In this blog, I will explain how you can secure your AWS-hosted applications by using Illumio ASP to enrich AWS Security Hub with high fidelity findings, then take custom action from the Security Hub to mitigate identified threats.
About AWS Security Hub
AWS Security Hub provides you with a comprehensive view of your security state within AWS and compliance with security industry standards and best practices. Security Hub centralizes and prioritizes security and compliance findings from across AWS accounts, services, and supported third-party partners like Illumio to help you analyze your security trends and identify the highest priority security issues.
Benefits of Integration
Illumio Adaptive Security Platform (ASP) easily integrates with AWS Security Hub to dynamically mitigate the potential attacks on your AWS environments directly from AWS.
- This integration enriches AWS Security Hub's "single pane of glass" with Illumio security findings.
- Customers now correlate multiple events from different providers in one place – the Security Hub.
- Customers can act on critical events from the Security Hub dashboard to directly quarantine suspicious or compromised workloads.
Illumio ASP and AWS Security Hub Integration
The security events generated by Illumio ASP are made available through AWS Security Hub. Illumio's Security Hub Connector (SHC) acts as a facilitator between Illumio ASP and AWS Security Hub and uses the Amazon Security Findings Format (ASFF), a communication standard for data interchange between Security Hub and its partner software. ASFF is a simple representation of several data points in a “finding” that is sent to or from the AWS Security Hub. These security findings from Illumio include blocked traffic events, VEN tampering events, and more. Along with the security event logs, the findings generated by Illumio SHC provide detailed context about threats such as instance metadata and workload labels as shown in Figure 1 below.
Figure 1: Illumio ASP and AWS Security Hub Integration Workflow
To receive Illumio ASP findings:
1. A SOC operator has to enable AWS Security Hub in the EC2 region.
2. Subscribe to receive findings from Illumio ASP on the AWS Security Hub dashboard. It is assumed that Illumio ASP is already deployed in the AWS environment.
3. The SOC operator has to then deploy the Illumio Security Hub Connector (SHC) application in the same region. The Illumio SHC starts communicating with the Illumio Policy Compute Engine, specified in its deployment configuration and identifies the instances running in the region where it is deployed.
4. For the identified instances, it starts gathering the type of events specified in the SHC deployment configuration, which is blocked traffic events in this case, and converts them in to findings using the workload labels and network metadata.
5. These findings are decorated by EC2 instance metadata.
6. They are then posted to AWS Security Hub by the Illumio SHC. These findings notify the SOC operator about the traffic flows that are being blocked for the workload by the Illumio firewall policy.
Let's consider a high-value business critical HRM application deployed in AWS cloud that provides expense and recruiting services. Since this application hosts private data for current and future employees, it is continuously monitored by a SOC team to identify and mitigate threats. It is therefore critical for the SOC operator to identify and avoid any potential attacks on these application instances. The SOC operator notices security findings from Illumio ASP on the Security Hub dashboard and investigates those findings via the Illumio PCE web console UI to get more information about the potential threat. To resolve this issue before it creates more security concerns, you can use Illumio ASP's real-time application dependency map (Illumination) to analyze the current traffic flows between AWS instances, as shown below.
Figure 2: Illumination View of the HRM Application
The green lines in the map indicate flows that are allowed by policy rules and the red lines indicate policy violations. As explained earlier, the SOC operator has already enabled Security Hub and subscribed to Illumio findings in this region. As soon as the developer instance running it's Onboarding-v2 application (shown in figure 2) inadvertently does port scans on production instances, blocked traffic events will be generated by Illumio PCE because there is no policy that will allow the development instance to access the production instance. The Illumio Security Hub connector detects this event in addition to other security events generated by Illumio ASP and creates a high fidelity AWS Security finding decorated with workload labels which are a combination of Role, Application, Environment, and Location (for example, Onboarding-v2 has Role=Onboarding, Application=HRM, Environment=Development, and Location=AWS) and EC2 metadata by the Illumio Security Hub Connector. Once created, these findings will be posted to Security Hub using the BatchImportFindings API.
Figure 3: AWS Security Hub dashboard showing Illumio Security Hub Finding
These findings helps the SOC operator to identify the Onboarding-v2 instance, which is running in Development is doing a port scan on all application instances that are running in production. The SOC operator understands that it is necessary to quickly stop the communication of the Onboarding-v2 instance. The SOC operator then decides to mitigate the threat by quarantining in Illumio ASP by using:
7. The Security Hub custom actions, which will
8. Invoke the AWS Lambda function, and
9. This will immediately disable all the access for the Onboarding-v2 instance and only allow the operator to SSH into the instance and rectify the error.
Figure 4: Utilizing Illumio findings to take custom actions on AWS Security Hub
Let me demonstrate this scenario in the following short screencast:
Screencast: Demo of Illumio ASP and AWS Security Hub Integration
To learn more about Illumio, go to www.illumio.com/what-we-do.