Recently, one of Sonrai Security’s Principal Solutions Architects, Mindy Schlueter, presented a webinar titled, ‘Continuously Changing Clouds Need Dynamic Security.’ The webinar took a four-prong approach in addressing the following agenda:
- Acknowledging the nonstop growing complexity of the cloud.
- Detailing how vulnerability management has changed from on-prem to cloud.
- Recognizing the specific challenges of a dynamic cloud and how to operationalize remedies.
- Finally, how to identify ‘risk amplifiers’ in vulnerabilities and pick a solution that will help maintain a secure cloud.
The Cloud Complexity Challenge
There are countless options when it comes to compute, and most infrastructure is now deployed by code. On top of that, organizations are tasked with managing non-person identities in addition to human users. Compute, containers, serverless functions and more are leveraging roles in the cloud to execute business needs. All of these entities (datastores, compute, keys, IAM principals, etc.) are connected through relationships, and then come into contact with the identities that use them, creating a massive interconnected web in your cloud. This web is constantly changing. Code comes in every day, maybe changing even by the hour – yes, your cloud is complex, but it is also dynamic.
“Most of the customers that we talk to are struggling to keep up with the dynamic nature of their clouds, and oftentimes security teams are trying to play catch up,” Mindy shares.
A lot of the time, organizations are tasked with a business goal like moving all applications into the cloud in a certain timeframe, and once this transition is complete, that is when security teams are tacked on and then tasked with understanding this new environment and finding where the risks lie. It is not the most efficient model.
The Vulnerability Management Evolution
One area security folks are familiar with from on-prem, and now need to address in the cloud, is vulnerability management. Previously, security was tasked with preserving the network perimeter. Teams scanned networks, servers, and workstations on the network in an attempt to secure all assets. It was an overall slower delivery pipeline, meaning periodic scanning of workloads was sufficient. This process is not sufficient for the cloud environment. The network is no longer the perimeter; in fact, identity is now regarded as the closest thing to a perimeter in the cloud. Some workloads are not even reachable over the network in the cloud, meaning traditional scanners miss them entirely and leave you with false negatives. On top of all of this, when vulnerabilities were discovered on-prem, they were typically sent back to the Security team. Now, vulnerabilities are often sent to DevOps, as the issue lies in the actual code and should be addressed by whoever was responsible for building the application. The vulnerability management paradigm has changed.
“Vulnerabilities are a part of your attack surface, that’s how people get in, but that’s not the only thing that matters, because it may not be the workloads that they’re after. What’s really important, and what bad actors are looking to do, is move laterally in your cloud environment.”
Bad actors are often looking to take advantage of what a workload has access to or the identities on it, not the vulnerability itself. A focus on vulnerabilities alone is an outdated strategy. Ultimately, it is the identities on workloads and their entitlements that lead attackers to your sensitive data. This is a larger picture to consider, but in the cloud the burden does not fall on Security teams alone. The cloud works under a Shared Responsibility Model. This means part of the burden is on Cloud Service Providers, such as the overall infrastructure, but most of the configuration within your cloud falls under the organization’s responsibility. Consider spinning up a workload that uses an AMI with a vulnerability on it. That vulnerability is your responsibility, even if you’re using a cloud service provider-sanctioned AMI.
Cloud Complexity Challenge Solutions
Organizations that are looking to address these cloud-specific challenges can rely on several solutions and strategies:
- Continuous Monitoring
- Ingesting Logs in Real-Time
- Intelligent Scanning
- Total Risk Detection
- Complete Context
- Effective Alert Prioritization
- Shifting Left
The webinar continues by detailing the capabilities to look for in a vendor:
- Total Visibility
- Customizable Policies
- Custom CSPM
- Continuous Monitoring
- Effective Alert Prioritization
- Attack Path Detection
- Total Risk Detection
After addressing the laundry list of cloud characteristics, and resulting complexities and challenges, as well as the capabilities of solutions to remedy them, the webinar discusses overall vulnerability management strategy. The positioning is strong: put identity and data at the center of your strategy.
This approach starts with first understanding where your data is and what it is with data identification and data classification. Then, considering who and what can access this data.
“There is really no way to get information like that from a cloud provider portal. When you look at a storage account, you will never be able to see who or what can access that storage account. You need a security tool that can tell you that.”
When you establish the ‘who’ of what can access your sensitive data, the next question is ‘how can they move laterally?’ Most identities are overprivileged in the cloud. In fact, more than 95% of accounts in IaaS use, on average, less than 3% of the entitlements they are granted. These entitlements greatly increase your attack surface and are the pathways attackers leverage to move laterally. This is where your organization must lean on a tool to help find these overprivileged identities and detect risks like toxic combinations and privilege escalation scenarios, or locate sensitive data or access keys. You need a clear view of potential attack paths to your sensitive data.
After understanding the web of relationships between identity and data in your cloud, that is when you consider how attackers get into your environment. This strategy flips the timeline of how we approached vulnerability management on-prem, where ‘how do they get in?’ was the first question security teams used to address. In the cloud, you need to first address: if someone were to get in, what could they do? How do these vulnerabilities tie back to identities, their entitlements, and ultimately, data? This information is what your organization can use to prioritize vulnerabilities and risks.
The Right Tool
Mindy dives deep into the specifics of how the Sonrai Dig platform addresses workload security – the more cloud-specific approach to vulnerability management. This includes how ‘risk amplifiers’ highlight the most pressing vulnerabilities as well as revealing the true blast radius of every potential vulnerability. This critical context is key to arming your teams with the information they need to make decisions about what to fix today and what can wait until tomorrow.
Traditional vulnerability management measurements like CVSS scores do not offer enough context. Teams may find themselves with a hundred 9.8 rated vulnerabilities – how do you approach prioritization when every vulnerability is equally high-risk? When not every workload has a privileged identity on it or access to customer PII, you cannot treat each risk equally.
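The following is an added illustration (not Sonrai’s code or the webinar’s) of the prioritization argument above and of the identity-to-data attack path reasoning discussed earlier: three workloads carry the same 9.8 CVSS finding, and only the identities attached to them and the data those identities can reach separate them. All inventory, action names, classifications and amplifier weights are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Identity:
    name: str
    entitlements: frozenset      # granted actions, constructed labels like "s3:GetObject/build-cache"

@dataclass
class DataStore:
    name: str
    classification: str          # "pii", "internal" or "public" (constructed classification labels)
    read_actions: frozenset      # actions that grant read access to this store

@dataclass
class Workload:
    name: str
    cvss: float                  # CVSS base score of its worst open finding
    internet_exposed: bool
    identities: list             # Identity objects attached to the workload (roles it can assume)

# Assumed multipliers applied on top of CVSS when a risk amplifier is present.
AMPLIFIERS = {"internet_exposed": 1.5, "admin_entitlement": 2.0, "path_to_pii": 3.0}

def can_read(identity, store):
    """True when a wildcard grant or any granted action gives read access to the store."""
    return "*" in identity.entitlements or bool(identity.entitlements & store.read_actions)

def blast_radius(workload, stores):
    """Every data store reachable from any identity attached to the workload."""
    return sorted({s.name for i in workload.identities for s in stores if can_read(i, s)})

def amplified_risk(workload, stores):
    """Return (score, amplifiers): CVSS is only the starting point, context multiplies it."""
    hits = set()
    if workload.internet_exposed:
        hits.add("internet_exposed")
    for ident in workload.identities:
        if "*" in ident.entitlements or "iam:*" in ident.entitlements:
            hits.add("admin_entitlement")      # a role that can rewrite IAM enables lateral movement
        if any(s.classification == "pii" and can_read(ident, s) for s in stores):
            hits.add("path_to_pii")            # blast radius reaches customer data
    score = workload.cvss
    for h in sorted(hits):
        score *= AMPLIFIERS[h]
    return round(score, 1), sorted(hits)

def prioritize(workloads, stores):
    """Rank workloads by amplified risk, highest first, with the amplifiers that drove each score."""
    ranked = [(w.name, *amplified_risk(w, stores)) for w in workloads]
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed sample inventory: three workloads sharing the same 9.8 CVSS finding.
STORES = [DataStore("customer-pii-bucket", "pii", frozenset({"s3:GetObject/customer-pii"})),
          DataStore("build-cache", "internal", frozenset({"s3:GetObject/build-cache"}))]
WORKLOADS = [Workload("web-frontend", 9.8, True, [Identity("web-role", frozenset({"s3:GetObject/build-cache"}))]),
             Workload("batch-job", 9.8, False, [Identity("batch-role", frozenset({"s3:GetObject/customer-pii"}))]),
             Workload("ci-runner", 9.8, False, [Identity("ci-role", frozenset({"*"}))])]
```

Running `prioritize(WORKLOADS, STORES)` ranks the internally reachable CI runner with a wildcard role above the internet-exposed web tier, which is the inversion of a pure CVSS ordering the text describes.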
Cloud Workload Protection Platforms (CWPP) are highly regarded as the solution to lean on for cloud-native vulnerability management.
A CWPP can cover any combination of workloads, making it the go-to choice when organizations need to protect multi-cloud infrastructure. The core components of a CWPP provide the following:
- Since many cloud data breaches are linked to misconfigurations, an integrated development pipeline allows your team to catch configuration risks before they go live.
- Continuous cloud workload monitoring helps your organization detect risks and vulnerabilities sooner (hopefully before would-be attackers ever become aware of them).
- The latest threat intelligence empowers your team to understand new tactics and apply the right defensive and offensive strategies to detect breaches and stop them in their tracks.
A CWPP combines protection for multiple workloads into one solution, simplifying your tech stack, reducing monitoring blind spots, and giving your team a unified view from which they can see and manage everything.
This blog was a recap from the recent webinar, ‘Continuously Changing Clouds Need Dynamic Security’, presented by Principal Solutions Architect, Mindy Schlueter. For the full in-depth presentation and details on what your organization needs to do modern vulnerability management, consider watching the on-demand webinar available here.