In days gone by, highly regulated industries like pharmaceuticals and finance were the biggest targets for nefarious cyber actors, due to the financial resources at banks…
We at Coralogix believe that cloud security is not a “nice-to-have” feature – something that only large organizations can benefit from or are entitled to have. We believe it is a basic need that should be solved for organizations of any shape and size. This is why we built the Coralogix Security Traffic Analyzer (STA) tool for packet sniffing and automated analysis. Today we’re announcing several new features of our security product that you’ll find interesting.
One of the great things about AWS is that everything can scale up and down as much as needed to keep costs at a minimum without losing any important data. We have now brought this power to the VPC Traffic Mirroring configuration. You can read all about it here.
The new installation process of the STA now lets you choose whether to run the STA as a spot instance in a spot fleet (for example for testing purposes) or as an on-demand instance. The choice is absolutely yours.
Now you can choose the size of the machine that will be used for the STA. The instance types that are going to be used based on the selected size are listed below:
During installation, you can set an S3 bucket for the STA configuration. If the bucket is empty, the STA automatically copies its config files to that bucket; if the bucket already contains STA config files and they have been modified (either manually by you or by a script…), the STA automatically pulls the new configuration and applies it. This configuration includes the following files:

| Config file name | Purpose |
| --- | --- |
| local.rules | Snort rules that will be used in addition to those downloaded automatically |
| disablesid.conf | List of Snort SIDs that should be disabled. Use this file to disable noisy Snort rules. |
| bpf.conf | A BPF filter that the STA will apply to incoming traffic. Usually, you can achieve the same outcome by modifying the VPC Traffic Mirroring filter. |
| wazuh_rules.conf | If the STA is installed with Wazuh support, this file sets the policy for all connected Wazuh agents |
During installation, the user can set an S3 bucket that the STA will use to upload compressed pcap files of all the traffic it observed. The user can then set any lifecycle rule on that bucket for automated cleanup of old pcap files. This bucket will also contain executable files extracted directly from the traffic. These pcap files can be used for many purposes, including forensic investigations, alert tuning, deeper investigation of application and service issues, and more.
The new STA contains a built-in Prometheus node-exporter that listens on the third network interface on the default port.
Many cyber attacks nowadays use command-and-control servers and kill switches for their malicious code, and these usually rely on machine-generated domain names. We added a new capability to the STA that automatically calculates a score for each domain, parent domain, virtual host, certificate CN, etc., based on the frequency of letter combinations that are expected to be rare and of letter combinations that are expected to be frequent. This score can be used to detect machine-generated domains in certificates, common names, DNS requests, and several other locations where a domain name can be found.
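To make the idea concrete, here is an added example (not the STA's own code; the exact scoring the STA uses is not described on this page) of a bigram-based score of the kind described above. The frequent and rare bigram tables, the minimum label length and the flagging threshold are all constructed for illustration.

```python
from typing import Optional

# Constructed, approximate table of bigrams that are common in English text
# and in legitimate host names (illustration only, not the STA's table).
FREQUENT = {
    "th","he","in","er","an","re","on","at","en","nd","ti","es","or","te",
    "of","ed","is","it","al","ar","st","to","nt","ng","se","ha","as","ou",
    "io","le","ve","co","me","de","hi","ri","ro","ic","ne","ea","ra","ce",
    "li","ch","ll","be","ma","si","om","ur",
}
# Constructed table of bigrams that almost never occur in natural words;
# "q" not followed by "u" is handled by a rule below.
RARE = {
    "zx","xz","jx","xj","jz","zj","vj","jv","vk","kv","zv","vz","wx","xw",
    "fz","zf","jw","wj","pz","zp","bx","xb","xq","wq","jq","zq","kq","vq",
}

def score_label(label: str) -> Optional[float]:
    """Score one DNS label in [-1, 1]: +1 means every bigram is frequent,
    -1 means every bigram is rare. Digits and hyphens are ignored, and labels
    with fewer than four letters (e.g. "www", "api") return None."""
    letters = "".join(c for c in label.lower() if c.isalpha())
    if len(letters) < 4:
        return None
    bigrams = [letters[i:i + 2] for i in range(len(letters) - 1)]
    frequent = sum(1 for bg in bigrams if bg in FREQUENT)
    rare = sum(1 for bg in bigrams
               if bg in RARE or (bg[0] == "q" and bg[1] != "u"))
    return (frequent - rare) / len(bigrams)

def score_hostname(host: str) -> Optional[float]:
    """Score a hostname, virtual host or certificate CN by its most
    suspicious label. The last label (the TLD) is not scored, and wildcard
    or short labels are skipped; None means nothing was scorable."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) > 1:
        labels = labels[:-1]
    scores = [s for s in (score_label(lab) for lab in labels) if s is not None]
    return min(scores) if scores else None

def looks_machine_generated(host: str, threshold: float = -0.3) -> bool:
    """Flag a name for analyst review when its worst label scores below the
    (constructed) threshold. A None score is never flagged."""
    s = score_hostname(host)
    return s is not None and s < threshold
```

A real deployment would derive the tables from a large corpus of known-good names and tune the threshold against observed DNS and TLS traffic rather than using fixed lists.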
Employees, and even more so servers, accessing domains that are “young” (in the sense that they were registered only very recently) are often a good indication of malicious activity. The new version of the STA automatically pulls a list of domains with their creation dates and adds the creation date to every domain detected in DNS requests, virtual hosts, and many other fields that contain a domain name. In addition, the new version of the STA contains a special dashboard for displaying such “baby domains” that were accessed by monitored servers and clients.
The STA will automatically attempt to detect the software and its version on the client and server machines that took part in the communications it observed. Based on that information, the STA will attempt to find the CVE (Common Vulnerabilities and Exposures) identifiers that MITRE associates with that software, and will alert you if a new type of software is found or if newly vulnerable software is detected.
We added a default set of more than 60 alerts that will be added to your account after the installation of the STA. These alerts will help you to get started with the STA and dramatically improve your organization’s security posture. You can read more about these alerts here.
We added a default set of more than 60 different dashboards to help you slice and dice the data and find your needle in the huge haystack.
That’s it for now. We have lots of exciting new features just waiting to be released in the next versions, so stay tuned.