By Joel Bork, Sr. Threat Hunter – IronNet
By Tiberiu Oprisiu, Partner Solutions Architect – AWS
By Steven Pozarycki, Partner Solutions Manager – AWS
For many organizations operating in the cloud, building out new skills and business practices to support this approach brings some uncertainty about whether their cloud environment is just as secure as their on-premises network.
Working with Amazon Web Services (AWS), IronNet delivers threat detection and mitigation at scale across networks that are on premises, in the cloud, or both.
IronNet collects logs and traffic data to identify indicators of attack or abnormal behavior in order to stop advanced cyberattacks.
At its foundation, the IronNet solution consists of one or more sensors to feed network data and logs to IronDefense—the backend collection and analysis point for detection.
For physical enterprise networks, an IronNet Sensor is placed directly in the physical network to monitor network traffic and data. But that leaves the question: What about my AWS environment and network? In this post, we’ll cover how AWS and IronNet work together to further protect your cloud environment.
IronNet Cybersecurity is an AWS Partner with a qualified software offering. IronNet works with clients across a range of industry sectors to develop sector-specific cyber defenses.
Gain Visibility into Your Cloud Environment
IronNet has worked closely with security teams around the world and learned that it’s hard to know what information and data is relevant to gain visibility and monitor your cloud against cyber threats.
Like many organizations, your cloud environment produces massive amounts of logs. IronNet begins by running user and entity behavior analytics (UEBA) over the logs you already have, giving security teams additional insight and prioritization.
While this works, IronNet found that the data needed to detect both small and large-scale cloud incidents is not always available in the logs. By applying behavioral analytics to the network traffic itself, IronNet was able to detect the behaviors associated with a recent high-profile attack.
The logs collected from cloud environments are very API-centric. While there is value in them, they still don’t give security analysts the ability to deep-dive into the traffic actually occurring on the wire.
Enter the IronNet Cloud Sensor for AWS, which monitors and prioritizes the traffic in your cloud environment, giving your security team visibility into what is actually happening there.
Figure 1 – IronNet Cloud Sensor for AWS backend environment.
The diagram in Figure 1 shows an example of the IronNet Cloud Sensor for AWS installed on a customer’s network and the IronDefense backend, which is offered in most AWS regions.
IronDefense is deployed in managed AWS accounts for customers, and it consumes the metadata produced by the IronNet Cloud Sensor for AWS, which is used by the analytics and stored in Amazon Simple Storage Service (Amazon S3).
Multiple AWS Auto Scaling groups provide the different instance workload types needed to process the various parts of the system and to provide access to the IronDefense product. This also allows IronNet to span multiple AWS Availability Zones (AZs) and keep operations running even if an outage occurs in one of them.
Similar to what IronNet can do in an enterprise environment, the product is now able to mirror the traffic within an AWS environment and allow security analysts to hunt through raw traffic to find indicators of compromise (IOCs).
How the IronNet Cloud Sensor for AWS Works
An IronNet Cloud Sensor for AWS runs in a customer’s account to parse the raw network traffic. With this added visibility into cloud environments, security teams can perform threat intelligence sweeps, run signature and behavioral analytics, and run queries and hunts across hybrid and cloud environments all the way down to raw packet captures (PCAP).
This puts enterprise processes for monitoring cloud environments on par with those for on-premises networks. All of the policies, procedures, and security controls that have been put in place in the cloud can now be audited and verified.
Your internal monitoring team and/or security operations center team can dig into the raw network traffic just the way they would for physical networks. They can even create custom hunts and queries that filter out expected domain name system (DNS) queries and transport layer security (TLS) server name indications (SNIs), leaving the unexpected traffic that may be suspicious or even malicious for analysis.
It’s even possible to access your local enterprise network traffic alongside your AWS Cloud network traffic using IronDefense.
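As an added illustration of the hunt described above (example code, not IronNet’s or AWS’s own), the following filters expected DNS-query and TLS-SNI names out of constructed sensor-style metadata records and ranks what remains for analyst review. The record fields and the allowlist are assumptions; a real sensor would supply the metadata, and the allowlist would come from the environment’s known-good destinations.

```python
from collections import Counter

# Constructed sample of DNS-query and TLS-SNI names seen in mirrored traffic
# (not real data); the record fields are an assumption about sensor metadata.
SAMPLE_RECORDS = [
    {"src": "10.0.1.15", "kind": "dns", "name": "s3.us-east-1.amazonaws.com"},
    {"src": "10.0.1.15", "kind": "tls", "name": "s3.us-east-1.amazonaws.com"},
    {"src": "10.0.1.22", "kind": "dns", "name": "api.github.com"},
    {"src": "10.0.1.22", "kind": "tls", "name": "api.github.com"},
    {"src": "10.0.1.22", "kind": "dns", "name": "updates.build-host.example"},
    {"src": "10.0.1.22", "kind": "tls", "name": "updates.build-host.example"},
    {"src": "10.0.1.40", "kind": "dns", "name": "amazonaws.com.evil.test"},
    {"src": "10.0.1.40", "kind": "tls", "name": "amazonaws.com.evil.test"},
    {"src": "10.0.1.40", "kind": "dns", "name": "GitHub.com."},
]

# Expected destinations for this build environment (an assumption). A leading
# dot means the domain itself and any subdomain; otherwise an exact match.
EXPECTED = {".amazonaws.com", ".github.com"}


def normalize(name):
    """Lower-case and drop the trailing dot of an absolute DNS name."""
    return name.strip().lower().rstrip(".")


def is_expected(name, expected=EXPECTED):
    """Match only at a label boundary, so a name that merely contains an
    expected domain (amazonaws.com.evil.test) is not filtered out."""
    name = normalize(name)
    for entry in expected:
        if entry.startswith(".") and (name == entry[1:] or name.endswith(entry)):
            return True
        if name == entry:
            return True
    return False


def hunt_unexpected(records, expected=EXPECTED):
    """Return (name, hit_count, sorted source hosts) for every name that is
    not expected, most frequent first, as the analyst's review queue."""
    hits, sources = Counter(), {}
    for rec in records:
        name = normalize(rec["name"])
        if is_expected(name, expected):
            continue
        hits[name] += 1
        sources.setdefault(name, set()).add(rec["src"])
    return [(n, c, sorted(sources[n])) for n, c in hits.most_common()]
```

Running `hunt_unexpected(SAMPLE_RECORDS)` leaves only the two names the allowlist does not cover, each with the internal hosts that contacted them.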
Visualize IOCs with IronNet
Around the world, DevOps build environments are compromised and used to deliver supply chain attacks. It’s time to seriously monitor these environments.
For many software organizations, these environments are their entire business and cyberattacks can have a devastating impact.
Figure 2 – “Hunt” query in IronVue.
Take the example of a “Hunt” query in IronVue, IronNet’s dashboard, which shows how analysts can view cloud-related “network tap” traffic alongside an organization’s AWS CloudTrail logs and Amazon VPC Flow Logs.
For analysts, this information can be helpful to begin diving into the expected vs. unexpected in hybrid and fully cloud environments.
Figure 3 below visualizes how IronNet takes anonymized IOCs, identifies malicious or suspicious behaviors coming from cloud and hybrid environments, and correlates them at machine speed across members of an IronDome.
As IronNet’s threat-sharing solution, IronDome analyzes threat detections across the community to identify broad attack patterns and provide real-time anonymized threat intelligence, giving members early insight into potential attacks to protect the collective.
Figure 3 – IronVue of IOCs across different IronDomes.
Working with AWS, IronNet has been able to build a robust, scalable solution for greater visibility and insight into the cloud environments businesses trust and rely upon daily.
Together, IronNet and AWS create a cyber radar view of the threat landscape, allowing organizations across a sector, supply chain, state, or nation to share actionable attack intelligence in real time.
As we covered in this post, traffic mirroring, the virtualization of sensors, and cloud-based behavioral analytics enable IronNet and AWS to deliver a collective defense strategy for hybrid and cloud environments.
Learn more about how IronNet transforms cybersecurity through collective defense, how behavioral analytics enhance visibility and detection of unknown threats within AWS environments, and how cloud-based collective defense enables enterprises to scale cyber defense.