Sign Connecticut Assignment of Partnership Interest Secure

Document type sign assignment of partnership interest connecticut secure

[Music] hello and welcome to this third installment of our arcsite smart connectors series on the amazon web services smart connectors this session is based on the new security hub connector which is a brand new addition to our smart connector framework as a version 8 of the smart connector framework and this connector deserves its own sort of session to actually run through its capabilities and where our strategy is really heading for event collection from a security perspective within arcsight you may be aware that there are two other videos available for your viewing around amazon cloud trail and also amazon cloud watch and if you've watched those videos you'll know that they actually work in quite different ways they also are centered around different types of events and what i wanted to do in today's session was actually explain how this new security hub connector works from a deployment perspective the services that it uses with amazon and so forth but then most importantly show you the different types of events that you're actually going to receive and how they differ greatly from cloud watch and cloud trail so so if you're unfamiliar with what cloud security hub is all about let's take a quick look at what amazon says about it security hub gives your comprehensive view of your high priority security alerts across all of your accounts and so we have a wide range of security tools at our disposal such as firewalls endpoint protection and so forth through vulnerability and compliance scanners with security hub you have a single place that aggregates and organizes all your different security alerts such as amazon guard duty inspector macy iam and so forth so basically what security hub is is this central location for security findings to actually be placed and then consume and this is what we plan on doing with our new smart connector let's consume those security relevant events and bring them into an arc site destination there's many different types of services and products and so forth that can actually feed into and even and even pull out events from security hub the particular service that we are interested in today in our initial release of this connector is called amazon guard duty and amazon guard duty is of course a managed security service within amazon which effectively is a threat detection service that continually monitors for malicious activity and unauthorized behaviour to protect your aws accounts and workloads so it's effectively it's its own miniature seam slash sock service and it is sending these security findings to security hub and it does this via a couple of other amazon services which we'll have have a look at right now so think of it straight away as being that service that is taking a lot of the legwork out of correlation and analytics and so forth and doing it all for us and then it's just sending us that smaller number of events that are events that need to be acted upon so we're not trawling through potentially thousands and thousands of events looking for something that may be malicious it's taking a lot of the workload for us uh in our cloud deployments away from what we what we need to be doing so the smart connector configuration document is available and i want to take you firstly to the actual architecture of the connector to help explain how security hub guard duty and our smart connector actually all fit together because this is an important point because if you've watched the other two videos on cloud trial and cloud watch you'll know that they work in very different ways and the security hub connector is different yet again it's almost like a mixture of the the methods and services that are used in the other two connectors to bring us these security hub events so starting from the top here of the sk of the configuration guide in the cloud we've got these different services as we saw before guard duty inspector macy third party integrations and so forth and all of these services are effectively what we like to call security hub enables so they will find they will create findings they'll do the analysis they'll create findings and i'll send them through to this security hub service and security hub receives events in aws security findings format or asff and it does does this and then sends them across to what we call event bridge which is another amazon service which is sort of taken care of for us we don't need to worry about that too much but as you may be aware our cloud trail connector we we introduced this concept of using the sqs service or simple queuing service and this is really how security hub is working as well so when a new event actually arrives in the event bridge it actually sends a message to the queue and the queue is being polled by our lambda function and if the lambda function is effectively running our smart connector so what happens is basically our java code here polls the queue it sees that there's a new message available it goes and gets that event from the event bridge and then processes it from the asf format into cert format and then after that it sends it off to the destination that we pre-configure which is of course a cef um syslog ng connector running on a given port over tls and this is where we have the concept of the the syslog ng daemon running in a private subnet within your vpc which can then obviously forward off to oxide and monarch site destinations for further processing so just to reiterate the security hub aware or enabled services such as guard duty send their findings so guard duty is doing analysis and so forth of cloudtrail and and cloudwatch logs in the background something that we would have normally done ourselves within esm for example but guard duty is doing a lot of that work for us now and only sending us the findings that it that it has sends them onto security hub it drops them into event bridge it sends a message to the to the sqs service saying hey i have a new message i have an event you need to come and collect our java code effectively our smart connector running in lambda will pick up that message pull the message convert it from asf format into ceph and then send it onto our syslog ng daemon and then we're free to actually send on to any destination that we want to after that so this brings us to a really good point in that security hub is and i guard you are going to give us very very much a subset of events that actually are occurring