Category: InsightCloudSec

On November 6th, the National Institute of Standards and Technology (NIST) issued an update to SP 800-53, a NIST-curated catalog of controls that organizations can implement to effectively manage security and privacy risk. In this blog we’ll cover the new and updated controls within patch release 5.1.1, as well as review how Rapid7 InsightCloudSec helps security teams implement and continuously enforce them across their organizations. Let’s dive right in.

Updates to NIST SP 800-53 Compliance Pack: What You Need to Know About Revision 5.1.1

Unlike the large revision that occurred a few years back when Revision 5 was released - which brought with it nearly 270 control updates in aggregate - this update doesn’t have quite the far-reaching implications. That said, there are a few changes to be aware of. Release 5.1.1 added one new control with three supporting control enhancements, along with some minor grammar and formatting structure changes to other existing controls. Organizations are not mandated to implement the new control and have the option to defer implementation until SP 800-53 Release 6.0.0 is issued, however there is no defined timeline for when 6.0.0 will be released.

While there is no mandate at this time, the team here at Rapid7 generally advises our customers to adopt new patch releases immediately to ensure alignment with the most up-to-date best practices and that your team is covered for emerging attack vectors. In this case, we recommend adopting 5.1.1 primarily to ensure you’re effectively implementing encryption and authentication controls across your environment.

The newly-added control is Identification and Authentication (or IA-13) which states that organizations should “Employ identity providers and authorization servers to manage user, device, and non-person entity (NPE) identities, attributes, and access rights supporting authentication and authorization decisions.”

IA-13 has been broken down by NIST into three supporting control enhancements:

• IA-13 (01) - Cryptographic keys that protect access tokens are generated, managed, and protected from disclosure and misuse.
• IA-13 (02) - The source and integrity of identity assertions and access tokens are verified before granting access to system and information resources.
• IA-13 (03) - Assertions and access tokens are continuously refreshed, time-restricted, audience-restrained and revoked when necessary and after a defined period of non-use.

So, what does all that mean? Put simply, organizations should implement controls to effectively track and manage user and system entity permissions to ensure only authorized users are permitted access to corporate systems or data. This includes the proper use of encryption, hygiene and lifecycle management for access tokens.

This is, of course, a much needed and community-requested addition that speaks to the growing awareness and criticality of implementing checks and guardrails to mitigate identity-related risk. A key component of this equation is implementing a solution that can help you detect areas of your cloud environment that haven’t fully implemented these controls. This can be a particularly challenging thing to manage in a cloud environment, given its democratized nature, the sheer volume of identities and permissions that need to be managed and the ease with which improper allocation of permissions and privileges can occur.

Implement and Continuously Enforce NIST SP 800-53 Rev. 5 with InsightCloudSec

InsightCloudSec allows security teams to establish and continuously measure compliance against organizational policies, whether they’re based on service provider best practices, a common industry framework, or a custom pack tailored to specific business needs.

A compliance pack within InsightCloudSec is a set of checks that can be used to continuously assess your cloud environments for compliance with a given regulatory framework, or industry or provider best practices. The platform comes out of the box with 40+ compliance packs, including a dedicated pack for NIST SP 800-53 Rev. 5.1.1, which now provides an additional 14 insights that align to the newly-added IA-13.

The dedicated pack provides 367 Insights checking against 128 NIST SP 800-53 Rev. 5.1.1 requirements that assess your multi cloud environment for compliance with the controls outlined by NIST. With extensive support for various resource types across all major cloud service providers (CSPs), security teams can confidently implement and continuously enforce compliance with SP 800-53 Rev 5.1.1.

InsightCloudSec continuously assesses your entire multi-cloud environment for compliance with one or more compliance packs and detects noncompliant resources within minutes after they are created or an unapproved change is made. If you so choose, you can make use of the platform’s native, no-code automation to contact the resource owner, or even remediate the issue—either via deletion or by adjusting the configuration or permissions—without any human intervention.

