11 reasons why Cloud Security Posture Management is important
Cloud Security Posture Management (CSPM) is a much needed tool for enterprises focused on cloud security. I've listed the key aspects below:
- UEBA/Threat Detection with Machine Learning
- Cloud Resources Misconfiguration
- Multi Cloud Security (AWS/Azure/GCP etc.)
- Cloud Asset Management/Graph visualization
- Real Time Security Incident Alerts
- Compliance Framework and remediate risks
- Query your cloud environment
- Security Orchestration, Automation and Response (SOAR)
- Data Exfiltration
- VPC Flow Logs Analysis
- Container Scanning (Static and Dynamic Scan)
UEBA/Threat Detection with Machine Learning →
One of the major concerns nowadays is this: when someone leaves the company, do we rotate secrets? Do we rotate secrets on a regular basis (every 45–90 days) at all? And how would we know if credentials have already been compromised?
All of this API activity is recorded in CloudTrail/Activity Logs, and once we start ingesting these logs into the CSPM tool we can look for anomalies. The UEBA engine monitors logs from various sources (CloudTrail/Config/GuardDuty/flow logs) and establishes a baseline of normal activity.
It feeds this data to a machine learning platform and can alert the SOC on unusual behaviour, e.g. a new source IP location, AWS service or device, or activity outside the user's typical working hours. This helps us detect insider threats and compromised user/entity accounts.
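The baseline-and-deviation idea above, as an added example that is not code from the original post or from any CSPM product: a per-user profile is built from CloudTrail records (source IP, service, user agent, active hours) and a new event is scored against it. The records are constructed for illustration; the field names are the ones CloudTrail emits, and a real engine would of course use far more history and statistical thresholds rather than exact sets.

```python
from collections import defaultdict
from datetime import datetime

# Constructed CloudTrail-style records (not real data) forming one user's
# baseline; the field names are those CloudTrail actually emits.
BASELINE_EVENTS = [
    {"userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.10",
     "eventSource": "s3.amazonaws.com", "userAgent": "aws-cli/2.15.0",
     "eventTime": "2024-03-04T09:15:00Z"},
    {"userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.10",
     "eventSource": "ec2.amazonaws.com", "userAgent": "aws-cli/2.15.0",
     "eventTime": "2024-03-05T14:02:00Z"},
    {"userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.11",
     "eventSource": "s3.amazonaws.com", "userAgent": "console.amazonaws.com",
     "eventTime": "2024-03-06T11:40:00Z"},
]

def _hour(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour

def build_baseline(events):
    """Per user: IPs, services and user agents seen, plus the UTC hour
    window [first, last] in which the user was active."""
    profile = defaultdict(lambda: {"ips": set(), "services": set(),
                                   "agents": set(), "hours": [24, -1]})
    for ev in events:
        p = profile[ev["userIdentity"].get("userName", "unknown")]
        p["ips"].add(ev["sourceIPAddress"])
        p["services"].add(ev["eventSource"])
        p["agents"].add(ev["userAgent"])
        h = _hour(ev)
        p["hours"] = [min(p["hours"][0], h), max(p["hours"][1], h)]
    return profile

def score_event(profile, ev):
    """Deviations of one new event from its user's baseline ([] = normal)."""
    p = profile.get(ev["userIdentity"].get("userName", "unknown"))
    if p is None:
        return ["user-without-baseline"]
    findings = []
    if ev["sourceIPAddress"] not in p["ips"]:
        findings.append("new-source-ip")
    if ev["eventSource"] not in p["services"]:
        findings.append("new-service")
    if ev["userAgent"] not in p["agents"]:
        findings.append("new-user-agent")
    if not p["hours"][0] <= _hour(ev) <= p["hours"][1]:
        findings.append("outside-usual-hours")
    return findings
```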
Cloud Resources Misconfiguration →
One of the important roles of a CSPM tool is to find all the misconfigurations in the cloud. As per security best practices, we should not make resources public, we should encrypt data at rest and in transit, and we should only allow secure ports (ingress/egress).
A few use cases: we can create policies/alerts in CSPM for when an RDS instance is configured with public access, when an S3 bucket's public access block is disabled, or when a security group is wide open on all ports/protocols to any IPv4 address (0.0.0.0/0), and so on.
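The three policies just listed, written out as checks over stored inventory. This is an added example, not code from the original post or from any CSPM product; the inventory is constructed and shaped like the boto3 describe_security_groups, describe_db_instances and get_public_access_block responses a collector would persist.

```python
# Constructed inventory (not a real account) shaped like the boto3
# describe_security_groups / describe_db_instances / get_public_access_block
# responses a CSPM collector stores before evaluating policies.
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},          # HTTPS only: OK
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},  # all
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},          # internal only
]
RDS_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": True},
    {"DBInstanceIdentifier": "reports-db", "PubliclyAccessible": False},
]
S3_PUBLIC_ACCESS_BLOCK = {   # bucket -> PublicAccessBlockConfiguration (None = unset)
    "logs-bucket": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                    "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "assets-bucket": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                      "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "legacy-bucket": None,
}

ANY_CIDR = ("0.0.0.0/0", "::/0")

def sg_world_open(sg):
    """True when an ingress rule allows every protocol/port from anywhere."""
    for perm in sg["IpPermissions"]:
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                 [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        all_ports = perm["IpProtocol"] == "-1" or \
                    (perm.get("FromPort") == 0 and perm.get("ToPort") == 65535)
        if all_ports and any(c in ANY_CIDR for c in ranges):
            return True
    return False

def evaluate_policies(sgs, rds, s3_pab):
    """Return (policy_id, resource_id) findings in CSPM style."""
    findings = [("sg-open-to-world", g["GroupId"]) for g in sgs if sg_world_open(g)]
    findings += [("rds-publicly-accessible", d["DBInstanceIdentifier"])
                 for d in rds if d["PubliclyAccessible"]]
    for bucket, pab in s3_pab.items():
        if pab is None or not all(pab.values()):   # any of the four flags off
            findings.append(("s3-public-access-block-disabled", bucket))
    return findings
```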
Multi Cloud Security →
A centralised security dashboard for multi-cloud accounts, with inventory and compliance status, is desirable. You can also write a program on top of these CSPM tools to create custom dashboards.
You can also have your vulnerability management tool export its results to the CSPM dashboards, along with other counts such as the number of EC2/RDS instances exposed to the internet, public S3 buckets, VPCs without flow logs, etc.
Cloud Asset Management/Graph visualization →
We do have short-lived infrastructure in the cloud, as we leverage spot EC2 instances/ECS tasks/Lambda functions that run only briefly to execute batch/on-demand jobs. This is beneficial in terms of cost, but there is always a set of long-lived (non-batch) infrastructure as well.
It's good to have a multi-cloud infrastructure inventory dashboard in one place, showing e.g. the total number of VPCs/EC2 instances/RDS instances. Exporting reports such as instance types lets us leverage them for Reserved Instances (RIs).
We can also build an inventory of services that are exposed publicly (RDS/EC2/ELB/S3 etc.) via a query or the CSPM API. You can also create graphs of the current setup in your account.
Real Time Security Incident Alerts →
We do need real-time security incident alerts. E.g. an AWS root account login: this indicates an account compromise and should be reported as soon as possible. These events can be triggered via your CSPM tool and page the SOC team.
Another example: set up alerts for cross-account IAM roles that whitelist a third-party account ID, and so on.
The SOC team needs to act on all high-priority security incidents. All the information can be traced back via the CSPM tool/CloudTrail, such as IP info, location, browser info, etc.
Compliance Framework and remediate risks →
It's best practice to adopt a compliance framework for risk assessment/remediation. A few popular frameworks are CIS, NIST and PCI DSS. A CSPM tool provides all the compliance-related policies needed to measure your current security posture.
We should be able to create custom compliance frameworks as per the organisation's needs. This is much needed, as we can select the critical policies and use them in a custom compliance framework to make sure we are on the right path to securing critical services.
Query your cloud environment →
We should be able to query our cloud environment using a resource query language. Imagine you had a database of all running cloud services in MySQL and could run a simple query to fetch resource info, e.g. VPCs, VPC peerings, EC2, RDS, etc.
You can list all resources with a query or the CSPM API. The same can be done for GuardDuty alerts and VPC flow log analysis.
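The "inventory in a database" idea from this section and the exposed-resource inventory/counts from the asset management section, as one added example (not code from the original post or any CSPM product). It loads a constructed inventory into in-memory SQLite, which stands in for the MySQL or query language the post imagines, and joins resources to their security group rules so that "exposed" means reachable and open, not merely holding a public IP.

```python
import sqlite3

# Constructed inventory (not a real account), normalised the way a CSPM
# collector would flatten describe_instances / describe_db_instances /
# describe_security_groups before loading them into a query engine.
INSTANCES = [("i-0a1", "vpc-01", "54.0.0.1", "sg-web"),
             ("i-0b2", "vpc-01", None, "sg-app"),        # no public IP
             ("i-0c3", "vpc-02", "54.0.0.3", "sg-app")]  # public IP, SG internal
RDS = [("orders-db", "vpc-01", 1, "sg-db"), ("reports-db", "vpc-01", 0, "sg-db")]
SG_RULES = [("sg-web", "tcp", 443, 443, "0.0.0.0/0"),
            ("sg-app", "tcp", 8080, 8080, "10.0.0.0/8"),
            ("sg-db", "tcp", 5432, 5432, "0.0.0.0/0")]

SCHEMA = """
CREATE TABLE ec2(instance_id, vpc_id, public_ip, sg_id);
CREATE TABLE rds(db_id, vpc_id, publicly_accessible, sg_id);
CREATE TABLE sg_rule(sg_id, protocol, from_port, to_port, cidr);
"""
# A resource counts as internet-exposed only when it is reachable (public IP
# or PubliclyAccessible) AND its security group admits 0.0.0.0/0.
EXPOSED_SQL = """
SELECT 'ec2' AS kind, e.instance_id AS id, r.from_port AS port
  FROM ec2 e JOIN sg_rule r ON r.sg_id = e.sg_id
 WHERE e.public_ip IS NOT NULL AND r.cidr = '0.0.0.0/0'
UNION ALL
SELECT 'rds', d.db_id, r.from_port
  FROM rds d JOIN sg_rule r ON r.sg_id = d.sg_id
 WHERE d.publicly_accessible = 1 AND r.cidr = '0.0.0.0/0'
ORDER BY kind, id
"""

def load_inventory():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ec2 VALUES (?,?,?,?)", INSTANCES)
    conn.executemany("INSERT INTO rds VALUES (?,?,?,?)", RDS)
    conn.executemany("INSERT INTO sg_rule VALUES (?,?,?,?,?)", SG_RULES)
    return conn

def internet_exposed(conn):
    """(kind, id, port) rows for resources reachable from the internet."""
    return conn.execute(EXPOSED_SQL).fetchall()

def exposure_counts(conn):
    """Dashboard-style counts per resource kind, e.g. {'ec2': 1, 'rds': 1}."""
    counts = {"ec2": 0, "rds": 0}
    for kind, _, _ in internet_exposed(conn):
        counts[kind] += 1
    return counts
```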
Security Orchestration, Automation and Response (SOAR) →
Security orchestration can be done via CSPM tools that have write IAM access to the cloud accounts. Example: if the CSPM finds that an EC2 instance in a VPC is trying to connect to a malware/mining host via the NAT gateway, it should be able to add a NACL rule to block that IP address, i.e. automate incident response with a playbook.
Such orchestration is needed to mitigate critical threats, and it should be aligned with the application teams so that they know about the change and can head off potential security issues in real time.
Data Exfiltration →
It's important to track data exfiltration. E.g. if any user shares an EBS volume snapshot or RDS snapshot with an external AWS account (i.e. one that is not part of your AWS Organization), our CSPM tool should be able to detect and alert on this change. Any account ID that is not part of your organisation appearing in RDS snapshot sharing, VPC peerings or cross-account IAM roles should be checked/investigated.
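One way to implement the "account ID outside our organisation" check from this section and the cross-account IAM role alert from the incident alerts section, as an added example that is not code from the original post or any CSPM product. It watches the CloudTrail event names that grant another account access and flattens their request parameters to text, so ARNs and nested trust policies are covered without modelling every API's request shape. The org account list and the events are constructed placeholders; in practice the list would come from organizations:ListAccounts.

```python
import json
import re

# Your organisation's account IDs (constructed placeholders, not real
# accounts); in practice fetch them with organizations:ListAccounts.
ORG_ACCOUNTS = {"111111111111", "222222222222"}

# CloudTrail event names whose request parameters can hand another account
# access to your data or network (snapshot/AMI sharing, peering, role trust).
SHARING_EVENTS = {
    "ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute",  # RDS
    "ModifySnapshotAttribute", "ModifyImageAttribute",                 # EBS/AMI
    "CreateVpcPeeringConnection",                                      # VPC
    "CreateRole", "UpdateAssumeRolePolicy",                            # IAM trust
}
ACCOUNT_ID = re.compile(r"(?<!\d)\d{12}(?!\d)")   # 12 digits, not part of a longer number

# Constructed CloudTrail-style events (not real data).
EVENTS = [
    {"eventName": "ModifyDBSnapshotAttribute", "eventSource": "rds.amazonaws.com",
     "requestParameters": {"dBSnapshotIdentifier": "orders-final",
                           "attributeName": "restore",
                           "valuesToAdd": ["999999999999"]}},        # external
    {"eventName": "UpdateAssumeRolePolicy", "eventSource": "iam.amazonaws.com",
     "requestParameters": {"roleName": "Deploy", "assumeRolePolicyDocument":
         json.dumps({"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}]})}},  # in org
    {"eventName": "CreateVpcPeeringConnection", "eventSource": "ec2.amazonaws.com",
     "requestParameters": {"vpcId": "vpc-0a1", "peerVpcId": "vpc-0b2",
                           "peerOwnerId": "333333333333"}},          # external
    {"eventName": "DescribeDBSnapshots", "eventSource": "rds.amazonaws.com",
     "requestParameters": {"dBSnapshotIdentifier": "orders-final"}},  # read-only
]

def external_accounts(event, org_accounts=ORG_ACCOUNTS):
    """Account IDs named in a sharing/trust event that are outside the org."""
    if event["eventName"] not in SHARING_EVENTS:
        return set()
    text = json.dumps(event.get("requestParameters", {}))
    return set(ACCOUNT_ID.findall(text)) - org_accounts

def exfil_alerts(events, org_accounts=ORG_ACCOUNTS):
    """(eventName, sorted external account IDs) for events to investigate."""
    return [(ev["eventName"], sorted(ext)) for ev in events
            if (ext := external_accounts(ev, org_accounts))]
```

Flattening trades precision for coverage: a 12-digit number in an unrelated field (a resource name, say) would also be reported, which is acceptable for an investigate-list but should be kept in mind when tuning alert volume.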
VPC Flow Logs Analysis →
VPC flow logs can be ingested into CSPM tools and help with threat detection based on network traffic flow analysis. CSPM tools continuously monitor all ingress/egress connections and raise alerts based on IP reputation, communication with known bad actors on particular ports, port scans, etc.
These tools are also helpful for designing your exact ingress/egress destination IPs/ports, i.e. your security groups. Other use cases are checking the top source/destination IP addresses/ports communicating with your VPC and diagnosing security-related exposures.
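The three flow-log use cases above (port scans, reputation hits, top talkers for security group design), as an added example that is not code from the original post or any CSPM product. The log lines are constructed, not captured traffic, but follow the default version 2 VPC Flow Log field order, and the reputation list is a constructed stand-in for a threat-intel feed.

```python
from collections import Counter, defaultdict

# Default (version 2) VPC Flow Log field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed flow log lines (not captured traffic): one source probing five
# ports on 10.0.1.5, normal HTTPS, one egress to a "bad reputation" address.
FLOW_LOG = """\
2 111111111111 eni-0a1 198.51.100.9 10.0.1.5 40001 22 6 1 44 1710000000 1710000060 REJECT OK
2 111111111111 eni-0a1 198.51.100.9 10.0.1.5 40002 23 6 1 44 1710000000 1710000060 REJECT OK
2 111111111111 eni-0a1 198.51.100.9 10.0.1.5 40003 3389 6 1 44 1710000000 1710000060 REJECT OK
2 111111111111 eni-0a1 198.51.100.9 10.0.1.5 40004 445 6 1 44 1710000000 1710000060 REJECT OK
2 111111111111 eni-0a1 198.51.100.9 10.0.1.5 40005 8080 6 1 44 1710000000 1710000060 REJECT OK
2 111111111111 eni-0a1 203.0.113.7 10.0.1.5 51000 443 6 120 98000 1710000000 1710000060 ACCEPT OK
2 111111111111 eni-0a1 10.0.1.5 192.0.2.50 43210 4444 6 30 6000 1710000000 1710000060 ACCEPT OK
2 111111111111 eni-0a1 - - - - - - - 1710000000 1710000060 - NODATA
"""
BAD_REPUTATION = {"192.0.2.50"}   # constructed threat-intel list

def parse_flow_log(text):
    """Parse default-format records; NODATA/SKIPDATA records are skipped."""
    recs = []
    for line in text.splitlines():
        rec = dict(zip(FIELDS, line.split()))
        if len(rec) == len(FIELDS) and rec["log_status"] == "OK":
            for f in ("srcport", "dstport", "packets", "bytes"):
                rec[f] = int(rec[f])
            recs.append(rec)
    return recs

def port_scanners(recs, min_ports=5):
    """Sources REJECTed on >= min_ports distinct ports of the same host."""
    ports = defaultdict(set)
    for r in recs:
        if r["action"] == "REJECT":
            ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return {src for (src, _), p in ports.items() if len(p) >= min_ports}

def bad_reputation_egress(recs, denylist=BAD_REPUTATION):
    """Accepted flows from our side to addresses on the reputation list."""
    return [(r["srcaddr"], r["dstaddr"], r["dstport"])
            for r in recs if r["action"] == "ACCEPT" and r["dstaddr"] in denylist]

def top_talkers(recs, n=3):
    """(srcaddr, dstaddr, dstport) ranked by bytes, for tightening SGs."""
    c = Counter()
    for r in recs:
        c[(r["srcaddr"], r["dstaddr"], r["dstport"])] += r["bytes"]
    return c.most_common(n)
```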
Container Scanning (Static and Dynamic Scan) →
It's a good security practice to run container analysis tools before deployment (static scan) and after deployment (dynamic scan). You can leverage Amazon Inspector for ECR repo/container scanning and integrate third-party tools (Falco/Aqua etc.) to perform deeper scanning.
** One can also start with AWS Security Hub or Microsoft Azure Sentinel, which cover a few of these scenarios, and automate the rest with custom scripts using a cross-account Lambda function triggered by CloudTrail events.