within our vpc if you're familiar and have seen cloudtran and cloud watch working at a vpc or level you'll know that it generates it can generate a lot of a lot of events so let's take a quick look at those events to give you an idea so here's my esm i've got three different active channels running here now this this first one here on the left is for cloudwatch and as i've described before in previous videos cloudwatch is really centered around those operational and api type calls so you'll see basically calls to your vpc infrastructure whether it be by the via the console or via an api call and that's why you see a lot of different calls such as describe tags assume role all these sorts of things that you know services and humans are calling upon to to do their roles uh on a day-to-day basis so it's pretty operational there's not a whole lot of truly security-centric events in here secondly if we then pop over here to our cloudwatch active channel you'll notice that we're we're really looking with the cloudwatch logs via vpc flows and we start to see a lot of different things or items around accepts and rejects at a security group level so you know incoming traffic hitting trying to hit my my infrastructure internally internal traffic accepts and denies and so forth so what i set up from a network access perspective security group perspective and so forth those steps and rejects will be reflected in these vpc cloudwatch logs and again there are a lot of logs there are there is a lot to consider here the the eps rates tend to be quite high and so this is something else to consider but what's really wonderful about security hub is that if i now pop over to my security hub smart connector active channel you'll see that out of all of those all of those incoming events that i would typically be analyzing myself i can have guard duty just tell me about what's really most important i can use my cloud watch logs and do further analysis for my own reasons my own use cases and so forth but security hub is doing a lot of great security work for me so you'll notice here even over the last three days i've only had a few alerts now i've got a very very small infrastructure here with virtually no virtual machine so i'm not going to see a whole lot here but the point that i want to make here is that as i said before there's very much a subset of events but they're solely centered around security and security alone so if we take a look at this dns request target for example this is effectively a dga call it guard duty has seen a dns request come through and it is analyzed against its own security capability and it said right this is actually a dji call and i'm going to i'm going to send off a finding to security hub and so i've got one event for possibly thousands of events that need to be analyzed this is a really great piece of functionality and service that security hub offers so just to reiterate cloudtrail very operational cloud watch great for accepts and denies and network network level type acl uh information in terms of logs and events and security hub itself we're taking advantage of that managed service guard duty to bring us just what it finds in terms of security findings but it's important to point out that this initial release of the connector is centered around guard duty so as you start to read the documentation for this connector it is very clear that it is for guard duties even though security hub has the ability to send us lots of different findings for for lots of different reasons and causes we're centered around for our initial release this guard duty piece so make make note of that it is not going to give us events from third party integrations at this point but they they were certainly on the horizon the next thing i want to show you is the networking and aws side of the configuration which needs some consideration and there's a few steps involved to actually getting it set up and working so it's not just a case of simply installing an assist login g connector and hoping for events to come through there are a few caveats and stipulations around the network and how it actually hangs together so i want to run through that right now firstly you're going to have a vpc that would make sense in amazon my vpc has a cider block here 16 of 172.31 i do give an even more detailed iteration of the vpc and networking setup in the cloudwatch video so if you're looking for a step-by-step demonstration of how to perform that please watch the cloud watch video i actually install all of the vpc from scratch but in this video i'll just step you through what i've actually done make it work so first we've got this vpc we're going to have and a requirement of lambda is to actually work within a private subnet if you're not familiar with private and public subnets in amazon effectively a private subnet is one that does not by default have internet access and secondly to that a public subnet is one that can have internet access via what we call an internet gateway and it can have public addresses assigned to internal hosts so it's effectively saying a private subnet by default unless you add a nat gateway to it it will not have any access outside to the outside internet and this is sort of a stipulation on lambert lambda it must run on in the context of a private subnet and so this is why i've created these private subnets a b and c across my three availability zones so effectively i'm giving lambda or in essence our smart connector the ability to run and execute within that private state these private subnets are attached to this second route table that i have in amazon you'll have typically a default route table which takes care of basically everything local to the vpc itself but then anything outside of that wanting to go to the internet will go via typically a default enabled internet gateway and so this is this is really what a public subnet would be utilizing to gain access to the internet but what we do is we create a new sub a new route table and we associate our private subnets with this route table so we're basically saying anything that these private subnets want to do they need to be they need to have this route table applied to them and of course lambda can often require internet access for gaining access to various services and that creates a real problem so you'll we need to actually create what's called a nat gateway to give those that functionality that lambda function internet access one way so to get out to the internet and so to do that we actually create one of these nat