The Future of Active Host Vulnerability Monitoring
Speakers
Sean Valois, Senior Sales Engineer at Lacework
Sean has extensive experience in technical account management, general computer and network security, and has significant time working in vulnerability management.
Pat Haley, Senior Sales Engineer at Lacework
Pat has a background primarily in customer-facing, technical roles helping organizations better secure their environment. His time also includes significant experience in vulnerability management.
Agenda
0. About Lacework & Who is this for? (The Lacework Platform)
1. Containers vs Hosts: "What should be fixed?" (Telemetry)
2. Active packages & Ephemeral Infrastructure: Shift Left? (Pre-Deployment Checks)
3. How to deal with constant change. (Alerts)
The Cloud Changes Constantly by Design
NEW: Engineers x Cloud Accounts x Microservices x APIs x Scaling Compute = Constant Change
UNCHANGED: Finite security talent & compliance requirements
[Diagram: people (Engineer, Developers, Testers, Analyst, Security, Compliance, DBA, IT Ops) against constantly changing infrastructure: Containers, Auto-scaling Compute Instances, Acct N*Dev, Acct N*Test, Acct Prod, CI/CD Pipelines, Microservices (Amazon RDS, Amazon S3, Amazon DynamoDB, Amazon Kinesis, Amazon's Next Thing), APIs, Kubernetes Clusters. Layers and how each is observed: Culture, Org, & Incentives (Humans); Applications: Architecture & Code (Agents); Cloud Activity: User and Entity Actions & Config (APIs); Infrastructure: Hosts, Containers, & K8s (Agents), labelled "You Config"; Cloud Service Provider: Service Integrity & Innovation (Not Your Security Problem).]
Security Context is Buried In Meantime to WTF
[Diagram: the "Circle of Security Data Toil": alert triggers -> event triage -> write/refine/tune rules -> query 1st level investigations -> query 2nd level investigations -> alert correlation -> apply algo/ML to raw security data ("alerts as data") -> suppress alerts -> event analysis (WHO? WHAT? WHEN? WHY? HOW?) -> "Should I be panicked?" -> Finance: "Can you explain?"]
Lacework Toils So You Don't Have To
MACHINES MAP ACTIVITY -> MACHINES ANALYZE ACTIVITIES -> HUMANS TAKE ACTIONS
Lacework Grows With Your Needs
[Platform diagram. Inputs: Workload / Container Raw Security Data (agents); Compliance, API, process, and vulnerability metadata; API DATA: Cloud Activity & Configurations; CONTAINER REGISTRIES (on-prem); CVE & Threat Data; Data Exchange. Core: Security Data Lake -> User & App Activity Mapping -> Behavioral Analysis of Activity Maps Over Time -> Anomaly Detection With Full Context -> Security Analytics. Capabilities: Container & Host Registry Vulnerability APIs; Host intrusion detection (IDS); Container and Kubernetes Security; Compliance reporting & audit; Cloud Activity & App Anomalies; File integrity monitoring (FIM); Host Vulnerability Telemetry.]
What We're Talking About Today
[Same platform diagram as the previous slide, with Host Vulnerability Telemetry highlighted.]
Lacework Works With What You Have
[Same platform diagram as above, with the integrations it feeds and consumes: ALERTING / TICKETING / PERFORMANCE; AUTOMATION & PIPELINES; SECURITY INFO EVENT MANAGEMENT; APP. CODE SEC.; CASB; SSO; NETWORK / ENDPOINTS; CVE & Threat Data.]
Q: Who is this for (today)?
A: Linux hosts scaling in the cloud
• Nightly builds?
• Lots of host images?
• Hosts and Containers?
• Ephemeral and Immutable Infrastructure?
• Threat detection & Service Relationship Visibility?
Vulnerability insight that fits the modern software team workflows.
[Diagram of where this fits: "No Vulnerability Program" (HELP); "In-the-cloud Linux *Product* Vulnerability Program" (consolidate tooling & agents, streamline workflows, and stop building DIY tooling); "Existing Vuln Assessment & Prioritization Tools + DIY DATA SCIENCE"; "Enterprise-Wide Vulnerability Compliance Programs".]
Vulnerabilities: Containers Versus Hosts
HOST: PETS. Indispensable compute. Pets are patched when updates are needed. Examples:
• Load balancers
• Database systems
Fix while running.
HOST: CATTLE. Disposable compute. Cattle are rebuilt and replaced when updates are needed. Examples:
• Scaling for compute
• Failover for blue / green deploys
Fix base image or while running.
CONTAINERS. Disposable compute. Container images are rebuilt when updates are needed (not patched). Examples:
• Every container
Fix base image in registry.
Building Infra & Scan Schedules vs Installing Agent
OLD: SET UP VULNERABILITY INFRASTRUCTURE. Infrastructure requirements:
• Scope infrastructure
• and acquire infrastructure
• and deploy infrastructure
• and...
• and...
• and deploy dedicated agents
• and...
• Schedule scans
NEW: DEPLOY AN AGENT WITH ANY INFRA AUTOMATION TOOL... THEN COFFEE
What Does The Agent Do For Vulnerability Telemetry?
• OS and OS version
• Enumerates package manager inventory
• Sends the data to Lacework
For threat detection, the agent also collects DNS and application process data.
Three Questions Everyone Asks About Cloud Host Vulnerabilities
1. What should be fixed in prod?
2. Can we develop on better host images?
3. How do I deal with constant change?
#1 - What to fix? What telemetry do you need to find the vulnerabilities that actually matter?
Terms and Definitions – Machine Status
Purpose is to declutter ephemeral hosts from the user view. Source of data is the agent heartbeat.
ONLINE = host has been live in the last 1-2 hours from current time.
OFFLINE = host has not been live in the last 1-2 hours from current time.
ALL = both online and offline hosts.
Lots of Hosts...Filtered By Online Within The Last 30 Days
Terms and Definitions – Vulnerability Assessment
Vulnerability assessment for a distinct machine occurs in two forms; vulnerability states are continuously tracked over the host lifecycle.
INITIAL ASSESSMENT = first assessment when an agent first registers a host to the Lacework platform, typically within the first hour.
CONTINUOUS ASSESSMENT = scheduled assessment that occurs every 24 hours for all hosts that transported data in the last 24-hour window (host was active long enough to transport).
… Filtered By Severity of Vulnerability
...and by image (or any tag or attribute like ‘external IP’)
Terms and Definitions – Package Status
Data source is agent process details collected continuously. Uniquely identifies the dormant and active risk of vulnerabilities based on the process in use.
ACTIVE = in the last 24-hour period we have seen this package in use. In use means a process launch.
<empty state> = we cannot guarantee an inactive state.
Down to the fixable package.
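A worked model of the machine-status and package-status definitions above, and of how "active" turns a dumb CVE list into a prioritized one. This is an added illustration, not Lacework's code: the telemetry shapes, the 2-hour online window, the package-to-executable mapping and the CVE ids are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ONLINE_WINDOW = timedelta(hours=2)   # slide: "live in the last 1-2 hours"; 2 h assumed here
ACTIVE_WINDOW = timedelta(hours=24)  # slide: package seen "in use" in the last 24 h

@dataclass
class HostTelemetry:
    machine_id: str
    heartbeats: list        # agent heartbeat timestamps
    process_launches: list  # (timestamp, executable path) from agent process details
    packages: dict          # package name -> executables it owns (assumed mapping)

def machine_status(host, now):
    """ONLINE if a heartbeat arrived inside the online window, otherwise OFFLINE."""
    return "ONLINE" if any(now - hb <= ONLINE_WINDOW for hb in host.heartbeats) else "OFFLINE"

def continuous_assessment_due(host, now):
    """The daily scheduled assessment covers hosts that transported data in the last 24 h."""
    return any(now - hb <= ACTIVE_WINDOW for hb in host.heartbeats)

def active_packages(host, now):
    """ACTIVE = a process launched from one of the package's executables in the last 24 h.
    Everything else stays in the empty state: a missing launch proves nothing."""
    owner = {path: pkg for pkg, paths in host.packages.items() for path in paths}
    return {owner[exe] for ts, exe in host.process_launches
            if now - ts <= ACTIVE_WINDOW and exe in owner}

def prioritize(findings, active):
    """Context-aware ordering: active and fixable first, then active, then fixable,
    then the rest; CVSS descending inside each group."""
    def key(f):
        is_active, fixable = f["package"] in active, f["fix_version"] is not None
        return (not (is_active and fixable), not is_active, not fixable, -f["cvss"])
    return sorted(findings, key=key)

def sample_host():
    """Constructed telemetry for one host; not real data."""
    now = datetime(2021, 6, 1, 12, 0)
    return now, HostTelemetry(
        machine_id="i-example",
        heartbeats=[now - timedelta(minutes=30), now - timedelta(hours=26)],
        process_launches=[(now - timedelta(hours=1), "/usr/sbin/nginx"),
                          (now - timedelta(hours=30), "/usr/bin/curl")],
        packages={"nginx": ["/usr/sbin/nginx"], "curl": ["/usr/bin/curl"],
                  "openssl": ["/usr/bin/openssl"]})

SAMPLE_FINDINGS = [  # constructed findings with placeholder CVE ids
    {"cve": "CVE-XXXX-0001", "package": "openssl", "cvss": 9.8, "fix_version": "1.1.1k"},
    {"cve": "CVE-XXXX-0002", "package": "nginx", "cvss": 7.5, "fix_version": "1.18.1"},
    {"cve": "CVE-XXXX-0003", "package": "curl", "cvss": 5.3, "fix_version": None},
    {"cve": "CVE-XXXX-0004", "package": "nginx", "cvss": 4.3, "fix_version": None},
]

def demo():
    """Runs the definitions over the constructed host and returns the results."""
    now, host = sample_host()
    active = active_packages(host, now)
    return {"status": machine_status(host, now),
            "assessment_due": continuous_assessment_due(host, now),
            "active": active,
            "order": [f["cve"] for f in prioritize(SAMPLE_FINDINGS, active)]}

if __name__ == "__main__":
    print(demo())
```

Note that the highest CVSS finding (openssl) drops below both nginx findings because nothing launched openssl in the window, which is exactly the "vulnerabilities versus vulnerable" distinction the deck draws.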
Terms and Definitions – Vulnerability Lifecycle
Active (NEW, ACTIVE, REOPENED): unmitigated, potentially exploitable software vulnerability detection within the environment.
Inactive (FIXED): previously discovered, potentially exploitable software vulnerability detection that was not detected in the last assessment.
Exception (SUPPRESSED; future – not in this release): previously discovered, potentially exploitable software vulnerability detection that was detected in the last assessment and deemed not applicable.
API – All CVEs: GET vulnerabilities/host
API – All machines with a specific CVE: GET host/cveId/{CVE-ID}
API – Assessment for a specific machine: GET host/machineId/{id}
Continuous Assessments
DEPLOYMENT TYPE | HOST (supported OS) | HOST LIFETIME | FIRST ASSESSMENT | NEXT DAY | FOLLOWING DAYS
Host | Yes | alive for >= ~2 hours | First Evaluation | Daily Evaluation | Daily Evaluation
Container | No | < 2 hours | – | – | –
#2 Can we shift left and deploy on better host images?
Host Lifecycle
[Diagram with three lanes.
DEVELOPER: build application test environment -> checkout host image from registry -> add application required packages -> install application -> run tests -> update repo with test results; query Lacework API -> discover CVEs.
OPS BUILDS GOLDEN IMAGE: job to build new host image -> install packages, configs, agents -> run tests; query Lacework API -> discover CVEs -> promote to registry.
QA / PROD: deploy to environment -> scheduled agent scan runs -> discover CVEs.]
API: On Demand Assessment – DevOps Use Case
PREFLIGHT CHECKS IN CI/CD: POST to blocking API -> CONDITIONAL OR CATALOGUED DEPLOY
Checks before evaluation: <= 10 requests in the last hour (otherwise rate limited – HTTP error code); payload valid (otherwise relevant HTTP error code). Stateless response.
Request PAYLOAD:
• OS Distro – e.g., ubuntu, debian, fedora
  − Version – e.g., 18.04, 27
• YUM / APT package list
  − Package name
  − Package version
Response PAYLOAD:
• CVE-ID
  − Packages
  − Metadata
  − CVSS scores
  − First seen
• Summary
  − Total vulns
  − Evaluation time
• ...
API – Shift Left: POST /scan
Example of /scan with HashiCorp Packer and Lacework:
1. Create inventory shell script.
2. Build an AMI with HashiCorp Packer. Packer uploads and executes the inventory script. Outputs are saved.
3. Vulnerabilities are discovered pre-deployment.
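The pre-flight flow described in the on-demand assessment and Packer slides, as an added example rather than Lacework's client code: build the /scan request payload (OS distro, version, package list) from the inventory script's outputs, gate the deploy on the response, and respect the 10-requests-per-hour limit on the client side. The JSON field names, the response shape and the rate-limit status code are assumptions; the os-release and dpkg-query samples are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of /etc/os-release captured from a Packer-built Ubuntu 18.04 image
OS_RELEASE = 'NAME="Ubuntu"\nID=ubuntu\nVERSION_ID="18.04"\nPRETTY_NAME="Ubuntu 18.04 LTS"\n'
# Constructed sample output of: dpkg-query -W -f='${Package}\t${Version}\n'
DPKG_OUT = "bash\t4.4.18-2ubuntu1.2\nopenssl\t1.1.1-1ubuntu2.1~18.04.6\nlibc6\t2.27-3ubuntu1.2\n"
# Constructed /scan response with placeholder CVE ids (field names are assumed)
SAMPLE_RESPONSE = {
    "vulnerabilities": [
        {"cve": "CVE-XXXX-0001", "package": "openssl", "cvss": 9.8, "fix_version": "1.1.1-1ubuntu2.1~18.04.7"},
        {"cve": "CVE-XXXX-0002", "package": "libc6", "cvss": 7.5, "fix_version": None},
    ],
    "summary": {"total_vulns": 2, "evaluation_time": "2021-06-01T12:00:00Z"},
}

def parse_os_release(text):
    """Return (distro id, version id) from os-release key=value lines."""
    kv = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            k, v = line.split("=", 1)
            kv[k.strip()] = v.strip().strip('"')
    return kv["ID"], kv["VERSION_ID"]

def parse_dpkg(text):
    """Return [{name, version}, ...] from tab-separated dpkg-query output."""
    pkgs = []
    for line in text.splitlines():
        if "\t" in line:
            name, version = line.split("\t", 1)
            pkgs.append({"name": name, "version": version})
    return pkgs

def build_scan_payload(os_release_text, dpkg_text):
    """Assemble the request body for POST /scan (field names assumed)."""
    distro, version = parse_os_release(os_release_text)
    return {"os": distro, "os_version": version, "packages": parse_dpkg(dpkg_text)}

def blocking_findings(scan_response, min_cvss=7.0, fixable_only=True):
    """Conditional deploy: findings at/above the CVSS floor block the build.
    With fixable_only the gate stays actionable (a rebuild can remove them)."""
    return [v for v in scan_response["vulnerabilities"]
            if v["cvss"] >= min_cvss and (v["fix_version"] is not None or not fixable_only)]

class RequestBudget:
    """Client-side guard for the slide's limit of <= 10 /scan requests per hour,
    so CI fails fast instead of collecting rate-limit errors from the API."""
    def __init__(self, limit=10, window=timedelta(hours=1)):
        self.limit, self.window, self.sent = limit, window, []
    def allow(self, now):
        self.sent = [t for t in self.sent if now - t < self.window]
        if len(self.sent) >= self.limit:
            return False
        self.sent.append(now)
        return True

def budget_demo():
    """Eleven requests in one minute, then one after the window has passed."""
    budget, start = RequestBudget(), datetime(2021, 6, 1, 12, 0)
    first_eleven = [budget.allow(start + timedelta(seconds=i)) for i in range(11)]
    later = budget.allow(start + timedelta(hours=1, minutes=1))
    return first_eleven, later

if __name__ == "__main__":
    body = build_scan_payload(OS_RELEASE, DPKG_OUT)
    print(json.dumps(body, sort_keys=True))
    print("blocking:", [v["cve"] for v in blocking_findings(SAMPLE_RESPONSE)])
```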
#3 How do we deal with constant changes and mistakes?
Alert Scenario Options
NEW CVE PUBLISHED: within a defined severity level, among monitored hosts.
KNOWN CVE DEPLOYED: within a defined severity level, among monitored hosts.
CVE SEVERITY CHANGE: within monitored hosts.
PATCH STATUS CHANGE: within monitored hosts; no fix available -> fixable.
All your infrastructure security alerts in one place
Alerts That Don’t Suck - Why, What, When, How
The Future of Vulnerability Telemetry is Here
Lacework Vulnerability Workflows are Different
Today's Vulnerability Tools
• Compliance focused
• Struggle with ephemeral cloud scaling
• Teams of people building vulnerability data
• Containers = build-time only
• Focus on vulnerability existence in inventory
• No visibility into vulnerable package use
Lacework Host & Container Vulnerability Workflows
• Focused on security efficacy
• Built for ephemeral cloud scaling
• Built for devops workflows
• Live view into package execution
Wrap-Up
0. Lacework Can Grow With You (The Lacework Platform: Containers, Hosts, Cloud Activity)
1. The telemetry to find risks is easy to use. (Active packages & Ephemeral Infrastructure)
2. Hosts can shift left too! (Pre-Deployment Checks)
3. Alerts can keep you focused on your business. (Alerts)
Questions?
Thank you for Joining the Cloud Generation
Popular Scenarios
Pre-Flight Checks – Operational Efficiency: avoid putting known vulns into production. Interrupt vulnerabilities at the earliest part of the development lifecycle (SDLC early intervention).
Which active CVEs exist – Get a list of CVEs that are present. Dumb list versus list with context specific to your environment (vulnerabilities versus vulnerable).
All machines with a CVE – Rapid scan to find a particular CVE across an environment. Oh noes, a brand new CVE is on the front page of Hacker News!
Health check on a specific machine – Visibility of vulnerabilities on a particular instance. What's the state of my super important app?
"I've been involved in vulnerability mitigation for 20 years. Lacework is the best tool I've ever seen. It resolves many problems and has clean telemetry."
Machines Can Now Map App & Activity Context
[Diagram of cloud activity context: Type of API Call, Cloud Accounts, GeoIP, Cloud Service, Regions, Principal Role, API Call Results, Web Console / API.]
THANKS!
@abnerg
abner@lacework.com
Who Cares About Vulnerabilities?
Security: What known risks are in our environment? Which vulnerabilities should we prioritize?
Compliance: To meet x compliance requirement, can we report and fix vulnerabilities inside 30 days?
DevOps / Production Engineering: Can I avoid introducing risk into the environment?
Developers: Wants to write code while minimizing security & infra work.
Incident Response: Does the machine I'm investigating have an active vulnerability?

Vulnerability Discovery in the Cloud
