Cloud Visibility Insights for Exfiltration in Egress Traffic

February 11, 2021  •  Jigar Shah


Cloud Visibility Insights for Public Clouds

The perennial challenge in security is finding what is insecure and securing it quickly (hours, not days/weeks). In an ideal world one would just set security policies on everything to secure and you’re done… but it's hard to know your exposure and to fine-tune the policies. Visibility is where you start; you can then put in the proper controls. The same problem happens in public clouds, but at a scale of 10s and 100s of VPCs, 100s and 1000s of instances, most of them ephemeral, across lots of accounts. What’s leaking? Is some instance connected to a malware or phishing site? Who else is potentially connected to command-and-control (C2)? Is it your production workloads or a compromised machine doing malicious things?

Solving this visibility problem at scale, and combining it with threat intelligence and cloud discovery, is what Valtix is now solving with this release: in minutes, and without complex tools or agents. With visibility information in hand, it's much easier to deploy Valtix Gateways and create correctly fine-tuned security policies.

Features in Valtix release 2.6:

  • Cloud Visibility Insights for Exfiltration Attempts in Egress Traffic
  • Deep Visibility and Control of AWS PaaS using Valtix Gateways
  • AWS Gateway Load Balancer Support for Cross-zone load balancing and Appliance Mode Support
  • Automated Rule Updates for IDS/IPS, Antivirus, WAF Rules
  • URL and FQDN Filtering Optimizations
  • Official HashiCorp Terraform provider for Valtix
  • Documentation Updates

How to Update to the Latest Valtix Release

In true cloud-native style the Valtix Controller (aka management plane) has all the latest features upgraded automatically - it's a SaaS. And the Valtix Gateways (aka dataplane) that are running in customer cloud accounts can be upgraded, fully under customer control, with a one-click blue/green hitless upgrade. Select your Valtix Gateway, click on the ‘hamburger’ icon and select ‘Upgrade’.

Cloud Visibility Insights for Exfiltration Attempts in Egress Traffic

Valtix is deepening the power of our Discovery features to give you deep insights into where egress traffic (i.e. outbound to Internet) is flowing without Valtix Gateways being deployed. This helps you find out who is connecting where; if an instance is compromised, what actual VPC traffic flows are related to this instance, and who else is connecting to malicious destinations. All in a few clicks.

Using standard AWS IAM controls Valtix integrates contextual information to help you find a needle in the haystack by combining: 

  • Traffic: AWS DNS (Route 53) query logs and VPC flow logs
  • Discovery: Cloud asset information, continuously gathered in near real-time, of your workloads: instances, VPCs, load balancers, regions, tags etc
  • Threat Intelligence: FQDN/domain categorization of millions of egress flows to millions of egress destination domains, covering DNS queries for egress traffic from an AWS deployment across all categories, malicious ones included

All this is designed for a simple workflow from the Discovery > DNS Traffic in the dashboard:

  • Review DNS traffic across all destination domain categories
  • See which of the seven malicious site categories are part of that mix: Phishing, Malware sites, Spam URLs, Proxy and Anonymizers, Keyloggers, Spyware & Adware, and Botnets.
  • Find out which instances might be connecting to the malicious sites and review the logs
  • Quickly see which tags (“pci”, “production”, “staging”, “web”) are associated with those instances and search across the logs to find potentially compromised machines.
  • Next, for actual inline protections you can deploy Valtix Gateways for protecting against attacks and preventing exfiltration using TLS decryption, DLP, and URL filtering. 
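The correlation that the data-source list and the workflow above describe (DNS query logs plus VPC flow logs, joined with a domain-category feed and discovered instance tags) can be expressed as a small script. The following is an added example, not Valtix code and not the Discovery feature's implementation: the log records, the category feed (DOMAIN_CATEGORIES) and the inventory (INSTANCE_TAGS) are constructed sample data, and the Route 53 Resolver query-log field names and the default 14-field VPC flow-log layout are the AWS-documented formats. The flow-log join is what turns "this instance resolved a bad domain" into "this instance actually sent bytes there, and the security group accepted or rejected it".

```python
"""Correlate Route 53 Resolver query logs, VPC flow logs, a domain-category
feed and instance tags to surface instances talking to malicious destinations.
Added example with constructed sample data; not the product's own code."""
import json

# The seven categories the post calls out as malicious.
MALICIOUS_CATEGORIES = {
    "Phishing", "Malware sites", "Spam URLs", "Proxy and Anonymizers",
    "Keyloggers", "Spyware & Adware", "Botnets",
}

# Constructed stand-in for a threat-intelligence categorization feed.
DOMAIN_CATEGORIES = {
    "updates.example-cdn.net": "Software Updates",
    "login-verify.example-bad.test": "Phishing",
    "c2.example-evil.test": "Botnets",
}

# Constructed asset inventory (what cloud discovery would gather): id -> tags.
INSTANCE_TAGS = {
    "i-0aaa111": {"env": "production", "role": "web"},
    "i-0bbb222": {"env": "staging", "role": "pci"},
}

# Constructed Route 53 Resolver query-log records, one JSON object per line.
DNS_LOG = "\n".join(json.dumps(r) for r in [
    {"query_name": "updates.example-cdn.net.", "srcaddr": "10.0.1.10",
     "answers": [{"Rdata": "203.0.113.10", "Type": "A"}],
     "srcids": {"instance": "i-0aaa111"}},
    {"query_name": "login-verify.example-bad.test.", "srcaddr": "10.0.1.10",
     "answers": [{"Rdata": "198.51.100.7", "Type": "A"}],
     "srcids": {"instance": "i-0aaa111"}},
    {"query_name": "c2.example-evil.test.", "srcaddr": "10.0.2.20",
     "answers": [{"Rdata": "198.51.100.99", "Type": "A"}],
     "srcids": {"instance": "i-0bbb222"}},
])

# Constructed VPC flow-log lines in the default format (14 space-separated fields).
FLOW_LOG = """\
2 123456789012 eni-0a 10.0.1.10 203.0.113.10 51000 443 6 20 4000 1613000000 1613000060 ACCEPT OK
2 123456789012 eni-0a 10.0.1.10 198.51.100.7 51001 443 6 15 2200 1613000010 1613000070 ACCEPT OK
2 123456789012 eni-0b 10.0.2.20 198.51.100.99 51002 8443 6 9 900 1613000020 1613000080 REJECT OK
"""

FLOW_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status"]


def parse_dns_log(text):
    """Yield (instance_id, source_ip, domain, resolved_ips) per query record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        instance = rec.get("srcids", {}).get("instance")
        if instance is None:          # e.g. queries from resolver endpoints
            continue
        domain = rec["query_name"].rstrip(".")
        ips = [a["Rdata"] for a in rec.get("answers", [])
               if a.get("Type") in ("A", "AAAA")]
        yield instance, rec["srcaddr"], domain, ips


def parse_flow_log(text):
    """Yield one dict per flow-log line; skip headers and malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS) or parts[0] == "version":
            continue
        yield dict(zip(FLOW_FIELDS, parts))


def find_suspicious_instances(dns_log, flow_log, categories, tags):
    """Return {instance_id: {tags, domains, flows}} for instances whose DNS
    queries hit a malicious category, with flow-log evidence attached."""
    findings, ip_to_domain, src_to_instance = {}, {}, {}
    for instance, src_ip, domain, ips in parse_dns_log(dns_log):
        src_to_instance[src_ip] = instance
        category = categories.get(domain, "Uncategorized")
        if category not in MALICIOUS_CATEGORIES:
            continue
        entry = findings.setdefault(
            instance, {"tags": tags.get(instance, {}), "domains": {}, "flows": []})
        entry["domains"][domain] = category
        for ip in ips:                # resolved answers let us match flows
            ip_to_domain[ip] = domain
    for flow in parse_flow_log(flow_log):
        domain = ip_to_domain.get(flow["dstaddr"])
        instance = src_to_instance.get(flow["srcaddr"])
        if domain is None or instance not in findings:
            continue
        findings[instance]["flows"].append({
            "domain": domain, "dst": flow["dstaddr"], "dstport": int(flow["dstport"]),
            "action": flow["action"], "bytes": int(flow["bytes"])})
    return findings


def filter_by_tag(findings, key, value):
    """Narrow findings to instances carrying a given tag, e.g. env=production."""
    return {i: f for i, f in findings.items() if f["tags"].get(key) == value}


if __name__ == "__main__":
    result = find_suspicious_instances(DNS_LOG, FLOW_LOG, DOMAIN_CATEGORIES, INSTANCE_TAGS)
    for instance, f in result.items():
        print(instance, f["tags"], f["domains"])
        for flow in f["flows"]:
            print("   ", flow)
```

A REJECT in the flow log alongside a malicious-category DNS query is still worth a look: the resolution shows intent from the instance, even though the security group stopped the connection, and an ACCEPT with non-trivial byte counts is the case to treat as a possible exfiltration path.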

Instances connecting to malicious sites and detailed logs with instance tag information

Cloud visibility is part of our Discovery feature that is available for all customers. There is no additional cost to using this feature. This release supports AWS; future releases will include support for other public clouds. 

For a free trial, or a proof of concept (PoC) in your environment contact us at info@valtix.com.

Deep Visibility and Control of AWS PaaS using Valtix Gateways

The visibility features in the Discovery part of our story work with API integration, the Valtix Controller engine and our analytics. When Valtix Gateways are deployed, we can do much more to protect egress traffic to AWS platform-as-a-service (PaaS) offerings:

  • Service-level visibility of all traffic passing through Valtix Gateways
  • Control of a vast number of AWS PaaS offerings from S3, RDS, EKS and others
  • Combine discovered inventory information to map cloud assets to PaaS, i.e. which instances are using AWS S3, who’s connecting to RDS and then outbound to Internet?

AWS PaaS controls via policy and visibility

AWS Gateway Load Balancer Support for Cross-Zone Load Balancing and Appliance Mode Support

In November 2020, Valtix participated in the launch for AWS Gateway Load Balancer (GWLB) as the only SaaS partner. Using GWLB and Transit Gateway simplifies hub-and-spoke designs for customers to secure 10s and 100s of spoke/application VPCs. Valtix is now enabling support for cross-zone load balancing and Appliance Mode with AWS Transit Gateway. 

To learn more see:

Automated Rule Updates for IDS/IPS, Antivirus, WAF Rules

Deployment of rule updates for IDS/IPS, Antivirus, WAF and malicious sources can now be either manual (pick the exact version) or automated, with the option to defer deployment by up to 30 days beyond the publish date of the signatures.

This gives customers greater flexibility and control in how and when their Valtix Gateways are updated. Most customers have expressed that they normally expect to use the automatic option with deployment 7 days after availability to give them some time to test the rules. And, use the manual option on a case-by-case basis when new issues arise. As a SaaS platform Valtix is able to simplify the distribution and deployment of these updates compared to traditional firewall management products.

Official HashiCorp Terraform provider for Valtix

Earlier, in January, we released the official Terraform provider for Valtix. Customers are using this to bake security into their DevOps workflows with no compromises, i.e. no additional supporting Go or Python scripts or Ansible modules are needed. This update announces that Valtix is now releasing an official (i.e. HashiCorp-verified) Valtix provider for Terraform. To learn more see here. For example templates see our GitHub repository or contact us at info@valtix.com.

Documentation Updates

Documentation is now publicly available at docs.valtix.com. Previously this was embedded inside each customer’s Valtix portal login.
