Zero to Value – Alert Logic SIEMless Threat Management and AWS

Securing your AWS workload can mean many different things, ranging from locking down your environment via the AWS best practices list, to completely outsourcing the security management and responsibility to another company.  While every company’s security journey is different, everyone can agree that the need to monitor and improve security posture is becoming increasingly important.

One of the recurring themes I come across when talking with customers is, “What do we need to be secure, and what’s the timeline on value?”  Sometimes the needs of those companies are clear cut—compliance comes to mind here, as it’s very prescriptive.  Other times I find myself in more of a trusted advisor role, and I always have a few points I use to guide our discussion:

  • You can’t protect the assets you don’t know about—especially in AWS where you can have many “hands in the cookie jar” when it comes to users.
  • It’s not a matter of if, but when.  No matter how prepared and security-minded you are, you will experience some type of security issue in your environment. 
  • You need to be as proactive as possible. The best cloud security is a good offense, and that means hardening your environment’s security posture as much as possible.
  • When something does happen, reaction time matters. You need to stop the incident as quickly as possible.
  • Afterward, you’re going to need to investigate the situation, and you can only do that if your records and evidence are 100 percent intact and unchangeable.

Alert Logic’s SIEMless Threat Management platform hits on all of these pieces, and also provides extremely quick time-to-value—with customers able to get from zero to up-and-running in as little as 30-60 minutes with technologies like: intrusion detection (IDS), log ingestion/management, automatic vulnerability scanning, visual environmental topology maps, and AWS environment configuration hardening.

We’ve put our experience with AWS to work here to make it easy on customers to deploy–the hard parts are covered.  All appliances and underlying infrastructure deployments are automated, with the option for customers to dictate specific placement of key security infrastructure.  Internal scanning is pre-scheduled to run automatically and scan all assets in your environment, and the assets list is constantly updated by leveraging AWS native services like CloudTrail logs and API describe calls—ensuring that your visibility and knowledge of your current environmental architecture are comprehensive.  We’ve even made the solution available via AWS Marketplace so you can buy, deploy, and gain security insight and value in under an hour.

Deploy SIEMless Threat Management in your AWS Environment

Once you have access to the Alert Logic UI (user interface), you’re ready to start deploying into your AWS environment.  If you’ve got more than one AWS account, no worries—we support that without issue and don’t license based on the number of AWS accounts.  You’ll automatically be routed to the “Deployments” page and will be prompted to set up your first deployment. 

A deployment is how Alert Logic logically separates each of your AWS accounts (Azure accounts and on-premise deployments are also supported, all through the same UI).  You only need one deployment per AWS account, but you can also split a single account into multiple deployments, for example if several separate business units share one account, or if your environments are divided by VPC and you would like the insights for dev and production kept separate.

Once you enter a deployment name, you’ll be prompted to choose a deployment method—either automatic or manual.  With automatic mode, Alert Logic deploys a subnet to hold our security infrastructure and automatically places the necessary IDS (intrusion detection system) appliance into it in a self-healing, auto-scaling group of one.  We also set up the necessary routing and Security Group (SG) rules to allow the appliance to function properly.  Manual mode still does most of the heavy lifting in regard to the necessary routing and SG rules, but allows you to choose a pre-existing subnet to place the IDS appliance into.

The deployment and deep ties to AWS services are achieved by setting up an IAM (identity and access management) third-party cross-account role.  You can think of this as a documented set of permissions defined in your AWS account that allows Alert Logic’s AWS account access to certain services, data points, and metrics.  Most customers will want to use the CloudFormation Template (CFT) available in the UI to automate the creation of this IAM Role and the IAM Policy Document that defines the individual permissions, but a manual option also exists if you’d like to get more familiar with the inner workings of AWS’ Identity and Access Management (IAM) service.  Regardless of the option you choose, the output will be an Amazon Role ARN (Amazon Resource Name).

The AWS Role ARN is pasted back into the Alert Logic UI and enables the automatic API discovery process.  During this 3-10-minute phase we’re making a number of AWS API describe calls to learn about your environment so that we can build out the first draft of your environmental asset model.  If you watch the UI you can actually see the discovery of your regions, VPCs and subnets in real-time.
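Before pasting a cross-account role ARN back into any vendor UI, it is worth checking that the role's trust policy only lets the expected account assume it (with an External ID) and that its permissions are limited to describe/read calls. The check below is an added example, not Alert Logic's template or code; the vendor account id and External ID are placeholders and both policies are constructed samples.

```python
import json
import re

# Constructed sample trust policy: the shape a third-party cross-account role uses.
# The vendor account id and External ID are placeholders, not real values.
TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # vendor account (placeholder)
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]})

# Constructed sample permissions policy attached to the role: describe/read calls only.
PERMISSIONS_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:Describe*", "cloudtrail:LookupEvents", "iam:GetAccountSummary"],
    "Resource": "*"}]})

READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Lookup")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_findings(policy_json, expected_account):
    """Problems with a cross-account trust policy (empty list means it looks sane):
    only the expected account root may assume the role, only via sts:AssumeRole,
    and an sts:ExternalId condition must be present (confused-deputy mitigation)."""
    findings = []
    for s in _as_list(json.loads(policy_json)["Statement"]):
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal", {})
        aws = principal.get("AWS", "*") if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            m = re.match(r"arn:aws:iam::(\d{12}):root$", str(p))
            if not m or m.group(1) != expected_account:
                findings.append(f"unexpected principal: {p}")
        if any(a != "sts:AssumeRole" for a in _as_list(s.get("Action", []))):
            findings.append(f"actions beyond sts:AssumeRole: {s.get('Action')}")
        if not s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("no sts:ExternalId condition")
    return findings

def non_readonly_actions(policy_json):
    """Actions in the permissions policy that are not describe/list/get style reads."""
    bad = []
    for s in _as_list(json.loads(policy_json)["Statement"]):
        if s.get("Effect") != "Allow":
            continue
        for action in _as_list(s.get("Action", [])):
            operation = action.split(":", 1)[-1]   # strip the service prefix
            if not operation.startswith(READ_ONLY_PREFIXES):
                bad.append(action)
    return bad
```

Run the two functions against the trust and permissions policies exported from the CloudFormation stack (or the IAM console) and treat any finding as a reason to review the template before proceeding.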

Setting a Scope

On the Scope of Protection page in the UI, you’re presented with a visualization of your AWS Regions and VPCs. This is where we decide what assets you’d like to protect and what level of protection you assign to assets based on VPCs.  Clicking on an individual VPC will give you the option to leave it either unprotected, or the choice of either Alert Logic Essentials or Professional level coverage.  You also have the choice to define coverage at the Region level.


SIEMless Threat Management Essentials Level Coverage

The Alert Logic SIEMless Threat Management Essentials level of coverage provides you with AWS account configuration hardening checks, a visual topology model of your environment, and once-daily automatic internal vulnerability scans of your in-scope EC2 instances. 

The Essentials vulnerability scans leverage an EC2 appliance per VPC to conduct the daily scans, but also utilize a scale-to-zero feature that terminates the scan appliance once it has finished scanning to save on EC2 runtime costs.

We also have an optional Amazon GuardDuty integration that enhances the default GuardDuty findings with asset model information collected from your environment as well as both short- and long-term remediation suggestions.

The visual topology model and AWS account configuration hardening remediations are available immediately after finishing the deployment in the Alert Logic UI. The vulnerability scanning appliance will also spin up and commence scanning.  The scan findings are usually available a few hours after the initial deployment.

SIEMless Threat Management Professional Level Coverage

For customers looking for more insight via IDS and log ingestion/log management we have the Alert Logic SIEMless Threat Management Professional level of coverage.  This includes all the features of the Essentials level (topology map, vulnerability scanning, GuardDuty, and config checks) and also adds in real-time network-based intrusion detection as well as log ingestion and alerting of nefarious activity found in both network traffic and logs.

The deployment process is very similar to the Essentials level of coverage. Basically, you choose the Professional level of coverage for one or more VPCs or a region.  This will trigger an IDS appliance per in-use Availability Zone (AZ) in addition to the auto-terminating daily scan appliances.  Once you’ve completed the scope settings, the only thing left to do is install the Alert Logic agent to enable the ingestion of network traffic and host logs.

The Alert Logic Agent

The Alert Logic agent is a lightweight “dumb” agent with two main jobs.  First, it makes a copy of all of the network traffic flowing across your EC2 instance and sends it to the IDS appliance in your environment.  Second, it takes a copy of your system logs, compresses and encrypts them, and then ships them directly back to Alert Logic’s data center where they are stored securely, parsed, and made available to you 24/7 via the online user interface.

The agent is available for both Windows and Linux instances and can be installed manually, via the EC2 boot argument, or via popular automation tools like Salt, Puppet, or Chef.

Once the agent is installed and started it automatically recognizes that it’s in your environment and routes traffic to the most logical IDS appliance and transmits log messages back to Alert Logic.

Alert Logic SOC Provides Cybersecurity Experts Behind the Scenes

In regard to the network side of the solution, once the traffic gets to the IDS appliance it undergoes a first-pass analysis to see if there’s anything interesting from a security standpoint.  Only the “interesting” packets are then compressed, encrypted, and shipped back to Alert Logic for further correlation and analysis.  Events or groups of events that warrant your attention are turned into security incidents and are then escalated via phone or email (all escalation preferences are customizable).  All incidents are escalated within a 15-minute SLA (service level agreement).

Incidents come in four varieties: low, medium, high, and critical.  Low and medium incidents are automatically escalated via email.  Any high or critical level incidents are reviewed by an Alert Logic Security Operations Center (SOC) analyst (Yes. A real human!).  Analysts are able to weed out false positives and use contextual knowledge of your environment to add incident notes or recommendations before escalating the incident to you or your team via phone.

All Alert Logic solutions include no-cost, unlimited, 24/7 support via both phone and email—so help or security insight is only a call or click away. This really allows you to expand your team by leveraging Alert Logic’s experts, and ensures you have a leg up on both daily operational security as well as unexpected incidents most companies will statistically face in the upcoming years.

As I mentioned earlier in the post, the best defense is a good security offense and the ability to investigate those unforeseen security incidents.  By patching hosts with the data from the daily scans, hardening your environment with the configuration check information, and monitoring logs and network traffic, you can ensure you’re taking the proper steps for securing AWS workloads.

About the Author

James Hastings

James Hastings is a Product Solutions Architect with Alert Logic.  He specializes in AWS deployments and mixed cloud environments.  In his spare time he enjoys tinkering with home automation products, cooking, and practicing his auto mechanic skills.


*** This is a Security Bloggers Network syndicated blog from Alert Logic - Blogs Feed authored by James Hastings. Read the original post at: https://blog.alertlogic.com/zero-to-value-alert-logic-siemless-threat-management-and-aws/