Response automation that acts quickly without unnecessarily quarantining business-critical workloads has been at or near the top of cloud Security Operations Center (SOC) wishlists for years. But until now, security teams couldn't trust automation tools, because those tools depended on unreliable data, incomplete information, and low-fidelity alerts to take action.
Developed in partnership with AWS, our new ExtraHop Reveal(x) Cloud integration enables you to automatically quarantine compromised EC2 instances with confidence.
Reveal(x) Cloud empowers your security team to take a nuanced approach to response automation by combining the richest inputs in the cloud—data from network traffic and machine-learning powered behavioral detections—with AWS security group policies.
Watch the video below for a 5-minute deep dive into the capabilities of the new Reveal(x) Cloud quarantine automation, as well as a demonstration of how it works. You can also keep reading to learn more about how Reveal(x) Cloud helps you take control of your automated response.
Here's a 5-Minute Video About How It Works
How It Works + Why It's Valuable + How to Get Started
How It Works:
Reveal(x) Cloud uses Amazon VPC Traffic Mirroring to passively monitor and analyze every communication that occurs in the east-west traffic corridor. When Reveal(x) Cloud detects a threat whose risk score exceeds a pre-set threshold, a trigger fires and calls an AWS API to move the offending EC2 instance into a quarantine security group, isolating it from everything else in your AWS environment.
Why It's Valuable:
While Reveal(x) Cloud supports automated quarantine out of the box, you can customize the trigger's risk score threshold. You can also modify the trigger, or write a new trigger, to take different actions when a detection violates your policies. Actions could include blocking, ticketing, tagging, and more.
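The workflow described above, as an added example that is not ExtraHop's or AWS's code: a detection carrying a risk score is checked against the threshold, the offender IP is resolved to a single elastic network interface, and that interface's security groups are swapped for a quarantine group with no rules; the previous groups are recorded so the instance can be released later. The detection fields (`risk_score`, `offender_ip`), the quarantine group id, the protected-interface allow-list and the in-memory `FakeEc2` stand-in are all assumptions made here so the example runs offline. With boto3 the same swap is `ec2.modify_network_interface_attribute(NetworkInterfaceId=..., Groups=[...])`, which replaces the interface's security groups outright.

```python
from dataclasses import dataclass, field

# Assumed values (not from the original post): a quarantine security group that
# has no inbound or outbound rules, and the risk score at which we act.
QUARANTINE_SG = "sg-QUARANTINE-PLACEHOLDER"
RISK_THRESHOLD = 80
# Business-critical interfaces are never auto-quarantined; they raise an alert instead.
PROTECTED_ENIS = {"eni-db-primary"}


@dataclass
class Eni:
    id: str
    private_ip: str
    groups: list


class FakeEc2:
    """In-memory stand-in for the two EC2 calls this workflow needs (constructed)."""

    def __init__(self, enis):
        self.enis = {e.id: e for e in enis}

    def describe_network_interfaces(self, private_ip):
        return [e for e in self.enis.values() if e.private_ip == private_ip]

    def modify_network_interface_attribute(self, eni_id, groups):
        # Like the real API call, this replaces the whole group list.
        self.enis[eni_id].groups = list(groups)


@dataclass
class Action:
    """One row of the kind of audit record a quarantine dashboard would show."""
    detection_id: str
    offender_ip: str
    eni_id: str
    action: str
    previous_groups: list = field(default_factory=list)


def handle_detection(ec2, detection, threshold=RISK_THRESHOLD):
    """Decide and apply the response for one detection; return the Action taken."""
    det_id, score, ip = detection["id"], detection["risk_score"], detection["offender_ip"]
    if score < threshold:
        return Action(det_id, ip, "", "ignored:below-threshold")
    matches = ec2.describe_network_interfaces(ip)
    if len(matches) != 1:
        # Unknown or ambiguous IP-to-interface mapping: never guess which workload to isolate.
        return Action(det_id, ip, "", f"skipped:{len(matches)}-eni-matches")
    eni = matches[0]
    if eni.id in PROTECTED_ENIS:
        return Action(det_id, ip, eni.id, "alerted:protected")
    if eni.groups == [QUARANTINE_SG]:
        return Action(det_id, ip, eni.id, "noop:already-quarantined")
    previous = list(eni.groups)  # keep the original groups so release() can restore them
    ec2.modify_network_interface_attribute(eni.id, [QUARANTINE_SG])
    return Action(det_id, ip, eni.id, "quarantined", previous)


def release(ec2, action):
    """Move a quarantined interface back to the groups it had before quarantine."""
    ec2.modify_network_interface_attribute(action.eni_id, action.previous_groups)


def demo():
    ec2 = FakeEc2([Eni("eni-web-1", "10.0.1.10", ["sg-web"]),
                   Eni("eni-db-primary", "10.0.2.20", ["sg-db"])])
    detections = [  # constructed sample detections
        {"id": "d1", "risk_score": 95, "offender_ip": "10.0.1.10"},
        {"id": "d2", "risk_score": 40, "offender_ip": "10.0.1.10"},
        {"id": "d3", "risk_score": 99, "offender_ip": "10.0.2.20"},
        {"id": "d4", "risk_score": 90, "offender_ip": "10.0.9.9"},
        {"id": "d5", "risk_score": 85, "offender_ip": "10.0.1.10"},
    ]
    log = [handle_detection(ec2, d) for d in detections]
    return ec2, log


if __name__ == "__main__":
    ec2, log = demo()
    for a in log:
        print(a)
```

The "skipped" and "alerted" outcomes are the part worth copying: an automated quarantine should only ever act on an unambiguous target and should leave a record of what it did (and did not do) so an analyst can reverse or continue from the dashboard.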
Simply set up the automated background process and let Reveal(x) Cloud and AWS do the rest.
The Reveal(x) Cloud quarantine integration bundle for AWS also includes a dashboard that provides an overview of actions taken, enabling you to see which IP addresses and elastic network interfaces the trigger quarantined. You can also view records associated with quarantine events from the dashboard and, if necessary, take further action, whether it's moving the device out of quarantine or continuing the investigation.
With Reveal(x) Cloud, you can access expanded detection cards loaded with information needed to investigate the security event that triggered an automated response. Details include the offender and victim, and background information on the detection, including related detections.
How To Get Started:
If you're not an ExtraHop customer but would like to test out Reveal(x) Cloud in your environment for free, you can request a 30-day trial of the product by filling out the form on this page!