In the face of relentless cyber threats, organizations operating in the cloud must remain vigilant. Cybersecurity experts and firms are tasked with anticipating these dangers while ensuring their products are robust enough to withstand attacks. To assist users in navigating the complexities of cybersecurity, Amazon Web Services (AWS) offers integrated alerting capabilities, alongside a wide range of technologies designed for monitoring and managing cloud applications and hosted data.
At the forefront of combating these threats is the Arctic Wolf Security Operations Cloud, which effectively utilizes telemetry from services like Amazon GuardDuty, AWS CloudTrail, and AWS Security Hub. This system provides comprehensive visibility through data correlation and analytics, ensuring timely detection and response to cyber threats. The anomalies identified by these services are crucial in the process of identifying, protecting against, detecting, responding to, and recovering from cybersecurity incidents.
AWS Security Hub equips customers with a thorough overview of their security posture within the AWS ecosystem. It evaluates the environment against industry standards and best practices by gathering security data from AWS accounts, services, and selected third-party products. This aggregation aids users in analyzing their security status and pinpointing critical issues.
The Arctic Wolf Security Operations Cloud leverages this telemetry to deliver actionable insights, verified alerts, guided threat remediation, and proactive enhancements to a customer’s security framework. In this article, we will discuss Arctic Wolf’s integration with AWS Security Hub, outlining the technology involved and the steps necessary for implementation. Arctic Wolf proudly stands as an AWS Competency Partner and AWS Marketplace Seller, recognized for its excellence in cloud security operations.
Overview of the Solution
The architecture of Arctic Wolf’s integration with AWS Security Hub is illustrated below:
Figure 1 – Architecture of Arctic Wolf’s integration with AWS Security Hub.
The process of how findings from AWS Security Hub flow into the Arctic Wolf Security Operations Cloud is as follows:
- AWS Security Hub automatically relays new findings, and updates to existing ones, to Amazon EventBridge as events. Customers can additionally use custom actions to send selected findings to EventBridge. This event-driven approach to security monitoring removes the need for the threat detection service to continuously poll Security Hub for updates.
- An EventBridge rule is established to direct all findings, sourced from “aws.securityhub”, to Amazon Kinesis Data Firehose.
- A destination Amazon Simple Storage Service (Amazon S3) bucket is configured for the Kinesis Data Firehose delivery stream.
- An AWS Lambda function is triggered when a finding object arrives in the S3 bucket; it processes the finding and writes it, sorted, into a designated destination S3 bucket.
- The Arctic Wolf Security Operations Cloud, having permission to access the destination S3 bucket, retrieves the finding for analysis.
- Arctic Wolf then processes this data to offer insightful and verified alerts concerning potential threats.
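The steps above, worked through in code as an added example that is not Arctic Wolf's or AWS's own implementation: the EventBridge rule pattern for step 2, and a Lambda handler for step 4 that reads a Kinesis Data Firehose delivery object, splits it into the EventBridge events it contains, pulls the ASFF findings out of each, and writes every finding to a destination bucket under a key sorted by severity label and product. The destination bucket name, the key layout and the in-memory stand-in for the boto3 S3 client are assumptions made for this example; the sample batch is constructed, not real finding data. One practical caveat the code handles: Firehose concatenates records into a single object, and events delivered from EventBridge carry no newline between them unless a delimiter is configured, so the batch is parsed with `raw_decode` rather than by splitting lines.

```python
"""Added example (not Arctic Wolf's or AWS's code): Security Hub findings
flowing EventBridge -> Firehose -> S3 -> Lambda -> sorted destination bucket.
Assumed (not from the page): DEST_BUCKET, the key layout, and FakeS3."""
import io
import json

try:
    import boto3  # only needed when deployed as a real Lambda
except ImportError:  # keeps the example runnable offline
    boto3 = None

# Step 2: EventBridge rule pattern. "aws.securityhub" is the source the page
# names; matching on source alone forwards every Security Hub finding event.
SECURITY_HUB_EVENT_PATTERN = {"source": ["aws.securityhub"]}

DEST_BUCKET = "example-securityhub-destination"  # assumed bucket name


def parse_firehose_batch(body: bytes) -> list:
    """Split one Firehose delivery object into the JSON events it contains.
    Records may be back-to-back or newline-separated, so decode one JSON
    value at a time instead of using json.loads or splitlines."""
    decoder = json.JSONDecoder()
    text = body.decode("utf-8")
    events, pos = [], 0
    while pos < len(text):
        while pos < len(text) and text[pos].isspace():  # skip separators
            pos += 1
        if pos >= len(text):
            break
        obj, pos = decoder.raw_decode(text, pos)
        events.append(obj)
    return events


def findings_from_event(event: dict) -> list:
    """Security Hub events carry ASFF findings in detail.findings.
    Events from any other source are ignored."""
    if event.get("source") != "aws.securityhub":
        return []
    return list(event.get("detail", {}).get("findings", []))


def route_key(finding: dict) -> str:
    """Destination key sorted by ASFF Severity.Label, then the product
    segment of ProductArn, then the finding Id (key layout is assumed)."""
    severity = finding.get("Severity", {}).get("Label", "INFORMATIONAL").upper()
    product = finding.get("ProductArn", "unknown").rsplit("/", 1)[-1]
    fid = finding.get("Id", "no-id").replace("/", "_").replace(":", "_")
    return f"securityhub/{severity}/{product}/{fid}.json"


class FakeS3:
    """Minimal stand-in for boto3's S3 client so the handler runs offline."""

    def __init__(self, objects=None):
        self.objects = dict(objects or {})  # (bucket, key) -> bytes

    def get_object(self, Bucket, Key):
        return {"Body": io.BytesIO(self.objects[(Bucket, Key)])}

    def put_object(self, Bucket, Key, Body, **kwargs):
        self.objects[(Bucket, Key)] = Body
        return {}


def handler(event, context=None, s3=None):
    """Step 4: S3-triggered Lambda. For each delivered object, parse the
    batch, extract findings and write each one to DEST_BUCKET under its
    sorted key. Returns the keys written so callers can verify them."""
    s3 = s3 or boto3.client("s3")
    written = []
    for record in event.get("Records", []):
        bucket = record["s3"]["bucket"]["name"]
        key = record["s3"]["object"]["key"]
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        for evt in parse_firehose_batch(body):
            for finding in findings_from_event(evt):
                dest = route_key(finding)
                s3.put_object(Bucket=DEST_BUCKET, Key=dest,
                              Body=json.dumps(finding).encode("utf-8"),
                              ContentType="application/json")
                written.append(dest)
    return written


def sample_batch() -> bytes:
    """Constructed Firehose object: three concatenated EventBridge events,
    one of which is not from Security Hub and must be skipped."""
    high = {"source": "aws.securityhub",
            "detail-type": "Security Hub Findings - Imported",
            "detail": {"findings": [{
                "Id": "sample/guardduty/finding-001",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
                "Severity": {"Label": "HIGH"},
                "Title": "Constructed sample finding"}]}}
    other = {"source": "aws.ec2", "detail": {}}
    low = {"source": "aws.securityhub",
           "detail": {"findings": [{
               "Id": "custom-002",
               "ProductArn": "arn:aws:securityhub:us-east-1:111122223333:product/111122223333/default",
               "Severity": {"Label": "LOW"}}]}}
    return "".join(json.dumps(e) for e in (high, other, low)).encode("utf-8")


if __name__ == "__main__":
    s3 = FakeS3({("source-bucket", "firehose/batch-0001"): sample_batch()})
    s3_event = {"Records": [{"s3": {"bucket": {"name": "source-bucket"},
                                    "object": {"key": "firehose/batch-0001"}}}]}
    for k in handler(s3_event, s3=s3):
        print("wrote", DEST_BUCKET, k)
```

In a real deployment the handler is the Lambda entry point, `s3` is left as `None` so boto3 is used, and the function's execution role needs read access to the Firehose bucket and write access to the destination bucket only. The `route_key` layout is one choice; anything that lets the consumer list findings by severity without opening each object would serve the same purpose.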
Integration of Arctic Wolf with Security Hub
Activating the Arctic Wolf integration with AWS Security Hub allows the Arctic Wolf Security Operations Cloud to extract security findings from the customer’s AWS environment. These findings are then processed to yield valuable insights for security analysts and customers alike. The AWS findings are correlated with additional security telemetry from various sources—including endpoint, network, cloud, and identity—using a blend of intelligent automation within the Arctic Wolf platform and human oversight.
This correlation leads to a clear distinction between security events that represent real cyber risks and the excessive “security noise” that can overwhelm security teams. Consequently, this integration enables swift responses to legitimate threats, alleviating the burden of unverified alerts on security analysts.
Figure 2 – Overview of Arctic Wolf’s security solutions in conjunction with AWS Security Hub events.
The deployment and configuration of Arctic Wolf’s integration with Security Hub are managed using cloud-native tools that align with existing AWS operational workflows. Once configured, clients benefit from 24/7 security monitoring by Arctic Wolf for all Security Hub findings, including those from Amazon GuardDuty.
Arctic Wolf’s Security Hub integration adheres to the AWS Security Finding Format (ASFF), which standardizes all integrations and solutions associated with Security Hub. A prerequisite for this integration is the deployment of Arctic Wolf’s AWS CloudTrail integration. The integration is executed using an AWS CloudFormation template provided by Arctic Wolf, as outlined in their guide for configuring AWS Security Hub integration. After completing the integration steps, customers and their dedicated Concierge Security Team (CST) will confirm the successful setup, ensuring that Security Hub findings are accurately received by the Arctic Wolf Security Operations Cloud.
Conclusion
This article detailed the process for setting up the Arctic Wolf Security Operations Cloud in conjunction with AWS Security Hub, providing a comprehensive operational perspective on an organization’s security environment. As an initial vendor of the AWS Level 1 MSSP Competency specializations introduced at AWS re:Inforce 2022, Arctic Wolf has earned recognition for its expertise in Digital Forensics and Incident Response. Their Security Operations Cloud can be accessed via the AWS Marketplace. For AWS customers seeking further assistance with this integration, please consult your account manager.