Enabling Seamless Security and Compliance with Sumo Logic and AWS Security Hub
By Himanshu Pal, Application Developer at Sumo Logic
By Rishi Divate, Principal Technical Product Manager at Sumo Logic
AWS Security Hub gives you a comprehensive view of your high-priority security alerts and compliance status across Amazon Web Services (AWS) accounts.
The service also aggregates security events—called findings—from specific AWS security services such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, while supporting third-party finding providers such as Sumo Logic.
As one of the AWS Security Hub beta partners, Sumo Logic announced at AWS re:Invent 2018 a bi-directional integration with AWS Security Hub.
In this post, we’ll provide an overview of how Sumo Logic’s integration with AWS Security Hub works and how to leverage it to address the following goals:
- Correlate and investigate root causes of findings across infrastructure, application, and security vendors.
- Respond and remediate the root causes of findings.
- Ensure compliance with key regulations.
- Detect critical security events with Sumo Logic platform correlations and forward them to the Security Hub for aggregation.
Sumo Logic is an AWS Partner Network (APN) Advanced Technology Partner with AWS Competencies in Security, Data & Analytics, and DevOps. If you want to be successful in today’s complex IT environment, and remain that way tomorrow and into the future, teaming up with an AWS Competency Partner like Sumo Logic is The Next Smart.
Collecting Findings and Installing the App
Sumo Logic provides bi-directional integration with AWS Security Hub by collecting findings from Security Hub into Sumo Logic for investigation and remediation.
With this integration, critical security events detected via Sumo Logic correlations across all of your security alerts can be forwarded to Security Hub for aggregation.
Sumo Logic collects findings from AWS Security Hub via the following mechanism:
- Security Hub sends notifications based on Amazon CloudWatch Events when a new finding or update to an existing finding is reported.
- A CloudWatch Events rule enables Amazon CloudWatch to send events with the Security Hub findings to an AWS Lambda function deployed via the AWS Serverless Application Repository, which sends the events to a Sumo Logic HTTP source.
Figure 1 – Collection architecture.
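The collection path described above can be sketched as a small Lambda handler. This is an added example, not the function published in the AWS Serverless Application Repository; the collector URL is a placeholder, the sample event is constructed, and sending one finding per line is an assumption about how the HTTP source splits messages.

```python
import json
import urllib.request

# Rule pattern: match events that carry findings imported into Security Hub.
EVENT_PATTERN = {"source": ["aws.securityhub"],
                 "detail-type": ["Security Hub Findings - Imported"]}
# Placeholder: a real HTTP source URL embeds its access token, so store it as a secret.
SUMO_URL = "https://collector.example.invalid/receiver/v1/http/PLACEHOLDER"

# Constructed event, trimmed to the fields used here.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "finding-1", "Title": "Constructed finding A", "Severity": {"Label": "HIGH"}},
        {"Id": "finding-2", "Title": "Constructed finding B", "Severity": {"Label": "LOW"}},
    ]},
}


def matches(event, pattern=EVENT_PATTERN):
    """Minimal matcher for the flat pattern above, not the full pattern language."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())


def build_request(event, url=SUMO_URL):
    """Return a POST with one JSON finding per line, or None if nothing to send."""
    findings = event.get("detail", {}).get("findings", []) if matches(event) else []
    if not findings:
        return None
    body = "\n".join(json.dumps(f, separators=(",", ":")) for f in findings)
    return urllib.request.Request(url, data=body.encode("utf-8"), method="POST",
                                  headers={"Content-Type": "application/json"})


def lambda_handler(event, context):
    """Forward the findings; the count returned is the number of lines posted."""
    request = build_request(event)
    if request is None:
        return {"forwarded": 0}
    with urllib.request.urlopen(request, timeout=10) as response:
        response.read()
    return {"forwarded": request.data.count(b"\n") + 1}
```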
Once you have configured this collection, the Sumo Logic app for Security Hub can be installed to analyze findings via out-of-the-box dashboards. For additional details, please see the help page for collecting findings and instructions on how to install the application.
Leveraging App Dashboards
Now that we’ve seen how to get findings and install the app, let’s look at dashboard examples.
The AWS Security Hub Overview dashboard, as shown in Figure 2, provides a high-level view of all findings. From here, you can drill down into the details by clicking on any of the panels. You can also navigate directly to the finding in the Security Hub console.
Figure 2 – AWS Security Hub Overview dashboard.
In the Resources Affected dashboard, you can view all findings by the type of resource (AWS or otherwise). In Figure 3, we see all findings sorted by severity in the Finding Details by Severity panel.
In this example, a high-severity finding reported by Amazon Macie indicates credentials were uploaded to an Amazon Simple Storage Service (Amazon S3) bucket.
Figure 3 – AWS Security Hub Resources Affected dashboard.
Leveraging Searches for Investigations and Remediations
Sumo Logic customers can investigate root causes of findings by analyzing security events and logs from various security and operational data sources via Sumo Logic search capabilities. This helps you fully understand root causes and address findings.
In the example above, after getting the bucket name, we can run a search in Sumo Logic to show all activity on that bucket in AWS CloudTrail logs and find out which user in Sumo Logic was responsible for uploading those credentials.
Figure 4 – Investigating AWS CloudTrail events.
With this information, you can take action against the user and delete the sensitive file in Amazon S3.
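The same investigation logic, written out over raw CloudTrail records rather than as a Sumo Logic search. This is an added example, not part of the original post; the log lines, bucket names and ARNs are constructed, and the function names are hypothetical.

```python
import json
from collections import defaultdict

WRITE_EVENTS = {"PutObject", "CopyObject", "CompleteMultipartUpload"}


def _event(time, name, user, bucket, key):
    """Build one constructed CloudTrail record as a JSON line."""
    return json.dumps({
        "eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
        "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
        "requestParameters": {"bucketName": bucket, "key": key}})


# Constructed sample log; every name, ARN and key is made up.
SAMPLE_LOG = "\n".join([
    _event("2018-11-28T10:02:11Z", "PutObject", "alice", "example-reports", "deploy/credentials.csv"),
    _event("2018-11-28T10:05:40Z", "GetObject", "bob", "example-reports", "deploy/credentials.csv"),
    _event("2018-11-28T10:09:03Z", "PutObject", "carol", "example-reports", "q3/report.pdf"),
    _event("2018-11-28T10:11:57Z", "PutObject", "alice", "example-other", "notes/credentials.txt"),
    '{"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "requestParameters": null}',
    '{"eventTime": "2018-11-28T10:12',  # truncated record
])


def bucket_activity(log_text, bucket):
    """Yield every parsed S3 event that targets `bucket`, skipping unparseable lines."""
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except ValueError:
            continue
        params = record.get("requestParameters") or {}  # null for some API calls
        if record.get("eventSource") == "s3.amazonaws.com" and params.get("bucketName") == bucket:
            yield record


def uploads_by_principal(log_text, bucket, key_substring=""):
    """Map each principal ARN to the (time, key) pairs it wrote to `bucket`."""
    uploads = defaultdict(list)
    for record in bucket_activity(log_text, bucket):
        key = record["requestParameters"].get("key", "")
        if record.get("eventName") in WRITE_EVENTS and key_substring in key:
            arn = (record.get("userIdentity") or {}).get("arn", "unknown")
            uploads[arn].append((record.get("eventTime"), key))
    return {arn: sorted(pairs) for arn, pairs in uploads.items()}
```

Object-level calls such as PutObject appear in CloudTrail only when S3 data events are enabled on the trail, so an empty result can mean missing logging rather than no uploads.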
Going forward, you can create searches in Sumo Logic to automate these investigation steps and remediate threats leveraging integrations with ticketing tools, incident response platforms, and notification mechanisms such as AWS Lambda, webhook connections, Slack, PagerDuty, OpsGenie and ServiceNow.
AWS Security Hub reports and aggregates compliance findings, which are collected and reported in the Compliance dashboard. You can use this dashboard to monitor findings that failed compliance checks.
Figure 5 – AWS Security Hub Compliance dashboard.
As shown in Figure 6, panels from this dashboard can be combined with compliance dashboards you may already have, such as for PCI or GDPR, to get a complete view of your compliance posture.
Figure 6 – Compliance Overview dashboard.
Forwarding Sumo Logic Findings to AWS Security Hub
To send findings across your hybrid IT infrastructure to AWS Security Hub for aggregation, follow the steps in the Sumo Logic documentation.
Here’s how it works: A scheduled search in Sumo Logic that identifies critical security events across your hybrid IT and DevOps infrastructure is configured to send its results to a Sumo Logic webhook that invokes a Lambda function.
The triggered Lambda function parses the search results, transforms them into findings in the Amazon Finding Format (AFF), and sends them to Security Hub.
Figure 7 – AWS Security Hub Forwarder architecture.
Say, for example, you are securing web application traffic with AWS WAF and using the threat intelligence capabilities in the Sumo Logic application for AWS WAF, and you discover that traffic allowed by AWS WAF is coming from malicious IP addresses.
You can format your search with the mandatory fields necessary to send these over in the AFF to Security Hub.
Figure 8 – Allowed traffic by malicious IPs search.
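The transformation step and the mandatory fields mentioned above, as an added example that is not the forwarder Lambda's own code. Field names follow the AWS Security Finding Format, the current name of the format this post calls AFF; the result-row column names, the search name and the use of the account's default custom-product ARN are assumptions, and the rows are constructed.

```python
from datetime import datetime, timezone

# Required top-level attributes of a finding (AWS Security Finding Format names).
REQUIRED = ("SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId", "Types",
            "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources")
MAX_BATCH = 100  # BatchImportFindings accepts at most 100 findings per call

# Constructed search-result rows; the column names are hypothetical.
SAMPLE_ROWS = [
    {"src_ip": "203.0.113.7", "web_acl": "example-acl", "requests": "42",
     "aws_account_id": "111122223333", "region": "us-east-1"},
    {"src_ip": "198.51.100.9", "web_acl": "example-acl", "requests": "3",
     "aws_account_id": "", "region": "us-east-1"},  # account id missing
]


def row_to_finding(row, search_name, now=None):
    """Map one result row to a finding; `now` is injectable for testing."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    account, region = row.get("aws_account_id", ""), row.get("region", "")
    return {
        "SchemaVersion": "2018-10-08",
        # Same Id on every run, so a re-run updates the finding instead of duplicating it.
        "Id": f"{search_name}/{row.get('web_acl')}/{row.get('src_ip')}",
        # Assumption: the account's default custom-product ARN.
        "ProductArn": f"arn:aws:securityhub:{region}:{account}:product/{account}/default",
        "GeneratorId": search_name, "AwsAccountId": account,
        "Types": ["Unusual Behaviors/Network Flow"],
        "CreatedAt": stamp, "UpdatedAt": stamp,
        "Severity": {"Label": "HIGH"},
        "Title": f"AWS WAF allowed traffic from flagged IP {row.get('src_ip')}",
        "Description": f"{row.get('requests')} allowed requests via {row.get('web_acl')}"[:1024],
        "Resources": [{"Type": "Other", "Id": str(row.get("web_acl"))}],
    }


def build_batches(rows, search_name, now=None):
    """Return (batches of valid findings, rejected rows with their empty fields)."""
    valid, rejected = [], []
    for row in rows:
        finding = row_to_finding(row, search_name, now)
        gaps = [name for name in REQUIRED if not finding.get(name)]
        if gaps:
            rejected.append((row, gaps))
        else:
            valid.append(finding)
    batches = [valid[i:i + MAX_BATCH] for i in range(0, len(valid), MAX_BATCH)]
    return batches, rejected
```

Each batch is sized for one BatchImportFindings call; rejected rows are returned with the names of the empty fields so a malformed search result is surfaced instead of silently dropped.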
After the search has been written, you can schedule and configure it to send results to the Lambda webhook configured earlier, which will forward the results as findings to AWS Security Hub.
Figure 9 – AWS Security Hub Findings console.
In this post, we have given an overview of how the Sumo Logic bi-directional integration with AWS Security Hub works so you can:
- Collect findings from AWS Security Hub.
- Use Sumo Logic dashboards and searches to investigate root causes, correlate with logs from other services, and respond to security threats.
- Use Sumo Logic out-of-the-box compliance dashboards to ensure regulatory compliance.
- Configure scheduled searches to send critical security events as findings to AWS Security Hub.
The Sumo Logic platform, with its bi-directional integration for AWS Security Hub, provides a complete security detection and response solution for security teams to correlate, investigate, and respond to events across vendors, as well as to monitor and address compliance gaps.
For more security and DevSecOps-focused reads, check out the Sumo Logic blog.
The content and opinions in this blog are those of the third party author and AWS is not responsible for the content or accuracy of this post.
Sumo Logic – APN Partner Spotlight
Sumo Logic is an AWS Competency Partner. Its cloud-based machine data analytics service helps customers gain instant insights into their growing and complex pool of machine data.