Transcript
SEIZE THE HIGH GROUND
NDR for AWS Well-Architected
Agenda
What is NDR?
NDR for AWS Well-Architected
Reference Architecture
Live Demo!
Network visibility is crucial for multilayer defense
[Diagram: threat intel feeds flowing into a SIEM alongside Network Detection and Response (NDR), Endpoint Detection and Response (EDR) and a UEBA / analytics stack]
Components of an NDR platform
1. Alerts & Insights (Signature Alerts and Behavioral Analytics)
Signature, behavioral, and threat intel based detections
2. Investigation (Incident Response & Threat Hunting)
Structured and linked metadata accelerates incident response and threat hunting
3. Validation (Forensics)
Retain network traffic in PCAP files to aid investigation and forensics
NDR: A design pattern
1. Alerts and Insights: IDS (Suricata), for signature based detection
2. Investigation: NTA (Zeek), the industry standard for IR and threat hunting
3. Validation: PCAP, the backstop of last resort
[Diagram: network traffic feeds all three components; their output is sent to the SIEM]
AWS Well-Architected Framework
Performance Efficiency: Use computing resources efficiently as demand changes and technologies evolve
Security: Protect data, systems, and assets; leverage cloud technologies to improve security
Reliability: Recover from failures, dynamically acquire compute resources to meet demand, mitigate disruptions
Cost Optimization: Run systems to deliver business value at the lowest price point
Operational Excellence: Develop, monitor and run workloads; continuously improve supporting processes and procedures
NDR for AWS Well-Architected
Performance Efficiency
● Deploy globally, scale elastically
● Cloud-native, event driven log streaming
● Integrate with Cloud SIEMs & metrics monitoring
Security
● Least privilege access with Org RBAC and AWS IAM roles
● Audit logging to track & flag config changes
● End-to-end data encryption; VPC Endpoint services
Reliability
● Deploy sensors cross-AZ behind NLB
● Fork and filter logs for data resiliency
● Immutable sensors for automated deployment
Cost Optimization
● Self-hosted sensors to keep traffic within VPC
● Track traffic mirroring billing - especially for dynamic instances
● Preferential SIEM pricing, reduced logs
Operational Excellence
● Automation to deploy at scale using CFT
● Serverless app model to enforce mirroring policies
● Central console to manage distributed deployments
Reference Design
[Diagram: AWS Cloud > Region > VPC spanning Availability Zone 1 and Availability Zone 2. An Auto Scaling group holds two sensors, Corelight1 (Active) and Corelight2 (Standby), each with its own ENI interfaces, behind an NLB that receives the traffic mirroring. Sensor logs are streamed to Amazon Kinesis and Kafka.]
Live Demo
Setting up traffic mirror
Setting up traffic mirror session
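The two traffic mirror slides above are console screenshots; as an added example (not Corelight's own template), here is the same target, filter and session as a CloudFormation fragment, in the spirit of the deck's "automation to deploy at scale using CFT". The NLB ARN, source ENI and VXLAN VNI are placeholder parameters you would supply for your own sensor deployment.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: mirror one workload ENI to an NLB-fronted active/standby
  NDR sensor pair. Placeholder values only; not a vendor-supplied template.
Parameters:
  SensorNlbArn:
    Type: String
    Description: ARN of the cross-AZ NLB in front of the sensors (placeholder)
  SourceEniId:
    Type: String
    Description: ENI of the workload instance to mirror (placeholder)
  SensorVni:
    Type: Number
    Default: 12345   # constructed VXLAN VNI the sensors are configured to accept
Resources:
  SensorTarget:
    Type: AWS::EC2::TrafficMirrorTarget
    Properties:
      Description: NDR sensors behind cross-AZ NLB
      # Mirrored packets arrive VXLAN-encapsulated on UDP 4789, so the NLB
      # needs a UDP 4789 listener with a sensor target in each AZ.
      NetworkLoadBalancerArn: !Ref SensorNlbArn
  MirrorFilter:
    Type: AWS::EC2::TrafficMirrorFilter
    Properties:
      Description: Copy all ingress and egress of the source ENI
      # Add "NetworkServices: [amazon-dns]" if the sensors should also see
      # queries to the VPC resolver; that traffic is not mirrored by default.
  IngressAll:
    Type: AWS::EC2::TrafficMirrorFilterRule
    Properties:
      TrafficMirrorFilterId: !Ref MirrorFilter
      TrafficDirection: ingress      # direction is relative to the source ENI
      RuleNumber: 100
      RuleAction: accept
      SourceCidrBlock: 0.0.0.0/0
      DestinationCidrBlock: 0.0.0.0/0
  EgressAll:
    Type: AWS::EC2::TrafficMirrorFilterRule
    Properties:
      TrafficMirrorFilterId: !Ref MirrorFilter
      TrafficDirection: egress
      RuleNumber: 100
      RuleAction: accept
      SourceCidrBlock: 0.0.0.0/0
      DestinationCidrBlock: 0.0.0.0/0
  MirrorSession:
    Type: AWS::EC2::TrafficMirrorSession
    Properties:
      NetworkInterfaceId: !Ref SourceEniId
      TrafficMirrorTargetId: !Ref SensorTarget
      TrafficMirrorFilterId: !Ref MirrorFilter
      SessionNumber: 1               # lower number wins if several sessions share the ENI
      VirtualNetworkId: !Ref SensorVni
```

Because the source ENI is a parameter, the same stack can be instantiated per instance by the event-driven automation the deck mentions, with mirroring costs then tracked per session as the Cost Optimization pillar advises.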
Demo lab
Try Corelight in AWS for free
Request an evaluation of the Corelight Cloud Sensor for AWS:
https://www3.corelight.com/evaluation-form
● Corelight’s best-in-class NTA product in an Amazon Machine Image (AMI)
● Built-in Zeek packages for detection, monitoring, and data enrichment
● Intuitive, fast configuration with a beautiful web UI
● Zeek log export to Splunk, Elastic, Kafka, Syslog, Amazon S3, and SFTP
● High performance and efficient file extraction
Q&A
Thank You