FireMon – FireMon.com https://www.firemon.com: Improve Security Operations. Improve Security Outcomes. (feed last updated Tue, 27 Feb 2024 17:11:20 +0000)

Retail Cybersecurity: The Importance of Compliance and Risk Management https://www.firemon.com/retail-cybersecurity-the-importance-of-compliance-and-risk-management/ Tue, 27 Feb 2024 17:11:20 +0000 https://www.firemon.com/?p=1871

In today’s digital age, cybercrime has become big business and no industry is immune. Retailers, in particular, are attractive targets due to large repositories of customer data and often inadequate security measures. Traditional retail metrics have often prioritized initiatives to maximize store performance over security, leaving significant gaps in defenses.

A Shift in Retail IT Security

The retail industry’s approach to IT security has often been reactive, with cybersecurity investment sometimes lagging behind other industries due to smaller profit margins. However, these gaps in security are now becoming a critical issue, especially in light of evolving compliance standards like the Payment Card Industry Data Security Standard (PCI DSS), which releases version 4.0 in late March of this year with 63 new requirements.

Retail companies must prioritize compliance and risk management in their network security to avoid financial consequences and reputational damage, prevent customer identity theft, and reduce their exposure to cyber threats.

What's at Stake?

The price of failure can be steep for compliance violations with fines ranging from $5,000 to $100,000 per month, which can increase over time if an organization remains out of compliance. Additional fines can be imposed due to data breaches, even if the organization is in compliance. Furthermore, banks and payment processors also reserve the right to terminate the relationship with the company.

As of 2023, the average cost of a data breach in the United States amounted to 9.48 million U.S. dollars, including fines, penalties, and potential lawsuits. These numbers highlight the importance of robust and proactive security strategies.

The Role of FireMon in Retail Cybersecurity

FireMon offers enhanced network security, compliance management, and real-time visibility and control, making it a valuable asset in a retail company’s cybersecurity strategy. FireMon’s tools assist in risk assessment and mitigation, helping security teams identify potential security gaps proactively. Furthermore, the scalability and adaptability of FireMon’s solutions make them suitable for dynamic and growing organizations, ensuring that their security infrastructure can evolve in line with the organization’s needs.

Why Choose FireMon?

FireMon offers a range of features that make it a powerful tool for retail cybersecurity. These include:

Consolidated Compliance Reporting

FireMon provides support for custom assessments using internal business policies or external frameworks and built-in industry assessments including PCI DSS, SOX, and GDPR.

Real-time Violation Detection

FireMon’s real-time violation detection feature scans across the entire environment to find and address violations. Customizable alerts allow teams to configure platforms to their needs, and guardrails check rules before they are deployed to prevent new violations.

Rule Lifecycle Management

FireMon offers automatic reviews to recertify rules that are required and decertify those that are not. Review tickets are automatically sent to policy owners based on business criteria, and documentation captures business owners and applications for ownership and governance.

Risk and Threat Modeling

FireMon allows you to conduct attack and change simulations to assess risk, test for policy-related vulnerabilities, then prioritize patching and device rule changes.

FireMon: Built for Compliance Reporting

FireMon offers various features to support compliance reporting. These include 12 built-in compliance reports supporting internal and external frameworks, support for top compliance standards including PCI DSS, SOX, and GDPR, and over 500 included controls that can be customized using SiQL (FireMon’s native query language) and RegEx (regular expressions).

Real-Time Compliance Management at Scale

FireMon is architected for real-time reporting, violation detection, and search in any environment. It offers time-proven scalability/performance verified to support 15K devices and 25M rules.

Advanced Asset Discovery

To reduce the risk of gaps in network visibility, FireMon offers real-time network and device discovery with automatic device profiling and custom details. It provides unmatched, real-time cyber situational awareness that enables network and security teams to discover the darkest corners of their often obscure infrastructure.

In Conclusion

In the fast-paced retail environment, where threats are evolving and regulations are continually updated, it’s critical to have a security partner like FireMon that can provide comprehensive, scalable, and real-time solutions to protect your business and your customers. FireMon’s commitment to helping retail organizations achieve continuous compliance and robust risk management makes it a trusted partner in the retail industry’s cybersecurity landscape.

Network Security: A Top Priority for Healthcare Organizations https://www.firemon.com/network-security-a-top-priority-for-healthcare-organizations/ Wed, 14 Feb 2024 20:56:26 +0000 https://www.firemon.com/?p=1833

Healthcare companies have a responsibility to protect sensitive patient data and ensure compliance with regulations like HIPAA. As a result, network security is a top priority for organizations in this industry. FireMon, a leader in network security policy management, offers solutions tailored to the needs of healthcare companies.

Healthcare data is an attractive target for cybercriminals, who frequently launch ransomware attacks, data breaches, and other threats to steal valuable personal and medical information. At the same time, healthcare organizations often grow through mergers and acquisitions, introducing new network security risks with each new entity and system added. Implementing strong safeguards and maintaining continuous visibility across the network environment is essential for identifying and responding to these threats promptly.

FireMon’s solutions provide enhanced network security, compliance management, and real-time visibility and control. They help streamline the complex task of managing firewalls and security policies, which is vital for maintaining a secure network. FireMon also assists in proactively identifying potential security gaps through risk assessment and mitigation. Furthermore, FireMon’s scalable and adaptable solutions are suitable for dynamic and growing organizations, ensuring that their security infrastructure evolves with the organization.

Why Act Now?

Manual compliance audits are resource-intensive and time-consuming, often taking weeks or months to complete for large healthcare organizations. The complexity of managing security across on-premises and cloud environments with multiple vendors can make audit reporting nearly impossible without the aid of automation. Pulling and consolidating firewall logs in spreadsheets also introduces opportunities for error that can lead to audit failure. The penalties for compliance violations like HIPAA can be steep, including fines of up to $250,000 per incident.

Why Choose FireMon?

FireMon offers consolidated compliance reporting across the network environment with built-in support for HIPAA, HITRUST, PCI DSS, GDPR, and custom frameworks. Standard and ad hoc reports provide compliance visibility on demand or on a schedule. Real-time violation detection scans the entire network to find and address issues as they arise, with customizable alerts. Rule lifecycle management automates reviews, recertification, and documentation for streamlined audits. Risk and threat modeling assesses vulnerabilities, and risk prevention guardrails eliminate new vulnerabilities when rules change.

How FireMon Is Better

FireMon is purpose-built for compliance reporting with 12 built-in reports, over 500 controls, and the ability to customize using a native query language. Highly customizable workflows are optimized for rule creation and changes. Real-time compliance management scales to support 15K devices and 25M rules. Guardrails prevent violations before deployment. Advanced asset discovery provides real-time tracking of all network devices without the use of agents and enriches your CMDB, asset management, and vulnerability scanner data. The FireMon Customer Experience team helps maximize your desired compliance outcomes.

For healthcare organizations, network security and compliance are fundamental. FireMon provides the solutions to establish, maintain, and demonstrate a strong security posture in today’s complex, dynamic network environments. To learn more about how FireMon can help your healthcare organization, request a demo today.

FireMon, a leading provider of centralized firewall management, has played an instrumental role in empowering Convey Health Solutions to achieve and maintain HITRUST CSF certification and PCI DSS compliance amidst a demanding audit schedule. Housing over 40 decentralized firewalls, Convey Health was navigating labor-intensive and error-prone manual processes. The need for a comprehensive, flexible, and efficient regulatory compliance and risk management solution led them to FireMon’s Network Security Policy Management (NSPM) offering.

NSPM offered a host of advanced features like centralized firewall management, real-time visibility, and highly customizable reports. FireMon excelled in providing unified policy visibility and management, along with out-of-the-box and customizable compliance assessments. Automated rule documentation and reporting, rule review and recertification workflows, and automated real-time checks across 350+ custom controls and regulatory standards streamlined Convey’s compliance efforts.

With FireMon, Convey Health not only achieved continuous compliance but eliminated time-consuming and error-prone manual processes. FireMon’s solution offered real-time network behavior and traffic flow analyses, which further allowed Convey’s team to reduce risk by identifying and removing redundant, overlapping, or unused rules. With the ability to deploy rules directly to devices with one click, FireMon simplified and expedited the whole process.

As a result, Convey Health Solutions effectively reduced the time to produce accurate compliance reports by 66%, identified and removed over 150 redundant rules, and most importantly, achieved 100% PCI DSS compliance. Patrick Stoehr, Manager of Data Network Services, remarked on FireMon’s instrumental role, “With FireMon tracking compliance for us, we were able to shrink our overall audit time by two-thirds of our original schedule. Additionally, we were able to clean and push out almost 300 rules that had not been reviewed in over three years.”

Building a Privacy-Centric Organization with FireMon https://www.firemon.com/building-a-privacy-centric-organization-with-firemon/ Mon, 22 Jan 2024 14:55:22 +0000 https://www.firemon.com/?p=1795

How FireMon Can Help You Integrate Privacy into Your Business Foundation

As organizations increasingly rely on technology to streamline operations and connect with customers, the need for robust privacy measures has become more critical than ever. Here at FireMon, we play a pivotal role in building a privacy-centric organization by seamlessly integrating privacy into the very foundation of your business. 

Understanding the Privacy Landscape 

Before delving into the specifics of FireMon’s capabilities, it’s crucial to grasp the current privacy landscape. Data breaches, cyber threats, and regulatory requirements have heightened the awareness of privacy concerns. Customers are more discerning about the protection of their personal information, and regulators are tightening the screws on organizations that fail to meet privacy standards. 

FireMon’s Role in Privacy Integration 

  1. Comprehensive Visibility

Building a privacy-centric organization starts with understanding your digital environment. FireMon provides comprehensive visibility into your network, enabling you to identify and assess potential privacy risks. By mapping out your network architecture, you gain insights into data flows, potential vulnerabilities, and areas where privacy measures need reinforcement. 

  2. Policy Management and Enforcement

Effective privacy management requires robust policies and their consistent enforcement. FireMon excels in policy management, allowing organizations to define and implement privacy policies seamlessly. With a centralized single-source of truth platform, you can monitor and enforce policies across your entire network infrastructure, ensuring that privacy measures are consistently applied. 

  3. Continuous Compliance Monitoring

Privacy regulations are dynamic and subject to change. FireMon aids in maintaining continuous compliance by regularly updating its database with the latest privacy regulations and standards. This ensures that your organization stays ahead of regulatory requirements, reducing the risk of non-compliance and associated penalties. 

  4. Automated Risk Assessment

Identifying and mitigating privacy risks manually can be a daunting task. FireMon’s automation capabilities streamline the risk assessment process. By leveraging advanced analytics and machine learning, FireMon identifies potential privacy risks in real-time, allowing your organization to proactively address vulnerabilities and enhance overall privacy posture. 

  5. Incident Response and Forensics

Despite robust preventive measures, incidents can still occur. FireMon provides robust incident response and forensics capabilities, allowing organizations to investigate and mitigate the impact of privacy incidents swiftly. By tracing the origins of a breach and understanding its scope, your organization can take decisive action to minimize the fallout and uphold customer trust. 

Example: Privacy Success with FireMon 

To illustrate the impact of integrating FireMon into your organization’s privacy framework, let’s explore a hypothetical instance. A financial institution, subject to stringent privacy regulations, implemented FireMon to enhance its privacy posture. 

Through comprehensive visibility, the institution identified previously unnoticed data flows and vulnerabilities within its network. With FireMon’s policy management, the organization defined and enforced robust privacy policies, ensuring that customer data was consistently protected. 

Continuous compliance monitoring proved invaluable as privacy regulations evolved. FireMon’s automated risk assessment flagged potential vulnerabilities, allowing the institution to proactively address issues and maintain a strong privacy stance. 

Building a privacy-centric organization is not a one-time endeavor but an ongoing commitment to safeguarding sensitive information. FireMon emerges as a key ally in this journey, providing the tools and capabilities needed to integrate privacy seamlessly into your business foundation. 

By leveraging FireMon’s comprehensive visibility, policy management, continuous compliance monitoring, automated risk assessment, and incident response capabilities, organizations can navigate the complex privacy landscape with confidence. As technology continues to advance and privacy concerns intensify, embracing solutions like FireMon becomes imperative for organizations aspiring to uphold the highest standards of privacy and security. 

Securing Australia’s Critical Infrastructure: The Role of Asset Visibility in Meeting SOCI Obligations https://www.firemon.com/securing-australias-critical-infrastructure-the-role-of-asset-visibility-in-meeting-soci-obligations/ Tue, 31 Oct 2023 15:52:23 +0000 https://www.firemon.com/?p=1665

As Australia has grown increasingly connected, the security of critical infrastructure has never mattered more. In response to the evolving threat landscape, the Australian government enacted the Security of Critical Infrastructure Act (SOCI) in 2018. While the act was designed to strengthen Australia’s national security posture, it has undoubtedly introduced additional challenges for organisations that fall under its jurisdiction.

One of the key obligations of the SOCI Act is “the requirement to report information to the Register of Critical Infrastructure Assets”. For CISOs and Network Security Leads, ensuring compliance while also maintaining a strong security posture can be a complex task.

The Challenge: Accurate and Comprehensive Reporting

The SOCI Act mandates that organisations provide comprehensive, accurate, and timely information about their critical infrastructure assets. This requirement ensures that the government can respond effectively to threats and is equipped with the knowledge needed to protect the nation’s vital services.

However, achieving a comprehensive overview of networked assets is not always straightforward. Many organisations have complex, distributed networks that have grown organically over time. Without a clear view of every connected asset, not only is there an increased security risk, but there’s also the potential for non-compliance with the SOCI Act, leading to severe fines and penalties.

The Solution: Asset Visibility

When maintaining SOCI compliance whilst protecting your organisation from cybercrime, the first step is to fully understand your environment and all that needs to be secured. You cannot protect what you cannot see. It sounds simple enough, but mergers and acquisitions, divestitures, and even onboarding remote new hires can significantly and rapidly expand your security team’s responsibilities. If you are not equipped to properly identify, manage, and secure your new assets, they become an immediate liability.

In addition to improved compliance, asset visibility solutions provide multiple benefits, including:

  • Comprehensive Visibility: Cyber asset visibility tools automatically scan and map out every connected device within an organisation’s infrastructure. This ensures that no asset remains hidden, offering a clear, bird’s-eye view of the entire network.
  • Up-to-Date Information: Network landscapes change frequently. Devices are added or retired, configurations are altered, and networks are restructured. An effective asset visibility tool will update the asset inventory in real-time, ensuring that the information provided to the Register of Critical Infrastructure Assets is always current.
  • Risk Identification: Beyond just identifying assets, modern network discovery solutions can also help identify vulnerabilities or misconfigurations. By tying these insights into the reporting process, organisations can proactively address security risks before they’re exploited.
  • Efficient Reporting: With a centralised dashboard that presents all discovered assets and their respective details, compiling SOCI reports becomes a straightforward task. No more manual checks or missed devices; everything is right at your fingertips.

Facing Audits and Fines with Confidence

Since the SOCI Act’s introduction, organisations are now facing stringent audits and potential fines for non-compliance. By leveraging a robust asset visibility solution, CISOs and Network Security Leads can approach these audits with confidence, knowing they have a reliable and up-to-date record of their assets.

Conclusion

In the age of increasing cyber threats, having a clear understanding of your networked assets is not just a matter of compliance but also a cornerstone of a robust cybersecurity strategy.

By embracing advanced asset visibility tools, organisations can not only meet their SOCI obligations but also identify unknown assets, improve response times, achieve continuous monitoring, and strengthen their security posture. Without complete asset visibility, your organisation is at risk of cyberattacks that could lead to data breaches, reputational damage, and financial losses. Therefore, it’s essential to invest in tools and processes that provide asset visibility and continuously monitor your network for potential threats.

FireMon’s Asset Manager, formerly Lumeta, is a real-time network visibility solution that monitors an organisation’s entire environment for anomalies, potential threats, and compliance violations. It continuously scans and discovers the entire network infrastructure for every device and connection, including firewalls, routers, endpoints, and cloud devices. Other asset discovery tools require a person to initiate asset discovery searches, wasting precious time and leaving assets vulnerable.

Asset Manager has been around for over 22 years and is used by many Fortune 500 companies. It is largely recognized for its consistency, scalability, and reliability. On average, Asset Manager finds 30% more assets than our competitors, which are potentially thousands of unprotected devices waiting to become an attack vector for cybercriminals.

To learn more about how we can help your organisation meet its SOCI obligations and bolster its security, get in touch with us today.

How and Why FireMon Pioneered Real-Time CSPM https://www.firemon.com/how-and-why-firemon-pioneered-real-time-cspm/ Tue, 10 Oct 2023 15:38:46 +0000 https://www.firemon.com/?p=1626

Two years ago, FireMon elevated its game by introducing real-time features in our Cloud Defense platform. This was a significant development because it transformed our tool from a basic safety checker into a full-fledged cloud security guardian. Real-time capability is crucial for advancing tools from basic vulnerability assessment to a comprehensive cloud security operations platform. However, our journey towards real-time was not driven by customer requests; rather, it was motivated by our commitment to delivering improved efficiency and enhanced security operations.

Why We Built Real-Time:

Our initial goal was not to create a Cloud Security Posture Management (CSPM) tool. We began by building a cloud security automation platform with the aim of helping organizations address cloud security vulnerabilities more rapidly and bridging the gap between security and DevOps/Cloud Operations. While this may seem like a subtle distinction, it meant that we entered the CSPM market with a different perspective.

  • Inefficiency of time-based scans: Initially, like everyone else, we relied on time-based scans. However, they proved to be slow, even when distributed, and could potentially exceed a customer’s service limits.
  • Stale data: Periodic scans resulted in customers viewing outdated information. Even scanning every 15 minutes could lead to alerting a development team about something they had already resolved.
  • Real-time nature of security operations: Responders need to have real-time awareness of events, alerts, and configurations.
  • Efficiency for us: It’s not selfish to consider that dealing with timing and capacity planning in a multi-tenant system becomes challenging when everything is time-based.

This isn’t to say that time-based scans don’t have their place; we still use them for our Free tier, and we perform daily sweeps for all our Pro accounts to ensure nothing slips through the cracks.

Building Real-Time (The AWS Way):

Today, we will focus on how we enable real-time functionality for AWS. In future posts, we will provide details on how we implement it for Azure and GCP. We underwent several iterations, and thanks to AWS, the system we have now is remarkably efficient.

  • EventBridge to Lambda to API: Initially, we forwarded events from EventBridge to an API gateway through a Lambda function deployed in customer environments. It worked but was not highly efficient.
  • EventBridge to… EventBridge: AWS enhanced EventBridge, allowing customers to send events directly to us. Now, all we needed to do was deploy an EventBridge Rule in customer accounts. We didn’t even require special authentication because the AWS event headers are tamper-proof, and we discard anything not associated with a customer.
  • Updating on change: We keep track of changes such as updates and deletions, capturing resource details. This initiates an update in our Discoverer service for that specific item.
  • Trigger chain: The update hits the Inventory, and any change here triggers the Lambda functions for checks. All checks for a specific type of resource occur simultaneously, and findings are evaluated against alert and remediation rules.
  • Instant alerts: This setup triggers an alert (or automated remediation) within just 5-15 seconds after a change, and all parts of the system are updated with consistent data (e.g., compliance). Most customers send alerts to ChatOps (Slack/Teams), but they can also send them via email, create a JIRA ticket, or forward them to a SIEM.

Real-Time Benefits:

Transitioning to real-time elevated Cloud Defense, finally enabling security operations as we had always envisioned. Without real-time capability, CSPM tools are essentially just another type of vulnerability scanner. There’s nothing wrong with vulnerability scanners; we use them ourselves. However, since cloud misconfigurations can become exposed to the internet instantly, we believe the response cycle needs to be much tighter.

  • Up-to-date inventory: With real-time functionality, what you see in Cloud Defense accurately reflects the current configuration of your AWS account.
  • Immediate checks: Security and compliance checks occur as changes are made, promptly identifying misconfigurations. You won’t be left exposed for 15 minutes to 24 hours, which is the scanning frequency of time-based tools.
  • Complete understanding of changes: Cloud Defense tracks the API that triggered the change, the identity responsible for the API call, and the impact on the resource (including changes and check results) from start to finish. This comprehensive tracking allows for change tracking, examination of other API calls from the same IAM entity, exploration of resources connected to the affected resource, and other powerful analysis capabilities.
  • Enabling security operations: With Cloud Defense, you gain insight into who made a change, when it was made, the security implications, and the ability to filter and forward information to facilitate rapid remediation, whether manual or automated. No more emailing spreadsheets. This transformation elevates the platform into a complete operational tool.

Our Cloud Defense platform demonstrates how real-time CSPM should be done. From our initial days of time-based scans to the swift transition to real-time monitoring, we have enhanced your ability to use CSPM as a security operations tool and introduced new methods of safeguarding your cloud deployments. Adding real-time capability to Cloud Defense was not just about a flashy feature; it was a game-changer in making cloud security robust, quick, and reliable.

How Cloud Defense Free is Cheaper than Open Source/DIY CSPM https://www.firemon.com/how-cloud-defense-free-is-cheaper-than-open-source-diy-cspm/ Tue, 10 Oct 2023 15:38:36 +0000 https://www.firemon.com/?p=1624

We are big supporters of open-source security tools and even employ some of them ourselves. However, it’s not always the right answer. Deploying and managing the infrastructure and software updates becomes your responsibility. These tools don’t always scale effectively and may lack a complete user experience. Furthermore, you shoulder the cost of the infrastructure, and even top-notch tools often lose their maintainers and lack support.

Going Free Instead of OSS

When we made the decision to contribute to the community, we contemplated open-sourcing all or part of our platform. However, due to its complexity, it wasn’t well-suited for that kind of release, and creating a version fit for release would have required a significant amount of additional effort. We simply didn’t have enough developers to convert it over, and user maintenance would have been quite extensive. Instead, we chose to release a free version. While it may not offer all the bells and whistles, it’s free, has unlimited scope, and will remain free indefinitely without inundating you with marketing messages.

Users still have access to a comprehensive suite of assessments (perhaps even too many—we’re about to make some adjustments to reduce noise) and all the benefits of an enterprise-grade tool. However, Cloud Defense Free does have certain limitations to enable its continued operation. It only checks your deployments once a day, lacks our real-time capabilities, and maintains inventory for a shorter period. For obvious reasons, it doesn’t include everything we’ve developed (such as Just-in-Time authorizations for AWS). After all, we need to support our families. Nevertheless, Cloud Defense Free was designed for those of you who simply require basic CSPM without the burden of paying the ridiculous security tax to get it.

(Seriously, cloud providers should be giving this much away for free).

Benefits Over Open Source CSPM

The advantages are clear: you don’t need to manage infrastructure, host or pay for it, learn how to deploy or configure anything, worry about updates, you can switch it off whenever you want if it isn’t working for you, and you get a constantly updated library of checks. In under 10 minutes, you can be up and running, scale to thousands of accounts, eliminate maintenance concerns, enjoy a pretty good user experience, never spend a dime, and avoid being incessantly bombarded with upgrade emails.

We’re not attempting to compete with open-source CSPM. Some of you may have excellent reasons to choose that route, particularly if you have the time and technical skills and desire things to operate in a specific manner. However, we believe there’s a significant segment of organizations and individuals who could benefit from something more accessible and cost-effective to maintain. This is where Cloud Defense Free comes into play—a valuable addition to your toolkit and our way of supporting the community, even though releasing open source software wasn’t the right fit for us. You can check the cloud security box in 10 minutes or less, for free.

Deep Dive on Real-Time Inventory https://www.firemon.com/deep-dive-on-real-time-inventory/ Wed, 04 Oct 2023 20:37:05 +0000 https://www.firemon.com/?p=1614

Early on at FireMon (well, before we became FireMon), we realized that attempting to live-assess customers’ cloud accounts (including subscriptions/projects) was… problematic. Running that many assessments would quickly hit service limits and could potentially disrupt a customer’s internal API calls. Keep in mind that we started doing this about 7 years ago, before CSPM even existed, and everyone was learning the same lessons.

The first solution we came up with was to collect configuration data once, input it into our own inventory, and then perform our assessments there. This allowed us to reduce our API calls to only what was necessary to retrieve the metadata. Then, we could run multiple assessments based on the same dataset. For a while, this approach worked well. We still performed time-based configuration scans, but we could spread them out more evenly and optimize to minimize the overload of API calls. However, this approach had its own set of issues. What if something changed between our scan and when someone finally went in to manage the alert? Additionally, sweeping through a full AWS service for all resources in that service would still strain against API limits, which are based on the service and region.

We set two challenges for ourselves to address this situation better. First, we aimed to update the inventory in real-time to reduce API call spikes to a given service and ensure that customers never worked with outdated data. Second, we aimed to maintain a history so that customers and investigators could look back and see exactly what changed and how it changed. We’ll delve into the technical architecture later, and it varies slightly for each cloud platform. In brief, by directly connecting to the cloud provider’s event stream, we could identify change API calls, extract the involved resources, update our inventory in real-time, and trigger all our assessments for a given inventory type simultaneously.

While we still support this with a once-a-day/off-hours time-based sweep, transitioning to real-time addressed many issues and produced some interesting benefits. These benefits include:

  • Customers never encounter stale data; everything in the platform should closely match the actual running configuration/state.
  • As we monitor the API calls, we can identify who made those calls. Suddenly, we have complete identity attribution in our inventory.
  • It becomes easy to pinpoint what changed as changes are made, providing comprehensive change tracking.
  • We can run all checks and assessments in real-time as changes occur. This includes RESOLVING issues as someone rectifies them externally, not just identifying new issues.

Boom. A complete real-time, change-tracked, identity-attributed historical inventory! Yes, something like AWS Config provides this functionality natively within the cloud provider. However, aside from being cost-effective, our inventory and assessments are tightly integrated, cover multiple cloud deployments and providers, and offer some pretty impressive capabilities, such as comprehensive search functionalities.
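The pipeline sketched above (consume the provider's change events, update the inventory as each one arrives, keep every version with the identity that caused it, and run the checks for that resource type immediately so findings open and resolve on their own) is easy to show in miniature. The following is an added example, not FireMon's code: it feeds a handful of constructed CloudTrail-style events through an in-memory inventory, runs one sample check (a database port opened to the world in a security group), and answers the incident responder's point-in-time question of which resource held a given public IP at a given moment. The event shapes, IDs, IP addresses, ARNs and timestamps are all made up for illustration.

```python
"""Added example (not FireMon's code): a minimal real-time, change-tracked,
identity-attributed inventory driven by CloudTrail-style change events. The events
mimic the shape of AWS CloudTrail records (eventName, eventTime, userIdentity,
requestParameters, responseElements); every ID, IP, ARN and timestamp is constructed."""
from datetime import datetime

def ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))  # CloudTrail eventTime -> datetime

DB_PORTS = {3306, 5432, 1433, 1521}
def check_db_port_open_to_world(state):
    """Passes unless a database port accepts TCP traffic from 0.0.0.0/0."""
    for rule in state.get("ingress", []):
        ports = range(rule["fromPort"], rule["toPort"] + 1)
        world = any(r["cidrIp"] == "0.0.0.0/0" for r in rule["ipRanges"]["items"])
        if rule["ipProtocol"] == "tcp" and DB_PORTS.intersection(ports) and world:
            return False
    return True

# checks to run on every change, keyed by the resource type they apply to
CHECKS = {"ec2:security-group": {"db-port-open-to-world": check_db_port_open_to_world}}

def _parse(event):
    """Map a change event to (rtype, rid, fn); fn(previous_state) -> new_state, None = deleted."""
    name, req, resp = event["eventName"], event["requestParameters"], event["responseElements"]
    if name == "RunInstances":
        inst = resp["instancesSet"]["items"][0]
        return "ec2:instance", inst["instanceId"], lambda prev: {"publicIp": inst.get("publicIp")}
    if name == "TerminateInstances":
        return "ec2:instance", req["instancesSet"]["items"][0]["instanceId"], lambda prev: None
    if name in ("AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress"):
        rules, adding = req["ipPermissions"]["items"], name.startswith("Authorize")
        def fn(prev):
            old = (prev or {}).get("ingress", [])
            return {"ingress": old + rules if adding else [r for r in old if r not in rules]}
        return "ec2:security-group", req["groupId"], fn
    return None  # not a change we track

class Inventory:
    def __init__(self):
        self.resources = {}  # rid -> {"type": rtype, "history": [version, ...]}, oldest first
        self.findings = {}   # (rid, check name) -> the version that opened the finding

    def apply(self, event):
        """Update the inventory from one event, then assess the touched resource right away."""
        parsed = _parse(event)
        if parsed is None:
            return []
        rtype, rid, fn = parsed
        res = self.resources.setdefault(rid, {"type": rtype, "history": []})
        prev = res["history"][-1]["state"] if res["history"] else None
        res["history"].append({"at": ts(event["eventTime"]), "event": event["eventName"],
                               "actor": event["userIdentity"]["arn"],  # identity attribution
                               "state": fn(prev)})
        return self._assess(rid, res)

    def _assess(self, rid, res):
        """Open findings that now fail; RESOLVE findings the change (or a deletion) fixed."""
        state, transitions = res["history"][-1]["state"], []
        for name, check in CHECKS.get(res["type"], {}).items():
            key, passed = (rid, name), state is None or check(state)
            if not passed and key not in self.findings:
                self.findings[key] = res["history"][-1]
                transitions.append(("OPEN", rid, name))
            elif passed and key in self.findings:
                del self.findings[key]
                transitions.append(("RESOLVED", rid, name))
        return transitions

    def who_owned_ip(self, ip, when):
        """Point-in-time lookup for incident responders: which resource held `ip` at `when`?"""
        for rid, res in self.resources.items():
            seen = [v for v in res["history"] if v["at"] <= when]
            state = seen[-1]["state"] if seen else None
            if state and state.get("publicIp") == ip:
                return rid
        return None

# constructed stream: an instance is launched and terminated, its IP is reused, a DB port is opened and closed
ALICE, ETL = "arn:aws:iam::123456789012:user/alice", "arn:aws:iam::123456789012:role/etl-job"
MYSQL_WORLD = {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}

def _ev(name, t, actor, req=None, resp=None):
    return {"eventName": name, "eventTime": t, "userIdentity": {"arn": actor},
            "requestParameters": req or {}, "responseElements": resp or {}}

SAMPLE_EVENTS = [
    _ev("RunInstances", "2023-10-01T02:00:00Z", ALICE,
        resp={"instancesSet": {"items": [{"instanceId": "i-0aaa", "publicIp": "203.0.113.10"}]}}),
    _ev("TerminateInstances", "2023-10-01T02:50:00Z", ALICE, req={"instancesSet": {"items": [{"instanceId": "i-0aaa"}]}}),
    _ev("RunInstances", "2023-10-01T03:00:00Z", ETL,
        resp={"instancesSet": {"items": [{"instanceId": "i-0bbb", "publicIp": "203.0.113.10"}]}}),
    _ev("AuthorizeSecurityGroupIngress", "2023-10-01T03:05:00Z", ETL,
        req={"groupId": "sg-0ccc", "ipPermissions": {"items": [MYSQL_WORLD]}}),
    _ev("RevokeSecurityGroupIngress", "2023-10-01T03:20:00Z", ALICE,
        req={"groupId": "sg-0ccc", "ipPermissions": {"items": [MYSQL_WORLD]}}),
]

def run_sample():
    inv, log = Inventory(), []
    for e in SAMPLE_EVENTS:
        log.extend(inv.apply(e))
    return inv, log
```

Running `run_sample()` opens the `db-port-open-to-world` finding on `sg-0ccc` when the ETL role authorizes the rule and resolves it when alice revokes it, with both actors recorded in the group's history; `who_owned_ip("203.0.113.10", ts("2023-10-01T02:30:00Z"))` returns `i-0aaa`, the same query at 02:55 returns nothing (the instance was terminated at 02:50), and at 03:10 it returns `i-0bbb`, which is exactly the distinction a responder needs when an IP from the logs has since been reused.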

The best way to experience this is through our 90-second video tour!

And here are a few key screenshots:

Main page, displaying a wealth of important data in a single view:

Here’s the change history view, presenting changes with full details and attribution. It also boasts useful features like related events, associated resources, exemptions, and a history of pass/fail findings for the resource:

This History view tracks changes chronologically with a graph depicting activity trends. Clicking on the timeline jumps to that date:

Have you ever needed to know which ephemeral cloud resource owned the IP address that appeared in the logs at a specific point in time? Incident responders love this one…

And that’s the quick overview. In future posts, we’ll provide more insight into the architecture and how we handle this for multi-cloud environments.

The Mysterious Case of the Ephemeral Data Exposure https://www.firemon.com/the-mysterious-case-of-the-ephemeral-data-exposure/ Wed, 04 Oct 2023 17:10:23 +0000 https://www.firemon.com/?p=1611

While we may not actively monitor customer accounts for findings and alerts, we recently had a customer reach out to us for a more proactive role in their journey towards automated remediation. At the customer’s request, we were keeping an eye on a few things when… something interesting happened.

Our CTO received an alert indicating that there was an exposed Public RDS instance in AWS. However, when he checked with the client, it wasn’t there anymore. Adding to the strangeness, a public RDS instance was being created every night, only to be terminated 50 minutes later. This kind of activity could easily be missed during timed assessments. Our CTO promptly informed the client and retrieved the metadata on the terminated instance from our inventory. After a thorough (and quick, it only took a few minutes) investigation of the triggering events and instance configuration, he discovered that a public instance was being created nightly based on the latest snapshot backup of a different database. It was then exposed to a small list of known corporate IP addresses (which was good news) before being terminated shortly afterward.

The Investigation
The client conducted their own investigation and found that this was part of an automation process for ETL that ran in the data center. A scheduled job on the cloud side was responsible for creating the ephemeral instance as public, restricting access to a handful of IP addresses (5, which still seemed like a lot), and then the data center would connect to extract the data. We never found out where the actual data transformation happened, but that isn’t overly relevant to the situation.

This presented an interesting challenge for the security team – the alert was valid, but there was no actual security issue at hand (although there are certainly more secure ways to handle this situation than a public RDS instance). Exempting the instance was not an option since a new one was created every night. Exempting the entire account from the check would also be risky, as it could potentially lead to the oversight of a genuinely exposed RDS instance. Even exempting based on tags posed a risk, as someone could easily change the process to expose the instance to an untrusted IP address.

Lessons Learned
My advice was to focus on fixing the underlying process rather than complicating the assessment side. The reality is that this process is not ideal from a procedural standpoint – allowing public RDS instances is never good form. Sometimes you need them, but they should only be a last resort. Instead, they should be placed in a private subnet and accessed through a dedicated or VPN-based connection from wherever you need.

While this didn’t turn out to be a security exposure, there are still some interesting lessons to learn. First, I refer to this as a “false false positive” since the alert was for a real condition that needed attention, but it did not necessarily pose a risk in this particular scenario. There was no actual data leakage, but the client couldn’t know without an investigation and communication with the team responsible for the resource and process.

Second, this is a tough one to try and fully prevent with Service Control Policies. There is no condition key to prevent public RDS instances, nor are there condition keys to prevent the opening of database ports (or any ports) in security groups.

Third, the ephemeral nature of the instances means that unless you operate in real-time or on a very short cycle, you might miss the exposure. I actually cover this topic in my incident response training, as there are many situations where something can be exposed and extracted within a tight timeframe, only to be destroyed later to eliminate evidence. This is why incident responders always need the capability to jump directly into deployments and should have access to an inventory that allows them to look back (such as AWS Config or a third-party tool like ours). API calls alone may not provide sufficient insight into what is happening since they lack context. In this case, you would detect the exposure, but then need to look directly at the DB Instance (or in inventory) to see what ports are exposed from where.

Fourth, due to the limited preventative options available, detective and corrective controls must be utilized. In this case, you can directly detect the CreateDBInstance API call and check for the PubliclyAccessible=True parameter. Additionally, continuous monitoring with CSPM (again, from your CSP or a vendor like us) for Public RDS Instances is highly recommended. In terms of remediation, one option is to terminate the instance upon detection of its creation. However, a better approach may be to use ModifyDBInstance to remove the PubliclyAccessible parameter. If you do this, it’s important to only implement such automation in a deployment where you are certain that public RDS instances will not be allowed. The day you disrupt an expected and authorized database connection that’s been running for 3 years because you failed to communicate with the team is probably a good day to pull out that resume.
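The third and fourth points above translate directly into code: a detective rule over the `CreateDBInstance`/`ModifyDBInstance` parameters, a way to measure how long each public instance actually existed (and whether a once-a-day sweep would have caught it), and a remediation planner that only proposes `ModifyDBInstance` in accounts where public RDS is known to be disallowed. The following is an added example, not FireMon's code or the customer's automation. It assumes CloudTrail's camelCased request parameter names (`dBInstanceIdentifier`, `publiclyAccessible`), constructs every account ID, identity, database name and timestamp, and only builds the keyword arguments for boto3's `rds.modify_db_instance` rather than calling AWS.

```python
"""Added example (not FireMon's code): detective and corrective logic for the public
RDS case described above, run over constructed CloudTrail-style events. Field names
follow CloudTrail's camelCased requestParameters (dBInstanceIdentifier,
publiclyAccessible); accounts, identities, DB names and times are made up. The
remediation planner only builds keyword arguments for boto3's rds.modify_db_instance;
nothing here calls AWS."""
from datetime import datetime, timedelta

# API calls whose PubliclyAccessible parameter can expose a DB instance
EXPOSING_CALLS = {"CreateDBInstance", "ModifyDBInstance", "RestoreDBInstanceFromDBSnapshot"}

def ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))  # CloudTrail eventTime -> datetime

def detect_public_rds(event):
    """Detective control: return a finding for any call that sets PubliclyAccessible=True."""
    params = event.get("requestParameters") or {}
    if event["eventName"] not in EXPOSING_CALLS or params.get("publiclyAccessible") is not True:
        return None
    return {"account": event["recipientAccountId"], "db": params["dBInstanceIdentifier"],
            "call": event["eventName"], "actor": event["userIdentity"]["arn"],
            "at": ts(event["eventTime"])}

def exposure_windows(events):
    """Pair each exposure with the DeleteDBInstance or ModifyDBInstance(publiclyAccessible=False)
    that ended it, giving (db, start, end); end is None for a still-exposed instance."""
    opened, windows = {}, []
    for e in sorted(events, key=lambda x: x["eventTime"]):
        name, p = e["eventName"], e.get("requestParameters") or {}
        db = p.get("dBInstanceIdentifier")
        if detect_public_rds(e):
            opened.setdefault(db, ts(e["eventTime"]))  # exposure begins (keep the earliest start)
        elif db in opened and (name == "DeleteDBInstance" or
                               (name == "ModifyDBInstance" and p.get("publiclyAccessible") is False)):
            windows.append((db, opened.pop(db), ts(e["eventTime"])))  # exposure ends
    windows.extend((db, start, None) for db, start in opened.items())
    return windows

def seen_by_daily_scan(window, scan_hour_utc):
    """Would a once-a-day sweep at scan_hour_utc have observed this exposure window?"""
    _, start, end = window
    if end is None:
        return True
    scan = start.replace(hour=scan_hour_utc, minute=0, second=0, microsecond=0)
    if scan < start:                      # first scheduled run after the exposure began
        scan += timedelta(days=1)
    return scan <= end

def plan_remediation(finding, no_public_rds_accounts):
    """Corrective control with the guard the text calls for: auto-fix only in accounts
    where public RDS is known to be disallowed; otherwise route to the owning team."""
    if finding["account"] in no_public_rds_accounts:
        return {"action": "modify_db_instance",
                "kwargs": {"DBInstanceIdentifier": finding["db"],
                           "PubliclyAccessible": False, "ApplyImmediately": True}}
    return {"action": "notify_owner", "db": finding["db"], "actor": finding["actor"]}

# constructed events: the nightly public copy lives 50 minutes; a second DB is created
# private and later flipped to public by a person
ACCOUNT = "111122223333"
ETL, ALICE = f"arn:aws:iam::{ACCOUNT}:role/etl-nightly", f"arn:aws:iam::{ACCOUNT}:user/alice"

def _ev(name, t, actor, req):
    return {"eventName": name, "eventTime": t, "recipientAccountId": ACCOUNT,
            "userIdentity": {"arn": actor}, "requestParameters": req}

SAMPLE_EVENTS = [
    _ev("CreateDBInstance", "2023-09-28T02:00:00Z", ETL,
        {"dBInstanceIdentifier": "nightly-copy", "publiclyAccessible": True}),
    _ev("DeleteDBInstance", "2023-09-28T02:50:00Z", ETL,
        {"dBInstanceIdentifier": "nightly-copy", "skipFinalSnapshot": True}),
    _ev("CreateDBInstance", "2023-09-28T08:00:00Z", ALICE,
        {"dBInstanceIdentifier": "reports", "publiclyAccessible": False}),
    _ev("ModifyDBInstance", "2023-09-28T09:00:00Z", ALICE,
        {"dBInstanceIdentifier": "reports", "publiclyAccessible": True}),
]

def run_sample():
    findings = [f for f in map(detect_public_rds, SAMPLE_EVENTS) if f]
    return findings, exposure_windows(SAMPLE_EVENTS)
```

With the sample stream, `detect_public_rds` fires twice (the nightly `CreateDBInstance` by the ETL role and alice's later `ModifyDBInstance`), `exposure_windows` shows the nightly copy existed for 50 minutes, and `seen_by_daily_scan` reports that a 06:00 UTC sweep would never have seen it while a 02:00 one would. `plan_remediation` returns the `modify_db_instance` arguments only when the account is in the set where public RDS is disallowed; for any other account it hands the finding, with the responsible identity, to the owning team, which is the conversation this post says has to happen before anything is automated.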

Ultimately, this incident did not pose a security risk for the customer. However, it did highlight the need for more secure processes, and they are actively exploring options to handle things in a more secure manner. I find this example particularly interesting because ephemeral data exposures, leaks, and exfiltration are genuine concerns, and what we initially discovered seemed indistinguishable from an actual attack. Only after digging in did we, and the client’s security team, realize it was part of an expected process. It’s crucial to work closely with your teams to cultivate good habits, ensure your monitoring is capable of handling the highly volatile nature of the cloud, and understand that when something unusual like this occurs, it is critical to engage with the individuals responsible for the deployment.

In the cloud, sometimes the only way to differentiate between a false positive and a really bad problem is to check with those directly involved. As I wrote in Schrödinger’s Misconfigurations, attackers utilize the same API calls and, unfortunately, identities, rather than relying on some zero-day vulnerability.

Guest Speaker

Rich Mogull

SVP of Cloud Security, FireMon
Rich is the SVP of Cloud Security at FireMon, where he focuses on leading-edge cloud security research and implementation. Rich joined FireMon through the acquisition of DisruptOps, a cloud security automation platform based on his research while he was CEO of Securosis. He has over 25 years of security experience and currently specializes in cloud security and DevSecOps, having started working hands-on in cloud nearly 10 years ago. Prior to founding Securosis and DisruptOps, Rich was a Research Vice President at Gartner on the security team.

FireMon Launches a More Powerful CSPM for Less https://www.firemon.com/firemon-launches-a-more-powerful-cspm-for-less/ Mon, 02 Oct 2023 13:37:35 +0000 https://www.firemon.com/?p=1605

In the ever-evolving landscape of cloud security, businesses are on a perpetual quest for comprehensive yet cost-effective solutions to safeguard their cloud infrastructure. FireMon, a pioneer in network security management solutions, has always been at the forefront of this endeavor. In April, the company launched Cloud Defense Free to mitigate the ‘cloud security tax’ that has burdened many organizations.

Now, FireMon is taking another giant leap by introducing Cloud Defense Pro, offering the industry’s best pricing for a top-tier Cloud Security Posture Management (CSPM) solution. This new offering embodies a more powerful CSPM solution for less, making cloud security more accessible and uncomplicated for all.

FireMon now supports two pricing models. Flat pricing is simple at $200 per account per month. But we know some organizations prefer different pricing models, so FireMon can adapt to resource-based or other pricing models to fit customers’ preferred patterns.

Jody Brazil, CEO of FireMon, expresses the company’s vision, “We’re on a mission to redefine the economics of cloud security. Cloud Defense Pro is a reflection of that mission, presenting an unrivaled CSPM solution that’s not only highly affordable but also feature-rich, empowering businesses to enhance their cloud security seamlessly.”

Cloud Defense Pro is engineered with a gamut of powerful features, including:

  • Real-time Security and Compliance Monitoring: Stay ahead of attackers by detecting problems right when they happen.
  • Real-time, Change-tracked, Identity-attributed Historical Inventory: A dynamic cloud inventory that tracks changes in real-time, attributes who made the change, and keeps a historical timeline. This even includes a history of when checks passed or failed, and everything is searchable.
  • Real-time Threat Detectors: Enhance your Security Information and Event Management (SIEM) with real-time threat detection. These reduce response cycles and can fully integrate with event routing and ChatOps to improve the signal and reduce the noise.
  • Granular Event Filtering, Enrichment, and Routing: Get the most out of your cloud provider security alerts with intelligent event management. Filter out noisy alerts from less-important deployments, send alerts directly to the teams that own the environment, and enrich alerts with information on the affected resources, all in Slack or Teams.
  • Just-In-Time (JIT) Authorizations with Policy Restrictions: Defend against lost, stolen, exposed, or abused credentials with CLI and ChatOps-based authorizations to access cloud deployments. Cloud Defense Pro supports advanced capabilities like multiple approvers, out-of-band approvals, location (IP) based restrictions, and can even lock a session to a user’s current IP address to defend against session token theft.
  • Full ChatOps Support for… EVERYTHING: Foster organizational collaboration and expedite remediations by bridging silos with Slack, Teams, JIRA, and other developer-centric tools. Push information right to the teams who run the deployments without having to email spreadsheets or force them to log into a security tool.
  • Automated or ChatOps-based Remediations: Swiftly close security loopholes with automated or ChatOps-based remediations. Let the platform do the work, or keep control in the hands of the teams that run the deployments.

Rich Mogull, SVP of Cloud Security at FireMon, shed light on what’s on the horizon, “We’re soon launching a Cloud Security Maturity Model dashboard with Key Performance Indicators (KPIs) to help organizations better understand and improve their security program. This is a step further in our long-term vision to provide actionable insights that drive better security outcomes.”

For more information and to stay up-to-date, check out FireMon’s Cloud Defense Product Page.

The Dangers of DIY Network Security Policy Management https://www.firemon.com/the-dangers-of-diy-network-security-policy-management/ Wed, 30 Aug 2023 16:43:03 +0000 https://www.firemon.com/?p=1571

Network security has become a top priority for enterprises to safeguard their sensitive data, protect against cyber threats, and ensure compliance with industry regulations. And rightfully so: in today’s rapidly evolving digital landscape, with 74% of all breaches involving the human element (Verizon DBIR, 2023), tools like Network Security Policy Management (NSPM) solutions drastically reduce these odds.

An efficient NSPM solution is essential to ensure the smooth functioning of an organization’s network while mitigating risks effectively. While some enterprises may be tempted to build their own in-house security policy management system, opting for a specialized and proven solution, like FireMon, offers numerous advantages. 

1. Lack of expertise and experience creates opportunities for mistakes: Established NSPM vendors, like FireMon, have spent years honing their solutions and gaining valuable experience in the field of network security. They understand the complexities and nuances of managing security policies effectively, and their solutions are designed to meet the unique challenges faced by modern enterprises. Building an in-house NSPM solution requires considerable expertise, research, and ongoing maintenance, which can be both time-consuming and costly.

2. Unable to react quickly to changes in the environment: Time-tested NSPM solutions come equipped with a comprehensive feature set that caters to the diverse needs of enterprises. These features may include policy analysis, risk assessment, compliance reporting, change management, and automation tools. Developing a feature-rich in-house solution that matches the capabilities of proven vendors would demand significant resources and time and might not be feasible for all enterprises.

3. Time and cost inefficiency: Building an NSPM solution from scratch demands extensive resources, including hiring specialized personnel and ongoing development efforts. The process can be time-consuming and divert focus from core business activities. In contrast, purchasing an NSPM solution allows enterprises to quickly deploy a ready-to-use system, saving valuable time and reducing costs associated with development, testing, and maintenance.

4. Inability to scale: As enterprises grow and their network infrastructure expands, the demands on their NSPM solution increase. NSPM vendors design their solutions with scalability in mind, accommodating the evolving needs of enterprises seamlessly. Building an in-house solution that can scale effectively may prove challenging, leading to potential inefficiencies and increased expenses.

5. Inadequate updates and support: Network security is an ever-changing landscape, with new threats emerging regularly. Trusted NSPM vendors provide regular updates to their solutions for new vendor devices, software versions, and features, ensuring that enterprises are equipped with the latest security defenses. Additionally, reputable vendors offer ongoing support and assistance, helping enterprises address issues promptly and efficiently. Developing and maintaining an in-house system with the same level of continuous updates and support can be daunting and resource intensive.

6. Lack of integration and compatibility: Enterprises typically use a range of security tools and devices to protect their network. NSPM solutions are designed to integrate seamlessly with various security infrastructure components, providing a unified and cohesive security management environment. Developing an in-house solution that aligns with existing tools and devices can be complex and may lead to compatibility issues. 

7. Unproven security and reliability: Proven NSPM solutions undergo rigorous testing and validation processes to ensure they meet industry standards for security and reliability. Vendors prioritize data protection and deploy robust security measures to safeguard sensitive information. Building an in-house solution that adheres to the same high standards might be challenging, and any lapses in security could have severe consequences for the enterprise.

8. Time-consuming training and development: The talent you have today might not be the talent you have tomorrow, which means a significant ongoing effort to train new teams that have never seen the system before. Building a robust and secure NSPM solution demands expertise in network security, software development, and policy management. If the enterprise lacks these skills, it can lead to vulnerabilities and ineffective security controls.

While building an in-house network security policy management solution might seem appealing to some enterprises, the benefits of opting for a trusted and specialized solution far outweigh the drawbacks. NSPM vendors offer expertise, a comprehensive feature set, scalability, continuous updates, integration support, and robust security measures. By opting for a proven NSPM solution, enterprises can focus on their core business objectives while ensuring their network remains secure, compliant, and protected against emerging cyber threats.  

FireMon provides expertise, efficiency, scalability, continuous support, and compliance features that empower enterprises to bolster their network security posture effectively. By choosing FireMon, enterprises can focus on their core business objectives while confidently safeguarding their network from the ever-evolving cyber threats. 
