Elastic Detector on Amazon Web Services (AWS) User Guide v5

This guide is intended for Elastic Detector users on AWS. Elastic Detector is available as SaaS or deployed as a virtual appliance through an Amazon Machine Image (AMI) available here. The installation and administrator account creation instructions are specific to AMIs (the SaaS version comes pre-installed by nature).

Table of contents:
Installation:
  Elastic Detector virtual machine creation
  Access to the graphical interface
Administration interface:
  Administrator account creation
User Interface:
  User account creation
  User account validation
  User password reset
  User account initialization
  Using the user account
  Quick scan launch
User Interface highlights:
  Dashboard
  Status
  Scan Reports
  Executive view
  Cloud credentials and continuous tests (auto-checks) parameters
Installation:

Elastic Detector virtual machine creation
In the AWS Marketplace web interface, click on the offer that is most convenient for you.
You will end up on a page similar to the following:
Click on Continue to choose the Elastic Detector instance parameters. Then click on Accept Terms & Launch with 1-Click once you are happy with your order.
Access to the graphical interface
In the AWS graphical interface, click on the EC2 tab and select the region in which you have deployed the instance. Select the Elastic Detector machine, copy its Public IP address or Public DNS, then open an Internet browser and paste the address to reach it.
NB: on the first connection to the Elastic Detector UI, you will have to create the product administrator account.

Administration interface:

Administrator account creation
Go to the Elastic Detector UI and create the Administrator account. Input the following parameters:
- Name: identifier of the Administrator account.
- Email address: used to send emails about the product administration and to authenticate the Administrator account.
- Password: used to authenticate the Administrator account.
- Check the Terms & Conditions box after reading them (click on the link).
The admin part allows managing accounts and their associated alerts.
User Interface:

User account creation
Go to the Elastic Detector UI and click on Sign Up for Free.
Input the following parameters:
- Name: user account identifier.
- Email address: used to send mails about the product usage and to authenticate the user account.
- Company name.
- Password: used to authenticate the user account.
- Phone number.
- Check the Terms & Conditions box after reading them (click on the link).
After the parameters have been entered, click on Sign Up. An email including an account validation link will be sent automatically to the email address provided.
User account validation
Go to the inbox of the email address provided for the account and open the email with the subject "Welcome to Elastic Detector!" (check your spam folder as well in case you have not received it). This email contains a link to validate your user account on Elastic Detector.

User password reset
In case you forgot your password, there is a "Password Forgotten?" option (above Sign in) you can use to reset your password with your email address.

User account initialization
On your first connection with your Elastic Detector user account, a configuration wizard will show up to configure the user account.
The configuration mainly consists in entering your AWS infrastructure access keys. Please enter the following parameters:
- Name: identifier for this set of credentials.
- Your AWS access key: EC2 Access Key ID.
- Your AWS secret key: EC2 Secret Access Key.
- Region(s) of your AWS instances.
When the configuration is done, you will be redirected to the home page of your user account.
Using the user account
The Elastic Detector dashboard allows monitoring the security level of your infrastructure in real time and identifying vulnerabilities.

Quick scan launch
A quick scan launches a direct scan of a virtual machine so that you can run the product scanner quickly and easily. Go to the Dashboard and click on Quick Scan: Immediately Launch a Scan. A wizard will then help you launch the scan. Please enter the following parameters:
- IP Address (or DNS name): identifier of the server to be tested.
- Check the authorization box: it means you are authorized to scan this IP.
- SSH user: used to connect to the server and launch the scan.
- SSH private key: so that the product can connect to the virtual machine.
User Interface highlights:

Dashboard:
The Dashboard view shows at any time a global view of the instances and events of the infrastructure, while consolidating the information from the deployed Auto-Checks. Right after infrastructure access keys have been added, the detection of assets starts and existing instances can be seen.

Status:
The Status view shows the current state (in security terms) of the infrastructure and its deployed instances. Each instance has a contextual menu (hover with the mouse to make it appear) to get more information about the selected instance (instance detailed view).
From the contextual status menu it is possible to start two different vulnerability searches:
1. Scan now: starts a scan directly on the instance, with or without credentials (caution: this can impact the performance of the machine, or even in rare circumstances make it crash; it is better to use an Elastic Vulnerability Assessment scan, see below).
2. Elastic scanning now (EVA): clones the server and then launches the scan on the clone, so that there is no impact on the original server.
Once the vulnerability search has completed, the generated report will be available in the Scan Reports view.
Scan Reports:
The Scan Reports view shows all performed vulnerability searches and the number of vulnerabilities found in each search, as well as multi-server reports (to that end, select the various scans you want to aggregate in the report and click on the PDF or Excel logos).
It is possible to get a detailed view for each report, with the associated vulnerabilities and their references in public vulnerability databases such as CVE (http://cve.mitre.org/). Reports can be downloaded (PDF format) together with an Excel file listing all found vulnerabilities to help with building a remediation plan (click on export scan report and then choose PDF or Excel).
Executive view
The executive view highlights information useful for executives to consider, e.g. the top 10 vulnerable servers and the most frequent vulnerabilities in the infrastructure. Vulnerabilities are sorted into various categories: Network, Operating system, etc. The executive view also shows the difference between reports of a specific server, which helps understand its security trend.

Cloud credentials and continuous tests (auto-checks) parameters
Cloud credentials are used to access machines in your cloud. It is possible to add a cloud provider other than Amazon EC2: go to the top right menu and click on Settings. There you can add or remove cloud providers.
To add cloud provider credentials, go to Cloud Credentials in the page and click Add. To modify auto-checks parameters, go to the List of Credentials page and click Customise Template for the cloud provider you want to modify.
From the Customize Amazon EC2 Templates page it is possible to configure instance parameters one by one, or to modify the default template used for each instance of this cloud provider.
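The aggregation behind the Scan Reports and Executive view sections (top vulnerable servers, most frequent vulnerabilities, per-category counts, and the trend between two reports of one server) can be reproduced from the exported vulnerability list. This is an added example, not Elastic Detector code: it assumes export rows of the form (server, scan date, CVE id, category) and uses constructed sample values.

```python
from collections import Counter, defaultdict

# Constructed sample rows shaped like the per-scan Excel export the guide
# describes: (server, scan date, CVE id, category). All values are made up.
SCAN_ROWS = [
    ("web-1", "2014-01-10", "CVE-2014-0160", "Network"),
    ("web-1", "2014-01-10", "CVE-2013-2094", "Operating system"),
    ("web-1", "2014-01-10", "CVE-2013-4353", "Network"),
    ("web-1", "2014-02-10", "CVE-2013-2094", "Operating system"),
    ("web-1", "2014-02-10", "CVE-2014-0196", "Operating system"),
    ("db-1", "2014-01-12", "CVE-2013-2094", "Operating system"),
    ("db-1", "2014-01-12", "CVE-2014-0160", "Network"),
    ("app-1", "2014-01-15", "CVE-2014-0160", "Network"),
]

def reports_by_server(rows):
    """Group rows as {server: {date: {cve: category}}}, keeping every report date."""
    reports = defaultdict(lambda: defaultdict(dict))
    for server, date, cve, category in rows:
        reports[server][date][cve] = category
    return reports

def latest_findings(rows):
    """Keep only each server's most recent report: {server: {cve: category}}."""
    return {s: d[max(d)] for s, d in reports_by_server(rows).items()}

def top_vulnerable_servers(rows, n=10):
    """Servers ranked by open findings in their latest report (ties broken by name)."""
    counts = {s: len(f) for s, f in latest_findings(rows).items()}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def most_frequent_vulnerabilities(rows, n=10):
    """CVEs ranked by how many servers' latest reports contain them."""
    hits = Counter(cve for f in latest_findings(rows).values() for cve in f)
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def findings_by_category(rows):
    """Open findings per category (Network, Operating system, ...) across all servers."""
    return Counter(cat for f in latest_findings(rows).values() for cat in f.values())

def server_trend(rows, server):
    """Diff one server's two most recent reports: (fixed, new, still_open) CVE sets."""
    history = reports_by_server(rows).get(server, {})
    dates = sorted(history)
    if len(dates) < 2:
        return None  # a trend needs at least two reports of the same server
    before, after = set(history[dates[-2]]), set(history[dates[-1]])
    return before - after, after - before, before & after
```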