Post Syndicated from Aaron Wells original https://blog.rapid7.com/2023/02/15/ciem-is-required-for-cloud-security-and-iam-providers-to-compete-gartner-r-report/

In an ongoing effort to help security organizations stay competitive, we’re pleased to offer this complimentary Gartner® report, Emerging Tech: CIEM Is Required for Cloud Security and IAM Providers to Compete. The research in the report demonstrates the need for Cloud Infrastructure Entitlement Management (CIEM) product leaders to adopt trends that can help deliver value across Cloud Security and Identity and Access Management (IAM) enterprises.

CIEM product leaders looking to remain competitive in Cloud Security and IAM practices should consider prioritizing specific capabilities in their planning in order to address new and emerging threats and, as Gartner says:                            

• Gain a further competitive edge in the CIEM market by investing in more-advanced guided remediation capabilities, such as automated downsizing of over-privileged accounts.
• Appeal to a larger audience beyond cloud security teams by positioning CIEM as part of broader enterprise security controls.

Businesses not currently prioritizing CIEM capabilities, however, can’t simply “do a 180” and expect to be successful. Managing entitlements in the current sophisticated age of attacks and digital espionage can feel impossible. It is imperative for security organizations to adopt updated access practices though, not only to remain competitive but to remain secure.

Least Privileged Access (LPA) approaches lacking in effectiveness can find support in CIEM tools that provide advanced enforcement and remediation of ineffective LPA methods. Gartner says:

“The anomaly-detection capabilities leveraged by CIEM tools can be extended to analyze the misconfigurations and vulnerabilities in the IAM stack. With overprivileged account discovery, and some guided remediation, CIEM tools can help organizations move toward a security posture where identities have at least privileges.”

Broadening the portfolio

Within cloud security, identity-verification practices are more critical than ever. Companies developing and leveraging SaaS applications must constantly grapple with varying business priorities, thus identity permissions across these applications can become inconsistent. This can leave applications — and the business — open to vulnerabilities and other challenges.

When it comes to dynamic multi- and hybrid-cloud environments, it can become prohibitively difficult to monitor identity administration and governance. Challenges can include:

• Prevention of misuse from privileged accounts
• Poor visibility for performing compliance and oversight
• Added complexity from short-term cloud entitlements
• Inconsistency across multiple cloud infrastructures
• Accounts with excessive access permissions

Multi-cloud IAM requires a more refined approach, and CIEM tools can capably address the challenges above, which is why they must be adopted as part of a suite of broader enterprise security controls.

Accelerating cloud adoption

Technology and service providers fulfilling IAM services are in critical need of capabilities that can address specific cloud use cases. Gartner says:

“It is a natural extension to assist existing customers in their digital transformation and cloud adoption journey. These solutions are able to bridge both on-premises identity implementations and cloud to support hybrid use cases. This will also translate existing IAM policies and apply relevant elements for the cloud while adding additional use cases unique to the cloud environment.”

In fact, a key finding from the report is that “visibility of entitlements and rightsizing of permissions are quickly becoming ‘table stakes’ features in the CIEM market.”

Mature CIEM vendors can typically be expected to also offer additional capabilities like cloud security posture management (CSPM). InsightCloudSec from Rapid7 is a CIEM solution that also offers CSPM capabilities to effectively manage the perpetual shift, adoption, and innovation of cloud infrastructure. Businesses and security organizations can more effectively compete when they offer strong solutions that support and aid existing CIEM capabilities.

Download the report

Rapid7 is pleased to continually offer leading research to help you gain clarity into ways you can stand out in this ultra-competitive landscape. Read the entire complimentary Gartner report now to better understand just how in-demand CIEM capabilities are becoming and how product leaders can tailor strategies to Cloud Security and IAM enterprises.

Gartner, “Emerging Tech: CIEM Is Required for Cloud Security and IAM Providers to Compete”

Swati Rakheja, Mark Wah. 13 July 2022.

Gartner is registered trademark and servicemark of Gartner, Inc and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.

Post Syndicated from Alon Berger original https://blog.rapid7.com/2022/11/29/unifying-threat-findings-to-elevate-your-runtime-cloud-security/

The widespread growth in cloud adoption in recent years has given businesses across all industries the ability to transform and scale in ways never before possible. However, the speed of those changes, combined with the drastically increased volume and complexity of resources in cloud environments, often forces organizations to choose between slowing the pace of their innovation or taking on massive amounts of unmanaged risk.

