
Connecting the Dots with Symantec Cloud Workload Protection and AWS Security Hub

When it comes to the cloud everyone is looking to automate manual tasks. Here’s an easy way to automate investigation and remediation

It always fascinates me to learn history and see how we repeat patterns but with new challenges. Case in point is the history of our phone system. Alexander Graham Bell unveiled the first telephone in 1876. Although the phone eventually changed the world, in its early days the phone had limited use due mostly to an inability to scale. The phone couldn’t carry sound over long distances, and there weren’t any phone numbers or operators back then. If you wanted to talk to more than one person, you’d need a direct line to each person.

Based on these limitations, the telegraph remained popular until the introduction of switchboards. With switchboards, customers could now use a single phone line to connect to more than one person. The process was manual – you had to talk to an operator – but the concept took off and eventually paved the way for the mobile smartphone that you’re probably using right now to read this blog. The iconic image of a telephone operator sitting at a lit-up switchboard, wearing headphones and directing phone calls, will forever symbolize our first attempts at scaling the phone system.

This image recently popped into my head as I was interviewing one of our customers about how they handle security events in Amazon Web Services (AWS). The customer walked me through a scenario where he gets security alerts (findings) from Amazon GuardDuty and then logs into Symantec Cloud Workload Protection (CWP) to look up events for the same period. Sometimes the results are conclusive that there was no security compromise, but sometimes there’s enough ambiguity that he does some additional steps. These steps can include running a manual scan using CWP, correlating events between different systems, backtracking logs, cleaning up files, and then watching more events come in to make sure the problem has been resolved. I couldn’t help but imagine the customer sitting in front of a “security switchboard”, trying to connect the dots by correlating timestamps from one service to another in an attempt to determine if a compromise has really happened or if the finding was benign.

Unfortunately, this problem isn’t uncommon. Many customers who follow a Defense in Depth approach wind up using multiple security services and tools. An alert from one service may just as easily mean a compromise or turn out to be noise. Customers often fall back on manual intervention to make sense of all the alerts or don’t know for certain what happened and hope for the best.

This is hardly a model of efficiency, and when it comes to the cloud everyone is looking to automate manual tasks. When we looked at how our customers were using native AWS security services, we thought: wouldn’t it be great if you could ingest a finding from one of these services and then automate the process of scanning EC2 instances and applications for a deeper level of investigation? That thought led us to integrate CWP with the newly-announced AWS Security Hub.

Launched as a public preview during AWS re:Invent 2018, AWS Security Hub is designed to provide users with a comprehensive view of their high-priority security alerts and compliance status by aggregating, organizing, and prioritizing alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from other AWS Partner Network (APN) security solutions.


CWP integrates with the AWS Security Hub by allowing customers to execute remediation steps like anti-malware scans, identifying exploits, quarantining files, and publishing those scan results to AWS Security Hub. Customers can use this information to help determine if their Amazon EC2 instances, applications, or containers have become compromised, and use CWP to create security policies to mitigate exposures.
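To make the "publish scan results to Security Hub" step concrete, here is an added example (not Symantec's or AWS's code) that turns a constructed anti-malware scan result into a finding in the AWS Security Finding Format and hands it to the real `batch_import_findings` API via boto3. The product ARN, the `Types` classifier, and the scan-result layout are assumptions; a registered partner product has its own ARN.

```python
"""Shape a workload-protection scan result as an ASFF finding for Security Hub."""
from datetime import datetime, timezone

ASFF_SCHEMA = "2018-10-08"
# Placeholder: partner products use arn:aws:securityhub:<region>:<account>:product/<vendor>/<product>
PRODUCT_ARN = "arn:aws:securityhub:us-east-1:123456789012:product/example-vendor/example-cwp"

# Constructed sample of what an agent might report after an on-demand scan (layout is an assumption)
SAMPLE_SCAN_RESULT = {
    "instance_id": "i-0abc123def456789a",
    "account_id": "123456789012",
    "region": "us-east-1",
    "scan_id": "scan-0001",
    "finished_at": "2018-11-30T12:00:00Z",
    "threats": [{"path": "/tmp/dropper.bin", "name": "Trojan.Gen", "action": "quarantined"}],
}


def severity_label(threats):
    # A clean scan still gets published: an INFORMATIONAL result closes the loop for the analyst
    return "INFORMATIONAL" if not threats else "HIGH"


def build_finding(result):
    threats = result["threats"]
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "SchemaVersion": ASFF_SCHEMA,
        # Id must be unique per ProductArn; instance + scan id gives one finding per scan run
        "Id": f"{result['instance_id']}/{result['scan_id']}",
        "ProductArn": PRODUCT_ARN,
        "GeneratorId": "cwp-antimalware-scan",
        "AwsAccountId": result["account_id"],
        "Types": ["TTPs/Execution"] if threats else ["Software and Configuration Checks"],  # assumed taxonomy
        "CreatedAt": result["finished_at"],
        "UpdatedAt": now,
        "Severity": {"Label": severity_label(threats)},
        "Title": f"Anti-malware scan of {result['instance_id']}: {len(threats)} threat(s)",
        "Description": "; ".join(f"{t['name']} at {t['path']} ({t['action']})" for t in threats)
        or "No threats found",
        "Resources": [{"Type": "AwsEc2Instance", "Id": result["instance_id"], "Region": result["region"]}],
        "RecordState": "ACTIVE",
    }


def publish(findings, region="us-east-1"):
    import boto3  # needs credentials and network; not exercised offline

    client = boto3.client("securityhub", region_name=region)
    return client.batch_import_findings(Findings=findings)["FailedCount"]
```

Security Hub rejects findings whose `ProductArn` is not enabled for the account, so check `FailedCount` (and the `FailedFindings` list in the response) rather than assuming the import succeeded.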

The best part is that integrating CWP with the AWS Security Hub is straightforward. If you’re a current CWP customer, just follow the steps outlined in Integration with AWS Security Hub. If you haven’t had a chance to use CWP, sign up for a free trial in the AWS Marketplace and follow the same steps listed before.

Just like the switchboard for the early telephone system, CWP integration with AWS Security Hub allows customers to scale their security teams and provides an easy way to automate investigation and remediation. And that’s just the beginning! We’re looking to extend other CWP events and functionality to the AWS Security Hub. Leave us a comment below and let us know what type of integration you’d like to see in CWP and the AWS Security Hub.


About the Author

Rich Vorwaller

Principal Product Manager IaaS Security

Rich Vorwaller is a Principal Product Manager for Symantec IaaS Security. Rich has worked in cyber security since 2006 with roles in technical support, operations, and product management.
