Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 11 Next »


Wazuh is a Host-based Intrusion Detection service provided by CloudAware via Kibana platform user interface. Wazuh is available via CloudAware Launcher.


This article explains how Cloudaware capabilities should be deployed to improve AWS security, mitigate risks associated with operating cloud-based computing infrastructure, address compliance and change management.

Audience

  • Security Engineers
  • Cloudaware Engineers
  • Chief Security Officers
  • Compliance Officers
  • AWS Cloud Engineers
  • Cloud Operations Teams


HIDS Server Deployment Options


Cloudaware HIDS solution consists of three parts:

  • IDS Agent
  • IDS Server(s)
  • IDS Dashboard


Agents are deployed onto every host where Intrusion Detection capabilities are desired. IDS Servers are managed by CloudAware if a customer is using Managed IDS option.

Optionally, customers can deploy their own IDS servers. IDS dashboard is part of the CloudAware and all IDS servers report into the dashboard. There are two ways to deploy CloudAware IDS services.


Managed IDS


Using Managed IDS deployment option, customers leverage IDS servers that are managed by CloudAware.

    

Advantages

Disadvantages

  • Hassle free operations
  • Customers do not need to worry about IDS Server's 
    • availability
    • patching
    • performance
    • costs
    • scalability
    • maintenance
Not able to deploy common OSSEC customizations without involving CloudAware support.


Customer Managed IDS


Under this approach customers maintain their own set of IDS servers and are responsible for many operational aspects including backup, disaster recovery and availability. CloudAware recommends one IDS server per 500 agents and that IDS servers are deployed in the same region as agents. 


Customers may also choose to deploy a hybrid approach where some agents use CloudAware-managed IDS servers and some agents user customer-managed IDS servers. 


IDS Status


If Intrusion Detection module is deployed, the tile 'IDS status' on an instance may display 3 values:

  • Monitored
  • Not monitored
  • Under Attack






Why Scanning Is Necessary?

  • Not all modifications are captured by Cloudtrail
  • Cloudtrail can be turned off by mistake or intentionally
  • There is a 15-30 minute delay between a change event and a Cloudtrail record.
  • Not all regions including gov regions support Cloudtrail service



Here is a list of services supported by Cloudtrail.

Flow of Changes


Regardless of how change is made, via command line, amazon management console or some other 3rd party tool it ends up in Cloudaware. Using change detection mechanism, change detectors update respective objects in CMDB.

Terminated or Deleted Objects


Once objects are deleted from AWS or, for example, an instance is terminated, they are still available for viewing, reporting and filtering in CloudAware CMDB. By default, objects remain visible in CMDB for 2 weeks after they have been deleted in AWS. However, this retention period can be increased.

All objects in CMDB have a field Deleted From AWS. This field is blank when an object is present and visible in the AWS console. Once the object has been deleted from AWS, this field will be populated with a date and time value.






Working With CloudTrail


CloudTrail is a service within AWS that provides a log of all API requests. The logs contain information about nature of the request such as:

  • Who made the request
  • At what time
  • From what IP address
  • Using which Amazon Library or tool
  • Request and Response Parameters



More information about AWS CloudTrail is available here.
Cloudaware extends functionality of Cloudtrail by making relevant Cloudtrail data readily available within CMDB. There are 3 key ways in which CloudTrail data can be accessed in Cloudaware:

  • Using interactive CloudTrail main Tab
  • From CloudTrail Tab on any CMDB object
  • Using Cloudaware Reports


Main Tab


Once in the main tab, Cloudtrail data be searched for specific object using the search box.

Additional events can be filtered by type. For example if we wanted to only events that were either change, create or delete events, performed by a certain user, we could this as shown below.






Object Tab

While looking at any object in CMDB, user can click on Show Cloud CloudTrail button to view relevant Cloudtrail events.


Similarly if we are looking at an IAM user in CMDB, we can very quickly see what are the recent AWS activities of this user by clicking on CloudTrail tab in the IAM User Object.

Reports

Another powerful way in which CloudTrail events can be utilized is via Cloudaware Reports. Cloudaware come with a powerful report builder where we can zoom in specific CloudTrail events that meet our criteria. Reports can be scheduled, emailed, and converted to dashboards. Here is an example of a Daily Digest Report that summarizes all important changes throughout the day.


More information about building reports in Salesforce is available here and here.

  • No labels