Cloud security teams still struggle to gather all the relevant insights such as alerts, threat findings, and notifications in a single, consolidated place, and even when they succeed, these findings are often missing much of the context needed to perform quickly and conduct proper investigations with confidence.

A Single Pane of Glass for Runtime Security Threats

To address and overcome these challenges, we’ve introduced a series of agentless cloud detection and response (CDR) capabilities, empowering our customers to utilize better observability and context for proactive and collaborative investigations.

As part of our new CDR capabilities, we first introduced a unified threat findings view that curates runtime threat detections from various customer resources and cloud service providers to allow faster intelligence analysis and detection of potential risks.

This offers frictionless workflow integrations with third-party cloud vendors, collecting cloud events, alerts, and threat intelligence feeds from associated services, such as AWS GuardDuty. The new unified view not only consolidates all runtime threat detections from various sources, but also provides richer security context by associating the findings with the affected cloud resources and their properties, all in a single place.

These seamless integrations also ensure that companies are able to leverage their CSP’s newest security tools and capabilities, as well as keeping up with the latest developments in the ever-changing world of cloud infrastructure.

In addition to consolidating third-party threat findings, we’ve also built native detection for suspicious events in customer cloud environments. These native detection capabilities, which are based on research from Rapid7 cloud security experts and detect suspicious events within 90 seconds, include identifying potential threat actor behaviors such as:

• A user marking an existing resource as publicly accessible/exposed to the world
• A user making a resource unencrypted at rest
• A user removing transit encryption for a resource
• A user removing cloud protective measures, such as password policy
• A user adding overly permissive policies to an existing resource

Along with providing individual alerts for these detections, admin can now also filter resources to get a view of only those assets that have seen a suspicious event in the last 24 hours. This allows flexibility in how individuals and teams are able to review, investigate, and report on recent threats across their cloud environment.

Simplify Mitigation at Scale

Runtime security is key to providing visibility and detecting a variety of threats that piggyback on network resources. With Rapid7’s continuous monitoring and analysis of native and third-party threat findings, teams are able to leverage advanced automated remediation of risks in their environment, including misconfigured resources and hygiene drifts, known and unknown vulnerabilities, uncontrolled access (Secrets, tokens, credentials, etc.), and more.

Along with identifying threats, teams are now able to leverage an intelligent automated notification for third-party integrations such as SIEM, ticketing platform, or chat solutions. This significantly helps with an advanced and much faster remediation process to isolate relevant resources and prevent further suspicious activity until a thorough investigation is completed.

Take a Holistic Approach to Runtime Security in
the Cloud

Rapid7 is on a mission to help drive cloud security forward across the entire industry and community. With this new set of capabilities, including our recently launched unified threats findings view, getting visibility into risks and threats is easier and more powerful than ever. Ultimately, we aim for our customers to benefit from our current and upcoming offerings, helping them to create greater impact and to drive business forward faster and at scale.

Want to learn more? Click here.

Post Syndicated from Alon Berger original https://blog.rapid7.com/2022/11/28/reducing-risk-with-agentless-cloud-vulnerability-management/

In order to gain visibility into vulnerabilities in their public cloud environments, many organizations still rely on agent or network-based scanning technology that was initially built for traditional infrastructure and endpoints.

These methods often struggle to keep up with the speed of change and scale of complex, and constantly changing cloud environments, forcing infrastructure teams to constantly play catch up and avoid significant blindspots caused by unprotected workloads.

Vulnerability management in the cloud starts with continuous discovery of the container images and host workloads that may contain them and the supporting resources that control how they are launched.  The assessment step produces  long lists of vulnerabilities that can lack the necessary context to help prioritize and accurately route the issue to the correct owners for remediation.

Getting Better Visibility and Control

Rapid7’s InsightCloudSec now addresses all these challenges and provides agentless vulnerability assessment capabilities for cloud-based container workloads and hosts.  Building on InsightCloudSec’s industry leading cloud resource discovery technology, we’ve unleashed the latest generation agentless methods for assessing vulnerabilities on Containers using side-scanning and on Hosts using image snapshotting.  Combined, this fully enables security teams to quickly identify where the vulnerabilities exist across their cloud infrastructure, what resources are responsible for managing the dynamic workloads that launch them, and the tools to manage response prioritization and remediation.

