02-01-2023 12:51 PM - edited 10-15-2024 05:07 PM
Incident response is a daily problem in cybersecurity. Bad actors are constantly looking for new ways to break into an enterprise. Because the consequences of malicious hacking can cause distress on a global scale, we all have a responsibility to be as prepared as possible and to protect our environments through proactive incident response. The Cloud Workload Protection Platform (CWPP) of Prisma Cloud gives you ways to be proactive in incident response while creating protocols to coherently scope the applications and accounts in these environments. In this article, you will learn about collections, the primary scoping utility available in the console, and approaches to creating scope optimally.
When using the Prisma Cloud Compute Console, collections are a tool that helps you achieve the most efficient setup within each cloud environment. Collections give you the scoping needed to triage during incident response and, proactively, the capabilities needed to report on any incident. Collections also give you an organized view of your cloud resources to support your use cases. If your cloud environment is disorganized at the cloud service provider level, it is good practice to begin organizing these environments. One option is to start in the console and work backwards, building this coherency in every environment over time. Let’s take a look at how collections can give you a better experience with cloud security technologies.
To locate collections in your Prisma Cloud Compute console, navigate to “Manage > Collections and Tags”. This presents the current set of collections available in your Prisma Cloud environment.
Figure 1: System defined collections
To add a new collection, you will need a resource onboarded for the collection to be relevant. Click the “Add Collection” button to see the options available for scoping resources within your new collection.
Collections are created with pattern matching expressions that are evaluated against attributes such as image name, container name, hostname, labels, function name, namespace, and more.
Figure 2: Create New Collection
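The pattern matching described above, sketched as an added example (not Prisma Cloud code or console output): each collection is modeled as lists of glob patterns per attribute, under the assumption that a resource must match every attribute listed and any one pattern within it. The collection names, patterns, and inventory are constructed, and Python's `fnmatch` stands in for the console's matcher.

```python
from fnmatch import fnmatchcase

# Constructed collections: attribute -> list of glob patterns. Names and
# patterns are illustrative, not taken from any real console.
COLLECTIONS = {
    "research-prod": {"namespace": ["research-*"], "image": ["*/research/*"]},
    "accounting": {"hostname": ["acct-*"], "label": ["bu:accounting"]},
    "all-java": {"image": ["*openjdk*", "*tomcat*"]},
}

# Constructed inventory of onboarded resources.
RESOURCES = [
    {"hostname": "acct-web-01", "image": "registry.example/acct/tomcat:9",
     "namespace": "accounting", "label": ["bu:accounting", "env:prod"]},
    {"hostname": "node-7", "image": "registry.example/research/etl:2.1",
     "namespace": "research-batch", "label": ["bu:research"]},
    {"hostname": "node-9", "image": "registry.example/hr/portal:1.4",
     "namespace": "hr", "label": ["bu:hr"]},
]

def in_collection(resource, spec):
    """True when every attribute in spec matches at least one of its patterns.

    Assumption: AND across attributes, OR within one attribute's patterns;
    an attribute absent from spec behaves like the wildcard "*".
    """
    for attr, patterns in spec.items():
        values = resource.get(attr, [])
        if isinstance(values, str):
            values = [values]
        if not any(fnmatchcase(v, p) for v in values for p in patterns):
            return False
    return True

def scope(resources, collections):
    """Map each collection name to the hostnames it selects."""
    return {name: [r["hostname"] for r in resources if in_collection(r, spec)]
            for name, spec in collections.items()}

def unscoped(resources, collections):
    """Resources no collection selects: blind spots during triage."""
    return [r["hostname"] for r in resources
            if not any(in_collection(r, s) for s in collections.values())]

if __name__ == "__main__":
    for name, hosts in scope(RESOURCES, COLLECTIONS).items():
        print(f"{name}: {hosts}")
    print("unscoped:", unscoped(RESOURCES, COLLECTIONS))
```

Running a dry check like this against an exported inventory shows which resources a planned set of patterns would leave outside every collection before an incident forces the question.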
There are several options to create nested scoping within your collection.
The easiest way to achieve primary scoping is through a color code that can be associated with a type of environment, team, business unit, or stage in your software development lifecycle that a resource may reside in. There is little to no limitation on how you can define your scoping.
There are 20 unique color codes available to you within this primary scoping. To make the best use of these available values, select a dimension of your scoping that is relatively static and has fewer than 20 members. This could be a business unit: if, for example, you are a pharmaceutical company with business units in research, accounting, human resources, technical support, management, cloud technology, and growth, you could assign a color code to each business unit to standardize the scoping of your cloud resources.
Figure 3: Color Code scoping
The last scoping tool discussed in this article is tagging (Manage > Collections and Tags > Tags). Though it does not correlate directly to what can be used within a collection, tagging helps with incident response by letting you associate a tag with either an individual CVE or a package within an individual CVE that is available in the threat intelligence feed. The tag can then be applied to a vulnerability rule and an alert profile, so that if you had a security incident involving a CVE such as CVE-2021-44228, the rule would send a notification to the alert profile whenever that tagged CVE is detected.
Figure 4: Define Tags
To further study this topic, check out this previous article: Understanding the Security Posture of your Organization - log4j.
You now have the tools to effectively scope the cloud resources that you onboard into the console.
Prisma Cloud Administrator’s Guide (CWP): Collections
RD Singh is a senior customer success engineer specializing in Prisma Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. RD uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverages their multi-industry knowledge to inspire success.