“Easy” button for cloud NDR visibility

As organizations continue to rapidly adopt cloud services, they struggle to expand network detection and response (NDR) capabilities to their hybrid and multi-cloud environments. Network visibility is critical for security operations center (SOC) teams to secure their cloud environments and ensure they can elevate threat detection and incident investigation capabilities. However, traditional NDR solutions require management, configuration and often lack the security context needed. 

Corelight’s newly launched SaaS solution for AWS eliminates friction by providing a simple, easy to deploy, managed service that generates deep and rich security visibility into cloud network traffic. The service eliminates the additional complexity and management overhead for security and DevOps teams, allowing them to efficiently achieve their security objectives. 

Corelight Cloud Sensors enable SOC teams to quickly detect and respond to threats targeting cloud workloads by turning mirrored traffic into comprehensive logs, extracted files, and custom insights. By providing a standardized dataset across many types of networks, Corelight enables elite defenders with a clear understanding of what is happening in their cloud, multi-cloud, and hybrid environments in real time.

Same great visibility, none of the management overhead

The Corelight SaaS offering for AWS removes the heavy lift of managing a vital security tool while maintaining the visibility needed to keep cloud deployments safe. The service uses AWS’s traffic mirroring capability to securely tunnel mirrored traffic to the SaaS service using AWS Gateway Load Balancer endpoint architecture. Corelight’s SaaS is a highly available and scalable service that transforms this network traffic into network evidence for security detections, incident investigation and threat hunting.

Corelight’s new SaaS offering allows customers to 

1. Deploy in minutes: Create a new sensor cluster with a click of a button. The sensor cluster is created per Region / AZ (availability zone) and the GWLB endpoint service is shared for each cluster of sensors. 
2. Eliminate management burden: The SaaS service takes care of configuring and deploying the sensor cluster as well as scaling, updating, maintaining and high availability. The service is elastic and can scale from a few Mbps of traffic to high Gbps - without the need to pre-provision capacity, thus eliminating complexity and cost.
3. Save cloud costs: Each sensor cluster ensures that the traffic stays within the AZ, thus eliminating costly data transit charges. Additionally, the service also eliminates the cost for hosting and surge / scale of sensors depending on traffic pattern.

All of the above benefits come with no impact to the unparalleled network visibility, intrusion detection, and collections that are expected from a best in breed NDR solution. Additionally, with the adherence to SOC2 Type 2 certification (System and Organization Controls 2) our customers can rest assured that the service meets the Availability, Confidentiality and Security trust service principles. 

This gives security teams time back in their day to focus on remediating risks critical to business and is one of the best investments for any organization.

Network visibility with control plane context 

While network visibility is extremely useful, enriching it with context makes it extremely easy to use for security investigations. In cloud environments, L3 networking is abstracted away from the higher-level applications and services. Because of this abstraction, when Corelight logs are collected for cloud network environments, the attribution of a network flow to actual workload or application is difficult. The SOC analyst would need to know which instance had the IP address seen within the logs at the exact time the log entry was created. In most cloud environments, this simply is not tracked.  

With the addition of this cloud context data to the Corelight logs (now available as a Beta in Cloud Sensor SaaS), SOC analysts will be able to pinpoint exactly which EC2 instance is in play without having to solely rely on IP addresses.

For more information about how to enable threat hunting across an entire AWS deployment, please click here or contact our team directly.

By Todd Morneau, Principal Product Manager, Corelight Cloud Security Solutions