Cavirin Blog

CIS Google Android Benchmark

Cavirin is excited to announce the availability of CIS Android 8.0 Security Benchmark! Download your copy from CIS Website today.

Android 8.0 (a.k.a. Android Oreo) was released on eclipse day last week by Google. It brings several enhancements to improve user experience and bolster platform security.

Some of the changes that affected the security benchmark were:

  • Redesigned Settings Menu – This required us to update the audit and remediation steps for all the 39 recommendations in the benchmark. The settings area and various menus have been reorganized to make things as simple and straightforward as possible.
  • Instant apps - Instant apps allow you to use apps without installing them on your device. On clicking app links, the browser downloads and run app modules as desired by the user. The new recommendation – “1.28 Ensure 'Instant apps' is set to Disabled” reads that “Having exposure to an app like this is dangerous since any malicious link could then potentially trick the user and then browser could download the app code and run on your device without requiring installation. Also, this feature defies enterprise security that relies on blacklisting or whitelisting apps based on installation. Hence, it is recommended to turn off instant apps.” 

Control Your Container

Cavirin is pleased to announce the inclusion of the latest framework from NIST – the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 draft. The latest revision is a major update to the original 2014 document, and includes a common security vocabulary to help with cyber supply chain management.  For example, a small business selecting a cloud service provider or a federal agency contracting with a system integrator.

The overall framework is divided into five Framework Core Functions:

  • Identify (ID) - Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
  • Protect (PR) -  Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  • Detect (DE) -   Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond (RS) - Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
  • Recover (RC) - Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

Cybersecurity Framework

eBook = A Modern Approach to Securing Your Hybrid Cloud

Ten Selection Criteria, from the Cavern eBook, 'Securing Your Hybrid Cloud'

1: Flexibility

The ease of implementation and the ability to span multiple workload environments (i.e., IaaS, PaaS, on-premise, VMs, containers, and in the future, FaaS), delivering a single view, is integral for mid-size and enterprise organizations. Ideally, if initially deployed on-premise, the same tools and applications will extend into the cloud. This implies that the platform architecture has been conceived from the start for hybrid environments. Flexibility also includes ease of installation from a cloud service provider’s marketplace.

2: Extensibility

DevOps-friendly open APIs open the platform to external data sources and sinks such as IAM/PAM, SIEM/UEBA, logging, threat intelligence, or a helpdesk. This out-of-the box cloud and API interoperability is essential to accommodate business-critical applications. APIs also enable integration into an organization’s CI/CD process and their DevOps tools. This of course relates to lifecycle container support that encompasses images, the container runtimes, and orchestration.

3: Responsiveness

As today’s security threats quickly multiply, minimizing the time required for implementation and time to baseline, as well as quickly identifying any changes in posture, has become vital. This implies a microservices-based architecture for elastic scaling, and an agentless architecture that adapts well to containers and function-based workloads as well as eliminating ‘agent’ bloat that impacts CPU, memory, and I/O.

4: Agility

Permitting the organization to initially sample what part of the network (fraction of workloads) is critical to them within a given time period, and then scale from there. The cloud provides this agility, and the security tool architecture must be designed to follow suit.

5: Deep Discovery

It’s essential to automatically identify existing and new workloads as well as changes to existing ones across multiple cloud service providers, and then the ability to properly group these by function. This discovery should be a simple process, leveraging existing AuthN and AuthZ policies to avoid having to create a special IAM policy every time.

6: Broad Policy Library

The platform must support a wide range of benchmarks / frameworks / guidelines and the creation of custom polices based on workload type. These policies should automatically apply to existing and new workloads. Broad coverage also relates to OSs, virtualization, and cloud service providers. Capabilities may include OS hardening, vulnerability and patch management, configuration management, whitelisting, and system monitoring.

