AWS Security Hub and DFLabs: Bringing Incident Response to Hybrid Environments

Back to all articles

incident response

Having the ability to quickly detect and respond to an incident is absolutely necessary in today’s complex threat landscape. As more organizations continue to implement virtualized network segments, incident responders must be able to gather all evidence necessary to triage an incident regardless of where the incident data resides.

DFLabs’ integration with AWS Security Hub provides incident responders with the necessary tools to not only detect critical events, but to solicit response actions from network and security products in both on-prem and virtual environments. This orchestration between differing environments ensures that malicious actors cannot hide by jumping from one environment to the next.

The Problem

Modern environments have become as complex as the attacks they face. This complexity has created major complications for today’s security professionals. Gaining visibility into all areas of these networks and having the ability to quickly respond to a potential incident is vital to stay ahead of an attack.

Unfortunately, gathering evidence and event artifacts from across multiple environments can leave a large gap for investigators to try to close. This gap may allow attackers to infiltrate an organization’s defenses undetected and gain undisrupted access to an organization’s most valuable assets.

Security operations therefore need to be able to utilize a solution that will help to solve these common problems within their organization:

  • How can we gain visibility across both on-prem and cloud environments?

  • How can we quickly respond to incidents across hybrid environments?

  • How can we quickly and efficiently gather incident evidence from diverse environments?

The DFLabs and AWS Security Hub Solution

Together, the DFLabs and AWS Security Hub solution provides organizations with the tools necessary to quickly detect and respond to an incident regardless of where affected assets reside. The integration between IncMan SOAR from DFLabs and AWS Security Hub draws on AWS’ ability to quickly gather incident details from across all Amazon integrated apps and produce these findings to an investigator, without the need of filing through multiple dashboards. It is then combined with IncMan’s capability to orchestrate both enrichment and containment actions across any environment whether its hosted or on-prem.

This ability allows for incident responders to have activity vetted and contained in a matter of seconds, rather than losing valuable time trying to patch all of the information together in order to make a knowledgeable decision on how to correctly respond.

About AWS Security Hub

AWS Security Hub provides a comprehensive view of high-priority security alerts and compliance status across AWS accounts. AWS Security Hub reduces the effort of collecting and prioritizing security findings across accounts from AWS services and AWS partner tools. The service ingests data using a standard findings format, eliminating the need for time-consuming data conversion efforts. It then correlates findings across providers to prioritize the most important findings.

With Security Hub, organizations can run automated, continuous account-level configuration and compliance checks based on industry standards and best practices, such as the Center for Internet Security (CIS) AWS Foundations Benchmark. These checks provide a compliance score and identify specific accounts and resources that require attention.

Integrated dashboards bring together security findings across accounts to show the current security and compliance status, and allow analysts to easily spot trends, identify potential issues, and take the necessary next steps. For example, analysts can send findings to ticketing, chat, email, or automated remediation systems using integration with Amazon CloudWatch Events.

Use Case

Let’s now see a simple use case in action.

A security alert is received from AWS Security Hub indicating suspicious activity emerging internally from an on-prem IP address. IncMan SOAR receives the alert and begins to execute its R3 Rapid Response Runbook by querying AWS Security Hub for any additional findings involving the hosts in question. After gathering information from AWS, IncMan queries the organization’s SIEM for any additional events involving the destination or affected user.

Once this information is gathered, the R3 Runbook comes to a set of conditional statements. The first conditional statement is looking for any additional security events involving the source or destination, where the second statement is looking for any additional events involving the affected user.

If the first statement’s evaluation is true, IncMan gathers system settings and running processes from the potentially infected host. Before taking any type of containment action against this host, IncMan will temporarily pause the R3 Runbook and alert an analyst that additional verification must be conducted. The analyst will review the system settings, running processes, and additional security alerts to determine whether the host is indeed infected.

If sufficient evidence of an infection is found, the analyst will accept the containment activities built into the Runbook and IncMan will update the priority to high, quarantine the host, and send out a new helpdesk ticket to have the system analyzed. If the second conditional statement finds additional security alerts involving the user account tied to the infected machine, IncMan will execute a nested Runbook that will generate a random password, disable the user’s account, reset the password, and send an email to the IT department to reach out to the user to get their password reset.


Through the integration of DFLabs’s IncMan SOAR platform with AWS Security Hub Solution, security teams can gain greater visibility across on-prem and virtual environments, quickly responding to incidents traversing these modern environments. By working together, this integration will enable the gathering of artifacts from diverse environments to present a more complete picture of a potential intrusion, which is crucial with today’s increasing attack surfaces and their advancing levels of sophistication.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo