Tag Archives: cloud security

Define a custom session duration and terminate active sessions in IAM Identity Center

Post Syndicated from Ron Cully original https://aws.amazon.com/blogs/security/define-a-custom-session-duration-and-terminate-active-sessions-in-iam-identity-center/

Managing access to accounts and applications requires a balance between delivering simple, convenient access and managing the risks associated with active user sessions. Based on your organization’s needs, you might want to make it simple for end users to sign in and to operate long enough to get their work done, without the disruptions associated with requiring re-authentication. You might also consider shortening the session to help meet your compliance or security requirements. At the same time, you might want to terminate active sessions that your users don’t need, such as sessions for former employees, sessions for which the user failed to sign out on a second device, or sessions with suspicious activity.

With AWS IAM Identity Center (successor to AWS Single Sign-On), you now have the option to configure the appropriate session duration for your organization’s needs while using new session management capabilities to look up active user sessions and revoke unwanted sessions.

In this blog post, I show you how to use these new features in IAM Identity Center. First, I walk you through how to configure the session duration for your IAM Identity Center users. Then I show you how to identify existing active sessions and terminate them.

What is IAM Identity Center?

IAM Identity Center helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications. IAM Identity Center is the recommended approach for workforce identities to access AWS resources. In IAM Identity Center, you can integrate with an external identity provider (IdP), such as Okta Universal Directory, Microsoft Azure Active Directory, or Microsoft Active Directory Domain Services, as an identity source or you can create users directly in IAM Identity Center. The service is built on the capabilities of AWS Identity and Access Management (IAM) and is offered at no additional cost.

IAM Identity Center sign-in and sessions

You can use IAM Identity Center to access applications and accounts and to get credentials for the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDK sessions. When you log in to IAM Identity Center through a browser or the AWS CLI, an AWS access portal session is created. When you federate into the console, IAM Identity Center uses the session duration setting on the permission set to control the duration of the session.

Note: The access portal session duration for IAM Identity Center differs from the IAM permission set session duration, which defines how long a user can access their account through the IAM Identity Center console.

Before the release of the new session management feature, the AWS access portal session duration was fixed at 8 hours. Now you can configure the session duration for the AWS access portal in IAM Identity Center from 15 minutes to 7 days. The access portal session duration determines how long the user can access the portal, applications, and accounts, and run CLI commands without re-authenticating. If you have an external IdP connected to IAM Identity Center, the access portal session duration will be the lesser of either the session duration that you set in your IdP or the session duration defined in IAM Identity Center. Users can access accounts and applications until the access portal session expires and initiates re-authentication.

When users access accounts or applications through IAM Identity Center, it creates an additional session that is separate but related to the AWS access portal session. AWS CLI sessions use the AWS access portal session to access roles. The duration of console sessions is defined as part of the permission set that the user accessed. When a console session starts, it continues until the duration expires or the user ends the session. IAM Identity Center-enabled application sessions re-verify the AWS access portal session approximately every 60 minutes. These sessions continue until the AWS access portal session terminates, until another application-specific condition terminates the session, or until the user terminates the session.

To summarize:

  • After a user signs in to IAM Identity Center, they can access their assigned roles and applications for a fixed period, after which they must re-authenticate.
  • If a user accesses an assigned permission set, the user has access to the corresponding role for the duration defined in the permission set (or by the user terminating the session).
  • The AWS CLI uses the AWS access portal session to access roles. The AWS CLI refreshes the IAM permission set in the background. The CLI job continues to run until the access portal session expires.
  • If users access an IAM Identity Center-enabled application, the user can retain access to an application for up to an hour after the access portal session has expired.

Note: IAM Identity Center doesn’t currently support session management capabilities for Active Directory identity sources.

For more information about session management features, see Authentication sessions in the documentation.

Configure session duration

In this section, I show you how to configure the session duration for the AWS access portal in IAM Identity Center. You can choose a session duration between 15 minutes and 7 days.

Session duration is a global setting in IAM Identity Center. After you set the session duration, the maximum session duration applies to IAM Identity Center users.

To configure session duration for the AWS access portal:

  1. Open the IAM Identity Center console.
  2. In the left navigation pane, choose Settings.
  3. On the Settings page, choose the Authentication tab.
  4. Under Authentication, next to Session settings, choose Configure.
  5. For Configure session settings, choose a maximum session duration from the list of pre-defined session durations in the dropdown. To set a custom session duration, select Custom duration, enter the length for the session in minutes, and then choose Save.
Figure 1: Set access portal session duration

Figure 1: Set access portal session duration

Congratulations! You have just modified the session duration for your users. This new duration will take effect on each user’s next sign-in.

Find and terminate AWS access portal sessions

With this new release, you can find active portal sessions for your IAM Identity Center users, and if needed, you can terminate the sessions. This can be useful in situations such as the following:

  • A user no longer works for your organization or was removed from projects that gave them access to applications or permission sets that they should no longer use.
  • If a device is lost or stolen, the user can contact you to end the session. This reduces the risk that someone will access the device and use the open session.

In these cases, you can find a user’s active sessions in the AWS access portal, select the session that you’re interested in, and terminate it. Depending on the situation, you might also want to deactivate sign-in for the user from the system before revoking the user’s session. You can deactivate sign-in for users in the IAM Identity Center console or in your third-party IdP.

If you first deactivate the user’s sign-in in your IdP, and then deactivate the user’s sign-in in IAM Identity Center, deactivation will take effect in IAM Identity Center without synchronization latency. However, if you deactivate the user in IAM Identity Center first, then it is possible that the IdP could activate the user again. By first deactivating the user’s sign-in in your IdP, you can prevent the user from signing in again when you revoke their session. This action is advisable when a user has left your organization and should no longer have access, or if you suspect a valid user’s credentials were stolen and you want to block access until you reset the user’s passwords.

Termination of the access portal session does not affect the active permission set session started from the access portal. IAM role session duration when assumed from the access portal will last as long as the duration specified in the permission set. For AWS CLI sessions, it can take up to an hour for the CLI to terminate after the access portal session is terminated.

Tip: Activate multi-factor authentication (MFA) wherever possible. MFA offers an additional layer of protection to help prevent unauthorized individuals from gaining access to systems or data.

To manage active access portal sessions in the AWS access portal:

  1. Open the IAM Identity Center console.
  2. In the left navigation pane, choose Users.
  3. On the Users page, choose the username of the user whose sessions you want to manage. This takes you to a page with the user’s information.
  4. On the user’s page, choose the Active sessions tab. The number in parentheses next to Active sessions indicates the number of current active sessions for this user.
    Figure 2: View active access portal sessions

    Figure 2: View active access portal sessions

  5. Select the sessions that you want to delete, and then choose Delete session. A dialog box appears that confirms you’re deleting active sessions for this user.
    Figure 3: Delete selected active sessions

    Figure 3: Delete selected active sessions

  6. Review the information in the dialog box, and if you want to continue, choose Delete session.

Conclusion

In this blog post, you learned how IAM Identity Center manages sessions, how to modify the session duration for the AWS access portal, and how to view, search, and terminate active access portal sessions. I also shared some tips on how to think about the appropriate session duration for your use case and related steps that you should take when terminating sessions for users who shouldn’t have permission to sign in again after their session has ended.

With this new feature, you now have more control over user session management. You can use the console to set configurable session lengths based on your organization’s security requirements and desired end-user experience, and you can also terminate sessions, enabling you to manage sessions that are no longer needed or potentially suspicious.

To learn more, see Manage IAM Identity Center integrated application sessions.

 
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

Want more AWS Security news? Follow us on Twitter.

Ron Cully

Ron is a Principal Product Manager at AWS where he has led feature and roadmap planning for workforce identity products for over 6 years. He has over 25 years of experience leading networking and directory related product delivery. Ron is passionate about delivering solutions to help make it easier for you to migrate identity-aware workloads, simplify resource and application authorization, and give people a simple sign-in and access experience in the cloud.

Palak Arora

Palak Arora

Palak is a Senior Product Manager at AWS Identity. She has over eight years of cyber security experience with specialization in Identity and Access Management (IAM) domain. She has helped various customers across different sectors to define their enterprise and customer IAM roadmap and strategy, and improve the overall technology risk landscape.

How to improve security incident investigations using Amazon Detective finding groups

Post Syndicated from Anna McAbee original https://aws.amazon.com/blogs/security/how-to-improve-security-incident-investigations-using-amazon-detective-finding-groups/

Uncovering the root cause of an Amazon GuardDuty finding can be a complex task, requiring security operations center (SOC) analysts to collect a variety of logs, correlate information across logs, and determine the full scope of affected resources.

Sometimes you need to do this type of in-depth analysis because investigating individual security findings in insolation doesn’t always capture the full impact of affected resources.

With Amazon Detective, you can analyze and visualize various logs and relationships between AWS entities to streamline your investigation. In this post, you will learn how to use a feature of Detective—finding groups—to simplify and expedite the investigation of a GuardDuty finding.

Detective uses machine learning, statistical analysis, and graph theory to generate visualizations that help you to conduct faster and more efficient security investigations. The finding groups feature reduces triage time and provides a clear view of related GuardDuty findings. With finding groups, you can investigate entities and security findings that might have been overlooked in isolation. Finding groups also map GuardDuty findings and their relevant tactics, techniques, and procedures to the MITRE ATT&CK framework. By using MITRE ATT&CK, you can better understand the event lifecycle of a finding group.

Finding groups are automatically enabled for both existing and new customers in AWS Regions that support Detective. There is no additional charge for finding groups. If you don’t currently use Detective, you can start a free 30-day trial.

Use finding groups to simplify an investigation

Because finding groups are enabled by default, you start your investigation by simply navigating to the Detective console. You will see these finding groups in two different places: the Summary and the Finding groups pages. On the Finding groups overview page, you can also use the search capability to look for collected metadata for finding groups, such as severity, title, finding group ID, observed tactics, AWS accounts, entities, finding ID, and status. The entities information can help you narrow down finding groups that are more relevant for specific workloads.

Figure 1 shows the finding groups area on the Summary page in the Amazon Detective console, which provides high-level information on some of the individual finding groups.

Figure 1: Detective console summary page

Figure 1: Detective console summary page

Figure 2 shows the Finding groups overview page, with a list of finding groups filtered by status. The finding group shown has a status of Active.

Figure 2: Detective console finding groups overview page

Figure 2: Detective console finding groups overview page

You can choose the finding group title to see details like the severity of the finding group, the status, scope time, parent or child finding groups, and the observed tactics from the MITRE ATT&CK framework. Figure 3 shows a specific finding group details page.

Figure 3: Detective console showing a specific finding group details page

Figure 3: Detective console showing a specific finding group details page

Below the finding group details, you can review the entities and associated findings for this finding group, as shown in Figure 4. From the Involved entities tab, you can pivot to the entity profile pages for more details about that entity’s behavior. From the Involved findings tab, you can select a finding to review the details pane.

