Magellan

    CloudGuard Dome9 Magellan lets you visualize and analyze network activity and traffic into and out of your cloud environment. With it you can identify traffic from unwanted sources, or gaps in your network security settings (which you can then fix using other features of the Dome9 console).

    Magellan analyzes network flow logs to visualize the activity on your cloud network, and uses queries to show you the traffic of interest. Magellan ships with many common queries, and you can create additional custom queries with a graphical query builder based on Dome9's Governance Specification Language (GSL).

    Magellan combines cloud inventory and configuration information with near real-time monitoring data from a variety of sources, including VPC Flow Logs, CloudTrail, Amazon GuardDuty and AWS Inspector, as well as current threat intelligence feeds, IP reputation and geolocation databases. The result is an enriched visualization that distinguishes suspicious traffic from legitimate traffic. For example, sources of network traffic that are other AWS elements are shown according to their type, and malicious external sources are marked as such. Similarly, outbound network traffic from your account to a suspicious external destination on the internet will

    Magellan gives you near real-time views of network activity, and you can also view and analyze past network activity. You can configure Magellan to send you real-time alerts for specific events or event types that occur in your cloud environment, so that you are aware of them and can respond immediately.

    Benefits

    • near real-time view of events
    • fine-tuned queries for specific events
    • enriched contextual information from various log sources allows you to gain a quicker and clearer understanding of events that occur on your network
     

    Use Cases

    1. Streamline Network Security Operations: With Magellan you can:

    • Review your security architecture against real-time traffic analysis

    • Gain visibility into your traffic flows

    • Troubleshoot and identify the misconfigurations that cause intrusions or policy violations

    • Identify unusual activity based on user/account behavior

    • Detect malicious sources that are sending traffic to your assets

    2. Reduce mean time to threat detection: On average, it takes about 200 days for incident responders to detect a breach. With Magellan, you can identify and zoom in on a suspected asset and understand its full context from both a configuration and a traffic-activity perspective, thereby reducing your mean time to detect threats.

    3. Detect Privilege Escalation/Credential Compromise: Dome9 has the full context of your account activity and of the asset types in your environment. Using Magellan, you can define lists of asset types that should never be instantiated. If someone obtains unauthorized privileges and uses them to launch an expensive EC2 instance (for crypto-mining, for example) or to steal API keys that are then misused, Magellan can detect the unauthorized IAM changes or the traffic from the unexpected EC2 instance type and immediately raise a detailed alert.

    4. Expedite and assist in Compliance Validation: Using the Magellan Explorer, you can see a live action replay of traffic that can be used to prove that your cloud environment is adhering to various compliance standards (Control effectiveness). 

    5. Detect unusual or abnormal use of your cloud resources, network activity, logins, and so on. For example, detect activity from forbidden geographic locations, suspicious port usage, or abnormal login/authentication attempts.
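    The following Python script is an added example, not Dome9 code and not a Magellan query: it shows the kind of enrichment the overview describes, applied to a few constructed VPC Flow Log records in the default version 2 format. Each record's external peer is checked against a constructed threat-intel denylist and a constructed geolocation table, and the flow is flagged when it involves a known-bad source, a forbidden location, or a suspicious port (the three signals named in use case 5). It also separates REJECTed probes from ACCEPTed inbound flows, since the latter point at a security-group gap of the kind the overview says you can then fix. The internal ranges, the RFC 5737 documentation addresses, the user-assigned country codes XA/XB/XC, and the "scanner" tag are all assumptions made for the example.

```python
"""Flow-log enrichment example (added illustration, not Dome9/Magellan code)."""
import ipaddress
from dataclasses import dataclass, field

# Field order of a default VPC Flow Log version 2 record.
FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()

# Constructed sample records (RFC 5737 documentation addresses as external peers).
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.7 44321 443 6 12 4096 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.25 53122 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.25 53123 3389 6 6 360 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.40 51000 5432 6 30 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 192.0.2.77 40000 6667 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

# Constructed stand-ins for the enrichment sources (threat-intel feed, geo DB).
# A real deployment loads these from feeds/databases; the values here are assumptions.
THREAT_INTEL = {"198.51.100.9": "scanner"}
GEO_DB = {"203.0.113.0/24": "XA", "198.51.100.0/24": "XB", "192.0.2.0/24": "XC"}
FORBIDDEN_COUNTRIES = {"XB", "XC"}          # ISO user-assigned codes, i.e. placeholders
SUSPICIOUS_PORTS = {22: "ssh", 3389: "rdp", 6667: "irc"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed VPC address space


@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str
    raw: str


@dataclass
class Finding:
    record: FlowRecord
    direction: str                  # "inbound" or "outbound"
    peer: str                       # external address the enrichment matched on
    reasons: list = field(default_factory=list)


def parse_flow_logs(text):
    """Parse v2 records; NODATA/SKIPDATA lines carry '-' fields and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS) or parts[0] != "2":
            continue
        f = dict(zip(FLOW_FIELDS, parts))
        if f["log_status"] != "OK":
            continue
        records.append(FlowRecord(f["srcaddr"], f["dstaddr"], int(f["srcport"]),
                                  int(f["dstport"]), int(f["protocol"]), f["action"], line))
    return records


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def geolocate(addr):
    ip = ipaddress.ip_address(addr)
    for cidr, country in GEO_DB.items():
        if ip in ipaddress.ip_network(cidr):
            return country
    return None


def classify(record):
    """Enrich the external side of a north-south flow; return a Finding or None."""
    src_int, dst_int = is_internal(record.srcaddr), is_internal(record.dstaddr)
    if src_int == dst_int:
        return None         # east-west or transit traffic: no external peer to enrich
    direction, peer = ("inbound", record.srcaddr) if dst_int else ("outbound", record.dstaddr)
    finding = Finding(record, direction, peer)
    if peer in THREAT_INTEL:
        finding.reasons.append(f"threat-intel:{THREAT_INTEL[peer]}")
    country = geolocate(peer)
    if country in FORBIDDEN_COUNTRIES:
        finding.reasons.append(f"geo:{country}")
    if record.dstport in SUSPICIOUS_PORTS:
        finding.reasons.append(f"port:{SUSPICIOUS_PORTS[record.dstport]}")
    return finding if finding.reasons else None


def analyze(text):
    return [f for f in map(classify, parse_flow_logs(text)) if f]


def accepted_inbound_from_flagged(findings):
    """Flagged inbound flows that a security group/NACL let through: the rule gaps to fix,
    as opposed to REJECTed probes that the current rules already blocked."""
    return [f for f in findings if f.direction == "inbound" and f.record.action == "ACCEPT"]


if __name__ == "__main__":
    for f in analyze(SAMPLE_FLOW_LOGS):
        print(f.direction, f.peer, f.record.dstport, f.record.action, ", ".join(f.reasons))
```

    On the constructed input, the scanner's SSH probe shows up as a REJECTed, triple-flagged flow, while its RDP connection was ACCEPTed, which is the security-group gap a reviewer would fix first; the outbound IRC connection to a forbidden location is the kind of egress finding use case 5 describes.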


    See also

    Magellan Explorer view

    Magellan Alerts

    Connectors