Here at FireMon we have a bit of a different take on Cloud Security Posture Management. Cloud Defense was built from the ground up to support real-time security operations. Our goal, from day one, has been to help detect and remediate cloud security issues before they become cloud security problems.
Although we support automated remediations, either via the console, ChatOps, or full automated, in many situations it makes more sense to manually review and fix something so you are less likely to experience an unintended consequence. For many issues this should be handled by the team that owns the account/subscription/project, which is why we created our advanced ChatOps and ticketing notifications. By sending issues right to teams in the tools they already use in real-time you empower them to fix things more quickly using their preferred technique.
But sometimes, especially if something is exposed to the Internet at large (and maybe in the middle of the night) you will want SecOps to step in and fix it right away. This kind of break glass access should be restricted, used judiciously, and comprehensively logged.
That’s the example in this video. Watch, in real time (really, there aren’t any cuts) an entire response process from misconfiguration to remediation in less than two minutes:
1. Someone creates a snapshot of a storage volume and makes it public.
2. FireMon Cloud Defense instantly alerts the on-call incident responder via Slack.
3. The responder dives into the issue and identifies the exposed resource and AWS account.
4. The responder can even see the API calls that created the issue, and the attribution of who made the changes.
5. The responder then requests JIT access via ChatOps.
6. The manager sees the JIT request and approves it.
7. FireMon Cloud Defense’s Authorization Control feature then notifies the AWS account to create a session and sends the user to a zero-knowledge system to collect credentials (FireMon never has access to credentials).
8. The responder pivots into the AWS account and remediates the issue.
9. Cloud Defense detects the remediation and automatically cleans the issue and also sends out a ChatOps notification of the remediation.
It sounds like a lot, but check out the video to see how smooth and easy it is. This really shows the power of real-time and building a product for security practitioners.