How to Automatically Suspend Inactive Accounts Using Torq

Contractors, freelancers, and other temporary workers have become essential parts of the modern enterprise. For IT and security teams, these individuals present unique challenges compared to full-time workers—and potential risks. 

The offboarding process for contractors is often less formal than onboarding: many simply stop using their accounts and entitlements without anyone actually closing them. These dormant accounts pose a serious risk, because a forgotten account still carries live credentials and entitlements but has no owner watching it.

A simple solution is to monitor these accounts and deprovision them after a set period of inactivity. For organizations with dozens or even hundreds of contractors at any given time, doing this by hand does not scale, so the process needs to be automated.

How Torq automates contractor deprovisioning

Torq users can automate this process in just a few minutes with the workflow template Suspend Inactive Contractors After 7 Days of Inactivity.

By default, the workflow runs once a day and, as the name suggests, looks for logins in the past seven days. Okta and Slack are the default identity provider and chat app, respectively.

All of these settings can be customized to your organization's needs. For example, you can just as easily run once a week, look back one month, and use Azure AD and Microsoft Teams instead.

Here’s how it works:

  1. Torq pulls all active accounts with a user type of "contractor", then filters to the ones with no logins in the past seven days.
  2. The Torq chatbot sends the list to a designated Slack channel and asks for approval to suspend them.
  3. If the request is denied, or if it times out, the process stops and the Slack channel is notified.
  4. If approved, Torq tells Okta to suspend each account and logs each success or failure in case the information is needed for a later audit.
  5. Once every inactive account has been processed, a final update is sent to the Slack channel to notify the team.
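The core of that workflow in code, as an added example that is not Torq's template or Okta's SDK: the filter from step 1 and the suspend-and-log loop from step 4, written in Python against the fields the Okta user object really carries (status, created, lastLogin, profile.userType) and the real suspend endpoint. The HTTP call is injected as a callable and the accounts are constructed, so it runs offline. One point the step list leaves open is an account that has never logged in; here such an account is judged by its creation date, so a contractor onboarded yesterday is not suspended before their first sign-in.

```python
"""Inactivity check and suspension for contractor accounts in Okta (added example)."""
from datetime import datetime, timedelta, timezone

# Real Okta lifecycle endpoint; the caller supplies the HTTP client.
OKTA_SUSPEND = "/api/v1/users/{id}/lifecycle/suspend"


def _parse_ts(value):
    """Okta returns ISO-8601 timestamps such as '2023-01-15T09:30:00.000Z', or null."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_inactive_contractors(users, now, days=7):
    """Return ACTIVE users of type 'contractor' with no login in the last `days` days.
    Accounts that have never logged in are judged by their creation date, so a
    brand-new contractor is not suspended before they ever sign in (design choice)."""
    cutoff = now - timedelta(days=days)
    inactive = []
    for u in users:
        if u.get("status") != "ACTIVE":
            continue
        user_type = ((u.get("profile") or {}).get("userType") or "").lower()
        if user_type != "contractor":
            continue
        last_seen = _parse_ts(u.get("lastLogin")) or _parse_ts(u.get("created"))
        if last_seen is None or last_seen < cutoff:
            inactive.append(u)
    return inactive


def suspend_users(users, post):
    """POST .../lifecycle/suspend for each user and record the per-user outcome for audit.
    `post(path)` is an injected callable so this logic runs without network access.
    One failure does not abort the batch; it is recorded and the loop continues."""
    results = {}
    for u in users:
        try:
            post(OKTA_SUSPEND.format(id=u["id"]))
            results[u["id"]] = "suspended"
        except Exception as exc:
            results[u["id"]] = f"failed: {exc}"
    return results


# Constructed sample accounts (not real Okta data).
NOW = datetime(2023, 3, 10, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"id": "u1", "status": "ACTIVE", "created": "2022-06-01T00:00:00.000Z",
     "lastLogin": "2023-03-09T08:00:00.000Z", "profile": {"login": "a@example.com", "userType": "contractor"}},
    {"id": "u2", "status": "ACTIVE", "created": "2022-06-01T00:00:00.000Z",
     "lastLogin": "2023-02-20T08:00:00.000Z", "profile": {"login": "b@example.com", "userType": "contractor"}},
    {"id": "u3", "status": "ACTIVE", "created": "2023-03-08T00:00:00.000Z",       # onboarded 2 days ago
     "lastLogin": None, "profile": {"login": "c@example.com", "userType": "contractor"}},
    {"id": "u4", "status": "ACTIVE", "created": "2022-01-01T00:00:00.000Z",       # never used, a year old
     "lastLogin": None, "profile": {"login": "d@example.com", "userType": "contractor"}},
    {"id": "u5", "status": "ACTIVE", "created": "2022-01-01T00:00:00.000Z",
     "lastLogin": "2023-01-01T00:00:00.000Z", "profile": {"login": "e@example.com", "userType": "employee"}},
    {"id": "u6", "status": "SUSPENDED", "created": "2022-01-01T00:00:00.000Z",
     "lastLogin": "2023-01-01T00:00:00.000Z", "profile": {"login": "f@example.com", "userType": "contractor"}},
]


def demo():
    """Run the filter, then suspend with a fake client in which u4's call fails."""
    inactive = find_inactive_contractors(SAMPLE_USERS, NOW)
    ids = [u["id"] for u in inactive]

    def fake_post(path):
        if "/u4/" in path:
            raise RuntimeError("403 Forbidden")

    return ids, suspend_users(inactive, fake_post)


if __name__ == "__main__":
    print(demo())
```

Running demo() suspends u2 (last login 18 days ago) and u4 (a year old, never used) and leaves u3 alone; u4's failed call is kept in the result map rather than raised, which is the record an auditor will ask for later.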

Torq workflow for automatically suspending inactive contractors

This is a good example of how pre-built templates in Torq can help automate tedious-but-critical tasks like suspending users. It’s quick and easy to set up, and includes some powerful variables to help you tailor the workflow to your policies.

Get the workflow template

Already a Torq customer? You can find this workflow and dozens more in Torq’s template library. Just add it to your Torq account, and then connect your identity provider and chat app.

Get Started Today

Not using Torq yet? Get in touch for a trial account and see how the no-code security automation platform unifies your security, infrastructure, and collaboration tools to create a stronger security posture.

Automated Developer-First Security: Our Partnership with Snyk

Today's developers move at ever-increasing speed, making it more critical than ever to identify and resolve code vulnerabilities early in the software development lifecycle. By tackling security early, instead of waiting until testing and deployment, engineering teams can avoid unnecessary patching and maintenance cycles, reduce risk, and deliver new features on time.

Many of our customers rely on Snyk's developer-first security to keep their applications, dependencies and infrastructure-as-code free from known vulnerabilities. Snyk's integration into the tools developers use to write and deliver code ensures security issues are caught and remediated as early as possible.

We're excited to announce our partnership with Snyk as a member of its Technology Alliance Partner Program (TAPP). As a Snyk TAPP member, we can build, integrate, and go to market quickly with new solutions that address the most pressing security challenges of modern application development.

Torq's no-code automation extends the power of Snyk to any combination of security and collaboration tools in the enterprise. Developer and security teams alike benefit from automated Torq workflows that can be deployed in a few clicks from our hundreds of templates, or created with a drag-and-drop workflow builder. These workflows help ensure that Snyk's findings are triaged, assigned and remediated, no matter the speed or scale of application delivery.

Orchestrate Application Security at Speed and Scale

When Snyk detects new vulnerabilities, tracking them in a ticketing system like Jira is critical to giving teams the knowledge and visibility they need to remediate. But tickets pile up quickly, especially at the pace of modern engineering and DevOps teams, and without effective prioritization and escalation it is hard to know what to fix first, leaving your applications at risk.

Connecting Snyk and Torq addresses this problem by orchestrating ongoing triage, prioritization, and escalation workflows. These workflows keep ticket owners up to date on the latest critical- and high-severity issues Snyk detects, and escalate unresolved tickets after a set period to make sure vulnerabilities are actually addressed.

How it works

Torq's template library contains hundreds of templates for almost any security process. With just a few clicks, users can import templates into their Torq environment, then connect the workflow to their own tools or customize it as needed. Below is an example of a template that uses Snyk, Jira and Slack.

To get started, provide a Snyk API token to Torq and connect your Jira and Slack instances, then add the template from Torq's template library. The resulting workflow runs daily and does the following:

  1. Identifies all projects in Snyk that have unresolved issues of severity Critical or High.
  2. For each project, verifies that there is an open, assigned Jira ticket. If none is found, one is created automatically and assigned to the Snyk project owner, and the owner is notified in Slack.
  3. For any ticket open longer than 48 hours, a Slack message goes to the security team with two buttons: one to remind the ticket owner and one to escalate the issue. The recipients and the time period are fully customizable and can be changed in a few clicks.
    1. If escalation is chosen, a Slack message is sent to the owner's manager or another specified escalation point.
    2. If a reminder is chosen, a Slack message is sent to the ticket owner.

This process keeps high and critical vulnerabilities visible to code owners, engineering managers, and security teams, so fixes can be prioritized and delivered. Automating it eliminates the manual work of reviewing Jira tickets, matching them to Snyk issues, and sending reminders or escalations.
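How the ticket matching in step 2 and the 48-hour rule in step 3 can be expressed, as an added example that is not Torq's template or Snyk's code. It assumes one convention: each Jira ticket carries a label of the form snyk:<project id>, so a ticket can be matched back to its Snyk project (any stable key works, but without one the "is there a ticket?" check cannot be answered). Snyk issue and Jira ticket records are constructed stand-ins for API responses, and an unassigned ticket is treated like a missing one, since nobody owns the fix.

```python
"""Reconcile Snyk projects that have open critical/high issues against Jira tickets and
apply an age-based escalation rule (added example)."""
from datetime import datetime, timedelta, timezone

SEVERITIES_OF_INTEREST = {"critical", "high"}


def projects_needing_attention(snyk_issues):
    """Group unresolved critical/high issues by Snyk project (step 1)."""
    by_project = {}
    for issue in snyk_issues:
        if issue["severity"] not in SEVERITIES_OF_INTEREST or issue.get("resolved"):
            continue
        proj = by_project.setdefault(issue["project_id"], {"owner": issue["project_owner"], "issues": []})
        proj["issues"].append(issue["id"])
    return by_project


def jira_lookup_jql(project_id, jira_project="SEC"):
    """JQL that finds an open ticket for one Snyk project, via the assumed snyk:<id> label."""
    return f'project = {jira_project} AND labels = "snyk:{project_id}" AND statusCategory != Done'


def reconcile(snyk_issues, jira_tickets, now, sla=timedelta(hours=48)):
    """Return the actions the daily run should take:
      create  - projects with no open, assigned Jira ticket (step 2)
      overdue - tickets open longer than `sla`, to surface with remind/escalate buttons (step 3)"""
    wanted = projects_needing_attention(snyk_issues)
    open_by_project = {}
    for t in jira_tickets:
        if t["status_category"] == "Done":
            continue
        for label in t.get("labels", []):
            if label.startswith("snyk:"):
                open_by_project[label[len("snyk:"):]] = t
    actions = {"create": [], "overdue": []}
    for project_id, info in wanted.items():
        ticket = open_by_project.get(project_id)
        if ticket is None or not ticket.get("assignee"):
            actions["create"].append({"project_id": project_id, "assignee": info["owner"],
                                      "labels": [f"snyk:{project_id}"], "issue_ids": info["issues"]})
            continue
        age = now - ticket["created"]
        if age > sla:
            actions["overdue"].append({"key": ticket["key"], "assignee": ticket["assignee"],
                                       "escalate_to": ticket.get("manager"),
                                       "age_hours": int(age.total_seconds() // 3600)})
    return actions


# Constructed sample records (not real Snyk or Jira data).
NOW = datetime(2023, 5, 10, 12, 0, tzinfo=timezone.utc)
SNYK_ISSUES = [
    {"id": "SNYK-1", "project_id": "p-api", "project_owner": "dana", "severity": "critical", "resolved": False},
    {"id": "SNYK-2", "project_id": "p-api", "project_owner": "dana", "severity": "low", "resolved": False},
    {"id": "SNYK-3", "project_id": "p-web", "project_owner": "lee", "severity": "high", "resolved": False},
    {"id": "SNYK-4", "project_id": "p-cli", "project_owner": "sam", "severity": "high", "resolved": True},
    {"id": "SNYK-5", "project_id": "p-db", "project_owner": "kim", "severity": "high", "resolved": False},
]
JIRA_TICKETS = [
    {"key": "SEC-10", "labels": ["snyk:p-api"], "status_category": "In Progress", "assignee": "dana",
     "manager": "mgr-a", "created": NOW - timedelta(hours=72)},                      # past the SLA
    {"key": "SEC-11", "labels": ["snyk:p-web"], "status_category": "To Do", "assignee": None,
     "created": NOW - timedelta(hours=5)},                                           # open but unowned
    {"key": "SEC-12", "labels": ["snyk:p-db"], "status_category": "In Progress", "assignee": "kim",
     "manager": "mgr-b", "created": NOW - timedelta(hours=20)},                      # healthy
]


def demo():
    return reconcile(SNYK_ISSUES, JIRA_TICKETS, NOW)


if __name__ == "__main__":
    print(demo())
```

On this data the run creates a ticket for p-web (the existing one is unassigned), flags SEC-10 as 72 hours old with its escalation target, and leaves p-db and the resolved p-cli alone.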

4 Database Access-Control Methods to Automate

This post was previously published on The New Stack

Regardless of which role a person has in an organization, they will always need access to one or more databases to be able to perform the functions of their job. Whether that person is a cashier at McDonald’s or a technical account manager supporting a Fortune 500 company, data entry and retrieval is core to the services they provide. 

In this article, we will explore some of the benefits that automation brings to an organization’s data security. We will explain how introducing automation into existing database access-control methods can increase efficiency and consistency, and we will also discuss how security-focused automation adds extra layers of protection, like improved data integrity and privacy controls, that help your business stay secure.

Removing Direct Access to Databases

Before modern technologies, all client information was readily available to everyone in the office in a nearby filing cabinet. Later, that same concept was transferred to electronic databases where everyone looks up everything in “the system.” 

This model is arguably easier to build, but it doesn't scale, because all the data in each system has to be available to all employees all of the time. It also increases the manual cross-checking people must do between systems, and it brings the risk of data drift as well as a heightened risk of data leakage.

Putting automation between the people who ask for data and the databases themselves has many benefits. Automated workflows can assemble a complete view of a record by pulling each requested piece of information from its source of truth.

For example, when you pull an employee profile from an automated system, contact information comes from the HR system, information about currently assigned projects comes from a tool like Jira, and the list of corporate assets the employee has signed out is pulled from a tool like ServiceNow.

In addition, automated database access-control methods can reduce duplicate data entry, which can in turn reduce errors and drift. In the aforementioned employee profile, for example, the contact information always comes from the HR system, so the payroll system doesn’t need to have its own copy, nor does the helpdesk solution.

The Principle of Least Privilege

Adding a proxy between people and data by using automated workflows also allows you to embed security best practices and other controls. The principle of least privilege is at the core of these data access controls. 

For example, if someone is in a certain sales group, the automated solution can filter out all data that isn’t relevant to their needs. The same goes for people who pick orders in the warehouse; they don’t need to see how much every item costs or which credit cards are being used. You can make this as fine-grained as you want, but it requires that you put data access controls in place to support the safeguards.

A second approach some organizations take is to log everything and audit it against what people are supposed to be doing, rather than blocking access to the areas people don't need. This is technically easier to build, but it requires more people to run, and because it is a detective rather than a preventive control, the misuse has already happened by the time the audit catches it.

Data Access Approval Requests

The beauty of using security automation as a data broker is that it has the ability to validate data-retrieval requests. This includes verifying that the requestor actually has permission to see the data being requested. 

If the proper permissions aren’t in place, the user can submit a request to be added to a specific role through the normal request channels, which is typically the way to go. With automated data access control, this request could be generated and sent within the solution to streamline the process. 

This also allows additional context-specific information to be included in the data-access request automatically. For example, if someone requests data that they do not have access to within their role, the solution can be configured to look up the database owner, populate an access request and send it to the owner of the data, who can then approve one-time access or grant access for a certain period of time. A common scenario where this is useful is when an employee goes on vacation and someone new is helping with their clients’ needs while they are out.  

Audit Trails

As mentioned above, some organizations opt to log everything to track who is doing what. Any good data security automation solution should be able to produce extensive audit logs, and that capability can and should be used to record both positive and negative events. A positive event would be granting Fen permission to see the data she requested; a negative event would be refusing Vijay access to the records of a patient who is seen at a different branch of the clinic.

Both kinds of events can be mined for trends. Every time Netflix alerts you that you've logged in from a new location, for example, it is because a successful authentication was logged and a backend process acted on that event when it arrived.
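The three ideas above, a least-privilege filter in front of the data, an access request generated when the filter denies, and an audit record for both outcomes, fit together in one small broker. This is an added illustration, not Torq's or any vendor's code: the orders table, the policy, the owner directory and the users are all constructed, and the policy maps a role to the columns it may see plus a row predicate that can depend on the requester's own attributes (a sales rep sees only their region, a warehouse picker sees no prices or card data).

```python
"""Role-aware data broker with audit logging and access-request generation (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample table whose columns differ in sensitivity.
ORDERS = [
    {"order_id": 1, "item": "router", "qty": 2, "unit_cost": 120.0, "card_last4": "4242", "region": "east", "customer": "acme"},
    {"order_id": 2, "item": "switch", "qty": 1, "unit_cost": 900.0, "card_last4": "1111", "region": "west", "customer": "globex"},
    {"order_id": 3, "item": "cable", "qty": 50, "unit_cost": 3.5, "card_last4": "9999", "region": "east", "customer": "initech"},
]
TABLE_OWNERS = {"orders": "dba-orders@example.com"}   # hypothetical data-owner directory

# Least-privilege policy: per role and table, the visible columns and a row predicate (row, user) -> bool.
POLICY = {
    "warehouse": {"orders": {"columns": {"order_id", "item", "qty"}, "rows": lambda r, u: True}},
    "sales": {"orders": {"columns": {"order_id", "customer", "qty", "unit_cost"},
                         "rows": lambda r, u: r["region"] == u.region}},
}


@dataclass
class User:
    name: str
    role: str
    region: str = ""


@dataclass
class AuditEvent:
    when: datetime
    user: str
    table: str
    requested: tuple
    outcome: str          # "allow" or "deny"
    detail: str = ""


def _table(name):
    return {"orders": ORDERS}[name]


@dataclass
class Broker:
    audit: list = field(default_factory=list)
    requests: list = field(default_factory=list)

    def query(self, user, table, columns, now=None):
        """Return (rows, None) when entitled, or (None, access_request) when not.
        Both outcomes are written to the audit log."""
        now = now or datetime.now(timezone.utc)
        grant = POLICY.get(user.role, {}).get(table)
        wanted = set(columns)
        allowed = grant["columns"] if grant else set()
        if grant is None or not wanted <= allowed:
            missing = sorted(wanted - allowed)
            self.audit.append(AuditEvent(now, user.name, table, tuple(columns), "deny", f"not entitled to {missing}"))
            # A denial is not a dead end: raise a scoped request with the data owner.
            req = {"requester": user.name, "table": table, "columns": missing,
                   "owner": TABLE_OWNERS.get(table), "status": "pending"}
            self.requests.append(req)
            return None, req
        rows = [{c: r[c] for c in columns} for r in _table(table) if grant["rows"](r, user)]
        self.audit.append(AuditEvent(now, user.name, table, tuple(columns), "allow", f"{len(rows)} rows"))
        return rows, None


def demo():
    broker = Broker()
    t0 = datetime(2023, 1, 1, tzinfo=timezone.utc)
    picker_rows, _ = broker.query(User("fen", "warehouse"), "orders", ["order_id", "item", "qty"], now=t0)
    sales_rows, _ = broker.query(User("vijay", "sales", region="east"), "orders",
                                 ["order_id", "customer", "unit_cost"], now=t0)
    denied, request = broker.query(User("vijay", "sales", region="east"), "orders",
                                   ["order_id", "card_last4"], now=t0)
    return {"picker_rows": picker_rows, "sales_rows": sales_rows, "denied": denied,
            "request": request, "audit": [(e.user, e.outcome) for e in broker.audit]}


if __name__ == "__main__":
    print(demo())
```

The picker gets every order but never a price or a card number; the east-region rep gets orders 1 and 3 only; the card-number request is denied, logged as a negative event, and turned into a pending request addressed to the table's owner, who can grant one-time or time-boxed access.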

Automated Data Access Workflows

As we outlined above, incorporating secure data-access workflows that are run within automation frameworks into your existing business processes improves the integrity of the data being moved and ensures better privacy controls by showing only the data that is required. It also exposes more metrics, which can be tracked to find more areas that can be optimized and more places where additional automation might add more value. Companies like Torq can help organizations introduce data security automation into their infrastructure. Torq’s solutions are designed to address common scenarios as well as high-value use cases.

How to Automate Intune Device Reports with Torq

Whether for managing remote teams, supporting ‘bring your own device’ (BYOD) policies, or simply another layer in a data protection strategy, services like Microsoft Intune offer greater control over the devices on your network. But using the data from these services often requires tedious prep work, and this process is likely repeated multiple times a week, if not daily. 

Tedious, repetitive, structured: these are all signs that a process can and should be automated. Torq offers dozens of pre-built templates to help security teams add efficiency to processes like these. Here we’ll show a workflow that automatically generates a daily report on device compliance from Intune, and delivers it to Slack. 

How Torq can automate device compliance reports  

The default trigger for this workflow runs once a day, but you can change the schedule to suit your needs. Similarly, the default chat application is Slack, but switching to Microsoft Teams or another app takes just a few clicks.

Here’s how it works:

  1. Torq obtains an access token and pulls the list of managed devices from Intune, then filters for the ones reported as non-compliant.
  2. It loops through each of those devices looking for a registered user, then splits the list based on whether a user was found.
  3. Next it generates the report itself, built from a set of pre-defined messages that you can customize.
  4. Finally, it sends everything to a designated Slack channel.
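The same four steps against Microsoft Graph, as an added example that is not Torq's template: the token request and the managedDevices query are real Graph endpoints and fields (complianceState, userPrincipalName, lastSyncDateTime; the app needs the DeviceManagementManagedDevices.Read.All application permission), while the HTTP client is injected and the two-page device listing is constructed so the code runs offline. The paging loop is the part a hand-rolled report most often gets wrong: Graph returns results in pages, and a report that reads only the first page silently under-counts.

```python
"""Daily non-compliant device report from Intune via Microsoft Graph (added example)."""
GRAPH = "https://graph.microsoft.com/v1.0"
# Server-side filter keeps the payload to non-compliant devices; $select trims the fields.
DEVICES_URL = (GRAPH + "/deviceManagement/managedDevices"
               "?$filter=complianceState eq 'noncompliant'"
               "&$select=id,deviceName,operatingSystem,complianceState,userPrincipalName,lastSyncDateTime")


def token_request(tenant_id, client_id, client_secret):
    """URL and form body for an app-only (client credentials) Graph token."""
    return (f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
            {"grant_type": "client_credentials", "client_id": client_id,
             "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default"})


def fetch_all(get, url):
    """Follow @odata.nextLink until the collection is exhausted (step 1)."""
    items = []
    while url:
        page = get(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def build_report(devices):
    """Split by registered user (step 2) and render the Slack text (step 3)."""
    # Filter client-side too, in case a caller fetched without the $filter above.
    noncompliant = [d for d in devices if d.get("complianceState") == "noncompliant"]
    with_user = [d for d in noncompliant if d.get("userPrincipalName")]
    without_user = [d for d in noncompliant if not d.get("userPrincipalName")]
    lines = [f"*Intune compliance report:* {len(noncompliant)} non-compliant device(s)"]
    for d in with_user:
        lines.append(f"- {d['deviceName']} ({d.get('operatingSystem', '?')}) assigned to "
                     f"{d['userPrincipalName']}, last sync {d.get('lastSyncDateTime', 'unknown')}")
    for d in without_user:
        lines.append(f"- {d['deviceName']} ({d.get('operatingSystem', '?')}) has NO registered user; check enrollment")
    return {"with_user": with_user, "without_user": without_user, "text": "\n".join(lines)}


# Constructed two-page Graph response standing in for a live tenant.
FAKE_PAGES = {
    DEVICES_URL: {"value": [
        {"id": "d1", "deviceName": "LAPTOP-01", "operatingSystem": "Windows", "complianceState": "noncompliant",
         "userPrincipalName": "ana@example.com", "lastSyncDateTime": "2023-04-01T07:00:00Z"},
        {"id": "d2", "deviceName": "KIOSK-7", "operatingSystem": "Android", "complianceState": "noncompliant",
         "userPrincipalName": None, "lastSyncDateTime": "2023-03-20T07:00:00Z"},
    ], "@odata.nextLink": DEVICES_URL + "&$skiptoken=page2"},
    DEVICES_URL + "&$skiptoken=page2": {"value": [
        {"id": "d3", "deviceName": "MAC-22", "operatingSystem": "macOS", "complianceState": "noncompliant",
         "userPrincipalName": "bo@example.com", "lastSyncDateTime": "2023-04-02T07:00:00Z"},
    ]},
}


def demo():
    devices = fetch_all(lambda url: FAKE_PAGES[url], DEVICES_URL)
    return build_report(devices)   # step 4 would post demo()["text"] to Slack


if __name__ == "__main__":
    print(demo()["text"])
```

With a real client, `get` would send the bearer token from token_request() in the Authorization header; the report logic does not change.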

A segment of the workflow template available in Torq

This is a good example of how a relatively simple, pre-built template can make a big impact on recurring security activities. With just a few minutes of setup, you can eliminate hours of tedious work and improve your compliance efforts. 

Get the workflow template

Already a Torq customer? You can find this workflow—Generate report on non-compliance devices (Intune)—and many more in the template library. Just add it to your Torq account, provide your Microsoft credentials, specify the report frequency, and enjoy. 

Or, check out some of the other device management templates like Provide temporary device admin rights for Mac users, Rename new mobile device to ‘User–Serial Number’, or  Add/Remove Azure AD users from global lists.

Get Started Today

Not using Torq yet? Get in touch for a trial and see how our no-code automation platform can add efficiency to your operations and improve overall security posture.

Automated Threat Hunting: A Closer Look

This post was previously published on The New Stack

Proactively finding and eliminating advanced threats through threat hunting is a growing necessity for many organizations, yet few have enough resources or skilled employees to do it effectively. For those who do have an active threat hunting program, the process is often manual and time consuming. 

With security automation, however, you can codify hunting logic as rules that run against the latest threat data, so that routine, expert-level hunts execute automatically and at machine speed.

Security automation removes two major roadblocks to efficient threat hunting: a shortage of in-house expertise and the difficulty of applying threat intelligence from outside sources to your own environment. Other advantages include shrinking a threat's exposure window, running multiple hunts simultaneously, and applying the same procedure consistently every time.

Automating threat hunting can also help cloud and cloud-native enterprises speed up their network security processes, lower operating costs and improve their ability to respond quickly to advanced cybersecurity threats. This article delves deeper into the threat hunting use cases discussed in a previous Torq blog post, Threat Hunting Like a Pro — With Automation.

Automate EDR, XDR, SIEM and Other Queries

To kick-start security automation in threat hunting, your first steps should include investing in the platforms that produce the signals: extended detection and response (XDR), security information and event management (SIEM), endpoint detection and response (EDR) and anomaly detection. Querying these tools is traditionally a manual task, but with an automation layer such as Torq their detection rules and alerts can kick off distributed searches and reach conclusions automatically whenever a new attack technique is reported. Bringing the platforms together in one place also streamlines response to their alerts.

SIEMs, EDRs, XDRs and similar tools analyze security events in near real time to support investigation, early detection and incident response. They provide detailed alert information covering endpoints, cloud workloads, networks, email and identity systems. Torq workflows can be triggered by events from these existing systems, such as SIEM alert rules, EDR/XDR detections and anomaly alerts, and the information from each system can be correlated and analyzed to identify potentially malicious activity and indicators of compromise.

Share Threat Hunting Templates with Your Team Members

SOC teams build custom templates and share them with team members so that everyone follows the most efficient hunting workflow. These templates serve as playbooks for automating investigations triggered by the SIEM/EDR/XDR queries discussed above: the signals and alerts are grouped by detection type and listed with their scores and associated context. Once the alerts have been contextualized, team members single out groups for in-depth investigation according to the workflow templates.

With Torq, suspicious files attached to an alert can be detonated in a sandbox, and the findings are then reviewed to determine whether the files are malicious.
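The grouping-and-context step in code, as an added example rather than Torq's own playbook logic: alerts from an EDR and a SIEM are bucketed by detection type, each bucket is scored from its highest severity, from how many independent tools saw the same activity, and from the criticality of the assets involved, and the hosts, indicators, sources and owners are attached so the hunter has context before opening the investigation. The alerts, asset tiers and scoring weights are constructed for the example.

```python
"""Group raw SIEM/EDR alerts by detection type, score and contextualize each group (added example)."""
from collections import defaultdict

SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}

# Constructed asset context; a real workflow would pull this from a CMDB or the EDR console.
ASSET_CONTEXT = {
    "db-01": {"tier": "crown-jewel", "owner": "platform"},
    "laptop-42": {"tier": "endpoint", "owner": "sales"},
}


def group_alerts(alerts, context=ASSET_CONTEXT):
    """One bucket per detection type becomes one investigation, ranked by score.
    Score = highest severity weight in the bucket
            + 1 per additional source that independently reported it (corroboration)
            + 5 if any affected host is a crown-jewel asset."""
    buckets = defaultdict(lambda: {"alerts": [], "hosts": set(), "sources": set(),
                                   "indicators": set(), "severity": 0})
    for a in alerts:
        b = buckets[a["detection_type"]]
        b["alerts"].append(a["id"])
        b["hosts"].add(a["host"])
        b["sources"].add(a["source"])
        b["indicators"].update(a.get("indicators", []))
        b["severity"] = max(b["severity"], SEVERITY_WEIGHT[a["severity"]])
    ranked = []
    for dtype, b in buckets.items():
        score = b["severity"] + (len(b["sources"]) - 1)
        if any(context.get(h, {}).get("tier") == "crown-jewel" for h in b["hosts"]):
            score += 5
        ranked.append({"detection_type": dtype, "score": score,
                       "hosts": sorted(b["hosts"]), "sources": sorted(b["sources"]),
                       "indicators": sorted(b["indicators"]), "alert_ids": b["alerts"],
                       "owners": sorted({context.get(h, {}).get("owner", "unknown") for h in b["hosts"]})})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


# Constructed alerts (not from a real environment).
ALERTS = [
    {"id": "e1", "source": "edr", "host": "laptop-42", "detection_type": "credential-dumping",
     "severity": "high", "indicators": ["sha256:aaa"]},
    {"id": "s1", "source": "siem", "host": "laptop-42", "detection_type": "credential-dumping",
     "severity": "medium", "indicators": ["sha256:aaa"]},
    {"id": "s2", "source": "siem", "host": "db-01", "detection_type": "brute-force-login",
     "severity": "high", "indicators": ["src:203.0.113.9"]},
    {"id": "e2", "source": "edr", "host": "laptop-42", "detection_type": "suspicious-macro",
     "severity": "low", "indicators": ["sha256:bbb"]},
]


def demo():
    return group_alerts(ALERTS)


if __name__ == "__main__":
    for group in demo():
        print(group["score"], group["detection_type"], group["hosts"], group["owners"])
```

The brute-force group outranks the credential-dumping group only because it touches a crown-jewel host; without asset context the two tools corroborating each other on laptop-42 would have put credential dumping first, which is exactly the kind of trade-off the scoring weights should make explicit.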

Trigger Search Processes With Workflows

Workflows can launch search processes across various systems to identify further events and evidence, reducing the manual investigation and decision-making needed during tense periods. Examples include EDR/MDM searches, SIEM and log store searches, and email and storage searches. Workflows can also perform additional investigation steps, enrich case management systems and initiate remediation for each finding.

Use Playbooks for Automated Incident Response

Once a potential threat has been identified, incident response becomes the most important task. Playbooks serve as the procedures for threat analysis and automated response, and during ad-hoc investigations they can be launched on demand to show the team the next steps in blocking, containing or remediating the threat.

Trigger Remediation

Upon discovering a threat, a remediation trigger is raised to your SOC team to start the remediation workflows. At this stage the team is assumed to have a thorough grasp of the threat and its possible consequences, based on the indicators of compromise detected. Remediation aims to remove the threat precisely while minimizing organizational damage.

The threat hunter’s remediation technique is determined by the sophistication of the hunter and the attack. Basic remediation procedures may be useful in removing the threat in some circumstances. Advanced attackers, on the other hand, can detect and bypass these actions, necessitating more thorough countermeasures. Killing processes, forcing a computer to reboot and restoring from a backup are all examples of basic remediation tactics.

The cyber threat landscape is evolving, and new threats (such as fileless malware) are being developed with the explicit intention of evading existing threat hunting tactics. Multi-stage methods of subtly investigating the initial threat vector, monitoring the state of the affected systems and surgically eliminating the malicious code within the system are some of the more sophisticated threat remediation strategies.

Torq, for example, can remediate a malicious file by quarantining it with the EDR, deleting it from cloud storage, quarantining it in the mailbox, and registering it with the EDR so that future copies are detected.

Giving Security Professionals an Edge

Without automation, effective threat hunting is out of reach for most organizations. Automated threat hunting gives security professionals the tools and the time they need to stay ahead of an increasing number of sophisticated threats and protect the network from cyberattacks.

Seamlessly Secure Your Cloud Workloads

This post was previously published on The New Stack

You’ve secured your cloud identities. You’ve hardened your cloud security posture. You’ve configured strong cloud access controls. But there’s still one more thing you need in order to secure your cloud environment: a cloud workload protection platform, or CWPP. 

Cloud workload protection platforms secure the workloads that run on your cloud — which are distinct from the infrastructure, user identities and configurations that form the foundation of your cloud environment.

This article unpacks why a CWPP is a critical ingredient in any cloud security strategy. It explains how CWPPs work, identifies examples of workloads that you can secure with CWPPs  and discusses the importance of automation within the context of a CWPP.

What Is Cloud Workload Protection?

Cloud workload protection is the practice of securing workloads that you deploy in the cloud. In other words, cloud workload protection mitigates risks that exist at the workload level of your cloud environment, as opposed to the infrastructure or configuration level.

The workloads in question could be software, data or a combination thereof that your organization hosts in the cloud. For example, cloud workload protection could apply to the operating system and application running in a cloud-based VM instance, or it could secure the data inside an object storage bucket.

What Is a CWPP?

Tools that provide cloud workload protection are often called cloud workload protection platforms, or CWPPs. Protecting cloud workloads is important because most other types of cloud security practices don’t address workload risks.

Cloud security posture management, or CSPM, alerts you to problems within cloud infrastructure configurations that could create security issues, like IAM policies that provide public access to sensitive data. But CSPM doesn’t cover configuration risks within workloads, such as a lack of encryption for data as it moves within an application.

Likewise, you can track cloud metrics and logs to identify potential security threats. But that data originates mostly from cloud IaaS providers, not individual applications, so it does little to reveal security risks that are specific to applications or data you’ve deployed in the cloud.

CWPP solutions fill these gaps by ensuring that you can protect the code and data that actually run on your cloud, not just the underlying cloud environment.

It’s also worth noting that cloud workload protection platforms help you secure workloads across multiple clouds. Because CWPPs focus on your workload rather than the cloud that hosts it, you can use cloud workload protection to identify security risks in any type of cloud-based workload, even as it moves across clouds.

CWPPs at Work: Some Examples

To contextualize cloud workload protection further, consider how it applies in the following domains.

Containers

When you deploy cloud workloads using containers, you must address container-specific security challenges. You need to make sure that containers don't run in privileged mode, for example, and you must scan container images for malware and vulnerable packages.

Cloud workload protection for containers ensures that you have the specific processes in place that are required to protect containerized workloads, independent of other security processes that you apply to your cloud environment.

Kubernetes Security

Kubernetes, too, poses a variety of special security challenges that can only be addressed at the workload level. You must ensure that Kubernetes role-based access control policies and security contexts are configured properly, for instance. You should also use Kubernetes audit logs to monitor for potential security risks that arise within your Kubernetes environment.
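What a workload-level check of the kind described for containers and Kubernetes looks like in practice, as an added example that is not any CWPP vendor's code. It inspects a pod spec (or the pod template inside a Deployment, StatefulSet, DaemonSet or Job) for the settings named above, privileged mode and the securityContext fields, plus a few neighbours a reviewer would check at the same time: privilege escalation, a writable root filesystem, dangerous added capabilities, and host namespace sharing. The two manifests are constructed; the field names and defaults are Kubernetes' own (allowPrivilegeEscalation defaults to true, runAsNonRoot set on the pod applies to containers that do not override it).

```python
"""Workload-level security checks over Kubernetes pod specs (added example)."""

DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "ALL"}


def check_pod(manifest):
    """Return a list of (container, rule, message) findings for one Pod or workload object."""
    spec = manifest.get("spec", {})
    if "template" in spec:                       # Deployment, StatefulSet, DaemonSet, Job
        spec = spec["template"].get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        name = c.get("name", "<unnamed>")
        if sc.get("privileged"):
            findings.append((name, "privileged", "container runs in privileged mode (full host device access)"))
        # Pod-level runAsNonRoot applies unless the container overrides it.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append((name, "runAsNonRoot", "runAsNonRoot is not enforced"))
        if sc.get("allowPrivilegeEscalation", True):          # Kubernetes default is true
            findings.append((name, "allowPrivilegeEscalation", "allowPrivilegeEscalation should be false"))
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append((name, "readOnlyRootFilesystem", "root filesystem is writable"))
        added = set(sc.get("capabilities", {}).get("add", []))
        if added & DANGEROUS_CAPS:
            findings.append((name, "capabilities", f"dangerous capabilities added: {sorted(added)}"))
    if spec.get("hostPID") or spec.get("hostNetwork"):
        findings.append(("<pod>", "hostNamespaces", "pod shares the host PID or network namespace"))
    return findings


# Constructed manifests: one weak, one hardened.
WEAK_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "agent"},
            "spec": {"hostNetwork": True,
                     "containers": [{"name": "agent", "image": "example/agent:1",
                                     "securityContext": {"privileged": True}}]}}

HARDENED_DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "api"},
                       "spec": {"template": {"spec": {
                           "securityContext": {"runAsNonRoot": True},
                           "containers": [{"name": "api", "image": "example/api:1",
                                           "securityContext": {"allowPrivilegeEscalation": False,
                                                               "readOnlyRootFilesystem": True,
                                                               "capabilities": {"drop": ["ALL"]}}}]}}}}


def demo():
    return {"weak": check_pod(WEAK_POD), "hardened": check_pod(HARDENED_DEPLOYMENT)}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, len(findings), "finding(s)")
        for f in findings:
            print("  ", *f)
```

The weak pod produces five findings, the hardened deployment none; in a CWPP these checks run continuously against what is actually deployed, not only against manifests in a repository, so drift introduced by a kubectl edit is caught as well.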

Virtual Machine Security

Even if your cloud VM service is properly configured, security issues may lurk inside your VMs. The images you use could contain malware, or simply configurations (like the absence of a kernel hardening framework such as SELinux or AppArmor) that lead to a weak security posture. Cloud workload protection alerts you to these risks.

Vulnerability Scanning

Vulnerabilities can arise in any number of places across a cloud environment — within applications, within operating systems, within container images and so on.

Cloud workload protection lets you scan for vulnerabilities across all components and layers of your workloads. Think of it as one-stop shopping for vulnerability discovery and management at the workload level, regardless of which workloads you run or which clouds host them.

Serverless Security

Serverless functions abstract applications from the underlying server environment, which reduces potential attack surfaces. But the functions themselves could still contain vulnerabilities. They could also be configured in ways that increase risks. Cloud workload protection automatically discovers problems like these within serverless functions.

Application Security

Cloud-based applications come in many forms, but they can all contain security risks — such as malware, vulnerable software components and a lack of security controls like encryption. By scanning applications for risks like these, cloud workload protection helps ensure application security across your cloud environment.

Choosing a Cloud Workload Protection Platform 

When integrating cloud workload protection into your cloud security strategy, strive to implement a solution that is:

  • Fully automated, because you can’t feasibly manage workload-level security risks by hand.
  • Cloud-agnostic, so you can deploy to secure any workload on any cloud.

A service such as Torq.io meets both of these requirements. It lets anyone, not just cybersecurity experts but any member of your organization, define security rules that workloads must meet, and then automatically and continuously checks your cloud workloads for deviation from those rules.

The result is automated, policy-driven cloud workload protection, regardless of how your cloud environment is configured or what you run on it.

Automatically Add IP Addresses to a Penalty Box in Cloudflare with Torq

Good security comes from strong defenses, but strong security also depends on speed. This is especially true for network security, where minutes can make the difference between a breach and a near miss.

For example, if an unknown IP address triggers an alert for suspicious or abusive behavior, the faster you can isolate and block that address, the less likely it is that the person or entity at the other end can do damage. But the time it takes for a human to look up the IP address, verify it, then add it to a penalty box or blocklist can very easily use up those few minutes. 

With Torq, you can automate the process by using a Slack command to add the address to a list within seconds. 

How Torq automates IP penalty boxing in Cloudflare

All Torq users have access to the pre-built workflow template Network – IP Penalty Box with Timeout via Slack (Cloudflare). This flow will check whether an IP address is IPv4 or IPv6, add it to the appropriate penalty box, wait for a set duration, then remove it.

Here’s how it works:

    1. A trigger is sent to Torq with the offending IP address.
    2. Torq verifies which type of address it is handling (IPv4 or IPv6).
    3. The address is then added to the IP Access Rules in Cloudflare.
    4. If the block was successful, Torq waits for the set duration and then removes the block when it expires.
    5. If no address is provided with the trigger, or the address cannot be identified as either IPv4 or IPv6, an error message is sent to the requesting user.
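The classify, block, wait, release sequence in code, as an added example that is not Torq's template. The Cloudflare pieces are real: IP Access Rules are created with POST /zones/{zone_id}/firewall/access_rules/rules and removed with DELETE on the rule ID, and a single address uses configuration.target "ip" for IPv4 or "ip6" for IPv6 (a CIDR block would need "ip_range", so ranges are rejected here rather than mis-filed). The HTTP calls are injected, the zone ID and rule IDs are made up, and the wait step is replaced by a closure the caller invokes when the penalty expires.

```python
"""Cloudflare IP penalty box: classify the address, add an IP Access Rule, release it later (added example)."""
import ipaddress
from datetime import datetime, timedelta, timezone

CF_API = "https://api.cloudflare.com/client/v4"


def classify(value):
    """Return ('ip', addr) for IPv4 or ('ip6', addr) for IPv6; raise ValueError otherwise."""
    value = (value or "").strip()
    if not value:
        raise ValueError("no address supplied")
    if "/" in value:
        raise ValueError(f"{value!r} is a range; single addresses only")
    addr = ipaddress.ip_address(value)            # raises ValueError on anything that is not an IP
    return ("ip" if addr.version == 4 else "ip6"), str(addr)


def penalty_rule(value, note="torq penalty box"):
    """Request body for POST {CF_API}/zones/{zone_id}/firewall/access_rules/rules."""
    target, addr = classify(value)
    return {"mode": "block", "configuration": {"target": target, "value": addr}, "notes": note}


def penalty_box(value, zone_id, post, delete, now, duration=timedelta(minutes=30)):
    """Place the block and hand back a release() closure plus its due time.
    Bad input and rejected rules are reported, not raised, so the workflow can message the requester."""
    try:
        body = penalty_rule(value)
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    resp = post(f"{CF_API}/zones/{zone_id}/firewall/access_rules/rules", body)
    if not resp.get("success"):
        return {"ok": False, "error": f"cloudflare rejected rule: {resp.get('errors')}"}
    rule_id = resp["result"]["id"]

    def release():
        return delete(f"{CF_API}/zones/{zone_id}/firewall/access_rules/rules/{rule_id}")

    return {"ok": True, "rule_id": rule_id, "target": body["configuration"]["target"],
            "expires": now + duration, "release": release}


def demo():
    """Drive the flow with fake Cloudflare calls over four candidate inputs."""
    deleted = []

    def fake_post(url, body):   # Cloudflare responses carry success/errors/result
        return {"success": True, "errors": [], "result": {"id": "rule-" + body["configuration"]["value"]}}

    def fake_delete(url):
        deleted.append(url.rsplit("/", 1)[-1])
        return True

    now = datetime(2023, 6, 1, tzinfo=timezone.utc)
    results = {}
    for candidate in ["198.51.100.7", "2001:db8::1", "not-an-ip", "10.0.0.0/8"]:
        results[candidate] = penalty_box(candidate, "zone123", fake_post, fake_delete, now, timedelta(minutes=10))
    # The wait step has elapsed: release every block that was placed.
    for r in results.values():
        if r["ok"]:
            r["release"]()
    return {"results": results, "released": deleted}


if __name__ == "__main__":
    out = demo()
    for candidate, r in out["results"].items():
        print(candidate, "->", r.get("target") or r["error"])
    print("released:", out["released"])
```

Two inputs are blocked with the right target type and later released; the garbage string and the CIDR range come back as errors for the requester, which is the path step 5 describes.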

IP penalty workflow template in Torq

By default, the workflow uses Cloudflare as the network security provider, but it can be adapted to other solutions with a few clicks. Likewise, the flow is triggered by a Slack command, but it can be set to use Microsoft Teams or Webex, or even a webhook. Using a webhook as the trigger means the workflow can run without any human intervention, further improving response times and overall security posture.

Get the workflow template

Torq customers can find the IP penalty box workflow and dozens more in the template library. Just add it to your Torq account, set your preferred trigger, and determine a penalty box duration. That’s it!  

You may also want to check out some of our related templates, such as Check periodically for new Carbon Black alerts, then handle and Use Slack command to analyze suspicious URLs and IPs in VirusTotal.

Get started with Torq

Not using Torq yet? Get in touch for a trial account and see how the no-code security automation platform unifies your security, infrastructure, and collaboration tools to create a stronger security posture.

Modern Security Operations Center Framework

This post was previously published on The New Stack

The Origins of Modern Cloud/IT Environments

With agile development, the software development life cycle has evolved to focus on customer satisfaction, enhancing product features based on user feedback. This shortens time to market, since teams can release a minimum viable product and then continuously improve it. Agile encourages team cooperation through sprints, daily standups, retrospectives, testing, quality assurance and deployment. Through continuous integration and continuous delivery (CI/CD), along with the integration of security into the delivery process, teams can deliver software faster.

Yet as more businesses adopt cloud computing, cybersecurity threats grow, because bad actors target vulnerabilities in complex hybrid infrastructures that include public cloud services. SecOps therefore plays a crucial role in ensuring that DevOps teams prioritize security. Modern security tools and frameworks help SecOps teams keep deployments automated and free of downtime while reducing the attack surface.

Security Operation Center (SOC) and SecOps Evolution

Traditionally, security was an afterthought in most IT environments. It was structured as a siloed department and only came to the forefront when an incident had been discovered. Key organizations, such as government agencies, had network operations centers (NOCs), which focused on detecting incidents in their network devices. 

While traditional security operations centers (SOCs) were reactive to security threats and attacks, the next generation of SOCs takes a more proactive approach using automation and real-time security information and event management (SIEM). Modern SOCs are more sophisticated. They emphasize collaboration between people, technologies and processes to thoroughly monitor and investigate security events in real time, which enables them to prevent, detect, and respond to cyberattacks. They go above and beyond standard security compliance by establishing cyber defense and incident response centers that collaborate to manage threat intelligence and system security.

Cyber warfare has never been more complex, and the bad news is that it is only becoming more advanced and more pervasive. Security operations and SOCs are under increasing pressure to identify and respond to threats quickly, as well as to harden defenses against a growing range of threats. In response, the MITRE ATT&CK and D3FEND frameworks were developed to address many of these problems: they are used to detect, investigate and protect against security breaches and attacks in today's cloud systems.

To be successful, modern SecOps teams must be given more authority to use security solutions that replace “black box” security teams with automation, threat hunting, vulnerability management and real-time monitoring. 

What Is the MITRE ATT&CK Framework?

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge source that assists SecOps intelligence decision-makers. It's a behavioral threat model used to develop, test and improve behavior-based detection capabilities over time. Penetration testers use the MITRE ATT&CK methodology to orchestrate their attacks and locate vulnerabilities in your infrastructure, then exploit them and report their findings. It helps enterprises understand malicious behaviors and mitigate the risks and threats they face.

The MITRE ATT&CK framework catalogs adversary tactics and techniques that serve as indicators of compromise, including defense evasion techniques used to avoid detection, lateral movement techniques used to spread throughout your infrastructure, and exfiltration techniques used to steal data. Cataloging these adversarial tactics helps enterprises build a comprehensive list of known attack techniques, which SOC teams can use to find potential weaknesses and then focus on developing defensive measures.

What Is the MITRE D3FEND Framework?

MITRE D3FEND is a companion of MITRE ATT&CK. It uses a knowledge graph to provide SOC teams with defensive countermeasures to harden and protect their infrastructures based on the identified attack tactics and techniques. D3FEND complements the threat-based ATT&CK model by providing ways to counter common offensive techniques, thereby reducing a system’s potential attack surface.

How Can Modern SOCs Benefit from MITRE ATT&CK and D3FEND Frameworks?

Security breaches, which can result in serious consequences such as lost customers, lost income and damaged reputations, remain a constant threat. SOC teams can use the ATT&CK framework to measure their effectiveness in detecting, analyzing and responding to cyber intrusions. They can also use ATT&CK to better understand and document adversarial group profiles so that they can simulate possible adversarial attack scenarios and come up with cybersecurity controls. Modern SOC teams can use MITRE D3FEND to implement security solutions with the detailed countermeasures that it provides. Using the ATT&CK and D3FEND frameworks together will help teams not only identify defensive gaps, but also make more strategic security tooling decisions.

One key concept behind the MITRE ATT&CK and D3FEND frameworks is threat hunting. Threat hunting tools search for cyber threats lurking undetected on the network and on endpoints. Here at Torq, we provide a threat-hunting tool that will quickly automate your SOC workflows across extended detection and response (XDR), security information and event management (SIEM), and endpoint detection and response (EDR). Start automating today!

Automated Just-In-Time Permissions Using JumpCloud+Torq

For security teams, properly managing which users can access resources and governing the level of access those users have is about as basic as locking the door at night. 

Understandably then, there are thousands of options available to fine-tune or revoke access, and it’s likely that issues come up daily for most companies—if not hourly. But chasing alerts every time a user needs access to a new resource or manually auditing systems to see what entitlements they already have are poor uses of an analyst’s time. These are the classic signs that a process needs to be automated. 

Torq can help your team automate these controls in a number of different ways using pre-built workflows. In combination with JumpCloud, organizations can easily implement layers of security that make sense to both end-users and auditors. By quickly moving cloud-based identities among different groups, IT admins and security teams can add in the conditions of access that make sense for each resource, regardless of where the users are. 

This post focuses on just-in-time (JIT) access for temporary permissions using JumpCloud user groups and Slack. JumpCloud user groups can allow access to SSO applications, provision users, authenticate network access, and even create local profiles across Mac, Windows, and Linux devices. In this example, we will show how to easily provision access to SSO applications.

How Torq Automates JIT Permissions

This workflow runs when credentials are requested by a Slack command, and if approved, adds users to a JumpCloud user group. When the time limit for access has expired, the user will be automatically removed from the user group, revoking permissions and closing security gaps. 

How it works:

  1. A user invokes a Slack command, triggering a temporary access request. 
  2. JumpCloud then pulls the groups that the user already belongs to, and Torq compares them to applications that have been configured to provide JIT access.
  3. Slack asks the user which group they would like access to and for how long.
  4. Torq then sends the access details to a designated Slack channel and requests approval on behalf of the user.
  5. If access is rejected, or the request times out, the user is notified through Slack.
  6. If access is approved, the user is added to the group in JumpCloud and receives a notification. 
  7. When the predetermined timer expires, Torq sends a command to JumpCloud to remove the user from the group, and the user is notified through Slack.
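The grant-and-revoke logic of steps 2 through 7 as a small state machine, added here as an example and not code from Torq or JumpCloud: the groups dict and the JitAccessManager class are hypothetical stand-ins for the JumpCloud user-group API and the workflow's state, and the Slack messaging is left out. It also covers the edge cases the steps imply: an approval that arrives after the timeout is treated as a denial, and a group the user already belongs to is never offered.

```python
# Added example (not Torq's or JumpCloud's code): time-bounded group membership
# with an approval timeout and automatic revocation. The groups dict is a
# hypothetical in-memory stand-in for the identity provider's user-group API.
from dataclasses import dataclass

@dataclass
class Request:
    user: str
    group: str
    duration: int          # seconds of access the user asked for (step 3)
    created: float         # epoch seconds when the Slack command fired (step 1)
    status: str = "pending"  # pending -> approved -> expired, or pending -> denied
    expires_at: float = 0.0

class JitAccessManager:
    def __init__(self, groups, jit_groups, approval_timeout=900):
        self.groups = groups               # group name -> set of member users
        self.jit_groups = set(jit_groups)  # groups configured to allow JIT access
        self.approval_timeout = approval_timeout  # seconds before step 5 fires
        self.requests = []

    def eligible_groups(self, user):
        # Step 2: offer only JIT-enabled groups the user is not already in
        return sorted(g for g in self.jit_groups if user not in self.groups.get(g, set()))

    def request(self, user, group, duration, now):
        if group not in self.eligible_groups(user):
            raise ValueError(f"{group!r} is not available for JIT access by {user!r}")
        req = Request(user, group, duration, now)
        self.requests.append(req)
        return req

    def decide(self, req, approved, now):
        if req.status != "pending":
            return req.status
        if not approved or now - req.created > self.approval_timeout:  # step 5
            req.status = "denied"
            return req.status
        self.groups.setdefault(req.group, set()).add(req.user)   # step 6
        req.status, req.expires_at = "approved", now + req.duration
        return req.status

    def sweep(self, now):
        # Step 7: revoke every approved grant whose timer has elapsed
        revoked = []
        for req in self.requests:
            if req.status == "approved" and now >= req.expires_at:
                self.groups[req.group].discard(req.user)
                req.status = "expired"
                revoked.append((req.user, req.group))
        return revoked
```

A scheduler would call sweep() on the same cadence as the workflow's timer; the returned (user, group) pairs are what a logging step would forward to ServiceNow or Jira.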

Workflow builder in Torq showing the steps for just-in-time access

As with all workflow templates, users can modify this to align with organizational policies. For example, if a log event is required, steps can be added to log the access into ServiceNow or Jira. 

Using this workflow helps consolidate work into a single medium—Slack channels—and automates user-driven tasks like requesting access. But it still maintains the crucial “human in the loop” for determining if the access is appropriate and/or necessary. Users get access when they need it, and analysts avoid the toil of small tasks. Another win for automation.

Get the JIT Workflow Template

Torq users can find this JIT workflow in the app along with many others for managing identities and access, like Suspend Accounts with No Logins after N Days and Ask User to Confirm Failed Login Attempts.

Get Started Today

Not using Torq yet? Get in touch for a trial account and see how Torq’s no-code automation accelerates security operations to deliver unparalleled protection.

SOARs vs. No-Code Security Automation: The Case for Both

This post was previously published on The New Stack

Just a few years ago, security orchestration, automation and response (SOAR) was the new buzzword associated with security modernization.

Today, however, SOAR platforms are increasingly assuming a legacy look and feel. Although SOARs still have their place in a modern SecOps strategy, the key to driving SecOps forward today is no-code security automation.

Read on to learn what lightweight security automation means, how it compares to SOAR and why SOARs alone won’t help you stay ahead of today’s security threats.

What Is a SOAR?

A SOAR is a platform designed to help security teams detect, understand and manage their response to security threats.

Over the past decade or so, SOARs have become a key foundational tool for many security teams. That's due especially to the fact that SOARs solve many of the problems associated with security information and event management (SIEM) platforms, the old standby tool for security engineers.

What Is No-Code Security Automation?

Just as first-gen SOARs replaced SIEMs, a new category of security tools is replacing, or at least enhancing, SOARs: no-code security automation.

No-code security automation refers to tools that anyone – not just security engineers – can use to define risks, enforce security rules and remediate threats automatically. These tools use a codeless (think: drag-and-drop and non-technical) automation approach to security, which allows businesses to manage risks without drawing on specialized engineering expertise.

SOARs vs. No-Code Security Automation

It would be wrong to think of SOARs and lightweight, no-code security automation platforms as being completely distinct types of solutions. SOARs and codeless platforms overlap in the following ways:

  • Automation: Both solutions enable automated risk identification and management.
  • Efficiency: SOARs and lightweight security tools are designed to help organizations manage risks more effectively.
  • Going beyond threat detection: Unlike SIEMs, SOARs and lightweight security frameworks don't just detect risks and send alerts; they can also be used to manage risk response.
  • Threat intelligence: Both categories of tools draw on threat intelligence data to help identify and assess the newest types of security risks.
  • Integrations: Both types of solutions can integrate with a variety of systems and environments, which means they can be used almost anywhere – on-premises, in the public cloud, in hybrid cloud environments, in multicloud architectures and so on.

But the similarities stop there. In general, lightweight no-code security automation delivers additional features and benefits that SOARs lack, including:

  • Accessibility: Lightweight security automation frameworks are easy enough for anyone to use. In this way, they allow all stakeholders, not just cybersecurity experts, to define and enforce security requirements within the systems they manage.
  • Automated response: In addition to making it easy to configure security rules, no-code automation frameworks can automate threat response based on those rules. Traditional SOARs often provide some automated remediation features, but they focus more on orchestrating threat response by cybersecurity professionals than on actually remediating the threat themselves.
  • Configuration security posture management: Traditional SOARs usually focus on identifying active risks within environments, not assessing configurations to find flaws that could enable a breach. Lightweight security automation tools do both, however, which means they can address domains like cloud security posture management (CSPM) in addition to runtime security.
  • Simple integration: While it’s possible to deploy a SOAR in a variety of environments and with many types of systems, doing so usually requires extensive configuration customizations. In contrast, no-code security automation platforms are designed to start working out of the box, across any mainstream environment, with minimal configuration tweaks.

For these reasons, SOARs increasingly fail to cut it as a standalone security solution. They have too many shortcomings to enable modern SecOps on their own.

SOARs and Lightweight No-Code Security Automation: Better Together

This is not to say that you’re required to ditch your SOAR and replace it with a lightweight security automation platform like Torq. Many businesses that have dedicated cybersecurity teams may opt to continue to use their SOARs as the place where they detect and manage the most complex threats, such as active, targeted attacks by professional threat actors.

But for managing more mundane risks – like blocking phishing emails, securing sensitive data or detecting malicious users – lightweight no-code security automation is a more practical solution. It’s much easier to deploy, and it empowers all stakeholders to support security operations, even at organizations that have minimal cybersecurity resources.

By extension, no-code security automation is the key to thriving in the face of today’s pervasive threats. When you operate in a world that sees 26,000 DDoS attacks and 4,000 ransomware attacks each day, and where threat actors are constantly probing your systems for an open door, you need more agility and automated remediation than a SOAR alone can deliver.

Conclusion

SOARs are great. And if it were still, say, 2015, we’d tell you that a traditional SOAR is all you need.

But it’s not, and we won’t. Lightweight no-code security automation fills the gaps within a SOAR-based SecOps strategy, empowering businesses to build security-centric cultures and to respond to threats as comprehensively and automatically as possible.