gateways it's important to keep in mind that a nat gateway for your customer instantiating instantiating one of these is a managed service by amazon and does carry a per month cost so be aware of that you might also want to look at implementing your own nat device to bring that cost down so that's just something to keep in mind so under the route tables here we'll go back to our private route table and you'll notice that anything from my associated private subnets here stays within this this particular route table if any traffic needs to go outside of my private subnet i've created a new capsule route table rule to go via the nat gateway so it's a bit like your home router every or your your typical small business where everything's sitting behind a single net gateway anything wants to get outside of the local subnet it goes by this this net device is as simple as that and so they're the few steps that we need to actually make sure are in place before we set up any of these connectors because when we set up this connector we actually give we actually associate our lambda function with these private subnets and that allows it to have the access to the various services that it requires but again if you'd like a step-by-step demonstration of building this from scratch watch the cloud watch video for those steps so i just wanted to quickly take you through security hub as a service within amazon i won't go into a whole lot of detail here but i just wanted to point out that security hub can be enabled for a free 30-day trial in your amazon account so i certainly encourage you to have a look at that it might also be a great way to run pocs etc with very little cost but once you have it up and running and enabled you can switch on these various services such as guard duty and guard duty has its own console i'll bring that up now and in the background here it's obviously utilizing vpc logs and so forth analyzing those for us in the background and then coming out with these these findings so there's a couple of things here that are of interest to me already i've got some dga domain requests things like that drive by source traffic etc root credential usage and so forth so these are great these are typically things that i would need to do in my own seam for example but i can let guard duty do that work for me and the nice part about it is out of all the tens of thousands potentially millions of events that it's actually processing there's really only about five events that need to end up in my esm console and i can act upon those so this is a really great feature within amazon as i said you can build at a free trial and you can also do some configuration here so guard duty is just one piece as i said there's lots of different services like macy and third party integrations and so forth from many many other security vendors but at this stage as an arcsight smart connector we support guard duty today as of its initial release in 8.0 and we'll push forward with further enhancements and integrations as time goes on so that's just a quick look at the guard duty and the security hub console and keep in mind that as i said before guard duty is what we support today so you'll notice that although i have uh some guard guard duty events i'm not seeing these the e security hub events here such as these uh essentially vulnerability scans and so forth because these are not coming from guard duty they're coming from other services so i want to make it very very clear that we won't see those in our initial release of this smart connector because we are focused on guard duty itself so just keep that in mind next let's take a look at the actual connector framework and what we can expect in terms of the files and so forth that we need for a successful installation so i've unpacked version 8 of the connector framework into a temporary folder here so we can take a look at it and it looks very much the same as any other connector framework deployment from the 7 series 7.14 and 5. this is of course 8.0 our initial release and we've got our windows collectors connectors linux etc etc so not nothing uh surprising here but one of the really nice additions is of course the the security hub connector and you'll find that as a small zip file just like just like the cloudwatch connector it's it's a small zip file down the bottom here so when we unpack it i just want to quickly run through the files that are part of this actual connector just so we're very clear on what we're actually sending up to the s3 buckets and what what the function of each of these actual files is so this is all the files from the security hub connector that i've unpacked that zip file the we've got a maps file maps directory which contains all of our mappings for the af asf format through to ceph and at this stage it's it's really centered around guard duty we've got the security hub connected jar so this is effectively our event processor for processing asff to cef file so this is effectively that java code for parsing to surf it's as simple as that and that's the piece that runs inside of lambda in a serverless configuration for parsing of events we've got external.properties and external.properties if we take a quick look at myexternal.properties it's just like very similar to the cloud watch connector in that you provide the upstream syslog connector and g information you also provide things like the the actual s3 bucket for where we will find our remote management uh certificate 40s syslog ng connector or load balancer one interesting change you'll see is that the password is now obfuscated as opposed to plain text as it was in 7.1 of the connector framework particularly for cloudwatch and then of course our uh map overrides uh folders uh folder as well last but not least and so in saying that external dot properties will go into our s3 bucket as well what doesn't go into the s3 bucket is this installer.json file and this is effectively our cloudformation template and this is what we will actually feed in to the cloud formation setup process which i'll go through next and that contains all of the all of the policy creation and so forth around roles and resources and so forth that are generated and created for the purpose of running the event processor dot jar file in lambda so that's a that's another important file there but again we won't actually put that on the s3 bucket we'll actually upload that to the a to the aws console so that's a quick look at the files that are involved with the actual connector itself in aws all right so