Figure 4: Detective console showing involved entities of a finding group

Figure 4: Detective console showing involved entities of a finding group

In Figure 4, the search functionality on the Involved entities tab is being used to look at involved entities that are of type AWS role or EC2 instance. With such a search filter in Detective, you have more data in a single place to understand which Amazon Elastic Compute Cloud (Amazon EC2) instances and AWS Identity and Access Management (IAM) roles were involved in the GuardDuty finding and what findings were associated with each entity. You can also select these different entities to see more details. With finding groups, you no longer have to craft specific log searches or search for the AWS resources and entities that you should investigate. Detective has done this correlation for you, which reduces the triage time and provides a more comprehensive investigation.

With the release of finding groups, Detective infers relationships between findings and groups them together, providing a more convenient starting point for investigations. Detective has evolved from helping you determine which resources are related to a single entity (for example, what EC2 instances are communicating with a malicious IP), to correlating multiple related findings together and showing what MITRE tactics are aligned across those findings, helping you better understand a more advanced single security event.

Conclusion

In this blog post, we showed how you can use Detective finding groups to simplify security investigations through grouping related GuardDuty findings and AWS entities, which provides a more comprehensive view of the lifecycle of the potential security incident. Finding groups are automatically enabled for both existing and new customers in AWS Regions that support Detective. There is no additional charge for finding groups. If you don’t currently use Detective, you can start a free 30-day trial. For more information on finding groups, see Analyzing finding groups in the Amazon Detective User Guide.

If you have feedback about this post, submit comments in the Comments section below. You can also start a new thread on the Amazon Detective re:Post or contact AWS Support.

Want more AWS Security news? Follow us on Twitter.

Author

Anna McAbee

Anna is a Security Specialist Solutions Architect focused on threat detection and incident response at AWS. Before AWS, she worked as an AWS customer in financial services on both the offensive and defensive sides of security. Outside of work, Anna enjoys cheering on the Florida Gators football team, wine tasting, and traveling the world.

Author

Marshall Jones

Marshall is a Worldwide Security Specialist Solutions Architect at AWS. His background is in AWS consulting and security architecture, focused on a variety of security domains including edge, threat detection, and compliance. Today, he is focused on helping enterprise AWS customers adopt and operationalize AWS security services to increase security effectiveness and reduce risk.

Luis Pastor

Luis Pastor

Luis is a Security Specialist Solutions Architect focused on infrastructure security at AWS. Before AWS he worked with large and boutique system integrators, helping clients in an array of industries improve their security posture and reach and maintain compliance in hybrid environments. Luis enjoys keeping active, cooking and eating spicy food, specially Mexican cuisine.

Trading Convenience for Credentials

Post Syndicated from Aaron Wells original https://blog.rapid7.com/2023/01/19/trading-convenience-for-credentials/

Tap. Eat. Repeat. Regret?

Trading Convenience for Credentials

Using food or grocery delivery apps is great. It really is. Sure, there’s a fee, but when you can’t bring yourself to leave the house, it’s a nice treat to get what you want delivered. As a result, adoption of food apps has been incredibly fast and they are now a ubiquitous part of everyday culture. However, the tradeoff for that convenience is risk. In the past few years, cybercriminals have turned their gaze upon food and grocery delivery apps.

According to McKinsey, food delivery has a global market worth of over $150 billion, more than tripling since 2017. That equates to a lot of people entering usernames, passwords, and credit card numbers into these apps. That’s a lot of growth at an extremely rapid pace, and presents the age-old challenge of security trying to keep pace with that growth. Oftentimes it’s not a successful venture; specifically, credential stuffing (no relation to Thanksgiving stuffing or simply stuffing one’s face) is one of the major attacks of choice for bad actors attempting to break into user accounts or deploy other nefarious attacks inside of these apps.

Sounding the alarm

The FBI, among its many other cybercrime worries, recently raised the alert on credential stuffing attacks on customer app accounts across many industries. The usual-suspect industries—like healthcare and media—are there, but now the report includes “restaurant groups and food-delivery,” as well. This is notable due to that sector’s rapid adoption of apps, their growth in popularity among global consumers, and the previously mentioned challenges of security keeping pace with development instead of slowing it down.

The FBI report notes that, “In particular, media companies and restaurant groups are considered lucrative targets for credential stuffing attacks due to the number of customer accounts, the general demand for their services, and the relative lack of importance users place on these types of accounts.” Combine that with things like tutorial videos on hacker forums that make credential stuffing attacks relatively easy to learn, and it’s a (to continue with the food-centric puns) recipe for disaster.

Some background on credential stuffing

This OWASP cheat sheet describes credential stuffing as a situation when attackers test username/password pairs to gain access to one website or application after obtaining those credentials from the breach of another site or app. The pairs are often part of large lists of credentials sold on attacker forums and/or the dark web. Credential stuffing is typically part of a larger account takeover (ATO), targeting individual user accounts, of which there are so, so many on today’s popular delivery apps.  

To get a bit deeper into it, the FBI report goes on to detail how bad actors often opt for the proxy-less route when conducting credential stuffing attacks. This method actually requires less time and money to successfully execute, all without the use of proxies. And even when leveraging a proxy, many existing security protocols don’t regularly flag them. Add to that the recent rise in the use of bots when scaling credential stuffing attacks and the recipe for disaster becomes a dessert as well (the puns continue).  

All of these aspects contributing to the current state of vulnerability and security on grocery and food-delivery apps are worrying enough, but also creating concern is the fact that mobile apps (the primary method of interaction for food delivery services) typically permit a higher rate of login attempts for faster customer verification. In fairness, that can contribute to a better customer experience, but clearly leaves these types of services more vulnerable to attacks.

Cloud services like AWS and Google Cloud can help their clients fend off credential stuffing attacks with defenses like multifactor authentication (MFA) or a defense-in-depth approach that combines several layers of protection to prevent credential stuffing attacks. Enterprise customers can also take cloud security into their own hands—on behalf of their own customers actually using these apps—when it comes to operations in the cloud. Solutions like InsightCloudSec by Rapid7 help to further govern identity and access management (IAM) by implementing least-privilege access (LPA) for cloud workloads, services, and data.

Solutions to breed customer confidence

In addition to safeguards like MFA and LPA, the FBI report details a number of policies that food or grocery-delivery apps can leverage to make it harder for credential thieves to gain access to the app’s user-account base, such as:

  • Downloading publicly available credential lists and testing them against customer accounts to identify problems and gauge their severity.  
  • Leveraging fingerprinting to detect unusual activity, like attempts by a single address to log into several different accounts.
  • Identifying and monitoring for default user-agent strings leveraged by credential-stuffing attack tools.

Detection and response (D&R) solutions like InsightIDR from Rapid7 can also leverage the use of deception technology to lure attackers attempting to use stolen credentials. By deploying fake honey credentials onto your endpoints to deceive attackers, InsightIDR can automatically raise an alert if those credentials are used anywhere else on the network.

At the end of the day, a good meal is essential. It’s also essential to protect your organization against credential stuffing attacks. Our report, Good Passwords for Bad Bots, offers practical, actionable advice on how to reduce the risk of credential-related attacks to your organization.

Download Good Passwords for Bad Bots today.

Recap to security, identity, and compliance sessions at AWS re:Invent 2022

Post Syndicated from Katie Collins original https://aws.amazon.com/blogs/security/recap-to-security-identity-and-compliance-sessions-at-aws-reinvent-2022/

AWS re:Invent returned to Las Vegas, NV, in November 2022. The conference featured over 2,200 sessions and hands-on labs and more than 51,000 attendees over 5 days. If you weren’t able to join us in person, or just want to revisit some of the security, identity, and compliance announcements and on-demand sessions, this blog post is for you.

re:Invent 2022

Key announcements

Here are some of the security announcements that we made at AWS re:Invent 2022.

  • We announced the preview of a new service, Amazon Security Lake. Amazon Security Lake automatically centralizes security data from cloud, on-premises, and custom sources into a purpose-built data lake stored in your AWS account. Security Lake makes it simpler to analyze security data so that you can get a more complete understanding of security across your entire organization. You can also improve the protection of your workloads, applications, and data. Security Lake automatically gathers and manages your security data across accounts and AWS Regions.
  • We introduced the AWS Digital Sovereignty Pledge—our commitment to offering the most advanced set of sovereignty controls and features available in the cloud. As part of this pledge, we launched a new feature of AWS Key Management Service, External Key Store (XKS), where you can use your own encryption keys stored outside of the AWS Cloud to protect data on AWS.
  • To help you with the building blocks for zero trust, we introduced two new services:
    • AWS Verified Access provides secure access to corporate applications without a VPN. Verified Access verifies each access request in real time and only connects users to the applications that they are allowed to access, removing broad access to corporate applications and reducing the associated risks.
    • Amazon Verified Permissions is a scalable, fine-grained permissions management and authorization service for custom applications. Using the Cedar policy language, Amazon Verified Permissions centralizes fine-grained permissions for custom applications and helps developers authorize user actions in applications.
  • We announced Automated sensitive data discovery for Amazon Macie. This new capability helps you gain visibility into where your sensitive data resides on Amazon Simple Storage Service (Amazon S3) at a fraction of the cost of running a full data inspection across all your S3 buckets. Automated sensitive data discovery automates the continual discovery of sensitive data and potential data security risks across your S3 storage aggregated at the AWS Organizations level.
  • Amazon Inspector now supports AWS Lambda functions, adding continual, automated vulnerability assessments for serverless compute workloads. Amazon Inspector automatically discovers eligible AWS Lambda functions and identifies software vulnerabilities in application package dependencies used in the Lambda function code. The functions are initially assessed upon deployment to Lambda and continually monitored and reassessed, informed by updates to the function and newly published vulnerabilities. When vulnerabilities are identified, actionable security findings are generated, aggregated in Amazon Inspector, and pushed to Security Hub and Amazon EventBridge to automate workflows.
  • Amazon GuardDuty now offers threat detection for Amazon Aurora to identify potential threats to data stored in Aurora databases. Currently in preview, Amazon GuardDuty RDS Protection profiles and monitors access activity to existing and new databases in your account, and uses tailored machine learning models to detect suspicious logins to Aurora databases. When a potential threat is detected, GuardDuty generates a security finding that includes database details and contextual information on the suspicious activity. GuardDuty is integrated with Aurora for direct access to database events without requiring you to modify your databases.
  • AWS Security Hub is now integrated with AWS Control Tower, allowing you to pair Security Hub detective controls with AWS Control Tower proactive or preventive controls and manage them together using AWS Control Tower. Security Hub controls are mapped to related control objectives in the AWS Control Tower control library, providing you with a holistic view of the controls required to meet a specific control objective. This combination of over 160 detective controls from Security Hub, with the AWS Control Tower built-in automations for multi-account environments, gives you a strong baseline of governance and off-the-shelf controls to scale your business using new AWS workloads and services. This combination of controls also helps you monitor whether your multi-account AWS environment is secure and managed in accordance with best practices, such as the AWS Foundational Security Best Practices standard.
  • We launched our Cloud Audit Academy (CAA) course for Federal and DoD Workloads (FDW) on AWS. This new course is a 12-hour interactive training based on NIST SP 800-171, with mappings to NIST SP 800-53 and the Cybersecurity Maturity Model Certification (CMMC) and covers AWS services relevant to each NIST control family. This virtual instructor-led training is industry- and framework-specific for our U.S. Federal and DoD customers.
  • AWS Wickr allows businesses and public sector organizations to collaborate more securely, while retaining data to help meet requirements such as e-discovery and Freedom of Information Act (FOIA) requests. AWS Wickr is an end-to-end encrypted enterprise communications service that facilitates one-to-one chats, group messaging, voice and video calling, file sharing, screen sharing, and more.
  • We introduced the Post-Quantum Cryptography hub that aggregates resources and showcases AWS research and engineering efforts focused on providing cryptographic security for our customers, and how AWS interfaces with the global cryptographic community.

