The biggest release since 1.0, CrowdSec Security Engine 1.5 brings you new features, major enhancements, and more control of your security management. Discover all that is new in 1.5 and how to get started in this article.
We launched a private preview of the CrowdSec Security Engine 1.5 to our community members in March to allow them to test it out and give us feedback. After a few months of testing, it was clear that the CrowdSec Security Engine 1.5 was ready for its debut by the end of May. So here it is, new features, major enhancements and more ways to manage your security. Check out all the updates and what’s new below. You can also read about the increased performance and faster response times when processing high volumes of logs that our community members experienced with the CrowdSec Security Engine 1.5.
“We are delighted to announce the launch of CrowdSec Security Engine 1.5 today. Following our last release in February 2022, we have been busy listening to our users to deliver a new version with significant enhancements, including the ability to receive “orders” from the console. We have also developed several new features, including compliance and post-exploitation scenarios to the engine. We are also hugely grateful to the CrowdSec community that has been busy testing the release over the last few months to ensure a smooth and successful roll-out for all our users. ” – Thibault Koechlin, Chief Technology Officer, CrowdSec
Polling API Integration
With the polling API, the Console can now send orders to the CrowdSec instances. Allowing users to manage their decisions (banned IPs at a given time). Let’s dive into what that means.
Real-time decisions management
The new Polling API gives you the ability to complete real-time decision management within the console. For users with many instances, you can now ban IPs on all of your instances at once, all from the comfort of a single page, rather than running an automation script to update all instances. A great timesaver for SecOps teams.
Teaser: Secure and custom configure the fleet of instances from the Console
In the future, the polling API feature will allow users to set up parsers and scenarios directly from the CrowdSec Console.
New Blocklist API and Premium Blocklists
We recently announced the external IP blocklists which allow all of our users to subscribe to at least 2 (new) additional blocklists created by the CrowdSec team, in addition to our community fuelled blocklist to better protect your instances.
Viktoria Rei Bauer (@ToeiRei on Discord, Twitch, and Twitter), CrowdSec Ambassador, saw a 190% increase in blocked IP addresses after implementing CrowdSec’s new Blocklist API and subscribing to 2 new blocklists.
“My average number of IP blocks was 2,000 per day. The day isn’t even over and I’ve already blocked 6,000 IPs.”
The chart below shows the impact the blocklist subscription made to Rei’s CrowdSec pfSense deployment. The red line shows the implementation of the blocklists that resulted in a 183% increase of malicious IPs blocked, peaking at a 400% increase.
Kubernetes audit acquisition
The feature we presented at Kubehuddle UK 2022 is finally here:
Kubernetes Cluster Monitoring now gives our users the ability to monitor and protect their whole K8s cluster, and not just the services running on it.
S3 audit acquisition
CrowdSec now supports reading logs stored in S3 bucket, allowing you to process logs generated by AWS services (such as ALB access logs or Cloudfront logs).
Auditd support
Allows for the detection of “Post Exploitation Behaviors”, including:
- base64 + interpreter (perl/bash/python)
- curl/wget and exec
- pkill execve bursts
- rm execve bursts
- exec from suspicious locations
CrowdSec CTI API helpers
You can now query CrowdSec’s Cyber Threat Intelligence (CTI) from your parsers and behavior scenario thanks to our new CTI API, allowing you to react to each threat differently according to each IPs reputation and classification.
This new CTI API allows CrowdSec and the CTI to be more interactive with each other, allowing users to query more information around a specific IP. For example, you can now query the machine’s usage, as well as the type of attack it relates to. CrowdSec is now able to query all this data in real-time, helping users to detect false positives, and also reducing alert fatigue.
AWS Cloudtrail Scenarios
Thanks to 1.5’s new behavior detection capabilities, we were able to create an advanced AWS Cloudtrail scenario helping you to detect and better understand what’s happening on your cloud. Below you can see a list of activities you are now able to detect.
- Detect AWS CloudTrail configuration change
- Detect AWS Config configuration change
- Detect AWS console authentication failure
- Detect AWS IAM policy change
- Detect AWS KMS key deletion
- Detect login without MFA to the AWS console
- Detect AWS NACL change
- Detect AWS Network Gateway change
- Detect AWS root account usage
- Detect AWS route table change
- Detect AWS S3 bucket policy change
- Detect AWS Security Group change
- Detect AWS API unauthorized calls
- Detect AWS VPC change
Feature flag support
This new feature allows us to have some features within the Security Engine that are disabled by default but can be activated manually by the user.
This will facilitate the inclusion of beta features safely and give more chances to the community to preview what’s coming and help us test the features in a range of use cases.
Detection Engine improvements
- Conditional buckets: an improvement of our behavior detection system allows for more complex expression for the alert triggering mechanism
- Event data stash: allows parsers to capture data for future enrichment. Adding the capability to detect advanced malicious behaviors
CAPI Allowlist
While the community blocklist is highly curated, and designed to avoid false positives, sometimes a shared IP used by both innocent and malicious actors will end up in it, so we’ve added the capability to create allowlists that can also be applied to the community-powered blocklist.
Conclusion
We would like to thank our community of users who have helped us reach this major milestone! Thanks to your feedback we have been able to create a release that truly caters to your needs and enhances your use of CrowdSec.
Interested in using CrowdSec Security Engine 1.5? If you haven’t already, install the CrowdSec Security Engine and then, sign-up for the CrowdSec Console. We will also be hosting a live webinar to go over all the new features and enhancements!
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About CrowdSec
Thibault & Philippe, two of CrowdSec’s founders, used to work in high security hosting, which was a relatively new field back in the 2010’s. They designed a protection stack which would also block IPs that made violations.
One day, one of their clients, a famous sports-oriented e-commerce shop was under attack. It was not a real problem since it was protected by a robust stack, but the hacker used more than 3,000 IP addresses to try to attack the website. This event caused the idea that would be the genesis of CrowdSec.
