New Features THIS MONTH

Updated EC2 Monitoring

On April 15th, we deployed an update to the EC2 Monitoring service with the following changes:

New Features THIS MONTH

Realtime alerting for guardduty findings

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior in your AWS account. There are over 50 scenarios GuardDuty monitors.  Examples of these include Recon:EC2/Portscan, Recon:IAMUser/UserPermissions, and Stealth:IAMUser/CloudTrailLoggingDisabled. Oxygen integrates with GuardDuty by capturing any new findings and executing workflow. Our current workflow has been to store all findings data in our database and review for immediate action, false positives, and standard formats. After refining our process, we are now ready to turn on realtime alerting for new GuardDuty findings. Any new finding will generate a support ticket and will be reviewed by Cloudticity support to see if any action is required.  Potential actions may include: adding an exception for false positives, archiving, or executing remediation. In all cases, Cloudticity support will communicate the action taken.  

New Features THIS MONTH

Oxygen Deep Dive

At Cloudticity, we are constantly iterating to provide ever greater levels of security, compliance, and overall service. Lately, you may have noticed an increased number of requests from our technical team to review your accounts for proper tagging, open ports, and other concerns. This is due to a concerted effort to embark on a deeper dive into your accounts to identify and remediate the next level of all issues (not just critical), including identifying any gaps in coverage created by the introduction of new AWS services or requirements. We have complete our initial review and now are working on remediating any findings. Some remediations require working with you to determine a proper course, while others require development of new checks and workflows. Our goal is to have both of these completed by the end of this month.

New Features

• Migration to Trend Micro Deep Security 11.3
• Last month we announced our intention to migrate to the latest version of Trend Micro Deep Security.  As this was a major upgrade we had to build a completely new Deep Security Manager to run in parallel with our existing installation.  This month we will begin the process of migrating our current Deep Security users to the new installation.  We will be reaching out in the coming days to schedule a maintenance window, and to provide any login information you will need to access the new installation.
• GuardDuty
  
  • In October we announced the implementation of GuardDuty in our customer accounts.  GuardDuty provides real-time security anomaly detection in your account including events for Route53, VPC Flowlogs, and Cloudtrail.  Because GuardDuty provides Flowlog anomaly detection we are deprecating our current Oxygen Flowlog service.  This will impact your service in two ways. First, you will see a decrease in your billing, for Kinesis and Lambda.  Second, you will no longer have access to the Flowlog view in your Oxygen dashboards.  We understand many of our customers use this dashboard to get some insight into geographical originations of their traffic.  If you still wish to view this data please contact Cloudticity support and let us know.  If we don't hear from you we will remove the Oxygen Flowlog service on January 29th, 2019.
• New Service: Automated AMI updates for AutoScaling
  • We have identified a use case that may cause Autoscaling groups to become out of sync with the instances that are running. Once an instance is patched with the latest OS patches and/or security updates, it is no longer in sync with the AMI that is driving the ASG. If a scaling event occurs after the OS patching is complete, the newly launched instance will not have the latest OS patches since it was launched from an AMI that did not have those patches. The same issue may present itself for CodeDeploy deployments. To resolve this issue, we developed a service that subscribes (using CloudWatch Rules) to a successful SSM OS patching event and a successful CodeDeploy deployment. Once any of the CloudWatch Rules fire, the service automatically creates a new AMI from the latest instance and updates the ASG to use the new AMI. If a scaling event occurs after the OS patching is complete (or CodeDeploy deployment is complete), the newly launched instance will have the latest OS patches and/or code since it was launched from an AMI that was built using an instance that had the most recent OS patches or application code.  If you are interested in this service please reach out to Cloudticity support for more details, or to schedule installation.

