Security Cloud Courses About
imgs/hero.webp

Visualizing A Lot of AWS Security Hub Findings

AWS Security Hub is a simple way to collect all of your security data within your AWS Cloud environment.

There are some challenges associated with the service. Namely, getting a handle on a lot of findings from a number of different regions and accounts.

Recently, David Hessler at AWS posted a solution over the AWS Security Blog. My thoughts on that solution in a way-to-big Twitter thread πŸ‘‡

Tweet 1/15 πŸ‘‡ Next tweet

over on the @awssecurityinfo blog, @davidhessler dropped a great post, "How to build a multi-Region AWS Security Hub analytic pipeline and visualize Security Hub data"

https://aws.amazon.com/blogs/security/how-to-build-a-multi-region-aws-security-hub-analytic-pipeline/

πŸ‘‡ a thread with my thoughts…

🧡 #cloud #security

Tweet 2/15 πŸ‘‡ Next tweet πŸ‘† Start

@AWSSecurityInfo @davidhessler first of all, this solution uses Amazon Quicksight to visualize @awscloud Security Hub findings.

QuickSight has been one of my favourite AWS services since it’s launch. it’s super easy to use and produces some fantastic visuals you can share w/the team

🧡 #cloud #security

Tweet 3/15 πŸ‘‡ Next tweet πŸ‘† Start

@AWSSecurityInfo @davidhessler @awscloud this solution tackles one of the top challenges with @awscloud Seurity services: data distribution across the regions

like any data, Security Hub findings stay in the region where they were generated

that’s good but you (obviously) want a centralized view

🧡 #cloud #security

Tweet 4/15 πŸ‘‡ Next tweet πŸ‘† Start

@AWSSecurityInfo @davidhessler @awscloud Security Hub offers a solution to this: cross-Region finding aggregation

more on that at https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html

🧡 #cloud #security

Tweet 5/15 πŸ‘‡ Next tweet πŸ‘† Start

@AWSSecurityInfo @davidhessler @awscloud in larger orgs, sub accounts send their Security Hub findings to a single administrator account

cross-Region finding aggregation πŸ‘† is then used in that account to get a view of all of the organization’s Security Hub findings in one place

phew…

🧡 #cloud #security

Tweet 6/15 πŸ‘‡ Next tweet πŸ‘† Start

@AWSSecurityInfo @davidhessler @awscloud with all of the data in one place, this solution uses Amazon Athena (eventually) to slice and dice the data for QuickSight

the “eventually” bit is where the solution is a bit frustrating for me

Security Hub outputs to EventBridge (awesome) …

🧡 #cloud #security

Tweet 7/15 πŸ‘‡ Next tweet πŸ‘† Start

@AWSSecurityInfo @davidhessler @awscloud from there, this solution uses Kinesis Firehose to an Amazon S3 bucket to a Lambda function to another Bucket and somehow loops in AWS Glue to get everything into the location and format to make life easier to Athena (the querying engine)

yikes

🧡 #cloud #security

Tweet 8/15 πŸ‘‡ Next tweet πŸ‘† Start

@AWSSecurityInfo @davidhessler @awscloud this is an ongoing theme with the @awscloud. it's taking more and more services to actually solve the problem at hand

the choices in this solution make sense, it’s just frustration that it’s this complex

🧡 #cloud #security

Tweet 9/15 πŸ‘‡ Next tweet πŸ‘† Start

@AWSSecurityInfo @davidhessler @awscloud Security Hub => EventBridge βœ… EventBridge => Kinesis Data Firehose ❓ Kinesis Data Firehose => Amazon S3 ❓ AWS Glue => Amazon S3 => Amazon Athena βœ…

when I see challenges like this, I often ask, “What else could I use here?”

🧡 #cloud #security

Tweet 10/15 πŸ‘‡ Next tweet πŸ‘† Start

@AWSSecurityInfo @davidhessler @awscloud in this case, you could use EventBridge => SQS => Lambda => S3

…but that’s even more complicated!

…maybe EventBridge => Lambda => S3?

that’s cleaner but could have throttling issues at scale 🀦

🧡 #cloud #security

Tweet 11/15 πŸ‘‡ Next tweet πŸ‘† Start

@AWSSecurityInfo @davidhessler @awscloud what about price? turns out that Firehose is reasonable for this use case

pricing is up at https://aws.amazon.com/kinesis/data-firehose/pricing/

but I figure it would be about $5.25 per million Findings

🧡 #cloud #security

Tweet 12/15 πŸ‘‡ Next tweet πŸ‘† Start

@AWSSecurityInfo @davidhessler @awscloud ...but the complexity of SQS => Lambda might be worth it AT SCALE

that same million Findings is goign to clock in around $2.60 …and you would save on the AWS Glue charges because you could normalize from Lambda

🧡 #cloud #security

Tweet 13/15 πŸ‘‡ Next tweet πŸ‘† Start

@AWSSecurityInfo @davidhessler @awscloud sidenote: if you're wondering what a Finding is, it's the data format (ASFF) used by AWS security services tools

it’s an open format, with details up at https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html

I really like it, but I’m biased as I was involved in the early days

🧡 #cloud #security

Tweet 14/15 πŸ‘‡ Next tweet πŸ‘† Start

@AWSSecurityInfo @davidhessler @awscloud regardless of how you get the data ready for visualization, QuickSight is a very cool tool to pull this off.

the shared dashboards are extrememly useful here: https://docs.aws.amazon.com/quicksight/latest/user/sharing-a-dashboard.html

🧡 #cloud #security

Tweet 15/15 πŸ‘‡ Next tweet πŸ‘† Start

@AWSSecurityInfo @davidhessler @awscloud this went on way longer than anticipated!

be sure to check out the full post at https://aws.amazon.com/blogs/security/how-to-build-a-multi-region-aws-security-hub-analytic-pipeline/

…and let me know what you think of this solution in the replies πŸ‘‡

/🧡 #cloud #security