Xcellerat’ing FedRAMP with Graylog

The following is a transcript of the video:


I’m Jason Shropshire, Chief Operating Officer at InfusionPoints.

 About InfusionPoints

InfusionPoints is a managed security services provider focused on helping commercial companies build their federal and public sector business.

 Overview of the Talk

In this talk, our Director of Security Operations, Chad Spears, and I discuss how we use Graylog in our managed service offerings, XccelerATOr and XBU40, to accelerate our customers’ path to FedRAMP authorization. Thanks for watching.

 The Need for a Versatile SIEM

We needed a SIEM that was going to work across the board for all of our use cases, and that is Graylog. We can deploy it on EC2 backed by AWS, EC2, and all the services that go along with that. We have knowledge of how to do that and meet these requirements right across all the different use cases that we see introducing XccelerATOr as time has gone on.

 Expansion of InfusionPoints

We’ve expanded what Infusion Points does from just advisory to VNSOC360° managed services and then into engineering, which brings us to our XccelerATOr Engineered Builds.

XccelerATOr Engineered Builds

We wrote it in Terraform, and it uses best practices from AWS. Again, a lot of it is just combining all the experiences that we have, pulling those things together, and automating that across a use case that will work for most of our customers.

Blending Advisory Services

And we blend in our advisory services to help support a lot of the FedRAMP controls. Just things like that just have to be done. You have to have written documentation and things built into your management processes and such.

 The Security Stack

But a big, heavy part of it is this security stack, and that security stack is technology-based. It includes scanners that you need to have to do continuous monitoring. It includes things like a SIEM, which is required as a whole control family, but those can be changed out. Graylog is always central to what we do.

 Closer Look at XccelerATOr

This is a closer look at XccelerATOr. The idea is it’s in AWS parlance. There are multi-account best practices that AWS has. We have a root central account, and from there, we can do things in AWS organizations that propagate to all the accounts under that organization.

 Best Practices in Security

A lot of that is best practices around security of the accounts themselves. We have a management account that really features MFA as well as the bastion host capabilities to provide access to the environment.

 Transit Account

The transit account is crucial to the boundary control of the actual application that’s hosted here, right? So all the inbound and egress traffic to the application environment has to go through that transit account. We can look at transit gateway flow logs, VPC flow logs, and just pin the ones that we’re interested in in Graylog.

 Security Account

When we’re looking for ingress, things that are going on, or anomalies there, the security account is where we host Graylog and some of the other security tools, and all that stuff is hosted and automatically built by Accelerator. And we can customize this based on a customer’s need.

 External Services

And then we have the external services which are largely limited to AWS services that are authorized by DOD and FedRAMP. So those are pretty tried and true. And then we have external services like Crowdstrike and Duo.

 Centralized Logging

A closer look at our practices around centralized logging. Notably, we’ve got the security account here in the center with Graylog here, the logging account generally, we’re pulling from services like CloudTrail for AWS API events. We’re pulling from CloudWatch for instance logs, but you ship to CloudWatch logs, and then from CloudWatch logs, we’re plumbing that from each account into Kinesis as a subscription filter.

 Processing Logs

And then with Kinesis, we’re processing that into an S3 bucket, and all of that is independent of Graylog, right? So all that’s just running S3 is a source of record at that point. So deep archive can be found there. Our default is one year and we can also move to Glacier. So we have lifecycle policies that help reduce the cost of long-term log storage.

 Hot Storage with Graylog

So that helps meet the archive requirement. But as far as hot storage goes, that’s Graylog, right? So we’re subscribing to the Kinesis streams from Graylog using the inputs, and we’re pulling out of Kinesis into Graylog.

 Scaling and Performance

We process, put things in OpenSearch. We have one customer now that this architecture is up to about 1.2 terabytes daily, even though the initial design was for 500 gigabytes per day. It’s amazing that it has scaled up without a whole lot of trouble. But we’re super impressed by the ability to scale and use resources in the ways that Graylog can.

