A best practice in security is alerting on the assets that you find most critical. The concept of vulnerability and exploit defines that a vulnerability can be exploited.
Once the Prisma Cloud tool completes the data ingestion, the organization of the data can be daunting. The approach of stepping back into a design mindset is the value and the benefit of organizing first and then ingesting the data.
Some companies start with the database servers due to the corporate rules, and discovered the non-conformed rules (taxonomy) and enforced compliance they could not put in place due to the flat structure of data.
Figure 1: 3-Tier architecture for a Web Application_palo-alto-networks (Web servers, database servers, and middleware servers)
A single dashboard allows cloud security engineers to filter out the alerts to the proper groups for alert resolution in Prisma Cloud Compute.
Figure 2: Prisma Cloud Compute Dashboard_palo-alto-networks (filtered down to the Acmeshop application vulnerabilities)
Figure 3: Prisma Cloud Compute Dashboard_palo-alto-networks (Sock Shop is an internal product that is used to track sock inventory before sending the data to the external application from where customers would purchase the socks. This view is filtered down to the Sock Shop application vulnerabilities)
The teams continue process improvement by fine tuning the rules to reduce the number of vulnerable assets. As an example, the security team can explain when a driver needs to be updated to remove the vulnerability in the application, and if the OS needs attention from the system administrator to update the Apache server. There are requirements for teams to handle 1000 AWS accounts, 500 GCP accounts and 1400 Azure AD accounts for an organization, and this drives the need to organize the complexity.
Our recommended approach begins with the current state discovery where customers shine light on the areas that are most crucial for security, while your entire environment is scanned.
Group the compute resources to the lowest level of detail possible, and prioritize any vulnerabilities by severity of risk:
Group by importance, based on what is the most vulnerable system, and what has the most sensitive information. Remember to review three key items:
For financial and banking industry customers, it may be critical to organize the environment by resources that belong to an application, or by a specific resource group such as “Accounting Team,” or “System Administrator” or “Development Team.” When organizing your resources in Prisma Cloud Compute to send your alerts, consider the most granular way to organize - by host, cluster, and application. This will help you when you get to Runtime rules specifically designed to be detailed and granular. Once your environments are organized, you can set specific runtime rules for each application. Database servers may have different runtime rules than the application servers.
In conclusion, remember to start with design and organize your infrastructure resources in a tool to help you navigate the attack surface landscape. Completing this activity before you turn on the rules will help reduce the alert fatigue, and bring the alerts from 10,000 to 3,000. This will allow you to focus on what matters most: protecting your enterprise from vulnerabilities and making each day safer than the one before.
