

2019 Cloud Security Predictions

Plus Other Cloud Security Predictions for 2019

Well, 2018 is almost behind us (sigh!), and we see 2019 as a watershed moment in hybrid and multi-cloud adoption. Organizations, maybe yours included, are increasingly comfortable running critical workloads across multiple environments as long as they can maintain visibility and control. And the major public cloud providers have embraced hybrid deployments with products that streamline adoption, such as Microsoft’s Azure Stack and the just-announced AWS Outposts. But we still have a long way to go. For example, how do you best secure these more complex deployments?

At Cavirin, we’ve supported and embraced the hybrid cloud from our earliest days. We offer security monitoring and remediation via CloudTrail and Lambda Functions for AWS, as well as the equivalent StackDriver and Functions on Google Cloud. The same capabilities are coming shortly to Azure. Across all three clouds, CIS hardening and network policy checks are available today. Increasingly, the public cloud providers are combining their own security offerings with those of their cloud partners, offering their customers better control. Our recently announced Google Cloud Security Command Center integration is a good example of this trend.

Not to ignore the workloads: remember once again that under the cloud provider shared responsibility model, AWS, Azure, and Google Cloud secure the services they offer ‘in the cloud,’ but the customer takes over for their ‘on the cloud’ applications and data. Our new Ansible Playbooks, in combination with our continuous assessment, permit the operator to first create ‘golden images’ based on their risk profile, and then track any deployments for drift and immediately invoke corrective actions if required.

So, what are some specific predictions for 2019? Here’s a selection from our input to various publications:

  • Cloud 2.0: Security, especially across multi-cloud and in combination with on-premise, will continue to be top of mind. Additional awareness of both insider and external threats will be combined with effective tools that balance protection and usability. More CISOs will peer with CIOs as opposed to reporting to them. Further, mainstream enterprises will look beyond just getting their apps to work in the cloud. They will move to the next phase of optimizing performance, manageability, and security as part of a true multi-cloud deployment, where they have critical workloads both on-premise as well as within one or more public clouds. Smaller enterprises, with an awareness of cloud risks, will deploy third-party cloud security software.
  • Mind the Gap: Too often, SecOps or SIEM tools report on issues, but follow-up by DevOps is delayed. For security, this can result in major risks. We’ll see a wider deployment of tools that close the loop from this monitoring to change management, helping to automate many processes that require manual intervention. An example could be monitoring one’s hybrid infrastructure for change in security posture, automatically triggering Ansible Playbooks to correct to the known good baseline.
  • DevSecOps Becomes Real: On the back of DevOps and SecOps, many now understand the concept behind DevSecOps. But what has happened is that there is still pushback on how best to automate checks, and on how to protect against potential job loss. This is solvable with some of the new approaches on the market, and through past technology and role transitions, job loss was never as high as anticipated.
  • Elevating the Importance of Cybersecurity: Business executives will embrace cybersecurity as a primary business responsibility, and not simply a technology issue. This will be combined with new state and potentially federal laws that improve privacy and reduce exposure. These shifts parallel trends internal to the organization, where technologies are increasingly vendor-managed and IT moves to the business units. The overall move to the cloud is only one example of this. Conversely, cyber and information security, due to their importance, will transition from a technology function to a legal function.
  • ML and AI Reality Check: No set of predictions would be complete without homage to AI. There is no shortage of investment in this space, or of startups with novel ideas. The goal will be to better understand how these technologies solve well-understood problems, how they integrate with existing workflows, and most importantly, how they remove risk. This all can’t happen soon enough, given that the hackers, especially those who are state-sponsored, are deploying many of the same tools. As noted at Black Hat this past summer, 2019 is the year that the industry must go back on the offensive.


Check out our News page for links to all the articles our leaders were featured in during 2018. 


Cloud Security Command Center (Cloud SCC) Integration

Many of the most high-profile breaches from recent years have been caused by misconfigured servers and cloud services that left sensitive information exposed. Cavirin is focused on protecting your cloud, container and server resources in the Google Cloud Platform (GCP), AWS, Azure and on-premises environments. With our Summer 2018 release, customers can:

  • automatically discover 9 GCP cloud resource types including VPCs, subnets, Cloud Account (including Identity and Access Management (IAM)), Google Kubernetes Engine (GKE), Google Compute Engine (GCE), BigQuery, Cloud SQL and Cloud Key Management Service (KMS), and 22 operating systems
  • evaluate several thousand technical controls at the cloud, container and OS levels spanning configuration, compliance and vulnerability checks
  • compute a proprietary CyberPosture Score that helps you translate assessments into an easy-to-understand risk metric
  • prioritize remediation plans based on CyberPosture score improvement potential
  • auto-remediate, where possible, via Ansible and serverless approaches

Today, we are thrilled to preview our integration into GCP Cloud Security Command Center which aggregates vulnerabilities, threats and security findings from Cavirin and other GCP security ecosystem partners. With this integration, customers will benefit from the following improvements:

Unified Dashboard for SecOps teams: Cavirin’s security, compliance and vulnerability findings will be presented in the Cloud SCC dashboard alongside findings from other security offerings that customers may have purchased.

 Cloud SCC dashboard

Findings Prioritized by CyberPosture Scores. Each finding presented in the Cloud SCC dashboard represents a single configuration, compliance or security issue for one instance of 9 resource types. Cavirin presents up to 500 findings prioritized by their CyberPosture Score improvement potential, which is proportional to the relative risk of any finding based on the underlying technical control, its weight, resource criticality and other factors in Cavirin’s proprietary CyberPosture Scoring methodology.

Cloud Security Command Center CyberPosture Score 

Actionable Finding Details. Each finding also presents additional details on the security or compliance control framework that generated the finding, the GCP identifier of the failed resource, CyberPosture Score improvement potential, remediation steps, and other details.

 cloud scc and gcp identifier

Comprehensive Security & Compliance Frameworks. Findings in Cloud SCC are powered by the following control frameworks that contribute over 80,000 technical controls. Several of these frameworks were led by Cavirin security experts:

  • CIS GCP Foundation Benchmark, co-authored by Cavirin
  • Cavirin GCP Network Policy Pack to protect against open TCP ports
  • Compliance frameworks: GDPR, HIPAA, PCI-DSS 3.2, ISO 27002:2013, AICPA SOC2, CJIS
  • Security frameworks: CIS (OS-level), DISA, CIS Google Chrome, NIST 800-171, NIST 800-53r4, NIST CSF, Cavirin Patches & Vulnerabilities
  • Container frameworks: Cavirin Image Hardening, Cavirin Patches & Vulnerabilities, CIS Docker CE, Container Linux, CIS Kubernetes

CyberPosture Intelligence for GCP. Cloud SCC customers are one click away from the Cavirin dashboard with a “credit-score”-like representation of security and compliance posture across GCP, AWS, Azure, containers, and on-premises infrastructure. The Cavirin CyberPosture score helps customers analyze trends and drill into scores by asset group, environment, policy pack, cloud service, operating systems, and individual resources to pinpoint risk and prioritize remediation plans.

cybersecurity posture score for Cloud SCC customers 

Making the magic work

Getting started with Cavirin and Cloud SCC is easy. Contact Cavirin to get provisioned for Cloud SCC access. Once you have that information, browse to the Cavirin Cloud SCC Companion in the Google Marketplace. This application establishes trust and connectivity between Cavirin and GCP so that security findings about your organization’s GCP resources can be posted into Cloud SCC. Follow the self-service provisioning wizard steps for the Cavirin Cloud SCC Companion (found in the Marketplace documentation).

Cavirin Cloud SCC Companion in the Google Marketplace 

Next, provision the Cavirin CyberPosture managed VM app in the Google Marketplace.

Finally, connect Cavirin to GCP Cloud SCC using the integration steps within Cavirin.

More to Come!

In the coming months, we plan to further strengthen our GCP features by closing the loop from monitoring to risk scoring and auto-remediation by detecting new, deleted or changed resources via Google StackDriver Monitoring, scoring changes and allowing users to remediate via pre-built Google Functions.

Minimize Risks Due to Change Management Delays 

As DevOps leaders continue to deliver greater agility to the business, SecOps faces a widening security gap: it needs more time to manually work through change requests so that appropriate testing is performed, taking into account risk, security, and compliance. This whitepaper is for those looking to minimize the risks due to change management delays and manual processes. It highlights how Cavirin auto-remediates both compute instances and cloud services to minimize the security gap between SecOps and DevOps.


Many organizations separate security posture monitoring from change management, leaving them exposed when security alerts monitored by SecOps teams wait for DevOps teams for remediation. Closing this security gap via auto-remediation is a key outcome enabled by Cavirin. In this document, we discuss how Cavirin auto-remediates both compute instances and cloud services, starting with a chart that highlights an organization with and without auto-remediation. 


For compute instances, Configuration Management systems like Puppet Enterprise, Chef Automate, or Red Hat Ansible offer a good foundation. Their cloud counterparts include Microsoft Azure Automation as well as the AWS Elastic Compute Cloud Systems Manager. Cavirin’s approach, below, leverages Ansible to remediate compute instances in AWS, GCP, Azure or on-premise environments. 

First, a SecOps user using the Cavirin system defines a “golden configuration” of operating system parameters for a group of machines using Cavirin’s technical controls (CIS, in the figure below). The system continually assesses the organization’s machines against “golden” technical controls and identifies those assets drifting from it (Step 2 in the figure below). 

Next, the Cavirin system creates the list of drifting machines (“host file”) as well as a list of configuration settings (“variables file”) that require remediation in Ansible’s format. Finally, the Ansible server retrieves the Ansible hosts file, variables file and the Cavirin-supplied Ansible playbook to remediate machines to the golden state. 

The same approach can also be used to create ‘golden’ images during pre-production by assessing candidate images against a golden posture and invoking Ansible with Cavirin playbooks to remediate the images to a golden state.
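The drift-to-Ansible flow described above (golden baseline, continuous assessment, hosts file and variables file handed to a playbook), as an added example that is not Cavirin’s code. The control ids are hypothetical CIS-style names and the assessment results are constructed sample data; a control the scan did not report is treated as drift rather than as a pass.

```python
"""Drift detection against a 'golden' OS baseline, rendered as Ansible inputs."""
import json

# Constructed golden baseline: hypothetical control id -> expected setting.
GOLDEN = {
    "cis_1_1_1_mount_tmp_noexec": "enabled",
    "cis_3_1_1_ip_forward": "0",
    "cis_5_2_8_ssh_root_login": "no",
    "cis_5_2_10_ssh_permit_empty_passwords": "no",
}

# Constructed assessment results as a continuous scan would report them.
OBSERVED = {
    "web-01.example.internal": {
        "cis_1_1_1_mount_tmp_noexec": "enabled",
        "cis_3_1_1_ip_forward": "1",        # drift
        "cis_5_2_8_ssh_root_login": "yes",  # drift
        "cis_5_2_10_ssh_permit_empty_passwords": "no",
    },
    "db-01.example.internal": {
        "cis_1_1_1_mount_tmp_noexec": "enabled",
        "cis_3_1_1_ip_forward": "0",
        "cis_5_2_8_ssh_root_login": "no",
        "cis_5_2_10_ssh_permit_empty_passwords": "no",
    },
    "app-02.example.internal": {
        "cis_1_1_1_mount_tmp_noexec": "disabled",  # drift
        "cis_3_1_1_ip_forward": "0",
        "cis_5_2_8_ssh_root_login": "no",
        # cis_5_2_10 not reported by the scan: counted as drift (fail closed)
    },
}


def detect_drift(golden, observed):
    """Return {host: {control: {"expected": x, "actual": y}}} for drifting hosts only."""
    drift = {}
    for host, settings in observed.items():
        bad = {}
        for control, expected in golden.items():
            actual = settings.get(control)  # None when the control was not evaluated
            if actual != expected:
                bad[control] = {"expected": expected, "actual": actual}
        if bad:
            drift[host] = bad
    return drift


def render_inventory(drift, group="drifting"):
    """INI-style Ansible hosts file listing only the hosts that need remediation."""
    lines = [f"[{group}]"] + sorted(drift)
    return "\n".join(lines) + "\n"


def render_vars(drift):
    """Variables file with the expected value of each drifted control, per host.

    JSON is valid YAML, so Ansible loads this file directly; only drifted
    controls are passed, so the playbook touches nothing already compliant.
    """
    host_vars = {
        host: {control: spec["expected"] for control, spec in controls.items()}
        for host, controls in drift.items()
    }
    return json.dumps({"remediate": host_vars}, indent=2, sort_keys=True)


if __name__ == "__main__":
    found = detect_drift(GOLDEN, OBSERVED)
    print(render_inventory(found))
    print(render_vars(found))
```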

Moving from compute instances to cloud services, here we can use the monitoring, queuing, and remediation services provided by the public clouds. Options for remediation include AWS Lambda, Azure Functions and Google Functions. Cavirin monitors cloud services via provider APIs and assesses them against various technical controls. The system then develops a list of the top resources for remediation, and then executes the provider-specific functions.

Using AWS as an example, Cavirin, via its AWS Network Policy Pack, periodically assesses the status of commonly used TCP ports associated with the Security Groups created within a given AWS account. It then informs the operator of the top 50 ports which, if remediated, will positively impact the score (see Figure below).

Technically, in the figure below, 

  1. The operator issues the remediation command from the Cavirin dashboard 
  2. Which publishes a remediation request to an AWS SNS topic 
  3. …that then invokes the Cavirin-authored Lambda function 
  4. Remediation occurs and confirmation is now posted to Cavirin via SQS 
  5. Cavirin takes this confirmation and modifies the scoring accordingly 
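The five-step SNS, Lambda and SQS flow above, as an added example that is not Cavirin’s Lambda function. The AWS clients are injected so the logic runs offline against a recording fake; the request and confirmation message fields (`finding_id`, `security_group_id`, `port`, `protocol`, `cidr`) and the queue URL are a hypothetical, constructed schema. Only a world-open (0.0.0.0/0) TCP rule is accepted for revocation; anything else is rejected rather than guessed at.

```python
"""Cloud-service auto-remediation: SNS request -> Lambda -> revoke open port -> SQS confirmation."""
import json

# Constructed queue URL; in a real deployment this would come from Lambda configuration.
CONFIRMATION_QUEUE_URL = "https://sqs.us-east-1.amazonaws.com/123456789012/remediation-confirmations"


def parse_requests(sns_event):
    """Extract remediation requests (hypothetical schema) from a Lambda SNS event."""
    requests = []
    for record in sns_event.get("Records", []):
        if record.get("EventSource") != "aws:sns":
            continue
        body = json.loads(record["Sns"]["Message"])
        # Fail closed: only a world-open TCP rule is eligible for automatic revocation.
        if body.get("protocol") != "tcp" or body.get("cidr") != "0.0.0.0/0":
            raise ValueError(f"unsupported remediation request: {body}")
        requests.append(body)
    return requests


def revoke_open_port(ec2, req):
    """Revoke the single 0.0.0.0/0 ingress rule named in the request; return the rule."""
    permission = {
        "IpProtocol": "tcp",
        "FromPort": int(req["port"]),
        "ToPort": int(req["port"]),
        "IpRanges": [{"CidrIp": req["cidr"]}],
    }
    ec2.revoke_security_group_ingress(GroupId=req["security_group_id"],
                                      IpPermissions=[permission])
    return permission


def handler(event, context, ec2=None, sqs=None):
    """Lambda entry point (step 3); ec2/sqs default to boto3 clients inside AWS."""
    if ec2 is None or sqs is None:
        import boto3  # only reached when running in Lambda
        ec2 = ec2 or boto3.client("ec2")
        sqs = sqs or boto3.client("sqs")
    confirmations = []
    for req in parse_requests(event):
        permission = revoke_open_port(ec2, req)  # step 4: remediation
        confirmation = {
            "finding_id": req["finding_id"],
            "security_group_id": req["security_group_id"],
            "status": "remediated",
            "revoked": permission,
        }
        # step 4, second half: confirmation back over SQS so scoring can be updated (step 5)
        sqs.send_message(QueueUrl=CONFIRMATION_QUEUE_URL, MessageBody=json.dumps(confirmation))
        confirmations.append(confirmation)
    return confirmations


class FakeClient:
    """Records every call so the flow can be exercised without AWS credentials."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


SAMPLE_EVENT = {  # constructed SNS-triggered Lambda event (step 2 output)
    "Records": [{
        "EventSource": "aws:sns",
        "Sns": {"Message": json.dumps({
            "finding_id": "F-0001", "security_group_id": "sg-0123456789abcdef0",
            "port": 3389, "protocol": "tcp", "cidr": "0.0.0.0/0"})},
    }]
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, None, ec2=FakeClient(), sqs=FakeClient()))
```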

To summarize, auto-remediating compute instances and cloud services as described in the article can help organizations accelerate responses to security gaps, reduce security risks, and eliminate manual processes. 





Excellent Hybrid Cloud Environment with Real-time Visibility

We are excited to announce that this week Cavirin’s CyberPosture Intelligence for the Hybrid Cloud was recognized by SC Magazine. The Cavirin solution earned five-star marks (the highest rating) in all six review categories: Features, Documentation, Value for Money, Performance, Support, and Ease of Use.


Risk and policy management - SC Magazine


The SC Magazine five-star rating is especially gratifying as it is based on an objective evaluation of features and capabilities. Leading the charge, the reviewers thought that one of the most prominent features was Cavirin’s nonpareil CyberPosture Score.

According to Cavirin’s Director of Product Management, the CyberPosture Score is derived by continuously assessing the security posture of all managed cloud services and workloads to compute a CyberPosture score, a number between 0 and 100. A score of 100 represents the least risk. Representing risk in this manner facilitates prioritized response plans and in-depth security analytics including score drill downs from the company level to asset groups, individual resources, policy pack/control families and operating systems. At any of these levels, with visibility that spans your entire hybrid infrastructure, Cavirin’s solution depicts trends of CyberPosture scores to help CISOs assess the impact of security posture improvements.




In addition, SC Labs evaluators Matthew Hreben & Katelyn Dunn highlighted the importance of a single, unified view, emphasizing that “point” security solutions can be costly and have limited visibility into an organization’s defensive security posture:

“Users typically struggle building a meaningful risk security assessment process across a hybrid environment due to the lack of network visibility and the cost of needing multiple products. Cavirin CyberPosture Intelligence for the Hybrid Cloud serves as a single, unified view of the hybrid cloud environment that gives real-time, continuous monitoring and assessment, has automatic asset discovery and encompasses an API-first architecture that integrates security into DevOps. It enables continuous improvement of security posture and is cost-effective compared to alternatives requiring multiple products.”

In closing, the verdict of the SC Magazine analysts on Cavirin’s CyberPosture Intelligence for the Hybrid Cloud is:

“Great API-driven technology that integrates with Slack, Jira and Okta for SSO, also provides users concrete documentation and workflow suggestions. This is a strong contender in its space and worth a look.”

To read the complete review visit,

For more information on Cavirin’s CyberPosture Score check out our latest whitepaper: Cavirin CyberPosture - Your Credit Score for Security.



Regardless of Potential Vulnerabilities - We Must Vote

With less than six days until one of the most important elections in recent history, coverage of potential vulnerabilities has never been greater. Compared to 2016, the typical voter is more aware of any threats, and probably more scared. There is a concern that people will just stay home, thinking that their vote will be compromised, as captured in a recent Pew Research Center survey.

mid-term election vulnerabilities

Given that the vote is fundamental to our democracy, this isn’t good. But, as the New York Times summed it up, even though our voting process is vulnerable and outsiders are looking to sow pervasive doubt over the integrity of American elections, the only chance we have is to vote.

Looking back as far as a decade ago, and as confirmed just this past summer at DEF CON, researchers have identified vulnerabilities in both the voting machines and the state election infrastructures. During the lead-up to 2016, Russia actively probed for security gaps. Given that elections fall under state jurisdiction, the potential attack surface varies widely depending upon whether paper records are maintained, the training of personnel, and the chain-of-custody of voting results. Best practices are summarized here. One alarming statistic is that, although states can take advantage of federal programs to vet their systems, less than half had actually requested it as of the end of October. This at a time when the types of attacks have become much more sophisticated over the last two years.

However, there are other, indirect threats as well, over which individuals have more direct control.

Recently, McAfee published a good rundown on deficiencies in state election websites. Here, the threat is not at the polling place but beforehand, with an unsuspecting voter fooled into going to the incorrect polling location or into entering personal information. The cat may already be out of the bag regarding the latter threat, with security firms reporting that over 35 million voter records are now available on the dark web. These types of threats, in terms of the sheer number of voters impacted, can be more destructive than the small percentage of voting machines that may (or may not) be compromised.

And, we’re increasingly aware of the potential impact of social networks in spreading disinformation.  Unlike 2016, the Facebooks and Twitters of the world have realized their roles, both positive and negative, and are attempting to put the necessary checks in place.  But they will be hard-pressed to stay a step ahead of the hackers.

Hopefully, with additional focus, federal dollars, and press overwatch, Nov 6th won’t present any issues.  And even if we run into some concerns, the strength of our overall voting democracy will prevail, as long as we continue to believe, stay resilient, and vote.

For voter registration and other critical infrastructure officials looking to protect against future cybersecurity threats, check out the Cavirin Playbook, "Leveraging NIST CSF".





Cybersecurity for Our Critical Infrastructure - Utilities - Thoughts of a CSO

The Utilities sector has been well positioned for several years as a Critical Infrastructure, based on Federal Energy Regulatory Commission (FERC) requirements to adhere to the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) guidelines and Cybersecurity Risk Management Process guidance. In the past, the challenge has been that Corporate Information Technology was managed separately from Industrial Control Systems (ICS), which left gaps for bad actors to exploit. These days the challenge is expanding to end users with emerging "always-on" Internet-connected smart devices. The challenges posed are both to the end-user consumer and to the overall power grid, given coordinated attack capabilities. This is further complicated by most end-user consumer smart devices having all or some components manufactured outside the USA, introducing foreign-made embedded chips that could be used against another nation, corporation, and/or individual with minimal effort. This sector is the most important of all Critical Infrastructure industries, as the other sectors need utilities to operate.

These types of threats have been proven, and the genie is out of the bottle. Stuxnet, a sophisticated computer worm that targets the centrifuges used to produce the enriched uranium that powers nuclear weapons and reactors, is the prime example of this situation, and it was contained and tested in a controlled environment protected to a greater level than Utilities are. Direct action may be more difficult to execute, but still, nation-state actors will find successful opportunities.

The challenge for the Utilities sector is to establish detective controls that spot anomalies before they can be detected by a human. The biggest threats will come from indirect sources (Vendors, Suppliers, Customers) in the future. These channels will have weaknesses that cannot be addressed, and safeguards will need to be implemented with the expectation that those channels are compromised. Visualization of your organizational CyberPosture at all levels will become the norm, monitored as closely as voltage range and kilowatt usage are. When there is no defined boundary to keep bad actors out, the shift is towards real-time monitoring.

Yes, all organizations are implementing "shift left" best practices for coding, DevSecOps, etc., but in many cases the ability to consolidate the CyberPosture view in real time has not yet been implemented. The usage of data visualization is another dynamic tool that has been lagging, but I expect this to become the new security domain field that will attract a great deal of attention over the next 12 to 18 months. The National Association of Corporate Directors highlighted the need for this data visualization in their 2017 Cyber-Risk Oversight guidance. My previous work at Verizon on the Verizon Risk Report (VRR) combined the Verizon Data Breach Investigations Report (DBIR) with threat intelligence from Recorded Future and external risk vectors from BitSight, which provided a security industry foundational baseline for others to build from and created great visualization techniques. Side Note: There was some data visualization introduced with the 2018 DBIR report on the website that reduced the report size and provided historical context of top threats over time. The second level of the VRR started to include various elements of inside-out security sources (starting with End Point Detection and Protection leveraging Tanium and Cylance) and was expanding to culture and process elements at the third level. There is more work to be done, with many other security areas being incorporated. In my recent discussions with a major telecommunications provider and a national bank, the data visualization movement has started and will continue gaining momentum.

Besides data visualization, I expect that all critical infrastructure industries will expand physical air gap separation of networks. In some ways, we are returning to the 1990s. Back in those days, I supported customers that had air gaps. A French bank kept Internet computers off the corporate network; a major University kept Student and Financial systems on a separate network, and a major military establishment used air gaps. We have allowed technology gains to fool us into thinking that we are more secure when in fact those solutions increased the risk factors. This happened for several reasons: product development cycles were rushed out the door, and there is minimal financial risk in providing insecure software and hardware to most customers. If you introduce an unsafe automotive vehicle, then there are financial penalties that those manufacturers must pay for the people that are hurt and/or killed as a result. When have you seen a technology company punished for releasing unsafe hardware and/or software? Therefore Utilities, actually all critical infrastructures, need to design security architectures that expect security flaws to be built into the solutions that they purchase and implement.

For more on this and protecting our critical infrastructure, check out our Webcast on October 24th, Protecting Our Critical Infrastructure Starts with NIST CSF.  If you cannot make it, no worries, register anyway and a link to the recording will be sent to you following the event.


© 2019 Cavirin Systems, Inc. All rights reserved.