Globally, IT experts recognise security as the most significant barrier to cloud adoption, in part because many of the ways of securing traditional IT environments are not always applicable to cloud-native infrastructure. As a result, security teams may find themselves behind the curve and struggling to keep up with the ambitious digital transformation programs set by their senior leadership teams.
As technology evolves and threats change rapidly, organizations that stay abreast of the latest developments, trends, and industry standards tend to have fewer security risks than those that don’t. Failure to do so can lead to data breaches, compliance violations and increased costs. From creating a security culture to implementing innovative solutions, it’s clear a new approach to security is required; one that is more automated and based on best practices that consider the following:
Speed vs security
Finding the right balance between security and speed can be difficult, especially when trying to keep pace with your organization’s cloud migration and digital transformation strategy. Securing your continuous integration and delivery (CI/CD) pipeline can be challenging if visibility, governance and compliance lack across your IT environment.
Ensuring errors and missteps are detected and minimised requires a consistent set of processes, people, and tools. By putting challenges into logical groups, you can address each one more effectively.
For example, the first stage of the CI/CD pipeline is vulnerable to human error. Adopting the DevSecOps model adds security to the DevOps working processes as a continuous activity, allowing security policies to be defined and enforced at every pipeline stage — including development and testing environments. Although, moving away from traditional processes requires strong foundations to transform and change.
Operationalising cyber security
As the number of workloads in the cloud increases, security challenges can sometimes fall between the gaps and outside of traditional processes, increasing additional risk from a technical and operational perspective. When everyone understands cybersecurity processes, their importance and why it’s necessary, they’ll take action. Holding people and business units accountable for their efforts lets you measure your cyber security programs’ effectiveness to discover any necessary improvements. This will result in better decision-making and measurable risk reduction; not to mention greater understanding and awareness of security across your organization.
Begin by understanding where and how security gaps are being created. Once you’ve identified these gaps, prioritise them based on business impact and the likelihood of occurrence. Ask your peers; in the event of a breach, what data would you be most concerned about if hackers applied ransomware to it? With this information in hand, it becomes easier to identify the appropriate controls and solutions to help identify your organization’s cyber maturity.
Knowledge sharing
Encouraging knowledge sharing is a great way to help address the skills gap. The more we share our experiences, the easier it is to improve processes and procedures to reduce the risk of mistakes reoccurring. But how do you make sure you get it right?
Join Alex Noble, cloud security lead and Jason Hart, chief technology officer EMEA, for our Lunch and Learn Series: Stay ahead of the curve. During these exclusive, interactive virtual sessions, we will explore emerging best practices driven by new technologies and evolving business models. Don’t miss your chance to connect with local peers and team members over a complimentary virtual lunch.
Today almost all cloud users, roles, and identities are overly permissive. This leads to repeated headlines and forensic reports of attackers leveraging weak identity postures to gain a foothold, and then moving laterally within an organization’s modern cloud environment.
This has become a prevalent theme in securing the cloud, where identity and access management (IAM) plays a much larger role in governing access than in traditional infrastructure. However, the cloud was built for innovation and speed, with little consideration as to whether the access that has been granted is appropriate. The end result is an ever-growing interconnected attack surface that desperately needs to be tailored down.
To govern and minimize IAM risk in the cloud, organizations need to adopt the principle of least privilege access (LPA). Rapid7 is pleased to announce the release of LPA Policy Remediation as part of its InsightCloudSec product line. If you’re not familiar, InsightCloudSec is a fully-integrated cloud-native security platform (CNSP) that enables organizations to drive cloud security forward through continuous security and compliance. The platform provides real-time visibility into everything running across your cloud environment(s), detecting and prioritizing risk signals (including those associated with IAM policies), privileges, and entitlements, and provides native automation to return resources to a state of good whenever compliance drift is identified.
With the release of LPA Policy Generation, InsightCloudSec enables customers to take action when overly permissive roles or unused access is detected, automatically modifying the existing policy to align actual usage with granted permissions. Any actions that aren’t utilized over a 90-day period will be excluded from the new policy.
Permissions can’t become a point of friction for developers
In today’s world of continuous, fast-paced innovation, being able to move quickly and without friction is a key ingredient to delivering for customers and remaining competitive within our industries. Therefore, developers are often granted “godlike” access to leverage cloud services and build applications, in an effort to eliminate the potential that they will hit a roadblock later on. Peeling that back is a daunting task.
So how do you do that? Adopt the Principle of least privilege access, which recommends that a user should be given only those privileges needed for them to perform their function or task. If a user does not need a specific permission, the user should not have that permission.
Identity LPA requires dynamic assessment
The first step to executing on this initiative of LPA is to provide evidence to your dev teams that there is a problem to be solved. When first collaborating with your development partners, having a clear report of what permissions users have leveraged and what they have not can help move the discussion forward. If “Sam” has not used [insert permission] in the past 90 days, then does Sam really need this permission?
InsightCloudSec tracks permission usage and provides reporting over time of all your clouds, and is a handy tool to commence the discussion, laying the groundwork for continuous evaluation of the delta between used and unused permissions. This is critical, because while unused permissions may seem benign at first glance, they play a significant role in expanding your organization’s attack surface.
Effective cloud IAM requires prioritization
The continuous evaluation of cloud user activity compared to the permissions they have been previously granted will give security teams visibility into what permissions are going unused, as well as permissions that have been inappropriately escalated. This then provides a triggering point to investigate and ultimately enforce the principle of least privilege.
InsightCloudSec can proactively alert you to overly permissive access. This way security teams are able to continuously establish controls, and also respond to risk in real time based on suspicious activity or compliance drift.
Like with most security problems, prioritization is a key element to success. InsightCloudSec helps security teams prioritize which users to focus on by identifying which unused permissions pose the greatest risk based on business context. Not all permissions issues are equal from a risk perspective. For example, being able to escalate your privileges, exfiltrate data, or make modifications to security groups are privileged actions, and are often leveraged by threat actors when conducting an attack.
Taking action
Ultimately, you want to modify the policy of the user to match the user’s actual needs and access patterns. To ensure the insights derived from dynamically monitoring cloud access patterns and permissions are actionable, InsightCloudSec provides comprehensive reporting capabilities (JSON, report exports, etc.) that help streamline the response process to harden your IAM risk posture.
In an upcoming release, customers will be able to set up automation via “bots” to take immediate action on those insights. This will streamline remediation even further by reducing dependency on manual intervention, and in turn reduces the likelihood of human error.
When done right, LPA significantly reduces cloud risk
When done right, establishing and enforcing least-privilege access enables security teams to identify unused permissions and overly permissive roles and report them to your development teams. This is a key step in providing evidence of the opportunity to reduce an organization’s attack surface and risk posture. Minimizing the number of users that have been granted high-risk permissions to the ones that truly need them helps to reduce the blast radius in the event of a breach.
InsightCloudSec’s LPA Policy Remediation module is available today and leverages all your other cloud data for context and risk prioritization. If you’re interested in learning more about InsightCloudSec, and seeing how the solution can help your team detect and mitigate risk in your cloud environments, be sure to register for our bi-weekly demo series, which goes live every other Wednesday at 1pm EST.
With Google Cloud Next happening this week, there’s been some recent water cooler talk – okay, informal, ad hoc Zoom calls – where discussions about what makes Google Cloud Platform (GCP) unique when it comes to security. A few specific differences have popped up here and there (default data encryption, the way IAM is handled, etc.), but, generally speaking, many of the principles that apply to all other cloud providers apply to GCP environments.
For one, due to the speed and scale of these environments, it’s simultaneously very difficult and extremely critical to maintain an up-to-date inventory of the state of all resources in your environment. This means constantly monitoring your environment for resources being created, deleted, or modified in as close to real time as possible.
And in an effort to avoid ambiguity or hide behind marketing buzz terms, when I’m referring to “real time” here, I’m talking about sub 5-minute intervals based on activity happening in the environment. This is not to be confused with “near real time” approaches some vendors tout, which, in reality, still only pulls in data once or twice a day based on a static schedule.
In GCP, like in AWS, Azure, and all other cloud environments, simply getting a snapshot once a day to identify misconfigurations, vulnerabilities, or suspicious behaviors like you might with an on-prem data center just isn’t a scalable strategy. It’s a common cliche, but the ephemeral nature and rate of change in public cloud environments makes that kind of scanning strategy extremely ineffective when it comes to monitoring, analyzing, and eliminating actual risk in a cloud environment.
Let me lay out a couple examples where this kind of real-time monitoring can provide significant, potentially necessary, value to security teams working to make their cloud risk management programs more effective.
Identification of high-risk resources
As an example, say a developer is in a GCP project associated with your company’s revenue-generating application and they spin up a Cloud Storage instance that is, whether mistakenly or maliciously, open to the public internet.
If your security team is reliant on a scan to happen 12 hours later to get visibility into this activity, your organization will constantly be left open to significant risk. Take away the hyperbole here and assume it’s a much smaller risk or compliance violation. Even in that situation, your team is still working from behind and, presumably, almost always facing some level of stress about what issues are out there in the environment that they won’t know about for another 12-18 hours.
Worst of all, with this type of scanning you’re generally just getting a point-in-time snapshot of the environment and usually don’t know who made the change or how long ago it happened. This makes it much more difficult and time consuming for your team to actually assess the risk or get their hands on the right information to make an informed decision about how the situation should be addressed.
When a team is working with real-time data, however, they can be much more diligent and confident that they’re prioritizing the right issues at any given moment, with all the necessary context about who made the change and when it occurred. This not only helps teams stay ahead of issues and reduce the risk of a breach in their environment, but also helps keep individuals and teams feeling positive about the impact that the program is having on the organization.
Delayed remediation workflows
Building off of the previous example, it’s not only that teams can’t respond to risk they haven’t been notified of, it’s also that any automated response workflows your team may have built out to be more efficient are significantly less effective when they’re triggered by hours-old data. A 12-hour delay in an automation workflow all but eliminates the value of the automation itself, and it can actually cause headaches and confusion that detract from your team’s efficiency, rather than improving it (more on this in the next example).
In contrast, if you’re able to detect risky changes to your environment as they happen, you can automatically respond to that issue as it happens. In the case of this all being a mistake caused by a developer working a little too quickly, you’re able to automatically notify them of their error within a matter of minutes, likely while they’re still working within that project. Giving your development team this kind of feedback in the moment, rather than forcing them to context switch and go back into the project to fix the error a day later, is an excellent way to build stronger relationships and rapport with that team.
