
Correlate security findings with AWS Security Hub and Amazon EventBridge

In this blog post, we walk you through deploying a solution that correlates specific AWS Security Hub findings from multiple AWS services that relate to a single AWS resource, a combination that indicates an increased likelihood that a security incident has occurred.

AWS Security Hub ingests findings from multiple AWS services, including Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Firewall Manager, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Systems Manager Patch Manager. Findings from each service are normalized into the AWS Security Finding Format (ASFF), so that you can review findings in a standardized format and act on them quickly. You can use AWS Security Hub to provide a single view of all security-related findings, from which you can set up alerting, automated remediation, and ingestion into third-party incident management systems for specific findings.

Although Security Hub can ingest a large volume of findings from many integrations, it cannot create correlation rules the way a Security Information and Event Management (SIEM) tool can. However, you can build such rules with Amazon EventBridge. It is worth taking a closer look when multiple AWS security services generate findings for a single resource, because this potentially indicates elevated risk. Depending on your environment, the initial volume of findings in AWS Security Hub may be high, so you might need to prioritize which findings require immediate action. AWS Security Hub natively lets you filter findings by resource, account, and many other attributes. With the solution in this post, when one of these correlated sets of findings is detected, a new finding is created and pushed to AWS Security Hub by using the Security Hub BatchImportFindings API operation. You can then respond to these new, incident-oriented findings through ticketing, chat, or incident management systems.

Prerequisites

This solution requires that AWS Security Hub is enabled in your AWS account. In addition to AWS Security Hub, the services whose findings the correlations below consume must be enabled and integrated with AWS Security Hub: Amazon GuardDuty, Amazon Inspector, and Amazon Macie.

Solution overview

In this solution, you will use a combination of AWS Security Hub, Amazon EventBridge, AWS Lambda, and Amazon DynamoDB to ingest and correlate specific findings that indicate a higher likelihood of a security incident. Each correlation focuses on multiple specific AWS security service findings for a single AWS resource.

The following list shows the correlated findings that this solution detects. The Description section for each finding correlation provides context for that correlation, the Remediation section provides general recommendations for remediation, and the Prevention/Detection section provides guidance to either prevent or detect one or more of the findings within the correlation. With the code provided, you can add more correlations than those listed here by modifying the AWS Cloud Development Kit (AWS CDK) code and the AWS Lambda code. The Solution workflow section breaks down the flow of the solution. If you choose to implement automatic remediation, each finding correlation will be created with the following AWS Security Finding Format (ASFF) fields:

- Severity: CRITICAL
- ProductArn: arn:aws:securityhub:<region>:<account-id>:product/<account-id>/default

These correlated findings are created by this solution:

    1. Any Amazon GuardDuty Backdoor finding and three critical common vulnerabilities and exposures (CVEs) from Amazon Inspector that are associated with the same Amazon Elastic Compute Cloud (Amazon EC2) instance.
        • Description: Amazon Inspector has found at least three critical CVEs on the EC2 instance. The CVEs indicate that the EC2 instance is currently vulnerable or exposed. The EC2 instance is also performing backdoor activity. The combination of these two findings is a stronger indication of an elevated security incident.
        • Remediation: It’s recommended that you isolate the EC2 instance and follow standard protocol to triage the EC2 instance to verify whether the instance has been compromised. If the instance has been compromised, follow your standard Incident Response process for post-instance compromise and forensics. Redeploy a backup of the EC2 instance by using an up-to-date hardened Amazon Machine Image (AMI), or apply all security-related patches to the redeployed EC2 instance.
        • Prevention/Detection: To mitigate or prevent an Amazon EC2 instance from missing critical security updates, consider using AWS Systems Manager Patch Manager to automate the installation of security-related patches for managed instances. Alternatively, you can provide developers with up-to-date hardened Amazon Machine Images (AMIs) by using EC2 Image Builder. For detection, you can set the AMI property called DeprecationTime to indicate when the AMI is outdated, and respond accordingly.
    2. An Amazon Macie sensitive data finding and an Amazon GuardDuty S3 exfiltration finding for the same Amazon Simple Storage Service (Amazon S3) bucket.
        • Description: Amazon Macie has scanned an Amazon S3 bucket and found a possible match for sensitive data. Amazon GuardDuty has detected a possible exfiltration finding for the same Amazon S3 bucket. The combination of these findings indicates a higher-risk security incident.
        • Remediation: It’s recommended that you review the source IP and/or IAM principal that is making the S3 object reads against the S3 bucket. If the source IP and/or IAM principal is not authorized to access sensitive data within the S3 bucket, follow your standard Incident Response process for post-compromise handling of S3 exfiltration. For example, you can restrict an IAM principal’s permissions, revoke existing credentials or unauthorized sessions, restrict access through the Amazon S3 bucket policy, or use the Amazon S3 Block Public Access feature.
    3. AWS Security Hub detects an EC2 instance with a public IP and an unrestricted VPC security group; an Amazon GuardDuty unusual network traffic behavior finding; and an Amazon GuardDuty brute force finding.
        • Description: AWS Security Hub has detected an EC2 instance that has a public IP address attached and a VPC security group that allows traffic on ports beyond ports 80 and 443. Amazon GuardDuty has also identified that the EC2 instance has multiple brute force attempts against it and is communicating with a remote host on an unusual port that the EC2 instance has not previously used for network communication. The correlation of these lower-severity findings indicates a higher-severity security incident.
        • Remediation: It’s recommended that you isolate the EC2 instance and follow standard protocol to triage the EC2 instance to verify whether the instance has been compromised. If the instance has been compromised, follow your standard Incident Response process for post-instance compromise and forensics.
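The three correlations above, expressed as code. This is an added example, not the blog post’s or the aws-security repository’s own code: it evaluates the rules in pure Python over ASFF finding dicts grouped by the first resource in each finding, which is what the second Lambda function in the workflow has to do. The ProductName values, the Types substrings, and the Security Hub control IDs (EC2.9 for a public IP, EC2.18/EC2.19 for an unrestricted security group) it matches on are assumptions about how these findings appear in ASFF; check them against your own findings before relying on them. The sample findings at the bottom are constructed for the demo.

```python
"""Correlation rules for the three finding sets described in the post.

Added example, not the post's own code. Matching markers and control IDs
below are assumptions about how the findings look in ASFF.
"""
from collections import defaultdict

# Assumed ASFF markers (substring matches against the Types list).
GD_BACKDOOR = "Backdoor:"                          # GuardDuty Backdoor:EC2-* findings
GD_S3_EXFIL = "Exfiltration:S3"                    # GuardDuty Exfiltration:S3-* findings
GD_BRUTE_FORCE = "BruteForce"                      # e.g. UnauthorizedAccess:EC2-SSHBruteForce
GD_UNUSUAL_PORT = "Behavior:EC2-NetworkPortUnusual"
MACIE_SENSITIVE = "Sensitive Data Identifications"
# Assumed Security Hub control IDs (Compliance.SecurityControlId).
SH_PUBLIC_IP = {"EC2.9"}
SH_OPEN_SG = {"EC2.18", "EC2.19"}

RULE_BACKDOOR_CVES = "ec2-backdoor-with-critical-cves"
RULE_S3_EXFIL = "s3-sensitive-data-exfiltration"
RULE_EXPOSED_EC2 = "exposed-ec2-brute-force-unusual-traffic"


def resource_id(finding):
    """Resource the finding is about; the DynamoDB table is keyed on this."""
    return finding["Resources"][0]["Id"]

def _has_type(finding, marker):
    return any(marker in t for t in finding.get("Types", []))

def _failed_control(finding, control_ids):
    comp = finding.get("Compliance", {})
    return (finding.get("ProductName") == "Security Hub"
            and comp.get("Status") == "FAILED"
            and comp.get("SecurityControlId") in control_ids)

def _critical_cves(finding):
    """Distinct CVE IDs on a CRITICAL Inspector finding (empty set otherwise)."""
    if finding.get("ProductName") != "Inspector":
        return set()
    if finding.get("Severity", {}).get("Label") != "CRITICAL":
        return set()
    return {v["Id"] for v in finding.get("Vulnerabilities", [])
            if v.get("Id", "").startswith("CVE-")}


def correlate(findings):
    """Return {resource_id: [rule names]} for resources where a correlation fires."""
    by_resource = defaultdict(list)
    for f in findings:
        by_resource[resource_id(f)].append(f)

    hits = {}
    for rid, fs in by_resource.items():
        gd = [f for f in fs if f.get("ProductName") == "GuardDuty"]
        fired = []
        # 1. GuardDuty Backdoor finding + at least three critical CVEs on one instance
        cves = set().union(*(_critical_cves(f) for f in fs))
        if any(_has_type(f, GD_BACKDOOR) for f in gd) and len(cves) >= 3:
            fired.append(RULE_BACKDOOR_CVES)
        # 2. Macie sensitive data finding + GuardDuty S3 exfiltration on one bucket
        sensitive = any(f.get("ProductName") == "Macie" and _has_type(f, MACIE_SENSITIVE)
                        for f in fs)
        if sensitive and any(_has_type(f, GD_S3_EXFIL) for f in gd):
            fired.append(RULE_S3_EXFIL)
        # 3. public IP + open security group (Security Hub standards)
        #    + unusual port traffic + brute force (GuardDuty) on one instance
        if (any(_failed_control(f, SH_PUBLIC_IP) for f in fs)
                and any(_failed_control(f, SH_OPEN_SG) for f in fs)
                and any(_has_type(f, GD_UNUSUAL_PORT) for f in gd)
                and any(_has_type(f, GD_BRUTE_FORCE) for f in gd)):
            fired.append(RULE_EXPOSED_EC2)
        if fired:
            hits[rid] = fired
    return hits


# ---- constructed sample findings (minimal ASFF shape), not real data ----
def _f(product, rid, types=(), **extra):
    d = {"ProductName": product, "Resources": [{"Id": rid}], "Types": list(types)}
    d.update(extra)
    return d

def _cve(rid, cve_id):  # placeholder CVE IDs, not real ones
    return _f("Inspector", rid, Severity={"Label": "CRITICAL"}, Vulnerabilities=[{"Id": cve_id}])

def _control(rid, control_id):
    return _f("Security Hub", rid, Compliance={"Status": "FAILED", "SecurityControlId": control_id})

EC2_A = "arn:aws:ec2:us-east-1:111122223333:instance/i-0aaaaaaaaaaaaaaaa"
EC2_B = "arn:aws:ec2:us-east-1:111122223333:instance/i-0bbbbbbbbbbbbbbbb"
BUCKET = "arn:aws:s3:::example-sensitive-bucket"
QUIET_BUCKET = "arn:aws:s3:::example-quiet-bucket"

SAMPLE_FINDINGS = [
    _f("GuardDuty", EC2_A, ["TTPs/Command and Control/Backdoor:EC2-C&CActivity.B!DNS"]),
    _cve(EC2_A, "CVE-0000-0001"), _cve(EC2_A, "CVE-0000-0002"), _cve(EC2_A, "CVE-0000-0003"),
    _f("Macie", BUCKET, ["Sensitive Data Identifications/PII/Personal"]),
    _f("GuardDuty", BUCKET, ["TTPs/Exfiltration/Exfiltration:S3-MaliciousIPCaller"]),
    _f("Macie", QUIET_BUCKET, ["Sensitive Data Identifications/PII/Personal"]),  # no exfil: no hit
    _control(EC2_B, "EC2.9"), _control(EC2_B, "EC2.18"),
    _f("GuardDuty", EC2_B, ["Unusual Behaviors/VM/Behavior:EC2-NetworkPortUnusual"]),
    _f("GuardDuty", EC2_B, ["TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce"]),
]
```

Running `correlate(SAMPLE_FINDINGS)` fires one rule for each of the three resources and nothing for the bucket that only has a Macie finding; the point of the counting and grouping is that a single finding never raises a correlated incident on its own. Extending the solution with a fourth correlation means adding one more block to `correlate` and one more rule name, which mirrors the CDK and Lambda changes the post describes.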

The solution workflow, shown in Figure 1, is as follows:

    1. Security Hub ingests findings from integrated AWS security services.
    2. An EventBridge rule is invoked based on Security Hub findings from GuardDuty, Macie, Amazon Inspector, and Security Hub security standards.
    3. The EventBridge rule invokes a Lambda function to store the Security Hub finding, which is passed via EventBridge, in a DynamoDB table for further analysis.
    4. After the new findings are stored in DynamoDB, another Lambda function is invoked through DynamoDB Streams. A time-to-live (TTL) on the table deletes finding entries that are older than 30 days.
    5. The second Lambda function looks at the resource associated with the new finding entry in the DynamoDB table, and checks for the specific Security Hub findings that are associated with the same resource.

Figure 1: Architecture diagram describing the flow of the solution

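The plumbing around those five steps, as an added example that is not the blog post’s or the aws-security repository’s code: the EventBridge event pattern for step 2, the DynamoDB item with its TTL attribute for steps 3 and 4, INSERT-only handling of stream records for step 5, and the CRITICAL ASFF finding that is pushed back with BatchImportFindings using the ProductArn shown earlier. The table attribute names (ResourceId, FindingId, ExpiresAt), the rule name, and the ProductName values in the pattern are assumptions; the `source` and `detail-type` values and the default product ARN layout are the documented ones. The `securityhub` argument to `publish` is expected to be a `boto3.client("securityhub")`, which is not imported here so the block runs offline.

```python
"""Glue for the solution workflow: EventBridge pattern, DynamoDB item with TTL,
INSERT-only stream handling, and the ASFF finding sent via BatchImportFindings.

Added example, not the post's own code. Attribute names and the ProductName
values in the pattern are assumptions.
"""
import datetime as dt
import hashlib

TTL_DAYS = 30
DAY = 86400

# Step 2: EventBridge rule pattern. Only the four producers the correlations use,
# and only ACTIVE records, so that archiving a finding does not re-trigger the flow.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {
        "ProductName": ["GuardDuty", "Inspector", "Macie", "Security Hub"],
        "RecordState": ["ACTIVE"],
    }},
}


def to_item(finding, now_epoch):
    """Step 3: DynamoDB item keyed by resource. ExpiresAt is the TTL attribute (step 4)."""
    return {
        "ResourceId": finding["Resources"][0]["Id"],   # partition key: group by resource
        "FindingId": finding["Id"],                    # sort key
        "ProductArn": finding["ProductArn"],
        "ProductName": finding["ProductName"],
        "Types": finding.get("Types", []),
        "ExpiresAt": now_epoch + TTL_DAYS * DAY,       # epoch seconds, as DynamoDB TTL expects
    }


def inserted_resource_ids(stream_event):
    """Step 5: resources to re-evaluate from a DynamoDB Streams batch.
    TTL expirations arrive on the same stream as REMOVE records, so only
    INSERT records trigger correlation; otherwise every expiry would re-run it."""
    ids = {rec["dynamodb"]["Keys"]["ResourceId"]["S"]
           for rec in stream_event.get("Records", [])
           if rec.get("eventName") == "INSERT"}
    return sorted(ids)


def default_product_arn(region, account_id):
    """Documented default product ARN for findings imported with BatchImportFindings."""
    return f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default"


def _resource_type(rid):
    if ":instance/" in rid:
        return "AwsEc2Instance"
    if rid.startswith("arn:aws:s3:::"):
        return "AwsS3Bucket"
    return "Other"


def incident_finding(rule_name, rid, related, region, account_id, now_epoch):
    """ASFF finding for a correlation hit: Severity CRITICAL and the default
    ProductArn, as the post specifies; RelatedFindings link back to the inputs."""
    ts = dt.datetime.fromtimestamp(now_epoch, dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # Deterministic Id: re-evaluating the same resource updates the existing
    # finding instead of creating a duplicate on every stream batch.
    digest = hashlib.sha256(f"{rule_name}|{rid}".encode()).hexdigest()[:32]
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"correlation/{rule_name}/{digest}",
        "ProductArn": default_product_arn(region, account_id),
        "GeneratorId": f"finding-correlation/{rule_name}",
        "AwsAccountId": account_id,
        "Types": ["Unusual Behaviors"],
        "CreatedAt": ts,
        "UpdatedAt": ts,
        "Severity": {"Label": "CRITICAL"},
        "Title": f"Correlated security incident: {rule_name}",
        "Description": f"{len(related)} findings from multiple services on {rid}",
        "Resources": [{"Type": _resource_type(rid), "Id": rid, "Region": region}],
        "RelatedFindings": [{"ProductArn": r["ProductArn"], "Id": r["Id"]} for r in related],
    }


def publish(securityhub, finding):
    """Push the finding with BatchImportFindings (securityhub = boto3.client('securityhub')).
    The call can succeed partially, so FailedCount must be checked, not only the HTTP status."""
    resp = securityhub.batch_import_findings(Findings=[finding])
    if resp.get("FailedCount", 0):
        raise RuntimeError(f"BatchImportFindings rejected: {resp.get('FailedFindings')}")
    return resp["SuccessCount"]
```

Two details matter in practice. The stream handler must ignore REMOVE records, because the TTL cleanup in step 4 writes them to the same stream that triggers step 5. And `publish` checks `FailedCount`: BatchImportFindings returns HTTP 200 even when individual findings are rejected for schema errors, so a missing check silently drops the incident you just detected.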

Solution deployment

You can deploy the solution through either the AWS Management Console or the AWS Cloud Development Kit (AWS CDK).

To deploy the solution by using the AWS Management Console

In your account, launch the AWS CloudFormation template by choosing the Launch Stack button. It takes approximately ten minutes for the CloudFormation stack to complete.

To deploy the solution by using the AWS CDK

You can find the latest code in the aws-security GitHub repository, where you can also contribute to the sample code. The following commands show how to deploy the solution by using the AWS CDK. First, the CDK bootstraps your environment and uploads the AWS Lambda assets to Amazon S3. Then you can deploy the solution. For <account-number>, specify the account number, and for <region>, specify the AWS Region that you want the solution deployed to.

    cdk bootstrap aws://<account-number>/<region>
    cdk deploy

Conclusion

In this blog post, we walked through a solution that uses AWS services, including Amazon EventBridge, AWS Lambda, and Amazon DynamoDB, to correlate AWS Security Hub findings from multiple different AWS security services. The solution offers a framework to prioritize specific sets of findings that indicate an increased likelihood that a security incident has occurred, so that you can prioritize and improve your security response.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a thread on the AWS Security Hub forum.

Want more AWS Security how-to content, news, and show announcements? Follow us on Twitter .