A security researcher reports to the organization that a sensitive access key to the organization’s production cloud environment was found exposed on GitHub.
The organization’s CISO asks Jane to investigate whether this has led to a compromise of the cloud environment.
Jane discovers that the access key and secret token were used to log in from an unusual location and to perform activities not previously associated with that key.
Jane downloads a report that lists all anomalous activities associated with the key and shares it with management.
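The check Jane performs, as an added example that is not RedLock's code: build a per-key baseline of source IPs, regions and API actions from a period of normal use, then flag recent events that deviate from it. The events are constructed, CloudTrail-shaped records (flattened for brevity); the key ID, addresses and times are made up.

```python
"""Flag anomalous use of a cloud access key from CloudTrail-style events."""
from collections import defaultdict

# Constructed sample events: the key's normal activity over a prior period.
BASELINE_EVENTS = [
    {"accessKeyId": "AKIAEXAMPLE000001", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10", "awsRegion": "us-east-1"},
    {"accessKeyId": "AKIAEXAMPLE000001", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.10", "awsRegion": "us-east-1"},
    {"accessKeyId": "AKIAEXAMPLE000001", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.11", "awsRegion": "us-east-1"},
]
# Constructed sample events: activity after the key was found on GitHub.
RECENT_EVENTS = [
    {"accessKeyId": "AKIAEXAMPLE000001", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.10", "awsRegion": "us-east-1",
     "eventTime": "2024-05-01T09:00:00Z"},
    {"accessKeyId": "AKIAEXAMPLE000001", "eventName": "CreateUser",
     "sourceIPAddress": "198.51.100.7", "awsRegion": "eu-west-3",
     "eventTime": "2024-05-01T03:12:00Z"},
    {"accessKeyId": "AKIAEXAMPLE000001", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.7", "awsRegion": "us-east-1",
     "eventTime": "2024-05-01T03:15:00Z"},
]

def build_baseline(events):
    """Per key: the source IPs, regions and API actions seen during normal use."""
    profile = defaultdict(lambda: {"ips": set(), "regions": set(), "actions": set()})
    for e in events:
        p = profile[e["accessKeyId"]]
        p["ips"].add(e["sourceIPAddress"])
        p["regions"].add(e["awsRegion"])
        p["actions"].add(e["eventName"])
    return profile

def find_anomalies(recent, profile):
    """Return the recent events that deviate from their key's baseline, with reasons."""
    findings = []
    for e in recent:
        p = profile.get(e["accessKeyId"])
        reasons = []
        if p is None:
            reasons.append("key has no baseline")
        else:
            if e["sourceIPAddress"] not in p["ips"]:
                reasons.append("new source IP")
            if e["awsRegion"] not in p["regions"]:
                reasons.append("new region")
            if e["eventName"] not in p["actions"]:
                reasons.append("action never seen for this key")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings

def report(recent, baseline):
    """Time-ordered (time, action, source IP, reasons) rows for the management report."""
    found = find_anomalies(recent, build_baseline(baseline))
    return sorted((f["eventTime"], f["eventName"], f["sourceIPAddress"], f["reasons"])
                  for f in found)
```

In a real investigation the baseline would come from the key's full history (not a handful of events), and an unfamiliar IAM action such as creating a user from a new address is the kind of row that escalates the incident.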
Security operations teams today are being inundated by alerts that provide little context on the issue, which makes it hard to triage issues in a timely manner. Decentralized and rapidly changing cloud environments expand the threat landscape and exacerbate the issue.
Data from existing third-party vulnerability scanning tools, which identify missing patches by IP address, is not actionable, since IP addresses are constantly changing in cloud environments. RedLock correlates vulnerability data with host configurations and network traffic in the cloud to accurately pinpoint the vulnerable host, provide context on its business purpose, and ultimately determine its level of exposure, which helps prioritize patching. For example, if a vulnerable host is identified as a database that is exposed to the internet, it should be prioritized for patching.
To truly detect threats in public cloud computing environments, comprehensive visibility is necessary. RedLock takes a new AI-driven approach that correlates disparate security data sets including network traffic, user activities, risky configurations and threat intelligence. This enables it to detect complex threats and auto-remediate issues quickly. In the example above, if the vulnerable database is receiving traffic from a known malicious IP address, it should be immediately quarantined into a private network.
Investigations are challenging in public cloud computing environments because they are constantly changing. RedLock maintains snapshots of your environment so that you can investigate any current or past incidents. You can run complex queries across your environment in seconds and analyze the results with an interactive risk map. You can also get a detailed incident timeline to trace incidents. For example, you could get a timeline of a user’s activity for the past month to determine if there was any suspicious activity.
In the DevOps era, changes occur very rapidly and it is simply impossible to manually triage all issues. Not only is it important to identify which risky configuration exists in your environment, but also to determine which developer introduced it, and to have the option to automate remediation. RedLock enables you to fully automate security from incident detection to remediation. It also offers you the ability to leverage your existing investments by integrating with a number of third-party orchestration tools. For example, if the platform detects an account hijacking attempt, it can instantly disable the user’s account.