
RedTalk: Discover, Detect, and Respond to Cloud Security Incidents Using an Extensible Language called RedLock Query Language (RQL)

06.21.18, 6:00 AM

To provide comprehensive security and operational visibility across AWS, Azure, and Google Cloud Platform (GCP) environments, and to help organizations respond to cloud security incidents, the RedLock Cloud 360 platform ingests configuration and activity data from cloud provider services such as IAM, virtual machines, storage services, and more. Once the data is ingested, we provide standard, out-of-the-box policies that look for potential security risks.

These policies are written in an internally developed, easy-to-use query language called RedLock Query Language (RQL). Because every organization's cloud environment is different, RQL is highly extensible and intuitive, allowing users to create custom queries for additional insight into their own environment. With RQL, users can ask essentially any question about their cloud environment and receive an answer within minutes.

RQL supports four types of queries:

  1. Config Queries give you deeper insight into your resource configurations. You can use RQL to look for "S3 buckets exposed to the public" or "security groups that allow internet traffic". You can also easily customize queries to, for example, filter out S3 buckets used for hosting public-facing websites, or security groups that are not attached to any EC2 instance.
  2. Network Queries let you investigate real-time network security threats in your cloud environment. You can use RQL to look for all public-facing resources that are currently receiving traffic from malicious IP addresses, or for internet-facing databases or instances that may have been compromised and used for illegal cryptomining (cryptojacking).
  3. Event Queries let you investigate, and create rules around, privileged activities and anomalous user activities. You can use RQL to look for all changes to security groups performed by a root user without MFA turned on. RQL can also find events where RedLock's machine learning detected a potential account or access key compromise.
  4. Finally, RQL can provide Host-Level Insights. You can use RQL to look for all hosts with known critical vulnerabilities, such as Spectre and Meltdown, that have overly permissive security groups and are receiving traffic from the internet.
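To make two of the checks above concrete, the following is an added example written in plain Python; it is not RQL and not RedLock's code. It runs a config check (security groups with ingress open to the whole internet, optionally restricted to groups attached to an instance) and an event check (security-group changes made by the root identity without MFA) over sample records constructed inline. The records use a simplified subset of the EC2 DescribeSecurityGroups and CloudTrail field names (`IpPermissions`, `userIdentity.type`, `sessionContext.attributes.mfaAuthenticated`); the group IDs, event IDs and user names are made up.

```python
"""Added example: two cloud-posture checks over constructed sample data.

Not RQL and not RedLock code. Records mimic a simplified subset of EC2
DescribeSecurityGroups output and CloudTrail event JSON; all IDs are made up.
"""
from typing import Any, Dict, List, Optional, Set, Tuple

# --- Config check: security groups open to the internet --------------------

# Constructed sample security groups (simplified DescribeSecurityGroups shape).
SECURITY_GROUPS: List[Dict[str, Any]] = [
    {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0b2", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0c3", "GroupName": "admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0d4", "GroupName": "unused", "IpPermissions": []},
]

# Both the IPv4 and the IPv6 "anywhere" ranges count as internet-exposed.
INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}

Rule = Tuple[Optional[str], Optional[int], Optional[int], str]


def open_ingress_rules(group: Dict[str, Any]) -> List[Rule]:
    """Return (protocol, from_port, to_port, cidr) for every ingress rule
    reachable from the whole internet. Handles missing range lists."""
    hits: List[Rule] = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in INTERNET_CIDRS:
                hits.append((perm.get("IpProtocol"), perm.get("FromPort"),
                             perm.get("ToPort"), cidr))
    return hits


def find_internet_exposed_groups(groups: List[Dict[str, Any]],
                                 attached_group_ids: Optional[Set[str]] = None
                                 ) -> Dict[str, List[Rule]]:
    """Map group id -> open rules. When attached_group_ids is given, groups
    not attached to any instance are filtered out, as the post suggests."""
    result: Dict[str, List[Rule]] = {}
    for g in groups:
        if attached_group_ids is not None and g["GroupId"] not in attached_group_ids:
            continue
        rules = open_ingress_rules(g)
        if rules:
            result[g["GroupId"]] = rules
    return result


# --- Event check: root changes security groups without MFA -----------------

# API calls that modify security groups (real EC2 action names).
SG_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}

# Constructed sample events (simplified CloudTrail shape).
EVENTS: List[Dict[str, Any]] = [
    {"eventID": "e1", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "Root", "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventID": "e2", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "Root", "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventID": "e3", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventID": "e4", "eventName": "DescribeSecurityGroups",  # read-only, not a change
     "userIdentity": {"type": "Root", "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventID": "e5", "eventName": "DeleteSecurityGroup",
     "userIdentity": {"type": "Root"}},  # no sessionContext at all
]


def mfa_authenticated(event: Dict[str, Any]) -> bool:
    """True only when the session explicitly records MFA; a missing
    sessionContext is treated conservatively as no MFA."""
    attrs = (event.get("userIdentity", {}).get("sessionContext", {})
             .get("attributes", {}))
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


def root_sg_changes_without_mfa(events: List[Dict[str, Any]]) -> List[str]:
    """Event IDs of security-group changes made by the root identity without MFA."""
    return [e["eventID"] for e in events
            if e.get("eventName") in SG_CHANGE_EVENTS
            and e.get("userIdentity", {}).get("type") == "Root"
            and not mfa_authenticated(e)]


if __name__ == "__main__":
    print(find_internet_exposed_groups(SECURITY_GROUPS))
    print(find_internet_exposed_groups(SECURITY_GROUPS, attached_group_ids={"sg-0a1"}))
    print(root_sg_changes_without_mfa(EVENTS))
```

Both checks deliberately err on the side of flagging: an event with no `sessionContext` is counted as non-MFA rather than skipped, and IPv6 `::/0` is treated the same as `0.0.0.0/0`, since either omission would hide exactly the cases a posture check exists to surface.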

To summarize, organizations can use the standard, out-of-the-box RQL policies or easily create custom RQL policies to meet their security and operational needs. Incident response teams can also use RQL to investigate potential security incidents that have impacted, or may impact, their cloud environments.
