Enhancing Your Cloud Security with a CNAPP Solution: Unlock the full potential of Microsoft Defender for Cloud to fortify your cloud security

Yuri Diogenes
eBook, Oct 2024, 382 pages, 1st Edition
Why CNAPP?

For the past decade, cloud security has evolved according to the threat landscape in addition to the overall business needs of the companies that were migrating to the cloud. In the beginning, cloud security solutions provided very basic security hygiene based on a set of baselines and workload visibility, which, at the time, addressed the needs of most companies. As the market evolved around cloud security, companies started to demand specialized solutions to address specific challenges in cloud security, such as multicloud adoption and the shift-left initiatives. New solutions were developed to tackle these challenges; however, they were done in an isolated manner.

The evolution of attack methods, the growth of cloud automation such as the high usage of Infrastructure as Code (IaC), the wide adoption of multicloud, and the need to have a better way to prioritize risk based on a contextual approach led the market to a new reality when it comes to cloud security. The best-of-breed approach to deciding which cloud security solution should be adopted wasn’t working anymore. Customers demanded a better way to cross-reference the data consumed by different tools in a single place to enable them to make smarter decisions when it comes to risk prioritization.

It becomes imperative to not only improve the security posture but also identify how threat actors can exploit existing vulnerabilities and move laterally to potentially compromise highly sensitive assets. The solution for all this is called Cloud Native Application Protection Platform (CNAPP).

This chapter covers:

  • Cloud Security Posture Management
  • Cloud Workload Protection
  • Cloud Native Application Protection Platform

Cloud Security Posture Management

The term Cloud Security Posture Management (CSPM) was introduced around 2018. It appeared as companies started to adopt more and more cloud computing, which led to the need to have tools to manage and secure their cloud environments. The term was coined by Gartner, a leading research and advisory company. Gartner introduced CSPM to describe a category of security tools designed to identify and manage security risks in cloud environments. The main objective of CSPM was to ensure that organizations were strengthening their cloud security posture across their workloads.

The core of CSPM was based on the discoverability of cloud workloads, and the assessment of these workloads according to cloud security best practices. These cloud security best practices were grounded in a mix of cloud solution providers’ benchmarks and industry security standards, such as the Center for Internet Security (CIS), the International Organization for Standardization (ISO), and the National Institute of Standards and Technology (NIST).

Over time, some CSPM solutions also started to offer regulatory compliance lenses on top of the data to help organizations validate if their workloads were compliant with certain standards, such as the Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry (PCI).

Regardless of the benchmark in use, the traditional CSPM lifecycle used in the beginning had the following phases:

Figure 1.1: Traditional CSPM lifecycle

These phases are highlighted below:

  • Onboarding: The first step was to onboard the CSPM solution to the cloud solution provider. For example, in an Azure environment, this step means enabling CSPM in the Azure subscription.
  • Discoverability: Once the CSPM platform is enabled, it will perform the scan to discover all supported workloads in the cloud environment.
  • Assessment: After discovering all supported workloads, and creating the initial inventory, it will perform the security assessment to evaluate if the workloads that were discovered are using security best practices based on industry standard benchmarks.
  • Reporting: Security assessment is a continuous operation, but at the end of each assessment, a report will be created to present the current security state of the workloads. While some workloads may already be configured using security best practices, others may require additional steps to be compliant. For these scenarios, security recommendations will be presented to guide you through the steps on how to remediate the workload.

While these steps are generic and vendor agnostic, each CSPM solution available at that time (around 2018) was adding specific features to improve the overall user experience. For example, Azure Security Center, the Microsoft CSPM at that time, had the secure score, which was a measurement for organizations to identify their security posture by scoring recommendations based on the benchmarks’ asset criticality. The advantage of using a metric such as secure score was that it gave organizations the capability to evaluate progress over time and a North Star to follow: reach 100% on their secure score.

However, the use of secure score also exposed another problem in the cloud security environment, which was the lack of governance. This problem was exposed with the constant fluctuation of the secure score, as shown in the diagram below:

Figure 1.2: Secure score over time

In the fictitious sample diagram above, you have the secure score during the month of May. Notice that in the beginning, the progress was going in the right direction; the initial score was 40%, and it got better, all the way to 65%.

But then something happened, and it dropped to 35%. The question that many cloud administrators had at that time was: I didn’t do anything to change the environment, why did my secure score drop so much?

The reason that those drops occurred, and are still occurring, is the lack of security guardrails at the beginning of the pipeline. In other words, when users provision new resources (for example, a new storage account) that are not using security best practices from the get-go, the number of security recommendations that will need to be applied to raise that resource’s security posture is high, and this will negatively affect the secure score. Every time the CSPM platform performs the assessment, it will either increase the score (if the resources are secure) or drop the score (when the resources are not secure). Of course, the score can stay the same if the environment hasn’t changed or new resources haven’t been provisioned, but in a cloud environment, the likelihood of having many resources getting created and deleted on a daily basis is very high. The lack of guardrails at the beginning of the pipeline led organizations to realize that CSPM was not the sole solution for cloud security. Governance became imperative to ensure that resources were created with security defaults.

Another buzzword that started to become more reality around that time was shift-left. The shift-left approach encouraged practices like early testing, continuous integration, and incorporating security considerations (often referred to as DevSecOps) from the very beginning of the development process. The shift-left approach also influenced how cloud workloads were provisioned with the proliferation of IaC. Amazon Web Services (AWS) introduced AWS CloudFormation in 2011, allowing users to define and manage their infrastructure using templates. In 2014, HashiCorp released Terraform, a tool that has since become one of the most widely used IaC solutions, allowing for the codification of infrastructure in a declarative manner. All these technologies contributed to ensuring that workloads were provisioned with security best practices from the beginning, and therefore contributed to a better overall security posture.

With this context in mind, we can all agree that security posture management is a preventative control, because it helps to improve the security posture, which reduces the likelihood of successful compromise of workloads. According to the Microsoft Digital Defense Report 2022, effective security hygiene can protect against 98% of attacks. This is a very important number, because it means that if you have solid security posture management, are aligned with good governance, and are constantly improving your security hygiene, you are going to strengthen your cloud environment against most attacks.

Having said that, organizations also understand that it is important to operate with the assume breach mindset. The assume breach approach gained prominence around the early 2010s, although its exact origin as a term is not well-documented. This approach emerged as cybersecurity professionals began to recognize the limitations of traditional perimeter-based defenses and the inevitability of breaches. Microsoft has been a notable advocate of the assume breach approach, incorporating it into their security strategies and guidelines in the early 2010s. This advocacy has helped popularize the term within the industry. Around 2010-2011, the cybersecurity industry started to increasingly acknowledge that breaches were not just possible but likely. This shift in mindset was influenced by high-profile data breaches and advanced persistent threats (APTs).

With the assume breach mindset, it became imperative to not only have a strong posture management with CSPM but also to actively monitor cloud workloads and detect potential attempts to compromise them. Threat detection for cloud workloads becomes a reality with Cloud Workload Protection.

Cloud Workload Protection

One of the major differences between Cloud Workload Protection (CWP) and other threat detection technologies such as Intrusion Detection System (IDS) is the variation in the threat landscape according to each type of cloud workload. For example, the threat landscape of a cloud container is not the same as the threat landscape of a cloud storage. Therefore, it becomes imperative that the analytics that are built to create detection for each workload are tailored for the needs of that specific workload.

CWP is a critical pillar in cloud security because it enables organizations to quickly identify potential attacks on their cloud workloads, while it equips Security Operations Center (SOC) teams to perform incident response. Rich threat detection aligned with a solid incident response can be the difference between identifying a threat at the beginning of the cyber kill chain (for example, during reconnaissance) to take measures that can stop the proliferation of the threat, and only identifying a threat after the threat actor was able to fully compromise the environment.

Over the years, cloud vendors started to align their threat detections with the MITRE ATT&CK (https://attack.mitre.org/) framework. This approach helps cloud administrators, security analysts, and incident responders understand which phase of the attack an alert is related to. The code below is extracted from a sample alert from Microsoft Defender for Cloud, specifically for the Defender for Containers threat detection. Notice that this alert has a field called intent, which has the value “InitialAccess”.

This value represents the MITRE ATT&CK Initial Access (https://attack.mitre.org/tactics/TA0001) phase, which makes it easier for whoever is investigating this incident to understand the techniques that were potentially used in this attack.

Copied alert from Microsoft Defender for Cloud on 06/01/24, 09:07 AM (UTC-5)
https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/location/centralus/alertId/2516850500891662950_058ad4df-ac35-4dd6-92ec-db17363e2062/referencedFrom/copyAlertButton
{
  "id": "/subscriptions/XXXXXXXXXXX/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2516850500891662950_058ad4df-ac35-4dd6-92ec-db17363e2062",
  "name": "2516850500891662950_058ad4df-ac35-4dd6-92ec-db17363e2062",
  "type": "Microsoft.Security/Locations/alerts",
  "properties": {
    "status": "Active",
    "timeGeneratedUtc": "2024-06-01T14:06:27.226Z",
    "processingEndTimeUtc": "2024-06-01T14:06:26.8337049Z",
    "version": "2022-01-01.0",
    "vendorName": "Microsoft",
    "productName": "Microsoft Defender for Cloud",
    "productComponentName": "Containers",
    "alertType": "SIMULATED_K8S_ExposedDashboard",
    "startTimeUtc": "2024-06-01T14:05:10.8337049Z",
    "endTimeUtc": "2024-06-01T14:05:10.8337049Z",
    "severity": "High",
    "isIncident": false,
    "systemAlertId": "2516850500891662950_058ad4df-ac35-4dd6-92ec-db17363e2062",
    "intent": "InitialAccess",
    "resourceIdentifiers": [
      {
        "$id": "centralus_1",
        "azureResourceId": "/subscriptions/XXXXXXXX/resourceGroups/Sample-RG/providers/Microsoft.Kubernetes/ConnectedClusters/Sample-Cluster",
        "type": "AzureResource",
        "azureResourceTenantId": "XXXXXXX-XXXXXXXXX"
      },
      {
        "$id": "centralus_2",
        "aadTenantId": " XXXXXXX-XXXXXXXXX ",
        "type": "AAD"
      }
    ],
    "compromisedEntity": "Sample-Cluster",
    "alertDisplayName": "[SAMPLE ALERT] Exposed Kubernetes dashboard detected (Preview)",
    "description": "THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service.\nExposed dashboard allows an unauthenticated access to the cluster management and poses a security threat.",
    "remediationSteps": [
      "Review the LoadBalancer service in the alert details. In case the dashboard is exposed to the Internet, delete the LoadBalancer service immediately and escalate the alert to the information security team."
    ]
  }
}
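
The following Python example is added here for illustration and is not code from the book or from Defender for Cloud. It shows how a triage script can use the intent field: each alert's intent is mapped to its ATT&CK tactic ID, and alerts are ordered by severity and by how far along the attack they are. It assumes that intent values are ATT&CK tactic names written without spaces, as "InitialAccess" is above; the second and third alerts are constructed sample data.

```python
import json

# ATT&CK Enterprise tactics in matrix order, earliest stage first.
# Assumption: the alert's "intent" value is the tactic name without spaces,
# as "InitialAccess" is in the sample alert on this page.
TACTICS = [
    ("Reconnaissance", "TA0043"),
    ("ResourceDevelopment", "TA0042"),
    ("InitialAccess", "TA0001"),
    ("Execution", "TA0002"),
    ("Persistence", "TA0003"),
    ("PrivilegeEscalation", "TA0004"),
    ("DefenseEvasion", "TA0005"),
    ("CredentialAccess", "TA0006"),
    ("Discovery", "TA0007"),
    ("LateralMovement", "TA0008"),
    ("Collection", "TA0009"),
    ("CommandAndControl", "TA0011"),
    ("Exfiltration", "TA0010"),
    ("Impact", "TA0040"),
]
STAGE = {name: (index, tactic_id) for index, (name, tactic_id) in enumerate(TACTICS)}
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}

# Constructed sample input: the first alert is a trimmed copy of the sample
# alert above; the other two are invented for this example.
SAMPLE_ALERTS = json.loads("""
[
  {"name": "2516850500891662950_058ad4df-ac35-4dd6-92ec-db17363e2062",
   "properties": {"severity": "High", "intent": "InitialAccess",
                  "compromisedEntity": "Sample-Cluster",
                  "alertDisplayName": "[SAMPLE ALERT] Exposed Kubernetes dashboard detected (Preview)"}},
  {"name": "constructed-alert-2",
   "properties": {"severity": "High", "intent": "LateralMovement",
                  "compromisedEntity": "Sample-VM",
                  "alertDisplayName": "Constructed alert: lateral movement"}},
  {"name": "constructed-alert-3",
   "properties": {"severity": "Medium", "intent": "PreAttack",
                  "compromisedEntity": "Sample-Storage",
                  "alertDisplayName": "Constructed alert: intent not in the table"}}
]
""")


def enrich(alert):
    """Attach ATT&CK tactic IDs and a kill-chain stage to one alert."""
    props = alert.get("properties", {})
    # Tolerate a comma-separated list of intents (an assumption; the sample has one).
    intents = [part.strip() for part in (props.get("intent") or "").split(",") if part.strip()]
    mapped, unmapped = [], []
    for name in intents:
        if name in STAGE:
            stage, tactic_id = STAGE[name]
            mapped.append({
                "intent": name,
                "tactic_id": tactic_id,
                "stage": stage,
                "url": f"https://attack.mitre.org/tactics/{tactic_id}",
            })
        else:
            # Never drop an unknown value silently: surface it for manual review.
            unmapped.append(name)
    return {
        "alert": props.get("alertDisplayName", alert.get("name", "<unnamed>")),
        "entity": props.get("compromisedEntity"),
        "severity": props.get("severity", "Informational"),
        "tactics": mapped,
        "unmapped_intents": unmapped,
        "latest_stage": max((m["stage"] for m in mapped), default=-1),
    }


def triage(alerts):
    """Order alerts by severity, then by how late in the attack they occur."""
    enriched = [enrich(alert) for alert in alerts]
    return sorted(
        enriched,
        key=lambda e: (SEVERITY_RANK.get(e["severity"], 0), e["latest_stage"]),
        reverse=True,
    )


if __name__ == "__main__":
    for item in triage(SAMPLE_ALERTS):
        tactics = ", ".join(t["tactic_id"] for t in item["tactics"]) or "unmapped"
        print(f'{item["severity"]:<6} {tactics:<10} {item["entity"]}: {item["alert"]}')
```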

CSPM and CWP are heavily utilized in the protect, detect, and response pillars. When you increase your security posture, you reduce the likelihood of successful compromise, which means you will likely have fewer threats to detect because your attack surface is more restricted. This will positively affect the SOC team, because they will have fewer alerts to triage, and they can invest more in proactive threat hunting in the environment.

Recognizing that CSPM and CWP are different platforms that should always work together, many vendors started to offer one single solution for CSPM and CWP. This was the case for Azure Security Center, which, since 2021, has been called Microsoft Defender for Cloud (MDC). Since its origins back in 2015 when Azure Security Center was released in Public Preview, CSPM and CWP have always been part of the platform. The goal was always to improve the security posture while detecting threats against cloud workloads. Over time, the product became more mature and created a feedback loop that allows cloud administrators to learn from incidents and see which gaps must be filled in their security posture to avoid that same type of attack happening again.

Some workloads, such as VMs, may require a separate agent to be installed to be able to have deeper visibility, real-time threat detection, and response. While many organizations don’t like to have an extra agent installed, the reality is that there are many functions that require an agent. For example, an agent can be used to analyze the behavior of applications and processes to identify anomalies that might indicate a compromise. This means that depending on the type of workload, the CWP platform may require the installation of an agent to provide better functionality and protection. For example, if VMs are very short-lived and may be reprovisioned every second day, and there is no publicly exposed workload running, an agentless approach might be sufficient. And that’s why most CWP providers offer both solutions.

Cloud Native Application Protection Platform

In less than a decade, cloud security technology grew from security posture management with CSPM to an amalgamation of many other platforms that were created to address specific issues within the cloud security space, such as Cloud Infrastructure Entitlement Management (CIEM), which is focused on managing identities and their entitlements (permissions) within cloud environments. In addition to CIEM, other platforms started to proliferate, such as:

  • External Attack Surface Management (EASM): Focused on identifying, monitoring, and managing the external-facing digital assets of an organization.
  • Data Security Posture Management (DSPM): Focuses on managing and improving the security posture of an organization’s data across various environments, including cloud workloads.
  • Vulnerability Assessment and Management (VAM): Focused on identifying, evaluating, prioritizing, and addressing security vulnerabilities within an organization’s cloud or on-premises environment.

Organizations started to adopt these tools by using the rationale of adopting the best-of-breed strategy. While a best-of-breed strategy can provide some benefits in terms of performance and functionality, it also involves challenges such as increased complexity in integration, potential compatibility issues, and the need for skilled IT management to maintain and support a heterogeneous environment. In addition to that, the growth of multicloud adoption added even more challenges when it comes to managing all these tools in different dashboards, across different cloud providers.

In 2021, Gartner introduced the term Cloud-Native Application Protection Platform (CNAPP) to describe a new category of security platforms designed to provide comprehensive protection for cloud-native applications throughout their lifecycle.

The goal was to integrate various security functionalities, such as vulnerability management, compliance, runtime protection, and identity and access management, into a unified platform, aiming to address the complex security needs of cloud-native environments. In 2023, Gartner published the Market Guide for Cloud-Native Application Protection Platforms, which documents the architecture of a CNAPP solution, including the elements shown in Figure 1.3:

Figure 1.3: CNAPP architecture

As shown in Figure 1.3, a CNAPP solution must contain these major pillars, which start with artifact scanning. This component describes the platform’s capability to scan different types of artifacts, including traditional workloads such as VMs, storage accounts, and containers, as well as code and Application Program Interfaces (APIs). The insights generated by artifact scanning will help enhance the security posture of the DevOps lifecycle and take into account the different aspects of cloud configuration, which includes IaC. These components will also integrate with runtime protection, which contains CWP. As you evaluate which CNAPP vendor you will adopt, you must ensure that the vendor’s solution is aligned with these components.

Attack disruption

One of the main benefits of having the artifact scanning capability integrated with the other elements of this platform is the possibility of sharing and crossing information to allow a better understanding of the assets and using this information to prioritize risk mitigation.

The artifact scanning will generate a series of insights that can be leveraged by the platform. For example, the artifact scanning of a storage account may find the following insights about the storage account:

  • Access: The storage account is widely accessible through the internet.
  • Permissions: The storage account has a very permissive set of permissions.
  • Type of data: The storage account contains sensitive information.

Upon having these insights, the CNAPP will perform an attack path analysis to identify potential areas of compromise, including the capability to move laterally across workloads. Figure 1.4 has an example of what this looks like:

Figure 1.4: Attack path

The attack path shown in Figure 1.4 has three workloads, a VM, a managed identity, and a storage account. The insights into these workloads will give more details about the potential attack. For example, in this case, the VM’s insights show that this VM is exposed to the internet and has a series of vulnerabilities (CVEs) that were not patched and could be exploited by a threat actor. Once the threat actor gains access to this VM, it could authenticate to a managed identity that has permissions to a storage account. The insights from the storage account show that this storage account contains sensitive information.

Only CNAPP can provide this level of detail across multiple workloads (even if they are located in multiple cloud environments) due to the nature of the platform, which allows you to obtain intelligent insights from workloads that were scanned. CNAPP will analyze the correlation of these workloads with others, understand the potential attack, and show the results to you so you can take proactive measures to disrupt potential attacks.
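
The attack path analysis described above can be modeled as a graph search over workloads and their insights. The Python example below is added for illustration and is not code from the book or from any CNAPP product; the resource names, insight labels, and relationship names are constructed. It finds every path from an internet-exposed, unpatched entry point to a resource holding sensitive data, then ranks which single remediation removes the most paths.

```python
# Constructed inventory: workloads with the insights artifact scanning produced.
ENTRY_INSIGHTS = frozenset({"internet_exposed", "unpatched_cves"})
TARGET_INSIGHT = "sensitive_data"

NODES = {
    "vm-web01": {"type": "vm", "insights": {"internet_exposed", "unpatched_cves"}},
    "vm-api02": {"type": "vm", "insights": {"internet_exposed", "unpatched_cves"}},
    "vm-batch03": {"type": "vm", "insights": {"unpatched_cves"}},  # not exposed
    "mi-app": {"type": "managed_identity", "insights": set()},
    "st-customer": {"type": "storage_account", "insights": {"sensitive_data"}},
    "st-logs": {"type": "storage_account", "insights": set()},
}
EDGES = [
    ("vm-web01", "mi-app", "authenticates_as"),
    ("vm-api02", "mi-app", "authenticates_as"),
    ("vm-batch03", "mi-app", "authenticates_as"),
    ("mi-app", "st-customer", "has_permissions_to"),
    ("mi-app", "st-logs", "has_permissions_to"),
]


def find_attack_paths(nodes, edges):
    """Return every simple path from an entry point to a sensitive resource."""
    adjacency = {}
    for src, dst, _relation in edges:
        adjacency.setdefault(src, []).append(dst)
    # An entry point needs both conditions: reachable from the internet AND exploitable.
    entries = sorted(n for n, d in nodes.items() if ENTRY_INSIGHTS <= d["insights"])
    paths = []

    def walk(node, path):
        if len(path) > 1 and TARGET_INSIGHT in nodes[node]["insights"]:
            paths.append(list(path))
        for nxt in adjacency.get(node, []):
            if nxt not in path:  # avoid cycles
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    for entry in entries:
        walk(entry, [entry])
    return paths


def rank_fixes(nodes, edges):
    """Score each candidate remediation by how many attack paths it removes."""
    baseline = find_attack_paths(nodes, edges)
    candidates = set()
    for path in baseline:
        for insight in ENTRY_INSIGHTS:  # patch the VM or remove its exposure
            candidates.add(("clear_insight", path[0], insight))
        for src, dst in zip(path, path[1:]):  # revoke a permission or identity
            candidates.add(("remove_edge", src, dst))
    results = []
    for fix in sorted(candidates):
        kind, first, second = fix
        if kind == "clear_insight":
            trial_nodes = {
                name: {**data, "insights": data["insights"] - ({second} if name == first else set())}
                for name, data in nodes.items()
            }
            trial_edges = edges
        else:
            trial_nodes = nodes
            trial_edges = [e for e in edges if (e[0], e[1]) != (first, second)]
        remaining = len(find_attack_paths(trial_nodes, trial_edges))
        results.append((len(baseline) - remaining, fix))
    results.sort(key=lambda item: (-item[0], item[1]))
    return results


if __name__ == "__main__":
    for path in find_attack_paths(NODES, EDGES):
        print(" -> ".join(path))
    for removed, fix in rank_fixes(NODES, EDGES):
        print(removed, fix)
```

In this constructed inventory, tightening the managed identity's permission on the sensitive storage account removes both paths at once, while patching either VM removes only one.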

This native CNAPP capability empowers cloud posture management teams to be more proactive and effective, and to prioritize what is truly important in their environment.

The insights can also come from code, which means that the attack path can also highlight potential vulnerabilities in your code that can be used as the entry point for threat actors.

Attack path disruption also adds another KPI for organizations that want to track progress over time. Let’s say that your company opened the CNAPP dashboard and saw 100 attack paths. The ultimate goal is to drop the number of attack paths to zero. When tracking the attack path over time, you can also find out what the time to resolution (TTR) is for those attack paths. In other words, once the attack path appears, how long does it take to resolve?

This is an important metric to track because it will directly reflect on how effective the security posture of your cloud environment is. Here, you will have the opportunity to use the continuous improvement mindset to always chase a better metric and ensure that you are driving your team to be more effective when it comes to rapidly remediating critical issues. Figure 1.5 has an example of an attack path over time, and the set of questions (A and B) that you must answer:

Figure 1.5: Tracking an attack path

In this case, some sample questions that could be asked by looking at this diagram are:

  • Set of questions A:
    • How long did it take for the attack paths to grow from 50 to 100?
    • Why did the attack path grow in this period instead of dropping?
    • What were the lessons learned from this event?
  • Set of questions B:
    • How long did it take for the attack paths to drop from 100 to 0?
    • What was the TTR for these attack paths?
    • How can we improve this TTR?

The answers to those questions will help your organization improve its security posture over time and keep fine-tuning the TTR for future attack paths.
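
As an added example (not from the book), the Python code below derives these numbers from periodic snapshots of the open attack paths, assuming you can export the list of open attack path identifiers on a schedule. The dates and path IDs are constructed, and TTR is measured at snapshot granularity, so it is an upper bound on the real resolution time.

```python
from datetime import date
from statistics import median

# Constructed weekly snapshots: (snapshot date, IDs of attack paths open that day).
SNAPSHOTS = [
    (date(2024, 5, 1), {"ap-1", "ap-2"}),
    (date(2024, 5, 8), {"ap-1", "ap-2", "ap-3", "ap-4"}),
    (date(2024, 5, 15), {"ap-2", "ap-3", "ap-4"}),
    (date(2024, 5, 22), {"ap-1", "ap-4"}),  # ap-1 re-opened
    (date(2024, 5, 29), set()),
]


def resolution_times(snapshots):
    """Return ({path_id: [days open per occurrence]}, [path IDs still open])."""
    first_seen, ttr = {}, {}
    previous = set()
    for day, open_paths in sorted(snapshots, key=lambda snap: snap[0]):
        for path_id in open_paths - previous:
            first_seen[path_id] = day  # new path, or a resolved one that came back
        for path_id in previous - open_paths:
            ttr.setdefault(path_id, []).append((day - first_seen[path_id]).days)
        previous = open_paths
    return ttr, sorted(previous)


def median_ttr(snapshots):
    """Median days to resolution over every resolved occurrence."""
    ttr, _still_open = resolution_times(snapshots)
    durations = [days for per_path in ttr.values() for days in per_path]
    return median(durations) if durations else None


def trend(snapshots):
    """Change in the number of open paths between consecutive snapshots."""
    ordered = sorted(snapshots, key=lambda snap: snap[0])
    return [
        (start, end, len(after) - len(before))
        for (start, before), (end, after) in zip(ordered, ordered[1:])
    ]


if __name__ == "__main__":
    per_path, still_open = resolution_times(SNAPSHOTS)
    print("TTR per path (days):", per_path)
    print("Still open:", still_open)
    print("Median TTR (days):", median_ttr(SNAPSHOTS))
    for start, end, delta in trend(SNAPSHOTS):
        print(f"{start} -> {end}: {delta:+d}")
```

Periods with a positive delta are the ones to examine with the questions in set A; the TTR figures answer set B.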

Attack disruption becomes even more critical when you are dealing with a multicloud scenario where threat actors could start their attack campaign in one cloud provider and pivot to another. This scenario is very difficult to identify without CNAPP.

Agentless approach

The posture management side of CNAPP enables organizations to quickly obtain insights about workloads due to the agentless approach. When you onboard a cloud environment to use CNAPP, the onboarding process is frictionless because, by default, you will not need an agent just to obtain the initial security posture insights of a workload. This means that you don’t need to wait until an agent is deployed to be able to obtain information about the workload’s security posture. Figure 1.6 summarizes the process:

Figure 1.6: Agentless process

Figure 1.6 shows a VM being provisioned and the artifact scan taking place to generate the insights. It is important to mention that different vendors may implement different methods to perform this artifact scanning for VMs upon provisioning. Regardless of the method running behind the scenes, the result is a faster onboarding process as you will have rapid access to key information from the VM, such as vulnerability assessment, software inventory, secret scanning, and potential malware.

It is important to emphasize that despite the advantage of having an agentless approach for posture management, when you need deeper threat detection, you may need to install an agent according to the type of workload.

Proactive hunting

While the term hunting is more often used in the context of threat hunting, which is more of a task done by the SOC team, CNAPP enables you to perform proactive hunting based on security posture information available about your workloads.

Once you have all workloads scanned and all insights created, you will not only have access to potential paths of attack but also access to the big data that was collected. This data contains the full inventory of your workloads and the security posture information of those workloads. With this information available, you can create queries that will give you even more information about different scenarios.

How this query will be executed depends on the CNAPP vendor. The Microsoft CNAPP solution, Defender for Cloud, enables you to perform visual queries using a feature called Cloud Security Explorer. Figure 1.7 has an example of a query that returns all VMs that are vulnerable to the Log4Shell vulnerability and have an identity attached with permissions to a storage account.

Figure 1.7: Cloud Security Explorer

Cloud Security Explorer is a functionality that will be covered in more detail in Chapter 9 of this book.

Alert enrichment

Although many of the capabilities that really highlight the power of CNAPP are related to posture management, there is a lot of value added when it comes to enhancements in CWP, mainly because you can now analyze the data from different angles. For example, you may see an attack path that has a VM that is exposed to the internet and has unpatched vulnerabilities, and this VM has been attacked already. Notice that, in the same sentence, I included proactive elements (attack path) with reactive elements (has been attacked already). This is possible because the CWP is integrated with all other security posture modules of the overall CNAPP solution.

This data enrichment can also benefit the SOC team when they are triaging alerts, as they will have additional information that can help them prioritize how fast they need to respond. The data can be streamed to the Security Information and Event Management (SIEM) platform and the investigation will take place on the SIEM level where data ingestion from multiple data sources is taking place.

Summary

In this chapter, we discussed the roots of cloud security with CSPM and CWP. We covered the traditional CSPM lifecycle, the use of secure score to track progress over time, and the challenges introduced with multicloud and shift-left. We also discussed the main aspects of CWP, the use of the MITRE ATT&CK framework to map alerts to different workloads, and the need to have agents for some types of workloads. The foundational knowledge obtained throughout this chapter will help you connect the dots about CNAPP and how Defender for Cloud implements those core capabilities.

We discussed how CNAPP was conceived, and the main advantages of using a CNAPP, which included attack disruption, agentless approach, proactive hunting, and SOC enrichment.

The next chapter is about accessing your environment security posture.

Key benefits

  • Master the CNAPP lifecycle from planning to operationalization using real-world practical scenarios.
  • Dive deep into the features of Microsoft's Defender for Cloud to elevate your organization’s security posture.
  • Explore hands-on examples and implementation techniques from a leading expert in the cybersecurity industry

Description

Cloud security is a pivotal aspect of modern IT infrastructure, essential for safeguarding critical data and services. This comprehensive book explores Cloud Native Application Protection Platform (CNAPP), guiding you through adopting, deploying, and managing these solutions effectively. Written by Yuri Diogenes, Principal PM at Microsoft, who has been with Defender for Cloud (formerly Azure Security Center) since its inception, this book distills complex concepts into actionable knowledge making it an indispensable resource for Cloud Security professionals. The book begins with a solid foundation detailing the why and how of CNAPP, preparing you for deeper engagement with the subject. As you progress, it delves into practical applications, including using Microsoft Defender for Cloud to enhance your organization's security posture, handle multicloud environments, and integrate governance and continuous improvement practices into your operations. Further, you'll learn how to operationalize your CNAPP framework, emphasizing risk management & attack disruption, leveraging AI to enhance security measures, and integrating Defender for Cloud with Microsoft Security Exposure Management. By the end, you'll be ready to implement and optimize a CNAPP solution in your workplace, ensuring a robust defense against evolving threats.

Who is this book for?

This book is aimed at Cloud Security Professionals that work with Cloud Security, Posture Management, or Workload Protection. DevOps Engineers that need to have a better understanding of Cloud Security Tools and SOC Analysts that need to understand how CNAPP can enhance their threat hunting capabilities can also benefit from this book. Basic knowledge of Cloud Computing, including Cloud Providers such as Azure, AWS, and GCP is assumed.

What you will learn

  • Implement Microsoft Defender for Cloud across diverse IT environments
  • Harness DevOps security capabilities to tighten cloud operations
  • Leverage AI tools such as Microsoft Copilot for Security to help remediate security recommendations at scale
  • Integrate Microsoft Defender for Cloud with other XDR, SIEM (Microsoft Sentinel) and Microsoft Security Exposure Management
  • Optimize your cloud security posture with continuous improvement practices
  • Develop effective incident response plans and proactive threat hunting techniques

Product Details

Publication date : Oct 31, 2024
Length: 382 pages
Edition : 1st
Language : English
ISBN-13 : 9781836204862
Vendor : Microsoft

Table of Contents

19 Chapters
Why CNAPP?
Assessing Your Environment’s Security Posture
CNAPP Design Considerations
Creating an Adoption Plan
Elevating Your Workload’s Security Posture
Multicloud
DevOps Security Capabilities
Governance and Continuous Improvement
Proactive Hunting
Implementing Workload Protection
Protecting Compute Resources (Servers and Containers)
Protecting Storage and Databases
Protecting APIs
Protecting Service Layer
Incident Response
Leveraging AI to Improve Your Security Posture
Security Exposure Management
Other Books You May Enjoy
Index

FAQs

How do I buy and download an eBook?

Where there is an eBook version of a title available, you can buy it from the book details for that title. Add either the standalone eBook or the eBook and print book bundle to your shopping cart. Your eBook will show in your cart as a product on its own. After completing checkout and payment in the normal way, you will receive your receipt on the screen containing a link to a personalised PDF download file. This link will remain active for 30 days. You can download backup copies of the file by logging in to your account at any time.

If you already have Adobe Reader installed, then clicking on the link will download and open the PDF file directly. If you don't, then save the PDF file on your machine and download the Reader to view it.

Please Note: Packt eBooks are non-returnable and non-refundable.

Packt eBook and Licensing

When you buy an eBook from Packt Publishing, completing your purchase means you accept the terms of our licence agreement. Please read the full text of the agreement. In it we have tried to balance the need for the eBook to be usable for you, the reader, with our need to protect our rights as Publishers and those of our authors. In summary, the agreement says:

  • You may make copies of your eBook for your own use onto any machine
  • You may not pass copies of the eBook on to anyone else

How can I make a purchase on your website?

If you want to purchase a video course, eBook or Bundle (Print+eBook), please follow the steps below:

  1. Register on our website using your email address and a password.
  2. Search for the title by name or ISBN using the search option.
  3. Select the title you want to purchase.
  4. Choose the format you wish to purchase the title in; if you order the Print Book, you get a free eBook copy of the same title.
  5. Proceed with the checkout process (payment to be made using Credit Card, Debit Card, or PayPal)

Where can I access support around an eBook?

  • If you experience a problem with using or installing Adobe Reader, then contact Adobe directly.
  • To view the errata for the book, see www.packtpub.com/support and view the pages for the title you have.
  • To view your account details or to download a new copy of the book, go to www.packtpub.com/account
  • To contact us directly if a problem is not resolved, use www.packtpub.com/contact-us

What eBook formats do Packt support?

Our eBooks are currently available in a variety of formats such as PDF and ePub. In the future, this may well change with trends and development in technology, but please note that our PDFs are not Adobe eBook Reader format, which has greater restrictions on security.

You will need to use Adobe Reader v9 or later in order to read Packt's PDF eBooks.

What are the benefits of eBooks?

  • You can get the information you need immediately
  • You can easily take them with you on a laptop
  • You can download them an unlimited number of times
  • You can print them out
  • They are copy-paste enabled
  • They are searchable
  • There is no password protection
  • They are lower priced than print
  • They save resources and space

What is an eBook?

Packt eBooks are a complete electronic version of the print edition, available in PDF and ePub formats. Every piece of content down to the page numbering is the same. Because we save the costs of printing and shipping the book to you, we are able to offer eBooks at a lower cost than print editions.

When you have purchased an eBook, simply log in to your account and click on the link in Your Download Area. We recommend saving the file to your hard drive before opening it.

For optimal viewing of our eBooks, we recommend you download and install the free Adobe Reader version 9.