Administration Guide

Lacework FortiCNAPP for AWS FAQ

AWS

In which AWS regions can I deploy Lacework FortiCNAPP Integrations?

We support deployment of any of our AWS integrations (CloudTrail, Configuration, EKS Audit Log, and AWS Security Hub) in any non-China region, provided the AWS services required to run our integrations are available in the region. Additionally, CloudTrail and Config integrations are supported in GovCloud environments. For the list of AWS regions, see AWS Services by Region.

Does Lacework FortiCNAPP use AWS Config service to pull configuration resources?

No. Lacework FortiCNAPP pulls AWS configuration data directly through the AWS APIs rather than through AWS Config.

However, Lacework FortiCNAPP does poll the AWS Config service to determine whether it is enabled in each region, so that the compliance checks and benchmarks that cover the service can be evaluated.

Can I search raw CloudTrail events in Lacework FortiCNAPP, and what frequency can I alert on these?

Through LQL, you can search the CloudTrailRawEvents data source on your Lacework FortiCNAPP tenant. Alerts based on such queries run on a 1-hour or 24-hour period. See LQL Overview.

AWS CloudTrail

What is AWS CloudTrail?

AWS CloudTrail is a management service offered by Amazon Web Services (AWS) that supports auditing, governance, compliance, and security operations. CloudTrail logs, continuously monitors, and retains events related to API calls across your AWS infrastructure.

What information does CloudTrail monitor?

CloudTrail logs AWS API calls. These calls capture meaningful activities in an AWS account, from security and compute resource changes to storage and network access.

How does Lacework FortiCNAPP work with CloudTrail?

Lacework FortiCNAPP Polygraph uses CloudTrail data to monitor AWS account activity and establish a baseline of normal behavior. Lacework FortiCNAPP then detects any deviation from the baseline to surface potential security incidents, facilitate investigations, and improve operations. Lacework FortiCNAPP for AWS CloudTrail is a zero-touch solution that requires minimal software and configuration.

I’m using CloudTrail today. Why do I need Lacework FortiCNAPP?

Although CloudTrail captures comprehensive and detailed information, it presents that information as simple log files. Lacework FortiCNAPP aggregates and organizes CloudTrail data into useful maps and dashboards that illustrate conceptual relationships, causes and effects, and interactions between AWS entities.

Lacework FortiCNAPP also automatically generates alerts whenever a CloudTrail event represents a security risk. These alerts are triggered when AWS account activity deviates from the baseline. Lacework FortiCNAPP Polygraph is integrated with a number of alerting and workflow management tools (like Slack and Splunk) so you can easily integrate Lacework FortiCNAPP into your existing security workflow.

Lacework FortiCNAPP automatically performs all of these capabilities - mapping, alerting, aggregating, and organizing - without rules, policies, or signatures, and makes CloudTrail far more powerful without extra processing or tools. Lacework FortiCNAPP for cloud workloads, by contrast, protects the production elements of your cloud solution: the servers, applications, containers, and processes that run it. To use IT security jargon, that is the “attack surface” the workload solution protects. In comparison, the attack surface protected by Lacework FortiCNAPP for AWS CloudTrail is the AWS account itself, where administrators establish and maintain AWS infrastructure, including user accounts, storage and compute resources, and security infrastructure.

The attack surface protected by the two solutions can overlap. For example, CloudTrail monitors AWS APIs that start new machine instances or create new storage buckets. Lacework FortiCNAPP for cloud workloads typically detects new hosts even when Lacework FortiCNAPP for CloudTrail is not in use.

On the other hand, CloudTrail provides insight into certain events that Lacework FortiCNAPP for cloud workloads does not see. For example, CloudTrail captures every identity and access management (IAM) event in an AWS account; these events are invisible to Lacework FortiCNAPP for cloud workloads. Abuse of IAM commands can give attackers the ability to create new EC2 instances or S3 buckets for nefarious purposes, such as bitcoin mining.

To clarify, IAM activities on AWS are different from the similar-sounding user management tasks that are part of the lifecycle of a virtual machine or container. Though Lacework FortiCNAPP for cloud workloads does not see AWS IAM events, it does see user permission changes on the workloads themselves.

Is it easy to install Lacework FortiCNAPP with CloudTrail?

Yes. You only need to configure CloudTrail to ensure that the correct information is being sent. Lacework FortiCNAPP even offers a template to easily create a basic CloudTrail configuration.

Can I use Lacework FortiCNAPP with CloudTrail to avoid using Lacework FortiCNAPP agents?

Yes, with a qualification: it depends on what you want to protect. Agents are the only way to extend Lacework FortiCNAPP’s capabilities to the production elements of your cloud solution. Without agents, Lacework FortiCNAPP for CloudTrail protects administrative and some production activities in your AWS account (for example, starting or stopping EC2 instances, or creating S3 buckets), but it provides very little protection for your in-production servers, applications, containers, and processes. Our CloudTrail solution complements our cloud workload solution; it does not replace it.

Which CloudTrail events does Lacework FortiCNAPP analyze?

CloudTrail management events are ingested and analyzed by Lacework FortiCNAPP, so the Polygraph and alerts are based on them. CloudTrail data events are not analyzed.

Does Lacework FortiCNAPP support trails from different regions?

Yes, through a single multi-region trail. Lacework FortiCNAPP can currently ingest data from only one trail, so we recommend using the default trail, which covers all AWS regions associated with the account. Region tags are available as filters within Lacework FortiCNAPP if you need to analyze data by region.

How does Lacework FortiCNAPP compare to AWS CloudWatch?

CloudWatch is a monitoring solution offered by AWS. Its focus on performance monitoring and metrics complements Lacework FortiCNAPP’s focus on security, compliance, and incident investigation.

CloudWatch monitors log files, including files from CloudTrail, and can generate security alerts based on unusual log activity. However, these alerts are rule-based and must be manually developed and maintained. Lacework FortiCNAPP’s zero-touch solution is a more comprehensive and easier-to-use alternative to CloudWatch for security alerting.

What are some of the use cases supported by Lacework FortiCNAPP for CloudTrail?

Lacework FortiCNAPP supports two primary use cases: breach detection very early in the cyber kill chain and investigation support for security incidents.

The cyber kill chain model, originally developed by security researchers at Lockheed Martin, describes the phases a typical cyber attack passes through before it becomes a damaging incident. Reconnaissance, for example, happens early in most attacks as the adversary probes for weaknesses. Exfiltration of sensitive data is one of the final phases in the kill chain.

Lacework FortiCNAPP for CloudTrail excels at detecting attacks during the early phases of the kill chain. By correlating and assessing information across different AWS services, Lacework FortiCNAPP can highlight especially suspicious events, such as a new user attempting to create a new key in AWS KMS, a user trying to change access control policies on an S3 bucket, or the creation of a new EC2 instance in a new region. Each of these behaviors is an early red flag for potential cybercrime activity.
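The baseline-and-deviation idea described above, reduced to a toy detector over CloudTrail management events, as an added illustration that is not Lacework FortiCNAPP code (the product learns its baseline statistically; the hand-picked sensitive-API list and the sample records here are constructed assumptions). It keeps only management events, as the FAQ says the product does, and flags the three red flags named in this answer: a KMS key created by an unknown user, a change to an S3 bucket policy, and an EC2 instance launched in a region the account has never used.

```python
# Constructed sample records (not real CloudTrail data); the keys are the real
# CloudTrail record field names for the information the FAQ says it exposes.
def ev(name, source, region, user, ip, management=True):
    return {"eventName": name, "eventSource": source, "awsRegion": region,
            "userIdentity": {"userName": user}, "sourceIPAddress": ip,
            "managementEvent": management, "recipientAccountId": "111122223333"}

# Baseline window: what this account normally does.
BASELINE = [
    ev("DescribeInstances", "ec2.amazonaws.com", "us-east-1", "alice", "203.0.113.10"),
    ev("RunInstances", "ec2.amazonaws.com", "us-east-1", "alice", "203.0.113.10"),
    ev("CreateKey", "kms.amazonaws.com", "us-east-1", "alice", "203.0.113.10"),
    ev("GetObject", "s3.amazonaws.com", "us-east-1", "app-role", "10.0.0.5", management=False),
]

# Later events to evaluate against that baseline.
NEW = [
    ev("RunInstances", "ec2.amazonaws.com", "us-east-1", "alice", "203.0.113.10"),      # routine
    ev("CreateKey", "kms.amazonaws.com", "us-east-1", "mallory", "198.51.100.7"),       # new user makes a KMS key
    ev("PutBucketPolicy", "s3.amazonaws.com", "us-east-1", "alice", "203.0.113.10"),    # bucket policy change
    ev("RunInstances", "ec2.amazonaws.com", "ap-southeast-2", "alice", "203.0.113.10"), # region never used before
    ev("GetObject", "s3.amazonaws.com", "us-east-1", "app-role", "10.0.0.5", management=False),  # data event
]

# Hand-picked from the FAQ's own examples; a static list is a stand-in for what the product learns.
SENSITIVE_APIS = {("kms.amazonaws.com", "CreateKey"), ("s3.amazonaws.com", "PutBucketPolicy"),
                  ("s3.amazonaws.com", "PutBucketAcl")}

def build_baseline(events):
    """Record the users, regions and (service, API) pairs seen in the baseline window."""
    seen = {"users": set(), "regions": set(), "apis": set()}
    for e in events:
        if not e.get("managementEvent", True):
            continue  # data events (GetObject etc.) are not analyzed, as in the FAQ
        seen["users"].add(e["userIdentity"]["userName"])
        seen["regions"].add(e["awsRegion"])
        seen["apis"].add((e["eventSource"], e["eventName"]))
    return seen

def find_deviations(events, baseline):
    """Return (reason, event) pairs for management events that leave the baseline."""
    findings = []
    for e in events:
        if not e.get("managementEvent", True):
            continue
        user = e["userIdentity"]["userName"]
        api = (e["eventSource"], e["eventName"])
        reasons = []
        if user not in baseline["users"]:
            reasons.append("unknown user")
        if e["awsRegion"] not in baseline["regions"]:
            reasons.append("new region")
        # a sensitive API is a red flag when the account has never used it, or when it
        # is used in an unfamiliar context (unknown user or new region)
        if api in SENSITIVE_APIS and (api not in baseline["apis"] or reasons):
            reasons.append("sensitive API")
        if reasons:
            findings.append((", ".join(reasons), e))
    return findings
```

Running `find_deviations(NEW, build_baseline(BASELINE))` flags the mallory KMS key, the bucket policy change and the new-region launch, while the routine launch and the S3 data event produce nothing.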

Incident investigation is another compelling Lacework FortiCNAPP for CloudTrail use case. Evaluating security breaches can be a tedious process: without the right tools, investigators are often left to deal with incomplete and confusing logs from disparate systems. Even with CloudTrail, correlating AWS account events with logs from production workloads (i.e. the containers, applications, and servers running your production solution) is not an easy task.

With Lacework FortiCNAPP, events from every corner of your cloud solution - including those from AWS CloudTrail - can be visualized in the context of the overall cyber kill chain. Once the attack’s structure and strategies are understood, security professionals can quickly and definitively remediate problems and evaluate impacts.

What kind of threats are caught by Lacework FortiCNAPP for AWS CloudTrail?

Lacework FortiCNAPP for AWS CloudTrail focuses on administrative activities that underpin every solution hosted on AWS. Here’s a sample of the types of attacks that can take place in the AWS administrative domain:

  • Deleting EC2 instances or keys to deny or degrade service
  • Changing S3 bucket permission to expose or steal sensitive data
  • Starting unauthorized EC2 instances or S3 buckets for bitcoin mining or file sharing
  • Restoring AWS snapshots to steal data that was thought to be unavailable
  • Adding new privileged users with wide administrator privileges in the AWS account

What information about CloudTrail events is available in Lacework FortiCNAPP for AWS CloudTrail?

Lacework FortiCNAPP for AWS CloudTrail does not retain full event records for CloudTrail events. We provide a link to the source CloudTrail file if the user needs more detail. Here are the fields available from within Lacework FortiCNAPP for CloudTrail:

  • Account
  • Region
  • Service
  • API
  • Time period
  • User
  • Originating IP address
  • Count
