A holistic approach to managing cyber assets and extending your security posture
John Richards, Paladin Cloud’s Head of Developer Relations, gave an On-Demand Webinar for CNCF.
The slide deck is available if you would like to follow along.
Transcript:
Welcome to this talk, a holistic approach to managing cyber assets and extending your security posture.
Hello! I’m John Richards, the head of developer relations at Paladin Cloud, an open-source security-as-code platform.
Here are a few facts about me.
In addition to a love of discussing tech and security, I have four cats and am always down for board games or escape rooms.
Ok, enough about me; let’s discuss why we’re here today.
Here’s the agenda:
- Digital Transformation
- Shared Cloud Responsibility
- Attack Surface
- Cloud Management
- Security Efficacy
- OSS Tooling Demo
“A Holistic approach to managing cyber assets and extending your security posture.”
That’s a mouthful, so let’s break it down into three parts.
- A Holistic Approach
- Characterized by the belief that the parts of something are interconnected and can be explained only by reference to the whole.
- What does this mean in the context of Cyber Assets? First, looking at only one asset or facet can be deceiving.
- For example, I was looking to fix an S3 bucket that reported a port exposed to the public. But when I dug deeper, I realized it was unused. So the real solution was to remove the entire asset.
- Similarly, attackers are looking at more than compromising a single asset, but rather how to use a single compromised asset to move laterally into other parts of an organization’s infrastructure.
- Managing Cyber Assets
- NIST: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes.
- This is a short sentence but a broad list! We’ll talk more about this, but it’s safe to say that this list includes all data, access management, computing, applications, and infrastructure.
- Basically everything
- Extending Security Posture
- NIST: “The security status of an enterprise’s networks, information, and systems based on information security resources… and capabilities in place to manage the defense of the enterprise and to react as the situation changes.”
- Do you see that dot dot dot(…) after security resources? I removed the example list to fit on the slide, but it was functionally the list from cyber assets.
- Security isn’t static, as the threats and risks around it constantly evolve.
- We’ll explore understanding what that looks like and why we must ensure it covers those cyber assets above.
How did we get here?
Moving to the cloud brings many benefits to organizations.
Digital transformation, or moving to the cloud, allows organizations greater scalability and flexibility, which helps organizations respond quickly to changing business needs.
The specifics vary by organization, but they fall into three big buckets we’ll discuss later: operations, security, and cost.
However, as organizations move more of their operations to the cloud, it is crucial that their security posture is maintained and that cyber assets are appropriately managed and secured. A holistic approach to security ensures that all aspects of an organization’s cloud environment are monitored and protected against potential threats.
Let’s start with this concept of digital transformation. Digital transformation has been going on for a while.
Developers needed computing resources for their applications; in the past, that was all built locally. So we had all this on-premise infrastructure, and that meant requesting an operations team to handle requisitioning and provisioning the assets needed by the teams developing applications.
When we talk about efficiency in the cloud, a lot of that is DevOps, the ability for developers to spin up environments on demand quickly. As cloud computing becomes available, the efficiency and cost saving of not needing a whole ops team become more and more attractive.
Organizations began to realize the value of digital transformation but now needed to figure out how to accomplish that.
There are three main ways to tackle digital transformation.
- Lift & Shift (Migration): Moving existing applications to the cloud with minimal changes. Use this strategy when the goal is to reduce costs, increase scalability, or are under a time crunch.
- Re-architecture: Involves reimagining existing applications to take advantage of cloud-native features. Use this strategy when the goal is to improve performance, scalability, and flexibility.
- Cloud-native: Involves building new applications from the ground up using cloud-native technologies and architectures. Use strategy when the goal is to achieve maximum scalability, performance, and flexibility and have the capacity to begin building new applications.
Some organizations hybrid their approach taking different strategies for different applications. Choosing which one is correct for an organization should be based on their goals for why they are moving.
