Vulnerability Scanning at Runtime
🎯 Vulnerability Management System (“VMS”). Part 3: Scanning at Runtime.
In the original post we defined steps to implement a bullet-proof Cloud Infrastructure Security Posture. Now it’s time to dive into the topic of 🎯 Vulnerability Management. See Part 1: Hosts and Part 2: Containers to learn about hardening pipelines for AMIs and container images.
❓ How would you approach the implementation of the following?
– Scan container images, applications, hosts for Vulnerabilities;
– Perform Regular Host and Container Security Patching and Version Upgrades;
💪 Here is how, and while it’s quite challenging, it is *very* rewarding from the cybersecurity perspective:
— Part 3. Scanning at Runtime —
1. Install an eXtended Detection and Response (XDR) platform such as Wazuh (https://www.wazuh.com), or a professional grade network scanner such as Nessus Pro (https://lnkd.in/e__j-yTj).
Interestingly, the XDR tool will represent a miniature SOC (Security Operations Center) inside your cloud environment, and – in addition to vulnerability scanning of the running hosts and application containers – will provide great observability into both internally and externally sourced security events (such as privilege escalation, port scanning, DDoS attacks, etc.). This is how you achieve the “Threat Detection” piece of cloud infrastructure security. Beware, though, that to fully enjoy this part you will have to perform additional configuration, known in the SOC world as “noise canceling”, “event correlation”, and “prioritization”. We’ll get to these in future posts, while discussing Observability.
Now, back to vulnerability scanning.
I prefer Wazuh as it is open-source and free to use, while Nessus Pro from Tenable is a commercial product. At the same time, Wazuh is way harder to configure, but it also provides a *continuous* vulnerability scanning capability, and the closest matching Tenable product to that is Tenable.sc.
2. Set up XDR agents on your running hosts to continuously feed security audit logs from your hosts and containers into the XDR.
3. If using Nessus Pro, configure regular network and host scans. Wazuh will perform scans continuously.
4. Make time in your calendar to visit your XDR dashboard every day, or every other day. On the host / container scanning dashboards, look for the discovered CVEs and prioritize them based on your use case. Some alerts will be obvious false positives, but in general the information provided by the XDR is a treasure, as it helps you see the vulnerabilities that show up at runtime (which you cannot necessarily catch at Golden Image build time) and take the corresponding corrective actions.
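To make the daily dashboard review in step 4 start from a ranked list rather than a raw feed, here is an added example (not code from the original post or from Wazuh) that triages a constructed, Wazuh-style vulnerability export: it collapses the same CVE across hosts, then scores each CVE by CVSS, internet exposure of the affected hosts, whether a patched package exists, and blast radius. The record layout, the `condition` wording and the exposed-host list are assumptions made for the example.

```python
# Added example: prioritize runtime scanner findings for daily triage.
# The record layout is constructed to resemble a Wazuh vulnerability export;
# field names and the "Package unfixed" wording are assumptions, not the
# tool's exact schema.
import json
from collections import defaultdict

# Constructed sample export (placeholder CVE ids and versions).
SAMPLE_EXPORT = json.dumps([
    {"agent": "web-01", "cve": "CVE-0000-0001", "package": "openssl",
     "cvss3": 9.8, "condition": "Package less than 1.0.1-patched"},
    {"agent": "web-02", "cve": "CVE-0000-0001", "package": "openssl",
     "cvss3": 9.8, "condition": "Package less than 1.0.1-patched"},
    {"agent": "db-01", "cve": "CVE-0000-0002", "package": "libxml2",
     "cvss3": 7.5, "condition": "Package unfixed"},
    {"agent": "web-01", "cve": "CVE-0000-0003", "package": "curl",
     "cvss3": 5.3, "condition": "Package less than 2.0.0-patched"},
])

def fix_available(condition):
    """Assumed convention: findings with no vendor patch say 'Package unfixed'."""
    return "unfixed" not in condition.lower()

def prioritize(export_json, exposed_agents):
    """Return one row per CVE, ordered by a triage score.
    Score = CVSS3 + 2 if any affected host is internet-facing
                  + 1 if a patched package exists (actionable today)
                  + 0.5 per additional affected host (blast radius)."""
    by_cve = defaultdict(lambda: {"agents": set(), "cvss3": 0.0,
                                  "package": None, "fixable": False})
    for f in json.loads(export_json):
        row = by_cve[f["cve"]]
        row["agents"].add(f["agent"])
        row["cvss3"] = max(row["cvss3"], f["cvss3"])
        row["package"] = f["package"]
        row["fixable"] = row["fixable"] or fix_available(f["condition"])
    ranked = []
    for cve, row in by_cve.items():
        score = row["cvss3"]
        if row["agents"] & set(exposed_agents):
            score += 2
        if row["fixable"]:
            score += 1
        score += 0.5 * (len(row["agents"]) - 1)
        ranked.append({"cve": cve, "package": row["package"],
                       "score": round(score, 1), "hosts": sorted(row["agents"]),
                       "fix_available": row["fixable"]})
    return sorted(ranked, key=lambda r: (-r["score"], r["cve"]))

if __name__ == "__main__":
    for r in prioritize(SAMPLE_EXPORT, exposed_agents=["web-01", "web-02"]):
        print(r)
```

Unfixed CVEs deliberately rank lower because there is nothing to patch yet; keep them on the list so they are re-checked when the vendor releases a fix.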
In the next post we will talk about regular security patching.