Cloud Detection and Response (CDR)

Cloud Detection and Response (previously known as Intelligence) allows you to visualize and analyze account activity and network traffic into and out of your cloud environment or container cluster. With this, you can, for example, identify traffic from unwanted or malicious sources, or misconfigurations that attackers can use to their advantage.

CloudGuard provides preconfigured queries for CDR, and you can create more custom queries with a graphical query builder based on the CloudGuard Governance Specification Language (GSL).

CDR combines cloud or KubernetesClosed Kubernetes, often abbreviated as “K8s”, orchestrates containerized applications to run on a cluster of hosts. assets and configuration information with real-time monitoring data from network traffic logs account activity logs, and current threat intelligence feeds, IP reputation databases, and geolocation databases. This results in enriched logs and enhanced visualization. For example, sources of network traffic from other AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. elements are shown based on the type and malicious external sources are marked as such.

CDR can give you near real-time views of account activity and network traffic. You can also see and do an analysis of past logs. You can configure CDR to send you real-time alerts for specific events that may occur in your cloud environment and therefore enable you to respond quickly.

CDR features:

  • Near real-time view of events

  • Adjust queries for specific events and threat hunting

  • Enriched contextual information from different log sources allows you to get a quicker and clearer understanding of events that occur in your cloud environment

Benefits

  1. Streamline Network Security Operations: With CDR, you can do network operations such as:

    • Security architecture review based on real-time traffic analysis

    • Increase visibility into your traffic flow

    • Troubleshoot and identify misconfigurations that cause intrusions and policy violations

    • Identify unusual account activity

    • Detect malicious sources that are sending traffic to your network assets

  2. Decrease meantime for threat detection: On average, it takes about 200 days for incident responders to detect a breach. With CDR, you can identify and zoom in on a suspected asset and understand the full context from a configuration and traffic activity perspective, thereby reducing your mean time to detect threats.

  3. Detect Privilege Escalation / Credential Compromise: CloudGuard has the full context of your account activity and the types of assets in your environment. With CDR, you can create lists of asset types that shouldn’t be instantiated. If someone obtains unapproved privileges to launch an expensive EC2Closed Amazon EC2 - A web service for launching and managing Linux/UNIX and Windows Server instances in Amazon data centers. instance that is perhaps used for crypto-mining operations or to steal API keys, and is at this time misused, CDR can detect such unapproved IAMClosed Identity and Access Management (IAM) - A web service that customers can use to manage users and user permissions within their organizations. changes or specific EC2-type traffic and immediately provide detailed alerts.

  4. Expedite and help in Compliance Validation: With the Explorer, you can see a replay of traffic that can be used to prove that your cloud environment is adhering to different compliance standards (Control effectiveness).

  5. Detect unusual or abnormal use of your cloud resources, network activity, logins, etc. For example, detect activity from geographic locations not permitted, suspicious port use, unusual logins, or authentication attempts.

CDR License

As part of the CloudGuard CNAPPClosed Cloud-Native Application Protection Platform - a cloud-native security model that encompasses Cloud Security Posture Management (CSPM), Cloud Service Network Security (CSNS), and Cloud Workload Protection Platform (CWPP) in a single holistic platform. license, CloudGuard customers get the account activity component of CDR. This basic CDR functionality provides 12 GB of logs with retention for one month for each billable asset. This means that when you onboard your environment to CDR, it can analyze 12 GB of logs, no matter how many times it takes, and keep them for no more than one month. When you finish the quota, CDR stops to process your data.

In addition, you can purchase a license for CloudGuard CDR Pro, Check Point's Cloud Security Threat Defense Analytics platform. CDR Pro can help you detect and mitigate threats to users' cloud environments, analyze activity, and leverage UEBA algorithms to fend off cloud attacks. Same to basic CDR, the license for CDR Pro is based on consumption. All processed data is counted against the quota set by your license. The license covers data ingestion while there is capacity left.

Some assets can create a tremendous number of network traffic logs, which you may not want to be analyzed by CDR. You have to examine these numbers and, in general, the architecture of your network before you onboard your environments to CDR. To prevent the cases when your quota is consumed too quickly or spent on irrelevant data, you have to control which logs to onboard to CDR.

To manage the network traffic logs that your AWS assets send to CDR:

  1. Enable Flow Logs only on the applicable VPC, subnet, or ENI.

  2. Configure that the Flow Logs that you want to send to CDR are published to a specific S3 bucket which you then onboard.

When the license quota is near its end, you receive a warning message that the number of ingested logs is at 80%, 90%, or 100% of its capacity. When it reaches 100%, the logs ingestion stops until a new license is purchased. The ingested logs are stored and accessible during the full retention period stipulated by your license.

CDR Connectivity

Based on your Data Center location (region), CDR must have connectivity to this endpoint:

  • United States: magellan.us1.cgn.portal.checkpoint.com

  • Europe: webserver.logic.eu1.cgn.portal.checkpoint.com

  • Australia: webserver.logic.ap2.cgn.portal.checkpoint.com

  • Canada: webserver.logic.cace1.cgn.portal.checkpoint.com

  • India: webserver.logic.ap3.cgn.portal.checkpoint.com

More Links