Accenture MDR Log Collection Platform (LCP) 4.0 Deployment Guide

This deployment guide helps Accenture MDR customers build the Log Collection Platform (LCP) as a virtual machine on VMware.

The document includes the following topics:

Introducing the Log Collection Platform

The Accenture MDR Log Collection Platform (LCP) is designed to collect, compress, and securely transmit your devices' log data to Accenture MDR for analysis and storage.

About the overall log processing cycle:

The LCP is the link between your network and the Accenture MDR network. Before your devices' log data can be processed and analyzed, it must be gathered and securely transported. The steps below describe the process, from the devices generating log data to the Accenture Portal presenting analysis and reports on detected malicious activity.

  1. Security event sources detect and log network and endpoint activity.

  2. Log data is gathered by Event Collectors and sent to an Event Translator Service. Event Collectors gather, filter, and aggregate the log data and send both raw and processed log data to the Event Translator Service for transmission to the LCP.

  3. The LCP receives the log data and securely exports it to the Accenture MDR Platform. The on-premises LCP receives the log data, which is then compressed for transport and digitally signed as originating from the device in question. The compressed, signed data is sent from the customer's LCP to the SOC over TLS 1.2 with RSA 2048-bit keys.

  4. Customer log data is securely stored with Accenture MDR. The data center is hosted in the AWS US East (N. Virginia) Region. Log data is stored in a proprietary, read-only system in a separate database tablespace residing in a protected environment within the Accenture MDR database infrastructure.

  5. The Accenture MDR team correlates and analyzes the log data. The device log data is run through the Accenture SOC Technology Platform for multi-layer post-processing and presented to analysts for incident validation.

  6. Reviewed incidents, alerts, configurations and reports are presented to customers via the self-service MDR Portal.

LCP onboarding process

Onboarding is the act of configuring, establishing, and validating the flow of data from your devices into Accenture MDR. All devices must be onboarded before Accenture MDR can use data from them. The LCP onboarding process is as follows:

  1. The LCP image is downloaded from the MDR Portal.

  2. Connectivity is established so that the LCP can reach all required services.

  3. The LCP virtual hardware requirements are in place, as specified in the Prerequisites section.

  4. The LCP is deployed by following the deployment instructions.

  5. Your Technical Project Manager needs to be informed about every newly deployed LCP. LCP connectivity details (public-facing and internal IP, hostname and DNS details) are shared via a Service Case created on the MDR Portal.

  6. Accenture MDR performs LCP connectivity tests and reviews the deployment.

  7. Once satisfied with the LCP deployment, Accenture MDR performs an LCP baseline and applies hardening scripts. From this point on, only certified Accenture MDR technical resources are able to access and manage the LCP. Access to the LCP cannot be granted to anyone else.

 Assumptions: Accenture MDR customers provide the virtual hardware resources to deploy the LCP in on-premises, private or public clouds. The customer is responsible for managing the underlying virtual platform. The virtual hardware requirements listed in Prerequisites must be met. LCP deployment also requires the customer to make sure all network configuration is in place before beginning the installation.

 The following information is required for each LCP:

Table - 1.1: Installation Requirements

Host Name
    The host name of the computer where the LCP will reside, e.g., LCPwest.

Domain name server
    A comma-separated list of local domain name server IP addresses. This allows the collector to resolve logged host names to IP addresses, which is critical for Accenture MDR analysis.

Subnet mask
    The subnet mask for the network where the LCP will reside, in IPv4 format, e.g., 255.255.255.0.

Gateway
    The IP address of the default gateway the LCP will use, in IPv4 format, e.g., 128.0.0.1.

IP address
    Static/reserved IP address for the LCP, in IPv4 format, e.g., 128.0.0.8.

Public-facing IP address
    Static management IP through which the SOC connects to the LCP at any time and through which the automated MDR fault-monitoring systems reach it.

Domain
    The LCP's domain name; it can be any name you prefer and does not have to be the actual local domain name, e.g., example.customer.com.

Prerequisites

Before installing the LCP, make sure the following prerequisites are met.

  • When deploying an LCP with multiple network cards, ensure that the eth0 interface is dedicated to Accenture inbound and outbound connections. Other interfaces can be configured for log collection from different networks. Inform the onboarding team if you apply this configuration, as routing needs to be checked at the LCP level.

  • The LCP has a static public-facing IP address so that the SOC can access it at any time. Jump-host access for MDR is not supported. If you are deploying multiple LCPs and cannot provide a public-facing static IP for each, discuss this with your Technical Project Manager.

  • Virtual hardware is provisioned per the specification listed below and supports the LCP OS base. The LCP ISO image is currently based on Ubuntu Server.

  • The LCP requires access to the DNS server(s) holding the DNS A-records of all event sources planned for integration with the MDR service. Up to 3 DNS servers and 6 DNS search domains can be configured per LCP. DNS information is currently not shared between LCPs.

  • When standing up an LCP server to connect to the MDR, apply the following port settings:

 

Table - 1.2: Port Requirements

Source                          Destination             Protocol/Port          Description
------------------------------  ----------------------  ---------------------  -------------------------------------------------------
213.156.160.99                  <LCP IP>                TCP/2222 and TCP/443   MDR management access and fault monitoring
192.251.86.32
198.6.48.235
199.43.188.10
<LCP IP>                        <Customer NTP>          UDP/123                Network Time Protocol
<LCP IP>                                                TCP/443                RSIP - Remote Secure Import Protocol for log uploading
<LCP IP>                                                TCP/443                LCP updates
<LCP IP>                                                TCP/443                LCP configurations
<LCP IP>                        <Customer DNS Server>   TCP/53; UDP/53         DNS resolution (TCP is used when the message is longer than 512 bytes)

Note: Other ports may be required depending on what sources are logging to the LCP. There may be specific port requirements for the collectors of that source.
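Nothing in the installer verifies that the name servers you enter actually hold records for the event sources you plan to integrate, or that they answer over TCP/53 as well as UDP/53. The following PowerShell script is an added example, not Accenture tooling: run from an administrative Windows host in the same network segment as the LCP, it resolves each planned event source forward (A) and back (PTR) against every DNS server the LCP will be configured with, checks TCP/53 on each server, and sends a real NTP query to the customer NTP server with w32tm. The DNS server addresses, event-source hostnames and NTP server name are constructed placeholders.

```powershell
# Added example (not part of the Accenture guide): pre-flight check of the DNS and NTP
# prerequisites from an admin workstation in the LCP's network segment.
# Constructed placeholders: replace the servers and hostnames with your own.

$DnsServers   = @('10.0.0.53', '10.0.1.53')          # the (up to 3) servers the LCP will be given
$NtpServer    = 'ntp.example.customer.com'           # <Customer NTP> in Table 1.2
$EventSources = @('fw-edge01.example.customer.com',  # devices that will log to the LCP
                  'dc01.example.customer.com',
                  'proxy01.example.customer.com')

function Test-LcpDnsPrerequisites {
    param(
        [Parameter(Mandatory)] [string[]] $Servers,
        [Parameter(Mandatory)] [string[]] $Sources
    )
    foreach ($srv in $Servers) {
        # TCP/53 must be open as well as UDP/53: answers over 512 bytes fall back to TCP.
        $tcp53 = (Test-NetConnection -ComputerName $srv -Port 53 -WarningAction SilentlyContinue).TcpTestSucceeded
        foreach ($src in $Sources) {
            $a = $null; $ptr = $null
            try {
                # Forward lookup: the A record the LCP needs to tie a logged hostname to an address.
                # -DnsOnly bypasses the local hosts file and LLMNR so only the server is tested.
                $a = Resolve-DnsName -Name $src -Type A -Server $srv -DnsOnly -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'A' } | Select-Object -First 1 -ExpandProperty IPAddress
                # Reverse lookup: the LCP also resolves addresses seen in logs back to names.
                $ptr = Resolve-DnsName -Name $a -Type PTR -Server $srv -DnsOnly -ErrorAction Stop |
                       Select-Object -First 1 -ExpandProperty NameHost
            } catch { }   # a failed lookup simply leaves $a / $ptr empty and the row marked not Ok
            [pscustomobject]@{
                DnsServer = $srv; Tcp53 = $tcp53; Source = $src
                ARecord   = $a;   PtrRecord = $ptr
                Ok        = [bool]($tcp53 -and $a -and $ptr)
            }
        }
    }
}

$report = Test-LcpDnsPrerequisites -Servers $DnsServers -Sources $EventSources
$report | Format-Table -AutoSize

# Test-NetConnection only probes TCP; w32tm issues an actual NTP request on UDP/123.
w32tm /stripchart /computer:$NtpServer /samples:1 /dataonly

if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning 'Fix the missing A/PTR records or TCP/53 access before raising the onboarding Service Case.'
}
```

Run it before raising the onboarding Service Case. A row with Ok = False means that DNS server cannot give the LCP the hostname context the prerequisite exists to provide for that source, or cannot be reached over TCP at all; note that the w32tm line proves only that the workstation can reach the NTP server, so the LCP's own path to it must still be allowed in the firewall.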

Installation Requirements:

Table - 1.3: Minimum System Requirements

CPU       RAM      HDD
8 CPUs    8 GB     250 GB

Note:

The above LCP specifications are for estimation and guidance only. Post deployment, a detailed understanding of the amount of log data being generated in the environment, in combination with the log processing capacity, will be required to.

Supported Environments:

Virtualization: VMware® ESXi 6.7 or higher
Notes:
  • Please refer to the VM compatibility guide.
  • Use LSI Logic Parallel as the SCSI controller.
  • CPU and memory reservation is mandatory. See the reservation note below for more information.
  • VM Tools installation is mandatory.
  • Use Typical settings and ensure that the disk type is Eager Zeroed Thick Provision.

Virtualization: Hyper-V on Microsoft Windows Server
Notes:
  • Hyper-V Gen 1 only; Hyper-V Gen 2 is not supported.
  • Hyper-V Integration Services installation is not recommended on the Hyper-V platform.

Note: Please ensure Ubuntu 20.04 is supported by the virtualization platform.

Resource Reservation for Virtualization

The LCP is a highly tuned network device that uses a pipelined architecture for receiving logs. Typically, network devices run on dedicated hardware with a customized operating system to meet their performance needs. Network devices must respond in real time to the demands of the network interface to avoid filling buffers and losing packets. Sources that send logs over UDP make packet loss worse, because dropped datagrams are never retransmitted.

The LCP can run as a virtualized image, but VM resources should be reserved for the image to keep the virtualization system from attempting to time-share or swap out the resources, which would impact the real-time requirements of the device. The VM memory and CPU reservations should match the allocation one for one; for example, reserve 16 GB for a 16 GB VM sizing and 8 cores for an 8-core VM sizing. Also, use a core-equivalent allocation of 2 GHz for all 8- and 16-core sizings.

Consult your VM vendor's documentation for instructions on how to reserve CPU and RAM resources. For VMware, see https://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-resource-management-guide.pdf.

 Note: Use a static MAC address for the virtual machine (a dynamic MAC will lead to connectivity issues for the LCP).

Obtaining the Log Collection Platform installation image

To download the LCP ISO image for virtualization installations:

  1. Log in to the MDR Portal.

 Note: The Download ISO Image button is visible only to users with Administrator privilege.

  2. Click Download ISO Image.

  3. Once the ISO is downloaded, check its integrity by computing the MD5 hash of the file; the value should be "de1ce3e1ff48ecd8d2a49057f2092cd2".

 Note: A matching MD5 tells you the download is complete and uncorrupted; it is not proof of where the image came from. If the computed value differs from the one above, do not use the image, and confirm the current hash with your Onboarding Engineer rather than accepting a value from any other source.

  4. Proceed with the LCP installation once the ISO image has downloaded and the integrity check has passed.
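Step 3 as a fail-closed check, written in PowerShell for the workstation the ISO was downloaded to. This is an added example, not part of the guide; the ISO path is a placeholder, and the expected digest is the value published in step 3.

```powershell
# Added example (not part of the Accenture guide): verify the downloaded ISO against the
# published MD5 before uploading it to the datastore. The path is a placeholder.

function Test-LcpIsoIntegrity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedMd5
    )
    # Fail closed on a mistyped or truncated expected value: a partial digest can never match.
    if ($ExpectedMd5 -notmatch '^[0-9a-fA-F]{32}$') {
        throw "Expected MD5 '$ExpectedMd5' is not a 32-hex-digit MD5 digest."
    }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "ISO not found: $Path"
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    [pscustomobject]@{
        Path     = $Path
        SizeMB   = [math]::Round((Get-Item -LiteralPath $Path).Length / 1MB, 1)
        Expected = $ExpectedMd5.ToLower()
        Actual   = $actual.ToLower()
        Match    = ($actual -ieq $ExpectedMd5)   # case-insensitive: Get-FileHash returns upper-case hex
    }
}

$check = Test-LcpIsoIntegrity -Path 'C:\ISO\lcp-4.0.iso' `
                              -ExpectedMd5 'de1ce3e1ff48ecd8d2a49057f2092cd2'
$check | Format-List
if (-not $check.Match) { throw 'ISO hash mismatch: re-download the image before proceeding.' }
```

The size is reported alongside the digest because a hash mismatch on a file that is smaller than expected is almost always a truncated download rather than a tampered image, which changes what you do next (re-download versus raise it with your Onboarding Engineer).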

Installing the Log Collection Platform


To Install the Log Collection Platform on a Virtual Server: 

 Note: Upload the LCP ISO image to the datastore before creating the virtual machine.

  1. Create a new virtual machine in the VMware vSphere Client with the required memory and CPU cores and click Next. Refer to Resource Reservation for Virtualization.

  2. Specify the name and folder location for the virtual machine and click Next.

  3. Select the destination compute resource and click Next.

  4. Select the storage for the configuration and disk files and click Next.

  5. Select the compatibility as ESXi 6.7 and later and click Next.

  6. Select Linux as the guest OS family and Ubuntu Linux (64-bit) as the OS version, and click Next.

  7. Customize the hardware, select the CD/DVD Drive option, mount the LCP ISO image from the datastore, and check the Connect At Power On option. Refer to Resource Reservation for Virtualization.

  8. Click Next to complete.

  9. Power on the virtual machine and continue with the installation steps below.

  10. Select English (US) as the language.

  11. Keep the keyboard configuration as default.

  12. Enter the IP address of the LCP to configure the network and select Done.

Note: By default the installer configures the interface via DHCP; follow the steps below to set a manual IP address.

  13. Select the interface and navigate to Edit IPv4 -> IPv4 Method: Manual.

  14. Enter the subnet, IP address, gateway and name server details and select Save.

Notes:

  • The LCP makes extensive use of DNS servers to resolve hostnames from the IP addresses identified in the logs, for more context. This is a mandatory field during LCP installation.

  • Verify that you are entering the correct information for your network. After the installation, notify Accenture MDR of any changes you make to this network information.

  15. Enter the proxy address if one is required for outbound connections from the LCP and select Done.

Note: Leave the proxy address empty to proceed without a proxy.

  16. Confirm the destructive action in the pop-up to begin the installation.

  17. Ignore the Reboot Now button; the system reboots automatically once the installation completes.

  18. When the login prompt appears, the installation is complete.

Notify your Accenture Onboarding Engineer to start the hand-over process.
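The vSphere part of the procedure (steps 1 to 8) together with the requirements from Supported Environments and Resource Reservation for Virtualization, as a VMware PowerCLI script. This is an added example, not Accenture tooling or part of the guide; it assumes the VMware.PowerCLI module (11 or later, for -HardwareVersion) and uses placeholder names for the vCenter, ESXi host, datastore, port group, ISO path and static MAC address. The 8 CPU / 8 GB / 250 GB sizing is Table 1.3, and the CPU reservation is derived from the 2 GHz-per-core rule in the reservation section. The ESXi host/guest time-sync setting from the end of this guide is disabled in the same pass.

```powershell
# Added example (not part of the Accenture guide): build the LCP VM with PowerCLI using the
# settings this guide requires. Placeholders: vCenter, host, datastore, port group, ISO path, MAC.

Connect-VIServer -Server 'vcenter.example.customer.com'   # prompts for credentials

$Name      = 'LCPwest'
$VMHost    = Get-VMHost -Name 'esx01.example.customer.com'
$Datastore = Get-Datastore -Name 'datastore1'
$PortGroup = 'LCP-Collector-VLAN'                        # eth0: Accenture inbound/outbound only
$IsoPath   = "[$($Datastore.Name)] iso/lcp-4.0.iso"      # ISO uploaded to the datastore beforehand
$Cpus      = 8
$MemGB     = 8
$DiskGB    = 250
# Placeholder; manually assigned VMware MACs must fall in 00:50:56:00:00:00 - 00:50:56:3F:FF:FF.
$StaticMac = '00:50:56:00:10:01'

# Hardware version 14 = "ESXi 6.7 and later"; Ubuntu 64-bit guest; eager-zeroed thick disk.
$vm = New-VM -Name $Name -VMHost $VMHost -Datastore $Datastore `
        -NumCpu $Cpus -MemoryGB $MemGB -DiskGB $DiskGB -DiskStorageFormat EagerZeroedThick `
        -GuestId 'ubuntu64Guest' -HardwareVersion 'vmx-14' -NetworkName $PortGroup -CD

# LSI Logic Parallel SCSI controller.
Get-ScsiController -VM $vm | Set-ScsiController -Type VirtualLsiLogic -Confirm:$false | Out-Null

# Reservations match the allocation one for one: all of the RAM, and 2 GHz per vCPU.
$cpuMhz = $Cpus * 2000   # 8 cores -> 16000 MHz
Get-VMResourceConfiguration -VM $vm |
    Set-VMResourceConfiguration -CpuReservationMhz $cpuMhz -MemReservationGB $MemGB | Out-Null

# Static MAC on the first adapter (a dynamic MAC leads to connectivity issues after hand-over).
Get-NetworkAdapter -VM $vm |
    Set-NetworkAdapter -MacAddress $StaticMac -StartConnected:$true -Confirm:$false | Out-Null

# Mount the LCP ISO, connected at power on.
Get-CDDrive -VM $vm | Set-CDDrive -IsoPath $IsoPath -StartConnected:$true -Confirm:$false | Out-Null

# Disable host/guest time sync: the LCP keeps time from <Customer NTP> (UDP/123) instead.
New-AdvancedSetting -Entity $vm -Name 'tools.syncTime' -Value 'FALSE' -Confirm:$false -Force | Out-Null

Start-VM -VM $vm | Out-Null
# Continue with installer steps 10-18 in the VM console. VMware Tools (mandatory) is installed
# inside the guest, not from PowerCLI; its state is read back below.

# Read back the settings the MDR baseline depends on, so they can be pasted into the Service Case.
$vm = Get-VM -Name $Name
[pscustomobject]@{
    CpuReservationMhz = (Get-VMResourceConfiguration -VM $vm).CpuReservationMhz
    MemReservationGB  = (Get-VMResourceConfiguration -VM $vm).MemReservationGB
    ScsiController    = (Get-ScsiController -VM $vm).Type
    MacAddress        = (Get-NetworkAdapter -VM $vm).MacAddress
    DiskFormat        = (Get-HardDisk -VM $vm).StorageFormat
    ToolsSyncTime     = (Get-AdvancedSetting -Entity $vm -Name 'tools.syncTime').Value
    ToolsStatus       = $vm.ExtensionData.Guest.ToolsStatus
}
```

The read-back at the end is the part worth keeping: reservations and the static MAC are the settings that drift when a VM is later migrated or cloned, and a quick comparison of that object against the values in the Service Case is how the customer side can confirm nothing changed before MDR's connectivity tests.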

Creating New Request for Monitoring

When the login prompt appears, the installation is complete, and you are now ready to hand it off for MDR management and monitoring. To complete this process, submit a New Request via the MDR Portal. This new request should contain the following information:

LCP Name:

NAT IP Address:

Internal IP Address:

Network Mask:

Default Gateway:

DNS Server IP(s):

NTP Server IP(s):

If two or more LCPs need to be onboarded, use the spreadsheet below to gather the information and attach it to the new request. If you have any questions about this process, contact your Onboarding Engineer or Service Manager.

IMPORTANT: If you are using an ESXi host, disable time synchronization between the host and the LCP.

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.