AWS Control Tower

The following capabilities are included with Alert Logic Managed Detection and Response:

  • Threat detection that spans the entire attack surface and operates at scale
  • Protection for your business, including your containers and applications, with the proven combination of a network intrusion detection system (IDS), vulnerability management, log management, extended endpoint protection and web application firewall protection for hybrid, cloud, and on-premises environments
  • Threat intelligence based on industry data and expert security analyst research, with machine learning based on data analysis across thousands of customers' attack surfaces
  • Real-time alerting, incident verification, and remediation guidance from experts available 24/7 with a 15-minute service-level agreement for verified incidents

Supported subscription types

  • Managed Detection and Response Essentials
  • Managed Detection and Response Professional

Architecture diagram

Alert Logic Control Tower Automation uses the following AWS Services to enable automatic protection of newly added AWS Accounts:

  • Amazon EventBridge
  • AWS CloudFormation Stack and StackSets
  • AWS Lambda
  • Cross-account IAM Roles

The automation CloudFormation Stack is deployed in the Control Tower master account. It creates two Lambda functions and a CloudFormation StackSet that is deployed to protected linked accounts.

In the Security Account, an SNS topic is created, two Lambda functions are deployed, and an Amazon EventBridge rule is created to subscribe to tag updates from linked accounts.

Accounts Presented in the Architecture Diagram

  1. Control Tower Account—Master account on which AWS Control Tower was enabled
  2. Log Archive Account—A centralized CloudTrail log account
  3. Audit Account—A centralized CloudTrail SNS Topic account
  4. Security Account—An account where Alert Logic Control Tower automation orchestration is deployed
  5. Linked Account—One or more AWS accounts protected by Alert Logic. Alert Logic appliances and agents are deployed into these accounts.

Overview

  1. During the CloudFormation Stack deployment, the following changes are made to the customer's Control Tower master account:
    1. The AlertLogic-CT StackSet is created. This StackSet is deployed to linked accounts to set them up correctly for protection by Alert Logic Managed Detection and Response.
    2. The Onboarding Lambda is created and invoked to set up the CloudTrail SQS queue that enables the Alert Logic subscription to AWS CloudTrail.
    3. The Lifecycle Lambda is created; it subscribes to CreateManagedAccount Control Tower events.
  2. When a new linked account is added to Control Tower, the Lifecycle Lambda function creates and launches the AlertLogic-CT StackSet in the linked account. The following changes are made:
    1. The AlertLogic-CT StackSet creates a third-party role that enables monitoring and automatic deployment of Alert Logic infrastructure into the linked account.
    2. The StackSet sends an SNS notification to the Security Account SNS topic to indicate that a new account has been provisioned.
  3. The Security Account Lambdas create Alert Logic Managed Detection and Response deployments and set the scope of protection. The latter happens when a VPC is tagged with the AlertLogic tag.
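As an added example (not Alert Logic's own code), the following Python shows an EventBridge event pattern for the tag-update subscription described above, together with the filtering a Security Account Lambda would apply before changing the scope of protection. The tag key AlertLogic, the VPC resource type and the AWS "Tag Change on Resource" event shape are assumptions, and the sample event is constructed.

```python
WATCHED_TAG_KEY = "AlertLogic"  # assumed tag key used to scope protection

# EventBridge event pattern for the rule in the Security Account; each list
# is the set of accepted exact values (EventBridge pattern syntax).
EVENT_PATTERN = {
    "source": ["aws.tag"],
    "detail-type": ["Tag Change on Resource"],
    "detail": {
        "service": ["ec2"],
        "resource-type": ["vpc"],
        "changed-tag-keys": [WATCHED_TAG_KEY],
    },
}

def matches_pattern(event, pattern=EVENT_PATTERN):
    """Minimal EventBridge-style matcher: every pattern key must exist in the
    event; a list means "any of these values" (an event-side list matches if
    any of its elements is accepted); nested dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
        else:
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(c in expected for c in candidates):
                return False
    return True

def protection_action(event):
    """Return ("add", account, vpc_id) when the watched tag is present after the
    change, ("remove", ...) when it was deleted, or None for unrelated events."""
    if not matches_pattern(event):
        return None
    vpc_id = event["resources"][0].rsplit("/", 1)[-1]
    tags_after = event["detail"].get("tags", {})
    action = "add" if WATCHED_TAG_KEY in tags_after else "remove"
    return (action, event["account"], vpc_id)

# Constructed sample event (not captured from a real account)
SAMPLE_EVENT = {
    "source": "aws.tag", "detail-type": "Tag Change on Resource",
    "account": "111111111111", "region": "us-east-1",
    "resources": ["arn:aws:ec2:us-east-1:111111111111:vpc/vpc-0abc123def456"],
    "detail": {"changed-tag-keys": ["AlertLogic"], "service": "ec2",
               "resource-type": "vpc",
               "tags": {"AlertLogic": "true", "Name": "prod-vpc"}},
}
```

Running `protection_action(SAMPLE_EVENT)` yields an "add" decision for the tagged VPC; a tag-change event for any other resource type or tag key is ignored.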

Prerequisites

The solution does not require any additional resources to be enabled outside the ones already enabled by AWS Control Tower.

In addition, it is unlikely that a customer will need to increase any service limits, but note that the automation solution creates an EventBridge rule in the security account to capture tag updates from linked accounts.

Before you implement this solution, Alert Logic recommends that you become familiar with AWS CloudFormation, AWS Lambda, AWS CloudTrail and Amazon EventBridge services.

If you are new to AWS, see Getting Started with AWS.

For additional information on AWS Marketplace, see the AWS Marketplace documentation.

To get started with AWS Control Tower, see the AWS documentation on Control Tower.

Deployment and Configuration

Subscribe to Alert Logic Managed Detection and Response on the AWS Marketplace

  1. Locate Alert Logic Managed Detection and Response in the AWS Marketplace (Alert Logic Managed Detection and Response (US), Alert Logic Managed Detection and Response (UK), Alert Logic Managed Detection and Response Professional - SaaS Contract (US) or Alert Logic Managed Detection and Response Professional - SaaS Contract (UK)).

  2. Click Continue to Subscribe.
  3. Next, configure your contract. You can select the Contract Duration and set the Renewal Settings.

  4. Select the Contract Options to be activated with your contract.

  5. After you configure your contract, click Create contract.
  6. You will be prompted to confirm the contract. If you agree to the pricing, click Pay Now.
  7. Check your email for the validation email from Alert Logic. After you confirm receipt, Alert Logic sends another email that enables a password reset and grants access to the Alert Logic console.

Log into the Partner UI

  1. Create an access key and a secret key in the Alert Logic console. For more information about how to create an access key and secret key, see Create and Manage Alert Logic Access Keys.
  2. Download the code from <partner-github-repository>
  3. Log into the <MASTER|LOG|XXX> account in AWS Control Tower as <Permissions>.
  4. To deploy the solution, create a new CloudFormation Stack using this template.
  5. Provide the following information to deploy the CloudFormation Stack:

    • Alert Logic API Access Key and Alert Logic API Secret Key
    • Alert Logic CustomerID – found on the Support page in the Alert Logic console
    • Control Tower Audit Account ID – the Control Tower AWS audit account
    • LogArchiveAccount – the Control Tower log archive account
    • SecurityAccount – the designated AWS security account
    • TargetRegion – list of regions in which to enable Alert Logic Managed Detection and Response deployment

Verify linked accounts

After the CloudFormation deployment completes, the linked accounts appear as deployments in the Alert Logic console.

Validate that the solution is properly deployed

The Alert Logic appliance is deployed automatically to the linked accounts within 15 minutes.

In addition, you are responsible for installing Alert Logic Managed Detection and Response agents on the protected hosts.

Follow these instructions to deploy Alert Logic Managed Detection and Response Agents for Linux or Windows.

The agents are automatically claimed and assigned to the appliances.

After installation

The Alert Logic Managed Detection and Response solution automatically analyzes network traffic and logs (CloudTrail and host logs) and scans hosts for vulnerabilities. This information can be accessed through the Alert Logic console.