We have an exciting webinar coming up on the 3rd of June at 9:00 AM PDT. You will learn all about SecureX third party integrations, but specifically we will discuss how to integrate AWS in a very neat way, using a Serverless Relay Module. Read more about those modules in the blog of my colleague.

You don’t want to miss this one!  Register here for the webinar!

Want to get started right away? Then try this self-paced Serverless Relay Module learning lab on DevNet.

Introduction to SecureX and Serverless Relay Modules

SecureX is a cloud-native, built-in platform that connects our Cisco Secure portfolio and your infrastructure. It allows you to radically reduce dwell time and human-powered tasks. For SecureX, the Cisco Threat Intelligence Model (CTIM) is like Wikipedia, an abstract data model that organizes data and defines data relationships. CTIM is of utmost importance for SecureX because it provides a common representation of threat information, regardless of whether its source is Cisco or a third-party. In the following sections, we will dive deeper into CTIM and its components.

Serverless relay modules are the components that enable SecureX integrations with third-party (security) solutions. They are serverless Python Flask applications that are intended to be deployed into AWS as Lambda applications. Because they are Flask applications, they could basically be deployed into any Python-capable host. The important feature that serverless relay modules can do, is that they can translate back and forth between CTIM, and whatever data model the third-part solution is using.

securex aws 1

Introduction AWS (VPC)

Whether you’re looking for compute power, database storage, content delivery, or other functionality, AWS has the services to help you build sophisticated applications with increased flexibility, scalability, and reliability. The adaptive nature of the cloud, including its global presence and auto-scaling capabilities, are invaluable to organizations.

However, this can also pose a significant risk. The cloud can often obfuscate many of the underlying resources SecOps teams require as part of their daily operations. Being able to understand the traffic flows, and device interaction within the AWS cloud or external devices is a critical component to providing comprehensive security. The SecureX AWS Relay bridges this gap by providing flow log telemetry into the robust SecureX ecosystem, allowing for dynamic classification of devices communicating with those of an organization and even dynamic host isolation.

What can the AWS Relay Module do?

This entire solution is built for SecureX and AWS, consisting of three main components:

1. Dashboard Tiles

Dashboard tiles in SecureX to view high-level statistics and pivot straight into AWS:

securex aws 2

The five tiles available provide metrics on the overall infrastructure, VPC flows, EC2 instances, and IAM credentials. All links even pivot to the appropriate resources, reducing the time from detection to mitigation significantly.

2. SecureX Threat Response Flow Log

By analyzing flow logs directly from AWS, all logged traffic can be visualized along with corresponding judgements. When SecureX Threat Response performs the investigation, both the private and public IP addresses are captured. VPC flow logs only show the private addresses, since these are what the virtual machines use to communicate, however the public IP is what would be identified over the internet. The public and private IP addresses are combined into a single target for easy identification. The traffic is also denoted within the relationship to show if it was ingress, egress, or bidirectional. Additionally, within the setup steps a configuration options exists on whether to show blocked traffic or only what was allowed.

securex aws 3

3. AWS Host Isolation for Threat Response

Following on the investigation within SecureX Threat Response, if immediate action is needed to isolate the instance from the network, a host isolation response action was added. By simply clicking the dropdown associated to either the internal or public address you will be presented with the option to either immediately isolate, or in the event an instance is isolated, return the instance to its previous permissions. All of this is done leveraging native AWS features and does not have any interaction with the endpoint itself. Upon performing host isolation, the instance will still be in a running state with network interfaces enabled, just unable to communicate with any other internal or external devices. As soon as the isolation is removed, the devices network permissions will be returned to their original state.

See the power of AWS Relay

If you want to learn more about this awesome new integration, then we highly recommend joining our upcoming DevNet webinar. Join us on June 3rd as we walk through the setup process and showcase the power the SecureX AWS Relay can have in your environment.

Register here for the webinar:

Cisco SecureX and AWS: integrating AWS VPC flows into SecureX threat response


We’d love to hear what you think. Ask a question or leave a comment below.
And stay connected with Cisco DevNet on social!

Twitter @CiscoDevNet | Facebook | LinkedIn

Visit the new Developer Video Channel


Brennan Bouchard

Security Architect