Hello, everybody. Welcome to our session. I hope you are enjoying the conference so far. My name is Dora Karali and I lead a team of product managers responsible for Security Hub, Security Lake and Detective. I've been at AWS for three years and I've been in cybersecurity for 15 years, building products and services, helping customers detect and prevent cyber attacks.
I want to introduce you to two of my colleagues that are here with me today:
Gal Ordo: Thank you very much, Dora. So my name is Gal. I'm part of the Security Hub product management team. I've been in AWS for about a year and a half now. I've been in cybersecurity basically my entire career. Within the Security Hub team, I work on everything that has to do with our security controls and detections, making sure that they provide the most security value to our customers and on some capabilities that allow you to more easily apply them, some of which we will be discussing today. Thank you, Dora.
Dora: Thanks Gao. And I also like to introduce you to Shahar Hirshberg.
Shahar: Thank you, Dora. Hi everyone. My name is Shahar Hirshberg. I'm a senior product manager at Security Hub. I'm focused on helping customers accelerate their cloud security response and remediation. I've been in AWS for about a year and a half now and spent over a decade in cybersecurity.
Dora: Thanks Shahar.
Okay, so today we will cover the new Security Hub capabilities that we launched here at re:Invent yesterday to help you customize your security settings and contextualize the security findings so you can take better, faster actions.
In more detail, Gal is going to walk us through how you can customize Security Hub controls and standards using a new feature that we call Central Configuration and how you can fine tune the controls, the checks that Security Hub does to meet your company's policies.
Then Shahar is going to show you the finding enrichment capability we are adding in Security Hub to help you better contextualize your security findings so that you can take better, faster actions with more context - applications, research, tags, account names. He also going to give you a demo of the new dashboard capabilities we launched yesterday to help you get a better understanding of your security posture.
But before we dive into all this, I wanted to ask - how many of you are using Security Hub today? Okay, I see a good number of hands. Thank you.
I want to do a quick overview for those of you who don't. Security Hub launched in 2019 to address some key challenges we heard from our customers as development teams started building their applications into AWS and deploy AWS resources. Security teams needed to get visibility into and make sure that these resources are properly configured and secure.
And at the same time as the cloud footprint is growing, there is a need to adjust the security measures at scale to meet the organization's needs. And then at the same time, security teams use multiple tools - maybe from AWS, maybe from third parties. And every single tool comes with their own set of findings with different context, different formats. It's very hard to operationalize that way. And some of these tools also produce way too many alerts and customers don't know where to start, how to prioritize.
So with that in mind, we launched Security Hub that has two main capabilities:
First, it's a fully managed cloud security posture management service that continuously performs security best practice checks on your AWS infrastructure.
Second, it seamlessly aggregates security findings from other AWS services and third party services to enable you to better understand your security posture and enable you to take a response.
So it's very simple to enable Security Hub, whether you choose the console, just a few clicks, or whether you want to use CloudFormation. It's simple to deploy it across your organization.
And we hear customers appreciate how scalable Security Hub is - whether you have an organization with a few accounts or a larger one with thousands of accounts and hundreds of AWS resources sometimes reaching to the millions - Security Hub can help you run misconfiguration checks across your organization and aggregate findings from multiple sources.
So I want to show you a little bit how findings flow in Security Hub. First, Security Hub generates its own findings. These are findings that come from the misconfiguration checks that it does. The checks are organized in controls and controls are organized into standards.
Security Hub maintains AWS's foundational security best practices standard, which is AWS's curated, opinionated view on how AWS security, how AWS resources, different AWS resources should be protected. So we work very closely with the AWS services teams to put these best practice security checks into the Foundational Security Best Practices standard.
But we also support other industry standards from PCI, CIS, and we have more than 290 controls today covering more than 80 AWS resource types and we are adding more on a regular basis.
So findings from the misconfiguration checks are generated within Security Hub. Then Security Hub also ingests findings from other AWS services like AWS Config, Amazon GuardDuty, Amazon Inspector, but also third party providers like CrowdStrike or Qualys.
Now all this data is flowing into Security Hub. What can you do with it? Security Hub offers you a way to normalize all these findings into a single schema and centralize all of the findings in a single region and under a single account. So you get a single pane of glass for all the security findings within AWS.
