Security Hub

Security Hub was announced at re:Invent 2018 and aims to provide an overall view of security findings across AWS services and partner products, consolidating and prioritizing large volumes of alerts. In many organizations that overall view is fragmented across traditional security tooling, logging solutions and native AWS services. Here we take AWS Security Hub for a test drive to see how it fares as a consolidated security view.

Overview

SecurityHub1

Components of the above diagram:

  • Findings - The central component of Security Hub: an extensive JSON document format, the AWS Security Finding Format (https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html), used to describe security findings consistently.
  • Providers - Generate security findings. The native AWS services Macie, GuardDuty and Inspector integrate directly with Security Hub. In addition, partner security tools such as Palo Alto Networks firewalls and Sumo Logic can create findings specific to their respective products.
  • Standards - Currently Security Hub has one standard, the CIS AWS Foundations Benchmark. When enabled this creates a set of AWS Config rules implementing the standard's compliance checks. The results of these rules appear as findings in the same findings format.
  • Insights - Lightweight aggregation and correlation rules to group findings. Users can define custom insights in addition to the defaults provided by Security Hub, for example the AMIs with the most findings, or findings grouped by provider.
  • Actions - Performed against findings. Security Hub actions emit CloudWatch Events, which can in turn invoke Lambda functions or Step Functions. These could be used to:
    • Isolate suspect resources
    • Snapshot and terminate EC2 instances
    • Send alerts
    • Automatically fix permissions issues
    • Automatically update firewall rules

Setup

Security Hub can be enabled via the console or the CLI:

$ aws securityhub enable-security-hub

Note that it is currently a regional service. To enable it in every region enabled for the account:

$ for region in $(aws ec2 describe-regions --query "Regions[].RegionName" --output text); do aws --region "$region" securityhub enable-security-hub; done

This creates the service-linked role AWSServiceRoleForSecurityHub and enables the Security Hub service.

SecurityHub2

In addition to the standard granular IAM permissions, two managed policies, AWSSecurityHubFullAccess and AWSSecurityHubReadOnlyAccess, exist to control access to the Security Hub service itself.

SecurityHub3

Findings

Findings represent a security or compliance issue. All providers, whether AWS services, partners or standards, create findings in the same format defined by Security Hub. With about 130 attributes the structure should cover a wide range of integrations going forward.

Key attributes within the findings format are used by the Security Hub console.

SecurityHub4

Some of the key attributes are:

  • RecordState: ACTIVE|ARCHIVED - by default the findings UI hides archived findings.
  • Severity.Normalized: 0 to 100, with:
    • 0 informational
    • 1-39 low
    • 40-69 medium
    • 70-89 high
    • 90-100 critical
    • This field's purpose is to normalize severity across multiple providers. For example, within GuardDuty both InstanceCredentialExfiltration and PhishingDomainRequest are classified equally as high. Within Security Hub, however, InstanceCredentialExfiltration gets a normalized score of 75 (high) while PhishingDomainRequest gets 60 (medium). This is a useful field for prioritizing different types of findings across multiple providers.
  • Types: A namespace/category/classifier path (for example TTPs/Initial Access/...), with the TTPs namespace modelled on the MITRE ATT&CK matrix of tactics, useful for further sorting and classifying findings.
  • Findings can be filtered by attributes with EQUALS and CONTAINS operators and further grouped by additional attributes within the UI.

SecurityHub5
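To make the severity bands and the filter semantics above concrete, here is an added example (written for this post, not code from the original article or from AWS) that applies them to a handful of constructed ASFF-style findings. The findings, product ARNs and Types strings below are illustrative, and the PREFIX comparison is assumed to be the "starts with" operator; EQUALS and CONTAINS are the ones the post describes.

```python
"""Severity bands and console-style filtering over ASFF findings (added example)."""
from typing import Any, Dict, List, Tuple

Finding = Dict[str, Any]


def severity_label(normalized: int) -> str:
    """Map Severity.Normalized (0-100) to the label shown in the console."""
    if not 0 <= normalized <= 100:
        raise ValueError(f"Severity.Normalized out of range: {normalized}")
    if normalized == 0:
        return "INFORMATIONAL"
    if normalized <= 39:
        return "LOW"
    if normalized <= 69:
        return "MEDIUM"
    if normalized <= 89:
        return "HIGH"
    return "CRITICAL"


def get_path(finding: Finding, path: str) -> Any:
    """Resolve a dotted attribute path such as 'Severity.Normalized'."""
    cur: Any = finding
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(finding: Finding, path: str, comparison: str, value: str) -> bool:
    """Emulate one string filter. List-valued attributes (Types) match if any
    element matches. PREFIX is an assumption: treated as 'starts with'."""
    actual = get_path(finding, path)
    items = actual if isinstance(actual, list) else [actual]
    for item in items:
        if item is None:
            continue
        s = str(item)
        if comparison == "EQUALS" and s == value:
            return True
        if comparison == "CONTAINS" and value in s:
            return True
        if comparison == "PREFIX" and s.startswith(value):
            return True
    return False


def search(findings: List[Finding], filters: List[Tuple[str, str, str]],
           include_archived: bool = False) -> List[Finding]:
    """AND all filters together and, like the default findings view, hide
    ARCHIVED records unless explicitly asked for."""
    result = []
    for f in findings:
        if not include_archived and f.get("RecordState") == "ARCHIVED":
            continue
        if all(matches(f, p, c, v) for p, c, v in filters):
            result.append(f)
    return result


def group_by(findings: List[Finding], path: str) -> Dict[Any, int]:
    """Count findings per attribute value, e.g. per AwsAccountId or ProductArn."""
    counts: Dict[Any, int] = {}
    for f in findings:
        key = get_path(f, path)
        counts[key] = counts.get(key, 0) + 1
    return counts


def label_counts(findings: List[Finding]) -> Dict[str, int]:
    """Summarise a result set by normalized severity label."""
    counts: Dict[str, int] = {}
    for f in findings:
        lab = severity_label(int(get_path(f, "Severity.Normalized") or 0))
        counts[lab] = counts.get(lab, 0) + 1
    return counts


# Constructed sample findings; not real Security Hub output.
GD = "arn:aws:securityhub:ap-southeast-2::product/aws/guardduty"
HUB = "arn:aws:securityhub:ap-southeast-2::product/aws/securityhub"
INSP = "arn:aws:securityhub:ap-southeast-2::product/aws/inspector"
SAMPLE: List[Finding] = [
    {"Id": "f-1", "ProductArn": GD, "AwsAccountId": "123412341234", "RecordState": "ACTIVE",
     "Severity": {"Normalized": 75}, "Types": ["TTPs/Exfiltration"],
     "Title": "InstanceCredentialExfiltration"},
    {"Id": "f-2", "ProductArn": GD, "AwsAccountId": "123412341234", "RecordState": "ACTIVE",
     "Severity": {"Normalized": 60}, "Types": ["TTPs/Command and Control"],
     "Title": "PhishingDomainRequest"},
    {"Id": "f-3", "ProductArn": HUB, "AwsAccountId": "123412341234", "RecordState": "ACTIVE",
     "Severity": {"Normalized": 20},
     "Types": ["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],
     "Title": "1.5 Ensure IAM password policy requires at least one uppercase letter"},
    {"Id": "f-4", "ProductArn": INSP, "AwsAccountId": "432143214321", "RecordState": "ARCHIVED",
     "Severity": {"Normalized": 90}, "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
     "Title": "Instance exposed to a known vulnerability"},
]

if __name__ == "__main__":
    guardduty = search(SAMPLE, [("ProductArn", "CONTAINS", "guardduty")])
    print([f["Id"] for f in guardduty], label_counts(search(SAMPLE, [])))
```

The archived Inspector finding only shows up when include_archived is set, which is the same behaviour as the console's default view; switching it on is how you would review what an automated action has already dealt with.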

Native AWS Providers

GuardDuty

GuardDuty is a threat detection service. It is not automatically enabled by Security Hub; once enabled, GuardDuty findings are automatically sent to Security Hub in the same account. There is some overlap between the multi-account configuration of GuardDuty and Security Hub which we'll cover later. The GuardDuty finding information is automatically mapped into the Security Hub finding format.

SecurityHub6

Security Hub View

SecurityHub7

Inspector

Amazon Inspector checks applications for exposure and vulnerabilities. The findings of any Inspector assessment run are automatically sent to Security Hub in the local account if Security Hub is enabled there.

The Inspector findings are automatically mapped into the Security Hub finding format.

SecurityHub8

Security Hub View

SecurityHub9

Macie

Macie discovers, classifies, protects and alerts on sensitive data in AWS. When both services are enabled in an account the integration works as expected.

SecurityHub10

Macie alerts are sent to Security Hub as findings.

SecurityHub11

Partner Providers

In addition to the native AWS services, many AWS partners have updated their solutions to provide Security Hub findings.

SecurityHub12

Standards

Currently Security Hub contains one standard, the CIS AWS Foundations Benchmark. This depends on AWS Config, and automatically enables the CIS Foundations Config rules in the current account and region.

SecurityHub13

After enabling the standard, Security Hub creates a set of Config rules. Many of these are non-compliant in fresh AWS accounts.

SecurityHub14

Warning: these Config rules are not free. Be cautious enabling the standard across multiple accounts and regions, as the cost can quickly add up.

SecurityHub15

After about two hours Security Hub catches up and we see findings from the CIS ruleset within Security Hub.

SecurityHub16

A fresh AWS account passes about 26 of the 43 CIS rules. A few quick areas to improve the score are:

  • Set a strong password policy. We generally recommend taking it a step further and restricting IAM users in general, instead preferring roles assumed from an identity provider.
  • Configure CloudTrail to deliver to a security bucket in a dedicated audit account.
  • Configure a set of log metric filters and alarms to alert on changes to important components such as NACLs, gateways, route tables and VPCs.

Insights

Insights are saved searches, filtering and grouping on finding attributes. Security Hub provides a number of default insights and users can create and save their own.

A default insight:

SecurityHub17

Actions

Actions can be performed against one or more findings, often grouped by insights. Security Hub provides a single default action, to archive a finding. Actions are executed by users via the console.

SecurityHub18

In addition users can create custom actions.

SecurityHub19

These actions integrate with CloudWatch Events; the link is the ARN of the custom action, e.g. arn:aws:securityhub:ap-southeast-2:123412341234:action/custom/TerminateInstance

A CloudWatch Events rule can then be created with an event pattern matching that ARN:

{
  "source": [
    "aws.securityhub"
  ],
  "resources": [
    "arn:aws:securityhub:ap-southeast-2:123412341234:action/custom/TerminateInstance"
  ]
}

This rule could then invoke a lambda to perform any action required based on the finding.
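As an added example of what that Lambda could look like (written for this post, not code from the original article or from AWS), the handler below takes the custom action event and terminates the EC2 instances referenced in the selected findings. The event layout (source aws.securityhub, a detail with actionName and a findings list holding the selected ASFF documents) follows the documented custom action event; the account id, the TerminateInstance action name and SAMPLE_EVENT are constructed. The EC2 client is injected so the logic can be exercised without credentials; in Lambda it falls back to boto3.client('ec2').

```python
"""Lambda handler for a Security Hub custom action (added example)."""
import re
from typing import Any, Dict, List, Optional

# Constructed for this example; in practice read it from an environment variable.
ACTION_ARN = "arn:aws:securityhub:ap-southeast-2:123412341234:action/custom/TerminateInstance"
# ASFF Resources[].Id for an instance is the instance ARN; pull the i-... id out of it.
INSTANCE_ARN = re.compile(r"^arn:aws:ec2:[a-z0-9-]+:\d{12}:instance/(i-[0-9a-f]{8,17})$")


def is_our_event(event: Dict[str, Any]) -> bool:
    """Guard against this function being wired to a broader rule by mistake."""
    return (event.get("source") == "aws.securityhub"
            and ACTION_ARN in event.get("resources", []))


def instance_ids(finding: Dict[str, Any]) -> List[str]:
    """Instance ids from a finding, ignoring other resource types (keys, buckets)."""
    ids = []
    for res in finding.get("Resources", []):
        if res.get("Type") != "AwsEc2Instance":
            continue
        m = INSTANCE_ARN.match(res.get("Id", ""))
        if m:
            ids.append(m.group(1))
    return ids


def plan(event: Dict[str, Any]) -> List[str]:
    """Return the instance ids the action should terminate.

    Archived findings are skipped so re-running an old insight does not act on
    instances that were already dealt with.
    """
    if not is_our_event(event):
        raise ValueError("event did not come from the expected custom action")
    ids: List[str] = []
    for finding in event.get("detail", {}).get("findings", []):
        if finding.get("RecordState") != "ACTIVE":
            continue
        ids.extend(instance_ids(finding))
    return sorted(set(ids))


def handler(event: Dict[str, Any], context: Any = None, ec2: Optional[Any] = None,
            dry_run: bool = True) -> Dict[str, Any]:
    """Lambda entry point. With dry_run=True it only reports what it would do."""
    ids = plan(event)
    if ids and not dry_run:
        if ec2 is None:
            import boto3  # assumption: boto3 is available in the Lambda runtime
            ec2 = boto3.client("ec2")
        ec2.terminate_instances(InstanceIds=ids)
    return {"action": event["detail"].get("actionName"), "instances": ids, "dry_run": dry_run}


class RecordingEc2:
    """Stand-in for boto3's EC2 client for offline runs."""
    def __init__(self) -> None:
        self.terminated: List[str] = []

    def terminate_instances(self, InstanceIds: List[str]) -> Dict[str, Any]:
        self.terminated.extend(InstanceIds)
        return {"TerminatingInstances": [{"InstanceId": i} for i in InstanceIds]}


# Constructed event: one active finding with an instance and an access key,
# one archived finding that must be ignored.
SAMPLE_EVENT: Dict[str, Any] = {
    "version": "0",
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Custom Action",
    "account": "123412341234",
    "region": "ap-southeast-2",
    "resources": [ACTION_ARN],
    "detail": {
        "actionName": "TerminateInstance",
        "actionDescription": "Terminate the EC2 instance named in the finding",
        "findings": [
            {"Id": "f-1", "RecordState": "ACTIVE", "Resources": [
                {"Type": "AwsEc2Instance",
                 "Id": "arn:aws:ec2:ap-southeast-2:123412341234:instance/i-0123456789abcdef0"},
                {"Type": "AwsIamAccessKey", "Id": "AKIAIOSFODNN7EXAMPLE"}]},
            {"Id": "f-2", "RecordState": "ARCHIVED", "Resources": [
                {"Type": "AwsEc2Instance",
                 "Id": "arn:aws:ec2:ap-southeast-2:123412341234:instance/i-0fedcba9876543210"}]},
        ],
    },
}

if __name__ == "__main__":
    fake = RecordingEc2()
    print(handler(SAMPLE_EVENT, ec2=fake, dry_run=False), fake.terminated)
```

Wire the function as the target of the rule above, give its role only ec2:TerminateInstances (and ec2:CreateSnapshot if you add the snapshot step) on the instances it is meant to touch, and flip dry_run off only once you have watched a few dry runs in CloudWatch Logs.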

Multiple Accounts

Security Hub uses the same master and member account configuration as other AWS security services: the master account invites member accounts, and member accounts then share their findings with the master account.

SecurityHub20

From the perspective of finding forwarding between accounts:

SecurityHub21

Providers forward findings to the local account's Security Hub, which then shares those findings with the master account. This can be used to give a central security team a view across a company's set of accounts, while account owners keep a per-account view.

The approach overlaps with the existing GuardDuty and Macie cross account configurations. Security Hub should simplify the deployment of those two tools as it centralizes the aggregation configuration in one setup. In addition Inspector findings can now also be centralized to a single account.

Limits

Security Hub only stores 90 days of finding history; companies requiring longer retention may need to automate the "aws securityhub get-findings" call and archive the results.

The remainder of the limits are currently all hard limits but should be sufficient for most environments.
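An added example of that export (written for this post, not code from the original article or from AWS): it pages through get_findings with the real boto3 parameter names (Filters, MaxResults, NextToken), restricts the query to findings updated in the last N days so a scheduled run only exports the delta, and writes one JSON document per line ready for S3 or a log store. The Security Hub client is injected, and the FakeSecurityHub class plus the findings built by demo() are constructed stand-ins so the paging logic can be checked offline.

```python
"""Export Security Hub findings as JSON lines for long-term retention (added example)."""
import io
import json
from typing import Any, Dict, Iterator, List, Optional, TextIO, Tuple


def recent_filter(days: int) -> Dict[str, Any]:
    """ASFF date filter: findings whose UpdatedAt falls within the last `days`."""
    return {"UpdatedAt": [{"DateRange": {"Value": days, "Unit": "DAYS"}}]}


def iter_findings(client: Any, filters: Dict[str, Any], page_size: int = 100) -> Iterator[Dict[str, Any]]:
    """Page through get_findings, following NextToken until it is absent."""
    kwargs: Dict[str, Any] = {"Filters": filters, "MaxResults": page_size}
    while True:
        resp = client.get_findings(**kwargs)
        for finding in resp.get("Findings", []):
            yield finding
        token = resp.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def export_findings(client: Any, out: TextIO, days: int = 1, page_size: int = 100) -> int:
    """Write every matching finding as one JSON line; return the count written.

    Archived findings are deliberately included: for retention you want the
    full record, not just what the console shows by default.
    """
    count = 0
    for finding in iter_findings(client, recent_filter(days), page_size):
        out.write(json.dumps(finding, sort_keys=True, default=str) + "\n")
        count += 1
    return count


class FakeSecurityHub:
    """Constructed stand-in for boto3's securityhub client: pages a fixed list."""
    def __init__(self, findings: List[Dict[str, Any]]) -> None:
        self.findings = findings
        self.calls = 0

    def get_findings(self, Filters: Dict[str, Any], MaxResults: int,
                     NextToken: Optional[str] = None) -> Dict[str, Any]:
        self.calls += 1
        start = int(NextToken) if NextToken else 0
        resp: Dict[str, Any] = {"Findings": self.findings[start:start + MaxResults]}
        if start + MaxResults < len(self.findings):
            resp["NextToken"] = str(start + MaxResults)
        return resp


def demo(total: int = 7, page_size: int = 3) -> Tuple[int, int, List[Dict[str, Any]]]:
    """Run the export against constructed findings; returns (count, api calls, rows)."""
    findings = [{"Id": f"constructed-{i}",
                 "RecordState": "ACTIVE" if i % 2 else "ARCHIVED",
                 "UpdatedAt": "2019-01-01T00:00:00Z"} for i in range(total)]
    client = FakeSecurityHub(findings)
    buf = io.StringIO()
    count = export_findings(client, buf, days=1, page_size=page_size)
    rows = [json.loads(line) for line in buf.getvalue().splitlines()]
    return count, client.calls, rows


if __name__ == "__main__":
    import boto3  # real run: needs credentials with securityhub:GetFindings
    with open("findings.jsonl", "a") as fh:
        print(export_findings(boto3.client("securityhub"), fh, days=1), "findings exported")
```

Run it daily with days=1 (or a little more, to tolerate a missed run) and ship findings.jsonl to a bucket with object lock or lifecycle rules matching your retention requirement; the sort_keys option keeps the lines stable so duplicate records from overlapping windows can be de-duplicated downstream.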

Costs

During the public preview there are no additional costs for AWS Security Hub itself; however, any Config rules created by the service are charged at standard Config rates.

Summary

A few features that would be great to see soon to complete the product are:

  • Multi-account, multi-region support, to avoid having to aggregate across regions into a single view outside the tool.
  • AWS Organizations integration, to complete the account handshake seamlessly using organization permissions and fetch the account list from Organizations.
  • A Security Hub generated critical finding calling out 'coverage gaps', e.g. GuardDuty missing in a region in one account.

However, for a preview release Security Hub appears to hit the sweet spot: minimal configuration is required to get started, and it quickly provides useful findings with great filtering. By performing the cross-account forwarding in a single tool, Security Hub saves on managing separate GuardDuty and Macie master and member account lists. It also allows Inspector results to be aggregated to a central account.

We're excited to see what's next with Security Hub as it heads towards general release, and to work with customers to get the most out of it.