What “expanding attack surface” means and what you can do about it


This post was originally published here by Casey Pechan.

Not to state the obvious, but organizations adopting public cloud services don’t always do so in a coordinated manner. Cloud adoption takes testing – meaning multiple cloud accounts are often created by different teams for various applications. In the old days, if someone wanted a physical server they would have to go to IT and get one ordered and set up. In today’s world, you can go to the AWS website, enter your credit card number, and get a server in seconds – all by yourself. That means IT, and by extension Security teams, lack visibility because they’re no longer a checkpoint in that process. For security teams this rapid cloud adoption is at best a headache, and more often than not, a nightmare.

Gaining visibility into each public cloud account is essential for securing all workloads, and subsequently the business. As many organizations have learned the hard way, cloud accounts contain workloads filled with resources that can expose your organization to attacks when they’re misconfigured or if vulnerabilities are allowed to collect dust.

This is what we mean by the expanding attack surface.

An organization’s critical data is often being spun up or spun down through various workloads in a matter of seconds. Time waits for no one (and neither do attackers), and in order to protect this data, security teams need a comprehensive, up-to-date inventory of cloud assets and their configurations so they can be hardened against attack.

Automation is half the battle

With new public cloud services being released on a frequent basis and thousands of new configuration parameters to examine, security teams struggle to maintain an accurate assessment of current risks. It’s nearly impossible to manually inspect an ever-changing list of thousands of security parameters. One way a security solution can keep up is if it’s automated and baked into the DevOps cycle. For example, the CloudPassage Halo platform works by deploying a lightweight agent onto each workload spun up in the public cloud. That agent then continuously monitors your workloads, sending that information back to the Halo portal where you can view and manage all of your workloads within a single window. Our latest and greatest offering, Project Cielo, takes that information a step further by identifying your public cloud workloads’ cyber-health – identifying vulnerabilities and misconfigurations that are most important.

Comprehensive visibility AND assessment is the solution

Intelligent organization and presentation of your workload threats and vulnerabilities with Project Cielo is a great way to take the unified visibility that CloudPassage Halo provides and turn it into something actionable.

Think of it this way: security teams can at any point in time have hundreds or thousands of security issues identified from various sources. When problems are found, providing clear remediation and mitigation steps to the right people can be challenging when critical information is lost in a sea of changes and alerts. This can result in precious time wasted and increased exposure time.

So yes, visibility and automation provide security teams with a way to keep up with DevOps practices and truly “see” their landscape, but without an easy way to categorize and use this information, vulnerabilities, configuration issues, access control changes, or high-risk behavior still risk slipping through the cracks. Project Cielo allows cloud security teams to:

  • Eliminate blind spots and regain security control across all of your AWS accounts, regions and services.
  • Quickly identify vulnerabilities, misconfigurations, and changes in your public cloud environments that expose your organization to cyber threats.
  • Obtain single-point inventory and reporting of the security and compliance posture of public cloud resources in use across your entire organization.
  • Continuously monitor public cloud resources for critical risks and compliance violations.
  • Establish and maintain compliance with the CIS AWS Foundations Benchmark and other best practices and regulations using built-in, customizable policies.

Imagine telling your CISO that you can do all of that within a single cloud security platform. Automated workload security with comprehensive visibility and real-time assessment is possible with Project Cielo. To learn more about Project Cielo, visit our webpage.
