Two years ago, FireMon elevated its game by introducing real-time features in our Cloud Defense platform. This was a significant development because it transformed our tool from a basic safety checker into a full-fledged cloud security guardian. Real-time capability is crucial for advancing tools from basic vulnerability assessment to a comprehensive cloud security operations platform. However, our journey towards real-time was not driven by customer requests; rather, it was motivated by our commitment to delivering improved efficiency and enhanced security operations.
Why We Built Real-Time:
Our initial goal was not to create a Cloud Security Posture Management (CSPM) tool. We began by building a cloud security automation platform with the aim of helping organizations address cloud security vulnerabilities more rapidly and bridging the gap between security and DevOps/Cloud Operations. While this may seem like a subtle distinction, it meant that we entered the CSPM market with a different perspective.
- Inefficiency of time-based scans: Initially, like everyone else, we relied on time-based scans. However, they proved to be slow, even when distributed, and could potentially exceed a customer’s service limits.
- Stale data: Periodic scans resulted in customers viewing outdated information. Even scanning every 15 minutes could lead to alerting a development team about something they had already resolved.
- Real-time nature of security operations: Responders need to have real-time awareness of events, alerts, and configurations.
- Efficiency for us: It’s not selfish to consider that dealing with timing and capacity planning in a multi-tenant system becomes challenging when everything is time-based.
This isn’t to say that time-based scans don’t have their place; we still use them for our Free tier, and we perform daily sweeps for all our Pro accounts to ensure nothing slips through the cracks.
Building Real-Time (The AWS Way):
Today, we will focus on how we enable real-time functionality for AWS. In future posts, we will provide details on how we implement it for Azure and GCP. We underwent several iterations, and thanks to AWS, the system we have now is remarkably efficient.
- EventBridge to Lambda to API: Initially, we forwarded events from EventBridge to an API gateway through a Lambda function deployed in customer environments. It worked but was not highly efficient.
- EventBridge to… EventBridge: AWS enhanced EventBridge, allowing customers to send events directly to us. Now, all we needed to do was deploy an EventBridge Rule in customer accounts. We didn’t even require special authentication because the AWS event headers are tamper-proof, and we discard anything not associated with a customer.
- Updating on change: We keep track of changes such as updates and deletions, capturing resource details. This initiates an update in our Discoverer service for that specific item.
- Trigger chain: The update hits the Inventory, and any change here triggers the Lambda functions for checks. All checks for a specific type of resource occur simultaneously, and findings are evaluated against alert and remediation rules.
- Instant alerts: This setup triggers an alert (or automated remediation) within just 5-15 seconds after a change, and all parts of the system are updated with consistent data (e.g., compliance). Most customers send alerts to ChatOps (Slack/Teams), but they can also send them via email, create a JIRA ticket, or forward them to a SIEM.
Real-Time Benefits:
Transitioning to real-time elevated Cloud Defense, finally enabling security operations as we had always envisioned. Without real-time capability, CSPM tools are essentially just another type of vulnerability scanner. There’s nothing wrong with vulnerability scanners; we use them ourselves. However, since cloud misconfigurations can become exposed to the internet instantly, we believe the response cycle needs to be much tighter.
- Up-to-date inventory: With real-time functionality, what you see in Cloud Defense accurately reflects the current configuration of your AWS account.
- Immediate checks: Security and compliance checks occur as changes are made, promptly identifying misconfigurations. You won’t be left exposed for 15 minutes to 24 hours, which is the scanning frequency of time-based tools.
- Complete understanding of changes: Cloud Defense tracks the API that triggered the change, the identity responsible for the API call, and the impact on the resource (including changes and check results) from start to finish. This comprehensive tracking allows for change tracking, examination of other API calls from the same IAM entity, exploration of resources connected to the affected resource, and other powerful analysis capabilities.
- Enabling security operations: With Cloud Defense, you gain insight into who made a change, when it was made, the security implications, and the ability to filter and forward information to facilitate rapid remediation, whether manual or automated. No more emailing spreadsheets. This transformation elevates the platform into a complete operational tool.
Our Cloud Defense platform demonstrates how real-time CSPM should be done. From our initial days of time-based scans to the swift transition to real-time monitoring, we have enhanced your ability to use CSPM as a security operations tool and introduced new methods of safeguarding your cloud deployments. Adding real-time capability to Cloud Defense was not just about a flashy feature; it was a game-changer in making cloud security robust, quick, and reliable.