Avatar

Stealthwatch Cloud is first and foremost known for its overall visibility and high fidelity security threat detection.  These detections range on a spectrum from on-premises endpoints to public cloud workloads and everything in-between.

Where it relates to public cloud workload protection in AWS, many of our customers believe that there should be the option to take action on a threat if deemed of significant criticality.  Some customers may find significant prioritization in activity such as an AWS workload suddenly acting as a server on the Internet for the first time ever whereas others may be more concerned about an overly permissive configuration causing an AWS workload to become brute-forced.

Whatever the scenario, the ability to take action is incredibly valuable to a Security Operations team or Incident Responder.  Stealthwatch Cloud users have a great deal of flexibility when it comes to responses and actions that the system can take once an Alert of importance triggers in the system.  There are built-in options for everything from email to syslog, chat system notifications to vendor-agnostic webhook support.  There are also cloud native service supported features such as public cloud provider storage bucket support and in the case of AWS, the ability to directly integration with the AWS Simple Notification Services or SNS as its commonly referred to.

With SNS built-in support in Stealthwatch Cloud, users are able to directly interact with the AWS infrastructure and take automated operational actions on workloads, configurations and services to mitigate both risk and threats in real-time.  This allows a Security Administrator to implement a proactive set it and forget it approach to implementing appropriate remediation actions for security Alerts that are of urgent criticality to them.  Actions can be in the form of insertion of Access Control List (ACL) rules, workload instance state manipulation or other infrastructure service configurations.  Programmatically speaking, the sky is the limit with how Stealthwatch Cloud can perform a mitigation task within the AWS public cloud environment.

To demonstrate this incredibly useful feature and workflow within Stealthwatch Cloud, I have created a tutorial on how to perform automated remediation in AWS on a breached workload by programmatically inserting VPC Network ACLs (NACLs) to block offenders in real-time as they attempt to exploit an overly-exposed EC2 instance.

Here is a diagram of the Proof of Concept workflow:

The intent of this tutorial is to primarily be a Proof of Concept to demonstrate to Stealthwatch Cloud customers how easily they can implement an automated remediation workflow into their daily operations of the solution.  The idea is that an Administrator can choose one or more alerts that of high criticality to them that they’d like to be remediated automatically should Stealthwatch Cloud detect relevant threat activity.  Stealthwatch Cloud will send out a message to an AWS Simple Notification Service (SNS) topic which will trigger a Lambda.  The Lambda will then parse the Stealthwatch Cloud Alert telemetry and take action on any workload necessary to effectively block threats in real-time.  This is achieved through the insertion of VPC Network ACLs to block attackers as they attempt to exploit an overly exposed workload, in this case an AWS EC2 instance.

As Network ACLs do not scale past 200 ACLs, each with 20 rules per in AWS, this is again primarily meant to be a Proof of Concept to demonstrate the immense programmatic potential to using this workflow and integration to take action on any AWS service, configuration or workload to remediate risk and exposure without manual intervention.

Example of the end result of Network ACL’s being created automatically to block offenders attempting to exploit an exposed workload:

Click here to view the tutorial.



Authors

Jeff Moncrief

Consulting Systems Engineer

Global Security Sales