SBN

NDR for AWS Well-Architected

By Roger Cheeks, US-East Sales Engineer, Corelight

Corelight is a powerful network traffic analysis tool that enables network detection and response (NDR) for AWS Cloud workloads by receiving packets from an AWS Virtual Private Cloud (VPC) traffic mirror and cloud packet brokers. Corelight extracts security rich metadata, generates actionable security alerts and exports the metadata and insights to SIEMs and other analytic tools. Corelight can improve operational excellence, performance, reliability, cost effectiveness, and security results in the AWS cloud according to the AWS Well-Architected Framework. 

Operational Excellence

Corelight can be easily integrated into workflows for operational excellence. The Corelight Cloud Sensor Amazon Machine Image (AMI) can be initiated, configured, and deployed with CloudFormation. The Corelight Sensor can also be managed programmatically with the Corelight command line client and a RESTful API. These capabilities allow organizations to expand DevSecOps capabilities. Additionally, Corelight Fleet Manager can be used to deploy, manage and operate Corelight Sensors that monitor your public cloud, private cloud and corporate infrastructure.

Security

The security pillar is where Corelight truly shines within the Well-Architected Framework. Corelight expands network visibility far beyond VPC flow with insightful and durable security metadata that accelerates incident response and investigations. Corelight logs can be used for advanced detective controls not available from flow or end points logs and allow for auditing of network access-lists and security groups. Corelight Fleet Manager can integrate with the organization RBAC and the sensor can be limited to IAM roles to allow least privilege access. Corelight Sensors ensure that all the security telemetry data is encrypted at rest and in transit.

Reliability

Corelight Sensors support high availability (HA) for receiving and exporting data. HA for inbound packets can be set up using AWS EC2 network load balancer (NLB). Both active/passive and active/active (3rd party solutions required) options are available. Corelight Sensors feature fork and filter export with up to five streaming exports each capable of an individual filter. Rapid recovery or scaling of Corelight Sensors can be handled using Cloud Formation.

Performance Efficiency

Corelight Sensors support a broad range of EC2 instance types and sizes. The sensors have native integration with AWS Simple Storage Service and AWS Kinesis data streams. Traffic mirroring may be deployed globally across EC2 instances within minutes and a large number of Corelight Sensors may be deployed behind a Network Load Balancer to allow for almost limitless scale. The sensors stream monitoring metrics to CloudWatch for real-time reporting of performance challenges and bottlenecks.

Cost Optimization

Corelight Sensors make cost optimization easy with zero cost HA options and capacity-based pricing. Corelight Sensors can be deployed as an IaaS VM within a VPC – this keeps the traffic localized to the VPC (eliminating peering costs) and only exports logs to a centralized data store. Take advantage of Corelight’s data reduction packages and preferred SIEM pricing for certain log types to lower SIEM data ingestion costs. 

Corelight is a great network detection and response solution for AWS workloads. Corelight Sensors add significant capabilities in a Well-Architected Framework. There are Corelight physical appliances, and virtual appliances that can work in parallel to the Corelight Cloud Sensor in EC2. These form factors enable unmatched network visibility for cloud and hybrid cloud infrastructures.

For more information on how to implement network detection and response in AWS, please join our webinar


*** This is a Security Bloggers Network syndicated blog from Bright Ideas Blog authored by Roger Cheeks. Read the original post at: https://corelight.blog/2020/08/06/ndr-for-aws-well-architected/