7: Real Time Risk Scoring Across Infrastructure

Assets, once discovered and with policies applied, must be scored. This may be individually, across different slices of the infrastructure (i.e., location, subnet, department), by workload type across environments (i.e., cloud and on-premise), or by application (i.e., PCI, web). Scoring must be prioritized, available historically, integrated with 3rd party tools for automation or into an existing UI, and most importantly, correlated. For example, an organization operates a web server farm with 10 on-premise Red Hat Enterprise Linux servers and begins to transition to the cloud. Mid-way through the migration, five web servers are on Azure, and five on-premise. If tracking PCI compliance, the tool must generate a normalized view across both environments.

8: Container (Docker) Support

Docker technology has attracted the attention of many enterprise adopters -- if you are implementing containers either on-premise or as part of a cloud deployment, you need to ensure that their workloads are secure. And, if you bring in images from a registry, you need to ensure that these are not corrupted. Many of the same capabilities described in (6) apply here as well, such as hardening, scanning, and whitelisting. One way to look at container support is across a lifecycle that includes image scanning, run-time hardening, and security at the orchestration layer.

9: Cloud-agile Pricing

Reflecting the cloud compute and storage pricing model, it’s important to adopt a pricing model that has the exibility to meet changing requirements. This may involve a SaaS offering, or connecting the back-end of the platform to the cloud service provider’s billing engine, with an ability to charge to the minute. Alternatively, pricing may be abstracted but still agile, closer to the concept of committed and burst workloads, and analogous to a cellphone provider’s rollover-minutes model. In either case, this is a departure from existing static pricing.

10: Intelligence

Predictive analytics permits the platform to ‘predict’ the outcome of change, a ‘what-if’ analysis for con gurations and OSs, is crucial in today’s quickly changing environment. It is capable of bringing in data from 3rd parties via APIs to create a more correlated view of this change. Some customers describe this as a ‘virtual whiteboard.’

For more content from the eBook go to, https://www.cavirin.com/ebook-securing-your-hybrid-cloud

eBook = A Modern Approach to Securing Hybrid Workloads

 Did you know? 

  • Through 2020, 90% of cloud breaches will be due to customer misconfiguration, mismanaged credentials, or insider theft, and not cloud provider vulnerabilities
  • 89% of breached organizations had a firewall in place at the time of compromise
  • 70% of all healthcare data breaches were due to device theft or loss
  • In one case, a US health insurer experienced a data breach of millions of patient (PHI) records, with a direct cost of only 4% but a total exposure of $1.68B

Is there a way out?

We’re pleased to announce the availability of our eBook, ‘A Modern Approach to Securing Hybrid Workloads.’  It looks at how to build an architecture that is both continuous and agile for cloud infrastructure security, reducing the potential threat of a breach by providing a single, hybrid view, across private and public clouds.  We look at the following challenges facing CISOs, their IT staff, and DevSecOps, and outline solutions.

  • What are the challenges facing today’s CISO with regard to information overload and accountability?
  • Why continuous security is so critical in the cloud and for containers
  • The shared responsibility model and where enterprises trip up
  • Fundamentals of a cloud-native security architecture including micro-services and APIs
  • Operations including an AWS CloudFormation example
  • Container security and Functions as a Service
  • Ten Selection Criteria –
    • Flexibility
    • Extensibility
    • Responsiveness
    • Agility
    • Deep Discovery
    • Broad Policy Library
    • Real-Time Risk Scoring Across Infrastructure
    • Container (Docker) Support
    • Cloud-agile Pricing
    • Intelligence
  • Benchmark Development
  • Glossary and references for cloud security

Learn more - Pick up your copy today

 

 

Cavirin provides security management across physical, public, and hybrid clouds, supporting AWS, Microsoft Azure, Google Cloud Platform, VMware, KVM, and Docker.

 

Address

5201 Great America Pkwy Suite 419  Santa Clara, CA 95054

- 1-408-200-3544

  sales@cavirin.com

  press@cavirin.com

  info@cavirin.com

Cavirin US Location