NDR for AWS Well-Architected

Post on 20-Apr-2022


Transcript of NDR for AWS Well-Architected

Slide 1

SEIZE THE HIGH GROUND

NDR for AWS Well-Architected

Slide 2

Agenda

What is NDR?

NDR for AWS Well Architected

Reference Architecture

Live Demo!

Slide 3

Network visibility is crucial for multilayer defense

[Diagram labels: Threat intel feeds; Network detection and response (NDR); Endpoint detection and response (EDR); UEBA / analytics stack (SIEM)]

Slide 4

Components of an NDR platform

1. Alerts & Insights (signature alerts and behavioral analytics): signature, behavioral, and threat intel based detections

2. Investigation (incident response & threat hunting): structured and linked metadata accelerates incident response and threat hunting

3. Validation (forensics): retain network traffic in PCAP files to aid investigation and forensics

Slide 5

NDR: A design pattern

1. Alerts and Insights
2. Investigation
3. Validation

● IDS: Suricata, for signature based detection
● NTA: Zeek, the industry standard for IR and threat hunting
● PCAP: the backstop of last resort

[Diagram labels: Network; SIEM]
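The "linked metadata" point on the previous slides is easiest to see with a join between the two log sources the pattern names. The following is an added example, not code from the slide deck or from Corelight, Zeek or Suricata: it recomputes the Community ID flow hash (the open spec Corelight published, version 1, TCP/UDP/SCTP only) for a Suricata EVE alert and for Zeek conn.log records, then attaches the Zeek connection uid, service and byte counts to the alert. Both tools can emit the field natively; computing it here keeps the example self-contained. The log lines are constructed for illustration.

```python
"""Link Suricata alerts to Zeek conn.log records through the Community ID flow hash.

Added example; not code from the slide deck or from Corelight, Zeek or Suricata.
ICMP flows (which the spec maps via type/code) are not handled here.
"""
import base64
import hashlib
import json
import socket
import struct

PROTO_NUMBERS = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id_v1(saddr, sport, daddr, dport, proto, seed=0):
    """Community ID v1: '1:' + base64(sha1(seed | addrA | addrB | proto | 0 | portA | portB)).

    Endpoints are ordered (lower address, then lower port, first) so that both
    directions of a flow hash to the same identifier.
    """
    proto_num = PROTO_NUMBERS[proto.lower()]
    family = socket.AF_INET6 if ":" in saddr else socket.AF_INET
    sa, da = socket.inet_pton(family, saddr), socket.inet_pton(family, daddr)
    if (sa, sport) > (da, dport):
        sa, sport, da, dport = da, dport, sa, sport
    data = struct.pack("!H", seed) + sa + da + struct.pack("!BBHH", proto_num, 0, sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


# Constructed sample records (illustrative values, not real traffic): one Suricata
# EVE alert and two Zeek conn.log entries in Zeek's JSON output format.
SURICATA_EVE = """
{"timestamp":"2022-04-20T10:15:02.123456+0000","event_type":"alert","src_ip":"10.0.1.23","src_port":51234,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"signature_id":2000001,"signature":"EXAMPLE Suspicious TLS beacon","severity":2}}
"""
ZEEK_CONN = """
{"ts":1650449700.5,"uid":"CAbc123","id.orig_h":"10.0.1.23","id.orig_p":51234,"id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp","service":"ssl","duration":12.5,"orig_bytes":2048,"resp_bytes":81920,"conn_state":"SF"}
{"ts":1650449701.0,"uid":"CDef456","id.orig_h":"10.0.1.23","id.orig_p":51235,"id.resp_h":"198.51.100.7","id.resp_p":80,"proto":"tcp","service":"http","duration":0.3,"orig_bytes":300,"resp_bytes":1200,"conn_state":"SF"}
"""


def zeek_conn_index(conn_log_text):
    """Index Zeek conn.log JSON records by Community ID (computed if the log lacks one)."""
    index = {}
    for line in conn_log_text.strip().splitlines():
        rec = json.loads(line)
        cid = rec.get("community_id") or community_id_v1(
            rec["id.orig_h"], rec["id.orig_p"], rec["id.resp_h"], rec["id.resp_p"], rec["proto"])
        index.setdefault(cid, []).append(rec)
    return index


def enrich_alerts(eve_text, conn_index):
    """Attach the Zeek connection context to every Suricata alert sharing its flow."""
    enriched = []
    for line in eve_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # EVE also carries flow/dns/tls records; only alerts are joined here
        cid = ev.get("community_id") or community_id_v1(
            ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"], ev["proto"])
        conns = conn_index.get(cid, [])
        enriched.append({
            "community_id": cid,
            "signature": ev["alert"]["signature"],
            "zeek_uids": [c["uid"] for c in conns],
            "services": sorted({c.get("service", "-") for c in conns}),
            "resp_bytes": sum(c.get("resp_bytes", 0) for c in conns),
        })
    return enriched


if __name__ == "__main__":
    print(json.dumps(enrich_alerts(SURICATA_EVE, zeek_conn_index(ZEEK_CONN)), indent=2))
```

The Zeek uid returned for the alert is the key into every other Zeek log (ssl.log, files.log, and so on), which is the hop an analyst takes from "an alert fired" to "what else happened on that connection"; the PCAP retained by the third component is the final check on the same flow.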

Slide 6

AWS Well-Architected Framework

Performance Efficiency: use computing resources efficiently as demand changes and technologies evolve

Security: protect data, systems, and assets; leverage cloud technologies to improve security

Reliability: recover from failures, dynamically acquire compute resources to meet demand, mitigate disruptions

Cost Optimization: run systems to deliver business value at the lowest price point

Operational Excellence: develop, monitor and run workloads; continuously improve supporting processes and procedures

Slide 7

NDR for AWS Well-Architected

Performance Efficiency

● Deploy globally, scale elastically
● Cloud-native, event driven log streaming
● Integrate with Cloud SIEMs & metrics monitoring

Security

● Least privilege access with Org RBAC and AWS IAM roles
● Audit logging to track & flag config changes
● End-to-end data encryption; VPC Endpoint services

Reliability

● Deploy sensors cross-AZ behind NLB
● Fork and filter logs for data resiliency
● Immutable sensors for automated deployment

Cost Optimization

● Self-hosted sensors to keep traffic within VPC
● Track traffic mirroring billing, especially for dynamic instances
● Preferential SIEM pricing, reduced logs

Operational Excellence

● Automation to deploy at scale using CloudFormation templates (CFT)
● Serverless app model to enforce mirroring policies
● Central console to manage distributed deployments

Slide 8

Reference Design

[Diagram: AWS Cloud, Region, VPC spanning Availability Zone 1 and Availability Zone 2; an Auto Scaling group of Corelight sensors (Corelight1 Active, Corelight2 Standby) with ENI interfaces, behind an NLB that receives VPC traffic mirroring; Amazon Kinesis and Kafka as downstream log streaming targets]

Slide 9

Live Demo

Slide 10

Setting up traffic mirror

Slide 11

Setting up traffic mirror session
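The demo slides create a traffic mirror target, filter and session by hand in the console; the Well-Architected slide's "serverless app model to enforce mirroring policies" bullet is what keeps that setup true once instances come and go. The following is an added example, not code from the slide deck or from Corelight, of a Lambda-style handler that reacts to an EventBridge "EC2 Instance State-change Notification" and creates a mirror session for every ENI of a newly running, opted-in instance, pointing at the sensor NLB target. It assumes (none of this is on the slides) an opt-in tag NDR=mirror, session number 1, and placeholder tmt-/tmf- ids; the EC2 client is injected so the logic runs offline against the fake client at the bottom, and for real use you would pass boto3.client("ec2").

```python
"""Enforce a VPC Traffic Mirroring policy as instances launch (event-driven).

Added example; not code from the slide deck or from Corelight.  Assumed, not
taken from the slides: the NDR=mirror opt-in tag, session number 1, and the
placeholder traffic mirror target/filter ids.
"""
from dataclasses import dataclass

SESSION_NUMBER = 1  # assumed: one session per ENI (AWS evaluates lower session numbers first)


@dataclass
class MirrorPolicy:
    target_id: str            # traffic mirror target for the sensor NLB (placeholder in demo)
    filter_id: str            # traffic mirror filter defining what to mirror (placeholder)
    tag_key: str = "NDR"      # opt-in tag keeps mirroring, and its billing, deliberate
    tag_value: str = "mirror"


def ensure_mirroring(ec2, instance_id, policy):
    """Create missing mirror sessions for an instance's ENIs; return the ENIs newly covered.

    Idempotent: an ENI that already has a session to policy.target_id is skipped,
    so a re-delivered event does not create a duplicate session (or a second bill).
    """
    created = []
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    for reservation in resp["Reservations"]:
        for inst in reservation["Instances"]:
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if tags.get(policy.tag_key) != policy.tag_value:
                continue
            enis = [n["NetworkInterfaceId"] for n in inst.get("NetworkInterfaces", [])]
            if not enis:
                continue
            existing = ec2.describe_traffic_mirror_sessions(
                Filters=[{"Name": "network-interface-id", "Values": enis}])
            covered = {s["NetworkInterfaceId"] for s in existing["TrafficMirrorSessions"]
                       if s["TrafficMirrorTargetId"] == policy.target_id}
            for eni in enis:
                if eni in covered:
                    continue
                # PacketLength is omitted on purpose: whole packets are mirrored, so the
                # sensor sees full payloads for Zeek, Suricata and PCAP retention.
                ec2.create_traffic_mirror_session(
                    NetworkInterfaceId=eni,
                    TrafficMirrorTargetId=policy.target_id,
                    TrafficMirrorFilterId=policy.filter_id,
                    SessionNumber=SESSION_NUMBER,
                    Description=f"NDR mirror for {instance_id}",
                )
                created.append(eni)
    return created


def lambda_handler(event, context, ec2=None, policy=None):
    """Entry point for an EventBridge rule on EC2 instance state-change notifications."""
    detail = event.get("detail", {})
    if detail.get("state") != "running":
        return {"created": []}
    if ec2 is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        ec2 = boto3.client("ec2")
    policy = policy or MirrorPolicy(target_id="tmt-PLACEHOLDER", filter_id="tmf-PLACEHOLDER")
    return {"created": ensure_mirroring(ec2, detail["instance-id"], policy)}


class FakeEC2:
    """Minimal stand-in for boto3's EC2 client, shaped like the real responses."""

    def __init__(self, instances, sessions):
        self.instances, self.sessions = instances, list(sessions)

    def describe_instances(self, InstanceIds):
        insts = [i for i in self.instances if i["InstanceId"] in InstanceIds]
        return {"Reservations": [{"Instances": insts}]}

    def describe_traffic_mirror_sessions(self, Filters):
        enis = set(Filters[0]["Values"])
        return {"TrafficMirrorSessions": [s for s in self.sessions if s["NetworkInterfaceId"] in enis]}

    def create_traffic_mirror_session(self, **kw):
        session = {"TrafficMirrorSessionId": f"tms-{len(self.sessions)}",
                   "NetworkInterfaceId": kw["NetworkInterfaceId"],
                   "TrafficMirrorTargetId": kw["TrafficMirrorTargetId"],
                   "SessionNumber": kw["SessionNumber"]}
        self.sessions.append(session)
        return {"TrafficMirrorSession": session}


def demo():
    """Constructed scenario: one opted-in instance with two ENIs, one already mirrored."""
    policy = MirrorPolicy(target_id="tmt-PLACEHOLDER", filter_id="tmf-PLACEHOLDER")
    ec2 = FakeEC2(
        instances=[{"InstanceId": "i-0demo", "Tags": [{"Key": "NDR", "Value": "mirror"}],
                    "NetworkInterfaces": [{"NetworkInterfaceId": "eni-a"},
                                          {"NetworkInterfaceId": "eni-b"}]}],
        sessions=[{"TrafficMirrorSessionId": "tms-0", "NetworkInterfaceId": "eni-a",
                   "TrafficMirrorTargetId": "tmt-PLACEHOLDER", "SessionNumber": 1}])
    event = {"detail": {"instance-id": "i-0demo", "state": "running"}}
    first = lambda_handler(event, None, ec2=ec2, policy=policy)
    second = lambda_handler(event, None, ec2=ec2, policy=policy)  # re-delivery is a no-op
    return first, second


if __name__ == "__main__":
    print(demo())
```

The opt-in tag and the idempotency check are the two places this touches the cost pillar: the slide's "track traffic mirroring billing, especially for dynamic instances" bullet is only achievable when a session is created once per ENI and only for the workloads you chose, and the Lambda's IAM role needs just the three ec2 Describe/Create actions it calls, in line with the least-privilege bullet.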

Slide 12

Demo lab

Slide 13

Try Corelight in AWS for free

Request an evaluation of the Corelight Cloud Sensor for AWS:

https://www3.corelight.com/evaluation-form

● Corelight’s best-in-class NTA product in an Amazon Machine Image (AMI)
● Built-in Zeek packages for detection, monitoring, and data enrichment
● Intuitive, fast configuration with a beautiful web UI
● Zeek log export to Splunk, Elastic, Kafka, Syslog, Amazon S3, and SFTP
● High performance and efficient file extraction

Slide 14

Q&A

Slide 15

Thank You