VPC (virtual private cloud) flow log data contains a wealth of information that can be used to gain a clear understanding of a network’s security posture. However, it can be challenging and prohibitively time-consuming for analysts to get a handle on the sheer volume of flow logs.
The comprehensive MixMode security platform empowers security teams to gain better insight about VPC flow logs in a manageable way.
What are Amazon VPC Flow Logs?
- Diagnose overly restrictive security group rules
- Monitor traffic that is reaching your instance
- Determine the direction of traffic to and from network interfaces
Because flow log data is collected outside network traffic paths, Amazon says, it does not affect network throughput or latency. Creating and deleting flow logs poses no risk to network performance.
VPC flow logs can include information about VPCs, subnets and network interfaces. Users specify the resource for which to create the log, the type of traffic to capture and the destinations where flow log data will be published.
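The tasks listed above (diagnosing restrictive security group rules, monitoring traffic reaching an instance) come down to parsing and aggregating flow log records. The following is an added example, not MixMode or AWS code, that parses records in the documented default flow log format and summarises REJECTed destination ports and ACCEPTed bytes per destination; the sample records and the account and interface ids in them are constructed.

```python
# Added example (not MixMode or AWS code): parse VPC flow log records in the
# documented default format and summarise them. Sample records are constructed.
from collections import Counter, defaultdict

DEFAULT_FIELDS = ("version account-id interface-id srcaddr dstaddr srcport "
                  "dstport protocol packets bytes start end action log-status").split()

# Constructed sample records (not real traffic). Two flows to TCP/443 are
# rejected, the pattern an overly restrictive security group produces.
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49152 443 6 10 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.11 10.0.2.20 49153 443 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.12 10.0.2.20 49154 443 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.3.5 10.0.2.20 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_records(text):
    """Return one dict per record; NODATA/SKIPDATA rows carry no flow and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(DEFAULT_FIELDS):
            continue  # malformed or custom-format row
        rec = dict(zip(DEFAULT_FIELDS, parts))
        if rec["log-status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key]) if rec[key] != "-" else None  # '-' means no value
        records.append(rec)
    return records

def rejected_dst_ports(records):
    """Count REJECTed flows per (protocol, dstport); a high count on a port the
    workload should serve points at a missing security-group rule."""
    counts = Counter()
    for r in records:
        if r["action"] == "REJECT":
            counts[(r["protocol"], r["dstport"])] += 1
    return counts

def bytes_per_destination(records):
    """Total ACCEPTed bytes per dstaddr: the 'traffic reaching your instance' view."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ACCEPT":
            totals[r["dstaddr"]] += r["bytes"]
    return dict(totals)
```

Run against real data by feeding the downloaded log text into `parse_records`; rows in a custom field order need `DEFAULT_FIELDS` replaced with that order.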
Amazon VPC Flow Logs and Security Best Practices
As part of an overarching list of security best practices, VPC flow logs have a key role to play. AWS recommends several security monitoring best practices:
- Turn on AWS CloudTrail logging in every Region and integrate it with Amazon CloudWatch Logs. Ensure that log file validation is enabled and that logs are encrypted using AWS Key Management Service (KMS).
- Turn on Amazon VPC Flow Logs for every VPC, or at least for the ones with critical assets.
- Leverage Amazon S3 bucket versioning for secure retention and use Object Lock to block object version deletion. Create Write-Once-Read-Many Archive Storage with Amazon S3 Glacier for long-term storage.
- Aggregate AWS CloudTrail log files from multiple accounts to a single bucket. It is a good security practice to set up a separate account and replicate logs to that account, so logs cannot be deleted for a particular account.
How MixMode Uses Amazon VPC Flow Logs
MixMode uses advanced anomaly detection, alerting, predictive analytics, and forensic search for VPC flow logs through a patented self-learning AI originally built for DARPA and the DoD. Once deployed within an AWS VPC environment, MixMode helps enterprise security teams worldwide to monitor AWS traffic in real time, shoring up gaps in their organizations’ security postures.
A key benefit of the unsupervised, context-aware AI MixMode platform is its ability to focus on only those threats that pose legitimate risks. The platform doesn’t rely on log data like a traditional SIEM — instead, MixMode creates a baseline of expected network behavior based on real-world environments in real time. The platform uses VPC flow log data as an additional source that can be tapped to deliver anomaly detection that is more complete than relying on traditional sources alone.
Once VPC flow logs are set up within the platform, MixMode monitors deviations from the baselines of multiple streams, including cloud, network data and SIEM, to catch suspicious activity.