Despite these changes, we continue to observe unnecessary misconfigurations leading to incidents.
In this article, we’ll discuss how we, together with some of Norway’s largest companies, have tackled some of these challenges.
Challenges
So, what are the challenges that make cloud security different? We share some of our experiences working with organizations as part of their team and what we learn from our Cloud Security Assessments:
Cloud falls outside the competency of the security organization
A common organizational anti-pattern we encounter is that the established security team doesn’t scale or have the required knowledge to meet the cloud security challenges. The reason for this varies, but we commonly see that the security staff is not adept at the new ways of working (e.g., GitOps, Infrastructure as Code, and APIs), and doesn’t have the time to learn new technologies.
If they’re always busy chasing thousands of vulnerabilities, they won’t have time to learn Infrastructure as Code, how to use various SDKs, the cloud platform architecture, and a whole new cloud environment. Then, add a cloud container platform into the mix, and they’ll feel a complete lack of control.
Lack of visibility
Full visibility into all assets is a requirement for anyone to be in control. However, achieving full visibility is often cumbersome due to segmentation, complex applications, and applications interacting across segments. Understanding the true blast radius of any application in the cloud requires studying the intricate details of the configuration. Finding misconfigurations requires knowing every asset and how it should be consumed. Thus, achieving full visibility in the cloud is complex.
Operationalizing Cloud Security
Operationalization has been one of the most significant pain points I have experienced working with Cloud Security. How do we implement processes that allow us to work with Cloud Security continuously?
I’ve tried approaches ranging from conducting continuous assessments and outputting the findings into a ticketing system, to procuring a CSPM in 2017 that didn’t do much, to creating our own Security Posture Management tool. While all of them have helped us along the way, none has been a long-term solution to operationalizing cloud security.
Tackling these challenges
All the challenges can be solved by hard work and a clever approach, but there’s not a ‘one size fits all’ when you choose your own path.
If you’re in doubt or have decided not to choose your own path, continue reading.
O3 Cyber and Wiz
Last year, we changed our approach from being entirely independent to assessing the opportunity for partnerships that we genuinely believe can help our clients tackle these challenges.
Great technology scales our impact on clients better, and over the year we have worked with Wiz to tackle cloud security challenges with our clients. Through adopting Wiz, we have worked with clients to reduce the distance between the security and cloud teams and provided a continuous overview of cloud risks.
Visibility
We have helped clients gain full visibility of all cloud assets, including host configuration, vulnerabilities, and Toxic Combinations. The clients who chose Wiz with us have full visibility into their cloud environment from a single portal that they can log into every morning. The stakeholders have tailored dashboards that visualize their risks at any given time. Creating scheduled reports with actionable insights is intuitive.
The portal provides a full overview of all their clouds in a unified data model, giving visibility across segments and even multi-cloud or hybrid applications for all your workloads, regardless of whether they run on a container, serverless, or virtual machine.
Prioritization
Our clients can identify a Toxic Combination, such as a publicly exposed asset with a critical vulnerability that is known to be exploited, where the asset also has a privileged role and access to sensitive data. Rather than knowing that 100+ hosts are affected by the vulnerability, you now know the exact asset where you should prioritize remediation and what the potential impact would be.
And for those thousands of vulnerabilities in container images that you’ll never be able to remediate? Wiz will give you a parameter that you can query to see whether a vulnerability is validated in Runtime.
Example graph from the Wiz environment, helping prioritize 146 thousand vulnerabilities into 67 Critical Attack Paths.
By focusing on the vulnerabilities that matter, we have, together with our clients, been able to redesign vulnerability management programs to be more efficient, more actionable, and driven by meaningful risk reduction. We work with our clients to adapt the vulnerability management process with Wiz.
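The prioritization idea described above, as an added example that is not Wiz's logic or code from the original article: it joins constructed vulnerability findings with constructed exposure, role and data-access context, and flags the one asset where all four conditions combine. All asset names, field names and finding identifiers are assumptions made for illustration.

```python
# Added example: every asset, field and finding below is constructed sample data.

# One row per (asset, vulnerability) finding, as a scanner would report it.
FINDINGS = [
    {"asset": "web-01", "vuln": "VULN-A", "severity": "critical", "known_exploited": True},
    {"asset": "web-02", "vuln": "VULN-A", "severity": "critical", "known_exploited": True},
    {"asset": "batch-07", "vuln": "VULN-A", "severity": "critical", "known_exploited": True},
    {"asset": "web-02", "vuln": "VULN-B", "severity": "medium", "known_exploited": False},
]

# Context from other sources: network exposure, identity, data access.
CONTEXT = {
    "web-01": {"public": True, "privileged_role": False, "sensitive_data": False},
    "web-02": {"public": True, "privileged_role": True, "sensitive_data": True},
    "batch-07": {"public": False, "privileged_role": True, "sensitive_data": True},
}

ALL_FACTORS = {"public", "exploited_critical_vuln", "privileged_role", "sensitive_data"}


def risk_factors(asset, findings, context):
    """Return the risk factors from the passage that hold for one asset."""
    ctx = context.get(asset, {})  # an asset with no context has no context factors
    factors = {k for k in ("public", "privileged_role", "sensitive_data") if ctx.get(k)}
    if any(f["asset"] == asset and f["severity"] == "critical" and f["known_exploited"]
           for f in findings):
        factors.add("exploited_critical_vuln")
    return factors


def prioritize(findings, context):
    """Rank vulnerable assets by combined factors; mark full combinations as toxic."""
    ranked = []
    for asset in {f["asset"] for f in findings}:
        factors = risk_factors(asset, findings, context)
        ranked.append({"asset": asset, "factors": sorted(factors),
                       "toxic": factors == ALL_FACTORS})
    # Most combined factors first; asset name breaks ties deterministically.
    ranked.sort(key=lambda r: (-len(r["factors"]), r["asset"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize(FINDINGS, CONTEXT):
        print(row)
```

All three hosts carry the same exploited critical finding, but only `web-02` is also public, privileged and able to reach sensitive data, so it is the one ranked first.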
Integrations
While Wiz provides a Platform, no one platform can rule them all. Wiz's extensive integration ecosystem allows you to integrate with your favorite ticketing system or AppSec platform. And don’t worry if you are missing an integration. Wiz has a team ready to assist and work with the vendor on creating new integrations and becoming a partner. A strong integration ecosystem is key for adoption across the organization. We provide our clients with expertise in Wiz integrations.
Wiz has 144 integrations at the time of writing this article.
Continuous Monitoring
Our Cloud Security Assessments provide value, but one limitation is that they give you a snapshot of the risks in your cloud environment. With Wiz, however, it’s continuous. Once you’ve squashed the initial findings or tuned it to your intended configuration, you can be confident that you will discover new misconfigurations, toxic combinations, or even threats in near real-time the next time something occurs. Remediation often involves more than changing a single configuration. We help you architect or implement processes to build a resilient platform.
Opportunity
We’re building success stories together with Wiz. If you’re looking to track metrics that matter, have a single source of truth for your cloud configuration, and adopt a platform that we believe will improve how you approach cloud security, then the time is now.
If you’re interested in learning more about how we’ve helped secure complex cloud environments together with Wiz or in a demo of Wiz, and want to join the Wiz User Group (Wuggies) in the Nordics, you should contact us!