Coralogix Cloud Security helps you detect security threats across all of your network traffic with rapid setup and without the need for additional tooling. Once running, Cloud Security easily integrates all your security logs for a multidimensional view of your security posture and gives you the ability to perform deep and wide forensic investigations.
Cloud Security runs on your AWS account to provide real-time monitoring and analysis of your infrastructure.
With Coralogix Cloud Security you can:
Detect system intrusions
Monitor your entire enterprise for unauthorized changes
Centrally manage and analyze all security-related logs
Step 1: Install Cloud Security instance on AWS
Navigate to the Settings page in your Coralogix account, and click on the “Cloud Security” link:
Fill in the application name and subsystem name that will be used to identify the Cloud Security logs.
From the list, choose the AWS region in which you want Cloud Security to be installed, then click “Launch AWS CloudFormation”. This takes you to the AWS site in a new browser tab.
Log in to AWS with the account under which you want the CloudSecurity to be installed and follow these instructions for the CloudFormation process.
In the field “KeyName”, choose a key pair to use for the CloudSecurity. You’ll only need the key when asked by the Coralogix support team.
Choose a subnet and a VPC ID for the new CloudSecurity. This subnet and VPC must have internet access for the CloudSecurity to work properly.
Note: The VPC and subnet must also be on the same network.
Click “Create Stack”
In the next screen, you can optionally set a name tag for the instance
Click next for the remaining screens
Wait for CloudFormation to finish
When the CloudFormation process is complete, the top event will indicate the stack’s name and the event type will be “completed”
Return to the Coralogix browser tab to continue with the next steps
Step 2: Setup VPC Traffic Mirroring
In order to send your AWS inbound and outbound traffic to the Coralogix CloudSecurity instance, you need to set up VPC Traffic Mirroring on AWS EC2. For smarter, cost-effective mirroring, check out the following post.
Go back to the Coralogix tab and click “Setup Traffic Mirroring” (step 2). A new tab opens with the AWS VPC Mirroring Sessions screen. Note that although you can set up traffic mirroring from this screen, it is not the only way to do it: you can also use the AWS CLI (in a script, for example) with the command aws ec2 create-traffic-mirror-session.
Choose a name and description for your mirror session (it can be something like “MyServer.eth0 => coralogix-onion-us-west-1”)
Choose a mirror source from the list. This should be a supported network interface (see “Known Issues / Limitations” below) whose traffic you would like to mirror to the Security Onion instance.
Select the mirror target that was created for you during the installation. (You can see it easily if you duplicate the current tab and choose CloudFormation from the Services menu and click the stack name you created and under “Resources” look for the mirror target)
Set the field “Session Number” to 1 (It looks like it is already set to 1 but it’s not)
Leave “VNI” and “Packet Length” as they are and set the filter field to the mirror filter you created at step 10 above.
Click “Create”
Now you can go back to the Coralogix tab and click “Start Analyzing”
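The CLI route mentioned in Step 2, as an added example that is not part of the original Coralogix documentation: it builds one aws ec2 create-traffic-mirror-session call per source network interface, since each interface needs its own session, and passes the session number explicitly. All resource IDs are constructed placeholders, and the ID format check (8 or 17 hex characters after the prefix) is an assumption of this example.

```shell
#!/usr/bin/env bash
# Added example: one traffic mirror session per source network interface.
# Every ID below is a constructed placeholder; replace with your own values.
set -u

TARGET_ID="tmt-0123456789abcdef0"   # placeholder: mirror target created by the stack
FILTER_ID="tmf-0123456789abcdef0"   # placeholder: your mirror filter
SOURCE_ENIS="eni-0123456789abcdef1 eni-0123456789abcdef2"   # placeholder sources

# Return 0 if $1 is "<prefix>-" followed by 8 or 17 hex characters
# (assumed AWS resource ID format).
valid_id() {
  printf '%s\n' "$1" | grep -Eq "^$2-([0-9a-f]{8}|[0-9a-f]{17})\$"
}

# Print the CLI command for one interface; fail on a malformed ID so a
# typo never reaches AWS.
build_mirror_cmd() {
  local eni="$1" target="$2" filter="$3"
  valid_id "$eni" eni    || { echo "bad ENI id: $eni" >&2; return 1; }
  valid_id "$target" tmt || { echo "bad target id: $target" >&2; return 1; }
  valid_id "$filter" tmf || { echo "bad filter id: $filter" >&2; return 1; }
  # --session-number is set explicitly to 1, as the console step requires.
  printf 'aws ec2 create-traffic-mirror-session --network-interface-id %s --traffic-mirror-target-id %s --traffic-mirror-filter-id %s --session-number 1 --description %s' \
    "$eni" "$target" "$filter" "${eni}-to-coralogix"
}

# Dry run by default: only print the commands. Set APPLY=1 to execute them.
create_sessions() {
  local eni cmd rc=0
  for eni in $SOURCE_ENIS; do
    if ! cmd=$(build_mirror_cmd "$eni" "$TARGET_ID" "$FILTER_ID"); then
      rc=1
      continue
    fi
    if [ "${APPLY:-0}" = "1" ]; then
      $cmd || rc=1      # no spaces in any argument, so word splitting is safe
    else
      echo "$cmd"
    fi
  done
  return $rc
}

create_sessions
```

Review the printed commands first, then rerun with APPLY=1 under credentials that are allowed to create mirror sessions.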
50+ Security Monitoring Dashboards
Coralogix Cloud Security includes all the dashboards you need to monitor your security with deep insights and forensics data for investigations. Here are 13 example dashboards to give you a sense of what’s possible.
Zeek – Connections Displays the number of network connections over time, the number of connections by state (completed normally, rejected, aborted, etc.), number of connections per source/destination IP/destination port, number of connections by source country and a connections list.
Zeek – HTTP Displays the number of HTTP logs over time, destination countries, destination ports, HTTP methods, source, and destination IPs, MIME types, sites, sites that host .exe files, URIs and referrers, User-Agents and full HTTP connections log
Connections – Destination – Sum of Total Bytes Displays a world map with dots that indicate the sum of bytes that were sent to that area (based on IP to Geo translation)
Connections – Destination – Top Connection Duration Displays a world map with dots that indicate the location to which most of the communications were destined. The size of the dot indicates the number of connections related to the other dots (based on IP to Geo translation)
Zeek – Software Displays information about software (i.e, browsers, servers, OSs, web clients, etc.) that was detected and the network nodes on which it was detected based on the communication seen
Zeek – Files Displays information about files that traversed the network, for example, number of files per MIME type, files per protocol, number of bytes, source and destination IPs
Zeek – Notices High severity alerts from Bro-IDS based on network behavior
Zeek – Weird Indications of weird behaviors on the network. Some of which might be benign in some organizations while strictly forbidden in others
Zeek – X.509 Information about certificates that traversed the network such as key length, signing, and encryption algorithms, certificates’ subjects and issuers
Zeek – SSL Information about SSL connections such as countries and IPs involved, SSL/TLS versions, server names, certificates, issuers and common names, validation statuses
Zeek – DNS Information about DNS queries seen such as ports, protocols, statuses, servers, information about phishing attempts (based on Alexa info)
NIDS High severity alerts from Suricata based on pattern and signature matching
Baby Domains Domains that were accessed and that have existed for only a very short period of time. Usually a good indication of malicious activity
General Monitoring Tips
Go to each dashboard, and filter out everything that you know is normal and supposed to happen until the dashboard is empty.
Monitor the dashboard for the next few weeks to see what new events appear and if there is any need for additional filters to clear everything that is normal and expected.
Once a dashboard has remained empty for a period of time, you can create a Coralogix Alert based on the dashboard query by copying the query and pasting it into the new alert window.
Review the critical assets of the organization and determine what normal and expected is, and create alerts to notify you of unusual or unexpected behavior. For example, if your servers are known not to communicate with mail (SMTP) or instant messaging (IRC), you can create alerts when such connections have been detected.
The journey of creating meaningful alerts should be a continuous one to limit false positives and get better at securing your environment.
Cloud Security Uninstallation Procedure:
Log in to your AWS account and go to the VPC section
Click on “Mirroring Sessions” in the left side navigation
Select and delete every mirror session you created that mirrors traffic to the Coralogix CloudSecurity instance you originally installed
Click on “Mirroring Targets” in the left side navigation
Select and delete the mirror target that points to the CloudSecurity instance you wish to remove
From the list on the left click on “Mirroring Filters”
Delete all mirror filters that were only used by mirror sessions that were configured to mirror traffic to the CloudSecurity instance you wish to remove
Go to the CloudFormation console by choosing “CloudFormation” from the “Services” menu at the top left of the screen
Select the stack you created as part of the installation (by default it’s “CoralogixSecurityCloud”)
Click “Delete”
You can delete the management and sniffing security groups you created during the installation if they’re not used for other installations (by going to the EC2 service console)
Known Issues / Limitations:
The CloudSecurity instance MUST be installed in a VPC that has access to the Internet in order to send the logs to Coralogix.
The CloudSecurity instance hasn’t been tested in private VPCs
The CloudSecurity can be installed only in the following regions: eu-west-1 (Ireland), ap-south-1 (Mumbai), us-east-1 (N. Virginia), us-east-2 (Ohio), us-west-1 (N. California), us-west-2 (Oregon)
Currently, the CloudSecurity solution doesn’t offer access to the actual packets that were captured.
No alerts are created in Coralogix during the installation. Security alerts must be created manually.
Mirroring of autoscaling instances is not supported
Mirroring of non-Nitro-based instances is not supported
Currently, you need to create individual Mirror Sessions for each Network Interface that you want to mirror