Agents typically must be installed on virtual machines so they can collect data and send it to their controlling software running in a central location. For example, OSSEC is the agent for the Wazuh SIEM; CrowdStrike and Lacework each have their own agents. The ClamAV antivirus scanner can also be treated as an agent whose results are collected and forwarded to Wazuh.
The DuploCloud platform provides seamless installation and management of these agents. Three types of agents are installed:
Docker-based agents, of two kinds:
Kubernetes DaemonSets, which run on all or a subset of hosts in a cluster. These containers are typically launched with privileged access to the host operating system, so scope them to only the nodes that need them.
Containers that run on all or a subset of hosts and are orchestrated through DuploCloud's built-in container orchestration. These containers are typically launched with predefined access to the host operating system.
Non-Docker VM agents: Linux packages or Windows services that are baked into virtual machine images before the VMs are launched. They can also be installed via user data.
Create an Agent Type. Each vendor or agent software is considered a type. For example, OSSEC, ClamAV, Lacework, and CrowdStrike are all different agent types. To add a new agent type, navigate to Security -> Agents and click Add. The Add Security Agent pane displays. Enter the Agent Name and click Create.
Create an agent deployment. Under the desired Agent tab, add a deployment to deploy the agent to the Hosts. You must create at least one deployment per Kubernetes cluster. You can deploy to all hosts in a Kubernetes cluster, or to all hosts of a specific Tenant. Deploying per Tenant is useful for Kubernetes clusters or DuploCloud Infrastructures that contain Tenants on which specific agents should not run.
Behind the scenes, this deployment is just a regular Kubernetes Daemonset deployment or a built-in container orchestration deployment within a tenant, as documented here.
You can create multiple deployments for multiple tenants. With Kubernetes-based orchestration (as opposed to DuploCloud's built-in orchestration), a single deployment can target all nodes in the cluster. The following are the fields in the Update Security Agent Deployment page:
Name is a desired name to track the deployment.
Cluster is the infrastructure name and is the maximum scope of deployment.
Host Tenant is the tenant namespace where the daemon set will be deployed.
Deployment Type is either a DaemonSet, meaning Kubernetes, or Docker Native for built-in container orchestration.
Once deployed, you can view the deployed instances of the agents under their respective agent tabs, as shown below:
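Because a DaemonSet deployment is just a regular Kubernetes DaemonSet, it helps to see what the platform is producing on your behalf. The following is an added example, not DuploCloud's own code: a small generator that emits a DaemonSet manifest scoped either to every node in the cluster (the Cluster field) or to the nodes of one tenant (the Host Tenant field). The tenant node label key, the image names, the namespace and the host paths are assumptions; substitute the values your cluster and agent vendor actually use. Host paths are mounted read-only and, unless the agent is explicitly marked privileged, the container drops all capabilities, which is the least-privilege posture to aim for given that these agents see the whole host.

```python
"""Generate a DaemonSet manifest for a security agent, scoped to a cluster or a tenant.

Added example; not DuploCloud platform code. TENANT_LABEL, the image names, the
namespace and the host paths below are assumptions.
"""
import json

# Assumption: nodes carry a label naming the tenant that owns them. The real
# label key is not given on this page; replace it with the one your cluster uses.
TENANT_LABEL = "duplocloud.net/tenant"


def build_agent_daemonset(agent, image, namespace, tenant=None,
                          privileged=False, host_paths=("/var/log", "/etc")):
    """Return a DaemonSet manifest (as a dict) that runs `image` on every node,
    or only on nodes labelled for `tenant` when one is given.

    Host paths are always mounted read-only: collecting logs and config does not
    need write access, and a compromised agent must not be able to alter them.
    """
    labels = {"app": agent, "role": "security-agent"}
    volumes, mounts = [], []
    for i, path in enumerate(host_paths):
        name = f"host-{i}"
        volumes.append({"name": name, "hostPath": {"path": path}})
        mounts.append({"name": name, "mountPath": f"/host{path}", "readOnly": True})

    security_context = {"privileged": privileged,
                        "allowPrivilegeEscalation": privileged}
    if not privileged:
        # Least privilege for agents that only read files and the process list.
        security_context.update({"readOnlyRootFilesystem": True,
                                 "capabilities": {"drop": ["ALL"]}})

    pod_spec = {
        "hostPID": True,                           # HIDS agents inspect host processes
        "tolerations": [{"operator": "Exists"}],   # schedule on tainted nodes too
        "containers": [{"name": agent, "image": image,
                        "securityContext": security_context,
                        "volumeMounts": mounts}],
        "volumes": volumes,
    }
    if tenant:
        # Host Tenant scope: only nodes carrying the tenant label get the agent.
        pod_spec["nodeSelector"] = {TENANT_LABEL: tenant}

    return {
        "apiVersion": "apps/v1",
        "kind": "DaemonSet",
        "metadata": {"name": f"{agent}-{tenant or 'all'}",
                     "namespace": namespace, "labels": labels},
        "spec": {"selector": {"matchLabels": labels},
                 "template": {"metadata": {"labels": labels}, "spec": pod_spec}},
    }


def to_manifest(ds):
    """JSON is accepted by `kubectl apply -f`, so no YAML dependency is needed."""
    return json.dumps(ds, indent=2)


if __name__ == "__main__":
    # Assumed image and namespace; an OSSEC-style agent for the "prod" tenant only.
    ds = build_agent_daemonset("ossec", "example.registry/wazuh-agent:4",
                               "duploservices-compliance", tenant="prod",
                               privileged=True)
    print(to_manifest(ds))
```

Pipe the output to `kubectl apply -f -` to create the deployment by hand; the DuploCloud portal performs the equivalent step when you save a DaemonSet-type deployment. If an agent genuinely needs `privileged: true`, pair it with a tenant-scoped `nodeSelector` so the blast radius of a compromised agent stays inside one tenant.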
We use Wazuh as the SIEM. The primary functions of the SIEM are:
Data Repository
Event Processing Rules
Dashboard
Events and Alerting
OSSEC agents are deployed at endpoints (VMs in the cloud), where they collect event data from sources such as syslog, virus scan results, NIDS alerts, file integrity events, and so on. The data is sent to the centralized Wazuh server deployed in the Compliance Tenant, where it is run through a set of rules to produce events and alerts. These are stored in OpenSearch and presented in a Kibana dashboard. Data is also ingested from cloud provider sources such as CloudTrail, AWS Trusted Advisor, GuardDuty, container registry scans, Azure Security Center, and others.
If a customer wants a SIEM, setup is fully orchestrated as an out-of-the-box experience. The platform automatically installs and updates OSSEC agents on the DuploCloud Hosts.
Typically one centralized SIEM serves multiple accounts: one DuploCloud implementation hosts the SIEM, and other DuploCloud environments ingest their data into it.
Ensuring Security of cloud assets using the DuploCloud Portal
The DuploCloud Platform orchestrates several third-party tools to bring together a comprehensive monitoring capability that validates the provisioning-time controls described in the previous sections. The SIEM is the central component here and consolidates all events. In AWS, DuploCloud also integrates with Security Hub.
Monitoring file integrity using the DuploCloud Platform
The DuploCloud platform leverages OSSEC to implement File Integrity Monitoring (FIM). Agents on Hosts monitor key files for changes by verifying the checksum and attributes (permissions, ownership, size) of the monitored files. A system check runs every twelve (12) hours. To verify FIM, navigate to SIEM and click Integrity Monitoring. For more information, refer to the Wazuh File Integrity Monitoring documentation.
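To make concrete what "checksum and attributes" buys you, here is an added example (not OSSEC or DuploCloud code) of the core of a file integrity check: take a baseline snapshot of watched files, take a second snapshot later, and diff them. It deliberately includes the case a checksum-only monitor misses, a permission change with unchanged content (for example `sudoers` made world-writable), as well as a deleted file and a newly created `authorized_keys`. The file names and contents are constructed for the demo; the tool tracks only the fields OSSEC's syscheck also records (hash, mode, owner, group, size) and leaves out mtime and inode to keep the demo deterministic.

```python
"""Minimal file integrity monitor: baseline snapshot, later snapshot, diff.

Added example, not OSSEC/Wazuh code. The watched file names and their
contents in demo() are constructed for illustration.
"""
import hashlib
import os
import stat
import tempfile


def snapshot(root, relpaths):
    """Return {relpath: attributes} for each watched file under root.

    A missing file maps to None so that deletions are detectable.
    """
    out = {}
    for rel in relpaths:
        path = os.path.join(root, rel)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            out[rel] = None
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        out[rel] = {
            "sha256": digest.hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),   # permission bits only
            "uid": st.st_uid,
            "gid": st.st_gid,
            "size": st.st_size,
        }
    return out


def compare(baseline, current):
    """Return sorted (event, relpath, changed_fields) tuples.

    changed_fields is empty for added/deleted files and lists the attributes
    that differ for modified ones, so an attribute-only change (e.g. chmod)
    is reported even though the checksum is unchanged.
    """
    events = []
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before is None and after is None:
            continue                       # never existed in either snapshot
        if before is None:
            events.append(("added", rel, ()))
        elif after is None:
            events.append(("deleted", rel, ()))
        elif before != after:
            changed = tuple(k for k in before if before[k] != after[k])
            events.append(("modified", rel, changed))
    return events


def demo():
    """Simulate tampering between two checks and return the FIM events."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for sensitive files; not real system files.
        files = {
            "passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "sshd_config": b"PermitRootLogin no\n",
            "sudoers": b"root ALL=(ALL) ALL\n",
        }
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
            os.chmod(os.path.join(root, name), 0o600)
        watched = ["passwd", "sshd_config", "sudoers", "authorized_keys"]
        baseline = snapshot(root, watched)

        # Tampering: content change, attribute-only change, deletion, new key file.
        with open(os.path.join(root, "sshd_config"), "wb") as fh:
            fh.write(b"PermitRootLogin yes\n")
        os.chmod(os.path.join(root, "sudoers"), 0o666)
        os.remove(os.path.join(root, "passwd"))
        with open(os.path.join(root, "authorized_keys"), "wb") as fh:
            fh.write(b"ssh-ed25519 AAAAC3Nza(constructed) attacker@example\n")

        return compare(baseline, snapshot(root, watched))


if __name__ == "__main__":
    for event in demo():
        print(event)
```

In Wazuh the twelve-hour cadence mentioned above corresponds to `<frequency>43200</frequency>` inside the `<syscheck>` block of ossec.conf; the events it emits carry the same kind of added/modified/deleted distinction and the list of changed attributes shown here.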
CIS benchmark monitoring using Wazuh and Ossec for Hosts
The DuploCloud platform orchestrates CIS benchmark monitoring for virtual machines using Wazuh and OSSEC. Wazuh's Security Configuration Assessment (SCA) module scans hosts against hardening and configuration policies. To check the SCA report, navigate to the SIEM dashboard and click Security Events. In the search field, enter rule.groups: "sca". For more information, refer to the Wazuh SCA documentation.
DuploCloud integrates with AWS Security Hub for cloud provider CIS posture and enables several other conformance packs, such as PCI and AWS Foundational Security Best Practices v1.0.0.
Currently, Azure and GCP need to be set up and managed manually out of band from their portals using Azure Security Center and GCP Security Command Center, respectively. DuploCloud will release the GCP command center integration sometime in Q2 2024 and Azure in Q4 2024.
Antivirus protection in the SIEM dashboard of the DuploCloud Portal
DuploCloud leverages ClamAV for antivirus (AV) protection. The AV database is refreshed once a week, and scans are performed once every hour. The results are centralized in the SIEM dashboard.
Security Events monitoring in the DuploCloud Platform
The DuploCloud platform leverages OSSEC to monitor and log all VM access. Navigate to SIEM and click Security Events.
Network Intrusion Detection System (NIDS) in the DuploCloud Portal
We leverage AWS GuardDuty for NIDS, and those alerts are integrated into the DuploCloud SIEM dashboard. For GCP and Azure, this needs to be set up directly in their respective portals.
Host and cloud inventory monitoring in the DuploCloud Portal
DuploCloud provides inventory monitoring at two levels:
Host inventory is done via OSSEC and integrated in the DuploCloud SIEM dashboard.
Cloud inventory is available by navigating to Administrator -> Inventory.
Vulnerability and Penetration Testing (VAPT) or Pen Test in the DuploCloud Platform
DuploCloud provides annual penetration testing services for customers with DevSecOps or higher packages. This is a combination of manual and automated scans.
The automated scans involve both passive and active scans. For a detailed description of the test methodology, please contact us via your Slack channel or email.
In addition to SIEM, we integrate with AWS Security Hub for centralized monitoring of security events, utilizing predefined AWS Conformance Packs.
We forward SIEM alerts to Sentry and configure alerts above a certain level (typically 10) to be routed via email. Notifications for Security Hub findings are set up via SNS.
Detect security vulnerabilities in Hosts in the DuploCloud Portal
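The two pieces described above, the rule set that turns raw endpoint logs into levelled alerts and the level threshold that decides which alerts are worth an email, fit together as follows. This is an added example written for this page, not Wazuh's rule engine: a tiny regex-based analyser over constructed sshd and sudo syslog lines, with one correlation rule that escalates five failed logins from the same source IP within 120 seconds to level 10 (Wazuh expresses the same idea with `frequency`, `timeframe`, `if_matched_sid` and `same_source_ip` in a rule). Rule IDs, levels and the log lines are all made up for the demo; only the routing threshold of 10 comes from the text.

```python
"""Toy SIEM rule pipeline: match, level, correlate, route by level threshold.

Added example for this page; not Wazuh/OSSEC code. Rule IDs, levels and the
sample log lines are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog lines: a password-guessing burst from 203.0.113.7, one stray
# failure from another address, a successful key login, and a sudo command.
SAMPLE_LOGS = [
    "Jan 10 10:00:01 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2",
    "Jan 10 10:00:04 web1 sshd[2012]: Failed password for root from 203.0.113.7 port 50130 ssh2",
    "Jan 10 10:00:09 web1 sshd[2013]: Failed password for invalid user oracle from 203.0.113.7 port 50141 ssh2",
    "Jan 10 10:00:15 web1 sshd[2014]: Failed password for root from 203.0.113.7 port 50150 ssh2",
    "Jan 10 10:00:22 web1 sshd[2015]: Failed password for invalid user test from 203.0.113.7 port 50166 ssh2",
    "Jan 10 10:00:30 web1 sshd[2016]: Failed password for root from 203.0.113.7 port 50171 ssh2",
    "Jan 10 10:00:33 web1 sshd[2017]: Failed password for deploy from 192.0.2.55 port 61002 ssh2",
    "Jan 10 10:00:40 web1 sshd[2020]: Accepted publickey for deploy from 198.51.100.9 port 4100 ssh2",
    "Jan 10 10:01:00 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx",
]

# Single-event rules: first match wins (a simplification of Wazuh's decoder/rule tree).
RULES = [
    {"id": 100001, "level": 5, "groups": ("sshd", "authentication_failed"),
     "pattern": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\S+)")},
    {"id": 100002, "level": 3, "groups": ("sshd", "authentication_success"),
     "pattern": re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<srcip>\S+)")},
    {"id": 100003, "level": 3, "groups": ("sudo",),
     "pattern": re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")},
]

# Correlation rule: N matches of a parent rule sharing a field inside a time window.
CORRELATIONS = [
    {"id": 100010, "level": 10, "if_matched_sid": 100001, "same_field": "srcip",
     "frequency": 5, "timeframe": 120, "groups": ("sshd", "authentication_failures")},
]


def _timestamp(line):
    # Syslog timestamps carry no year; a fixed year is assumed for the demo.
    return datetime.strptime("2024 " + line[:15], "%Y %b %d %H:%M:%S").timestamp()


class RuleEngine:
    def __init__(self, rules, correlations):
        self.rules, self.correlations = rules, correlations
        self.windows = defaultdict(deque)   # (correlation id, key) -> timestamps

    def process_line(self, line):
        ts, alerts = _timestamp(line), []
        for rule in self.rules:
            match = rule["pattern"].search(line)
            if not match:
                continue
            fields = match.groupdict()
            alerts.append({"rule_id": rule["id"], "level": rule["level"],
                           "groups": rule["groups"], "fields": fields, "log": line})
            alerts.extend(self._correlate(rule["id"], fields, ts, line))
            break
        return alerts

    def _correlate(self, sid, fields, ts, line):
        out = []
        for corr in self.correlations:
            if corr["if_matched_sid"] != sid:
                continue
            key = fields.get(corr["same_field"])
            window = self.windows[(corr["id"], key)]
            window.append(ts)
            while window and ts - window[0] > corr["timeframe"]:
                window.popleft()            # drop events outside the timeframe
            if len(window) >= corr["frequency"]:
                out.append({"rule_id": corr["id"], "level": corr["level"],
                            "groups": corr["groups"], "log": line,
                            "fields": {corr["same_field"]: key, "count": len(window)}})
                window.clear()              # fire once per window, like Wazuh
        return out

    def process(self, lines):
        return [a for line in lines for a in self.process_line(line)]


def route(alerts, email_level=10):
    """Alerts at or above the threshold are the ones forwarded by email."""
    return [a for a in alerts if a["level"] >= email_level]


def analyze(lines, email_level=10):
    alerts = RuleEngine(RULES, CORRELATIONS).process(lines)
    return alerts, route(alerts, email_level)


if __name__ == "__main__":
    alerts, emailed = analyze(SAMPLE_LOGS)
    print(f"{len(alerts)} alerts, {len(emailed)} routed to email")
    for a in emailed:
        print(a["rule_id"], a["level"], a["fields"])
```

The individual failures stay at level 5 and only reach the dashboard; the escalated level-10 correlation alert is the one that crosses the email threshold, which is exactly why tuning the per-rule levels matters more than the threshold itself.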
DuploCloud uses OSSEC for vulnerability detection in Hosts. The data is ingested into the SIEM and is displayed in the dashboard. The DuploCloud operations team typically patches VMs every quarter. To access the vulnerability dashboard, navigate to SIEM -> Dashboard -> Vulnerabilities. For more information on implementation, refer to the Wazuh Vulnerability Detection Guide.
In AWS, the platform also integrates with Amazon Inspector for vulnerability scanning.
Host Intrusion Detection System (HIDS) in the DuploCloud Portal
A Host Intrusion Detection System (HIDS) is implemented using OSSEC and integrated into the DuploCloud SIEM dashboard. Agents installed by DuploCloud combine anomaly and signature-based technologies to detect intrusions or software misuse. They can also monitor user activities, assess system configuration, and detect vulnerabilities.