The wide-spread adoption of cloud infrastructure has proven to be highly beneficial, but has also introduced new challenges and added costs – especially when it comes to security.
As organizations migrate to the cloud, they relinquish access to their servers and all information that flows between them and the outside world. This data is fundamental to both security and observability.
Cloud vendors such as AWS are attempting to compensate for this undesirable side effect by creating a selection of services which grant the user access to different parts of the metadata. Unfortunately, the disparate nature of these services only creates another problem. How do you bring it all together?
The Coralogix Cloud Security solution enables organizations to quickly centralize and improve their security posture, detect threats, and continuously analyze digital forensics without the complexity, long implementation cycles, and high costs of other solutions.
Using the Coralogix Security Traffic Analyzer (STA), you gain access to the tools that you need to analyze, monitor and alert on your data, on demand.
Here’s a list of data types that are available for AWS users:
|Feature Name||Details||Main Limitations|
|CloudWatch Metrics||CloudWatch metrics provide the most basic form of your metadata as metrics such as used bandwidth on instance's ENIs and CPU usage.||Lacks the information of what caused the change in the metrics trend and whether it was indeed malicious or not|
|CloudTrail||CloudTrail logs provide information about actions made in your AWS account.||Do not provide any insights regarding the applications and services that the organization is using which are running inside AWS instances|
|Flow logs||VPC Flow Logs provide a greater level of detail about your metadata, they include basic contextual information about connections made to or by instances for which you have enabled this feature||Do not provide any layer 7 information about detected connections such as URLs, Web methods, certificates, etc.
Also, does not contain the actual payload which is extremely valuable for forensic investigations.
|GuardDuty||The GuardDuty service analyzes several AWS data sources such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs by using a set of rules that are maintained and controlled by AWS and can send an alert when a behavior was detected as malicious by these rules||Has no option for fine tuning its rules to the organization's needs
Has no option for the organization to set tailor-made rules based on the organization's expected behavior.
Does not provide an ability to get the suspected payload or any supporting information which might be relevant for conducting a forensic investigation
|VPC Traffic Mirroring||VPC Traffic Mirroring allows you to copy interesting traffic types to/from selected instances and ENIs to another instance||Provides only VXLAN encapsulated raw traffic data. Leaving the customer with the challenge of analyzing it and getting the relevant insights
Requires a very manual and rigid configuration that doesn't automatically update when new instances are started (for example in auto scaling or spot fleet scenarios)
Well… That doesn’t look very promising, right? This is exactly the reason why we developed the Security Traffic Analyzer (STA).
When you install the STA, you get an AWS instance and several other related resources.
You can mirror your server traffic to the STA (by using VPC traffic mirroring). The STA will automatically capture, analyze and optionally store the traffic for you while creating meaningful logs in your Coralogix account. You can also create valuable dashboards and alerts. To make it even easier, we created the VPC Traffic Mirroring Configuration Automation handler which automatically updates your mirroring configuration based on instance tags and tag values in your AWS account. This allows you to declaratively define your VPC traffic mirroring configuration.
The STA employs ML-powered algorithms which alert you to potential threats with the complete ability to tune, disable and easily create any type of new alerts.
The STA automatically enriches the data passing through it such as domain names, certificate names, and much more by using data from several other data sources. This allows you to create more meaningful alerts and reduce false-positives while not increasing false-negatives.
Connect any source of information to complete your security observability, including Audit logs, Cloudtrail, GuardDuty or any other source. Monitor your security data in one of 100+ pre-built dashboards or easily build your own using our variety of visualization tools and APIs.
The Coralogix Cloud Security solution comes with a predefined set of alerts, dashboards and Snort rules. Unlike many other solutions on the market today, you maintain the ability to change any or all of them to tailor them to your organization’s needs.
One of the most painful issues that usually deters people from using an IDS solution is that they are notorious for their high false-positive rate, but Coralogix makes it unbelievably easy to solve these kinds of issues. Dynamic ML-powered alerts, dashboards, and Snort rules are just a matter of 2-3 clicks and you’re done.
Although Coralogix focuses on detection rather than prevention, it is still possible to achieve both detection and better prevention by integrating Coralogix with any orchestration platform such as Cortex XSOAR and others.
Security logs need to be correlated with packet data in order to provide needed context to perform deep enough investigations. Setting up, processing, and storing packet data can be laborious and cost-prohibitive.
With the Coralogix Optimizer, you can reduce up to 70% of storage costs without sacrificing full security coverage and real-time monitoring. This new model enables you to get all of the benefits of an ML-powered logging solution at only a third of the cost and with more real-time analysis and alerting capabilities than before.
Here’s a full comparison between the STA and all the other methods discussed in this article:
|Feature||Coralogix STA||CloudWatch Metrics||CloudTrail Logs||VPC Flow Logs||GuardDuty||VPC Traffic Mirroring|
|Provides a set of metrics that are calculated based on the traffic||✗1||✓||✗||✗||✗||✗|
|Allows the user to create new metrics and modify existing ones||✓||✗||✗||✗||✗||✗|
|Provides Layer 4 Context Data (IPs, Port Numbers)||✓||✗||✗||✓||✗||✓|
|Provides Layer 7 Context Data (HTTP URI's and methods, SSL Certificates, DNS Queries, FTP commands, files, etc)||✓||✗||✗||✗||✗||✓|
|Detects threats or malicious content||✓||✗||✗||✗||✓||✗|
|Detects potentially malicious behaviors||✓||✗||✗||✗||✓||✗|
|Allows the user to understand, modify, disable and create new detection rules||✓||✗||✗||✗||✗||✗|
|Allows the user to access and store the captured traffic||✓||✗||✗||✗||✗||✓|
|Enriches the data (for example by adding domain creation dates to domain names)||✓||✗||✗||✗||✗||✗|
|Allows integration with OSSEC/Wazuh or similar agents for the purpose of collection of instance specific data such as processes running on each instance||✓||✗||✗||✗||✗||✗|
|Comes with predefined set of alerts, including ML powered ones||✓||✗||✗||✗||✓||✗|
|Allows the user to customize the set of alerts and to create new ones||✓||✗||✗||✗||✗||✗|
|Comes with predefined dashboards for each type of protocol||✓||✗||✗||✗||✗||✗|
|Allows the user to customize the predefined dashboards to his needs||✓||✗||✗||✗||✗||✗|
(1) Will be added soon in upcoming versions
As you can see, the STA is already the most effective solution for gaining back control and access to your metadata. In the upcoming versions, we’ll also improve the level of network visibility by further enriching the data collected, allowing you to make even more fine-grained alerting rules.