Watch on demand

Were you unable to join the event in person? See the following for on-demand sessions.

Keynotes and leadership sessions

Watch the AWS re:Invent 2022 keynote where AWS Chief Executive Officer Adam Selipsky shares best practices for managing security, compliance, identity, and privacy in the cloud. You can also replay the other AWS re:Invent 2022 keynotes.

To learn about the latest innovations in cloud security from AWS and what you can do to foster a culture of security in your business, watch AWS Chief Information Security Officer CJ Moses’s leadership session with guest Deneen DeFiore, Chief Information Security Officer at United Airlines.

Breakout sessions and new launch talks

You can watch talks and learning sessions on demand to learn about the following topics:

  • See how AWS, customers, and partners work together to raise their security posture with AWS infrastructure and services. Learn about trends in identity and access management, threat detection and incident response, network and infrastructure security, data protection and privacy, and governance, risk, and compliance.
  • Dive into our launches! Hear from security experts on recent announcements. Learn how new services and solutions can help you meet core security and compliance requirements.

Consider joining us for more in-person security learning opportunities by saving the date for AWS re:Inforce 2023, which will be held June 13-14 in Anaheim, California. We look forward to seeing you there!

If you’d like to discuss how these new announcements can help your organization improve its security posture, AWS is here to help. Contact your AWS account team today.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

Want more AWS Security news? Follow us on Twitter.

Katie Collins

Katie Collins

Katie is a Product Marketing Manager in AWS Security, where she brings her enthusiastic curiosity to deliver products that drive value for customers. Her experience also includes product management at both startups and large companies. With a love for travel, Katie is always eager to visit new places while enjoying a great cup of coffee.

Author

Himanshu Verma

Himanshu is a Worldwide Specialist for AWS Security Services. In this role, he leads the go-to-market creation and execution for AWS Security Services, field enablement, and strategic customer advisement. Prior to AWS, he held several leadership roles in Product Management, engineering and development, working on various identity, information security and data protection technologies. He obsesses brainstorming disruptive ideas, venturing outdoors, photography and trying various “hole in the wall” food and drinking establishments around the globe.

Hallmark Channel: Securing the Season

Post Syndicated from Aaron Wells original https://blog.rapid7.com/2022/12/22/hallmark-channel-securing-the-season/

How Crown Media protects its crown jewel

Hallmark Channel: Securing the Season

It’s that time of year again…chestnuts roasting on an open-fire, kids making wish-lists, and company holiday parties where you can showcase your most outlandish ugly sweater. It’s also the time of year we all get a little bit less cynical and take in a cheesy holiday movie or two. Enter Crown Media Family Networks and its holiday hitmaker, Hallmark Channel.

Hallmark Channel—and its streaming counterparts like Hallmark Movies Now—are unique in the entertainment world. The company provides year-round programming and has many fans the world over, but the end-of-the-year holiday season is when its content really pops off. Holiday-season die-hards show up for cheesily-wistful-yet-earnest films that have become a cottage industry and an annual jingle-bell juggernaut.

In 2021, Hallmark Channel finished as the number one network among “women 18 and above”, which led to $147.8 million in revenue generated from holiday programming alone. It’s safe to assume the company doesn’t want intellectual property (IP) theft cutting into those kinds of returns.

Cloud-based content delivery

Here’s a scary-sounding sentence for those wary of vulnerabilities: Hallmark Channel’s entire content library is managed in the cloud. Cloud has obvious advantages for any organization, like quick-scaling and not having to build on-prem systems from the ground up. However, it can also increase risk to intellectual property:

  • High-risk resources open to the public internet: If a particular cloud instance becomes accessible by anyone on the internet, revenue-generating IP may be compromised.
  • Increased complexity: IP can be spread across multiple clouds in multiple locations. This makes identity management critical—who has access? Why do they need access? Where are they located?
  • Delayed remediation: So the risk has been identified. But, how old is the data on which the remediation workflow is based? 6 hours? 12 hours? More? This significantly detracts from the efficiency of the remediation.

Action!

Holidays are a particularly busy time for threat actors. So, how do media companies like Hallmark Channel (or any organization) protect their intellectual property?  

  • Create a cybersecurity IP legal and strategic framework: According to the American Bar Association, film and TV studios should avoid single-event approaches to IP theft and create a framework that prioritizes strategic management of risk in the long term. Treating the risk of IP theft as systemic will yield benefits like faster mean time to detect (MTTD) and mean time to respond (MTTR).  
  • Address supply chain issues: Creating big-budget Hollywood content can involve hundreds of vendors and partnerships. Obviously, not everything can be taken in-house. Therefore it’s critical that a company like Hallmark Channel creates a process whereby each outside vendor’s IT and security is thoroughly vetted prior to engagement of services.
  • Implement a disaster recovery solution: Modern cloud playout to streaming services must continue uninterrupted, so media organizations must build redundancy into their content delivery systems. A disaster recovery solution that protects data, enables rapid restore, and offers failover capability is critical.
  • Keep clouds confidential: When the people that need to approve a cut of an in-progress TV show or film are scattered all over the world, a digital copy is uploaded onto what is essentially a public-facing cloud so they can access it, just like digital collaboration in any number of other industries. For holiday event films driving ratings and subscriber numbers however, that sort of collaboration can leave highly valuable content open to vulnerabilities and theft. Solutions like InsightCloudSec by Rapid7 can help to lock down identity and access management (IAM) protocols, as well as manage risk with real-time context across infrastructure, orchestration, workload, and data tiers.  

Making film and TV projects is a painstaking, long, and laborious process. All of the hard work by hundreds of people that goes into each project can be devalued by attackers in the blink of an eye. So to all cybersecurity professionals who are also major fans of holiday films and TV shows, let’s take up the call: Protect the IP!

You can read the previous entry in this blog series here.

Cloud Security and Compliance Best Practices: Highlights From The CSA Cloud Controls Matrix

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/12/22/cloud-security-and-compliance-best-practices-highlights-from-the-csa-cloud-controls-matrix/

Cloud Security and Compliance Best Practices: Highlights From The CSA Cloud Controls Matrix

In a recent blog post, we highlighted the release of an InsightCloudSec compliance pack, that helps organizations establish and adhere to AWS Foundational Security Best Practices. While that’s a great pack for those who have standardized on AWS and are looking for a trusted set of controls to harden their environment, we know that’s not always the case.

In fact, depending on what report you read, the percentage of organizations that have adopted multiple cloud platforms has soared and continues to rise exponentially. According to Gartner, by 2026 more than 90% of enterprises will extend their capabilities to multi-cloud environments, up from 76% in 2020.

It can be a time- and labor-intensive process to establish and enforce compliance standards across single cloud environments, but this becomes especially challenging in multi-cloud environments. First, the number of required checks and guardrails are multiplied, and second, because each platform is unique,  proper hygiene and security measures aren’t consistent across the various clouds. The general approaches and philosophies are fairly similar, but the way controls are implemented and the way policies are written can be significantly different.

For this post, we’ll dive into one of the most commonly-used cloud security standards for large, multi-cloud environments: the CSA Cloud Controls Matrix (CCM).

What is the CSA Cloud Controls Matrix?

In the unlikely event you’re unfamiliar, Cloud Security Alliance (CSA) is a non-profit organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA brings together a community of cloud security experts, industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products.

The Cloud Controls Matrix is a comprehensive cybersecurity control framework for cloud computing developed and maintained by CSA. It is widely-used as a systematic assessment of a cloud implementation and provides guidance on which security controls should be implemented within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing and is considered a de-facto standard for cloud security assurance and compliance.

Five CSA CCM Principles and Why They’re Important

The CCM consists of many controls and best practices, which means we can’t cover them all in a single blog post. That said, we’ve outlined 5 major principles that logically group the various controls and why they’re important to implement in your cloud environment. Of course, the CCM provides a comprehensive set of specific and actionable directions that, when adopted, simplify the process of adhering to these principles—and many others.

Ensure consistent and proper management of audit logs
Audit logs record the occurrence of an event along with supporting metadata about the event, including the time at which it occurred, the responsible user or service, and the impacted entity or entities. By reviewing audit logs, security teams can investigate breaches and ensure compliance with regulatory requirements. Within CCM, there are a variety of controls focused on ensuring that you’ve got a process in place to collect, retain and analyze logs as well as limiting access and the ability to edit or delete such logs to only those who need it.

Ensure consistent data encryption and proper key management
Ensuring that data is properly encrypted, both at rest and in transit, is a critical step to protect your organization and customer data from unauthorized access. There are a variety of controls within the CCM that are centered around ensuring that data encryption is used consistently and that encryption keys are maintained properly—including regular rotation of keys as applicable.

Effectively manage IAM permissions and abide by Least Privilege Access (LPA)
In modern cloud environments, every user and resource is assigned a unique identity and a set of access permissions and privileges. This can be a challenge to keep track of, especially at scale, which can result in improper access, either from internal users or external malicious actors. To combat this, the CCM provides guidance around establishing processes and mechanisms to manage, track and enforce permissions across the organization. Further, the framework suggests employing the Least Privilege Access (LPA) principle to ensure users only have access to the systems and data that they absolutely need.

Establish and follow a process for managing vulnerabilities
There are a number of controls focused on establishing, implementing and evaluating processes, procedures and technical measures for detecting and remediating vulnerabilities. The CCM has dedicated controls for application vulnerabilities, external library vulnerabilities and host-level vulnerabilities. It is important to regularly scan your cloud environments for known vulnerabilities, and evaluate the processes and methodologies you use to do so, as well.

Define a process to proactively roll back changes to a previous state of good
In traditional, on-premises environments, patching and fixing existing resources is the proper course of action when an error or security concern is discovered. Conversely, when things go awry in cloud environments, remediation steps typically involve reverting back to a previous state of good. To this end, the CCM guides organizations to proactively establish and implement a process  that allows them to easily roll back changes to a previously known good state—whether manually or via automation.

How InsightCloudSec Helps Implement and Enforce CCM

InsightCloudSec allows security teams to establish and continuously measure compliance against organizational policies, whether they’re based on common industry frameworks or customized to specific business needs. This is accomplished through the use of compliance packs.

A compliance pack within InsightCloudSec is a set of checks that can be used to continuously assess your cloud environments for compliance with a given regulatory framework or industry best practices. The platform comes out-of-the-box with 30+ compliance packs, and also offers the ability to build custom compliance packs that are completely tailored to your business’ specific needs.

Whenever a non-compliant resource is created, or when a change is made to an existing resource’s configuration or permissions, InsightCloudSec will detect it within minutes. If you so choose, you can make use of the platform’s native, no-code automation to remediate the issue—either via deletion or by adjusting the configuration and/or permissions—without any human intervention.

