6. Risk Management

CloudGuard raises alerts from multiple sources, such as the Compliance engine and Intelligence. With this volume of alerts, security teams do not always know which ones to address first.

Effective Risk Management (ERM) helps you prioritize remediation so that your effort has the greatest impact on reducing risk in your cloud environments. CloudGuard calculates a risk score for each cloud asset based on many inputs.

Discussion Points

  • Maximizing the productivity of security teams.

  • Visibility of each asset's risk score based on all risk vectors, context, and business priority.

  • Visibility of environments at high risk.

  • Identification of potential attack paths with Security Issues.

Instructions

Step 1

Navigate to Risk Management > Dashboard.

In the first section of the dashboard, you can see the distribution of security issues found in your cloud environments according to their severity.

Security issues represent potential attack paths obtained by identifying dangerous combinations such as an exposed asset containing sensitive data.

Security issues allow you to focus on fixing your most important threats.

Another widget shows your top security issues according to severity and number of occurrences.

Step 2

The Dashboard presents these statistics on assets at high risk in the following widgets:

  • Assets at risk (in total) - Assets with a risk score equal to or greater than 7, out of all scored assets.

  • Public - Assets that are public from a Network and IAM perspective and have a risk score equal to or greater than 7, out of all scored assets.

  • Critical / high severity secrets - Assets with a risk score equal to or greater than 7 and with exposed credentials of High or Critical severity.

  • Critical / high severity CVEs - Assets with a risk score equal to or greater than 7 and with CVEs of High or Critical severity.

  • Sensitive Data - Assets with a risk score equal to or greater than 7 and containing sensitive data.

Step 3

The Dashboard also provides you with a view of the riskiest asset types, the riskiest assets, and the risk distribution across your cloud environments.

Step 4

Navigate to Risk Management > Protected Assets to see the Risk Score of your assets.

The score ranges from 0 to 10. The assets with the highest risk score need to be addressed first.

CloudGuard recalculates the risk score every few hours, or whenever the business priority is updated.

  • Risk Score

    The risk score of an asset considers these aspects:

    • Base Risk

      • Misconfigurations

      • Vulnerabilities - CVEs in the asset code (instances, functions, and containers), Threats (malicious code running), and Secrets (exposed credentials).

    • Context Modifiers

      • Network exposure - The level of the asset's accessibility from the public domain.

      • IAM Exposure - Accessibility by external principals due to IAM configuration.

    • Business priority

      The importance of the asset to the business.

      The business priority is an optional parameter that can be defined using attributes like environment, tags, or name under Risk Management > Business Priority Rules.

Note - Risk score calculation does not include vulnerabilities with Informational and Unknown severity.
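The following is an added example, not CloudGuard's own code or scoring formula: it models the step 2 high-risk widget counts and the step 4 prioritization rule from per-asset data. The risk score itself is taken as already computed by CloudGuard; the record shape, the treatment of "public" as either Network or IAM exposure, and the sample inventory are assumptions.

```python
from dataclasses import dataclass, field

HIGH_RISK_THRESHOLD = 7  # the "Assets at high-risk" widgets count assets scored >= 7
COUNTED_SEVERITIES = {"critical", "high"}
IGNORED_SEVERITIES = {"informational", "unknown"}  # not included in the risk score (see Note)


@dataclass
class Asset:
    """Constructed record shape (assumption), not the CloudGuard data model."""
    name: str
    risk_score: float                 # 0..10, taken as already computed by CloudGuard
    network_public: bool = False      # Network exposure context modifier
    iam_public: bool = False          # IAM exposure context modifier
    cve_severities: list = field(default_factory=list)
    secret_severities: list = field(default_factory=list)
    sensitive_data: bool = False


def has_critical_or_high(severities):
    """True if any finding is Critical/High after dropping Informational/Unknown ones."""
    scorable = (s.lower() for s in severities if s.lower() not in IGNORED_SEVERITIES)
    return any(s in COUNTED_SEVERITIES for s in scorable)


def dashboard_widgets(assets):
    """Reproduce the five high-risk widget counts from the step 2 definitions."""
    at_risk = [a for a in assets if a.risk_score >= HIGH_RISK_THRESHOLD]
    return {
        "scored_assets": len(assets),
        "assets_at_risk": len(at_risk),
        # assumption: "public from a Network and IAM perspective" means either exposure
        "public": sum(1 for a in at_risk if a.network_public or a.iam_public),
        "critical_high_secrets": sum(1 for a in at_risk if has_critical_or_high(a.secret_severities)),
        "critical_high_cves": sum(1 for a in at_risk if has_critical_or_high(a.cve_severities)),
        "sensitive_data": sum(1 for a in at_risk if a.sensitive_data),
    }


def remediation_order(assets):
    """Highest risk score first, as step 4 says those assets are addressed first."""
    return [a.name for a in sorted(assets, key=lambda a: a.risk_score, reverse=True)]


# Constructed sample inventory; names and scores are illustrative only.
SAMPLE_ASSETS = [
    Asset("mongodb", 9.2, network_public=True, cve_severities=["Critical", "Medium"], secret_severities=["High"]),
    Asset("web-frontend", 7.0, network_public=True, cve_severities=["High"]),
    Asset("batch-worker", 7.5, iam_public=True, cve_severities=["Informational", "Unknown"], sensitive_data=True),
    Asset("dev-sandbox", 4.1, cve_severities=["Critical"]),  # below 7: not counted despite a critical CVE
]
```

Note that batch-worker is at risk and has sensitive data but contributes nothing to the CVE widget, because its only findings are Informational and Unknown.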

Step 5

Click on the instance mongodb (i-0610fc98ecdb7959d) to open its detailed view page:

Step 6

The Overview tab summarizes information about the security posture of the asset.

This includes the most important (top five) remediation actions needed to reduce the asset's risk.

Step 7

The demo tenant was onboarded with the AWP (Agentless Workload Posture) feature, which scanned the virtual machines (AWS EC2 instances, Azure Virtual Machines) for insecure configurations and vulnerabilities.

AWP scans without the need for an agent: it works from a volume snapshot, which is deleted after the scan has been performed.

The benefits of using AWP:

  • Deep security visibility with seamless deployment.

  • Continuous scanning for vulnerabilities, secrets, and malware.

  • Feed for CloudGuard Risk Management solution to identify and prioritize risks.

Step 8

Click on the VULNERABILITIES tab to review the AWP scan results:

It shows the most recent scan date and time.

Step 9

You can search and filter the scan results by the appropriate criteria in the Remediation Summary.

Four tabs show these types of vulnerability:

  • CVEs - Shows the scan of packages installed on the EC2 instance, covering the package managers present on the machine and all libraries, sorted by severity. Each package contains a list of the CVEs found in it, also sorted by severity. The header shows the file path, so if the package is installed in more than one place, you must apply the remediation for every found instance of the CVE.

    If the issue is fixable, the Remediation section in the header shows the way.

  • Threats - Shows malicious URLs, suspect IPs, malware, and where each of them was found.

  • Secrets - Shows insecure or exposed keys and passwords, and where each of them was found. You locate the insecure item in the code and delete it. (Coming soon)

  • Remediation Summary - Shows the contents of the three previous tabs in one location.

    For secrets and threats, it directs you to the file. For CVEs, it indicates which package requires an upgrade.

Step 10

Click on a Critical CVE that was found to display its detailed description and vector:

Step 11

Click on the Remediation Summary tab to review the suggested remediation for the mongodb (i-0610fc98ecdb7959d) instance:

Step 12

Navigate to Risk Management > Security Issues.

As explained earlier, this page lists the potential attack paths that were found in your cloud environments.

Click on an issue to see more details in the drawer that opens.