For more information about how to use InsightCloudSec to implement and enforce compliance standards like those outlined in NIST SP 800-53 Rev. 5.1.1, be sure to check out the docs page! For more on our cloud identity and access management capabilities, we’ve got some additional information on that here.

Over the past decade, cloud computing has evolved into a cornerstone of modern business operations. Its flexibility, scalability, and efficiency have reshaped industries and brought unprecedented opportunities.

However, this transformation has come with challenges—most notably those associated with cloud security. Our new cloud security webinar series will explore the dynamic landscape of cloud security, unveiling key trends, pinpointing critical challenges, and providing actionable insights tailored to security professionals.

In Commanding Cloud Strategies, the first webinar of the series, Rapid7's Chief Security Officer Jaya Baloo and other experts will share their thoughts on the cloud challenges that security leaders face and offer insights on how to overcome them.

Please register for the first episode of our Cloud Security Series here to find out what our security experts think are the top strategies to overcome these challenges and considerations.

Armed with the knowledge and insights provided in part-one, security professionals will be better equipped to safeguard their cloud environments and data assets in the modern digital landscape.

To learn more, check out the webinar abstract below.

Commanding Cloud Strategies Webinar Abstract

In the ever-evolving world of cloud security, staying ahead of the curve is paramount. Over the past ten years, several trends have emerged, shaping how organizations safeguard their digital assets.

The shift towards a shared responsibility model, greater emphasis on automation and orchestration, and a growing focus on identity and access management (IAM) are among the defining trends.

Cloud Security Challenges

• Data Privacy and Compliance: Ensuring data protection and regulatory compliance within cloud environments is a persistent challenge. As data becomes more mobile and diverse, maintaining compliance becomes increasingly complex.
• Evolving Threat Landscape: The threat landscape is in constant flux, with cyberattacks targeting cloud infrastructure and applications growing in sophistication. Security professionals must adapt to this ever-changing landscape to keep their organizations safe.

Considerations in Cloud Security

• Scalable Security Architecture: Large enterprises must design security architectures that are both scalable and flexible to adapt to evolving cloud infrastructure and workload needs. The ability to scale security measures efficiently is crucial.
• Identity and Access Management (IAM): Given the intricate web of user roles and permissions in large organizations, effective IAM is essential. Organizations should prioritize IAM solutions that streamline access while maintaining security.

Understanding Risk

Understanding cybersecurity risk is at the heart of cloud security. Effective risk assessment and mitigation involve evaluating internal and external tactics that could compromise an organization's digital assets and information security. Our security experts will delve into this critical domain's core challenges and considerations in the session.

Challenges in Understanding Risk

• Complexity of Cloud Ecosystems: Successful organizations often operate intricate cloud ecosystems with numerous interconnected services and platforms. Navigating this complexity while assessing risk can be daunting.
• Lack of Skilled Cybersecurity Personnel: The need for more skilled cybersecurity professionals capable of analyzing and managing cloud security risks is a widespread challenge. Organizations must find and retain the right talent to stay secure.

Considerations for Understanding Risk

• Risk Assessment and Prioritization: Organizations should prioritize the identification and assessment of cloud security risks based on their potential impact and likelihood. Effective risk assessment tools and threat modelling can help in this regard.
• Continuous Monitoring and Response: Establishing a robust, real-time monitoring system is essential. It allows organizations to continuously assess cloud environments for security incidents and respond promptly to emerging threats. Integrating Security Information and Event Management (SIEM) and DevSecOps practices can enhance this capability.

Threat Intelligence

In cloud security, threat intelligence is pivotal in staying one step ahead of potential threats and vulnerabilities. Effective threat intelligence involves collecting, analyzing, and disseminating timely information to protect cloud environments and data assets proactively.

