Coralogix Cloud Security helps you detect security threats across all of your network traffic with rapid setup and without the need for additional tooling. Once running, Cloud Security easily integrates all your security logs for a multidimensional view of your security posture and gives you the ability to perform deep and wide forensic investigations.
Cloud Security runs on your AWS account to provide real-time monitoring and analysis of your infrastructure.
With Coralogix Cloud Security you can:
- Detect system intrusions
- Monitor your entire enterprise for unauthorized changes
- Centrally manage and analyze all security-related logs
Step 1: Install Cloud Security instance on AWS
- Navigate to the Settings page in your Coralogix account, and click on the “Cloud Security” link
- Fill in the application name and subsystem name that will be used to identify the Cloud Security logs
- Choose an AWS region from the list that you want Cloud Security to be installed in and click “Launch AWS CloudFormation” which will take you to the AWS site in a new browser tab
- Log in to AWS with the account under which you want the Security Cloud to be installed and follow these instructions for the CloudFormation process:
- In the field “KeyName”, choose a key pair to use for the Security Cloud. You’ll only need the key when asked by the Coralogix support team.
- Choose a subnet and a VPC ID for the new Security Cloud; this subnet and VPC must have internet access for the Security Cloud to work properly
- Click “Create Stack”
- In the next screen, you can optionally set a name tag for the instance
- Click next for the remaining screens
- Wait for CloudFormation to finish
- When the CloudFormation process is complete, the top event will indicate the stack’s name and the event type will be “completed”
- Return to the Coralogix browser tab to continue with the next steps
Step 2: Set up VPC Traffic Mirroring
In order to send your AWS inbound and outbound traffic to the Coralogix Security Cloud instance, you need to set up VPC Traffic Mirroring on AWS EC2.
- Go back to the Coralogix Cloud Security setup page and click the “Setup Traffic Mirroring” button. A new tab with the AWS VPC Mirroring Sessions screen will appear. Once on AWS, click on the “Mirror Targets” link at the bottom of the list on the left side
- Click on “Create traffic mirror target”
- Choose a name and description for your mirror target that indicates the Coralogix Security Cloud instance that it is linked to (e.g. coralogix-cloud-security-us-west-1)
- Set the target type to “Network Interface”
- Set the target field to the ID of the 3rd interface (eth2) of the newly installed Security Cloud (the interface name is “Coralogix Security VxLan Traffic Sniffing Interface”)
- Click “Create”
- At the bottom of the list on the left click on “Mirror Filters” and then on “Create traffic mirror filter.”
- Choose a name and description for your mirror filter (e.g. “ALL-TRAFFIC”)
- Configure the inbound and outbound rules to indicate which traffic should be mirrored to the Security Cloud instance. To mirror all traffic from/to everywhere, set the filter protocol to “All protocols” and the source and the destination to “0.0.0.0/0” for both Inbound and Outbound rules. In addition, if you want to mirror the DNS traffic from your server to the Amazon DNS service, check the box labeled “amazon-dns” below the description to enable it.
- Once configured, click “Create”
Due to current AWS limitations, you need to create a Mirror Session for every Network Interface that you want to mirror (up to 10 can be connected to a single Cloud Security instance at this time).
- At the bottom of the list on the left click on “Mirror Sessions” and then on “Create traffic mirror session”
- Choose a name and description for your mirror session (e.g. “MyServer.eth0 => coralogix-cloud-security-us-west-1”)
- Choose a mirror source from the list. The source should be a supported network interface (see “Known Issues / Limitations” below) whose traffic you want mirrored to the Security Cloud instance.
- Choose a mirror target from the list. This should be the mirror target you created previously.
- Set the field “Session Number” to 1 (It may appear to be set by default to 1, but it’s not)
- Leave “VNI” and “Packet Length” as the defaults
- Set the filter field to the mirror filter you created previously
- Click “Create”
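The mirror target, filter and sessions above have to agree with each other, and the console gives no warning when they do not (a filter with no outbound rule, a Session Number left at its displayed default, or more sessions than one instance supports). The audit below is an added example, not Coralogix code: it takes records in the shape of the EC2 describe-traffic-mirror-targets/-filters/-sessions responses (an assumption) and reports every deviation from the rules in this step and the Known Issues section. All records are constructed samples.

```python
"""Audit a VPC Traffic Mirroring setup against the rules in this guide.
Records follow the shape of the EC2 describe-traffic-mirror-* responses
(an assumption); every record below is a constructed sample."""
MAX_SESSIONS_PER_TARGET = 10   # limit stated under Known Issues / Limitations

def audit_mirroring(targets, filters, sessions):
    """Return human-readable findings; an empty list means the setup matches the guide."""
    findings = []
    targets_by_id = {t["TrafficMirrorTargetId"]: t for t in targets}
    filters_by_id = {f["TrafficMirrorFilterId"]: f for f in filters}
    sessions_per_target = {}
    for s in sessions:
        sid = s["TrafficMirrorSessionId"]
        sessions_per_target.setdefault(s["TrafficMirrorTargetId"], []).append(sid)
        if s.get("SessionNumber") != 1:   # the guide sets Session Number to 1 explicitly
            findings.append(f"{sid}: SessionNumber is {s.get('SessionNumber')}, guide says 1")
        flt = filters_by_id.get(s.get("TrafficMirrorFilterId"))
        if flt is None:
            findings.append(f"{sid}: filter {s.get('TrafficMirrorFilterId')} does not exist")
            continue
        # A direction with no accept rule is simply not mirrored, with no error anywhere.
        for direction, key in (("inbound", "IngressFilterRules"), ("outbound", "EgressFilterRules")):
            if not any(r.get("RuleAction") == "accept" for r in flt.get(key, [])):
                findings.append(f"{sid}: filter {flt['TrafficMirrorFilterId']} has no {direction} accept rule")
    for tid, sids in sessions_per_target.items():
        tgt = targets_by_id.get(tid)
        if tgt is None:
            findings.append(f"{tid}: target does not exist")
        elif tgt.get("Type") != "network-interface":
            findings.append(f"{tid}: target type {tgt.get('Type')}, guide requires the eth2 network interface")
        if len(sids) > MAX_SESSIONS_PER_TARGET:
            findings.append(f"{tid}: {len(sids)} sessions, more than the {MAX_SESSIONS_PER_TARGET} the instance supports")
    return findings

# Constructed sample: one target, a filter whose outbound rule was forgotten,
# and two sessions, the second with the Session Number left at 2.
ANY = "0.0.0.0/0"
SAMPLE_TARGETS = [{"TrafficMirrorTargetId": "tmt-0example", "Type": "network-interface"}]
SAMPLE_FILTERS = [{"TrafficMirrorFilterId": "tmf-0example", "NetworkServices": ["amazon-dns"],
                   "IngressFilterRules": [{"RuleAction": "accept", "SourceCidrBlock": ANY,
                                           "DestinationCidrBlock": ANY}],
                   "EgressFilterRules": []}]

def _session(sid, eni, number):
    return {"TrafficMirrorSessionId": sid, "NetworkInterfaceId": eni, "TrafficMirrorTargetId": "tmt-0example",
            "TrafficMirrorFilterId": "tmf-0example", "SessionNumber": number}
SAMPLE_SESSIONS = [_session("tms-0001", "eni-0web-example", 1), _session("tms-0002", "eni-0db-example", 2)]

def sample_mirroring_findings():
    return audit_mirroring(SAMPLE_TARGETS, SAMPLE_FILTERS, SAMPLE_SESSIONS)
```

Run it against the three describe calls for the region the instance lives in; with the sample data it reports the missing outbound rule for both sessions and the wrong Session Number on the second.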
Step 3: Configure Security Groups
- Go to the EC2 console by choosing “EC2” from the “Services” menu at the top left of the screen
- From the list on the left click on the “Security Groups” link
- Click “Create Security Group”. Name it something like “Coralogix-Security-Cloud-Management” so you can quickly find it later in this tutorial.
- Click “Add Rule”
- Set the “Type” to SSH and the “Source” to “My IP”, make sure that the selected VPC is the same VPC in which you installed the Coralogix Security Cloud and click “Create”
- Create another Security Group and name it something like “Coralogix-Security-Cloud-Sniffing”
- Click the “Add Rule” button and set the rule to allow only the traffic you configured in the VPC mirroring filter in the previous steps. For example, if you configured the filter to mirror all traffic, create the rule here by setting the “Type” to “All Traffic” and the “Source” to “Anywhere”.
- Make sure that the selected VPC is the same VPC in which you installed the Security Cloud and then click “Create”
Connect Security Group
- From the list on the left click on “Network Interfaces”
- Find and select the Security Cloud’s management network interface by searching for “Coralogix Security Service Management” in the search bar at the top, and choose “Change Security Groups” from the “Actions” menu at the top
- Uncheck the “default” security group and check the new group you created previously.
- Click Save
- Your new cloud security setup is complete. Now you can go back to the Coralogix tab and click “Start Analyzing” to begin analyzing the security logs.
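Two things in Step 3 are easy to get wrong silently: the management group ends up with SSH open wider than “My IP”, or one of the groups is created in a different VPC than the instance. The check below is an added example, not Coralogix code; it reads records in the shape of describe-security-groups output (GroupId, VpcId, IpPermissions, an assumption) and flags both mistakes, plus a sniffing group that does not admit the traffic the mirror filter sends. The samples are constructed.

```python
"""Check the Step 3 security groups against the guide's rules.
Records follow the shape of describe-security-groups output (an assumption);
the samples are constructed for this example, not taken from a real account."""
import ipaddress

def _cidrs(perm):
    return [r["CidrIp"] for r in perm.get("IpRanges", [])]

def audit_security_groups(management_sg, sniffing_sg, instance_vpc, mirrors_all_traffic=True):
    """Return findings; an empty list means both groups match what Step 3 asks for."""
    findings = []
    for sg in (management_sg, sniffing_sg):   # both must live in the instance's VPC
        if sg["VpcId"] != instance_vpc:
            findings.append(f"{sg['GroupId']}: in {sg['VpcId']}, not the instance VPC {instance_vpc}")
    # Management: SSH only, and only from single addresses (what the console's "My IP" produces).
    gid = management_sg["GroupId"]
    for perm in management_sg.get("IpPermissions", []):
        if not (perm.get("IpProtocol") == "tcp" and perm.get("FromPort") == 22 and perm.get("ToPort") == 22):
            findings.append(f"{gid}: inbound rule {perm.get('IpProtocol')}/{perm.get('FromPort')} is not SSH")
            continue
        for cidr in _cidrs(perm):
            if ipaddress.ip_network(cidr).prefixlen != 32:
                findings.append(f"{gid}: SSH open to {cidr} instead of a single address")
    # Sniffing: must admit what the mirror filter sends (All Traffic from Anywhere in the guide's example).
    gid = sniffing_sg["GroupId"]
    allows_all = any(p.get("IpProtocol") == "-1" and "0.0.0.0/0" in _cidrs(p)
                     for p in sniffing_sg.get("IpPermissions", []))
    if mirrors_all_traffic and not allows_all:
        findings.append(f"{gid}: filter mirrors all traffic but the group does not allow All Traffic from Anywhere")
    return findings

# Constructed sample: management group with SSH also open to the world, sniffing group correct.
SAMPLE_VPC = "vpc-0example"
SAMPLE_MANAGEMENT = {"GroupId": "sg-0mgmt-example", "VpcId": SAMPLE_VPC, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "0.0.0.0/0"}]}]}
SAMPLE_SNIFFING = {"GroupId": "sg-0sniff-example", "VpcId": SAMPLE_VPC, "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

def sample_sg_findings():
    return audit_security_groups(SAMPLE_MANAGEMENT, SAMPLE_SNIFFING, SAMPLE_VPC)
```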
50+ Security Monitoring Dashboards
Coralogix Cloud Security includes all the dashboards you need to monitor your security with deep insights and forensics data for investigations. Here are 13 example dashboards to give you a sense of what’s possible.
Bro – Connections
Displays the number of network connections over time, the number of connections by state (completed normally, rejected, aborted, etc.), number of connections per source/destination IP/destination port, number of connections by source country and a connections list.
Bro – HTTP
Displays the number of HTTP logs over time, destination countries, destination ports, HTTP methods, source, and destination IPs, MIME types, sites, sites that host .exe files, URIs and referrers, User-Agents and full HTTP connections log
Connections – Destination – Sum of Total Bytes
Displays a world map with dots that indicate the sum of bytes that were sent to that area (based on IP to Geo translation)
Connections – Destination – Top Connection Duration
Displays a world map with dots that indicate the location to which most of the communications were destined. The size of the dot indicates the number of connections related to the other dots (based on IP to Geo translation)
Bro – Software
Displays information about software (i.e. browsers, servers, OSs, web clients, etc.) that was detected and the network nodes on which it was detected, based on the communication seen
Bro – Files
Displays information about files that traversed the network, for example, number of files per MIME type, files per protocol, number of bytes, source and destination IPs
Bro – Notices
High severity alerts from Bro-IDS based on network behavior
Bro – Weird
Indications of weird behaviors on the network, some of which might be benign in some organizations while strictly forbidden in others
Bro – X.509
Information about certificates that traversed the network such as key length, signing, and encryption algorithms, certificates’ subjects and issuers
Bro – SSL
Information about SSL connections such as countries and IPs involved, SSL/TLS versions, server names, certificates, issuers and common names, validation statuses
Bro – DNS
Information about DNS queries seen such as ports, protocols, statuses, servers, information about phishing attempts (based on Alexa info)
High severity alerts from Snort based on the patterns and signatures matching
Domains that were accessed and have only existed for a very short period of time. Usually a good indication of malware being transmitted
General Monitoring Tips
- Go to each dashboard, and filter out everything that you know is normal and supposed to happen until the dashboard is empty.
- Monitor the dashboard for the next few weeks to see what new events appear and if there is any need for additional filters to clear everything that is normal and expected.
- Once a dashboard has remained empty for a period of time, you can create a Coralogix Alert based on the dashboard query by copying the query and pasting it into the new alert window.
- Review the critical assets of the organization, determine what is normal and expected, and create alerts to notify you of unusual or unexpected behavior. For example, if your servers are known not to communicate over mail (SMTP) or instant messaging (IRC), you can create alerts for when such connections are detected.
- The journey of creating meaningful alerts should be a continuous one to limit false positives and get better at securing your environment.
Cloud Security Uninstallation Procedure:
- Log in to your AWS account and go to the VPC section
- Click on “Mirroring Sessions” in the left side navigation
- Select and delete every mirror session you created that mirrors traffic to the Coralogix Security Cloud instance you originally installed
- Click on “Mirroring Targets” in the left side navigation
- Select and delete the mirror target that points to the Security Cloud instance you wish to remove
- From the list on the left click on “Mirroring Filters”
- Delete all mirror filters that were only used by mirror sessions that were configured to mirror traffic to the Security Cloud instance you wish to remove
- Go to the CloudFormation console by choosing “CloudFormation” from the “Services” menu at the top left of the screen
- Select the stack you created as part of the installation (by default it’s “CoralogixSecurityCloud”)
- You can delete the management and sniffing security groups you created during the installation if they’re not used for other installations (by going to the EC2 service console)
Known Issues / Limitations:
- Currently, a single Security Cloud instance can support no more than 10 mirrored network interfaces. This is due to some limits in the VPC mirroring product by AWS. We’re currently looking for a way to get past this limitation (by using an NLB)
- The Security Cloud instance MUST be installed in a VPC that has access to the Internet in order to send the logs to Coralogix.
- The Security Cloud instance hasn’t been tested in private VPCs
- The Security Cloud can be installed only in the following regions: eu-west-1 (Ireland), ap-south-1 (Mumbai), us-east-1 (N. Virginia), us-east-2 (Ohio), us-west-1 (N. California), us-west-2 (Oregon)
- Currently, the Security Cloud solution doesn’t offer access to the actual packets that were captured.
- No alerts are created in Coralogix during the installation. Security alerts must be created manually.
- Mirroring of autoscaling instances is not supported
- Mirroring of non-Nitro-based instances is not supported
- Currently, you need to create individual Mirror Sessions for each Network Interface that you want to mirror