Managing Log4j 2 Risk: Continuous Monitoring is the First Step

So What Exactly Happened with Log4j 2 (Log4Shell?)

Log4j 2 is the affected software: a logging library written in the Java programming language that records what applications and their users do. It is developed and maintained by a handful of volunteers as an open-source Apache Software Foundation project, and it is extremely popular with commercial software developers. It runs across many platforms (Windows, Linux, Apple’s macOS), powering everything from webcams to medical devices. The flaw in Log4j lets internet-based attackers easily seize control of the systems that embed it. Simply identifying which systems use the library is a challenge; it is often hidden under layers of other code.

By now, you’ve probably read about the vulnerability in the Log4j library. In case you missed it, the top U.S. cybersecurity defense official, Jen Easterly, deemed the flaw “one of the most serious I’ve seen in my entire career, if not the most serious” in a call Monday with state and local officials and partners in the private sector. Publicly disclosed last Thursday, it is an open door for criminals because it allows easy, password-free entry to nearly everything that embeds the library. The affected software is small and often undocumented, so expect bad actors to go big on these exploits.

Patching is a mandatory first step, but it cannot be the only action you take. With reports of exploits circulating weeks before the vulnerability was announced, you have to seriously consider that something may already have slipped through the cracks.

The biggest threat with Log4j is that bad actors have already gained access to your environment, and if they are smart, your enterprise may not know it. Against this vulnerability, periodic audits are no longer enough; continuous monitoring and continuous audit are what help. “You are not going to stop the risk,” said Sandy Bird, CTO and Co-Founder of Sonrai Security. “The best your organization can do is keep the blast radius contained.”

In a modern cloud environment there are often tens of thousands of pieces of compute, each with a corresponding identity, and the bad actor is quietly doing recon and waiting for the right moment to make the next move. Your organization is in a real-life chess match. So how do you find the risks, and the bad actors, before they do real damage?

Five Steps to Continuous Monitoring & Audit

First Move: Discovery

Inventory your identities and their effective (end-to-end) permissions. With an identity inventory and the effective permissions (entitlements) of each identity, organizations can determine what data each identity can access, including how it can reach that data and what it can potentially do with it. With this continuous visibility, you can see security drift and alert on it.

Next, determine the resources where those identities are in use. With this visibility, teams can determine where they have risk and, in turn, manage it to ensure that the resources and the data within them stay secure.

Last, your CIEM tool will automatically map out and visualize your cloud’s identity-to-data relationships to find potential attack vectors. Sonrai Dig’s graph with patented analysis provides a comprehensive identity-to-data risk mapping, enabling you to set the security baseline that you will monitor for continuous audit.

Second Move: Classify

Not all data is created equal. To manage your risk, you need to know what is critical to protect now and what can be managed later. For this, you need to classify your data so you know where your crown jewels are. Using Sonrai Dig’s patented data classification features, you can identify data based on criteria such as sensitivity (credit card numbers) or PII (names, addresses, phone numbers). You should also be able to classify data based on organizational needs with custom classifiers. Once you know where your crown jewels are in your environment, and which identities have access to them, you can take decisive action to protect your most valuable assets.

Third Move: Lock it Down

Just like you would put your most valuable possessions in a safe, secure your crown-jewel data, such as sensitive PII, through lockdown. Locking down highly sensitive data means implementing least privilege: setting security controls that limit the identities that can reach it, and the permissions they hold, to only those that are required. This is where most teams stop, but you can’t stop here. Once you’ve established least privilege, you need to maintain it.

CheckMate: Protection

Getting to least privilege establishes your cloud security baseline. You then need to maintain that baseline through continuous audit of your cloud environment, catching any drift from it. Sonrai Security continuously monitors your environment, 24/7/365, and when a deviation is detected it alerts the team(s) responsible for protecting the data so that they can take immediate action.

Game Over: Prevention

While you go through this crucial period with Log4j 2, you have many teams working around the clock. That is not a long-term, scalable solution. Teams need intelligent workflows and automation to keep the environment secure while the team is asleep. With continuous monitoring, if a deviation occurs and something goes ‘bump in the night’, your workflows and automation react to mitigate the risk at the speed and scale of your cloud. Then it’s game over for the bad guys.
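The five moves above, as an added example that is not Sonrai’s code and not how Sonrai Dig works internally: a small Python identity-to-data graph over a constructed inventory (names such as `role:ci-runner` and `bucket:customer-pii` are assumptions). It follows assume-role chains to compute effective permissions, keeps only the edges that touch classified crown-jewel data, and reports drift from a least-privilege baseline so an automated workflow can act on it.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical, not from any real environment).
# Direct permissions: identity -> {resource: {actions}}
DIRECT = {
    "user:alice": {"bucket:reports": {"read"}},
    "user:bob": {"bucket:reports": {"read"}},
    "role:ci-runner": {"bucket:artifacts": {"read", "write"}},
    "role:app-server": {"bucket:customer-pii": {"read"}, "db:orders": {"read", "write"}},
}
# Trust relationships: identity -> roles it may assume. The chain hides alice's real reach.
ASSUME = {"user:alice": ["role:ci-runner"], "role:ci-runner": ["role:app-server"]}
# Data classification: resource -> label; PII and financial data are the crown jewels.
CLASSIFICATION = {"bucket:customer-pii": "pii", "db:orders": "financial",
                  "bucket:reports": "internal", "bucket:artifacts": "internal"}
CROWN_JEWELS = {"pii", "financial"}


def effective_permissions(direct, assume):
    """Discovery: follow every assume-role chain and union the permissions found along it."""
    result = {}
    for identity in set(direct) | set(assume):
        reach, seen, stack = defaultdict(set), set(), [identity]
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            for res, actions in direct.get(cur, {}).items():
                reach[res] |= actions
            stack.extend(assume.get(cur, []))
        result[identity] = dict(reach)
    return result


def crown_jewel_access(effective, classification, jewels=CROWN_JEWELS):
    """Classify: keep only the identity-to-data edges that touch sensitive resources."""
    return {ident: {r: a for r, a in perms.items() if classification.get(r) in jewels}
            for ident, perms in effective.items()
            if any(classification.get(r) in jewels for r in perms)}


def detect_drift(baseline, current):
    """Continuous audit: (identity, resource, action) triples present now but not in the baseline."""
    drift = []
    for ident, perms in current.items():
        for res, actions in perms.items():
            for act in sorted(actions - baseline.get(ident, {}).get(res, set())):
                drift.append((ident, res, act))
    return sorted(drift)
```

The lockdown step is the removal of trust edges that are not required; the baseline is the crown-jewel graph computed after that removal, and any later run that adds an edge to it is the drift to alert on.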

What Kind of Solution Do You Need for Continuous Audit?

Continuous audit entails ongoing monitoring with reporting on the state of security of your environment, based on any change from the state that you set with your security controls. The tool should have the capability to deconstruct workloads, understand frameworks as they relate to identities and data, and automatically apply remediation and protection controls continuously. The solution should also provide robust reporting, communicating risk widely to security teams and auditors. 

You no longer need to wait for your next security audit to see what to fix to continue passing your audits. Today’s leading enterprises use Sonrai Dig to improve security, ensure compliance and increase operational efficiencies for their AWS, Azure, GCP, and other cloud platforms. To learn more about how Sonrai Dig can help your organization continuously reduce risk, request a demo today.