Security is a whole lot like quantum mechanics. It’s rife with uncertainty and you can’t observe your infrastructure without affecting it. Following this analogy, it’s vital to have a system that can cut through the noise and signal to provide value. Today I’m going to take a look at how different types of tools can impact an environment and how to ease that burden. Since we need some kind of tooling to monitor the environment, let’s think about the different types: passive and active, each of which could operate on the network, host, or platform layer. Let’s talk a little bit about those in general and then we’ll take a look at how Alert Logic approaches in the cloud, specifically AWS to streamline and simplify deployment of security tools.
Examples of passive methods are SPAN (switch port analyzer) port traffic monitoring for NIDS (network intrusion detection systems) or collection CloudTrail logs from AWS. In both of these examples, some initial configuration is required, but the ongoing impact and maintenance are typically minimal. The big advantage with passive tools is providing a rich dataset for detective controls and a low likelihood of breaking anything.
WAF’s (web application firewalls), traditional firewalls, VA (vulnerability assessment) scanners and IPS (intrusion prevention systems) are active solutions. You either need to set up an appliance or use a cloud-based solution to filter traffic or run scans. An inline technology will either send network traffic through one path on to its destination or drop it. Inline technologies are great blocking known-bad traffic but have the habit of getting into trouble in production with false positives on gray area traffic.
Finally, let’s investigate host-based tools. With a host-based tool, you are putting a piece of software—an agent—on a host such as a virtual machine or a container. Agents can do all sorts of things like vulnerability detection, log collection, FIM (file integrity monitoring), and more. Agents can be either active or passive. For example, an agent could simply collect log data, or it could actively isolate a host. While they can do all sorts of cool stuff, there is a huge variance on ease of deployment and impact on the monitored host.
Alert Logic SIEMless Threat Management
Let’s take a look at how Alert Logic approaches monitoring within AWS. In the Essential tier of our SIEMless Threat Management offerings, we use both active and passive cybersecurity tactics (network internal, external and PCI vulnerability scans, asset discovery, AWS CloudTrail collection), and for the Professional tier we add additional passive monitoring (NIDS, server log collection) to enable 24x7 monitoring by our SOC (security operations center). On the passive side, we use a role to collect Cloudtrail logs for security/asset discovery along with integration with GuardDuty and Security Hub. We use agents to collect host log data off the individual EC2 instances. Uniquely, we also use the agent to mirror network traffic from each individual EC2 instance. In the case of containers, we have a containerized agent that performs the same function, collecting log data and giving visibility into all container network traffic with Docker / Kubernetes metadata. This network traffic from agent-to-appliance is how we provide technology parity in hybrid deployments while taking advantage of unique characteristics of platforms such as AWS or Docker.
Operationally, you want to make sure that the agent is as low impact as possible, both in terms of resource utilization and deployment. The Alert Logic agent and container agent are both lightweight agents that are focused on offloading as much processing work to the appliances as possible. Today, that means that all network data is simply copied and sent to the appliance, and all syslog / file logs / Windows Event Log data is sent directly back to Alert Logic. We typically observe low single-digit percentage resource utilization on the underlying base host. In the near future, we will also be adding further host-based monitoring capabilities to the agent which will not add significant resource utilization, as correlation is offloaded to Alert Logic in the cloud.
Deploying SIEMless Threat Management
Deployment can be achieved in either an automated or manual mode. In the automated mode, you select which regions or VPC’s you want to cover, and Alert Logic will automatically deploy appliances in the appropriate Availability Zones only when they are needed, and then scale them down when they are no longer necessary. In the screenshot below, you can see how different parts of your environment can be protected at different levels simply by toggling the mode as seen in the screenshot. Agents can be either baked into the image you are using or deployed using orchestration tools such as Chef, Puppet, or Kubernetes. These agents will then automatically configure themselves to communicate with the appropriate appliances, whether you choose to automate appliance deployment or not.
If you do not want Alert Logic automation to manage the deployment of appliances, you have the option to manually deploy the appliances. We will share the appliance AMI (application management interface) with you so that you can easily configure it where you would like. Even in the manual deployment mode, the appliance will still configure itself, and agents will still bind themselves to the correct appliance within the environment.
Simplify and Streamline Cybersecurity
When selecting security tooling, it’s vital to balance your security needs against the effort of deployment. All too often, the difficulty of deployment results in security solutions not being fully deployed. In order to get deep visibility without a lot of operational impact on the host, on the network, and at the platform level, it’s critical to ensure that configuration remains easy as possible.