
Automated Risk Remediation in AWS along with Stealthwatch Cloud

Stealthwatch Cloud is best known for its broad visibility and high-fidelity threat detection.  Those detections span a spectrum from on-premises endpoints to public cloud workloads and everything in between.

When it comes to public cloud workload security in AWS, many customers feel there should be a way to act on a threat automatically if it is deemed critical enough.  Some customers may prioritize activity such as an AWS workload suddenly acting as a server on the internet for the first time ever, while others may be more concerned about an overly permissive configuration allowing an AWS workload to be brute-forced.

Whatever the scenario, the ability to take action is extremely valuable to a Security Operations team or Incident Responder.  Stealthwatch Cloud customers have a great deal of flexibility in the responses and actions the system can take once an Alert of interest triggers.  There are built-in options for everything from email to syslog, chat application notifications to vendor-agnostic webhook support.  There are also cloud-native service features such as public cloud provider storage bucket support and, for AWS, the ability to integrate directly with the AWS Simple Notification Service, or SNS as it is commonly referred to.

With built-in SNS support in Stealthwatch Cloud, users can hook directly into the AWS infrastructure and take automated operational actions on workloads, services and configurations to mitigate both risk and threats in real time.  This allows a Security Administrator to implement a proactive "set it and forget it" approach to applying appropriate remediation actions for security Alerts that are of urgent criticality to them.  Actions can take the form of inserting Access Control List (ACL) rules, manipulating workload instance state, or changing other infrastructure service configurations.  Programmatically speaking, the sky is the limit for how Stealthwatch Cloud can perform a mitigation task within the AWS public cloud environment.

To demonstrate this incredibly useful feature and workflow within Stealthwatch Cloud, I've created a tutorial on how to perform automated remediation in AWS on a breached workload by programmatically inserting VPC Network ACLs (NACLs) to block offenders in real time as they attempt to exploit an overly exposed EC2 instance.

Here is a diagram of the Proof of Concept workflow:

The intent of the tutorial is mainly to serve as a Proof of Concept that shows Stealthwatch Cloud customers how quickly they can implement an automated remediation workflow into their daily operations of the solution.  The idea is that an Administrator can select one or more alerts of higher criticality to them that they would like to have remediated automatically should Stealthwatch Cloud detect the relevant threat activity.  Stealthwatch Cloud will send a message to an AWS Simple Notification Service (SNS) topic, which will trigger a Lambda.  The Lambda will parse the Stealthwatch Cloud Alert telemetry and take action on whatever workload is necessary to effectively stop threats in real time.  This is achieved through the insertion of VPC Network ACLs to block attackers as they attempt to exploit an overly exposed workload, in this case an AWS EC2 instance.

As Network ACLs in AWS do not scale past 200 ACLs, each with 20 rules, this is again primarily meant as a Proof of Concept to show the immense programmatic potential of using this workflow and integration to take action on any AWS service, configuration or workload to remediate exposure and risk without manual intervention.
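To make the SNS-to-Lambda-to-NACL step concrete, here is an added example of the kind of handler the workflow above calls for. It is not the tutorial's code and not Cisco's: the shape of the alert JSON (an `instance_id` field and a `sources` list of offending IPs) is an assumption, since the Stealthwatch Cloud payload is not shown on this page, and the `FakeEc2Client` is a constructed offline stand-in for the `boto3` EC2 client. The handler resolves the instance's subnet to its Network ACL, inserts one ingress `deny` rule per offender below the allow rule, skips addresses already blocked, and stops at the 20-rule quota the post mentions rather than failing mid-way.

```python
import ipaddress
import json

MAX_INGRESS_RULES = 20      # per-direction NACL rule quota cited in the post
CATCH_ALL_RULE = 32767      # AWS's default '*' deny rule; not counted toward the quota
DENY_RULE_RANGE = range(1, 100)  # deny rules must sit below the (typically 100) allow rule


def extract_offenders(alert):
    """Return de-duplicated valid IPv4 sources from the alert.
    'sources' is an ASSUMED field name, not the documented Stealthwatch Cloud schema."""
    seen = []
    for raw in alert.get("sources", []):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:          # ignore anything that is not an IP literal
            continue
        if ip.version == 4 and str(ip) not in seen:
            seen.append(str(ip))
    return seen


def plan_deny_entries(nacl_id, offenders, existing_entries):
    """Build create_network_acl_entry kwargs for each offender not already blocked,
    stopping before the ingress rule quota would be exceeded."""
    ingress = [e for e in existing_entries
               if not e["Egress"] and e["RuleNumber"] != CATCH_ALL_RULE]
    used_numbers = {e["RuleNumber"] for e in ingress}
    blocked = {e["CidrBlock"] for e in ingress if e["RuleAction"] == "deny"}
    free_numbers = iter(n for n in DENY_RULE_RANGE if n not in used_numbers)
    budget = MAX_INGRESS_RULES - len(ingress)
    plan = []
    for ip in offenders:
        cidr = f"{ip}/32"
        if cidr in blocked:
            continue                # already remediated on an earlier alert
        if budget <= 0:
            break                   # quota reached; a real handler would alert on this
        rule_number = next(free_numbers, None)
        if rule_number is None:
            break
        plan.append({"NetworkAclId": nacl_id, "RuleNumber": rule_number,
                     "Protocol": "-1", "RuleAction": "deny", "Egress": False,
                     "CidrBlock": cidr})
        budget -= 1
    return plan


def nacl_for_instance(ec2, instance_id):
    """Resolve the NACL attached to the instance's subnet (real boto3 calls and filter)."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    acl = ec2.describe_network_acls(
        Filters=[{"Name": "association.subnet-id", "Values": [inst["SubnetId"]]}]
    )["NetworkAcls"][0]
    return acl["NetworkAclId"], acl["Entries"]


def lambda_handler(event, context=None, ec2=None):
    """SNS-triggered entry point; `ec2` is injectable so the logic can run offline."""
    if ec2 is None:
        import boto3                # only needed inside the real Lambda
        ec2 = boto3.client("ec2")
    applied = []
    for record in event.get("Records", []):
        alert = json.loads(record["Sns"]["Message"])
        nacl_id, entries = nacl_for_instance(ec2, alert["instance_id"])  # assumed field
        for entry in plan_deny_entries(nacl_id, extract_offenders(alert), entries):
            ec2.create_network_acl_entry(**entry)
            applied.append(entry)
    return applied


class FakeEc2Client:
    """Constructed offline stand-in for boto3's EC2 client: one instance, one NACL."""
    def __init__(self, instance_id, subnet_id, nacl_id, entries):
        self.instance_id, self.subnet_id, self.nacl_id = instance_id, subnet_id, nacl_id
        self.entries = list(entries)

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [
            {"InstanceId": self.instance_id, "SubnetId": self.subnet_id}]}]}

    def describe_network_acls(self, Filters):
        return {"NetworkAcls": [{"NetworkAclId": self.nacl_id, "Entries": self.entries}]}

    def create_network_acl_entry(self, **kwargs):
        self.entries.append({k: kwargs[k] for k in
                             ("RuleNumber", "Egress", "RuleAction", "CidrBlock")})
        return {}


# Constructed sample data: a default-style NACL and an SNS event wrapping an alert.
DEFAULT_ENTRIES = [
    {"RuleNumber": 100, "Egress": False, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": CATCH_ALL_RULE, "Egress": False, "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": True, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": CATCH_ALL_RULE, "Egress": True, "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
]
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps({
    "instance_id": "i-0123456789abcdef0",
    "sources": ["203.0.113.7", "203.0.113.7", "198.51.100.9", "not-an-ip"],
})}}]}


def demo():
    ec2 = FakeEc2Client("i-0123456789abcdef0", "subnet-0abc", "acl-0def", DEFAULT_ENTRIES)
    return lambda_handler(SAMPLE_EVENT, ec2=ec2)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Running it offline prints two deny rules (rule numbers 1 and 2) for the two distinct offenders; a second invocation against the same NACL adds nothing, and once the ingress rules reach 20 the planner stops instead of calling the API, which is the quota ceiling the post warns about.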

Example of the end result of Network ACLs being created automatically to block offenders attempting to exploit an exposed workload:

Click here to see the tutorial.