FireMon.com (https://www.firemon.com): Improve Security Operations. Improve Security Outcomes.

Retail Cybersecurity: The Importance of Compliance and Risk Management https://www.firemon.com/retail-cybersecurity-the-importance-of-compliance-and-risk-management/ Tue, 27 Feb 2024 17:11:20 +0000 https://www.firemon.com/?p=1871

In today’s digital age, cybercrime has become big business and no industry is immune. Retailers, in particular, are attractive targets due to large repositories of customer data and often inadequate security measures. Traditional retail metrics have often prioritized initiatives to maximize store performance over security, leaving significant gaps in defenses.

A Shift in Retail IT Security

The retail industry’s approach to IT security has often been reactive, with cybersecurity investment sometimes lagging behind other industries due to smaller profit margins. However, these gaps in security are now becoming a critical issue, especially in light of evolving compliance standards like the Payment Card Industry Data Security Standard (PCI DSS), which releases version 4.0 in late March of this year with 63 new requirements.

Retail companies must prioritize compliance and risk management in their network security to avoid financial penalties and reputational damage, prevent customer identity theft, and defend against their cybersecurity threat landscape.

What's at Stake?

The price of failure can be steep: compliance violations carry fines ranging from $5,000 to $100,000 per month, and these can increase over time if an organization remains out of compliance. Additional fines can be imposed after a data breach, even if the organization is in compliance. Banks and payment processors also reserve the right to terminate their relationship with the company.

As of 2023, the average cost of a data breach in the United States was 9.48 million U.S. dollars, including fines, penalties, and potential lawsuits. These figures highlight the importance of robust, proactive security strategies.

The Role of FireMon in Retail Cybersecurity

FireMon offers enhanced network security, compliance management, and real-time visibility and control, making it a valuable asset in a retail company’s cybersecurity strategy. FireMon’s tools assist in risk assessment and mitigation, helping security teams identify potential security gaps proactively. Furthermore, the scalability and adaptability of FireMon’s solutions make them suitable for dynamic and growing organizations, ensuring that their security infrastructure can evolve in line with the organization’s needs.

Why Choose FireMon?

FireMon offers a range of features that make it a powerful tool for retail cybersecurity. These include:

Consolidated Compliance Reporting

FireMon provides support for custom assessments using internal business policies or external frameworks and built-in industry assessments including PCI DSS, SOX, and GDPR.

Real-time Violation Detection

FireMon’s real-time violation detection feature scans across the entire environment to find and address violations. Customizable alerts allow teams to configure platforms to their needs, and guardrails check rules before they are deployed to prevent new violations.

Rule Lifecycle Management

FireMon offers automatic reviews to recertify rules that are required and decertify those that are not. Review tickets are automatically sent to policy owners based on business criteria, and documentation captures business owners and applications for ownership and governance.

Risk and Threat Modeling

FireMon allows you to conduct attack and change simulations to assess risk, test for policy-related vulnerabilities, then prioritize patching and device rule changes.

FireMon: Built for Compliance Reporting

FireMon offers various features to support compliance reporting: 12 built-in compliance reports supporting internal and external frameworks, support for top compliance standards including PCI DSS, SOX, and GDPR, and over 500 included controls that can be customized using SiQL (FireMon’s native query language) and RegEx (regular expressions).

Real-Time Compliance Management at Scale

FireMon is architected for real-time reporting, violation detection, and search in any environment. It offers time-proven scalability/performance verified to support 15K devices and 25M rules.

Advanced Asset Discovery

To reduce the risk of gaps in network visibility, FireMon offers real-time network and device discovery with automatic device profiling and custom details. It provides unmatched, real-time cyber situational awareness that enables network and security teams to discover the darkest corners of their often obscure infrastructure.

In Conclusion

In the fast-paced retail environment, where threats are evolving and regulations are continually updated, it’s critical to have a security partner like FireMon that can provide comprehensive, scalable, and real-time solutions to protect your business and your customers. FireMon’s commitment to helping retail organizations achieve continuous compliance and robust risk management makes it a trusted partner in the retail industry’s cybersecurity landscape.

Network Security: A Top Priority for Healthcare Organizations https://www.firemon.com/network-security-a-top-priority-for-healthcare-organizations/ Wed, 14 Feb 2024 20:56:26 +0000 https://www.firemon.com/?p=1833

Healthcare companies have a responsibility to protect sensitive patient data and ensure compliance with regulations like HIPAA. As a result, network security is a top priority for organizations in this industry. FireMon, a leader in network security policy management, offers solutions tailored to the needs of healthcare companies.

Healthcare data is an attractive target for cybercriminals, who frequently launch ransomware attacks, data breaches, and other threats to steal valuable personal and medical information. At the same time, healthcare organizations often grow through mergers and acquisitions, introducing new network security risks with each new entity and system added. Implementing strong safeguards and maintaining continuous visibility across the network environment is essential for identifying and responding to these threats promptly.

FireMon’s solutions provide enhanced network security, compliance management, and real-time visibility and control. They help streamline the complex task of managing firewalls and security policies, which is vital for maintaining a secure network. FireMon also assists in proactively identifying potential security gaps through risk assessment and mitigation. Furthermore, FireMon’s scalable and adaptable solutions are suitable for dynamic and growing organizations, ensuring that their security infrastructure evolves with the organization.

Why Act Now?

Manual compliance audits are resource-intensive and time-consuming, often taking weeks or months to complete for large healthcare organizations. The complexity of managing security across on-premises and cloud environments with multiple vendors can make audit reporting nearly impossible without the aid of automation. Pulling and consolidating firewall logs in spreadsheets also introduces opportunities for error that can lead to audit failure. The penalties for compliance violations like HIPAA can be steep, including fines of up to $250,000 per incident.

Why Choose FireMon?

FireMon offers consolidated compliance reporting across the network environment with built-in support for HIPAA, HITRUST, PCI DSS, GDPR, and custom frameworks. Standard and ad hoc reports provide compliance visibility on demand or on a schedule. Real-time violation detection scans the entire network to find and address issues as they arise, with customizable alerts. Rule lifecycle management automates reviews, recertification, and documentation for streamlined audits. Risk and threat modeling assesses vulnerabilities, and risk prevention guardrails eliminate new vulnerabilities when rules change.

How FireMon Is Better

FireMon is purpose-built for compliance reporting with 12 built-in reports, over 500 controls, and the ability to customize using a native query language. Highly customizable workflows are optimized for rule creation and changes. Real-time compliance management scales to support 15K devices and 25M rules. Guardrails prevent violations before deployment. Advanced asset discovery provides real-time tracking of all network devices without the use of agents and enriches your CMDB, asset management, and vulnerability scanner data. The FireMon Customer Experience team helps maximize your desired compliance outcomes.

For healthcare organizations, network security and compliance are fundamental. FireMon provides the solutions to establish, maintain, and demonstrate a strong security posture in today’s complex, dynamic network environments. To learn more about how FireMon can help your healthcare organization, request a demo today.

FireMon, a leading provider of centralized firewall management, has played an instrumental role in empowering Convey Health Solutions to achieve and maintain HITRUST CSF certification and PCI DSS compliance amidst a demanding audit schedule. Housing over 40 decentralized firewalls, Convey Health was navigating labor-intensive and error-prone manual processes. The need for a comprehensive, flexible, and efficient regulatory compliance and risk management solution led them to FireMon’s Network Security Policy Management (NSPM) offering.

NSPM offered a host of advanced features like centralized firewall management, real-time visibility, and highly customizable reports. FireMon excelled in providing unified policy visibility and management, along with out-of-the-box and customizable compliance assessments. Automated rule documentation and reporting, rule review and recertification workflows, and automated real-time checks across 350+ custom controls and regulatory standards streamlined Convey’s compliance efforts.

With FireMon, Convey Health not only achieved continuous compliance but eliminated time-consuming and error-prone manual processes. FireMon’s solution offered real-time network behavior and traffic flow analyses, which further allowed Convey’s team to reduce risk by identifying and removing redundant, overlapping, or unused rules. With the ability to deploy rules directly to devices with one click, FireMon simplified and expedited the whole process.

As a result, Convey Health Solutions effectively reduced the time to produce accurate compliance reports by 66%, identified and removed over 150 redundant rules, and most importantly, achieved 100% PCI DSS compliance. Patrick Stoehr, Manager of Data Network Services, remarked on FireMon’s instrumental role, “With FireMon tracking compliance for us, we were able to shrink our overall audit time by two-thirds of our original schedule. Additionally, we were able to clean and push out almost 300 rules that had not been reviewed in over three years.”

Building a Privacy-Centric Organization with FireMon https://www.firemon.com/building-a-privacy-centric-organization-with-firemon/ Mon, 22 Jan 2024 14:55:22 +0000 https://www.firemon.com/?p=1795

How FireMon Can Help You Integrate Privacy into Your Business Foundation

As organizations increasingly rely on technology to streamline operations and connect with customers, the need for robust privacy measures has become more critical than ever. Here at FireMon, we play a pivotal role in building a privacy-centric organization by seamlessly integrating privacy into the very foundation of your business. 

Understanding the Privacy Landscape 

Before delving into the specifics of FireMon’s capabilities, it’s crucial to grasp the current privacy landscape. Data breaches, cyber threats, and regulatory requirements have heightened the awareness of privacy concerns. Customers are more discerning about the protection of their personal information, and regulators are tightening the screws on organizations that fail to meet privacy standards. 

FireMon’s Role in Privacy Integration 

  1. Comprehensive Visibility

Building a privacy-centric organization starts with understanding your digital environment. FireMon provides comprehensive visibility into your network, enabling you to identify and assess potential privacy risks. By mapping out your network architecture, you gain insights into data flows, potential vulnerabilities, and areas where privacy measures need reinforcement. 

  2. Policy Management and Enforcement

Effective privacy management requires robust policies and their consistent enforcement. FireMon excels in policy management, allowing organizations to define and implement privacy policies seamlessly. With a centralized single-source of truth platform, you can monitor and enforce policies across your entire network infrastructure, ensuring that privacy measures are consistently applied. 

  3. Continuous Compliance Monitoring

Privacy regulations are dynamic and subject to change. FireMon aids in maintaining continuous compliance by regularly updating its database with the latest privacy regulations and standards. This ensures that your organization stays ahead of regulatory requirements, reducing the risk of non-compliance and associated penalties. 

  4. Automated Risk Assessment

Identifying and mitigating privacy risks manually can be a daunting task. FireMon’s automation capabilities streamline the risk assessment process. By leveraging advanced analytics and machine learning, FireMon identifies potential privacy risks in real-time, allowing your organization to proactively address vulnerabilities and enhance overall privacy posture. 

  5. Incident Response and Forensics

Despite robust preventive measures, incidents can still occur. FireMon provides robust incident response and forensics capabilities, allowing organizations to investigate and mitigate the impact of privacy incidents swiftly. By tracing the origins of a breach and understanding its scope, your organization can take decisive action to minimize the fallout and uphold customer trust. 

Example: Privacy Success with FireMon 

To illustrate the impact of integrating FireMon into your organization’s privacy framework, let’s explore a hypothetical instance. A financial institution, subject to stringent privacy regulations, implemented FireMon to enhance its privacy posture. 

Through comprehensive visibility, the institution identified previously unnoticed data flows and vulnerabilities within its network. With FireMon’s policy management, the organization defined and enforced robust privacy policies, ensuring that customer data was consistently protected. 

Continuous compliance monitoring proved invaluable as privacy regulations evolved. FireMon’s automated risk assessment flagged potential vulnerabilities, allowing the institution to proactively address issues and maintain a strong privacy stance. 

Building a privacy-centric organization is not a one-time endeavor but an ongoing commitment to safeguarding sensitive information. FireMon emerges as a key ally in this journey, providing the tools and capabilities needed to integrate privacy seamlessly into your business foundation. 

By leveraging FireMon’s comprehensive visibility, policy management, continuous compliance monitoring, automated risk assessment, and incident response capabilities, organizations can navigate the complex privacy landscape with confidence. As technology continues to advance and privacy concerns intensify, embracing solutions like FireMon becomes imperative for organizations aspiring to uphold the highest standards of privacy and security. 

Empower Incident Response with Real-Time, Just-in-Time Alerts and Access https://www.firemon.com/empower-incident-response-with-real-time-just-in-time-alerts-and-access/ Fri, 03 Nov 2023 15:51:22 +0000 https://www.firemon.com/?p=1681

Here at FireMon we have a bit of a different take on Cloud Security Posture Management. Cloud Defense was built from the ground up to support real-time security operations. Our goal, from day one, has been to help detect and remediate cloud security issues before they become cloud security problems.

Although we support automated remediations, whether via the console, ChatOps, or fully automated, in many situations it makes more sense to manually review and fix something so you are less likely to experience an unintended consequence. For many issues this should be handled by the team that owns the account/subscription/project, which is why we created our advanced ChatOps and ticketing notifications. By sending issues in real time to teams in the tools they already use, you empower them to fix things more quickly using their preferred technique.

But sometimes, especially if something is exposed to the Internet at large (and maybe in the middle of the night), you will want SecOps to step in and fix it right away. This kind of break-glass access should be restricted, used judiciously, and comprehensively logged.

That’s the example in this video. Watch, in real time (really, there aren’t any cuts), an entire response process from misconfiguration to remediation in less than two minutes:

1. Someone creates a snapshot of a storage volume and makes it public.
2. FireMon Cloud Defense instantly alerts the on-call incident responder via Slack.
3. The responder dives into the issue and identifies the exposed resource and AWS account.
4. The responder can even see the API calls that created the issue, and the attribution of who made the changes.
5. The responder then requests JIT access via ChatOps.
6. The manager sees the JIT request and approves it.
7. FireMon Cloud Defense’s Authorization Control feature then notifies the AWS account to create a session and sends the user to a zero-knowledge system to collect credentials (FireMon never has access to credentials).
8. The responder pivots into the AWS account and remediates the issue.
9. Cloud Defense detects the remediation and automatically cleans the issue and also sends out a ChatOps notification of the remediation.
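The detection-and-closure half of the flow above (steps 1, 2, 4 and 9), as an added Python illustration that is not Cloud Defense code: it replays constructed CloudTrail-style records, opens an issue when a snapshot is shared with the `all` group, attributes the change to the calling principal and account, and closes the issue when the grant is removed. The record layout is modelled on CloudTrail's ModifySnapshotAttribute events; account ids, ARNs, snapshot ids and the function names are assumptions.

```python
"""Replay of the public-snapshot scenario as detection logic: open an issue
when an EBS snapshot is shared with every AWS account, record who did it and
from which account, and close the issue when the sharing is reverted.
Added example, not Cloud Defense code.  Records are constructed and only
modelled on the shape of CloudTrail ModifySnapshotAttribute events."""
from dataclasses import dataclass
from typing import Optional

PUBLIC_GROUP = "all"   # EC2's group name meaning "every AWS account"

# Constructed CloudTrail-style records: fake account ids, principals, ids.
SAMPLE_EVENTS = [
    {"eventTime": "2023-11-03T02:14:09Z", "eventName": "CreateSnapshot",
     "recipientAccountId": "111122223333",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-dev"},
     "requestParameters": {"volumeId": "vol-0aaaa1111example"},
     "responseElements": {"snapshotId": "snap-0bbbb2222example"}},
    {"eventTime": "2023-11-03T02:15:31Z", "eventName": "ModifySnapshotAttribute",
     "recipientAccountId": "111122223333",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-dev"},
     "requestParameters": {"snapshotId": "snap-0bbbb2222example",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {
                               "add": {"items": [{"group": "all"}]}}}},
    # Sharing with one specific account: an exposure, but not a public one.
    {"eventTime": "2023-11-03T02:16:02Z", "eventName": "ModifySnapshotAttribute",
     "recipientAccountId": "111122223333",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-dev"},
     "requestParameters": {"snapshotId": "snap-0cccc3333example",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {
                               "add": {"items": [{"userId": "444455556666"}]}}}},
    # The on-call responder, in a JIT session, removes the public grant.
    {"eventTime": "2023-11-03T02:17:45Z", "eventName": "ModifySnapshotAttribute",
     "recipientAccountId": "111122223333",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/jit-responder/oncall"},
     "requestParameters": {"snapshotId": "snap-0bbbb2222example",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {
                               "remove": {"items": [{"group": "all"}]}}}},
]


def public_share_change(event: dict) -> Optional[str]:
    """Return 'add' if the event makes a snapshot public, 'remove' if it
    reverts that, else None.  Account-specific sharing is ignored here."""
    if event.get("eventName") != "ModifySnapshotAttribute":
        return None
    perm = event.get("requestParameters", {}).get("createVolumePermission", {})
    for action in ("add", "remove"):
        items = perm.get(action, {}).get("items", [])
        if any(item.get("group") == PUBLIC_GROUP for item in items):
            return action
    return None


@dataclass
class Issue:
    snapshot_id: str
    account: str
    opened_at: str
    opened_by: str              # attribution: the principal that made the change
    status: str = "open"
    closed_at: Optional[str] = None
    closed_by: Optional[str] = None


def track_public_snapshots(events: list[dict]) -> tuple[dict[str, Issue], list[str]]:
    """Replay events in time order: open an issue on public exposure, close it
    when the exposure is removed.  Returns issues keyed by snapshot id plus
    the notifications that would go to the responders' channel."""
    issues: dict[str, Issue] = {}
    notifications: list[str] = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        change = public_share_change(ev)
        if change is None:
            continue
        snap = ev["requestParameters"]["snapshotId"]
        account = ev.get("recipientAccountId", "<unknown account>")
        actor = ev.get("userIdentity", {}).get("arn", "<unknown principal>")
        when = ev["eventTime"]
        if change == "add":
            # A new public grant (re)opens the issue with fresh attribution.
            issues[snap] = Issue(snap, account, when, actor)
            notifications.append(f"ALERT {when} {snap} in {account} made public by {actor}")
        elif snap in issues and issues[snap].status == "open":
            issue = issues[snap]
            issue.status, issue.closed_at, issue.closed_by = "closed", when, actor
            notifications.append(f"RESOLVED {when} {snap} public access removed by {actor}")
    return issues, notifications


if __name__ == "__main__":
    for line in track_public_snapshots(SAMPLE_EVENTS)[1]:
        print(line)
```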

It sounds like a lot, but check out the video to see how smooth and easy it is. This really shows the power of real-time and building a product for security practitioners.

Securing Australia’s Critical Infrastructure: The Role of Asset Visibility in Meeting SOCI Obligations https://www.firemon.com/securing-australias-critical-infrastructure-the-role-of-asset-visibility-in-meeting-soci-obligations/ Tue, 31 Oct 2023 15:52:23 +0000 https://www.firemon.com/?p=1665

As Australia has grown increasingly connected, the security of critical infrastructure has never been more paramount. In response to the evolving threat landscape, the Australian government enacted the Security of Critical Infrastructure Act (SOCI) in 2018. While the act was designed to strengthen Australia’s national security posture, it has undoubtedly introduced additional challenges for organisations that fall under its jurisdiction.

One of the key obligations of the SOCI Act is “the requirement to report information to the Register of Critical Infrastructure Assets”. For CISOs and Network Security Leads, ensuring compliance while also maintaining a strong security posture can be a complex task.

The Challenge: Accurate and Comprehensive Reporting

The SOCI Act mandates that organisations provide comprehensive, accurate, and timely information about their critical infrastructure assets. This requirement ensures that the government can respond effectively to threats and is equipped with the knowledge needed to protect the nation’s vital services.

However, achieving a comprehensive overview of networked assets is not always straightforward. Many organisations have complex, distributed networks that have grown organically over time. Without a clear view of every connected asset, not only is there an increased security risk, but there’s also the potential for non-compliance with the SOCI Act, leading to severe fines and penalties.

The Solution: Asset Visibility

When maintaining SOCI compliance whilst protecting your organisation from cybercrime, the first step is to fully understand your environment and all that needs to be secured. You cannot protect what you cannot see. It sounds simple enough, but mergers and acquisitions, divestitures, and even onboarding remote new hires can significantly and rapidly expand your security team’s responsibilities. If you are not equipped to properly identify, manage, and secure your new assets, they become an immediate liability.

In addition to improved compliance, asset visibility solutions provide multiple benefits, including:

  • Comprehensive Visibility: Cyber asset visibility tools automatically scan and map out every connected device within an organisation’s infrastructure. This ensures that no asset remains hidden, offering a clear, bird’s-eye view of the entire network.
  • Up-to-Date Information: Network landscapes change frequently. Devices are added or retired, configurations are altered, and networks are restructured. An effective asset visibility tool will update the asset inventory in real-time, ensuring that the information provided to the Register of Critical Infrastructure Assets is always current.
  • Risk Identification: Beyond just identifying assets, modern network discovery solutions can also help identify vulnerabilities or misconfigurations. By tying these insights into the reporting process, organisations can proactively address security risks before they’re exploited.
  • Efficient Reporting: With a centralized dashboard that presents all discovered assets and their respective details, compiling reports for the SOCI becomes a straightforward task. No more manual checks or missed devices; everything is right at your fingertips.

Facing Audits and Fines with Confidence

Since the SOCI Act’s introduction, organisations face stringent audits and potential fines for non-compliance. By leveraging a robust asset visibility solution, CISOs and Network Security Leads can approach these audits with confidence, knowing they have a reliable and up-to-date record of their assets.

Conclusion

In the age of increasing cyber threats, having a clear understanding of your networked assets is not just a matter of compliance but also a cornerstone of a robust cybersecurity strategy.

By embracing advanced asset visibility tools, organisations can not only meet their SOCI obligations but also identify unknown assets, improve response times, achieve continuous monitoring, and strengthen their security posture. Without complete asset visibility, your organisation is at risk of cyberattacks that could lead to data breaches, reputational damage, and financial losses. It is therefore essential to invest in tools and processes that provide asset visibility and continuously monitor your network for potential threats.

FireMon’s Asset Manager, formerly Lumeta, is a real-time network visibility solution that monitors an organization’s entire environment for anomalies, potential threats, and compliance violations. It continuously scans and discovers the entire network infrastructure for every device and connection including firewalls, routers, end points, and cloud devices. Other asset discovery tools require a person to initiate asset discovery searches, wasting precious time and leaving assets vulnerable.

Asset Manager has been around for over 22 years and is used by many Fortune 500 companies. It is largely recognized for its consistency, scalability, and reliability. On average, Asset Manager finds 30% more assets than our competitors, which are potentially thousands of unprotected devices waiting to become an attack vector for cybercriminals.

To learn more about how we can help your organisation meet its SOCI obligations and bolster its security, get in touch with us today.

Improving the Grand Unified Theory of Cloud Governance https://www.firemon.com/improving-the-grand-unified-theory-of-cloud-governance/ Tue, 24 Oct 2023 16:31:56 +0000 https://www.firemon.com/?p=1656

A smidge over a year ago I wrote the Grand Unified Theory of Cloud Governance. It’s a concept I’ve been playing with for about 5 or 6 years to try and encapsulate the root cause of the difficulties companies have adapting to cloud. Sure, the title is a bit egotistical, but I used to be a Gartner analyst so, shrug?

Like any (hopefully) good theory I keep evolving it over time as I work with more companies and talk to more people. I’ve been using it a ton over the past couple years in my speaking and training, especially as I’ve been pulled into more governance scenarios. Time and time again the major problems I run into aren’t so much technical, but organizational. Yes, there are many MANY technical complexities to cloud security, and they can and do result in breaches, but in my experience the governance issues far outweigh the technical ones. 

Good governance can’t patch a zero day, but bad governance means the attacker never needs one.

The core of the theory hasn’t really changed, I just keep working on better ways to explain it. I also decided to trim it down slightly. Here’s how I currently plop it onto my slides:

  • Cloud decentralizes operations and infrastructure
  • But cloud unifies all administrative interfaces
  • And puts all admin portals and resources on the Internet, protected with a username and password

Going back to the previous version the changes are small but also big:

  • Cloud has no chokepoints, and thus no gatekeepers.
  • All administrative and management functions are unified into a single user interface that is on the Internet.
    • Protected with a username, password, and, maybe, MFA.
  • Technology evolves faster than governance.

I still use the “no chokepoints and gatekeepers” in my talk track but I found that it’s a longer way of saying “decentralized”. The fundamental issue is the independent control of the full stack outside of centralized infrastructure. That a dev or app team can build and manage all of their own infrastructure in their own environment with just a credit card. Now there are still some dependencies and controls, especially in the data plane or when you need to tie back into networks, but that doesn’t change the primary point.

Trying to completely recentralize is rarely going to work.

Next, I didn’t really change the unification of administrative interfaces. To expand, we decentralized all the infrastructure and control at the deployment level, but everyone, in the world, uses the same web console and API endpoints. 

Attackers have one gateway to infinite targets.

Then I took the sub-bullet from version one and made it bullet 3. These admin portals are all on the Internet, and by default use little more than a username and a password. All resources are also one setting away from being on the Internet, just ask all those S3 buckets and ElasticSearch clusters.

It really is that simple. Teams manage their own stuff independently. They all, around the world, use the same web portals and API endpoints. And any idiot with the right credentials can poke and prod at the back end of your “datacenter”.

Now the crazy part: this was all laid out in 2011 in NIST 800-145, the 2-page NIST Definition of Cloud Computing. It defined the five essential characteristics of cloud computing as:

  • On-demand Self Service
  • Broad Network Access
  • Resource Pooling
  • Rapid Elasticity
  • Measured Service

Take the first three points and we have:

  • Teams manage their own stuff
  • It’s all on the Internet
  • And all based on collective resource pools

Alright, so what does this all mean, and what do we do?

Accept it.

That’s the first step. Understand the problem and use it as a lens to devise our solutions. As I wrote recently in my Strong Authorization post:

Because they aren’t used to everything (potentially) being on the Internet. The entire management plane is on the Internet, so if an attacker gets credentials, you can’t stop them with a firewall or by shutting down access to a server.

Start there. Accept the base reality. What can we do to reduce that risk? To reduce those attacks? I think the most impactful choice is to focus on IAM, and the intersection of governance and IAM. Who do you have manage permissions? Access? What security controls can prevent, detect, and correct IAM related attacks? What are your processes around IAM? Do your incident responders know the deep ins and outs of the IAM for your given cloud provider(s)? Do you use JIT/Strong Authorization? How do you manage IAM for contractors and external services?  

Start with your IAM governance and processes. Then choose and use technologies to support them. This is the single most impactful way to improve your cloud security. I really hope I’m not the first person to tell you that.

On Least Privilege, JIT, and Strong Authorization https://www.firemon.com/on-least-privilege-jit-and-strong-authorization/ Wed, 18 Oct 2023 18:50:50 +0000 https://www.firemon.com/?p=1652

I’ve been employed as a security professional for over 20 years. I cannot possibly count the number of times I have uttered the words “least privilege”. It’s like a little mantra, sitting on the same bench as “defense in depth” and “insider threat”.

But telling someone to enforce least privilege and walking out of the room is equivalent to a doctor telling you to “eat healthier” while failing you on your insurance physical and walking out of the room before over-charging you.

Least privilege is real. It matters. Unlike changing passwords every 90 days, it can have a material impact on improving your security. 

Least privilege is also really hard. Especially at scale. And it doesn’t work for your most important users. 

Why? Because least privilege isn’t the least privileges you need at that moment, they are the least privileges you might ever need to do your job… ever. And when someone needs to do something out of scope from when those privileges were first mapped it kicks off a slow change process that has to cross different teams and managers.

Or sometimes you just have to talk Bob into giving you access. And Bob is kind of a defensive jerk since he doesn’t trust anyone and doesn’t want to be blamed when you screw up.

Even with least privilege, if an attacker gets those credentials (the primary source of cloud native breaches) they can still likely do mean things. Because although least privilege isn’t always too horrible to implement for the average user or employee, it’s really hard to enforce on developers and administrators who, by design, need more privileges.

Just as we have MFA for strong authentication, we need something for strong authorization.

This is where Just in Time (JIT) comes into play. Instead of trying to figure out all the privileges someone needs ahead of time, they can request time-limited permissions at any point in time. I now believe that JIT should be the standard for administrative and sensitive access. 

I recommend that least privilege is a great concept for general user access, but JIT is better for any level of admin/dev/sensitive access in cloud.

Just in Time

JIT is a flavor of PIM/PAM. Privileged Access Management and Privileged Identity Management are systems designed to escalate a user’s privileges. They operate with a lower level until they need to escalate and these systems use multiple techniques to provide expanded access, usually for a time-limited session. Today isn’t the day to get into the nuance, but the advantage is they allow for flexibility while still maintaining security. Someone must request additional privileges when they need them, so even if their credentials are compromised the attacker is still limited.

“JIT” (Just in Time) is one technique for PAM/PIM (or, really, any access). A user has base credentials that might not have access to anything at all, and then their privileges are escalated on request. We use JIT ourselves (and it’s available in Cloud Defense), and Netflix released an open source tool called ConsoleMe based on their internal tool. Azure has a built in (but for an additional fee) service called Entra ID Privileged Identity Management. (Entra ID is what we used to call Azure AD before someone decided it was a good idea to confuse millions of customers for branding purposes) There are more options, these are just examples.

To enhance security, JIT needs to use an out-of-band approval flow and provide time-limited access. Those are the basics. The request and approval should flow through a different path than the normal authentication, like a form of MFA. The difference is that MFA is an out of band factor for authentication (proving you are who you say you are) and JIT is a form of authorization (you request and receive permission to do something). 

Managing Friction

Both least privilege and JIT introduce friction. I mean, everything we do in security introduces some kind of friction, especially Bob. With least privilege the main friction is the overhead to define and deploy privileges, and what breaks when someone doesn’t have privileges they need. With JIT the friction is the process of submitting and receiving an approval.

Having used and researched both least privilege and JIT for a long time, I’ve learned techniques to reduce the friction. In some cases you end up with faster and better processes than how we’ve historically done things.

  • The request and approval flow needs to be real time. This means approvals via ChatOps, text messages, or the 5G chip implanted with your COVID vaccine.
  • For lower-privileged access, like read access to some logs, you can and should support self-approval. How does this help? Because it still uses the out-of-band process, which reduces the ability of an attacker to leverage lost/stolen/exposed credentials.
  • You can also support auto-approvals where you don’t even need to click over to self-approve. How does this help? You can auto-approve but still use your out-of-band channel to notify that privileges were escalated. You’ve probably seen this if you ever add a Netflix or Hulu device to your account. Awareness alone can be incredibly effective.
  • If this is for developers, you need to support the command line and other tools they use. Go to them. Make it super-easy to use. If you force them to log into a security tool the project will fail.
  • If approvers aren’t responsive, like instantly, you will fail. Don’t make Bob the only approver.

Bring the capability to your devs/admins in the tools they already use. Make it fast and frictionless. Ideally, make it easier and faster than opening up a password manager or clicking around an SSO portal stuffed with 374 cloud accounts to pick from. Buy Bob some cookies. Chocolate chip. (Oh wait, that’s me).
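To make those approval tiers concrete, here is an added example of a toy JIT broker in Python. It is illustrative code written for this page, not Cloud Defense, ConsoleMe or Entra PIM; the tier names, the two-approver rule for production writes, the ceilings, and the notification list standing in for a ChatOps/SMS channel are all assumptions.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Approval policy per privilege tier. Tier names, ceilings and approver counts are
# assumptions for this example; a real broker loads them from configuration.
#   auto : grant immediately, but tell the out-of-band channel (awareness only)
#   self : the requester confirms with a token that only arrives out of band
#   peer : N distinct approvers other than the requester, same channel
TIERS = {
    "prod-read":  {"mode": "auto", "max_minutes": 60},
    "dev-admin":  {"mode": "self", "max_minutes": 120},
    "prod-write": {"mode": "peer", "approvals": 2, "max_minutes": 30},
}


@dataclass
class Grant:
    grant_id: str
    requester: str
    tier: str
    minutes: int
    token: str                              # delivered only over the out-of-band channel
    approvers: set[str] = field(default_factory=set)
    activated_at: datetime | None = None
    revoked: bool = False

    def expires_at(self) -> datetime | None:
        if self.activated_at is None:
            return None
        return self.activated_at + timedelta(minutes=self.minutes)


class JITBroker:
    def __init__(self) -> None:
        self.grants: dict[str, Grant] = {}
        self.notifications: list[str] = []  # stand-in for Slack/Teams/SMS delivery

    def request(self, requester: str, tier: str, minutes: int, now: datetime) -> Grant:
        policy = TIERS[tier]                                # unknown tier -> KeyError, no grant
        minutes = min(minutes, policy["max_minutes"])       # never exceed the tier ceiling
        grant = Grant(secrets.token_hex(4), requester, tier, minutes, secrets.token_urlsafe(16))
        self.grants[grant.grant_id] = grant
        if policy["mode"] == "auto":
            grant.activated_at = now
            self.notifications.append(f"{requester} auto-escalated to {tier} for {minutes}m")
        else:
            # The token travels over a channel a stolen access key does not control.
            self.notifications.append(f"approve {grant.grant_id} with token {grant.token}")
        return grant

    def approve(self, grant_id: str, approver: str, token: str, now: datetime) -> bool:
        grant = self.grants[grant_id]
        mode = TIERS[grant.tier]["mode"]
        if grant.revoked or grant.activated_at is not None:
            return False                                    # already active, or dead
        if not secrets.compare_digest(token, grant.token):
            return False                                    # wrong out-of-band token
        if mode == "self":
            if approver != grant.requester:
                return False
        elif mode == "peer":
            if approver == grant.requester:
                return False                                # no self-approval at this tier
            grant.approvers.add(approver)                   # set: one person counts once
            if len(grant.approvers) < TIERS[grant.tier]["approvals"]:
                return False                                # still pending
        else:
            return False                                    # auto grants need no approval
        grant.activated_at = now
        self.notifications.append(f"{grant.requester} escalated to {grant.tier} for {grant.minutes}m")
        return True

    def is_active(self, grant_id: str, now: datetime) -> bool:
        grant = self.grants[grant_id]
        expires = grant.expires_at()
        return expires is not None and not grant.revoked and now < expires

    def revoke(self, grant_id: str) -> None:
        self.grants[grant_id].revoked = True
```

The point to notice is that the approval token only ever appears on the notification channel, so a stolen access key alone cannot complete an escalation, and even the auto-approved tier writes to that channel, which is the awareness effect described above. Every grant carries its own expiry, so nothing has to remember to take the privileges back.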

You can also use automation to reduce friction for least privilege access. The Duckbill Group implemented their own version of automated least privilege using different tech with the help of Chris Farris. Tools like IAM Access Advisor (last-accessed data) are there to help you monitor which permissions are actually used and scope policies down. Automation is there to help you implement least privilege at scale, and can also be an adjunct to JIT.

When to use which

Least privilege isn’t a dead concept by any means. It’s still the gold standard for everyday users/employees that need a pretty consistent level of access. JIT is best for more-privileged access, especially to production environments, and especially in cloud where credential exposures are THE biggest source of breaches. Here’s where we use it ourselves:

  • Developer read access to production.
  • Developer change access to production (outside CI/CD). Far more restricted with more approvers required.
  • Admin access to prod accounts.
  • Incident response access.
  • Some dev account access, since it can be faster than going back to the SSO portal, especially when working on the command line.

I no longer think least privilege alone is a valid concept for any significant level of privileged access in cloud (IaaS/PaaS), even when we use strong MFA. It’s too hard to properly scope permissions at scale, over time. JIT is a far better option in these use cases. Least privilege is still very viable when consistent permissions over time are needed, especially combined with good access logging and MFA. JIT is the companion to MFA. It’s the strong authorization to pair with your strong authentication. As we continue to move more critical operations into management planes that are exposed to the Internet, JIT is the way.

A Paramedic’s Top 2 Tips for Cloud Incident Response https://www.firemon.com/a-paramedics-top-2-tips-for-cloud-incident-response/ Wed, 11 Oct 2023 19:28:10 +0000 https://www.firemon.com/?p=1636

One of the advantages of having a lot of unique hobbies is that they wire your brain a little differently. You will find yourself approaching problems from a different angle as you mentally cross-contaminate different domains. As a semi-active Paramedic, I find tons of parallels between responding to meat-bag emergencies and managing bits-and-bytes emergencies.

I’ve been teaching a lot of cloud incident response over the past few years and started using two phrases from Paramedicland that seem to resonate well with budding incident responders. These memory aids do a good job of helping refine focus and optimizing the process. While they apply to any incident response, I find they play a larger role on the cloud side due to the inherent differences caused predominantly by the existence of the management plane.

Sick or Not Sick

Paramedics can do a lot compared to someone off the street, but we are pretty limited in the realm of medicine. We are exquisitely trained to rapidly recognize threats to life and limb, be they medical or trauma, and to stabilize and transport patients to definitive care. One key phrase that gets hammered into us is “sick or not sick.” It’s a memory aid to help us remember to focus on the big picture and figure out if the patient is in deep trouble.

I love using this one to help infosec professionals gauge how bad an incident is. For cloud, we teach them to identify significant findings that require them to home in on a problem right then and there before moving on. In EMS, it’s called a “life threat.” Since cloud incident response leverages existing IR skills with a new underlying technology, that phrase is just a reminder to consider the consequences of a finding that may not normally trigger a responder’s instincts. Here are some simple examples:

  • Data made public in object storage (S3) that shouldn’t be.
  • A potentially compromised IAM entity with admin or other high privileges.
  • Multiple successful API calls using different IAM users from the same unknown IP address.
  • Cross-account sharing of an image or snapshot with an unknown account.
  • A potentially compromised instance/VM that has IAM privileges.
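As an added example (not from the original post), here is a small Python triage pass over a handful of constructed CloudTrail-style records that implements three of the indicators above: a cross-account image/snapshot share to an account outside the organization’s list, a first-seen source IP for an IAM user, and several IAM users acting from one unknown IP. This is the same reasoning the walk-through later in the post does by hand. The trusted account IDs, the corporate egress range, and the records themselves are made up for the example; the field layout is a simplified version of CloudTrail’s.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Assumed organization account list and corporate egress range (TEST-NET-3 for the example).
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed records in a simplified CloudTrail layout (real records nest userName
# under userIdentity and carry many more fields).
SAMPLE_EVENTS = [
    {"eventTime": "2023-10-01T02:00:00Z", "eventName": "CreateImage", "userName": "ImageBuilder",
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"instanceId": "i-0prod1"}},
    {"eventTime": "2023-10-02T02:00:00Z", "eventName": "ModifyImageAttribute", "userName": "ImageBuilder",
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"imageId": "ami-0a",
                           "launchPermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
    # Same batch user, never-seen IP, shared to an account we do not own.
    {"eventTime": "2023-10-03T14:12:00Z", "eventName": "ModifyImageAttribute", "userName": "ImageBuilder",
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"imageId": "ami-0b",
                           "launchPermission": {"add": {"items": [{"userId": "333333333333"}]}}}},
    # A second IAM user acting from that same unknown IP a few minutes later.
    {"eventTime": "2023-10-03T14:15:00Z", "eventName": "ListBuckets", "userName": "deploy-bot",
     "sourceIPAddress": "198.51.100.7", "requestParameters": None},
]


def is_known_egress(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True   # CloudTrail puts a service name (e.g. "ec2.amazonaws.com") here for AWS-originated calls
    return any(addr in net for net in KNOWN_EGRESS)


def unknown_share_targets(event: dict) -> list[str]:
    """Account IDs an image/snapshot share adds that are outside the org list."""
    params = event.get("requestParameters") or {}
    perm = params.get("launchPermission") or params.get("createVolumePermission") or {}
    items = (perm.get("add") or {}).get("items") or []
    return sorted({i["userId"] for i in items if "userId" in i} - TRUSTED_ACCOUNTS)


def triage(events: list[dict]) -> list[dict]:
    findings = []
    seen_ips = defaultdict(set)      # per-user IP baseline, built as we walk the timeline
    users_by_ip = defaultdict(set)   # which IAM users showed up from each IP
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        user, ip = ev["userName"], ev["sourceIPAddress"]
        if ev["eventName"] in ("ModifyImageAttribute", "ModifySnapshotAttribute"):
            for acct in unknown_share_targets(ev):
                findings.append({"severity": "sick", "indicator": "cross-account share to unknown account",
                                 "user": user, "detail": f"{ev['eventName']} -> {acct}"})
        if seen_ips[user] and ip not in seen_ips[user] and not is_known_egress(ip):
            findings.append({"severity": "suspicious", "indicator": "first-seen source IP for user",
                             "user": user, "detail": ip})
        seen_ips[user].add(ip)
        users_by_ip[ip].add(user)
    for ip, users in users_by_ip.items():
        if len(users) > 1 and not is_known_egress(ip):
            findings.append({"severity": "sick", "indicator": "multiple IAM users from one unknown IP",
                             "user": ",".join(sorted(users)), "detail": ip})
    return findings


def stop_the_bleed(findings: list[dict]) -> list[dict]:
    """The subset to contain before continuing the investigation."""
    return [f for f in findings if f["severity"] == "sick"]
```

The baseline matters: the first time the batch user appears from an unknown IP is only “suspicious” on its own, but the share to an account outside the list and the second user from the same IP are “sick”, and `stop_the_bleed` returns exactly those. In a real investigation the baseline comes from days or weeks of history, not four records, and the per-user IP set should be built from that history before the incident window is evaluated.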

When I write them out, most responders go, “duh, that’s obvious,” but in my experience, traditional responders need a little time to recognize these issues and realize they are far more critical than the average compromised virtual machine.

“Sick or not sick” in the cloud almost always translates to “is it public or did they move into the management plane (IAM).”

Sick or not sick. Every time you find a new piece of evidence, a new piece of the puzzle, run this through your head to figure out if your patient is about to crash, or if they just have the sniffles.

Stop the Bleed

Many of you have probably taken a CPR and First Aid class. You likely learned the “ABCs”: Airway, Breathing, and Circulation.

Yeah, it turns out we really screwed that one up.

Research started to show that, in an emergency, people would focus on the ABCs to the exclusion of the bigger picture. Even paramedics would get caught performing CPR on someone who was bleeding out from a wound to their leg. Sometimes it was perfect CPR. You could tell by how quickly the patient ran out of blood. These days we add “treat life threat” to the beginning, and “stop the bleed” is the top priority.

See where I’m headed?

In every class I’ve taught, I find highly experienced responders focusing on their analysis and investigation while the cloud is bleeding out in front of them. Why?

Because they aren’t used to everything (potentially) being on the Internet. The entire management plane is on the Internet, so if an attacker gets credentials, you can’t stop them with a firewall or by shutting down access to a server. If something is compromised and exposed, it’s compromised and exposed to… well, potentially everyone, everywhere, all at once.

Stop the bleed goes hand in hand with sick or not sick. If you find something sick, do you need to contain it right then and there before you move on? It’s a delicate balance because if you make the wrong call, you might be wasting precious time as the attacker continues to progress. Stop the bleed equals “this is so bad I need to fix it now.” But once you do stop the bleed, you need to jump right back in where you were and continue with your analysis and response process since there may still be a lot of badness going on.

My shortlist?

  • Any IAM entity with high privileges that appears compromised.
  • Sensitive data that is somehow public.
  • Cross-account/subscription/project sharing or access to an unknown destination.

There’s more, but that’s the shortlist. Every one of these indicates active data loss or compromise and you need to contain them right away.

Seeing it in Action

Here’s an example. The screenshots are a mix of Slack, the AWS Console, and FireMon Cloud Defense. That’s my toolchain, and this will work with whatever you have. In the training classes, we also use Athena queries to simulate a SIEM, but I want to keep this post short(ish).

Let’s start with a medium-severity alert in Slack from our combined CSPM/CDR platform:

Sick or Not Sick? We don’t know yet. This could be totally legitimate. Okay, time to investigate. I’ll show this both in the platform and in the AWS console. My first step is to see what is shared where. Since the alert has the AMI ID, we can jump right to it:

Okay, I can see this is shared with another account. Is that an account I own? That I know? My tool flags it as untrusted since it isn’t an account registered with the system, but in real life, I would want to check my organization’s master account list just to double-check.

Okay, sick or not sick? In my head, it’s still a maybe. I have a shared image to a potentially untrusted account. But I don’t know what is shared yet. I need to trace that back to the source instance. I’m not bothering with full forensics; I’m going to rely on contextual information since I need to figure this out pretty quickly. In this case, we lucked out:

It has “Prod” in the name, so… I’m calling this “probably sick.” Stop the bleed? In real life, I’d try to contact whoever owned that AWS account first, but for today, I do think I have enough information to quarantine the AMI. Here’s how in the console and Cloud Defense:

Okay, did we Stop the Bleed? We stopped… part of the bleed. We locked down the AMI, but we still don’t know how it ended up there. We also don’t know who owns that AWS account. Can we find out? Nope. If it isn’t ours, all we can do is report it to AWS and let them handle the rest.

Let’s hunt for the API calls to find out who shared it and what else they did. I’m going to do these next bits in the platform, but you would run queries in your SIEM or Athena to find the same information. I’ll do future posts on all the queries, but this post is focused on the sick/bleed concepts.

Okay, I see an IAM entity named ImageBuilder is responsible. Again, because this post is already running long, I checked a few things and here is what I learned:

  • ImageBuilder is an IAM user with privileges to create images and modify their attributes, but nothing more. However, the policy has no resource constraints, so it can create an image of any instance, and no condition restrictions, so it can share with any account. This is a moderate-to-low blast radius: it’s over-privileged, but not horribly. I call it sorta-sick.
  • The API call came from an unknown IP address. This is suspicious, but still only sorta-sick.
  • It is the first time I see that IP address used by this IAM user, and the user shows previous activity aligned with a batch process. Okay, now I’m leaning towards sick. Usually we don’t see rotating IP addresses for jobs like this, it smells of a lost credential:
  • That IAM user can continue to perform these actions. Unless someone tells me they meant to do this, I’m calling it Sick and I’m going to Stop the Bleed and put an IAM restriction on that user account (probably a Deny All policy unless this is a critical process, and then I’d use an IP restriction).
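An added example, not from the post, of what “no resource constraints and no condition restrictions” looks like as policy, beside a scoped version and the two containment options just mentioned (a Deny-all and an IP restriction). The evaluator is a deliberately simplified model of IAM’s decision logic (explicit Deny wins, then Allow, otherwise implicit deny; only the IpAddress/NotIpAddress operators on aws:SourceIp are implemented) and is not AWS’s engine. The account ID, CIDR and ARN patterns are placeholders.

```python
from __future__ import annotations

import fnmatch
import ipaddress

# As found: image actions on any resource, from anywhere. (Placeholder policy for the example.)
OVERPRIVILEGED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:CreateImage", "ec2:ModifyImageAttribute", "ec2:DescribeImages"]}]}

# Scoped: same actions, only on this account's instances and on images, and only from the
# batch job's egress range (TEST-NET-3 here). Account ID and ARN patterns are placeholders.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:CreateImage", "ec2:ModifyImageAttribute", "ec2:DescribeImages"],
     "Resource": ["arn:aws:ec2:*:111111111111:instance/*", "arn:aws:ec2:*::image/*"],
     "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]}

# Stop the bleed, option 1: explicit Deny on everything; it wins over every Allow.
DENY_ALL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*"}]}

# Stop the bleed, option 2 (a critical process must keep running): deny everything that
# does not come from the known egress range, so the job itself keeps working.
DENY_UNLESS_EGRESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value: str) -> bool:
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _ip_in(cidrs, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in _as_list(cidrs))


def _condition_met(condition: dict, context: dict) -> bool:
    # Only the two operators this example needs; real IAM has many more.
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            have = context.get(key)
            if operator == "IpAddress":
                if have is None or not _ip_in(wanted, have):
                    return False            # a missing key never satisfies IpAddress
            elif operator == "NotIpAddress":
                if have is not None and _ip_in(wanted, have):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate(policies: list[dict], action: str, resource: str, context: dict) -> str:
    """Simplified IAM decision: explicit Deny beats Allow; no matching Allow is an implicit deny."""
    decision = "implicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not _match_any(statement["Action"], action):
                continue
            if not _match_any(statement["Resource"], resource):
                continue
            if not _condition_met(statement.get("Condition", {}), context):
                continue
            if statement["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allow"
    return decision
```

Run against the share call from the unknown IP, the over-privileged policy allows it, the scoped policy does not, and either containment policy stops it the moment it is attached, regardless of what the existing Allow says. The IP-restriction variant is the one to reach for when a Deny-all would break a production job you cannot pause.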

In summary:

  • I found an AMI shared to an unknown account: Sick
  • That AMI was for a production asset: Sick and Stop the Bleed
  • The action was from an IAM user with wide privileges to make AMIs and share them, but nothing else: Maybe sick, still investigating.
  • The IAM user made that AMI from an unknown, new IP address: Sick, Stop the (rest of the) Bleed.
  • There is no other detected activity from the IP address: Likely contained and no longer Sick
  • I still don’t know how those credentials were leaked: Sick, and time to call in our traditional IR friends to see if it was a network or host compromise.

I went through this quickly to highlight how I think of these issues. With just a few differences this same finding would have been totally normal. Imagine we realized it was shared with a new account we control but hadn’t registered yet. Or the AMI was for a development instance that doesn’t have anything sensitive in it. Or the API calls came from our network, at the expected time, or from an admin’s system and they meant to share it. This example is not egregious, but it is a known form of data exfiltration used by active threat actors. As I find each piece of information I evaluate if it’s Sick or Not Sick and if I need to Stop the Bleed.

How is this different in cloud? Because the stakes are higher when everything potentially touches the Internet. We need to think and act faster, and I find this memory aid helpful, to keep us on track.

Try it for Free

See for yourself how Cloud Defense can protect your organization

Unlimited usage at no cost!

Sign Up Now

How and Why FireMon Pioneered Real-Time CSPM https://www.firemon.com/how-and-why-firemon-pioneered-real-time-cspm/ Tue, 10 Oct 2023 15:38:46 +0000 https://www.firemon.com/?p=1626

Two years ago, FireMon elevated its game by introducing real-time features in our Cloud Defense platform. This was a significant development because it transformed our tool from a basic safety checker into a full-fledged cloud security guardian. Real-time capability is crucial for advancing tools from basic vulnerability assessment to a comprehensive cloud security operations platform. However, our journey towards real-time was not driven by customer requests; rather, it was motivated by our commitment to delivering improved efficiency and enhanced security operations.

Why We Built Real-Time:

Our initial goal was not to create a Cloud Security Posture Management (CSPM) tool. We began by building a cloud security automation platform with the aim of helping organizations address cloud security vulnerabilities more rapidly and bridging the gap between security and DevOps/Cloud Operations. While this may seem like a subtle distinction, it meant that we entered the CSPM market with a different perspective.

  • Inefficiency of time-based scans: Initially, like everyone else, we relied on time-based scans. However, they proved to be slow, even when distributed, and could potentially exceed a customer’s service limits.
  • Stale data: Periodic scans resulted in customers viewing outdated information. Even scanning every 15 minutes could lead to alerting a development team about something they had already resolved.
  • Real-time nature of security operations: Responders need to have real-time awareness of events, alerts, and configurations.
  • Efficiency for us: It’s not selfish to admit that timing and capacity planning in a multi-tenant system become hard when everything runs on a schedule.

This isn’t to say that time-based scans don’t have their place; we still use them for our Free tier, and we perform daily sweeps for all our Pro accounts to ensure nothing slips through the cracks.

Building Real-Time (The AWS Way):

Today, we will focus on how we enable real-time functionality for AWS. In future posts, we will provide details on how we implement it for Azure and GCP. We underwent several iterations, and thanks to AWS, the system we have now is remarkably efficient.

  • EventBridge to Lambda to API: Initially, we forwarded events from EventBridge to an API gateway through a Lambda function deployed in customer environments. It worked but was not highly efficient.
  • EventBridge to… EventBridge: AWS enhanced EventBridge, allowing customers to send events directly to our event bus. Now, all we needed to do was deploy an EventBridge Rule in customer accounts. We didn’t even require special authentication, because the source account in the event envelope is stamped by EventBridge rather than the sender, and we discard anything not associated with a registered customer account.
  • Updating on change: We keep track of changes such as updates and deletions, capturing resource details. This initiates an update in our Discoverer service for that specific item.
  • Trigger chain: The update hits the Inventory, and any change here triggers the Lambda functions for checks. All checks for a specific type of resource occur simultaneously, and findings are evaluated against alert and remediation rules.
  • Instant alerts: This setup triggers an alert (or automated remediation) within just 5-15 seconds after a change, and all parts of the system are updated with consistent data (e.g., compliance). Most customers send alerts to ChatOps (Slack/Teams), but they can also send them via email, create a JIRA ticket, or forward them to a SIEM.
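The pipeline above, sketched in Python as an added example; this is not Cloud Defense code. The rule pattern, tenant registry, resource map and checks are assumptions chosen to show the four stages (tenant gate on the EventBridge-stamped `account` field, per-item inventory refresh, type-keyed checks, alert with the acting identity attached); the two events are constructed in the trimmed shape EventBridge uses to deliver CloudTrail calls.

```python
from __future__ import annotations

REGISTERED_ACCOUNTS = {"111111111111"}   # assumed tenant registry of onboarded accounts

# EventBridge rule pattern deployed in each customer account (assumed for the example).
# EventBridge semantics, mirrored below: every key in the pattern must be present in the
# event and its value must be one of the listed values; nested dicts recurse.
RULE_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com", "s3.amazonaws.com"]},
}


def matches_rule(event: dict, pattern: dict) -> bool:
    for key, wanted in pattern.items():
        have = event.get(key)
        if isinstance(wanted, dict):
            if not isinstance(have, dict) or not matches_rule(have, wanted):
                return False
        elif have not in wanted:
            return False
    return True


# eventName -> (resource type, how to pull the resource id out of requestParameters)
RESOURCE_MAP = {
    "ModifyImageAttribute": ("ec2:image", lambda p: p["imageId"]),
    "PutBucketPolicy": ("s3:bucket", lambda p: p["bucketName"]),
}


def check_public_ami(record: dict) -> str | None:
    items = ((record.get("launchPermission") or {}).get("add") or {}).get("items") or []
    if any(i.get("group") == "all" for i in items):
        return "AMI launch permission granted to group 'all' (public image)"
    return None


def check_public_bucket_policy(record: dict) -> str | None:
    for st in (record.get("bucketPolicy") or {}).get("Statement", []):
        if st.get("Effect") == "Allow" and st.get("Principal") in ("*", {"AWS": "*"}) and "Condition" not in st:
            return "bucket policy allows the anonymous principal without any condition"
    return None


CHECKS = {"ec2:image": [check_public_ami], "s3:bucket": [check_public_bucket_policy]}


class Pipeline:
    def __init__(self) -> None:
        self.inventory: dict[tuple, dict] = {}
        self.alerts: list[dict] = []

    def handle(self, event: dict) -> list[str] | None:
        # 1. Tenant gate. The `account` field is stamped by EventBridge, not by whoever sent
        #    the event, so anything from an account we do not know is simply discarded.
        if event.get("account") not in REGISTERED_ACCOUNTS or not matches_rule(event, RULE_PATTERN):
            return None
        detail = event["detail"]
        mapping = RESOURCE_MAP.get(detail["eventName"])
        if mapping is None:
            return []                                   # API call we do not track
        rtype, extract = mapping
        key = (event["account"], rtype, extract(detail["requestParameters"]))
        # 2. Discoverer: refresh only this item. A real discoverer would call Describe*/Get*
        #    for the current state; here the request parameters stand in for that state.
        self.inventory[key] = detail["requestParameters"]
        # 3. Inventory change runs every check registered for this resource type.
        findings = [msg for check in CHECKS[rtype] if (msg := check(self.inventory[key]))]
        # 4. Alert rules (assumed: every finding alerts), with actor and API call attached.
        for msg in findings:
            self.alerts.append({"resource": key, "finding": msg, "api": detail["eventName"],
                                "actor": detail["userIdentity"].get("arn")})
        return findings


# Constructed events in the shape EventBridge delivers CloudTrail calls (trimmed).
SAMPLE_PUBLIC_AMI = {
    "account": "111111111111", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyImageAttribute",
               "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ImageBuilder"},
               "requestParameters": {"imageId": "ami-0a",
                                     "launchPermission": {"add": {"items": [{"group": "all"}]}}}},
}
SAMPLE_PUBLIC_BUCKET = {
    "account": "111111111111", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
               "userIdentity": {"arn": "arn:aws:iam::111111111111:role/deploy"},
               "requestParameters": {"bucketName": "exports", "bucketPolicy": {"Statement": [
                   {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                    "Resource": "arn:aws:s3:::exports/*"}]}}},
}
SAMPLE_UNREGISTERED = {**SAMPLE_PUBLIC_AMI, "account": "999999999999"}
```

Because the check runs on the event that caused the change, the alert already knows which identity made the API call and which resource it touched; that is the context a scheduled scan has to reconstruct after the fact, if it can at all.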

Real-Time Benefits:

Transitioning to real-time elevated Cloud Defense, finally enabling security operations as we had always envisioned. Without real-time capability, CSPM tools are essentially just another type of vulnerability scanner. There’s nothing wrong with vulnerability scanners; we use them ourselves. However, since cloud misconfigurations can become exposed to the internet instantly, we believe the response cycle needs to be much tighter.

  • Up-to-date inventory: With real-time functionality, what you see in Cloud Defense accurately reflects the current configuration of your AWS account.
  • Immediate checks: Security and compliance checks occur as changes are made, promptly identifying misconfigurations. You won’t be left exposed for the 15 minutes to 24 hours that typically pass between runs of a time-based tool.
  • Complete understanding of changes: Cloud Defense tracks the API that triggered the change, the identity responsible for the API call, and the impact on the resource (including changes and check results) from start to finish. This comprehensive tracking allows for change tracking, examination of other API calls from the same IAM entity, exploration of resources connected to the affected resource, and other powerful analysis capabilities.
  • Enabling security operations: With Cloud Defense, you gain insight into who made a change, when it was made, the security implications, and the ability to filter and forward information to facilitate rapid remediation, whether manual or automated. No more emailing spreadsheets. This transformation elevates the platform into a complete operational tool.

Our Cloud Defense platform demonstrates how real-time CSPM should be done. From our initial days of time-based scans to the swift transition to real-time monitoring, we have enhanced your ability to use CSPM as a security operations tool and introduced new methods of safeguarding your cloud deployments. Adding real-time capability to Cloud Defense was not just about a flashy feature; it was a game-changer in making cloud security robust, quick, and reliable.


How Cloud Defense Free is Cheaper than Open Source/DIY CSPM https://www.firemon.com/how-cloud-defense-free-is-cheaper-than-open-source-diy-cspm/ Tue, 10 Oct 2023 15:38:36 +0000 https://www.firemon.com/?p=1624

We are big supporters of open-source security tools and even employ some of them ourselves. However, it’s not always the right answer. Deploying and managing the infrastructure and software updates becomes your responsibility. These tools don’t always scale effectively and may lack a complete user experience. Furthermore, you shoulder the cost of the infrastructure, and even top-notch tools often lose their maintainers and lack support.

Going Free Instead of OSS

When we made the decision to contribute to the community, we contemplated open-sourcing all or part of our platform. However, due to its complexity, it wasn’t well-suited for that kind of release, and creating a version fit for release would have required a significant amount of additional effort. We simply didn’t have enough developers to convert it over, and user maintenance would have been quite extensive. Instead, we chose to release a free version. While it may not offer all the bells and whistles, it’s free, has unlimited scope, and will remain free indefinitely without inundating you with marketing messages.

Users still have access to a comprehensive suite of assessments (perhaps even too many—we’re about to make some adjustments to reduce noise) and all the benefits of an enterprise-grade tool. However, Cloud Defense Free does have certain limitations to enable its continued operation. It only checks your deployments once a day, lacks our real-time capabilities, and maintains inventory for a shorter period. For obvious reasons, it doesn’t include everything we’ve developed (such as Just-in-Time authorizations for AWS). After all, we need to support our families. Nevertheless, Cloud Defense Free was designed for those of you who simply require basic CSPM without the burden of paying the ridiculous security tax to get it.

(Seriously, cloud providers should be giving this much away for free).

Benefits Over Open Source CSPM

The advantages are clear: you don’t need to manage infrastructure, host or pay for it, learn how to deploy or configure anything, worry about updates, you can switch it off whenever you want if it isn’t working for you, and you get a constantly updated library of checks. In under 10 minutes, you can be up and running, scale to thousands of accounts, eliminate maintenance concerns, enjoy a pretty good user experience, never spend a dime, and avoid being incessantly bombarded with upgrade emails.

We’re not attempting to compete with open-source CSPM. Some of you may have excellent reasons to choose that route, particularly if you have the time and technical skills and desire things to operate in a specific manner. However, we believe there’s a significant segment of organizations and individuals who could benefit from something more accessible and cost-effective to maintain. This is where Cloud Defense Free comes into play—a valuable addition to your toolkit and our way of supporting the community, even though releasing open source software wasn’t the right fit for us. You can check the cloud security box in 10 minutes or less, for free.