there's a number of other steps we've got to partake in to actually deploy the connector like i said before each of our connectors have has been a slightly different install process because because we're utilizing different services and so forth within amazon and the security hub connector is in the same bucket so to speak so as per the documentation we've got a number of different steps we're going to take but arguably a little bit uh more straightforward than the cloudwatch connector i showed you in the previous section where we set up the vpc and networking side of things so we're good to go there and basically the next step is to now upload all of the relevant files for the smart connector or the lambda to actually execute and pass these security hub events into ceph and then send them onto the syslog daemon so what we firstly do is set up a new s3 bucket you can see i've got a cloud trial and a cloud watch bucket there from from our previous videos and previous demonstrations we'll leave them in so this security bucket here of aptly named security hub bucket i click on it i go into it and effectively what i do now is upload all of the files from the smart connector.zip file that you'll find in amongst the smart connectors so this is not the syslog ng smart connector this is the actual security hub connector itself and what we're going to be uploading is several different pieces of information firstly there's going to be the maps folder that we upload so this is all the different map files for the different type of guard duty events and so forth that we will that we support we've got the event processor itself so security hub connected 1.1.jar so that's obviously very important this is effectively the java code that gets sent to lambda for execution external.properties we need to update that with the relative information for lambda to actually read when it invokes itself it will pull that information down that file it will read the properties and so forth and from there it works out where it needs to go to next installer.json is basically a template for cloud formation and that's an important file we'll get to that very shortly it's effectively setting our policy for what services and so forth and how our connector will actually run so very important there the just like the cloudwatch connector we need to upload the remote management certificate from our syslog ng smart connector or our load balancer if we're going down that path so once you've installed your syslog ng connector make sure that you give copy remote management.p12 into this bucket as well now i've been particularly lazy here i've just put them all in the root folder obviously we would under best practices we would create a a new subfolder security hub files or something like that and then place all these files under there but i have just placed them all on the root folder not not not best practice so let's take a look now at external.properties and it's very very similar to what we saw in cloudwatch but just a couple of minor changes and actually a few deletions actually firstly our host and port names port number so where we're sending our ceph events downstream right so we obviously need that you'll notice that 98.242 that was my syslog ng in the private subnet so my syslog ng connector has no real way of getting out at this stage but lambda can talk to it because we will associate lambda with the private subnet port one triple nine uh it will be a tls based syslog ng connection uh that's what we must uh stipulate it is a tls connection and then we've got our certificate uh information here as well so we're telling the installer we're going to be going to our security hub bucket now the the bucket must be in the same range region as the the connector itself so be aware of that we're telling it where our actual certificate is and if i was being a little bit neater in how i did things i would put it in a you know a subfolder but i haven't done that at this stage one thing you'll notice in the new version is that we're actually using the obfuscated password for the for the keystore password which is a nice addition in the past and in cloud watch in the 7.1 series you'll notice that it's actually in clear tech so that's a nice little change to security there map override bucket and also the folder so this is this maps folder here so if i've got extra map files and i can switch on or off logging info debug etc and so forth so as long as we've got all that information we save that file we then upload it here as you can see in terms of the remote management port certificate you'll remember that that is under user agent and you'll see that p12 file there under current user agent so we grab a copy of that we dump that also into the into the s3 bucket and that's all that we need to do from an s3 perspective so we're pretty much ready to go so next we're actually now going to move on to the actual cloud formation template installation this so this is where we deploy the actual event process surfer itself so let's get started on that one so to get over to cloud formation what we do is we simply click on services on any console within the aws easiest thing to do is just type the word formation there's a number of different answers that will come up we want to click on cloud formation and you'll notice here that i've already got a stack uh my cloud watch stack so we we utilize stacks uh for the cloudwatch connector as you remember from the previous video and we do it in a very similar fashion here but instead of using an actual installer script like you might remember we're actually going to use a template this time so it's a even a little bit cleaner and neater and nicer to work with so let's go ahead and do that so firstly we click on create stack and with new resources standard and we're going to use this temp we're going to use a template and we have the option of uploading a template file or using an amazon s3 url so we'll use a amazon url url so let me just quickly go back to the bucket and what we're going to be doing is grabbing the file locator information for the installer.json file so we've copied that url bring it back to the cloud formation piece and we just simply pop it in there click on next uh give it the bucket name where the everything is available as we know it's in security hub bucket it's going to be in the same in the same region we give the stack a name to begin with we grab the bucket name which is security hub bucket the region ap south east 2 in my case make sure you get this right because it