modernisation-platform
Tuning Alerts from Security Hub
User Story
As an MP Engineer, I want to tune the alerts we are receiving from Security Hub to reduce duplication, so that it's easier to see the important findings from the service.
Value / Purpose
As part of ticket #8076 we've enabled alerting for Security Hub issues that are categorised CRITICAL or HIGH.
Lots of alerts are being sent to the #modernisation-platform-security-hub-alerts slack channel and lots of incidents are being raised in the Security Hub Alerts - Modernisation Platform PagerDuty service.
Issues:
- We seem to be getting multiple alerts for the same type of finding, e.g. when an SSH port is open to 0.0.0.0/0 it triggers about 4 separate alerts because we have multiple standards applied (e.g. AWS Foundational Security Best Practices, CIS AWS Foundations and PCI DSS v3.2.1). Here are some example alerts of this particular issue. This could be fixed by using consolidated control settings.
- We are getting multiple alerts because the Config rules associated with the standards are re-run periodically after the first time an issue is raised, so each re-check triggers a follow-up alert. We could consider removing the Config rules, or using Security Hub automation rules to update finding statuses etc.
- We are getting the same alerts for the same rules from each of the 5 enabled regions of the baseline.
To consider:
- Do we turn off some of the standards due to the overlap?
- Do we suppress specific alerts where there is overlap?
- Do we turn on consolidated control settings?
- Can we stop receiving alerts from other regions (currently we are alerting from all 5 enabled baseline regions) if cross-region aggregation is already enabled?
- Should we use Security Hub Automation rules to control the statuses of findings etc. to tame the alerts?
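To see what the consolidated-control and status-based suppression ideas above would actually collapse, here is an added example (not part of this ticket or the modernisation-platform code) that keys findings on resource plus consolidated control ID and drops anything already worked. The findings, resource ARNs, account ID and control IDs are constructed sample values.

```python
"""Collapse duplicated Security Hub findings into one alert per resource and control.
Sample findings are constructed (ASFF-shaped, not real data) and reproduce the ticket's
three duplication sources: several standards flagging one security group, a periodic
Config re-check re-importing the same finding, and one control firing in two regions."""

PAGE_SEVERITIES = {"CRITICAL", "HIGH"}
SG = "arn:aws:ec2:eu-west-2:111122223333:security-group/sg-0123456789abcdef0"  # constructed
ACCOUNT = "AWS::::Account:111122223333"  # constructed account-level resource

def finding(fid, region, generator, resource=SG, control="EC2.13", status="NEW"):
    """Build a minimal ASFF-style finding containing only the fields the dedup logic reads."""
    return {"Id": fid, "Region": region, "GeneratorId": generator, "RecordState": "ACTIVE",
            "Workflow": {"Status": status}, "Severity": {"Label": "HIGH"},
            "Compliance": {"SecurityControlId": control}, "Resources": [{"Id": resource}]}

FSBP = "aws-foundational-security-best-practices/v/1.0.0/"
SAMPLE = [  # the same open-SSH security group seen through three standards...
    finding("f-1", "eu-west-2", FSBP + "EC2.13"),
    finding("f-2", "eu-west-2", "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/4.1"),
    finding("f-3", "eu-west-2", "pci-dss/v/3.2.1/PCI.EC2.5"),
    finding("f-1", "eu-west-2", FSBP + "EC2.13"),  # ...and re-imported after a periodic Config re-check
    finding("f-4", "eu-west-2", FSBP + "IAM.4", ACCOUNT, "IAM.4"),  # account-level control fires
    finding("f-5", "eu-west-1", FSBP + "IAM.4", ACCOUNT, "IAM.4"),  # once per enabled region
    finding("f-6", "eu-west-2", FSBP + "EC2.2", SG, "EC2.2", "SUPPRESSED"),  # already suppressed by an automation rule
]

def should_page(f):
    """Page only on ACTIVE, unworked CRITICAL/HIGH findings; SUPPRESSED/RESOLVED ones are dropped."""
    return (f["RecordState"] == "ACTIVE" and f["Workflow"]["Status"] == "NEW"
            and f["Severity"]["Label"] in PAGE_SEVERITIES)

def alert_key(f):
    """One alert per (resource, security control): SecurityControlId is the consolidated id all
    standards share, so the per-standard GeneratorId is only a fallback when it is absent."""
    control = f.get("Compliance", {}).get("SecurityControlId") or f["GeneratorId"]
    return (f["Resources"][0]["Id"], control)

def collapse(findings):
    """Group pageable findings by alert_key and summarise how many events, standards and regions
    each alert would otherwise have produced (keying on the resource keeps distinct assets apart)."""
    alerts = {}
    for f in findings:
        if not should_page(f):
            continue
        a = alerts.setdefault(alert_key(f), {"events": 0, "finding_ids": set(), "standards": set(), "regions": set()})
        a["events"] += 1
        a["finding_ids"].add(f["Id"])
        a["standards"].add(f["GeneratorId"].split("/v/")[0].rsplit("/", 1)[-1])  # standard name from GeneratorId
        a["regions"].add(f["Region"])
    return alerts
```

On the sample, seven imported events reduce to two alerts: one for the security group (three standards, one re-check) and one for the account-level control (two regions), with the suppressed finding dropped entirely.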
Useful Contacts
No response
Additional Information
No response
Definition of Done
- [ ] Review alerts for overlap/duplication
- [ ] Determine the best ways of suppressing/taming alerts based on the suggestions above
- [ ] Take action on the agreed process
- [ ] Test/Review alerts after making changes for improvement