Vulnerability Discovery in the Cloud
Download as PPTX, PDF1 like356 views
In the era of cloud generation, the constant activity around workloads and containers create more vulnerabilities than an organization can keep up with. Using legacy security vendors doesn't set you up for success in the cloud. You’re likely spending undue hours chasing, triaging and patching a countless stream of cloud vulnerabilities with little prioritization. Join us for this live webinar as we detail how to streamline host and container vulnerability workflows for your software teams wanting to build fast in the cloud. We'll be covering how to: Get visibility into active packages and associated vulnerabilities Reduce false positives by 98% Reduce investigation time by 30% Spot a legacy vendor looking to do some cloud washing
Ad
More Related Content
What's hot (20)
Similar to Vulnerability Discovery in the Cloud (20)
Ad
More from DevOps.com (20)
Ad
Recently uploaded (20)
Vulnerability Discovery in the Cloud
- 1. The Future of Active Host Vulnerability Monitoring
- 2. Speakers Sean Valois Senior Sales Engineer at Lacework Sean has extensive experience in technical account management, general computer and network security, and has significant time working in vulnerability management. Pat Haley Senior Sales Engineer at Lacework Pat has a background primarily in customer facing, technical roles helping organizations better secure their environment. His time also includes significant experience in vulnerability management.
- 3. Agenda 0 1 2 3 About Lacework & Who is this for? The Lacework Platform Containers vs Hosts “What should be fixed?” Telemetry Active packages & Ephemeral Infrastructure Shift Left? Pre-Deployment Checks How to deal with constant change. Alerts
- 4. The Cloud Changes Constantly by Design NEW: Engineers x Cloud Accounts x Microservices x APIs x Scaling Compute = Constant Change UNCHANGED: Finite security talent & compliance requirements Engineer Developers Testers Analyst Security Compliance DBA IT Ops Containers Auto-scaling Compute Instances Acct N*Dev Acct N*Test Acct Prod CI/CD Pipelines ..? Microservices Amazon RDS Amazon S3 Amazon DynamoDB Amazon Kinesis Amazon’s Next Thing APIs Kubernetes Clusters Culture, Org, & Incentives Applications Architecture & Code Cloud Activity User and Entity Actions & Config Infrastructure Hosts, Containers, & K8s You Config Cloud Service Provider Service Integrity & Innovation Agents Agents APIs Not Your Security Problem Humans
- 5. Security Context is Buried In Meantime to WTF Finance: “Can you explain?” Event triage Alert triggers Write/refine/ tune rules Query 2nd level investigations Should I be panicked? “Alerts as data” Alert correlation Apply algo/ML to Raw security data Query 1st level investigations Suppress Alerts CIRCLE OF SECURITY DATA TOIL Event analysis WHO? WHAT? WHEN? WHY? HOW?
- 6. Lacework Toils So You Don’t Have To MACHINES MAP ACTIVITY MACHINES ANALYZE ACTIVITIES HUMANS TAKE ACTIONS
- 7. Lacework Grows With Your Needs Compliance, API, process, and vulnerability metadata Workload / Container Raw Security Data User & App Activity Mapping Behavioral Analysis of Activity Maps Over Time Anomaly Detection With Full Context Security Analytics Container & Host Registry Vulnerability APIs Host intrusion detection (IDS) Container and Kubernetes Security Compliance reporting & audit Cloud Activity & App Anomalies File integrity monitoring (FIM) Host Vulnerability Telemetry Data Exchange Security Data Lake CONTAINER REGISTRIES On-prem API DATA: Cloud Activity & Configurations CVE & Threat Data
- 8. What We’re Talking About Today Compliance, API, process, and vulnerability metadata Workload / Container Raw Security Data User & App Activity Mapping Behavioral Analysis of Activity Maps Over Time Anomaly Detection With Full Context Security Analytics Container & Host Registry Vulnerability APIs Host intrusion detection (IDS) Container and Kubernetes Security Compliance reporting & audit Cloud Activity & App Anomalies File integrity monitoring (FIM) Host Vulnerability Telemetry Data Exchange Security Data Lake CONTAINER REGISTRIES On-prem API DATA: Cloud Activity & Configurations CVE & Threat Data
- 9. Lacework Works With What You Have Compliance, API, process, and vulnerability metadata Workload / Container Raw Security Data User & App Activity Mapping Behavioral Analysis of Activity Maps Over Time Anomaly Detection With Full Context Security Analytics Container & Host Registry Vulnerability APIs Host intrusion detection (IDS) Container and Kubernetes Security Compliance reporting & audit Cloud Activity & App Anomalies File integrity monitoring (FIM) Host Vulnerability Telemetry Data Exchange Security Data Lake CONTAINER REGISTRIES On-prem API DATA: Cloud Activity & Configurations ALERTING / TICKETING / PERFORMANCE AUTOMATION & PIPELINES SECURITY INFO EVENT MANAGEMENT APP. CODE SEC. CASB SSO NETWORK/ ENDPOINTS CVE & Threat Data