At a previous employer, our digital transformation from on-premises architecture to the cloud was primarily to modernize our IT infrastructure, increase efficiency, and reduce costs. We took the lift and shift route, which worked to reduce costs and increase scalability, but since we recreated our same processes in the cloud, we didn’t gain much performance and flexibility. However, since we were now on the cloud, we had those options open to us in the future if we wanted to invest in them.
Organizations move to the cloud for many reasons, but they usually boil down to one of these.
- Time to Value – Speed and efficiency are big motivators; we already discussed how the change in the operations model could provide faster value by removing extra steps.
- Elasticity – Scalability is enormous. Being ready for and available for crucial moments. Where I worked previously, we hosted the presidential debates. Those would cause huge spikes in traffic, so we needed to scale up to handle the load. But we didn’t need that all the time, so the cloud’s scalability was a huge draw for us.
- Innovation – Using new cloud services can allow teams to create things that seemed impossible to implement in a non-cloud environment.
- Cost – Moving to the cloud can reduce the need for human and machine resources, resulting in cost savings. This can be very appealing. But, remember, digital transformation isn’t a magic wand. Done poorly, teams may find themselves spending even more money and finding those humans were providing value in places automation can’t. The risk of going backward from “Done poorly” applies to all of these, especially the next one.
- Security – By offloading security to the cloud provider, overall security can be increased. The cloud also brings its swath of security concerns.
Let’s look at what that Security responsibility split looks like
Here’s an example from AWS, but of course, GCP, Azure, and other cloud providers have very similar approaches, where certain security aspects are offloaded to the cloud Provider, and other elements are still owned by the customer.
AWS talks about this in terms of responsibility for
security “of” the cloud and responsibility for
security “in” the cloud.
I once woke from a sound sleep to a rustling sound while spending the night alone in a hotel room. I freaked out! Then I realized the source; I had accidentally left the door to a shared patio open m, and a breeze was rustling some papers I had left out. While the hotel had provided security OF my room, there was a lock on the door; I had failed to handle security IN my room by leaving it wide open. Thankfully nothing happened, but it was a vivid reminder of my role in my security.
Being on the cloud opens up all kinds of new threat vectors. AWS gives some broad examples of what you need to secure, but this list is just a start.
That fantastic time to first value from dynamic cloud environments means it is also really easy to misconfigure or lose track of things.
The data shows that Enterprises are struggling with managing security and compliance inside of the cloud. Gartner reported that nearly all successful attacks on cloud services result from customer misconfiguration.
They estimate enterprises could avoid 80% of misconfigurations by adopting security posture management over their clouds.
CISOs and security teams have a lot to deal with, but these are the top ones we hear right now.
- Identify threat vectors in the cloud to mitigate risks & prevent data breaches.
- Ensure protection over sensitive data
- Focus on threat intelligence, risk assessments
- Proactively monitor cloud risks with automation to ensure compliance
How can organizations get a handle on this? The first step is for them to begin to understand their attack Surface.
Understanding your attack service starts with a thorough and complete cyber asset inventory.
An inventory has been a fairly common practice with physical assets, but the cloud changed everything. Think about the definitions we discussed at the start. What is a cyber asset? “NIST: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes”
It’s really everything. It’s configuration. It’s your databases, your Api’s, your clusters, your security groups, your accounts; Everything in the cloud becomes a cyber asset.
Your attack surface has changed from a perimeter, like a castle wall with a moat, to a living life-form.
Our attack surface is now like a coral reef that is constantly changing, growing, and shifting; it’s an ecosystem.
In the past, the attack surface was a static entity. You were able to build a wall around it, add in a moat, and keep the bad folks out. As long as nothing got past your perimeter, you were confident you hadn’t been breached. At its most rigorous, this idea of air gap security worked exceptionally well; but now the internet connects everything. We’ve moved to this new dynamic world, and that brings all kinds of unknown risks. We no longer have a wall. The moat is gone. Our perimeter is tens of thousands of entry points into our inter-sanctum. We have the capabilities for developers to spin up entire stacks at once, each with its own whole level of complexity and security concerns. We’re also dealing with high-tech threat actors and nation-states making security attacks at a scale that we’ve not seen before.
