Blue Hexagon for AWS
AI You Can Trust™
Powered by Deep Learning
- 1 AWS
- 1.1 Getting Started
- 1.2 Next-Gen Network Detection and Response (NG-NDR)
- 1.2.1 Deploy Blue Hexagon NG-NDR
- 1.2.1.1 Standalone Mode
- 1.2.1.2 High-availability Load-Balanced Autoscaling Mode
- 1.2.2 Enable Traffic Mirroring on Workloads
- 1.2.3 Next Steps
- 1.2.4 Advanced
- 1.2.4.1 Mirror Only Internet Traffic
- 1.2.4.2 Cross-Account Traffic Mirroring
- 1.2.1 Deploy Blue Hexagon NG-NDR
- 1.3 Deep Storage Inspection
AWS
Getting Started
The first step to protecting your cloud with Blue Hexagon Agentless Runtime Cloud Security powered by Deep Learning AI is to connect Blue Hexagon with your AWS account(s).
To complete the steps below, you must have a valid Blue Hexagon SaaS license. Please contact your Blue Hexagon representative to obtain a license. You can request a free trial license here.
Blue Hexagon connects to your account(s) using IAM Role Delegation by creating a Cross-Account Role to allow access to your AWS environment. No need to share secret keys and you have full granular control over what Blue Hexagon can access! By clicking on the “Launch Stack” button(s) below, you will create an IAM role authorizing Blue Hexagon to provide its security services.
Connect Single Account
Click “Launch Stack” below to automatically create a cross-account role using AWS CloudFormation, authorizing Blue Hexagon to start scanning your AWS environment.
Connect Several Accounts (in an Organization)
If you want to connect several accounts at once, e.g. all the accounts in your organization, download the CloudFormation template which you can then deploy and manage as a StackSet across all your accounts in all regions. NOTE: You can choose to restrict the accounts and regions to connect in the wizard. You can find more information about CloudFormation StackSets here.
See note on AWS S3 encrypted bucket inspection.
Next Steps
Once the stack is deployed and Blue Hexagon has connected with your accounts, Blue Hexagon will automatically start scanning your cloud environment for misconfigurations, threats, and report all findings in the Blue Hexagon portal to which you should already have access.
Blue Hexagon scans your cloud environment when the account is connected for the first time and once every 24 hours subsequently.
Next-Gen Network Detection and Response (NG-NDR)
With Blue Hexagon NG-NDR, get deep visibility into your workloads from the network vantage point and threat defense against advanced threats through the power of Deep Learning AI. For example, assume an attacker has discovered your Secure Shell (SSH) key in a public repository, runs a port scan to discover accessible instances of Amazon Elastic Compute Cloud (Amazon EC2), and tries to install Coinminer malware on them. When this happens, Blue Hexagon NG-NDR detects, in real-time, the port scan, the malicious Coinminer payload transfer, and command and control (C2) communications to attacker-controlled known/unknown domains. Deploy Blue Hexagon NG-NDR in minutes through CloudFormation, and configure your VPCs for agentless monitoring via AWS VPC Traffic Mirroring.
First deploy Blue Hexagon NG-NDR in either standalone mode or high-availability auto-scaling mode, and then configure traffic mirroring for your VPCs, subnets, or tagged EC2/EKS instances.
Deploy Blue Hexagon NG-NDR
Deploy Blue Hexagon NG-NDR as either a standalone Amazon EC2 virtual appliance or in high-availability autoscaling mode. Blue Hexagon has already shared the latest AMI named BH Appliance (bh-ami-2.8.0.bhap)
with your registered AWS account in region us-west-2
. You can copy the AMI to other regions as needed. Specify the correct AMI ID for the respective region in the deployment wizards that follow. You can find the AMI ID in the AWS console under EC2 > Images > AMIs as shown in the screenshot below.
Standalone Mode
Click “Launch Stack” below to deploy Blue Hexagon NG-NDR in standalone mode. The stack consists of one EC2 instance along with the necessary Security Group and IAM role for operation.
High-availability Load-Balanced Autoscaling Mode
Click “Launch Stack” below to deploy Blue Hexagon NG-NDR in high-availability autoscaling mode. As shown in the figure below, the stack consists of a Network Load Balancer with cross-Availability Zone load balancing for fault tolerance, an Auto Scaling group for automatic scaling in response to the monitored traffic bandwidth, and EC2 instances launched in the Auto Scaling group in multiple Availability Zones for deep learning-based threat detection and visibility. NOTE: You can find detailed instructions with step-by-step screenshots here.
To launch Blue Hexagon NG-NDR in two availability zones:
To launch Blue Hexagon NG-NDR in three availability zones:
Enable Traffic Mirroring on Workloads
VPC Traffic Mirroring is supported on network interfaces attached to EC2 and EKS instances.