- 10. Q: Who is this for (today)? A: Linux hosts scaling in the cloud • Nightly builds? • Lots of host images? • Hosts and Containers? • Ephemeral and Immutable Infrastructure? • Threat detection & Service Relationship Visibility? Vulnerability insight that fits the modern software team workflows. No Vulnerability Program HELP Consolidate tooling & agents, streamline workflows, and stop building DIY tooling. In-the-cloud Linux *Product* Vulnerability Program Existing Vuln Assessment & Prioritization Tools + DIY DATA SCIENCE Enterprise-Wide Vulnerability Compliance Programs
- 11. Vulnerabilities: Containers Versus Hosts Indispensable compute Pets are patched when updates are needed. Examples: • Load balancers • Database systems Fix while running Disposable compute Cattle are rebuilt and replaced when updates are needed Examples: • Scaling for compute • Failover for blue / green deploys Fix base image or while running HOST: PETS HOST: CATTLE Disposable compute Container images are rebuilt when updates are needed (not patched) Examples: • Every container Fix base image in registry CONTAINERS
- 12. Building Infra & Scan Schedules vs Installing Agent OLD: SETUP VULNERABILITY INFRASTRUCTURE Infrastructure Requirements • Scope infrastructure • and acquire infrastructure • and deploy infrastructure • and…. • and... • and deploy dedicated agents • and... • Schedule scans NEW: DEPLOY AN AGENT WITH ANY INFRA AUTOMATION TOOL… THEN COFFEE What Does The Agent Do For Vulnerability Telemetry? • OS and OS version • Enumerates package manager inventory • Sends the data to Lacework For threat detection, the agent also collects DNS and Application Process Data.
- 13. 1. What should be fixed in prod? 2. Can we develop on better host images? 3. How do I deal with constant change? Three Questions Everyone Asks About Cloud Host Vulnerabilities
- 14. #1 - What to fix? What telemetry do you need to find the vulnerabilities that actually matter?
- 15. Terms and Definitions – Machine Status Purpose is to declutter ephemeral hosts from the user view. Source of data is the Agent heartbeat. Host has been live in the last 1-2 hours from current time ONLINE Host has not been live in the last 1-2 hours from current time OFFLINE Both online and offline hosts ALL
- 16. Lots of Hosts...Filtered By Online Within The Last 30 Days
- 17. Terms and Definitions – Vulnerability Assessment Vulnerability assessment for a distinct machine occurs in two forms Vulnerability states are continuously tracked for host lifecycle INITIAL ASSESSMENT = First assessment when an agent first registers a host to the Lacework platform, typically first hour. CONTINUOUS ASSESSMENT = Scheduled assessment that occurs every 24 hours for all hosts that transported data in the last 24 hour window. (Host was active long enough to transport).
- 18. … Filtered By Severity of Vulnerability
- 19. ...and by image (or any tag or attribute like ‘external IP’)
- 20. Terms and Definitions – Package Status Data source is agent process details collected continuously. Uniquely identifies the dormant and active risk of vulnerabilities based on process in use. ACTIVE = In the last 24 hour period we have seen this package in use. In use means a process launch. <empty state> = We can not guarantee an inactive state.
- 22. Terms and Definitions – Vulnerability Lifecycle Active; unmitigated, potentially exploitable software vulnerability detection within the environment Inactive; previously discovered potentially exploitable software vulnerability detection that was not detected in the last assessment Exception; previously discovered potentially exploitable software vulnerability detection that was detected in the last assessment and deemed as not applicable NEW, ACTIVE, REOPENED FIXED SUPPRESSED (future – not in this release)
- 23. API – All CVEs GET vulnerabilities/host
- 24. API – All machines with a specific CVE GET host/cveId/{CVE-ID}
- 25. API – Assessment for a specific machine GET host/machineId/{id}
- 26. Daily Evaluation Daily Evaluation Daily Evaluation Continuous Assessments DEPLOYMENT TYPE HOST LIFETIME FIRST ASSESSMENT NEXT DAY Host Supported OS1 Host alive for >= ~2 hours First Evaluation Daily Evaluation Host Yes >= 2 hours Container No < 2 hours
- 27. #2 Can we shift left and deploy on better host images?
