CyberHub Deployment Guide for AWS Environment (Global)

This deployment guide will help Accenture Adaptive MxDR customers to build CyberHub for AWS using CloudFormation.

The document includes the following topics:

Introduction to the Accenture CyberHub

The Accenture CyberHub is designed to collect, compress, and transmit your devices' log data securely to the Google Log forwarder for analysis and storage.


Getting Started

The CyberHub supports a wide range of secure services for customer devices. Device logs can be processed and analyzed in the CyberHub, and the gathered data can be transported securely.

Data collection

  1. Security event sources detect and log network and endpoint activity.

  2. Log data is gathered by Event Collectors and sent to an Event Translator Service. Event Collectors gather, filter, and aggregate the log data and send both raw and processed log data to the Event Translator Service for transmission to the CyberHub.

  3. A data forwarding service or the Google Log Forwarder sends raw and processed security data directly to Chronicle SIEM. The security data is encrypted while in transit to Chronicle.

CyberHub Onboarding Process

Onboarding is the act of configuring, establishing, and validating the flow of data from your devices into the Adaptive MxDR. All devices must be onboarded before the Adaptive MxDR can use data from the device. The CyberHub onboarding process is as follows:

  1. The AWS CyberHub image is provided as an Amazon Machine Image (AMI), which is transferred to the customer's AWS account.

  2. Connectivity needs to be established for the CyberHub to access all required services.

  3. CyberHub virtual hardware requirements need to be in place, as specified in the prerequisites section.

  4. The CyberHub needs to be deployed by following the deployment instructions.

  5. Your Accenture SDL needs to be informed about every newly deployed CyberHub.

  6. CyberHub connectivity details such as the internal IP, hostname and DNS details need to be shared via the CyberHub Tech Stack created on the Adaptive MxDR Portal.

  7. The Accenture team will perform CyberHub connectivity tests and review deployment success.

  8. After the CyberHub is fully deployed, the Accenture team will baseline the CyberHub and apply hardening scripts. From this point on, only certified Accenture Adaptive MxDR technical resources will be able to access and manage the CyberHub.

Access to the CyberHub can’t be granted to anyone else.

The following information is required for each CyberHub:

Table 1.1: Installation Requirements

Host Name: The host name of the computer where the CyberHub will reside; e.g., CyberHub001.

Domain name server: A comma-separated list of local domain name server IP addresses. This allows the collector to resolve logged host names to IP addresses, which is critical for Accenture MDR analysis.

Subnet mask: The subnet mask for the network where the CyberHub will reside, in IPv4 format; e.g., 255.255.255.0

Gateway: The IP address of the default gateway the CyberHub will use, in IPv4 format; e.g., 128.0.0.1

IP address: Static/reserved IP address for the CyberHub, in IPv4 format; e.g., 128.0.0.8

Domain: The CyberHub's domain name; it can be any name you prefer and does not have to be the actual local domain name; e.g., example.customer.com

Prerequisites

  • To request the CyberHub Amazon Machine Image, reach out to the SOC onboarding team via a service request, providing your AWS account ID and region.

  • The onboarding engineer will update the service request once the CyberHub AMI has been shared with the given AWS account ID, after which you can proceed with the steps below.

Security group rules (inbound and outbound), the instance type, a 250 GB HDD and an Elastic IP are assigned automatically to the instance during stack creation.

The above CyberHub specifications are for estimation and guidance only. Post deployment, a detailed understanding of the amount of log data being generated in the environment, in combination with the log processing capacity, will be required to.

Before installing the CyberHub, please make sure the following prerequisites are met.

  • The SOC connects to the CyberHub using AWS Session Manager. Please discuss this with your Technical Project Manager if you have further questions.

  • Virtual hardware is provisioned as per the specification listed below and can support the CyberHub OS base. The CyberHub image is currently based on Ubuntu 20.4.

  • The CyberHub requires access to the DNS server holding the DNS A records of all event sources planned to be integrated with the MDR service. Up to 3 DNS servers and 6 DNS search domains can be configured per CyberHub. DNS information is currently not shared between CyberHubs.

  • When standing up a CyberHub server to connect to the Adaptive MxDR Platform, apply the following port settings:

Table 1.2: Port Requirements

Source | Destination | Protocol/Port | Description
<CyberHub IP> | ssm.us-east-1.amazonaws.com, ec2messages.us-east-1.amazonaws.com, ssmmessages.us-east-1.amazonaws.com, kms.us-east-1.amazonaws.com | TCP/443 | SSM Agent service for Adaptive MxDR management access
<CyberHub IP> | <Customer NTP> | UDP/123 | Network Time Protocol
<CyberHub IP> |  | TCP/443 | CyberHub updates
<CyberHub IP> |  | TCP/443 | CyberHub configurations
<CyberHub IP> | <Customer DNS Server> | TCP/53; UDP/53 | DNS resolution (TCP is used when the message is longer than 512 bytes)
<CyberHub IP> | <Chronicle Cloud Instance> | TCP/443 | Sends logs to the Chronicle instance. The list of Chronicle URLs is in the linked Chronicle forwarder page.
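A practical way to use Table 1.2 is to verify the egress paths from the CyberHub host before the Accenture connectivity test in onboarding step 7, so a blocked port is found on your side first. The following pre-flight checker is an added example and not Accenture's code: it takes the four us-east-1 endpoints from the table, sends a real NTP request over UDP/123 and a real DNS query over UDP/53 (a plain TCP handshake would not reveal a firewall that passes only TCP/53), and reports any rule that fails. CUSTOMER_NTP and CUSTOMER_DNS are placeholders for the values from Table 1.1; the Chronicle URLs are not on the page, so they are not included.

```python
"""Pre-flight egress check built from Table 1.2 (added example, not
Accenture's code). The four AWS endpoints are the us-east-1 names the guide
lists; CUSTOMER_NTP and CUSTOMER_DNS are placeholders for Table 1.1 values."""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    destination: str
    proto: str       # "tcp" or "udp"
    port: int
    purpose: str


CUSTOMER_NTP = "ntp.example.customer.com"  # placeholder, replace with your NTP server
CUSTOMER_DNS = "10.0.0.2"                  # placeholder, replace with your DNS server

REQUIRED = [
    Rule("ssm.us-east-1.amazonaws.com", "tcp", 443, "SSM Agent"),
    Rule("ec2messages.us-east-1.amazonaws.com", "tcp", 443, "SSM Agent"),
    Rule("ssmmessages.us-east-1.amazonaws.com", "tcp", 443, "SSM Agent"),
    Rule("kms.us-east-1.amazonaws.com", "tcp", 443, "SSM Agent"),
    Rule(CUSTOMER_NTP, "udp", 123, "NTP"),
    Rule(CUSTOMER_DNS, "tcp", 53, "DNS"),
    Rule(CUSTOMER_DNS, "udp", 53, "DNS"),
]


def build_dns_query(name, txid=0x1234):
    """Minimal DNS A query: 12-byte header (RD set, QDCOUNT=1), QNAME, QTYPE=A, QCLASS=IN."""
    header = txid.to_bytes(2, "big") + b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + b"\x00\x01\x00\x01"


def is_dns_reply(data, txid=0x1234):
    """True if data is a DNS response (QR bit set) carrying our transaction id."""
    return len(data) >= 12 and data[:2] == txid.to_bytes(2, "big") and bool(data[2] & 0x80)


def check_tcp(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes (TCP/443 and TCP/53 rows)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def _udp_roundtrip(host, port, payload, timeout, accept):
    """Send one datagram and return accept(reply); any socket error counts as a failure."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(payload, (host, port))
            data, _ = s.recvfrom(512)
            return bool(accept(data))
    except OSError:
        return False


def check_udp_ntp(host, port=123, timeout=3.0):
    """48-byte NTPv3 client request (LI=0, VN=3, mode=3); any 48-byte reply is a pass."""
    return _udp_roundtrip(host, port, b"\x1b" + 47 * b"\x00", timeout, lambda d: len(d) >= 48)


def check_udp_dns(host, port=53, timeout=3.0):
    """Real A query for example.com so a resolver reachable only over TCP is caught."""
    return _udp_roundtrip(host, port, build_dns_query("example.com"), timeout, is_dns_reply)


def run_checks(rules, tcp=check_tcp, udp=None):
    """Return [(rule, ok)] for every rule; the checkers are injectable for testing."""
    udp = udp or {123: check_udp_ntp, 53: check_udp_dns}
    results = []
    for r in rules:
        ok = tcp(r.destination, r.port) if r.proto == "tcp" else udp[r.port](r.destination, r.port)
        results.append((r, bool(ok)))
    return results


def failures(results):
    """Rules whose check did not pass."""
    return [r for r, ok in results if not ok]


if __name__ == "__main__":
    res = run_checks(REQUIRED)
    for r, ok in res:
        print(f"{'OK  ' if ok else 'FAIL'} {r.proto}/{r.port:<4} {r.destination} ({r.purpose})")
    raise SystemExit(1 if failures(res) else 0)
```

Run it on the CyberHub host (or another host in the same subnet and security group); a non-zero exit means at least one Table 1.2 path is blocked and should be fixed before the connectivity details are shared with the SDL.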

Configuration for Amazon Web Services (AWS) using CloudFormation

  1. Log in to the AWS portal.

  2. Enter CloudFormation in the search bar, then select the CloudFormation service from the list.

  3. Click Create Stack.

  4. In Choose a template, click Template is ready.

  5. Select the Template source as Upload a template file. Download the attached json file and choose it under Upload a template file to upload it from your local machine.

This CloudFormation template creates the CyberHub with encrypted EBS storage.

  6. Provide the following mandatory details:

  • Enter a stack name of your choice in Stack Name.

  • Enter a meaningful hostname for the instance in Hostname.

  • Enter an instance name of your choice in InstanceTag (Note: this instance name will be used in Step 11).

  • Select one Instance type from the drop-down list, as recommended below.

Family | Type | vCPUs | Memory (GB) | Instance Storage
Compute optimized | c5a.2xlarge | 8 | 16 | EBS only
Compute optimized | c5a.4xlarge | 16 | 32 | EBS only

  • Enter your local NTP server in the NTP IP text box (provide only one IP address).

  • Select the Subnet from the drop-down list (the subnet that will host this instance).

  • Select the VPC from the drop-down list (the VPC that will host this instance).

  • Click Next.

  • Skip the Options page and click Next.

  • Review the information and click Create.

  7. Select the Stack Name and ensure the Status field shows CREATE_COMPLETE.

  8. Click on the Services tab and select EC2.

  9. Click on Instances.

  10. Search for the keyword Name and click on it.

  11. Click Name under Tag keys, supply the InstanceTag value provided in Step 6 and click on the instance tag name (example: CyberHub4.0).

  12. The instance details appear on the screen.

  13. Share the Elastic IP address details with the Accenture Adaptive MxDR team to proceed with the CyberHub qualification process.
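The stack attaches the security group to the instance automatically, and the CyberHub is managed over Session Manager rather than an inbound port, so the group should allow only the egress in Table 1.2 and nothing inbound from the internet. The audit below is an added example, not Accenture's template or code: it reads the JSON that `aws ec2 describe-security-groups --group-ids <sg-id>` prints for the instance's group and reports any egress rule outside Table 1.2 (including the "all traffic" egress AWS adds to a new group by default), any Table 1.2 entry with no matching rule, and any ingress open to 0.0.0.0/0 or ::/0. The embedded SAMPLE is constructed for the example and its group id is a placeholder.

```python
"""Audit the security group attached to the CyberHub against Table 1.2
(added example, not Accenture's template or code). Input is the JSON from
`aws ec2 describe-security-groups`; SAMPLE is constructed, the id a placeholder."""
import json

# Egress the CyberHub needs per Table 1.2 as (protocol, port). Destinations are
# customer-specific (NTP, DNS, Chronicle), so the audit compares protocol/port.
ALLOWED_EGRESS = {("tcp", 443), ("udp", 123), ("tcp", 53), ("udp", 53)}

SAMPLE = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0",                   # placeholder id
    "IpPermissions": [                                   # inbound rules
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "IpPermissionsEgress": [                             # outbound rules
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 123, "ToPort": 123,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "10.0.0.2/32"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]})


def load_groups(text):
    """Security group records from the describe-security-groups output."""
    return json.loads(text)["SecurityGroups"]


def _cidrs(perm):
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _ports(perm):
    """Port range of a permission, or None for 'all protocols / all ports'."""
    if perm.get("IpProtocol") == "-1" or perm.get("FromPort") is None:
        return None
    return range(perm["FromPort"], perm["ToPort"] + 1)


def audit_egress(sg):
    """Egress rules that are broader than, or absent from, Table 1.2."""
    findings = []
    for perm in sg.get("IpPermissionsEgress", []):
        proto, ports, cidrs = perm.get("IpProtocol"), _ports(perm), _cidrs(perm)
        if ports is None:
            findings.append(f"egress: all traffic to {cidrs} (AWS default egress; restrict to Table 1.2)")
        elif len(ports) > 1:
            findings.append(f"egress: {proto}/{ports.start}-{ports[-1]} is wider than any Table 1.2 entry")
        elif (proto, ports.start) not in ALLOWED_EGRESS:
            findings.append(f"egress: {proto}/{ports.start} to {cidrs} is not in Table 1.2")
    return findings


def audit_ingress(sg):
    """Management is via Session Manager, so no internet-facing inbound rule is needed."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        if "0.0.0.0/0" in _cidrs(perm) or "::/0" in _cidrs(perm):
            ports = _ports(perm)
            shown = "all ports" if ports is None else f"{perm['IpProtocol']}/{ports.start}-{ports[-1]}"
            findings.append(f"ingress: {shown} open to the internet")
    return findings


def missing_egress(sg):
    """Table 1.2 entries no egress rule covers (a '-1' rule covers everything)."""
    missing = set(ALLOWED_EGRESS)
    for perm in sg.get("IpPermissionsEgress", []):
        proto, ports = perm.get("IpProtocol"), _ports(perm)
        for need in list(missing):
            if ports is None or (proto == need[0] and need[1] in ports):
                missing.discard(need)
    return missing


def audit(describe_output):
    """Map group id to its findings; an empty list means the group matches Table 1.2."""
    out = {}
    for sg in load_groups(describe_output):
        out[sg["GroupId"]] = audit_egress(sg) + audit_ingress(sg) + [
            f"egress: no rule for {p}/{port}" for p, port in sorted(missing_egress(sg))]
    return out


if __name__ == "__main__":
    import sys
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()  # pipe real output in
    for gid, findings in audit(text).items():
        print(gid, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Pipe the real `describe-security-groups` output into the script and clear every finding before sharing the Elastic IP in step 13; the "all traffic" egress in particular is easy to leave behind because AWS creates it on every new group.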

About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.

About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.