Cisco Secure Firewall Integration with Amazon Security Lake

Cisco is a partner of Amazon Security Lake, supporting the Open Cybersecurity Schema Framework

At AWS re:Invent 2022, Cisco was proud to be a launch partner for Amazon Security Lake, a new AWS service that automatically centralizes an organization's security data from cloud, on-premises, and custom sources into a purpose-built data lake stored in the customer's account. With support for the Open Cybersecurity Schema Framework (OCSF) standard, the service can normalize and combine security data from AWS and a broad range of enterprise security data sources. Amazon Security Lake helps you analyze security data, so you can get a more complete understanding of your security posture across the entire organization.

As part of the Cisco Secure Technical Alliance, I had the opportunity to build the Cisco Secure Firewall integration into Amazon Security Lake for the public preview. With the general availability of Amazon Security Lake, I updated the OCSF support and validated the integration.

If you have never worked with Secure Firewall or eNcore, here is a summary:

Secure Firewall serves as an organization's centralized source of security information. It uses advanced threat detection to flag and act on malicious ingress, egress, and east-west traffic, while its logging capabilities store information on events, threats, and anomalies. By integrating Secure Firewall with Amazon Security Lake through Secure Firewall Management Center, organizations can store firewall logs in a structured and scalable way.

What is the eNcore Client

The eNcore client provides a way to tap into the eStreamer message-oriented protocol to stream events and host profile information from the Cisco Secure Firewall Management Center. The eNcore client can request event and host profile data from a Management Center, and intrusion event data only from a managed device. The eNcore application initiates the data stream by submitting request messages, which specify the data to be sent, and then controls the message flow from the Management Center or managed device after streaming begins.

With eNcore you can access the full list of firewall event types and metadata records, including packet data, security intelligence events, enhanced intrusion data, legacy events and more. In total, over 1000 record types are supported by eStreamer, going back to the inception of the Secure Firewall. More details can be found in the full eStreamer specification.

eNcore runs on Python 3.6+ and supports Firepower Management Center version 6.0 and above; for more details on the eNcore client please see our operations guide.

What’s New with the General Availability?

With the Amazon Security Lake launch, I enhanced the CloudFormation deployment script for the eNcore client to automate more features and make the installation process easier. Additionally, a user interface has been added to the eNcore client to manage and monitor firewall logs flowing in and out of Amazon Security Lake. The Network Activity OCSF schema mappings have been fine-tuned to match fields to the correct class structure definition, and support has been added for more firewall event types, including malware and intrusion events.

The Goal: Provide an Adaptable Framework to Evolve with OCSF

Normalization:

The OCSF standard aims to provide a common representation of nested data structures of security data across all sources, vendors and applications. You can explore an interactive schema that lets you drill down into the OCSF class structures and data definitions.

Cisco released an updated version of the eNcore client that can stream firewall logs to multiple destinations. The update provides support for converting the logs into OCSF format. The firewall data is represented in the Network Activity event class, and the logs are mapped to the various attributes and data types under that class.

This integration builds a portable framework in the eNcore client that decodes Secure Firewall data and translates it into key-value data sets based on Python classes that mirror the OCSF framework, providing transformations that adapt Secure Firewall logs to Network Activity events. In short, eNcore is the glue that maps raw Cisco Secure Firewall events into a concise, consumable format for Amazon Security Lake.

Validating OCSF Compliance

OCSF compliance was validated using tools provided by the OCSF project, such as the OCSF swagger API.

This API helps determine whether data matches the OCSF schema and its object hierarchy. It is available under the OCSF server project and is continually updated to support new data types and constructs; as of this writing the eNcore client supports the development version (v0.0.0) of the OCSF schema. Events from Secure Firewall are modeled against the Network Activity class structure, and by executing the /api/classes/NETWORK_ACTIVITY URI we can validate output in real time to determine whether the output structure matches the latest OCSF standard.
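To make the mapping described under Normalization and the validation step above concrete, here is an added example written for this page (it is not eNcore's own code). A constructed, simplified connection record stands in for a decoded eStreamer record and is translated into an OCSF Network Activity event (category 4, class 4001). The verdict-to-activity/severity table, the `unmapped` field carrying the raw firewall action, the sample record itself, and the offline `validate()` check standing in for the OCSF server's API are all assumptions made for the illustration.

```python
"""Map a constructed Secure Firewall connection record to an OCSF
Network Activity event and run a local structural check.

Added example for this page, not eNcore's code. The input record is a
simplified dict standing in for a decoded eStreamer connection record.
"""
import json
from typing import Any, Dict, List

# OCSF Network Activity: category 4, class 4001; type_uid = class_uid*100 + activity_id.
CATEGORY_UID = 4
CLASS_UID = 4001
ACTIVITY = {"open": 1, "close": 2, "reset": 3, "fail": 4, "refuse": 5, "traffic": 6, "other": 99}
# Assumed mapping of firewall verdicts to OCSF activity and severity_id
# (1 = Informational, 3 = Medium); this is not eNcore's mapping table.
ACTION_MAP = {"Allow": ("traffic", 1), "Trust": ("traffic", 1), "Block": ("refuse", 3)}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
REQUIRED = ("category_uid", "class_uid", "type_uid", "activity_id", "severity_id",
            "time", "metadata", "src_endpoint", "dst_endpoint")


def to_network_activity(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Translate one connection record into an OCSF Network Activity event."""
    activity, severity = ACTION_MAP.get(rec["action"], ("other", 0))
    activity_id = ACTIVITY[activity]
    return {
        "category_uid": CATEGORY_UID,
        "class_uid": CLASS_UID,
        "activity_id": activity_id,
        "type_uid": CLASS_UID * 100 + activity_id,
        "severity_id": severity,
        "time": rec["event_sec"] * 1000,  # OCSF timestamps are epoch milliseconds
        "metadata": {
            "version": "1.0.0",
            "product": {"vendor_name": "Cisco", "name": "Secure Firewall"},
            "uid": str(rec["event_id"]),
        },
        "src_endpoint": {"ip": rec["src_ip"], "port": rec["src_port"]},
        "dst_endpoint": {"ip": rec["dst_ip"], "port": rec["dst_port"]},
        "connection_info": {
            "protocol_num": rec["protocol"],
            "protocol_name": PROTO_NAMES.get(rec["protocol"], "unknown"),
            # direction_id: 1 = Inbound, 2 = Outbound (initiator on the inside)
            "direction_id": 2 if rec["initiator_is_inside"] else 1,
        },
        # Source fields with no OCSF attribute are kept rather than dropped.
        "unmapped": {"firewall_action": rec["action"]},
    }


def validate(event: Dict[str, Any]) -> List[str]:
    """Offline structural check, a stand-in for the OCSF server's validation API:
    required attributes present, enum values known, type_uid consistent."""
    problems = ["missing {}".format(k) for k in REQUIRED if k not in event]
    if problems:
        return problems
    if event["class_uid"] != CLASS_UID:
        problems.append("class_uid is not Network Activity")
    if event["activity_id"] not in ACTIVITY.values():
        problems.append("unknown activity_id {}".format(event["activity_id"]))
    if event["type_uid"] != event["class_uid"] * 100 + event["activity_id"]:
        problems.append("type_uid does not match class_uid/activity_id")
    for ep in ("src_endpoint", "dst_endpoint"):
        if "ip" not in event[ep]:
            problems.append("{} missing ip".format(ep))
    for k in ("version", "product"):
        if k not in event["metadata"]:
            problems.append("metadata missing {}".format(k))
    return problems


# Constructed sample record (not real eStreamer output).
SAMPLE = {
    "event_id": 1001, "event_sec": 1690000000,
    "src_ip": "10.1.2.3", "src_port": 51234,
    "dst_ip": "203.0.113.10", "dst_port": 443,
    "protocol": 6, "action": "Block", "initiator_is_inside": True,
}

if __name__ == "__main__":
    ev = to_network_activity(SAMPLE)
    print(json.dumps(ev, indent=2))
    print("problems:", validate(ev) or "none")
```

A blocked outbound TCP connection comes out as activity_id 5 (Refuse) with type_uid 400105; corrupting type_uid or dropping a required attribute makes `validate()` report it, which is the same kind of structural mismatch the OCSF server API would flag, without needing a running server.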

The Design


The eStreamer messages received from the Management Center are mapped to OCSF Network Activity events using a series of transformations embedded in the eNcore code base, which acts as both the author and mapper personas in the OCSF schema workflow. Once validated against an internal OCSF schema, the events are written to two destinations: first, a local JSON-formatted file in a configurable directory path, and second, compressed Parquet files partitioned by event hour in the S3 Amazon Security Lake source bucket. The S3 directories containing the formatted logs are crawled hourly, and the results are stored in an Amazon Security Lake database. From there we can see the schema definitions extracted by the AWS Glue crawler and identify field names, data types, and other metadata associated with your Network Activity events. Event logs can also be queried using Amazon Athena to visualize log data.

Get Started

To use the eNcore client with Amazon Security Lake, first go to the Cisco public GitHub repository for Firepower eNcore, OCSF branch.

Download and run the CloudFormation script eNcoreCloudFormation.yaml.

The CloudFormation script will prompt for additional parameters needed during stack creation; they are as follows:

Cidr Block: IP address range for the provisioned client; defaults to the range shown below

Instance Type: The EC2 instance size; defaults to t4.large

KeyName: A .pem key file that will enable SSH access to the instance

AmazonSecurityLakeBucketForCiscoURI: The S3 location of your Security Lake bucket

FMC IP: IP address or domain name of the Cisco Secure Firewall Management Center

After the CloudFormation setup is complete, it may take anywhere from 3-5 minutes to provision resources in your environment. The CloudFormation console provides a detailed view of all the resources generated from the script, as shown below.

Once the EC2 instance for the eNcore client is ready, we need to allow-list the client IP address in our Secure Firewall Management Center and generate a certificate file for secure endpoint communication.

Steps:

  1. In the Secure Firewall Management Center dashboard, navigate to Search->eStreamer to find the allow list of client IP addresses that are permitted to receive data.
  2. Click Add and supply the client IP address that was provisioned for our EC2 instance.
  3. You will also be asked to supply a password; click Save to create a secure certificate file for your new EC2 instance.
  4. Download the certificate you just created and copy it to the /eNcore directory on your EC2 instance, or upload it using the eNcore GUI, which is detailed in the next section.

eNcore GUI

Now that we have the certificate, we can use the eNcore GUI to upload it; this is the new piece that we have added since the public preview back in December 2022. Users can now control and configure connectivity to the Firepower Management Center (FMC) in a central location, instead of installing and running complex command line scripts, although system administrators and power users are still welcome to use that method.

To access the eNcore GUI, navigate to http://<Your EC2 Instance IP Address>:<port>, in this case http://52[.]207.21.3:8184. In this example we run an SSH tunnel with local port forwarding, authenticating with the AWS .pem key, so that a port on our local host is forwarded to the GUI port on the EC2 instance; depending on your organization's network security posture you may be able to access the eNcore GUI directly without a tunnel. The local port can be substituted with any free port on the local system; for more details on how to forward EC2 instance ports to your localhost, please see the AWS documentation.

ssh -i eNcore-ubuntu.pem -N -L 8141:ec2-52-207-21-3.compute-1.amazonaws.com:3000 ubuntu@ec2-52-207-21-3.compute-1.amazonaws.com

Click on the Configuration section to see an outline of the steps needed to run the eNcore streaming process. Since we used the AWS CloudFormation script, the first two steps have already been completed, as shown in the picture above. Next, we can upload the certificate file and supply the password in the field. This will create a key and cert file that will be used to secure communication between the FMC and the EC2 instance running the eNcore client.

Now that we have our communication established, we can send data to Amazon Security Lake. Click on the SIEM Integrations > AWS Data Lake link to see the active connections. You will see a list populated with the FMC we specified in our CloudFormation script. Click the Start button to initiate data streaming.

This will begin the data relay and ingestion process. We can then navigate to the S3 Amazon Security Lake bucket we configured earlier to see OCSF-compliant logs formatted as gzip Parquet files in a time-based directory structure.

We can verify this by heading back to our Security Lake bucket to view the results. As we can see in the screen below, we have new folders that conform to the partitioning required by Amazon Security Lake. The data we configured earlier in the CloudFormation script creates partitioning that enables the AWS Glue crawler to efficiently consume and process event data and tie it back to the custom data source we defined earlier, CISCOFIREWALL.

Event data is placed into S3 by event time, and file creation rotates based on size with a maximum file size of 256MB. The files are named according to the time at which the last event was processed, providing a first-hand look at how far along the eNcore client is in the data streaming process.
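To make the design described earlier (events partitioned by event hour, written as compressed files) and the rotation behaviour just described concrete, here is an added example written for this page; it is not eNcore's code. It buffers OCSF events per event-hour partition, rotates an output object when the next event would push it over a size cap, and names each object after the last event it contains. The region=/accountId=/eventHour= prefix layout, the gzip JSON serialisation (eNcore writes Parquet), the constructed events, and the tiny cap used in `demo()` are assumptions for the illustration; the S3 upload is left out so the code runs offline.

```python
"""Hour-partitioned, size-rotated output for Security Lake delivery.

Added example for this page, not eNcore's code. Prefix layout and the
gzip JSON format are assumptions; eNcore writes Parquet to S3.
"""
import gzip
import io
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

MAX_FILE_BYTES = 256 * 1024 * 1024  # the 256MB cap mentioned in the text


def partition_prefix(event_ms: int, region: str, account_id: str) -> str:
    """Return the S3 prefix for an event, partitioned by its event hour (UTC)."""
    hour = datetime.fromtimestamp(event_ms / 1000, tz=timezone.utc).strftime("%Y%m%d%H")
    return "region={}/accountId={}/eventHour={}/".format(region, account_id, hour)


class RotatingWriter:
    """Buffers serialised events per partition and rotates by size.

    Closed objects are collected in self.flushed as (key, bytes) pairs,
    which is where an S3 put_object call would go in a real client.
    """

    def __init__(self, region: str, account_id: str, max_bytes: int = MAX_FILE_BYTES):
        self.region, self.account_id, self.max_bytes = region, account_id, max_bytes
        self._buf: Dict[str, List[bytes]] = {}
        self._size: Dict[str, int] = {}
        self._last_ms: Dict[str, int] = {}
        self.flushed: List[Tuple[str, bytes]] = []

    def write(self, event: dict) -> Optional[str]:
        """Append one OCSF event; returns the key of an object closed by rotation, if any."""
        prefix = partition_prefix(event["time"], self.region, self.account_id)
        line = (json.dumps(event, separators=(",", ":")) + "\n").encode()
        rotated = None
        # Rotate before the write that would exceed the cap, never mid-event.
        if self._buf.get(prefix) and self._size[prefix] + len(line) > self.max_bytes:
            rotated = self._close(prefix)
        self._buf.setdefault(prefix, []).append(line)
        self._size[prefix] = self._size.get(prefix, 0) + len(line)
        self._last_ms[prefix] = event["time"]
        return rotated

    def _close(self, prefix: str) -> str:
        """Compress the buffered lines into one object named after the last event time."""
        stamp = datetime.fromtimestamp(self._last_ms.pop(prefix) / 1000, tz=timezone.utc)
        key = prefix + stamp.strftime("%Y%m%d%H%M%S") + ".json.gz"
        out = io.BytesIO()
        with gzip.GzipFile(fileobj=out, mode="wb") as gz:
            gz.write(b"".join(self._buf.pop(prefix)))
        self._size.pop(prefix, None)
        self.flushed.append((key, out.getvalue()))
        return key

    def flush(self) -> List[str]:
        """Close every open partition object (for example on shutdown)."""
        return [self._close(p) for p in list(self._buf)]


def count_events(blob: bytes) -> int:
    """Decompress one closed object and count the newline-delimited events in it."""
    return gzip.decompress(blob).count(b"\n")


def demo() -> List[Tuple[str, bytes]]:
    """Constructed events with a 200-byte cap so rotation is visible at small scale."""
    w = RotatingWriter("us-east-1", "123456789012", max_bytes=200)
    base = 1690000000000  # 2023-07-22 04:26:40 UTC, in milliseconds
    for i in range(5):
        w.write({"class_uid": 4001, "time": base + i * 10_000, "n": i})
    w.write({"class_uid": 4001, "time": base + 3_600_000, "n": 99})  # next hour, new partition
    w.flush()
    return w.flushed


if __name__ == "__main__":
    for key, blob in demo():
        print(key, count_events(blob), "events")
```

With the 200-byte cap, `demo()` produces three objects: the first four events of hour 2023072204 in a rotated object, the fifth event of that hour closed by `flush()`, and the single event that fell into hour 2023072205. Each key ends with the timestamp of the last event it holds, so listing the bucket shows how far the writer has progressed, which is the behaviour the text describes.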

Amazon Security Lake then runs a crawler task every hour to parse and consume the log files in the target S3 directory, after which we can view the results with an Athena query. With Amazon Athena we can build visual analytics in a variety of different tools, including Amazon Managed Grafana and QuickSight; in the future we plan to build visualizations to showcase the firewall data in Amazon Security Lake.

More information on how to configure and tune the eNcore eStreamer client can be found on our official website. This includes details on how to filter certain event types to focus your data retention policy, and guidance on performance and other detailed configuration settings.

You can check out the Amazon Security Lake User Guide for more information. I encourage you to try out OCSF yourself and see how it might help the community in the quest for normalization.

