AWS Security Hub is a cloud security posture management service that performs automated, continuous security best practice checks against your AWS resources. It aggregates your security alerts (findings) in a standardized format so that you can easily take action. Security Hub makes it simple to understand and improve your security posture with automated integrations to AWS partner products.
Now you can bring Sonrai’s unique insights into Security Hub. This integration enables organizations to monitor assets and send alerts on resource configurations, compliance violations, network security risks, and anomalous user activities across AWS environments.
The Sonrai Dig Platform runs on a patented graphing technology that continually collects data and finds identity and data risks, and then provides automated (or semi-automated) remediations. The platform then classifies the risks into separate categories. With built-in operationalization features, like maturity modeling, teams see their progress in each security area over time.
A few examples of the risks that will get sent to AWS Security Hub are:
Let’s dive into how Sonrai Dig works with AWS Security Hub, and how you can monitor privilege escalation for a swimlane in your cloud environment – a critical step in improving your cloud security posture.
Sonrai Dig’s integration with AWS Security Hub allows you to view Sonrai tickets in the Security Hub console.
Sonrai uses swimlanes – logical groupings of cloud assets defined by the end customer, with owners and relevant users associated – to configure your choices with the Security Hub integration. The integration also enables users to see all of their Sonrai alerts within Security Hub with added context, including when findings have been solved within Sonrai, giving you a comprehensive log of activity across your cloud.
Here’s what Sonrai brings to Security Hub:
The above architecture diagram shows a high-level representation of the meta-data flow from the AWS Cloud Environment. When you configure the integration for Sonrai Dig and Azure Sentinel, the process looks like this:
To run this solution, you must have the following prerequisites:
Given the sheer number of identities (people and non-people) in a typical AWS deployment, evaluating privilege escalation risk is challenging. There are myriad factors: service control policies, permission boundaries, allow/deny statements, NotPrincipal, NotAction, resource statements, conditions, assumed roles, group membership, SSO users with multiple roles, and resource policies (S3, KMS, etc.), all of which make it hard to understand the effective permissions of an individual identity. It is a problem that cannot be solved by evaluating a single policy or calling a single AWS API.
Understanding escalation risk requires modeling trust relationships that allow an identity, resource (compute, container, serverless function), identity provider (SSO, Hashicorp Vault), or AWS Service to assume a role. In Sonrai, these models are created by the graph. Analytics are then run across the graph to calculate all effective permissions of an identity. The resulting records include the chain of identities allowing permission, what account the permission is applicable in, when the permission was last used, and how many times it has been used.
When the Sonrai analytics determine that an entity's effective permissions, reached via privilege escalation, violate the policies you have in place, an alert is generated in the Sonrai system. Depending on your remediation setup, this is either resolved in Sonrai, with the record of remediation appearing within Security Hub, or surfaced as a finding in Security Hub for further processing. Either way, the Sonrai graphing technology has unearthed another hidden path to policy violation that can't be seen in traditional identity management tools.
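To make the two preceding paragraphs concrete, here is an added example (not Sonrai's code, and not how the Dig platform is implemented) that models AssumeRole trust relationships as a small graph, computes an identity's effective permissions together with the chain of identities that grants each one, and shapes any escalation-only policy violation as a Security Hub finding in the AWS Security Finding Format (ASFF). The identities, roles, trust edges, permissions and account id are all constructed sample data; wildcard expansion, conditions and SCPs are deliberately left out.

```python
"""Added example: AssumeRole chains as a graph -> effective permissions -> ASFF finding.
All identities, trust edges, permissions and the account id below are constructed."""
from collections import deque

# Constructed sample: which principals may assume which roles (from role trust policies).
TRUST = {
    "user/alice": ["role/Deploy"],
    "role/Deploy": ["role/DataAdmin"],
    "role/DataAdmin": [],
    "user/bob": [],
}
# Constructed sample: permissions each principal holds directly (no wildcard expansion).
DIRECT_PERMS = {
    "user/alice": {"s3:GetObject"},
    "role/Deploy": {"lambda:UpdateFunctionCode"},
    "role/DataAdmin": {"kms:Decrypt", "s3:*"},
    "user/bob": {"s3:ListBucket"},
}

def effective_permissions(principal):
    """Breadth-first walk over the trust graph. Returns (perms, chains): the union of
    permissions reachable through any AssumeRole chain, and for each permission the
    shortest chain of identities that grants it."""
    perms, chains = set(), {}
    queue, seen = deque([(principal, [principal])]), {principal}
    while queue:
        node, path = queue.popleft()
        for perm in DIRECT_PERMS.get(node, ()):
            perms.add(perm)
            chains.setdefault(perm, path)  # first (shortest) chain wins
        for nxt in TRUST.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return perms, chains

def escalation_findings(principal, forbidden, account_id):
    """Build ASFF-shaped findings for forbidden permissions the principal reaches only
    through an assume-role chain; permissions held directly are a different policy check."""
    perms, chains = effective_permissions(principal)
    findings = []
    for perm in sorted(perms & forbidden):
        chain = chains[perm]
        if len(chain) == 1:
            continue  # held directly, not an escalation path
        findings.append({
            "SchemaVersion": "2018-10-08",
            "AwsAccountId": account_id,
            "Types": ["Software and Configuration Checks"],
            "Severity": {"Label": "HIGH"},
            "Title": f"{principal} reaches {perm} via assume-role chain",
            "Description": " -> ".join(chain),  # the chain of identities allowing permission
            "Resources": [{"Type": "AwsIamUser", "Id": principal}],
        })
    return findings
```

The finding dict carries the fields Security Hub requires from a product integration; a real sender would add `Id`, `ProductArn`, `GeneratorId` and timestamps before calling `BatchImportFindings`.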
Sonrai enriches and extends Security Hub’s view of your security posture. We all want a clear picture of everything happening across our entire AWS footprint. By digesting all cloud logs and metadata in a unified format, Sonrai enables a much richer view of identity & data risk.
Monitoring issues like privilege escalation, and remediating them fast, requires a full graph of access paths as well as a frame of reference for the environment to reduce false positives. Sonrai completes the Security Hub vision of a single command center for platform, identity, and data security.
For more information about AWS Security Hub, see the AWS documentation here. For more information about the Sonrai platform, navigate to the platform section of our website.
The post Monitor Privilege Escalation Risk of Identities from AWS Security Hub, with Integration from Sonrai appeared first on Sonrai Security.
*** This is a Security Bloggers Network syndicated blog from Blog - Sonrai Security authored by James Casagrande. Read the original post at: https://sonraisecurity.com/blog/monitor-privilege-escalation-risk-of-identities-from-aws-security-hub-with-integration-from-sonrai/