
Blog

CIS AWS Benchmark

Cavirin’s Platform manages the day-to-day challenges of implementing security best practices and assessing operational risk against the major compliance frameworks, including PCI, CIS, HIPAA, ISO, NIST, DISA and many more, for on-premises, cloud and hybrid environments. It was purpose-built as a single solution for managing risk and compliance in the enterprise, and it works in the data center as well as in the cloud. It becomes a single compliance fabric that you can extend across your entire network, applying the same policies everywhere. Cavirin’s solution continuously monitors the entire environment and maps changes against operational and regulatory policies. By surfacing network changes as they happen, Cavirin ensures that you are always in a position to evaluate your level of risk and compliance and adjust it to suit your business’s unique needs.

Control Your Cloud

As a follow-up to our blog on how Cavirin can help combat WannaCry and other ransomware, this post provides additional detail on our Network Policy Pack.

As a customer, you have seen several use cases that Cavirin helps you address in your hybrid cloud environment, ranging from the CIS benchmarks to regulatory requirements such as PCI.

Today, we are pleased to announce the availability of Network Security Policies designed specifically for your AWS environment. These network policies are built around the best practice:


“Ensure no security group allows ingress from 0.0.0.0/0 (the world) on any port”


This policy pack covers all IANA-registered ports and protocols.

In short, you can use this policy pack to address the following security requirements:

  1. Ensure that SSH is not open to the world
  2. Ensure that database ports are not open to the world
  3. Ensure that no other critical service ports are open to the world

Blocking unsolicited access, and with it the port scans that precede most attacks, is important for the upkeep of your infrastructure. If a port is open to the world, any known vulnerability in the service listening on it can be exploited to gain control of the host. Removing unfettered connectivity to remote console services such as RDP and SSH in particular reduces a server's exposure and shrinks the overall attack surface.

Scanning your security groups is straightforward in Cavirin’s platform: select the region(s) you want to scan and it automatically sweeps through your entire list of security groups.

Currently, by default, the policy pack covers *6221 ports*, the ports currently allocated by IANA. The only exceptions are ports 80 and 443, which are left open to allow web server traffic. Two caveats when reading results: the 80/443 exception only makes sense for instances that actually serve the public, so tighten it for anything else, and a rule that permits ::/0 exposes the same service to the IPv6 Internet and should be treated exactly like 0.0.0.0/0.
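As an added illustration (example code written for this post, not Cavirin's policy pack), here is what the check behind that policy looks like when run over the `SecurityGroups` output of `aws ec2 describe-security-groups`. The security groups are constructed inline so the script runs offline; the 80/443 allowlist mirrors the pack's default exception and is an assumption to tailor per workload. Beyond a naive `CidrIp == "0.0.0.0/0"` match, it handles two cases that such a match misses: rules with protocol `-1` (every port; EC2 omits FromPort/ToPort) and rules open to `::/0`, and it refuses a world-open range that merely contains an allowlisted port.

```python
"""Flag AWS security-group rules that admit ingress from the whole Internet.

Added example, not Cavirin's policy-pack code. Input is the ``SecurityGroups``
list in the shape returned by ``aws ec2 describe-security-groups`` (or boto3's
``describe_security_groups()``); the sample below is constructed inline so the
script runs offline. The allowlist of ports that may face the Internet is an
assumption (80/443, mirroring the policy pack's default exception).
"""
from dataclasses import dataclass

WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"                       # the IPv6 spelling of "the world"
ALLOWED_PUBLIC_PORTS = {80, 443}        # assumption: public web listeners only
ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Finding:
    group_id: str
    protocol: str
    from_port: int
    to_port: int
    cidr: str


def _port_range(perm):
    """Normalise an IpPermission to (protocol, low, high).

    ``IpProtocol`` "-1" means every protocol and EC2 omits FromPort/ToPort, so
    that is the full range. ICMP reuses the two fields for type/code rather than
    ports, so it is reported as a whole-protocol opening as well.
    """
    proto = str(perm.get("IpProtocol", "-1"))
    if proto in ("-1", "icmp", "icmpv6", "1", "58"):
        return (proto,) + ALL_PORTS
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:        # tcp/udp without a range: treat as all ports
        return (proto,) + ALL_PORTS
    return proto, int(lo), int(hi)


def _world_cidrs(perm):
    """Yield each CIDR in the rule that means 'anyone', for both address families."""
    for r in perm.get("IpRanges", []):
        if r.get("CidrIp") == WORLD_V4:
            yield WORLD_V4
    for r in perm.get("Ipv6Ranges", []):
        if r.get("CidrIpv6") == WORLD_V6:
            yield WORLD_V6


def _fully_allowlisted(proto, lo, hi):
    """A world-open rule passes only if every port it spans is on the allowlist.

    A range such as 0-1023 that merely *contains* 80 is still a finding.
    """
    if proto not in ("tcp", "6"):
        return False
    return all(p in ALLOWED_PUBLIC_PORTS for p in range(lo, hi + 1))


def world_open_findings(security_groups):
    """Return one Finding per (group, rule, world CIDR) that is not allowlisted."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):   # ingress only; egress is IpPermissionsEgress
            proto, lo, hi = _port_range(perm)
            for cidr in _world_cidrs(perm):
                if not _fully_allowlisted(proto, lo, hi):
                    findings.append(Finding(sg["GroupId"], proto, lo, hi, cidr))
    return findings


# Constructed sample in the describe-security-groups shape (not real account data).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
        # "-1" with ::/0: everything is open to the IPv6 Internet; a check that only
        # looks at IpRanges for 0.0.0.0/0 would miss it entirely.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ]},
]

if __name__ == "__main__":
    for f in world_open_findings(SAMPLE_SECURITY_GROUPS):
        print(f"{f.group_id}: {f.protocol} {f.from_port}-{f.to_port} open to {f.cidr}")
```

On the sample this reports `sg-0bbb` (MySQL open to 0.0.0.0/0) and `sg-0ccc` (all protocols open to ::/0), and accepts the web group's 443 rule. To run it against a live account, feed `world_open_findings` the `SecurityGroups` of each page from `boto3.client("ec2", region_name=region).get_paginator("describe_security_groups").paginate()`, once per region, which is the same per-region sweep described above.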


The CIS Security Benchmark for Kubernetes is out. Grab your copy at https://learn.cisecurity.org/benchmarks.

Keen to give back to the Kubernetes community and to bring security visibility and agility to Kubernetes deployments, I started the CIS project for developing a security benchmark approximately 10 weeks ago. It is humbling to see that in a short period of 10 weeks, the community came together to document more than 100 recommendations, detailed enough for you to take prescriptive action towards securing your Kubernetes deployments.

When I look back, I was told that Kubernetes security configuration is hugely fragmented and that it is a self-dissolving, daunting task to document the controls and cover them in a benchmark-like document. The fragmented offering is just too big a beast to pet. I disagreed and committed.

Here are some interesting thoughts and stats around the 106 recommendations that we have in the benchmark today.


By now, anyone with any connection to security is aware of the WannaCry ransomware attack, and it says something that the Wikipedia entry already lists it among major incidents alongside Anthem, Sony Pictures, and the US election. As a quick review, the attack leveraged EternalBlue, a leaked NSA exploit for vulnerabilities in Microsoft’s SMBv1 implementation. Microsoft issued a critical security bulletin, MS17-010 (the EternalBlue flaw itself is CVE-2017-0144), on March 14, 2017, along with patches for the supported versions of Windows. Note that this was therefore a 1-day (n-day) exploit, not a zero-day: the vulnerability had been announced and patched roughly two months before the outbreak. The problem was that end-of-life versions of the OS were still vulnerable (Microsoft only shipped patches for those once the outbreak was under way), not every organization keeps up with patches, and in some countries the high share of bootleg software effectively cut users off from patching. Nonetheless, Cavirin can play an integral role in helping to identify and remediate these types of vulnerabilities.

First off, Cavirin’s partner SecPod included the notification in its March 16, 2017 SCAP feed release, two days after the Microsoft announcement. The check is automatically included in Cavirin’s Patches & Vulnerabilities policy pack, which continually updates the live deployment. Based on this notification, a customer can quickly scan their environment and identify vulnerable resources, then either patch the workloads manually or use an automated mechanism already in place (e.g., Chef or Ansible) to pull down the Microsoft patch and update their systems. Patching is the fix, but where a patch cannot be applied immediately, disabling SMBv1 and blocking TCP port 445 from untrusted networks removes the exposure in the meantime.


Hybrid Solutions that natively work in the Cloud and On-Premises, equally well

This is the fourth blog in a series detailing workload best practices.

The first blog, 'Securing Modern Workloads', is available here

The second blog, 'Control Your Cloud', is available here

The third blog, 'Agility in Security', is available here

-------------------

Are you juggling on-premises, cloud-first and cloud-only strategies? Wouldn’t it be nice if you could simply lift-and-shift your current security tools? Hybrid cloud security tools work natively in both environments, equally well.

As you embrace digital transformation in your organization, you should evaluate your security tools against these important criteria:

  1. Mix and match the workload origin
  2. Product design and security controls
  3. Minimize operational complexity
  4. Pricing 

Let us look at these briefly.

Mix and match the workload origin for a Hybrid Cloud

Digital transformation to migrate workloads to the cloud may take anywhere from 6 to 24 months. During this time you need to maintain the security posture of your existing on-premises workloads while beginning to assess the posture of the migrated ones. Ideally you would keep using the same tools and get a single, unified view of both your on-premises and cloud workloads. Adopting new tools takes time, and they may not produce composite reports that combine on-premises and cloud workloads.

For example, take this scenario. You have a web server farm of 10 on-premises Red Hat Linux servers and begin transitioning them to the cloud. Mid-way through the migration you have 5 web servers in the cloud and 5 on-premises. Now suppose you need a PCI security controls report at the OS level for the web farm. What do you do? The tool you choose should continue to give you a comprehensive PCI security report at the web-farm level regardless of the farm’s heterogeneous composition.


This is the third blog in a series detailing workload best practices.

The first blog, 'Securing Modern Workloads', is available here

The second blog, 'Control Your Cloud', is available here

-------------------

Much is being said and written about agile practices and how they are transforming various aspects of modern IT. Agility in security, a.k.a. SecDevOps, DevSecOps, SecOps, security orchestration or security automation, is getting called out as well.

Let’s see what we are doing in this space.

  • Security assessment of CloudFormation deployments
  • Vulnerability and compliance assessments for Docker containers
  • API endpoints for backward and forward integration with other tooling

Security Assessment of CloudFormation Deployments

AWS CloudFormation is the cornerstone of IT stack deployments on AWS. You may leverage AWS Quick Starts to build secure and compliant cloud infrastructure: Quick Starts such as the PCI Quick Start come with pre-built templates that you can use to deploy a PCI-compliant infrastructure, and AWS lays out the Shared Responsibility Model for PCI. Bear in mind that a template only describes the stack as launched: parameters you override at deploy time and changes made afterwards can both reopen exposures, so the template should be assessed before it is launched and the resulting stack assessed on an ongoing basis.
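As an added example of what such a pre-deployment template assessment looks like (example code written for this post, not Cavirin's product code), the script below walks a CloudFormation template's Resources and flags security-group ingress open to 0.0.0.0/0 or ::/0. Unlike a check against live security groups, it has to deal with the template's indirections: it follows a `{"Ref": ...}` CIDR to the parameter's `Default`, so a world-open default hidden behind a launch parameter is caught, reports rules whose CIDR is only known at deploy time instead of silently passing them, and maps standalone `AWS::EC2::SecurityGroupIngress` resources back to the group they attach to. The template and the 80/443 allowlist are constructed assumptions.

```python
"""Pre-deployment check of a CloudFormation template for world-open ingress.

Added example, not Cavirin's product code. It walks the template's Resources
and reports security-group ingress that admits 0.0.0.0/0 or ::/0 on anything
other than an allowlisted port, resolving {"Ref": ...} against parameter
defaults so a world-open default hidden behind a parameter is caught too. The
template below is constructed for the example; the allowlist is an assumption.
"""
import sys

WORLD = {"0.0.0.0/0", "::/0"}
ALLOWED_PUBLIC_PORTS = {80, 443}   # assumption: only web listeners may face the Internet
ALL_PORTS = (0, 65535)


def _resolve(value, parameters):
    """Resolve {"Ref": "<Parameter>"} to its Default. Anything only known at deploy
    time (Ref without Default, Fn::If, Fn::Sub, ...) comes back as None."""
    if isinstance(value, dict):
        ref = value.get("Ref")
        return parameters.get(ref, {}).get("Default") if ref else None
    return value


def _rule_ports(rule, parameters):
    """(protocol, (low, high)); protocol "-1" or a missing range means every port."""
    proto = str(_resolve(rule.get("IpProtocol", "-1"), parameters))
    lo = _resolve(rule.get("FromPort"), parameters)
    hi = _resolve(rule.get("ToPort"), parameters)
    if proto == "-1" or lo is None or hi is None:
        return proto, ALL_PORTS
    return proto, (int(lo), int(hi))


def _owner(props):
    """Logical ID of the group a standalone AWS::EC2::SecurityGroupIngress targets."""
    gid = props.get("GroupId") or props.get("GroupName")
    return gid["Ref"] if isinstance(gid, dict) and "Ref" in gid else str(gid)


def template_findings(template):
    """One dict per ingress rule that is world-open, or whose CIDR cannot be resolved."""
    parameters = template.get("Parameters", {})
    findings = []

    def check(owner, rule):
        raw = rule.get("CidrIp", rule.get("CidrIpv6"))
        if raw is None:
            return                       # source is another security group, not a CIDR
        cidr = _resolve(raw, parameters)
        proto, (lo, hi) = _rule_ports(rule, parameters)
        if cidr is None:
            cidr = "UNRESOLVED"          # deploy-time value: surface it for manual review
        elif cidr not in WORLD:
            return
        elif proto in ("tcp", "6") and all(p in ALLOWED_PUBLIC_PORTS for p in range(lo, hi + 1)):
            return
        findings.append({"resource": owner, "cidr": cidr, "protocol": proto, "from": lo, "to": hi})

    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                check(logical_id, rule)
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            check(_owner(props), props)
    return findings


# Constructed sample template in JSON form (YAML short forms such as !Ref need a
# loader that understands CloudFormation tags; JSON keeps this stdlib-only).
SAMPLE_TEMPLATE = {
    "Parameters": {
        "AdminCidr": {"Type": "String", "Default": "0.0.0.0/0"},   # world-open default
        "ClientCidr": {"Type": "String"},                           # no default: unknown
    },
    "Resources": {
        "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "web tier", "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIpv6": "::/0"}]}},
        "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "bastion", "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": {"Ref": "AdminCidr"}}]}},
        "AppSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "app", "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "CidrIp": {"Ref": "ClientCidr"}}]}},
        "DbSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "db"}},
        "DbIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
            "GroupId": {"Ref": "DbSG"}, "IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
            "CidrIp": "0.0.0.0/0"}},
    },
}

if __name__ == "__main__":
    found = template_findings(SAMPLE_TEMPLATE)
    for f in found:
        print(f"{f['resource']}: {f['protocol']} {f['from']}-{f['to']} from {f['cidr']}")
    sys.exit(1 if found else 0)   # non-zero exit lets a CI job block the deployment
```

On the sample template this reports `BastionSG` (SSH open through the parameter's 0.0.0.0/0 default), `AppSG` (CIDR unresolvable until launch) and `DbSG` (PostgreSQL opened by the standalone ingress resource), while the web group's 80/443 rules pass. The non-zero exit code is what makes it useful as a gate in the pipeline that deploys the stack.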


© 2018 Cavirin Systems, Inc. All rights reserved.