Cloud Security Series #9

Antivirus Scanning and Security Patching

In the original post we defined steps to implement a bullet-proof Cloud Infrastructure Security Posture. Now it’s time to dive into the topic of 🎯 Vulnerability Management.

See
Part 1: Hosts and
Part 2: Containers to learn about hardening pipelines for AMIs and container images, and
Part 3: Scanning at Runtime to learn about approaches to runtime vulnerability scanning of virtual hosts.



❓ How would you approach the implementation of the following?
– Scan container images, applications and hosts for vulnerabilities;
– Perform regular host and container security patching and version upgrades;

💪 Here is how, and while it’s quite challenging, it is *very* rewarding from the cybersecurity perspective:

— Part 4. Antivirus Scanning and Security Patching —
1. Include installation of the antivirus software in your Golden Virtual Image (AMI) pipeline. ClamAV will work well (https://www.clamav.net/), but if you are looking for a powerful commercial solution, there are plenty available in the market (e.g. McAfee, Norton or Avast).

2. In the same pipeline, next to the antivirus installation, add the configuration of a “cron job” (scheduled task) that runs a full-system antivirus scan at regular intervals, during your defined maintenance windows (or simply on weekends). Every environment is different, but it is important to achieve at least a weekly cadence to make sure that your systems are safe from viruses.

3. In the antivirus configuration, also run a “resident” (daemon) process that performs real-time antivirus scans in response to changes in your file system.
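Steps 1 to 3 as one AMI-pipeline provisioning script, added here as an example (it is not code from the original post or from the ClamAV project). It assumes a Debian/Ubuntu-based image (package and service names are the Debian ones), a Sunday 03:00 maintenance window, and it writes every generated file under an optional PREFIX so the output can be previewed in a temp directory; the wrapper name av-full-scan.sh and the on-access paths are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: provisioning step for a Golden AMI
# pipeline that installs ClamAV, schedules a weekly full scan (cron) and enables
# the on-access ("resident") scanner. Assumes Debian/Ubuntu package names.
set -eu

# Root under which config files are written; set PREFIX to a temp dir to
# preview the generated files without touching the build host.
PREFIX="${PREFIX:-}"

# Install the scanner, the clamd daemon and the signature updater, then pull
# current signatures so the image boots with a usable database (AMI build only).
install_clamav() {
    apt-get update
    DEBIAN_FRONTEND=noninteractive apt-get install -y clamav clamav-daemon clamav-freshclam
    freshclam || true
}

# Wrapper run by cron: scan the whole filesystem (skipping pseudo-filesystems),
# log the result and surface an infected result via syslog and the exit code.
write_scan_wrapper() {
    mkdir -p "$PREFIX/usr/local/sbin" "$PREFIX/var/log/clamav"
    cat > "$PREFIX/usr/local/sbin/av-full-scan.sh" <<'EOF'
#!/bin/sh
LOG=/var/log/clamav/weekly-$(date +%F).log
clamscan -r --infected \
    --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' --exclude-dir='^/run' \
    --log="$LOG" /
RC=$?
# clamscan exit codes: 0 = clean, 1 = infected file(s) found, 2 = scan error
case "$RC" in
    0) logger -t av-full-scan "weekly scan clean";;
    1) logger -p auth.crit -t av-full-scan "MALWARE FOUND, see $LOG";;
    *) logger -p auth.err -t av-full-scan "scan error rc=$RC, see $LOG";;
esac
exit "$RC"
EOF
    chmod 0755 "$PREFIX/usr/local/sbin/av-full-scan.sh"
}

# /etc/cron.d entry: every Sunday 03:00 (assumed low-traffic maintenance window).
write_cron_job() {
    mkdir -p "$PREFIX/etc/cron.d"
    printf '%s\n' '0 3 * * 0 root /usr/local/sbin/av-full-scan.sh' \
        > "$PREFIX/etc/cron.d/av-full-scan"
    chmod 0644 "$PREFIX/etc/cron.d/av-full-scan"
}

# On-access scanning: clamd.conf options consumed by the clamonacc process.
# Watched paths are example choices; OnAccessPrevention blocks access to a file
# that matches a signature instead of only logging it.
write_onaccess_config() {
    mkdir -p "$PREFIX/etc/clamav"
    cat >> "$PREFIX/etc/clamav/clamd.conf" <<'EOF'
OnAccessIncludePath /home
OnAccessIncludePath /tmp
OnAccessIncludePath /var/www
OnAccessExcludeUname clamav
OnAccessPrevention yes
EOF
}

# Only the AMI build runs the installing/enabling steps (AMI_BUILD=1); sourcing
# the script elsewhere just defines the functions.
if [ "${AMI_BUILD:-0}" = "1" ]; then
    install_clamav
    write_scan_wrapper
    write_cron_job
    write_onaccess_config
    systemctl enable clamav-daemon clamav-clamonacc clamav-freshclam
fi
```

The wrapper exits non-zero on a detection, so a cron mailer or the syslog forwarder on the host turns a weekly hit into an alert rather than a log line nobody reads; the on-access block covers the gap between weekly runs.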

4. Schedule your Golden Image pipeline to run regularly, to ensure that it is built from the most recent/patched version of the operating system. Make sure to update your auto-scaling group launch template every time the Golden AMI pipeline is executed.

5. Leverage your cloud provider’s capability to schedule regular security patching jobs (for example AWS SSM Patch Manager or GCP Compute Engine patch jobs). The patching job should run the system security updates. Configure the patching job to run at least weekly.
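Steps 4 and 5 on AWS, as an added example that is not part of the original post: the tail of a Golden AMI pipeline publishes the freshly built AMI as a new launch-template version, points the auto-scaling group at it, and creates a weekly SSM Patch Manager association. The resource ids, the PatchGroup tag value, the Sunday 02:00 UTC schedule and the DRY_RUN switch are this example's own assumptions; the AWS CLI subcommands and the AWS-RunPatchBaseline document are real.

```shell
#!/bin/sh
# Added example, not from the original post: post-build step of a Golden AMI
# pipeline (launch template rotation + weekly SSM patching). Ids and the
# schedule are assumptions; with DRY_RUN=1 the AWS CLI calls are printed only.
set -eu

# Print the command instead of running it when DRY_RUN=1 (no credentials needed).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only "ami-" followed by 8 or 17 hex digits before touching the ASG.
valid_ami_id() {
    case "$1" in ami-*) ;; *) return 1;; esac
    printf '%s' "${1#ami-}" | grep -Eq '^[0-9a-f]{8}([0-9a-f]{9})?$'
}

# Step 4: new launch-template version from $Latest with only ImageId changed,
# pin the ASG to $Latest, then refresh running instances onto the new AMI.
rotate_launch_template() {  # args: ami_id launch_template_id asg_name
    ami="$1"; lt="$2"; asg="$3"
    valid_ami_id "$ami" || { echo "rejecting AMI id: $ami" >&2; return 1; }
    run aws ec2 create-launch-template-version \
        --launch-template-id "$lt" --source-version '$Latest' \
        --version-description "golden-ami $(date +%F)" \
        --launch-template-data "{\"ImageId\":\"$ami\"}"
    run aws autoscaling update-auto-scaling-group \
        --auto-scaling-group-name "$asg" \
        --launch-template "LaunchTemplateId=$lt,Version=\$Latest"
    run aws autoscaling start-instance-refresh --auto-scaling-group-name "$asg"
}

# Step 5: weekly Patch Manager run (Sunday 02:00 UTC) on instances tagged
# PatchGroup=<group>. Operation=Install applies the baseline's approved updates;
# create once per group and use update-association to change it later.
create_patch_schedule() {  # args: patch_group
    run aws ssm create-association \
        --association-name "weekly-security-patching-$1" \
        --name AWS-RunPatchBaseline \
        --targets "Key=tag:PatchGroup,Values=$1" \
        --schedule-expression 'cron(0 2 ? * SUN *)' \
        --parameters 'Operation=Install,RebootOption=RebootIfNeeded'
}

# Pipeline entry point: runs only when the build exported the new AMI id.
if [ -n "${GOLDEN_AMI_ID:-}" ]; then
    rotate_launch_template "$GOLDEN_AMI_ID" "${LAUNCH_TEMPLATE_ID:?}" "${ASG_NAME:?}"
    create_patch_schedule "${PATCH_GROUP:?}"
fi
```

Rotating the template alone only affects instances launched after the change; the instance refresh is what actually retires hosts still running the older, unpatched AMI.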

6. Schedule your Golden (“Base”) Container Image creation pipeline to run regularly, so it is refreshed with the latest security-patched base OS image. Configure your CI jobs to build application containers from the most recent build of your Golden Container Image.

7. Configure the CI job that builds your application containers to also run the OS security-update command, so the application image carries the most recent security patches on top of the Golden Container Image.
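Steps 6 and 7 as a CI build script, added here as an example (not code from the original post): it picks the newest date-stamped tag of the golden base image, renders a Dockerfile that starts from that tag and applies the distribution's pending updates, and records the base used as an image label. The registry name, the YYYY-MM-DD tagging scheme, the label key and a Debian-based golden image are this example's assumptions; the tag list is normally read from the registry, and the constructed list at the bottom stands in for that.

```shell
#!/bin/sh
# Added example, not from the original post: CI step that builds an application
# image from the newest Golden ("Base") Container Image and applies OS security
# updates on top. Registry, tag format and label key are assumptions.
set -eu

GOLDEN_REPO="${GOLDEN_REPO:-registry.example.internal/golden-base}"   # assumed registry

# Read tags on stdin, keep only the YYYY-MM-DD ones produced by the golden
# pipeline (ignores floating tags such as "latest" or "dev") and return the newest.
latest_golden_tag() {
    grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}$' | sort | tail -n 1
}

# Write a Dockerfile that (a) starts from the chosen golden build and (b) runs
# the distribution's pending updates at build time, so the application image
# carries patches newer than the golden base it started from.
render_dockerfile() {  # args: base_image_ref output_path
    base="$1"; out="$2"
    cat > "$out" <<EOF
FROM $base
# Provenance label: which golden build this image was derived from
LABEL golden.base="$base"
# Step 7: apply pending OS (security) updates on top of the golden base
RUN apt-get update \\
 && apt-get -y --no-install-recommends upgrade \\
 && apt-get clean && rm -rf /var/lib/apt/lists/*
COPY app/ /app
WORKDIR /app
USER nobody
EOF
}

# Full build: resolve the newest golden tag, render and build. --pull forces a
# fresh pull of the base tag so a tag that moved since the last build is picked up.
build_app_image() {  # args: app_image_name tag_list_file
    tag=$(latest_golden_tag < "$2")
    [ -n "$tag" ] || { echo "no date-stamped golden tag found" >&2; return 1; }
    render_dockerfile "$GOLDEN_REPO:$tag" Dockerfile
    docker build --pull -t "$1" .
}

# Constructed sample tag list, standing in for a registry listing; the build
# itself only runs when CI_BUILD=1 (docker is not needed otherwise).
if [ "${CI_BUILD:-0}" = "1" ]; then
    printf 'latest\n2024-04-28\n2024-05-05\n2024-05-01\ndev\n' > golden-tags.txt
    build_app_image myapp:ci golden-tags.txt
fi
```

The label is what lets a runtime scanner or an incident responder answer "which golden base was this container built from" without rebuilding anything, which is exactly the question that comes up when a base-image CVE lands.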