New infosec products of the week: October 30, 2020

Confluera 2.0: Enhanced autonomous detection and response capabilities to protect cloud infrastructure

Confluera XDR delivers a purpose-built cloud workload detection and response solution with the unique ability to deterministically track threats progressing through the environment. Confluera holistically integrates security signals from the environment to provide a complete attack narrative of a cyberattack in real-time, as opposed to showing isolated alerts.

Aqua Security unveils Kubernetes-native security capabilities

Aqua Security’s new Kubernetes security solution addresses the complexity and short supply of engineering expertise required to configure Kubernetes infrastructure effectively and automatically, by introducing KSPM – Kubernetes Security Posture Management – a coherent set of policies and controls to automate secure configuration and compliance.

AWS Nitro Enclaves: Create isolated environments to protect highly sensitive workloads

AWS Nitro Enclaves helps customers reduce the attack surface for their applications by providing a trusted, highly isolated, and hardened environment for data processing. Each Enclave is a virtual machine created using the same Nitro Hypervisor technology that provides CPU and memory isolation for Amazon EC2 instances, but with no persistent storage, no administrator or operator access, and no external networking.

GrammaTech CodeSentry: Identifying security blind spots in third party code

GrammaTech announced CodeSentry, which performs binary software composition analysis to inventory third party code used in custom developed applications and detect vulnerabilities they may contain. CodeSentry identifies blind spots and allows security professionals to measure and manage risk quickly and easily throughout the software lifecycle.

Protegrity Data Protection Platform enhancements help secure sensitive data across cloud environments

Built for hybrid-cloud and multi-cloud serverless computing, Protegrity’s latest platform enhancements allow companies to deploy and update customized policies across geographies, departments, and digital transformation programs. Protegrity enables businesses to turn sensitive data into intelligence-driven insights to monetize data responsibly, and support vital AI and ML initiatives.

Aqua Security unveils Kubernetes-native security capabilities

Aqua Security announced a suite of new Kubernetes-native security capabilities, providing a holistic approach to securing applications that run on Kubernetes, across the development, deployment, and runtime phases of the application lifecycle.

The company also announced significant new features in its Cloud Security Posture Management (CSPM) solution. These new capabilities, which will be generally available next week, are integrated into Aqua’s cloud native security platform, covering the spectrum of deployment options across containers, VMs and serverless functions.

In a recent research note, Gartner asserts that “Kubernetes’ inherent complexity often leads to outdated versions and misconfiguration by organizations, making clusters susceptible to compromise. Though some security mechanisms are included by design, K8s by itself is not a security offering, and security settings aren’t always enabled by default.

“Protecting a K8s cluster is a significant undertaking, requiring both substantial understanding of the underlying technology and engineering expertise to configure it all.”

Aqua’s new Kubernetes security solution addresses the complexity and short supply of engineering expertise required to configure Kubernetes infrastructure effectively and automatically, by introducing KSPM – Kubernetes Security Posture Management – a coherent set of policies and controls to automate secure configuration and compliance.

Additionally, Aqua now offers new agentless runtime protection capabilities that use Kubernetes itself to deploy security controls into pods, leveraging and extending the native capabilities built into Kubernetes.

“The large-scale use of Kubernetes, as well as developments in the threat landscape, necessitate a comprehensive approach to securing applications that goes beyond generic benchmarks, providing seamless workload protection in runtime,” noted Amir Jerbi, CTO and co-founder at Aqua.

“We’ve been working with our enterprise customers to make it easier to securely deploy and seamlessly protect applications that run on Kubernetes, while complementing our existing capabilities in Kubernetes and container security.”

Aqua KSPM includes several new and innovative capabilities:

  • Kubernetes assurance policies: With more than 20 predefined rules available out of the box, and the ability to use OPA (Open Policy Agent) Rego rules, these policies define which Pods may be deployed in a cluster based on multiple parameters. These policies work in conjunction with Aqua’s Image Assurance Policies to control which containers run in your cluster based on both their image contents and configuration, as well as Pod configuration.
  • Kubernetes roles and subjects assessment: Reduces administration overhead of maintaining Kubernetes user and service account privileges by identifying risks and suggesting their remediation. This addresses least privilege security gaps while diminishing the need for Kubernetes security expertise, which is in short supply.

These new capabilities join Aqua’s existing certified CIS benchmark testing (powered by Aqua’s open source Kube-Bench), and penetration testing (powered by Aqua’s open source Kube-Hunter), providing enterprises with comprehensive insight into the security posture of their Kubernetes cluster, and the ability to address gaps efficiently with no need for specialized expertise.

With its new Kubernetes Runtime Protection module, Aqua introduces a new model for deploying security runtime controls in a Kubernetes cluster, complementing its existing container runtime security deployment options.

This new model leverages Kubernetes Admission Controllers to deploy and govern sidecar containers within Pods, in a similar fashion to other cloud native tools such as Envoy.

This mode of deployment enables greater automation of deployment and does not require any privileges on the node’s host OS, while providing dynamic runtime controls such as container drift prevention, behavioral controls, and network controls.
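The assurance policies above decide which Pods may be deployed, and the runtime module enforces its controls through Kubernetes Admission Controllers. As an added illustration that is not part of the article or of Aqua's product, here is a minimal validating admission check in Python: a handful of policy rules (no privileged containers, no host namespaces, images only from an allowed registry, run as non-root) evaluated against the Pod object inside an AdmissionReview, producing the response a validating webhook would return to the API server. The rule set, the registry allowlist and the sample AdmissionReview are constructed for the example.

```python
"""Added illustration (not Aqua's code): a validating admission check that
decides whether a Pod may be deployed, the kind of decision the assurance
policies and admission-controller model described above automate.
The rules, the registry allowlist and the AdmissionReview sample are all
constructed for this example."""
import json
from typing import Callable, List, Optional

# Constructed allowlist; a real policy would carry the organisation's registries.
ALLOWED_REGISTRIES = ("registry.example.internal/",)

Rule = Callable[[dict], Optional[str]]  # returns a violation message or None


def _containers(pod: dict) -> List[dict]:
    """All containers in the Pod spec, init containers included."""
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def no_privileged(pod: dict) -> Optional[str]:
    bad = [c["name"] for c in _containers(pod)
           if c.get("securityContext", {}).get("privileged")]
    return f"privileged containers: {bad}" if bad else None


def no_host_namespaces(pod: dict) -> Optional[str]:
    spec = pod.get("spec", {})
    used = [k for k in ("hostPID", "hostNetwork", "hostIPC") if spec.get(k)]
    return f"host namespaces requested: {used}" if used else None


def trusted_registry(pod: dict) -> Optional[str]:
    bad = [c["image"] for c in _containers(pod)
           if not c["image"].startswith(ALLOWED_REGISTRIES)]
    return f"images outside the allowed registries: {bad}" if bad else None


def run_as_non_root(pod: dict) -> Optional[str]:
    # Container-level securityContext overrides the Pod-level default.
    pod_default = pod.get("spec", {}).get("securityContext", {}).get("runAsNonRoot", False)
    bad = [c["name"] for c in _containers(pod)
           if not c.get("securityContext", {}).get("runAsNonRoot", pod_default)]
    return f"containers that may run as root: {bad}" if bad else None


RULES: List[Rule] = [no_privileged, no_host_namespaces, trusted_registry, run_as_non_root]


def evaluate_pod(pod: dict) -> List[str]:
    """Run every rule; an empty list means the Pod passes the policy."""
    return [msg for msg in (rule(pod) for rule in RULES) if msg]


def review(admission_review: dict) -> dict:
    """Build the AdmissionReview response the API server expects from a
    validating webhook: allowed=False plus a status message listing violations."""
    req = admission_review["request"]
    violations = evaluate_pod(req["object"])
    response = {"uid": req["uid"], "allowed": not violations}
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


# Constructed AdmissionReview for a Pod that breaks every rule.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "object": {
            "apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "unsafe-pod", "namespace": "default"},
            "spec": {
                "hostPID": True,
                "containers": [{
                    "name": "app",
                    "image": "docker.io/library/ubuntu:20.04",
                    "securityContext": {"privileged": True}}]}}}}

# Constructed Pod that satisfies all four rules.
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"securityContext": {"runAsNonRoot": True},
             "containers": [{"name": "web",
                             "image": "registry.example.internal/web:1.4"}]}}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REVIEW), indent=2))
```

Each rule returns a single message so the API server's rejection carries every violation at once rather than forcing the developer through one fix per retry; in a product the rules would be expressed as Rego or a predefined rule catalogue rather than Python functions, but the decision flow is the same.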

In addition to the extensions to Kubernetes security capabilities, this latest release adds many new features and enhancements including:

  • New customizable dashboard: Provides a clear view of the overall security status of your cloud native environment with dedicated widgets for key areas, such as host and image/container security, and drag & drop design. The new dashboard supports Aqua’s RBAC model to filter viewable data according to user role permissions.
  • AWS Bottlerocket support: The new AWS operating system for running containers is now available as a protected workload platform.
  • Auto-remediation for Azure in Aqua CSPM: Aqua CSPM now provides remediation advice and auto-remediation options for Azure cloud services, previously available for AWS.
  • New compliance reports in Aqua CSPM: Aqua CSPM now provides out-of-the-box compliance reports for additional compliance reporting, including SOC 2 Type 2, ISO27001, NIST SP 800-53, and NIST CSF.
  • VM security: Now allows flexible scan scheduling, scan history review, and malware scans on mounted NFS shares.

GitHub envisions a world with fewer software vulnerabilities

After five months in beta, the GitHub Code Scanning security feature has been made generally available to all users: for free for public repositories, as a paid option for private ones.

“So much of the world’s development happens on GitHub that security is not just an opportunity for us, but our responsibility. To secure software at scale, we need to make a base-level impact that can drive the most change; and that starts with the code,” Grey Baker, GitHub’s Senior Director of Product Management, told Help Net Security.

“Everything we’ve built previously was about responding to security incidents (dependency scanning, secret scanning, Dependabot) — reacting in real time, quickly. Our future state is about fundamentally preventing vulnerabilities from ever happening, by moving security core into the developer workflow.”

The Code Scanning feature is powered by CodeQL, a powerful static analysis engine built by Semmle, which was acquired by GitHub in September 2019.

The engine can analyze code written in C, C++, C#, Java, JavaScript, TypeScript, Python and Go, but since the Code Scanning feature is built on the open SARIF standard, it can also work with third-party analysis engines available from the GitHub Marketplace.
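SARIF is what lets a third-party engine's findings show up as native code scanning alerts. As an added illustration, not code from GitHub or CodeQL, the Python below reads a SARIF 2.1.0 log and flattens each result into an alert record (tool, rule, severity, file, line, message), resolving the severity the way the format defines it: the result's own level, else the rule's default configuration, else "warning". The log, the tool name, the rule ids and the file names are constructed for the example.

```python
"""Added illustration (not GitHub's or CodeQL's code): reading a SARIF 2.1.0
log, the open interchange format code scanning accepts from third-party
engines, and turning each result into an alert record a reviewer can triage.
The log, tool name, rule ids and file names below are constructed."""
import json
from typing import Dict, List

SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-analyzer",  # constructed tool name
            "rules": [
                {"id": "EX001",
                 "shortDescription": {"text": "SQL query built from user input"},
                 "defaultConfiguration": {"level": "error"}},
                {"id": "EX002",
                 "shortDescription": {"text": "Hard-coded credential"},
                 "defaultConfiguration": {"level": "warning"}}]}},
        "results": [
            {"ruleId": "EX001",
             "message": {"text": "query string concatenates request parameter 'id'"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "EX002",
             "level": "note",  # explicit level overrides the rule's default
             "message": {"text": "password literal in config loader"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/config.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "EX999",  # no rule metadata and no location: still an alert
             "message": {"text": "unknown rule, no metadata"},
             "locations": []}]}]})

# SARIF severity levels, most severe first.
SEVERITY_ORDER = {"error": 0, "warning": 1, "note": 2, "none": 3}


def parse_sarif(text: str) -> List[Dict[str, object]]:
    """Flatten every result in every run into one alert dict.
    The level comes from the result, else from the rule's default
    configuration, else the SARIF default of 'warning'."""
    doc = json.loads(text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version {doc.get('version')!r}")
    alerts = []
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            level = (res.get("level")
                     or rule.get("defaultConfiguration", {}).get("level", "warning"))
            locs = res.get("locations") or []
            phys = locs[0].get("physicalLocation", {}) if locs else {}
            alerts.append({
                "tool": driver.get("name", "unknown"),
                "rule_id": res.get("ruleId"),
                "title": rule.get("shortDescription", {}).get("text", res.get("ruleId")),
                "level": level,
                "file": phys.get("artifactLocation", {}).get("uri"),
                "line": phys.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text", ""),
            })
    return alerts


def triage(alerts: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Most severe first, then by file and line: the order to work through."""
    return sorted(alerts, key=lambda a: (SEVERITY_ORDER.get(a["level"], 9),
                                         a["file"] or "", a["line"] or 0))


if __name__ == "__main__":
    for a in triage(parse_sarif(SAMPLE_SARIF)):
        print(f"{a['level']:<8}{a['rule_id']:<7}{a['file'] or '-'}:{a['line'] or '-'}  {a['title']}")
```

Results with no matching rule entry or no location are kept rather than dropped, since a finding a tool could not fully describe is still worth a reviewer's glance; only the SARIF version is treated as fatal, because the field layout differs between versions.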

“We want developers to be able to use their tools of choice, for any of their projects on GitHub, all within the native GitHub experience they love. We’ve partnered with more than a dozen open source and commercial security vendors to date and we’ll continue to integrate code scanning with other third-party vendors through GitHub Actions and Apps,” Baker noted.

Among the third parties that offer automated security scans via GitHub Actions are Checkmarx and DefenseCode.

“The major value add here is that developers can work, and stay within, the code development ecosystem in which they’re most accustomed to while using their preferred scanning tools,” explained James Brotsos, Senior Solutions Engineer at Checkmarx.

“GitHub is an immensely popular resource for developers, so having something that ensures the security of code without hindering agility is critical. Our ability to automate SAST and SCA scans directly within GitHub repos simplifies workflows and removes tedious steps for the development cycle that can traditionally stand in the way of achieving DevSecOps.”

Checkmarx’s SCA (software composition analysis) helps developers discover and remedy vulnerabilities within the open source components included in an application, and prioritize them according to severity. Checkmarx SAST (static application security testing) scans proprietary code bases – even uncompiled – to detect new and existing vulnerabilities.

“This is all done in an automated fashion, so as soon as a pull request takes place, a scan is triggered, and results are embedded directly into GitHub. Together, these integrations paint a holistic picture of the entire application’s security posture to ensure all potential gaps are accounted for,” Brotsos added.

Leon Juranic, CTO at DefenseCode, said that they are very excited by this initiative, as it provides access to security analysis to more than 50 million GitHub users.

“Having the security analysis results displayed as code scanning alerts in GitHub provides a convenient way to triage and prioritize fixes, a process that could be cumbersome usually requiring scrolling through many pages of exported reports, going back and forth between your code and the reported results, or reviewing them in dashboards provided by the security tool. The ease of use now means you can initiate scans, view, fix, and close alerts for potential vulnerabilities in your project’s code in an environment that is already familiar and where most of your other workflows are done,” he noted.

A week ago, GitHub also announced additional support for container scanning and standards and configuration scanning for infrastructure as code, with integration by 42Crunch, Accurics, Bridgecrew, Snyk, Aqua Security, and Anchore.

The benefits and future plans

“We expect code scanning to prevent thousands of vulnerabilities from ever existing, by catching them at code review time. We envisage a world with fewer software vulnerabilities because security review is an automated part of the developer workflow,” Baker explained.

“During the code scanning beta, developers fixed 72% of the security errors found by CodeQL and reported in the code scanning pull request experience. Achieving such a high fix rate is the result of years of research, as well as an integration that makes it easy to understand each result.”

Over 12,000 repositories tried code scanning during the beta, and another 7,000 have enabled it since it became generally available, he says, and the reception has been really positive, with many highlighting valuable security finds.

“We’ll continue to iterate and focus on feedback from the community, including around access control and permissions, which are of high priority to our users,” he concluded.

Attacks growing in both scope and sophistication, exposing gaps in the cloud native toolchain

There’s a growing, organized and increasingly sophisticated pattern of attacks on cloud native infrastructure, according to Aqua Security.

While most attacks were aimed at abusing public cloud compute resources for cryptocurrency mining, the methods used open the door for higher-value targets that leverage security gaps in container software supply chains and runtime environments.

The report provides trends and observed categories of attacks, but also explains in great detail the specific progression of several attack vectors, from the originating malicious images to the specific evasion techniques, malicious payloads, and propagation attempts.

Attacks on cloud native infrastructure

  • Container images in public registries being poisoned with Potentially Unwanted Applications (PUAs) that cannot be detected using static scanning. They spring into action only when the container is running.
  • Sophisticated evasion techniques are being used to hide attacks and make them more persistent. This includes the use of “vanilla” images that seem innocuous, disabling other malware, delaying before downloading payloads into the running container, using 64-bit encoding to obfuscate malware, and more.
  • Since the beginning of 2020, the volume of attacks has dramatically increased, suggesting that there is organized infrastructure and systematic targeting behind these attacks. More than 16,000 individual attacks were tracked back to multiple locations across the globe.
  • The main motivation of the malicious actors has been to hijack cloud compute resources to mine for cryptocurrency, but Team Nautilus has seen evidence that other objectives, such as establishing DDoS infrastructure, were also attempted.

“The attacks we observed are a significant step up in attacks targeting cloud native infrastructure. We expect a further increase in sophistication, the use of evasion techniques and diversity of the attack vectors and objectives, since the widespread use of cloud native technologies makes them a more lucrative target for bad actors,” notes Idan Revivo, Head of Team Nautilus at Aqua.

“Security teams are advised to take the appropriate measures both in their pipelines as well as runtime environments, to detect and intercept such attempts.”