Threat Protection At The Speed Of Cloud


Whitepaper

Contents

• Introduction
• A Brief Introduction to AWS Security
• Shared Security Model
• Key AWS Services
• Blue Hexagon Key Concepts
• The Blue Hexagon Solution
• How Blue Hexagon Works With AWS
• Threat Prevention Via AWS-Native Services
• Avoiding the Challenges of Traditional Security in the Cloud
• Summary


Introduction

The rise of cloud-based Infrastructure as a Service (IaaS) has fundamentally changed the economics of enterprise computing. Lower costs and reduced operational overhead, paired with the ability to scale on demand and drive faster development cycles, have made services like Amazon Web Services the de facto destination for enterprise assets.

However, this sea change to the cloud comes with its own challenges, and for most enterprises, security is at the top of the list. Specifically, many organizations are struggling to translate the policies and protections from their traditional network perimeter to their new cloud-based environments.

What is even more challenging, cybersecurity is itself in a state of transformation. Threats have proven that they can evolve faster than traditional signatures, intelligence feeds, and sandboxes can deliver defenses. As a result, security teams are in the unenviable position of taking security tools that are increasingly outdated even in the traditional architecture and then trying to migrate them to a completely new architecture that they were never designed for.

Blue Hexagon provides organizations with a path forward. The solution directly addresses the biggest challenges in cybersecurity by providing sub-second identification of both known and unknown threats with near 100% accuracy, and it natively works with AWS infrastructure for visibility and enforcement. Instead of trying to bolt the old security model onto the cloud, organizations can adopt the new generation of security that naturally works with the new generation of infrastructure.

This paper introduces the key concepts of the AWS traffic mirroring and Blue Hexagon integration, and how the combination delivers malware protection for cloud workloads without agents or re-architecture.

A Brief Introduction to AWS Security

AWS simplifies life for enterprises by abstracting many of the complications associated with building and maintaining computing infrastructure. On the other hand, it has a sometimes dizzying array of services (and acronyms) that can initially be hard to navigate. So before diving into the integration of AWS and Blue Hexagon, it is important to understand some of the basics of how AWS works, particularly in relation to security.

Shared Security Model

First, it is important to understand that AWS is built on a shared security model. At the highest level this means that AWS takes responsibility for the security “of” the cloud, while the enterprise customer takes responsibility for the security “in” the cloud. This means that Amazon provides security for the underlying infrastructure itself, including the compute, storage, and networking needed to support the cloud. Essentially, everything that Amazon abstracts as a service is likewise secured by Amazon.

On the other hand, the customer is responsible for securing everything that goes into the cloud and all interactions with the cloud. For example, while it is AWS’s responsibility to provide secure database and storage infrastructure, it is up to the customer to secure the actual data that is stored in those services. If data needs to be encrypted at rest, it is the customer’s responsibility to implement that policy, just as they would in a traditional network. Similarly, while AWS provides a secure network infrastructure, that does not mean that they provide network security. It is still up to the customer to configure firewalls, implement intrusion detection and prevention, and put in place all of the controls needed to secure enterprise assets and data from outside threats.

In short, infrastructure security belongs to AWS, and enterprise security still belongs to the enterprise.


Key AWS Services

However, AWS doesn’t simply stop at the infrastructure level and leave organizations with all the burden of managing the cloud. Amazon provides a wealth of additional services and products that give organizations the tools to easily manage their cloud-based environments. While a full listing of all AWS services is beyond the scope of this paper, we have highlighted a few of the most important components related to network security and threat prevention.

• Firewalls - AWS provides basic firewalling capabilities, known as “Security Groups”, as part of the EC2 environment. These firewalls set ingress and egress rules based on port/protocol and likewise enable customers to create access control lists (ACLs) based on IP address or CIDR block. Note that, as with all services, AWS provides the firewalling capability, but it is up to the customer to configure and manage the firewall rules themselves.

• Amazon Simple Notification Service (SNS) - Amazon provides a messaging system capable of coordinating the flow of information in the AWS cloud. Customers can use this to communicate between their own application services, to connect distributed systems, and to orchestrate other AWS services. While not exactly the same, SNS is broadly analogous to Apache Kafka in providing high-speed messaging to many endpoints. This service provides an important vehicle for orchestrating security responses within the AWS cloud.

• AWS Lambda - At the highest level, AWS Lambda enables organizations to run code on virtually any backend without worrying about the server infrastructure. This allows organizations to do anything from designing completely serverless applications to writing simple functions that automate virtually anything within AWS. As such, Lambda provides an ideal mechanism for orchestrating a variety of responses to security events.

• Amazon VPC Traffic Mirroring - This new feature was recently introduced to simplify enabling security and compliance in AWS. Customers can use it to copy network traffic from an elastic network interface of Amazon EC2 instances to security platforms like Blue Hexagon, without needing to install agents or rearchitect their environment.

Source: Amazon, AWS Security Whitepaper, 2017


Blue Hexagon Key Concepts

This section provides a very brief introduction to the Blue Hexagon platform, how it works, and the key differences from existing approaches to security. For more details on how Blue Hexagon works, please review our whitepapers and additional resources available here.

Gaps in Cybersecurity

While the security industry has experienced incredible growth and innovation in the past several years, organizations continue to face some of the same fundamental challenges when it comes to cybersecurity.

• Signatures Are Still the Default - In spite of all the innovation in the security industry, most tools continue to rely on simple signatures when making fast, high-confidence security decisions. This includes IPS signatures, hashes of known malware, various IoCs of known threats, IP addresses, URLs and so on. All of these indicators rely on a threat being seen in the wild, analyzed, and then used to create a new signature. The problem is that the first attack succeeds, and it takes time to create and deliver the new intelligence and signatures. By the time the signature is delivered, the threat has likely evolved to avoid it, making the signature obsolete on delivery.

• Malware Sandboxes Are Too Slow - Malware sandboxes, which were once seen as the solution to evolving threats, fall into the same conundrum. First, modern malware has become highly adept at evading sandbox-based analysis. Secondly, sandbox analysis is slow even in the best of cases, taking minutes to render a verdict, thus putting security well behind the speed of the attack. When a threat is detected, the sandbox then enters the same signature-writing process referenced above, meaning that actual sandbox-based protections are often not implemented until days after the threat was first seen.

• Early Machine Learning is Slow and Inconclusive - Algorithms, AI, and machine-learning models are capable of detecting threats without the need for simple signatures and IoCs. However, these detection models often rely on detecting anomalies in high-level data such as traffic flows, logs, and other metrics, and require time to learn normal baselines of behavior. In addition to taking days and weeks of analysis, these detections are often unreliable and require analysts to manually investigate and confirm the nature of the anomaly.

The Blue Hexagon Solution

Blue Hexagon bridges the cybersecurity gap by retaining the best of the models above while removing their limitations. By applying deep learning to network traffic (including both header-level information and payloads), Blue Hexagon is able to identify both known and unknown threats with near 100% accuracy in less than a second.

• Detects Threats Not Anomalies - Unlike most AI-based security tools, Blue Hexagon identifies and names specific threats. Instead of detecting anomalies or high-level patterns, Blue Hexagon models can automatically analyze over 100,000 traits within payloads, protocols, or headers to conclusively identify the threat in question. Threats are classified down to the name of the malware family and categorized in terms of the type of threat.

• Unmatched Speed and Detection Rates - Blue Hexagon detection rates are consistently well over 99.5% with false positives below 0.03%. Verdicts are rendered in less than a second and often in less than 50 milliseconds. Blue Hexagon applies this approach multiple times and correlates multiple events, phases, and payloads of malware across the lifecycle of an attack. This unique combination of accuracy and speed allows organizations to recognize new threats and take action before damage is done.

To learn more about the Blue Hexagon detection model, please refer to our white paper.

How Blue Hexagon Works With AWS

Blue Hexagon integrates intuitively with AWS and works hand-in-hand with AWS services to provide fast threat detection and seamless response and threat prevention. While most security tools try to bolt on a virtualized version of their traditional appliances or agents, Blue Hexagon offers best-of-breed security that fits into a cloud-native AWS architecture.

Simplified Blue Hexagon Deployment

As a part of the Amazon Partner Network (APN), the Blue Hexagon solution takes advantage of the newly announced VPC Traffic Mirroring capabilities from AWS. This means that Blue Hexagon can easily inspect and analyze network traffic from any Elastic Network Interface (ENI) within an organization’s VPC. Flexible configuration lets security teams analyze traffic for specific subnets, workloads, gateways, or across the entire VPC. Better yet, organizations can deploy Blue Hexagon without configuring in-line devices or installing and managing agents on every workload. And since all analyzed data remains within the customer VPC, organizations don’t have to worry about running afoul of data privacy regulations.

Blue Hexagon can analyze and correlate information across multiple EC2 instances and an organization’s on-premises assets, ensuring comprehensive threat detection across the enterprise regardless of where assets are hosted. Additionally, Blue Hexagon for AWS analyzes north-south traffic between AWS and the Internet as well as east-west traffic between workloads within AWS. For example, analysis of north-south traffic could identify specific malware infection attempts or command-and-control traffic, while east-west traffic could reveal lateral movement within the VPC.

Key Points

• Integrates with VPC Traffic Mirroring

• Dashboard visibility across all EC2 instances and on-premise assets

• North-South (Internet) and East-West (lateral) visibility

• No agents or in-line configuration
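The deployment described above rests on three AWS objects: a mirror target (the sensor's ENI), a mirror filter with rules for each direction, and one mirror session per source ENI. The following is an added example, not Blue Hexagon's or AWS's own code, showing that configuration with boto3; every resource id is a constructed placeholder, and the EC2 client is passed in so the logic can be exercised without credentials.

```python
"""Configure VPC Traffic Mirroring from workload ENIs to a sensor ENI.

Added example, not vendor code. All resource ids are constructed
placeholders; the boto3 method names and parameters are the real EC2 API.
"""
from typing import Dict, List

# Filter rules decide which traffic the sensor sees. Accepting everything in
# both directions gives the north-south plus east-west visibility described
# above; narrow the CIDRs (or add port ranges) to scope a session to a subnet.
MIRROR_RULES = [
    {"TrafficDirection": "ingress", "RuleNumber": 100, "RuleAction": "accept",
     "SourceCidrBlock": "0.0.0.0/0", "DestinationCidrBlock": "0.0.0.0/0"},
    {"TrafficDirection": "egress", "RuleNumber": 100, "RuleAction": "accept",
     "SourceCidrBlock": "0.0.0.0/0", "DestinationCidrBlock": "0.0.0.0/0"},
]


def setup_mirroring(ec2, sensor_eni: str, source_enis: List[str],
                    rules=MIRROR_RULES) -> Dict[str, object]:
    """Create the target, the filter with its rules, and one session per ENI.

    `ec2` is a boto3 EC2 client (or any object with the same methods).
    """
    if not source_enis:
        raise ValueError("at least one source ENI is required")
    if sensor_eni in source_enis:
        # Mirroring the sensor's own ENI would feed its traffic back to itself.
        raise ValueError("sensor ENI cannot also be a mirror source")

    target = ec2.create_traffic_mirror_target(
        NetworkInterfaceId=sensor_eni, Description="sensor mirror target")
    target_id = target["TrafficMirrorTarget"]["TrafficMirrorTargetId"]

    filt = ec2.create_traffic_mirror_filter(Description="mirror all traffic")
    filter_id = filt["TrafficMirrorFilter"]["TrafficMirrorFilterId"]
    for rule in rules:
        ec2.create_traffic_mirror_filter_rule(TrafficMirrorFilterId=filter_id, **rule)

    sessions = []
    # SessionNumber orders several sessions on one ENI; a fixed value is fine
    # when each source ENI gets exactly one session.
    for eni in source_enis:
        sess = ec2.create_traffic_mirror_session(
            NetworkInterfaceId=eni, TrafficMirrorTargetId=target_id,
            TrafficMirrorFilterId=filter_id, SessionNumber=1,
            Description=f"mirror {eni}")
        sessions.append(sess["TrafficMirrorSession"]["TrafficMirrorSessionId"])
    return {"target": target_id, "filter": filter_id, "sessions": sessions}


if __name__ == "__main__":
    import boto3  # real call path: needs AWS credentials and a region
    print(setup_mirroring(boto3.client("ec2"),
                          "eni-sensor-placeholder", ["eni-web-placeholder"]))
```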


Avoiding the Challenges of Traditional Security in the Cloud

The examples above illustrate the simplicity and speed of using Blue Hexagon in the cloud. It is likewise important to note that this approach avoids many of the common pitfalls associated with porting other security approaches to the cloud.

• Traditional Network Security - Tools such as next-generation firewalls, IPSs, and other filtering tools suffer from the same challenges that exist at the perimeter, namely the dependence on signatures for real-time detection and enforcement. Since new signatures can lag for days, threats can easily morph to stay ahead of these traditional controls. By contrast, Blue Hexagon can deliver high-quality verdicts on completely new threats in less than a second.

• Malware Sandboxes - Again, malware sandboxes retain all of their traditional limitations, but add the further complication of being cloud-hosted themselves. This means that file attachments within a customer’s AWS environment may need to be sent to a sandbox vendor’s cloud (which may not be in AWS), leading to privacy and scalability issues.

In contrast, teams using Blue Hexagon can simply choose the traffic they want to analyze via VPC traffic mirroring. The solution immediately sees the right traffic and can scale up and down in lockstep with the cloud environment without impacting threat detection capabilities.

Threat Prevention Via AWS-Native Services

The speed and accuracy of the Blue Hexagon platform open the door to fast, automated responses that can stop threats and prevent damage. Better yet, Blue Hexagon integrates with components and services directly within the AWS environment for automated, end-to-end orchestration within the cloud.

When a threat is detected, Blue Hexagon can publish a notification to AWS Simple Notification Service (SNS). The many-to-many capabilities of SNS allow Blue Hexagon verdicts to be used in a virtually unlimited number of ways.

As an example, SNS messages from Blue Hexagon can drive actions using AWS Lambda. In turn, Lambda could trigger an AWS CloudFormation template (CFT) to shut down or quarantine an affected workload, ensuring complete security for business-critical applications. This allows organizations to shift from detection to response within seconds.
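One way to implement the SNS-to-Lambda response described above, as an added example rather than Blue Hexagon's integration code: the handler parses the verdicts carried in the SNS records, applies a confidence threshold, and then either swaps the instance onto a deny-all security group (the quarantine) or stops it. It acts through the EC2 API directly instead of launching a CloudFormation template, and the verdict JSON layout, the security group id and the threat class names are all assumptions, since the paper does not define a message format.

```python
"""Lambda handler: turn a detection published to SNS into an EC2 quarantine.

Added example, not Blue Hexagon's code. The verdict fields, the quarantine
security group id and the threat class names are constructed assumptions.
"""
import json
from typing import Dict, List

QUARANTINE_SG = "sg-quarantine-placeholder"  # deny-all security group (assumed)
ACTIONABLE = {"malware", "command-and-control"}  # classes that trigger action
REQUIRED = {"instance_id", "threat_class", "confidence"}


def parse_verdicts(event: Dict) -> List[Dict]:
    """Extract well-formed verdict dicts from the SNS records Lambda receives.

    Malformed or non-SNS records are skipped rather than raising, so one bad
    message cannot stall the response to the others in the same batch.
    """
    verdicts = []
    for record in event.get("Records", []):
        if record.get("EventSource") != "aws:sns":
            continue
        try:
            body = json.loads(record["Sns"]["Message"])
        except (KeyError, ValueError):
            continue
        if isinstance(body, dict) and REQUIRED <= set(body):
            verdicts.append(body)
    return verdicts


def decide(verdict: Dict, min_confidence: float = 0.99) -> str:
    """Map a verdict to 'quarantine', 'stop' or 'ignore'.

    The message never carries an action itself: the function decides, so a
    spoofed or mis-parsed message cannot request an arbitrary API call.
    """
    if verdict["confidence"] < min_confidence or verdict["threat_class"] not in ACTIONABLE:
        return "ignore"  # leave low-confidence or out-of-scope verdicts to an analyst
    # Isolate by default; stopping loses volatile state, so require "critical".
    return "stop" if verdict.get("severity") == "critical" else "quarantine"


def respond(ec2, verdict: Dict) -> str:
    """Apply the decided action via the EC2 API and return the action taken."""
    action = decide(verdict)
    iid = verdict["instance_id"]
    if action == "quarantine":
        # Replacing the instance's security groups cuts all traffic while
        # keeping the instance (and its memory) available for forensics.
        ec2.modify_instance_attribute(InstanceId=iid, Groups=[QUARANTINE_SG])
    elif action == "stop":
        ec2.stop_instances(InstanceIds=[iid])
    return action


def handler(event: Dict, context=None, ec2=None) -> List[str]:
    """Lambda entry point; `ec2` is injectable so the logic runs offline."""
    if ec2 is None:
        import boto3  # imported lazily: only the real Lambda path needs it
        ec2 = boto3.client("ec2")
    return [respond(ec2, v) for v in parse_verdicts(event)]
```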


Summary

Blue Hexagon for AWS provides organizations with a modern approach to security that naturally aligns with the modern approach to computing. By combining high-accuracy, high-speed threat detection with the native orchestration services within AWS, Blue Hexagon can detect and defend against unknown and evolving threats in ways that have never been done before. If you have additional questions or would like to learn more about how Blue Hexagon or Blue Hexagon for AWS could work in your environment, please contact us at www.bluehexagon.ai and [email protected].

About Blue Hexagon

Blue Hexagon is a deep learning innovator focused on protecting organizations from cyberthreats. The company’s real-time deep learning platform is proven to detect known and unknown network threats with speed, efficacy, and coverage that set a new standard for cyber defense. Blue Hexagon is headquartered in Sunnyvale, CA, and backed by Benchmark and Altimeter Capital. For more information, visit www.bluehexagon.ai or follow @bluehexagonai.

Headquarters: 298 S. Sunnyvale Avenue, Suite 205, Sunnyvale, CA · [email protected]

BH-WP-10-00-19