The Check Point® Identity Awareness and ExtraHop Reveal(x) for AWS integration provides immediate and automated remediation of cybersecurity threats in the cloud. Check Point and ExtraHop have partnered to streamline your automated security response to Reveal(x) detections.
Check Point® Identity Awareness + ExtraHop Reveal(x) for AWS
The new ExtraHop Reveal(x) for AWS integration with Check Point security gateways enables cloud-focused security teams to take automated action on suspect domains and IP addresses.
ExtraHop applies analytics and machine learning to all east-west and north-south traffic, providing broad visibility, detection, and investigation across the entire attack surface.
The integration turns a Reveal(x) detection into an automated response on the Check Point gateways as follows:
- Reveal(x) for AWS uses Amazon VPC Traffic Mirroring to bring agentless network detection and response (NDR) to the cloud.
- ExtraHop captures copies of network traffic packets and analyzes the data with cloud-scale machine learning to detect successful attacks and power response automation.
- When Reveal(x) detects security threats with a high risk score, it sends a message through the AWS Simple Notification Service (SNS) in JSON format to a subscribed Lambda function.
- The Lambda function then sends an Identity Awareness command to all Check Point gateways.
- The offending IP addresses are then added to firewall access control lists and quarantined.
By natively integrating with Check Point Identity Awareness gateways, Amazon SNS, and AWS Lambda, Reveal(x) for AWS eliminates the need for direct API calls that target individual firewalls. Instead, the list of target gateways is supplied to the Lambda function as a single environment variable, which significantly reduces configuration.
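The SNS-to-Lambda-to-gateway flow described above, as an added example (not ExtraHop's or Check Point's own code). It assumes a detection layout (a top-level `risk_score` and a `participants` list with `ipaddr` and `role` fields), an environment variable named `CHECKPOINT_GATEWAYS` holding a comma-separated list of gateways, an `IA_SHARED_SECRET` variable, and the Identity Awareness Web API `add-identity` endpoint with an Access Role named `ExtraHop_Quarantine` that the gateway policy blocks; the actual payload field names and threshold used by the product are not on this page and are assumptions here.

```python
"""Added example: AWS Lambda handler that pushes Reveal(x) offender IPs to
Check Point Identity Awareness on every gateway listed in one env var.
Field names, env var names and the quarantine role are assumptions."""
import ipaddress
import json
import os
import ssl
import urllib.request

IA_PATH = "/_IA_API/v1.0/add-identity"   # Identity Awareness Web API (assumed endpoint)
MIN_RISK = 70                             # assumed cut-off for a "high risk score"
QUARANTINE_ROLE = "ExtraHop_Quarantine"   # assumed Access Role that the gateway policy blocks

# Constructed sample SNS event: one detection with two offenders, one victim,
# a malformed address and a duplicate, to exercise the filtering below.
SAMPLE_DETECTION = {
    "id": 12345,
    "title": "Lateral movement via SMB",
    "risk_score": 85,
    "participants": [
        {"role": "offender", "ipaddr": "172.16.8.20"},
        {"role": "offender", "ipaddr": "10.0.3.7"},
        {"role": "victim", "ipaddr": "10.0.1.5"},
        {"role": "offender", "ipaddr": "not-an-ip"},
        {"role": "offender", "ipaddr": "0.0.0.0"},
        {"role": "offender", "ipaddr": "10.0.3.7"},
    ],
}
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps(SAMPLE_DETECTION)}}]}


def parse_targets(env_value):
    """Split CHECKPOINT_GATEWAYS (assumed name) into an ordered, de-duplicated list."""
    targets = []
    for item in (env_value or "").split(","):
        gw = item.strip()
        if gw and gw not in targets:
            targets.append(gw)
    return targets


def extract_offenders(detection, min_risk=MIN_RISK):
    """Offender IPs of a detection, sorted, if its risk score meets the threshold.

    Malformed, unspecified, loopback and multicast addresses are dropped so a
    bad message can never quarantine 0.0.0.0 or a broadcast range.
    """
    if detection.get("risk_score", 0) < min_risk:
        return []
    ips = set()
    for p in detection.get("participants", []):
        if p.get("role") != "offender":
            continue
        try:
            addr = ipaddress.ip_address(p.get("ipaddr", ""))
        except ValueError:
            continue
        if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
            continue
        ips.add(addr)
    return [str(a) for a in sorted(ips)]


def build_add_identity(ip, shared_secret, session_timeout=3600):
    """Body of the add-identity call; the IA session expires on its own after session_timeout."""
    return {
        "shared-secret": shared_secret,
        "ip-address": ip,
        "user": f"quarantine-{ip}",
        "roles": [QUARANTINE_ROLE],
        "session-timeout": session_timeout,
    }


def post_json(url, body):
    """Default sender: HTTPS POST that verifies the gateway certificate."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=10) as resp:
        return resp.status


def lambda_handler(event, context=None, sender=post_json, gateways=None, shared_secret=None):
    """SNS entry point. Returns the (gateway, ip) pairs that were pushed."""
    if gateways is None:
        gateways = parse_targets(os.environ.get("CHECKPOINT_GATEWAYS"))
    if shared_secret is None:
        shared_secret = os.environ.get("IA_SHARED_SECRET", "")
    pushed = []
    for record in event.get("Records", []):
        detection = json.loads(record["Sns"]["Message"])
        for ip in extract_offenders(detection):
            body = build_add_identity(ip, shared_secret)
            for gw in gateways:
                sender(f"https://{gw}{IA_PATH}", body)
                pushed.append((gw, ip))
    return pushed


if __name__ == "__main__":
    # Dry run against the constructed event with a sender that only records calls.
    def dry_run(url, body):
        print("POST", url, body["ip-address"], body["roles"])
        return 200
    print(lambda_handler(SAMPLE_EVENT, sender=dry_run,
                         gateways=["gw1.example.internal", "gw2.example.internal"],
                         shared_secret="example-secret"))
```

Because every identity carries a session timeout, a quarantine created by mistake clears itself rather than lingering in the gateway's identity table; the shared secret should come from a secrets store rather than a plain environment variable in a real deployment.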
- Real-time creation of investigations for Reveal(x) detections
- Automated action on suspect domains and IP addresses in the cloud
- Native integrations eliminate the need to use direct API calls to target individual firewalls
ExtraHop continues to bolster its usefulness through its very open integration ecosystem with partners in the SIEM, NGFW, ticketing, and orchestration and automation categories. This open approach can significantly enhance the continuity of the security operations practice and facilitate improved automation and speed of detection to investigation.
Senior Instructor, SANS Institute