Now collecting all the security findings, you can basically get a complete view of your security posture. And how can you understand the security posture? We offer a few things:
First, we have a security score. And my favorite is when I meet with customers and they say "Hey, we enabled Security Hub, we saw the score, it wasn't good." And then as we started improving and fixing the issues, now we have, we went a long way and now we have a very good security score.
We also offer different dashboards. We have some out-of-the-box views and Shahar is gonna tell you about the new ones that we're bringing that we released yesterday. So we have different views on how you can slice and dice your data, your security findings. But you can also create your own custom insights, your own custom dashboards from all the findings that are being aggregated.
In addition, we help you prioritize. Last summer, we introduced what we call automation rules that for any finding that comes in, you can specify criteria to either suppress those findings or increase their severity - basically helping you prioritize what's more important for you and discard things that you don't care as much about.
So what else can you do? We have an integration with Amazon EventBridge - all the findings are sent to EventBridge and from there, you can take remediation actions, you can execute an AWS Lambda to do your own additional enrichment or take an action, or you can call AWS Systems Manager and run an SSM runbook to resolve a misconfiguration.
We can also send the findings to one of our AWS partners who have integrated with Security Hub - for example, you can send the findings to Splunk or SIEM, or you can generate tickets that you can then forward to your development teams, your application teams using Jira.
We also integrate with other AWS services depending on the use case. For example, if you want to investigate the finding, we send the findings to Amazon Detective and that's where you can analyze them and combine them with additional logs and information to investigate them.
We also send the findings to Amazon Security Lake if you want to keep them for longer periods of time. We have that integration and it's simple, like one-click enablement to get any of these active in your environment.
So over time, customers have scaled their operations in AWS, they use more services, more accounts, more agents and they also have new ways to govern the AWS environment, for example with AWS Organizations, that now offers organization units. And security teams have asked us for simpler ways to manage their security settings and also avoid repetitive actions and manage the security posture, not only at the resource level and the account level, but also at the application level.
So to this end, this week, we announced four new capabilities within Security Hub:
The first one is Central Configuration and I'm gonna call Gal to come and give you more details about Central Configuration and also give you a demo.
Gal: Thank you very much, Dora. As my colleague Dora said, with customers migrating more and more of their workloads into AWS, your cloud environment scales - there are more resource types, more services that are being used and so on and so forth.
Over time, Security Hub has scaled along with our customer environments to support and cover more and more. And I will discuss what we've done to do that and what we are doing to do that in detail during this part of the session.
In particular, the first capability that I will discuss allows you to easily apply your desired security coverage settings across the organization regions - all of that with a simple process.
But before we do that, I want to take a higher level look and discuss a little bit what we've done in order to scale Security Hub and in order to allow Security Hub to protect, to detect as many misconfigurations across as many possible resource types.
So first of all, as Dora mentioned earlier, we are launching new controls on a regular basis. In fact, in the last three years, we've more than tripled our number of controls. We launch new controls more frequently than quarterly. And we constantly prioritize based on what we see our customers use, which controls we need to launch and deliver to all of you.
In parallel, we are working to be in all AWS regions. And recently we were able to release Security Hub to all commercial AWS regions, so it's currently global as well as to the GovCloud regions and the China regions. So you can protect your workloads basically regardless of the AWS region on which they are running.
And then finally, a couple of years back, we have launched our integration with AWS Organizations that allows you to easily enable Security Hub both in existing accounts as well as any new account that comes into the organization. And it allows you to set it automatically with default settings.
Now this integration has been delightful for our customers and our customers have been telling us that, you know, it makes it easy to make sure that they have the security coverage throughout the entire organization.
However, when customers wanted to customize those security settings, because they only have different resource types than what AWS offers, so they want to add controls or remove controls, they've had to do this account by account and region by region.
Well, with the Central Configuration capabilities that we've just launched, this is no longer the case. And really configuring Security Hub with any sort of settings is now a simple two step process that you do directly from the delegated administrative account that you have already set or that you can set via AWS Organizations.
So first of all, from the delegated administrative account, you define what we call a security configuration policy and that policy includes the set of controls, controls in that sense, as Dora mentioned earlier, is a type - it's a security check that pertains to a specific type of misconfiguration in a specific resource type - and you can decide which standards you want to apply as well.