In the more rare case that this is indeed a malicious internal or external actor, enabling your automated remediation workflows to kick into gear within seconds and potentially stop the behavior could mean the difference between a minor incident and a breach requiring public disclosure from your organization.
Minimizing false positives and cross-team friction
Speaking of relationships with the development team (sorry, #DevSecOps), I can almost guarantee that working with data from scans or snapshots that occur every 12 or 24 hours in your cloud will cause friction between your two teams. Whether it’s tied to manual identification of risky resources or automated workflows notifying them of a non-compliant asset, working with stale data will inevitably lead to false positives that will both annoy and distract your already overburdened development team.
Take the example highlighted above, but instead, let’s say the developer actually spun up that Cloud Storage instance for a short amount of time in a dev instance with no actual customer data as part of a testing exercise. By the time your team gets visibility into this and either reaches out manually or has some automated notification sent to the developer, that instance could have already been deleted for hours. Now your team is looking at one set of old data and seeing an issue, meanwhile the developer is insisting that the storage container doesn’t even exist anymore. As mentioned above, this is going to cause headaches and frustration for both parties, and cause your team to lose credibility with the dev team.
At this point, you can probably guess where this is going next. With real-time monitoring in your environment this situation can be avoided altogether because your team will be looking at the same up-to-date information, and your team will be able to see that the storage container was shut down or removed from the project rather than spending time chasing down a false positive.
In this episode of Security Nation, Jen and Tod chat with Chris Levendis of MITRE and Lisa Olson of Microsoft about assigning CVE IDs for vulnerabilities affecting cloud solutions. They recount their experiences working with the CVE board to establish guidelines for disclosing cloud vulnerabilities and talk through some of the challenges in understanding responsibility for mitigating and managing risks in the cloud.
Stick around for our Rapid Rundown, where Tod and Jen talk about a helpful new feature in iOS 16 that allows users to tell their devices to forget certain Wi-Fi networks, as well as RFC 9293, the newly dropped transmission control protocol (TCP) that obsoletes RFC 793.
Chris Levendis
Chris Levendis is a Principal Systems Engineer in the Cybersecurity Operations & Integration department in the Center for Securing the Homeland at MITRE. He has supported various DHS missions since 2004, including infrastructure protection and cybersecurity. Currently, in support of the Cybersecurity and Infrastructure Security Agency (CISA), Chris leads the Homeland Security Systems Engineering and Development Institute’s (HSSEDI) work for Threat Hunting, Office of the Chief Technology Officer (OCTO), Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), and Common Attack Pattern Enumeration and Classification (CAPEC).
Lisa Olson
Lisa Olson has been in the business of developing technology and products to manage complex networks and network devices since the 1980s. She started her career working as a software engineer for IBM and has gone on to management positions for large companies including Boeing and Jupiter/Media Metrix.
For the last 10 years, Lisa has immersed herself in cybersecurity by managing Microsoft’s monthly Security Update releases (aka Patch Tuesday). Under her leadership, Patch Tuesday has undergone digital transformation from a primarily manual labor-intensive production of security bulletins for a relatively small number of products, to a highly automated all-electronic environment supporting hundreds of products including Microsoft’s Azure via a database and APIs. The Security Update Guide is published by Lisa’s team every month and provides information about Microsoft’s CVE list.
Show notes
Interview links
Check out the CVE blog post on handling cloud vulnerabilities.
Read the update on the recently released RFC 9293.
Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.
Want More Inspiring Stories From the Security Community?
The first programming language I learned in my childhood was Pascal. I was 12 years old at the time, and I quickly developed a passion for technology.
From a young age, I always knew I wanted to learn engineering and computer science. I wanted to solve big design and architecture problems while building new products that would influence the many people using software every day. The idea that we can use technology to build better tools inspires me, and I get excited about finding ways to help people work more efficiently.
Cybersecurity is such an interesting field because of the unique challenges and complexities associated with it. With my prior knowledge and background in security fundamentals and algorithms, joining Rapid7 felt like an exciting opportunity to grow my career.
An approachable start to a new challenge
Starting a role in a new industry can feel overwhelming, but Rapid7 has provided me the tools to make it a successful transition.
I joined Rapid7 as a Principal Engineer within our Cloud Security team. When I joined, I had some background in cybersecurity and security. Upon joining, I was immediately supported with the training programs and learning materials that helped me get up to speed and understand the business in more detail.
As a new hire, I had an excellent onboarding experience. The onboarding program gave me the chance to experience the unique culture and values of Rapid7, while also learning more about our industry, products, and the evolving needs of our customers. With the right tools, programs, and culture, I felt supported from day 1 to begin learning and immerse myself into the business and culture.
What sets Rapid7 apart
There are a lot of things that make Rapid7 unique as an employer. The people who work here are incredibly smart and kind, and the company places emphasis on learning and development, which shows they care about their people. It’s important for me to be in an environment where the business and leaders support their teams and care about giving them the right resources and tools they need to do the job, while also growing their own skills and knowledge. In engineering, the team gets access to the tools and tech stack requirements needed to fulfill our work.
Since I joined the company, I have experienced the reward of seeing the direct impact of my work. Being able to work autonomously to get the job done while having opportunities to mentor and coach others around me has been extremely rewarding. I love having the freedom to be creative, learn, and innovate new solutions. As I continue to grow within my career, I look forward to my next step in achieving my MSC degree in computer science. Being in an organization where I am creating products from scratch and using a cutting-edge tech stack helps contribute toward this goal.
I’ve learned a lot by taking a new step in my career and moving to a cloud security company. For those who are looking to do the same, I have a few pieces of advice to help you be successful:
Have an attitude of learning and growth.
There are many certifications you can get that will help introduce you to cloud technology. Check out certifications for GCP, AWS, and Azure to get comfortable.
Research and explore advanced concepts of security, encryption, and attack models. There is a lot of exciting activity happening in cybersecurity, and learning more about the industry can fuel your interest and help you understand the importance and impact your work in this field can have.
This is the latest post in our blog series on shifting left in cloud security. In our last post, we kicked off the series with a high-level overview about Rapid7’s approach to shifting cloud security into the application development lifecycle. For this post, we’ll dive into a key aspect of our approach: integrating cloud security with developer and DevOps tooling.
Incentivizing adoption by reducing friction
When integrating security into any part of the development lifecycle there are some important factors to consider, including the security tools you’ll integrate, the processes you’ll ask developers to follow, and how aggressively you intend to enforce certain policies. When making these decisions, it’s important to consider the goals of adopting DevOps practices and infrastructure as code (IaC) respectively: to improve the velocity of application development and delivery, and to empower development teams to provision cloud infrastructure resources on a self-service basis.
Infusing security into these goals requires guardrails and routine checks to make sure the need for speed doesn’t create vulnerabilities or potentially exploitable misconfigurations. For IaC development, this is accomplished by having individual developers scan templates and plans as early as possible, and at key points in the CI/CD pipeline, before they’re considered for use in staging or production deployment. This is much easier said than done, as it relies on organizational buy-in, particularly from the developers who are typically laser-focused on bringing new products and features to market as fast as possible with the highest quality possible.
As with anything that relies on multiple teams collaborating in a process, the goal is to make it as easy as possible to adopt and demonstrate tangible value to all involved. Shifting security left into the software development lifecycle (SDLC) via developers and CI/CD tool integrations is a perfect application of this. One common example is allowing developers to execute scans on IaC templates or plans prior to a push or pull request, using a local command-line interface (CLI) tool.
The comfort of the CLI
In this context, a CLI tool allows a developer to interact with IaC security scanning features via a terminal prompt for familiarity and convenience. This comfortable experience will encourage adoption by using the CLI rather than engaging with a security product interface or API directly. In late 2021, we released our first CLI tool to initiate IaC scans in InsightCloudSec (ICS): mimics.
mimics has many intended uses that will expand over the time, but for now, the primary goals are:
Enabling developers to execute on-demand security scans of their IaC plans and templates with results delivered directly in the CLI, thereby shortening the discovery and feedback loop for security and compliance issues to the point of immediate remediation
Enabling DevOps teams to easily integrate IaC security scans at any point in the CI/CD workflow, thereby standardizing the process and enforcing security compliance checks and remediation as needed before progressing to the next integration or deployment step
In all cases, the mimics CLI simplifies integration and doesn’t require more costly script-based integration with the ICS API. In some cases, unique IaC security capabilities are exclusively available via mimics.
Introducing GitHub Actions integration
InsightCloudSec recently launched a GitHub Action to facilitate a bidirectional integration with our IaC scanning feature. Our goal is to streamline the incorporation of IaC security scans into your cloud application CI/CD process governed by GitHub. If you’re not familiar with GitHub Actions, they allow you to automate, customize, and execute workflow steps, including security and compliance checks. In doing so, users can discover, create, and share Actions with other community members.
A great use of the mimics CLI is to integrate with GitHub using our Action to trigger an ICS IaC scan at defined points in your workflow. Upon completion of the scan, you’ll receive an overall pass/fail result in reply, as well as detailed findings, if any, in SARIF format for display in the GitHub Advanced Security module as security alerts. If you don’t subscribe to the GitHub Advance Security module, you can still trigger IaC security scans and receive an overall pass/fail result to govern the workflow step, plus a detailed findings report in one of various readable formats.
More DevOps tool integrations on the way
As you can see, Rapid7’s InsightCloudSec is meeting developers and DevOps teams where they are today and expanding in the near future. We want to make integrating security controls by development teams easier. And we aren’t stopping there. We have a deep roadmap of additional integrations that will be coming soon. However, it’s important to note that you’re not limited by our formal integrations. The mimics CLI makes your custom integrations a snap, and we have examples in our product documents.
We understand the profound impact shifting security left can have on organizational buy-in, overall team efficiency, and of course, cloud security outcomes. Keep an eye out for upcoming enhancements that will further help you seamlessly integrate security throughout the entire SDLC.
If you’re interested in learning more about how InsightCloudSec helps your team get contextualized insight into your cloud security and risk posture, be sure to check out our bi-weekly demo seriesGaining Layered Context in Cloud Security, which goes live every other Wednesday at 1pm EST.
