Vulnerability Management System (“VMS”)
In the original post we defined steps to implement a bullet-proof Cloud Infrastructure Security Posture. Now it’s time to dive into the topic of
🎯 Vulnerability Management.
❓ How would you approach the implementation of the following?
– Scan container images, applications, hosts for Vulnerabilities;
– Perform Regular Host and Container Security Patching and Version Upgrades;
💪 Here is how, and while it’s quite challenging, it is *very* rewarding from the cybersecurity perspective:
— Part 1 – Hosts —
1. Choose a *base* Operating System (OS) for your virtual hosts, and make it a standard across your cloud environment. Ensure that the OS is actively maintained and supported (good examples are: RedHat, Ubuntu, Amazon Linux, etc.)
2. Establish “Hardening” pipeline for your base OS image to produce what is usually called a *Golden Image*. Choose between HashiCorp Packer, Amazon Web Services (AWS) EC2 ImageBuilder Pipeline, Microsoft Azure VM Image Builder,
The pipeline should take the base OS and apply a set of patches that will remediate most known vulnerabilities.
Most popular examples of such “sets of patches” are:
– *CIS Benchmarks* (https://lnkd.in/eH2-jeGq) maintained by Center for Internet Security. They supply patches for a variety of operating systems, most likely including yours.
– *DISA STIGs* (https://lnkd.in/eCw33hUP) maintained by United States Department of Defense.
Choose benchmarks that better satisfy your desired security level requirements. CIS Benchmarks are a good start, and provide a quite comprehensive protection for your images, while DISA STIGs are way more restrictive.
Although these benchmarks do not necessarily come pre-packaged for your Golden Image pipeline, there are multiple ways to automate them. If image builder pipeline is integrated in your CSP, hardening components are provided out of the box (such as STIGs for Amazon Linux on AWS); otherwise you can choose between available tools such as InSpec (https://lnkd.in/eMHp6h-g) or OpenSCAP (https://lnkd.in/es4YwQwq), and integrate those runs in your golden image pipeline.
Let me know in the comments to this post if you will need help implementing the vulnerability scans, I’d be happy to help.
3. Establish Golden Image verification pipeline. Once the Golden Image is ready, you must scan it for vulnerabilities to make sure that all security patched have been applied. This scanning can be done using the same tools such as OpenSCAP, but with a “check only” flag. Make sure to work with the report produced by the scanner to leave no vulnerability unaccounted for.
4. Spin up all your virtual hosts from your Golden Image. Make sure to shut down hosts running on any other images, and re-run them on your Golden one.
To be cont’d…
3 thoughts on “Cloud Security Series #6”
Comments are closed.