Coming Soon

• Unified Server Access Logging
• A common request we receive from our customers is to provide a logging solution that captures server access and security events and aggregates them in a single storage location for querying and visualization.  We are working on this solution now with an official release in Q1 of 2019.  We are leveraging native AWS services such as Kinesis, S3, Athena, and QuickSight to provide an end-to-end system for monitoring, alerting, and visualizing server access logs.  If you are interested in being a beta tester, or have any question regarding this feature, please reach out to our support desk.

New Features

• Migration to Trend Micro Deep Security 11.2
• We are in the process of migrating current Trend Micro users to the latest version of Trend Micro Deep Security.  The latest version of Trend Micro Deep Security offers an exciting set of features including: support for containers, improved api interaction, improvements in event notifications, inactive agent cleanup, and automatic malware agent updates.  Along with these improvements, we will be offering deeper integration between server agent events and our support ticket system, giving you immediate feedback and potential resolution for critical events.  We will also be adding new dashboards to provide a quick summary of your EC2 security posture. 
• EC2 Inventory
  • We have created a process for gathering high-level information on your fleet of EC2 instances.  This process runs from the Cloudticity management account every 12 hours and collects the latest information on your EC2 instance configuration including: tagging, SSM agent status, installed services, OS platform type, and OS version.  We are currently using this information in our internal processes used to track SSM installations and proper tagging.   Future plans include adding alerts for new instances (if requested), compliance-based configuration issues, and outdated OS platforms.  

Coming Soon

• Unified Server Access Logging
• A common request we receive from our customers is to provide a logging solution that captures server access and security events and aggregates them in a single storage location for querying and visualization.  We are working on this solution now with an official release in Q1 of 2019.  We will be leveraging native AWS services such as Kinesis, S3, Athena, and QuickSight to provide an end-to-end system for monitoring, alerting and visualizing server access logs.  If you are interested in being a beta tester, or have any question regarding this feature, please reach out to our support desk.

New Features

• OS-Level Compliance Checks
• We have developed an automated process for running server-level compliance checks using Chef Inspec. Our current suite of checks are based on the DevSec Hardening Framework and include specific checks from the windows-baseline and linux-baseline repositories.  Once installed, the compliance checks will run every day with results posted to the Oxygen dashboards.  The compliance checks are configured to run by using server tagging to identify each server to be included in the daily process.  OS-Level Compliance checks are not installed in your account by default, but you can request installation by reaching out to Cloudticity support. 
• EC2 Inventory
  • We have created a process for gathering high-level information on your fleet of EC2 instances.  This process runs from the Cloudticity management account every 12 hours and collects the latest information on your EC2 instance configuration including: tagging, ssm agent status, installed services, os platform type, os version, etc.  We are currently using this information in our internal processes used to track ssm installations and proper tagging.   Future plans include adding alerts for new instances (if requested), compliance-based configuration issues, and outdated OS platforms.  

Coming Soon

• Migration to Trend Micro Deep Security 11.2
• The latest version of Trend Micro Deep Security offers an exciting set of features including: support for containers, improved api interaction, improvements in event notifications, inactive agent cleanup, and automatic malware agent updates.  Along with these improvements, we will be offering deeper integration between server agent events and our support ticket system, giving you immediate feedback and potential resolution for critical events.  We will also be adding new dashboards to provide a quick summary of your EC2 security posture. 
• Improved AWS Limit Detection
• We are improving our AWS limit detection service to include direct customer feedback for increasing service limits. In addition to the current process of approving Cloudticity support to increase limits on your behalf, you will now be able to increase limits with a click of your mouse.

