Deep Security is designed from the ground up to protect your EC2 instances and to help shine a light on their security. A big part of that visibility comes in the form of security events. Today on Deep Security as a Service and soon on the AWS Marketplace and other deployment options, you’ll be able to send Deep Security events directly to an Amazon SNS topic. This functionality complements the existing syslog and email alerting but is far more flexible.
Easy Setup

Sending events to SNS couldn’t be easier. Simply log into Deep Security and take the following steps:
  1. Under Administration > System Settings > Event Forwarding, check the “Publish Event to Amazon Simple Notification Service” checkbox
  2. Enter an access key and secret key for an IAM user with write permissions to the SNS topic that will receive the events
  3. Enter the ARN (Amazon Resource Name) of the SNS topic that will receive the events
  4. Click the blue “Save” button
Now all of your Deep Security events will be sent to the desired topic.

SNS Topic Subscriptions

Now that the event data is flowing to SNS, you’ll want to do something with it. Enter the SNS concept of a subscription. An SNS subscription sends all of the messages received by a topic to a specific endpoint. That endpoint can be any number of things including an email address, a mobile application, HTTP server, or an AWS Lambda function. As you can imagine, this opens up a number of very interesting possibilities especially when combined with the policy language available as a part of this new Deep Security feature.

Filtering Events

The default configuration for event forwarding to Amazon SNS is to send all Deep Security events to a single topic. If this doesn’t suit your needs, you can use the array of checkboxes to enable/disable the forwarding of specific event types. Taking this a step further, you can use a custom JSON configuration that lets you send events to multiple SNS topics based on any number of criteria. You can easily write a policy that sends all Windows events to one topic and Linux events to another. You could send critical events to a topic to initiate a cross-team incident response. All event properties can be used as decision points for your policies. The help documentation has a complete description of the policy language.
From Deep Security, click Help in the top right corner and search for “SNS”.

Event Format

Events are sent to SNS in a simple JSON document. The event structure varies slightly depending on the type of event, but the JSON format makes it easy to work with events in the programming language or tool of your choice. Here’s an example of an integrity monitoring event:
{
  "Change": 4,
  "ChangeString": "Renamed",
  "Description": "No description is available.",
  "EventID": 2187499,
  "EventType": "integrity",
  "HostAgentVersion": "9.0.0.883",
  "HostAssetValue": 1,
  "HostGroupID": 2,
  "HostGroupName": "Intranet",
  "HostID": 2,
  "Hostname": "ec2-52-38-119-255.us-west-2.compute.amazonaws.com",
  "HostOS": "Microsoft Windows Server 2008 R2",
  "HostSecurityPolicyID": 9,
  "HostSecurityPolicyName": "Windows Server 2008",
  "Key": "C:\\Windows\\system32\\explorer.exe -\u003e C:\\Windows\\system32\\explorer2.exe",
  "LogDate": "2014-10-29T13:18:08.380Z",
  "Origin": 0,
  "OriginString": "Agent",
  "Process": "",
  "Rank": 50,
  "Reason": "1002777 - Microsoft Windows - System configuration file modified",
  "Severity": 3,
  "SeverityString": "High",
  "Tags": "",
  "TenantID": 0,
  "TenantName": "Primary",
  "Type": "File"
}
A list of possible fields and values is available in the online help within Deep Security.
You can see from this sample event that you could quickly filter and react to events by:
  • severity using the “Severity” key
  • computer group (a/k/a AWS Account & Region) using the “HostGroupName” key
  • the timestamp using the “LogDate” key
You can use these key/value pairs to filter via the JSON policy language or in a tool like AWS Lambda.

Reacting To Events

Subscribing to your security events via SNS topics opens up a realm of possibilities. In the video above, we showed two scenarios using simple AWS Lambda functions. In the first, we send all event data to Amazon CloudWatch Logs. This creates an archive of security event data that you can analyze with the tools available in CloudWatch, or you could export the data to S3 and use the new Amazon QuickSight service to quickly visualize it. The second scenario sends key event data to a Slack channel. A lot of teams use Slack to communicate and stay up to date. Sending critical events to Slack immediately notifies the team that there is a potential security issue and lets you kick off your incident response process. Both of these scenarios generate a lot of value for your security practice and are incredibly easy to implement.
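As an added illustration of the Lambda-side filtering described under “Filtering Events” and the Slack scenario above (example code written for this post, not Trend Micro’s own Lambda function), the handler below unwraps the envelope SNS uses when it invokes a Lambda function, keeps only events that pass a Severity and HostGroupName filter, and builds the Slack incoming-webhook body for each. The sample event is reconstructed from the JSON shown earlier; the channel name, the severity threshold and the decision to return the payloads instead of posting them are assumptions made so that it runs offline.

```python
import json

# Constructed sample: the integrity-monitoring event from the post, wrapped the
# way SNS delivers it to Lambda (Records[].Sns.Message holds the JSON as a string).
SAMPLE_EVENT = {
    "EventType": "integrity", "EventID": 2187499, "Severity": 3,
    "SeverityString": "High", "HostGroupName": "Intranet",
    "Hostname": "ec2-52-38-119-255.us-west-2.compute.amazonaws.com",
    "HostOS": "Microsoft Windows Server 2008 R2", "LogDate": "2014-10-29T13:18:08.380Z",
    "Reason": "1002777 - Microsoft Windows - System configuration file modified",
    "Key": "C:\\Windows\\system32\\explorer.exe -> C:\\Windows\\system32\\explorer2.exe",
}
SNS_LAMBDA_EVENT = {"Records": [{"Sns": {"Message": json.dumps(SAMPLE_EVENT)}}]}

def parse_sns_records(event):
    """Return the Deep Security events carried in one SNS-to-Lambda invocation.
    A record whose Message is missing or not valid JSON is skipped, so one
    malformed message cannot stop the remaining events from being handled."""
    events = []
    for record in event.get("Records", []):
        try:
            events.append(json.loads(record["Sns"]["Message"]))
        except (KeyError, TypeError, ValueError):
            continue
    return events

def should_alert(ds_event, min_severity=3, host_groups=None):
    """Filter on the keys the post calls out: Severity (3 is "High" in the
    sample) and HostGroupName. host_groups=None means any group qualifies."""
    if ds_event.get("Severity", 0) < min_severity:
        return False
    return host_groups is None or ds_event.get("HostGroupName") in host_groups

def slack_payload(ds_event):
    """Build the JSON body for a Slack incoming webhook (channel is assumed)."""
    text = "[{sev}] {etype} event on {host} ({group}) at {when}\n{reason}\n{key}".format(
        sev=ds_event.get("SeverityString", "?"), etype=ds_event.get("EventType", "?"),
        host=ds_event.get("Hostname", "?"), group=ds_event.get("HostGroupName", "?"),
        when=ds_event.get("LogDate", "?"), reason=ds_event.get("Reason", ""),
        key=ds_event.get("Key", ""))
    return {"channel": "#security-alerts", "text": text}

def lambda_handler(event, context=None):
    """Lambda entry point. Returns the webhook payloads that would be posted;
    the HTTP call to the Slack webhook URL is deliberately left out here."""
    return [slack_payload(e) for e in parse_sns_records(event) if should_alert(e)]
```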

Monitoring Practice

Sending security events to Amazon SNS will allow you to take your monitoring activities to the next level. It’s never been easier to integrate Deep Security into your workloads. How will you use this new feature? Let us know at aws@trendmicro.com.