What is our primary use case?
I use it for security posture management.
What is most valuable?
I really like the seamless integration with the AWS account structure. It can even be made mandatory as part of the landing zone. These are great features.
And there's a single pane of glass for the entire account.
What needs improvement?
There is room for improvement in a couple of things. One is that the dashboard isn't very customizable. Another is that the alerting level is the same across the entire account. Every organization has different needs, like sandbox accounts. Even though they have the same alert level, it might not be critical for them.
Security needs to be measured based on their own criteria. We can't add custom criteria specific to our organization. For example, having an S3 bucket publicly available might be flagged as a critical alert, but it might not be critical in a sandbox environment.
So, it gets flagged as critical, which becomes a false positive. So, customization options and creating custom dashboards would be areas for improvement.
For how long have I used the solution?
I've been using it personally for the past five years.
What do I think about the stability of the solution?
I never had any problems with stability.
What do I think about the scalability of the solution?
It's scalable in the sense that it's good for posture management, but only within AWS. If you have a multi-cloud environment, you can't use Security Hub for anything else. That's a limitation. There are other tools available that are cross-cloud platforms.
How are customer service and support?
AWS support is normally good. It depends on your contract agreement with them. But normally, it's good.
Which solution did I use previously and why did I switch?
I've used Splunk and Sentinel. They're considered SIEM tools, more advanced than Security Hub.
Splunk and Sentinel are industry-standard SIEM tools, while Security Hub doesn't easily categorize as one. It's not fully functional as a SIEM tool and lacks some features. It offers some posture management but isn't a full SIEM.
The SIEM tools have more process integration, organization-wide integration, log correlation, and customizable dashboards. They also allow easy alert configuration from the tool itself.
Security Hub can do this, but it requires AWS Lambda and server activity, not an out-of-the-box configuration.
On the other hand, Security Hub has low cost and good performance. SIEM tools sometimes struggle with high log volumes, but Security Hub doesn't.
How was the initial setup?
The initial setup was easy. It's basically just enabling a few things. And there's good documentation available.
What about the implementation team?
It was actually enabled as part of the LandingZone, so it didn't take long to deploy. Maybe a day or two.
We had mainly one dedicated architect and maybe two or three engineers. But they weren't just working on Security Hub; it was part of deploying the LandingZone. Security was enabled as part of the overall setup.
It's a managed service by AWS. We don't have to do much beyond looking at the dashboards and working on it. We did spend some time creating the auto-remediation part, which is an extension of the security app. But otherwise, it's a well-managed service.
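The per-account alert level the reviewer says Security Hub lacks out of the box is the kind of thing the Lambda-based extension mentioned above has to supply. The following is an added example, not the reviewer's code and not an AWS-provided sample. It assumes an EventBridge rule on the "Security Hub Findings - Imported" event invokes this function (rule and IAM role not shown), that the sandbox account IDs, the downgrade policy, the `NOTE_AUTHOR` name and the `DryRunClient` are this example's own choices, and that the account IDs and finding ARNs in `SAMPLE_EVENT` are constructed.

```python
"""Per-account severity override for Security Hub findings (added example).

Assumed deployment: an EventBridge rule matching the "Security Hub Findings - Imported"
event pattern invokes lambda_handler. Findings in sandbox accounts get their severity
label downgraded via BatchUpdateFindings; production accounts are left alone.
"""
import os
from typing import Any, Dict, List

try:
    import boto3  # only needed inside Lambda; tests inject a client instead
except ImportError:  # pragma: no cover
    boto3 = None

# Constructed account IDs standing in for the organisation's sandbox accounts.
# A real deployment would read them from an SSM parameter, an OU lookup or account tags.
SANDBOX_ACCOUNTS = frozenset(
    os.environ.get("SANDBOX_ACCOUNTS", "111111111111,222222222222").split(",")
)

# Hypothetical policy: how far to downgrade a finding's ASFF Severity.Label in a sandbox.
# Labels not listed (MEDIUM, LOW, INFORMATIONAL) are left untouched, which also stops the
# function re-processing a finding it has already downgraded.
SANDBOX_DOWNGRADE = {"CRITICAL": "MEDIUM", "HIGH": "LOW"}

NOTE_AUTHOR = "sandbox-severity-lambda"  # hypothetical name recorded in the finding's Note


def plan_updates(findings: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Decide which findings need a severity change and build one BatchUpdateFindings
    request body per finding. Pure function, so it runs without AWS credentials."""
    updates = []
    for finding in findings:
        if finding.get("AwsAccountId") not in SANDBOX_ACCOUNTS:
            continue  # non-sandbox accounts keep the severity Security Hub assigned
        current = finding.get("Severity", {}).get("Label")
        target = SANDBOX_DOWNGRADE.get(current)
        if target is None:
            continue  # already MEDIUM or lower, or no label at all
        updates.append({
            "FindingIdentifiers": [{"Id": finding["Id"], "ProductArn": finding["ProductArn"]}],
            "Severity": {"Label": target},
            "Note": {
                "Text": f"Severity downgraded from {current} to {target}: sandbox account",
                "UpdatedBy": NOTE_AUTHOR,
            },
        })
    return updates


class DryRunClient:
    """Stand-in for the boto3 Security Hub client that records calls instead of making them."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def batch_update_findings(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        return {"ProcessedFindings": kwargs["FindingIdentifiers"], "UnprocessedFindings": []}


def lambda_handler(event: Dict[str, Any], context: Any = None, client: Any = None) -> Dict[str, int]:
    """EventBridge entry point. `client` may be injected (DryRunClient, or a mock);
    otherwise a real boto3 Security Hub client is created."""
    findings = event.get("detail", {}).get("findings", [])
    updates = plan_updates(findings)
    if updates:
        if client is None:
            client = boto3.client("securityhub")
        # BatchUpdateFindings accepts up to 100 finding identifiers per call; one call per
        # finding keeps this example short but could be batched by target label.
        for body in updates:
            client.batch_update_findings(**body)
    return {"received": len(findings), "updated": len(updates)}


# Constructed sample event: one CRITICAL finding in a sandbox account, one CRITICAL finding
# in a non-sandbox account, and one LOW finding in a sandbox account.
_PRODUCT_ARN = "arn:aws:securityhub:us-east-1::product/aws/securityhub"
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {
        "findings": [
            {"Id": "arn:aws:securityhub:us-east-1:111111111111:finding/sandbox-1",
             "ProductArn": _PRODUCT_ARN, "AwsAccountId": "111111111111",
             "Severity": {"Label": "CRITICAL"}},
            {"Id": "arn:aws:securityhub:us-east-1:333333333333:finding/prod-1",
             "ProductArn": _PRODUCT_ARN, "AwsAccountId": "333333333333",
             "Severity": {"Label": "CRITICAL"}},
            {"Id": "arn:aws:securityhub:us-east-1:111111111111:finding/sandbox-2",
             "ProductArn": _PRODUCT_ARN, "AwsAccountId": "111111111111",
             "Severity": {"Label": "LOW"}},
        ]
    },
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None, client=DryRunClient()))
```

Downgrading the label rather than setting the workflow status to SUPPRESSED keeps the finding visible on the dashboard at the level the organisation actually assigns it, which matches the reviewer's S3 example. Because the imported-findings event also fires when a finding is updated, the policy deliberately has no entry for the target labels, so the function's second pass over its own update changes nothing.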
What's my experience with pricing, setup cost, and licensing?
Security Hub is not an expensive solution. Security Hub is a free AWS product included in the subscription.
What other advice do I have?
Overall, I would rate the solution a six out of ten. Security Hub is a good starting point for security monitoring and management but not the end solution. Unless AWS adds major features, becoming more like a SIEM tool, organizations can't fully rely on it. It lacks the full capabilities of a SIEM, forcing reliance on other paid solutions. That's the biggest drawback right now.
Disclosure: I am a real user, and this review is based on my own experience and opinions.