The Novum Times
Cisco Secure Firewall Integration with Amazon Security Lake

by The Novum Times
4 June 2023
in Business

Cisco is a partner of Amazon Security Lake, supporting the Open Cybersecurity Schema Framework

At AWS re:Invent 2022, Cisco was proud to be a launch partner for Amazon Security Lake, a new AWS service that automatically centralizes an organization's security data from cloud, on-premises, and custom sources into a purpose-built data lake stored in the customer's own account. With support for the Open Cybersecurity Schema Framework (OCSF) standard, the service can normalize and combine security data from AWS and a broad range of enterprise security data sources. Amazon Security Lake helps you analyze security data so you can get a more complete understanding of your security posture across your entire organization.

As part of the Cisco Secure Technical Alliance, I had the opportunity to build the Cisco Secure Firewall integration into Amazon Security Lake for the public preview. With the general availability of Amazon Security Lake, I updated the OCSF support and validated the integration.

If you have never worked with Secure Firewall or eNcore, here is a summary:

Secure Firewall serves as an organization's centralized source of security information. It uses advanced threat detection to flag and act on malicious ingress, egress, and east-west traffic, while its logging capabilities store information on events, threats, and anomalies. By integrating Secure Firewall with Amazon Security Lake through Secure Firewall Management Center, organizations can store firewall logs in a structured and scalable manner.

What is the eNcore Client?

The eNcore client provides a way to tap into the eStreamer message-oriented protocol to stream events and host profile information from the Cisco Secure Firewall Management Center. The eNcore client can request event and host profile data from a Management Center, and intrusion event data only from a managed device. The eNcore application initiates the data stream by submitting request messages, which specify the data to be sent, and then controls the message flow from the Management Center or managed device after streaming begins.

With eNcore you can access the full list of firewall event types and metadata records, including packet records, security intelligence events, enhanced intrusion data, legacy events and more. In total, over 1000 record types are supported by eStreamer, going back to the inception of Secure Firewall. More details can be found in the full eStreamer specification.

eNcore runs on Python 3.6+ and supports Firepower Management Center version 6.0 and above; for more details on the eNcore client, please see our operations guide.

What's New with the General Availability?

With the Amazon Security Lake launch, I enhanced the CloudFormation deployment script for the eNcore client to automate more features and make the installation process easier. Additionally, a user interface has been added to the eNcore client to manage and monitor firewall logs flowing into and out of Amazon Security Lake. The Network Activity OCSF schema mappings have been fine-tuned to match fields to the proper class structure definition, and support has been added for more firewall event types, including malware and intrusion events.

The Goal: Provide an Adaptable Framework that Evolves with OCSF

Normalization:

The OCSF standard aims to provide a common representation of the nested data structures of security data across all sources, vendors and applications. An interactive schema is available that lets you drill down into the OCSF class structures and data definitions.

Cisco released an updated version of the eNcore client that can stream firewall logs to multiple destinations. The update adds support for converting the logs into OCSF format. The firewall data is represented in the Network Activity event class, and the logs are mapped to the various attributes and data types under that class.

This integration builds a portable framework in the eNcore client that decodes Secure Firewall data and translates it into key-value data sets based on Python classes that mirror the OCSF schema, providing the transformations that adapt Secure Firewall logs to Network Activity events. In short, eNcore is the glue that maps raw Cisco Secure Firewall events into a concise, consumable format for Amazon Security Lake.
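As an added illustration of the mapping just described (example code written for this page, not eNcore's own implementation), the block below turns a constructed connection record into an OCSF Network Activity event through Python dataclasses that mirror the OCSF objects. The record's field names, the zone names used to infer direction, and the choice of Traffic/Refuse activities and severities are assumptions; the class, category, activity and direction identifiers are OCSF 1.0.0 public schema values.

```python
"""Added example (not eNcore's code): map a decoded eStreamer-style connection
record to an OCSF Network Activity event through Python classes that mirror the
OCSF objects. Field names, zone names and activity/severity choices are assumptions."""
import json
from dataclasses import dataclass, field, asdict

# OCSF public schema values for the Network Activity class (OCSF 1.0.0).
CLASS_UID, CATEGORY_UID = 4001, 4
ACTIVITY_ID = {"Unknown": 0, "Open": 1, "Close": 2, "Reset": 3,
               "Fail": 4, "Refuse": 5, "Traffic": 6, "Other": 99}
DIRECTION_ID = {"Unknown": 0, "Inbound": 1, "Outbound": 2, "Lateral": 3}

# Constructed sample input: two records as they might look after eNcore has
# decoded the eStreamer binary connection record.
SAMPLE_RECORDS = [
    {"action": "Allow", "first_packet": 1685880000, "protocol": 6,
     "initiator_ip": "10.1.2.3", "initiator_port": 51234, "initiator_bytes": 1820,
     "responder_ip": "93.184.216.34", "responder_port": 443, "responder_bytes": 40960,
     "ingress_zone": "inside", "egress_zone": "outside", "fmc_version": "7.2.0"},
    {"action": "Block", "first_packet": 1685880005, "protocol": 6,
     "initiator_ip": "203.0.113.7", "initiator_port": 40000, "initiator_bytes": 60,
     "responder_ip": "10.1.2.3", "responder_port": 22, "responder_bytes": 0,
     "ingress_zone": "outside", "egress_zone": "inside", "fmc_version": "7.2.0"},
]

# Python classes mirroring the OCSF objects that Network Activity is built from.
@dataclass
class Endpoint:
    ip: str
    port: int

@dataclass
class ConnectionInfo:
    protocol_num: int
    direction_id: int

@dataclass
class Traffic:
    bytes_in: int    # destination -> source, per the OCSF definition
    bytes_out: int   # source -> destination

@dataclass
class NetworkActivity:
    time: int        # epoch milliseconds, as OCSF requires
    activity_id: int
    activity_name: str
    severity_id: int
    src_endpoint: Endpoint
    dst_endpoint: Endpoint
    connection_info: ConnectionInfo
    traffic: Traffic
    metadata: dict   # must carry the schema version and the product
    unmapped: dict   # source fields that have no OCSF attribute
    class_uid: int = CLASS_UID
    category_uid: int = CATEGORY_UID
    type_uid: int = field(init=False, default=0)
    type_name: str = field(init=False, default="")

    def __post_init__(self):
        # OCSF rule: type_uid = class_uid * 100 + activity_id, so derive it, never store it
        self.type_uid = self.class_uid * 100 + self.activity_id
        self.type_name = f"Network Activity: {self.activity_name}"

def direction_from_zones(ingress, egress):
    """Assumption for the example: the zone names say which side is internal."""
    if (ingress, egress) == ("inside", "outside"):
        return DIRECTION_ID["Outbound"]
    if (ingress, egress) == ("outside", "inside"):
        return DIRECTION_ID["Inbound"]
    return DIRECTION_ID["Lateral" if ingress == egress == "inside" else "Unknown"]

def to_network_activity(rec):
    """Mapper: decoded connection record -> OCSF Network Activity event as a dict."""
    # Assumption: an allowed connection maps to Traffic, a blocked one to Refuse.
    activity = "Traffic" if rec["action"] == "Allow" else "Refuse"
    event = NetworkActivity(
        time=rec["first_packet"] * 1000,
        activity_id=ACTIVITY_ID[activity], activity_name=activity,
        severity_id=1 if activity == "Traffic" else 3,  # Informational / Medium
        src_endpoint=Endpoint(rec["initiator_ip"], rec["initiator_port"]),
        dst_endpoint=Endpoint(rec["responder_ip"], rec["responder_port"]),
        connection_info=ConnectionInfo(
            rec["protocol"], direction_from_zones(rec["ingress_zone"], rec["egress_zone"])),
        traffic=Traffic(bytes_in=rec["responder_bytes"], bytes_out=rec["initiator_bytes"]),
        metadata={"version": "1.0.0", "product": {"vendor_name": "Cisco",
                  "name": "Secure Firewall", "version": rec["fmc_version"]}},
        unmapped={k: rec[k] for k in ("action", "ingress_zone", "egress_zone")},
    )
    return asdict(event)  # plain dict: what the JSON and parquet writers consume

def to_json_lines(records):
    """The local JSON destination: one OCSF event per line."""
    return "\n".join(json.dumps(to_network_activity(r), sort_keys=True) for r in records)

if __name__ == "__main__":
    print(to_json_lines(SAMPLE_RECORDS))
```

Two design points carry over to any real mapper: type_uid is derived in __post_init__ rather than stored, so it cannot drift from activity_id, and source fields with no OCSF home go into unmapped instead of being dropped or forced into an attribute that means something else. Running the block prints one OCSF event per line, the shape of the local JSON destination.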

Validating OCSF Compliance

OCSF compliance was validated using tools provided by the OCSF project, such as the Swagger API of the OCSF server.

This API helps determine whether data matches the OCSF schema and its object hierarchy. It is available under the OCSF server project and is continually updated to support new data types and constructs; as of this writing the eNcore client supports the development version (v0.0.0) of the OCSF schema. Events from Secure Firewall are modeled against the Network Activity class structure, and by calling the /api/classes/NETWORK_ACTIVITY URI we can validate output in real time to determine whether the output structure matches the latest OCSF standard. Because the server tracks a moving schema while the client is pinned to one version, the validation should be re-run whenever either side is upgraded.
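The OCSF server's API is the authoritative check, but the structural rules it enforces for Network Activity can also be applied locally before an event is written to the lake, so that a mapping slip is caught in the client rather than in Athena. The following is an added example, not eNcore's or the OCSF project's code; the events it checks are constructed here and the enum values are OCSF 1.0.0 public schema values.

```python
"""Added example (not eNcore's or the OCSF project's code): a local check that an
event conforms to the OCSF Network Activity structure, in the spirit of the
validation the OCSF server exposes over its API. Sample events are constructed;
the identifiers are OCSF 1.0.0 public schema values."""

# OCSF values for the Network Activity class.
CLASS_UID, CATEGORY_UID = 4001, 4
ACTIVITY_IDS = {0, 1, 2, 3, 4, 5, 6, 99}     # Unknown, Open ... Traffic, Other
SEVERITY_IDS = {0, 1, 2, 3, 4, 5, 6, 99}     # Unknown, Informational ... Fatal, Other
REQUIRED = ("class_uid", "category_uid", "type_uid", "activity_id", "severity_id",
            "time", "metadata")
REQUIRED_METADATA = ("version", "product")

def validate_network_activity(event):
    """Return a list of problems; an empty list means the event passed."""
    problems = [f"missing required attribute: {n}" for n in REQUIRED if n not in event]
    if problems:
        return problems   # no point checking consistency of attributes that are absent
    if event["class_uid"] != CLASS_UID:
        problems.append(f"class_uid {event['class_uid']} is not Network Activity (4001)")
    if event["category_uid"] != CATEGORY_UID:
        problems.append(f"category_uid {event['category_uid']} is not Network Activity (4)")
    if event["activity_id"] not in ACTIVITY_IDS:
        problems.append(f"activity_id {event['activity_id']} is not a Network Activity enum value")
    if event["severity_id"] not in SEVERITY_IDS:
        problems.append(f"severity_id {event['severity_id']} is not a valid severity")
    if event["type_uid"] != event["class_uid"] * 100 + event["activity_id"]:
        problems.append("type_uid must equal class_uid * 100 + activity_id")
    # OCSF 'time' is epoch milliseconds; passing seconds through is the classic slip.
    if not isinstance(event["time"], int) or event["time"] < 10**12:
        problems.append("time must be an integer epoch value in milliseconds")
    missing_meta = [n for n in REQUIRED_METADATA if n not in event["metadata"]]
    if missing_meta:
        problems.append(f"metadata is missing {', '.join(missing_meta)}")
    for side in ("src_endpoint", "dst_endpoint"):
        endpoint = event.get(side)
        if endpoint is not None and not isinstance(endpoint.get("ip"), str):
            problems.append(f"{side}.ip must be a string")
    return problems

# Constructed sample: a conforming event and a deliberately broken copy of it.
GOOD_EVENT = {
    "class_uid": 4001, "category_uid": 4, "activity_id": 6, "type_uid": 400106,
    "severity_id": 1, "time": 1685880000000,
    "metadata": {"version": "1.0.0",
                 "product": {"vendor_name": "Cisco", "name": "Secure Firewall"}},
    "src_endpoint": {"ip": "10.1.2.3", "port": 51234},
    "dst_endpoint": {"ip": "93.184.216.34", "port": 443},
}
# Wrong type_uid for the activity, time in seconds, metadata without a version.
BAD_EVENT = dict(GOOD_EVENT, type_uid=400101, time=1685880000,
                 metadata={"product": {"vendor_name": "Cisco"}})

def validation_report(events):
    """Run the check over many events; returns {index: problems} for failures only."""
    report = {}
    for i, event in enumerate(events):
        problems = validate_network_activity(event)
        if problems:
            report[i] = problems
    return report

if __name__ == "__main__":
    for i, problems in validation_report([GOOD_EVENT, BAD_EVENT]).items():
        print(f"event {i} failed:")
        for p in problems:
            print("  -", p)
```

The check refuses rather than repairs: an event that fails stays out of the lake, because a silently "fixed" record would be indistinguishable from a correctly mapped one once it has been crawled into the table.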

The Design

As described above, the eNcore client requests event and host profile messages from the Management Center over eStreamer (and intrusion events from a managed device), specifying in its request messages which data should be sent and controlling the message flow once streaming begins.

These messages are mapped to OCSF Network Activity events using a series of transformations embedded in the eNcore code base, which acts as both the author and the mapper persona in the OCSF schema workflow. Once validated against an internal OCSF schema, the events are written to two destinations: first, a local JSON-formatted file in a configurable directory path, and second, compressed parquet files partitioned by event hour in the S3 bucket that Amazon Security Lake assigns to the source. The S3 directories containing the formatted logs are crawled hourly and the results are stored in an Amazon Security Lake database. From there we can view the schema definitions extracted by the AWS Glue crawler and identify the field names, data types, and other metadata associated with your Network Activity events. The event logs can also be queried with Amazon Athena to visualize the log data.

Get Started

To use the eNcore client with Amazon Security Lake, first go to the Cisco public GitHub repository for Firepower eNcore, OCSF branch.

Download and run the CloudFormation template eNcoreCloudFormation.yaml.

The CloudFormation template prompts for the additional parameters needed during stack creation; they are as follows:

Cidr Block: IP address range for the provisioned client; a default range is pre-populated.

Instance Type: The EC2 instance size; defaults to t4.large.

KeyName: The EC2 key pair (.pem file) that will enable SSH access to the instance.

AmazonSecurityLakeBucketForCiscoURI: The S3 location of your Security Lake bucket.

FMC IP: IP address or domain name of the Cisco Secure Firewall Management Center.

After the CloudFormation setup is complete, it can take anywhere from 3 to 5 minutes to provision the resources in your environment. The CloudFormation console provides a detailed view of all the resources generated by the template.

Once the EC2 instance for the eNcore client is ready, we need to allow-list the client IP address in our Secure Firewall Management Center and generate a certificate file for secure endpoint communication.

Steps:

1. In the Secure Firewall Management Center, navigate to Search -> eStreamer to find the allow list of client IP addresses that are permitted to receive data.
2. Click Add and supply the client IP address that was provisioned for our EC2 instance.
3. You will also be asked to supply a password; click Save to create a secure certificate file for your new EC2 instance.
4. Download the certificate you just created and copy it to the /eNcore directory on your EC2 instance, or upload it using the eNcore GUI, which is detailed in the next section.

eNcore GUI

Now that we have the certificate, we can use the eNcore GUI to upload it. This is the new piece we have added since the public preview back in December 2022: users can now control and configure connectivity to the Firepower Management Center (FMC) in a central location instead of installing and running complex command line scripts, although system administrators and power users are still welcome to use that method.

To access the eNcore GUI, navigate to http://<Your EC2 Instance IP Address>:<port>; in the original example this was http://52[.]207.21.3:8184. In this example we run an SSH tunnel with local port forwarding, authenticating with the AWS .pem key, so that the GUI on the EC2 instance is reached from our local host. The command below forwards local port 8141 to port 3000 on the instance; the forwarded port must match the port the GUI actually listens on, and the local port can be any free port on your system. Depending on your organization's network security posture you may be able to reach the eNcore GUI directly without a tunnel, but since the GUI is served over plain HTTP, the tunnel keeps the certificate upload and its password off the open network. For more details on port forwarding to EC2 instances, see the AWS documentation.

ssh -i eNcore-ubuntu.pem -N -L 8141:ec2-52-207-21-3.compute-1.amazonaws.com:3000 ubuntu@ec2-52-207-21-3.compute-1.amazonaws.com

Click on the Configuration section to see an outline of the steps needed to run the eNcore streaming process. Since we used the AWS CloudFormation template, the first two steps have already been completed. Next, we can upload the certificate file and supply the password in the field. This will create the key and cert files that will be used to secure communication between the FMC and the EC2 instance running the eNcore client. The downloaded bundle contains the client's private key, protected by that password, so handle it as a secret: it is what authorizes this host to pull the firewall's event stream.

Now that we have our communication established, we can send data to Amazon Security Lake. Click on the SIEM Integrations > AWS Data Lake link to see the active connections. You will see a list populated with the FMC we specified in our CloudFormation template. Click the Start button to initiate data streaming.

This begins the data relay and ingestion process. We can then navigate to the Amazon Security Lake S3 bucket we configured earlier to see OCSF-compliant logs formatted as gzip parquet files in a time-based directory structure.

We can verify this by heading back to our AWS Data Lake repository to view the results. As we can see, there are new folders that conform to the partitioning required by Amazon Security Lake. The source we configured earlier in the CloudFormation template produces partitioning that enables the AWS Glue crawler to efficiently consume and process the event data and tie it back to the custom data source we defined earlier, CISCOFIREWALL.

Event data is placed into S3 by event time, and file creation is rotated based on size, with a maximum file size of 256MB. The files are named according to the time at which the last event was processed, providing a first-hand look at how far along the eNcore client is in the data streaming process.
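The following added example (not eNcore's code) models on local disk the sink behaviour described here and in the design section above: events partitioned by event hour, files rotated when they would exceed the 256 MB limit, and each file named after the last event it holds. It writes gzip JSON lines rather than parquet so it runs with only the standard library, and the ext/<source>/eventHour=... layout is an assumption for the example, not the Security Lake partition specification. Its demo uses a tiny size limit so the rotation is visible on six constructed events.

```python
"""Added example (not eNcore's code): a local model of the Security Lake sink the
article describes. Events are partitioned by event hour, a file is rotated when
its payload would exceed the size limit, and each file is named after the last
event it contains. Gzip JSON lines stand in for parquet to keep this within the
standard library; the directory layout under ext/<source>/ is an assumption."""
import gzip
import json
import os
import tempfile
from datetime import datetime, timezone

MAX_FILE_BYTES = 256 * 1024 * 1024   # the rotation limit stated in the article

def _utc(time_ms):
    return datetime.fromtimestamp(time_ms / 1000, tz=timezone.utc)

class HourlyPartitionedSink:
    def __init__(self, root, source="CISCOFIREWALL", max_bytes=MAX_FILE_BYTES):
        self.root, self.source, self.max_bytes = root, source, max_bytes
        self.buffers = {}      # partition -> list of encoded JSON lines
        self.sizes = {}        # partition -> uncompressed bytes buffered
        self.last_time = {}    # partition -> time of the newest buffered event
        self.written = []      # paths of files written so far
        self._seq = 0          # keeps file names unique within one second

    @staticmethod
    def partition_for(time_ms):
        """Partition from the OCSF 'time' attribute (epoch ms), by event hour."""
        return _utc(time_ms).strftime("eventHour=%Y%m%d%H")

    def write(self, event):
        """Buffer one event; rotate the partition's file when it would overflow."""
        line = json.dumps(event, sort_keys=True).encode() + b"\n"
        part = self.partition_for(event["time"])
        if self.buffers.get(part) and self.sizes[part] + len(line) > self.max_bytes:
            self.flush(part)
        self.buffers.setdefault(part, []).append(line)
        self.sizes[part] = self.sizes.get(part, 0) + len(line)
        self.last_time[part] = event["time"]

    def flush(self, part):
        """Write one partition's buffer as a gzip JSON-lines file; returns its path."""
        lines = self.buffers.pop(part, None)
        if not lines:
            return None
        directory = os.path.join(self.root, "ext", self.source, part)
        os.makedirs(directory, exist_ok=True)
        # Named after the newest event it holds, so the file name itself shows how
        # far along the stream has got.
        stamp = _utc(self.last_time[part]).strftime("%Y%m%dT%H%M%SZ")
        path = os.path.join(directory, f"{self.source}_{stamp}_{self._seq:03d}.json.gz")
        self._seq += 1
        with gzip.open(path, "wb") as fh:
            fh.writelines(lines)
        self.sizes.pop(part, None)
        self.written.append(path)
        return path

    def close(self):
        """Flush whatever is still buffered; returns every file written."""
        for part in list(self.buffers):
            self.flush(part)
        return self.written

def read_events(path):
    """Read a gzip JSON-lines file back into a list of events."""
    with gzip.open(path, "rt") as fh:
        return [json.loads(line) for line in fh]

def demo(root=None, max_bytes=300):
    """Write six constructed events spanning two hours with a tiny size limit so
    rotation is visible; returns the list of files produced."""
    root = root or tempfile.mkdtemp(prefix="security-lake-")
    sink = HourlyPartitionedSink(root, max_bytes=max_bytes)
    base_ms = 1685880000000   # 2023-06-04T12:00:00Z; events are 20 minutes apart
    for i in range(6):
        sink.write({"class_uid": 4001, "type_uid": 400106, "time": base_ms + i * 20 * 60_000,
                    "src_endpoint": {"ip": "10.1.2.3", "port": 51234 + i}})
    return sink.close()

if __name__ == "__main__":
    for path in demo():
        print(path, len(read_events(path)), "events")
```

Rotation is decided before the event is appended, so a file never exceeds the limit, and the partition comes from the event's own timestamp rather than the wall clock, which is what lets late-arriving events land in the hour the crawler expects to find them in.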

Amazon Security Lake then runs a crawler task every hour to parse and consume the log files in the target S3 directory, after which we can view the results with Amazon Athena. From Athena the data can be visualized in a variety of tools, including Amazon Managed Grafana and Amazon QuickSight; in the future we plan to build visualizations to showcase Secure Firewall data in Amazon Security Lake.

More information on how to configure and tune the eNcore eStreamer client can be found on our official website, including details on how to filter certain event types to focus your data retention policy, as well as performance guidelines and other detailed configuration settings.

You can check out the Amazon Security Lake User Guide for more information. I encourage you to try out OCSF yourself and see how it might help the community in the quest for normalization.

We'd love to hear what you think. Ask a question, comment below, and stay connected with Cisco Secure on social media.
