Discover how to manage cloud permissions and configurations, detect threats in the cloud, and apply a unified approach for cloud and container threat detection.
Managing cloud permissions and configurations
As organizations mature in the cloud, the number of cloud services their teams use and the number of identity permissions that need to be managed grow exponentially. Many people refer to the services teams use to build and deliver applications as assets or resources. Configuring cloud assets, roles, and permissions quickly becomes tedious, time consuming, and error prone.
Misconfigured assets and over-privileged identities are the leading causes of security incidents, so make sure that you manage them diligently.
IT organizations usually don’t start with full control or even visibility over how their cloud assets are configured and which permissions were granted to identities in the cloud. Many cloud users manually configure cloud services as needed, like Simple Storage Service (S3) buckets, leaving IT out of the loop and potentially also leaving the company exposed to risky conditions. Other concerns include accounts of former employees, one-time users, and guest accounts that are left active, and also user identities with unused or unnecessary permissions.
Discovering cloud assets and configuration
Staying on top of existing cloud assets and their configurations can be challenging if done manually. IT sometimes misses the actual number by an order of magnitude. To keep up with the cloud’s constant state of change, scale, and complexity, a programmatic approach is required. Manual processes, besides leaving blind spots, also increase the risk of missing an exposed asset with a weak security-control configuration.
Misconfigurations could be the result of both unintentional (legitimate users) and malicious (attacker) actions. Regardless of the nature of the actor, paying attention to security posture by checking the status of dynamic cloud configurations is practically a requirement for cloud environments.
Cloud Security Posture Management (CSPM) solutions offer cloud configuration management capabilities. For industry best practices, visit the Center for Internet Security (CIS) and review the CIS Benchmarks. This resource provides you with checklists for all major clouds.
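The posture checks a CSPM tool runs are, at bottom, rules evaluated over a snapshot of asset configuration. The following is an added example written for this page, not code from any CSPM product or from the CIS Benchmarks: it evaluates a constructed inventory (the record format, check names and severities are assumptions) against four checks in the spirit of the benchmark items the text refers to, such as public buckets, missing default encryption, administrative ports open to the world, and trails that are not multi-region.

```python
"""Posture checks over a constructed cloud asset inventory.

Added example, not from the page or any CSPM vendor. The inventory format,
check names and severities are assumptions made for this illustration; the
checks mirror common CIS Benchmark themes (public buckets, missing encryption,
unrestricted admin ports, audit trails that only cover one region).
"""
from dataclasses import dataclass

# Constructed inventory: a normalised snapshot such as a CSPM collector
# might produce. A real collector would pull this through the provider API.
INVENTORY = {
    "s3_buckets": [
        {"name": "app-logs", "public": False, "sse": "AES256", "logging": True},
        {"name": "marketing-site", "public": True, "sse": None, "logging": False},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    ],
    "cloudtrail": [
        {"name": "org-trail", "logging": True, "multi_region": False},
    ],
}

ADMIN_PORTS = {22, 3389}          # SSH and RDP: never open to the whole internet
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    check: str
    resource: str
    severity: str


def check_buckets(buckets):
    findings = []
    for b in buckets:
        if b["public"]:
            findings.append(Finding("s3-public-access", b["name"], "high"))
        if not b["sse"]:
            findings.append(Finding("s3-no-default-encryption", b["name"], "medium"))
        if not b["logging"]:
            findings.append(Finding("s3-access-logging-off", b["name"], "low"))
    return findings


def check_security_groups(groups):
    findings = []
    for g in groups:
        for rule in g["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS:
                resource = f"{g['id']}:{rule['port']}"
                findings.append(Finding("sg-admin-port-open-to-world", resource, "high"))
    return findings


def check_trails(trails):
    findings = []
    for t in trails:
        if not t["logging"]:
            findings.append(Finding("cloudtrail-logging-off", t["name"], "high"))
        if not t["multi_region"]:
            findings.append(Finding("cloudtrail-not-multi-region", t["name"], "medium"))
    return findings


def evaluate(inventory):
    """Run every check and return findings sorted by severity, then resource."""
    findings = (check_buckets(inventory["s3_buckets"])
                + check_security_groups(inventory["security_groups"])
                + check_trails(inventory["cloudtrail"]))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.resource, f.check))


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"[{f.severity:6}] {f.check:30} {f.resource}")
```

Running it against the constructed inventory yields five findings; the two high-severity ones are the public `marketing-site` bucket and port 22 open to `0.0.0.0/0` on `sg-bastion`. Because the checks are pure functions over the snapshot, the same code can be re-run on every collection cycle, which is what turns a one-off audit into posture management.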
Identifying overprivileged users
Overprivileged entitlement of human and non-human identities (applications, services, containers, and so on) is a top cause of data breaches. Applying the principle of least privilege — the concept of providing no more permissions than necessary to perform required actions — is a wise, but difficult, concept to implement. Cloud providers actually make permissions granular, which in theory would lead to least-privilege policies. However, the reality is much more complex.
In practice, permissions aren’t assigned in a precise manner. Often, existing policies are reused after checking only that the permissions are broad enough to avoid disruption. In modern organizations, nothing should get in the way of speed and performance — not even security. So, developers and IT often err on the side of excess. Manual fine-tuning would be excessively time consuming and still not precise.
Inactive identities are also a permissions threat. These identities are often left in place because organizations simply lose track of them and lack the ability to be alerted to the inactivity.
Cloud Infrastructure Entitlements Management (CIEM) is a key tool to have in your cloud security toolbox. Look for solutions that can discover excessive permissions across active and inactive cloud identities and provide guided remediation to implement the least-privilege principle.
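The core of what a CIEM tool does is to compare what each identity is allowed to do with what it has actually done, and to flag both the unused surplus and the identities that have gone quiet. The following is an added example written for this page, not code from any CIEM product: it expands IAM-style wildcard grants against a constructed action catalogue, subtracts the actions observed in a constructed activity log, proposes a least-privilege policy from the used set, and marks identities inactive after a 90-day threshold (the data formats, the catalogue and the threshold are assumptions).

```python
"""Entitlement analysis over constructed IAM-style data.

Added example; not the page's own code nor any CIEM product's logic. The
policy and activity formats, the action catalogue and the inactivity window
are assumptions. The approach is the one the text describes: compare what an
identity may do with what it has actually done, flag the unused surplus, and
flag identities that have not acted within the window.
"""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so results are deterministic
INACTIVE_AFTER = timedelta(days=90)

# Constructed entitlements: each identity's allowed actions, with IAM-style wildcards.
GRANTED = {
    "ci-deployer": ["s3:*", "ecr:GetAuthorizationToken", "ecr:BatchGetImage", "iam:PassRole"],
    "bob": ["s3:GetObject", "s3:ListBucket"],
    "old-contractor": ["ec2:*", "s3:*"],
}

# Constructed activity log (CloudTrail-like): who called which action, and when.
ACTIVITY = [
    {"identity": "ci-deployer", "action": "s3:PutObject", "time": NOW - timedelta(days=1)},
    {"identity": "ci-deployer", "action": "s3:GetObject", "time": NOW - timedelta(days=1)},
    {"identity": "ci-deployer", "action": "ecr:BatchGetImage", "time": NOW - timedelta(days=2)},
    {"identity": "bob", "action": "s3:GetObject", "time": NOW - timedelta(days=10)},
    {"identity": "old-contractor", "action": "ec2:DescribeInstances", "time": NOW - timedelta(days=200)},
]

# Constructed subset of concrete actions a wildcard can expand to; a real tool
# would load the provider's complete action list.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:PutBucketAcl",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
    "ecr:GetAuthorizationToken", "ecr:BatchGetImage", "iam:PassRole",
]


def expand(grants):
    """Expand wildcard grants into the concrete actions they permit."""
    return {a for a in ACTION_CATALOGUE if any(fnmatchcase(a, g) for g in grants)}


def used_actions(identity, activity):
    return {e["action"] for e in activity if e["identity"] == identity}


def last_seen(identity, activity):
    times = [e["time"] for e in activity if e["identity"] == identity]
    return max(times) if times else None


def analyse(granted, activity, now=NOW):
    """Per identity: unused permissions, a least-privilege suggestion, inactivity."""
    report = {}
    for identity, grants in granted.items():
        allowed = expand(grants)
        used = used_actions(identity, activity)
        seen = last_seen(identity, activity)
        excess = allowed - used
        report[identity] = {
            "excess": sorted(excess),
            "suggested_policy": sorted(used),          # only what was actually exercised
            "inactive": seen is None or now - seen > INACTIVE_AFTER,
            "excess_count": len(excess),
            "allowed_count": len(allowed),
        }
    return report


if __name__ == "__main__":
    for name, r in analyse(GRANTED, ACTIVITY).items():
        flag = " INACTIVE" if r["inactive"] else ""
        print(f"{name}: {r['excess_count']}/{r['allowed_count']} permissions unused{flag}")
        print("  suggested policy:", r["suggested_policy"])
```

On the constructed data, `ci-deployer` turns out to use 3 of the 8 actions its grants expand to (the unused ones include `iam:PassRole`), `bob` has one unused action, and `old-contractor` is both heavily over-entitled and inactive. The suggested policy is deliberately only the observed set; in practice you would review it against a long enough observation window before applying it, since a quarterly job that has not yet run would otherwise be cut off.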
Monitoring cloud security controls and detecting threats in the cloud
Threats can be seen as the activities of cybercriminals, such as phishing, data exfiltration, cryptomining, distributed denial of service (DDoS) attacks, and so on. Cloud threats today are elaborate and complex and have become completely out of the reach of traditional, siloed security solutions that use coarse, out-of-context, and non-real-time data. To detect and contain attacks effectively, you need real-time visibility of the full spectrum of malicious activities applied in the attack. This includes monitoring cloud security controls, for instance, detecting configuration changes that increase risk. For more information on today’s global knowledge base of adversaries’ tactics, techniques, and procedures, visit attack.mitre.org.
The good news is that adversaries leave a trail of their actions in some form of recorded events. One way to detect threats in the cloud is to monitor cloud audit logs for anomalous activities and malicious actions, such as unexpected configuration changes and permission escalations.
Threat risk doesn’t always result from malicious activity. Cloud configurations are changing constantly and must be monitored for their impact on risk. When developers make configuration or permission changes as they debug or deploy applications, they may not consider the additional risk this adds to the organization, so cloud and security teams must continually evaluate configurations against best practices and their organizations’ policies.
Some organizations analyze activity logs out-of-band in scheduled pull intervals, or send their logs to a security information and event management (SIEM) system and then scan for threats, but these approaches have disadvantages:
- They aren’t real time, which imposes a delay in the detection of a risky configuration or an intruder.
- In the case of pull intervals, in addition to not achieving real-time detection, the approach may miss a full sequence of malicious events.
- SIEM tools are more suitable for forensics analysis, not for real-time detection.
- Copying the huge volume of activity logs outside the cloud is costly and complex to manage and is a potential compliance violation in certain industries.
A more effective and efficient way to detect cloud activity threats is to apply stream detection. As the cloud audit records are generated, they’re analyzed against defined runtime policies. If a suspicious action is detected, a security event is triggered in real time. Only the security event data is sent out, not all logged records. Also, each newly recorded log is analyzed against the conditions of the detection rules, not the entire audit logs storage.
With stream detection, you can detect in real time signs of cloud threats, such as the following examples:
- Turning off activity audit and logging services.
- Changing user roles to add over-permissive policies.
- Making an S3 bucket public.
- Accessing S3 buckets from unusual accounts.
- Changing to weak or no encryption of data at rest or in transit.
- Changing to weak password settings such as no multi-factor authentication (MFA) or no password rotation.
- Changing to inappropriate firewall rules or network access controls.
- Creating application programming interface (API) accounts with anonymous or unauthorized access.
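The stream model described above is easiest to see in code. The following is an added example written for this page, not Falco's engine or any vendor's rules: it reads a constructed feed of CloudTrail-like records one at a time, evaluates each record against four rules that correspond to the first four signs in the list (audit logging turned off, an over-permissive policy attached, a bucket ACL opened to everyone, and S3 access from an account outside a trusted set), and yields only the resulting security events. The record shapes are simplified and the trusted-account list is an assumption; the two public-grantee group URIs are the real AWS values.

```python
"""Stream detection over a constructed CloudTrail-like event feed.

Added example; not the page's own code and not Falco's rule engine. The event
shapes are simplified and the trusted-account set is an assumption. Each
record is evaluated as it arrives, and only security events leave the
detector, which is the stream model the text describes.
"""
import json

TRUSTED_ACCOUNTS = {"111111111111"}   # constructed: accounts expected to read our buckets

# Real AWS grantee URIs that make an ACL world- or all-authenticated-readable.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed audit records in arrival order (account ids and ARNs are made up).
EVENTS = [
    {"eventName": "StopLogging",
     "userIdentity": {"accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventName": "PutUserPolicy",
     "userIdentity": {"accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"userName": "svc", "policyDocument": json.dumps(
         {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    {"eventName": "PutBucketAcl",
     "userIdentity": {"accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"bucketName": "customer-data", "AccessControlPolicy": {
         "AccessControlList": {"Grant": [{"Grantee": {
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}}}},
    {"eventName": "GetObject",
     "userIdentity": {"accountId": "999999999999", "arn": "arn:aws:iam::999999999999:user/mallory"},
     "requestParameters": {"bucketName": "customer-data", "key": "export.csv"}},
    {"eventName": "GetObject",
     "userIdentity": {"accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"bucketName": "customer-data", "key": "report.pdf"}},
]


def feed(events):
    """Simulate the audit feed: one JSON record per line, in arrival order."""
    for e in events:
        yield json.dumps(e)


# Each rule returns a reason string on a hit, or None.
def rule_audit_disabled(e):
    if e["eventName"] in {"StopLogging", "DeleteTrail"}:
        return "audit trail logging stopped or deleted"


def rule_wildcard_policy(e):
    if e["eventName"] in {"PutUserPolicy", "PutRolePolicy", "CreatePolicy"}:
        doc = json.loads(e["requestParameters"]["policyDocument"])
        stmts = doc.get("Statement", [])
        stmts = [stmts] if isinstance(stmts, dict) else stmts
        for s in stmts:
            actions = s.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if s.get("Effect") == "Allow" and "*" in actions:
                return "policy allows Action '*'"


def rule_public_bucket(e):
    if e["eventName"] == "PutBucketAcl":
        acl = e["requestParameters"].get("AccessControlPolicy", {}).get("AccessControlList", {})
        if any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in acl.get("Grant", [])):
            return "bucket ACL grants access to a public group"


def rule_unusual_account(e):
    if e["eventName"] in {"GetObject", "ListObjects"}:
        if e["userIdentity"]["accountId"] not in TRUSTED_ACCOUNTS:
            return "S3 read from an account outside the trusted set"


RULES = [rule_audit_disabled, rule_wildcard_policy, rule_public_bucket, rule_unusual_account]


def detect(stream):
    """Consume records one at a time; yield a security event for each rule hit."""
    for line in stream:
        e = json.loads(line)
        for rule in RULES:
            reason = rule(e)
            if reason:
                yield {"rule": rule.__name__, "reason": reason,
                       "actor": e["userIdentity"]["arn"], "event": e["eventName"]}


if __name__ == "__main__":
    for alert in detect(feed(EVENTS)):
        print(f"{alert['rule']:22} {alert['event']:14} {alert['actor']}: {alert['reason']}")
```

Of the five records, four produce a security event and bob's ordinary `GetObject` produces nothing, so only four small alert objects leave the detector rather than the whole log. Each rule looks at the current record alone, which is what keeps the evaluation cost proportional to the arrival rate instead of the size of the log store; correlating a sequence of records (for example, the policy change followed by the read from the unknown account) is the job of the single event store discussed below.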
Adopting a unified threat detection approach
Today’s universe of cyber threats is complex. Tampering with cloud security controls, configurations, and permissions can just be a tactical step in an attack scenario that starts with the exploitation of a vulnerability in a workload, and being stealthy is the modus operandi. Adversaries adopt evasion techniques to get around legacy tools’ defenses and also take advantage of visibility gaps left by siloed solutions.
To detect and stop cyber threats in any environment, the first step is to see them. Trying to piece together data from siloed solutions slows down detection, and you may even miss the threat. If you don’t see the threat, you can’t stop it from spreading. As malicious activities could be happening in your applications, containers, Kubernetes, cloud assets, servers, and serverless platforms, a unified approach to threat detection is critical.
Single event store
In a unified approach, all detected events are in a single event store, enabling a sequenced event timeline that shows the attack in evolution. Siloed data slows down detection and may also be completely unsuitable to detect subtle and malicious aspects of a single action. When you use siloed security tools, you only see each activity in isolation, never putting together the complete attack. In sophisticated attacks where multiple systems are infected with malicious artifacts, like backdoors and malware files, without complete visibility of the attack components and blast radius, it could take months to completely remove the attacker from the environment.
A centralized view, revealing attackers’ sequence of steps from initial access through lateral movement and malicious actions across cloud and container environments, empowers security teams with the necessary information for immediate containment and removal of malicious artifacts.
Unified policy language
Detection policies can be set consistently across your cloud environment. Different policy languages add a learning curve and semantic gaps and may introduce parsing and translation loss when evaluating events. A single policy engine to detect threats across cloud and containers increases efficiency of security teams’ workflows, which not only makes policy management easier but also reduces mean time-to-remediate (MTTR) incidents.
Open-source validation
Security demands validation and transparency, so you want to avoid proprietary solutions. Proprietary tools are usually controlled by a single organization, and innovation is constrained by that organization’s resources and priorities. Solutions based on open-source standards usually have a primary contributing organization, supplemented by a community of motivated users and contributors who bring additional ideas and features. Open source also enables a more dynamic environment for providing feedback, reporting and fixing issues, and contributing improvements. Technology ecosystems also grow much faster around open-source projects because a community-based standard protects the investments made in developing integrations. The synergies found in open source drive the collaboration, validation, and speed of innovation that are fundamental to combating modern cyber threats.
Just having security solutions in place isn’t enough; you need the confidence that they’re effective, can sustain protection against the full range of attacks, and continue to evolve to contain new threats at the same speed as the cybercrime world is evolving.
For cloud threat detection, consider Falco. Falco, created by Sysdig, is the open-source standard for continuous risk and threat detection across Kubernetes, containers, and cloud. Falco acts as your security camera that continuously detects unexpected behavior, configuration changes, intrusions, and data theft in real time. Sysdig donated Falco to the Cloud Native Computing Foundation (CNCF), the vendor-neutral home for many open-source projects.
Want to learn more about cloud security?
Check out our “Securing Containers & Cloud” ebook, and discover topics like Infrastructure as Code (IaC), responding to threats, keeping your containers and cloud compliant, and more!