Snare Software and the Cloud
SUMMARY
Jun 16, 2016
The Snare agents can run on any cloud system (e.g. AWS, Azure) where the customer has control over the operating system. Typically these are called Infrastructure as a Service (IAAS) systems. The agents will run and send logs to any destination as normal. It is always recommended to use TLS when sending the logs over third party networks to the SIEM system so the traffic is encrypted to prevent eavesdropping on the communications as the log data can contain sensitive information.
The Snare Agents will not run in other Software as a Service (SAAS) environments where the customer only has access to the Web Interface of the application as the customer does not have access to the operating system to install or run the agent.
The Snare Server can run on any cloud provider that allows the custom ISO to be installed. As the Snare Server is an application appliance the Snare application is tightly integrated into operating system. There are many cloud providers that allow their customers to run custom ISO images in either virtual machines or dedicated hardware. The customer needs to be mindful of the storage and network costs with collecting logs in a cloud provider so there are no surprises with the operational cost.
Where the Snare Server and agents are used in a cloud environments the customer should protect the Snare Server with firewall rules to limit inbound access of the log collection and the web administration interface to the logging systems and administration devices so it is not open to the general Internet. Leaving the logging ports open to the Internet will allow anyone to send unwanted or malicious events to the log collection system. Similarly the web interface of the Snare Agents should not be open to the Internet to limit the scope of unauthorised access. Alternatively all access to the systems in the cloud can be restricted to a private VPN to help prevent unauthorised access to the systems.