After you have your policy created, you can apply your policy to any accounts, organizational units or to your entire organization.
So if you want the same set of controls and standards across your entire organization, simply create one policy and apply that to the entire organization. If you want to detect and monitor different security best practices for different set of accounts, for example, test and production, simply create a few policies, apply each of them to a different set of accounts.
And better yet, the central configuration system expands our concept of the aggregation region in Security Hub into what we now call a home region. A home region is a region that in which you create your configuration policy and they will apply to all other AWS regions that you tell us.
So you will need to configure Security Hub once from the delegated administrative account in your uh home region and that will apply throughout all of the organization accounts or at least those that you tell us about and it will apply across all of the AWS regions that you tell us to configure.
So with that, I would like to show a quick demo of how to get started with the new system.
As you can see, there is now a new configuration page in the Security Hub console and that page is an evolution of our accounts page. It shows the list of all of your accounts within your AWS organization.
As you can see, our current setup is called local configuration, which means that I can only do, I can only set Security Hub with different settings for new accounts and any configuration changes that they make only take place in the current region.
However, there is also a banner telling me that I can start using central config that I can start using the new central configuration capabilities. Clicking on that I get taken to step two centralized organization.
Step one is only if you didn't have a delegated administrative step before. So I'm taken into step two. In this instance, I already had an administrator. And in this, in this step, I choose my home region from which I manage all other regions and I choose my linked regions.
So let's do just that I have the option to link all existing regions, link all future regions. For this demo, we will select North Virginia as a home region and then Ireland and Oregon as all linked regions. But again, you can choose any set of regions that you want.
Now that we've done that we move on to creating our first configuration policy and applying it to accounts. There are really two ways that they could go about that.
The first one is just go with our recommended settings. Those include our best practice controls and have them deployed into all of the organization accounts by creating a custom policy. On the other hand, you can select any list of controls and a list of standards and apply those to any set of accounts that you wish to configure.
In this instance, we'll go with the recommended policy. And in a second, I'll show how to create custom policies as well. So let's apply the default recommended policy.
I have a review stage in which I can confirm I'm doing just that. And once the system completes the process I will be taken into a new policies page that is now populated with my first policy and allows me to see what configuration it contains.
Furthermore, there is a new organization tab that for the first time ever contains organizational unit view within Security Hub and not just account view. And for which organization unit we can see what the policy that is applied to it, whether it has been successful or not.
As you can see currently, all of my organization have a recommended policy. Now, as you can see, we have a finance organizational unit and for finance accounts, it's normally recommended that you also use the Payment Card Industry standard in addition to our foundational security best practice standard.
So let's actually go and create a policy that does just that I go into the policy creation page and it will already be pre populated with the recommended settings to those. I also add the PCI controls. So I've done just that and in the list of accounts to which I choose to apply the policy, I select just the finance OU.
The view is very similar to the one we saw in the accounts page. We give a name and a description to the policy. We review and then we finish applying the policy, going back to the configuration page. I see the new policy and if I click on that one, I will be able to verify the settings.
And going back to the organizations page, I can see that the finance organizational unit has the finance policy attached to it and not the other policy. We can also see that it was successful.
Now moving forward a little bit with that, let's say that I now also want to apply the Center for Internet Security standard, the CIS standard across all accounts in my organization. But now I have two policies. One option would be to add it policy by policy. But we've also created what we call in context views to allow you to edit a specific standard or a specific control and add it to multiple policies.
So we go into the standards details page, we click on configure and it shows me a list of all of my policies, the status of the standard and controlling that policy. I'm able to select the specific policies to which I wanna edit it. I'm applying. In this instance, I selected all policies, let's review them.
And indeed, as we can see, the CIS standard is now included in both of these policies. And furthermore, I didn't have to update any other aspect of our configuration to include those policies. So that means that I only updated the CIS standard, not touching and not changing any other part of my system.
That concludes this part of the demo, but I only showed you certain portions of the system and not the entire system. So let's discuss what else can be done with the central configuration system.
One very strong capability is that you can prevent configuration drift. And really what that means is that after you set the security covered settings for your organization account owners are not able to change those. That means that the security detections, the security controls that you choose to, that you choose to monitor will always apply, will always be monitored until you as the security administrator go back and change that.