Cloud complexity is now a well-documented and widely felt phenomenon across technology teams — IT, development, and security alike. Multi-cloud architectures have become the norm, with 89% of organizations embracing a strategy that involves multiple cloud vendors. Not only are companies managing greater amounts of data than ever before, they’re also spread across an ever-increasing array of cloud services, applications, and devices.
Securing all this information and preventing data loss in a multi-cloud environment would be a tall task for any security team. Add to the mix an increasingly heightened threat landscape and an ongoing cybersecurity skills shortage, and the challenge becomes even greater.
Rapid7, Mimecast, and Netskope recently published a joint white paper outlining best practices for cloud data protection and pinpointing some key resources that organizations can leverage in this effort. Here are three key concepts the paper highlights.
1. Embrace AI
Artificial intelligence (AI) and machine learning are well-known technologies at this point, but their potential is only just beginning to be tapped when it comes to helping security teams become more efficient and more effective.
Machine learning won’t ever replace the trained eye and keen insight of a veteran cybersecurity analyst — but AI-based tools can take on some of the repetitive and time-consuming tasks that security pros face, allowing analysts to increase productivity and focus on the alerts and issues that matter most. The goal is human-machine collaboration, with AI augmenting and boosting the capabilities of the analyst.
2. Utilize automation
Automation and AI work together as a one-two punch of process improvement for security. If an AI-based tool detects an anomalous event, automation allows you to set up actions that can take place in response to that suspicious activity. This can help get the ball rolling faster on mitigating security issues — and speed is the name of the game when it comes to keeping out attackers.
In the context of a cloud security platform, built-in automation and remediation tools let you create bots that can carry out certain tasks, specified by:
Scope: What resources the bot should evaluate — i.e., specific cloud resource groups, or certain types of resources contained in those groups
Filters: The conditions in which a bot should act — e.g., what tags the resource has, or whether the ports are open
Actions: What task you want the bot to carry out — e.g., delete a resource, start or stop an instance, or send an email with key information about the resource in question
3. Leverage integrations
AI and automation can help drive efficiencies — but with a multitude of cloud services in play, there’s a risk that these automated actions proliferate and become unwieldy, making it tough for security teams to reap the full benefits. This is where integrations become critical: They allow teams to coordinate actions quickly and seamlessly across multiple vendor systems.
Integrations make it easier to create a holistic security environment formed by a consistent set of controls, rather than a patchwork of best practices. For example, if you have an integration that links your email security gateway to your security information and event management (SIEM) tool, you can create an alert when a user receives an email containing suspected ransomware or malware, and take automated remediation actions instantly. Or if your security service edge (SSE) platform detects a serious data exfiltration risk, you can build a customized workflow in your security orchestration, automation, and response (SOAR) to quarantine that resource or take it offline.
Dive deeper on cloud data protection
Keeping data secure in the cloud comes with its share of challenges, but integrations that leverage AI-based analytics and automated workflows can help you ensure you know where your data is, what security controls are in place, and what threats there might be in your environment.
AWS re:Inforce returned to Boston, MA, in July after 2 years, and we were so glad to be back in person with customers. The conference featured over 250 sessions and hands-on labs, 100 AWS partner sponsors, and over 6,000 attendees over 2 days. If you weren’t able to join us in person, or just want to revisit some of the themes, this blog post is for you. It summarizes all the key announcements and points to where you can watch the event keynote, sessions, and partner lightning talks on demand.
Key announcements
Here are some of the announcements that we made at AWS re:Inforce 2022.
Free MFA token ordering portal – We’ve made our free multi-factor authentication (MFA) security key program easier. We now have an ordering portal in the AWS Management Console where eligible customers can order their token. In response to customer demand, we’ve streamlined the ordering process, especially for linked accounts. At this time, only US-based AWS account root users who have spent more than $100 each month over the past 3 months are eligible to place an order.
IAM Roles Anywhere – This new feature extends the capabilities of AWS Identity and Access Management (IAM) roles to workloads outside of AWS. You can use IAM Roles Anywhere to provide a secure way for on-premises servers, containers, or applications to obtain temporary AWS credentials and remove the need for creating and managing long-term AWS credentials.
AWS Marketplace Vendor Insights – This new feature helps simplify third-party software risk assessments by compiling security and compliance information in a unified dashboard.
AWS Cloud Audit Academy – PCI DSS on AWS – Cloud Audit Academy (CAA) PCI DSS on AWS is the third course in the AWS security auditing learning path. This path is designed for those who are in auditing, risk, and compliance roles and who are involved in assessing regulated workloads in the cloud.
New workshop – Threat modeling the right way for builders – This workshop introduces you to the background of threat modeling and why to do it, as well as some of the tools and techniques for modeling systems, identifying threats, and selecting mitigations.
Enable secure communication with end-to-end encryption with AWS Wickr, and collaborate on calls with confidence. AWS Wickr encrypts messages, calls, and files with a proprietary, 256-bit end-to-end encryption protocol. No one but intended recipients can decrypt them, reducing the risk of person-in-the-middle attacks.
Watch on demand
You can also watch these talks and learning sessions on demand.
Keynotes and leadership sessions
Watch the AWS re:Inforce 2022 keynote where Amazon Chief Security Officer Stephen Schmidt, AWS Chief Information Security Officer CJ Moses, Vice President of AWS Platform Kurt Kufeld, and MongoDB Chief Information Security Officer Lena Smart share the latest innovations in cloud security from AWS and what you can do to foster a culture of security in your business. Additionally, you can review all the leadership sessions to learn best practices for managing security, compliance, identity, and privacy in the cloud.
Breakout sessions and partner lightning talks
Data Protection and Privacy track – See how AWS, customers, and partners work together to protect data. Learn about trends in data management, cryptography, data security, data privacy, encryption, and key rotation and storage.
Governance, Risk, and Compliance track – Dive into the latest hot topics in governance and compliance for security practitioners, and discover how to automate compliance tools and services for operational use.
Identity and Access Management track – Hear from AWS, customers, and partners on how to use AWS Identity Services to manage identities, resources, and permissions securely and at scale. Learn how to configure fine-grained access controls for your employees, applications, and devices and deploy permission guardrails across your organization.
Network and Infrastructure Security track – Gain practical expertise on the services, tools, and products that AWS, customers, and partners use to protect the usability and integrity of their networks and data.
Threat Detection and Incident Response track – Learn how AWS, customers, and partners get the visibility they need to improve their security posture, reduce the risk profile of their environments, identify issues before they impact business, and implement incident response best practices.
Session presentation downloads are also available on our AWS Event Contents page. Consider joining us for more in-person security learning opportunities by registering for AWS re:Invent 2022, which will be held November 28 through December 2 in Las Vegas. We look forward to seeing you there!
If you’d like to discuss how these new announcements can help your organization improve its security posture, AWS is here to help. Contact your AWS account team today.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.
Want more AWS Security news? Follow us on Twitter.
Streaming is king in the media and entertainment industry. According to the Motion Picture Association’s Theatrical and Home Entertainment Market Environment Report, the global number of streaming subscribers grew to 1.3 billion in 2021. Consumer demand for immediate digital delivery is skyrocketing. Producing high-quality content at scale is a challenge media companies must step up to on a daily basis. One thing is for sure: Meeting these expectations would be unmanageable left to human hands alone.
Fortunately, cloud adoption has enabled entertainment companies to meet mounting customer and business needs more efficiently. With the high-speed workflow and delivery processes that the cloud enables, distributing direct-to-consumer is now the industry standard.
As media and entertainment companies grow their cloud footprints, they’re also opening themselves up to vulnerabilities threat actors can exploit — and the potential consequences can be financially devastating.
Balancing cloud security with production speed
In 2021, a Twitch data breach showed the impact cyberattacks can have on intellectual property at media and entertainment companies. Attackers stole 128 gigabytes of data from the popular streaming site and posted the collection on 4chan. The released torrent file contained:
The history of Twitch’s source code
Programs Twitch used to test its own vulnerabilities
Proprietary software development kits
An unreleased online games store intended to compete with Steam
Amazon Game Studios’ next title
Ouch. In mere moments, the attackers stole a ton of sensitive IP and a key security strategy. How did attackers manage this? By exploiting a single misconfigured server.
Yet, media and entertainment businesses can’t afford to slow down their adoption and usage of public cloud infrastructure if they hope to remain relevant. Consumers demand timely content, whether it’s the latest midnight album drop from Taylor Swift or breaking news on the war in Ukraine.
Media and entertainment organizations must mature their cloud security postures alongside their content delivery and production processes to maintain momentum while protecting their most valuable resources: intellectual property, content, and customer data.
We’ve outlined three key cloud security strategies media and entertainment companies can follow to secure their data in the cloud.
1. Expand and consolidate visibility
You can’t protect what you can’t see. There are myriad production, technical, and creative teams working on a host of projects at a media and entertainment company – and they all interact with cloud and container environments throughout their workflow. This opens the door for potential misconfigurations (and then breaches) if these environments aren’t carefully tracked, secured, or even known about.
Here are some key considerations to make:
Do you know exactly what platforms are being used across your organization?
Do you know how they are being used and whether they are secure?
Most enterprises lack visibility into all the cloud and container environments their teams use throughout each step of their digital supply chain. Implementing a system to continuously monitor all cloud and container services gives you better insight into associated risks. Putting these processes into place will enable you to tightly monitor – and therefore protect – your growing cloud footprint.
Cloud, container, and other infrastructure misconfigurations are a major area of concern for most security teams. More than 30% of the data breaches studied in our 2022 Cloud Misconfigurations Report were caused by relaxed security settings and misconfigurations in the cloud. These misconfigurations are alarmingly common across industries and can cause critical exposures, as evidenced in the following example:
In 2021, a server misconfiguration on Sky.com (a UK-based media company) revealed access credentials to a production-level database and IP addresses to development endpoints. This meant that anyone with those released credentials or addresses could easily access a mountain of proprietary data from the Comcast subsidiary.
One way to avoid these types of breaches is to prevent misconfigurations in your Infrastructure as Code (IaC) templates. Scanning IaC templates, such as Terraform, reduces the likelihood of cloud misconfigurations by ensuring that any templates that are built and deployed are already vetted against the same security and compliance checks as your production cloud infrastructure and services.
