by Vanessa Kong and Felix Philipose
from CMD Solutions

In the cloud, detective controls are essential: they help you detect misconfigurations, vulnerabilities, and potentially malicious activity. Among the AWS security services used for detective controls are Amazon GuardDuty, Amazon Inspector and AWS Security Hub, all widely adopted across organisations. AWS Security Hub provides a single pane of glass for viewing security findings and managing alerts produced by AWS services, AWS Partner security products, and other integrated third-party solutions. In addition, Security Hub runs automated checks against security best practices and industry standards, which can help customers meet compliance requirements.

Although AWS Security Hub shares some features with security information and event management (SIEM) tools, it is not designed as a standalone SIEM replacement. It can, however, enrich an existing SIEM or form part of a hybrid solution built on AWS native services.

SIEM with AWS Security Hub and Amazon OpenSearch

Amazon OpenSearch Service is an AWS-managed service for deploying, operating, and scaling OpenSearch clusters for search and log analytics. In this post, we will demonstrate how you can use AWS Security Hub and Amazon OpenSearch together to build a SIEM solution.

AWS Security Hub collects security data from across your AWS environment and gives you a comprehensive view of your high-priority security alerts and findings, while Amazon OpenSearch indexes the collected logs and findings so they can be searched and analysed.

Used together, AWS Security Hub and Amazon OpenSearch give you a SIEM solution that covers the collection, analysis, and investigation of security data, and the ability to quickly search for and find the information you need to respond to security incidents.

This solution lets you correlate Security Hub findings with each other and with other log sources. Security operations teams collect many log sources (application logs, security scanning output, vendor logs, and other solutions) and need to store and correlate them for incident investigation. For example, Amazon Inspector scans AWS workloads for software vulnerabilities and unintended network exposure; its findings should be stored and, when needed, queried alongside the rest. Using AWS native security services as sources of security event data, and aggregating them through Security Hub and OpenSearch, yields insights that can in turn drive meaningful alerts.

Another benefit customers value is the ability to retain all security events beyond the 90 days that AWS Security Hub keeps findings by default, whether for industry standards and compliance, historical investigation, or audit requirements.

Solution Architecture:

Logs from AWS security services, AWS Security Hub findings, and logs from non-AWS sources are written to an Amazon S3 bucket, either through Amazon Kinesis Data Firehose or directly.

An AWS Lambda ETL (extract, transform, and load) function converts the structured log data and sends it to Amazon OpenSearch. Dashboards can be built on queries run in Amazon OpenSearch, either natively in OpenSearch Dashboards or with a third-party tool such as Kibana. In addition, security analysts can be notified by alert rules and thresholds defined in Amazon OpenSearch, delivered through Amazon SNS topics to their preferred platform.
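The ETL step described above, as an added example in Python rather than the post's own code: it parses Security Hub findings (ASFF) out of an S3 object as Firehose writes it, promotes the fields analysts filter on to top level, and builds the OpenSearch _bulk request body. The S3 object layout (JSON events concatenated with no delimiter, the Firehose default), the index prefix, the daily index naming and the promoted field names are assumptions, and the sample finding is constructed.

```python
"""Lambda-style ETL step for the OpenSearch path: parse Security Hub findings
(ASFF) out of an S3 object written by Firehose, flatten them, and build the
OpenSearch _bulk request body. Added example, not the original post's code.
Assumed: no-delimiter JSON in the object, the index prefix, the field names."""
import hashlib
import json
from datetime import datetime

INDEX_PREFIX = "securityhub-findings"  # assumed; one index per day eases retention
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample finding: the shape follows ASFF, the values are made up.
SAMPLE_FINDING = {
    "Id": "arn:aws:guardduty:ap-southeast-2:111122223333:detector/d1/finding/f1",
    "ProductArn": "arn:aws:securityhub:ap-southeast-2::product/aws/guardduty",
    "ProductFields": {"aws/securityhub/ProductName": "GuardDuty"},
    "AwsAccountId": "111122223333",
    "Region": "ap-southeast-2",
    "CreatedAt": "2023-03-01T02:15:00.000Z",
    "UpdatedAt": "2023-03-02T09:30:00.000Z",
    "Severity": {"Label": "HIGH", "Normalized": 70},
    "Title": "EC2 instance i-0abc123 is querying a domain linked to a known C&C server.",
    "Resources": [{"Type": "AwsEc2Instance",
                   "Id": "arn:aws:ec2:ap-southeast-2:111122223333:instance/i-0abc123"}],
    "Workflow": {"Status": "NEW"},
    "RecordState": "ACTIVE",
}

def parse_concatenated_json(text: str) -> list:
    """Firehose writes records back-to-back with no delimiter, so json.loads on the
    whole object fails; decode one JSON value at a time instead."""
    decoder, pos, objects = json.JSONDecoder(), 0, []
    text = text.strip()
    while pos < len(text):
        obj, pos = decoder.raw_decode(text, pos)
        objects.append(obj)
        while pos < len(text) and text[pos].isspace():
            pos += 1
    return objects

def extract_findings(objects: list) -> list:
    """Unwrap EventBridge 'Security Hub Findings - Imported' envelopes
    (detail.findings[]); also accept bare ASFF findings written directly."""
    findings = []
    for obj in objects:
        if isinstance(obj, dict) and "detail" in obj:
            findings.extend(obj["detail"].get("findings", []))
        elif isinstance(obj, dict) and "Id" in obj and "ProductArn" in obj:
            findings.append(obj)
    return findings

def transform_finding(finding: dict) -> dict:
    """Promote the fields analysts filter on to top level; keep the full ASFF nested."""
    severity = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
    resources = finding.get("Resources", [])
    return {
        "@timestamp": finding.get("UpdatedAt") or finding["CreatedAt"],
        "finding_id": finding["Id"],
        "product_name": finding.get("ProductFields", {}).get("aws/securityhub/ProductName"),
        "account_id": finding.get("AwsAccountId"),
        "region": finding.get("Region"),
        "title": finding.get("Title"),
        "severity": severity,
        "severity_rank": SEVERITY_RANK.get(severity, 0),  # numeric, so range queries work
        "workflow_status": finding.get("Workflow", {}).get("Status"),
        "resource_ids": [r.get("Id") for r in resources],
        "resource_types": sorted({r["Type"] for r in resources if "Type" in r}),
        "asff": finding,
    }

def document_id(finding: dict) -> str:
    """Deterministic _id: a re-delivered or updated finding overwrites its earlier
    version instead of producing duplicate hits."""
    return hashlib.sha256(finding["Id"].encode()).hexdigest()

def index_name(doc: dict) -> str:
    """Daily index taken from the finding timestamp (ISO 8601, date first)."""
    day = datetime.strptime(doc["@timestamp"][:10], "%Y-%m-%d")
    return f"{INDEX_PREFIX}-{day:%Y.%m.%d}"

def bulk_actions(findings: list) -> list:
    """(action, document) pairs for the _bulk API."""
    actions = []
    for f in findings:
        doc = transform_finding(f)
        actions.append(({"index": {"_index": index_name(doc), "_id": document_id(f)}}, doc))
    return actions

def build_bulk_body(findings: list) -> str:
    """NDJSON body: action line, document line, and the trailing newline _bulk requires."""
    return "".join(json.dumps(a) + "\n" + json.dumps(d) + "\n" for a, d in bulk_actions(findings))

def sample_s3_body() -> bytes:
    """Constructed S3 object: two EventBridge events concatenated as Firehose writes them."""
    second = dict(SAMPLE_FINDING, Id=SAMPLE_FINDING["Id"] + "-2",
                  Severity={"Label": "LOW"}, UpdatedAt="2023-03-03T01:00:00Z")
    events = [{"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
               "detail": {"findings": [f]}} for f in (SAMPLE_FINDING, second)]
    return "".join(json.dumps(e) for e in events).encode()
```

In the Lambda itself the S3 object body goes through parse_concatenated_json and extract_findings, and the NDJSON from build_bulk_body is POSTed to the domain's /_bulk endpoint with a SigV4-signed request (for example opensearch-py with AWSV4SignerAuth); check the per-item errors in the bulk response rather than only the HTTP status, since _bulk returns 200 even when individual documents are rejected. The deterministic _id is what keeps a finding that Security Hub updates several times from appearing as several hits.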

Shipping logs to an existing SIEM Solution

Also in this post, we show how security events collected in AWS Security Hub can be fed into a SIEM for customers that already run an established platform such as Splunk, a widely used SIEM that can monitor, search, and analyse data from AWS Security Hub.

If you want to use AWS Security Hub to supplement an existing SIEM such as Splunk, the following solution streams security events from AWS Security Hub into your SIEM. Security Hub ingests findings from multiple products such as AWS Config and Amazon GuardDuty. We use a separate log group per product here to keep findings apart and reduce the complexity of later analysis. A Kinesis Data Stream enables cross-account streaming and preserves record order within a shard. A Kinesis Data Firehose delivery stream consumes the data stream; its AWS Lambda transformation function converts the Security Hub finding format and hands the records back to Firehose, which then delivers them to Splunk through the Splunk HTTP Event Collector (HEC) for analysis and storage. The solution also provides a second Lambda function for disaster recovery: findings that Firehose could not process or deliver are backed up to an S3 bucket, and this function replays them.
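The transformation Lambda in the Splunk path, as an added example in Python rather than the post's own code: Firehose hands it base64-encoded records from the Kinesis Data Stream (each an EventBridge event wrapping Security Hub findings), and it returns one record per input with the findings reshaped as Splunk HEC events. The HEC sourcetype and index names are assumptions, and the sample invocation is constructed; records it cannot parse are marked ProcessingFailed so that Firehose writes them to its S3 backup bucket, which is what the replay Lambda works from.

```python
"""Kinesis Data Firehose transformation Lambda for the Splunk path: Security Hub
findings arrive as EventBridge events via a Kinesis Data Stream and leave as
Splunk HTTP Event Collector (HEC) events. Added example, not the post's code.
Assumed: the HEC sourcetype and index names, and that HEC's event endpoint
receives the records."""
import base64
import json
from datetime import datetime, timezone

HEC_SOURCETYPE = "aws:securityhub:finding"  # assumed; match your Splunk add-on
HEC_INDEX = "aws_security"                  # assumed Splunk index

def _epoch(ts: str) -> float:
    """ASFF timestamps are ISO 8601 UTC ('...Z'); HEC wants epoch seconds."""
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc).timestamp()

def to_hec_event(finding: dict) -> dict:
    """One HEC JSON event per finding; the full ASFF body is the event payload."""
    return {
        "time": _epoch(finding.get("UpdatedAt") or finding["CreatedAt"]),
        "host": finding.get("AwsAccountId", "unknown"),
        "source": finding.get("ProductArn", "securityhub"),
        "sourcetype": HEC_SOURCETYPE,
        "index": HEC_INDEX,
        "event": finding,
    }

def transform_record(data_b64: str) -> tuple:
    """Return (result, data) per the Firehose transformation contract: 'Ok',
    'Dropped' (nothing to deliver) or 'ProcessingFailed' (Firehose writes the
    original record to the delivery stream's S3 backup bucket for replay)."""
    try:
        payload = json.loads(base64.b64decode(data_b64))
        if "detail" in payload:            # EventBridge envelope
            findings = payload["detail"].get("findings", [])
        elif "Id" in payload:              # bare ASFF finding
            findings = [payload]
        else:
            return "ProcessingFailed", data_b64
        if not findings:
            return "Dropped", data_b64
        # Firehose needs exactly one output record per input record, so several
        # findings become newline-separated HEC events inside that one record;
        # HEC's /services/collector/event endpoint accepts a batch like that.
        body = "\n".join(json.dumps(to_hec_event(f)) for f in findings)
        return "Ok", base64.b64encode(body.encode()).decode()
    except (ValueError, KeyError, TypeError, AttributeError):
        return "ProcessingFailed", data_b64

def hec_events_from_record(data_b64: str) -> list:
    """Decode an 'Ok' record back into its HEC events (useful for tests and replay)."""
    return [json.loads(line) for line in base64.b64decode(data_b64).decode().splitlines()]

def handler(event: dict, context=None) -> dict:
    """Lambda entry point invoked by Firehose; recordIds must be echoed unchanged."""
    out = []
    for rec in event["records"]:
        result, data = transform_record(rec["data"])
        out.append({"recordId": rec["recordId"], "result": result, "data": data})
    return {"records": out}

def sample_firehose_event() -> dict:
    """Constructed Firehose invocation: a two-finding EventBridge record, an empty
    one, and a corrupt one (values made up; the ASFF shape is real)."""
    finding = {
        "Id": "arn:aws:guardduty:ap-southeast-2:111122223333:detector/d1/finding/f1",
        "ProductArn": "arn:aws:securityhub:ap-southeast-2::product/aws/guardduty",
        "AwsAccountId": "111122223333",
        "CreatedAt": "2023-03-01T02:15:00.000Z",
        "UpdatedAt": "2023-03-02T09:30:00.000Z",
        "Severity": {"Label": "HIGH"},
        "Title": "EC2 instance i-0abc123 is querying a domain linked to a known C&C server.",
    }
    envelope = {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
                "detail": {"findings": [finding, dict(finding, Id=finding["Id"] + "-2",
                                                     Severity={"Label": "MEDIUM"})]}}

    def enc(obj) -> str:
        return base64.b64encode(json.dumps(obj).encode()).decode()

    return {"records": [
        {"recordId": "r1", "data": enc(envelope)},
        {"recordId": "r2", "data": enc({"detail": {"findings": []}})},
        {"recordId": "r3", "data": base64.b64encode(b"not json").decode()},
    ]}
```

Two points worth keeping in mind when adapting this: every recordId Firehose sends must come back with a result, or the whole batch is retried; and a record marked ProcessingFailed keeps its original payload, which is what lets the disaster-recovery Lambda re-read it from the S3 backup bucket and resubmit it once the cause is fixed.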

Solution Architecture:

Conclusion

In this post, we have shown how AWS Security Hub and Amazon OpenSearch can be used together to build a SIEM solution. We have also shown how security events collected in AWS Security Hub can be integrated into a SIEM solution for customers that already have an established system such as Splunk.

If you are looking to supplement your current SIEM solution or build a new one, AWS Security Hub and Amazon OpenSearch provide the ability to quickly search for and find the information you need to respond to security incidents.

To get started with AWS Security Hub, visit the AWS Security Hub service page. To learn more about Amazon OpenSearch, visit the Amazon OpenSearch service page. For more information on Splunk Enterprise on AWS, visit the Splunk page on AWS Marketplace.

Technical details of the AWS Security Hub and Amazon OpenSearch implementation can be found on the AWS Security Blog.