Get My Score

Blog

Big Data aficionados should be familiar with data volume, velocity and variety as the key pillars that distinguish modern analytics environments from the prior generation. A similar trend is taking shape in infrastructure security with the adoption of public clouds and micro services architectures, significantly complicating the Security Operations (SecOps) job.

According to Datadog, there are 185 million Docker containers in use across 10,000 companies or 18,500 containers per company on average, for those that do use Docker! If this is any harbinger of scale, SecOps teams will continue to have a lot on their hands. Automated profiling and management of risk is the only way to secure an environment with such volumes. 

Several company’s DevOps organizations, are pushing code as often as several times a day – Amazon.com, for example, deploys every 11 seconds (see Velocity Culture). Compound that with the desire to optimize costs via auto-scaling approaches. The average container lifecycle is 2.5 days while the average virtual machine lasts 14 days, likely reflecting the transient nature of auto-scale workloads. An inadvertent configuration change or a vulnerable package in a high velocity continuous deployment can jeopardize your security posture. Active monitoring of infrastructure and timely remediation of gaps in security are keys to SecOps success.

According to Forbes citing RightScale’s 2017 State of the Cloud Survey: “85% of enterprises have a multi-cloud strategy today, up from 82% in 2016, 58% are planning a hybrid cloud strategy, up from 55% a year ago. RightScale also found an increase in the number of enterprises planning for multiple public clouds (up from 16% to 20%)”.

SecOps = Secure Hybrid Infrastructure  

 

0
0
0
s2sdefault

I am pleased to announce the availability of DISA STIGs on the Cavirin’s next generation Platform. Cavirin DISA STIG support provides several new security baselines for assessing and securing mission critical and several value-adds to DISA STIG assessments that ease implementation and usability.  These include browsing, as well as assessment and reporting.

 

DISA STIGs Browsing

DISA does not provide an easy to navigate mechanism for browsing the STIGs, requiring the user to work with XML and stylesheets.  There are no spreadsheets, pdfs, or detailed documentation, requiring the user to  work with the XML and the enclosed stylesheets to browse the content. If you are like me, perhaps, you have been using the STIG viewer for a long time.

0
0
0
s2sdefault

With the release of Cavirin 1.2, we’re upping the game in providing a comprehensive hybrid infrastructure security solution that spans on-premise, multiple clouds, and Docker. Note that this solution goes beyond cloud-account level security provided by CISPA (Cloud Infrastructure Security Posture Assessment) vendors or most CWPPs (Cloud Workload Protection Platforms).  Our belief is that true control of the cloud can only be accomplished by both cloud account as well as individual virtual or Docker instance level visibility, and the two must tie together. Key new capabilities include multi-cloud support, continuous monitoring, ‘Cavirin Secure’ DevSecOps scripting, true enterprise scalability, and additional 3rd party integrations. The platform’s scalability, usability, and DevOps capabilities were also recognized in a recently published SC Magazine product review with both a 5-star rating and recommendation.

True Multi-Cloud Support

As enterprises migrate critical workloads to the cloud, they increasingly leverage or are planning to leverage multiple CSPs.  For example, they may initially deploy on AWS, but place live or standby workloads on Azure for resiliency, geography, cost, or application compatibility reasons.  Cavirin now supports workloads across the three major clouds – AWS, Azure, and GCP – and has built a powerful abstraction layer that will permit our customers to deploy across other CSPs in the future.  The new hybrid enterprise requires a solution that spans all four deployment domains – on-premise, the cloud platform, cloud instances, and containers. We uniquely deliver a solution meeting this requirement.

0
0
0
s2sdefault

The need to have strong security practices in place to protect sensitive government data from outside threats has never been greater.  By December 31, 2017, the Department of Defense will require NIST SP 800-171 compliance for all its contracts that handle controlled unclassified information (CUI) outside of government agencies. 

According to the U.S. Nation Archives and Record Administration “CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended”.  In other words, it’s unclassified sensitive information that the US federal government believes should be protected to assure minimal risk of cyberattacks on America.  This includes citizen’s financial, legal, higher education, immigration, tax and healthcare records plus organizations patent, proprietary business, and SAFETY Act Information.   You can find the complete list of categories and sub-categories (with descriptions) on the National Archives Web site.  

0
0
0
s2sdefault

There is a great deal of interest in the NIST CSF and how to apply it within an organization.  Cavirin recently hosted a webinar detailing the rationale behind the framework, the suggested implementation process, and most importantly, the actual mapping to specific policies and controls.  Here, we detail this third point.

The CSF outlines five major functions – Identify, Protect, Detect, Respond, and Recover.  Using Identify as an example, the workflow is as follows:

So, mapping of the CSF to an organization’s environment is first accomplished by selecting the proper reference and control, and then selecting the Target of Evaluation, aka the operating system to which the control applies.  In the example above, ‘Ensuring separate partition exists for /tmp’ is one of literally dozens of controls that apply to RHEL7 and within ID-RA-1.  The audit and remediation for this is detailed within the CIS Red Hat Enterprise Linux 7 Benchmark, and specifically section 1.1.2.

We detail how this workflow matches the Cavirin Platform implementation, in our new infographic, as well as in a whitepaper available via NIST.   Visit https://www.cavirin.com/solutions/nist-support.html to learn more!     

 

0
0
0
s2sdefault

Cavirin provides vulnerability assessments for your operating systems (in the cloud, on-premise or hybrid) as well as Docker Images. This article shares vulnerability trending insights we have seen when working on vulnerability analysis project and training our risk reporting algorithms. 

Cavirin platform uses a synchronized feed from the NIST National Vulnerability Database. This feed directly provides the Common Vulnerabilities and Exposures (CVEs) severity and base score that is used in its risk scoring algorithm to project the risk posture from unpatched vulnerabilities

0
0
0
s2sdefault

© 2019 Cavirin Systems, Inc. All rights reserved.