You can create custom policies that are based on existing settings. And that is especially helpful as you migrate from a pre existing local configuration capabilities to the new central configuration capabilities. If you click on create custom policy, you can also, you can import your existing settings and make the transition completely seamless.
You can create policies such that they automatically apply new controls. And that ensures that as we release additional security coverage options, they are being enforced throughout your and they are being automatically enforced in your organization and automatically tested for ensuring that you have the complete and best coverage possible.
We are the system tracks regional availability of controls for you and it does so in two ways. First of all, we have some security controls that are available in some AWS regions but not in other regions. For a variety of reasons, we are constantly working on making sure that we have parody and launching those controls in the regions from which they are missing. And once we do that, the system will detect that and automatically enable the control in the regions in which it was just launched.
Furthermore, the system also tracks controls that pertain to global resources such as IAM to make sure to only enable them in one region so that you don't get duplicate findings that are being generated in all of the different AWS regions that are into Security Hub.
The system like a local configuration system covers new accounts, but in this instance, new accounts will be configured in accordance to the policy that matches the organization or the organizational unit that they are part of. So you can get new accounts with any security covered settings that you desire.
And finally, this system turns your Security Hub, delegated administrative account in your chosen home region into a single pane of glass for security management. You can use the delegated administrative account to configure Security Hub across all of the organization accounts across all of the regions that you want to use. And like before, you can use it to view findings from all of your AWS linked regions, all of your accounts. So it's really a single pane of glass for configuration management and for your findings.
So we've discussed the central configuration system and I would like to go a little bit deeper and discuss how we can refine our checks, how you can refine our controls to meet your organizational security expectations.
And before I do that, I would like to discuss at a very high level, a few of our most commonly used and most popular controls. So we have a control on EC2 security groups that checks whether they allow unrestricted incoming access from specific ports and fails if it allows access from other ports.
We have control on IAM password policies that check whether they have strong configuration, a combination of specific characters and specific length. We have controls on secrets rotation period.
And what we've heard from our customers is that the vast majority of our customers agree with those security principles that we've identified. However, they may have more granular expectations in terms of the organization on what's considered a risky port or what's considered a strong password policy.
And today, we allow customization capabilities in more than 30 of our controls to allow you to more manually decide what these control is actually check for. The way that we are doing that is by capability that we call control parameters. Basically like a function that runs in your environment. You give us the parameters that you wish to be monitored and we update the result of our detection in accordance with those parameters for all of the, for, for all of the controls that support this, you have the ability to choose between the recommended settings that have been curated by our security experts. Or you have the ability to provide a custom value.
When you do provide a custom value, we validated value to make sure that the security best practice in the control monitor still holds. So for example, if we've spoken about a secret rotation period, we check that you haven't given us a period of time that you know, is years. And at that point, the control loses most of its security value.
Finally, with combination with the central configuration capability, you're able to set parameters everywhere and you are able to choose whether you want the same parameter value for all of your accounts or whether you want different parameters values in different accounts because they are susceptible to different security requirements.
So let's take a look at how the two capabilities match together. And we are going back into the same scenario that we had before our auditors come to us and tell us that for the finance accounts, they want us to enforce most strict restrictions, namely, they want us to have a small shorter list of allowed ports and they want us to use longer passwords.
Luckily, we already have a finance policy so we can go to that policy and edit it such that it includes the relevant parameters. So we can do just that we can go to the policy page and hit edit on that policy. Once we do that, we see a very similar flow to what we've seen before. But we also have the option to customize control parameters.
Once we open the list, we will be able to search for any control that we desire. We start with the security groups. One, once we do that, we will see all of the parameter that the control supports. In the instance of this control, it supports both a list of allowed UDP ports allowed TCP ports.
We will see the current values of the parameters. What are the default, what's current and what are the permitted values and we could go and customize them. So specifically in this instance, we don't allow any UDP port and we allow two TCP ports 8443.
Let's remove a. Once we do that, the customer is labeled as a pill showing us that we updated that control to something that's different from the security hubble commanded value. There is an easy button that allows you to revoke that and go back to the commanded value.