By leveraging IaC scanning that provides fast, context-rich results to resource owners, media and entertainment organizations can build a stronger security foundation while reducing friction across DevOps and security teams and cutting down on the number of 11th-hour fixes. Solving problems in the CI/CD pipeline improves efficiency by correcting issues once rather than fixing them over and over again at runtime.
As the saying goes, a chain is only as strong as its weakest link. Cloud security practices won’t be as effective or efficient if an organization’s workforce doesn’t understand and value secure processes. A culture of collaboration between DevOps and security is a good start, but the entire organization must understand and uphold security best practices.
Fostering a culture that prioritizes the protection of digital content empowers all parts of (and people in) your supply chain to work with secure practices front-of-mind.
What’s the tell-tale sign that you’ve created a culture of security? When all employees, no matter their department or role, see it as simply another part of their job. This is obviously not to say that you need to turn all employees, or even developers, into security experts, but they should understand how security influences their role and the negative consequences to the business if security recommendations are avoided or ignored.
Media and entertainment companies can’t afford to slow down if they hope to meet consumer demands. They can’t afford to neglect security, either, if they want to maintain consumer trust.
Remember, the ultimate offense is a strong defense. Building security into your cloud infrastructure processes from the beginning dramatically decreases the odds that an attacker will find a chink in your armor. Moreover, identifying and remediating security issues sooner plays a critical role in protecting consumer data and your intellectual property and other media investments.
Want to learn more about how media and entertainment companies can strengthen their cloud security postures?
This year’s AWS re:Inforce conference brought together a wide range of organizations that are shaping the future of the cloud. Last week in Boston, cloud service providers (CSPs), security vendors, and other leading organizations gathered to discuss how we can go about building cloud environments that are both safe and scalable, driving innovation without sacrificing security.
This array of attendees looks a lot like the cloud landscape itself. Multicloud architectures are now the norm, and organizations have begun to search for ways to bring their lengthening lists of vendors together, so they can gain a more cohesive picture of what’s going on in their environment. It’s a challenge, to be sure — but also an opportunity.
These themes came to the forefront in one of Rapid7’s on-demand booth presentations at AWS re:Inforce, “Speeding Up Your Adoption of CSP Innovation.” In this talk, Chris DeRamus, VP of Technology – Cloud Security at Rapid7, sat down with Merritt Baer — Principal, Office of the CISO at AWS — and Nick Bialek — Lead Cloud Security Engineer at Northwestern Mutual — to discuss how organizations can create processes and partnerships that help them quickly and securely utilize new services that CSPs roll out. Here’s a closer look at what they had to say.
Building a framework
The first step in any security program is drawing a line for what is and isn’t acceptable — and for many organizations, compliance frameworks are a key part of setting that baseline. This holds true for cloud environments, especially in highly regulated industries like finance and healthcare. But as Merritt pointed out, what that framework looks like varies based on the organization.
“It depends on the shop in terms of what they embrace and how that works for them,” she said. Benchmarks like CIS and NIST can be a helpful starting point in moving toward “continuous compliance,” she noted, as you make decisions about your cloud architecture, but the journey doesn’t end there.
For example, Nick said he and his team at Northwestern Mutual use popular compliance benchmarks as a foundation, leveraging curated packs within InsightCloudSec to give them fast access to the most common compliance controls. But from there, they use multiple frameworks to craft their own rigorous internal standards, giving them the best of all worlds.
The key is to be able to leverage detective controls that can find noncompliant resources across your environment so you can take automated actions to remediate — and to be able to do all this from a single vantage point. For Nick’s team, that is InsightCloudSec, which provides them a “single engine to determine compliance with a single set of security controls, which is very powerful,” he said.
Evaluating new services
Consolidating your view of the cloud environment is critical — but when you want to bring on a new service and quickly evaluate it for risk, Merritt and Nick agreed on the importance of embracing collaboration and multiplicity. When it’s working well, a multicloud approach can allow this evaluation process to happen much more quickly and efficiently than a single organization working on their own.
“We see success when customers are embracing this deliberate multi-account architecture,” Merritt said of her experience working with AWS users.
At Northwest Mutual, Nick and his team use a group evaluation approach when onboarding a new cloud service. They’ll start the process with the provider, such as AWS, then ask Rapid7 to evaluate the service for risks. Finally, the Northwest Mutual team will do an assessment that pays close attention to the factors that matter most to them, like disaster recovery and identity and access management.
This model helps Nick and his team realize the benefits of the cloud. They want to be able to consume new services quickly so they can innovate at scale, but their team alone can’t keep up the work needed to fully vet each new resource for risks. They need a partner that can help them keep pace with the speed and elasticity of the cloud.
“You need someone who can move fast with you,” Nick said.
Automating at scale
Another key component of operating quickly and at scale is automation. “Reducing toil and manual work,” as Nick put it, is essential in the context of fast-moving and complex cloud environments.
“The only way to do anything at scale is to leverage automation,” Merritt insisted. Shifting security left means weaving it into all decisions about IT architecture and application development — and that means innovation and security are no longer separate ideas, but simultaneous parts of the same process. When security needs to keep pace with development, being able to detect configuration drift and remediate it with automated actions can be the difference between success and stalling out.
Plus, who actually likes repetitive, manual tasks anyway?
“You can really put a lot of emphasis on narrowing that gray area of human decision-making down to decisions that are truly novel or high-stakes,” Merritt said.
This leveling-up of decision-making is the real opportunity for security in the age of cloud, Merritt believes. Security teams get to be freed from their former role as “the shop of no” and instead work as innovators to creatively solve next-generation problems. Instead of putting up barriers, security in the age of cloud means laying down new roads — and it’s collaboration across internal teams and with external vendors that makes this new model possible.
There’s no shortage of buzzwords in the tech world. Some are purely marketing spin. But others are colloquial ways for the industry to talk about complex topics that have a massive impact on how organizations and teams drive innovation and work more efficiently. Here at Rapid7, we believe the “shift left” movement very much falls in the latter category.
Because we see shifting left as so critical to an effective cloud security strategy, we’re kicking off a new blog series covering how organizations can seamlessly incorporate security best practices and technologies into their existing DevOps workflows — and, of course, how InsightCloudSec and the brilliant team here at Rapid7 can help.
What does “shift left” actually mean?
For those who might not be familiar with the term, “shift left” can be used interchangeably with DevOps methodologies. The idea is to “shift” tasks that have typically been performed by centralized and dedicated operations teams earlier in the software development life cycle (SDLC). In the case of security, this means weaving security guardrails and checks into development, fixing problems at the source rather than waiting to do so upon deployment or production.
Historically, security was centered around applying checks and scanning for known vulnerabilities after software was built as part of the test and release processes. While this is an important step in the cycle, there are many instances in which this is too late to begin thinking about the integrity of your software and supporting infrastructure — particularly as organizations adopt DevOps practices, resources are increasingly provisioned declaratively, and the development cycle becomes a more iterative, continuous process.
Our philosophy on shift left
One of the most commonly cited concerns we hear from organizations attempting to shift left is the potential to create a bottleneck in development, as developers need to complete additional steps to clear compliance and security hurdles. This is a crucial consideration, given that accelerating software development and increasing efficiency is often the driving force behind adopting DevOps practices in the first place. Security must catch up to the pace of development, not slow it down.
Shift left is very much about decentralizing security to match the speed and scale of the cloud, and when done poorly, it can erode trust and be viewed as a gating factor to releasing high-quality code. This is what drives Rapid7’s fundamental belief that in order to effectively shift security left, you need to avoid adding friction into the process, and instead embrace the developer experience and meet devs where they are today.
How do you accomplish this? Here’s a few core concepts that we here at Rapid7 endorse:
Provide real-time feedback with clear remediation guidance
The main goal of DevOps is to accelerate the pace of software development and improve operating efficiency. In order to accomplish this without compromising quality and security, you must make sure that insights derived from your tooling are actionable and made available to the relevant stakeholders in real time. For instance, if an issue is detected in an IaC template, the developer should be immediately notified and provided with step-by-step guidance on how to fix the issue directly in the template itself.
Establish clear and consistent security and compliance standards
It’s important for an organization to have a clear and consistent definition of what “good” looks like. A well-centered definition of security and compliance controls helps establish a common standard for the entire organization, making measurement of compliance and risk easier to establish and report. Working from a single, centrally managed policy set makes it that much easier to ensure that teams are building compliant workloads from the start, and you can limit the time wasted repeatedly fixing issues after they reach production. A common standard for security that everyone is accountable for also establishes trust with the development community.
Integrate seamlessly with existing tool chains and processes
When adding any tools or additional steps into the development life cycle, it is critically important to integrate them with existing tools and processes to avoid adding friction and creating bottlenecks. This means that your security tools must be compatible with existing CI/CD tools (e.g., GitHub, Jenkins, Puppet, etc.) to make the process of scanning resources and remediating issues seamless, and to enable developers to complete their tasks without ever leaving the tools they are most comfortable working with.
Enable automation by shifting security left
Automation can be a powerful tool for teams managing sprawling and complex cloud environments. Shifting security left with IaC scanning allows you to catch faulty source templates before they’re ever used, allowing teams to leverage automation to deploy their cloud infrastructure resources with the confidence that they will align to organizational security standards.
Shifting cloud security left with IaC scanning
Infrastructure as code (IaC) refers to the ability to provision cloud infrastructure resources declaratively, by writing code in the same development environments used to write the software it is intended to support. IaC is a critical component of shifting left, as it empowers developers to write, test, and release software and infrastructure resources programmatically in a highly integrated process. This is typically done through pre-configured templates based on policies determined by operations teams, making development a shared and reproducible process.
When it comes to IaC security, we’re primarily talking about integrating the process of checking IaC templates to be sure that they won’t result in non-compliant infrastructure. But it shouldn’t stop there. In a perfect world, the IaC scanning tool will identify why a given template will be non-compliant, but it should also tell you how to fix it (bonus points if it can fix the problem for you!).
IaC scanning with InsightCloudSec
By this point, it should be clear that we here at Rapid7 strongly believe in incorporating security and compliance as early as possible in the development process, but we know this can be a daunting task. That’s why we built powerful capabilities into the InsightCloudSec platform to make integrating IaC scanning into your development workflows as easy and seamless as possible.
