Leveraging Threat Stack’s Out-of-the-Box Rulesets and Single View for Managing Multiple AWS Accounts

Increasingly, AWS users are leveraging multiple accounts to manage their infrastructure. While doing so is a recommended best practice that enables users to achieve the highest levels of resource and security isolation and to optimize operational costs, it can also increase the amount of time and effort required for effective administration and remediation.

As a remedy to this problem (and “account sprawl” in general), and as a means of providing more granular alerting and actionable data, Threat Stack has built two key functionalities into its Cloud Security Platform®:

  • The ability to view multiple AWS accounts from one central location: Our unified view reduces admin time and provides significant convenience because end users no longer need to gather information and alerts from multiple accounts. This means you can focus on business issues and not administration!
  • Rulesets that are focused on giving more granular alerting and context to your interactions with the AWS control plane: Our extensive out-of-the-box rulesets give customers increased control plane visibility and more granular tracking of AWS API actions within their accounts, and you still have the flexibility of creating new rules and modifying existing rules (as we have previously documented.)

Read on for more details. Read more “Leveraging Threat Stack’s Out-of-the-Box Rulesets and Single View for Managing Multiple AWS Accounts”

Kubernetes Security Tips & Best Practices

Recently, there has been a significant upswing in the adoption of containerized environments. In light of this, we’ve written a number of posts that focus on the advantages that containers afford and ways to ensure that you’re following security best practices when deploying and operating them. Most recently, we published Docker Security Tips & Best Practices, which identifies common container security issues together with best practices for reducing risk and increasing operational efficiency in containerized environments.

Along with the spike in container adoption, there has been a corresponding uptake in the use of container orchestration platforms, so in this post, we’re providing tips on how to address security issues when using Kubernetes, the most widely adopted container orchestration platform. Read more “Kubernetes Security Tips & Best Practices”

Docker Security Tips & Best Practices

Docker is a software platform that makes it easier to create, deploy, and run applications. Recently there has been a major surge in the adoption of this technology — and while it offers significant benefits, it also presents security challenges. Some of the advantages center on the fact that your applications are loaded into a private namespace and the required dependencies are codified, and when using Docker, developers can package all the parts needed to run an application stack and ship it out as one unit. But if container ecosystems aren’t properly designed, deployed, and managed, they can create problems that offset or undermine the benefits.

To put you on the path to effective and secure usage, this post identifies common security issues and outlines best practices for reducing risk and increasing operational efficiency in containerized environments. (If you want additional resources to brush up on your Docker skills, take a look at our list of 50 useful Docker Tutorials for IT professionals.) Read more “Docker Security Tips & Best Practices”

20 Developers and Kubernetes Experts Reveal the Biggest Mistakes People Make During the Transition to Kubernetes

Making the transition from virtual machines to containers is a complex process that can take some time, particularly for larger, more complex environments. Users are drawn to Kubernetes’ container-centric environment, as well as its ability to enable portability across infrastructure providers. Kubernetes also offers broad applicability; for the most part, an application that runs well in a container will run well on Kubernetes. These, along with myriad other benefits, are what make the transition to Kubernetes worthwhile for many applications. Not up-to-date on the ins and outs of Kubernetes? Check out our list of 50 Useful Kubernetes Tutorials for IT Professionals to get started.

Because the process can be both lengthy and complex, mistakes are common during a transition. First, it’s important to understand that Kubernetes is not a silver bullet. Organizations that adopt container orchestration platforms like Kubernetes before they really understand the technology are more vulnerable to configuration errors. There are also some important Kubernetes security considerations, such as blast radius (how far a malicious party can gain access beyond the initial point of compromise), that leave certain components of a cluster more vulnerable. That’s why it’s important to build security into your deployment as early as possible. To find out where your security maturity level stands, take our Cloud SecOps Maturity Assessment, and learn more about how Threat Stack can secure your containerized environments.

If you’re ready to get started with your infrastructure transformation, there are other pitfalls you’ll want to avoid. To help you get off on the right foot and avoid common mistakes, we reached out to a panel of developers and Kubernetes experts and asked them to answer this question:

“What’s the biggest mistake people make during the transition to Kubernetes?”

Read more “20 Developers and Kubernetes Experts Reveal the Biggest Mistakes People Make During the Transition to Kubernetes”

What is Cloud Workload Security?

A cloud workload is a distinct capacity or work function that we put on a cloud instance. It can be a Hadoop node, a Web server, a database, or a container, among other things.

Broadly speaking, therefore, cloud workload security is any means of protecting these workloads.

There is a common misconception that securing your workloads is the responsibility of the cloud service provider. But that’s not true if you work with an “infrastructure as a service” (IaaS) model such as Amazon Web Services. With IaaS, you share some of that responsibility. In some instances, you would need to extend the security policies, tools, and controls you have for your onsite systems to the cloud in order to secure these workloads. A widespread failure to fully understand and act on the shared responsibility model is demonstrated in a November 2017 survey, where we found that 73% of companies have at least one critical AWS security misconfiguration.