InsightCloudSec’s vulnerability management  capabilities are  purpose-built for cloud-native environments and leverage Rapid7’s proven vulnerability management expertise and intelligence.  Our agentless approach  reduces the unnecessary overhead of agent management on highly ephemeral cloud resources.

Vulnerability Management with Rapid7’s InsightCloudSec

Vulnerability management with InsightCloudSec focuses on container and host-based workloads found in production environments, where the risk of exploitation is the highest. The solution leverages event-driven detection capabilities, allowing teams to maintain an up-to-the-minute inventory of all resources in production. This in turn minimizes blind spots and allows for more trustworthy reporting.

The solution automatically analyzes new container images and host instances upon deployment and provides detailed intelligence and remediation guidance for known vulnerabilities. InsightCloudSec then periodically revalidates running hosts against the newest vulnerability data to detect and protect against drift.

Our comprehensive vulnerability detection spans operating systems, installed software packages, network services, and open-source software libraries and packages typically used as dependencies in these environments, providing customers with the broadest coverage available in the market.

Agentless Container and Host Workload Assessment

With agentless Vulnerability assessment, security teams gain robust, continuous visibility into what vulnerabilities exist in their cloud environment, without having to include an agent in their container and host golden images. We discover new container images and host instances in near-real-time and immediately gather the information necessary to perform the assessment without waiting for a scheduled scan window or impacting the performance of the live workloads.  

When new container images are detected in the monitored registries, InsightCloudSec performs a side-scan on them to index the inventory of operating system and installed software packages as well as any other dependent libraries that exist on which we can detect vulnerabilities.

In the same way, once a new running host (VM) instance is detected, InsightCloudSec fetches the workload’s runtime storage layer using remote harvesting and automated snapshot triggering to gather the data required for vulnerability assessment.

By combining workloads metadata gathered from cloud provider APIs with container and host vulnerability data, we are able to provide contextualized vulnerability reports and deep visibility of where they exist in cloud environments, allowing security teams to respond to those impacting the most critical applications and cloud accounts.

Conclusion

Rapid7 and InsightCloudSec strive to help security and operation teams apply proper processes and procedures across the deployment pipeline, allowing them to quickly respond to vulnerabilities of any sort and severity.

With an accurate assessment of detected vulnerabilities and intelligent, automated routing for faster remediation, our solution empowers teams to have a robust and continuous visibility into vulnerabilities that exist in their cloud environments.

Want to learn more? Click here.

Post Syndicated from Shalini Subbiah original https://blog.rapid7.com/2022/07/05/cloud-complexity-requires-a-unified-approach-to-assessing-risk/

There has been an unprecedented acceleration in the shift to the cloud as a result of the COVID-19 pandemic. McKinsey experts estimate companies have moved to the cloud “24 times faster […] than they thought” over the past two years. As organizations move quickly to scale, drive innovation, and revamp the way they engage with their consumers by moving to the public cloud, there is an increasing need for a security strategy that aligns with the varied states of organizations’ maturity in their usage and adoption of the cloud.

Modern cloud environments are complex and require multiple areas of focus, including security, application modernization, reduction of infrastructure overhead, accelerating software delivery, maintaining compliance, and countless more. All of these are critical to realizing the end goals of cloud adoption: increased speed, flexibility, and performance. Rapid cloud adoption without the appropriate visibility and automated security controls will lead to imminent exposure and vulnerability.

Whose responsibility is cloud security?

When it comes to cloud environments, security and compliance are a shared responsibility between the cloud service provider (CSP) and the customer’s internal security team. In the typical shared responsibility model, cloud providers are responsible for the security OF the cloud. This essentially means they are on the hook to make sure the actual underlying resources you’re using – such as a storage bucket or a compute instance – or the physical hardware sitting in their data centers aren’t a security threat.

So, if the provider is responsible for security of the cloud itself, what falls to the customer? Customers are responsible for security IN the cloud, meaning they are responsible for making sure their own data – and their customers’ data – is properly secured. Generally speaking, this means keeping track of how various resources and services are configured properly; identifying and remediating exploitable vulnerabilities; managing identity and access management (IAM) policies to maintain least privilege access; and utilizing encryption for data, whether it’s at rest, in transit, or even in use.

So why is it that such a large majority of breaches are the fault of the customer if the responsibility is shared? There are a few drivers behind this, but it’s primarily because the goal of most bad actors is to gain access to sensitive and potentially lucrative customer data, which falls outside of the responsibility of the cloud provider.

