Securing Your Resources In the Run Lifecycle

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L4 Transporter

By Shashank Chandramohan, Senior Customer Success Engineer 

 

In the past, application teams would be required to code from scratch, from building an application to releasing a new version, at best, every one or two years using standard shipping distribution methods. Today, application teams often use third-party open-source resource libraries and the cloud to get their products into the hands of users. These methods have sped up development to the point where application teams can release much faster, such as once a month or once a week. 

 

Information security has had to adopt a new model to span the application lifecycle to keep up with the development speed, new technologies, and infrastructure changes. 

 

At Palo Alto Networks, we use the Code & Build, Deploy, Run (CBDR) framework. With this approach, you have four phases to prevent misconfigurations that can lead to vulnerabilities. 

 

The phases are

 

  1. Code - Writing the code to create the resource.
  2. Build - Compiling the resource and its configuration.
  3. Deploy - Deploying the resource to where it is housed.
  4. Run - Running the resource and the live environment in which it is hosted.

 

This article focuses on the CBDR framework's final phase, the Run phase. If you want to start from the first phase, you can read about the Code & Build or Deploy lifecycle phases by clicking the blog links above.

 

Even though most successful exploits and breaches result from misconfigurations and vulnerabilities introduced in the Code & Build or Deploy phases, maintaining security is still crucial in the Run phase because vulnerabilities and exploits can be introduced in any phase of the application lifecycle. Run focuses on securing your workloads in the cloud with your security infrastructure, maintaining network security, and keeping an eye out for breaches, given that assets have already been deployed and are now externally facing.


RPrasadi_0-1686331925559.png

Figure 1:  Use cases of Prisma Cloud during the Run Phase_Palo-Alto-Networks

 

In the Run Phase, you're preventing and detecting breaches trying to access your production assets, network workloads, identities, and data. Prisma Cloud can help your organization’s security professionals detect, analyze, and remediate the common issues that appear in live environments, which range from crypto-jacking, where someone uses your Cloud resources to do crypto mining, to ransomware. 

 

The Run phase’s security should not depend on only daily and infrequent scans. Daily scans can miss costly breaches and malware that is gone by the time abnormal behavior is detected. In a modern production environment, ephemeral cloud resources might only exist for minutes or hours, so it's essential to have a solution that continuously monitors and looks for vulnerabilities and attacks while the resources are active.

 

Prisma Cloud secures your runtime environment using predictive and threat-based protections. It can run and deliver results in near real-time, 24/7/365, eliminating the missed spots from when your resources were checked only once or twice a day. Your security personnel can be notified and start working on threats within minutes, saving time and money at scale.

 

By continuously monitoring your runtime environments, Prisma Cloud goes beyond protecting you from known vulnerabilities and can detect the suspicious behavior of a zero-day vulnerability. Using our machine-learning models based on what is normal for your resources - if behavior deviates from the norm and is malicious, you will be alerted and able to act quickly. 

 

Prisma Cloud uses Palo Alto Wildfire to detect previously unseen targeted malware and advanced persistent threats. And best of all, we bring the resources and research from our world-renowned Unit 42 Security Group to help protect your runtime environment.

 

Drilling Down

Prisma Cloud can identify and remediate issues to secure your assets with the following capabilities:

 

  1. Compliance and Governance
  2. Misconfiguration and Threat Detection 
  3. Vulnerability Management
  4. Runtime Security
  5. Web App and API Security 
  6. Integrated Access Management Security
  7. Data Security
  8. Network Security. 

 

RPrasadi_1-1686331924723.png

Figure 2:  Run Segments_Palo-Alto-Networks

Compliance and Governance 

Cloud compliance comprises the procedures that ensure that your cloud environment complies with your governance rule. When you build a compliant cloud environment, your environment conforms to one or more specific sets of security and privacy standards. Some common compliance frameworks include PCI DSS, GDPR, FedRAMP, and various versions of NIST.

Prisma Cloud has you covered and comes with over 20 of the most commonly used compliance frameworks for use out-of-the-box, and you can tailor and create your own rules and policies for your organization’s specific needs, making it simple to set up and maintain compliance.

You can also view, assess, report, monitor, and create reports that contain summary and detailed findings of security and compliance risks in your cloud environment on one or more cloud accounts and review your cloud infrastructure's health and compliance posture. 

