3 Ways to Improve Data Protection in the Cloud

Cloud complexity is now a well-documented and widely felt phenomenon across technology teams — IT, development, and security alike. Multi-cloud architectures have become the norm, with 89% of organizations embracing a strategy that involves multiple cloud vendors. Not only are companies managing greater amounts of data than ever before, they're also spread across an ever-increasing array of cloud services, applications, and devices.

Securing all this information and preventing data loss in a multi-cloud environment would be a tall task for any security team. Add to the mix an increasingly heightened threat landscape and an ongoing cybersecurity skills shortage, and the challenge becomes even greater.

Rapid7, Mimecast, and Netskope recently published a joint white paper outlining best practices for cloud data protection and pinpointing some key resources that organizations can leverage in this effort. Here are three key concepts the paper highlights.

1. Embrace AI

Artificial intelligence (AI) and machine learning are well-known technologies at this point, but their potential is only just beginning to be tapped when it comes to helping security teams become more efficient and more effective.

Examples of AI-based tools that can help security teams include curated detections within an extended detection and response (XDR) platform, as well as intelligent threat and anomaly detection within cloud security tools.

Machine learning won't ever replace the trained eye and keen insight of a veteran cybersecurity analyst — but AI-based tools can take on some of the repetitive and time-consuming tasks that security pros face, allowing analysts to increase productivity and focus on the alerts and issues that matter most. The goal is human-machine collaboration, with AI augmenting and boosting the capabilities of the analyst.

2. Utilize automation

Automation and AI work together as a one-two punch of process improvement for security. If an AI-based tool detects an anomalous event, automation allows you to set up actions that can take place in response to that suspicious activity. This can help get the ball rolling faster on mitigating security issues — and speed is the name of the game when it comes to keeping out attackers.

In the context of a cloud security platform, built-in automation and remediation tools let you create bots that can carry out certain tasks, specified by:

  • Scope: What resources the bot should evaluate — i.e., specific cloud resource groups, or certain types of resources contained in those groups
  • Filters: The conditions in which a bot should act — e.g., what tags the resource has, or whether the ports are open
  • Actions: What task you want the bot to carry out — e.g., delete a resource, start or stop an instance, or send an email with key information about the resource in question
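As an added illustration of the scope / filter / action structure just described (this is example code, not InsightCloudSec or any provider's API), the following Python model runs two bots over a constructed multi-cloud inventory; the resource records, tag names, ports and the stand-in action functions are all assumptions made for the example.

```python
"""Minimal model of a scope / filter / action remediation bot.

Added illustration only; not InsightCloudSec code or any provider's API.
Resource records, tag names, ports and the action functions are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Resource:
    cloud: str                       # provider, e.g. "aws" (constructed)
    group: str                       # account / project / resource group
    kind: str                        # "vm", "bucket", "security_group", ...
    name: str
    tags: Dict[str, str] = field(default_factory=dict)
    open_ports: Set[int] = field(default_factory=set)


@dataclass
class Bot:
    name: str
    scope_groups: Set[str]                       # which groups to evaluate
    scope_kinds: Set[str]                        # which resource types in them
    filters: List[Callable[[Resource], bool]]    # every filter must hold
    action: Callable[[Resource], str]            # returns what was done

    def in_scope(self, r: Resource) -> bool:
        return r.group in self.scope_groups and r.kind in self.scope_kinds

    def run(self, inventory: List[Resource]) -> List[Tuple[str, str]]:
        """Evaluate the inventory; return (resource name, action result) pairs."""
        results = []
        for r in inventory:
            if self.in_scope(r) and all(f(r) for f in self.filters):
                results.append((r.name, self.action(r)))
        return results


# --- filters: the conditions under which a bot should act -----------------
def has_tag(key: str, value: Optional[str] = None):
    return lambda r: key in r.tags and (value is None or r.tags[key] == value)

def missing_tag(key: str):
    return lambda r: key not in r.tags

def exposes_port(port: int):
    return lambda r: port in r.open_ports


# --- actions: constructed stand-ins for provider API calls ----------------
def notify(r: Resource) -> str:
    return f"email: {r.cloud}/{r.group}/{r.name} tags={r.tags} ports={sorted(r.open_ports)}"

def stop_instance(r: Resource) -> str:
    return f"stop requested for {r.name}"


# Constructed multi-cloud inventory for the demo.
INVENTORY = [
    Resource("aws", "prod", "vm", "web-1", {"env": "prod", "owner": "alice"}, {443}),
    Resource("aws", "prod", "vm", "jump-1", {"env": "prod", "owner": "bob"}, {22, 3389}),
    Resource("azure", "dev", "vm", "test-1", {"env": "dev"}, {3389}),
    Resource("gcp", "prod", "bucket", "logs", {}, set()),
    Resource("aws", "prod", "security_group", "sg-1", {}, {3389}),
]

BOTS = [
    # Scope: prod VMs. Filters: tagged prod and RDP port open. Action: stop it.
    Bot("rdp-exposed-prod", {"prod"}, {"vm"},
        [has_tag("env", "prod"), exposes_port(3389)], stop_instance),
    # Scope: VMs and buckets in prod or dev. Filter: no owner tag. Action: notify.
    Bot("untagged-owner", {"prod", "dev"}, {"vm", "bucket"},
        [missing_tag("owner")], notify),
]


def run_all(bots=BOTS, inventory=INVENTORY) -> Dict[str, List[Tuple[str, str]]]:
    """Run every bot over the inventory and collect results by bot name."""
    return {b.name: b.run(inventory) for b in bots}


if __name__ == "__main__":
    for bot_name, hits in run_all().items():
        print(bot_name)
        for res_name, outcome in hits:
            print("  ", res_name, "->", outcome)
```

Note that `sg-1` has port 3389 open but is never touched: it is outside the first bot's scope by resource type, which is the point of separating scope from filters. A real bot would replace the two action functions with provider API calls and should log every action it takes.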

3. Leverage integrations

AI and automation can help drive efficiencies — but with a multitude of cloud services in play, there's a risk that these automated actions proliferate and become unwieldy, making it tough for security teams to reap the full benefits. This is where integrations become critical: They allow teams to coordinate actions quickly and seamlessly across multiple vendor systems.

Integrations make it easier to create a holistic security environment formed by a consistent set of controls, rather than a patchwork of best practices. For example, if you have an integration that links your email security gateway to your security information and event management (SIEM) tool, you can create an alert when a user receives an email containing suspected ransomware or malware, and take automated remediation actions instantly. Or if your security service edge (SSE) platform detects a serious data exfiltration risk, you can build a customized workflow in your security orchestration, automation, and response (SOAR) to quarantine that resource or take it offline.

Dive deeper on cloud data protection

Keeping data secure in the cloud comes with its share of challenges, but integrations that leverage AI-based analytics and automated workflows can help you ensure you know where your data is, what security controls are in place, and what threats there might be in your environment.

Looking to go deeper on how to bring this vision to life? Download the white paper today, or join experts from Mimecast, Netskope, and Rapid7 for the webinar "Data Protection and Control in the Cloud" at 2pm EST on Tuesday, September 13.



Pushing Open-Source Security Forward: Insights From Black Hat 2022

Open-source security has been a hot topic in recent years, and it's proven to be something of a double-edged sword. On the one hand, there's an understanding of the potential that open-source tools hold for democratizing security, making industry best practices accessible to more organizations and helping keep everyone's data better protected from attackers. On the other hand, open-source codebases have been the subject of some of the most serious and high-impact vulnerabilities we've seen over the past 12 months, namely Log4Shell and Spring4Shell.

While the feeling around open-source understandably wavers between excitement and trepidation, one thing is for sure: Open-source frameworks are here to stay, and it's up to us to ensure they deliver on their potential and at the same time remain secure.

The future of open-source was a common theme at Black Hat 2022, and two members of the Rapid7 research team — Lead Security Researcher Spencer McIntyre and Principal Security Researcher Curt Barnard — shined a light on the work they've been doing to improve and innovate with open-source tools. Here's a look at their presentations from Black Hat, and how their efforts are helping push open-source security forward.

A more powerful Metasploit

Spencer, whose work focuses primarily on Rapid7's widely used attacker emulation and penetration testing tool Metasploit, shared the latest and greatest improvements he and the broader team have made to the open-source framework in the past year. The upgrades they've made reflect a reality that security pros across the globe are feeling every day: The perimeter is disappearing.

In a threat environment shaped by ransomware, supply chain attacks, and widespread vulnerabilities like Log4Shell, bad actors are increasingly stringing together complex attack workflows leveraging multiple vulnerabilities. These techniques allow adversaries to go from outside to within an organization's network more quickly and easily than ever before.

The updates Spencer and team have made to Metasploit are intended to help security teams keep up with this shift, with more modern, streamlined workflows for testing the most common attack vectors. These recent improvements to Metasploit include:

Credential capturing: Credential capture is a key component of the attacker emulation toolkit, but previously, the process for this in Metasploit involved spinning up 13 different modules and managing and specifying configurations for each. Now, Metasploit offers a credential capture plugin that lets you configure all options from a single start/stop command, eliminating redundant work.

User interface (UI) optimization: URLs are commonly used to identify endpoints — particularly web applications — during attacker emulation. Until now, Metasploit required users to manually specify quite a few components when using URLs. The latest update to the Metasploit UI understands a URL's format, so users can copy and paste them from anywhere, even right from their browser.

Payloadless session capabilities: When emulating attacks, exploits typically generate Meterpreter payloads, making them easy to spot for many antivirus and EDR solutions — and reducing their effectiveness for security testing. Metasploit now lets you run post-exploitation actions and operations without needing a payload. You can tunnel modules through SSH sessions or create a WinRM session for any Metasploit module compatible with the shell session type, removing the need for a payload like reverse shell or Meterpreter.

SMB server support: Metasploit Version 6 included SMB 3 server support, but only for client modules, which was limiting for users who were working with modern Windows targets that had disabled SMB 3 client support. Now, SMB 3 is available in all SMB server modules, so you can target modern Windows environments and have them fetch (often payload) files from Metasploit. This means you don't need to install and configure an external service to test for certain types of vulnerabilities, including PrintNightmare.

Defaultinator: Find default credentials faster

Metasploit is at the heart of Rapid7's commitment to open-source security, but we're not stopping there. In addition to continually improving Metasploit, our research team works on new open-source projects that help make security more accessible for all. The latest of those is Defaultinator, a new tool that Curt Barnard announced the release of in his Black Hat Arsenal talk this year. (Curt also joined our podcast, Security Nation, to preview the announcement — check out that episode if you haven't yet!)

Defaultinator is an open-source tool for looking up default usernames and passwords, providing an easy-to-search data repository in which security pros can query these commonly used credentials to find and eliminate them from their environment. This capability is becoming increasingly important for security teams, for a few key reasons:

  • Some commonly used pieces of hardware in IT environments come with default credentials that could give attackers an easily exploitable method of network access. Curt gave the example of the Raspberry Pi microcontroller board, which always comes with the username "pi" and password "raspberry" for initial login — a security flaw that resulted in a 10 CVSS vulnerability published in 2021.
  • Meanwhile, IoT devices have been proliferating, and many of these manufacturers don't have security best practices at the front of their mind. That means hardcoded default credentials for first-time logins are common in this type of tool.
  • Many software engineers (Curt included) spend a lot of time in Stack Overflow, and many of the code snippets found there contain example usernames and passwords. If you aren't careful when copying and pasting, default credentials could make their way into your production environment.

With a whopping 54 CVEs for hardcoded usernames and passwords released just in 2022 so far (by Curt's count), security pros are in need of a fast, accurate way to audit for default credentials. But until now, the tools for these kinds of audits just haven't been out there, let alone widely available.

That's why it was so important to make Defaultinator, the first tool of its kind for querying default usernames and passwords, an open-source solution — to ensure broad accessibility and help as many defenders as possible. Defaultinator offers an API search-based utility or a web-based user interface if you prefer not to interact with the API. It runs in Docker, and the quickstart repository on GitHub takes just four lines of code to get up and running.
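The audit workflow the post describes, as an added example: this is not Defaultinator's code or its API, and the default-credential table, device inventory and pasted snippet are all constructed for the example (the pi/raspberry pair is the one named in the list above; ExampleCorp and its products are made up). It goes slightly beyond the post in that, besides checking configured device logins against known defaults, it also scans a copied snippet for default pairs, which covers the Stack Overflow copy-and-paste point.

```python
"""Audit for known default credentials.

Added example; not Defaultinator's code or its API. DEFAULT_CREDENTIALS,
INVENTORY and SNIPPET are constructed (the pi/raspberry entry mirrors the
example in the post). Unsalted SHA-256 is used only to keep the demo
self-contained; compare against whatever hash your systems actually store.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed lookup table: (vendor, product) -> known (username, password) pairs
DEFAULT_CREDENTIALS: Dict[Tuple[str, str], List[Tuple[str, str]]] = {
    ("raspberry pi foundation", "raspberry pi os"): [("pi", "raspberry")],
    ("examplecorp", "router x1"): [("admin", "admin"), ("admin", "changeme")],
    ("examplecorp", "camera c2"): [("root", "12345")],
}


def lookup(vendor: str, product: str) -> List[Tuple[str, str]]:
    """Case-insensitive lookup of default pairs for a vendor/product."""
    key = (vendor.strip().lower(), product.strip().lower())
    return list(DEFAULT_CREDENTIALS.get(key, []))


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def audit_inventory(inventory: List[dict]) -> List[Tuple[str, str, str, str]]:
    """Flag devices still using a known default.

    Each record has host, vendor, product, username and password_hash.
    Returns (host, configured username, matched default password, kind), where
    kind is "exact" (default user and password) or "password" (default password
    reused under another username, which still needs changing).
    """
    findings = []
    for dev in inventory:
        for user, pw in lookup(dev["vendor"], dev["product"]):
            if dev["password_hash"] != sha256_hex(pw):
                continue
            kind = "exact" if dev["username"] == user else "password"
            findings.append((dev["host"], dev["username"], pw, kind))
            break
    return findings


def scan_text_for_defaults(text: str) -> List[Tuple[int, str, str]]:
    """Flag lines of a pasted snippet or config that carry a known default pair.

    Tokens are matched whole, so "admin" inside "administrator" is ignored; a
    pair like admin/admin needs the token to appear twice on the line.
    """
    pairs = sorted({p for creds in DEFAULT_CREDENTIALS.values() for p in creds})
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = re.findall(r"\w+", line)
        for user, pw in pairs:
            needed = 2 if user == pw else 1
            if tokens.count(user) >= needed and pw in tokens:
                hits.append((lineno, user, pw))
    return hits


# Constructed device inventory (hashes computed here for the demo only).
INVENTORY = [
    {"host": "pi-lab-01", "vendor": "Raspberry Pi Foundation", "product": "Raspberry Pi OS",
     "username": "pi", "password_hash": sha256_hex("raspberry")},
    {"host": "pi-lab-02", "vendor": "Raspberry Pi Foundation", "product": "Raspberry Pi OS",
     "username": "pi", "password_hash": sha256_hex("correct horse battery staple")},
    {"host": "edge-rtr-1", "vendor": "ExampleCorp", "product": "Router X1",
     "username": "admin", "password_hash": sha256_hex("changeme")},
    {"host": "cam-7", "vendor": "ExampleCorp", "product": "Camera C2",
     "username": "operator", "password_hash": sha256_hex("12345")},
]

# Constructed snippet in the style of a copied forum answer.
SNIPPET = """\
# connection settings copied from a forum answer
ssh = connect(host="10.0.0.5", user="pi", password="raspberry")
ADMIN_USER = "admin"
db = connect(user="admin", password="admin")
"""

if __name__ == "__main__":
    for finding in audit_inventory(INVENTORY):
        print("device:", finding)
    for hit in scan_text_for_defaults(SNIPPET):
        print("snippet line:", hit)
```

The `"password"` finding kind is deliberate: `cam-7` has a non-default username but still carries the vendor's default password, and an audit that only checked full username/password pairs would miss it.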

Watch the replays of Spencer's and Curt's presentations, as well as other great sessions from Black Hat 2022, at our replay page.



[VIDEO] An Inside Look at Black Hat 2022 From the Rapid7 Team

Of all the cybersecurity conferences that fill up our summertime schedules, Hacker Summer Camp — the weeklong series of security events in Las Vegas that includes BSides, Black Hat, and DEF CON — holds a special place in our hearts. When else do so many members of the cybersecurity community come together to share their work, their challenges, and some quality face-to-face time? (We're particularly in need of that last one after missing out on so many full-scale events in 2020 and 2021.)

Black Hat is the centerpiece of this jam-packed lineup of cybersecurity sessions and meet-ups, both in terms of its timing at the middle of the week and the fact that it hosts the greatest number of speakers, presentations, and gatherings. There's a lot to recap each year from this one event alone, so we asked three of our Rapid7 team members who attended the event — Meaghan Donlon, Director of Product Marketing; Spencer McIntyre, Manager of Security Research; and Stephen Davis, Lead Sales Technical Advisor — to tell us about their experience. Here's a look at their highlights from Black Hat 2022.

What was it like being in Vegas and back at full-scale in-person conferences after two years?

[VIDEO] An Inside Look at Black Hat 2022 From the Rapid7 Team

What was your favorite presentation from Black Hat? What insights did the speaker offer that will change the way you think about security?

[VIDEO] An Inside Look at Black Hat 2022 From the Rapid7 Team



What We're Looking Forward to at Black Hat, DEF CON, and BSidesLV 2022

The week of Black Hat, DEF CON, and BSides is a highly anticipated annual tradition for the cybersecurity community, a weeklong chance for security pros from all corners of the industry to meet in Las Vegas to talk shop and share what they've spent the last 12 months working on.

But like many beloved in-person events, 2020 and 2021 put a major damper on this tradition for the security community, known unofficially as Hacker Summer Camp. Black Hat returned in 2021, but with a much heavier emphasis than previous years on virtual events over in-person offerings, and many of those who would have attended in non-COVID times opted to take in the briefings from their home offices instead of flying out to Vegas.

This year, however, the week of Black Hat is back in action, in a form that feels much more familiar for those who've spent years making the pilgrimage to Vegas each August. That includes a whole lot of Rapid7 team members — it's been a busy few years for our research and product teams alike, and we've got a lot to catch our colleagues up on. Here's a sneak peek of what we have planned from August 9-12 at this all-star lineup of cybersecurity sessions.

BSidesLV

The week kicks off on Tuesday, August 9 with BSides, a two-day event running on the 9th and 10th that gives security pros, and those looking to enter the field, a chance to come together and share knowledge. Several Rapid7 presenters will be speaking at BSidesLV, including:

  • Ron Bowes, Lead Security Researcher, who will talk about the surprising overlap between spotting cybersecurity vulnerabilities and writing capture-the-flag (CTF) challenges in his presentation "From Vulnerability to CTF."
  • Jen Ellis, Vice President of Community and Public Affairs, who will cover the ways in which ransomware and major vulnerabilities have impacted the thinking and decisions of government policymakers in her talk "Hot Topics From Policy and the DoJ."

Black Hat

The heart of the week's activities, Black Hat, features the highest concentration of presentations out of the three conferences. Our Research team will be leading the charge for Rapid7's sessions, with appearances from:

  • Curt Barnard, Principal Security Researcher, who will talk about a new way to search for default credentials more easily in his session, "Defaultinator: An Open Source Search Tool for Default Credentials."
  • Spencer McIntyre, Lead Security Researcher, who'll be covering the latest in modern attack emulation in his presentation, "The Metasploit Framework."
  • Jake Baines, Lead Security Researcher, who'll be giving not one but two talks at Black Hat.
    • He'll cover newly discovered vulnerabilities affecting the Cisco ASA and ASA-X firewalls in "Do Not Trust the ASA, Trojans!"
    • Then, he'll discuss how the Rapid7 Emergent Threat Response team manages an ever-changing vulnerability landscape in "Learning From and Anticipating Emergent Threats."
  • Tod Beardsley, Director of Research, who'll be beamed in virtually to tell us how we can improve the coordinated, global vulnerability disclosure (CVD) process in his on-demand presentation, "The Future of Vulnerability Disclosure Processes."

We'll also be hosting a Community Celebration to welcome our friends and colleagues back to Hacker Summer Camp. Come hang out with us, play games, collect badges, and grab a super-exclusive Rapid7 Hacker Summer Camp t-shirt. Head to our Black Hat event page to preregister today!

DEF CON

Rounding out the week, DEF CON offers lots of opportunities for learning and listening as well as hands-on immersion in its series of "Villages." Rapid7 experts will be helping run two of these Villages:

  • The IoT Village, where Principal Security Researcher for IoT Deral Heiland will take attendees through a multistep process for hardware hacking.
  • The Car Hacking Village, where Patrick Kiley, Principal Security Consultant/Research Lead, will teach you about hacking actual vehicles in a safe, controlled environment.

We'll also have no shortage of in-depth talks from our team members, including:

  • Harley Geiger, Public Policy Senior Director, who'll cover how legislative changes impact the way security research is carried out worldwide in his talk, "Hacking Law Is for Hackers: How Recent Changes to CFAA, DMCA, and Other Laws Affect Security Research."
  • Jen Ellis, who'll give two talks at DEF CON:
    • "Moving Regulation Upstream: An Increasing Focus on the Role of Digital Service Providers," where she'll discuss the challenges of drafting effective regulations in an environment where attackers often target smaller organizations that exist below the cybersecurity poverty line.
    • "International Government Action Against Ransomware," a deep dive into policy actions taken by global governments in response to the recent rise in ransomware attacks.
  • Jake Baines, who'll be giving his talk "Do Not Trust the ASA, Trojans!" on Saturday, August 13, in case you weren't able to catch it earlier in the week at Black Hat.

Whew, that's a lot — time to get your itinerary sorted. Get the full details of what we're up to at Hacker Summer Camp, and sign up for our Community Celebration on Wednesday, August 10, at our Black Hat 2022 event page.



Collaboration Drives Secure Cloud Innovation: Insights From AWS re:Inforce

This year's AWS re:Inforce conference brought together a wide range of organizations that are shaping the future of the cloud. Last week in Boston, cloud service providers (CSPs), security vendors, and other leading organizations gathered to discuss how we can go about building cloud environments that are both safe and scalable, driving innovation without sacrificing security.

This array of attendees looks a lot like the cloud landscape itself. Multicloud architectures are now the norm, and organizations have begun to search for ways to bring their lengthening lists of vendors together, so they can gain a more cohesive picture of what's going on in their environment. It's a challenge, to be sure — but also an opportunity.

These themes came to the forefront in one of Rapid7's on-demand booth presentations at AWS re:Inforce, "Speeding Up Your Adoption of CSP Innovation." In this talk, Chris DeRamus, VP of Technology - Cloud Security at Rapid7, sat down with Merritt Baer — Principal, Office of the CISO at AWS — and Nick Bialek — Lead Cloud Security Engineer at Northwestern Mutual — to discuss how organizations can create processes and partnerships that help them quickly and securely utilize new services that CSPs roll out. Here's a closer look at what they had to say.

Building a framework

The first step in any security program is drawing a line for what is and isn't acceptable — and for many organizations, compliance frameworks are a key part of setting that baseline. This holds true for cloud environments, especially in highly regulated industries like finance and healthcare. But as Merritt pointed out, what that framework looks like varies based on the organization.

"It depends on the shop in terms of what they embrace and how that works for them," she said. Benchmarks like CIS and NIST can be a helpful starting point in moving toward "continuous compliance," she noted, as you make decisions about your cloud architecture, but the journey doesn't end there.

For example, Nick said he and his team at Northwestern Mutual use popular compliance benchmarks as a foundation, leveraging curated packs within InsightCloudSec to give them fast access to the most common compliance controls. But from there, they use multiple frameworks to craft their own rigorous internal standards, giving them the best of all worlds.

The key is to be able to leverage detective controls that can find noncompliant resources across your environment so you can take automated actions to remediate — and to be able to do all this from a single vantage point. For Nick's team, that is InsightCloudSec, which provides them a "single engine to determine compliance with a single set of security controls, which is very powerful," he said.

Evaluating new services

Consolidating your view of the cloud environment is critical — but when you want to bring on a new service and quickly evaluate it for risk, Merritt and Nick agreed on the importance of embracing collaboration and multiplicity. When it's working well, a multicloud approach can allow this evaluation process to happen much more quickly and efficiently than a single organization working on their own.

"We see success when customers are embracing this deliberate multi-account architecture," Merritt said of her experience working with AWS users.

At Northwestern Mutual, Nick and his team use a group evaluation approach when onboarding a new cloud service. They'll start the process with the provider, such as AWS, then ask Rapid7 to evaluate the service for risks. Finally, the Northwestern Mutual team will do an assessment that pays close attention to the factors that matter most to them, like disaster recovery and identity and access management.

This model helps Nick and his team realize the benefits of the cloud. They want to be able to consume new services quickly so they can innovate at scale, but their team alone can't keep up the work needed to fully vet each new resource for risks. They need a partner that can help them keep pace with the speed and elasticity of the cloud.

"You need someone who can move fast with you," Nick said.

Automating at scale

Another key component of operating quickly and at scale is automation. "Reducing toil and manual work," as Nick put it, is essential in the context of fast-moving and complex cloud environments.

"The only way to do anything at scale is to leverage automation," Merritt insisted. Shifting security left means weaving it into all decisions about IT architecture and application development — and that means innovation and security are no longer separate ideas, but simultaneous parts of the same process. When security needs to keep pace with development, being able to detect configuration drift and remediate it with automated actions can be the difference between success and stalling out.

Plus, who actually likes repetitive, manual tasks anyway?

"You can really put a lot of emphasis on narrowing that gray area of human decision-making down to decisions that are truly novel or high-stakes," Merritt said.

This leveling-up of decision-making is the real opportunity for security in the age of cloud, Merritt believes. Security teams get to be freed from their former role as "the shop of no" and instead work as innovators to creatively solve next-generation problems. Instead of putting up barriers, security in the age of cloud means laying down new roads — and it's collaboration across internal teams and with external vendors that makes this new model possible.



[VIDEO] An Inside Look at AWS re:Inforce 2022 From the Rapid7 Team

The summer of conferences rolls on for the cybersecurity and tech community — and for us, the excitement of being able to gather in person after two-plus years still hasn't worn off. RSA was the perfect kick-off to a renewed season of security together, and we couldn't have been happier that our second big stop on the journey, AWS re:Inforce, took place right in our own backyard in Boston, Massachusetts — home not only to the Rapid7 headquarters but also a strong and vibrant community of cloud, security, and other technology pros.

We asked three of our team members who attended the event — Peter Scott, VP Strategic Enablement - Cloud Security; Ryan Blanchard, Product Marketing Manager - InsightCloudSec; and Megan Connolly, Senior Security Solutions Engineer — to answer a few questions and give us their experience from AWS re:Inforce 2022. Here's what they had to say.

What was your most memorable moment from AWS re:Inforce this year?

[VIDEO] An Inside Look at AWS re:Inforce 2022 From the Rapid7 Team

What was your biggest takeaway from the conference? How will it shape the way you think about cloud and cloud security practices in the months to come?

[VIDEO] An Inside Look at AWS re:Inforce 2022 From the Rapid7 Team

Thanks to everyone who came to say hello and talk cloud with us at AWS re:Inforce. We hope to see the rest of you in just under two weeks at Black Hat 2022 in Las Vegas!



What We’re Looking Forward to at AWS re:Inforce

AWS re:Inforce 2022 starts tomorrow — Tuesday, July 26th — and we couldn't be more excited to gather with the tech, cloud, and security communities in our home city of Boston. Here's a sneak peek of the highlights to come at re:Inforce and what we're looking forward to the most this Tuesday and Wednesday.

Expert insights at the Rapid7 booth

After two and half years of limited in-person gatherings, we have kind of a lot to say. That's why we're making the Rapid7 booth at AWS re:Inforce a hub for learning and sharing from our cybersecurity experts. Stop by and learn how our team members are tackling a range of topics in cloud and security overall, including:

  • Adapting Your VM Program for Cloud-Native Environments — Jimmy Green, VP of Software Engineering for Cloud, will walk through some of the key considerations when building a fully cloud-first approach to vulnerability management.
  • Speeding Up Your Adoption of CSP Innovation — Chris DeRamus, VP of Technology - Cloud, will detail how Rapid7 evaluates cloud service providers (CSPs) for risk in order to promote faster, more secure adoption.
  • Context Is King: The Future of Cloud Security Operations — Peter Scott, VP of Strategic Engagement for Cloud Security, will discuss why obtaining context around security data is key to managing complexity in cloud environments.
  • Hybrid Is Here: Is Your SOC Ready? — Megan Connolly, Senior Security Solutions Engineer, will highlight the role that extended detection and response (XDR) technology can play in helping SOCs move toward a cloud-first model.
  • InsightCloudSec Demo — Joe Brumbley, Cloud Security Solutions Engineer, and Sean Healy, Senior Domain Engineer - Enterprise Cloud Security, will show InsightCloudSec in action, taking you through the different use cases and features that enable integrated security for multi-cloud environments.

Sharing how we walk the walk

At Rapid7, we're laser-focused on helping companies accelerate in the cloud without compromising security. Our technology and expertise help security teams bring that vision to life — and they form the foundation for how we secure our own cloud infrastructure, too.

In the AWS re:Inforce featured session, "Walking the Walk: AWS Security at Rapid7," Ulrich Dangle (Director, Software Engineering - Platform) and Lauren Clausen Fenton (Manager, Software Engineering - Platform) will share their firsthand experiences developing, scaling, and operationalizing a cloud security program at Rapid7. They'll talk about how they manage to reduce risk while supporting Rapid7's business goals, as well as the needs of our fast-moving DevOps team.

Join us on Tuesday, July 26th, at 11:40 AM, or Wednesday, July 27th, at 10:05 AM to learn how our security team is working around-the-clock to keep our large cloud environment secure and compliant, with standardized configurations and a tried-and-true threat response playbook.

Conversations over cloudy beers

It's no secret that great craft beer is an integral part of tech culture — so where better to talk about all things cloud than a Boston brewery known for the cloudy appearance of its hazy New England IPAs?

On Tuesday, July 26th, from 5:15 PM to 8 PM, we'll be at Rapid7 Reception at Trillium Fort Point, right in the heart of the Seaport District. It's a perfect chance to network with your fellow protectors and meet some of our Rapid7 security experts over a double dry-hopped pale ale or a nitro milk stout. (If beer's not your thing, not to worry — we'll have wine and seltzer, too.)

If that wasn't enough...

Last but not least, we're giving away a vacation of your choice valued at $5,000! The more you engage with us at re:Inforce, the more chances you have to win. You'll be entered in the drawing when you stop by to see us at Booth 206 to receive a demo or watch a presentation, or when you attend the Rapid7 Reception at Trillium Fort Point.

Check out what we have planned and register with us today!

4 Strategies for Achieving Greater Visibility in the Cloud

The cloud giveth, and the cloud taketh away. It giveth development teams the speed and scale to get applications into production and deployment faster than ever; it taketh away security teams' comfort that they know exactly what's going on in their environment.

Much has been said about the inherently slippery and hard-to-pin-down nature of the cloud in recent months — who thought the word "ephemeral" would appear in as much technology content as it has in 2022? The conversation has grown more critical as high-impact open-source vulnerabilities have proliferated just as fast as multi-cloud architectures have become the standard operating model in IT.

In this context, achieving cross-environment visibility — i.e., the very thing the cloud makes difficult — has become more critical than ever. While it may seem like an uphill battle, one we're fighting against the very nature of the cloud, there are some strategies that can help in the effort. Here are four ways to put visibility at the center of your cloud security approach and understand what's going on in your environment with greater clarity.

1. Take an inventory

Multi-cloud environments are now the dominant model, with 89% of organizations using this approach. As distributed architectures become the norm and the number of cloud providers in play at any given organization continues to climb, it becomes difficult to understand exactly what services are in use at any given time. This is where the problem of cloud visibility really starts — "What services are actually in our environment?" becomes a complex question to answer.

Parting the clouds of confusion and gaining visibility begins with getting a complete asset inventory, so you can understand what components are in your environment and clearly evaluate the risk associated with them.

That's why it's critical that your cloud security solution can provide a single, standardized asset inventory across all cloud service providers. This capability provides the foundation for many of the subsequent steps that help promote visibility for security teams, including consolidating policy management and spotting cloud misconfigurations.

2. Monitor from one vantage point, not many

With a cohesive inventory of all cloud assets in place, the next step is to monitor the environment — and as you might have guessed, monitoring from a centralized hub is another key way to promote big-picture visibility. But with multiple cloud providers and SaaS solutions, each with their own data and dashboards, actually achieving that consolidated view is easier said than done.

A cloud security tool that provides centralized monitoring can let you see the full picture of activity across a multi-cloud environment. This level of clarity will help you evaluate risks not just at the level of an individual cloud service but holistically, in the environment as a whole. And with developers working in a variety of platforms to innovate and iterate as quickly as possible, centralized monitoring also helps you quickly identify and remediate any issues that arise during development, such as unwanted configurations or compliance issues.

3. Prioritize risks through analytics

Alert fatigue is one of the biggest contributors to the noisiness that inundates security teams. Security operations center (SOC) analysts know this all too well when they're faced with huge volumes of alerts from a security information and event management (SIEM) solution. Especially when there's a continued shortage of cybersecurity talent, there just aren't enough hours in the day to chase down every alert.

A similar effect can take hold when monitoring cloud environments for risks and vulnerabilities. With increased complexity thanks to a growing number of services and a multitude of endpoints, how do you know what risks to prioritize and tackle first?

Analytics can help shed light on this often-cloudy picture, utilizing algorithms to set a baseline for "normal" activity, spot anomalies, and prioritize them based on severity. It's one way to gain context on the data when you can't get the whole story as quickly as you need it. Some cloud security solutions provide these insights through integrations with cloud service provider (CSP) tools like Amazon GuardDuty, which continuously monitors for malicious activity in AWS environments.

4. Embrace automation

The first three steps are all about how security teams can collect and interpret data to more fully understand their cloud environments — but data is only as good as what you do with it. That's where automation comes in: It helps standardize the remediation steps that occur after a security risk is identified.

Automation is often thought of as a means to increase speed and efficiency — and that's certainly true. Being able to automatically set specific remediation actions in motion when a threat is detected can help reduce the time and effort it takes to mitigate the issue and reduce its potential impact. But automation can also be a key toward improving visibility.

When you're looking back at a now-resolved security issue, understanding the timeline and sequence of events often becomes a hazy picture, especially when your team is working with increased urgency and speed. If you've set up automated actions as a standardized part of the remediation process, you won't need to ask as many questions about what mitigation steps were taken, when, and who authorized them. There will surely be a large human element involved in mitigating cloud security issues, but automation can help provide structure and repeatability to the effort, streamlining the process and reducing the number of places where confusion can creep in.

How are you handling cloud visibility challenges?

How to secure cloud environments effectively is an ongoing, dynamic conversation, and new difficulties surely lie ahead — but when security practitioners face challenges, they tend (rightly) to turn to their best and most reliable resource: each other.

What kinds of challenges is your team facing when it comes to achieving visibility in the cloud? Come chat with us at AWS re:Inforce on July 26-27, 2022 — we want to hear how you're tackling these issues as you work toward fully cloud-native security.

3 Key Challenges for Cloud Identity and Access Management

Identity and access management (IAM) is one of the most critical tools for today's cloud-centric environment. Businesses' IT architectures have become more highly distributed than ever, and users need to access a growing suite of cloud services on demand. Determining the identities of users and resources, and what services each user needs access to, is critical to cloud-native security. It provides the basis for enforcing the principle of least privilege, which aims to minimize risk by giving each user the lowest level of access they need without limiting their job effectiveness or reducing productivity.

But getting an IAM solution up and running comes with its own headaches and stresses — especially in the context of complex cloud environments. Here are three of the main challenges that security teams face when implementing a cloud IAM solution, as well as some strategies to help tackle them.

1. Onboarding without errors

The first step is always the hardest, right? Getting your entire team onboarded with the correct level of access is the earliest snag many organizations hit with IAM.

Obviously, large enterprises with huge numbers of employees will likely feel this pinch more than others. But with cloud complexity now fully entrenched at even small and mid-sized organizations, making sure each team member has the correct level of access to the right applications on day one can seem like an overwhelming task, no matter how large your team. The stakes of a misstep here are high: Improperly configuring user access not only introduces risk, it can also slow down employees in their critical tasks — hindering the business's ability to provide value for customers.

One of the keys to success here is having a tool that makes it easy to adhere to the principle of least-privileged access. Role-based access controls, for example, help assign user rights in an automated way based on the team member's job function and department. This can help take some pressure off the security team to stay up-to-the-minute on every employee's access and allows necessary changes to be made faster.

2. Integration across services

Cloud adoption is big and sprawling. The average company now uses 110 software-as-a-service (SaaS) applications, and for large enterprises, some estimates put the number of cloud services in play at over 1,900.

That's a whole lot of solutions to integrate with your IAM platform — and if every user currently has a separate, distinct identity when they sign on to each application, the numbers grow exponentially. When implementing IAM, network administrators need to take full stock of all cloud services in play, as well as ensure any new services that teams subsequently bring on board are integrated with IAM. At large, growing companies where things move quickly, that can mean provisioning several new services per week or per month.

To help alleviate these issues and reduce complexity, it's critical to integrate your IAM platform with a single sign-on (SSO) tool that allows users to access SaaS applications with a single identity, linked to a central directory. While there are still quite a number of integrations necessary to make this happen, the one-two punch of IAM and SSO provides much-needed structure to that complex picture. It also helps out the end user, providing them the convenience of only needing one sign-on identity to access all their critical applications.

3. Maintaining and auditing identities

In cloud computing as in life, change is the only constant. Not only are organizations onboarding new cloud services all the time, but they also see employees leave, change roles, switch offices, and transition to fully remote work. Any of these actions may bring about some needed adjustment in a team member's access permissions.

IAM can't be a set-it-and-forget-it solution. Improperly provisioning and deprovisioning users — i.e., granting access where it may not be needed, or failing to remove access when an employee leaves or switches teams — can lead to major gaps in an organization's risk profile. It can allow the proliferation of so-called "zombie accounts," identities that still exist for users who are inactive. It can also result in an excess of admin accounts, giving users the highest level of access even if they may not need it.

Automation is one of the best tools to help security teams circumvent issues associated with out-of-date identities and improper access provisioning. If you have rules set up for reducing or removing access privileges when an employee leaves, for example, you can get ahead of the problem before it grows. Behavioral analytics can also be immensely helpful in spotting dormant accounts or removing access to applications and services that haven't been used for a prolonged period of time. It can also help identify unusual user actions, which could indicate an account has been provisioned incorrectly.
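As an added illustration of the rules this section describes (not code from the original post or from any vendor's product), the following script audits a constructed directory export for zombie accounts, dormant accounts, entitlements outside a role-based baseline, and entitlements that have gone unused. The record schema, the department-to-application baseline and the 90-day threshold are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

DORMANT_DAYS = 90  # assumed threshold for "prolonged period" of inactivity

# Hypothetical role-based baseline: which applications each department should hold.
# "admin" outside the IT baseline is the "excess admin account" case from the text.
ROLE_BASELINE = {"finance": {"ledger"}, "eng": {"ci", "repo"}, "it": {"ci", "repo", "admin"}}

@dataclass
class Identity:
    user: str
    dept: str
    hr_status: str                     # "active" or "terminated", from the HR system of record
    enabled: bool                      # whether the IAM identity can still sign in
    last_sign_in: Optional[date]       # None = never signed in
    entitlements: Dict[str, Optional[date]] = field(default_factory=dict)  # app -> last used

Finding = Tuple[str, str, str]         # (user, finding kind, detail)

def audit(identities: List[Identity], today: date, dormant_days: int = DORMANT_DAYS) -> List[Finding]:
    """Return deprovisioning / least-privilege actions to review, in directory order."""
    cutoff = today - timedelta(days=dormant_days)
    findings: List[Finding] = []
    for who in identities:
        # Zombie account: HR says the person left, but the identity still works.
        if who.hr_status == "terminated" and who.enabled:
            findings.append((who.user, "zombie_account", "disable identity; HR status is terminated"))
            continue  # entitlement review is moot once the identity is disabled
        # Dormant account: enabled but not used within the threshold (or never).
        if who.enabled and (who.last_sign_in is None or who.last_sign_in < cutoff):
            findings.append((who.user, "dormant_account", f"no sign-in since {who.last_sign_in}"))
        allowed = ROLE_BASELINE.get(who.dept, set())
        for app, last_used in who.entitlements.items():
            if app not in allowed:
                findings.append((who.user, "out_of_role_entitlement", f"{app} not in {who.dept} baseline"))
            elif last_used is None or last_used < cutoff:
                findings.append((who.user, "unused_entitlement", f"{app} unused since {last_used}"))
    return findings

# Constructed sample export (not real data).
AS_OF = date(2022, 7, 1)
SAMPLE = [
    Identity("alice", "finance", "active", True, date(2022, 6, 28),
             {"ledger": date(2022, 6, 27), "admin": date(2022, 2, 1)}),
    Identity("bob", "eng", "terminated", True, date(2022, 3, 1), {"repo": date(2022, 2, 28)}),
    Identity("carol", "eng", "active", True, date(2022, 1, 15),
             {"ci": date(2022, 1, 10), "repo": date(2022, 1, 12)}),
    Identity("dave", "it", "active", True, date(2022, 6, 30),
             {"admin": date(2022, 6, 29), "ci": date(2022, 6, 30)}),
]

def sample_findings() -> List[Finding]:
    return audit(SAMPLE, AS_OF)

if __name__ == "__main__":
    for user, kind, detail in sample_findings():
        print(f"{user:6} {kind:24} {detail}")
```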

What cloud IAM issues are you facing?

Complexity is the tradeoff of the flexibility and scale that cloud architectures offer — which makes it all the more important to streamline wherever possible. Having a unified solution that provides IAM alongside the other key elements of cloud security can save security teams a lot of time and stress, helping them identify and remediate risks more quickly.

What kinds of IAM challenges is your team facing? Come chat with us at AWS re:Inforce on July 26-27, 2022 — we want to hear how you're tackling IAM as you work toward fully cloud-native security.


Security Is Shifting in a Cloud-Native World: Insights From RSAC 2022

The cloud has become the default for IT infrastructure and resource delivery, allowing an unprecedented level of speed and flexibility for development and production pipelines. This helps organizations compete and innovate in a fast-paced business environment. But as the cloud becomes more ingrained, the ephemeral nature of cloud infrastructure is presenting new challenges for security teams.

Several talks by our Rapid7 presenters at this year's RSA Conference touched on this theme. Here's a closer look at what our RSAC 2022 presenters had to say about adapting security processes to a cloud-native world.

A complex picture

As Lee Weiner, SVP Cloud Security and Chief Innovation Officer, pointed out in his RSA briefing, "Context Is King: The Future of Cloud Security," cloud adoption is not only increasing — it's growing more complex. Many organizations are bringing on multiple cloud vendors to meet a variety of different needs. One report estimates that a whopping 89% of companies that have adopted the cloud have chosen a multicloud approach.

This model is so popular because of the flexibility it offers organizations to utilize the right technology, in the right cloud environment, at the right cost — a key advantage in today's marketplace.

"Over the last decade or so, many organizations have been going through a transformation to put themselves in a position to use the scale and speed of the cloud as a strategic business advantage," Jane Man, Director of Product Management for VRM, said in her RSA Lounge presentation, "Adapting Your Vulnerability Management Program for Cloud-Native Environments."

While DevOps teams can move more quickly than ever before with this model, security pros face a more complex set of questions than with traditional infrastructure, Lee noted. How many of our instances are exposed to known vulnerabilities? Do they have proper identity and access management (IAM) controls established? What levels of access do those permissions actually grant users in our key applications?

New infrastructure, new demands

The core components of vulnerability management remain the same in cloud environments, Jane said in her talk. Security teams must:

  • Get visibility into all assets, resources, and services
  • Assess, prioritize, and remediate risks
  • Communicate the organization's security and compliance posture to management

But because of the ephemeral nature of the cloud, the way teams go about completing these requirements is shifting.

"Running a scheduled scan, waiting for it to complete and then handing a report to IT doesn't work when instances may be spinning up and down on a daily or hourly basis," she said.

In his presentation, Lee expressed optimism that the cloud itself may help provide the new methods we need for cloud-native security.

"Because of the way cloud infrastructure is built and deployed, there's a real opportunity to answer these questions far faster, far more efficiently, far more effectively than we could with traditional infrastructure," he said.

Calling for context

For Lee, the goal is to enable secure adoption of cloud technologies so companies can accelerate and innovate at scale. But there's a key element needed to achieve this vision: context.

What often prevents teams from fully understanding the context around their security data is the fact that it is siloed, and the lack of integration between disparate systems requires a high level of manual effort to put the pieces together. To really get a clear picture of risk, security teams need to be able to bring their data together with context from each layer of the environment.

But what does context actually look like in practice, and how do you achieve it? Jane laid out a few key strategies for understanding the context around security data in your cloud environment.

  • Broaden your scope: Set up your VM processes so that you can detect more than just vulnerabilities in the cloud — you want to be able to see misconfigurations and issues with IAM permissions, too.
  • Understand the environment: When you identify a vulnerable instance, identify if it is publicly accessible and what its business application is — this will help you determine the scope of the vulnerability.
  • Catch early: Aim to find and fix vulnerabilities in production or pre-production by shifting security left, earlier in the development cycle.

4 best practices for context-driven cloud security

Once you're able to better understand the context around security data in your environment, how do you fit those insights into a holistic cloud security strategy? For Lee, this comes down to four key components that make up the framework for cloud-native security.

1. Visibility and findings

You can't secure what you can't see — so the first step in this process is to take a full inventory of your attack surface. With different kinds of cloud resources in place and providers releasing new services frequently, understanding the security posture of these pieces of your infrastructure is critical. This includes understanding not just vulnerabilities and misconfigurations but also access, permissions, and identities.

"Understanding the layer from the infrastructure to the workload to the identity can provide a lot of confidence," Lee said.

2. Contextual prioritization

Not everything you discover in this inventory will be of equal importance, and treating it all the same way just isn't practical or feasible. The vast amount of data that companies collect today can easily overwhelm security analysts — and this is where context really comes in.

With integrated visibility across your cloud infrastructure, you can make smarter decisions about what risks to prioritize. Then, you can assign ownership to resource owners and help them understand how those priorities were identified, improving transparency and promoting trust.

3. Prevent and automate

The cloud is built with automation in mind through Infrastructure as Code — and this plays a key role in security. Automation can help boost efficiency by minimizing the time it takes to detect, remediate, or contain threats. A shift-left strategy can also help with prevention by building security into deployment pipelines, so production teams can identify vulnerabilities earlier.

Jane echoed this sentiment in her talk, recommending that companies "automate to enable — but not force — remediation" and use tagging to drive remediation of vulnerabilities found running in production.

4. Runtime monitoring

The next step is to continually monitor the environment for vulnerabilities and threat activity — and as you might have guessed, monitoring looks a little different in the cloud. For Lee, it's about leveraging the increased number of signals to understand if there's any drift away from the way the service was originally configured.
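One concrete reading of "drift away from the way the service was originally configured" is to diff the configuration declared in Infrastructure as Code against a snapshot of what is actually running. The script below is an added example, not code from the presentation or from Rapid7; the resource names, configuration fields and both snapshots are constructed, and it also reports resources that exist only on one side (unmanaged or missing), which the talk does not spell out.

```python
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (resource, finding kind, detail)

def flatten(cfg: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Flatten nested config into dotted keys so two snapshots compare field by field."""
    out: Dict[str, Any] = {}
    for key, value in cfg.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, path + "."))
        else:
            out[path] = value
    return out

def detect_drift(declared: Dict[str, Dict[str, Any]],
                 observed: Dict[str, Dict[str, Any]]) -> List[Finding]:
    """Compare the IaC-declared state with a runtime snapshot, resource by resource."""
    findings: List[Finding] = []
    for name in sorted(set(declared) | set(observed)):
        if name not in declared:
            findings.append((name, "unmanaged", "present at runtime but not declared in IaC"))
            continue
        if name not in observed:
            findings.append((name, "missing", "declared in IaC but absent at runtime"))
            continue
        want, have = flatten(declared[name]), flatten(observed[name])
        for field_path in sorted(set(want) | set(have)):
            if want.get(field_path) != have.get(field_path):
                findings.append((name, "drift",
                                 f"{field_path}: declared={want.get(field_path)!r} "
                                 f"observed={have.get(field_path)!r}"))
    return findings

# Constructed snapshots (hypothetical resources and fields, not a real environment).
DECLARED = {
    "logs-bucket": {"public_access_block": True,
                    "encryption": {"enabled": True, "algorithm": "AES256"},
                    "tags": {"owner": "security"}},
    "api-sg": {"ingress": ["tcp/443 from 10.0.0.0/8"]},
    "audit-trail": {"enabled": True},
}
OBSERVED = {
    "logs-bucket": {"public_access_block": False,  # someone flipped this after deploy
                    "encryption": {"enabled": True, "algorithm": "AES256"},
                    "tags": {"owner": "security"}},
    "api-sg": {"ingress": ["tcp/443 from 10.0.0.0/8"]},
    "debug-vm": {"public_ip": True},                # created by hand, never declared
}

def sample_drift() -> List[Finding]:
    return detect_drift(DECLARED, OBSERVED)

if __name__ == "__main__":
    for resource, kind, detail in sample_drift():
        print(f"{resource:12} {kind:10} {detail}")
```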

He also recommended using behavioral analysis to detect threat activity and setting up purpose-built detections that are specific to cloud infrastructure. This will help ensure the security operations center (SOC) has the most relevant information possible, so they can perform more effective investigations.

Lee stressed that in order to carry out the core components of cloud security and achieve the outcomes companies are looking for, having an integrated ecosystem is absolutely essential. This will help prevent data from becoming siloed, enable security pros to obtain that ever-important context around their data, and let teams collaborate with less friction.

Looking for more insights on how to adapt your security program to a cloud-native world? Check out Lee's presentation on demand, or watch our replays of Rapid7 speakers' sessions from RSAC 2022.