Let's do the same for the password policy control. So I search for that one. This controller has even more parameters. It has seven different parameters, specific characters that should be included and so on and so forth. Specifically in this instance, I changed the length, the minimum length of the password from 8 to 14 because this is what my aitor have required me.
Again, there is a customized label. I can move forward with that. If I wanted to customize even more controls, I could do that. A policy can contain as many customizable controls as we support.
Once we review, we see the updated values, clicking on the information item will show us the previous values that were in effect. Clicking on saving will go back to the policies page to change that the check has actually taken effect.
Clicking on the policy we will see on the side bar that the policy now shows the controls that have been customized and hovering over each of those controls will show us the value that we have chosen again. Once the policy has been added, this is being propagated across all of the uh relevant accounts in this instance, the finance, so you across all of the linked regions that we had in this instance, we had two linked regions in addition to the main home region that concludes the second demo.
And really with what we've done so far, we've configured security hub across our entire organization in less than 10 minutes with our desired and with your desired security covered settings. After you have done that, a flow of highly relevant findings will be generated by security hub. And now it's time to act on those and to work to immediate them.
My colleague shara will now discuss a few enhancements that we've made in that field.
Thank you gal. So we defined sec we enabled security hub, we customized it to your specific organizational requirements and now findings come in in this section. I'm going to talk about how you can take more effective and faster action on the security findings to ensure that your organization is more secure, to be able to effectively respond and remediate findings.
You need to have solid attribution for them. Meaning you need to understand to which resource account or application these findings is associated with. So we can prioritize accordingly and work with the relevant resource owners or development teams to mitigate these findings.
And earlier this week, we released a simplified way to operate and secure applications in aws. Customers have told us that have as they were building more complex applications in aws and improve their operations, looking at individual resources were became challenging. They wanted visibility into the overall application that is running using these resources. Security teams have told us that to be able to react in a more accurate way. They also need to understand which application is tied with the resource they get alerts about.
We have released a simplified way to define application across aws services in a consistent manner using a dedicated resource tag called aws application. This allows you to use cloud formation terraform or uh you can also define it via the define an application that will persist across the different aws services including and we'll see it very soon security hub as a security professional. This also help you attribute these findings into the relevant application allowing you to take better action.
Now, i wanna talk about two new features we released earlier this week that helps you take action. The first one is enrichment of findings and the second one is major enhancements to our dashboards together. They allow you to not only take action at the individual finding level, but also see the overall picture of how it all ties together.
Starting from finding enrichment. Customers have told us that as they increasingly adopted security hub and now just findings from not only security hub controls but also 12 aws services and over 63rd party vendors ingest all of them into security hub and aggregate them in it. They needed a way to attribute these findings that come from all these different uh finding providers to the right places. And the way they typically do so is by using resource tags, accounts or applications security hub now automatically enriches every finding that comes into security hub with these details.
Specifically the resource tag that the fi of the resource, the finding is associated with the account name and not only ideas we have done in the past and the application name and on that we derive from the aws application tag. This allows you to not only search and filter by these attributes so we can take action in a more accurate manner but also better prioritize and automate because now you can not only use security hubs, automation rule um or the automation workflow using eventbridge and the external integrations, we have to look at findings by these properties.
For example, you might want to prioritize findings from your top um production account or finding associated with specific application team and create these automation workflows to act faster to this.
Now, after, after you take action on these findings, you want to understand the overall impact and improvements to your security posture to do so. We have the security hub dashboard and for those of you who have used or are using security hub, you're probably familiar with it.
We released major enhancements to it and the reasons we've done so is because security teams have told us that as the cloud security landscape evolved, they needed to address a more diverse set of security concerns ranging from infrastructure mis configurations to software vulnerabilities to threats, identity risks and more, this is why we have released a new sets of widgets dedicated to your specific security needs and guided by the lessons that aws have identified from its own security operations and across variety of customers that we work with continuously.
These widgets include dedicated widgets for top threats in your cloud environment and exploitable software vulnerabilities and allow you to shift your focus into the things you want to focus on and take and take action accordingly. But also to track and monitor progress over time.
We also heard from customers that as their organizational um structure grew over time, they simply have more accounts, they need to track now. Security hubs dashboard has already provided you with a comprehensive view of all of the findings across your organization. But you could only view it in the overall all my organization view or in a specific account view.