New Features

• AWS Personal Health Dashboard Integration
• We are now capturing AWS Personal Health Dashboard events for notifications and visualization.  The Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you.  The Personal Health Dashboard is enabled by default in your account and displays its results in the AWS console.  Oxygen integration will be capturing new dashboard results and providing workflow starting with support ticket creation.  Future enhancement will include custom workflow such as automated instance stop/start to address degraded hardware alerts.
• AWS GuardDuty Integration
• We are now capturing GuardDuty findings events. Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads.  As issues are detected, GuardDuty will create findings.  These findings are then captured by Oxygen and workflow is executed.  Initial workflow includes support ticket creation with future enhancements to include automated blocking of suspicious IP addresses.  For more information on Amazon GuardDuty you can view the documentation found here.
• Improvements to Server Monitoring
  • We are releasing a new version of server monitoring providing better filesystem alarm aggregation.  The current configuration creates alarms based on each volume mount point.  While this provides added granularity, it also can create too much "noise" with multiple alarm points for each volume.  This release will now aggregate alarms based on each ebs volume (for Linux) and each drive (for Windows).  We are also revising the Oxygen Dashboards to support the new filesystem aggregations. 

Coming Soon

• OS-Level Compliance Checks
• We have developed an automated process for running server-level compliance checks using Chef Inspec. We will be releasing this feature to all of our customers in the coming weeks. The compliance checks can be configured to run on a subset of servers using tagging. The results of the compliance check will be made available in the Oxygen dashboards.
• Improved AWS Limit Detection
• We are improving our AWS limit detection service to include direct customer feedback for increasing service limits. In addition to the current process of approving Cloudticity support to increase limits on your behalf, you will now be able to increase limits with a click of your mouse.

New Features

• Oxygen Dashboard Improvements
• Dashboards are now organized into folders, instead of having everything in a single folder called “general.” The folders are more specific and include:
• Compliance
• Server Metrics
• AWS
• Security
• The HIPAA Assessment dashboard has been revised to include a separate metric for unauthorized access attempts. We have also increased the assessment cycle to every 12 hours versus every 24 hours.
• We have added a System Compliance dashboard to display results from our real-time HIPAA compliance checks. These metrics are based on the AWS config rules created in your account. We have a small set of real-time checks deployed and will be expanding these in the coming months.
• The server metrics dashboards have been revised to use CloudWatch metric data. Server metrics are now displayed in two dashboards; Windows and Linux
• Server Performance Monitoring Improvements
• We have deprecated Metricbeats as our server monitoring platform and now use the AWS-Native SSM Cloudwatch agent. The Cloudwatch agent is a more robust solution providing direct integration with Cloudwatch custom metrics and alarms. Our metrics alarms have also been revised to give the customer much more control on what instances are included in alarms and what thresholds should trigger a response. For more information on configuring alarms you can view the article in our knowledge base.
• Hardened Linux images
• We can now provide hardened images for CentOS, Amazon Linux, Ubuntu, and RHEL. The images are hardened using the DevSec Hardening Framework Linux Baseline and are verified using CIS base profiles. We will continue to update our images as new versions become available in the AWS marketplace. If you are interested in using the hardened images please contact Cloudticity Support.
• Automated Health Dashboard Event Detection and Workflow
• On occasion, AWS will detect an issue with underlying EC2 instance hardware and will send a notification to the technical account contact informing them of an upcoming maintenance event to start and stop the instance. We have traditionally handled these communications manually, but moving forward we will be polling the AWS Personal Health dashboard and proactively creating a support ticket to notify you of upcoming maintenance events.

Coming Soon

• AWS GuardDuty Integration
• The release of AWS GuardDuty has provided an opportunity for us to move from our custom flowlog anomaly detection product to an AWS-native service. GuardDuty not only will reduce the cost of providing anomaly detection, but will also add features such as Cloudtrail and DNS anomaly detection.
• OS-level Compliance Checks
• During our development for providing hardened images, we developed an automated process for running server-level compliance checks using Chef Inspec. We will be releasing this feature to all of our customers in the coming weeks. The compliance checks can be configured to run on a subset of servers using tagging. The results of the compliance check will be made available in the Oxygen dashboards.
• Improved AWS Limit Detection
• We are improving our AWS limit detection service to include direct customer feedback for increasing service limits. In addition to the current process of approving Cloudticity support to increase limits on your behalf, you will now be able to increase limits with a click of your mouse.