Tag Archives: Automated remediation

Three Steps for Ramping Up to Fully Automated Remediation

Post Syndicated from Marla Rosner original https://blog.rapid7.com/2023/03/15/three-steps-for-ramping-up-to-fully-automated-remediation/

The number one threat to cloud security is misconfiguration of resources, and frankly, it’s not hard to understand why. The cloud is getting bigger, more tangled, and flat-out more unmanageable by the day.

In modern Amazon Web Services (AWS) environments, new resources are created continuously, often numbering in the millions across accounts, regions, and environments, and each one carries its own configuration, IAM roles, and permissions. The result of this tangle is that for one in four organizations, resolving misconfigurations manually takes at least a week, and for one in ten it takes over a month. What's a security team to do?

The answer: don’t try to resolve misconfigurations manually. At least, not entirely manually. Why do it all yourself when automation can help?

Benefits of automation include:

  • Time saved: Common issues are handled automatically, dramatically decreasing the hours teams spend addressing them.
  • Increased security and reduced risk: Remediation automation can act on a misconfiguration the moment it is detected, before anyone has a chance to exploit it.
  • Improved compliance: Proof of automated remediation results helps keep cloud environments compliant.
  • Consistency: Repeatable workflow actions ensure consistent results across your environment.

Of course, as great as all that sounds, implementing automation can’t be done overnight. We’re talking about major, pervasive change to your processes and workflows; setting that up within your organization takes time, and a good roadmap. We’re here to help you get started with an incremental crawl, walk, run approach.

1. Crawl: Use automatic notifications to find misconfigurations

Using automated notifications is the first step to implementing an automated remediation strategy. Automated notifications can alert resource owners of misconfigurations through whatever channel they prefer, and even offer recommended steps for remediation. This eliminates the need for security teams to work to identify the owner of a resource, and significantly speeds the remediation process—even when the actual fix is done manually.

Automated notifications are a great way to dip your toes in the water and start getting used to working with an automatic process, without having to make any huge changes just yet.

2. Walk: Meet security policies and standards automatically

Once you’ve gotten comfortable with automated notifications, a great next step is to implement automation for security policies and standards associated with compliance. By automating compliance in this way, you’ll still have a lot of control over the whole process, but your automation can now help resolve a much wider range of issues.

For this middle phase, you establish the standards and policies your organization wants to follow, whether those are standard frameworks or custom policies, and use automation to enforce them. This means specific, well-understood actions such as detecting that a required service (CloudTrail logging, for example) has been turned off in an account and automatically turning it back on. Keeping these actions narrow and reversible is also a huge help in maintaining good security hygiene for your organization.

3. Run: Embrace automation to address risk signals and control costs

After you've spent some time working with automated notifications and policy enforcement, and verified (by dry runs and by trialling actions in non-production accounts first) that automation isn't going to break anything in your cloud environment, you'll be ready to take the full plunge. That means using automation for a full range of tasks, including:

  • Identifying misconfigurations or noncompliant actions
  • Taking remedial action
  • Updating resource configurations, roles, and permissions
  • Cleaning up or removing unused or over-provisioned resources

Implementing a full process like this for automated remediation drastically saves time and creates efficiencies, and ensures a consistent approach to fixing issues across your cloud.
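As an added illustration of the crawl, walk, run ramp described above (example code, not Rapid7's or AWS's), the following Python gates which classes of finding an automated job may fix by phase, and carries a dry-run switch for the verification step. The rule names, owner tags, and the FakeClient are assumptions standing in for a real scanner's output and a boto3 client; the fix closures use real boto3 method names.

```python
"""Staged roll-out of automated remediation: crawl (notify only), walk
(enforce compliance policy), run (fix risk and cost findings too).

Added illustration, not Rapid7 or AWS code.  SAMPLE_FINDINGS and FakeClient
are constructed stand-ins; the rule names and owner tags are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, List

# Which finding classes each phase may fix automatically.  Anything not listed
# is still reported to its owner, never touched.
PHASE_FIXES = {
    "crawl": set(),                        # notify only
    "walk": {"policy"},                    # compliance policies and standards
    "run": {"policy", "risk", "cost"},     # plus risk signals and cost controls
}


@dataclass
class Finding:
    rule: str                       # e.g. "cloudtrail-logging-enabled"
    cls: str                        # "policy", "risk" or "cost"
    resource: str                   # resource id or ARN
    owner: str                      # resolved from tags by the scanner (assumed)
    fix: Callable[[object], None]   # remediation call against an API client


@dataclass
class Report:
    notified: List[str] = field(default_factory=list)   # messages sent to owners
    fixed: List[str] = field(default_factory=list)      # resources changed
    planned: List[str] = field(default_factory=list)    # dry run: would be fixed
    skipped: List[str] = field(default_factory=list)    # outside this phase's scope


def remediate(findings: List[Finding], client, phase: str, dry_run: bool = False) -> Report:
    """Route every finding to its owner; fix only what the phase permits.
    Promote to the next phase only after a dry run lists exactly the actions
    you expect."""
    if phase not in PHASE_FIXES:
        raise ValueError(f"unknown phase {phase!r}")
    allowed = PHASE_FIXES[phase]
    report = Report()
    for f in findings:
        # Crawl baseline: the owner hears about it in every phase.
        report.notified.append(f"{f.owner}: {f.rule} on {f.resource}")
        if f.cls not in allowed:
            report.skipped.append(f.resource)
        elif dry_run:
            report.planned.append(f.resource)
        else:
            f.fix(client)
            report.fixed.append(f.resource)
    return report


class FakeClient:
    """Records calls instead of hitting AWS.  A real deployment would pass the
    matching boto3 client (cloudtrail, s3, ec2) for each finding."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        if name.startswith("__"):
            raise AttributeError(name)

        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


# Constructed findings, one per class.
TRAIL = "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"
BUCKET = "example-data-bucket"
VOLUME = "vol-0123456789abcdef0"
SAMPLE_FINDINGS = [
    Finding("cloudtrail-logging-enabled", "policy", TRAIL, "platform-team",
            lambda c: c.start_logging(Name=TRAIL)),
    Finding("s3-public-access-blocked", "risk", BUCKET, "data-team",
            lambda c: c.put_public_access_block(
                Bucket=BUCKET,
                PublicAccessBlockConfiguration={
                    "BlockPublicAcls": True, "IgnorePublicAcls": True,
                    "BlockPublicPolicy": True, "RestrictPublicBuckets": True})),
    Finding("ebs-volume-unattached", "cost", VOLUME, "dev-team",
            lambda c: c.delete_volume(VolumeId=VOLUME)),
]

if __name__ == "__main__":
    for phase in ("crawl", "walk", "run"):
        r = remediate(SAMPLE_FINDINGS, FakeClient(), phase)
        print(phase, "fixed:", r.fixed, "skipped:", r.skipped)
```

Running the sample through the three phases shows the ramp: "crawl" notifies three owners and changes nothing, "walk" re-enables the trail and leaves the S3 and EBS findings as notifications, and "run" with dry_run=True lists all three fixes without making any API call.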

Adding new technologies and workflows to your organization can feel like a daunting task, but it doesn’t have to be. All you need is a proper plan to put it into action.

Ready to learn more about how to automate remediation for your organization? Rapid7 and AWS have teamed up for a full ebook on the subject.

Automated remediation level 3: Governance and hygiene

Post Syndicated from Aaron Wells original https://blog.rapid7.com/2021/06/28/automated-remediation-level-3-governance-and-hygiene/

Mold it, make it, just don’t fake it

At a quick glance, it seems like the title of this blog is “government hygiene.” Most likely, that wouldn’t be a particularly exciting read, but we’re hoping you might be engaged enough to gain a few takeaways from this fourth piece in our series on automating remediation and how it can benefit your team and cost center.

The best way to mold a solution that makes sense for your company and cloud security is by adding actions that cause the fewest deviations in your day-to-day operations. Of course, there are several best-practice use cases that can make sense for your organization. Let’s take a look at a few so you can decide which one(s) work(s) for you.

Environment enforcement

Sandboxes are designed to be safe spaces, so they should also be clean spaces. As software development life cycles (SDLC) accelerate and security responsibility shifts left to the developers spinning things up, it's important not only to isolate and lock down your sandbox accounts, but to put them on a recurring cleanup schedule: tag sandbox resources with an owner and an expiry date, and tear down anything past its date. Your software release cycle can double as that schedule, with sandbox cleanup run at the end of each release.

No exemptions for expensive instances

Spinning up instances that draw resources and budget away from critical applications can cost you. Sometimes they're necessary, often they're not. Whether you classify them by cost, instance family, or hardware specs, continuous monitoring is key, so that even when unnecessarily resource-intensive instances aren't stopped automatically, you still know what's costing too much time and money. AWS CloudWatch alarms, for instance, can stop, terminate, or reboot an EC2 instance when a metric such as CPU utilization crosses a threshold, and an Amazon EventBridge (formerly CloudWatch Events) schedule rule can stop and start instances at fixed intervals so that development instances aren't billed outside working hours.

Cleanliness ≠ costliness

Properly automating anything in cloud security should ultimately save the organization money. But, as we've discussed above and throughout this series, you'll want to make sure automation isn't itself creating unnecessary instances, orphaning outdated resources, or leaving old snapshots and unused databases to accumulate. There are a lot of things that add up and begin to inflate a budget. Building more efficient data pipelines and discovering which parts of the remediation process are the most labor-intensive can help identify where to focus effort and resources. In this way, you can target the areas that will need the most regular hygiene and cleanup.
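As an added example covering both the expensive-instance monitoring and the hygiene cleanup discussed in the last two sections (example code, not Rapid7's or AWS's), this Python scans EC2 inventory for off-policy instance families, unattached EBS volumes, and stale snapshots that back no AMI and belong to no surviving volume. Inputs follow the boto3 describe_instances, describe_volumes, describe_snapshots and describe_images response shapes; the SAMPLE_* data, the allowed-family list, the 90-day age limit and FakeEc2 are constructed assumptions.

```python
"""Cost and hygiene scan: oversized running instances, unattached EBS volumes
and stale snapshots that back nothing.

Added example, not from the post.  SAMPLE_* data, ALLOWED_FAMILIES and
SNAPSHOT_MAX_AGE are constructed assumptions; FakeEc2 stands in for boto3.
"""
from datetime import datetime, timedelta, timezone

ALLOWED_FAMILIES = {"t3", "t4g", "m6i", "c6i"}   # assumed policy for this account
SNAPSHOT_MAX_AGE = timedelta(days=90)


def oversized_instances(reservations, allowed=ALLOWED_FAMILIES):
    """Running instances whose family (the part before the dot) is off-policy.
    Reported, not stopped: visibility first, as the post says."""
    hits = []
    for res in reservations:
        for inst in res.get("Instances", []):
            if inst["State"]["Name"] != "running":
                continue
            family = inst["InstanceType"].split(".", 1)[0]
            if family not in allowed:
                hits.append((inst["InstanceId"], inst["InstanceType"]))
    return hits


def unattached_volumes(volumes):
    """Volumes in state 'available' are attached to nothing but still billed."""
    return [v["VolumeId"] for v in volumes if v["State"] == "available"]


def stale_orphan_snapshots(snapshots, images, volumes, now):
    """Snapshots older than SNAPSHOT_MAX_AGE whose source volume is gone and
    which back no registered AMI (deregister the AMI first if you want those
    gone too).  `now` is passed in so the scan is reproducible."""
    ami_backed = {
        bdm["Ebs"]["SnapshotId"]
        for img in images
        for bdm in img.get("BlockDeviceMappings", [])
        if "Ebs" in bdm and "SnapshotId" in bdm["Ebs"]
    }
    live_volumes = {v["VolumeId"] for v in volumes}
    return [
        s["SnapshotId"]
        for s in snapshots
        if s["SnapshotId"] not in ami_backed
        and s.get("VolumeId") not in live_volumes
        and now - s["StartTime"] >= SNAPSHOT_MAX_AGE
    ]


def apply_cleanup(ec2, volumes_to_delete, snapshots_to_delete, dry_run=True):
    """Delete what the scan flagged; with dry_run=True only the plan is returned."""
    plan = [("delete_volume", v) for v in volumes_to_delete] + \
           [("delete_snapshot", s) for s in snapshots_to_delete]
    if not dry_run:
        for action, rid in plan:
            if action == "delete_volume":
                ec2.delete_volume(VolumeId=rid)
            else:
                ec2.delete_snapshot(SnapshotId=rid)
    return plan


class FakeEc2:
    """Records delete calls instead of sending them."""
    def __init__(self):
        self.calls = []

    def delete_volume(self, VolumeId):
        self.calls.append(("delete_volume", VolumeId))

    def delete_snapshot(self, SnapshotId):
        self.calls.append(("delete_snapshot", SnapshotId))


# Constructed sample inventory.
NOW = datetime(2023, 3, 15, tzinfo=timezone.utc)


def days_ago(n):
    return NOW - timedelta(days=n)


SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0big", "InstanceType": "m5.24xlarge", "State": {"Name": "running"}},
    {"InstanceId": "i-0ok", "InstanceType": "t3.medium", "State": {"Name": "running"}},
    {"InstanceId": "i-0off", "InstanceType": "x1e.32xlarge", "State": {"Name": "stopped"}},
]}]
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0att", "State": "in-use"},
    {"VolumeId": "vol-0free", "State": "available"},
]
SAMPLE_IMAGES = [{"ImageId": "ami-0gold", "BlockDeviceMappings": [
    {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0ami"}}]}]
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0ami", "VolumeId": "vol-0gone", "StartTime": days_ago(400)},   # backs an AMI: keep
    {"SnapshotId": "snap-0old", "VolumeId": "vol-0gone", "StartTime": days_ago(120)},   # orphan and stale: delete
    {"SnapshotId": "snap-0new", "VolumeId": "vol-0gone", "StartTime": days_ago(10)},    # orphan but recent: keep
    {"SnapshotId": "snap-0live", "VolumeId": "vol-0att", "StartTime": days_ago(200)},   # volume still exists: keep
]
```

On the sample data the scan flags i-0big (m5 is not on the allowlist; the stopped x1e instance is ignored), vol-0free, and only snap-0old among the four snapshots. With a real boto3 client, paginate describe_snapshots with OwnerIds=["self"] or the scan will wander into public snapshots.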

Put a cork in the port (exposure)

Every network service listens on a port, so it's a good idea to lock down exposed ports that carry administrative protocols such as Secure Shell (SSH, TCP 22) or Remote Desktop (RDP, TCP 3389). In AWS, "exposed" means a security group or network ACL rule that allows inbound traffic to that port from 0.0.0.0/0 or ::/0. Automating this type of cleanup requires knowing, as in the section above, which ports carry legitimate traffic in the daily rhythms of your cloud security operations. If a port isn't being used in a meaningful way, or you simply don't know what its use is, remove the rule that exposes it, and move administrative access behind a bastion, a VPN, or AWS Systems Manager Session Manager rather than the open internet.
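One way to automate that cleanup for security groups, as an added example that is not from the post: walk the IpPermissions returned by boto3 describe_security_groups, find rules that admit SSH or RDP from 0.0.0.0/0 or ::/0 (including all-traffic and wide port-range rules, which a naive FromPort == 22 check misses), and revoke only the offending CIDR entries so that legitimate office or VPN ranges in the same rule survive. SAMPLE_GROUPS is constructed and FakeEc2 stands in for boto3.client("ec2").

```python
"""Find security-group ingress that opens SSH or RDP to the whole internet and
revoke just the offending CIDR entries.

Added example, not from the post.  SAMPLE_GROUPS is constructed; FakeEc2
stands in for boto3.client("ec2").
"""
ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def rule_covers_port(perm, port):
    """True if one IpPermissions entry admits TCP `port`, including the
    all-traffic (IpProtocol "-1") and wide port-range cases."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def exposed_admin_ports(groups):
    """Return (group_id, ports, permission) for each world-open rule that
    reaches SSH or RDP.  `permission` keeps only the 0.0.0.0/0 and ::/0
    entries, so revoking it leaves other ranges in the same rule alone.  AWS
    matches revocations on (protocol, from, to, cidr), so a rule wider than the
    admin port (all TCP, or all traffic) is revoked as a whole; that is the
    intent, since such a rule is wrong anyway."""
    hits = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            bad4 = [r for r in perm.get("IpRanges", []) if r["CidrIp"] in ANYWHERE]
            bad6 = [r for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] in ANYWHERE]
            if not (bad4 or bad6):
                continue
            ports = tuple(p for p in ADMIN_PORTS if rule_covers_port(perm, p))
            if not ports:
                continue
            narrowed = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
            if bad4:
                narrowed["IpRanges"] = bad4
            if bad6:
                narrowed["Ipv6Ranges"] = bad6
            hits.append((g["GroupId"], ports, narrowed))
    return hits


def revoke_exposed(groups, ec2, dry_run=True):
    """Revoke every hit, or just list them when dry_run is set."""
    actions = []
    for gid, ports, perm in exposed_admin_ports(groups):
        actions.append((gid, ports))
        if not dry_run:
            ec2.revoke_security_group_ingress(GroupId=gid, IpPermissions=[perm])
    return actions


class FakeEc2:
    """Records revoke calls instead of sending them."""
    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.calls.append((GroupId, IpPermissions))
        return {"Return": True}


# Constructed sample: a bastion group with a stray 0.0.0.0/0 entry next to an
# office range, a legacy all-traffic group, and a web group that is fine.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

if __name__ == "__main__":
    for gid, ports, _ in exposed_admin_ports(SAMPLE_GROUPS):
        print(gid, "exposes", ", ".join(ADMIN_PORTS[p] for p in ports))
```

Against the sample, sg-0aaa loses only its 0.0.0.0/0 entry (the 203.0.113.0/24 office range stays), sg-0bbb's all-traffic rule is flagged for both SSH and RDP and revoked outright, and sg-0ccc is untouched because its public rule is HTTPS and its RDP rule is internal.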

Stay vigilant while basking in benefits

Getting the most organized automation framework possible takes work, but it's considerably less work than having no framework at all. Automating good governance and hygiene practices adds time saved to the overall benefits of this work. But we must all monitor these processes and put checks in place (a dry-run mode, an audit log of every automated change, and an alert when the automation itself fails) to ensure your automation framework actually works for you and keeps saving time and effort for years to come.

With that, we’re ready for a deep-dive into the final of 4 Levels of Automated Remediation. You can also read the previous entry in this series here.  

Level 4 coming soon!

Automated remediation level 2: Best practices

Post Syndicated from Aaron Wells original https://blog.rapid7.com/2021/06/22/automated-remediation-level-2-best-practices/

A low-impact workaround

When it comes to automating remediation, the second level we'll discuss takes a bit of additional planning. The planning is there so that users see little or no disruption while the account-level fundamentals are brought under automation.

This framework aligns with the CIS Amazon Web Services Foundations Benchmark from the Center for Internet Security, which helps security organizations assess and improve their configuration by providing a set of consensus-based, vendor-neutral recommendations. Again, planning is the key to calibrating automation properly and maintaining the hygiene of your cloud security. In this second level, let's take a look at 3 housekeeping best practices that can have a tremendous impact when it comes to automating remediation.

Organize the unused

Security groups act as a sort of traffic control checkpoint. Launch tooling such as AWS Launch Wizard, and the EC2 console's own instance launch wizard (which names its groups launch-wizard-N), will automatically create security groups with inbound rules. If you're not careful, many of these groups outlive the instance they were created for. An unattached group can't be exploited on its own, but a stale, overly permissive group lying around is a misconfiguration waiting to be attached to the next workload, and it clutters every review. Think of it this way: if a security group isn't attached to anything, why leave it hanging around?

This is why it's a good idea to perform regular maintenance of these groups: list the groups attached to no network interface, and delete the ones no other group's rules reference. If launch tooling is automatically provisioning resources, the "why" of it all should be understood by all key players so that automation doesn't create chaos and continues to work for you.

Delete the defaults

You should control and calibrate the rules that best suit the organization and its workflows. As such, a tip from your friendly team at Rapid7 for good housekeeping is to delete the default rules from default security groups. In AWS, for example, if you don't specify a security group when you launch an instance, it's assigned to the VPC's default security group. A default security group ships with one inbound rule and one outbound rule.

  • The inbound default rule allows all traffic from any other instance assigned to the same default security group.
  • The outbound default rule allows all outbound traffic from any instance assigned to the same default security group.

The CIS benchmark recommends that the default group carry no rules at all, so that nothing works by accident in it. Ensuring you have maximum control and visibility over that inbound and outbound traffic is just good hygiene, and puts a check on instances that land in the default group and on any rules associated with them.

Protect AMI privacy

Ensuring the privacy status of an Amazon Machine Image (AMI) is also good hygiene. A private AMI can be launched only by the owning account, or by the specific accounts (or AWS Organizations and organizational units) you grant launch permissions to. A public AMI can be launched and copied by anyone, which exposes whatever credentials, keys, or internal configuration were baked into the image. This crucial step continues the best practice of closing your monitoring and cloud security loops to fit the needs of your organization.
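The three housekeeping checks above, as an added example rather than code from the post: list non-default security groups attached to no network interface (separating the ones another group's rule still references, which AWS refuses to delete), list every rule still present on a VPC default group, and list AMIs marked Public, then apply the matching boto3 fixes. Inputs follow the describe_security_groups, describe_network_interfaces and describe_images response shapes; the SAMPLE_* data and FakeEc2 are constructed.

```python
"""Level 2 housekeeping: unused security groups, default groups still
carrying their shipped rules, and AMIs shared publicly.

Added example, not from the post.  SAMPLE_* data is constructed; FakeEc2
stands in for boto3.client("ec2").
"""


def unused_security_groups(groups, network_interfaces):
    """Non-default groups attached to no ENI, split into (deletable, blocked):
    `blocked` groups are referenced by another group's rule, and deleting them
    fails with DependencyViolation until that rule is removed."""
    attached = {g["GroupId"] for eni in network_interfaces for g in eni.get("Groups", [])}
    referenced = set()
    for g in groups:
        for perm in g.get("IpPermissions", []) + g.get("IpPermissionsEgress", []):
            referenced.update(p["GroupId"] for p in perm.get("UserIdGroupPairs", []) if "GroupId" in p)
    deletable, blocked = [], []
    for g in groups:
        if g["GroupName"] == "default" or g["GroupId"] in attached:
            continue
        (blocked if g["GroupId"] in referenced else deletable).append(g["GroupId"])
    return sorted(deletable), sorted(blocked)


def default_group_rules(groups):
    """Every rule still present on a VPC default group, as (group_id,
    direction, permission), ready to hand back to the revoke calls."""
    out = []
    for g in groups:
        if g["GroupName"] != "default":
            continue
        out += [(g["GroupId"], "ingress", p) for p in g.get("IpPermissions", [])]
        out += [(g["GroupId"], "egress", p) for p in g.get("IpPermissionsEgress", [])]
    return out


def public_amis(images):
    """Images anyone can launch."""
    return [img["ImageId"] for img in images if img.get("Public")]


def lock_down(ec2, groups, network_interfaces, images, dry_run=True):
    """Apply the three fixes; with dry_run only the action list is returned."""
    deletable, _ = unused_security_groups(groups, network_interfaces)
    rules = default_group_rules(groups)
    amis = public_amis(images)
    actions = [("delete_security_group", gid) for gid in deletable]
    actions += [(f"revoke_{direction}", gid) for gid, direction, _ in rules]
    actions += [("make_private", ami) for ami in amis]
    if dry_run:
        return actions
    for gid in deletable:
        ec2.delete_security_group(GroupId=gid)
    for gid, direction, perm in rules:
        if direction == "ingress":
            ec2.revoke_security_group_ingress(GroupId=gid, IpPermissions=[perm])
        else:
            ec2.revoke_security_group_egress(GroupId=gid, IpPermissions=[perm])
    for ami in amis:
        # Removing the "all" launch permission is what makes an AMI private.
        ec2.modify_image_attribute(ImageId=ami, LaunchPermission={"Remove": [{"Group": "all"}]})
    return actions


class FakeEc2:
    """Records API calls by name instead of sending them."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        if name.startswith("__"):
            raise AttributeError(name)

        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


# Constructed sample inventory.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0def", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0def", "UserId": "111122223333"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0web", "GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                        "UserIdGroupPairs": [{"GroupId": "sg-0lb"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0lb", "GroupName": "old-lb", "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-0wiz", "GroupName": "launch-wizard-7", "IpPermissions": [], "IpPermissionsEgress": []},
]
SAMPLE_ENIS = [{"NetworkInterfaceId": "eni-0a", "Groups": [{"GroupId": "sg-0web", "GroupName": "web"}]}]
SAMPLE_IMAGES = [{"ImageId": "ami-0pub", "Public": True}, {"ImageId": "ami-0priv", "Public": False}]
```

On the sample, sg-0wiz is deletable, sg-0lb is unattached but blocked because the web group's rule still points at it, both shipped rules on sg-0def are queued for revocation, and ami-0pub loses its public launch permission.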

Stay in best-practice mode

If it seems like these 3 routines and rhythms are fundamentals of configuring automated remediation, that’s because they are. The thing is—and here’s another mention of the word—constant calibration is key in configuration processes. When there are so many details to lock into place, that’s when automation and its lasting benefits begin to make all the sense.  

With that, we’re ready for a deep-dive into the third of 4 Levels of Automated Remediation.  You can also read the previous entry in this series here.

Level 3: Governance and hygiene