devOcean Logo

What Does Dating and Solving Risks Have in Common?

Nimrod Lavi
Security Researcher

Think of the following scenario - You’re single and ready to mingle, so take out your phone and open a dating app. You scroll through the profiles and much to your surprise, everyone you see there is freaking perfect! We’re talking 10s across the board - every single one! You’ve swiped right 100’s of times now, and still more 10s! And wonders never cease- you match with all of them! Everyone wants to engage with you. Simply managing who to text next becomes a full time job.

Of course, nothing and no one is perfect (not even in this totally fictional scenario we are making up). The problem starts once you start talking to them, you realize more often than not that these “perfect 10s” turn out to be not so perfect after all - some are catfishers, some are already “off the market”, and others are so similar it’s like they are clones! But what can you do? You know some of these 10s are the real deal and you’re not giving up. But wouldn’t it be great if you could find a faster way to know which 10 is really a 10?

This is the best “real“ world example of how many security teams feel once they start looking into cloud risks and investigating alerts! While we can’t fix the dating problem, we’re happy to offer guidelines and a few examples of how automations and algorithms can solve the real and ever-evolving issue of “Prioritizing and Focusing on the Right Risk” in the world of cloud security.

Is it still relevant?

How many times have you started doing something you were really excited about and totally invested in only to find out it’s no longer relevant? This is a familiar phenomenon and never ending scenario for anyone who investigates cloud security risks because of the ever-changing and volatile nature assets in our cloud environments. So the first question you need to ask when starting an investigation is, “Is it still relevant?” We discovered that a lot of the alerts we see in different systems are on assets that don’t exist anymore. We de-prioritize them for our customers, based on the ongoing status of assets in the environment, keeping in mind that different assets have different statuses. We truly recommend that before you commit to a highly scored risk you verify it’s still around and relevant 😉.

What’s the impact?

Another element that should be taken into account when evaluating if a Level 10 risk is really a 10 is understanding what can be done if the risk is exploited, where can an attacker go from here? Can he get to one of my crown jewels? Can he escalate privileges?  Many times, risks are tagged as critical but once you start investigating you understand that the potential impact on your organization is close to none, and not even worth the investigation time. DevOcean takes a holistic view of your cloud environment in order to determine the real score of a risk based on its potential impact.  Part of our solution for this is to discover the accounts and applications in the account based on an ML(machine learning) algorithm that automatically add tags to the account and applications for us to take into consideration when calculating the real score of a risk. We create a blueprint of the environment to understand which accounts and applications post the most risk to the organization, and then instead of looking at a single alert we triage them and look for the possible paths and outcomes. Based on these two factors and many more we can decide the true impact a security risk can have on the organization.

Multiple risks - same root cause

DevOcean’s integrated platform collects data from as many security tools and products as possible. Part of the reason for that is that each of our customers have a unique stack of security tools, and we want to give them a “single source of truth”, but the main reason we do it is that we discover a lot of highly scored alerts have the same Root Cause! We focus a lot on Root Cause Analysis because we find that many times multiple alerts can be solved with the same fix even though they might not seem related at first glance. This can happen because the alerts are on different assets and the different tools reporting them are focused only solving the issue for the asset itself and not remediating the root cause! Here’s an example -

Say we have five security alerts on two different platforms regarding over-privileged assets in an AWS account. Now three of the alerts are on roles with unused permissions that came from AWS’s built-in IAM access advisor. The other two alerts are for over-privileged lambda functions, and they came from your CSPM solution. If you look at each alert separately, it would seem as though they are not connected, but once you start connecting the dots you understand they have the same Root Cause - an over-permissive policy that is attached to all of them in some way. Simply by editing the policy, you will solve all five alerts at once and save yourself a lot of precious time. This is just one example of many. A helpful tip for those of you working in an AWS organization - a lot of issues can be easily surfaced and solved across your whole organization if you just focus on the Root Cause and its potential impact, instead of focusing on singular alerts.

Dealing with duplications

Another issue causing alert overload is the high amount of duplicates, which create a lot of noise and make it very hard to know which alerts to focus on and how to prioritize them. In order to deal with the issue, we create automations to identify duplicates alerts based on what asset they are related to, their policies, remediation steps, and what they are trying to solve. We take these alerts and combine them to create a Consolidated Security Risk that aggregates all the different alerts from the different sources, and lists all the relevant assets to the risk and give it a proper score based on a real analysis of all the alerts together. This is just another way to deal with and understand what’s really a 10 even if it’s the same thing from different sources/applications 😊.

Summary

To conclude, risks are like dating app matches. You know going into it that not everything requires your immediate attention, but but simply prioritizing which matches or alerts are the urgent ones can be time-consuming and overwhelming. DevOcean might not be able to help you decide who to spend your Saturday night with - but we can help you decide which security events are most critical. We’ll help you dedupe and consolidate events, so you can fix the issue once at the root cause. And we’ll automatically add the context you need to determine how much impact an event has on your critical apps and accounts in production.  If you need help dealing with the issues presented above or would like to learn more about our team and our product, drop us a line at contact@devocean.security.