all it is all regional uh you'll notice in the documentation certainly in this in this uh pre-release pre-release stages you do actually set up a security group for the lambda function but relate inbound or outbound rules but you do have to select something so just you can actually just create a an empty security group if you want with no no inbound or outbound rules but i'll just copy over the one that i'm using from cloud watch because it's effectively the same and most importantly what subnet id or are we actually going to be associating the lambda function with and i'm obviously going to put it in one of my private subnets and you'll notice there 172 3198 network so that's that's what that's my private subnet that is actually funnily enough has my syslog ng connector in there click on next there's really not a whole else whole else you you need to do a a whole lot here you can create a special role for the creation of the cloud formation stack if you wish if you as it says if you don't choose a role cloud formation uses permissions based on your user credentials and you will know from the documentation that the actual credentials that are required or the permissions that are required are these they're listed in the configuration guide so unless you actually configure a an iam role specifically with the correct permissions it will assume the user that's that's creating this stack or this formation uh to have those to have those at a minimum for credentials i'm using my own root account so i'm assuming administrator i have those i have those credentials i don't i don't need to worry about that at this stage and for everything else we just leave default there's nothing really we need to worry about at this stage this this will get our formation up and running so click on next everything's ready to go it gives us a summary page and what you're going to do here is you've got to acknowledge that cloudformation will create actual resources so we're basically consenting to uh things occurring on our behalf so just acknowledge that and then click on create stack and just like you may remember from our cloud watch installation in a pre in the previous video this stack creation now starts to take place and you'll see the status create in progress and that will take a minute or two and once it's finished it will be up and running now while that's actually being created just like cloudwatch we need to make sure that there's certain network level access for lambda to actually send events to the actual syslog connector you remember from the cloudwatch video i deliberately didn't open up the port 1 9 deliberately so you would actually see those failure messages within the event processor but i've i've actually already got those open now but let's go and take a quick look at those so we can get a get a feel for it so my default policy here that i apply to anything that's a syslog connector uh syslog ng port one triple nine from anywhere tcp now i can lock that down a little bit further and just make it so it's only from my private subnets that would be an even better way to go as a security purist but for the purpose of just getting things up and running that's just fine so while that's creating that stack again it takes a couple of minutes still going so all this information here such as the description comes from that installer.json file that's effectively our cloud formation template so that's that's where this all information around what resources need to be created and so forth so forth is actually coming from and then lambda itself will actually read external dot properties from the s3 bucket as well for its own configuration so this security hub connector is my agent my syslog ng agent and it will be receiving the events from lambda in the security hub so let's give that a couple of minutes when it's finished we'll come back and we'll start looking at some of the events right so we're back now after a few minutes and security hub is starting to send through some logs very very slowly it's important to keep in mind that it can take some time for something to actually show up so don't think that you're going to be flooded with events straight away so keep that in mind when you're taking a look at so we can see our events here as we saw earlier in the video here some dga type events that have come from guard duty via security hub so when the actual stack has been finished in terms of its creation you'll see if all has gone well green tick create complete and the template information itself so you can go into the stack itself and take a look at the resources if you want to look at any logs that have been generated in terms of the event processor and so forth you can do that here click on the log group because it is essentially sending logs of itself and its own execution back to a log group or a stream within cloudwatch itself so so just to finish off in summary the differences between the three different types of aws connectors that we have cloud trail obviously pulling trail information bbc logs very much on an operational level what's interesting about cloudtrail is that it is actually picking up what you see there is security hub events now let's it's important to keep in mind we don't mistake those for actual findings so these are essentially programmatic calls to security hub to get things like insight results uh security findings and so forth so they are the actual api calls and the console calls to those particular services so these are not uh security event hub findings so we've got to be very very clear on that so these are cloud trail logs operational type of logs our second one is of course the cloud watch connector which is really giving us a lot of interface and vpc level network type information so if i take a look at this one here i know with a priority of five it's more than likely a network reject so i can take a look at that and informative failure category outcome so a network block of some description is probably occur there there we go device action equals reject as opposed to these other ones or probably a lot of them are except so a lot of that subnet and vpc level accept and reject type events as what we'll see from cloud watch and last but not least security hub so these are the findings from guard duty and remember guard duty is the first iteration of the security hub capability that we're going to support and we'll continue to ro l our support for new products and services within security hub so i hope you found that informative and thank you for watching you