The Internet of Things on AWS – Official Blog

Importing AWS IoT Device Defender audit and detect findings into Security Hub

Introduction

In this post, you’ll learn how the integration of IoT security findings into AWS Security Hub works, and you can download AWS CloudFormation templates to implement the solution. After you deploy the solution, every AWS IoT Device Defender audit and detect finding will be recorded as a Security Hub finding. The findings within Security Hub provide an AWS IoT Device Defender finding severity level and direct link to the AWS IoT Device Defender console so that you can take possible remediation actions. If you address the underlying findings or suppress the findings by using the AWS IoT Device Defender console, the solution will automatically archive any related findings in Security Hub.

In this previous blog on implementing security monitoring across OT, IIoT and cloud with AWS Security Hub, we discussed how a siloed approach to OT, IIoT and cloud security monitoring, could result in blind spots. Bad actors could exploit these blind spots, and that’s why it is important to implement security monitoring across the entire attack surface including edge and cloud as well on-site and off-site assets. We used AWS Security Hub to gain a centralized view of security findings across both factory and cloud environments when implementing IIoT solutions.

In a previous blog How to import AWS IoT Device Defender audit findings into Security Hub, we discussed how to import AWS IoT Device Defender audit findings into Security Hub. In this blog, we added AWS IoT Device Defender detect findings and show you how to import AWS IoT Device Defender audit and detect findings into Security Hub using a custom solution.

AWS Security Hub provides a comprehensive view of the security alerts and security posture in your accounts. In this blog post, we show how you can import AWS IoT Device Defender audit and detect findings into Security Hub. You can then view and organize IoT and IIoT security findings in Security Hub together with findings from other integrated AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM), Access Analyzer, AWS Systems Manager, and more. In addition, you can integrate security events from OT Intrusion Detection Solutions (IDS) like Dragos, Claroty and Nozomi into AWS Security Hub. You can use AWS Security Hub to provide a centralized view of all security-related findings, where you can set up alerting and automatic remediation.

With AWS IoT Device Defender detect, customers can monitor for intellectual property theft, data exfiltration, impersonation, cloud infrastructure abuse, denial-of-service (DoS), lateral threat escalation, surveillance, cryptocurrency mining, command and control, malware and ransomware. How can you send these security findings to AWS Security Hub?

Solution scope

For this solution, we assume that you are familiar with how to set up an IoT environment and set up AWS IoT Device Defender. To learn more how to set up your environment, see the AWS tutorials, such as Getting started with AWS IoT Greengrass and Setting up AWS IoT Device Defender

The solution is intended for AWS accounts with fewer than 10,000 findings per scan. If AWS IoT Device Defender has more than 10,000 findings, the limit of 15 minutes for the duration of the serverless AWS Lambda function might be exceeded, depending on the network delay, and the function will fail.

The solution is designed for AWS Regions where AWS IoT Device Defender, serverless Lambda functionality and Security Hub are available; for more information, see AWS Regional Services. The China (Beijing) and China (Ningxia) Regions and the AWS GovCloud (US) Regions are excluded from the solution scope.

Solution overview

With this solution, you can configure AWS IoT Device Defender audit, rules detect and ML detect.

The templates that we provide here will provision an Amazon Simple Notification Service (Amazon SNS) topic notifying you when the AWS IoT Device Defender report is ready, and a Lambda function that imports the findings from the report into Security Hub. Figure 1 shows the solution architecture.

Figure 1. Solution architecture

Solution workflow:

1.     AWS IoT Device Defender detects a misconfiguration (audit finding) or a behavioral anomaly from the monitored IoT device

2.     AWS IoT Device defender publishes the event to an SNS topic.

3.     As a result, an AWS Lambda function processes the generated finding (AWS IoT Device Defender audit) or anomalies (AWS IoT Device Defender Detect).

4.     If it’s an audit finding, the Lambda function gets additional details using AWS IoT Device Defender API. If it’s an detect violation, it tries to get the severity from the name of the behavior that triggered the anomaly. You can customize each behavior’s severity directly in the AWS CloudFormation templates.

5.     Finally, the Lambda function imports a new finding into Security Hub. An example of findings in Security Hub is shown in Figure 3.