With IaC scanning in InsightCloudSec, your teams can identify and evaluate risk before infrastructure is ever built, stopping non-compliant or misconfigured resources from ever reaching production, and improving efficiency by fixing problems at the source once and for all, rather than repeatedly addressing them in runtime. With out-of-the-box support for popular IaC tools like Terraform and CloudFormation, InsightCloudSec provides teams with a common understanding of good that is consistent throughout the entire development life cycle.
Shifting security left requires consistency
Consistency is critical when shifting left, because if you’re scanning IaC templates with checks against policies that differ from those being applied in production, there’s a high likelihood that after some — likely short — period of time, those policy sets are going to drift, leading to missed vulnerabilities, misconfigurations, and/or non-compliant workloads. That may not seem like the end of the world, but it creates real problems for communicating issues across teams and increases the risk of inconsistent application of policies. When you lack consistency, it creates confusion among your stakeholders and erodes confidence in the effectiveness of your security program.
To address this, InsightCloudSec applies the same exact set of configuration standards and security policies across your entire CI/CD pipeline and even across your various cloud platforms (if your organization is one of the many that employ a hybrid cloud strategy). That means teams using IaC templates to provision infrastructure resources for their cloud-native applications can be confident they are deploying workloads that are in line with existing compliance and security standards — without having to apply a distinct set of checks, or cross-reference them with those being used in production environments.
Sounds amazing, right?! There’s a whole lot more that InsightCloudSec has to offer cloud security teams that we don’t have time to cover in this post, so follow this link if you’d like to learn more.
The summer of conferences rolls on for the cybersecurity and tech community — and for us, the excitement of being able to gather in person after two-plus years still hasn’t worn off. RSA was the perfect kick-off to a renewed season of security together, and we couldn’t have been happier that our second big stop on the journey, AWS re:Inforce, took place right in our own backyard in Boston, Massachusetts — home not only to the Rapid7 headquarters but also a strong and vibrant community of cloud, security, and other technology pros.
We asked three of our team members who attended the event — Peter Scott, VP Strategic Enablement – Cloud Security; Ryan Blanchard, Product Marketing Manager – InsightCloudSec; and Megan Connolly, Senior Security Solutions Engineer — to answer a few questions and give us their experience from AWS re:Inforce 2022. Here’s what they had to say.
What was your most memorable moment from AWS re:Inforce this year?
What was your biggest takeaway from the conference? How will it shape the way you think about cloud and cloud security practices in the months to come?
Thanks to everyone who came to say hello and talk cloud with us at AWS re:Inforce. We hope to see the rest of you in just under two weeks at Black Hat 2022 in Las Vegas!
This year’s AWS re:Inforce conference in Boston has been jam-packed with thrilling speakers, deep insights on all things cloud, and some much-needed in-person collaboration from all walks of the technology community. It also coincides with some exciting announcements from AWS — and we’re honored to be a part of two of them. Here’s a look at how Rapid7 is building on our existing partnership with Amazon Web Services to help organizations securely advance in today’s cloud-native business landscape.
InsightIDR awarded AWS Security Competency
For seven years, AWS has issued security competencies to partners who have a proven track record of helping customers secure their AWS environments. Today at re:Inforce, AWS re-launched their Security Competency program, so that it better aligns with customers’ constantly evolving security challenges. Rapid7 is proud to be included in this re-launch, having obtained a security competency under the new criteria for its InsightIDR solution in the Threat Detection and Response category. This is Rapid7’s second AWS security competency and fourth AWS competency.
This designation recognizes that InsightIDR has demonstrated and successfully met AWS’s technical and quality requirements for providing customers with a deep level of software expertise in security incident and event management (SIEM), helping them achieve their cloud security goals.
InsightIDR integrates with a number of AWS services, including CloudTrail, GuardDuty, S3, VPC Traffic Mirroring, and SQS. InsightIDR’s UEBA feature includes dedicated AWS detections. The Insight Agent can be installed on EC2 instances for continuous monitoring. InsightIDR also features an out-of-the-box honeypot purpose-built for AWS environments. Taken together, these integrations and features give AWS customers the threat detection and response capabilities they need, all in a SaaS solution that can be deployed in a matter of weeks.
Adding another competency to Rapid7’s repertoire reaffirms our commitment to giving organizations the tools they need to innovate securely in a cloud-first world.
Rapid7 named a launch partner for AWS GuardDuty Malware Protection
Malware Protection is the new malware detection capability AWS has added to their GuardDuty service — and we’re honored to join them as a launch partner, with two products that support this new GuardDuty functionality.
GuardDuty is AWS’s threat detection service. It monitors AWS environments for suspicious behavior. Malware Protection introduces a new type of detection capability to GuardDuty. When GuardDuty fires an alert that’s related to an Amazon Elastic Cloud Compute (EC2) instance or a container running on EC2, Malware Protection will automatically run a scan on the instance in question and detect malware using machine learning and threat intelligence. When trojans, worms, rootkits, crypto miners, or other forms of malware are detected, they appear as new findings in GuardDuty, so security teams can take the right remediation actions.
Rapid7 customers can ingest GuardDuty findings (including the new malware detections) into InsightIDR and InsightCloudSec. In InsightIDR, each type of GuardDuty finding can be treated as a notable behavior or as an alert which will automatically trigger a new investigation. This allows security teams to know the instant suspicious activity is detected in their AWS environment and react accordingly. Should an investigation be triggered, teams can use InsightIDR’s native automation capabilities to enrich the data from GuardDuty, quarantine a user, and more. In the case where GuardDuty detects malware, teams can pull additional data from the Insight agent and even terminate malicious processes. In addition, customers can use InsightIDR’s Dashboards capability to keep an eye on GuardDuty and spot trends in the findings.
InsightCloudSec customers can likewise build automated bots that automatically react to GuardDuty findings. When GuardDuty has detected malware, a customer might configure a bot that terminates the infected instance. Alternatively, a customer might choose to reconfigure the instance’s security group to effectively isolate it while the team investigates. The options are practically endless.
Rapid7 and AWS continue to deepen partnership to protect your cloud workloads
AWS re:Inforce 2022 provides a welcome opportunity for the community to come together and share insights about managing and securing cloud environments, and we can’t think of better timing to announce these two areas of partnership with AWS. Click here to learn more about what we’re up to at this year’s AWS re:Inforce conference in Boston.
AWS re:Inforce 2022 starts tomorrow — Tuesday, July 26th — and we couldn’t be more excited to gather with the tech, cloud, and security communities in our home city of Boston. Here’s a sneak peek of the highlights to come at re:Inforce and what we’re looking forward to the most this Tuesday and Wednesday.
Expert insights at the Rapid7 booth
After two and half years of limited in-person gatherings, we have kind of a lot to say. That’s why we’re making the Rapid7 booth at AWS re:Inforce a hub for learning and sharing from our cybersecurity experts. Stop by and learn how our team members are tackling a range of topics in cloud and security overall, including:
Adapting Your VM Program for Cloud-Native Environments — Jimmy Green, VP of Software Engineering for Cloud, will walk through some of the key considerations when building a fully cloud-first approach to vulnerability management.
Speeding Up Your Adoption of CSP Innovation — Chris DeRamus, VP of Technology – Cloud, will detail how Rapid7 evaluates cloud service providers (CSPs) for risk in order to promote faster, more secure adoption.
Context Is King: The Future of Cloud Security Operations — Peter Scott, VP of Strategic Engagement for Cloud Security, will discuss why obtaining context around security data is key to managing complexity in cloud environments.
Hybrid Is Here: Is Your SOC Ready? — Megan Connolly, Senior Security Solutions Engineer, will highlight the role that extended detection and response (XDR) technology can play in helping SOCs move toward a cloud-first model.
InsightCloudSec Demo — Joe Brumbley, Cloud Security Solutions Engineer, and Sean Healy, Senior Domain Engineer – Enterprise Cloud Security, will show InsightCloudSec in action, taking you through the different use cases and features that enable integrated security for multi-cloud environments.
Sharing how we walk the walk
At Rapid7, we’re laser-focused on helping companies accelerate in the cloud without compromising security. Our technology and expertise help security teams bring that vision to life — and they form the foundation for how we secure our own cloud infrastructure, too.
In the AWS re:Inforce featured session, “Walking the Walk: AWS Security at Rapid7,” Ulrich Dangle (Director, Software Engineering – Platform) and Lauren Clausen Fenton (Manager, Software Engineering – Platform) will share their firsthand experiences developing, scaling, and operationalizing a cloud security program at Rapid7. They’ll talk about how they manage to reduce risk while supporting Rapid7’s business goals, as well as the needs of our fast-moving DevOps team.
Join us on Tuesday, July 26th, at 11:40 AM, or Wednesday, July 27th, at 10:05 AM to learn how our security team is working around-the-clock to keep our large cloud environment secure and compliant, with standardized configurations and a tried-and-true threat response playbook.
Conversations over cloudy beers
It’s no secret that great craft beer is an integral part of tech culture — so where better to talk about all things cloud than a Boston brewery known for the cloudy appearance of its hazy New England IPAs?
On Tuesday, July 26th, from 5:15 PM to 8 PM, we’ll be at Rapid7 Reception at Trillium Fort Point, right in the heart of the Seaport District. It’s a perfect chance to network with your fellow protectors and meet some of our Rapid7 security experts over a double dry-hopped pale ale or a nitro milk stout. (If beer’s not your thing, not to worry — we’ll have wine and seltzer, too.)
If that wasn’t enough…
Last but not least, we’re giving away a vacation of your choice valued at $5,000! The more you engage with us at re:Inforce, the more chances you have to win. You’ll be entered in the drawing when you stop by to see us at Booth 206 to receive a demo or watch a presentation, or when you attend the Rapid7 Reception at Trillium Fort Point.
The shift towards cloud and cloud-native application architectures represents an evolutionary step forward from older paradigms. The adoption of containers, Kubernetes, and serverless functions, along with the use of cloud-based infrastructure, introduces a new set of risks and security challenges — as well as new opportunities. These go well beyond application security and security posture management, spanning from the build phase all the way to the application run phase.
Three areas for cloud-native security
One particular area of focus for security defenses is actively security monitoring cloud-based applications and cloud workloads, often referred to as runtime security.
We can break down cloud-based runtime security into three main categories:
1. Cloud environment security
The cloud environment is where we provision the infrastructure and services to run our applications. Running applications often involves provisioning computing resources, networking, storage resources, and access credentials to external elements such as data, external services, or secrets. This is the foundation that our cloud applications are built on, and is a critical first step in ensuring their integrity.
