Network detection and response at scale with ExtraHop and AWS Control Tower
When customers are transitioning to the cloud, the network and security teams have a standard set of goals: build a secure, reliable, scalable network topology. They achieve these goals by creating multiple Amazon Virtual Private Cloud (Amazon VPC) instances across multiple AWS accounts to provide permissions boundaries and isolate workloads from each other. While robust, this approach creates a need to monitor a large amount of VPC traffic without disrupting workload operation or performance across different AWS accounts. To meet this need, ExtraHop has developed an integration with AWS Control Tower. This integration enables you to plug ExtraHop’s cloud-native network detection and response (NDR) security solution into any number of VPCs and centralize network traffic monitoring to a single location.
ExtraHop Reveal(x) 360 is a SaaS-based enterprise network security platform that enables you to monitor on-premises and cloud resources. It gives you full visibility with minimal management overhead and enables workloads to operate at maximum performance. With Reveal(x) 360, you can reduce network blind spots, detect lateral movement on the network, respond quickly to threats, and monitor supply chains for attacks.
The following solution architecture diagram provides an overview of ExtraHop’s usage of AWS services. To enable the ExtraHop Reveal(x) 360 integration with AWS Control Tower, complete the following steps:
- Subscribe to the ExtraHop listings in AWS Marketplace.
- Deploy the ExtraHop-ControlTower-Lifecycle AWS CloudFormation (CloudFormation) stack in the AWS Control Tower management account.
- Enroll AWS accounts in AWS Control Tower management, which creates a CloudFormation StackSet instance based on the type of account enrolled.
The following diagram shows the ExtraHop Reveal(x) 360 Solution Deployment. The AWS Control Tower management account contains the automation to build the initial ExtraHop infrastructure and workload integration resources. It deploys resources into both the Network Monitoring and Workload accounts.
The following diagram shows the Reveal(x) 360 sensor residing in the network monitoring account, with a traffic mirror target for deployed EC2 and Amazon ECS workloads. This account also contains the automation that manages the Reveal(x) 360 resources. Amazon EventBridge rules are deployed into the workload accounts to trigger the ExtraHop Automation workflows.
The complete Reveal(x) 360 Architecture is here.
Following is a high-level description of each ExtraHop and AWS prerequisite required to use ExtraHop Reveal(x) 360 with AWS Control Tower.
Following are AWS-related prerequisites:
- AWS Control Tower: To get started with AWS Control Tower, check out the Getting Started guide. This blog post assumes you have disabled AWS Control Tower VPC creation for new accounts created by Account Factory.
- IP address space management: The ExtraHop sensor in the network monitoring account is an Amazon EC2 instance that will be created in a new VPC. This ExtraHop VPC will connect to your workload VPCs, which requires that CIDRs between peered VPCs not overlap. This blog post assumes you are able to identify a CIDR to assign the ExtraHop VPC that will not conflict with workload VPCs in your workload AWS accounts.
- Service quotas: Your ExtraHop VPC needs connectivity to workload VPCs to enable ingestion of mirrored network traffic. While it is possible to use AWS Transit Gateway for this purpose, it is preferable to use VPC peering connections to optimize costs, as AWS does not charge for same-AZ traffic between two VPCs. If you have more than five workload VPCs to peer with the ExtraHop VPC, you should increase the service quota “active peering connections per VPC.”
- AWS Marketplace and AWS License Manager: To enable automatic Reveal(x) 360 sensor provisioning, AWS Control Tower member accounts must be entitled to use the AWS Marketplace subscriptions entered into by the AWS Control Tower management account. Your ExtraHop network monitoring account is entitled to deploy Reveal(x) 360 sensors via a distributed grant from AWS License Manager. Integrating AWS Organizations with both AWS Marketplace and AWS License Manager enables the ExtraHop-ControlTower-Lifecycle AWS Lambda (Lambda) function to create and activate the needed grants.
- Organizations and RAM: This blog will use AWS Resource Access Manager (AWS RAM) to ensure your ExtraHop traffic mirror target is properly shared to all workload accounts. Verify you have enabled RAM sharing with AWS Organizations.
Following are ExtraHop-related prerequisites:
- AWS Marketplace subscriptions: You must subscribe to the ExtraHop listing in AWS Marketplace for the sensor size you will deploy.
- Active tenant: If you do not already have a Reveal(x) 360 tenant, then you can sign up for a free trial via the SaaS NDR AWS Marketplace listing to get one provisioned.
- User account: Once your tenant is provisioned, you must create a user account to view all packet analysis and threat detection results in the Reveal(x) 360 console.
- REST API credentials: To provide context to Security Operations Center (SOC) analysts, ExtraHop automation will synchronize Amazon EC2 inventory and detection data to or from Reveal(x) 360 using the Reveal(x) 360 REST API. You must have separate API credentials to synchronize metadata and detection data.
Solution walkthrough: Network detection and response at scale with ExtraHop and AWS Control Tower
A. Prepare and create accounts
The CloudFormation stack you deploy in the AWS Control Tower management account includes a Lambda function that will act on accounts created using Account Factory. This creates the necessary resources to onboard them to your Reveal(x) 360 deployment.
1. Create the ExtraHop-ControlTower-Lifecycle stack
You must use CloudFormation to deploy the ExtraHop-ControlTower-Lifecycle stack, which lays the foundation for your Reveal(x) 360 deployment. This stack includes a Lambda function that processes the AWS Control Tower lifecycle events. It also creates two CloudFormation StackSets that create the relevant AWS resources in your network monitoring account and workload accounts. Refer to the solution architecture diagram for a high-level overview of these AWS resources and how they interact with each other. To create the stack:
- Sign in to the AWS Management Console using your AWS Control Tower management account. Search for the CloudFormation service. Choose Create stack, then With new resources (standard).
- To Specify template, enter the following Amazon S3 URL:
- The stack name should be ExtraHop-ControlTower-Lifecycle, and most users should use the suggested default parameter settings.
- To create the stack and configure stack options, choose Next. No custom stack options are needed. To review selections and create stack, choose Next.
2. Use Account Factory to vend a new network monitoring account
- Sign in to the AWS Management Console using your AWS Control Tower management account and search for the AWS Control Tower service.
- On the Account Factory page, choose Enroll account. Enter the following parameters for this dedicated ExtraHop network monitoring account.
Recommended new account parameters:

| Parameter | Value |
| --- | --- |
| Account email | An email address like firstname.lastname@example.org |
| Display name | Must be ExtraHop-NetworkMonitoring |
| AWS Single Sign-On (SSO) user email | The AWS Control Tower management account's AWS SSO user email address |
| AWS SSO user name | The AWS Control Tower management account's AWS SSO user first and last name |
| Organizational unit | Must be an OU that is already enrolled in AWS Control Tower |

During this enrollment process, the ExtraHop-ControlTower-Lifecycle Lambda function processes the CreateManagedAccount event and creates the ExtraHop-NetworkMonitoring-Account CloudFormation StackSet instance in the network monitoring account.
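To make the lifecycle step concrete, here is an added example (not ExtraHop's ExtraHop-ControlTower-Lifecycle code) of a Lambda handler that performs the routing decision the post describes: it consumes an AWS Control Tower CreateManagedAccount lifecycle event and creates a StackSet instance chosen by account type. Assumptions not taken from the post: the event shape is the standard Control Tower lifecycle event delivered via Amazon EventBridge (CloudTrail service event), the network monitoring account is recognised by its display name (the post requires ExtraHop-NetworkMonitoring), and the StackSet names follow the post's ExtraHop-NetworkMonitoring-Account / ExtraHop-Workload-Account naming. The `cfn` parameter lets a recording client be injected so the handler can be exercised offline; the account id in the sample event is constructed.

```python
import os

# Names from the post; the display name is what the post requires for the
# dedicated network monitoring account.
NETWORK_MONITORING_ACCOUNT_NAME = "ExtraHop-NetworkMonitoring"
STACKSET_NETWORK_MONITORING = "ExtraHop-NetworkMonitoring-Account"
STACKSET_WORKLOAD = "ExtraHop-Workload-Account"


def make_event(account_id, account_name, state="SUCCEEDED"):
    """Build a Control Tower CreateManagedAccount lifecycle event (assumed
    EventBridge shape; the ids passed in are constructed sample values)."""
    return {
        "detail-type": "AWS Service Event via CloudTrail",
        "source": "aws.controltower",
        "detail": {
            "eventName": "CreateManagedAccount",
            "serviceEventDetails": {
                "createManagedAccountStatus": {
                    "state": state,
                    "account": {"accountId": account_id, "accountName": account_name},
                }
            },
        },
    }


def parse_lifecycle_event(event):
    """Return (account_id, account_name) for a successful CreateManagedAccount
    event, or None when the event is not one this handler should act on."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateManagedAccount":
        return None
    status = detail.get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    if status.get("state") != "SUCCEEDED":
        return None  # failed or in-progress enrollments get no StackSet instance
    account = status.get("account", {})
    account_id, account_name = account.get("accountId"), account.get("accountName")
    if not account_id or not account_name:
        return None
    return account_id, account_name


def choose_stackset(account_name):
    """Network monitoring account gets the sensor StackSet; everything else is a workload."""
    if account_name == NETWORK_MONITORING_ACCOUNT_NAME:
        return STACKSET_NETWORK_MONITORING
    return STACKSET_WORKLOAD


class RecordingCloudFormation:
    """Stand-in for boto3's CloudFormation client, used for offline runs."""

    def __init__(self):
        self.calls = []

    def create_stack_instances(self, **kwargs):
        self.calls.append(kwargs)
        return {"OperationId": "op-constructed-%d" % len(self.calls)}


def handler(event, context=None, cfn=None, region=None):
    """Lambda entry point. Without an injected `cfn`, a real boto3 client is used
    (this requires AWS credentials and the StackSets to already exist)."""
    parsed = parse_lifecycle_event(event)
    if parsed is None:
        return {"action": "ignored"}
    account_id, account_name = parsed
    stackset = choose_stackset(account_name)
    region = region or os.environ.get("AWS_REGION", "us-east-1")
    if cfn is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        cfn = boto3.client("cloudformation")
    resp = cfn.create_stack_instances(
        StackSetName=stackset, Accounts=[account_id], Regions=[region])
    return {"action": "create_stack_instances", "stackset": stackset,
            "account": account_id, "region": region,
            "operation_id": resp.get("OperationId")}


if __name__ == "__main__":
    client = RecordingCloudFormation()
    print(handler(make_event("111111111111", "ExtraHop-NetworkMonitoring"), cfn=client, region="us-east-1"))
    print(handler(make_event("222222222222", "payments-prod"), cfn=client, region="us-east-1"))
    print(handler(make_event("333333333333", "broken-enroll", state="FAILED"), cfn=client))
```

The point to take from the example is the guard order: only a SUCCEEDED CreateManagedAccount event triggers deployment, and the account type decides which StackSet is instantiated, so an accidental second account named like the monitoring account would receive a sensor rather than a workload integration; restricting that name in the Account Factory OU is the defensive control.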
3. Use Account Factory to vend a new workload account
- Sign in to the AWS Management Console using your AWS Control Tower management account and search for the AWS Control Tower service.
- On the Account Factory page, choose Enroll account. Provide details for this new workload account.
4. Validate the network monitoring account resources
- To validate that the StackSet creation was successful, search for the CloudFormation service and view the StackSets page. This page should show two StackSets: i) ExtraHop-NetworkMonitoring-Account and ii) ExtraHop-Workload-Account.
- Select the name of the ExtraHop-NetworkMonitoring-Account StackSet and view its Operations. You should notice a SUCCEEDED status for the most recent operation ID.
- Sign in to the network monitoring account and search for the Amazon EC2 service. You should have one running instance in your AWS Control Tower home Region: your Reveal(x) 360 sensor.
B. Configure ExtraHop Reveal(x) 360 Sensor
1. Configure ExtraHop sensor interfaces
- Sign in to the AWS Management Console using your network monitoring account and search for the CloudFormation service.
- Identify the ExtraHop-NetworkMonitoring-Account Stack and view its outputs.
- Sign in to the sensor with the username setup and register your sensor.
- Remain in the sensor’s Admin User Interface (UI). On the Admin UI page, select Connectivity and update the network interface settings as follows:
- Interface 1: Set Mode to Management Port. Leave DHCP Enabled.
- Interface 2: Set Mode to Management + RPCAP/ERSPAN/VXLAN Target and Enable DHCP.
- View and Save the Running Config from the prompt.
The following screenshot shows the Interfaces section of the sensor Admin UI. Interface 1 shows a mode of Management Port, and Interface 2 shows Management Port + RPCAP/ERSPAN/VXLAN Target.
2. Connect to ExtraHop Cloud Services
- Remain in the sensor’s Admin UI at https://<sensor_ip_address>/admin. Follow the prompt to change the default passwords for the setup and shell.
- On the Admin UI page, select ExtraHop Cloud Services, review the Terms and Conditions, and choose Connect to ExtraHop Cloud Services and Enable Performance and Security Detections. Refer to Connect to ExtraHop Cloud Services for more information.
When successfully connected to ExtraHop Cloud Services, the page should show status as Connected to ExtraHop Cloud Services and should also show the recent Connection Last Active time.
3. Connect Sensor to Reveal(x) 360
- Sign in to your Reveal(x) 360 console at https://<customername>.cloud.extrahop.com. To access the Administration page, select the system settings icon (gear icon). Choose Connect Appliances and generate a pairing token.
- Sign in to your sensor’s Admin UI. On the Admin UI page, choose Connect Command Appliances. Choose Add Appliance and paste in the pairing token you generated from the Reveal(x) 360 console. Add a Discover Appliance Nickname and choose Connect.
Refer to Connect to Reveal(x) 360 from self-managed sensors for more information.
C. Validate deployment
1. Confirm network monitoring account StackSet deployment
- Sign in to the AWS Management Console using your network monitoring account and search for the CloudFormation service.
- Find the stack for your ExtraHop-NetworkMonitoring-Account and confirm its status is Create Complete.
2. Confirm workload account StackSet deployment
- Sign in to the AWS Management Console using your workload account and search for the CloudFormation service.
- Find the stack for your ExtraHop-Workload-Account and confirm its status is Create Complete.
3. Create workload account resources
ExtraHop sensor deployments are regional. To validate that your deployment’s ExtraHop Automation components are working as intended, you must create a temporary VPC and Amazon EC2 instances in the same AWS Region as your sensor.
When you create the temporary workload VPC, you should notice that it is automatically peered to the ExtraHop VPC in the network monitoring account. A route to the ExtraHop VPC's CIDR is automatically added to the workload VPC's route tables. Similarly, when you create temporary Amazon EC2 instances (your "monitored workloads"), you should notice that mirror sessions automatically forward a copy of their network traffic to the ExtraHop sensor's traffic mirror target.
After you have observed the automatically generated peering connection, route, and mirror sessions, you must decommission the temporary Amazon EC2 instances and VPC.
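Clicking through the console confirms the three artifacts once; a repeatable check is more useful when you onboard many workload accounts or want an alert when a new instance is left unmirrored. The following is an added example, not ExtraHop's tooling, that evaluates exactly the three conditions described above (active peering to the ExtraHop VPC, a route to the ExtraHop CIDR in every workload route table, and a traffic mirror session to the ExtraHop target for every ENI of every running instance) over the data shapes returned by boto3's `describe_vpc_peering_connections`, `describe_route_tables`, `describe_instances` and `describe_traffic_mirror_sessions`. The VPC ids, CIDRs, ENI ids and mirror target id are constructed sample values; `collect_from_aws` shows how the same check runs against a real account.

```python
def _vpc_peering_for(peerings, workload_vpc_id, extrahop_cidr):
    """Return the id of the active peering joining the workload VPC to the VPC
    whose CIDR is the ExtraHop CIDR, or None if no such peering exists."""
    for p in peerings:
        if p.get("Status", {}).get("Code") != "active":
            continue  # pending-acceptance or deleted peerings carry no traffic
        sides = (p.get("RequesterVpcInfo", {}), p.get("AccepterVpcInfo", {}))
        vpc_ids = {s.get("VpcId") for s in sides}
        cidrs = {s.get("CidrBlock") for s in sides}
        if workload_vpc_id in vpc_ids and extrahop_cidr in cidrs:
            return p["VpcPeeringConnectionId"]
    return None


def _route_tables_missing_route(route_tables, workload_vpc_id, extrahop_cidr, peering_id):
    """Ids of the workload VPC's route tables lacking an active route to the
    ExtraHop CIDR via the peering (any such table leaves its subnets unmonitored)."""
    missing = []
    for rt in route_tables:
        if rt.get("VpcId") != workload_vpc_id:
            continue
        has_route = any(
            r.get("DestinationCidrBlock") == extrahop_cidr
            and r.get("VpcPeeringConnectionId") == peering_id
            and r.get("State", "active") == "active"
            for r in rt.get("Routes", []))
        if not has_route:
            missing.append(rt["RouteTableId"])
    return missing


def _instance_enis(reservations, workload_vpc_id):
    """Map instance id -> set of ENI ids for running instances in the workload VPC."""
    enis = {}
    for res in reservations:
        for inst in res.get("Instances", []):
            if inst.get("VpcId") != workload_vpc_id or inst.get("State", {}).get("Name") != "running":
                continue
            enis[inst["InstanceId"]] = {ni["NetworkInterfaceId"] for ni in inst.get("NetworkInterfaces", [])}
    return enis


def check_workload_monitoring(workload_vpc_id, extrahop_cidr, mirror_target_id,
                              peerings, route_tables, reservations, mirror_sessions):
    """Evaluate peering, routing and mirroring for one workload VPC. Pure
    function over describe_* response lists so it can run offline."""
    peering_id = _vpc_peering_for(peerings, workload_vpc_id, extrahop_cidr)
    if peering_id is None:
        # Without a peering no route can be correct: report every table.
        missing_routes = [rt["RouteTableId"] for rt in route_tables if rt.get("VpcId") == workload_vpc_id]
    else:
        missing_routes = _route_tables_missing_route(route_tables, workload_vpc_id, extrahop_cidr, peering_id)
    mirrored_enis = {s["NetworkInterfaceId"] for s in mirror_sessions
                     if s.get("TrafficMirrorTargetId") == mirror_target_id}
    # Every ENI of every running instance should have a session to the ExtraHop target.
    unmirrored = {inst: sorted(enis - mirrored_enis)
                  for inst, enis in _instance_enis(reservations, workload_vpc_id).items()
                  if enis - mirrored_enis}
    return {"peering_id": peering_id,
            "route_tables_missing_route": missing_routes,
            "unmirrored_enis": unmirrored,
            "ok": peering_id is not None and not missing_routes and not unmirrored}


def collect_from_aws(region, workload_vpc_id):
    """Fetch the four inputs from a real account (requires boto3 and credentials)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    vpc_filter = [{"Name": "vpc-id", "Values": [workload_vpc_id]}]
    peerings = (ec2.describe_vpc_peering_connections(
        Filters=[{"Name": "accepter-vpc-info.vpc-id", "Values": [workload_vpc_id]}])["VpcPeeringConnections"]
        + ec2.describe_vpc_peering_connections(
        Filters=[{"Name": "requester-vpc-info.vpc-id", "Values": [workload_vpc_id]}])["VpcPeeringConnections"])
    return (peerings,
            ec2.describe_route_tables(Filters=vpc_filter)["RouteTables"],
            ec2.describe_instances(Filters=vpc_filter)["Reservations"],
            ec2.describe_traffic_mirror_sessions()["TrafficMirrorSessions"])


# Constructed sample data: one route table and one instance were left out of
# the automation, which is the kind of gap the check should surface.
WORKLOAD_VPC, EXTRAHOP_CIDR, MIRROR_TARGET = "vpc-0workload00001", "10.250.0.0/24", "tmt-0extrahop0001"
SAMPLE_PEERINGS = [{"VpcPeeringConnectionId": "pcx-0abc", "Status": {"Code": "active"},
                    "RequesterVpcInfo": {"VpcId": "vpc-0extrahop0001", "CidrBlock": EXTRAHOP_CIDR},
                    "AccepterVpcInfo": {"VpcId": WORKLOAD_VPC, "CidrBlock": "10.10.0.0/16"}}]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-0main", "VpcId": WORKLOAD_VPC, "Routes": [
        {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": EXTRAHOP_CIDR, "VpcPeeringConnectionId": "pcx-0abc", "State": "active"}]},
    {"RouteTableId": "rtb-0priv", "VpcId": WORKLOAD_VPC, "Routes": [
        {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"}]}]
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "VpcId": WORKLOAD_VPC, "State": {"Name": "running"},
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0aaa"}]},
    {"InstanceId": "i-0bbb", "VpcId": WORKLOAD_VPC, "State": {"Name": "running"},
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0bbb"}]}]}]
SAMPLE_MIRROR_SESSIONS = [{"TrafficMirrorSessionId": "tms-0aaa", "NetworkInterfaceId": "eni-0aaa",
                           "TrafficMirrorTargetId": MIRROR_TARGET, "SessionNumber": 1}]

if __name__ == "__main__":
    print(check_workload_monitoring(WORKLOAD_VPC, EXTRAHOP_CIDR, MIRROR_TARGET, SAMPLE_PEERINGS,
                                    SAMPLE_ROUTE_TABLES, SAMPLE_RESERVATIONS, SAMPLE_MIRROR_SESSIONS))
```

Run periodically (for example from the same EventBridge-driven Lambda pattern the post uses), a non-empty `unmirrored_enis` or `route_tables_missing_route` is the signal that a workload has slipped outside the sensor's view, which is the blind spot the integration exists to close.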
4. View analyzed traffic
- Sign in to your Reveal(x) 360 console at https://<customername>.cloud.extrahop.com.
- From the navigation bar at the top of the page, select Assets. Change your Time Selector to Last 30 Minutes and select the link for DNS Clients to view DNS transaction data for the DNS Client Activity Group.
Congratulations! You have integrated your AWS Control Tower landing zone with ExtraHop Reveal(x) 360 and are using it to monitor network traffic inside of your AWS environment.
D. Clean up resources
To avoid charges in the future, follow these steps to remove deployed resources from your account.
1. Delete StackInstance from workload account
- Sign in to the AWS Management Console using your AWS Control Tower management account and search for the CloudFormation service.
- Select the StackSets page and select the ExtraHop-Workload-Account StackSet. Review the Stack instances tab and note the account IDs of the accounts where the Stack instance is deployed.
- From the Actions menu, choose Delete stacks from StackSet, and enter the account IDs.
- Specify your AWS Control Tower home Region. To review your selected deployment options, choose Next, and then choose Submit.
- To see the DELETE operation and its status, choose the StackSet’s Operations. When its Status changes to SUCCEEDED, proceed to the next step.
2. Delete StackInstance from ExtraHop-NetworkMonitoring account
This step repeats the instructions from step D.1 to remove the ExtraHop-NetworkMonitoring-Account Stack instance.
- Remain signed in to your AWS Control Tower management account and remain on the CloudFormation StackSets page.
- Select the ExtraHop-NetworkMonitoring-Account StackSet. Review the Stack instances tab and note the account ID of the account where the Stack instance is deployed.
- From the Actions menu, choose Delete stacks from StackSet, and enter the account number.
- Specify your AWS Control Tower home Region. To review your selected deployment options, choose Submit.
- To see the DELETE operation and its status, choose the StackSet’s Operations. When its Status changes to SUCCEEDED, proceed to step D.3.
3. Delete Stack from your AWS Control Tower management account
- Remain signed in to your AWS Control Tower management account and in the CloudFormation Service.
- On the Stacks page, select the ExtraHop-ControlTower-Lifecycle Stack and choose Delete stack.
When the ExtraHop-ControlTower-Lifecycle Stack is deleted, you have removed all resources created in this tutorial.
In this blog post, I showed you how to integrate your AWS Control Tower landing zone with ExtraHop Reveal(x) 360 and use it to monitor network traffic inside of your AWS environment. This solution automatically provisions new VPCs into ExtraHop monitoring, giving you visibility of all the traffic going into and coming out of those accounts.
For more information on solutions for AWS Control Tower in AWS Marketplace, visit Network orchestration. For more information about the ExtraHop platform and integration with AWS Control Tower, visit the Reveal(x)360 + AWS Control Tower blog post on the ExtraHop website.