 Impressions and Adaptation

So Jason’s done a great job of showing the architecture and the backend and the design of XccelerATOr. When Jason and the engineering team at Infusion Points, and we were all sitting around the table brainstorming all of this, and I’ve seen that diagram, I almost shook my head. I was like, this is going to be a lot of data.


Decision to Use Graylog

And so, when we were describing and discussing what SIEM are we looking at here? And I had touched Graylog before, messed around with it. So I said, you know what, let’s try Graylog in this. And I was so impressed by the way that it was able to just adapt to what we were doing, what we’re doing for our customers, and how we’re leveraging Graylog to take them through this FedRAMP process.

 Benefits for Customers

And what that means for them is they have the ability to sell their product to the federal government. And what we’re helping them do is be able to bring this to the auditor quicker, right. Get it to market quicker. We let Graylog do what Graylog is great at doing, and that’s presenting and throwing us data really quickly, and our analysts being able to query that and show the auditor just super-fast.

 Live Graylog Instance

This is exactly what you’d be seeing from an actual XccelerATOr deployment. This is a live Graylog instance up and running. We’re refreshing here. We’ve got logs coming in, and I first want to jump into the indexes. Here is where we would take the auditor when they say, hey, show me that you’ve got 90 days’ worth of logs. Here’s our indexes and how we’re breaking the logs out.

 Seamless Integration

And so our analysts and our engineers have gone through and really engineered Graylog to just work seamlessly with that. The types of logs that were coming in.

 Terraform Built

The one thing about Accelerator, as Jason mentioned, is it’s all Terraform built, right? So it’s all code. So every deployment is pretty much the same until we bring the customer in, and they’re the ones that are going to be bringing in the change for us.

 Backend Perspective

From the backend perspective, when we look at things like authentication solutions, right? We leverage AWS managed AD. We leverage, for the most part, the same MFA devices, the same EDRs, we know what’s coming. So we know how to organize it. And when this is deployed, we can very quickly have the customer up again, accelerating the process for them.

 Log Management

So what we’re actually doing with Graylog logs are just flowing into and through AWS. Graylog is simply subscribing to those logs, those Kinesis streams. We like to be nice and tidy with those.

 Centralized Logging Streams

So you’ll see here that we have a centralized logging stream and that being your managed AD logs or your endpoint logs, right? Microsoft logs, if you will, those are going to be coming in from there. You’ll notice as well, we have a centralized logging CloudTrail stream. This is telling us what’s going on within the AWS console or within the AWS environment itself. There’s RDS, right?

 Collecting Logs

We have to be able to collect the logs from there. So again, another input source and then Security Hub. So another AWS feature that we have turned on there. So all of our security-related findings, hey, we’ll pull those in and organize those as well.

 VPC Flow Logs

And here is the big bad boy VPC flow log. So we have tried our best to go through the FedRAMP controls and determine to ourselves how we can simplify this.

 Control Family States

The control family states that you have to capture north-south traffic but also specific points of interest. So we work with the customer to determine what are those specific points of interest and try to really help them tune that so that we’re not just getting so much noise.

 Additional Logs

But then we also have WAF logs that are coming in. Again, being able to bring in these inputs very seamlessly, just providing the ARN there, hooking up to the Kinesis stream, we’re off and running again, accelerating that process, right.

 Log Deployment and Performance

What do we do with the logs once we get them in? When you start deploying about four or five hundred extractors to each input, you may not necessarily get the system performance that you’re looking for.

 Optimized Pipelines

Our team has gone back through and designed out all the pipelines now and all the stages. Logs are only being passed through the grok patterns that they need to. So if we scroll down here, we can actually see each one of these that was hand-built by our engineers and our analysts, and there’s the actual rule itself that’s pumping this over to grok.

 Normalizing Logs

This is doing nothing more than normalizing the log. Doing this for every log type can be very time-consuming. When we get them into the environment at this point, hey, we’ve deployed XccelerATOr. Graylog has stood up. The goal is accelerating this process.

 Content Packs

And one of the things that we absolutely love about Graylog is content packs. And if you’re not taking advantage of content packs, you need to be.

