TL;DR of TAG Cyber and Sonrai Security


As business leaders recognize the increased revenue growth associated with cloud strategies, Information Security teams must find ways to adapt and, more importantly, participate in this rapid deployment approach. TAG Cyber, a world-class cyber security research and advisory firm, delivers an expert overview of enterprise risk.

TAG Cyber worked with Sonrai Security to better understand how cloud modernization demands a shift in cloud-based infrastructure security. One truth is established right away: cybersecurity risks associated with workloads are inherently different in cloud infrastructure than in legacy systems. How? Why? What are the challenges enterprises are facing, and how can we remediate them? The campaign addresses the security needs of today’s dynamic, modern security infrastructure and how a cloud security platform provides both the breadth and depth required to secure cloud environments.

A lot of great content was published including a technical report, an editorial interview with Sonrai Security CISO, Eric Kedrosky, and a one-on-one conversation with our founder and CEO, Brendan Hannigan, joined by TAG Cyber’s CEO, Ed Amoroso. Additionally, TAG Cyber named Sonrai Security a ‘Distinguished Vendor’ in Q3 2022.

Now, as mentioned, there is a lot of content, so we’ll summarize the major highlights of this partnership and what learnings organizations can walk away with.

The Technical Report

TAG Cyber released their latest technical report titled, ‘Modernizing the Security Infrastructure: Mitigating Enterprise Cloud Workload Risks in Legacy Infrastructures,’ authored by John J. Masserini. The report reviews the challenge of leveraging cloud-based workload infrastructure, how this modern model differs from its on-prem predecessor, and details how a cloud-native security solution can highlight related risks.

The report begins by establishing the ample benefits of cloud computing, but also the corresponding tradeoff: the potential for new and unique cloud risks. Unlike legacy infrastructure environments, cloud modernization allows environments including workloads, data stores, networks and cloud-based firewalls to be built quickly, with little of the review and processing time that once bogged down turnaround time.

This can come at the price of security. The report continues by detailing the gaps in current security tool coverage and the shifting paradigms in security strategy.

The Challenges of Cloud-Based Infrastructure

Visibility is now a major concern in cloud environments. TAG Cyber points to two root causes: 

“The first is the inherent reliance on legacy process management to identify when changes occur within the infrastructure… The other major issue most security teams are facing is the inability of most legacy security tools to identify the risk and security issues around cloud workloads and applications.”

Furthermore, the technical security risks of most concern are three of the same issues you would find in legacy infrastructure: misconfigurations, vulnerabilities, and access controls/excessive permissions. The report dives into each of these challenge areas.

Trust relationships: TAG Cyber notes that technical security risks are exacerbated in the cloud as, “due to the inherent trust relationships which exist in most cloud environments, risks that would have historically been limited in scope to specific devices or networks now impact the entire platform.”

Access controls: A major difference between legacy infrastructure and cloud is the proliferation of machine identities, or ‘non-person identities.’ Managing the access controls of these identities is difficult. The report explains, “to ensure everyone on the DevOps team, from the developer to the testers, to the business partner, has access to the applications as needed, common, easily shared non-person cloud identities, such as AWS Roles, Azure Service Principals, etc., are used. Unfortunately, such access rights tend to migrate into production as the application does, providing access that was intended for testing now with full permissions to often sensitive production data.”

Posture and vulnerability management: While this is not a new concern, it has unique challenges in the cloud. Workloads are often designed for ease of deployment and don’t always take security into account. The lack of visibility into workloads “leaves the security teams behind the proverbial 8-ball when it comes to trying to manage risks in the cloud.”

The key concern of vulnerabilities in the cloud is the frequency of exploited misconfigured workloads, resulting in the attacker gaining access to the workload. Due to the frequent misconfiguration of identities and roles within the cloud environments, “the attacker now potentially has elevated access to every other workload within the environment.”

Data Management: The cloud is inherently managed differently, and “due to the nature of the DevOps lifecycle, the various data stores within cloud environments tend to replicate quickly, leaving outdated databases or file extracts lying around unprotected.” TAG Cyber recommends approaching data security in the cloud in four key pillars: location, classification, entitlements, and usage. You must know where your data is, what it is, who can access it and who actually is.
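To make the chain the report describes concrete (an internet-exposed workload, a shared test role that migrated into production, and the sensitive data stores it transitively reaches), here is an added Python example of the kind of relationship check a security team could run over its own inventory. It is not Sonrai's or TAG Cyber's code, and the inventory, names and relationships are constructed for illustration.

```python
from collections import deque

# Constructed sample inventory (not real cloud data): nodes are workloads,
# non-person identities and data stores; edges are the trust and permission
# relationships that let one compromised workload reach the rest of the platform.
NODES = {
    "web-prod":     {"kind": "workload", "env": "prod", "exposed": True},
    "batch-prod":   {"kind": "workload", "env": "prod", "exposed": False},
    "ci-test-role": {"kind": "identity", "env": "test"},   # test role now used in prod
    "etl-role":     {"kind": "identity", "env": "prod"},
    "customer-db":  {"kind": "data", "sensitive": True},
    "logs-bucket":  {"kind": "data", "sensitive": False},
    "db-snapshot":  {"kind": "data", "sensitive": True},   # stale replica left behind
}
EDGES = [  # (source, target, relationship)
    ("web-prod", "ci-test-role", "assumes"),
    ("ci-test-role", "etl-role", "assumes"),
    ("ci-test-role", "logs-bucket", "write"),
    ("etl-role", "customer-db", "read"),
    ("etl-role", "db-snapshot", "read"),
    ("batch-prod", "etl-role", "assumes"),
]

def reachable(start):
    """Every node reachable from `start` by following trust/permission edges."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for src, dst, _ in EDGES:
            if src == node and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def blast_radius(workload):
    """Sensitive data stores that a compromise of `workload` could expose."""
    return sorted(n for n in reachable(workload) if NODES[n].get("sensitive"))

def exposed_sensitive_paths():
    """Map each internet-exposed workload to the sensitive data it can reach."""
    return {w: blast_radius(w) for w, attrs in NODES.items()
            if attrs["kind"] == "workload" and attrs.get("exposed")}

def stale_test_roles_in_prod():
    """Non-person identities tagged for test that production workloads still assume."""
    return sorted({dst for src, dst, rel in EDGES
                   if rel == "assumes" and NODES[src]["env"] == "prod"
                   and NODES[dst]["env"] == "test"})
```

Run against a real inventory, the two findings correspond to the report's points: the exposed workload's reach into sensitive data via chained role assumption, and the test identity that followed the application into production.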

The Sonrai Dig Platform

We worked with TAG Cyber to detail the ways in which our platform was developed to highlight the risks many organizations are not even aware of, offering visibility into those risks and then remediating them accordingly.

The report notes, “Sonrai Dig identifies and monitors all relationships between workloads, identities, and data stores that exist within your various cloud platforms to provide security teams a continuous view of all risks, unusual activity and automated remediations.” 

If you are further interested in reading the full-length report or how Dig can address the highlighted cloud-based infrastructure challenges, you can access the report here.

TAG Cyber Annual Report 2022, an Interview with Eric Kedrosky

The task at hand for organizations using the cloud is to install the proper controls to manage workloads and data. TAG Cyber sat down with Eric to understand how Sonrai’s holistic approach to protecting cloud deployments using a unified commercial platform employing controls focused on workloads, identities, and data, is successful in protecting cloud environments.

For the full interview, navigate to the report available here. In the meantime, we’ll highlight some of the more fruitful questions and answers.

TAG Cyber: How does your solution integrate with the on-going journey toward greater cloud adoption by most enterprise teams?

Eric: Organizations choose our platform as the foundation of their cloud security operations, whether they’re fully cloud or in the midst of a digital transformation. Modern app development has eviscerated traditional security controls and created unique risks that current tools can’t handle. We believe that when done correctly, the cloud delivers security far better than anything possible on prem. Sonrai Security Dig was built to tackle cloud complexity, and its ability to view identity and data risk in context is at the core of our product. Cloud means an explosion in roles and identities. As an organization’s cloud footprint grows, the complexity becomes unmanageable. The cloud begs for a new method of triaging a flood of alerts, requiring cloud, security, DevOps and audit teams to unite together. Finally, cloud means a multitude of cloud accounts, roles, service principals and data stores, all of which need to be secured. We help reveal risks companies didn’t know they had, by connecting the dots between identities, data, workloads and platform, and then remediating them at the speed and scale the cloud demands. By breaking down the silos between the pillars of cloud security, organizations obtain a level of context that allows them to prioritize concerns and operationalize remediation.

TAG Cyber: Tell us more about the workload security aspect of your solution.

Eric: Knowing the age, CVSS score, and exploit status of business risks is not enough to prioritize the vulnerabilities in an organization’s environment. Recognizing which vulnerabilities are the most dangerous to a business means understanding threats unique to the host. Detecting workload vulnerabilities is just the first step. We examine connected platform, identity and data risks to reveal the full severity of a workload vulnerability. We use analytics and proprietary risk amplifiers to highlight vulnerabilities with increased concerns, including sensitive data access, and over-privileged or exposed identities that could allow for lateral movement if that vulnerability were exploited. Our lightweight agentless scanner discovers a full host inventory without impacting performance or cloud spend. This helps enterprises get a clear picture of what every host is connected to, and who (or what) can access it—or already has. This allows teams to spend less time on hardening, configuration, network firewalling and microsegmentation tasks. If a business already has a scanner in place, we offer alert prioritization with host-specific risks to further enrich the solution. Our ability to de-emphasize vulnerabilities without impacting sensitive data is one of our key capabilities, because we know the average team is drowning in security concerns.

1:1 with Ed Amoroso and Brendan Hannigan

Watch the full interview between two CEOs on a “revolutionary” approach to cloud security.