Cavirin Blog

It’s the week of Google Cloud NEXT and, as a Google Cloud Technology Partner, we are glad to see our efforts to add Google Cloud Platform (GCP) into the Cavirin family of cloud security products succeed. The March 2017 release of Cavirin's platform will include support for continuous security assessment of workloads on GCP, and marks a major milestone in our company’s vision to be the provider of a consistent security solution across workloads running on multiple cloud providers’ platforms.

Regardless of the public cloud platform of choice for the enterprise, the fundamental problems remain, and manifest themselves in the form of the following questions:

  • As a CIO or CISO of the enterprise, can I safely migrate my business-critical workloads to the public cloud, and still have the same level of security management built over years of operational experience within my private data center?
  • Knowing that security operations in the cloud is a totally different ball game, particularly given the “shared responsibility model” expected by the cloud providers, will I have a “security companion” to make migration less risky?
  • Once in the cloud, will I continue to be able to run my business-critical workloads securely, with an ability to monitor the risk posture quantitatively, and be able to report to the management and board convincingly about our security?

These are fair questions, and they can be expected to arrive at a faster rate as the trend towards public cloud migration of enterprise workloads intensifies. This was also confirmed by Diane Greene, the senior VP of Google Cloud, with the announcement this week of major names using GCP that include Disney, Home Depot, Verizon and Colgate-Palmolive.

We, at Cavirin, look at cloud security through a single prism: regardless of what cloud an enterprise may adopt, cloud security assessment/monitoring must be simple, canonical and consistent across the clouds. This seemingly simple objective, when viewed from the multitude of differences in today’s cloud topologies and operational procedures, gains significant importance since it allows us to address the cloud security concerns with a simple model.

Within Cavirin’s cloud security products the security orchestration is straightforward: with a few mouse clicks from our Control Plane user interface (or with the invocation of a few REST APIs, if you are a DevOps or SecOps professional), you can discover your GCP infrastructure assets, identify the resources with comprehensive details, assess & harden the resources against security benchmarks (CIS & DISA), and do this automatically and continuously.

The primary objective of this practice, assisted by Cavirin’s products, is to have a “security companion” for your GCP infrastructure. Fortunately, Cavirin also has the most comprehensive set of OS hardening rules that can automatically test any number of operating system versions that may be installed and operated on GCP running critical workloads. These rules and the automated tests enable the security assessment and continuous monitoring and significantly reduce the attack surfaces of our customers’ infrastructure.


This week yet another Linux vulnerability was discovered – CVE-2017-6074 – that could be exploited to gain kernel code execution from an unprivileged process. The vulnerability is associated with the DCCP protocol.

The DCCP protocol is recommended by the security benchmarks to be disabled to reduce the attack surface. 

DISA RHEL 6 STIG reads: “Disabling DCCP protects the system against exploitation of any flaws in its implementation.”

The CIS Security Benchmark for Debian 8 reads: “The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery. If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.”

Cavirin’s solution automates the assessment of these security baselines in your hybrid cloud. It continuously protects you from vulnerabilities arising out of misconfiguration and from zero-day vulnerabilities such as this one, which arise out of the default attack surface. Vulnerabilities such as these do not really bother you if you used the solution to detect the presence of such uncommon network protocols and already reduced the attack surface by disabling them altogether when not in use. You cannot really protect what you don’t see, and Cavirin’s solution helps you with security evidence, audit reports, and operational procedures instead of verbal security assurances and recommendations.
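The CIS audit for this recommendation checks two things: that a load attempt for the `dccp` module would be redirected to `/bin/true` (`modprobe -n -v dccp`) and that the module is not already loaded (`lsmod`). The script below is an added example, not Cavirin's code or the benchmark's own text; it separates the evaluation of those two outputs into a pure function so it can be exercised against constructed sample output, and assumes the override file name `/etc/modprobe.d/dccp.conf` used in the CIS remediation.

```shell
#!/bin/sh
# Added example: audit and remediate the "disable DCCP" recommendation from the
# CIS Debian 8 benchmark / DISA RHEL 6 STIG quoted above.

# evaluate_dccp <output of "modprobe -n -v dccp"> <output of "lsmod">
# Pure function over captured command output so it can run offline.
# Prints PASS or FAIL with a reason; returns 0 on PASS, 1 on FAIL.
evaluate_dccp() {
    modprobe_out=$1
    lsmod_out=$2

    # A loaded module (dccp, dccp_ipv4, ...) means the protocol is reachable now,
    # regardless of what a future load attempt would do.
    if printf '%s\n' "$lsmod_out" | grep -q '^dccp'; then
        echo "FAIL: dccp module is currently loaded"
        return 1
    fi

    # With the CIS override in place, a dry-run load prints "install /bin/true"
    # instead of the insmod path of the real module.
    if printf '%s\n' "$modprobe_out" | grep -q '^install /bin/true'; then
        echo "PASS: dccp disabled via modprobe install override and not loaded"
        return 0
    fi

    echo "FAIL: dccp not disabled (load attempt would run: $modprobe_out)"
    return 1
}

# remediate_dccp: write the override the CIS remediation describes (needs root).
# File name /etc/modprobe.d/dccp.conf is the one used in the benchmark text.
remediate_dccp() {
    printf 'install dccp /bin/true\n' > /etc/modprobe.d/dccp.conf
}

# audit_live_host: gather real output from this host and evaluate it.
audit_live_host() {
    evaluate_dccp "$(modprobe -n -v dccp 2>&1)" "$(lsmod 2>/dev/null)"
}
```

Run `audit_live_host` on a host to get the PASS/FAIL line; a FAIL followed by `remediate_dccp` and a reboot (or `rmmod` of any loaded dccp modules) brings the host into the recommended state.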

First of a multi-part series on the CIS benchmarking process, by Pravin Goyal.

ON CIS BENCHMARKS

What are CIS Benchmarks?

The CIS Security Benchmarks program provides well-defined, unbiased and consensus-based industry best practices to help organizations assess and improve their security. The Security Benchmarks program is recognized as a trusted, independent authority that facilitates the collaboration of public and private industry experts to achieve consensus on practical and actionable solutions. Because of this reputation, these benchmarks are recommended as industry-accepted system hardening standards and are used by organizations in meeting various compliance requirements such as PCI and HIPAA.

What is the typical CIS benchmark development process?

CIS Benchmarks are created using a consensus review process composed of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds such as consulting, software development, audit and compliance, security research, operations, government, and legal. Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the future versions of the benchmark.

What does it take to develop a new benchmark?

It is easy to contribute to CIS benchmarks. Just write to the CIS community program managers with your proposal for addition. The respective program manager will respond to you followed by a call to understand your proposition and discuss timelines, project announcement and project marketing to attract community participants. With some internal approvals, the project is created in around two weeks of time.

How long does it usually take to develop a new benchmark?

It usually takes around 12-24 weeks based on the number of participants in the community and the size of the project.

Who else is providing security benchmarks like CIS does?

I would say none. CIS provides the broadest set of benchmarks covering both software and hardware. These include databases, operating systems, applications, mobile operating systems, firewalls, browsers, office applications and almost anything else that touches IT. The only other agency that provides a subset of the benchmarks is DISA. Also, sometimes vendors provide security documentation in the benchmark format. For example, VMware provides a VMware vSphere hardening guide for securing vSphere deployments.

How can we contribute?

Join the existing CIS communities. It is exciting and challenging, and you will get to work with amazing people.

How do we implement CIS benchmarks in our product?

You have two ways to implement CIS benchmarks. The first one leverages the content directly from CIS. The second method is to develop your own proprietary content to implement the benchmark.

Tell us a bit about CIS Docker and CIS Android benchmarks?

Both CIS Docker and CIS Android benchmarks have fascinating community members. I had the privilege to work on both as an author. One interesting thing to note is that the CIS Docker benchmark exists from Docker version 1.6. At that time not many people knew Docker or Docker security. But the community did an amazing job by documenting 84 security recommendations! That is the power of community. I'll cover Docker and Android in more detail in a future segment.


No security means you will likely have no business in the cloud

For an engineer such as myself, who is involved in cloud computing, and generally excited about being in the middle of nothing short of a “computing revolution”, attending AWS re:invent 2016 is akin to making an annual pilgrimage. The experience of being among the fellow travelers at the expo hall, listening to keynote addresses that set the tone for next phase of cloud computing, and walking by the myriad of booths with solutions that vie with each other pushing the envelope, was nothing short of transformational.

Cavirin provides security management across physical, public, and hybrid clouds, supporting AWS, Microsoft Azure, Google Cloud Platform, VMware, KVM, and Docker.
