Understanding the Attack Surface Using Prisma Cloud SaaS
by RD Singh and Muhammad Rehan
The recent Log4Shell and SpringShell vulnerabilities created havoc for many organizations that struggled to discover the impacted resources. Palo Alto Networks Prisma Cloud (CSPM and CWPP) can not only help organizations discover the impacted resources, but can also prevent the exploit from succeeding.
In this article, we will walk you through how to leverage the Prisma Cloud Product in order to gain visibility of your cloud resources.
How Prisma Cloud Can Help
The Palo Alto Networks Prisma Cloud Security Platform can detect Log4Shell and SpringShell attack payloads sent to applications. Just as importantly, Prisma Cloud users can easily identify the software components affected by these vulnerabilities.
The Prisma Cloud Intelligence Stream (IS) automatically updates to include the vulnerability information from official vendor feeds. This allows Prisma Cloud to directly reflect any updates or analysis by Linux distribution and application maintainers, allowing Prisma Cloud to detect any affected hosts, images, containers and functions.
Figure 1: Log4Shell CVEs in the Intelligence Stream
Query Your Environment for Impacted Resources
Prisma Cloud's Resource Query Language (RQL) provides a quick and easy way to query for impacted resources. In this case, users can first isolate assets that carry the vulnerabilities and then prioritize further by looking for the subset that is Internet-exposed and actually exchanging traffic.
The RQL below lists the instances in your cloud that have the Log4Shell (CVE-2021-44228) and/or SpringShell (CVE-2022-22965 in Spring Framework, CVE-2022-22963 in Spring Cloud Function) vulnerabilities.
Note: RQL is available only in the Prisma Cloud SaaS (CSPM) console.
config from cloud.resource where finding.type IN ( 'Host Vulnerability', 'Serverless Vulnerability', 'AWS GuardDuty Host') AND finding.name IN ('CVE-2022-22963', 'CVE-2022-22965', 'CVE-2021-44228')
Figure 2: Config RQL to discover the vulnerable instances
The following network RQL narrows that set to instances that carry one of these CVEs (CVE-2021-44228, CVE-2022-22963 or CVE-2022-22965) and have flow-log records with bytes > 0 to Internet or suspicious IPs. As written, the vulnerable instance is the flow source, so the query matches outbound connections such as the JNDI/LDAP callback that Log4Shell exploitation triggers; swap the source and destination attributes if you want to look for inbound traffic arriving from public IPs instead:
network from vpc.flow_record where bytes > 0 AND source.resource IN ( resource where finding.type IN ( 'Host Vulnerability', 'AWS GuardDuty Host') AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2022-22963', 'CVE-2022-22965', 'CVE-2021-44228') ) AND destination.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Figure 3: Network RQL to discover vulnerable instances exchanging traffic with Internet or suspicious IPs
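As an added example (not code from this article or from Palo Alto Networks), the Python below builds the two queries above for an arbitrary CVE list, validates each CVE identifier before splicing it into RQL so that a query string can never be altered by a malformed value, and ranks the results so that vulnerable instances that also show traffic to Internet or suspicious IPs are handled first. The `/login`-issued token in the `x-redlock-auth` header and the `/search/config` and `/search` endpoints are assumed to follow the public Prisma Cloud CSPM API reference; the record shapes consumed by `triage()` are simplified and constructed here rather than the API's exact response schema, and all sample data is constructed.

```python
"""Build the article's RQL queries for a CVE list and triage the results.

Added example, not Prisma Cloud's own code. Assumptions: the CSPM API base
URL, the /search/config and /search endpoints and the x-redlock-auth header
follow the public API reference; the record shapes used by triage() are
simplified and constructed for this example.
"""
import json
import re
import urllib.request

# Whitelist: only well-formed CVE ids may enter a query string.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
FINDING_TYPES = ("Host Vulnerability", "Serverless Vulnerability", "AWS GuardDuty Host")


def is_cve(value):
    """True if value looks like CVE-YYYY-NNNN (4 or more trailing digits)."""
    return bool(CVE_RE.match(value))


def validate_cves(cves):
    """Reject anything that is not a CVE id before it reaches RQL."""
    bad = [c for c in cves if not is_cve(c)]
    if bad:
        raise ValueError(f"not CVE identifiers: {bad}")
    return list(cves)


def rql_list(values):
    """Render a sequence as an RQL IN-list: ('a', 'b')."""
    return "(" + ", ".join(f"'{v}'" for v in values) + ")"


def config_rql(cves, finding_types=FINDING_TYPES):
    """Config RQL from the article: resources carrying any of the CVE findings."""
    cves = validate_cves(cves)
    return (
        "config from cloud.resource where finding.type IN "
        f"{rql_list(finding_types)} AND finding.name IN {rql_list(cves)}"
    )


def network_rql(cves):
    """Network RQL from the article: vulnerable instance as flow source,
    talking to Internet or suspicious IPs (outbound direction, as on the page)."""
    cves = validate_cves(cves)
    return (
        "network from vpc.flow_record where bytes > 0 AND source.resource IN "
        "( resource where finding.type IN ( 'Host Vulnerability', 'AWS GuardDuty Host' ) "
        "AND finding.source IN ( 'Prisma Cloud' ) "
        f"AND finding.name IN {rql_list(cves)} ) "
        "AND destination.publicnetwork IN ('Internet IPs', 'Suspicious IPs')"
    )


def run_rql(base_url, token, query, hours=24):
    """POST a query to the CSPM search API and return the parsed JSON.
    Never called at import time; needs a real tenant URL and API token."""
    endpoint = "/search/config" if query.startswith("config ") else "/search"
    body = json.dumps({
        "query": query,
        "timeRange": {"type": "relative", "value": {"unit": "hour", "amount": hours}},
    }).encode()
    req = urllib.request.Request(
        base_url + endpoint, data=body, method="POST",
        headers={"Content-Type": "application/json", "x-redlock-auth": token},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def triage(config_items, flow_records):
    """Rank vulnerable resources: those that are also the source of flows to
    public IPs come first, ordered by bytes to 'Suspicious IPs', then total
    bytes. Returns (resource_id, tier, suspicious_bytes, total_bytes) tuples.
    Record shapes are constructed for this example, not the API's schema."""
    vulnerable = {item["id"] for item in config_items}
    total, suspicious = {}, {}
    for rec in flow_records:
        src = rec["source"]
        if src not in vulnerable:
            continue  # traffic from non-vulnerable hosts is out of scope here
        total[src] = total.get(src, 0) + rec["bytes"]
        if rec["destinationPublicNetwork"] == "Suspicious IPs":
            suspicious[src] = suspicious.get(src, 0) + rec["bytes"]
    ranked = [
        (rid, "exposed" if rid in total else "vulnerable-only",
         suspicious.get(rid, 0), total.get(rid, 0))
        for rid in vulnerable
    ]
    ranked.sort(key=lambda r: (r[1] != "exposed", -r[2], -r[3], r[0]))
    return ranked


# Constructed sample data standing in for data.items of /search/config and
# for summarized flow-log rows from /search.
SAMPLE_CONFIG_ITEMS = [
    {"id": "i-0aaa", "name": "web-1"},
    {"id": "i-0bbb", "name": "batch-1"},
    {"id": "i-0ccc", "name": "api-1"},
]
SAMPLE_FLOWS = [
    {"source": "i-0aaa", "destinationPublicNetwork": "Internet IPs", "bytes": 1200},
    {"source": "i-0ccc", "destinationPublicNetwork": "Suspicious IPs", "bytes": 300},
    {"source": "i-0ccc", "destinationPublicNetwork": "Internet IPs", "bytes": 50},
    {"source": "i-0ddd", "destinationPublicNetwork": "Internet IPs", "bytes": 99999},
]

if __name__ == "__main__":
    cves = ["CVE-2021-44228", "CVE-2022-22963", "CVE-2022-22965"]
    print(config_rql(cves))
    print(network_rql(cves))
    for row in triage(SAMPLE_CONFIG_ITEMS, SAMPLE_FLOWS):
        print(row)
```

In the sample, `i-0ccc` ranks first because it is vulnerable and has sent bytes to a suspicious IP, `i-0aaa` follows as vulnerable with ordinary Internet traffic, and `i-0bbb` is vulnerable but shows no public traffic; `i-0ddd` is dropped because it is not in the vulnerable set. To run against a tenant, obtain a token from `/login` with an access key pair and pass it to `run_rql()` along with the tenant's API base URL.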
In addition to RQL, Prisma Cloud Compute's Vulnerability Explorer lets you search for a specific CVE across the hosts, images, containers and functions on which Defender agents are deployed.
Note: Prisma Cloud Compute must be enabled to view the Vulnerability Explorer within the Prisma Cloud SaaS console.
Figure 4: CVE search result in Vulnerability Explorer
The below screenshot is an example of container image details where CVE-2022-22965 is shown as Critical.
Figure 5: Image details
The Log4Shell and SpringShell vulnerabilities are high-impact vulnerabilities that are easy for attackers to exploit and have far-reaching consequences on the industry as a whole. In this post, we discussed some detection and prevention strategies for these particular vulnerabilities, and showcased detection capabilities of the Prisma Cloud Security Platform.
Prisma Cloud can help in detecting all vulnerable instances in your deployments. Prisma Cloud Compute vulnerability policies can also be configured to block images that carry these CVEs from being deployed, and runtime and WAAS rules can stop the exploit traffic itself.
A complete proof-of-concept of Prisma Cloud protections for Log4Shell exploits, including runtime and WAAS protections, can be found in this video.
About the Authors:
RD Singh and Muhammad Rehan are senior customer success engineers specializing in Prisma Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. They use collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage their multi-industry knowledge to inspire success.