When software vulnerabilities and zero days moved up the enterprise worry list fifteen years ago, nobody imagined that the world would one day face a single vulnerability, in the Apache Log4j open source logging framework, affecting software on every major operating system.
In the good old days, flaws affected single applications and individual software vendors. The problem was inside one company’s code. It wasn’t always easy to fix the flaws, but at least the hierarchy of responsibility was clear.
Log4Shell, to give the flaw its precise name, was different. The December 2021 remote code execution (RCE) bug, CVE-2021-44228, is an example of a new and increasingly common type of super-vulnerability. The anxiety began with the nature of the zero day itself: one that allows a remote attacker complete control over a vulnerable server.
Log4j is one of the most popular logging libraries, used by developers to record events from applications, networks and websites. It was inside countless applications built on Apache frameworks, including Apple’s iCloud. Shared building blocks like this, the Lego bricks on which today’s cloud platforms rest, are partly a product of the way the world has tilted towards large software systems assembled from common components.
According to analysis by cloud security startup Wiz and EY, 93 percent of cloud environments were vulnerable to Log4Shell, and 45 percent of those vulnerable environments were patched within 10 days of the flaw becoming public. Patching this type of flaw in the cloud is difficult. Merely finding the affected library is a major task, because it can be deployed as a standalone package or already bundled inside an application’s own artifacts.
Where older flaws threatened the integrity of individual applications, in the cloud era a similar issue can undermine entire services and the platforms on which they depend. Fixes are expensive and slow. In some organizations, Log4j 2 could be buried in hundreds of individual instances, a mammoth clean-up job.
Wiz was founded in 2020 to solve this and many other problems that are starting to affect hybrid clouds. Long before security teams were scrambling to fix flaws such as Log4Shell, the company’s founders had realized how difficult these platforms are to secure. There is a great deal that can go wrong:
Misconfigurations open security holes.
Infrastructure is code, and that code carries hidden exposures.
Container deployments, including on-premises environments such as Red Hat’s OpenShift, need to be secured.
Cloud native application protection platforms (CNAPP) are being adopted to unify management.
Cloud infrastructure entitlement management (CIEM) is mandatory.
Data repositories contain sensitive information that might be accidentally exposed.
It’s a challenge that existing tools struggle with, argues Yinon Costica, who says these tools have been adapted ad hoc from an established computing model that was not built with cloud security in mind.
“Existing tools take from months to years to deploy and still result in blind spots and a lack of visibility into the environment,” he says. “These look at layers such as containers or a single risk factor like vulnerability management which generate a lot of noisy alerts requiring manual effort to correlate risk.” Real attack paths are more sophisticated and involve exploiting many risk factors together.
The alternatives are point solutions that don’t work well in hybrid clouds, or platform-specific tools tied to one provider’s monitoring. Either way, it’s difficult to tackle security alerts in cloud environments that feature multiple stakeholders and technology layers.
These cloud security issues were the reason for the founding of Wiz. It integrates a suite of capabilities into a new type of platform that covers the whole cloud stack, from operating systems to the code libraries running on them. All customers need to do is connect their cloud environment, rather than stitching together rival tools.
Visibility is the key
The platform first scans for misconfigurations, weaknesses, and possible malicious compromises, a job done through API calls without traditional agents, one of the platform’s distinguishing features. The agentless approach sidesteps the problem that some systems can’t run agents, don’t exist long enough to have them installed, or would lose precious resources to running them.
Costica says that Wiz cuts deployment time from the months or years of traditional agent-based approaches down to minutes or days.
Patchy agent coverage can leave the security picture incomplete and misleading. Working from snapshots, Wiz ingests all relevant security data, runs it through a risk analysis engine across the different layers, and models it in a graph database so that everything can be correlated together.
The Wiz Security Graph is a visual representation of the risks in an environment, including vulnerability management and IaC scanning findings and cloud workload protection state, and it can be used to answer many deeper queries.
By modelling the cloud environment and its risk factors as a graph, Wiz provides context and an easily explorable view of the cloud for users. The Security Graph is built from an examination of the underlying cloud environment.
With the Security Graph, customers can see the vulnerabilities, misconfigurations, and attack paths across their entire infrastructure for the first time.
Making cloud security work is not only the security team’s problem. Developing cloud native applications in an Agile manner involves teams that build their applications independently of each other.
“Wiz allows development teams to take action independently of security with direct visibility, risk prioritization, and context into the environments they own so they can ship faster, more securely.”
Developers only see the resources and risks they own, thanks to role-based access control. Teams use Wiz to implement a golden image pipeline, hardening their images before distribution and making sure all teams create instances from hardened images.
Discovering blind spots
Costica shows an example of a container exposed to the internet that has exploitable vulnerabilities, giving attackers a way into the production environment. Any one of these issues is potentially dangerous, but the combination of oversights turns it into a disaster. Wiz was designed to spot this type of security problem before the damage is done.
Costica says the most critical risks are usually a combination of different risk factors: real attack paths involve exploiting several of them together.
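The "toxic combination" idea described above, as an added example that is not Wiz's code or data model: a constructed cloud inventory is held as a graph whose nodes carry the risk-factor tags a scanner found (internet exposure, a critical CVE, an admin role, sensitive data) and whose edges are reachability or permission relationships. A finding is raised only for a walk from the public internet to a sensitive data store that also crosses an exploitable vulnerability and an over-privileged identity; the same CVE on a workload in a private subnet with a least-privilege identity produces no path. All resource names and tags are hypothetical.

```python
"""Toxic-combination query over a cloud asset graph (added example,
not Wiz's own code). Nodes carry risk-factor tags, edges say "an
attacker controlling A can reach or use B". Only a path that combines
all required factors is reported, so a CVE on an unreachable workload
stays a low-priority single-factor alert instead of a finding.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample environment (hypothetical names).
NODES: Dict[str, Set[str]] = {
    "internet": set(),
    "lb-public": {"internet_exposed"},        # security group allows 0.0.0.0/0
    "web-container": {"critical_cve"},        # unpatched RCE in a library
    "sa-web": {"admin_role"},                 # identity the container runs as
    "bucket-customer-pii": {"sensitive_data"},
    "batch-worker": {"critical_cve"},         # same CVE, but in a private subnet
    "sa-batch": set(),                        # least-privilege identity
    "bucket-logs": set(),
}

# Directed edges: A -> B means control of A gives reach or use of B.
EDGES: List[Tuple[str, str]] = [
    ("internet", "lb-public"),
    ("lb-public", "web-container"),     # load balancer forwards traffic
    ("web-container", "sa-web"),        # workload identity
    ("sa-web", "bucket-customer-pii"),  # IAM grants read on the bucket
    ("sa-web", "bucket-logs"),
    ("batch-worker", "sa-batch"),
    ("sa-batch", "bucket-logs"),
]

# All four factors must appear somewhere on one path for it to count.
REQUIRED = ("internet_exposed", "critical_cve", "admin_role", "sensitive_data")


def build_adjacency(edges):
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    return adj


def attack_paths(nodes, edges, source="internet"):
    """Every simple path from `source` to a sensitive_data node whose
    accumulated tags cover all of REQUIRED. Returns (path, sorted tags)."""
    adj = build_adjacency(edges)
    results = []

    def dfs(node, path, tags):
        tags = tags | nodes[node]
        if "sensitive_data" in nodes[node]:
            if all(factor in tags for factor in REQUIRED):
                results.append((list(path), sorted(tags)))
            return                      # a data store is a sink
        for nxt in adj[node]:
            if nxt not in path:         # keep paths simple (no cycles)
                path.append(nxt)
                dfs(nxt, path, tags)
                path.pop()

    dfs(source, [source], set())
    return results


def single_factor_alerts(nodes, factor):
    """What a point tool reports: every node carrying the factor, no context."""
    return sorted(name for name, tags in nodes.items() if factor in tags)


if __name__ == "__main__":
    print("CVE alerts without context:", single_factor_alerts(NODES, "critical_cve"))
    for path, tags in attack_paths(NODES, EDGES):
        print("attack path:", " -> ".join(path))
        print("  risk factors combined:", ", ".join(tags))
```

Run as written, the single-factor view reports two CVE alerts, while the path query returns exactly one finding, the internet-facing container that runs as an admin identity with read access to the PII bucket. In a real environment the tags would come from a vulnerability scanner, network configuration and IAM policy analysis; the graph query itself does not change.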
Cloud vulnerabilities also fall between the reporting gaps. In the software sphere, vulnerabilities are made public and tracked through the CVE system, which has proved less suited to the cloud security context. Cloud service providers turn the CVE model, in which the customer manages fixes at their own discretion, on its head: the provider fixes its own platform, and customers often get no CVE at all. Without one, customers find it hard to work out which issues are the most urgent, and when they are told, email is an unreliable method of communication.
The Open Cloud Vulnerability and Security Issue Database is an open initiative that has set itself the task of becoming a public repository for cloud flaws. The site states:
To pave the way for a centralized cloud vulnerability database, our goal in this project is to catalog CSP security mistakes and list the steps customers can take to detect or prevent these issues in their own environments.
The aim is for customers to understand their exposure to critical issues as soon as possible. Costica says that Log4Shell was a case in point.
Less than 24 hours after Log4Shell was disclosed, customers could use Wiz to detect whether they were using vulnerable Log4j libraries in their environment and follow the product’s guidance to reduce the risk.
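The kind of detection described here, and the package-versus-bundled problem noted earlier in the Wiz and EY figures, as an added example that is not Wiz's scanner: it walks a directory (or a disk snapshot mounted read-only, which is what an agentless approach works from), opens every .jar/.war/.ear as a zip archive, reads log4j-core's Maven pom.properties for the version, checks whether JndiLookup.class is present, and recurses into nested archives. The version check reflects the fixed releases for CVE-2021-44228 and CVE-2021-45046 (2.16.0, plus the 2.12.2 and 2.3.1 backports). The sample archives are constructed in memory and contain no real bytecode; the build_sample_jar helper and all file names are assumptions for the demonstration.

```python
"""Agentless-style scan for vulnerable log4j-core archives (added
example, not Wiz's code). Looks for the library whether it is a
standalone package or bundled inside an application archive, and
distinguishes patched, mitigated (JndiLookup.class stripped) and
vulnerable copies.
"""
import io
import os
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str                 # "outer.war!WEB-INF/lib/inner.jar" when nested
    version: Optional[str]
    jndi_present: bool

    @property
    def status(self) -> str:
        if self.version is None:
            return "JndiLookup class found, version unknown: review manually"
        if not version_is_vulnerable(self.version):
            return "patched"
        if not self.jndi_present:
            return "vulnerable version but JndiLookup.class removed: mitigated"
        return "VULNERABLE (CVE-2021-44228 / CVE-2021-45046)"


def parse_version(text: str) -> Tuple[int, int, int]:
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def version_is_vulnerable(text: str) -> bool:
    """2.x releases before the CVE-2021-44228/45046 fixes: 2.16.0 on the
    main line, 2.12.2 on the Java 7 line and 2.3.1 on the Java 6 line."""
    v = parse_version(text)
    if v[0] != 2:
        return False                  # log4j 1.x has no JndiLookup at all
    if v < (2, 3, 1):
        return True
    if (2, 4, 0) <= v < (2, 12, 2):
        return True
    if (2, 13, 0) <= v < (2, 16, 0):
        return True
    return False


def scan_archive(data: bytes, label: str, findings: List[Finding]) -> None:
    """Inspect one archive held in memory; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is not None or JNDI_CLASS in names:
            findings.append(Finding(label, version, JNDI_CLASS in names))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), f"{label}!{name}", findings)


def scan_tree(root: str) -> List[Finding]:
    """Scan every archive under `root` on disk (or a mounted snapshot)."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fname)
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), full, findings)
    return findings


def build_sample_jar(version: str, include_jndi: bool = True,
                     nest_in: Optional[str] = None) -> bytes:
    """Constructed test data (hypothetical): a log4j-core-shaped jar with
    Maven metadata and a placeholder class entry, optionally wrapped in
    an outer application archive at path `nest_in`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # fake class header only
    inner = buf.getvalue()
    if nest_in is None:
        return inner
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(nest_in, inner)
    return outer.getvalue()


if __name__ == "__main__":
    samples = [
        ("app.war", build_sample_jar("2.14.1", nest_in="WEB-INF/lib/log4j-core-2.14.1.jar")),
        ("log4j-core-2.17.1.jar", build_sample_jar("2.17.1")),
        ("log4j-core-2.14.1-stripped.jar", build_sample_jar("2.14.1", include_jndi=False)),
    ]
    for label, blob in samples:
        found: List[Finding] = []
        scan_archive(blob, label, found)
        for f in found:
            print(f"{f.path}: log4j-core {f.version}: {f.status}")
```

Two caveats a practitioner should keep in mind: a shaded or repackaged jar may drop the Maven metadata while keeping the class, which is why a JndiLookup hit with no version is reported for manual review rather than ignored; and JndiLookup.class still exists in patched 2.16+ releases, so its presence alone is not evidence of exposure, only the version is.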
The reality is that this type of flaw quickly turns into trench warfare, no different from other famous flaws such as Heartbleed; many servers remain vulnerable to that issue years later, he points out. Log4Shell will continue to be a problem because many organizations don’t have time to fix it or never see their exposure in the first place. And even when they fix Log4Shell, they don’t address the larger issue: another big flaw will strike at some point in the future.
Customers need to see the scale of the problem quickly, and that job requires the right software.
Sponsored by Wiz.