Cloud Posture and Threat Analytics with Cisco Secure Cloud Analytics
By Rémi Vacher, Technical Solutions Architect – Cisco Secure Workload & Analytics
By Muffadal Quettawala, Sr. Partner Solutions Architect – AWS
Organizations are challenged in their journey to the cloud in different ways. Many are just starting their on-premises migration of workloads to the cloud, while others have mature cloud experts with deployments in serverless and containerized production environments.
As organizations continue to adopt Amazon Web Services (AWS), their risk footprint increases from both an infrastructure and network perspective as it relates to compliance posturing, configuration risk, and network threats.
Organizations should be as concerned about the network itself as they are about the configuration of the infrastructure and platform.
You could theoretically be 100 percent compliant with a given regulatory or best-practices standard, but if a zero-day vulnerability on an exposed workload is exploited, or if credentials to sensitive workloads are placed in a public repository, a motivated attacker can get front-door access to your assets.
Cisco Secure Cloud Analytics helps organizations across a variety of maturity phases related to compliance, risk, and network threats by providing:
- Inventory of resources and services consumed by their workloads on AWS.
- Risk exposure of their workloads.
- Automated detection and alerting of network-based threats.
- Custom segmentation rules and alerting.
In this post, you will learn about the integration between AWS and Secure Cloud Analytics, a SaaS-delivered Network Detection and Response (NDR) offering from Cisco that monitors multi-cloud and hybrid environments for threats and policy violations and provides comprehensive visibility for any environment.
Additionally, you’ll see how easy it is to configure your AWS environment with Secure Cloud Analytics and begin modeling public cloud traffic for suspicious behavior and other threats.
Cisco Secure Cloud Analytics has a multi-layered approach that provides a holistic view of your workload security posture on AWS. It does this by utilizing network telemetry as a sensor to protect cloud workloads.
Figure 1 – Cisco Secure Cloud Analytics engine.
Secure Cloud Analytics has native integrations with AWS security and networking telemetry services, including VPC Flow Logs, AWS CloudTrail, Amazon GuardDuty, AWS Identity and Access Management (IAM), AWS Config, Amazon Inspector, and AWS Lambda.
Using these telemetry sources, Secure Cloud Analytics models the behavior of all known entities on the network over time, allowing it to flag alerts on any anomalies. This machine learning technique is called Dynamic Entity Modeling.
Secure Cloud Analytics also leverages Cisco Talos, the largest non-governmental threat intelligence organization in the world, to alert on interaction with known Tor (The Onion Router) doorways, malicious IPs or domains, and other known Indicators of Compromise (IoCs).
Figure 2 – Accessing telemetry for AWS deployments.
Secure Cloud Analytics learns and assesses your public cloud security posture immediately and provides over 80 percent of alerts within 14 days of deployment, with the rest following soon after. The alerts are grouped into different roles out of the box.
Secure Cloud Analytics uses the Cyber Kill Chain and the MITRE ATT&CK framework to provide curated alerts conforming to industry-wide compliance standards. One such example: if an AWS workload that has never talked to the internet suddenly starts doing so, Secure Cloud Analytics detects the change and alerts the user.
Secure Cloud Analytics is compatible with on-premises as well as multi-cloud environments, and it presents a unified network compliance assurance dashboard for cross-infrastructure visibility. Additionally, easy integrations into SIEM/SOAR platforms such as Splunk enable the SecOps team to quickly take action and remediate security alerts and observations.
The figure below illustrates how Secure Cloud Analytics is able to provide detections in a layered approach in a primary and secondary assurance framework, protecting you throughout a threat manifestation.
Figure 3 – How Secure Cloud Analytics helps.
With a few simple clicks, Secure Cloud Analytics begins to read telemetry from your AWS environment. Here’s how to set up this service with your AWS environment.
In your AWS account:
- Enable VPC Flow Logs from your AWS console in the VPCs you would like to protect.
- Select an IAM role that has permissions to publish the VPC Flow Logs to an Amazon CloudWatch Logs log group.
- Create an AWS cross-account IAM role with a policy that grants Secure Cloud Analytics least-privilege access into your AWS account. The permissions policy, the Secure Cloud Analytics account ID, and the external ID are available from your Secure Cloud Analytics portal.
In your portal:
- Add the AWS cross-account IAM role ARN into the Settings > Integrations > AWS > Credentials tab.
- Add the VPC Flow Logs group name in Settings > Integrations > AWS > VPC Flow Logs.
Figure 4 – Integrating AWS with Secure Cloud Analytics.
According to ESG’s 2020 whitepaper Network Traffic Analysis (NTA): A Cybersecurity ‘Quick Win’, over 80 percent of web traffic is encrypted today.
Secure Cloud Analytics can now use NetFlow to detect threats that may be hiding in encrypted traffic. This means the solution can detect threats without active decryption or packet inspection.
By using telemetry generated by networking devices such as the Cisco CSRv available on AWS Marketplace, Secure Cloud Analytics provides additional context and details based on cryptographic information and packet sequence.
Figure 5 – Encrypted Traffic Analytics with Secure Cloud Analytics.
Secure Cloud Analytics customers can leverage enhanced telemetry generated by an ETA-capable exporter to generate alerts through enhanced NetFlow and other cryptographic packet details.
Some of the core benefits of this integration include:
- Confirmed threat detection: Secure Cloud Analytics’ cloud-based machine learning engine uses a variety of learning techniques and statistical modeling to determine malicious domains and threats across the world.
- High-fidelity threat detection in encrypted traffic: Secure Cloud Analytics analyzes network behavior and detects threats, even if they are hiding in encrypted traffic. ETA looks into attributes like the Initial Data Packet (IDP) and the Sequence of Packet Lengths and Times (SPLT) to detect encrypted malware.
- Cryptographic compliance: Secure Cloud Analytics offers an “Encrypted Traffic” report that displays various encryption parameters like protocol algorithm, message authentication code (MAC), and more.
- Effective threat response: The “Confirmed Threat Watchlist Hit” alert not only provides information about the threat and what is infected, but also provides a list of steps that can be taken to remediate the threat.
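To make concrete what ETA inspects without decrypting anything, here is an added example (not code from the post, and not Cisco's exporter format) that extracts the two attributes named above, IDP and SPLT, from a constructed TLS flow: the IDP is read as a TLS record header, and the SPLT is the ordered list of signed payload lengths and inter-arrival times that behavioral classifiers consume.

```python
"""Extract IDP and SPLT features from a constructed TLS flow.
Added example; the packets below are made up, and the feature layout is a
simplified illustration rather than the ETA exporter's actual encoding."""
from typing import List, Tuple

def tls_record(content_type: int, version: bytes, body: bytes) -> bytes:
    """Build a TLS record: type (1), version (2), length (2), body."""
    return bytes([content_type]) + version + len(body).to_bytes(2, "big") + body

# Constructed packets: (timestamp_seconds, direction, payload). Directions are
# 'c2s' (client to server) and 's2c' (server to client).
SAMPLE_FLOW = [
    (0.000, "c2s", tls_record(0x16, b"\x03\x01", b"\x01" + b"\x00" * 199)),   # ClientHello
    (0.021, "s2c", tls_record(0x16, b"\x03\x03", b"\x02" + b"\x00" * 1399)),  # ServerHello...
    (0.024, "c2s", tls_record(0x16, b"\x03\x03", b"\x10" + b"\x00" * 57)),    # ClientKeyExchange
    (0.030, "c2s", tls_record(0x17, b"\x03\x03", b"\x00" * 512)),             # application data
]

def initial_data_packet(flow) -> dict:
    """IDP: the first payload-carrying packet, parsed as a TLS record header.
    For a handshake record the first body byte is the handshake message type."""
    for _, direction, payload in flow:
        if len(payload) >= 5:
            content_type = payload[0]
            handshake_type = payload[5] if content_type == 0x16 and len(payload) > 5 else None
            return {"direction": direction, "content_type": content_type,
                    "record_version": (payload[1], payload[2]),
                    "handshake_type": handshake_type}
    return {}

def splt(flow, max_packets: int = 10) -> List[Tuple[int, float]]:
    """SPLT: for the first max_packets payload-carrying packets, the payload
    length signed by direction (positive c2s, negative s2c) and the time since
    the previous packet in seconds."""
    features = []
    prev_ts = None
    for ts, direction, payload in flow:
        if not payload:
            continue
        if len(features) == max_packets:
            break
        length = len(payload) if direction == "c2s" else -len(payload)
        delta = 0.0 if prev_ts is None else round(ts - prev_ts, 3)
        features.append((length, delta))
        prev_ts = ts
    return features
```

The sign and timing pattern (small client record, large server burst, then client data) is exactly the kind of shape a classifier scores, and it is available to the exporter whether or not the payload is readable.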
Customer Success Story
Aspire Technology Partners is a premier technology services firm specializing in the delivery of digital infrastructure solutions and managed services.
After an endpoint security solution started to notice infected devices, their Security Operations Center team became wary that there might be a large-scale breach. After an Incident Response team was deployed and failed to contain the threat, Aspire decided to configure Secure Cloud Analytics to monitor the network's behavior rather than rely only on red flags from the agent-based endpoint solution.
Within two hours, Secure Cloud Analytics was deployed on the organization's private network and used to identify the malware's foothold and stop the malware dead in its tracks.
Cisco is working to redefine what posturing and compliance means in the public cloud. Your organization’s footprint in the cloud grows rapidly, and your business is investing more in the public cloud than ever before.
Organizations must take a layered approach to detection and assurance. Secure Cloud Analytics supports these ongoing initiatives and helps you stay confident in your public cloud resources.
Cisco Stealthwatch Cloud – AWS Partner Spotlight
Cisco Stealthwatch Cloud is an AWS Competency Partner whose security and network visibility analytics tool consumes VPC Flow Logs to deliver high-precision, low-noise alerts.