Cisco Joins the Launch of Amazon Security Lake



Cisco supports the Open Cybersecurity Schema Framework and is a launch partner of AWS Security Lake

The Cisco Secure Technical Alliance supports the open ecosystem, and AWS is a valued technology alliance partner with integrations across the Cisco Secure portfolio, including SecureX, Secure Firewall, Secure Cloud Analytics, Duo, Umbrella, Web Security Appliance, Secure Workload, Secure Endpoint, Identity Services Engine, and more.

Cisco Secure and AWS Security Lake

We are proud to be a launch partner of AWS Security Lake, which lets customers build a security data lake from integrated cloud and on-premises data sources as well as from their own applications. With support for the Open Cybersecurity Schema Framework (OCSF) standard, Security Lake reduces the complexity and cost of making security solution data accessible for a variety of security use cases such as threat detection, investigation, and incident response. Security Lake helps organizations aggregate, manage, and derive value from log and event data in the cloud and on-premises, giving security teams greater visibility across their organizations.

With Security Lake, customers can use the security and analytics solutions of their choice to query that data in place, or ingest the OCSF-compliant data to address further use cases. Security Lake helps customers optimize security log retention by partitioning the data to improve query performance and reduce cost. Analysts and engineers can now easily build and use a centralized security data lake to improve the security of workloads, applications, and data.

Cisco Secure Firewall serves as an organization's centralized source of security information. It uses advanced threat detection to flag and act on malicious ingress, egress, and east-west traffic, while its logging capabilities store information on events, threats, and anomalies. By integrating Secure Firewall with AWS Security Lake through Secure Firewall Management Center, organizations will be able to store firewall logs in a structured and scalable way.

eNcore Client OCSF Implementation

The eNcore client provides a way to tap into the eStreamer message-oriented protocol to stream event and host profile data from the Cisco Secure Firewall Management Center. The eNcore client can request event and host profile data from a Management Center, and intrusion event data only from a managed device. The eNcore application initiates the data stream by submitting request messages that specify the data to be sent, and then controls the message flow from the Management Center or managed device once streaming begins.

These messages are mapped to OCSF Network Activity events using a series of transformations embedded in the eNcore code base, which acts as both the author and the mapper persona in the OCSF schema workflow. Once validated against an internal OCSF schema, the messages are written to two destinations: first, a local JSON-formatted file in a configurable directory path, and second, compressed Parquet files partitioned by event hour in the Amazon Security Lake S3 source bucket. The S3 directories containing the formatted logs are crawled hourly and the results are stored in an AWS Security Lake database. From there you can view the schema definitions extracted by the AWS Glue crawler and identify field names, data types, and other metadata associated with your network activity events. Event logs can also be queried with Amazon Athena to visualize the log data.
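The following Python is an added illustration of the mapping, validation and partitioning steps described above; it is not eNcore's own code. The input records are a constructed stand-in for an eStreamer connection event (the field names initiator_ip, responder_ip, action and so on are this example's, not the protocol's), the OCSF version string and the action-to-activity mapping are assumptions, and the S3 prefix layout (region, accountId, eventHour) is an assumed custom-source layout rather than one taken from the page. What the example shows that the text does not is the structural check that makes an event OCSF-compliant (class_uid 4001, category_uid 4, type_uid = class_uid * 100 + activity_id, endpoints with an ip), and why an event missing a responder address must be rejected rather than written to the lake.

```python
"""Map firewall connection records to OCSF Network Activity events,
validate them, and bucket them by hourly S3 partition.

Added example, not eNcore's code. Input field names, the OCSF version
string, the action mapping and the partition layout are assumptions.
"""
import json
from datetime import datetime, timezone

# OCSF Network Activity: class_uid 4001 in category 4 (Network Activity).
OCSF_VERSION = "1.0.0-rc.2"          # assumption: schema version in use
CLASS_UID_NETWORK_ACTIVITY = 4001
CATEGORY_UID_NETWORK = 4
ACTIVITY_OPEN, ACTIVITY_CLOSE, ACTIVITY_REFUSE = 1, 2, 5
SEVERITY_INFORMATIONAL = 1

# Attributes an event must carry before it is written anywhere.
REQUIRED = ("category_uid", "class_uid", "activity_id", "type_uid",
            "severity_id", "time", "metadata", "src_endpoint", "dst_endpoint")

# Example's own mapping from a firewall action to an OCSF activity_id.
ACTION_TO_ACTIVITY = {"allow": ACTIVITY_OPEN, "end": ACTIVITY_CLOSE,
                      "block": ACTIVITY_REFUSE}

# Constructed sample records (not real eStreamer output). The third one
# lacks a responder address and must be rejected by validate().
SAMPLE_RECORDS = [
    {"event_sec": 1669680000, "action": "allow", "initiator_ip": "10.1.1.5",
     "initiator_port": 51234, "responder_ip": "93.184.216.34",
     "responder_port": 443, "protocol": 6, "rule": "Allow-HTTPS"},
    {"event_sec": 1669683605, "action": "block", "initiator_ip": "10.1.1.9",
     "initiator_port": 40000, "responder_ip": "198.51.100.7",
     "responder_port": 23, "protocol": 6, "rule": "Deny-Telnet"},
    {"event_sec": 1669683700, "action": "end", "initiator_ip": "10.1.1.5",
     "initiator_port": 51234, "responder_port": 443, "protocol": 6},
]


def _endpoint(ip, port):
    """Build an OCSF endpoint object, omitting attributes we do not have."""
    return {k: v for k, v in (("ip", ip), ("port", port)) if v is not None}


def to_ocsf(rec: dict) -> dict:
    """Map one connection record to an OCSF Network Activity event."""
    activity_id = ACTION_TO_ACTIVITY.get(rec.get("action"), 0)  # 0 = Unknown
    return {
        "category_uid": CATEGORY_UID_NETWORK,
        "class_uid": CLASS_UID_NETWORK_ACTIVITY,
        "activity_id": activity_id,
        # OCSF derives type_uid from the class and the activity.
        "type_uid": CLASS_UID_NETWORK_ACTIVITY * 100 + activity_id,
        "severity_id": SEVERITY_INFORMATIONAL,
        "time": rec["event_sec"] * 1000,  # OCSF time is epoch milliseconds
        "metadata": {"version": OCSF_VERSION,
                     "product": {"name": "Secure Firewall",
                                 "vendor_name": "Cisco"}},
        "src_endpoint": _endpoint(rec.get("initiator_ip"), rec.get("initiator_port")),
        "dst_endpoint": _endpoint(rec.get("responder_ip"), rec.get("responder_port")),
        "connection_info": {"protocol_num": rec.get("protocol")},
        # Attributes with no schema home travel in the unmapped object.
        "unmapped": {k: rec[k] for k in ("rule",) if k in rec},
    }


def validate(event: dict) -> list:
    """Minimal structural check; returns a list of problems (empty = pass)."""
    problems = [f"missing {f}" for f in REQUIRED if f not in event]
    expected = event.get("class_uid", 0) * 100 + event.get("activity_id", -1)
    if event.get("type_uid") != expected:
        problems.append("type_uid must equal class_uid * 100 + activity_id")
    for side in ("src_endpoint", "dst_endpoint"):
        if "ip" not in event.get(side, {}):
            problems.append(f"{side} lacks ip")
    return problems


def partition_prefix(event: dict, region: str, account_id: str,
                     source: str = "cisco_secure_firewall") -> str:
    """Assumed hourly partition prefix for the lake's S3 source bucket."""
    hour = datetime.fromtimestamp(event["time"] / 1000, tz=timezone.utc)
    return (f"ext/{source}/region={region}/accountId={account_id}/"
            f"eventHour={hour.strftime('%Y%m%d%H')}/")


def process(records, region="us-east-1", account_id="123456789012"):
    """Map and validate records; returns ({prefix: [json lines]}, rejected)."""
    kept, rejected = {}, []
    for rec in records:
        event = to_ocsf(rec)
        problems = validate(event)
        if problems:
            rejected.append((rec, problems))
            continue
        line = json.dumps(event, separators=(",", ":"))
        kept.setdefault(partition_prefix(event, region, account_id), []).append(line)
    return kept, rejected


if __name__ == "__main__":
    kept, rejected = process(SAMPLE_RECORDS)
    for prefix, lines in kept.items():
        print(f"{prefix}: {len(lines)} event(s)")
    for rec, problems in rejected:
        print(f"rejected {rec.get('event_sec')}: {problems}")
```

The JSON lines stand in for the local file eNcore writes; the Parquet side is left out because it needs a library outside the standard library, but the partition prefix is the piece worth getting right, since the crawler and Athena rely on it to prune by hour. Note that the rejected record is dropped rather than written with an empty dst_endpoint: a malformed event in the lake is harder to find and remove later than a rejection logged at ingestion time.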

Get Started

To use the eNcore client with AWS Security Lake, first go to the Cisco public GitHub repository for Firepower eNcore, OCSF branch.

Download and run the CloudFormation template eNcoreCloudFormation.yaml.

The CloudFormation template will prompt for additional fields needed during stack creation, as follows:

Cidr Block: IP address range for the provisioned client; defaults to the range shown in the prompt

Instance Type: the EC2 instance size; defaults to t2.medium

KeyName: the key pair (PEM file) that will allow SSH access to the instance

AmazonSecurityLakeBucketForCiscoURI: the S3 location of your Security Lake bucket

FMC IP: IP address or domain name of the Cisco Secure Firewall Management Center

After the CloudFormation setup completes, it can take anywhere from 3-5 minutes to provision the resources in your environment; the CloudFormation console provides a detailed view of all the resources generated from the template.

Once the EC2 instance for the eNcore client is ready, we need to allow-list the client IP address on the Secure Firewall Management Center and generate a certificate file for secure communication between the two.

In the Secure Firewall Dashboard, navigate to Search->eStreamer to find the allow list of client IP addresses permitted to receive data; click Add and supply the client IP address that was provisioned for the EC2 instance (allow only that address, not a wider range). You will also be asked to supply a password; click Save to create a secure certificate file for your new EC2 instance.

Download the certificate you just created and copy it to the /encore directory on your EC2 instance. The file bundles the client certificate and its private key, so treat it as a secret and restrict its file permissions.

Connect to your EC2 instance using CloudShell or SSH, change to the /encore directory, and run the command bash encore.sh test

You will be prompted for the certificate password; once it is entered you should see a Successful Communication message.

Run the command bash encore.sh foreground

This starts the data relay and ingestion process. We can then navigate to the Amazon Security Lake S3 bucket configured earlier and see OCSF-compliant logs written as gzip-compressed Parquet files in a time-based directory structure. A local representation of the logs is also available under /encore/data/* and can be used to confirm that log files are being created.

Amazon Security Lake then runs a crawler job every hour to parse and consume the log files in the target S3 directory, after which the results can be queried in Athena.

More information on how to configure and tune the eNcore eStreamer client can be found on our official website, including details on how to filter certain event types to focus your data retention policy, and guidelines for performance and other detailed configuration settings.

Participate in the public preview

You can participate in the AWS Security Lake public preview. For more information, please visit the Product Page and review the User Guide.

re:Invent 

While you're at AWS re:Invent, come see a demo video of the Security Lake integrations in the Cisco Booth #2411, from November 29 to December 2, 2022, at the Cloud, Network and User Security with Duo demo station.

Learn more about Cisco and AWS on the Cisco Secure Technical Alliance website for AWS.

Acknowledgement

Thank you to Seyed Khadem-Djahaghi, who spent long hours working with the beta to develop this integration and is the primary developer of eNcore.

