Dome9 Log.ic: Rethinking Threat Intelligence for the Public Cloud

Hundreds of organizations around the world use Dome9 Arc as their go-to solution to establish and maintain a robust security posture in their public cloud environments at scale. Today, we are proud to announce the birth of a powerful new technology in Dome9 Arc that brings context-aware threat intelligence to the public cloud – Dome9 Log.ic.

Dome9 is renowned for its capabilities to analyze and secure public cloud infrastructures based on the cloud inventory, policies and configuration data.

Now using Log.ic, organizations can visualize, search, get intrusion and threat alerts, analyze and reason-about security in their cloud environments using new capabilities to analyze time-based traffic, and other data from a wide variety of sources. Log.ic is a game changer for intrusion detection, forensics and situational awareness in the public cloud

The Dome9 Log.ic Enrichment Engine

At the heart of Dome9 Log.ic is a patent-pending enrichment engine that synthesizes time-based data from cloud-native sources (AWS CloudTrail, VPC flow logs, etc.), user-triggered events and public threat intelligence feeds and combines this with a powerful model of the environment’s assets inventory and security configurations.

This is a first in the industry, and it allows organizations to make sense of the massive amount of data that is available to them. Dome9 is able to take actual network traffic and intel feeds and overlay it with the configuration-based view of security that only Dome9 has. This is the real power of the solution.

The contextually enriched data that is produced can be used within the Dome9 Arc platform for enhanced visualization, querying, intrusion alerts and notifications of policy violations. It can also be piped to third-party SIEM solutions.

Log.ic in Action: Enriched VPC Flow Logs

Let’s look at a tangible example of what Dome9 Log.ic can offer. Here’s a typical VPC flow log entry:

The data in this entry can only be interpreted in the context of an environment and the specific point in time. The IP addresses may have been associated with a load balancer, an RDS instance, a lambda function or an EC2 instance in an auto-scaling group.

In many cases, the IP address association is ephemeral, lasting only a few minutes. So at the time that a security admin is looking at the VPC flow log, these associations may no longer exist. In other cases, admins using built-in cloud services such as load balancers and Lambda may not be aware of the specific IP addresses assigned to resources.

In a dynamic cloud environment that uses cloud-native entities, it is practically impossible to really understand the semantics of this flow log entry. Now, imagine that you could take that flow log entry and expand it to this:

You now have enriched metadata that never existed in the original entry, and you can now understand what’s really going on — AD directory service in us-east-1d is talking to an EC2 instance (of application type ‘scheduler’) in us-east-1b.

Log.ic takes a VPC flow log entry and tells a story. You can consume the enriched events feed in several ways. 

Alerting 

Step 1: Set intrusion detection alerts based on network analysis by using pre-defined rules or creating custom ones for your environment. In this example we are correlating an egress traffic flow originating from RDS servers and targeting a known malicious C&C IP address.

Step 2: Validate that your cloud environments are meeting regulatory and governance requirements. You can do this by creating custom policies using the Dome9 Governance Specification Language (GSL) to reason about security of actual traffic (in addition to reasoning about the configuration/ state). In the next example, we are writing a GSL rule to assist with this PCI/DSS goal – “PCI/CDE instances should never talk directly to the Internet” and generate alerts when these rules are violated

Visualization, querying and investigations

Visualize traffic within the Dome9 Arc platform, then drill down into interesting data flows – zooming into specific instances, cloud services or applications (ex: “show me all traffic of assets with the tag ‘Application A’”). This is a strong capability for network operations and troubleshooting as well as for incident response and forensic use-cases.

Integrate it with additional systems

Pipe it to your favorite SIEM for further events correlation, analysis or unified alerting pipeline

Summary

Every day, we’re seeing businesses waking up to the reality that security in the public cloud is different from the way they’re used to in their datacenter. With the wealth of data available about what’s going on in cloud environments, the real challenge is to quickly make sense of all this data and build appropriate security context around it.

I believe that while different, the cloud is also an enabler for a new kind of security service that is able to connect the dots between assets, configuration, networking and user activities and to apply a consistent set of organizational policies and workflows on top of them.

This announcement is just the beginning – as we consider Log.ic to be a new platform to create and deliver new innovative security services in the future.

Stay tuned,

Roy and the Dome9 Team

Related Resources 

 The Top 12 Threats to Cloud Security 

 The Definitive Guide to Robust Security

 Building a Cloud First Deployment Model – DevSecOps Guide