Challenges in Threat Intelligence

• Data Overload and False Positives: Organizations generate vast amounts of security data, including threat intelligence feeds. Managing this data can lead to data overload and false positives, causing alert fatigue.
• Integration and Compatibility: Integrating threat intelligence feeds into existing security infrastructure can be complex, as different sources may use varying formats and standards.

Considerations in Threat Intelligence

• Customization and Contextualization: To make threat intelligence actionable, organizations should customize it to their specific cloud environments, industry, and business context. Tailored alerting rules and threat-hunting workflows can enhance effectiveness.
• Sharing and Collaboration: Collaborating with industry peers, Information Sharing and Analysis Centers (ISACs), and government agencies for threat intelligence sharing can provide valuable insights into emerging threats specific to the industry.

Security Capabilities

Cloud security capabilities encompass the ability to comprehend evolving risks, establish benchmark standards, and take immediate, informed actions to safeguard cloud environments and data assets effectively. The final topic in the webinar will explore the core challenges and considerations in building robust security capabilities.

Challenges in Security Capabilities

• Resource Allocation and Prioritization: Allocating resources effectively across vast cloud environments can be challenging, leading to difficulties prioritizing security efforts and ensuring critical areas receive the necessary attention and investment.
• Complexity of Hybrid and Multi-Cloud Environments: Managing security capabilities becomes particularly challenging when organizations operate in hybrid or multi-cloud environments. Ensuring consistent security practices and policies across different platforms and providers requires specialized expertise.

Considerations in Security Capabilities

• Integrated Security Ecosystem: Organizations should strive to create an integrated security ecosystem that combines various security tools, technologies, and processes to provide a comprehensive view of their cloud environment.
• Scalability and Elasticity: Cloud security capabilities should be designed to scale and adapt to the organization's evolving cloud infrastructure and workloads. This includes automated resource scaling and continuous security testing.

The Center for Internet Security (CIS) recently released version two of their AWS Benchmark. CIS AWS Benchmark 2.0.0 brings two new recommendations and eliminates one from the previous version. The update also includes some minor formatting changes to certain recommendation descriptions.

In this post, we’ll talk a little bit about the “why” behind these changes. We’ll also look at using InsightCloudSec’s new, out-of-the-box compliance pack to implement and enforce the benchmark’s recommendations.

What’s new, what’s changed, and why

Version 2.0.0 of the CIS AWS Benchmark included two new recommendations:

• Ensure access to AWSCloudShellFullAccess is restricted
  An important addition from CIS, this recommendation focuses on restricting access to the AWSCloudShellFullAccess policy, which presents a potential path for data exfiltration by malicious cloud admins that are given full permissions to the service. AWS documentation describes how to create a more restrictive IAM policy that denies file transfer permissions.
• Ensure that EC2 Metadata Service only allows IMDSv2
  Users should be using IMDSv2 to avoid leaving your EC2 instances susceptible to Server-Side Request Forgery (SSRF) attacks, a critical fault of IMDSv1.

The update also included the removal of the previous recommendation:

• Ensure all S3 buckets employ encryption-at-rest
  This recommendation was removed because AWS now encrypts all new objects by default as of January 2023. It’s important to note that this only applies to newly created S3 buckets. So, if you’ve got some buckets that have been kicking around for a while, make sure they are employing encryption-at-rest and that it can not be inadvertently turned off at some point down the line.

Along with these changes, CIS also made a few minor changes related to the wording in some of the benchmark titles and descriptions.

How does ICS help me implement this in my environment?

Available as a compliance pack within InsightCloudSec right out-of-the-box, Rapid7 makes it easy for teams to scan their AWS environments for compliance against the recommendations and controls outlined in the CIS AWS Benchmark. If you’re not yet using InsightCloudSec today, be sure to check out the docs pages here, which will guide you through getting started with the platform.

Once you’re up and running, scoping your compliance assessment to a specific pack is as easy as 4 clicks. First, from the Compliance Summary page  you’ll want to select your desired benchmark. In this case, of course, CIS AWS Benchmark 2.0.0.

