SEC04-BP02 Analyze logs, findings, and metrics centrally

Security operations teams rely on the collection of logs and the use of search tools to discover potential events of interest, which might indicate unauthorized activity or unintentional change. However, simply analyzing collected data and manually processing information is insufficient to keep up with the volume of information flowing from complex architectures. Analysis and reporting alone don’t facilitate the assignment of the right resources to work an event in a timely fashion.

A best practice for building a mature security operations team is to deeply integrate the flow of security events and findings into a notification and workflow system such as a ticketing system, a bug or issue system, or other security information and event management (SIEM) system. This takes the workflow out of email and static reports, and allows you to route, escalate, and manage events or findings. Many organizations are also integrating security alerts into their chat or collaboration, and developer productivity platforms. For organizations embarking on automation, an API-driven, low-latency ticketing system offers considerable flexibility when planning what to automate first.

This best practice applies not only to security events generated from log messages depicting user activity or network events, but also from changes detected in the infrastructure itself. The ability to detect change, determine whether a change was appropriate, and then route that information to the correct remediation workflow is essential in maintaining and validating a secure architecture, in the context of changes where the nature of their undesirability is sufficiently subtle that they cannot currently be prevented with a combination of AWS Identity and Access Management (IAM) and AWS Organizations configuration.

Amazon GuardDuty and AWS Security Hub provide aggregation, deduplication, and analysis mechanisms for log records that are also made available to you via other AWS services. GuardDuty ingests, aggregates, and analyzes information from sources such as AWS CloudTrail management and data events, VPC DNS logs, and VPC Flow Logs. Security Hub can ingest, aggregate, and analyze output from GuardDuty, AWS Config, Amazon Inspector, Amazon Macie, AWS Firewall Manager, and a significant number of third-party security products available in the AWS Marketplace, and if built accordingly, your own code. Both GuardDuty and Security Hub have an Administrator-Member model that can aggregate findings and insights across multiple accounts, and Security Hub is often used by customers who have an on- premises SIEM as an AWS-side log and alert preprocessor and aggregator from which they can then ingest Amazon EventBridge through a AWS Lambda-based processor and forwarder.

Level of risk exposed if this best practice is not established: High

Implementation guidance

• Evaluate log processing capabilities: Evaluate the options that are available for processing logs.

  • Find an AWS Partner that specializes in logging and monitoring solutions

• As a start for analyzing CloudTrail logs, test Amazon Athena.

  • Configuring Athena to analyze CloudTrail logs

• Implement centralize logging in AWS: See the following AWS example solution to centralize logging from multiple sources.

  • Centralize logging solution

• Implement centralize logging with partner: APN Partners have solutions to help you analyze logs centrally.

  • Logging and Monitoring

Resources

Related documents:

• AWS Answers: Centralized Logging

• AWS Security Hub

• Amazon CloudWatch

• Amazon EventBridge

• Getting started: Amazon CloudWatch Logs

• Security Partner Solutions: Logging and Monitoring

Related videos:

• Centrally Monitoring Resource Configuration and Compliance

• Remediating Amazon GuardDuty and AWS Security Hub Findings

• Threat management in the cloud: Amazon GuardDuty and AWS Security Hub