CyberHub Deployment Guide for VM - EU Region

This deployment guide will help Accenture Adaptive MxDR customers to build CyberHub using VMware deployment.

The document includes the following topics:

Introduction to the Accenture CyberHub

The Accenture CyberHub is designed to collect, compress, and securely transmit your devices' log data to the Google Log Forwarder for analysis and storage.


Getting Started

The CyberHub supports a wide range of secure services for customer devices. Device logs are processed and analyzed in the CyberHub, and the gathered data is transported securely.

Data collection

  1. Security event sources detect and log network and endpoints activity.

  2. Log data is gathered by Event Collectors and sent to an Event Translator Service. Event Collectors gather, filter, and aggregate the log data and send both raw and processed log data to the Event Translator Service for transmission to the CyberHub.

  3. A data forwarding service (the Google Log Forwarder) sends raw and processed security data directly to Chronicle SIEM. The security data is encrypted in transit to Chronicle.

CyberHub Onboarding process

Onboarding is the act of configuring, establishing, and validating the flow of data from your devices into the Adaptive MxDR. All devices must be onboarded prior to the Adaptive MxDR being able to utilize data from the device. The CyberHub onboarding process is as follows:

  1. The CyberHub image will be shared via the portal, or needs to be downloaded from the Adaptive MxDR portal.

  2. Connectivity needs to be established for the CyberHub to access all required services.

  3. CyberHub virtual hardware requirements need to be in place, as specified in the Prerequisites section.

  4. The CyberHub needs to be deployed by following the deployment instructions.

  5. Your Accenture SDL needs to be informed about every newly deployed CyberHub.

  6. CyberHub connectivity details such as internal IP, hostname and DNS details need to be shared via the CyberHub Techstack created on the Adaptive MxDR Portal.

  7. Accenture MxDR will perform CyberHub connectivity tests and review deployment success.

  8. After the CyberHub is fully deployed, Accenture MxDR will perform the CyberHub baseline and apply hardening scripts. From this point on, only certified Accenture MxDR technical resources will be able to access and manage the CyberHub.

Access to the CyberHub can’t be granted to anyone else.

Assumptions: Accenture Adaptive MxDR customers provide the virtual hardware resources to deploy the CyberHub in on-prem, private or public clouds. The customer is responsible for managing the underlying virtual platform. Virtual hardware requirements must be met as listed in Prerequisites. CyberHub deployment also requires customers to make sure all network configuration is in place before beginning the installation.

The following information is required for each CyberHub:

Table - 1.1: Installation Requirements

  • Host Name: The host name of the computer where the CyberHub will reside, e.g. CyberHub001.

  • Domain name server: A comma-separated list of local domain name server IP addresses. This allows the collector to resolve logged host names to IP addresses, which is critical for Accenture MDR analysis.

  • Subnet mask: The subnet mask for the network where the CyberHub will reside, in IPv4 format, e.g. 255.255.255.0

  • Gateway: The IP address of the default gateway the CyberHub will use, in IPv4 format, e.g. 128.0.0.1

  • IP address: Static/reserved IP address for the CyberHub, in IPv4 format, e.g. 128.0.0.8

  • Domain: The CyberHub's domain name; this can be any name you prefer and does not have to be the actual local domain name, e.g. example.customer.com

Prerequisites

Before installing the CyberHub, please make sure the following prerequisites are met.

  • The SOC must be able to reach the CyberHub through AWS Session Manager. Please discuss this with your Technical Project Manager if you have further queries.

  • Virtual hardware is provisioned as per the specification listed below and can support the CyberHub OS base. The CyberHub ISO image is currently based on Ubuntu Linux Server.

  • The CyberHub requires access to the DNS server holding the DNS A-records of all event sources planned to be integrated with the MDR service. Up to 3 DNS servers and 6 DNS search domains can be integrated per CyberHub. DNS information is currently not shared between CyberHubs.

  • When standing up a CyberHub server to connect to the MDR, apply the following port settings:

Table - 1.2: Port Requirements

  1. Source: <CyberHub IP>
     Destination: ssm.eu-west-1.amazonaws.com, ec2messages.eu-west-1.amazonaws.com, ssmmessages.eu-west-1.amazonaws.com
     Protocol/Port: TCP/443
     Description: SSM Agent service for Adaptive MxDR management access

  2. Source: <CyberHub IP>
     Destination: <Customer NTP>
     Protocol/Port: UDP/123
     Description: Network Time Protocol

  3. Source: <CyberHub IP>
     Protocol/Port: TCP/443
     Description: CyberHub updates

  4. Source: <CyberHub IP>
     Protocol/Port: TCP/443
     Description: CyberHub configurations

  5. Source: <CyberHub IP>
     Destination: <Customer DNS Server>
     Protocol/Port: TCP/53; UDP/53
     Description: DNS resolution (TCP is used when the message is longer than 512 bytes)

  6. Source: <CyberHub IP>
     Destination: malachiteingestion-pa.googleapis.com, accounts.google.com, gcr.io, oauth2.googleapis.com, storage.googleapis.com, europe-malachiteingestion-pa.googleapis.com, europe-west2-malachiteingestion-pa.googleapis.com, europe-west3-malachiteingestion-pa.googleapis.com, europe-west6-malachiteingestion-pa.googleapis.com
     Protocol/Port: TCP/443
     Description: Sends logs to the Chronicle instance. See the Chronicle forwarder link for the full list of Chronicle URLs.

Other ports may be required depending on which sources log to the CyberHub; the collectors for those sources may have their own specific port requirements.
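To confirm that the egress rules in Table 1.2 are in place before the connectivity test in the onboarding process, the following added script (not part of the original guide or the CyberHub image) resolves each TCP/443 destination from the table with the system resolver and attempts a plain TCP handshake, sending no application data. The endpoint list is taken from the table; the UDP rows (NTP, DNS) are not probed here, and the update/configuration rows are omitted because the guide lists no destination for them. Function and variable names are the author's own.

```python
import socket
from dataclasses import dataclass

# Egress endpoints copied from Table 1.2 of the guide (EU region).
REQUIRED_TCP_ENDPOINTS = [
    ("ssm.eu-west-1.amazonaws.com", 443, "SSM Agent"),
    ("ec2messages.eu-west-1.amazonaws.com", 443, "SSM Agent"),
    ("ssmmessages.eu-west-1.amazonaws.com", 443, "SSM Agent"),
    ("malachiteingestion-pa.googleapis.com", 443, "Chronicle ingestion"),
    ("accounts.google.com", 443, "Chronicle ingestion"),
    ("gcr.io", 443, "Chronicle ingestion"),
    ("oauth2.googleapis.com", 443, "Chronicle ingestion"),
    ("storage.googleapis.com", 443, "Chronicle ingestion"),
    ("europe-malachiteingestion-pa.googleapis.com", 443, "Chronicle ingestion"),
    ("europe-west2-malachiteingestion-pa.googleapis.com", 443, "Chronicle ingestion"),
    ("europe-west3-malachiteingestion-pa.googleapis.com", 443, "Chronicle ingestion"),
    ("europe-west6-malachiteingestion-pa.googleapis.com", 443, "Chronicle ingestion"),
]


@dataclass
class CheckResult:
    host: str
    port: int
    purpose: str
    status: str  # "ok", "dns_failed" or "connect_failed"
    detail: str = ""


def check_tcp_endpoint(host, port, purpose="", timeout=5.0):
    """Resolve host via the system resolver, then try a TCP connect only.

    A DNS failure points at the DNS rows of Table 1.2 (or the configured
    name servers); a connect failure points at the TCP/443 egress rule.
    """
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return CheckResult(host, port, purpose, "dns_failed", str(exc))
    last_err = "no addresses returned"
    for family, socktype, proto, _, sockaddr in addrs:
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)  # handshake only; nothing is sent
            return CheckResult(host, port, purpose, "ok", f"connected to {sockaddr[0]}")
        except OSError as exc:
            last_err = str(exc)
    return CheckResult(host, port, purpose, "connect_failed", last_err)


def run_checks(endpoints=REQUIRED_TCP_ENDPOINTS, timeout=5.0):
    """Check every (host, port, purpose) tuple and return the results."""
    return [check_tcp_endpoint(h, p, purpose, timeout) for h, p, purpose in endpoints]


def failures(results):
    """Return only the results that did not reach the endpoint."""
    return [r for r in results if r.status != "ok"]


if __name__ == "__main__":
    results = run_checks()
    for r in results:
        print(f"{r.status:15} {r.host}:{r.port} ({r.purpose}) {r.detail}")
    raise SystemExit(1 if failures(results) else 0)
```

Run it from the CyberHub's network segment (or a host with the same firewall policy) once the network settings are configured; a non-zero exit code means at least one row of Table 1.2 is not satisfied, and the printed status tells you whether the problem is name resolution or the TCP path.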

Installation Requirements:

Table - 1.3: Minimum System Requirements

  • CPU: 8 CPUs

  • RAM: 8 GB

  • HDD: 250 GB

The CyberHub specifications above are for estimation and guidance only. Post deployment, a detailed understanding of the amount of log data being generated in the environment, in combination with the log processing capacity, will be required to.

Supported Environments

Virtualization: VMware® ESXi 6.7 or higher

Notes:

  • Please refer to the VM compatibility guide.

  • Use LSI Logic Parallel as the SCSI controller.

  • CPU and memory reservation is mandatory. Please refer to the reservation note below for more information.

  • VM Tools installation is mandatory.

  • Use Typical settings and ensure that the disk type is Eager Zeroed Thick Provision.

Virtualization: Hyper-V on Microsoft Windows Server

Notes:

  • Hyper-V Gen 1 only; Hyper-V Gen 2 is not supported.

  • Hyper-V integration service installation is not recommended on the Hyper-V platform.

Resource Reservation for Virtualization

The CyberHub is a highly tuned network device that uses a pipelined architecture for receiving logs. Typically, network devices run on dedicated hardware with a customized operating system to meet their performance needs. Network devices must respond in real time to the demands of the network interface to avoid buffer overruns and packet loss. Use of the UDP protocol can make packet loss worse, since dropped datagrams are not retransmitted.

The CyberHub can run as a virtualized image, but VM resources should be reserved for the image to keep the virtualization system from attempting to time share or swap out the resources, which would impact the real time requirements of the device. The VM memory and CPU resource reservations should match physical hardware one for one; for example, reserving 16 GB for a 16 GB VM sizing and 8 cores for an 8 core VM sizing. Also, use a core equivalent allocation of 2 GHz for all 8 and 16 core sizing. 

Consult your VM vendor's documentation for instructions on how to reserve CPU and RAM resources. For VMware, see https://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-resource-management-guide.pdf.

Obtaining the CyberHub installation image

  1. Click the link to download the ISO image.

    Once the ISO is downloaded, check the integrity of the ISO using the MD5 hash of the file; the value should be "171874196b0eeacfcd0a618f3e22770c".

  2. Proceed with the CyberHub installation once the ISO image download is complete and the integrity check has passed.
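The integrity check in step 1, as an added example that is not part of the original guide: the script below streams the downloaded ISO through MD5 (so a multi-gigabyte file is never read into memory at once) and compares the digest with the value published above, ignoring case and surrounding whitespace. The function names and the command-line interface are the author's own. MD5 detects a corrupted or truncated download, but it is not collision-resistant, so the expected value should be taken from the portal itself rather than from an untrusted copy of this guide.

```python
import hashlib
import sys

# MD5 published for the CyberHub ISO in the guide above.
EXPECTED_ISO_MD5 = "171874196b0eeacfcd0a618f3e22770c"


def md5_of_file(path, chunk_size=1024 * 1024):
    """Return the hex MD5 of a file, reading it in 1 MiB chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_iso(path, expected_md5=EXPECTED_ISO_MD5):
    """Return (ok, actual_md5); the comparison ignores case and whitespace."""
    actual = md5_of_file(path)
    return actual == expected_md5.strip().lower(), actual


if __name__ == "__main__":
    # Usage: python verify_iso.py <path-to-iso> [expected-md5]
    iso_path = sys.argv[1]
    expected = sys.argv[2] if len(sys.argv) > 2 else EXPECTED_ISO_MD5
    ok, actual = verify_iso(iso_path, expected)
    print("OK" if ok else "MISMATCH", actual, iso_path)
    sys.exit(0 if ok else 1)
```

A non-zero exit code means the download should be discarded and repeated; do not proceed to step 2 with an ISO whose digest does not match.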

Installing the CyberHub

To install the CyberHub on a Virtual Server 

  1. Create a new Virtual Machine in the VMware vSphere client with the required memory and CPU cores and click Next. Refer to Resource Reservation for Virtualization.

  2. Specify the name and folder location for the Virtual Machine and click Next.

  3. Select the destination compute resource and click Next.

  4. Select the storage for the configuration and disk files and click Next.

  5. Select the compatibility as ESXi 6.7 and later and click Next.

  6. Select the guest OS Family as Linux and the OS Version as Ubuntu Linux (64-bit).

  7. Customize the hardware, select the CD/DVD Drive option and mount the CyberHub ISO image from the Datastore. Check the Connect at Power On option. Refer to Resource Reservation for Virtualization.

  8. Click Next to complete.

  9. Power on the Virtual Machine and continue with the installation steps provided below.


  10. Select English (US) to set up the language.

  11. Keep the keyboard configuration as default.

  12. Enter the IP address of the CyberHub to configure the network and select Done.

  13. Select the interface and navigate to Edit IPv4 > IPv4 Method as Manual.

  14. Enter the subnet, IP address, gateway and name server address details and Save.

  15. Enter the proxy address if one is needed for outside connections from the CyberHub, and select Done.

  16. Select Continue below the confirm destructive action pop-up to begin the installation.

  17. After a few minutes, the following screen appears.

    • Additionally, a screen will pop up for region selection; select the desired region.

  18. Once the region is selected, the next screen will display a summary of the selection.

  19. Click Okay to proceed with setup. Once completed, the machine will restart.

  20. When the login prompt appears, the installation is complete.

About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.

About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.