I know what you’re thinking: “The answer is simple – just don’t leave a cloud resource housing sensitive data exposed to the public internet.” That’s, of course, the intent of any well-meaning engineer. That said, mistakes are unfortunately quite common. As engineers and developers work at light speed to bring new products to market, it can be very easy for security and compliance to fall through the cracks, especially as powerful new cloud capabilities enable infrastructure to be implemented with the click of a mouse.

This is consistent with our own research in our 2022 Cloud Misconfigurations Report, in which we found the most commonly breached resources were those that were secure and private by default, such as a storage bucket. This suggests human error played a pivotal role in leaving data exposed.

Prioritizing risk requires a unified approach to cloud security

The scale and complexity of modern cloud environments make it impossible to respond to every alert and potential issue that arises. So, what can you and your team do to make sure you’re not vulnerable to attack?

The key is context.

It is imperative for organizations to think of cloud security holistically so that they can understand their true risk exposure. Organizations need to be able to easily prioritize the issues that are the most critical to fix right away from the flood of alerts and incidents that are calling for their teams’ attention.

The question that needs answering seems simple, yet can be quite complex: “What are the biggest threats to my cloud environment today, and how do I mitigate them?” As mentioned earlier, it is not sufficient anymore to look at an issue through a single lens. Without a unified approach to cloud security, you could be leaving your organization and the systems it relies on in jeopardy.

This means examining not just the risks associated with a workload itself, but a holistic mapping of all resource interdependencies across your environment to understand how one compromised resource may impact others. It means taking into consideration whether or not a given resource is connected to the public internet, or whether there is potential for improper access to potentially sensitive information. There is also business context that needs to be taken into account, where an understanding of resource ownership and accountability can highlight relevant stakeholders that need to be looped in for remediation or audits and provide color as to potential business impact.

See? Simple – yet complex.

Extend this concept across millions of resources spanning hundreds of cloud environments, architectures, and technologies, and you have the complexity of cloud security today. It is therefore a non-negotiable starting point to have a consolidated, weighted, and standardized view of risk to one’s cloud estate. This can only be accomplished by gathering and analyzing all of the relevant data in a single solution that helps you see the full context – and passing that context along to other teams like DevOps – so that organizations can start being more strategic about prioritizing and remediating risks in their environment.

While there are many cloud security tools and vendors that focus on various aspects of cloud security, such as misconfigurations, vulnerabilities, access permissions, and exposure to the internet, very few offer a holistic understanding of all of the above combined to provide a “true” understanding of risk.

A holistic approach to cloud security with InsightCloudSec

Maintaining visibility can only get you so far from a security perspective. Given the sheer volume of monitored resources, chances are without an effective strategy to prioritize the flood of alerts cloud environments produce, your teams won’t know where to start.

The cloud is here to stay, and it is ever-changing. As cloud security and technologies evolve, so do attempts by bad actors to breach it. It is crucial for organizations to invest in best practices and automated cloud security throughout the development lifecycle. Cloud architectures and initiatives must be built on solid risk detection, prioritization and management processes, and platforms that provide seamless and real-time visibility into the true risk posture of the organization.

Increasingly, organizations want to focus their efforts on activities that increase their bottom line and competitive advantage. They simply don’t have the time to sift through multiple lines of code, teams, and repositories to understand the breadth and depth of risks associated with their cloud estate. Cloud security has to be looked at holistically to understand its true impact and threat to the organization.

That’s the difference with InsightCloudSec. We go beyond providing visibility to help organizations uncover the most critical threats facing their cloud ecosystem and provide guidance toward prioritization and response based on the true, holistic risk across multiple security domains. With a higher signal-to-noise ratio, development teams will be able to detect, understand, prevent, prioritize, and respond to threats better and faster, enabling them to build safely and efficiently in a multi-cloud environment.

Interested in learning more? Don’t hesitate to request a free demo!

Additional reading:

• How to Secure App Development in the Cloud, With Tips From Gartner
• Security Is Shifting in a Cloud-Native World: Insights From RSAC 2022
• Identifying Cloud Waste to Contain Unnecessary Costs
• Cybersecurity Is More Than a Checklist: Joel Yonts on Tech’s Unfair Disadvantage

Post Syndicated from Ryan Blanchard original https://blog.rapid7.com/2022/05/13/update-for-cis-google-cloud-platform-foundation-benchmarks-version-1-3-0/

The Center for Internet Security (CIS) recently released an updated version of their Google Cloud Platform Foundation Benchmarks – Version 1.3.0. Expanding on previous iterations, the update adds 21 new benchmarks covering best practices for securing Google Cloud environments.