If you’re interested in learning more about how InsightCloudSec can help implement and enforce security and compliance standards across your organization, be sure to check out a free demo!

James Alaniz and Ryan Blanchard contributed to this article.

Cengage LTI Session Management Leakage

Post Syndicated from Tod Beardsley original https://blog.rapid7.com/2022/12/20/cengage-lti-session-management-leakage/

Cengage LTI Session Management Leakage

Prior to December 10, 2022, Cengage, an education technology provider in use in many higher education environments primarily in the United States, had two issues in the way it handled session management over its Learning Tools Integration (LTI) pipeline.

The first issue involves leaving unexpectedly long-lived sessions and accompanying login links in the end user’s browser history as well as via cached GET requests, which could be used by unauthenticated attackers to impersonate the user. This appears to be an instance of CWE-525, "Use of Web Browser Cache Containing Sensitive Information." This issue is estimated to have a CVSSv3 score of 4.5 (Medium). A fix for this issue is expected in March of 2023.

The second issue involves a failure to check the LTI launch signature from connected applications, which could allow an authenticated attacker to impersonate another user. This appears to be an instance of CWE-347, "Improper Verification of Cryptographic Signature." This issue is estimated to have a CVSSv3 score of 6.5 (Medium). Note, this issue has been fixed by the vendor.

Product Description

Cengage is an education technology provider offering digital products including eTextbooks, homework tools and online learning platforms (such as WebAssign). Cengage’s online learning platforms integrate with Learning Management Systems (LMS). For more information about Cengage’s LMS integrations, please visit the vendor’s website.

Credit

This issue was discovered by Tony Porterfield, Principal Cloud Solutions Architect at Rapid7, while observing a family member use the application as an end-user. It is being disclosed in accordance with Rapid7’s vulnerability disclosure policy.

Exploitation

For the CWE-525 issue, it was observed that the "Cengage Single Sign-On" link was usable in the browser history, even though the user had already logged out of the application:

Cengage LTI Session Management Leakage

Clicking the circled link would log the user back in, and was active for at least an hour post-logout.

For the CWE-347 issue, it was observed that the signature check on an LTI launch request to https://gateway.cengage.com/rest/launchBasicLTI responds with a hidden form post containing the LTI parameters from https://gateway.cengage.com/launchBasicLTI/smartlink/basicLTILaunch.gwy as well as a field signatureVerified that is set to false if the signature is invalid. An end user could alter this response by setting signatureVerified to true, as shown below:

Cengage LTI Session Management Leakage

Once modified, the LTI session context would then be accepted by the server as authentic.

Impact

For the CWE-525 issue involving cached credentials, an attacker wishing to impersonate an authenticated user would either need to have access to the browser session of the targeted user, or access to network proxy logs which can cache these tokens (thus, implying a privileged position either locally or on the local network). Assuming this is the case, the attacker could go on to read and alter personal information involving the student. It appears possible to similarly hijack the sessions of instructors or administrators, but this hasn’t been tested or confirmed directly.

For the CWE-347 issue involving signature verification, an authenticated attacker may be able to assume sessions belonging to other users, possibly including other students, instructors, and administrators.

Vendor Statement

Cengage is continuously implementing and refining measures aimed to protect the privacy and security of the customer information entrusted to us. We value the contributions of security researchers like you, as reviews like this help us strengthen our security posture. We use multiple tools and processes, including DAST, SAST, penetration testing and VDP to identify and address security defects in our software.

[The CWE-347 issue] was fixed on December 9, 2022. The second issue is currently in remediation, and we plan to launch a fix as soon as possible.

We continually update and regularly identify ways we can improve our products both to better the learning experience for students and instructors and to ensure information remains secure. If you have found something you would like to report, please submit at https://bugcrowd.com/cengage-vdp.

Remediation

In December of 2022, Cengage released an update to its webassign.net service to address the CWE-347 (signature verification) issue, and is developing a fix for the CWE-525 issue, which we expect to see in March of 2023. Since this is a SaaS-based/cloud-hosted solution, end users, implementers, and integrators should not need to do anything to update or patch locally to address the signature verification issue — the latest version of the LTI implementation will already be available. Beyond this fix, end users have nothing to do to ensure they’re safe from impersonation, as they’re reliant on the provider to properly verify signatures.

While the SSO issue is being developed, end users would be wise to completely sign out of the local computer when complete with whatever academic tasks they were performing, as this would prevent opportunistic attackers from using stored session tokens locally. This is generally good advice anyway, even after the CWE-525 issue is resolved.

Avoiding caching session tokens inadvertently exposed through GET requests on a web proxy is more difficult for the average user to avoid, but as long as no untrusted users have access to proxy logs, the risk from exploiting proxy-cached session tokens is remote (an attacker who does have access to web proxies used by students, instructors, and administrators tend to already have more expansive offensive options).

Disclosure Timeline

  • September, 2022: Issue discovered by Tony Porterfield
  • Mon, Sep 12, 2022: Contacted Bugcrowd, Cengage’s VDP provider, to work out a disclosure agreement
  • Mon, Sep 19, 2022: Contact attempted to alternate contacts at Cengage
  • Wed, Sep 21, 2022: Agreement reached on disclosure terms
  • Thu, Sep 22, 2022: Vulnerability details communicated to Cengage via Bugcrowd with a public disclosure goal of November 15, 2022.
  • Fri, Sep 23, 2022: Triage begun at Bugcrowd (Issue 4464ed3d-3fb6-4287-ba46-786d21bebad0)
  • Sep 23 – Oct 25, 2022: Triage and reproduction work continued
  • Oct 26, 2022: Bugcrowd verified reproduction of the report
  • Nov 1, 2022: Extended disclosure time by approximately 30 days
  • Thu, Dec 15, 2022: Vendor provided update on fix status
  • Fri, Dec 20, 2022: This public disclosure

Spoiler Alert: Your Favorite Content Might Not Be Secure

Post Syndicated from Aaron Wells original https://blog.rapid7.com/2022/12/15/spoiler-alert-your-favorite-content-isnt-secure/

Securing intellectual property in the age of consolidation

Spoiler Alert: Your Favorite Content Might Not Be Secure

Rapid7, of course, is not in the entertainment industry. However, we have worked with some clients out there in that golden land of dreams and enchantment—also known as Hollywood. Case in point: the company formerly known as Discovery, Inc. A few years back, Rapid7 helped the entertainment conglomerate transform itself into a cloud-first company. Discovery’s IT team leveraged InsightCloudSec to facilitate the company’s strategic shift.

In the time since, the company has undergone some, shall we say, changes. Now known as Warner Bros. Discovery following a merger of the two legacy media companies, there’s a new CEO at the helm who is likely feeling pressure to offset the billions of dollars in debt the company currently holds.

From an intellectual property (IP) security standpoint, there are a number of factors that could put the company in a potentially vulnerable position, as we’ve seen with other entertainment giants. In this blog, the first of a two part series, we’ll look at the macro issue of the entertainment business shifting to a streaming-first focus, and the increasingly loud alerts of cybersecurity professionals to the fact that content and IP must be better secured—especially prior to its release.

The big content-distribution shift

Direct-to-consumer services and maximum choice are at the center of the content-distribution shift of the past decade. Netflix kicked off their streaming project with little fanfare back in the early 2010s, but quickly became the gold standard for popular, on-demand content from Hollywood’s biggest studios. And nothing accelerates a seismic shift in any industry like competition. Like dominoes falling, Paramount, Universal, Disney, Warner Bros., and Apple launched their own proprietary streaming services—all in the past few years. Try to picture the digital earthquake that resulted as cloud operations at all of those companies scaled up with blazing speed, challenging their security teams to keep pace.

A few years back, Netflix was one of the first to experience an IP theft of the type we now see in the current age of streaming-service proliferation. A vendor vulnerability exploited by an attacker became a supply-chain issue that saw an entire unreleased season of the popular Netflix series Orange is the New Black dumped online before it could premiere. This was especially disconcerting due to the nature of Netflix’s binge model dictating that all episodes of a series are completely finished prior to release—in the can, as they say in Hollywood. This meant all episodes were stolen as opposed to one or two.  

That breach occurred just as the other previously mentioned streaming services were being prepped but prior to market entry, perhaps suggesting that cybersecurity naiveté on Netflix’s part could have been to blame. It seemed they simply weren’t ready for this next stage in digital theft that attackers were about to unleash upon the world.

Since then, companies have begun to realize the education and actions they must undertake—not to mention the talent they must hire—to secure not just finished TV shows and movies, but all forms of valuable IP that exist under a production company or studio’s purview: scripts, unfinished edits of completed footage, the musical score of a piece of content, and much more.

Warner Bros. Discovery IP security

We, of course, have no inside knowledge of Warner Bros. Discovery’s actual current security posture. However, from an outside perspective, there are a few factors that could potentially increase its IP security risk:  

  1. The skip-hop of Warner Bros. from one conglomerate to another: The legacy Hollywood studio was formerly owned by AT&T and then departed that relationship to merge with Discovery, Inc. As cybersecurity professionals know, a time of mergers and acquisitions (M&A) can be quite joyous for attackers and put the cloud security of organizations at severe risk. Without taking the proper steps to keep environments secure during that time of change, companies leave themselves open to massive financial, regulatory, and reputational risk.
  2. The race to make their streaming service competitive in an extremely crowded market: Warner Bros. Discovery’s streaming service is stuffed with a legacy Hollywood studio’s back catalog, original series, and all sorts of additional content. In the race to be competitive by getting as much of that content as possible up on the service, are they leaving the door more open to attackers? Everyone knows that as soon as a film goes live on any sort of digital service, it’s almost immediately pirated and disseminated globally, cutting into the profits of streaming services.
  3. The axing of high-profile projects in favor of tax write-offs: In some cases, content was complete—or nearly so—when the decision was made to cancel the release. In the high-profile case of Batgirl, the filmmakers made public their attempt to save a copy of the film from its digital storage before they were locked out and the project forever shelved.

As we can see from that last point, the moves the company is making are decisive and have little mercy for talent or content. As a recent mega-merged conglomerate, the new company has its work cut out for it in several areas. Combining the content catalogs of the two previously separate companies is most certainly the largest and most critical challenge facing the current business. Protecting those decades worth of valuable IP from attackers should be just as much of a priority as the creation of the next Batman or Harry Potter film.

Making film and TV projects is a painstaking, long, and laborious process. All of the hard work by hundreds of people that goes into each project can be devalued by attackers in the blink of an eye. Plus, there’s nothing bad actors love more than a high-profile Hollywood hack. So, to all cybersecurity professionals who are also major film and TV fans, let’s take up the call to Hollywood studios: Protect the IP!

Next week, in the second part of this blog series, we’ll look at cloud-based content delivery systems for Hallmark Channel’s holiday programming as well as actionable steps studios (and other organizations) can take to protect their valuable IP.

Can Cloud Security Be Easier Than Complex?

Post Syndicated from Aaron Wells original https://blog.rapid7.com/2022/12/01/can-cloud-security-be-easier-than-complex/

A bigger piece of the meal

Can Cloud Security Be Easier Than Complex?

