Blog

Last week, Mary Meeker and her team at Kleiner Perkins published their yearly internet opus. For those keeping track, it is now at 355 slides! Though much of it focuses on the continuing evolution of commerce, media and gaming, as well as China and India, there are some excellent nuggets on cloud security. Her analysis plays well into Cavirin’s strategy and product direction.

We live in an increasingly multi-cloud world.  Amazon with AWS got off to an early start, but Microsoft’s Azure, by virtue of its strong enterprise footprint, is gaining ground quickly.  Whereas companies leveraging AWS remained constant at 57% between 2016 and 2017, Azure use grew from 20% to 34%.   And not to be dismissed is the Google Cloud Platform (GCP), growing from 10% to 15% and benefitting from strong enterprise focus as evidenced at this year’s Google Next conference. Beyond this baseline, AWS will experience even greater competition in the future, as only 27% of organizations who don’t currently use AWS are experimenting with or planning to use the platform in the future.   This grows to 33% for Azure and 30% for GCP.   Cavirin natively supports the three major cloud service providers (CSPs), and delivers consistent analysis between these and any on-premise deployments.

 

Control Your Cloud

This is the fifth blog in a series detailing workload best practices.

The first blog, 'Securing Modern Workloads', is available here

The second blog, 'Control Your Cloud', is available here

The third blog, 'Agility in Security', is available here

The fourth blog, 'Work Everywhere with Hybrid Solutions', is available here

-------------------

Extrapolating the cloud mindset, security as you go sounds promising. You could start small, sampling a fraction of your workloads, and then scale to accommodate everything that matters to you. The cloud gives you the flexibility to expand your resources as you need them. Your security tools should share the same trait.

Automatically scaling your security tools helps you maintain their availability and lets you scale them as you need them without incurring significant costs. Let us understand this with an example. Security tools typically begin with a prerequisite hardware configuration specification. This specification is usually defined by the vendor at an optimum support level, but you may not need it all the time. There are certain spikes (CPU, memory or network) at some stages of the security workflow in your tool. For example, if you are running an anti-virus tool, the resource requirements are high during a full system scan and low when you are just scanning for deltas. This did not “cost” you money if you kept running your anti-virus appliance in your own data center at the same resource allotment levels. But in the cloud, if you choose a “bigger” instance size, you pay more whether you use it or not.


CIS AWS Benchmark

Cavirin’s Platform manages the day-to-day challenges of implementing security best practices and assessing operational risk against the major compliance frameworks, including PCI, CIS, HIPAA, ISO, NIST, DISA and many more, for on-premise, cloud and hybrid environments. It was purpose-built as a single solution for managing risk and compliance in the enterprise. It works in the data center environment as well as in the cloud. It becomes a single compliance fabric that you can extend across your entire network, applying the same policies everywhere. Cavirin’s solution continuously monitors the entire environment and maps changes against operational and regulatory policies. By elevating the visibility of network changes as they happen, Cavirin ensures that you are always in a position to evaluate your level of risk and compliance and adjust it to suit your business’s unique needs.

Control Your Cloud

As a follow-up to our blog on how Cavirin can help combat WannaCry and other ransomware, this blog provides additional detail on our Network Policy Pack.

As a customer, you have seen several use cases that Cavirin helps you address in your hybrid cloud environment. These range from several CIS benchmarks to regulatory requirements such as PCI.

Today, we are pleased to announce the availability of Network Security Policies specifically designed for your AWS environment. These network policies implement the following best practice:


“Ensure no security group allows ingress from 0.0.0.0 or from the world on any port”


This policy pack contains all IANA registered ports and protocols.

Basically, you can use this policy pack to address the following security requirements:

  1. Ensure that SSH connections are not open to the world
  2. Ensure that DB ports are not open to the world
  3. Ensure that any other random critical ports are not open to the world

Stopping port scans and blocking access is very important for the upkeep of your infrastructure. If you have ports opened for world access, any known vulnerabilities in particular services could potentially be exploited to gain control. Additionally, removing unfettered connectivity to remote console services, such as RDP/SSH, reduces a server's exposure to risk and further reduces the overall attack surface area.

Scanning your security groups is pretty straightforward in Cavirin’s platform. Just select the region(s) that you want to scan and it automatically sweeps through your entire list of security groups.

Currently, by default, the policy pack contains *6221 ports*. These are the ports which are currently allocated by IANA. The only exceptions are port 80 and port 443 to allow web server traffic.
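
The best practice above can also be checked directly against data in the shape returned by the EC2 DescribeSecurityGroups API. This is an added example, not Cavirin's code: the group IDs and rules are constructed sample data, and limiting the exemption to TCP 80 and 443 is an assumption based on the "web server traffic" exception described above.

```python
WORLD = {"0.0.0.0/0", "::/0"}      # IPv4 and IPv6 "anywhere"
ALLOWED_TCP_PORTS = {80, 443}      # assumption: the web exception applies to TCP only

def world_open_findings(groups, allowed=ALLOWED_TCP_PORTS):
    """Return (group_id, protocol, from_port, to_port, cidrs) per violating rule."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            exposed = sorted(c for c in cidrs if c in WORLD)
            if not exposed:
                continue
            proto = perm.get("IpProtocol", "-1")
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if proto == "-1":          # "all traffic" rules carry no port fields
                lo, hi = 0, 65535
            # Exempt only when every port in the range is an allowed web port,
            # so a range such as 80-443 is still reported.
            exempt = proto == "tcp" and all(p in allowed for p in range(lo, hi + 1))
            if not exempt:
                findings.append((sg["GroupId"], proto, lo, hi, exposed))
    return findings

def rule(proto, lo=None, hi=None, v4=(), v6=()):
    """Build one constructed IpPermissions entry for the sample data."""
    perm = {"IpProtocol": proto,
            "IpRanges": [{"CidrIp": c} for c in v4],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in v6]}
    if lo is not None:
        perm.update(FromPort=lo, ToPort=hi)
    return perm

# Constructed sample data, not taken from any real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [rule("tcp", 80, 80, v4=["0.0.0.0/0"]),
                                            rule("tcp", 443, 443, v6=["::/0"])]},
    {"GroupId": "sg-ssh", "IpPermissions": [rule("tcp", 22, 22, v4=["0.0.0.0/0"])]},
    {"GroupId": "sg-db", "IpPermissions": [rule("tcp", 3306, 3306, v4=["10.0.0.0/8"])]},
    {"GroupId": "sg-range", "IpPermissions": [rule("tcp", 80, 443, v4=["0.0.0.0/0"])]},
    {"GroupId": "sg-all", "IpPermissions": [rule("-1", v6=["::/0"])]},
]

if __name__ == "__main__":
    for finding in world_open_findings(SAMPLE_GROUPS):
        print(finding)
```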

Control Your Cloud

CIS Security Benchmark for Kubernetes is out. Grab your copy at https://learn.cisecurity.org/benchmarks.

Keen to give back to the Kubernetes community and to bring security visibility and agility to Kubernetes deployments, I started the CIS project for developing a security benchmark approximately 10 weeks back. It is humbling to see that in a short time period of 10 weeks, the community came together to document more than 100 recommendations detailed enough for you to take prescriptive actions towards securing your Kubernetes deployments.

When I look back, I was told that Kubernetes security configuration is hugely fragmented and it is a self-dissolving daunting task to document the controls and cover them in a benchmark-like document. The fragmented offering is just too big a beast to pet. I disagreed and committed.

Here are some interesting thoughts and stats around the 106 recommendations that we have in the benchmark today.

Control Your Cloud

By now, anyone with any connection to security is aware of the WannaCry ransomware attack, and it says something that, on the Wiki entry, it is already listed amongst major incidents with Anthem, Sony Pictures, and the US Election. As a quick review, the attack, leveraging the leaked NSA tool EternalBlue, took advantage of vulnerabilities in Microsoft’s SMB implementation. The company issued a critical security bulletin, MS17-010 (CVE-2017-0144), on March 14, 2017, along with a patch for new versions of the OS. Note that this was a 1-day exploit, and not a zero-day exploit, since it was announced and patched. But the issue is that older versions of the OS were still vulnerable, not every organization is on top of patches, and in some countries, the high percentage of bootleg software effectively disconnected the user from patching. Nonetheless, Cavirin can play an integral role in helping to identify and remediate these types of vulnerabilities.

First off, Cavirin’s partner SecPod included the notification in its March 16, 2017 SCAP Feed Release. This was two days after the Microsoft announcement. This is automatically included in Cavirin’s Patches & Vulnerabilities policy pack, which continually updates the live deployment. Based on this notification, the customer may quickly scan their environment and identify vulnerable resources. They may then manually patch their workloads, or may have in place an automated mechanism (e.g., Chef, Ansible) to pull down the Microsoft patch and update their systems.


© 2018 Cavirin Systems, Inc. All rights reserved.