Our attack surface is no longer static, it is a living entity, and we have to realize we will never go back, and that has meant a move to defense in depth, implementing network security via stacks of controls. All kinds of security tools are being used now. As this proliferation of tools comes online to monitor all of our assets, we find out that we now need a way to monitor and consolidate the data from those tools. Otherwise, teams become overwhelmed by so many tools and data sources coming at them. Overwhelmed teams bulk at adoption and resist improvements to security. Digital Transformation is just as much about a culture shift as a technology shift. So how do you facilitate cultural and technological change?
Create a group dedicated to Cyber Asset Management.
Time and again, we see that successfully managing cyber assets involves a self-governing group forming in the middle of an organization. The group goes by different names “the cloud center of excellence”, “DevSecOps”, “cloud governance team,” or something else that aligns with the organization’s culture. The name isn’t what’s important, it’s the impact it brings. This group focuses on the 3 key things to governing in the cloud: Operation – Cost – Security. They consolidate best practices from internal and external sources and proliferate that to the rest of the organization.
Operation is defining how teams carry out day-to-day activities within the cloud. What they can and can’t do.’
Cost is about using organizational resources efficiently. How do you make sure groups aren’t throwing money way? In my personal cloud, I forgot to do cleanup after a project and made the mistake equivalent of “leaving the water running while on vacation” to come find a massive bill at the end of the month. Proper cloud hygiene and optimizing for discounts or credits can save organizations large amounts of money.
Security – making sure to minimize risk and protect against threats.
This group is answering the question of, “what does a healthy cloud model look like?”
To answer what healthy looks like requires understanding what the organization wants to do, and how it should operate within the cloud. At any organization large enough to need a cyber asset management group, this isn’t something that is done in a day or even a week.
They need to consider their transition strategy. For example, their goal might be to move to a completely federated workspace in the cloud. If so that will be a factor in the policies they need to have.
This group must tackle the challenge that Important security concepts are often far more aspirational than prescriptive.
Consider the United States government’s executive order on security and implementing things like Zero-Trust and Software bill of materials. It calls for plans for making those happen rather than defining their implementation. It doesn’t mean these concepts aren’t real, but we as a community of practitioners aren’t yet sure what the best way to do all these things is.
Similarly, organizations are faced with defining their plans to get to Zero-Trust. How will they ensure they are implementing least privileged access? Can they be sure users only have access to what they need? It means already assuming networks have been compromised because we no longer trust the idea of a castle wall perimeter keeping attackers out.
Organizations like CNCF and OSSF are crucial to the security ecosystem of the web.
They help shape these aspirational goals, define best practices, and give direction to teams looking to implement these practices.
Realize, this is really hard to do. The Cyber Asset Management team needs support to succeed. When implementing Cyber Asset Management, teams need to have the time to do it right, they need to have support from leadership to implement hard choices, And they need to have developer buy-in.
To make that cultural shift happen, they need to be sure developers are included in security conversations. Developers tend to have a large amount of operational power in the cloud, to spin up the assets they need to work.
Teams can often go to the cloud provider and spin up an entire environment or even provision out a whole Kubernetes cluster. It’s not unheard of for teams to then move on, and those assets get left behind, creating operational, cost, and security problems. Therefore, Developer engagement is critical to implementing Cyber Asset Management and extending your security posture.
The good news is most developers want to be secure; Sometimes they just need someone to give them the okay to work on it. It’s also complex; teams often need to be informed on how they can begin tackling such a daunting task.
There are so many tools and platforms out there. It gets overwhelming. There are many cloud providers, and teams are often running multi-cloud. We have vulnerability scanners, Identity management, code scanners, Kubernetes management, asset management, database management, data compliance, and large numbers of SaaS suites.
A 2020 Blissfully survey found that medium organization average 185 SaaS tools.