2. Workload and workload orchestration security
Operating modern cloud-native applications often means leveraging a container orchestration platform. In recent years, Kubernetes has been the go-to application server vehicle. Leveraging application server infrastructure like Kubernetes requires attention from a risk and threat perspective. For example, Kubernetes credentials theft, or credential compromise as a result of application breach, can be detected through continuously analyzing the Kubernetes audit log. Another example would be the detection of malware that exploit inherent weaknesses in DNS protocol through network security analysis of the workload (Pod) communications.
3. Application security
If the cloud environment is our workload vehicle where we operate and run our workloads, and containerized workloads are our application vehicle, then OS processes are where our application logic runs. Cloud functions are another example of normally short-lived processes that carry our application logic. Protecting applications is a long-standing challenge on its own. This includes application API security, memory protection, data protection, network isolation, and control, and can be achieved using multiple techniques — some of which are only practically possible through the use of security agents.
Security agents defined
Security agents represent a specialized software deployed on an application workload or application endpoint to perform specific security functions, such as network monitoring, process-level monitoring, memory monitoring, file system monitoring, system API call monitoring, and memory monitoring. They may be involved in preventive actions, detection actions, or security forensics data collection actions.
For example, we can deploy security agents to virtual machines (cloud instances) and provide host-level security. We can use security agents for containerized environments like Kubernetes, where one security agent monitors and secures Kubernetes Pods, as well as the Kubernetes node itself. We can also have embedded security agents that monitor and secure serverless functions such as Lambda, or even security agents that provide process-level security and API-level security.
Agentless security is an approach that leverages security signals obtained via cloud APIs, such as network flows, DNS flows, cloud API access audit logs, or application API access logs. Collecting data from those security signals incurs a lower operational cost than agent-based security, but it can come with some limitations. For instance, in application security, the agentless approach has fewer security signals to analyze, and may not support some threat detection techniques such as process system call analysis.
Should I use agents to secure my cloud applications?
So should you be using agents, or not? The answer really boils down to how wide and deep a detection and protection fabric you want to cast, and how many skilled personnel are available to deploy and operate various security controls and respond to security incidents.
Agents provide a greater level of detail, and are generally your best bet when it comes to preemptive prevention of fine-grained policy-based controls such as network segmentation. However, they also require additional effort and overhead to manage the agents themselves with regular updates and configurations.
The agentless approach is excellent at correlating, segmenting, and analyzing data from various workloads, as it does not rely on sharing resources with the monitored workloads. That said, you’re going to sacrifice depth of coverage at certain layers of the stack as a trade-off to relatively lower operational overhead, because agentless approaches rely on cloud provider APIs, which are less granular than what host/workload or process-level agents can collect.
So to achieve comprehensive security and balance operational overhead, the recommendation is typically to leverage both technologies.
You’ll likely want to use an agentless approach to get fast and wide coverage of both risks and threats, or in places where agents can not be deployed, such as a hosted container environment like AWS Fargate or Cloud Functions. Another example would be to assess software vulnerability and detect persistent malware — which can be achieved using both technologies, but with different levels of time until detection.
Conversely, agents can be used in environments like Kubernetes where the operational overhead is relatively low, and the containerized workload granularity requires fine-grained and deeper security controls.
The decision of where to use an agent-based approach depends on what you’re trying to secure. If you’re looking to get real-time visibility into all of your cloud resources and workloads, establish a single source of “good” across your multiple cloud platforms, prioritize risk across your environments, and measure compliance against organizational and industry standards and best practices, an agentless approach like InsightCloudSec is a great choice.
The cloud giveth, and the cloud taketh away. It giveth development teams the speed and scale to get applications into production and deployment faster than ever; it taketh away security teams’ comfort that they know exactly what’s going on in their environment.
Much has been said about the inherently slippery and hard-to-pin-down nature of the cloud in recent months — who thought the word “ephemeral” would appear in as much technology content as it has in 2022? The conversation has grown more critical as high-impact open-source vulnerabilities have proliferated just as fast as multi-cloud architectures have become the standard operating model in IT.
In this context, achieving cross-environment visibility — i.e., the very thing the cloud makes difficult — has become more critical than ever. While it may seem like an uphill battle, one we’re fighting against the very nature of the cloud, there are some strategies that can help in the effort. Here are four ways to put visibility at the center of your cloud security approach and understand what’s going on in your environment with greater clarity.
1. Take an inventory
Multi-cloud environments are now the dominant model, with 89% of organizations using this approach. As distributed architectures become the norm and the number of cloud providers in play at any given organization continues to climb, it becomes difficult to understand exactly what services are in use at any given time. This is where the problem of cloud visibility really starts — “What services are actually in our environment?” becomes a complex question to answer.
Parting the clouds of confusion and gaining visibility begins with getting a complete asset inventory, so you can understand what components are in your environment and clearly evaluate the risk associated with them.
That’s why it’s critical that your cloud security solution can provide a single, standardized asset inventory across all cloud service providers. This capability provides the foundation for many of the subsequent steps that help promote visibility for security teams, including consolidating policy management and spotting cloud misconfigurations.
2. Monitor from one vantage point, not many
With a cohesive inventory of all cloud assets in place, the next step is to monitor the environment — and as you might have guessed, monitoring from a centralized hub is another key way to promote big-picture visibility. But with multiple cloud providers and SaaS solutions, each with their own data and dashboards, actually achieving that consolidated view is easier said than done.
A cloud security tool that provides centralized monitoring can let you see the full picture of activity across a multi-cloud environment. This level of clarity will help you evaluate risks not just at the level of an individual cloud service but holistically, in the environment as a whole. And with developers working in a variety of platforms to innovate and iterate as quickly as possible, centralized monitoring also helps you quickly identify and remediate any issues that arise during development, such as unwanted configurations or compliance issues.
3. Prioritize risks through analytics
Alert fatigue is one of the biggest contributors to the noisiness that inundates security teams. Security operations center (SOC) analysts know this all too well when they’re faced with huge volumes of alerts from a security incident and event management (SIEM) solution. Especially when there’s a continued shortage of cybersecurity talent, there just aren’t enough hours in the day to chase down every alert.
A similar effect can take hold when monitoring cloud environments for risks and vulnerabilities. With increased complexity thanks to a growing number of services and a multitude of endpoints, how do you know what risks to prioritize and tackle first?
Analytics can help shed light on this often-cloudy picture, utilizing algorithms to set a baseline for “normal” activity, spot anomalies, and prioritize them based on severity. It’s one way to gain context into the data without actually being able to get the whole story as quickly as you need it. Some cloud security solutions provide these insights through integrations with cloud service provider (CSP) tools like Amazon GuardDuty, which continuously monitors for malicious activity in AWS environments.
4. Embrace automation
The first three steps are all about how security teams can collect and interpret data to more fully understand their cloud environments — but data is only as good as what you do with it. That’s where automation comes in: It helps standardize the remediation steps that occur after a security risk is identified.
Automation is often thought of as a means to increase speed and efficiency — and that’s certainly true. Being able to automatically set specific remediation actions in motion when a threat is detected can help reduce the time and effort it takes to mitigate the issue and reduce its potential impact. But automation can also be a key toward improving visibility.
When you’re looking back at a now-resolved security issue, understanding the timeline and sequence of events often becomes a hazy picture, especially when your team is working with increased urgency and speed. If you’ve set up automated actions as a standardized part of the remediation process, you won’t need to ask as many questions about what mitigation steps were taken, when, and who authorized them. There will surely be a large human element involved in mitigating cloud security issues, but automation can help provide structure and repeatability to the effort, streamlining the effort and reducing the number of places where confusion can creep in.
How are you handling cloud visibility challenges?
How to secure cloud environments effectively is an ongoing, dynamic conversation, and new difficulties surely lie ahead — but when security practitioners face challenges, they tend (rightly) to turn to their best and most reliable resource: each other.
What kinds of challenges is your team facing when it comes to achieving visibility in the cloud? Come chat with us at AWS re:Inforce on July 26-27, 2022 — we want to hear how you’re tackling these issues as you work toward fully cloud-native security.
Identity and access management (IAM) is one of the most critical tools for today’s cloud-centric environment. Businesses’ IT architectures have become more highly distributed than ever, and users need to access a growing suite of cloud services on demand. Determining the identities of users and resources, and what services each user needs access to, is critical to cloud-native security. It provides the basis for enforcing the principle of least privilege, which aims to minimize risk by giving each user the lowest level of access they need without limiting their job effectiveness or reducing productivity.
But getting an IAM solution up and running comes with its own headaches and stresses — especially in the context of complex cloud environments. Here are three of the main challenges that security teams face when implementing a cloud IAM solution, as well as some strategies to help tackle them.
1. Onboarding without errors
The first step is always the hardest, right? Getting your entire team onboarded with the correct level of access is the earliest snag many organizations hit with IAM.
Obviously, large enterprises with huge numbers of employees will likely feel this pinch more than others. But with cloud complexity now fully entrenched at even small and mid-sized organizations, making sure each team member has the correct level of access to the right applications on day one can seem like an overwhelming task, no matter how large your team. The stakes of a misstep here are high: Improperly configuring user access not only introduces risk, it can also slow down employees in their critical tasks — hindering the business’s ability to provide value for customers.
One of the keys to success here is having a tool that makes it easy to adhere to the principle of least-privileged access. Role-based access controls, for example, help assign user rights in an automated way based on the team member’s job function and department. This can help take some pressure off the security team to stay up-to-the-minute on every employee’s access and allows necessary changes to be made faster.
That’s a whole lot of solutions to integrate with your IAM platform — and if every user currently has a separate, distinct identity when they sign on to each application, the numbers grow exponentially. When implementing IAM, network administrators need to take full stock of all cloud services in play, as well as ensure any new services that teams subsequently bring on board are integrated with IAM. At large, growing companies where things move quickly, that can mean provisioning several new services per week or per month.
To help alleviate these issues and reduce complexity, it’s critical to integrate your IAM platform with a single sign-on (SSO) tool that allows users to access SaaS applications with a single identity, linked to a central directory. While there are still quite a number of integrations necessary to make this happen, the one-two punch of IAM and SSO provides much-needed structure to that complex picture. It also helps out the end user, providing them the convenience of only needing one sign-on identity to access all their critical applications.
