Have you ever been asked to find out if any of your databases are exposed to the internet? How do you go about doing this?
A great place to start is by taking a look at the flow logs, which show traffic to and from my network interfaces. I would go through rows and rows of flow logs, and once I've parsed these rows of non-actionable data, I might find something useful.
However, there is a big issue here.
Flow logs only give you a unilateral record of network traffic. For example, say I have traffic going from Node A to Node B. There may be another row in the flow logs describing traffic from Node B to Node A. Unfortunately, neither row tells you directly which endpoint initiated the connection. In addition, if I also wanted to find out which security groups are attached to the databases in question, I would need to check elsewhere.
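To make the directionality problem concrete, here is an added example (not RedLock's code and not from the original post) that pairs the two halves of each conversation in constructed VPC flow log records and infers the initiator with a simple port heuristic: the endpoint listening on a known database port is treated as the server, the endpoint on an ephemeral port as the client. The record layout follows the AWS VPC flow log v2 format; the account id, interface id, addresses and ports are constructed, and the RFC 1918 check is an assumption about what counts as "internal".

```python
import ipaddress

# Constructed sample in AWS VPC flow log v2 layout (space-separated):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.25 51433 5432 6 9 1200 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.7 5432 51433 6 7 2400 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.40 10.0.1.25 44012 3306 6 12 5000 1620000100 1620000160 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.40 3306 44012 6 10 9000 1620000100 1620000160 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.25 40001 3306 6 1 60 1620000200 1620000260 REJECT OK
"""

# Well-known database listener ports used by the directionality heuristic.
DB_PORTS = {3306: "mysql", 5432: "postgres", 1433: "mssql", 27017: "mongodb", 6379: "redis"}

# Assumption: only RFC 1918 space (plus loopback/link-local) is "internal".
# The documentation ranges 203.0.113.0/24 and 198.51.100.0/24 used in the
# sample therefore count as external, which is the case we want to detect.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_flow_log(text):
    """Parse v2 records into dicts; skips malformed or non-v2 lines."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":
            continue
        flows.append({"src": f[3], "dst": f[4], "sport": int(f[5]),
                      "dport": int(f[6]), "action": f[12]})
    return flows

def initiator(flow):
    """Return (client, server, server_port) or None if the heuristic cannot decide.
    Whichever side sits on a DB port is the server; the other side initiated."""
    if flow["dport"] in DB_PORTS and flow["sport"] not in DB_PORTS:
        return flow["src"], flow["dst"], flow["dport"]
    if flow["sport"] in DB_PORTS and flow["dport"] not in DB_PORTS:
        return flow["dst"], flow["src"], flow["sport"]
    return None

def internet_exposed_databases(text):
    """Accepted conversations where an external client reached an internal DB port.
    Both directions of one conversation collapse into a single finding."""
    findings = set()
    for flow in parse_flow_log(text):
        if flow["action"] != "ACCEPT":
            continue  # REJECT rows show attempts, not exposure
        pair = initiator(flow)
        if pair is None:
            continue
        client, server, port = pair
        if not is_internal(client) and is_internal(server):
            findings.add((client, server, DB_PORTS[port]))
    return sorted(findings)
```

The rejected MySQL attempt from 198.51.100.9 is deliberately not reported; a security-group block is working there, while the accepted Postgres session from 203.0.113.7 is the exposure worth acting on.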
The RedLock Cloud 360 platform brings all of this information together by giving users network visualization. Using machine learning and heuristics, the platform determines the directionality of traffic. Users can also write queries in the RedLock Query Language (RQL) to look for any internet-facing IP address talking to their databases. Such a query can look like:
network where source.publicnetwork IN ( 'Suspicious IPs', 'Internet IPs' ) and dest.resource IN ( resource where role IN ( 'Database' ))
This populates a network graph with nodes, edges, and, most importantly, actionable data. The platform also attaches security group and user attribution details, along with other relevant context, painting the entire picture. After all, a picture is worth a thousand words.
Get a demo to see how RedLock can help you with: