This past week, Principal Security Architect Nathan Schmidt presented a webinar on the value of prioritizing cloud vulnerabilities, why prioritization has to work differently in the cloud, and tactical next steps to get you started. This recap blog covers the cloud vulnerability management highlights and key takeaways from the session. Let's begin!
The webinar first details the evolution of vulnerability management from on-prem to cloud. Previously, vulnerability management could arguably be drilled down to patching software. A defense-in-depth strategy and seeing your network as the perimeter to protect characterized on-prem security. And while there are still firewalls, WAFs, and problems like load balancing in the cloud, there is a new frontier and set of challenges and processes unique to the cloud. Things are fundamentally different. Identity is now the perimeter.
Entities like cloud resources and services (think containers or an Azure data warehouse) do not pass through a network; instead, it is identities that connect these entities. Understanding what is in your cloud is a massive challenge in itself, and gaining insight into how these entities all connect is even harder. Only then can you address whether these resources, services, identities and data should be connected.
The Pitfalls of Blindly Trusting CVSS Scores
Previously, vulnerabilities were understood using CVSS scores. CVSS scores consist of three sets of metrics: Base, Temporal, and Environmental. They ask how exploitable the vulnerability is, how mature or old it is, and whether there are confidentiality or integrity requirements associated with it. In sum, CVSS scores addressed likelihood and impact.
CVSS scores have their drawbacks and limitations when it comes to cloud vulnerability management. Nathan points out that while each vulnerability gets a score that may once have helped determine what gets addressed first, the score gives no insight into the risk across your entire environment. Patching vulnerabilities to minimize possible attack vectors into your environment is a logical approach; however, there is more beneath the surface when dealing with the cloud.
Why Cloud Vulnerabilities are Different
The webinar details the cloud kill chain, following the path of recon, vulnerability, infiltration, privilege escalation, lateral movement, exfiltration, and business impact. For example, this can look like an attacker capitalizing on a platform posture risk, exploiting a zero-day vulnerability, performing IAM relationship recon, expanding permission boundaries and assuming new identities, maneuvering through your environment, downloading data, and finally impacting your business.
While vulnerabilities can be one of the ways into your cloud, it is truly the data in your cloud that attackers are after and looking to monetize. There is a hyper-focus on cloud vulnerability management in the market because vulnerabilities are a very linear and logical route for attackers, but they are not the only way your cloud can be exploited.
How to Prioritize Critical Vulnerabilities
Prioritizing your most critical vulnerabilities in the cloud is only possible by gaining context and information about the other facets of your cloud: platform, identity, and data. This means flipping the approach to an attack path from starting at network protection to starting at what an attacker has in mind: your data.
The order of operations should be as follows:
- Can they get PII? You must know where your most critical data is.
- What can they access? You need to discover and classify your data.
- How can they move laterally? You must reveal all overprivileged identities, toxic trust chains, and unprotected access keys.
- How do they get in? You must discover all entryways into your environment: misconfigurations, vulnerabilities, or stolen credentials.
This strategy flips more traditional on-prem vulnerability management on its head to drive data and identity to the center of your cloud vulnerability management strategy.
How to Operationalize Team Workloads
Every organization is at a different stage in their public cloud migration or maturity. Those that have settled in are likely looking for ways to bring all the pieces together and operationalize security practices.
Security begins with the development process, when code is being built. This means Infrastructure as Code (IaC) scanning, code analysis, and security and overall architecture review.
Following best practice, the scanned code is then sent for testing. This means platform security tests, CSPM checks, additional scanning, and checks for architecture vulnerabilities. This stage helps you understand how this code (and the potential vulnerabilities in it) can interact with other elements already in production.
Then you can send the code on to production for runtime protection, continuous vulnerability scanning, least-privilege evaluation, and pen testing.
Nathan finishes by reviewing a takeaway plan for controlling your cloud security strategy:
- Gain visibility into everything in your cloud: your infrastructure, your platform, your identities and your data, plus visibility into the continuous changes affecting all of these entities.
- Understand how all these pieces connect to each other. This means revealing all paths to your data and uncovering toxic risks arising from identity rights; you want to map the effective permissions of all identities.
- With this understanding, interpret business impact and prioritize risks accordingly. Context means understanding workloads, blast radius, and risk amplifiers (think overprivileged identities on a workload, or customer PII being accessible).
- Leverage automation and a security platform that can operationalize alert triaging, prioritization, and remediation for you.
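As an added example (not from the webinar or any vendor product), the following Python sketch models the data-first prioritization described in the order of operations above and in the takeaway plan: it follows identity trust chains from a workload to the data it can reach, then weighs each finding's CVSS score by blast radius and exposure. The inventory, trust relationships, sensitivity labels, weighting formula and CVE identifiers are all constructed placeholders.

```python
from collections import deque
from dataclasses import dataclass

# Constructed sample inventory (assumption, not the webinar's data). Edges read
# "can reach": workload -> identity it runs as -> assumable identity -> data store.
EDGES = {
    "web-vm": ["role-web"],
    "role-web": ["role-admin"],     # toxic trust chain: web role may assume admin
    "role-admin": ["customer-db"],  # admin role can read the PII store
    "batch-vm": ["role-batch"],
    "role-batch": ["logs-bucket"],
}
# From data discovery and classification: 3 = customer PII, 1 = low-value logs.
DATA_SENSITIVITY = {"customer-db": 3, "logs-bucket": 1}

@dataclass
class Finding:
    workload: str
    cve: str                # placeholder identifiers, not real CVE numbers
    cvss: float             # CVSS base score as reported by the scanner
    internet_exposed: bool  # an entryway reachable from the internet

def path_to_data(workload):
    """BFS through identities; (sensitivity, path) of the most sensitive reachable store."""
    best, queue, seen = (0, []), deque([(workload, [workload])]), {workload}
    while queue:
        node, path = queue.popleft()
        if DATA_SENSITIVITY.get(node, 0) > best[0]:
            best = (DATA_SENSITIVITY[node], path)
        for nxt in EDGES.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return best

def prioritize(findings):
    """Rank by blast radius (reachable data) and exposure before CVSS; highest risk first."""
    ranked = []
    for f in findings:
        sensitivity, path = path_to_data(f.workload)
        # Risk amplifiers: reachable PII and internet exposure scale the base score.
        risk = f.cvss * (1 + sensitivity) * (2 if f.internet_exposed else 1)
        ranked.append((round(risk, 1), f.cve, path))
    return sorted(ranked, reverse=True)

# Constructed findings: medium CVSS with a path to PII vs. critical CVSS reaching only logs.
FINDINGS = [
    Finding("web-vm", "CVE-PLACEHOLDER-1", 6.5, True),
    Finding("batch-vm", "CVE-PLACEHOLDER-2", 9.8, False),
]
```

Running `prioritize(FINDINGS)` ranks the 6.5 finding on the exposed web VM above the 9.8 finding on the isolated batch VM, because only the former sits on a path to customer PII; the returned path is the toxic trust chain a fix should break.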
If you're looking for a more in-depth review of cloud vulnerability management and strategy, consider watching the full webinar.