SOCFortress Integrations — Nutanix HCI

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Intro

SOCFortress integration and visualisation tools allow security analysts to visualise and triage Nutanix HCI logs and events from a single pane of glass.

About Nutanix

Nutanix is known for its hyper-converged infrastructure (HCI) solutions, which combine storage, computing, and virtualisation into a single, integrated platform. This architecture simplifies IT operations, making Nutanix a popular choice for organisations that want to consolidate and modernise their infrastructure without relying on traditional SAN and NAS storage solutions.

Solutions available

  • Nutanix AHV (Acropolis Hypervisor):
     — Hypervisor Integration: Nutanix AHV is a native hypervisor based on KVM, integrated into the Nutanix platform to simplify management. It’s positioned as an alternative to VMware ESXi and Microsoft Hyper-V and is designed for enterprises looking to avoid hypervisor licensing costs.
     — Seamless Management with Prism: Nutanix’s Prism management software allows users to manage AHV clusters, VMs, and storage resources through a single interface.
     — VM Mobility and High Availability: AHV offers features like live migration (similar to vMotion in VMware) and VM high availability (HA), along with advanced scheduling and resource allocation features.
  • Prism Central and Prism Element:
     — Unified Management: Prism Element is used for managing individual clusters, while Prism Central allows for multi-cluster management across locations. Prism provides a clean, easy-to-use interface with built-in analytics, automation, and reporting tools.
     — One-click Upgrades and Automation: Prism supports one-click upgrades for the full Nutanix stack, minimising downtime and operational complexity.
  • Nutanix Calm for Application Automation and Orchestration:
     — Self-Service and Blueprinting: Nutanix Calm simplifies deploying applications across multiple environments by creating reusable blueprints, which automate multi-tier app deployment and lifecycle management.
     — Hybrid Cloud Support: Calm enables consistent application management across private clouds and public cloud providers like AWS, Azure, and Google Cloud.
  • Hybrid and Multi-Cloud Integration (Nutanix Clusters):
     — Seamless Extension to Public Cloud: Nutanix Clusters allows organisations to extend their on-premises Nutanix environments to AWS and Azure. This provides a hybrid cloud solution with workload mobility, letting organisations scale resources on demand without complex reconfiguration.
     — Single Pane of Glass Management: You can manage your on-premises Nutanix infrastructure and your cloud resources through the same Nutanix Prism console.
  • Data Protection and Disaster Recovery:
     — Nutanix offers built-in data protection, disaster recovery, and backup solutions, such as asynchronous replication, snapshots, and failover capabilities.
     — Nutanix Mine: An integrated backup solution that works with AHV and other hypervisors to provide native backup and data recovery options within the Nutanix ecosystem.
  • Advanced Security Features (Flow and Files):
     — Nutanix Flow: Provides micro-segmentation and network security, allowing administrators to define and enforce policies between applications and users within the Nutanix infrastructure.
     — Nutanix Files and Objects: File and object storage solutions integrated into the Nutanix HCI stack, providing scalable, software-defined storage for enterprise data needs.

Ingesting Nutanix Hypervisor Logs and Events

Reference: https://docs.trendmicro.com/en-us/documentation/article/trend-micro-web-security-online-help-cloud-syslog-forward

Nutanix log analysis often involves auditing different types of system activities for security, performance, and troubleshooting purposes.

Some of these log types, and their relevance from a security point of view:

1. PATH: Useful in tracking access to files and directories, especially in security monitoring to trace which paths are being accessed by processes.

2. SYSCALL: Important for understanding actions performed at the OS level, such as file manipulation, network operations, and other critical system interactions. Common in forensic analysis and intrusion detection to detect unauthorised actions.

3. PROCTITLE: Useful for identifying what specific commands were issued by processes, which helps in tracking down suspicious commands or processes initiated by potentially unauthorised users.

4. USER_ACCT: Essential for monitoring logins and account access, especially to identify failed login attempts or unusual login behaviour, which may indicate account compromise.

5. USER_START: Useful in tracking the beginning of user sessions, which is helpful for monitoring active user sessions and identifying unusual or unauthorised access.

6. USER_END: Complements USER_START logs by marking the end of a session, enabling full tracking of session durations and identifying if sessions were terminated unexpectedly.

7. CRED_DISP: Important for auditing and ensuring that credentials are disposed of securely after use, helping to detect potential security issues where credentials might otherwise linger in memory.

8. CRED_REFR: Useful for detecting unusual credential refresh patterns, which can indicate either a user’s re-authentication or potential malicious attempts to keep a session alive.

9. USER_CMD: Vital for monitoring user actions on the system. This can help detect unauthorised or suspicious command executions, providing insight into potential insider threats or compromised accounts.

10. AVC (Access Vector Cache): Valuable for security analysis, especially when troubleshooting access control issues or detecting policy violations that may indicate unauthorised access attempts.

11. CONFIG_CHANGE: Essential for monitoring any configuration adjustments, helping in change management and identifying unauthorised configuration changes that could affect system security or performance.
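The record types above are Linux audit (auditd) record types. As an added example, not code from SOCFortress or Nutanix, the Python below parses a few constructed auditd-style records of those types, decodes the hex-encoded command fields that PROCTITLE and USER_CMD carry, and flags accounts with repeated failed USER_ACCT logins. The sample records and their values (hosts, accounts, timestamps) are assumptions written for this example, not output captured from a Nutanix node.

```python
import re
from collections import Counter

# Constructed sample records in the Linux auditd format the post's log types come from.
# proctitle= and cmd= values are hex-encoded, as auditd does for arguments containing spaces.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4201): arch=c000003e syscall=59 success=yes exit=0 uid=1000 auid=1000 comm="sudo" exe="/usr/bin/sudo" key="exec"
type=PROCTITLE msg=audit(1700000000.123:4201): proctitle=7375646F002F62696E2F6261736800
type=PATH msg=audit(1700000000.123:4201): item=0 name="/usr/bin/sudo" inode=1234 mode=0104755
type=USER_ACCT msg=audit(1700000001.500:4202): pid=2211 uid=0 auid=4294967295 msg='op=PAM:accounting acct="admin" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=failed'
type=USER_ACCT msg=audit(1700000002.500:4203): pid=2212 uid=0 auid=4294967295 msg='op=PAM:accounting acct="admin" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=failed'
type=USER_CMD msg=audit(1700000003.000:4204): pid=2300 uid=1000 auid=1000 msg='cwd="/home/ops" cmd=2F62696E2F62617368 terminal=pts/0 res=success'
type=CONFIG_CHANGE msg=audit(1700000004.000:4205): auid=1000 ses=3 op=add_rule key="exec" list=4 res=1
"""

# key=value tokens: double-quoted, single-quoted (the nested msg='...' block), or bare
FIELD_RE = re.compile(r'''(\w+)=("(?:[^"\\]|\\.)*"|'[^']*'|\S+)''')
HEX_RE = re.compile(r'^[0-9A-Fa-f]+$')

def parse_record(line):
    """Split one audit record into a dict; the nested msg='k=v ...' block is flattened."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if key == "msg" and raw.startswith("'"):
            fields.update(parse_record(raw.strip("'")))
        else:
            fields[key] = raw.strip('"')
    return fields

def decode_hex_field(value):
    """Decode an auditd hex-encoded proctitle/cmd value; NUL bytes separate argv entries."""
    if HEX_RE.match(value) and len(value) % 2 == 0:
        return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ").strip()
    return value

def summarise(log_text, failed_threshold=2):
    """Count records per type, collect executed commands, flag repeated failed logins per (account, source)."""
    by_type, commands, failed = Counter(), [], Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        by_type[rec["type"]] += 1
        if rec["type"] == "PROCTITLE":        # full command line of the SYSCALL event
            commands.append(decode_hex_field(rec["proctitle"]))
        elif rec["type"] == "USER_CMD":       # command run through sudo/su
            commands.append(decode_hex_field(rec["cmd"]))
        elif rec["type"] == "USER_ACCT" and rec.get("res") == "failed":
            failed[(rec.get("acct"), rec.get("addr"))] += 1
    suspects = {k: n for k, n in failed.items() if n >= failed_threshold}
    return dict(by_type), commands, suspects
```

Calling `summarise(SAMPLE_AUDIT_LOG)` returns the per-type counts, the decoded commands (`sudo /bin/bash`, `/bin/bash`) and the `admin` account from `10.0.0.5` with two failed logins, which is the same triage the Log by module / type visualisation supports.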

Visualisations

Landing page:

Log volume and logs by source (node):

Log by module / type:

(See above for logs and log types relevance in security analysis).


Original link: https://socfortress.medium.com/socfortress-integrations-nutanix-hci-79094a6888d3?source=rss-36613248f635------2