Understand and Prioritize Risk Amplifiers Within Your Cloud with AWS Services and Sonrai Dig
By James Casagrande, Sr. Product Marketing Manager – Sonrai Security
By Nathan Schmidt, Principal Solutions Architect – Sonrai Security
By Jeremy Brockett, Sr. Solutions Architect – AWS
For enterprise clouds, proactively eliminating security risks can be daunting. With limited security resources, a dynamic Amazon Web Services (AWS) footprint, and an active development pipeline you don’t want to disrupt, prioritization is key.
Prioritization of risks requires understanding two things: how can someone (or something) access your cloud, and what can they do once they’re in?
In the old data center world, this meant protecting a “perimeter” with firewalls and vulnerability scanners, and then looking for paths of lateral movement to other workloads via network holes. The innovation of a cloud environment changed all that—defining a “perimeter” around a cloud that’s changing size and shape throughout the day isn’t as simple as it used to be.
Sonrai Security saw the same problem AWS did and addressed the lateral movement and prioritization angle. Sonrai, an AWS Security Competency Partner, built an analytics engine that could tell you who could access what, when, and how—and took the insights from Inspector, GuardDuty, and other services to get a full picture of risk severity on AWS.
Under the Management and Governance Lens of the AWS Well-Architected Framework, AWS highlighted the ability of security tools to “identify, prioritize, and mitigate threats, gain visibility into suspicious activities, and acknowledge risks” in real time as a critical function. From here, Sonrai takes its mandate.
In this post, we’ll go over how this all comes together in Sonrai Dig—namely, how you can leverage Sonrai Dig to prioritize remediating risks like the vulnerabilities Amazon Inspector finds. We’ll walk through evaluating “risk amplifiers” and getting the full environmental context around a workload to rate how urgent it is to fix.
Amazon Inspector and GuardDuty: Foundational Risk Intel
Let’s start with the tools you need for vulnerability management and threat detection. Amazon Inspector is mainly tasked with protecting Amazon Elastic Compute Cloud (Amazon EC2) instances and Amazon Elastic Container Registry (Amazon ECR) resources.
It checks your EC2 and ECR resources against a library of best practices, common compliance standards, and public libraries of known vulnerabilities. It then prioritizes these issues into security findings by severity level and describes how to resolve issues to protect your AWS environment. The severity levels are scored high, medium, and low.
All of these vulnerabilities provide an indication to the existence of security issues that could lead to compromised confidentiality, integrity, and availability of information in or through Amazon EC2 or ECR resources.
Amazon GuardDuty combines threat detection and machine learning (ML) of your AWS accounts, data stored in Amazon Simple Storage Service (Amazon S3), and workloads to provide an AWS-specific view into your accounts to reduce risk.
GuardDuty looks for things like abnormal API and AWS CloudTrail activity, potential unauthorized deployment of resources or compromised instances, evidence of S3 bucket compromise, and threats and vulnerabilities in your Amazon Elastic Kubernetes Service (Amazon EKS) clusters.
GuardDuty is a security service that keeps an eye on what’s going on in your accounts, and alerts you to any undesirable behavior. Each GuardDuty finding has an assigned severity level, which are scored high, medium, and low.
It’s easy to see how this information can be valuable to securing your cloud accounts in AWS. Having these services directly from AWS provides a certain deep specialty that Amazon provides.
In most organizations, a human being or team is tasked with analyzing this data. With a rapid development pipeline that takes advantage of ephemeral infrastructure at enterprise scale, acting on every single piece of security intel is counterproductive.
Organizations are straining valuable resources under the weight of alert fatigue, so much so that teams can resort to quiet quitting, putting the organization at risk. Gone are the days when simply knowing the age, Common Vulnerability Scoring System (CVSS) score, and exploit status of your risks were enough to prioritize securing your environment.
In the end, a vulnerability is just a crack in the perimeter, but revealing if it’s concerning enough to expose a path to sensitive data comes from examining all the elements of public cloud risks together.
Getting Smarter About Alerts
To put this issue in simple terms: there is a big difference between the alarm that’s supposed to wake you up in the morning and a fire alarm. This alert distinction needs to happen with minimal human input. Prioritization needs to be good enough out of the box to be useful right away, yet still be customizable enough to adapt to the way each team works, so it matures with you in your cloud journey.
Figure 1 – Group workloads by sensitivity and set goals to prioritize remediation.
