This post was originally published on The New Stack.
Security teams waste significant time manually matching high-volume, low-risk alert data from many security products due to the constantly changing nature of cloud environments. Alert fatigue as well as a lack of prioritization and actionable information in these alerts may cause teams to miss critical issues.
This problem is escalating, particularly since point solution strategies fail to secure modern cloud environments end to end. Legacy point security tools were designed to solve independent, siloed architectural issues. They worked well until the cloud native era, which is more expansive, flexible and filled with countless configuration options. Context-based protection is required to detect and prioritize vulnerabilities, misconfigurations and malware in the cloud. To strengthen the cloud security posture of their cloud native environments, organizations must invest in context-based intelligence.
What Is Context in Relation to Cloud Security?
So what does “context” mean in terms of cloud security? Broadly defined, context is the collection of information about potential threats, vulnerabilities and misconfigurations that could lead to a security breach in a cloud environment. It gives you a complete picture of the events and conditions in the background of your cloud environment as seen through the eyes of an attacker. Beyond strengthening the security posture of the environment itself, it provides security teams with contextual security intelligence and unified visibility across their cloud estate, allowing them to run security operations more efficiently.
Contextual security intelligence systems use software and hardware to automatically collect and analyze data from deep inside the workload along with cloud configuration details, thereby surfacing risks together with their root cause in one unified view. This context, and the ability to surface critical attack paths, enables organizations to put security issues into perspective, eliminate risks effectively and maximize productivity in cloud environments.
How Context Helps with Cloud Security
Cloud native environments face a variety of security risks, including human-caused misconfigurations, compromised and unprotected assets, poorly encrypted data, dangerous default settings from the cloud service, risky permissions and common vulnerabilities and exposures (CVEs). These provide attackers with a broad attack surface from which to devise various attack paths to critical assets. This is where context comes into play. Context helps organizations paint a complete picture of potential risks and prioritize the remediation of the most critical threats.
Prioritizing Cloud Security Risks
Context helps reduce false positive security alerts, thus lowering alert fatigue among teams. When security tools are equipped with contextual information about potential threats, they are able to analyze that contextual data to help prioritize risks. To do so, they should consider three crucial factors: the severity of the threat if a breach were to occur, the accessibility of the underlying assets to an attacker and the potential impact on the business. Once the identified risks have been prioritized, teams can focus on resolving the most important threats first for faster remediation.
Visibility into Cloud Environments from an Attacker’s Perspective
Attackers most commonly begin by analyzing the entire attack surface to discover its weakest links and to form direct routes to your most valuable assets. After exploiting such a weakness, they use any relationships between assets to move laterally within your environment. With contextual security intelligence, security teams can beat attackers at their own game by visualizing potential attack paths (the lateral movement options an attacker could take to reach other workloads) in a graph that carries data on all relevant cloud entities and their risks, including vulnerability status, misconfiguration risks, trust and authorization, data and the relationships between them.
In addition, contextual security intelligence provides security teams with the ability to identify the location of crown jewel assets — including personal identifiable information (PII), secrets exposure, intellectual property, financial information and other sensitive data — relative to where active threats are operating. This is essential for understanding the threat context and determining which threats are most dangerous. It also allows security teams to immediately understand which attack paths are most critical to the business so they can remediate those first.
Attack Path Analysis and Scoring
One of the most common cloud security posture management (CSPM) tool errors is failing to account for the numerous configurations and combinations that can potentially endanger a company’s assets. Consider the following example: You have an insecure interface that is accessible via the internet for third-party integration, and your Amazon RDS stores unencrypted client data. An attacker who gains access to the endpoint can readily alter the stored data due to the API’s unsecured internet exposure. You can use Attack Path Analysis to find hazardous risk combinations that might expose the company’s most valuable assets. Such context is crucial in helping to secure the cloud. Context assists security teams by scoring and prioritizing an attacker’s numerous paths and the connections between them.
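As an added illustration of the path enumeration and three-factor prioritization described in the sections above (not code from the original post or from Orca Security), the following Python models a small constructed asset graph, including the internet-exposed API plus unencrypted RDS combination from the example, enumerates paths from internet-facing entry points to crown-jewel assets and scores each path by severity, accessibility and business impact. The asset attributes, the per-hop accessibility decay and the multiplicative score are all assumptions made for the illustration.

```python
# Constructed asset inventory (not a real deployment, not a vendor schema).
# severity: worst finding on the asset (0-10); internet: reachable from the
# internet; impact: business impact if the asset is compromised (0-10).
ASSETS = {
    "api-gateway":   {"severity": 7.0, "internet": True,  "impact": 3},   # insecure 3rd-party API
    "web-app":       {"severity": 8.5, "internet": True,  "impact": 4},   # unpatched CVE
    "batch-worker":  {"severity": 2.0, "internet": False, "impact": 2},
    "rds-customers": {"severity": 9.0, "internet": False, "impact": 10},  # unencrypted PII
    "s3-finance":    {"severity": 4.0, "internet": False, "impact": 6},   # financial records
}
# Constructed trust/network relationships an attacker could pivot along.
EDGES = {
    "api-gateway": ["rds-customers"],
    "web-app": ["batch-worker", "s3-finance"],
    "batch-worker": ["rds-customers"],
}
CROWN_JEWELS = {"rds-customers", "s3-finance"}
HOP_DECAY = 0.8  # assumed: each lateral hop makes the target 20% less accessible


def attack_paths(assets=ASSETS, edges=EDGES, targets=CROWN_JEWELS):
    """Enumerate simple paths from internet-exposed assets to crown jewels (DFS)."""
    paths = []
    def walk(node, path):
        if node in targets:
            paths.append(path)
            return
        for nxt in edges.get(node, []):
            if nxt not in path:  # skip cycles
                walk(nxt, path + [nxt])
    for entry, attrs in assets.items():
        if attrs["internet"]:
            walk(entry, [entry])
    return paths


def score_path(path, assets=ASSETS):
    """Three-factor score: severity (worst finding on the path) x accessibility
    (decays per hop from the internet) x business impact of the target."""
    severity = max(assets[n]["severity"] for n in path)
    accessibility = HOP_DECAY ** (len(path) - 1)
    impact = assets[path[-1]]["impact"]
    return round(severity * accessibility * impact, 2)


def prioritized_paths(assets=ASSETS, edges=EDGES, targets=CROWN_JEWELS):
    """(score, path) pairs, highest risk first: the order to remediate in."""
    ranked = [(score_path(p, assets), p) for p in attack_paths(assets, edges, targets)]
    return sorted(ranked, key=lambda sp: sp[0], reverse=True)
```

Calling prioritized_paths() on the sample data ranks the direct api-gateway to rds-customers route first (score 72.0), ahead of the two-hop route through batch-worker (57.6) and the s3-finance route (40.8), so the dangerous exposed-API plus unencrypted-database combination is what the team remediates first.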
Conclusion: Adopting Context-Aware Cloud Security
For any cloud security efforts to bear fruit, risks must be viewed in context with the intelligence required to prioritize threats based on severity, visualize potential attacks from an attacker’s perspective, and identify, analyze and score multiple exploitable attack paths to valuable cloud assets. Context-based security intelligence also provides supplemental information to improve security decisions and reduce alert fatigue.
Organizations must invest in a reliable cloud security platform that uses a unified data model to gather and correlate contextual data on each asset, including details on potential risks in the workload and configuration of the cloud as well as information on external and internal cloud connectivity.
Orca Security does exactly that (among other things) by scanning a real-world cloud deployment for potential vulnerabilities, visualizing attackers’ potential paths and prioritizing risk remediation. Orca’s CSPM is enhanced with context-aware security data to aid in the security of cloud native, Kubernetes and microservices in a multi-cloud environment.