API Security and Threat Intelligence Reduce Attack Surface in Prisma Cloud Workload Protection Release
by Ivan Melia
Three trends in cloud native applications present significant security concerns that can cost your organization, whether through a breach or through valuable time lost in remediation.
The first area of risk is introduced during development. Modern cloud-native apps are built in CI/CD pipelines from many components and dependencies, any of which can unknowingly introduce vulnerabilities. The holy grail of vulnerability management is prioritizing the vulnerabilities that matter, weighing the likelihood of exploitation against the impact on production environments.
Second, most of today’s traffic is web traffic, and most web traffic consists of API calls. An API is a software intermediary that lets two applications exchange data. Cloud-native applications rely on APIs for communication, and APIs are the entry point to our apps and data. The explosive growth of insecure cloud-native deployments has made APIs a primary attack vector.
Third, every system has vulnerabilities, and it is only a matter of time before one is exploited. Unaddressed vulnerabilities add noise to runtime security alerts, and because 100% patch rates are rare, attackers have plenty of targets once a vulnerability is disclosed.
Risk Prioritization Through Prisma Cloud Workload Protection
For DevOps and security teams that focus on runtime application security, Prisma Cloud is making it easier to adopt agentless and agent-based architectures that help with prioritizing threats and defending your workloads.
We’re pleased to announce the following key capabilities that reinforce security in your code to cloud journey:
API Risk Profiling: We’ve added API risk profiling to our API discovery capability. You can now better understand and prioritize risk based on 200+ risk factors for every API discovered in your environment.
Vulnerability Explorer Enhancements: A primary approach to application security is accurate risk prioritization, so your team can focus on what matters most. The first step is a complete view of your vulnerabilities, filtered by the risk factors that matter to you. This is where Vulnerability Explorer comes in.
In our commitment to ongoing development, we’ve added new features that will make it easier for you to identify and prioritize security issues with our Vulnerability Explorer. You’ll find new ways to better track, analyze, and prioritize vulnerabilities across all your workloads.
Application Control for Hosts: With applications and their versions constantly evolving, it’s becoming difficult to track what runs on your hosts. We’ve added new capabilities to control which applications, and which versions of them, are allowed to run on your host machines.
With this protection policy, we provide compliance controls that give users the ability to select which applications can run on their host machines and specify the allowed versions. Now you can reduce the attack surface and ensure continuous compliance controls on all your hosts.
Agentless Workload Scanning for Containers: Prisma Cloud can now scan container workloads for software vulnerabilities without the need for an agent. Identified vulnerabilities are prioritized with a risk score and a description of risk factors. The risk factor description guides the security team toward the best course of action by reporting details such as the vulnerable packages, attack complexity and attack vector.
With the addition of container agentless scanning, customers can centralize visibility across hosts, VMs, serverless, and containers.
API Risk Profiling
Due to the massive growth in APIs, less than 50% of enterprise APIs will be managed by 2025, according to a recent study by Gartner. Without automation, the speed of application development makes it incredibly challenging to keep track of all API-associated risks. API security needs to start with full insight into the risk that APIs pose across your cloud environments.
Prisma Cloud has enhanced its API security capabilities with API risk profiling to help teams understand and prioritize risk based on 200+ factors for all APIs in your environment. Understanding the risk factors associated with APIs based on misconfigurations, best practices, exposure to sensitive data and access control is a key step before application security teams can take preventative measures to reduce the API attack surface.
In a single view, Prisma Cloud shows each API endpoint’s path, the HTTP method used to call it, the number of times it has been called, which protections are enabled, its risk factors and the vulnerabilities in the underlying workload. Prisma Cloud makes it easy to prioritize risk based on these filters, after which users can enable runtime protection to enforce security against the OWASP API Security Top 10 risks.
Figure 1: API Risk Profiling and Observations
Vulnerability Explorer Enhancements
We improved our risk mechanism for CVEs in a number of areas. First, you can now filter the CVE viewer in the Vulnerability Explorer by the risk factors of your choice (see Figure 2), including whether the container is privileged or exposed to the Internet. This helps you find affected assets fast.
Second, we added a new risk factor category, ‘Exploit in the wild’ (see Figure 3), with the CISA Known Exploited Vulnerabilities (KEV) Catalog as the main data source. Now you can see which CVEs have confirmed exploitation rather than a theoretical risk. Based on this, you can create alert and block policies for ‘exploit in the wild’ vulnerabilities. Keep in mind that the catalog only records exploitation CISA has evidence of; a CVE that is absent from it is not necessarily unexploited, so the factor should raise priority, never lower it.
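The script below is an added example, not Prisma Cloud code and not part of the original post. It shows how the two enhancements above fit together in practice: scan findings carrying environmental context (privileged, internet-exposed) are cross-referenced with the CISA KEV catalog, filtered by risk factor, scored, and mapped to an alert or block decision. The finding fields, factor weights and policy thresholds are assumptions; the KEV excerpt is a constructed subset in the shape of CISA’s published KEV JSON feed, not the live feed.

```python
"""Rank CVE findings by environmental risk factors and CISA KEV membership.

Added example, not Prisma Cloud code. The finding fields, the factor weights
and the policy thresholds are assumptions; the KEV excerpt is a constructed
subset in the shape of CISA's published KEV JSON feed, not the live feed.
"""
import json

# Constructed excerpt mirroring the KEV feed's shape (field names as published by CISA).
KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2014-0160", "vendorProject": "OpenSSL", "product": "OpenSSL",
         "dateAdded": "2022-05-04", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: one row per (workload, CVE) with environmental context.
FINDINGS = [
    {"workload": "payments-api", "cve": "CVE-2021-44228", "package": "log4j-core 2.14.1",
     "cvss": 10.0, "fix_available": True, "privileged": False, "internet_exposed": True},
    {"workload": "batch-etl", "cve": "CVE-2021-44228", "package": "log4j-core 2.14.1",
     "cvss": 10.0, "fix_available": True, "privileged": True, "internet_exposed": False},
    {"workload": "legacy-proxy", "cve": "CVE-2014-0160", "package": "openssl 1.0.1e",
     "cvss": 7.5, "fix_available": True, "privileged": False, "internet_exposed": True},
    {"workload": "reporting", "cve": "CVE-2016-2183", "package": "openssl 1.0.2k",
     "cvss": 7.5, "fix_available": True, "privileged": False, "internet_exposed": True},
]

# Assumed weights added on top of the CVSS base score; tune to your environment.
WEIGHTS = {
    "exploit in the wild": 5.0,
    "ransomware campaign use": 2.0,
    "internet exposed": 3.0,
    "privileged container": 2.0,
    "fix available": 1.0,
}


def load_kev(feed_json: str) -> dict:
    """Index KEV entries by CVE ID so membership checks are O(1)."""
    feed = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def risk_factors(finding: dict, kev: dict) -> list:
    """Derive the risk factors that apply to one finding.

    KEV absence is deliberately not a factor: the catalog records exploitation
    CISA has evidence of, so it can raise priority but never lower it.
    """
    factors = []
    entry = kev.get(finding["cve"])
    if entry is not None:
        factors.append("exploit in the wild")
        if entry.get("knownRansomwareCampaignUse") == "Known":
            factors.append("ransomware campaign use")
    if finding["internet_exposed"]:
        factors.append("internet exposed")
    if finding["privileged"]:
        factors.append("privileged container")
    if finding["fix_available"]:
        factors.append("fix available")
    return factors


def risk_score(finding: dict, kev: dict) -> float:
    """CVSS base score plus the weight of every applicable factor."""
    return finding["cvss"] + sum(WEIGHTS[f] for f in risk_factors(finding, kev))


def filter_by_factors(findings: list, kev: dict, required: set) -> list:
    """Keep only findings that carry every factor in `required` (a Figure 2 style filter)."""
    return [f for f in findings if required <= set(risk_factors(f, kev))]


def policy_action(finding: dict, kev: dict) -> str:
    """Assumed policy: block fixable KEV CVEs on internet-exposed workloads,
    alert on any other KEV CVE, and merely report the rest."""
    factors = set(risk_factors(finding, kev))
    if {"exploit in the wild", "internet exposed", "fix available"} <= factors:
        return "block"
    if "exploit in the wild" in factors:
        return "alert"
    return "report"


def prioritize(findings: list, kev: dict) -> list:
    """Return findings ordered from highest to lowest risk score."""
    return sorted(findings, key=lambda f: (-risk_score(f, kev), f["workload"]))


if __name__ == "__main__":
    kev = load_kev(KEV_FEED_JSON)
    for f in prioritize(FINDINGS, kev):
        print(f"{risk_score(f, kev):5.1f}  {policy_action(f, kev):6}  {f['workload']:14} "
              f"{f['cve']}  {', '.join(risk_factors(f, kev))}")
```

Running the script ranks the two Log4Shell findings first, with the internet-exposed one blocked and the privileged-but-internal one only alerted; the same CVE lands on different actions because the environmental factors, not just the CVSS score, drive the decision. The SWEET32 finding keeps its CVSS score but no KEV bump, so it sorts last and is merely reported.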
Figure 2: Additional search parameters in Prisma Cloud Vulnerability Explorer to help security teams focus on things that matter
Figure 3: Expanded risk and environmental factors overview for more granularity and insight
Application Control for Hosts
To minimize the attack surface and prevent vulnerable applications from running on host machines, we’ve added a new capability to detect legacy applications and control the application inventory on your hosts with compliance checks.
Now you can define which applications, and which versions of them, may run on hosts (see Figure 4). Without this control, applications with known vulnerabilities, or vulnerable versions of otherwise approved applications, can run freely on host machines. With compliance controls, you select which applications are allowed and specify the permitted versions. The controls can alert on a range of versions or on specific applications detected on host machines.
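As an added example, not code from Prisma Cloud or from the original post, the script below implements the kind of host application control described above: an allowlist policy with per-application version bounds is evaluated against a host inventory, producing an alert for forbidden applications, out-of-range versions and anything not on the list. The policy schema (min / below / forbidden / unlisted), the inventory and the version rules are assumptions made for illustration.

```python
"""Audit a host application inventory against an allowlist policy with version bounds.

Added example, not Prisma Cloud code. The policy schema (min / below / forbidden
/ unlisted), the inventory and the version rules are assumptions made for
illustration.
"""
import re

# Assumed policy schema: "min" is inclusive, "below" is exclusive, "forbidden"
# bans an application outright, and "unlisted" is the verdict for anything
# the policy does not name.
POLICY = {
    "unlisted": "alert",
    "rules": {
        "openssh-server": {"min": "9.0"},
        "python3": {"min": "3.9", "below": "3.13"},
        "docker": {"min": "24.0"},
        "telnetd": {"forbidden": True},
    },
}

# Constructed inventory, as a host agent or agentless scan might report it.
INVENTORY = [
    {"host": "web-01", "app": "openssh-server", "version": "8.9p1"},
    {"host": "web-01", "app": "python3", "version": "3.10.12"},
    {"host": "db-02", "app": "telnetd", "version": "0.17"},
    {"host": "db-02", "app": "python3", "version": "2.7.18"},
    {"host": "ci-03", "app": "docker", "version": "24.0.7"},
    {"host": "ci-03", "app": "nmap", "version": "7.94"},
]


def parse_version(version: str) -> tuple:
    """Turn a dotted version into a comparable tuple of ints, dropping any
    trailing suffix such as 'p1' in '8.9p1' or '-1ubuntu1'."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def evaluate(entry: dict, policy: dict) -> tuple:
    """Return (verdict, reason) for one inventory entry."""
    rule = policy["rules"].get(entry["app"])
    if rule is None:
        return policy["unlisted"], "application not in allowlist"
    if rule.get("forbidden"):
        return "alert", "application is forbidden"
    version = parse_version(entry["version"])
    if "min" in rule and version < parse_version(rule["min"]):
        return "alert", f"version {entry['version']} is below minimum {rule['min']}"
    if "below" in rule and not version < parse_version(rule["below"]):
        return "alert", f"version {entry['version']} is not below {rule['below']}"
    return "pass", "allowed"


def audit(inventory: list, policy: dict) -> list:
    """Evaluate every entry and return only those that did not pass."""
    alerts = []
    for entry in inventory:
        verdict, reason = evaluate(entry, policy)
        if verdict != "pass":
            alerts.append({**entry, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in audit(INVENTORY, POLICY):
        print(f"{alert['host']}: {alert['app']} {alert['version']} -> {alert['reason']}")
```

The exclusive upper bound ("below") avoids the classic off-by-one where an inclusive "max": "3.12" would reject 3.12.5 because tuple comparison treats the longer version as greater. Treating unlisted applications as an alert rather than a pass is the default-deny posture the text argues for; flip "unlisted" to "pass" during rollout if the initial inventory is too noisy, but do so knowingly.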
Figure 4: Added process for new application control rule in Prisma Cloud
Agentless Workload Scanning
Securing cloud environments with an agentless deployment model begins with fast visibility into inventory and threat prioritization, with little to no operational overhead. We are continuing to invest in agentless capabilities to help you map the environment and calculate and prioritize risk as a first step in implementing application security at runtime.
We know that distributed environments, mixed workload types and app stacks require frictionless security. Our latest release of agentless security brings support for containers across the major cloud providers. In addition to container scanning, we’ve introduced host scanning for Oracle Cloud and compliance assessment for Kubernetes clusters across the public cloud, including support for OpenShift clusters.