- 28. Host Lifecycle DEVELOPER OPS BUILDS GOLDEN IMAGE QA / PROD Build application test environment Checkout host image from registry Add application required packages Install application Run tests Update repo with test results Job to build new host image Install packages, configs, agents Run Tests Query Lacework API Discover CVEs Query Lacework API Discover CVEs Discover CVEs Promote to registry Deploy to environment Scheduled agent scan runs
- 29. <= 10 request in last hour Payload valid API: On Demand Assessment – DevOps Use Case PREFLIGHT CHECKS IN CI/CD CONDITIONAL OR CATALOGUED DEPLOY POST to blocking API PAYLOAD • CVE-ID − Packages − Metadata − CVSS scores − First seen • Summary − Total vulns − Evaluation time • ... PAYLOAD • OS Distro – e.g., ubuntu, debian, fedora − Version – e.g, 18.04, 27 • YUM / APT package list − Package name − Package version Rate limited – HTTP Error code Relevant HTTP Error code Stateless response
- 30. API – Shift Left POST /scan
- 31. Example of /scan with HashiCorp Packer and Lacework Create inventory shell script. Build an AMI with HashiCorp packer. Packer uploads and executes inventory script. Outputs are saved. Vulnerabilities are discovered pre-deployment.
- 32. #3 How do we deal with constant changes and mistakes?
- 33. Alert Scenario Options NEW CVE PUBLISHED KNOWN CVE DEPLOYED CVE SEVERITY CHANGE PATCH STATUS CHANGE within a defined severity level among monitored hosts within a defined severity level among monitored hosts within monitored hosts within monitored hosts No fix available Fixable
- 34. All your infrastructure security alerts in one place
- 35. Alerts That Don’t Suck - Why, What, When, How
- 36. The Future of Vulnerability Telemetry is Here
- 37. Lacework Vulnerability Workflows are Different Today’s Vulnerability Tools • Compliance focused • Struggle with ephemeral cloud scaling • Teams of people building vulnerability data • Containers = build-time only • Focus on vulnerability existence in inventory • No visibility into vulnerable package use Lacework Host & Container Vulnerability Workflows • Focused on security efficacy • Built for ephemeral cloud scaling • Built for devops workflows • Live view into package execution
- 38. Wrap-Up 0 1 2 3 Lacework Can Grow With You The Lacework Platform Containers, Hosts, Cloud Activity The telemetry to find risks is easy to use. Active packages & Ephemeral Infrastructure Hosts can shift left too! Pre-Deployment Checks Alerts can keep you focused on your business. Alerts
- 39. Questions?
- 40. Thank you for Joining the Cloud Generation
- 41. Popular Scenarios Pre-Flight Checks Operational Efficiency: Avoid putting known vulns into production. Which active CVE’s Exist Get a list of CVEs that are present All machines with a CVE Rapid scan to find a particular CVE across an environment Health check on a specific machine Visibility of vulnerabilities on a particular instance Interrupt vulnerabilities at earliest part of the development lifecycle (SDLC early intervention) Dumb list versus list with context specific to your environment. (Vulnerabilities versus vulnerable) Oh noes a brand new CVE is on the front page of Hacker News! What’s the state of my super important app?
- 42. “I’ve been involved in vulnerability mitigation for 20 years. Lacework is the best tool I’ve ever seen. It resolves many problems and has clean telemetry.”
- 43. Type of API Call Cloud Accounts GeoIP Cloud Service Regions Principal Role API Call Results Web Console/ API Machines Can Now Map App & Activity Context
- 45. Who Cares About Vulnerabilities? What Known Risks Are In Our Environment? Which vulnerabilities should we prioritize? To meet x compliance requirement can we report and fix vulnerabilities inside 30 days? Can I avoid introducing risk into the environment? Wants to write code while minimizing security & infra work Security Compliance DevOps / Production Engineering Developers Does the machine I’m investigating have an active vulnerability? Incident Response