3. Maintaining and auditing identities
In cloud computing as in life, change is the only constant. Not only are organizations onboarding new cloud services all the time, but they also see employees leave, change roles, switch offices, and transition to fully remote work. Any of these actions may bring about some needed adjustment in a team member’s access permissions.
IAM can’t be a set-it-and-forget-it solution. Improperly provisioning and deprovisioning users — i.e., granting access where it may not be needed, or failing to remove access when an employee leaves or switches teams — can lead to major gaps in an organization’s risk profile. It can allow the proliferation of so-called “zombie accounts,” identities that still exist for users who are inactive. It can also result in an excess of admin accounts, giving users the highest level of access even if they may not need it.
Automation is one of the best tools to help security teams circumvent issues associated with out-of-date identities and improper access provisioning. If you have rules set up for reducing or removing access privileges when an employee leaves, for example, you can get ahead of the problem before it grows. Behavioral analytics can also be immensely helpful in spotting dormant accounts or removing access to applications and services that haven’t been used for a prolonged period of time. It can also help identify unusual user actions, which could indicate an account has been provisioned incorrectly.
What cloud IAM issues are you facing?
Complexity is the tradeoff of the flexibility and scale that cloud architectures offer — which makes it all the more important to streamline wherever possible. Having a unified solution that provides IAM alongside the other key elements of cloud security can save security teams a lot of time and stress, helping them identify and remediate risks more quickly.
What kinds of IAM challenges is your team facing? Come chat with us at AWS re:Inforce on July 26-27, 2022 — we want to hear how you’re tackling IAM as you work toward fully cloud-native security.
There has been an unprecedented acceleration in the shift to the cloud as a result of the COVID-19 pandemic. McKinsey experts estimate companies have moved to the cloud “24 times faster […] than they thought” over the past two years. As organizations move quickly to scale, drive innovation, and revamp the way they engage with their consumers by moving to the public cloud, there is an increasing need for a security strategy that aligns with the varied states of organizations’ maturity in their usage and adoption of the cloud.
Modern cloud environments are complex and require multiple areas of focus, including security, application modernization, reduction of infrastructure overhead, accelerating software delivery, maintaining compliance, and countless more. All of these are critical to realizing the end goals of cloud adoption: increased speed, flexibility, and performance. Rapid cloud adoption without the appropriate visibility and automated security controls will lead to imminent exposure and vulnerability.
Whose responsibility is cloud security?
When it comes to cloud environments, security and compliance are a shared responsibility between the cloud service provider (CSP) and the customer’s internal security team. In the typical shared responsibility model, cloud providers are responsible for the security OF the cloud. This essentially means they are on the hook to make sure the actual underlying resources you’re using – such as a storage bucket or a compute instance – or the physical hardware sitting in their data centers aren’t a security threat.
So, if the provider is responsible for security of the cloud itself, what falls to the customer? Customers are responsible for security IN the cloud, meaning they are responsible for making sure their own data – and their customers’ data – is properly secured. Generally speaking, this means keeping track of how various resources and services are configured properly; identifying and remediating exploitable vulnerabilities; managing identity and access management (IAM) policies to maintain least privilege access; and utilizing encryption for data, whether it’s at rest, in transit, or even in use.
So why is it that such a large majority of breaches are the fault of the customer if the responsibility is shared? There are a few drivers behind this, but it’s primarily because the goal of most bad actors is to gain access to sensitive and potentially lucrative customer data, which falls outside of the responsibility of the cloud provider.
I know what you’re thinking: “The answer is simple – just don’t leave a cloud resource housing sensitive data exposed to the public internet.” That’s, of course, the intent of any well-meaning engineer. That said, mistakes are unfortunately quite common. As engineers and developers work at light speed to bring new products to market, it can be very easy for security and compliance to fall through the cracks, especially as powerful new cloud capabilities enable infrastructure to be implemented with the click of a mouse.
This is consistent with our own research in our 2022 Cloud Misconfigurations Report, in which we found the most commonly breached resources were those that were secure and private by default, such as a storage bucket. This suggests human error played a pivotal role in leaving data exposed.
Prioritizing risk requires a unified approach to cloud security
The scale and complexity of modern cloud environments make it impossible to respond to every alert and potential issue that arises. So, what can you and your team do to make sure you’re not vulnerable to attack?
The key is context.
It is imperative for organizations to think of cloud security holistically so that they can understand their true risk exposure. Organizations need to be able to easily prioritize the issues that are the most critical to fix right away from the flood of alerts and incidents that are calling for their teams’ attention.
The question that needs answering seems simple, yet can be quite complex: “What are the biggest threats to my cloud environment today, and how do I mitigate them?” As mentioned earlier, it is not sufficient anymore to look at an issue through a single lens. Without a unified approach to cloud security, you could be leaving your organization and the systems it relies on in jeopardy.
This means examining not just the risks associated with a workload itself, but a holistic mapping of all resource interdependencies across your environment to understand how one compromised resource may impact others. It means taking into consideration whether or not a given resource is connected to the public internet, or whether there is potential for improper access to potentially sensitive information. There is also business context that needs to be taken into account, where an understanding of resource ownership and accountability can highlight relevant stakeholders that need to be looped in for remediation or audits and provide color as to potential business impact.
See? Simple – yet complex.
Extend this concept across millions of resources spanning hundreds of cloud environments, architectures, and technologies, and you have the complexity of cloud security today. It is therefore a non-negotiable starting point to have a consolidated, weighted, and standardized view of risk to one’s cloud estate. This can only be accomplished by gathering and analyzing all of the relevant data in a single solution that helps you see the full context – and passing that context along to other teams like DevOps – so that organizations can start being more strategic about prioritizing and remediating risks in their environment.
While there are many cloud security tools and vendors that focus on various aspects of cloud security, such as misconfigurations, vulnerabilities, access permissions, and exposure to the internet, very few offer a holistic understanding of all of the above combined to provide a “true” understanding of risk.
A holistic approach to cloud security with InsightCloudSec
Maintaining visibility can only get you so far from a security perspective. Given the sheer volume of monitored resources, chances are without an effective strategy to prioritize the flood of alerts cloud environments produce, your teams won’t know where to start.
The cloud is here to stay, and it is ever-changing. As cloud security and technologies evolve, so do attempts by bad actors to breach it. It is crucial for organizations to invest in best practices and automated cloud security throughout the development lifecycle. Cloud architectures and initiatives must be built on solid risk detection, prioritization and management processes, and platforms that provide seamless and real-time visibility into the true risk posture of the organization.
Increasingly, organizations want to focus their efforts on activities that increase their bottom line and competitive advantage. They simply don’t have the time to sift through multiple lines of code, teams, and repositories to understand the breadth and depth of risks associated with their cloud estate. Cloud security has to be looked at holistically to understand its true impact and threat to the organization.
That’s the difference with InsightCloudSec. We go beyond providing visibility to help organizations uncover the most critical threats facing their cloud ecosystem and provide guidance toward prioritization and response based on the true, holistic risk across multiple security domains. With a higher signal-to-noise ratio, development teams will be able to detect, understand, prevent, prioritize, and respond to threats better and faster, enabling them to build safely and efficiently in a multi-cloud environment.
Interested in learning more? Don’t hesitate to request a free demo!
Register now with discount code SALXTDVaB7y to get $150 off your full conference pass to AWS re:Inforce. For a limited time only and while supplies last.
Today we’re going to highlight just some of the sessions focused on threat detection and incident response that are planned for AWS re:Inforce 2022. AWS re:Inforce is a learning conference focused on security, compliance, identity, and privacy. The event features access to hundreds of technical and business sessions, an AWS Partner expo hall, a keynote featuring AWS Security leadership, and more. AWS re:Inforce 2022 will take place in-person in Boston, MA on July 26-27.
AWS re:Inforce organizes content across multiple themed tracks: identity and access management; threat detection and incident response; governance, risk, and compliance; networking and infrastructure security; and data protection and privacy. This post highlights some of the breakout sessions, chalk talks, builders’ sessions, and workshops planned for the threat detection and incident response track. For additional sessions and descriptions, see the re:Inforce 2022 catalog preview. For other highlights, see our sneak peek at the identity and access management sessions and sneak peek at the data protection and privacy sessions.
Breakout sessions
These are lecture-style presentations that cover topics at all levels and delivered by AWS experts, builders, customers, and partners. Breakout sessions typically include 10–15 minutes of Q&A at the end.
TDR201: Running effective security incident response simulations Security incidents provide learning opportunities for improving your security posture and incident response processes. Ideally you want to learn these lessons before having a security incident. In this session, walk through the process of running and moderating effective incident response simulations with your organization’s playbooks. Learn how to create realistic real-world scenarios, methods for collecting valuable learnings and feeding them back into implementation, and documenting correction-of-error proceedings to improve processes. This session provides knowledge that can help you begin checking your organization’s incident response process, procedures, communication paths, and documentation.
TDR202: What’s new with AWS threat detection services AWS threat detection teams continue to innovate and improve the foundational security services for proactive and early detection of security events and posture management. Keeping up with the latest capabilities can improve your security posture, raise your security operations efficiency, and reduce your mean time to remediation (MTTR). In this session, learn about recent launches that can be used independently or integrated together for different use cases. Services covered in this session include Amazon GuardDuty, Amazon Detective, Amazon Inspector, Amazon Macie, and centralized cloud security posture assessment with AWS Security Hub.
TDR301: A proactive approach to zero-days: Lessons learned from Log4j In the run-up to the 2021 holiday season, many companies were hit by security vulnerabilities in the widespread Java logging framework, Apache Log4j. Organizations were in a reactionary position, trying to answer questions like: How do we figure out if this is in our environment? How do we remediate across our environment? How do we protect our environment? In this session, learn about proactive measures that you should implement now to better prepare for future zero-day vulnerabilities.
TDR303: Zoom’s journey to hyperscale threat detection and incident response Zoom, a leader in modern enterprise video communications, experienced hyperscale growth during the pandemic. Their customer base expanded by 30x and their daily security logs went from being measured in gigabytes to terabytes. In this session, Zoom shares how their security team supported this breakneck growth by evolving to a centralized infrastructure, updating their governance process, and consolidating to a single pane of glass for a more rapid response to security concerns. Solutions used to accomplish their goals include Splunk, AWS Security Hub, Amazon GuardDuty, Amazon CloudWatch, Amazon S3, and others.
