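To make the point concrete, here is an added example (my own code, not part of the original post or any AWS or DisruptOps tooling) that does both halves of what the list above and this section describe: it builds a minimal ASFF finding of the kind a custom tool would send with BatchImportFindings, checks it against the required fields and the per-finding size limit, and then triages a Security Hub finding event of the shape EventBridge delivers, where `detail.findings` is simply a list of ASFF documents. The event, the account ID and the resource ARNs are constructed for the demonstration; the `my-scanner` generator and the `default` custom ProductArn are assumptions about your own custom integration.

```python
"""Produce and consume AWS Security Finding Format (ASFF) findings, standard library only.
SAMPLE_EVENT is constructed to match the EventBridge event shape, not captured data."""
import json
from datetime import datetime, timezone

# Fields Security Hub requires on every finding passed to BatchImportFindings.
ASFF_REQUIRED = ("SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId", "Types",
                 "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources")
SEVERITY_ORDER = ("INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def make_finding(account_id, region, generator_id, title, description, resource_type,
                 resource_id, severity="MEDIUM",
                 finding_type="Software and Configuration Checks/Vulnerabilities/CVE"):
    """Minimal ASFF finding for a custom tool in your own account (assumed generator
    name); the per-account 'default' ProductArn is what custom integrations use."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"{region}/{account_id}/{generator_id}/{resource_id}",  # unique per product
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "GeneratorId": generator_id, "AwsAccountId": account_id, "Types": [finding_type],
        "CreatedAt": now, "UpdatedAt": now, "Severity": {"Label": severity},
        "Title": title, "Description": description, "RecordState": "ACTIVE",
        "Resources": [{"Type": resource_type, "Id": resource_id, "Region": region}],
    }


def validate_finding(finding):
    """Return a list of problems; an empty list means Security Hub should accept it."""
    problems = [f"missing {key}" for key in ASFF_REQUIRED if key not in finding]
    label = finding.get("Severity", {}).get("Label")
    if label not in SEVERITY_ORDER:
        problems.append(f"bad severity label {label!r}")
    if len(json.dumps(finding).encode()) > 240 * 1024:  # documented per-finding limit
        problems.append("finding larger than 240 KB")
    return problems


def _asff(product, severity, resource_id, record_state="ACTIVE"):
    """Constructed ASFF stub used only to assemble SAMPLE_EVENT below."""
    return {"SchemaVersion": "2018-10-08", "Id": f"{product}/{resource_id}",
            "ProductArn": f"arn:aws:securityhub:us-east-1::product/{product}",
            "GeneratorId": product, "AwsAccountId": "111122223333", "Types": ["TTPs/Discovery"],
            "CreatedAt": "2020-06-01T12:00:00.000Z", "UpdatedAt": "2020-06-01T12:00:00.000Z",
            "Severity": {"Label": severity}, "Title": f"{product} finding",
            "Description": "constructed sample", "RecordState": record_state,
            "Workflow": {"Status": "NEW"},
            "Resources": [{"Type": "AwsEc2Instance", "Id": resource_id, "Region": "us-east-1"}]}


# Shape of a Security Hub finding event on EventBridge: detail.findings is a list of ASFF.
SAMPLE_EVENT = {
    "version": "0", "source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
    "account": "111122223333", "region": "us-east-1",
    "detail": {"findings": [
        _asff("aws/guardduty", "HIGH", "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc"),
        _asff("aws/config", "LOW", "arn:aws:ec2:us-east-1:111122223333:instance/i-0def"),
        _asff("aws/inspector", "CRITICAL", "arn:aws:ec2:us-east-1:111122223333:instance/i-0123",
              record_state="ARCHIVED"),  # archived findings should not page anyone
    ]},
}


def triage_event(event, min_severity="HIGH"):
    """Return the ACTIVE findings at or above min_severity in a normalised shape.
    Every producer speaks ASFF, so this is the only parser a consumer needs."""
    if event.get("source") != "aws.securityhub":
        return []
    threshold = SEVERITY_ORDER.index(min_severity)
    triaged = []
    for f in event.get("detail", {}).get("findings", []):
        label = f.get("Severity", {}).get("Label", "INFORMATIONAL")
        rank = SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else 0
        if f.get("RecordState") != "ACTIVE" or rank < threshold:
            continue
        triaged.append({
            "id": f["Id"],
            "product": f["ProductArn"].split(":product/", 1)[1],  # e.g. aws/guardduty
            "severity": label,
            "resources": [r["Id"] for r in f.get("Resources", [])],
            "workflow": f.get("Workflow", {}).get("Status"),
        })
    return triaged


if __name__ == "__main__":
    custom = make_finding("111122223333", "us-east-1", "my-scanner", "Public S3 bucket",
                          "Bucket policy allows anonymous read", "AwsS3Bucket",
                          "arn:aws:s3:::example-bucket", severity="HIGH")
    print("custom finding problems:", validate_finding(custom))
    print(json.dumps(triage_event(SAMPLE_EVENT), indent=2))
```

Wiring this up for real means an EventBridge rule on `source: aws.securityhub` with detail-type `Security Hub Findings - Imported`, a Lambda running `triage_event` on the event, and `validate_finding` in front of every `batch_import_findings` call your own tools make; note that `triage_event` drops archived records and unknown severity labels rather than crashing on them, which matters when a new product starts emitting findings you have never seen.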
The Biggest Limitation
Security Hub supports aggregating across multiple accounts, but at the time of writing it does not aggregate across Regions. That means you need to look at, or tap into, every Region separately. (AWS has since added cross-Region aggregation to Security Hub; where it is enabled you can read findings from all linked Regions in one aggregation Region, but in accounts where it is not turned on the per-Region limitation still applies.) Also, if you want to turn on the compliance dashboards those still require Config, and you should have a good understanding of the cost implications. Config has strong capabilities, but the cost and complexity can be significant.
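Until cross-Region aggregation is in place, the workaround is to sweep every Region yourself. The following is an added example (mine, not the post’s or any AWS sample) of that sweep: it pages through `GetFindings` in each Region, keeps going when a Region fails (Security Hub never enabled there, or no permission), and de-duplicates on the finding `Id`. The `Filters`, `MaxResults` and `NextToken` parameters are the real boto3 `get_findings` arguments; `FakeSecurityHub` and the Region inventory are constructed stand-ins so the logic runs offline, and `boto3_client_factory` is what you would pass in against a live account.

```python
"""Fan GetFindings out across every Region. Findings live only in the Region that
produced them unless cross-Region aggregation is configured. FakeSecurityHub and
FAKE_REGIONS are constructed for an offline run; boto3 is only needed for real use."""

ACTIVE_ONLY = {"RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}]}


def collect_findings(regions, make_client, filters=ACTIVE_ONLY, page_size=100):
    """Return (findings, errors): every page from every Region, plus the Regions that
    failed, keyed by Region name. make_client(region) must return an object exposing
    get_findings(Filters=, MaxResults=, NextToken=) like boto3's SecurityHub client."""
    findings, seen, errors = [], set(), {}
    for region in regions:
        try:
            client = make_client(region)
            token = None
            while True:  # follow NextToken until the Region is exhausted
                kwargs = {"Filters": filters, "MaxResults": page_size}
                if token:
                    kwargs["NextToken"] = token
                page = client.get_findings(**kwargs)
                for finding in page.get("Findings", []):
                    # Ids are unique per ProductArn, and the ProductArn embeds the Region.
                    if finding["Id"] not in seen:
                        seen.add(finding["Id"])
                        findings.append(finding)
                token = page.get("NextToken")
                if not token:
                    break
        except Exception as exc:  # isolate one bad Region instead of aborting the sweep
            errors[region] = f"{type(exc).__name__}: {exc}"
    return findings, errors


def boto3_client_factory(region):
    """Factory for a live account; boto3 is imported lazily so this module loads without it."""
    import boto3
    return boto3.client("securityhub", region_name=region)


def count_by_region(findings):
    """Tally findings by the Region field of ProductArn (arn:aws:securityhub:REGION:...)."""
    counts = {}
    for finding in findings:
        region = finding["ProductArn"].split(":")[3]
        counts[region] = counts.get(region, 0) + 1
    return counts


class FakeSecurityHub:
    """Constructed stand-in: pages is a list of Findings lists; pages=None behaves like a
    Region where Security Hub was never enabled and the API call is rejected."""
    def __init__(self, region, pages):
        self.region, self.pages = region, pages

    def get_findings(self, Filters, MaxResults, NextToken=None):
        if self.pages is None:
            raise RuntimeError("InvalidAccessException: Security Hub is not enabled")
        index = int(NextToken) if NextToken else 0
        page = {"Findings": self.pages[index][:MaxResults]}
        if index + 1 < len(self.pages):
            page["NextToken"] = str(index + 1)
        return page


def _finding(region, n):
    return {"Id": f"{region}/finding-{n}", "Severity": {"Label": "HIGH"},
            "ProductArn": f"arn:aws:securityhub:{region}::product/aws/guardduty"}


# Constructed inventory: two Regions with findings (one split over two pages), one never enabled.
FAKE_REGIONS = {
    "us-east-1": [[_finding("us-east-1", 1), _finding("us-east-1", 2)], [_finding("us-east-1", 3)]],
    "eu-west-1": [[_finding("eu-west-1", 1)]],
    "ap-south-1": None,
}


def fake_factory(region):
    return FakeSecurityHub(region, FAKE_REGIONS[region])


if __name__ == "__main__":
    found, failed = collect_findings(list(FAKE_REGIONS), fake_factory, page_size=2)
    print(count_by_region(found), failed)
```

Against a real account, pass `boto3.session.Session().get_available_regions("securityhub")` as `regions` and `boto3_client_factory` as the factory; expect the `errors` dictionary to list every Region where Security Hub is not enabled, which is itself useful inventory when you are deciding where to turn it on.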
This should give you a better idea of what Security Hub is and pique your interest in turning it on. In the next post I’ll cover how to get it up and running, including how to decide which integrations to turn on. Then we will really get into the weeds on how to squeeze out every little bit of value, including how to integrate with OSS tools and products like ours, understand the nature of Security Hub events and how to collect them, and how to take action on findings.