Migrating from a traditional on-prem security infrastructure to a scalable cloud platform is the dream. But in practice, the process of restructuring a legacy framework can become a costly and troublesome endeavor.

Cloud migration requires detailed restructuring, data validation, and knowledgeable Security Engineers.   

So, what’s an enterprise to do? The stop-gap solution is to hybridize, keeping essential on-prem infrastructures for compliance while taking advantage of cloud benefits.  

The Challenge  

Datashield facilitated a hybridization of a client on the RSA NetWitness platform and their new business unit on Amazon Web Services (AWS) Cloud. Their newly acquired business unit had existing cloud infrastructure in the cloud.  

Company Background  

• US-based enterprise insurance company  
• 500+ employees  
• State-specific operations across the country  
• Recently acquired new business unit with plans for expansion  

“When we talk about cloud-based solutions everything is very customizable,” said Clayton Paplaczyk, Manager of Security Engineering and Solutions Architecture at Datashield. “So is NetWitness; in this case we were able to create a scalable custom solution for our customer.”  

AWS Cloud Security integrates with a variety of SIEM and endpoint technologies, making it a flexible solution to build a security architecture on. Additionally, the RSA NetWitness platform has an expansive catalog of leading security integrations and software.  

The Process  

Datashield began with our consultative approach. Our team held an initial overview of our client’s new working requirements and other wanted features and integrations. Scoping included understanding their on-prem architecture, industry and compliance needs, and future needs in terms of scaling and flexibility within AWS.  

Next, we determined what log and packet data the client wanted to receive, maintain, and their security requirements. This list includes necessary data for our analysts to continue providing our Managed Detection and Response (MDR) services, as well as any additional retention requirements beyond Datashield’s recommended requirements.  

A Security Information and Event Management (SIEM) product works only as well as the data being sent to it and stored. Therefore, Datashield’s client relied on our expert security engineers to provide guidance and leadership to make sure their data flowed seamlessly across their respective Virtual Private Clouds (VPC). 

Datashield’s team then went to work creating the new architecture and determining the costs based on the number of virtual machines (VMs), amount of data storage, amount of data transfer, and infrastructure time management costs. This process took multiple meetings and iterations, as well as conversations about a future full infrastructure migration to AWS.  

The largest costs to factor when considering a hybrid or cloud deployment are compute resources (vCPUs and vRAM) for the Virtual Machines and the necessary required additional Storage. When collecting log data, you want to be able to query for at least 60 days. Having a competent team to help estimate current and future data costs is essential in the success of a cloud or hybrid deployment.  

This case was unique in that the client initially wanted logs sent into an S3 bucket, which is very cost effective for long term storage, whereas a traditional deployment to AWS may not require the additional infrastructure. If your organization has unique operating requirements, storage needs, or compliance conditions, make sure to hire a tool-agnostic firm that can determine the correct product suite or tool set along with architecting a custom security solution.  

Example Deployment  

An example architectural diagram of a hybrid cloud deployment between an AWS and on-premise NetWitness stack.  

Currently, VPC Flow Logs and CloudTrail Logs are directly supported by RSAs NetWitness via custom plugins but require a pull initiated from the NetWitness environment. Exporting data from AWS can increase the cost of the cloud solution therefore in this case we are storing data within AWS and only pulling/querying the necessary data from the on-premise NetWitness stack. Results very depending on which cloud hosting infrastructure you are utilizing, AWS, Azure, Google, etc. 

Datashield has provided a high-level walkthrough of how an RSA NetWitness and Amazon Web Services Cloud deployment would occur:  

• Logs are collected by either CloudWatch, VPC Flow Logs or CloudTrail AWS services in their respective Virtual Private Clouds.  
• Then, data is sent to an AWS Lambda object, which is running a function that takes the raw logs and encapsulates them to transfer downstream to the NetWitness Log Collector service via Syslog.  
• NetWitness then saves the raw log data, parses the meta based on the parser for the device type and then the meta data is stored on the Log Concentrator ready to be queries from the upstream NetWitness devices.  
• The collection process enables SHIELDVision and Datashield’s analysts to query the data via the upstream broker. Based on NetWitness architecture the data is queried directly on the Concentrator which saves on cloud data transfer costs.  
• Alerts are handled by the Event Stream Analyst (ESA) service (such as Datashield’s MDR services) which alerts the content team based on custom threat hunting queries.  

Turnaround was fast, as our client had outsourced the architecture to our team that also handles their Managed Detection and Response services. This ensured that all logs were readable and easily queried by our expert analysts, who assist our client in alerting and threat hunting via SHIELDVision.  

The Results  

Datashield prides itself on being able to deliver world-class results for our clients. Our client was able to merge its new business operations and upgrade part of their infrastructure to the cloud while also planning for future acquisitions and full cloud deployment. By doing so, they have also reduced the amount of hardware maintenance costs to their business.  

Their business operations across 46 states and over 500 employees required extreme attention to detail and cloud security expertise.  

Datashield is a steward of cybersecurity resilience. This hybridization allowed our client to grow their business needs while maintaining a uniform infrastructure. The uniformity allows the company to easily scale, maintain, troubleshoot, and mitigate alerted threats.  

Moving forward, our client will continue to utilize Datashield for additional scaling, full-cloud transition, and leading Managed Detection and Response services.  

If your organization is looking to hybridize or transfer your entire security architecture to the cloud, Datashield is ready to help. Contact us today for a no-cost consultation.