The key to a successful cloud practice is to ensure that any tool you pick provides significantly more value than it costs. When it comes to security tools, a common complaint is that the operational burden outweighs the benefits provided. A core tenet of Deep Security is to automate as much of your security operations as possible.

One of the biggest benefits of using tags in Deep Security is that they let the Manager handle events automatically, reducing the noise your security monitoring efforts have to deal with. Here’s how to get the most out of Deep Security events.

Event Streams

Let’s start with the view closest to the application’s perspective: Events.

All events coming from your Deep Security agents are sent to the Manager, where they are processed, correlated, logged, and alerted on. Each event is shown in the area that generated it: Intrusion Prevention events under the Intrusion Prevention module, system events in the main Events panel, and so on. The goal is to keep actionable information as close to the appropriate security control in the Deep Security Manager as possible.

When an event is first processed by the Deep Security Manager, a tag can also be applied. These tags make it easier to automate event handling either within Deep Security, upstream in a SIEM, or via an Amazon SNS topic.

Event Examples

Do you want to see events for a specific computer? These can easily be found under the Computer Properties of any of your protected computers:

[Screenshot: events listed under Computer Properties]

You can also see a collection of events based on the policy that’s in use. This lets you correlate data coming from multiple resources that share the same policy:

[Screenshot: events listed by policy]

Now, let’s say we want to inspect logs coming from WordPress because they’re highly sensitive and need additional attention. We can set up an Auto-Tagging rule that automatically applies a tag based on specific criteria, so our logs appear with a custom, searchable, descriptive tag:

[Screenshot: selecting Auto-Tagging from an event]

After we select one of the events and choose Auto-Tagging, we can match on a number of criteria defined by the columns, including Source Port, Reason, or even the Computer in question:

[Screenshot: Auto-Tagging rule criteria]

This lets us build fully customizable tagging rules that tag events as they arrive at the Manager. Here are our WordPress logs, automatically tagged:

[Screenshot: WordPress events with the tag applied]

We can then narrow a search to tagged events, or to events without tags, to find the incidents that matter.
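To make the Auto-Tagging behaviour described above concrete, here is an added example (not Deep Security’s own code) that models a tagging rule as a set of column criteria, applies the rules to events as they arrive, and then searches tagged or untagged events. The event dictionaries, field names, rule names and tag names are constructed for this illustration and are not the Manager’s real schema.

```python
"""Added example, not Deep Security's own code: a small model of the
Auto-Tagging rules described above.  A rule matches an event on one or more
columns (Reason, Source Port, Computer, ...) and applies a tag when the event
is processed; we can then search tagged or untagged events.  Field names,
Reason strings and tag names below are constructed for the illustration."""

from dataclasses import dataclass
from typing import Any, Dict, List

Event = Dict[str, Any]


@dataclass
class AutoTagRule:
    tag: str
    criteria: Dict[str, Any]  # column -> required value; every column must match

    def matches(self, event: Event) -> bool:
        return all(event.get(col) == val for col, val in self.criteria.items())


# Constructed rules: one for the WordPress case in the text, one for a
# scanner that always arrives from the same source port.
RULES: List[AutoTagRule] = [
    AutoTagRule("WordPress", {"Computer": "wp-web-01",
                              "Reason": "WordPress login brute force"}),
    AutoTagRule("KnownScanner", {"Source Port": 31337}),
]

# Constructed sample events as they might arrive at the Manager.
SAMPLE_EVENTS: List[Event] = [
    {"Computer": "wp-web-01", "Reason": "WordPress login brute force", "Source Port": 51234},
    {"Computer": "wp-web-01", "Reason": "WordPress login brute force", "Source Port": 31337},
    {"Computer": "db-01", "Reason": "SSH Server Brute Force", "Source Port": 40000},
    {"Computer": "wp-web-02", "Reason": "WordPress login brute force", "Source Port": 22},
]


def apply_auto_tags(events: List[Event], rules: List[AutoTagRule]) -> List[Event]:
    """Tag each event on arrival.  Returns copies carrying a 'Tags' list; the
    input events are not mutated, mirroring that tags are metadata layered
    on top of the original event."""
    tagged_events = []
    for ev in events:
        tags = list(ev.get("Tags", []))
        for rule in rules:
            if rule.matches(ev) and rule.tag not in tags:
                tags.append(rule.tag)
        tagged_events.append({**ev, "Tags": tags})
    return tagged_events


def search(events: List[Event], tag: str = None, untagged: bool = False) -> List[Event]:
    """Narrow the list to events carrying `tag`, or, with untagged=True, to
    events that no rule matched (often the ones worth a second look)."""
    if untagged:
        return [ev for ev in events if not ev.get("Tags")]
    if tag is None:
        return list(events)
    return [ev for ev in events if tag in ev.get("Tags", [])]


if __name__ == "__main__":
    tagged = apply_auto_tags(SAMPLE_EVENTS, RULES)
    for ev in tagged:
        print(ev["Computer"], ev["Reason"], ev["Tags"])
    print("untagged:", len(search(tagged, untagged=True)))
```

Note that the criteria use AND semantics: the fourth sample event has the WordPress Reason but comes from a different Computer, so it stays untagged, which is exactly the kind of event a search for untagged events would surface.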

The added information makes it easier to get a quick view of what’s happening around this event. But the real power of tags comes when you use them upstream in a SIEM or via an Amazon SNS topic.

Exporting to a SIEM

Deep Security lets you offload your log data directly to a SIEM for additional logging and reporting. This is configured in the Administration -> SIEM view for System Events and in the Policy view for each security policy:

[Screenshot: SIEM export configuration]

You can then use the Deep Security data in your SIEM alongside other security and operational data, which helps you build a complete view of your deployment. Splunk is one of the most popular SIEM/aggregation tools out there, and we’ve got a Deep Security application in the Splunk Marketplace that makes this integration as simple as a few clicks. Expect another article with the details soon.

Pushing to an Amazon SNS Topic

Mark wrote a great article here showing some of the capabilities of posting Deep Security events to an SNS topic within AWS. He also expands on it at the AWS Loft Event. With this technology, why not catalog all of your event data into Glacier for long-term storage for compliance? You could even take action on any of the event data using AWS Lambda functions to automate tasks like opening a support ticket in PagerDuty or ServiceNow.
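As an added example of the SNS-to-Lambda pattern just described (this is not Deep Security’s, Mark’s or AWS’s own code), the handler below consumes Deep Security events delivered through an SNS topic, writes every event to S3 under a date/type/host prefix (a bucket lifecycle rule can then transition those objects to Glacier for long-term retention), and passes tagged events to a ticketing hook. Assumptions, all labelled in the code: the SNS Message body is a JSON array of event objects carrying "EventType", "Hostname" and a comma-separated "Tags" field (verify the shape against your own Manager’s output), the bucket name is a placeholder, and the ticketing hook is where you would plug in a PagerDuty or ServiceNow client.

```python
"""Added example, not Deep Security's or AWS's own code: an AWS Lambda handler
that consumes Deep Security events published to an SNS topic, archives every
event to S3 (an S3 lifecycle rule can move the objects on to Glacier) and hands
tagged events to a ticketing hook.

Assumptions: the SNS Message body is a JSON array of event objects with
"EventType", "Hostname" and a comma-separated "Tags" field (the constructed
sample at the bottom mimics that shape); ARCHIVE_BUCKET is a placeholder; the
default ticket hook just prints and is meant to be replaced."""

import json
from datetime import datetime, timezone

ARCHIVE_BUCKET = "example-ds-event-archive"   # placeholder, not a real bucket
TICKET_TAGS = {"WordPress", "Critical"}        # tags that should open a ticket


def parse_sns_record(record):
    """Return the list of Deep Security events carried by one SNS record."""
    body = json.loads(record["Sns"]["Message"])
    return body if isinstance(body, list) else [body]   # tolerate a single object


def event_tags(event):
    """Tags are assumed to arrive as one comma-separated string; normalise to a set."""
    raw = event.get("Tags") or ""
    return {t.strip() for t in raw.split(",") if t.strip()}


def archive_key(event, received, index):
    """S3 key partitioned by date/type/host so lifecycle rules and queries can
    act on prefixes; the running index keeps keys unique within one second."""
    host = event.get("Hostname") or "unknown-host"
    etype = event.get("EventType") or "UnknownEvent"
    return f"{received:%Y/%m/%d}/{etype}/{host}/{received:%H%M%S}-{index:04d}.json"


def route_events(events):
    """Pure decision logic: every event is archived, tagged events are also ticketed."""
    decisions = []
    for ev in events:
        tags = event_tags(ev)
        decisions.append({"event": ev, "tags": tags, "ticket": bool(tags & TICKET_TAGS)})
    return decisions


def lambda_handler(event, context, s3_client=None, open_ticket=print, now=None):
    """Lambda entry point.  s3_client, open_ticket and now are injectable so
    the routing can be exercised outside AWS without touching S3."""
    if s3_client is None:
        import boto3  # only needed when running inside AWS
        s3_client = boto3.client("s3")
    received = now or datetime.now(timezone.utc)
    archived = tickets = 0
    for record in event.get("Records", []):
        for decision in route_events(parse_sns_record(record)):
            s3_client.put_object(
                Bucket=ARCHIVE_BUCKET,
                Key=archive_key(decision["event"], received, archived),
                Body=json.dumps(decision["event"]).encode("utf-8"),
            )
            archived += 1
            if decision["ticket"]:
                open_ticket(decision["event"])   # placeholder for PagerDuty/ServiceNow
                tickets += 1
    return {"archived": archived, "tickets": tickets}


# Constructed sample of what Lambda receives: one SNS record whose Message is
# a JSON array of two Deep Security events, one of them auto-tagged "WordPress".
SAMPLE_LAMBDA_EVENT = {
    "Records": [{
        "Sns": {
            "Message": json.dumps([
                {"EventType": "IntrusionPreventionEvent", "Hostname": "wp-web-01",
                 "Reason": "WordPress login brute force", "Tags": "WordPress"},
                {"EventType": "SystemEvent", "Hostname": "db-01",
                 "Reason": "Agent heartbeat", "Tags": ""},
            ])
        }
    }]
}

if __name__ == "__main__":
    class _DryRunS3:            # stand-in so the demo runs without AWS credentials
        def put_object(self, **kwargs):
            print("would write", kwargs["Key"])

    print(lambda_handler(SAMPLE_LAMBDA_EVENT, None, s3_client=_DryRunS3()))
```

Keeping the decision logic in pure functions (`route_events`, `archive_key`) and injecting the S3 client and ticket hook means the tag-based routing can be unit-tested before the function is ever deployed, which matters when a misrouted event could page someone at 3 a.m.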

With the open API architecture, as well as the ability to offload events to a SIEM or SNS topic, you can use Deep Security events to take intelligent, automated actions within your environment. If you’d like to share additional use cases or have any questions, please email us at aws@trendmicro.com.

Post written by: Jason Dablow