From there, we can select the specific cloud or clouds we want to scan.

And because we’ve got our badging and tagging strategies in order (right…….RIGHT?!) we can hone in even further. For this example, let’s focus on the production environment.

You’ll get some trending insights that show how your organization as a whole, as well as how specific teams and accounts are doing and whether or not you’re seeing the improvement over time.

Finally, if you’ve got a number of cloud accounts and/or clusters running across your environment, you can even scope down to that level. In this example, we’ll select all.

Once you’ve got your filters set, you can apply and get real-time insight into how well your organization is adhering to the CIS AWS Benchmark. As with any pack, you can see your current compliance score overall along with a breakdown of the risk level associated with each instance of non-compliance.

So as you can see, it’s fairly simple to assess your cloud environment for compliance with the CIS AWS Benchmark with a cloud security tool like InsightCloudSec. If you’re just starting your cloud security journey or aren’t really sure where to start, utilizing an out-of-the-box compliance pack is a great way to set a foundation to build off of.

In fact, Rapid7 recently partnered with AWS to help organizations in that very situation. Using a combination of market-leading technology and hands-on expertise, our AWS Cloud Risk Assessment provides a point-in-time understanding of your entire AWS cloud footprint and its security posture.

During the assessment, our experts will inspect your cloud environment for more than 100 distinct risks and misconfigurations, including publicly exposed resources, lack of encryption, and user accounts not utilizing multi-factor authentication. At the end of this assessment, your team will receive an executive-level report aligned to the AWS Foundational Security Best Practices, participate in a read-out call, and discuss next steps for executing your cloud risk mitigation program alongside experts from Rapid7 and our services partners.

If you’re interested, be sure to reach out about the AWS Cloud Risk Assessment with this quick request form!

Particularly at enterprise scale, it’s not uncommon to have hundreds of thousands of resources running across your cloud environments at any given time. Of course, these resources aren’t running independently. In modern environments, these resources are all interconnected and in many cases interdependent. This interconnectivity means that if one resource or account is compromised, the whole system is at risk. Should a bad actor gain access to your systems via an open port, there are a number of avenues for them to move laterally across your environment, and even across environments, if your cloud environment is connected to your on-premises network.

Because of this, security teams need to understand how resources deployed across their environment relate to and interact with each other to effectively assess and prioritize risk remediation efforts.

For example, it’s helpful to know whether or not a resource is publicly available and it shouldn’t be, but what if that’s not the whole story? Perhaps that resource also provided an avenue to a database that was housing sensitive customer data, or was assigned a role that enabled it to escalate privileges and cause havoc across your environment. These types of toxic combinations compound risk and widen the potential blast radius should a resource or account be compromised.

Introducing Attack Path Analysis in InsightCloudSec

Attack Path Analysis provides a graph-based visualization that enables users to quickly identify the potential avenues that bad actors could use to navigate your cloud environment to exploit a vulnerable resource and/or access sensitive information.

With Attack Path Analysis, you can:

• Visualize risk across your cloud environments in real-time, mapping relationships between compromised resources and the rest of your environment.
• Prioritize remediation efforts by understanding the toxic risk combinations present in your environment that provide bad actors avenues to access business-critical resources and sensitive data.
• Clearly communicate risk and the potential impact of an exploit to non-technical stakeholders with easy-to-consume attack path visualizations.

Identifying Toxic Combinations that Compound Risk and Widen the Blast Radius of an Attack

To effectively prioritize remediation efforts for the various risk signals across your environment, you need to take into account exploitability—whether or not a vulnerable account or resource can actually be accessed by a bad actor—and the potential impact should that vulnerable resource be compromised.

As an example, let’s dive into an attack path that highlights a publicly exposed compute instance with an attached privileged role. This can be exceedingly difficult to identify, because there are a variety of reasons that a compute instance might be assigned a set of permissions. When that instance is also publicly accessible, even if not directly, this can quickly become a major issue.

