November 23, 2020 by Vijit Nair
Visibility is paramount in securing your cloud environment – as the adage goes, you cannot protect what you do not see. However, comprehensive visibility in an IaaS (infrastructure as a service) environment is elusive – you need to make sure that logging is configured (and stays configured) on every service, ingest log types from every service into your SIEM, navigate poorly designed schemas, and correlate across logs from different cloud environments. If all this sounds fraught with error to you, you are not alone.
This is why organizations look to Zeek for a normalized view of their environment. Zeek is the de facto standard for continuous network security monitoring with a schema that is purpose built for SOC teams. Zeek provides a judgement-free view of your environment, and is cloud provider, applications and services agnostic. The extensibility of Zeek (with Suricata alerts, intel frameworks, input frameworks for example) combined with community content, allows you to easily enrich data with context and correlations. With a bird’s eye view of the cloud environment, organizations can shine the light on high value assets, privilege boundaries between multi-cloud environments, and other choke points.
Cloud Sensor for GCP
Until recently, network monitoring in the cloud has been elusive. However, starting mid-last year cloud providers have begun to announce features to mirror packets using virtual TAPs, and Corelight has released its Cloud Sensor for both AWS and Azure. Today we are excited to complete the trifecta by announcing Corelight’s Cloud Sensor for GCP.
The Cloud Sensor for GCP is a lightweight, highly performant wrapper for Zeek purpose built for cloud native environments. The sensor is configured via a flat file with a key and values – designed to be human readable, but can also be expressed by automation tools (such as Terraform or GCP Cloud Deployment Manager) to deploy at scale.
In addition to packages built into Zeek, the GCP Cloud Sensor is pre-packaged with Corelight Collections including the Core Collection and Encrypted Traffic Collection. There are also some experimental goodies packed in here – so reach out to us if you want to learn more. Corelight logs can be streamed real time to Splunk HEC, Kafka, JSON over TCP & syslog. The sensor also supports high performance file extraction. Logs and files may be batched to disk or exported via sftp.
The Cloud Sensor for GCP deploys in your VPC, analyzes traffic from a packet mirror source and generates logs that can be streamed out to your data lake of choice.
GCP reference architecture
The GCP packet mirror clones traffic from instances in the VPC and forwards it to an internal load balancer. This feature also allows you to get intranode visibility by mirroring pod-to-pod traffic on the same Google Kubernetes Engine (GKE) node. Since the mirrored packets are not encapsulated, there are no challenges in handling packets with large MTU.
The mirrored packets are forwarded to an internal load balancer with an autoscale cluster of Corelight sensors. The cluster of sensors may be deployed in a central VPC (by peering the mirrored traffic to the central VPC) or distributed in each VPC (by keeping the mirrored traffic within each VPC).
Setting up a Corelight Cloud Sensor in GCP
The Corelight Cloud Sensor for GCP can be set up with 2 simple steps. The examples below show the steps with cli commands. But these can just as easily be done via the GCP console or API.
Step 1: Set up an instance template from Corelight’s public image. The instance template allows you to define the machine type, disk image, etc.
Step 2: Use the instance template to set up a managed instance group.
With a managed instance group, the sensor can seamlessly grow and shrink based on the traffic capacity – which means you can achieve limitless performance when needed, while making sure there are no instances idling in other times. This also provides high availability by responding to failure events by spinning up additional instances. To change configurations, create a configuration file and an instance template (with the new metadata key value for config) and initiate a rolling update to the instance group.
If you are looking to get better visibility into you GCP environment and would like to try out the Corelight Cloud Sensor, please reach out to us – http://www3.corelight.com/evaluation-form.