 Content Pack Components

Now what’s contained in the content pack, we have those inputs, they’ll change because the orgs change. We have all of those pipeline rules, but more so than anything, we have all those beautiful dashboards that we’ve built, and that tells the story so nicely.

 Utilizing Content Packs

So we pull all of those in with content packs but not only dashboards alerting as well. There are some control families that actually state that yes, you’ve got to log it, but you’ve also got to alert on it. So the auditor is going to come and want to see that information as well.

 Audit Success and Preparedness

Again, knowing FedRAMP and the experience that Jason and Gary brought with InfusionPoints of going through this several times, we were able to harness all of that together and have our teams bring this together and develop this content pack. And I truly believe that’s one of the things that leads to our audit success and preparedness is the ability to just take it from environment to environment because at the end of the day, yes, we may have a new auditor.

 Consistency Across Audits

It may be a new 3PAO that’s coming in and auditing the customer. But we can say, hey, we just took this through audit. We know the questions they’re going to be asking, so simply deployed over here.

 Efficient Audit Process

And let’s get the show on the road, if you will. We started building these dashboards out, and we got an idea, and we said, hey, if we can present this information to the auditor like this and they’d like it, then why don’t we just make them a whole auditing dashboard?

 Auditing Dashboard

Now, we’re speaking Mr. Auditor’s language. All right. So we can go down through there, and the auditor says, OK, I need you to show me how you are logging or how you’re bringing in when an account within managed AD because that’s what I read in your SSP. Show me how you log that. OK. Right here is the information in a nice pretty graph for you there.

 Simplified Audit Queries

And it seems like such a simple thing. But to the auditor, it really just took away all the questions, it took away all the doubts, right? And so that’s why it’s so beneficial for us.

 Reduced Audit Time

What used to take the auditor when they got our SecOps team on the phone used to take the auditor for an hour, two hours, three hours for us to go through and query this information, show this information. We just cut that time down to 15-20 minutes on the phone. And now the auditor sits there and he’s like, what am I going to do with all this extra time?

 Real-Time User Account Changes

We noticed that they actually started going in and asking and requesting those teams to make changes to user accounts. Now, typically, they’re not going to come into an environment and request you to do that type of stuff.

 Flexibility of Graylog

The beauty behind Graylog, another piece of this right? These dashboards being able to be so liquid and so fluid through there, we can simply just throw in the user account name.

 Quick Search Capability

So they give us the user account. And let’s just say, for in this instance, the user is right in here, and we just simply search, and we say, OK, Mr. Auditor, there’s not a problem. Here you go. I search for the user account. There’s every interaction that happened with said user name there.

 Customization and Efficiency

Graylog has done a phenomenal job allowing us to accelerate this process for our teams and accelerate this process for our customers overall.


I could go on for days about this. Love the product, love the ability to be customizable with the product, and really make it our own and ensure that it is working for our customer.

About InfusionPoints

InfusionPoints delivers a comprehensive set of advisory and managed security services that cover the full lifecycle of Cybersecurity, from concept to operations. A proven leader in Cybersecurity since 2007, InfusionPoints combines extensive U.S. Government security requirements knowledge with cloud expertise, advanced technology, and solid methodologies to provide customer success. In addition, InfusionPoints is an Advanced Consulting Partner in the Amazon Partner Network (APN). InfusionPoints is a part of the Solution Provider Program, Public Sector Solution Provider Program, Public Sector Partner Programs and has the AWS Security, Level 1 MSSP, Government Consulting, Well Architected Framework Competencies. InfusionPoints is also an active member of the AWS Global Security Compliance Acceleration (GSCA) group. InfusionPoints is a Veteran Owned Small Business (VOSB) and Historically Underutilized Business Zones (HUBZone) Small Business, ISO 9001, ISO 27001, and ISO 17020 Certifications as well as an A2LA FedRAMP 3PAO Certification.

InfusionPoints – https://infusionpoints.com/

FedRAMP acceleration – https://infusionpoints.com/solutions/xccelerator

Managed AWS GovCloud PaaS – https://infusionpoints.com/xbu40

VNSOC360° Managed Security Services – https://infusionpoints.com/solutions/soc-as-a-service