Additionally, when a security operator marks the alarm as either “False positive” or “Benign positive” through AWS IoT alarms console:

1.     An Amazon Event Bridge rule monitoring AWS Cloudtrail event triggers an AWS Lambda function

2.     The Lambda function archives the related finding in AWS Security Hub.

Prerequisites

  • You must have Security Hub turned on in the Region where you’re deploying the solution.
  • You must also have your IoT environment set. (To use test environment, you can use the following workshop – Get Started with AWS IoT )

Walkthrough

To get started, you need to setup the sample solution.

1. Log in to your AWS account if you haven’t done so already. Choose Launch Stack to launch the CloudFormation console with the sample template. Choose Next.

Additionally, you can download the latest solution code from GitHub.

2. Configure your stack parameters as shown in Figure 2. If you haven’t configured any AWS IoT Device Defender on-going audits or security profiles, change to true the following parameters:

  • Create security profile BY creating rules of expected device behavior
  • Enable on-going audits for your fleet

3. Optionally, you can deploy additional AWS IoT Device Defender configurations using the following AWS CloudFormation parameters:

  • Create a security profile using machine learning models.
  • Adjust the confidence level for ML-based anomalies (if enabled we can tweak the ML model).
  • Extend the created security profiles (ML or rules) to monitor device-side metrics.
  • Specify your own subset of IoT devices ARNs to monitor for anomalies. By default, the solution monitors all devices using the deployed security profiles.

We’ll use rule-based behavior to test the solution is working in the next step.

Figure 2. AWS CloudFormation parameters

Test the solution

We’re going to simulate a security event that will trigger an AWS IoT Device Defender rule-based security profile. The rule-based profile has defined two behavior rules for Connection attempts and disconnects that are triggered after one occurrence. For this test, we’ll use the MQTT test client, which acts as an IoT device that can publish and subscribe to MQTT topics.

Go to AWS IoT Core console, and select MQTT test client. Select Subscribe to a topic and enter # (all topics) in Topic Filter. Finally, under Subscriptions

Select the cross to disconnect from topic. This should trigger a disconnect event that will trigger AWS IoT Device Defender rule-based alarms.

You can then go to AWS Security Hub console, under the navigation panel select Findings and then order findings based on “Updated at” to find these related findings. Under the description, you’ll find the profile, rule and criteria related to the alarm.

Figure 3. AWS Security Hub findings

Next, we’ll mark the anomaly as a false positive to archive its finding in AWS Security Hub.

Go to AWS IoT Core console, under the Security navigation panel, expand Detect and select Alarms. Select the alarm that has been triggered and then press the Mark verification state button. Select FALSE_POSITIVE and add any description. When you to return to AWS Security Hub findings console, search for Workflow status is SUPPRESSED to find the suppressed finding related to the anomaly.

Figure 4. Marking alarm as false positive

Conclusion

In this post, you’ve learned how to integrate AWS IoT Device Defender audit and detect findings with Security Hub to gain a centralized view of security findings across both your enterprise, IoT and IIoT workloads. By ingesting security events into AWS, customers can triage alarms and get deeper insights and situational awareness of their OT, IIoT and cloud security posture. The solution can be extended by using additional AWS services, including Amazon EventBridge, AWS Lambda, and Amazon DynamoDB to correlate AWS Security Hub findings from multiple AWS security services. To learn more, read Correlate security findings with AWS Security Hub and Amazon EventBridge.

About the Authors

Ryan Dsouza AWSRyan Dsouza is a Principal Solutions Architect for industrial IoT at AWS. Based in New York City, Ryan helps customers design, develop, and operate more secure, scalable, and innovative solutions using the breadth and depth of AWS capabilities to deliver measurable business outcomes. Ryan has more than 25 years of experience in digital platforms, smart manufacturing, energy management, building and industrial automation, OT/IT convergence and IIoT security across a diverse range of industries. Before AWS, Ryan worked for Accenture, SIEMENS, General Electric, IBM, and AECOM, serving customers for their digital transformation initiatives.
Syed Rehan is a Sr. Global IoT Evangelist at Amazon Web Services (AWS) and is based out of London. He is covering global span of customers working with developers and decision makers at large enterprises to drive the adoption of AWS IoT services. Syed has in-depth knowledge of IoT and cloud and works in this role with global customers ranging from start-up to enterprises to enable them to build IoT solutions with the AWS Eco system.
Joaquin Manuel Rinaudo is a Senior Security Architect with AWS Professional Services. He is passionate about building solutions that help developers improve their software quality. Prior to AWS, he worked across multiple domains in the security industry, from mobile security to cloud and compliance related topics. In his free time, Joaquin enjoys spending time with family and reading science-fiction novels.