AWS Startups Blog
Enabling Cloud Threat Defense with RedLock
Guest post by Varun Badhwar, CEO and Cofounder, RedLock
The adoption of public cloud computing among established businesses and startups is outpacing the adoption of new cybersecurity defenses. In fact, the average customer’s traditional security tools are incompatible with the cloud, as they were designed for on-premises networks—and according to Gartner, 95% of cloud security failures through 2020 will be the customer’s fault. This breaches the shared responsibility model of cloud security, which clearly outlines the respective responsibilities of cloud service providers and their customers, and results in a loss of visibility and control.
At RedLock, my cofounder Gaurav Kumar and I believe that many organizations lack true visibility into cloud computing environments. We started our company to enable effective threat defense across public cloud computing environments such as Amazon Web Services (AWS). In this blog post, we explain how our new AI-driven approach correlates disparate data sets across large, distributed AWS environments and how this provides a unified view of security and compliance risks.
Dissecting the security challenge
To effectively solve the aforementioned problem, we first analyzed what changes moving to the cloud presented and what implications this move had on security. There are four main challenges to this move:
● Resource configurations
While the cloud enables agility by allowing users to create, modify, and destroy resources on-demand, this often occurs without any security oversight. The result is that the security team can’t rely on manual security audits. As an example, recent research from the RedLock Cloud Security Intelligence (CSI) team, a group of elite security researchers, revealed that 64% of databases are not being encrypted in the cloud, which goes against security best practices.
● Vulnerable hosts
Identifying vulnerable hosts is a different ball game in the cloud because customers can’t solely rely on their existing vulnerability management investments. These tools perform a periodic scan of the environment and identify hosts with missing patches by IP address. However, IP addresses in the cloud are constantly changing, which makes the results unreliable. Our CSI team found that 81% of organizations are not managing vulnerabilities in their cloud computing environment.
● User activities
Compared to on-premises networks that are tightly locked down, in the cloud there typically are more users with privileged access to the environments. As a result, it is important to vigilantly monitor users for anomalous activities to detect account compromises and insider threats. Alarmingly, according to the CSI team hundreds of organizations were leaking credentials to their cloud computing environments on internet-facing web servers.
● Network activities
The absence of a physical network boundary to the internet increases the attack surface in the cloud by orders of magnitude. Organizations must monitor their environments for suspicious network traffic. This can be challenging using traditional network monitoring tools because they can’t be deployed for monitoring traffic to API-driven services. Our research shows that 37% of databases are accepting inbound connection requests from the internet, which is a very poor security practice as databases should never be directly exposed to the internet. To make matters worse, the research revealed that 7% of these databases are receiving requests from suspicious IP addresses, which indicates that they have been compromised.
Designing a comprehensive platform
Our conclusion from the above analysis was that the only feasible way to solve these security conundrums is by looking at the problem holistically. To do so, we took these steps:
- We collect disparate data sets including resources configurations, host vulnerabilities, user activities, network traffic, and threat intelligence. We consume this data from various AWS and third-party APIs, and normalize it into a standardized format within the RedLock SaaS platform running on AWS.
- We apply AI to correlate the massive volumes of data and lift the signals from the noise.
- We display the risks in a visual way that enables users to quickly pinpoint issues and perform forensics.
- We realized that in order for security to keep pace with agile development, issues had to be automatically remediated to quickly close any windows of opportunities for malicious actors. Leveraging AWS APIs enables us to achieve this seamlessly. Additionally, our platform can integrate with third-party orchestration tools so that organizations can leverage their existing investments.
The following screenshot illustrates how the RedLock platform distills down large volumes of disparate data sets to highlight risks and enable rapid investigation.
Key applications of the RedLock platform
Today, the RedLock platform protects over five million cloud resources for global brands across a variety of verticals. We solve a variety of use cases, but here are our most common ones:
● Compliance assurance
Mapping cloud resource configurations to compliance frameworks such as CIS, PCI, and HIPAA can be challenging. Our solution enables you to monitor, auto-remediate, and report on compliance using out-of-the-box policies.
● Security governance
Security governance is challenging in dynamic public cloud computing environments due to the lack of visibility and control over changes. RedLock enables DevSecOps by establishing policy guardrails to detect and auto-remediate risks across resource configurations, network architecture, and user activities.
● SOC enablement
Security operations teams today are being inundated by alerts that provide little context on the issues, which makes it hard to triage issues in a timely manner. We enable you to identify vulnerabilities, detect threats, investigate current or past incidents, and auto-remediate issues across your entire cloud computing environment in minutes.
To learn more about how RedLock can effectively manage risks across your public cloud computing environment, come see us during AWS Security Week at the AWS New York Loft.