Prisma Cloud CWP Radar


Pramod Dhamenia, Senior Cloud Security Engineer

 

Introduction

Cloud technology has evolved rapidly over the last decade, bringing benefits such as agility, scalability, flexibility and cost optimization over traditional on-prem data centers, and accelerating innovation and product delivery in organizations.

However, agility comes with challenges such as blind spots in visibility and limited security. Prisma Cloud Runtime Security provides tools that give your organization visibility and security across your cloud environment. In this article, we explore the visibility tools that Prisma Cloud provides for your cloud environments.

 

Radar

 

Radar (Radio detection and ranging) is a military term for detecting, locating, tracking, and recognizing objects of various kinds at considerable distances. The targets may be aircraft, ships, spacecraft, automotive vehicles, astronomical bodies, or birds, insects, and rain.

Prisma Cloud Runtime Security (formerly known as CWP, Cloud Workload Protection) Radar provides the ability to detect and protect your cloud-native assets via Cloud discovery. Prisma Cloud breaks down the silos between different Business Units and provides a centralized dashboard for your next-generation cloud-native assets via Radar.

Radar is a single pane of glass for various security personas. It gives a 10,000-foot, bird's-eye overview of which assets have been deployed in your cloud environment, and a detailed view providing environment-specific information such as OS distribution, Kubernetes version, vulnerabilities present, and compliance issues.

 

The Default View of Radar

 

When you select Runtime Security in Prisma Cloud, you start in Radar:

Figure 1: Radar Menu

 

2.0 Radar Pivots

 

Radar contains a number of views:

 

  1. Cloud
  2. Hosts
  3. Containers
  4. Serverless

 

2.1 Cloud Pivot

 

The Cloud pivot presents a global view of the Cloud Service Providers (CSPs) in use, broken down by region.

Figure 2: Cloud Pivot on Radar

 

Filters such as Regions, Provider, Services, and Account Names can be used to view specific information.

 

Figure 3: Filters on Cloud Pivot

 

Information about a regional cloud data center can be viewed by clicking on its dot. This gives details about the regional data center, including which services are protected and which are unprotected.

Figure 4: Deployed assets view on Cloud Pivot

 

When the view is switched from “Accounts” to “Services”, you also have the option to defend unprotected cloud accounts via Agentless scanning.

 

2.2 Host Pivot

 

The Host pivot presents a graphical view of all the virtual machines discovered in your Cloud Accounts, together with the network communication paths between them.

Figure 5: Host Pivot on Radar

 

When you click on a host, you see a high-level risk summary that covers attributes such as environment, network, and web traffic communication (WAAS). Information such as the most critical vulnerability and compliance risks, runtime audits, and incidents is all available from this view.

Forensic data is available for hosts involved in an incident, and warnings such as “host involved in an incident” and “unprotected web application running on the host” are displayed in red at the top of the popup.

Figure 6: Detailed Host information on Radar


2.3 Container Pivot

 

The Container pivot presents a view of all clustered and non-clustered container environments. You can explore container-level detail in the same way as host-level detail in the Host pivot.

Figure 7: Container Pivot on Radar

 

Prisma Cloud shows the network communication paths between containers, namespaces, and outbound gateways in a graphical view.

Figure 8: Kubernetes Clustered view on Radar

Figure 9: Namespace-specific view on Radar

 

When a container is explored further, image information, cluster, namespace, OS distro, and service accounts are available in addition to the high-level risk summary also shown on the Host pivot.

Figure 10: Detailed Container-specific information on Radar

 

Additional microservice architecture information is also available:

  • container-to-container communication within a namespace
  • containers communicating outside their namespace, with the TCP ports used
  • frontend gateway communications

Figure 11: Container-to-container communication information on Radar

Figure 12: Frontend container to Internet communication information on Radar


2.4 Serverless Pivot

 

The Serverless pivot provides a view of AWS Lambda functions, showing how each function is invoked via its triggers and which services the Lambda functions use.

Figure 13: Serverless graph view on Radar


You can use filtering to find:

  1. an application-specific function,
  2. which functions are defended or undefended, or
  3. how many Lambda functions exist in a given AWS account.

 

Other filtering options include:

 

Figure 14: Filters for Serverless Pivot on Radar

 

Detailed information about a Lambda function can be found by clicking on its node. In addition to the details you have seen in the other pivots, the Serverless pivot also displays the permissions on services that have been granted to the selected Lambda function.

Figure 15: Detailed Serverless Function information on Radar

By clicking on a specific service under Services, Prisma Cloud also displays the IAM permissions the Lambda functions have been granted on that service. In the figure below, Prisma Cloud displays which functions can access the S3 service.

Figure 16: Functions accessing the AWS S3 Service on Radar

 

By clicking on Actions under the Details tab, Prisma Cloud displays the exact permissions granted to the Lambda function. The figure below shows the specific actions this Lambda function is allowed on the specified resources.

Figure 17: A Lambda function with specific permissions assigned for the AWS S3 Service on Radar
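The two views described above (which functions can reach a service, and which concrete actions one function holds on which resources) amount to evaluating each function's execution-role policy for that service. The following is an added example, not Prisma Cloud code: it takes constructed IAM policy statements for three hypothetical Lambda functions, expands action wildcards against a small constructed action catalogue, applies the IAM rule that an explicit Deny overrides an Allow, and returns the same two answers Radar shows in its Services and Actions views. Function names, account numbers and resource ARNs are made up for illustration; policy conditions are deliberately ignored.

```python
"""Enumerate what Lambda execution-role policies permit on a given AWS service.

Added example, not Prisma Cloud code. Function names, ARNs and the
action catalogue below are constructed for illustration only.
"""
from fnmatch import fnmatchcase

# Constructed sample: each Lambda function mapped to the policy statements of
# its execution role. Not real accounts, functions or buckets.
FUNCTION_POLICIES = {
    "order-processor": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::orders-bucket/*"},
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
    ],
    "report-generator": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
         "Resource": "*"},
    ],
    "health-check": [
        {"Effect": "Allow", "Action": "dynamodb:GetItem",
         "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/status"},
    ],
}

# Constructed subset of concrete actions, used to expand wildcards such as
# "s3:*". A real inventory would come from the full IAM action list.
KNOWN_ACTIONS = {
    "s3": ["GetObject", "PutObject", "DeleteObject", "ListBucket", "DeleteBucket"],
    "logs": ["CreateLogGroup", "CreateLogStream", "PutLogEvents"],
    "dynamodb": ["GetItem", "PutItem"],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def expand_actions(pattern, service):
    """Return the concrete '<service>:<Action>' names an IAM action pattern matches."""
    svc, _, act = pattern.partition(":")
    if svc not in (service, "*"):
        return set()
    return {f"{service}:{a}" for a in KNOWN_ACTIONS.get(service, [])
            if fnmatchcase(a, act or "*")}


def effective_permissions(statements, service):
    """(action, resource) pairs allowed on `service` after explicit Denies.

    Simplified IAM evaluation: an explicit Deny whose resource pattern covers
    an allowed resource cancels that Allow. Conditions are ignored.
    """
    allowed, denied = set(), set()
    for stmt in statements:
        target = allowed if stmt["Effect"] == "Allow" else denied
        for pattern in _as_list(stmt.get("Action", [])):
            for action in expand_actions(pattern, service):
                for resource in _as_list(stmt.get("Resource", [])):
                    target.add((action, resource))
    result = {
        (action, resource) for action, resource in allowed
        if not any(d_action == action and fnmatchcase(resource, d_resource)
                   for d_action, d_resource in denied)
    }
    return sorted(result)


def functions_with_access(policies, service):
    """Which functions can reach the service at all (the Services view)."""
    return sorted(name for name, stmts in policies.items()
                  if effective_permissions(stmts, service))


def actions_for_function(policies, function, service):
    """The concrete actions one function holds on the service (the Actions tab)."""
    return effective_permissions(policies[function], service)


if __name__ == "__main__":
    for name in functions_with_access(FUNCTION_POLICIES, "s3"):
        for action, resource in actions_for_function(FUNCTION_POLICIES, name, "s3"):
            print(f"{name}: {action} on {resource}")
```

The Deny handling is what makes the output useful to a reviewer: `report-generator` holds `s3:*` on every resource, but after its explicit Deny the listing shows only the non-destructive actions, which is the effective permission set rather than the literal policy text.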


Prisma Cloud can also find which triggers have been created for a specific event type.

Figure 18: Lambda Triggers

 

3.0 Radar Settings


Radar Settings let you specify which network connections are monitored, that is, whether to monitor connections between containers

  • on a single host
  • across all hosts

Figure 19: Radar Settings


Prisma Cloud also lets you create groupings of objects on the Radar pivots, called Network Objects.

  • Image, Network (Subnet), Host and DNS are the supported network object types.
  • For the Image and Host types, the scope is selected from defined collections.
  • For Subnet, a single IP address or a range of IP addresses can be defined.
  • For DNS, a value such as “google.com” or “8.8.8.8” can be defined.

Figure 20: Network Object Types

See the Prisma Cloud Administrator’s Guide [1] for further details on Network Objects.

 

3.1 Decoding the color code in Radar

Nodes are color coded in 5 colors (plus gray for serverless functions) so that security risks can be identified easily.

  • Dark Red – High risk. One or more critical severity issues detected
  • Red – High severity issues detected
  • Orange – Medium severity issues detected
  • Yellow – Low severity issues detected
  • Green – No issues detected
  • Gray – Applies only to serverless functions and denotes that Prisma Cloud has not been configured to scan this function for vulnerability and compliance issues

Figure 21: Nodes with different color codes

 

This color coding applies to all workload types: Hosts, Containers and Serverless. You can also switch the risk type between Vulnerabilities, Compliance and Runtime for all workload types.

 

3.2 Understanding special symbols and networking in Radar

 

When an unprotected web application is detected, it is shown with a red struck-through firewall symbol.

Figure 22: Unprotected Web Application Symbol

 

The number in the circle reflects the number of containers running in a specific pod. The color of the circle specifies the state of the container’s runtime model. A blue circle indicates the container’s model is still in learning mode while a black circle indicates the container’s model is activated. 

 

A globe symbol indicates that a container can access the Internet.

 

Connections between running containers are depicted as arrows in Radar. A dotted line reflects an existing network path between pods; once traffic is observed on that path, the dotted line becomes a solid line.

 

Figure 23: Network connections between 2 container pods

Figure 24: Network connections between 2 container pods


Prisma Cloud can also discover an Istio service mesh if Defenders are deployed with the “Monitor Istio” feature enabled. Once successfully deployed, the pods display the Istio logo.

Figure 25: Istio enabled monitoring


4.0 Conclusion

 

Prisma Cloud Runtime Radar is an important interface for monitoring cloud security assets. Radar gives visibility into your microservices environment for known and unknown traffic and prevents lateral movement.

Radar collates all the data in Prisma Cloud and provides bird's-eye visibility at first glance. It also provides a detailed view of the different kinds of assets to identify security risks such as vulnerabilities, compliance issues, runtime events, and web application and API traffic.

 

The importance of Radar lies in its ability to visualize cloud-based application/microservices architectures for inter-network and intra-network connections between containers, apps, and cluster services across your environment.

 

Reference

 

[1] Prisma Cloud Administrator’s Guide (Compute), Prisma Cloud RADAR

 

About the Author

 

Pramod Dhamenia is a senior cloud security engineer specializing in Prisma Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. Pramod uses a collaborative and consultative approach to break down complex cyber security problems into solutions for global enterprise customers and leverages their multi-industry knowledge to inspire success.

Last Updated: 01-25-2024 09:22 AM