2021 was a record year for cybersecurity attacks of all types. Some credit the increase in attacks to Covid-19-driven digital transformation efforts that greatly expanded the IT estates of companies. Others point out that applications and infrastructure have become so complex that threats can hide in plain sight. Then there are the monetary rewards that for-profit hacking groups reap from tools and techniques developed by nation-state actors and shared on the dark web.
Defense teams are overwhelmed, and the band-aid security approach is far too inefficient for today's complex networks. Cloud and cloud-native apps have brought their own challenges and introduced new risks that many don't know how to deal with. This paper looks into contemporary risk buckets and then turns to the future to understand how a solid framework like the NIST Cybersecurity Framework can guide us.
Resilient Patching covers many of the critical items called out in our "Security Guide for Cloud Native Startups" and aligns well with the NIST Cybersecurity Framework. While proactive patching helps with protection, reactive patching completes the circle with a response. Imagine patching your entire application as if it were one large, expansive application. Resilient patching can prevent data leaks and illegitimate external connections while detecting possible intrusions that you need to respond to.
SaaS access to data is protected in two steps: SaaS access is first restricted to a VPC, and then only the relevant apps within the VPC are allowed to reach the SaaS services. In that sense, resilient patching can also be applied to SaaS services, locking out any intruder access. Open attack venues are mitigated by applying resilient patching to your user- and partner-facing web apps, which reduces their exposure to intrusions that could cause them to misbehave.
Align with the
Araali continuously scans your runtime to evaluate and prioritize the inherent risks within your enterprise. It automatically detects your most vulnerable apps (those with critical and high CVEs), your most valuable apps (databases and database-as-a-service), and the underlying critical services (metadata service, key stores, etc.) that support them all. It also looks for apps with excessive privileges, unused open ports, keys on disk, over-privileged IAM roles, etc., to help you harden your attack surface.
Fig: Auto-detect vulnerabilities to Identify critical elements to protect
Once the risk is evaluated, Araali offers customers a workflow to proactively reduce it. This involves prioritized vulnerability patching and implementing security controls according to best practice and least-privilege access. Many teams are uncomfortable with resilient patching and locking down their full app and databases; Araali lets them surgically target a single containerized process instead of the entire app. In addition, customers can proactively seal their critical services and SaaS services so that app vulnerabilities cannot be used to exploit these services and extract essential information.
Fig: Resilient Patch to lock down the vulnerabilities
As it is impossible to neutralize all risks, it is paramount for security teams to continuously monitor their environment. Araali enables the timely discovery of cybersecurity events. These are raised as alerts and intelligently routed to the SecOps team or pushed to a SIEM for further correlation and analysis. The alerts are rich in meaningful context. In addition, Araali lets the SecOps team replay the alert-triggering actions in a DVR-style mode to understand the sequence of events, a powerful way to understand threat progression.
Fig: Continuous monitoring of app infra for Threats
Araali also enables developers and the DevOps team to subscribe to their specific applications and receive real-time alerts via their messenger of choice (email, Slack, MS Teams, etc.). The intelligent routing of specific, contextual alerts unlocks a seamless dialogue and collaboration between the devs, DevOps, and the SecOps team.
Fig: Alerts with full context get routed to the SecOps team
Araali enables the SecOps team to respond to a threat in a precise and surgical manner. This is especially critical for enterprises where business continuity SLAs are top-of-mind for the leadership team.
The quarantine process neutralizes any out-of-bounds behavior via reactive resilient patching. Remember, the resilient patch is a compensating control that gives the SecOps team additional time to understand the threat vector, analyze it, and develop a fix. If no fix is available, SecOps can have the resilient patch applied proactively every time DevOps deploys the app. The DevOps team also has the option to run with the proactive resilient patch forever: "patch once" and "protect forever".
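The proactive allowlist described under SaaS access and the reactive quarantine described in this step, modelled as an added Python example (this is not Araali's code; the process names, destinations and flow log are constructed to illustrate the idea):

```python
from collections import defaultdict

# Constructed baseline: (process, destination) flows seen during a clean run.
BASELINE = [
    ("web-frontend", "api-gateway:443"),
    ("web-frontend", "cdn.example.invalid:443"),
    ("api-gateway", "postgres:5432"),
    ("api-gateway", "metadata-service:80"),
]
# Constructed flow log to evaluate; the third entry is outside the baseline.
OBSERVED = [
    ("web-frontend", "api-gateway:443"),
    ("api-gateway", "postgres:5432"),
    ("api-gateway", "unknown-host.invalid:443"),
    ("api-gateway", "postgres:5432"),
]

def build_allowlist(flows):
    """Proactive patch: per process, the only destinations it may reach."""
    allow = defaultdict(set)
    for proc, dst in flows:
        allow[proc].add(dst)
    return dict(allow)

def evaluate(allowlist, observed, mode="proactive"):
    """Apply the patch to a flow log; return (decisions, quarantined processes).
    proactive: a flow outside the allowlist is blocked outright.
    reactive : the first out-of-baseline flow raises an alert and quarantines
               the process, so its later flows (even legitimate ones) are
               blocked until SecOps lifts the compensating control.
    A process absent from the baseline has an empty allowlist.
    """
    decisions, quarantined = [], set()
    for proc, dst in observed:
        if proc in quarantined:
            decisions.append((proc, dst, "blocked:quarantined"))
        elif dst in allowlist.get(proc, set()):
            decisions.append((proc, dst, "allowed"))
        elif mode == "proactive":
            decisions.append((proc, dst, "blocked"))
        else:
            decisions.append((proc, dst, "alert"))
            quarantined.add(proc)
    return decisions, quarantined

if __name__ == "__main__":
    patch = build_allowlist(BASELINE)
    for mode in ("proactive", "reactive"):
        for proc, dst, verdict in evaluate(patch, OBSERVED, mode)[0]:
            print(f"{mode:9} {proc:13} -> {dst:26} {verdict}")
```

In reactive mode the legitimate postgres flow after the alert is also blocked, which is the business-continuity trade-off a quarantine makes and why the text stresses surgical, per-process scope.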
Fig: Ability to surgically respond without impacting business continuity
In the final stage, the DevOps team redeploys fresh copies of the app, infrastructure, and configuration with the mitigation controls activated. Generally, the preceding three steps were needed because of risks that were unknown, or that were skipped as low-risk but later became critical or were exploited. Since the risk is now on the radar, the DevOps team can add the app to the proactive protection plan, i.e., make it part of the "Identify" step, completing the virtuous circle.
Fig: Recover and operate with resilient patch
Cloud-native apps have ushered in an era of velocity and complexity that challenges DevOps and SecOps teams to plug a growing array of unknown security holes. It's time to stop running a race against external threat actors that you cannot win in the long term. If you would like to know more about how resilient patching can alleviate the struggle of patching and protecting your digital assets, we encourage you to learn more here.
Short demo video links on Resilient Patching: