Cloud Vulnerability Management for Hosts

Vulnerability management plays an essential role in cybersecurity, even receiving attention from governments. Traditional vulnerability management of on-premises hosts (physical or virtual machines) cannot scale to cloud environments. To cope with rapidly-changing cloud environments, vulnerability management needs a new approach.

Our threat research department, Unit 42, recently documented in its biannual Cloud Threat Report the exponential growth in cloud usage across almost all industries and, more concerningly, the even greater increase in cloud security incidents.

What Does Vulnerability Management Look Like in the Cloud?

By default, the cloud can be more secure than standard on-premises environments. Default network topologies and configurations (VPCs, security groups, NACLs, and routing) make it harder for attackers to exploit hosts in the cloud. However, if you leave hosts with known vulnerabilities, you negate all of those benefits and remain exposed to attack.

Cloud configurations also enable DevOps as a key operating principle. Infrastructure and workloads like virtual machines are typically deployed from templates and vetted images. Security requirements like vulnerability detection need to follow the same model. Detecting and mitigating vulnerabilities early in the development lifecycle, by hardening the software before it is deployed, plugs critical holes in security controls.

Another operating paradigm is that cloud infrastructure can be treated as cattle rather than pets, and as either truly immutable or regarded as immutable. Patching live instances is relegated to emergency situations only. Instead, old instances are wiped out and replaced by fully patched instances.

The shift to immutable infrastructure needs to be deliberate. Assessing vulnerabilities in production and mitigating them there takes a lot of manual effort and comes too late, because those vulnerabilities are already exposed. Resolving known vulnerabilities ahead of time frees up risk and SOC teams to focus on things that matter.

Let's explore the practical methods organizations can use to create top-notch vulnerability practices in the cloud, for both lift-and-shift and cloud native workloads.

Getting Started with Vulnerability Management

Not all organizations will be able to adopt these practices immediately across all environments. However, all organizations can get started and put the right foundation in place. Start small with the projects or applications that are amenable to utilizing DevOps practices.

Here are the first 5 steps to begin using cloud native host security:

  1. Start with discovery across your cloud accounts. Gain visibility into your environment, the instances and the images being used.
  2. Implement scanning of your building blocks. Virtual machine image scanning, such as Amazon Machine Image (AMI) scanning, is unobtrusive and will establish a baseline of operating systems in use.
  3. Establish your standard operating environment (SOE) with this information.
  4. Implement continuous improvement by building a ‘golden’ image pipeline. Begin with as much automation as possible but remember that this is about improving over time.
  5. Scan your running estate - this needs to be fast and accurate - with results routed to the correct team.
  6. Check the context of your alerts and the level of false alarms. If there is no context, or a high rate of false positives, then you are creating too much noise for your teams.

Start with a comprehensive discovery scan to find your existing posture across all virtual machines. Cover vulnerabilities and compliance assessments of your VM images, such as AMIs. In the cloud, these are the building blocks of your virtual infrastructure. By scanning at this level you can create your standard operating environment (SOE) and build that into an image factory.

When it comes to scanning running VMs, ensure that your scanning techniques can accommodate rapidly changing environments. To do this, they will need to have breadth, depth, and speed - waiting 8 hours for scan results is no longer acceptable.

Before summing up the steps, it’s important to drill into the depth and breadth requirements. When we talk of cloud computing, it doesn’t mean only computing in the public cloud, or in one public cloud. Instead, your vulnerability management must be able to adapt to changing environments and be as at home scanning public cloud resources as those running within the datacenter. Cloud native applications and development will make use of the most appropriate tooling. That may be Python on Ubuntu Linux running in Azure today, .NET on Windows running in AWS tomorrow, or Node.js on Red Hat Enterprise Linux on-prem in the future.

Consequently, ensure your scanning tooling can:

  • Work across multiple operating systems and public/private clouds.
  • Provide context-specific vulnerability information tailored to your environment and not just generic risks - is the package that contains the vulnerability even in use? Instead of spending time updating the software, perhaps it can simply be removed.
  • Operate at the pace of cloud computing - if it takes more than 30 minutes to scan a host then that’s too long.

Provide visibility to stakeholders by creating a report that shows instances that are part of the process and those that are not. Include a vulnerability trend chart to showcase the improvements over time as you adopt this approach.
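The following is an added illustration of steps 1 to 3 and the stakeholder report above; it is not Prisma Cloud code. The instance inventory, approved image list and scanner findings are constructed sample data shaped like the `InstanceId`/`ImageId` fields of an EC2 `describe-instances` response; a real run would fetch them from the cloud API and your scanner.

```python
"""Compare running instances against an approved SOE image list and rank
scanner findings by whether the vulnerable package is actually in use."""

# Constructed inventory (not real account data).
INSTANCES = [
    {"InstanceId": "i-0aaa", "ImageId": "ami-golden-2024-05", "State": "running"},
    {"InstanceId": "i-0bbb", "ImageId": "ami-golden-2024-05", "State": "running"},
    {"InstanceId": "i-0ccc", "ImageId": "ami-legacy-2021-01", "State": "running"},
    {"InstanceId": "i-0ddd", "ImageId": "ami-unknown-import", "State": "stopped"},
]

# Constructed ids of golden images produced by the image pipeline (the SOE).
APPROVED_AMIS = {"ami-golden-2024-05", "ami-golden-2024-04"}

# Constructed scanner findings; "in_use" is the context the scanner supplies
# about whether the package is loaded or executed on that host.
FINDINGS = [
    {"InstanceId": "i-0ccc", "package": "openssl", "severity": "critical", "in_use": True},
    {"InstanceId": "i-0ccc", "package": "imagemagick", "severity": "high", "in_use": False},
    {"InstanceId": "i-0aaa", "package": "curl", "severity": "medium", "in_use": True},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def soe_report(instances, approved):
    """Split instances into those built from an approved image and drift."""
    in_soe = [i["InstanceId"] for i in instances if i["ImageId"] in approved]
    drift = [i["InstanceId"] for i in instances if i["ImageId"] not in approved]
    coverage = round(100 * len(in_soe) / len(instances), 1) if instances else 0.0
    return {"in_soe": in_soe, "drift": drift, "coverage_pct": coverage}


def prioritise(findings, report):
    """Rank findings: in-use packages first, then drifted hosts, then severity.
    Unused packages are routed to removal instead of patching."""
    def key(f):
        return (f["in_use"], f["InstanceId"] in report["drift"], SEVERITY_RANK[f["severity"]])
    ranked = [dict(f) for f in sorted(findings, key=key, reverse=True)]
    for f in ranked:
        f["action"] = "patch or rebuild image" if f["in_use"] else "remove unused package"
    return ranked


if __name__ == "__main__":
    rep = soe_report(INSTANCES, APPROVED_AMIS)
    print(f"SOE coverage {rep['coverage_pct']}%, drifted hosts: {rep['drift']}")
    for f in prioritise(FINDINGS, rep):
        print(f"{f['InstanceId']} {f['package']:<12} {f['severity']:<8} -> {f['action']}")
```

Re-running `soe_report` on each discovery scan and storing `coverage_pct` gives the trend series for the stakeholder chart.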

Finally, it is crucial to remember that vulnerability and compliance management has to take place across your hosts and all your other workloads, and provide out-of-the-box support across your virtual machines, containers, and serverless functions.

Start Using Prisma Cloud

At Prisma Cloud by Palo Alto Networks, we’ve invested heavily in providing a solution which will work across your private and public cloud environments, thus providing in-depth visibility, low false positives, and context aware protections.

Request a 30-day trial and learn how Prisma Cloud extends functionality across vulnerability and compliance management, through CI/CD, and even to File Integrity Monitoring with runtime protection.