For those in the United States and certain parts of the world, it’s time for end-of-year holidays. That means lots and lots of big meals to celebrate these special occasions. Each dish created becomes part of that larger meal.  

Another important event that occurs around this time each year is budget planning for next year. Cloud security is one dish in the larger meal of the company’s entire budget, and you can bet that meal will be eaten quickly. Fighting for scraps of budget at the end of the meal won’t do. It’s important to identify exactly what you need so that you can get organized and get funding that will best secure cloud operations.  

The patchwork of tools that make up an effective cloud security solution shouldn’t be too complex or become siloed. In fact, if it can come from one provider offering a suite of out-of-the box solutions that operate from one platform, that would make things even simpler. And in the process of searching out that package of solutions – ideally from that single, trusted provider – and customizing it to your needs, you’ve gone through a similar process of preparing the dish that gets added to the larger meal.    

Impossible to secure?

In the new Rapid7 eBook 13 Tips for Overcoming the Cybersecurity Talent Shortage, we detail how Gartner® says the unique nature of cloud-native applications makes them impossible to secure without a complex set of overlapping tools spanning development and production. Admittedly, this sounds pretty dire. However, there are solutions – like InsightCloudSec from Rapid7 – that incorporate multiple capabilities into one, unified platform in order to remove the previously mentioned complexity. Let’s take a look at some of those different parts that can make up your ideal solution:

  • Cloud Security Posture Management (CSPM): Detects and reports on issues ranging from cloud misconfigurations to security settings.
  • Cloud Infrastructure Entitlement Management (CIEM): Provides identity and access controls to reduce excessive permissions and streamline LPA controls across dynamic cloud environments.
  • Cloud Workload Protection Platform (CWPP): Protects the unique capabilities or workloads running in a cloud instance.  
  • Cloud-Native Application Protection Platform (CNAPP): Provides instrumental data context across CSPM and CWPP archetypes to better protect workloads.

The ultimate goal would be to secure the entire lifecycle of your cloud-native applications, regularly scanning code throughout development and runtime. This ultimately enables a holistic security process that uncovers and remediates issues quickly and can be automated according to your burgeoning best practices.

What does easier cloud security look like?

Those best practices that will surface over time will tell you exactly what easier cloud security looks like for your organization. Customizing practices specific to your operations is technically the hard part, with the easier part to follow. Once automation protocols have been implemented, those protective and reactive controls help you innovate at the speed enabled by cloud environments. But even in the hard part of cloud setup, there are vendors providing platforms for unified solutions to make it easier out of the box.

InsightCloudSec from Rapid7

InsightCloudSec helps teams secure even the most complex cloud environments by surfacing and applying context to risk signals to understand and prioritize them based on potential impact. The solution significantly reduces mean time to respond (MTTR) by utilizing real-time detections and native automation to detect and remediate misconfigurations, vulnerabilities, policy violations, and overly-permissive roles.

  • Get agentless, real-time visibility into every resource and service running across your cloud environment.
  • Simplify cloud risk assessment with rich contextual insight into every layer of your environment.
  • Enforce organizational standards without human intervention with native, no-code automation.

More efficient cloud security solutions create happier teams. And that helps you to gain savings in multiple areas like time, money, and satisfaction.

More resources

Whatever your ultimate cloud operational needs are or whatever your multi-cloud environment looks like, you can now learn more about tactics to help you make your case for more – or any – cloud security at your company. Plus, get a handy checklist to use when looking into a potential solution. Get started now with the 2022 edition of The Complete Cloud Security Buyer’s Guide from Rapid7. You can also read the previous entry in this blog series here.

Rapid7 Integration For AWS Verified Access

Post Syndicated from Aaron Sawitsky original https://blog.rapid7.com/2022/11/30/rapid7-integration-for-aws-verified-access/

Rapid7 Integration For AWS Verified Access

Today at re:invent, Amazon Web Services (AWS) unveiled its new AWS Verified Access service, and we are thrilled to announce that InsightIDR — Rapid7’s next-gen SIEM and XDR — will support log ingestion from this new service when it is made generally available.

What Is AWS Verified Access?

AWS Verified Access is a new service that allows AWS customers to simplify secure access to private applications running on AWS, without requiring the use of a VPN. Verified Access also lets customers easily implement Zero Trust policies for each application reached via the service. The data needed for these policies is provided by integrations between Verified Access and third-party solutions like IdPs and device management tools. For example:

  • Access to a low-risk application might be granted to any employee who is logged into the organization’s IdP solution
  • Access to a highly sensitive application might only be granted to employees who are logged into the organization’s IdP solution, are part of a specific team at the company, are accessing from a company-managed computer that is fully updated, and have an IP address coming from a country on an allowlist

For customers who already have IdP and device management solutions, Verified Access can integrate with many of these vendors, allowing the customer to use their existing provider to define policies while still getting the convenience of VPN-less access to their private applications through Verified Access.

Unlock a Complete Picture of Your Cloud Security with InsightIDR

Verified Access generates detailed logs for every authorization attempt. InsightIDR will be able to ingest these logs from AWS’s just-announced Amazon Security Lake. InsightIDR customers will be able to see ingress activity from Verified Access alongside ingress events from sources like AWS Identity Access Management (IAM), VPNs, productivity apps, and more — not to mention telemetry from their broader cloud and on-premises environments. Like all ingress activity logs sent to InsightIDR, logs from Verified Access will be able to be used to detect suspicious activity, as well as be brought into investigations to help establish a complete timeline and blast radius of an incident. In addition, customers will have the ability to create custom alerts off of Verified Access logs to further scrutinize and monitor access to sensitive applications.

InsightIDR’s support for Verified Access is just the latest capability to come out of our never-ending dedication to support our customers as they adopt the newest cloud technologies. To learn more about how InsightIDR helps organizations using AWS, click here.

InsightIDR Launches Integration With New AWS Security Data Lake Service

Post Syndicated from Aaron Sawitsky original https://blog.rapid7.com/2022/11/29/insightidr-launches-integration-with-new-aws-security-data-lake-service/

InsightIDR Launches Integration With New AWS Security Data Lake Service

It has been an action-packed day at AWS re:Invent. For security professionals, one of the most exciting announcements has to be the launch of Amazon Security Lake. We see a lot of potential for this new service, which is why Rapid7 is proud to announce the immediate availability of an integration between InsightIDR and Security Lake. Read on to learn more!

What Is Amazon Security Lake?

Amazon Security Lake gives AWS customers a security data lake that centralizes AWS and third-party security logs. What’s more, all data sent to Security Lake is formatted using the recently-launched OCSF standard. That means even if logs come from different services or different vendors, all logs for a given activity (e.g. all cloud activity logs, all network activity logs, etc.) will have the same format in Security Lake. This will make it easy for customers and their third-party vendors to make use of the data in Security Lake without first having to normalize data.

Another big feature in Security Lake is the granular control it offers. Customers can choose which users and third-party integrations can access which data sources and determine the duration of data that is available to each. For example, a customer might give their developers the ability to view CloudTrail data from the past five days so they can troubleshoot issues, but give InsightIDR the ability to view CloudTrail data from the past year.

InsightIDR’s Integration With Amazon Security Lake

InsightIDR’s new integration allows it to ingest log data from Security Lake. At the moment, InsightIDR will only ingest logs from AWS CloudTrail. Over time, we plan to add support for additional OCSF log types, which will allow customers to send data from multiple AWS and third-party services to InsightIDR through one Amazon Security Lake integration. This will give us the potential ability to immediately ingest and parse logs from any new third-party solution that gets introduced, as long as that solution can export its logs to Security Lake. Another customer benefit is that by consolidating the ingestion of multiple logs via Moose, onboarding and ongoing maintenance will be greatly reduced.

If you are an existing InsightIDR customer and want to take advantage of the new integration with Amazon Security Lake, instructions for setup are here.

Unifying Threat Findings to Elevate Your Runtime Cloud Security

Post Syndicated from Alon Berger original https://blog.rapid7.com/2022/11/29/unifying-threat-findings-to-elevate-your-runtime-cloud-security/

Unifying Threat Findings to Elevate Your Runtime Cloud Security

The widespread growth in cloud adoption in recent years has given businesses across all industries the ability to transform and scale in ways never before possible. However, the speed of those changes, combined with the drastically increased volume and complexity of resources in cloud environments, often forces organizations to choose between slowing the pace of their innovation or taking on massive amounts of unmanaged risk.

Cloud security teams still struggle to gather all the relevant insights such as alerts, threat findings, and notifications in a single, consolidated place, and even when they succeed, these findings are often missing much of the context needed to perform quickly and conduct proper investigations with confidence.

A Single Pane of Glass for Runtime Security Threats

To address and overcome these challenges, we’ve introduced a series of agentless cloud detection and response (CDR) capabilities, empowering our customers to utilize better observability and context for proactive and collaborative investigations.

As part of our new CDR capabilities, we first introduced a unified threat findings view that curates runtime threat detections from various customer resources and cloud service providers to allow faster intelligence analysis and detection of potential risks.

This offers frictionless workflow integrations with third-party cloud vendors, collecting cloud events, alerts, and threat intelligence feeds from associated services, such as AWS GuardDuty. The new unified view not only consolidates all runtime threat detections from various sources, but also provides richer security context by associating the findings with the affected cloud resources and their properties, all in a single place.

These seamless integrations also ensure that companies are able to leverage their CSP’s newest security tools and capabilities, as well as keeping up with the latest developments in the ever-changing world of cloud infrastructure.

In addition to consolidating third-party threat findings, we’ve also built native detection for suspicious events in customer cloud environments. These native detection capabilities, which are based on research from Rapid7 cloud security experts and detect suspicious events within 90 seconds, include identifying potential threat actor behaviors such as:

  • A user marking an existing resource as publicly accessible/exposed to the world
  • A user making a resource unencrypted at rest
  • A user removing transit encryption for a resource
  • A user removing cloud protective measures, such as password policy
  • A user adding overly permissive policies to an existing resource

Along with providing individual alerts for these detections, admin can now also filter resources to get a view of only those assets that have seen a suspicious event in the last 24 hours. This allows flexibility in how individuals and teams are able to review, investigate, and report on recent threats across their cloud environment.

Simplify Mitigation at Scale

Runtime security is key to providing visibility and detecting a variety of threats that piggyback on network resources. With Rapid7’s continuous monitoring and analysis of native and third-party threat findings, teams are able to leverage advanced automated remediation of risks in their environment, including misconfigured resources and hygiene drifts, known and unknown vulnerabilities, uncontrolled access (Secrets, tokens, credentials, etc.), and more.

Along with identifying threats, teams are now able to leverage an intelligent automated notification for third-party integrations such as SIEM, ticketing platform, or chat solutions. This significantly helps with an advanced and much faster remediation process to isolate relevant resources and prevent further suspicious activity until a thorough investigation is completed.

Take a Holistic Approach to Runtime Security in
the Cloud

Rapid7 is on a mission to help drive cloud security forward across the entire industry and community. With this new set of capabilities, including our recently launched unified threats findings view, getting visibility into risks and threats is easier and more powerful than ever. Ultimately, we aim for our customers to benefit from our current and upcoming offerings, helping them to create greater impact and to drive business forward faster and at scale.

Want to learn more? Click here.

