Twistlock sponsored this post.
The scale of the average enterprise endeavor tends to encourage software sprawl and often necessitates efforts at unification by way of a “single pane of glass” by which to view and manage all the siloed software. This struggle was on display last month at Amazon’s security-focused AWS re:Inforce conference, with new products released by both Amazon and Symantec working toward this end.
Leading the charge, Amazon promoted its AWS Security Hub to general availability, providing both AWS partners and users with a central dashboard to aggregate security findings and paths to remediation from various systems, and enable automated compliance checks, starting out with the Center for Internet Security (CIS) AWS Foundations Benchmark. During his opening keynote, AWS Chief Information Security Officer Stephen Schmidt summarized the newly available service.
“With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, your findings from multiple AWS services like GuardDuty, Inspector, or Amazon Macie, as well as from AWS partner solutions,” said Schmidt. “Your findings are visually summarized for you on an integrated dashboard with actionable graphs and tables that help you focus your investigative efforts in the right place at the right time. The point here is that you get not only alerting, but the actionable movements towards a secure environment after the alert occurs if you use a partner integration. Taking action is always more important.”
In an interview with The New Stack, Dave McCann, vice president of AWS Marketplace, said that, while he saw Security Hub as more than a single pane of glass, it does provide a single point of visibility into the various services often employed by a single enterprise, all of it enabled by a common schema, the AWS Security Finding Format (ASFF).
“What we’ve learned is that, in big companies you may have a dozen different security tools. Instead of having to go to a dozen different consoles to find out what’s going on, we’ve created the concept of the Amazon security finding. It’s a metadata format. Very often in a big company, one division’s using Symantec, another division’s using Trend Micro, this division over here is using Palo Alto Networks, and somebody down the hall has CrowdStrike, and they’ve all got their own finding format,” said McCann. “We’ve standardized a finding format and we’ve encouraged over 20 partners to code into the finding format, so now you can go to one console, the Security Hub, and all the security findings are in that hub. It’s a centralized place to have visibility to all your security tools internally.”
Security Hub currently ingests findings from Amazon GuardDuty, Amazon Inspector, Amazon Macie, and 30 AWS partner security solutions, and anyone can push their own findings through the Security Hub API (BatchImportFindings, taking findings in ASFF) to build a custom integration. Beyond providing a central point to view findings, Security Hub also provides a way to set up automatic remediation: a CloudWatch Events rule matches findings as they are imported and forwards them to a target such as an Amazon Simple Notification Service (SNS) topic, an Amazon Simple Queue Service (SQS) queue, or an AWS Lambda function, which then acts on the finding.
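The two halves of that pipeline, a custom integration producing an ASFF finding and a Lambda function consuming the CloudWatch event that Security Hub emits for it, look like this. The code below is an added example written for this article, not AWS or partner code: the account ID, region, bucket name, generator ID, remediation map and the `securityhub` client parameter are illustrative assumptions, and the sample finding and event envelope are constructed inline so it runs offline.

```python
"""Added example: build an AWS Security Finding Format (ASFF) finding as a
custom integration would, then route Security Hub findings delivered by a
CloudWatch Events rule to remediation actions inside a Lambda handler.

The finding, the event envelope and the remediation map are constructed for
illustration; account, region, bucket and generator names are placeholders."""
import json
from datetime import datetime, timezone

# ASFF keys that Security Hub rejects a finding without.
ASFF_REQUIRED = (
    "SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId",
    "Types", "CreatedAt", "UpdatedAt", "Severity", "Title", "Description",
    "Resources",
)

def make_asff_finding(account_id, region, resource_id, resource_type,
                      title, description, severity_label, generator_id):
    """Assemble a minimal valid ASFF finding for BatchImportFindings.
    Custom (non-partner) integrations use the account's default product ARN."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"{region}/{account_id}/{generator_id}/{resource_id}",
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "GeneratorId": generator_id,
        "AwsAccountId": account_id,
        "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
        "CreatedAt": now,
        "UpdatedAt": now,
        "Severity": {"Label": severity_label},
        "Title": title,
        "Description": description,
        "Resources": [{"Type": resource_type, "Id": resource_id, "Region": region}],
        "Compliance": {"Status": "FAILED"},
    }

def validate_asff(finding):
    """Return the required ASFF keys that are missing (empty list == valid)."""
    return [k for k in ASFF_REQUIRED if k not in finding]

# Hypothetical remediation map: resource type -> (minimum severity, action name).
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
REMEDIATIONS = {
    "AwsS3Bucket": ("HIGH", "block_public_access"),
    "AwsIamUser": ("MEDIUM", "disable_access_keys"),
}

def plan_remediation(finding):
    """Map one finding to an action, or None if no rule matches or severity is too low."""
    label = finding["Severity"].get("Label", "INFORMATIONAL")
    for res in finding["Resources"]:
        rule = REMEDIATIONS.get(res["Type"])
        if rule and SEVERITY_RANK[label] >= SEVERITY_RANK[rule[0]]:
            return {"action": rule[1], "resource": res["Id"], "finding_id": finding["Id"]}
    return None

def lambda_handler(event, context=None, securityhub=None):
    """Entry point for a CloudWatch Events rule with source aws.securityhub.
    `securityhub` is an optional boto3 Security Hub client (assumed injected
    for testability); when present, findings that got an action are marked
    NOTIFIED via BatchUpdateFindings so the console reflects the handoff."""
    if event.get("source") != "aws.securityhub":
        return {"actions": [], "skipped": "not a Security Hub event"}
    actions, identifiers = [], []
    for finding in event["detail"]["findings"]:
        if validate_asff(finding):
            continue  # malformed payload: never act on it
        plan = plan_remediation(finding)
        if plan:
            actions.append(plan)
            identifiers.append({"Id": finding["Id"], "ProductArn": finding["ProductArn"]})
    if securityhub is not None and identifiers:
        securityhub.batch_update_findings(
            FindingIdentifiers=identifiers, Workflow={"Status": "NOTIFIED"})
    return {"actions": actions}

# Constructed sample: the envelope a "Security Hub Findings - Imported" rule delivers.
SAMPLE_FINDING = make_asff_finding(
    "123456789012", "us-east-1", "arn:aws:s3:::example-public-bucket", "AwsS3Bucket",
    "S3 bucket allows public read", "Bucket policy grants s3:GetObject to *",
    "HIGH", "example-scanner/public-bucket")
SAMPLE_EVENT = {
    "version": "0", "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "account": "123456789012", "region": "us-east-1",
    "detail": {"findings": [SAMPLE_FINDING]},
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

Two design points worth noting: the handler validates each finding against the ASFF required keys before acting, so a partner product that emits a malformed record cannot trigger a destructive action, and the remediation map keys on resource type plus a minimum severity rather than on free-text titles, which differ from one product to the next even after normalization into ASFF.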
The Single Pane of Glass…For the Multicloud
As an Amazon partner, the core of Symantec’s release was an integration between Symantec’s Cloud Workload Protection (CWP) and Amazon GuardDuty to provide automated remediation and enhanced threat intelligence for AWS workloads and storage, as well as data loss prevention (DLP) for Amazon Simple Storage Service (Amazon S3) buckets. Symantec was also one of the 30 partners featured in the Security Hub integration. The company also introduced the Integrated Cyber Defense Platform, which provides its own centralized dashboard for visibility and remediation.
Of course, given that the news came from AWS re:Inforce, the primary focus was on Amazon owning the interaction and having its Security Hub be the central security dashboard. In our current multicloud world, however, the case could be made that one of the partners, and not Amazon, Google, Microsoft or otherwise, will be the one to provide that central point of visibility and remediation. In all of the discussions around Security Hub, there was no mention of integrations with other public clouds. In an interview with Peter Doggart, vice president of business development at Symantec, however, the point was made that the Integrated Cyber Defense Platform would work with all of the public clouds.
“Over the past three to four years, we’ve had this super focus on building the cloud generation. Many years ago, we did a big pivot to make sure that all of our solutions are catered for companies, developers, and whoever may be using and building for the cloud, and making sure that journey to the cloud was secure,” said Doggart. “We formulated this concept of an Integrated Cyber Defense. We truly believe an integrated cyber defense is the best defense, not only our own tools working together, but also everything you see here [at re:Inforce] and also with Amazon Web Services, with Azure, and with Google Cloud.”
Doggart painted a similar picture of software sprawl, putting the blame on the security industry’s tendency to create singularly focused companies.
“Over the past decade or so, [the security sector] created all these one-off tools, these so-called feature companies that do one thing really, really well, but didn’t really do a good job of integrating. Customers bought into those kinds of toolsets and we ended up with 150 of them. It’s kind of crazy complex,” said Doggart. “What we’re trying to do is to make sure we can integrate all those pieces together. Instead of having to create links between individual products to individual products, which causes a horrible mesh effect, we can now talk between two companies, with an everyday simple language that we both understand.”
The Integrated Cyber Defense Platform offers security teams the ability to drill down into workloads deployed across multiple clouds and on premises, offering not only visibility but also the ability to kill problem workloads wherever they may be running.
“We’ve been developing our endpoint tech for 20 years. So we’re applying the same techniques we’ve used on a visual endpoint and applying it to several workloads. So sitting on the host, but we are essentially doing a few things: we can understand and see all the containers and services spun up, track all the IDs and tags, see the data, we can harden the environments,” said Doggart. “We’ve taken all the technology and all the learnings we’ve had over the years and applied it now to the cloud. We can now have a central console for all your workloads, whether it be on AWS, Azure, Google Cloud, on-premise, or a virtual private network, it doesn’t really matter. We apply the same level of policies and apply similar protection remediation across everything.”