We have released a new set of powerful filters that allow you to zoom into specific account team resource tag application and more allowing you to quickly focus on specific areas of interest. But you can also save this set of filters to create dedicated views that you can go back to allowing you to start and end your day focusing and flipping through the dedicated views you have created in security hub.
So let's see how it looks like that's the fun part of the demo. Now, if we are a specific cloud security professional or a security team, and now we want to use security hub, including the new features that were released to act on our security concerns and better and more effectively address them.
We start from security hubs. Findings page here. Every finding is a specific security concerns and you can now use the filters in conjunction with the new and reached fields to identify and work towards improving the security of specific areas.
So for example, you can now use aws account name and not only account id to see the findings that are associated with a specific account that you might have in mind and want to make sure it's all right. And in this case, we are filtering by this account, we can see all the different findings associated with it.
And this a this account could be a specific application, but i can also use the new application definition. And as i mentioned, we derive it from the tag to filter by application name or arm. So let's filter by a specific production application that we have. And we want to work on the findings that are associated with this application to make sure it's not uh uh exposed for compromised, the findings can be sorted by severity.
And as we dive into a specific finding, we see all the details about the specific issue and we now have the new fields as the account name, application name and on that allow you to attribute it to the relevant places. And we also have a new table of resource tags that gives you more context. So you can now better understand the importance of this finding and decide if you want to take action now, next week, next month or never.
And in this example, we see that the that the resource have an environment equals production resource tag associated with it indicating that we will probably want to prioritize it. We can also use security hub automation capability and more specifically its custom action to take action faster. And in this example, we can use an action to open a ticket to the relevant people or isolate the instance if for example, it's an easy two instance that it's actively compromised.
All of this helps you to more effectively and in a faster manner, address security concerns. And now we want to use the dashboard to see the overall status of that application that we are working to improve its security. You can use the filters and you can see both the new fields such as the account name and also um existing attributes such as product name, research, tag, severity, label and more and using these filters will filter the whole dashboard.
So let's start with focusing on critical security hub findings and filtering the whole dashboard by it. When we do so, you will see that the assets with most findings, the widget on the right hand side is updated and filtered by only findings that are related to security hub. And you can view for example, the resources or applications that you have defined quickly see all the findings associated with it and then save that view.
And this allows you to create dedicated views that you can come back to and quickly focus on specific parts of your business that you want to address your security for. And you can combine the filters, for example, to focus on threats in production accounts, critical software vulnerabilities. And more in this example of threats in production accounts, you can see that it's filtered by specific account names and core duty findings.
Not only that you can filter the dashboards to focus on specific part of your business, you can also customize it. So we have a new library of widgets that we added, you can move them around, organize the dashboard, for example, as operational dashboard or executive reporting dashboard, and you can remove widgets that you are not just not as interested about and also see the new widgets that we added such as frets in your cloud environment or software vulnerabilities that are exploitable and fixable, meaning it's not only a high concern, but you can actually take action and do something about it most likely in collaboration with your application teams from here, you can pivot directly to the findings page and then look at the findings uh perform a custom action as we saw earlier.
And this helps you to close the feedback loop faster and address these concerns. Overall, you can use the combination of these two new weed and features to accelerate your cloud security response and remediation and report and track on the progress.
Over the past few years, we've seen customers from across every size, geography and industry adopt security hub and use it to improve the state of their security posture. And now i would like to invite my colleagues back to the stage and dora will share more about what's next from aws.
Thanks shaar and thanks to all great demos. Um so kind of concluding and wrapping up. Uh what can you do after we leave this room? How can you learn more about security hub? So you can try it for free for 30 days across your organization and you can also join one of our activation days. We do those regularly and get, uh you can get hands on guidance both to set up security hub, but also how to operationalize it.
And if you want to stay on top of uh all the new releases, what's new with security hub, uh you can subscribe to security hub announcements with uh amazon sns and save the date. Uh aws reinforce is going to be on june uh between the 10th and the 12th in philadelphia. This is a conference specifically focused on security and would uh love to see you uh there to share more about uh the latest about security hub, but also of uh anything new and exciting in security at the ws.
So, thank you. And we're gonna be um off stage uh for q and a for a few minutes once uh we finish the session. Thanks for coming.
扫一扫
8047
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
