Event-Driven Security Monitoring with Arctic Wolf and AWS Security Hub
By Chavi Gupta, Partner Solutions Architect – AWS
By Jeremiah Cornelius, Principal Alliance Architect – Arctic Wolf
By Britt Serra, Product Marketing Manager – Arctic Wolf
By Alex Packman, Product Owner – Arctic Wolf
Continuous malicious activity is a reality for today's cloud infrastructure. Cybersecurity companies and experts must consider these threats while designing their products, and operations teams should have robust mechanisms in place to detect and respond to security threats.
To help customers deal with cybersecurity challenges, Amazon Web Services (AWS) provides capability for aggregated and unified alerting—with a large array of technologies to monitor and control cloud-based application stacks and hosted data.
Making intelligent use of this information, to close the window of opportunity for an attacker, is the role of the Arctic Wolf Security Operations Cloud. It ingests telemetry from Amazon GuardDuty, AWS CloudTrail, AWS Security Hub, and other AWS security services to provide holistic visibility with data correlation and analytics, supporting detection of and response to cyber threats.
The findings and anomalies detected by these security services are used to identify, protect against, detect, respond to, and recover from cybersecurity threats.
AWS Security Hub provides customers with a comprehensive view of their security state within AWS, and helps check their environment against security industry standards and best practices. It collects security data from AWS accounts, services, and supported third-party partner products to help customers analyze their security posture and identify the highest priority security issues.
The Arctic Wolf Security Operations Cloud utilizes telemetry from AWS security services to provide actionable, correlated, and verified alerting, guided remediation of threats, and proactive hardening of a customer’s security posture.
In this post, we’ll cover Arctic Wolf’s integration with AWS Security Hub, including a description of the technology and steps for setting up the integration. Arctic Wolf is an AWS Competency Partner and AWS Marketplace Seller that is a leading provider of cloud security operations.
The figure below depicts the architecture and AWS services that are deployed in the customer’s AWS environment when they enable the AWS Security Hub integration by Arctic Wolf.
Figure 1 – Architecture of Arctic Wolf’s integration with AWS Security Hub.
Here's how findings flow from AWS Security Hub into the Arctic Wolf Security Operations Cloud:
- AWS Security Hub automatically sends new findings and updates to existing findings to Amazon EventBridge as events. Customers can also choose to send custom actions, or a small set of findings to EventBridge. This provides an event-driven approach to security monitoring and does not require the threat detection service to poll Security Hub for security findings.
- An EventBridge rule is created to automatically send all findings whose source is “aws.securityhub” to Amazon Kinesis Data Firehose.
- An Amazon Simple Storage Service (Amazon S3) bucket is configured as the destination of the Kinesis Data Firehose delivery stream.
- An AWS Lambda function is triggered as soon as a finding arrives in the S3 bucket. The Lambda function processes the finding and puts the sorted finding in a destination S3 bucket.
- The Arctic Wolf Security Operations Cloud, which has authorization to read data from the destination S3 bucket, receives the finding.
- Arctic Wolf then processes this information to provide intelligent insights and verified alerting of threats.
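The Lambda step in the flow above, as an added Python example that is not Arctic Wolf's code: it parses an S3 object the way Kinesis Data Firehose writes it (records concatenated with no delimiter unless one is configured), pulls the ASFF findings out of each Security Hub EventBridge envelope, and computes a sort key for the destination bucket. The severity/product key layout is an assumption, the sample envelopes are constructed, and the actual S3 read and write (which would use boto3) are left out.

```python
import json
from typing import List

# Constructed sample object as Firehose would write it to S3: two EventBridge
# envelopes concatenated into one JSON stream with no delimiter. All values
# are constructed for this example, not taken from the post.
SAMPLE_OBJECT = json.dumps({
    "source": "aws.securityhub",
    "detail": {"findings": [{
        "Id": "constructed-finding-1",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
        "Severity": {"Label": "HIGH"},
    }]},
}) + json.dumps({
    "source": "aws.securityhub",
    "detail": {"findings": [{
        "Id": "constructed-finding-2",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
        "Severity": {"Label": "LOW"},
    }]},
})


def iter_json_objects(body: str):
    """Yield each top-level JSON object from an undelimited concatenated stream."""
    decoder = json.JSONDecoder()
    pos = 0
    while pos < len(body):
        if body[pos].isspace():      # tolerate optional newline delimiters
            pos += 1
            continue
        obj, pos = decoder.raw_decode(body, pos)
        yield obj


def extract_findings(body: str) -> List[dict]:
    """Collect the ASFF findings carried in every Security Hub EventBridge envelope."""
    findings = []
    for envelope in iter_json_objects(body):
        if envelope.get("source") != "aws.securityhub":
            continue  # the rule only forwards Security Hub events; stay defensive anyway
        findings.extend(envelope.get("detail", {}).get("findings", []))
    return findings


def destination_key(finding: dict) -> str:
    """Hypothetical sort layout for the destination bucket: severity/product/id.json."""
    severity = finding.get("Severity", {}).get("Label", "INFORMATIONAL").lower()
    product = finding.get("ProductArn", "unknown").rsplit("/", 1)[-1]
    return f"{severity}/{product}/{finding['Id']}.json"
```

A naive `json.loads` on the whole object fails on the second envelope, which is the usual cause of "findings silently dropped" when a Firehose-fed Lambda is first deployed.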
Arctic Wolf Security Hub Integration
Enabling Arctic Wolf’s AWS Security Hub integration allows the Arctic Wolf Security Operations Cloud to retrieve security findings from the customer’s AWS environment and process those findings to provide meaningful insights to the security analysts and customers.
AWS findings are then correlated with a customer’s other security telemetry (from sources such as endpoint, network, cloud, and identity) using a combination of intelligent automation in the Arctic Wolf platform and human verification.
The result is a clear identification of security events that pose an actual cyber risk versus volumes of “security noise” signals. This means rapid responses to threats without fatiguing security analysts with numerous unverified alerts.
Figure 2 provides an overview of Arctic Wolf’s suite of security solutions working in conjunction with security events received from AWS Security Hub.
Figure 2 – Arctic Wolf solution-level integration with AWS Security Hub.
Deployment and configuration of Arctic Wolf’s Security Hub integration is managed using cloud-native tools, suited to AWS operations workflows already in use by organizations for their infrastructure.
Upon configuration of the solution, clients will have 24×7 security monitoring via Arctic Wolf for all Security Hub findings, including findings from Amazon GuardDuty.
- Arctic Wolf’s Security Hub integration supports AWS Security Finding Format (ASFF), which is the standard format for all Security Hub integrations and solutions.
- Arctic Wolf’s AWS CloudTrail integration is a prerequisite for this integration.
- Arctic Wolf’s Security Hub integration is deployed using an AWS CloudFormation template, provided to customers by Arctic Wolf, in Arctic Wolf’s Configuring AWS Security Hub integration guide.
- After completing all of the steps in the integration guide, customers and their Concierge Security Team (CST) will verify the setup was successful. The CST is a customer’s dedicated team of security operations experts at Arctic Wolf, and they will confirm that Security Hub findings are successfully received by the Arctic Wolf Security Operations Cloud.
In this post, we showed you how to set up the Arctic Wolf Security Operations Cloud and AWS Security Hub integration to provide a holistic and operational view of an organization’s security environment.
As a pilot vendor of the AWS Level 1 MSSP Competency specializations launched at AWS re:Inforce 2022, Arctic Wolf has achieved specialization in Digital Forensics and Incident Response. Arctic Wolf’s Security Operations Cloud can be transacted through AWS Marketplace.
If you are an AWS customer and need help with this procedure, please reach out to your account manager.
Arctic Wolf – AWS Partner Spotlight
Arctic Wolf is an AWS Competency Partner and AWS Marketplace Seller that is a leading provider of cloud security operations.