In this article:
The Amazon Security Lake integration exchanges Open Cybersecurity Schema Framework (OCSF) Security Findings between SecurityScorecard's massive data lake of threat intelligence through our Attack Surface Intelligence product and Amazon Security Lake.
This streamlines workflows to accelerate security actions directly in your AWS organizations. By consolidating and routing threat intelligence from SecurityScorecard to Amazon Security Lake, the integration delivers greater visibility into crucial gaps that could lead to a cyberattack.
Note: This integration is only available to SecurityScorecard Attack Surface Intelligence Enterprise customers.
As an AWS customer, you can sync a growing list of Attack Surface Intelligence findings and use Amazon Security Lake as the single console for management and prioritization to move all types of threat intelligence directly into your processes and security tooling.
See this article for the list of:
- Current OCSF Security Findings surfaced in the Amazon Security Lake
- Details for each
- How you can use the information
With consolidated security data from SecurityScorecard, unified findings for more informed responses, and faster time to remediation, you can improve your ability to respond to the latest threats. The integration of SecurityScorecard's Attack Surface Intelligence and Amazon Data Lake provides real-time feeds of Indicators of Compromise (IOCs) with additional enrichment data and observables directly to your existing virtual private clouds (VPCs), Route 53 deployments, and Cloudtrail logs.
Before proceeding with the integration, make sure you have the following:
- An AWS account with the Amazon Security Lake enabled for the region with your workload. For setup instructions on Amazon Security Lake, read the AWS documentation for the service. If you are using AWS Organizations and consolidating findings from Amazon Security Lake in various regions and accounts, choose the region and account with the desired level of visibility.
- An Enterprise subscription to SecurityScorecard Attack Surface Intelligence. Because Amazon Data Lake will ingest the full, contextualized feed of data from SecurityScorecard, queries against Attack Surface Intelligence will not be tracked, and an Enterprise subscription based on your expected volume of usage will be required. If you do not already have access to Attack Surface Intelligence in the SecurityScorecard platform, contact us to request a demo.
Attack Surface Intelligence to Amazon Security Lake
This integration acts as a source provider in Amazon Security Lake. It pulls threat intelligence from Attack Surface Intelligence data in Amazon S3 to Amazon Security Lake through the AWS Console. It is ideal to use your existing AWS security tools to analyze and triage issues in your AWS account based on data provided by the Attack Surface Intelligence source provider. Your purpose for integrating with Attack Surface Intelligence is to consume large amounts of findings from SecurityScorecard's in-house collection systems and analysts alongside other tools in your AWS account.
Through this integration, Amazon Security Lake is able to crawl our internal data lake powering the Attack Surface Intelligence product and feed this data directly to the AWS customer-owned data lake in any supported region by Amazon Security Lake through Amazon S3. Once the data is inside the customer-owned data lake setup in the AWS console, this information can then be integrated directly into supported AWS products, where the customer's analysts, threat hunters, and engineers can leverage our data lake for any desired purpose.
Ensure that you have met all prerequisites. Then follow these steps to connect our data lake with yours in Amazon Security Lake:
- From the Amazon Security Lake Console Source or Subscriber pages, go to the catalog of third-party security solutions and select SecurityScorecard Attack Surface Intelligence to connect with Amazon Security Lake.
- Click Add integration.
You see a message to continue with delivery of the data.
- Click Connect.
The Amazon Security Lake Console opens a new browser window that connects to SecurityScorecard's platform.
- Log in using your normal SecurityScorecard platform administrator account.
- When prompted, approve the connection between your AWS account and SecurityScorecard Attack Surface Intelligence.
You are redirected back to the Amazon Security Lake browser window, which confirms that the connection has been established. At this point Amazon Security Lake and SecurityScorecard Attack Surface Intelligence can communicate over a trusted channel to send our data to your security data lake.
- Finalize the configuration workflow in Amazon Security Lake, for example, by selecting the region and account information you want our data delivered to as a source provider, and then validate the creation of the integration.
Amazon Security Lake confirms that the integration is correctly established. SecurityScorecard Attack Surface Intelligence data starts streaming to the chosen Amazon S3 region and path specified. It is available in workflows with Amazon Security Lake compatible AWS products.
For support-related questions or help with setup of this integration, log into the the SecurityScorecard platform and submit a support request with the following settings and information:
- Select Customer Support Form.
- Select Attack Surface Intelligence.
- In the subject, enter Amazon Security Lake Integration.
- Provide details, including:
- Your Amazon account or applicable organization IDs that you are using this integration with
- Any applicable regions
- Any specific Security Findings you are having issues with
Frequently asked questions (FAQ)
How do I set up Amazon Security Lake for this integration?
See the Amazon Security Lake user documentation.
What data is available from Attack Surface Intelligence in the Amazon Security Lake?
We are constantly adding new Security Findings to Amazon Security Lake from our vast threat intelligence sources. For the current listing of Security Findings sent to Amazon Security Lake, read this article.
Why do I need a custom Enterprise subscription to Attack Surface Intelligence to use this integration?
This integration will stream full, unfiltered intelligence from the SecurityScorecard Attack Surface Intelligence data lake to Amazon Security Lake. So, only an unlimited query volume will comply with the usage model of the product and not limit the data available to you. With a custom plan, we are able to adjust what data and how many findings you would like streamed to your AWS accounts or organizations based on the requirements of your use case.
I am having trouble making the integration work. How can I get help?
See the Support section of this article. If the issue is clearly on the AWS console or products, including Amazon Security Lake itself, reach out to AWS Support through your established channels in the AWS console for your support tier.
We can help with any of the following questions or other general questions not listed here:
- .I am stuck trying to setup the integration.
- Specify what step you are stuck at.
- Data is not flowing at all once I set up the integration.
- Provide a one-time 24-hour wait time before reaching out to give our system time to stream the last day's worth of data. Since we collect billions of events every day, data will not appear immediately after you connect the source provider for Attack Surface Intelligence.
- There are gaps in the data available.
- The data is not formatted correctly
- Specify which Security Finding has an issue.
Which AWS products can I integrate with, and which use cases can I enable with this integration?
See the Amazon Security Lake documentation for available AWS products which will accept data in OCSF format from Attack Surface Intelligence.
We have also outlined several use cases for each security finding in the integration security findings article. If you still have questions about those use cases or otherwise, submit a support request.