How to Keep Up With Vulnerability Management Challenges in Ephemeral Cloud Environments

This blog is part of an ongoing series sharing key takeaways from Rapid7’s 2020 Cloud Security Executive Summit. Interested in participating in the next summit on March 9? Register here!

The modern perspective is that the cloud has made it much easier to have visibility of your attack surface and everything you’re working with. While still responsible for setting up patching, monitoring, remediation, and notification, you’re likely to find many security processes smoother in the cloud, enabling a never-before-seen velocity.

However, there are still many who are ramping up their knowledge of how to optimize cloud processes. And if you’re fragmented across multiple providers, what’s the best way forward if you’re working with a new company or otherwise looking to scale quickly?

The need for speed (and more speed and more speed)

In a post-office world, remote work culture has signaled the need to innovate and get workloads deployed at breakneck speed. However, the cost of misconfigurations from personnel who aren’t familiar with cloud security could be disastrous—it can impact shareholder value as well as a company’s public-facing perception. So, even though the need exists to deploy and scale quickly, education is a crucial component in the race to win. Configuring for the cloud is complex, but if done right, it makes things easier. With the right training for security and dev teams, shifting left with cloud can become a reality.

As this education and scaling process goes along, who is ultimately responsible for vulnerabilities in the cloud? Whether it’s on-premises or off-premises, a customer-facing team should be one ready and able to address the unique hybrid environments of each customer. To optimize for this more modern—and demanding—paradigm, developers and engineers are getting more involved with the security of their workloads than ever before. There is more of a willingness to embrace things like confirmation templates, Terraform, and Azure ARM templates as preferred models for cloud deployment.

At the same time, security teams are realizing they need to keep up with trends and extend their own skill sets. CISOs and team leaders are learning not to rely on any one process in the long term, instead opting to be flexible as vulnerability management (VM) scales and changes.

Visibility and the cloud standard of excellence

As organizations look to make shifts that will optimize processes and bring them closer to their unique standards of cloud excellence, we find that the real success cases are ensuring consistency across teams as shifts are made. Doing it differently in one business unit than another is only going to delay deployments and cost the company money. Visibility across teams is the key to consistency in the face of the ephemeral nature of cloud security.

Amazon alone has a plethora of visibility-enablement services ramping up to deploy. It’s important that developers and security personnel understand these solutions, because they can all become vulnerabilities that present new attack vectors. A customer might use Rapid7’s own DivvyCloud to pull in VM data about their cloud so they have a broad view of risk management across the attack surface.

Vulnerabilities have…matured?

The word “matured” is usually used in a positive context. Thus, we don’t usually associate it with something negative like a security vulnerability. We do, however, talk about how attacker methods have become more “sophisticated.” Plugging vulnerabilities is part and parcel of shifting security left and being more proactive. In using more positive language, it starts to create a culture that’s ready to go on the offensive—one that’s continuously thinking ahead about how to manage vulnerability as it matures. It only makes sense, then, for CISOs and security leaders to periodically ask important questions like:

• What should we be looking for in terms of a VM technology partner?
• How have the core pillars of our VM strategy changed in the past couple of years?

It starts with a cloud-native solution that will enable organizations to deal with the volume, speed, and ephemeral nature of VM at scale. As teams respond to threats and discover new vulnerabilities, this type of program enables consistency across both cloud and on-premises workloads. Implementing fragmented tools for individual workloads just doesn’t make sense in today’s landscape. Indeed, each company will have its own way of implementing its own solution. The consistent thread is that all organizations must be flexible and able to work with their security-technology partners to align on the best way to leverage cloud services.

The future of vulnerability management

Traditional VM has typically been focused on vulnerabilities within the host. In the not-too-distant future, we’re likely to see a big uptick in the role containers and serverless frameworks play in application development. It follows that organizations must develop a game plan for securing those functions. In lock-step with these processes, teams must ensure automation is working to the benefit of the security organization, enabling good hygiene and a quicker pace when production kicks into gear.  

As business scales, so must a holistic sense of security and amplification of the tools that make it all work. Want more insights on the future of VM? Attend our upcoming Cloud Security Executive Summit March 9 to learn more from the experts leading the industry and discuss the critical issues affecting security today. Register here.