Incident response is a daily problem to solve in cybersecurity. Bad actors are constantly looking for new ways to hack into an enterprise. Due to the consequences of ill-intentioned hacking causing potential distress at a global scale, we all have a responsibility to be as prepared as possible to better protect our environments by the proactive action of incident response. Through the Cloud Workload Protection Platform (CWPP) of Prisma Cloud, there are ways to be proactive in achieving goals in incident response while creating protocols to coherently scope your applications and accounts in these environments. In this article, you will learn about the primary scoping utility that is available to you in the console through collections and approaches to optimally create scope.   When utilizing the Prisma Cloud Compute Console, a tool that can help you have the most efficient environmental setup within each cloud environment is collections . Collections allow you to be able to have the scoping that is necessary to be able to triage your incident response as well as proactively give you the capabilities that you will need to be able to report on any incident. Collections will also allow you to have an organized view into your cloud resources to be able to better help with your use cases. If your cloud environment is disorganized at the cloud service provider level, it will be a good practice to begin to organize these environments. One option is to look within the console to be able to work backwards in creating this coherency in every environment over time. Let’s begin to take a look at how collections can help you to have a better experience in utilizing cloud security technologies. 

Prisma Cloud Compute protects your containerized environment according to the policies you set in Prisma Cloud Console. Watch this demo with RD Singh, Sr. Customer Success Engineer, to learn how to Protect AWS ECS EC2 nodes and Fargate task with Prisma Cloud Compute Defender.

In December 2022 we released latest capabilities for Prisma Cloud Compute including API Risk Profiling, Enhanced Vulnerability Explorer, App Control for Hosts and Container support for Agentless Workload Scanning. We would like to showcase and demo new functionalities.

Prisma Cloud Compute provides a dynamic admission controller for Kubernetes and OpenShift that is built on the Open Policy Agent (OPA). Watch this demo with RD Singh, Sr. Customer Success Engineer, to learn how to enable dynamic admission controller to intercept admission requests to API Server, and then accept or reject those requests as per admission policy configured in the Prisma Cloud Compute. Note: Prisma Cloud currently does not support Admission Controller for Windows. To read the step-by-step instructions outlined in this video, visit our TechDocs:  Access Control: Open Policy Agent

This guide describes how to configure agentless vulnerability and compliance scanning for virtual machines in Microsoft Azure subscriptions.   This article will use a credential dedicated to the agentless scanning process.  In Prisma Cloud Enterprise Edition  / SaaS, you have the additional option of using a Prisma Cloud onboarded account credential which will be covered in a future article. The creation and use of an Azure service principal credential are also supported in SaaS.

Prisma Cloud Compute Agentless scanning enables you to quickly gain comprehensive visibility into vulnerability and compliance risks without having to install an agent on each host.   Cloud environments are dynamic in nature. Prisma Cloud gives you the flexibility to choose between agentless and agent-based security. At this time, Prisma Cloud supports agentless scanning of VMs on AWS, GCP and Azure.   This article outlines the process of setting Prisma Cloud Compute Agentless to scan Google Cloud Platform (GCP) Compute Engine to discover vulnerabilities and compliances.  

Throughout the security lifecycle of an application or cloud environment it is important to be able to understand the tools available to each security professional. One of the best tools for any security professional to be able to use is scripting. Scripting allows one to create a program that automates an individual task and, when coupled with the Prisma Cloud Compute Workload Protection Platform (CWPP), you can effectively complete your use cases with ease. All that it takes to create a script is an understanding of the tools available to you, practice, and studying the available documentation of API calls that can interface with your scripting program.    Through the CWPP API and this article, you will be able to begin to establish a new way to be able to solve your company’s problems while enhancing your available tools in problem solving. In this article, we are utilizing a SaaS CWPP console for the examples and a text editor which can save text files for scripting along with a linux command line available in MacOS terminal or in Windows with Subsystem for Linux.    When interacting with a command line, you can type directly into the command prompt. As an example, to help those of you who have not yet worked with a Linux command line, you can navigate to different directories using the “cd” or ‘current directory’ command. You can determine the path to your current directory by typing “pwd,” or ‘print working directory’, and you can list the files in the current directory using “ls”.

Many in the security industry have been pondering recently whether “agentless” or “agents” are most effective. The answer is simple: use both for comprehensive security. With that vision in mind, Prisma Cloud is proud to be the first security platform to offer both agent-based and agentless security together from a single solution, giving you and your teams the flexibility and choice to deploy or activate the right method of protection in a mixed environment. As a part of Prisma Cloud 3.0 launch, we announced the introduction of agentless security in addition to already available agent-based security to provide comprehensive security coverage.   Come learns what the new V2 release brings in this webinar

“What could you have done better as an organization to adjust to Log4J?”  This question has resonated with the cybersecurity community for a while now. Within the capabilities of the Prisma Cloud product here at Palo Alto Networks, there are a number of threat landscape views and preventative tools that are available to customers.    In this article, we will review some of the core features that security professionals can utilize to be notified of CVE detection, available API calls within the Prisma Compute console that will help to give a quick view into resources affected by Log4J through the correlated CVE, as well as some advanced preventatives, such as creating a custom CVE or uploading an MD5 malware hash, that are available to users of the console. With these additional tools there will be a better understanding of not only how to get a grasp around aspects of the threat landscape of Log4J in your environment, but also a better way to approach potential future zero-days through utilization of the capabilities of Prisma Cloud.  