Builders’ sessions
These are small-group sessions led by an AWS expert who guides you as you build the service or product on your own laptop.
TDR351: Using Kubernetes audit logs for incident response automation In this hands-on builders’ session, learn how to use Amazon CloudWatch and Amazon GuardDuty to effectively monitor Kubernetes audit logs—part of the Amazon EKS control plane logs—to alert on suspicious events, such as an increase in 403 Forbidden or 401 Unauthorized Error logs. Also learn how to automate example incident responses for streamlining workflow and remediation.
TDR352: How to mitigate the risk of ransomware in your AWS environment Join this hands-on builders’ session to learn how to mitigate the risk from ransomware in your AWS environment using the NIST Cybersecurity Framework (CSF). Choose your own path to learn how to protect, detect, respond, and recover from a ransomware event using key AWS security and management services. Use Amazon Inspector to detect vulnerabilities, Amazon GuardDuty to detect anomalous activity, and AWS Backup to automate recovery. This session is beneficial for security engineers, security architects, and anyone responsible for implementing security controls in their AWS environment.
Chalk talks
Highly interactive sessions with a small audience. Experts lead you through problems and solutions on a digital whiteboard as the discussion unfolds.
TDR231: Automated vulnerability management and remediation for Amazon EC2 In this chalk talk, learn about vulnerability management strategies for Amazon EC2 instances on AWS at scale. Discover the role of services like Amazon Inspector, AWS Systems Manager, and AWS Security Hub in vulnerability management and mechanisms to perform proactive and reactive remediations of findings that Amazon Inspector generates. Also learn considerations for managing vulnerabilities across multiple AWS accounts and Regions in an AWS Organizations environment.
TDR332: Response preparation with ransomware tabletop exercises Many organizations do not validate their critical processes prior to an event such as a ransomware attack. Through a security tabletop exercise, customers can use simulations to provide a realistic training experience for organizations to test their security resilience and mitigate risk. In this chalk talk, learn about Amazon Managed Services (AMS) best practices through a live, interactive tabletop exercise to demonstrate how to execute a simulation of a ransomware scenario. Attendees will leave with a deeper understanding of incident response preparation and how to use AWS security tools to better respond to ransomware events.
Workshops
These are interactive learning sessions where you work in small teams to solve problems using AWS Cloud security services. Come prepared with your laptop and a willingness to learn!
TDR271: Detecting and remediating security threats with Amazon GuardDuty This workshop walks through scenarios covering threat detection and remediation using Amazon GuardDuty, a managed threat detection service. The scenarios simulate an incident that spans multiple threat vectors, representing a sample of threats related to Amazon EC2, AWS IAM, Amazon S3, and Amazon EKS, that GuardDuty is able to detect. Learn how to view and analyze GuardDuty findings, send alerts based on the findings, and remediate findings.
TDR371: Building an AWS incident response runbook using Jupyter notebooks This workshop guides you through building an incident response runbook for your AWS environment using Jupyter notebooks. Walk through an easy-to-follow sample incident using a ready-to-use runbook. Then add new programmatic steps and documentation to the Jupyter notebook, helping you discover and respond to incidents.
TDR372: Detecting and managing vulnerabilities with Amazon Inspector Join this workshop to get hands-on experience using Amazon Inspector to scan Amazon EC2 instances and container images residing in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities. Learn how to manage findings by creating prioritization and suppression rules, and learn how to understand the details found in example findings.
TDR373: Industrial IoT hands-on threat detection Modern organizations understand that enterprise and industrial IoT (IIoT) yields significant business benefits. However, unaddressed security concerns can expose vulnerabilities and slow down companies looking to accelerate digital transformation by connecting production systems to the cloud. In this workshop, use a case study to detect and remediate a compromised device in a factory using security monitoring and incident response techniques. Use an AWS multilayered security approach and top ten IIoT security golden rules to improve the security posture in the factory.
TDR374: You’ve received an Amazon GuardDuty EC2 finding: What’s next? You’ve received an Amazon GuardDuty finding drawing your attention to a possibly compromised Amazon EC2 instance. How do you respond? In part one of this workshop, perform an Amazon EC2 incident response using proven processes and techniques for effective investigation, analysis, and lessons learned. Use the AWS CLI to walk step-by-step through a prescriptive methodology for responding to a compromised Amazon EC2 instance that helps effectively preserve all available data and artifacts for investigations. In part two, implement a solution that automates the response and forensics process within an AWS account, so that you can use the lessons learned in your own AWS environments.
If any of the sessions look interesting, consider joining us by registering for re:Inforce 2022. Use code SALXTDVaB7y to save $150 off the price of registration. For a limited time only and while supplies last. Also stay tuned for additional sessions being added to the catalog soon. We look forward to seeing you in Boston!
Building applications in the cloud has been great for development speed and scalability, but it can sometimes feel more like a sustained migraine for security teams. How do you keep your cloud applications safe without resorting to a dizzying patchwork of overlapping tools and dispersed services?
Gartner® research on “Innovation Insight for Cloud-Native Application Protection Platforms” breaks down the core capabilities required to effectively reduce risk in your cloud environment, and how they might come together into a single solution or ecosystem to relieve your security headaches.
You can read the full report here. But if you’re tight for time, or just want to get a preview first, we’ve got you covered in this post.
At a high level, here’s what Gartner found in its research into cloud-native application protection platforms (CNAPP):
“To support [digital] initiatives, developers have embraced cloud-native application development, typically combining microservices-based architectures built using containers, assembled in DevOps-style development pipelines, deployed into programmatic cloud infrastructure and orchestrated at runtime using Kubernetes and maintained with an immutable infrastructure mindset. This shift creates significant challenges in securing these applications.”
“The unique characteristics of cloud-native applications makes them impossible to secure without a complex set of overlapping tools spanning development and production,” including infrastructure as code (IaC) scanning, cloud workload protection platforms (CWPP), cloud infrastructure entitlement management (CIEM), cloud security posture management (CSPM), and container management.
“Understanding and addressing the real risk of cloud-native applications requires advanced analytics combining siloed views of application risk, open-source component risk, cloud infrastructure risk, and runtime workload risk.”
Gartner also has a few recommendations for how to handle this new security paradigm:
“Implement an integrated security approach that covers the entire life cycle of cloud-native applications, starting in development and extending into production.”
“Integrate security into the developer’s toolchain so that security testing is automated as code is created and moves through the development pipeline, reducing the friction of adoption.”
“[Security and risk management] leaders should evaluate emerging cloud-native application protection platforms that provide a complete life cycle approach for security.”
Basically, securing app development in the cloud effectively is going to require tools that let you consolidate core security functions, get a clear view of your environment (and the risks it may contain), and empower your developers to incorporate security into the security pipeline.
So, what’s our take?
CNAPP represents the next evolution of cloud security through the unification of previously siloed feature sets or solutions. In previous years, just having tools that did one or more of these core functions provided by separate vendors was “good enough.” But over time, as cloud security programs across enterprises continued to scale and mature, it became clear that the dispersed nature of these tools made it extremely difficult, if not impossible, to get a true understanding of risk across complex cloud environments and make meaningful progress in operationalizing cloud security.
CNAPP is essentially a mindset that can save organizations from having to deploy a new set of technologies. It’s the idea that teams need a consolidated view of the different risks in their environment at the infrastructure, workload, orchestration, or API level, as well as unified workflows and automation capabilities to effectively mitigate those risks.
The reality today, however, is that very few vendors can actually live up to the high bar that Gartner has set with CNAPP. The capabilities shown on the diagram above are extremely wide-ranging and span across multiple teams (DevSecOps and more) within an organization.
CNAPP is about more than just identifying a shopping list of capabilities that your security team needs. When considering how to build out a program to protect cloud-native applications, security teams should focus on driving toward a set of outcomes they hope to achieve. Gartner doesn’t define these outcomes in their CNAPP report, but based on our experience working with some of the most sophisticated cloud and application security teams in the world, some of those desired outcomes may include:
An up-to-date, easily maintainable inventory of all infrastructure, workloads, and apps that make up your organization’s entire cloud footprint
Centralized reporting on risk across the full application stack, including open-source and third-party components
Ongoing, real-time monitoring of suspicious or malicious activity at both the application and infrastructure levels
Integration into the development team’s CI/CD pipeline in order to prevent risks at scale before code is deployed
Automated workflows, both for notification and remediation, to detect and respond to threats as quickly as possible, with minimal human intervention
Each team’s list of outcomes will vary slightly depending on operational maturity, compliance requirements, size and complexity of the cloud environment, and what types of applications they are protecting. Keeping these five outcomes top of mind while evaluating solutions will help your team build from a solid foundation and avoid simply checking boxes off a long list of capabilities.
CNAPP may be a mindset shift first and foremost – but at the end of the day, the capabilities needed to achieve this more holistic approach to cloud and application security have to live somewhere within your technology stack. A unified platform that supports all these needs can help break down unnecessary silos and make it easier to contextualize your security data across the entire cloud infrastructure.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Gartner, Innovation Insight for Cloud-Native Application Protection Programs, by Neil MacDonald, Charlie Winckless, 25 August 2021
By continuing to use the site, you agree to the use of cookies. more information
The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.
![[Security Nation] Chris Levendis and Lisa Olson on Cloud CVEs](https://blog.rapid7.com/content/images/2022/09/security_nation_logo.jpg){kind=logo}
![[Security Nation] Chris Levendis and Lisa Olson on Cloud CVEs](https://blog.rapid7.com/content/images/2022/09/image2-2.png)
![[Security Nation] Chris Levendis and Lisa Olson on Cloud CVEs](https://blog.rapid7.com/content/images/2022/09/image1.jpg)
![[VIDEO] An Inside Look at AWS re:Inforce 2022 From the Rapid7 Team](https://blog.rapid7.com/content/images/2022/07/aws-experience-video.jpg)
![[VIDEO] An Inside Look at AWS re:Inforce 2022 From the Rapid7 Team](https://play.vidyard.com/6hfyFPDQMUmPuNW4fARLWD.jpg)
![[VIDEO] An Inside Look at AWS re:Inforce 2022 From the Rapid7 Team](https://play.vidyard.com/UH5i67HA1cChhyxVQy8Uku.jpg)
