January 5, 2023

Last Updated on January 15, 2024

The current state of the art in cloud security posture management (CSPM) ensures that you have a secure cloud environment and secure code based on your organizational security policy and associated checks and balances across your DevOps pipeline. That’s the “preventive” component of CSPM, which helps prevent vulnerabilities in cloud applications and infrastructure that your IT team knows about.

But what about “detective” capabilities? For example, can CSPM technology help you identify vulnerabilities in assets outside your known attack surface? An all-too-common example is an “unsanctioned” and misconfigured Dev instance in a public cloud that exposes sensitive data.

To discuss the challenges and best practices for managing cloud security enterprise-wide, Fausto Lendeborg, co-founder and Chief Customer Officer at Secberus, joined a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show as usual.

Is auto-remediation worth the risk?

A major focus of the Secberus platform is on mitigating the single biggest enterprise cloud security risk, which is misconfigurations at scale. According to Fausto, enterprises need both preventive and corrective components to their CSPM programs.

Orgs have historically been reluctant to turn on auto-remediation features in CSPM solutions. On one hand, fixing something the moment technology detects it is a powerful “shift security left” technique, which could block vulnerabilities from manifesting in a production environment.

But what about the negative potential impacts of an automated fix?

“If it’s a false positive and you break something, now you have a business risk,” Fausto explains. “What we do and the way we build [auto-remediation] is it’s configurable to the customer’s risk appetite and their remediation strategy. We have technology for detecting and notifying the correct person.”

The high value of targeted notifications

In real-world terms, sending alerts to the right people saves enormous amounts of time. It also reduces “alert fatigue” for the security team while improving the odds that important notifications won’t be overlooked. “When you inform the right person of the problem, you now are cutting the investigation time by 100x,” points out Fausto. “In the typical security world, we used to send all the alerts to the security team. But the security team doesn’t have any context on the application [the org is] building.”

Secberus puts significant emphasis on understanding each client’s application ownership scenario, so that when the platform detects security policy violations it can route the notifications most effectively.

“We have a multi-action workflow engine,” characterizes Fausto. “That allows us to prevent. If not, then we can detect across multiple channels to multiple people. And then we can also create automation to fix automatically. So, it’s an array of tooling that we provide within the platform that allows customers to say, ‘This is my strategy, and now I’m going to configure and implement my strategy using the Secberus platform.’”

How the Secberus platform works

Secberus is a full SaaS agentless application, so it doesn’t reside in the client’s DevOps code. It works by identifying changes to configurations and infrastructure to trigger an assessment of the asset(s).

“Let’s say today there was a database change,” says Fausto. “We then go and assess the entire configuration and all the assets around the database against the policies that are in place. We’re building something called a policy execution engine that, when we detect a change in the configuration, we can then execute the policies that are enabled for that enterprise on that application.”
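To make the change-triggered flow described in this section concrete (a configuration change on a database triggers policy evaluation, violations are routed to the application owner, and auto-remediation runs only where the customer’s risk appetite allows), here is a small illustrative engine. It is an added example, not Secberus code; the policy names, event shape, owner addresses and sample configuration are all constructed.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed ownership map: which team owns which application. Routing a
# violation to the owner (not a central security queue) is the point above.
OWNERS = {"billing-api": "billing-team@example.invalid"}
FALLBACK_OWNER = "security-team@example.invalid"

@dataclass
class Policy:
    name: str
    violated: Callable[[dict], bool]   # True when the config breaks the policy
    fix: Callable[[dict], dict]        # returns a corrected copy of the config
    auto_fix: bool = False             # set per customer risk appetite

@dataclass
class Outcome:
    violations: list = field(default_factory=list)   # policy names that fired
    notified: list = field(default_factory=list)     # (policy, recipient) pairs
    config: dict = field(default_factory=dict)       # config after any auto-fix

# Two hypothetical database policies with their remediations.
def db_is_public(cfg): return cfg.get("publicly_accessible") is True
def make_private(cfg): return {**cfg, "publicly_accessible": False}
def db_unencrypted(cfg): return not cfg.get("storage_encrypted", False)
def enable_encryption(cfg): return {**cfg, "storage_encrypted": True}

POLICIES = [
    Policy("db-no-public-access", db_is_public, make_private, auto_fix=True),
    Policy("db-storage-encrypted", db_unencrypted, enable_encryption, auto_fix=False),
]

def on_config_change(event: dict, policies=POLICIES, owners=OWNERS) -> Outcome:
    """Evaluate every enabled policy against the changed asset's new config."""
    cfg = dict(event["new_config"])
    out = Outcome()
    owner = owners.get(event["application"], FALLBACK_OWNER)
    for p in policies:
        if not p.violated(cfg):
            continue
        out.violations.append(p.name)
        out.notified.append((p.name, owner))   # detect: notify the right person
        if p.auto_fix:                         # fix: only where configured
            cfg = p.fix(cfg)
    out.config = cfg
    return out

# Constructed change event: a database was just made publicly accessible.
SAMPLE_EVENT = {"application": "billing-api", "asset": "db:orders",
                "new_config": {"publicly_accessible": True, "storage_encrypted": False}}
```

Running `on_config_change(SAMPLE_EVENT)` notifies the billing team of both violations but only reverts the public-access change, leaving the encryption finding for a human to act on.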


What’s next?

To hear the complete show with Fausto Lendeborg, click here.

Looking for some best-practice guidance on cloud security and compliance? The Cloud Security Alliance (CSA) has you covered: Essential Cloud Security & Compliance Tips from CSA