With Threat Stack, a leader in cloud-native security and compliance management, you can better secure your cloud environment and cloud workloads. Our Cloud Security Platform® is designed to meet the unique challenges facing Security and Operations teams working in the cloud. Let’s take a look at the common threats facing cloud workloads along with best practices for enhancing cloud workload security. Read more “What is Cloud Workload Security?”

Threat Stack Announces New and Enhanced CloudTrail Rules

As AWS continues to expand its services landscape, Threat Stack has made a commitment to keeping in step by crafting additional coverage that keeps your cloud environment secure. The latest additions we’ve made to Threat Stack’s CloudTrail rules are focused on giving more granular alerting and context to your interactions with the AWS control plane.

Threat Stack has significantly expanded the CloudTrail Base Ruleset in its Cloud Security Platform®. Not only have we increased the number of rules from 26 to 87 — we have also provided rules for five AWS Services that were not covered previously (DynamoDB, Elastic Container Service, Elastic Kubernetes Service, Security Token Service, and AWS Support). And don’t forget — the Cloud Security Platform still gives you the flexibility to create custom rules based on CloudTrail event data.

While we’re not going to comment on all 87 rules in this post, we are going to focus on important highlights, including:

  • New rules to cover five additional AWS Services
  • Expanded rules for Identity and Access Management (IAM)
  • Expanded rules for Virtual Public Cloud (VPC)

The new rules for five additional AWS Services are discussed in Part 1 below, while Part 2 gives an overview of the expanded rules for AWS Services that we already support. Read more “Threat Stack Announces New and Enhanced CloudTrail Rules”

Detecting Unsafe Data Deserialization With Threat Stack

UPDATED — January 22, 2019
The Threat Stack SOC is aware of the recent disclosure of a breach of the PHP Extension and Application Repository (PEAR). Details of the breach have not been disclosed publicly, and we have no special knowledge of the breach. However, attacks against code repositories and injection of malicious code into third-party application dependencies help to underscore the importance of behavioral detection methods to identify and mitigate the exploitation of insecure PHP deployments. We will update this blog as appropriate pending additional public information on the PEAR breach.

UPDATED — February 1, 2019
Several weeks after the original publication of this blog, the PHP Extension and Application Repository (PEAR) disclosed a breach of its website, which led to the compromise of go-pear.phar. While Threat Stack has no inside or special knowledge of the breach at PEAR, based on publicly available information, we have confirmed that the Threat Stack Cloud Security Platform and Cloud SecOps Program can detect and mitigate an attack leveraging this injected PHP code.

It appears the attackers in this incident leveraged the research Sam Thomas presented at Black Hat 2018, which we discussed in this blog post. Based on publicly available information, the attackers appeared to be performing the first step in the attack chain by attempting to deliver injected phar files into a target environment. It is possible this attack was part of a poison well tactic targeting a specific or multiple organizations known to use PEAR and this file.

Insecure data deserialization first made its way into OWASP’s 2017 Top 10 list by way of community feedback. In the history of application security, that makes it a relatively new vulnerability that can be harder to detect due to the way it uses popular code libraries that are commonly used in web development.

The Threat Stack Cloud SecOps Program℠ exists not only to monitor customer environments and investigate alerts, but also to work with customers to help them improve their security postures. Occasionally, here in the SecOps Program’s security operations center (SOC), we get questions about the detection capability of the Threat Stack Cloud Security Platform®, and whether it is capable of detecting new and advanced attack vectors. (Our system uses behavioral detection, which is an extremely robust methodology for detecting new and old attack techniques.)

In this post, I’ll walk through how my colleagues and I in the SOC addressed an inquiry regarding a specific insecure deserialization exploit seen in the wild. Read more “Detecting Unsafe Data Deserialization With Threat Stack”

Aligning SecOps Teams With Compliance Roadmaps

Compliance is essential, and organizations need to get it right. Despite the importance of compliance, organizations often treat it as an afterthought, rather than a business driver. Some see it as a hurdle or uninvited challenge, even though it can have a significant positive impact on the business.

With the rise of new compliance frameworks like GDPR, the stakes are even higher. If you aren’t compliant, there are heavy fines. Now, more than ever, it’s time to ensure that your organization is adhering to the applicable compliance guidelines.

In this post, we show how SecOps teams can align with compliance roadmaps to drive a more continuous, proactive approach to meeting compliance objectives. Read more “Aligning SecOps Teams With Compliance Roadmaps”

Three Old-School Network Security Tips That (Still!) Work for Modern Infrastructure

The adage “Everything old is new again,” rings true in the cybersecurity industry as much as anywhere else. Some of the best practices from old-school network security still apply to modern virtual server or containerized environments.

Even though hackers are becoming increasingly sophisticated with their attacks, applying some of these oldies but goodies to your arsenal could help reduce the risk of a security incident or breach.

Here are a few security best practices that stand the test of time. Read more “Three Old-School Network Security Tips That (Still!) Work for Modern Infrastructure”