Blog
Seamlessly Integrate VPC Flow Logs for AWS Security
Reveal(x) 360 + Amazon Kinesis Data Firehose
Dale Norris
September 8, 2022
Following up on our frictionless threat visibility for AWS announcement, we're excited to announce support for VPC Flow Logs to Amazon Kinesis Data Firehose. This means that ExtraHop customers can now seamlessly integrate VPC Flow Logs with ExtraHop Reveal(x) 360 for advanced threat detection in AWS.
Kinesis Data Firehose is a fully managed service that makes it easier to capture, transform, and load massive volumes of streaming data into numerous data sources. With the new Kinesis Data Firehose capability, AWS customers using partner solutions such as Reveal(x) 360 can go beyond CloudWatch Logs and S3 to easily and reliably stream their VPC Flow Logs data with minimal infrastructure setup and management.
What the Integration Means for ExtraHop Customers
ExtraHop customers can now stream gigabytes per second of VPC Flow Log data into Reveal(x) 360 monitoring and analysis without the need to leverage CloudWatch as a go-between. This new method of ingesting flow logs removes a layer of friction and lowers total cost of ownership (TCO). Users can also take a multi-layered approach to AWS security by using both flow log and packet data sources to defend against advanced threats. Flexible deployment options make it simpler for security teams to use flow logs for broad cloud network coverage and packets for deep forensic investigation. This added depth and breadth of network telemetry enables the Security Operations Center (SOC) to visualize, investigate, and respond to hotspots of malicious activity in a single management pane.
VPC Flow Logs are an important telemetry source because they enable the SOC to have greater visibility into traffic flowing across a virtual private cloud (VPC). They're also an excellent data source for monitoring and analyzing network traffic; however, most security organizations don't leverage VPC Flow Logs for real-time analysis, which can limit their efficacy. ExtraHop eliminates these challenges by combining real-time analysis of flow logs, packets, and protocols in a unified interface to provide the most accurate, real-time threat defense for cloud environments while eliminating friction for security teams.
How the Integration Works
AWS customers can now publish VPC Flow Logs directly to Kinesis Firehose and use an AWS Lambda function to send real-time streaming data to the Reveal(x) 360 sensor for advanced attack detection in the cloud.Reveal(x) 360 gathers log data via a virtual flow sensor. To do this, VPC Flow Logs are published directly to Kinesis Data Firehose, sent to an AWS Lambda function, and then forwarded to the sensor. In addition to Kinesis Data Firehouse, the ExtraHop sensor also supports direct Route 53 DNS logs.
How Reveal(x) 360 Uses Flow Logs in AWS
With real-time analysis of flow logs, Reveal(x) 360 detects malicious activity across workloads with built-in high value detections. Behavior-based detections powered by cloud-scale machine learning and VPC Flow Logs can identify several indicators of attack, including:
Data Exfiltration: Attackers compromise an EC2 instance and then compromise an RDS database, download the data, and then attempt to exfiltrate the data from EC2.
Command & Control Beaconing: An EC2 instance that's compromised and consistently reaching out to an external attack server to determine what commands to run next.
Unconventional External & Internal Connections: Reveal(x) 360 analyzes AWS workloads to establish a baseline of behavior and flag amamlous EC2 instance activity
With these detections, VPC Flow logs can be used to create a full picture of cloud network activity in order to identify and isolate advanced attacks.
Reveal(x) 360 analyzes packet data and VPC Flow Log telemetry in a single pane of glass user interface.
Discover more