| Action or Task | Description | Directive or Collateral |
|---|---|---|
| Provide a static internal IP for appliance management | Static IP assigned by you that will be assigned to the appliance. This will be the interface enabled for SSH access by the SOC on port 22. | Best practice is to build a separate VLAN to avoid any looping. |
| Provide a static internal IP for the security sensor | Static IP assigned by you that will be assigned to the security sensor. This will also be the target IP for syslog that may be forwarded on UDP port 514. | Best practice is to build a separate VLAN to avoid any looping. |
| Provide a public IP for the SOC to use for troubleshooting the appliance if needed | A public IP that is provided to the SOC to be used for troubleshooting the appliance over SSH. | |
| Enable port forwarding or port address translation to port 22 of the provided management IP | Port forwarding (you can choose a custom external port) that forwards to port 22 of the management IP you assigned. | Each vendor has its own process for enabling port mirroring. Please refer to your vendor's documentation or support resources. |
| Physical cabling of the LAN1 appliance interface | Ethernet connectivity to the LAN1 interface, which must have internet connectivity per the firewall requirements identified below. | |
| Physical cabling to the LAN2 and above interfaces for receiving mirrored traffic | Ethernet connectivity for the listening ports that receive network traffic for network Intrusion Detection System capabilities. | |
| Enable port mirror from managed switches | Requires a managed switch or network packet broker. Copies network traffic to designated port(s) for network IDS evaluation. | Each vendor has its own procedure for enabling port mirroring. Below is a list of common switches and links to vendor documentation for port mirroring. |
| Deploy provided Windows/Linux server agent(s) | Used to collect server event logs and provide File Integrity Monitoring on servers. | For Windows agents: CLICK HERE. For Linux agents: CLICK HERE. |
| Enable sending of syslog from in-scope devices | Syslog is a standard feature on network devices to forward log data to the security sensor for compliance enablement and security correlation. | Send syslog level 2 over UDP port 514 to the IP address of your security sensor. |
| Generate and share API tokens with the SOC as needed (Okta, Office 365, AWS, etc.) | The BDS has various API integrations that allow log data to be securely ingested. Once provided, the SOC will configure the integration in the backend and validate that the connection succeeded and logs are flowing. | Office 365 KB: CLICK HERE. AWS CloudTrail KB: CLICK HERE. |
| Modify firewall policy per the requirements | Allows required connectivity to and from the appliance to the CyFlare cloud for data processing and analytics. | This document: see "Firewall Rules". |
| Complete SOC Survey | The SOC Survey provides context on your environment and allows the SOC to properly tune the BDS and corresponding playbook so that alerts are not raised for activity already known or authorized by your organization. | SEE ATTACHED TEMPLATE. Once populated, please send it to socir@cyflare.com and the SOC will update playbooks accordingly. |
| Provide a distribution list or email address to be designated as the Incident Handler (IH) to which all SOC-generated tickets will be sent | This is the main contact the SOC will use for sending all tickets. This is typically an email distribution list if multiple contacts need to be notified at ticket creation time. | Please send this to your assigned CSM. |
| If a different contact than the IH, identify an email address or distribution list that should receive reporting from the SOC | Identifies the recipient of any automated or manual reporting that is sent from the SOC to your organization. | Please send this to your assigned CSM. |
| Accept support portal invite | Your CSM will send you an invite that must be accepted in order to complete setup of the support portal account, enabling ticket management and knowledge base article review. | Check your spam folder, as the invite may go to spam. You may see the invite come from "socir@cyflaresupport.zohodesk.com". |
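The syslog row of the checklist asks devices to send "syslog level 2" to the sensor on UDP port 514. The following is an added example, not code from the CyFlare document, showing what that instruction means on the wire: the `<PRI>` prefix of a BSD syslog line encodes facility and severity as `facility * 8 + severity`, and severity 2 is "critical". It assumes that "level 2" refers to severity 2 and, as a syslog selector would, that messages at severity 2 or more urgent (0 to 2) are the ones forwarded; the sensor address, hostname `fw01` and sample lines are constructed placeholders.

```python
"""Added example (not part of the CyFlare document): encode, filter and
forward BSD-style syslog messages toward the security sensor on UDP/514.

Assumptions: "syslog level 2" is read as syslog severity 2 (critical), and
messages at severity 2 or more urgent are forwarded. SENSOR_IP is a
placeholder, not an address from the document.
"""
import socket

# Syslog severity codes (RFC 3164 / RFC 5424): a lower number is more urgent.
SEVERITY = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_LOCAL0 = 16       # facility used for the constructed samples below
FORWARD_THRESHOLD = 2      # "level 2": crit and anything more urgent
SENSOR_PORT = 514          # UDP port named in the checklist
SENSOR_IP = "192.0.2.10"   # placeholder (TEST-NET-1); use your sensor's static IP


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity; this is the <PRI> prefix of a syslog line."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError(f"invalid facility/severity: {facility}/{severity}")
    return facility * 8 + severity


def decode_pri(message):
    """Split '<PRI>rest' into (facility, severity, rest)."""
    if not message.startswith("<") or ">" not in message[:5]:
        raise ValueError("missing <PRI> prefix")
    end = message.index(">")
    pri = int(message[1:end])
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8, message[end + 1:]


def build_message(facility, severity, timestamp, hostname, tag, text):
    """RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    return f"<{encode_pri(facility, severity)}>{timestamp} {hostname} {tag}: {text}"


def should_forward(severity, threshold=FORWARD_THRESHOLD):
    """True when the message is at the threshold severity or more urgent."""
    return severity <= threshold


def select_for_sensor(messages, threshold=FORWARD_THRESHOLD):
    """Keep only the messages whose severity meets the forwarding threshold."""
    return [m for m in messages if should_forward(decode_pri(m)[1], threshold)]


def send_to_sensor(messages, sensor_ip=SENSOR_IP, port=SENSOR_PORT):
    """Send each message as one UDP datagram. UDP gives no delivery
    confirmation, so receipt is confirmed on the sensor side (the SOC's
    'validate appliance connectivity' step), not by this function."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for m in messages:
            sock.sendto(m.encode("utf-8"), (sensor_ip, port))
    return len(messages)


# Constructed sample messages from a hypothetical firewall host "fw01".
SAMPLE_MESSAGES = [
    build_message(FACILITY_LOCAL0, SEVERITY["crit"], "Mar  3 10:15:01", "fw01", "fw", "link down on eth1"),
    build_message(FACILITY_LOCAL0, SEVERITY["err"], "Mar  3 10:15:02", "fw01", "fw", "config commit failed"),
    build_message(FACILITY_LOCAL0, SEVERITY["info"], "Mar  3 10:15:03", "fw01", "fw", "session opened"),
    build_message(FACILITY_LOCAL0, SEVERITY["alert"], "Mar  3 10:15:04", "fw01", "fw", "admin login from new source"),
]

if __name__ == "__main__":
    chosen = select_for_sensor(SAMPLE_MESSAGES)
    for m in chosen:
        print(m)
    # Uncomment to actually forward the selected lines to the sensor:
    # send_to_sensor(chosen)
```

Of the four constructed lines only the critical and alert ones pass the threshold; the error and informational lines do not. The same numeric relationship is what a device's severity selector applies, so if a device is sending far more (or nothing) to the sensor, the first thing to check is which severity it was actually configured with.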
| Action or Task | Description |
|---|---|
| Send welcome email from Customer Success Manager (CSM) | Introduction email to you that includes contact information for your Customer Success Manager, project sequencing, and several other links to help you get started with the service. |
| Create BDS Portal account | Your unique BDS account within the CyFlare cloud. |
| Create requested user account(s) within the portal | Individual credentials for users that require access to your portal account. |
| Build and ship the BDS appliance(s) to requested location(s) | CyFlare configures, validates, and ships your appliance(s) based on the IP information provided at time of order. |
| Provide "MST" file for bulk Windows agent deployments | The SOC or CSM will provide you with a unique Microsoft Transform (MST) file to be used for bulk agent deployment. This is useful if you use SCCM or another software deployment tool. This custom file is tokenized and specific to your portal. |
| Create CyFlare support portal account(s) as requested | The support portal is where you can create and view tickets as well as search and view the knowledge base. Your CSM will send invites requiring you to accept and complete your account setup. |
| Validate SSH access to deployed appliance(s) | The SOC will confirm it can connect to the appliance via the SSH details provided (public IP and port) in the event troubleshooting is required. This is provided to ease the burden on your organization if sensor-specific troubleshooting is required. |
| Validate appliance connectivity | The SOC will confirm that the sensor is connected, sending traffic as expected, and working as expected. |
Step 1: Connect the power supply and power on. A blue indicator light on the power switch should now be visible.
Step 2: Connect an Ethernet cable to "LAN1". This is the management interface to which an IP has been pre-assigned. This connection requires internet access. This interface responds to the 2 static IP addresses that you will have previously assigned: one is the appliance IP and the other is the security sensor IP.
Step 3: Connect an Ethernet cable to "LAN2". This is the data port that will receive mirrored / TAP traffic and is used for network monitoring.
Step 4 (optional): Connect the "LAN3" and "LAN4" ports if additional data ports are required for your network. These ports are enabled and in listening mode by default. No IP address is required for these ports.
The following rules are required to allow us to completely manage the appliance, analyze security data and store vulnerability scan reports.
Outbound From The Management Static IP Of The Appliance:
Outbound From The Network Sensor IP:
From time to time the SOC will require SSH access to troubleshoot the sensors and can do that without burdening your staff.