AWS provides a serverless application to automate setting up traffic mirroring based on VPCs, subnets, or tags as input. See figure below for the application architecture. Blue Hexagon has packaged the application in an easy-to-use CloudFormation template, which you can launch by clicking on “Launch Stack” below. Select the VPCs or subnets you would like to monitor, and the serverless application will set up traffic mirroring sessions on existing instances or instances launched in the future in the VPCs or subnets selected. You can also specify instance tags, and the serverless application will set up traffic mirroring sessions on instances (existing or launched in the future) with matching tags.
Next Steps
As soon as you enable traffic mirroring on your workloads, Blue Hexagon NG-NDR virtual appliances will start inspecting your network traffic providing deep L3-L7 visibility and threat detection; surfacing security findings, compliance and configuration issues, and validated threats in the Blue Hexagon portal.
Advanced
Mirror Only Internet Traffic
If you wish to mirror only internet traffic or “North-South” traffic, and not mirror any internal “East-West” traffic, you can either (a) update the Blue Hexagon NG-NDR CloudFormation template with the below traffic mirror filter rules, or (b) instantiate the template and update the created VPC Traffic Mirroring Filter via the AWS Console or other means.
BHTrafficMirrorFilterRuleIngressRejectLocal:
Type: "AWS::EC2::TrafficMirrorFilterRule"
Properties:
Description: "Blue Hexagon Traffic Mirror Filter Rule"
TrafficMirrorFilterId: !Ref BHTrafficMirrorFilter
TrafficDirection: "ingress"
RuleNumber: 10
DestinationCidrBlock: "10.0.0.0/8"
SourceCidrBlock: "10.0.0.0/8"
RuleAction: "reject"
BHTrafficMirrorFilterRuleEgressRejectLocal:
Type: "AWS::EC2::TrafficMirrorFilterRule"
Properties:
Description: "Blue Hexagon Traffic Mirror Filter Rule"
TrafficMirrorFilterId: !Ref BHTrafficMirrorFilter
TrafficDirection: "egress"
RuleNumber: 10
DestinationCidrBlock: "10.0.0.0/8"
SourceCidrBlock: "10.0.0.0/8"
RuleAction: "reject"
BHTrafficMirrorFilterRuleIngress:
Type: "AWS::EC2::TrafficMirrorFilterRule"
Properties:
Description: "Blue Hexagon Traffic Mirror Filter Rule"
TrafficMirrorFilterId: !Ref BHTrafficMirrorFilter
TrafficDirection: "ingress"
RuleNumber: 20
DestinationCidrBlock: "0.0.0.0/0"
SourceCidrBlock: "0.0.0.0/0"
RuleAction: "accept"
BHTrafficMirrorFilterRuleEgress:
Type: "AWS::EC2::TrafficMirrorFilterRule"
Properties:
Description: "Blue Hexagon Traffic Mirror Filter Rule"
TrafficMirrorFilterId: !Ref BHTrafficMirrorFilter
TrafficDirection: "egress"
RuleNumber: 20
DestinationCidrBlock: "0.0.0.0/0"
SourceCidrBlock: "0.0.0.0/0"
RuleAction: "accept"
Cross-Account Traffic Mirroring
To mirror traffic from VPC B in Account B to a (Blue Hexagon) traffic mirror target in VPC A in Account A (created by deploying the templates in earlier steps):
Share the Blue Hexagon traffic mirror target using AWS Resource Access Manager (RAM).
Set up VPC Peering or Transit Gateway to route traffic from VPC B to VPC A.
Ensure that the
AllowCIDR
parameter in the Blue Hexagon NG-NDR template includes the CIDR address block of VPC B so that packets are delivered to the Blue Hexagon NG-NDR instances without being blocked by the respective security groups.
Deep Storage Inspection
Attackers are increasingly looking to exposed S3 buckets to bring malware into otherwise legitimate business functions and code. Blue Hexagon Deep Storage Inspection provides Deep Learning based inspection of AWS S3 objects at scale, analyzing objects to identify malware such as ransomware and backdoors, including zero-day payloads.
Enable Inspection
Click “Launch Stack” below to deploy Blue Hexagon Deep Storage Inspection for your S3 buckets. You can choose to enable inspection for all S3 buckets or for select buckets which have the tags you specify.
Deploying the stack enables Blue Hexagon Deep Storage Inspection for existing buckets, while also setting an automatic trigger to enable inspection for buckets created later (matching any tags if specified). All AWS S3 Object Create events trigger inspection by Blue Hexagon.
Next Steps
As new objects are uploaded to or existing objects modified in any of the buckets for which inspection has been enabled, Blue Hexagon will automatically scan the object for any malware and report findings to the Blue Hexagon portal.
Analyzing Encrypted S3 Objects with Blue Hexagon
When you connect your account(s) with Blue Hexagon, one of the options presented is to allow encrypted S3 objects to be scanned or not. If the option is selected, the created IAM role grants Blue Hexagon the permissions it requires to decrypt and inspect an S3 object for malware. However, this depends on the type of encryption used to encrypt the object as discussed below.
Blue Hexagon Proprietary