Managing vulnerabilities in the Cloud… and everywhere else
20 November 2017
By Gidi Cohen, CEO and Founder of Skybox Security
Security professionals are in a pickle. Along with IT teams, they’re getting marching orders from the C–suite to put everything in the cloud — and do it securely! They’re struggling to hire enough staff, let alone staff with the experience and knowledge to manage cloud security. There’s a growing threat of ransomware and other types of malware that can now spread across the globe —usually on a Friday. The public and, more importantly, government is losing patience with companies that fall victim to attacks because the latter didn’t address known vulnerabilities with available patches and highly publicized exploits, in the first instance.
Aside from how dangerous the leaked NSA–developed exploits can be in the hands of cybercriminals, attacks like WannaCry showed us how connected we are. The “ransomworm” spread like wildfire through networks and jumped into new areas through third–party connections. Where there was a path, there was a way. This should be of concern, especially amid the move to the cloud where complexity and visibility challenges only become more daunting.
READ MORE: Six ways of achieving endpoint security
To stay safe in the era of distributed attacks and cloud–first strategies, organisations need to rethink how they view their attack surface. Attackers don’t see your network with distinct boundaries, and neither can you. No matter if it’s your physical, virtual or cloud network — you need to approach security holistically and centralize management. Taking in the complete context of your hybrid network will help you identify and remediate the vulnerabilities attackers are most likely to target.
Scanless Vulnerability Assessments in the Cloud
For vulnerability identification, most organizations turn to scanning, which is a vital part of any traditional vulnerability management program. However, scanning alone is a challenge in dynamic cloud environments. CSP’s tend to be particular about how scanning is done in the cloud — and what customers are allowed to scan. In addition, even where scanning is allowed, CSPs often require a user account on every virtual machine — a problem when cloud networks change frequently or the organization is working with several service providers. The bottom line: traditional scanning in virtual and cloud networks can leave major blind spots between scans when new vulnerabilities are announced, virtual machines are spun up or down, or servers are offline while the scan is run.
To fill in those blind spots and discover vulnerabilities on demand, organizations can use other data repositories. By pairing data from third–party scanners and asset and patch management systems running in the cloud with vulnerability feeds, scanless assessments can deduce vulnerabilities based on product and version information, patch levels and other system data. In some enterprises, scanless assessments detect three–times more vulnerabilities than active scans with near 100 percent accuracy.
Vulnerability and Exposure Analysis
Vulnerabilities discovered in cloud, virtual and physical networks should all be analysed in a comprehensive program that takes into consideration the context of an organisation’s network as well as up–to–date threat intelligence. Traditional analysis using CVSS base scores and asset criticality alone fail to consider the complexities of modern networks and the threat landscape.
Vulnerability analysis also needs to include the actual state of network topology and security controls, as this influences the exposure of the asset on which a vulnerability exists. To determine exposure, network paths need to be analysed end to end — both between physical, virtual and multi–cloud networks and within these networks, as east/west movement could be used in the continuation of a multi–step attack.
Remediation priorities need to be aligned to the threat level a vulnerability poses. Threat intelligence can come from feeds you already subscribe to, but those that consolidate multiple feeds, prioritize alerts relative to your network and offer security–analyst verified, certified research are particularly beneficial.
For vulnerabilities with available but inactive exploits, the threat is potential. These and other non–exploitable vulnerabilities can be part of your gradual risk reduction process and dealt with over time, but they should be monitored for changes in exposure or exploit activity.
Those vulnerabilities that are actively being exploited in the wild pose an immediate threat. Vulnerabilities on exposed assets also represent an immediate threat as they are accessible to attackers. Both exposed and actively exploited vulnerabilities need to be dealt with straight away.
Remediation Beyond Patching
Even when patches are available, deploying them might not be an option for various reason. There also might be more efficient alternatives if your vulnerability management program is able to consider the network context. IPS signatures can be implemented, configurations changed, and firewall rules or security tags on cloud assets can be adjusted.
Cloud Complexity Demands Automation
The sheer scale of hybrid networks, the number of vulnerabilities, the elasticity of cloud environments and activity in the threat landscape are simply too much to correlate through manual processes. Without automation, time and resources are wasted on trying to figure out how an organization might be attacked, rather than being used for proactive action that truly reduce risk.
If organizations are in a cloud–first strategy, they need to ensure security programs are poised to support that approach. This means automating systems to gather, normalize and analyse data, yielding actionable intelligence that aligns vulnerability remediation to actual threat levels — and recommending the most efficient, effective remediation options.
With this approach, security teams can be more effective in managing cloud and hybrid environments and adapt their program even as the threat landscape and network evolves.