We do need lots of tools, but throwing teams a whole bunch of different tools becomes overwhelming. It creates friction, and that resistance causes teams to start pushing back, delaying overall progress. By including developers in the process and providing the right information they need, they can become allies instead of roadblocks
How do we get to the “right information?” Let’s come back to our definitions again. We are looking for a holistic approach. All these cyber assets are interconnected, and we need a way to deal with them individually and collectively. And by “deal with them,” I mean we need to extend our security posture over them.
To do so,
we need a policy management plane so our Cyber Asset Management policies can holistically apply to all of our cyber assets.
We start by defining all of our cyber assets. Then we take the Cyber Asset Management policies our cloud team created and apply those across all our assets. Once that’s in place, we then automate the monitoring of those assets against our security posture so we can know the state of our cloud in real time.
The end goal is to observe and automate everything. With that in place, we can now look at our cloud and understand our attack surface. In addition, we can visualize how it is changing over time and understand the trends of our compliance.
That brings us to a concept called security efficacy.
Efficacy is the ability to produce a desired or intended result.
Let me give an example of what I mean by efficacy; I worked with an organization that adopted Qualys to do scanning on their compute instances.
They were getting good results back from their scans. They thought, ”Yay, we are secure.” Come to find out, as they began identifying all their cyber assets, there were a bunch of instances they hadn’t been aware of, and those weren’t being scanned. There was nothing wrong with the tool they chose, but the actual efficacy of that tool was far lower than they realized because they didn’t know their attack surface.
This idea of security efficacy is about getting the most out of the tools available. If we don’t have a cyber asset inventory, then we don’t have a way to verify we are taking a holistic approach. We then think we’re fully protected when we aren’t. Is our efficacy at 99%, 90% or 50%?
The news is filled with organizations with compromised assets they didn’t even know existed. This is because they were unaware of the full extent of their attack surface. Enterprises must have coverage across all their cyber assets.
The other aspect of efficacy is around time. How long are vulnerable assets sitting around? Does your Cyber Asset Management cover how long teams have to address critical issues? Is this measured in terms of hours or weeks? For example, if it takes three weeks to fix a publicly exposed asset on average, your security efficacy will be much lower than a team that addresses those within 24 hours.
Having scanning and monitoring is a step forward, but security efficacy is about understanding the effectiveness of those tools and policies. Tracking the efficacy of your security posture lets you be certain it extends over your entire attack surface.
Let’s wrap up with a review.
First, we discussed a holistic approach to managing cyber assets and extending your security posture.
We broke that down into three parts: a holistic approach, managing cyber assets, and extending security posture.
We examined how and why organizations adopt digital transformation and move to the cloud.
Then we covered how security is a responsibility shared with the cloud provider.
Moving to the cloud forever changed our attack surfaces. We have left the static castles of the past and must now secure the dynamic morphing ecosystems of modern clouds.
To deal with this new shifting reality, Organizations must understand their attack surface by identifying their cyber assets, creating holistic Cyber Asset Management policies, and then extending their security posture by automating and reporting on the efficacy of those policies.
As promised,
Here is a quick demo of Paladin Cloud
Paladin Cloud is a free open-source security-as-code platform that’s working to address these challenges. Let’s take a look at how it enables teams to manage their cyber assets.
Paladin Cloud scans your cloud infrastructure locating assets on any accounts you give it. For this demo we’ll use data from our 3 cloud providers, pulling in assets across AWS, Azure, and GCP.
Paladin Cloud has over 400 policies built-in and allows you to write custom policies for your specific organization.
Anytime an asset fails to follow one of those policies, that creates a violation.
We can see our demo accounts have just over 300 assets.
Here we can see a breakdown of our assets by criticality.
and here in the dashboard we can see a breakdown of all of our violations.
first off they’re sorted by criticality so we know what to focus on. we could see that we have 79 critical violations these are the ones that need to be addressed first. Now we get information about those so we can see that even though there’s 79 critical violations those are across just 20 policies so we’ll want to look at those policies to understand if we can get some quick wins here by locating which ones have the most violations and resolving those. We can see that that runs across 43 assets, so kind of in general each one of these assets it has two different critical violations. After that we have the average time it takes for our team to remediate these violations as they come in. We can see here we have two days to remediate critical violations. we then have our high, medium, and low violations. Working to resolve all of those.