In this scenario, the environment would be susceptible to account takeover attacks, in which an attacker can gain control of the instance and use its assigned privileges to steal sensitive data such as login credentials, customer data, financial information or intellectual property. Perhaps even worse, the instance could be weaponized to launch attacks on other systems, cause a denial of service (DOS), or distribute malware across your network.

To remediate this issue, you’ll want to perform an audit to understand whether the compute instance needs to have the permissions and privileges it’s been granted and if it needs to be publicly accessible. Chances are, the answer to one or both will be “no”, and you’ll want to close off public access and/or adjust the privileges assigned to the resource in question.

There are a variety of attack paths that can be detected and investigated in InsightCloudSec upon launch, and we’ll continue to add more in the coming quarters. If you’re interested in learning more about Attack Path Analysis in InsightCloudSec, be sure to check out the dedicated docs page!

The term “Shadow IT” refers to the use of systems, devices, software, applications, and services without explicit IT approval. This typically occurs when employees adopt consumer products to increase productivity or just make their lives easier. This type of Shadow IT can be easily addressed by implementing policies that limit use of consumer products and services. However, Shadow IT can also occur at a cloud infrastructure level. This can be exceedingly hard for organizations to get a handle on.

Historically, when teams needed to provision infrastructure resources, this required review and approval of a centralized IT team—who ultimately had final say on whether or not something could be provisioned. Nowadays, cloud has democratized ownership of resources to teams across the organization, and most organizations no longer require their development teams to request resources in the same manner. Instead, developers are empowered to provision the resources that they need to get their jobs done and ship code efficiently.

This dynamic is critical to achieving the promise of speed and efficiency that cloud, and more specifically DevOps methodologies, offer. The tradeoff here, however, is control. This paradigm shift means that development teams are spinning up resources without the security team’s knowledge. Obviously, the adage “you can’t secure what you can’t see” comes into play here, and you’re now running blind to the potential risk that this could pose to your organization in the event it was configured improperly

Cloud Shadow IT risks

Blind spots: As noted above, since security teams are unaware of Shadow IT assets, security vulnerabilities inevitably go unaddressed. Dev teams may not understand (or simply ignore) the importance of cloud security updates, patching, etc for these assets.

Unprotected data: Unmitigated vulnerabilities in these assets can put businesses at risk of data breaches or leaks, if cloud resources are accessed by unauthorized users. Additionally, this data will not be protected with centralized backups, making it difficult, if not impossible, to recover.

Compliance problems: Most compliance regulations requirements for processing, storing, and securing customers’ data. Since businesses have no oversight of data stored on Shadow IT assets, this can be an issue.

Addressing Cloud Shadow IT

One way to address Shadow IT in cloud environments is to implement a cloud risk and compliance management platform like Rapid7’s InsightCloudSec.

InsightCloudSec continuously assesses your entire cloud environment whether in a single cloud or across multiple clouds and can detect changes to your environment—such as the creation of a new resource—in less than 60 seconds with event-driven harvesting.

The platform doesn’t just stop at visibility, however. Out-of-the-box, users get access to 30+ compliance packs aligned to common industry standards like NIST, CIS Benchmarks, etc. as well as regulatory frameworks like HIPAA, PCI DSS, and GDPR. Teams also have the ability to tailor their compliance policies to their specific business needs with custom packs that allow you to set exceptions and/or add additional policies that aren’t included in the compliance frameworks you either choose or are required to adhere to.

When a resource is spun up, the platform detects it in real-time and automatically identifies whether or not it is in compliance with organization policies. Because InsightCloudSec offers native, no-code automation, teams are able to build bots that take immediate action whenever Shadow IT creeps into their environment by either adjusting configurations and permissions to regain compliance or even deleting the resource altogether if you so choose.

To learn more, check out our on-demand demo.