The updates were broad in scope, with recommendations covering configurations and policies ranging from resource segregation to Compute and Storage. In this post, we’ll briefly cover what CIS Benchmarks are, dig into a few key highlights from the newly released version, and highlight how Rapid7 InsightCloudSec can help your teams implement and maintain compliance with new guidance as it becomes available.

What are CIS Benchmarks?

In the rare case that you’ve never come across them, the CIS Benchmarks are a set of recommendations and best practices determined by contributors across the cybersecurity community intended to provide organizations and security practitioners with a baseline of configurations and policies to better protect their applications, infrastructure, and data.

While not a regulatory requirement, the CIS Benchmarks provide a foundation for establishing a strong security posture, and as a result, many organizations use them to guide the creation of their own internal policies. As new benchmarks are created and updates are announced, many throughout the industry sift through the recommendations to determine whether or not they should be implementing the guidelines in their own environments.

CIS Benchmarks can be even more beneficial to practitioners taking on emerging technology areas where they may not have the background knowledge or experience to confidently implement security programs and policies. In the case of the GCP Foundation Benchmarks, they can prove to be a vital asset for folks looking to get started in cloud security or that are taking on the added responsibility of their organizations’ cloud environments.

Key highlights from CIS GCP Foundational Benchmarks 1.3.0

Relative to benchmarks created for more traditional security fields such as endpoint OS, Linux, and others, those developed for cloud service providers (CSPs) are relatively new. As a result, when updates are released they tend to be fairly substantial as it relates to the volume of new recommendations. Let’s dig in a bit further into some of the key highlights from version 1.3.0 and why they’re important to consider for your own environment.

2.13 – Ensure Cloud Asset Inventory is enabled

Enabling Cloud Asset Inventory is critical to maintaining visibility into your entire environment, providing a real-time and retroactive (5 weeks of history retained) view of all assets across your cloud estate. This is critical because in order to effectively secure your cloud assets and data, you first need to gain insight into everything that’s running within your environment. Beyond providing an inventory snapshot, Cloud Asset Inventory also surfaces metadata related to those assets, providing added context when assessing the sensitivity and/or integrity of your cloud resources.

4.11 – Ensure that compute instances have Confidential Computing enabled

This is a really powerful new configuration that enables organizations to secure their mission critical data throughout its lifecycle, including while actively in use. Typically, encryption is only available while data is either at rest or in transit. Making use of Google’s new Secure Encrypted Virtualization (SEV) feature, Confidential Computing allows customers to encrypt their data while it is being indexed or queried.

A dozen new recommendations for securing GCP databases

The new benchmarks added 12 new recommendations targeted at securing GCP databases, each of which are geared toward addressing issues related to data loss or leakage. This aligns with Verizon’s most recent Data Breach Investigations Report, which found that data stores remained the most commonly exploited cloud service, with more than 40% of breaches resulting from misconfiguration of cloud data stores such as AWS S3 buckets, Azure Blob Storage, and Google Cloud Storage buckets.

How InsightCloudSec can help your team align to new CIS Benchmarks

In response to the recent update, Rapid7 has released a new compliance pack – GCP 1.3.0 – for InsightCloudSec to ensure that security teams can easily check their environment for adherence with the new benchmarks. The new pack contains 57 Insights to help organizations reconcile their own existing GCP configurations against the new recommendations and best practices. Should your team need to make any adjustments based on the benchmarks, InsightCloudSec users can leverage bots to notify the necessary team(s) or automatically enact them.

In subsequent releases, we will continue to update the pack as more filters and Insights are available. If you have specific questions on this capability or a supported GCP resource, reach out to us through the Customer Portal.

Additional reading:

• Is Your Kubernetes Cluster Ready for Version 1.24?
• Cloud-Native Application Protection (CNAPP): What’s Behind the Hype?
• 2022 Cloud Misconfigurations Report: A Quick Look at the Latest Cloud Security Breaches and Attack Trends
• InsightCloudSec Supports the Recently Updated NSA/CISA Kubernetes Hardening Guide