Reducing Risk In The Cloud with Agentless Vulnerability Management

Post Syndicated from Alon Berger original https://blog.rapid7.com/2022/11/28/reducing-risk-with-agentless-cloud-vulnerability-management/

Reducing Risk In The Cloud with Agentless Vulnerability Management

In order to gain visibility into vulnerabilities in their public cloud environments, many organizations still rely on agent or network-based scanning technology that was initially built for traditional infrastructure and endpoints.

These methods often struggle to keep up with the speed of change and scale of complex, and constantly changing cloud environments, forcing infrastructure teams to constantly play catch up and avoid significant blindspots caused by unprotected workloads.

Vulnerability management in the cloud starts with continuous discovery of the container images and host workloads that may contain them and the supporting resources that control how they are launched.  The assessment step produces  long lists of vulnerabilities that can lack the necessary context to help prioritize and accurately route the issue to the correct owners for remediation.

Getting Better Visibility and Control

Rapid7’s InsightCloudSec now addresses all these challenges and provides agentless vulnerability assessment capabilities for cloud-based container workloads and hosts.  Building on InsightCloudSec’s industry leading cloud resource discovery technology, we’ve unleashed the latest generation agentless methods for assessing vulnerabilities on Containers using side-scanning and on Hosts using image snapshotting.  Combined, this fully enables security teams to quickly identify where the vulnerabilities exist across their cloud infrastructure, what resources are responsible for managing the dynamic workloads that launch them, and the tools to manage response prioritization and remediation.

InsightCloudSec’s vulnerability management  capabilities are  purpose-built for cloud-native environments and leverage Rapid7’s proven vulnerability management expertise and intelligence.  Our agentless approach  reduces the unnecessary overhead of agent management on highly ephemeral cloud resources.

Vulnerability Management with Rapid7’s InsightCloudSec

Vulnerability management with InsightCloudSec focuses on container and host-based workloads found in production environments, where the risk of exploitation is the highest. The solution leverages event-driven detection capabilities, allowing teams to maintain an up-to-the-minute inventory of all resources in production. This in turn minimizes blind spots and allows for more trustworthy reporting.

The solution automatically analyzes new container images and host instances upon deployment and provides detailed intelligence and remediation guidance for known vulnerabilities. InsightCloudSec then periodically revalidates running hosts against the newest vulnerability data to detect and protect against drift.

Our comprehensive vulnerability detection spans operating systems, installed software packages, network services, and open-source software libraries and packages typically used as dependencies in these environments, providing customers with the broadest coverage available in the market.

Agentless Container and Host Workload Assessment

With agentless Vulnerability assessment, security teams gain robust, continuous visibility into what vulnerabilities exist in their cloud environment, without having to include an agent in their container and host golden images. We discover new container images and host instances in near-real-time and immediately gather the information necessary to perform the assessment without waiting for a scheduled scan window or impacting the performance of the live workloads.  

When new container images are detected in the monitored registries, InsightCloudSec performs a side-scan on them to index the inventory of operating system and installed software packages as well as any other dependent libraries that exist on which we can detect vulnerabilities.

In the same way, once a new running host (VM) instance is detected, InsightCloudSec fetches the workload’s runtime storage layer using remote harvesting and automated snapshot triggering to gather the data required for vulnerability assessment.

By combining workloads metadata gathered from cloud provider APIs with container and host vulnerability data, we are able to provide contextualized vulnerability reports and deep visibility of where they exist in cloud environments, allowing security teams to respond to those impacting the most critical applications and cloud accounts.

Conclusion

Rapid7 and InsightCloudSec strive to help security and operation teams apply proper processes and procedures across the deployment pipeline, allowing them to quickly respond to vulnerabilities of any sort and severity.

With an accurate assessment of detected vulnerabilities and intelligent, automated routing for faster remediation, our solution empowers teams to have a robust and continuous visibility into vulnerabilities that exist in their cloud environments.

Want to learn more? Click here.

2022 Canadian Centre for Cyber Security Assessment Summary report available with 12 additional services

Post Syndicated from Naranjan Goklani original https://aws.amazon.com/blogs/security/2022-canadian-centre-for-cyber-security-assessment-summary-report-available-with-12-additional-services/

We are pleased to announce the availability of the 2022 Canadian Centre for Cyber Security (CCCS) assessment summary report for Amazon Web Services (AWS). This assessment will bring the total to 132 AWS services and features assessed in the Canada (Central) AWS Region, including 12 additional AWS services. A copy of the summary assessment report is available for review and download on demand through AWS Artifact.

The full list of services in scope for the CCCS assessment is available on the AWS Services in Scope page. The 12 new services are:

The CCCS is Canada’s authoritative source of cyber security expert guidance for the Canadian government, industry, and the general public. Public and commercial sector organizations across Canada rely on CCCS’s rigorous Cloud Service Provider (CSP) IT Security (ITS) assessment in their decisions to use cloud services. In addition, CCCS’s ITS assessment process is a mandatory requirement for AWS to provide cloud services to Canadian federal government departments and agencies.

The CCCS Cloud Service Provider Information Technology Security Assessment Process determines if the Government of Canada (GC) ITS requirements for the CCCS Medium cloud security profile (previously referred to as GC’s Protected B/Medium Integrity/Medium Availability [PBMM] profile) are met as described in ITSG-33 (IT security risk management: A lifecycle approach). As of November 2022, 132 AWS services in the Canada (Central) Region have been assessed by the CCCS and meet the requirements for the CCCS Medium cloud security profile. Meeting the CCCS Medium cloud security profile is required to host workloads that are classified up to and including the medium categorization. On a periodic basis, CCCS assesses new or previously unassessed services and reassesses the AWS services that were previously assessed to verify that they continue to meet the GC’s requirements. CCCS prioritizes the assessment of new AWS services based on their availability in Canada, and on customer demand for the AWS services. The full list of AWS services that have been assessed by CCCS is available on our Services in Scope for CCCS Assessment page.

To learn more about the CCCS assessment or our other compliance and security programs, visit AWS Compliance Programs. As always, we value your feedback and questions; you can reach out to the AWS Compliance team through the Contact Us page.

If you have feedback about this post, submit comments in the Comments section below. Want more AWS Security news? Follow us on Twitter.

Naranjan Goklani

Naranjan Goklani

Naranjan is a Security Audit Manager at AWS, based in Toronto (Canada). He leads audits, attestations, certifications, and assessments across North America and Europe. Naranjan has more than 13 years of experience in risk management, security assurance, and performing technology audits. Naranjan previously worked in one of the Big 4 accounting firms and supported clients from the financial services, technology, retail, ecommerce, and utilities industries.

Aligning to AWS Foundational Security Best Practices With InsightCloudSec

Post Syndicated from Ryan Blanchard original https://blog.rapid7.com/2022/11/22/aligning-to-aws-foundational-security-best-practices-with-insightcloudsec/

Aligning to AWS Foundational Security Best Practices With InsightCloudSec

Written by Ryan Blanchard and James Alaniz

When an organization is moving their IT infrastructure to the cloud or expanding with net-new investment, one of the hardest tasks for the security team is to identify and establish the proper security policies and controls to keep their cloud environments secure and the applications and sensitive data they host safe.

This can be a challenge, particularly when teams lack the relevant experience and expertise to define such controls themselves, often looking to peers and the cloud service providers themselves for guidance. The good news for folks in this position is that the cloud providers have answered the call by providing curated sets of security controls, including recommended resource configurations and access policies to provide some clarity. In the case of AWS, this takes the form of the AWS Foundational Security Best Practices.

What are AWS Foundational Security Best Practices?

The AWS Foundational Security Best Practices standard is a set of controls intended as a framework for security teams to establish effective cloud security standards for their organization. This standard provides actionable and prescriptive guidance on how to improve and maintain your organization’s security posture, with controls spanning a wide variety of AWS services.

If you’re an organization that is just getting going in the cloud and has landed on AWS as your platform of choice, this standard is undoubtedly a really good place to start.

Enforcing AWS Foundational Security Best Practices can be a challenge

So, you’ve now been armed with a foundational guide to establishing a strong security posture for your cloud. Simple, right? Well, it’s important to be aware before you get going that actually implementing and operationalizing these best practices can be easier said than done. This is especially true if you’re working with a large, enterprise-scale environment.

One of the things that make it challenging to manage compliance with these best practices (or any compliance framework, for that matter) is the fact that the cloud is increasingly distributed, both from a physical perspective and in terms of adoption, access, and usage. This makes it hard to track and manage access permissions across your various business units, and also makes it difficult to understand how individual teams and users are doing in complying with organizational policies and standards.

Further complicating the matter is the reality that not all of these best practices are necessarily right for your business. There could be any number of reasons that your entire cloud environment, or even specific resources, workloads, or accounts, should be exempt from certain policies — or even subject to additional controls that aren’t captured in the AWS Foundational Security Best Practices, often for regulatory purposes.

This means you’ll want a security solution that has the ability to not just slice, dice, and report on compliance at the organization and account levels, but also lets you customize the policy sets based on what makes sense for you and your business needs. If not, you’re going to be at risk of constantly dealing with false positives and spending time working through which compliance issues need your teams’ attention.

Highlights from the AWS Foundational Security Best Practices Compliance Pack

There are hundreds of controls in the AWS Foundational Security Best Practices, and each of them have been included for good reason. In this interest of time this post won’t detail all of them, but will instead present a few highlights of controls to address issues that unfortunately pop up far too often.

KMS.3 — AWS KMS Keys should not be unintentionally deleted

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the cryptographic keys used to encrypt and protect your data. It’s possible for keys to be inadvertently deleted. This can be problematic, because once keys are deleted they can never be recovered, and the data encrypted under that key is also permanently unrecoverable. When a KMS key is scheduled for deletion, a mandatory waiting period is enforced to allow time to correct an error or reverse the decision to delete. To help avoid unintentional deletion of KMS keys, the scheduled deletion can be canceled at any point during the waiting period and the KMS key will not be deleted.

Related InsightCloudSec Check: “Encryption Key with Pending Deletion”

[S3.1] — S3 Block Public Access setting should be enabled

As you’d expect, this check focuses on identifying S3 buckets that are available to the public internet. One of the first things you’ll want to be sure of is that you’re not leaving your sensitive data open to anyone with internet access. You might be surprised how often this happens.

Related InsightCloudSec Check: “Storage Container Exposed to the Public”

CloudFront.1 — CloudFront distributions should have origin access identity enabled

While you typically access content from CloudFront by requesting the specific object — or objects — you’re looking for, it is possible for someone to request the root URL instead. To avoid this, AWS allows you to configure CloudFront to return a “default root object” when a request for the root URL is made. This is critical, because failing to define a default root object passes requests to your origin server. If you are using an S3 bucket as your origin, the user would gain access to a complete list of the contents of your bucket.

Related InsightCloudSec Check: “Content Delivery Network Without Default Root Object”

Lambda.1 — Lambda function policies should prohibit public access

Like in the control highlighted earlier about publicly accessible S3 buckets, it’s also possible for Lambda to be configured in such a way that enables public users to access or invoke them. You’ll want to keep an eye out and make sure you’re not inadvertently giving people outside of your organization access and control of your functions.