 

RPrasadi_2-1686331924578.png

Figure 3:  The Prisma Cloud Compliance Overview screen includes a line graph to the left showing the number of resources that exist, have failed, and passed on a monthly timeline. There is also a bar graph on the right that shows compliance coverage based on compliance frameworks_Palo-Alto-Networks

The Compliance Overview screen allows you to assess your compliance trends and coverage over time at a glance.

 

Web Application and API Security (WAAS)

WAAS enhances the traditional Web Application Firewall (WAF) protection model by deploying closer to the application, efficiently scaling up or down, and allowing for inspection of "internal" traffic (east-to-west) from other microservices as well as inbound traffic (north-to-south).

Prisma Cloud supports both inline and out-of-band WAAS, which you can use on your hosts and containers.  Inline WAAS offers more protection and features at the cost of using more resources in your cloud. Out-of-band WAAS allows you to run your production loads unchanged, with the WAAS monitoring done elsewhere in your network. 

 

Prisma Cloud WAAS can block new zero-day attacks as soon as they are identified without waiting for modified applications. 

 

Some Highlights of WAAS’s capabilities are:

  • OWASP Top-10 Coverage - Protection against most critical security risks to web applications, including injection flaws, broken authentication, broken access control, security misconfigurations, etc.
  • API Protection - WAAS can enforce API traffic security based on definitions or specs.
  • Access Control - WAAS controls access to protected applications using Geo-based, IP-based, or HTTP Header-based user-defined restrictions.
  • File Upload Control - WAAS secures application file uploads by enforcing file extension rules.
  • Detection of Unprotected Web Applications - WAAS detects and flags unprotected web applications in the radar view.
  • Penalty Box for Attackers - WAAS supports a 5 minutes ban of IPs triggering one of its protections to slow down vulnerability scanners and other attackers probing the application.
  • Bot Protection - WAAS detects good-known bots and other bots, headless browsers, and automation frameworks. WAAS can also fend off cookie droppers and other primitive clients by mandating the use of cookies and Javascript for the client to reach the protected origin.
  • DoS Protection - WAAS can enforce rate limitations on IPs to protect against high-rate and "low and slow" layer-7 DoS attacks.

 

RPrasadi_3-1686331925605.png

Figure 4:  Prisma Cloud’s WAAS Explorer dashboard in Prisma Cloud_Palo-Alto-Networks

 

There are four graphs: 

  • Web protection coverage graph: how many critical  unprotected and vulnerable web apps you have with a line for high, medium, low & none. 
  • Activity overview line graph: the number of policy changes, total traffic, access control, API, DoS, Custom, and WAF activities. 
  • Line graph: the inspected traffic by WAAS, showing how many requests and bytes with the WAAS actions by effect. 
  • Bar graph: total attacks per type and a summary of the WAAS configured policies & rules.

 

Runtime Security

Runtime security is a vast set of features that protect containers and threat-based active protection for running containers, hosts and serverless functions. Threat-based protection includes capabilities like detecting when malware is added to a workload or when a workload connects to a botnet - all in real time.

With Prisma Cloud, you can use both agent-based and agentless-based runtime defense and security separately or simultaneously. Agent-based can block threats in real-time, such as crypto mining and malicious code but is more resource intensive. With limited resources, agentless scanning can cover your entire cloud without deploying agents on every host. With both agent-based and agentless scanning, you can use Prisma Cloud to detect changes to the file system, network, and process activity, with each sensor having its own set of rules and alerting - keeping you protected no matter the number of resources you have available.

 

RPrasadi_4-1686331924707.png

Figure 5:  Active Incidents_Palo-Alto-Networks

 

Data Security

In the Run phase, data security is crucial for preventing leaks of personally identifiable information (PII) and sensitive data that may have been overlooked. With so many resources being run on your workloads, it is difficult to scan and ensure that none of them have potentially exposed data. 

 

Prisma Cloud has 600 data profiles & patterns out of the box and is customizable for your organization’s use cases. For example, you can set various roles at your organization to only see the data masked. This provides your organization with the principle of least privilege, ensuring that only authorized users can access sensitive data.

 

Conclusion

With faster development and release times come new technologies and challenges. Instead of relying on past methods that only scan and monitor once or twice daily, teams need real-time coverage of resources that can scale. Prisma Cloud can scale to meet these needs with automation and customizable tools that cover you from Compliance and Reporting to Runtime Security and WAAS.

 

About the Author

CSE's intro card (Shashank).png

 

  • 1836 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Labels