Understanding the Attack Surface Using Prisma Cloud SaaS by RD Singh and Muhammad Rehan   Recent Log4Shell and SpringShell vulnerabilities created havoc for many organizations struggling to discover the impacted resources. The Palo Alto Networks Prisma Cloud (CSPM and CWPP) not only can help the organizations to discover the impacted resources, but can also protect the exploit from happening.   In this article, we will walk you through how to leverage the Prisma Cloud Product in order to gain visibility of your cloud resources.   How Prisma Cloud Can Help   The Palo Alto Networks Prisma Cloud Security Platform can detect and identify Log4Shell and SpringShell attack payloads sent to applications. The good news is that Prisma Cloud users can easily detect software components affected by these vulnerabilities.    The Prisma Cloud Intelligence Stream (IS) automatically updates to include the vulnerability information from official vendor feeds. This allows Prisma Cloud to directly reflect any updates or analysis by Linux distribution and application maintainers, allowing Prisma Cloud to detect any affected hosts, images, containers and functions. Figure 1: Log4Shell CVEs in the Intelligence Stream   Query Your Environment for Impacted Resources   Prisma Cloud’s Resource Query Language (RQL) provides a quick and easy way to query for resources impacted. In this case, users can utilize the Prisma Cloud platform's capabilities to isolate assets with vulnerabilities and prioritize further by looking for internet-exposed assets receiving traffic.   The below RQL lists the instances in your cloud that have the Log4Shell (CVE-2021-44228) and/or SpringShell (CVE-2022-22963 or CVE-2022-22965) specific vulnerabilities.    Note: RQL is only applicable to the Prisma Cloud SaaS.   config from cloud.resource where finding.type IN ( 'Host Vulnerability', 'Serverless Vulnerability', 'AWS GuardDuty Host') AND finding.name IN ('CVE-2022-22963', 'CVE-2022-22965', 'CVE-2021-44228')   Figure 2: Config RQL to discover the vulnerable instances   Here is the RQL to know the Internet exposed instances that are receiving traffic in your cloud and have the Log4Shell (CVE-2021-44228) and/or SpringShell (CVE-2022-22963 or CVE-2022-22965) specific vulnerabilities:   network from vpc.flow_record where bytes > 0 AND source.resource IN ( resource where finding.type IN ( 'Host Vulnerability', 'AWS GuardDuty Host') AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2022-22963', 'CVE-2022-22965', 'CVE-2021-44228') ) AND destination.publicnetwork IN ('Internet IPs', 'Suspicious IPs')   Figure 3: Config RQL to discover the vulnerable instances   In addition to RQL Prisma Cloud Compute can help to search for the specific CVE in Vulnerability Explorer where Defender agents are deployed.   Note: The Prisma Cloud Compute needs to be enabled to view the Vulnerability Explorer within the Prisma Cloud SaaS.   Figure 4: CVE search result in Vulnerability Explorer The below screenshot is an example of container image details where CVE-2022-22965 is shown as Critical.   Figure 5: Image details Conclusion   The Log4Shell and SpringShell vulnerabilities are high-impact vulnerabilities that are easy for attackers to exploit and have far-reaching consequences on the industry as a whole. In this post, we discussed some detection and prevention strategies for these particular vulnerabilities, and showcased detection capabilities of the Prisma Cloud Security Platform.    Prisma Cloud can help in detecting all vulnerable instances in your deployments. Prisma Cloud may also be configured to fully prevent running any vulnerable images or hosts.   A complete proof-of-concept of Prisma Cloud protections for Log4Shell exploits, including runtime and WAAS protections, can be found in this video . References : https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/ https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/   About the Authors: RD Singh and Muhammad Rehan are senior customer success engineers specializing in Prisma Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. They use collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage their multi industry knowledge to inspire success.      

Prisma Cloud provides comprehensive security for the cloud-native application’s entire journey from code to cloud. In this session, hear from the product team about the exciting new features that deliver unification of assets & alerts across the platform and several other features on tap for delivery in the near term. This session will also cover updates to the Cloud Security Posture Mgmt. and Identity security areas.   Session 1 Prisma Cloud Security Platform - Integrated Platform Experience, CSPM, and CIEM Updates June 2022   Session 2 Prisma Cloud’s Compute Workload & Code Security - New Release Updates June 2022

A best practice in security is alerting on the assets that you find most critical.  The concept of vulnerability and exploit defines that a vulnerability can be exploited.