Today, Amazon Web Services (AWS) announced a new service, AWS Network Firewall, which provides network security controls across Amazon Virtual Private Clouds (VPCs). The easy-to-deploy service lets users define firewall rules for threat-centric visibility, including blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious activity.
As part of the announcement, IBM Security was named an AWS Launch Partner for both ISV and MSSP capabilities. This builds on IBM Security's broad support for AWS native services, covering both SIEM and managed services offerings, as well as demand for deep partner integrations across AWS technologies.
The latest updates include a QRadar Device Support Module (DSM) for the AWS Network Firewall service. QRadar ingests two different log source types that collect data from Amazon Simple Storage Service (Amazon S3) buckets: one handles flow records as flows and the second handles flow records as events. Here are some of the key features of the integration.
As a QRadar on AWS user, you can leverage the built-in Amazon Elastic Compute Cloud (Amazon EC2) IAM role from the deployed host to streamline the authentication process.
In this view, flow logs have been enabled and appear in the Network Activity tab of QRadar. The data includes source IP, destination IP, packet count, flow direction and application type, among other fields.
You can drill into the underlying flow data to gain deeper insight into additional network information, such as the payload, packet count and source or destination IPs. This information feeds QRadar’s advanced analytics, which trigger offenses on suspicious activity such as IRC server connections or port scans. Associated magnitude and severity scores are also provided based on the defined network hierarchy.
You can also see firewall alerts for traffic that was previously blocked and then allowed, which can indicate suspicious activity.
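To make the two log source types concrete, here is an added example (not code from IBM, QRadar or the AWS Network Firewall documentation) that splits Network Firewall S3 log records into the "flow" and "event" buckets described above and pulls out the fields QRadar surfaces: source and destination IP, direction, packet count, application protocol and the alert action. It assumes the Suricata-style EVE JSON layout Network Firewall writes (one JSON object per line, wrapped in firewall_name/availability_zone/event_timestamp/event), an assumed VPC range of 10.0.0.0/16 for deriving direction, and two constructed sample records.

```python
import ipaddress
import json

# Assumption: records use the Suricata EVE JSON layout AWS Network Firewall
# writes to S3, one object per line. Both records below are constructed
# samples: a netflow record (flow log) and an alert record (alert log) for a
# blocked outbound SMB connection.
SAMPLE_LOG = """\
{"firewall_name":"example-fw","availability_zone":"us-east-1a","event_timestamp":"1602627001","event":{"timestamp":"2020-10-13T22:10:01.006481+0000","flow_id":1,"event_type":"netflow","src_ip":"198.51.100.7","src_port":47047,"dest_ip":"10.0.1.25","dest_port":445,"proto":"TCP","netflow":{"pkts":1,"bytes":60,"start":"2020-10-13T22:09:30+0000","end":"2020-10-13T22:09:30+0000","age":0}}}
{"firewall_name":"example-fw","availability_zone":"us-east-1a","event_timestamp":"1602627002","event":{"timestamp":"2020-10-13T22:10:02.000000+0000","flow_id":2,"event_type":"alert","src_ip":"10.0.1.25","src_port":51000,"dest_ip":"203.0.113.9","dest_port":445,"proto":"TCP","app_proto":"smb","alert":{"action":"blocked","signature_id":1,"rev":1,"signature":"drop outbound SMB","category":"","severity":2}}}
"""

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumed VPC address range


def normalize(line):
    """Map one raw record to the fields QRadar shows for a flow or an event."""
    rec = json.loads(line)
    ev = rec["event"]
    # Direction is not an explicit field; derive it from whether the source
    # address lies inside the (assumed) VPC range.
    src_internal = ipaddress.ip_address(ev["src_ip"]) in VPC_CIDR
    return {
        "kind": "flow" if ev["event_type"] == "netflow" else "event",
        "src_ip": ev["src_ip"],
        "dest_ip": ev["dest_ip"],
        "dest_port": ev["dest_port"],
        "direction": "outbound" if src_internal else "inbound",
        "app_proto": ev.get("app_proto", "unknown"),
        "packets": ev.get("netflow", {}).get("pkts"),
        "action": ev.get("alert", {}).get("action"),
    }


def split_sources(log_text):
    """Route records into the two buckets the DSM's log source types expect."""
    flows, events = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = normalize(line)
        (flows if rec["kind"] == "flow" else events).append(rec)
    return flows, events


if __name__ == "__main__":
    for bucket, records in zip(("flows", "events"), split_sources(SAMPLE_LOG)):
        print(bucket, records)
```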
The latest integration extends QRadar’s existing support for AWS native security services, including Amazon GuardDuty, AWS CloudTrail, AWS Security Hub, Amazon CloudWatch, Amazon Detective and VPC Flow Logs, among others. The integrations include advanced rules, reports, saved searches and cloud dashboards for comprehensive visibility across AWS workloads.
By using the extensive QRadar integrations with AWS, together with broad support from IBM Security Services, organizations can accelerate their migration to AWS with confidence in their security posture.