Visualizing A Lot of AWS Security Hub Findings

AWS Security Hub is a simple way to collect all of your security data within your AWS Cloud environment.

There are some challenges associated with the service. Namely, getting a handle on a lot of findings from a number of different regions and accounts.

Recently, David Hessler at AWS posted a solution over on the AWS Security Blog. My thoughts on that solution, in a way-too-big Twitter thread 👇

Tweet 1/15

over on the @awssecurityinfo blog, @davidhessler dropped a great post, "How to build a multi-Region AWS Security Hub analytic pipeline and visualize Security Hub data"

https://aws.amazon.com/blogs/security/how-to-build-a-multi-region-aws-security-hub-analytic-pipeline/

👇 a thread with my thoughts…

🧵 #cloud #security

Tweet 2/15

@AWSSecurityInfo @davidhessler first of all, this solution uses Amazon Quicksight to visualize @awscloud Security Hub findings.

QuickSight has been one of my favourite AWS services since its launch. it’s super easy to use and produces some fantastic visuals you can share w/the team

🧵 #cloud #security

Tweet 3/15

@AWSSecurityInfo @davidhessler @awscloud this solution tackles one of the top challenges with @awscloud Security services: data distribution across the regions

like any data, Security Hub findings stay in the region where they were generated

that’s good but you (obviously) want a centralized view

🧵 #cloud #security

Tweet 4/15

@AWSSecurityInfo @davidhessler @awscloud Security Hub offers a solution to this: cross-Region finding aggregation

more on that at https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html

🧵 #cloud #security

Tweet 5/15

@AWSSecurityInfo @davidhessler @awscloud in larger orgs, sub accounts send their Security Hub findings to a single administrator account

cross-Region finding aggregation 👆 is then used in that account to get a view of all of the organization’s Security Hub findings in one place

phew…

🧵 #cloud #security

Tweet 6/15

@AWSSecurityInfo @davidhessler @awscloud with all of the data in one place, this solution uses Amazon Athena (eventually) to slice and dice the data for QuickSight

the “eventually” bit is where the solution is a bit frustrating for me

Security Hub outputs to EventBridge (awesome) …

🧵 #cloud #security

Tweet 7/15

@AWSSecurityInfo @davidhessler @awscloud from there, this solution uses Kinesis Firehose to an Amazon S3 bucket to a Lambda function to another Bucket and somehow loops in AWS Glue to get everything into the location and format to make life easier to Athena (the querying engine)

yikes

🧵 #cloud #security

Tweet 8/15

@AWSSecurityInfo @davidhessler @awscloud this is an ongoing theme with the @awscloud. it's taking more and more services to actually solve the problem at hand

the choices in this solution make sense, it’s just frustrating that it’s this complex

🧵 #cloud #security

Tweet 9/15

@AWSSecurityInfo @davidhessler @awscloud
Security Hub => EventBridge ✅
EventBridge => Kinesis Data Firehose ❓
Kinesis Data Firehose => Amazon S3 ❓
AWS Glue => Amazon S3 => Amazon Athena ✅

when I see challenges like this, I often ask, “What else could I use here?”

🧵 #cloud #security

Tweet 10/15

@AWSSecurityInfo @davidhessler @awscloud in this case, you could use EventBridge => SQS => Lambda => S3

…but that’s even more complicated!

…maybe EventBridge => Lambda => S3?

that’s cleaner but could have throttling issues at scale 🤦

🧵 #cloud #security

Tweet 11/15

@AWSSecurityInfo @davidhessler @awscloud what about price? turns out that Firehose is reasonable for this use case

pricing is up at https://aws.amazon.com/kinesis/data-firehose/pricing/

but I figure it would be about $5.25 per million Findings

🧵 #cloud #security

Tweet 12/15

@AWSSecurityInfo @davidhessler @awscloud ...but the complexity of SQS => Lambda might be worth it AT SCALE

that same million Findings is going to clock in around $2.60 …and you would save on the AWS Glue charges because you could normalize from Lambda

🧵 #cloud #security

Tweet 13/15

@AWSSecurityInfo @davidhessler @awscloud sidenote: if you're wondering what a Finding is, it's the data format (ASFF) used by AWS security services tools

it’s an open format, with details up at https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html

I really like it, but I’m biased as I was involved in the early days

🧵 #cloud #security

Tweet 14/15

@AWSSecurityInfo @davidhessler @awscloud regardless of how you get the data ready for visualization, QuickSight is a very cool tool to pull this off.

the shared dashboards are extremely useful here: https://docs.aws.amazon.com/quicksight/latest/user/sharing-a-dashboard.html

🧵 #cloud #security

Tweet 15/15

@AWSSecurityInfo @davidhessler @awscloud this went on way longer than anticipated!

be sure to check out the full post at https://aws.amazon.com/blogs/security/how-to-build-a-multi-region-aws-security-hub-analytic-pipeline/

…and let me know what you think of this solution in the replies 👇

/🧵 #cloud #security
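The simpler EventBridge => Lambda => S3 pipeline from tweet 10, with the "normalize from Lambda" idea from tweet 12 applied to the ASFF findings described in tweet 13, as an added example. This is not code from the AWS blog post or from the thread: the bucket and prefix names, the flat column set, and the injectable `s3_put` hook are assumptions, and the sample event is constructed to match the shape EventBridge uses for "Security Hub Findings - Imported" events (an array of ASFF findings under `detail.findings`).

```python
"""Added example (not from the AWS post): flatten ASFF findings arriving
from EventBridge and write them to S3 in Hive-style partitions for Athena."""
import hashlib
import json
import os
from typing import Callable, Dict, List

# Hypothetical destination; in a real Lambda these come from environment variables.
BUCKET = os.environ.get("FINDINGS_BUCKET", "example-securityhub-findings")
PREFIX = os.environ.get("FINDINGS_PREFIX", "asff-flat")


def flatten_finding(finding: Dict) -> Dict:
    """Reduce a full ASFF finding to one flat row that is cheap to query.

    The nested objects (Severity, Compliance, Workflow, Resources) are what
    usually force a Glue job in front of Athena; flattening here is the
    normalization step the thread suggests doing in Lambda instead.
    Missing optional fields get conservative defaults rather than failing.
    """
    resources = finding.get("Resources") or []
    first = resources[0] if resources else {}
    severity = finding.get("Severity") or {}
    return {
        "id": finding["Id"],  # required by ASFF, so a KeyError here is a real defect
        "product_arn": finding.get("ProductArn"),
        "generator_id": finding.get("GeneratorId"),
        "account_id": finding.get("AwsAccountId"),
        "region": finding.get("Region") or first.get("Region"),
        "title": finding.get("Title"),
        "types": ",".join(finding.get("Types") or []),
        "severity_label": severity.get("Label", "INFORMATIONAL"),
        "severity_normalized": severity.get("Normalized", 0),
        "compliance_status": (finding.get("Compliance") or {}).get("Status"),
        "workflow_status": (finding.get("Workflow") or {}).get("Status", "NEW"),
        "record_state": finding.get("RecordState", "ACTIVE"),
        "resource_type": first.get("Type"),
        "resource_id": first.get("Id"),
        "resource_count": len(resources),
        "created_at": finding.get("CreatedAt"),
        "updated_at": finding.get("UpdatedAt"),
    }


def object_key(row: Dict, prefix: str = PREFIX) -> str:
    """Build an S3 key with dt=/region= partitions so Athena can prune scans.

    The object name is a hash of Id + UpdatedAt: ASFF Ids are ARNs (not safe
    as object names) and Security Hub re-emits a finding on every update,
    so each version lands in its own object instead of overwriting the last.
    """
    dt = (row.get("updated_at") or "1970-01-01T00:00:00Z")[:10]
    region = row.get("region") or "unknown"
    digest = hashlib.sha256(f"{row['id']}|{row.get('updated_at')}".encode()).hexdigest()[:32]
    return f"{prefix}/dt={dt}/region={region}/{digest}.json"


def process_event(event: Dict, s3_put: Callable[[str, str, str], None],
                  bucket: str = BUCKET, prefix: str = PREFIX) -> List[str]:
    """Handle one EventBridge event; returns the keys written.

    `s3_put(bucket, key, body)` is injected so the logic runs offline in a
    test; lambda_handler below binds it to boto3.
    """
    findings = (event.get("detail") or {}).get("findings") or []
    keys = []
    for finding in findings:
        row = flatten_finding(finding)
        key = object_key(row, prefix)
        # newline-delimited JSON, one row per object, reads cleanly in Athena
        s3_put(bucket, key, json.dumps(row, separators=(",", ":")) + "\n")
        keys.append(key)
    return keys


def lambda_handler(event, context):
    """Real Lambda entry point (assumed name); imports boto3 lazily so the
    module stays importable on a machine without the AWS SDK."""
    import boto3
    s3 = boto3.client("s3")
    return process_event(
        event,
        lambda bucket, key, body: s3.put_object(Bucket=bucket, Key=key, Body=body.encode()),
    )


# Constructed sample event in the EventBridge shape; values are placeholders, not real data.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "region": "us-east-1",
    "detail": {"findings": [{
        "SchemaVersion": "2018-10-08",
        "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/example-standard/v/1.0.0/S3.8/finding/00000000-0000-0000-0000-000000000000",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
        "GeneratorId": "example-standard/v/1.0.0/S3.8",
        "AwsAccountId": "111122223333",
        "Region": "us-east-1",
        "Types": ["Software and Configuration Checks/Industry and Regulatory Standards"],
        "CreatedAt": "2021-09-01T12:00:00.000Z",
        "UpdatedAt": "2021-09-03T08:30:00.000Z",
        "Severity": {"Label": "HIGH", "Normalized": 70},
        "Title": "Example: S3 Block Public Access should be enabled at the bucket level",
        "Compliance": {"Status": "FAILED"},
        "Workflow": {"Status": "NEW"},
        "RecordState": "ACTIVE",
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket", "Region": "us-east-1"}],
    }]},
}

if __name__ == "__main__":
    written = {}
    for k in process_event(SAMPLE_EVENT, lambda b, key, body: written.__setitem__(key, body)):
        print(k)
        print(written[k])
```

The throttling concern from tweet 10 still applies to this shape: each event invokes one Lambda, so at high finding volume the account's Lambda concurrency limit and S3 request rate become the bottleneck, which is exactly where the SQS buffer from tweet 12 earns its extra moving part. Because every update of a finding is kept as its own object, an Athena query for current state needs to pick the newest `updated_at` per `id` (for example with `row_number()` partitioned by `id`).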