Prioritization starts with asking the question: does this alert really impact sensitive data? We must be able to understand that a sandbox EC2 instance that’s completely walled off from the rest of the organization, with no public access and no critical data, should be one of the last things security-minded teams should be worried about—even if it has a comical number of vulnerabilities with high CVSS scores.
Instead, remediation priority should be given to risks on an EC2 instance when it has public access to the internet and has toxic combinations of trust relationships between roles, and that gives virtual machines (VM) access across accounts to a production environment’s critical data—even if the vulnerabilities are fewer or even slightly less severe.
If the fundamental challenge in security is enabling limited resources to take the most valuable actions, then we need automation to tell us what risk has the greatest impact to the organization’s most critical assets in the cloud. “What should I fix next?” should have a simple but well-evidenced answer: the risk that threatens your business the most.
Prioritizing Vulnerabilities with Identity and Data Analytics
Sonrai Dig gives organizations visibility into everything you deploy in your public clouds, normalized across AWS, and in multi-cloud deployments.
Sonrai gives you visibility into hundreds of resource types cloud service providers offer natively. From there, it prioritizes risk based on data, because that’s what adversaries are looking to get from your cloud. Sonrai finds your critical data and makes sure you know where that is, and that guides a contextual analysis of your risks to best protect that data.
Figure 2 – Workload-based risk amplifiers show a vulnerability’s threat level.
Locating your critical data is step one. To protect it, you must know all of the ways to get access to that critical data by understanding lateral movement and through attack path analysis.
The first of the Sonrai Dig patents is the ability to understand identities in the cloud. Identities aren’t just people—they are anything that can do things in the public cloud. Roles, EC2 instances, as well as users are all examples of things that can execute cloud actions.
Understanding permissions goes beyond simply knowing when someone or something has too many, which Sonrai does well. Sonrai Dig’s real innovation is seeing all potential privileges and access for any identity, even across accounts or across clouds.
By combining this key perception of context with Sonrai patented technology, the hidden “blast radius” of each vulnerability is shown so you can understand how severe a vulnerability is.
Figure 3 – Indirect permissions can obscure the blast radius of a vulnerability.
To see the full picture, you need a cross-sectional view of cloud risks to reveal where exploitable vulnerabilities and harmful host-based risks align. Sonrai calls these “risk amplifiers” and they automatically highlight vulnerabilities with high privileges, access to sensitive data, or external exposure.
Sonrai’s platform with the integration of AWS tooling provides real and functional return on investment (ROI) through meaningful workload insights, without overwhelming the people responsible for securing cloud resources. The end result for your team, and for the organization as a whole, is better prioritization and faster resolution of vulnerabilities and risks uniquely dangerous to your cloud, before adversaries exploit those vulnerabilities and risks.
Figure 4 – An identity “risk amplifier” on a vulnerable compute instance.
Growing a Risk Remediation Operation
The problems many leaders experience when they are concerned with the journey of cybersecurity in the cloud include:
- Finding complementary solutions
- Leveraging existing organizational talent
- Minimizing the effort to get going
- Not forced to redo processes
If you have been swamped in your work trying to secure your cloud and are looking to the market for help, you might be overwhelmed with what you find in your research. There is an ever-increasing quantity of disparate tools being developed for various bits and pieces of cybersecurity in the cloud.
Once you make your decision, you have to figure out what to do with the output. The most common choices for consuming alerts from security tools has been to send it all to a Security Information and Event Management (SIEM) or a Security Orchestration, Automation and Response (SOAR) and have the human beings responsible for tweaking yet more tooling try to make sense of all the alerts coming in.
Services like AWS Security Hub help by aggregating, organizing, and attempting to prioritize findings from AWS services and from those that use the AWS Security Finding Format. For enterprise AWS customers, the volume of alerts dictates an additional layer of prioritization analytics is needed.
Figure 5 – Sonrai integrates with over 150 AWS services.
Sonrai Dig is a platform built from the ground up to solve threats to your cloud through early recognition of significant risks. This can prevent the exploitation and monetizing of your data.
Together, Sonrai Dig, Amazon Inspector, and Amazon GuardDuty complement each other’s ability to find and categorize risk urgency. It goes beyond alerting by offering automated remediation and governance and integrating with services like AWS Control Tower, AWS Security Hub, ServiceNow, Jira, or Splunk.
However your business runs, Sonrai Dig and AWS can help you discover and remediate weaknesses in your cloud before the attackers do.
Sonrai Security – AWS Partner Spotlight
Sonrai Security is an AWS Competency Partner that delivers an enterprise cloud security platform addressing workload, platform, identity, and data risks.