Cloud security is a responsibility that is shared between the cloud provider and the customer. There are basically three categories of responsibilities in the Shared Responsibility Model: responsibilities that are always the provider’s, responsibilities that are always the customer’s, and responsibilities that vary depending on the service model:
The security responsibilities that are always the provider’s are related to the safeguarding of the infrastructure itself, as well as access to, patching, and configuration of the physical hosts and the physical network on which the compute instances run and the storage and other resources reside.
The security responsibilities that are always the customer's include managing users and their access privileges (identity and access management), safeguarding cloud accounts from unauthorized access, encrypting and protecting cloud-based data assets, and managing their own security posture (compliance).
Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platforms (CWPP) are two essential pillars of cloud security, each addressing different aspects of protecting cloud environments. CSPM focuses on continuously monitoring and improving the security posture of cloud infrastructure. It helps identify and remediate misconfigurations, enforce security policies, and ensure compliance with industry standards and regulations across multi-cloud environments. On the other hand, CWPP provides specialized security for cloud workloads, such as virtual machines, containers, and serverless functions. It offers runtime protection, vulnerability management, and threat detection, focusing on securing the applications and data within the cloud infrastructure. While CSPM ensures that the overall cloud environment is configured securely and compliant, CWPP safeguards the workloads running within that environment, making both crucial for comprehensive cloud security strategies.
| Cloud Security Posture Management (CSPM) | Cloud Workload Protection Platform (CWPP) |
|---|---|
| Continuously monitor cloud infrastructure for gaps in security policy enforcement | Zero Trust Security for cloud workloads |
| Identify misconfiguration issues and compliance risks in the cloud | Detects and removes threats inside cloud software |
Cloud security posture management (CSPM) is a type of automated software tool that identifies security risks in cloud infrastructure. The cloud infrastructure that CSPM inspects may include software-as-a-service (SaaS), platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), containers, and serverless code.
CSPM is automated. Instead of requiring security teams to manually check their clouds for security risks, it runs in the background, analyzing the cloud for compliance risks and configuration vulnerabilities.
Most CSPM tools are able to scan multi-cloud environments, providing a combined view of the security state across all cloud services. This ability is crucial because many organizations use more than one cloud service, which increases the risk of misconfiguration and can be harder to manage manually.
Many organizations have to comply with strict requirements for protecting data and controlling access to that data. CSPM automatically scans for and detects any potential violations — for instance, if too many people have access to a database. This can help organizations better comply with regulations like the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), and the General Data Protection Regulation (GDPR).
Regulatory compliance is complex, and use of a CSPM tool is just one of the many steps organizations may need to take.
Compliance identifies any configuration best practice violations that exist in your environment and notifies you through your chosen method. The compliance portion helps you understand configurations and audit controls so you deploy cloud resources using best practices. Exium continuously and automatically monitors your environment, so you do not need to create or edit policies or algorithms.
After you set up integration with your cloud provider(s), Exium scans your environment to find any account security risks, misconfigurations, etc. Exium accomplishes this by using Security Audit API calls to check all resource configurations and validating each control against CIS and Exium defined best practices. Exium then reports misconfigured items to be resolved.
For example, when you integrate Exium with AWS, the AWS account could contain misconfigurations of IAM, S3, and security groups. The CIS benchmarks prescribe best practices for security groups, EC2 instances, IAM roles, etc. Exium then displays any violations in the Exium console AWS compliance report and compliance dossier. An Exium dossier contains detailed in-context data that you can use for security auditing and remediation. Exium can retain this data for up to 365 days.
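As an added illustration (not Exium's code), the kind of configuration check a CSPM runs against CIS-style controls for the three resource types named above; the resource records are constructed and their field names are simplified assumptions, not real AWS API output:

```python
"""CSPM-style configuration checks modeled on CIS-style controls.
Added illustration, not Exium's code; field names are assumptions.
"""
from typing import Dict, List

# Constructed sample: one group open to the world on SSH, one IAM console
# user without MFA, one bucket without a public access block.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
        {"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0e5f6a7b", "IpPermissions": [
        {"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
]
IAM_USERS = [
    {"UserName": "alice", "PasswordEnabled": True, "MfaActive": True},
    {"UserName": "bob", "PasswordEnabled": True, "MfaActive": False},
]
S3_BUCKETS = [
    {"Name": "public-assets", "PublicAccessBlock": False},
    {"Name": "finance-archive", "PublicAccessBlock": True},
]
ADMIN_PORTS = {22, 3389}  # SSH and RDP

def open_admin_ports(groups: List[Dict]) -> List[str]:
    """Security group rules exposing SSH/RDP to 0.0.0.0/0."""
    findings = []
    for sg in groups:
        for rule in sg["IpPermissions"]:
            ports = range(rule["FromPort"], rule["ToPort"] + 1)
            world = any(r["CidrIp"] == "0.0.0.0/0" for r in rule["IpRanges"])
            if world and not ADMIN_PORTS.isdisjoint(ports):
                findings.append(f"{sg['GroupId']}: port {rule['FromPort']} open to 0.0.0.0/0")
    return findings

def console_users_without_mfa(users: List[Dict]) -> List[str]:
    """Console (password-enabled) users with no MFA device active."""
    return [u["UserName"] for u in users if u["PasswordEnabled"] and not u["MfaActive"]]

def buckets_without_public_access_block(buckets: List[Dict]) -> List[str]:
    """Buckets whose public access block is not enabled."""
    return [b["Name"] for b in buckets if not b["PublicAccessBlock"]]

def compliance_report() -> Dict[str, List[str]]:
    """One entry per control; an empty list means the control passes."""
    return {"open_admin_ports": open_admin_ports(SECURITY_GROUPS),
            "users_without_mfa": console_users_without_mfa(IAM_USERS),
            "public_buckets": buckets_without_public_access_block(S3_BUCKETS)}
```

Each non-empty list in the report is a finding of the sort a compliance dossier would carry for remediation.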
Additionally, Exium ingests AWS CloudTrail, Azure Activity Log, and GCP Audit Logs and streams them to the Exium data warehouse to build a baseline of normal behavior, which is updated hourly. From this, Exium can provide detailed in-context alerts for anomalous behavior by comparing each hour to the previous one. Anomaly detection uses machine learning to determine, for example, if a user account accesses a specific resource for the first time, logs in from a new region, or if a user adds a new user. Exium then displays any anomalies in the Exium console.
Exium's CloudTrail, Activity Log, and Audit Log scanning uses policy-based detection built on Exium-defined policies. These predefined policies are visible in the Exium console, and you can enable or disable them as needed. The Exium console can also suppress AWS behavior anomaly policies, which allows you to tune alerts to focus on specific assets.
A cloud workload protection platform (CWPP) is a security tool that detects and removes threats inside cloud software. The main difference from CSPM is that CSPM is external, looking for cloud misconfigurations and compliance violations, whereas CWPP is internal, looking for threats inside the software that runs in the cloud. CWPPs automatically monitor a wide range of workloads, including physical on-premises servers, virtual machines, and serverless functions.
According to Gartner, a global research and advisory firm, these eight capabilities define CWPPs:
| Item | Capabilities Defining CWPP |
|---|---|
| 1 | Hardening, configuration, and vulnerability management |
| 2 | Network firewalling, visibility, and microsegmentation |
| 3 | System integrity assurance |
| 4 | Application control and allowlisting |
| 5 | Exploit prevention and memory protection |
| 6 | Server workload endpoint detection and response (EDR), behavioral monitoring, and threat detection and response |
| 7 | Host-based intrusion prevention with vulnerability shielding |
| 8 | Anti-malware scanning |
CWPPs are able to apply these capabilities in any type of workload, including physical servers, virtual machines, containers, and serverless functions.
Because CWPPs can cover a range of workloads, they are ideal for protecting infrastructure that is spread across multiple clouds. Multi-cloud deployments, which combine multiple public clouds, and hybrid cloud deployments, which combine public clouds with private clouds and on-premises infrastructure, contain a wide variety of workload types. A CWPP provides a "single pane of glass" — one place where an organization can view and analyze cloud security risks across all of these workloads.
The workload portion provides process-aware threat and intrusion detection for your cloud environment and notifies you through your chosen method of any events.
After you install the Exium agent on hosts, Exium scans those hosts and streams select metadata to the Exium data warehouse to build a baseline of normal behavior, which is updated hourly. From this, Exium can provide detailed in-context alerts for anomalous behavior by comparing each hour to the previous one. Anomaly detection uses machine learning to determine, for example, if a machine sends data to an unknown IP, or if a user logs in from an IP that has not been seen before.
Workload security uses policy-based detection. Two policy types are available: Exium-defined default policies and custom policies. Custom policies are policies that you create to check for unwanted behavior specific to your environment, for example, the use of Telnet. You can enable or disable policies as needed. The Exium console can also suppress host behavior anomaly policies, which allows you to tune alerts to focus on specific assets.
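The hour-over-hour baselining described for cloud audit logs earlier and for host metadata just above follows one pattern, shown here as an added example (not Exium's code, and not its learning rule): record the (entity, attribute) pairs seen in the previous hour, report any pair first seen in the current hour, and run a custom policy (Telnet use) alongside. The event records are constructed and their field names are assumptions:

```python
"""Hour-over-hour baseline anomaly detection plus a custom policy check.
Added illustration, not Exium's code; event fields and the learning rule
are assumptions. Events are constructed to resemble normalized cloud audit
records and host network/login records.
"""

# Constructed samples: the previous hour is the baseline, the current hour
# is under review.
PREVIOUS_HOUR = [
    {"type": "cloud", "user": "alice", "resource": "s3:finance-archive", "region": "us-east-1"},
    {"type": "host", "host": "web-1", "dst_ip": "10.0.5.20", "dst_port": 5432},
    {"type": "login", "host": "web-1", "user": "ops", "src_ip": "198.51.100.7"},
]
CURRENT_HOUR = [
    {"type": "cloud", "user": "alice", "resource": "s3:finance-archive", "region": "eu-west-3"},
    {"type": "cloud", "user": "alice", "resource": "iam:user/contractor-7", "region": "us-east-1"},
    {"type": "host", "host": "web-1", "dst_ip": "10.0.5.20", "dst_port": 5432},
    {"type": "host", "host": "web-1", "dst_ip": "192.0.2.99", "dst_port": 23},
    {"type": "login", "host": "web-1", "user": "ops", "src_ip": "203.0.113.5"},
]

# (entity, attribute) pairs baselined per event type: first-time resource
# access and new region for accounts, new peer IP and new login source for hosts.
BASELINE_KEYS = {
    "cloud": [("user", "resource"), ("user", "region")],
    "host": [("host", "dst_ip")],
    "login": [("user", "src_ip")],
}

def baseline_pairs(events):
    """Every (attribute, entity, value) triple observed in a window."""
    seen = set()
    for ev in events:
        for entity, attr in BASELINE_KEYS[ev["type"]]:
            seen.add((attr, ev[entity], ev[attr]))
    return seen

def anomalies(previous, current):
    """Triples first seen in `current` when compared with the `previous` hour."""
    known = baseline_pairs(previous)
    found = []
    for ev in current:
        for entity, attr in BASELINE_KEYS[ev["type"]]:
            key = (attr, ev[entity], ev[attr])
            if key not in known:
                found.append(f"{ev[entity]}: new {attr} {ev[attr]}")
                known.add(key)  # report each new pair once per hour
    return found

def telnet_policy(current):
    """Custom policy: flag any host connection to TCP/23 (Telnet)."""
    return [f"{ev['host']} -> {ev['dst_ip']}:23" for ev in current
            if ev["type"] == "host" and ev.get("dst_port") == 23]
```

Pairs reported once and then added to the baseline are what keep a steady new behavior from alerting every hour; a production system would also age pairs out of the baseline.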
With threat feeds from multiple sources, Exium can detect bad IPs, bad file hashes, and crypto mining, and alert you to any IOCs. Exium displays any anomalies in the Exium console host dossiers, which contain activity in the following contexts: applications, files (FIM), machines, networks, processes, and users.
Exium provides the ability to scan, identify, and report vulnerabilities found in the operating-system-managed software packages of a container image before that image is deployed. This means you can identify and act on software vulnerabilities in your container images and manage that risk proactively. In addition, Exium automatically correlates assessed images with active containers in your monitored environment, so you have continuous visibility into your software vulnerability risk.
After integrating a container registry in Exium, Exium finds all container images in the registry repositories, scans those container images for software packages with known vulnerabilities, and reports them. For each container image found in the repositories, Exium also checks and reports the number of running containers found in the current workload for the current container image. The Exium Console also displays anomalies in the container dossiers, which contain activity in the container and Kubernetes contexts.
The architecture of a cloud security system should account for tools, policies and processes needed to safeguard cloud resources against security threats. Among its core principles, it should include:
| Item | Core Principles of Exium's Cloud Security Architecture |
|---|---|
| 1 | Security by design |
| 2 | Visibility |
| 3 | Unified management |
| 4 | Context-aware security |
| 5 | Network security |
| 6 | Agility |
| 7 | Automation and Customization |
| 8 | Compliance |
| 9 | Actionable Intelligence |
With our combined agentless (API-only connections) and agent-based solution, Exium provides complete visibility and context into every layer of your cloud: from cloud services, IaaS, and PaaS to the packages, operating systems, and hosted databases installed within workloads, all while eliminating friction, management overhead, and blind spots.
| With our agent, you receive: | Our combined approach tells you: |
|---|---|
| Host intrusion detection (HIDS) and file integrity monitoring (FIM). User, application, and process behavior monitoring. Network anomaly detection. Kubernetes, container, and workload security. Host vulnerability assessment. | What services your cloud account is accessing, and who is accessing them. What configurations have been deployed, and whether they are compliant. What your system is running, what it is talking to, and who is accessing what. What vulnerabilities exist, and whether the affected packages are active. What behaviors differ from your baseline. |
We use automation and machine learning to detect anomalies that signal malicious activity for cloud accounts and workloads deployed on AWS, Google Cloud, and Azure.
| Collect | Detect | Inform |
|---|---|---|
| Get a complete cloud account asset inventory via the agentless approach. Get data on all cloud workloads via an agent. Support AWS, Azure, Google Cloud, and Kubernetes, plus hybrid environments. Continuously monitor user, app, process, and network behavior, plus vulnerabilities and cloud configurations. | Continuously monitor users, apps, processes, and network behavior. Uncover unknown threats like abnormal logins and escalation of privileges with an anomaly-based approach. Identify malware and other known threats based on reputation scores for files, DNS, and more. Get comprehensive file integrity monitoring (FIM) that detects changes in metadata. Find cloud misconfigurations like exposed assets. Identify when cloud best practices and compliance requirements are not met. | Reduce noise and surface only the most critical events. Provide context-rich alerts and visualizations that give you the information necessary to respond rapidly. Accelerate action through integration with ticketing, messaging, and workflow applications. Eliminate alert fatigue and surface only the most critical risks. Respond quickly with context-rich visualizations and notifications. Create detailed reports for compliance. |
To unlock Cloud Security, follow the steps below:
Rapid adoption of cloud-native architectures has opened up new, broader attack surfaces, and security teams are often left in the dark without the visibility or the skill sets needed to hunt continuously, around the clock, for sophisticated threats across these complex cloud environments. As a result, adversaries are finding cloud assets and exploiting them faster than security teams can discover them.
Exium offers the industry's most advanced threat hunting service for hidden and advanced threats originating, operating, or persisting in cloud environments. Leveraging Exium's agent-based and agentless capabilities, cloud threat hunters investigate suspicious and anomalous behaviors and novel attacker tradecraft. Exium's CybeROC Cloud Threat Hunting conducts 24x7x365 operations and can prevent incidents and breaches while proactively alerting customers to cloud-based attacks, including:
To learn more about implementing Cloud Security or SASE, XDR, IAM, and GRC products for your organization and explore tailored solutions that meet your unique requirements, contact Exium at partners@exium.net for a consultation or demonstration.