Related InsightCloudSec Check: “Serverless Function Exposed to the Public”

CodeBuild.5 — CodeBuild project environments should not have privileged mode enabled

Docker containers prohibit access to any devices by default unless they have privileged mode enabled, which grants a build project’s Docker container access to all devices and the ability to manage objects such as images, containers, networks, and volumes. Unless the build project is used to build Docker images, to avoid unintended access or deletion of critical resources, this should never be used.

Related InsightCloudSec Check: “Build Project With Privileged Mode Enabled”

Continuously enforce AWS Foundational Security Best Practices with InsightCloudSec

InsightCloudSec allows security teams to establish and continuously measure compliance against organizational policies, whether they’re based on service provider best practices like those provided by AWS or tailored to specific business needs. This is accomplished through the use of compliance packs. A compliance pack within InsightCloudSec is a set of checks that can be used to continuously assess your cloud environments for compliance with a given regulatory framework or industry or provider best practices. The platform comes out of the box with 30+ compliance packs, including a dedicated pack for the AWS Foundational Security Best Practices.

InsightCloudSec continuously assesses your entire AWS environment for compliance with AWS’s recommendations, and detects non-compliant resources within minutes after they are created or an unapproved change is made. If you so choose, you can make use of the platform’s native, no-code automation to remediate the issue — either via deletion or by adjusting the configuration or permissions — without any human intervention.

If you’re interested in learning more about how InsightCloudSec helps continuously and automatically enforce cloud security standards, be sure to check out our bi-weekly demo series that goes live every other Wednesday at 1pm EST!

Better Cloud Security Shouldn’t Require Bigger Budgets

Post Syndicated from Aaron Wells original https://blog.rapid7.com/2022/11/17/better-cloud-security-shouldnt-require-bigger-budgets/

Stretching what you’re given

Better Cloud Security Shouldn’t Require Bigger Budgets

How can you do more when you’re constantly being given the same or less? When security budgets don’t match the pace of the cloud operations they’re tasked with securing, the only thing to do is become an expert in the stretch. It’s hard, and you might currently be under increasing stress to pull it all off.

While total overall budgets will indeed decrease, Gartner recently forecast that spending on cybersecurity and risk management would increase by 11.3% in 2023, driven in large part by a shift to cloud platforms. And what was a big factor in the increase in cloud adoption? You guessed it: the switch to remote or hybrid work models during the height of pandemic mitigation measures. These days you might have more to back up your argument for an increase in funding.

In the 2020 scramble to keep people safe by urging them to both stay home and stay employed, workforces quickly became virtual, more distributed, and incredibly reliant on cloud platforms to enable connectivity to each other. Businesses that might have dipped their toes in pre-pandemic are now taking the full cloud plunge post-pandemic.

The promise of the cloud is an interesting point to discuss. It can be cheaper to scale into the cloud, but depending on how it’s done and in what industry, it might actually require a bigger piece of the budget. But it can still be empowering and flexible. In other words, budgets will most likely keep increasing for cloud adoption. With all that said, if you’re still having trouble acquiring more budget for security, what should you do?

Finding the right fit

We’re not talking about a doomsday scenario where you’ll never see another increase in your budget. Cybersecurity and cloud security are top-of-mind topics for companies and nations around the world. However, solutions have evolved to address security organizations’ budgetary concerns. And there are reputable providers who have created offerings that can do more without asking more of your budget. This more-with-less scenario has the potential to satisfy across the board by helping you to:

  • Focus on use cases – What kind of cloud security do you need? Needlessly spending money on solutions you don’t need is tantamount to criminal behavior in the current global economic crisis. Make sure you know exactly what you need to protect, how far your perimeters extend, and the general types of available security (CSPM, CWPP, etc.). InsightCloudSec from Rapid7 is a unified platform that incorporates multiple use cases and types of cloud security.  
  • Extrapolate potential costs and prove security’s worth – Once you know what you need and the type(s) of solutions that can address it, it’s a good idea to partner with whomever controls your security budgets. Because it’s less about the costs or subscription fees you see today and more about extrapolating cost savings as cloud environments, data transfer, storage, and other aspects of that adoption grow. Then you’ll know how much or little you’ll need to engage in budget-stretching heroics.
  • Pinpoint under-one-umbrella solutions – Do you want to deal with one vendor or multiple? In the latter scenario, keep in mind the multiple support teams you’ll juggle as well as the different platforms on which those solutions will operate. There is no one-size-fits-all solution, but there are vendors that can provide a suite of broad-range capabilities so you have one point of contact and can better operationalize your cloud security.

About that whole “proving security’s worth” thing…

In this day and age, you really shouldn’t have to prove your organization’s worth. But you most likely feel that way every time you have to fight for a bigger piece of the budgetary pie. Sure, you can engage in stretching heroics, but should you have to engage in those heroics day in and day out, for years on end? Hopefully not now, when ransomware is still all the rage and nation-state-sponsored attacks are becoming more legitimate business in many parts of the world.  

Timing is everything, however, and now – at the end of the year – would be the time to pull off some of those heroics and make your case for more budget. This will enable your exploration into a solution that can do more for less. InsightCloudSec from Rapid7 is a cloud risk and compliance management platform that enables organizations to securely accelerate cloud adoption with continuous security and compliance throughout the entire software development lifecycle (SDLC).

It provides a comprehensive solution to manage and mitigate risk across even the most complex cloud environments. The platform detects risk signals in real-time and in complete context, allowing your teams to focus on the issues that present the most risk to your business based on potential impact and likelihood of exploitation.

And speaking of making things easier

Whatever your ultimate cloud security needs are, you can now learn more about tactics to help you make your case for more – or any – cloud security at your company. Plus, get a handy checklist to use when looking into a potential solution. Get started now with the 2022 edition of The Complete Cloud Security Buyer’s Guide from Rapid7. You can also read the previous entry in this blog series here.

Rapid7 and HashiCorp Partner to Secure Terraform-based Cloud Infrastructure Deployments

Post Syndicated from Clint Merrill original https://blog.rapid7.com/2022/11/17/rapid7-and-hashicorp-partner-to-secure-terraform-based-cloud-infrastructure-deployments/

Rapid7 and HashiCorp Partner to Secure Terraform-based Cloud Infrastructure Deployments

Welcome to the latest installment in our cloud security “shift-left” blog series. In our last post, we covered the importance of integrating cloud infrastructure security assessments into DevOps tools and enabling Infrastructure as Code (IaC) developers. This time, we’re focusing on Rapid7’s recent partnership with Hashicorp, ongoing support for scanning Terraform plans with our IaC security feature, and the recently released integration with Terraform Cloud & Enterprise run tasks.

HashiCorp Terraform and InsightCloudSec are a powerful combination

Rapid7 and HashiCorp Partner to Secure Terraform-based Cloud Infrastructure Deployments

There are countless reasons to adopt cloud infrastructure: hosting applications, compute workloads, data storage, virtual networking, governing identity and access control, and many other use-cases. We are spoiled for choice with the vast array of cloud resources and services designed to perform specific tasks, but each one requires specialized knowledge to configure it securely and interact with other resources. Additionally, resilient cloud applications typically leverage best-in-class features from multiple cloud service providers (CSPs) who compete with innovation, unique features and cost optimization. The more distributed your cloud resources are across providers, the more powerful it is to define them via IaC with a tool that can deploy to any provider.

HashiCorp Terraform is a widely-used open-source IaC tool, especially for supporting multi-cloud deployments. InsightCloudSec has the ability to scan Terraform plans destined for accounts in AWS, Azure or GCP. Rapid7 supports the key resource types for each of the three major cloud providers, and we are constantly expanding our coverage based on usage trends or as needed by our customers.

A major benefit of using InsightCloudSec for IaC security and compliance scans is that you can use the same Insight Compliance Pack for assessing runtime environments and IaC, rather than correlating policy definitions across different tools. This reduces the overhead of maintaining multiple policies and the associated rules across different tools and languages which can easily drift apart. We call this “One Policy”.

Terraform allows users to develop immutable cloud resource definitions as code in a common language for deployment to multiple cloud providers. When paired with InsightCloudSec, resource definitions can be assessed with a single set of security policies applied to both development and runtime environments—creating an optimized experience that delivers efficiency and convenience. To further power this union, Rapid7 has partnered with HashiCorp to develop a formal integration between Terraform Cloud and InsightCloudSec (ICS).

New integrations with HashiCorp Terraform Cloud and Terraform Enterprise run tasks

IaC developers create Terraform configurations using HashiCorp configuration language (HCL) and commit them to a source code repository such as Git. The Terraform configuration and the current infrastructure state are evaluated to generate a deployment plan—a preview of changes that will be made in the destination cloud account(s). By linking HCL configurations to collections of resources defined as workspaces in Terraform Cloud, deployment plans are generated and await approval to apply them. At this point, run tasks are used to invoke analysis of the plan, including security and compliance checks in external tools to inform or gate the approval step. This process can be managed through workflows on one of many supported CI/CD platforms; however, HashiCorp developed Terraform Cloud and Enterprise to govern, optimize and secure the process.

DevOps teams using Terraform Cloud to govern cloud infrastructure deployments can securely and reliably trigger a security and compliance assessment of a Terraform plan in ICS using a run task. We’ve worked with the team at HashiCorp to streamline the process of linking a run task to an IaC Configuration in ICS which defines the security policy (Insight Compliance Pack) that will be used to assess the Terraform plan.

Rapid7 and HashiCorp Partner to Secure Terraform-based Cloud Infrastructure Deployments

This investment is the latest step in our strategy at Rapid7 to directly support DevOps teams to apply IaC security using the tool of their choice. Terraform Cloud was at the top of our list for a formal integration given its prevalent use in the cloud infrastructure and application development community.

Ready to get started?

Configuring the new integrations with Terraform is a straightforward process, but let’s walk through it at a high level. Assuming you’ve configured your Terraform Cloud or Enterprise environment with workspaces to generate plans, we’ll show you how to link a Run Task to an IaC Configuration in ICS. Detailed instructions are available in the ICS Product Documentation.

Visit the Infrastructure as Code landing page and select the Configurations tab at the top. Any existing Configuration defined to support scanning Terraform plans can be linked to a run task.  Click the Action menu and select the “TFC/E Run Task Integrations” option.

Rapid7 and HashiCorp Partner to Secure Terraform-based Cloud Infrastructure Deployments

From there, you’ll generate an unique Endpoint URL and HMAC key used during the creation of the run task in Terraform Cloud to securely bind the two systems.

Rapid7 and HashiCorp Partner to Secure Terraform-based Cloud Infrastructure Deployments

Next, switch to the Terraform Cloud / Enterprise organization settings interface and create a run task. Copy/paste the Endpoint URL and HMAC key provided to you in ICS.

Rapid7 and HashiCorp Partner to Secure Terraform-based Cloud Infrastructure Deployments

After the run task is successfully created, you will need to associate it with a workspace before generating a plan and triggering it to test the end-to-end process.

During the run task execution, you’ll notice active communication between the two systems monitoring the state of the scan job in ICS and reporting back a final state as Passed, Failed, or Error (indicating the scan job didn’t successfully complete).

We’ve made this integration process simple and accessible to DevOps teams via ICS and Terraform Cloud without any custom API integration required. You can ensure IaC security and compliance scans in ICS are routinely applied to the approval step before Terraform plans are applied to a destination cloud environment.

Our DevOps-focused cloud security investment continues

Rapid7’s InsightCloudSec is proud to partner with HashiCorp to help fulfill the joint mission of making cloud infrastructure and application development and maintenance low cost, code-driven, repeatable, scalable and secure.

For more information , please visit HashiCorp’s partnership page.

Our next blog in the “shift-left” series will include an announcement and overview of a significant upgrade we’re making to our IaC scanning engine and the underlying technology we use to identify issues, pinpoint the location of the problem in code, and provide ‘Actionable Results’ to assist developers with remediation.

Cloud Security: Buyer Be Critical

Post Syndicated from Aaron Wells original https://blog.rapid7.com/2022/11/10/cloud-security-buyer-be-critical/

Tailoring solutions to challenges

Cloud Security: Buyer Be Critical

It takes a toolbox with different, well, tools to secure an ever-expanding operational perimeter in the cloud. Think about what’s under the general daily purview of cloud security teams: preventing misconfigurations, taming threats and vulnerabilities, and so much more. Now, apply that to different high-risk industries around the globe that must build and tailor cloud security solutions to their unique challenges. For instance:

  • Financial Services: It can be difficult trying to leverage the benefits of digital transformation while attempting to modernize decades of tradition in an old-school industry. Mobile banking/financial services, for instance, has been the one of the largest industry shifts over the past decade and has accelerated cloud adoption in the sector. Thus, security must keep pace with the service’s rapid growth. The desire to operationalize on-premises and cloud practices is typically strong in this industry, but must also take into account client trust in a financial-services partner to protect that client’s bottom line.    
  • Healthcare: With the growing normalization of telehealth services across the spectrum of medical providers, it’s more critical than ever to secure patient health information (PHI) while adhering to regulatory standards like HIPAA. The need for speed and innovation in medicine is critical, so scaling communication and technology operations into the cloud can be incredibly beneficial. However, providers are also continually challenged with securing PHI within new technologies at speed and scale without slowing innovation.    
  • Automotive: With the modernization of engines, software, and connectivity, the need for passenger safety is more important than ever. As more automobile controls are conveniently accessible through cloud-based controls, cyberattacks have correspondingly increased. Ensuring security checks are implemented in the production and design of a new vehicle while also pushing software updates throughout the ownership lifecycle of that vehicle is critical to manufacturer integrity and passenger safety.

Expansive perimeters

Within and throughout these different use cases and industries are specific budgetary constraints that have prompted organizations to scale cloud operations at unprecedented speeds – no doubt accelerated in large part by the pandemic as it was in its early stages a couple of years ago. Do companies want to go back to not saving money? Certainly not. That means attackers are as ready as they’ll ever be to try and break expanding cloud perimeters.

With your company’s reputation at risk, it’s more critical than ever that security keeps pace with those expanding perimeters, particularly at a time of global financial crisis for many companies as they emerge from the pandemic. Whether a company is looking for a partner to alleviate financial strain in a potential merger situation or seeking an outright buyer, the security of the merged or acquired company’s cloud-hosted operations – particularly vulnerable to attackers during a time of change – is paramount.

High-profile recent examples of the above include Discovery, Inc.’s purchase of WarnerMedia, Elon Musk’s acquisition of Twitter, and Microsoft’s acquisition of Activision Blizzard. These are tectonic shifts for all companies involved, of a sort that can leave cloud security extremely vulnerable at certain points in the process. And the higher-profile the company, the more attractive it can be to an attacker.

Evaluating solutions at speed and scale

So, you’re seeking a strongly effective solution. But, the cloud security vendor space can be confusing. One provider defines cloud security a certain way and another defines it a separate way, and their offerings differ accordingly. Between CASB, SaaS Security, CSPM, and CWPP solutions, there’s a lot to learn. Are any of these right for your cloud operations? There is no one-size-fits-all solution, but you may find a suite of tools that can best work for your specific use case(s).

There are any number of cloud security guides, whitepapers, research, and more that can help you evaluate solutions available from reputable providers. The latest edition of The Complete Cloud Security Buyer’s Guide is a timely and discerning dive into different types of cloud security and the use cases to which they align. Get help with the process of evaluating vendors, while taking into account the need for speed in deploying effective security that protects ever-expanding operational perimeters in the cloud.

Explore how to make the best case for more – or any – cloud security at your company, plus get a handy checklist to use when looking into a potential solution. Get started now with the 2022 edition of The Complete Cloud Security Buyer’s Guide from Rapid7.

Common questions when evolving your VM program

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/11/02/common-questions-when-evolving-your-vm-program/

Common questions when evolving your VM program

Authored by Natalie Hurd

Perhaps your organization is in the beginning stages of planning a digital transformation, and it’s time to start considering how the security team will adapt. Or maybe your digital transformation is well underway, and the security team is struggling to keep up with the pace of change. Either way, you’ve likely realized that the approach you’ve used with traditional infrastructure will need to evolve as you think about managing risk in your modern ecosystem. After all, a cloud instance running Kubernetes clusters to support application development is quite different from an on-premise Exchange server!

A recent webinar led by two of Rapid7’s leaders, Peter Scott (VP, Product Marketing) and Cindy Stanton (SVP, Product and Customer Marketing), explored the specific challenges of managing the evolution of risk across traditional and cloud environments. The challenges may be plentiful, but the strategies for success are just as numerous!

Over the course of several years, Rapid7 has helped many customers evolve their security programs in order to keep pace with the evolution of technology, and Peter and Cindy have noticed some themes of what tends to make these organizations successful. They advise working with your team & other stakeholders to find answers to the following questions:

  • What sorts of resources does your organization run in the cloud, and who owns them?
  • What does “good” look like when securing your cloud assets, and how will you measure success?
  • Which standards and frameworks is your company subject to, compliance or otherwise?

Gathering answers to these questions as early as possible will not only aid in the efficacy of your security program, it will also help to establish strong relationships & understanding amongst key stakeholders.

Establishing Ownership



Common questions when evolving your VM program

Proactively identifying teams and individuals that own the assets in your environment will go a long way towards ensuring speed of resolution when risk is present. Peter strongly suggests working with your organization’s Product or Project Development teams to figure out who owns what and get it documented. This way, when you see a misconfiguration, vulnerability or threat that needs to be dealt with, you know exactly who to talk to to get it resolved, saving important time.

The owners that you identify will not only have a hand to play in fixing problems, they can help make the necessary changes to “shift left” and prevent problems in the first place. The sooner you can identify these stakeholders and build relationships with them, the more successful you’ll be in the long run.

Defining “Good” and Tracking Achievement



Common questions when evolving your VM program

Since we’ve established that securing traditional environments is not the same as securing modern environments, we can also agree that the definition of success may not be the same either! After you’ve established ownership, Cindy notes that it’s also important to define what “good” looks like, and how you plan to measure & report on it. Once you’ve created a definition of “good” within your immediate team, it’s also important to socialize that with stakeholders across your organization and track progress towards achieving that state. Tracking & sharing progress is valuable whether your organization meets, exceeds or falls short of your goals; celebrating the wins is just as important as seeking to understand the losses!

Aligning to Standards and Frameworks



Common questions when evolving your VM program

Every industry comes with its own set of compliance and regulatory standards that must be adhered to, and it’s important to understand how security fits in. Your team can use these frameworks as a North Star of sorts when considering how to secure your environment, and the cloud aspects of your environment are no exception. Ben Austin, the moderator of the webinar, provides some perspective on the utility of compliance as a method for demonstrating progress in risk reduction. If your assets are more compliant today than they were 3 months ago, that’s a win for every stakeholder involved. If assets are getting less compliant, then you can work with your already-identified asset owners to make a plan to turn the ship around, and contextualize the importance of remaining compliant with them.

Check out our two previous blogs in the series to learn more about Addressing the Evolving Attack Surface and Adapting your VM Program to Regain Control, and watch the full webinar replay any time!

Adapting existing VM programs to regain control

Post Syndicated from Ryan Blanchard original https://blog.rapid7.com/2022/10/24/adapting-existing-vm-programs-to-regain-control/

Adapting existing VM programs to regain control

Stop me if you’ve heard this before. The scale, speed and complexity of cloud environments — particularly when you introduce containers and microservices — has made the lives of security professionals immensely harder. While it may seem trite, the reason we keep hearing this refrain is because, unfortunately, it’s true. In case you missed it, we discussed how cloud adoption creates a rapidly expanding attack surface in our last post.

One could argue that no subgroup of security professionals is feeling this pain more than the VM team. From elevated expectations, processes, and tooling to pressured budgets, the scale and complexity has made identifying and addressing vulnerabilities in cloud applications and the infrastructure that supports them a seemingly impossible task. During a recent webinar, Rapid7’s Cindy Stanton (SVP, Product and Customer Marketing) and Peter Scott (VP, Product Marketing) dove into this very subject.

Cindy starts off this section by unpacking why modern cloud environments require a fundamentally different approach to implementing and executing a vulnerability management program. The highly ephemeral nature of cloud resources with upwards of 20% of your infrastructure being spun down and replaced on a daily basis makes maintaining continuous and real-time visibility non-negotiable. Teams are also being tasked with managing exponentially larger environments, often consisting of 10s of thousands of instances at any given moment.



Adapting existing VM programs to regain control

To make matters worse, it doesn’t stop at the technical hurdles. Cindy breaks down how ownership of resources and responsibilities related to addressing vulnerabilities once they’re identified has shifted. With traditional approaches it was typical to have a centralized group (typically IT) that owned and was ultimately responsible for the integrity of all resources. Today, the self-serve and democratized nature of cloud environments has created a dynamic in which it can be extremely difficult to track and identify who owns what resource or workload and who is ultimately responsible to remediate an issue when one arises.



Adapting existing VM programs to regain control

Cindy goes on to outline how drastically remediation processes need to shift when dealing with immutable infrastructure (i.e. containers) and how that also requires a shift in mindset. Instead of playing a game of whack-a-mole in production workloads trying to address vulnerabilities, the use of containers introduces a fundamentally new approach centered around making patches and updates to base images — often referred to as golden images — and then building new workloads from scratch based off of the hardened image rather than updating and retaining the existing workload. As Cindy so eloquently puts it, “the ‘what’ I have to do is relatively unchanged, but the ‘how’ really has to shift to adjust to this different environment.”



Adapting existing VM programs to regain control

Peter follows up Cindy’s assessment of how cloud impacts and forces a fundamentally different approach to VM programs by providing some recommendations and best practices to adapt your program to this new paradigm as well as how to operationalize cloud vulnerability management across your organization. We’ll cover these best practices in our next blog in this series, including shifting your VM program left to catch vulnerabilities earlier on in the development process. We will also discuss enforcing proper tagging strategies and the use of automation to eliminate repetitive tasks and accelerate remediation times. If you’re interested in learning more about Rapid7’s InsightCloudSec solution be sure to check out our bi-weekly demo, which goes live every other Wednesday at 1pm EST. Of course, you can always watch the complete replay of this webinar anytime as well!