Down here, we can see a breakdown of our total violations mapped out by severity. We can even look at the trends to understand how we’re doing over time and see if our numbers are improving. Now the different policies that we have are broken down into four categories there’s the security, which makes up the majority of our policies, but we also have policies in here around cost, saving money, operational policies, and then tagging.
Tagging is so important to understanding your cyber assets that it gets its own category and its own whole section in the UI that we’ll look at here in a couple minutes. Below that we could see the asset graph. This charts are total assets over time. This can be really helpful for understanding what your usage looks like. Do you have regular peaks and valleys? It’s also important for identifying anomalies and understanding what’s going on if you have a large drop or a large gain in assets. It’s important to know why that’s happening. It can help you do early detection of a possible breach or at least understand what your teams are doing as they’re removing or creating new assets in your environment.
Then we can get to our policy compliance overview this lists out all of our different violations by policy and tells us how many we have of each one. This is helpful when you’re trying to prioritize what what to work on. We could see our policy with the most violations is assigning mandatory tags. We’ve got a lot of work to do on tagging. We could start in here tagging things to bring this down. We might also want to look at policy by severity. We could see Deny Public Access is the critical policy that has the most violations. Another great spot for our teams to begin working.
These violation, we can dig into those. We saw we have 400 different violations. These violations, we can filter those. This is a large list, but we can come up here and filter those as needed. By the account, by severity. So let’s say we want to look just at all of our critical ones, so we can just look at those. Let’s look for ec2. We see some of those. So we can pull up just the items specific for that. Let’s dig into one of these. We’ll click in here.
So, from that list we can now dig into the specific violation. Here we can see the status is open let’s say this needed to be open for a certain amount of time. We might request an exemption, so an exemption can get added in here. I’m in the role of an admin so I can add them. If you’re a user you can only request it and have to have an admin approve that. We can see this is critical. What it is on, an ec2 instance. Importantly we have information for the specific resource here. We can look at the policy itself and that can give us some ways to remediate it. But, let’s say we’re starting to remediate this, we might dig down into this specific resource.
So, by doing this, that brings us to our assets and now we’re looking at the details for this specific ec2 instance. We get an idea of its overall compliance so we can see we’re actually doing pretty well on here except for this one very important critical item that needs to be addressed. Information over here on on where this exists. We could use that information to go in, locate this, and resolve this issue.
While we’re looking at specific assets we can look at our distribution so this gives us a heat map of all of our different assets that we. This can be really helpful to understand the proportion and how you’re using all of your different Assets in the cloud. We’ve had people come in install this, and one group found that they had tens of thousands of AMIs that they didn’t know about. As they began cleaning up those, and cleaning up their snapshots, they ended up saving over a million dollars by better understanding what their Cloud looked like. They didn’t know that all these assets were sitting out there. So understanding the layout of your your attack surface, understanding what that looks like, can be important to saving money, but also, being more secure.
Then we have the tagging section. Even if you’ve got all these different cyber assets added in here, knowing what they do is important. If they aren’t tagged, well you can just have them sitting there and not knowing the purpose, or how to handle those. So, we really want tagging to be a first-class citizen. We can see that in this, we could check our total tag compliance. We can even see our mandatory tags for our organization over here and how we’re following those. We can look at different specific asset types and dig into those. Which ones are tagged and not, and work to remediate those. Now hopefully, this has been helpful for you to understand how a team can come in here and better understand their total cyber assets. Be able to manage those and how the automation can allow them to extend their security posture over that whole attack surface.
If that interests you, check out our repository and give us a star. We’d love to hear your feedback via our Community channels. You can also contact me directly on Twitter or LinkedIn.
Thank you so much for your time today