We have all likely been in situations where someone said something and it did not make much sense or it did not apply in the situation you were in at that time.
Same or different person saying the same thing in a different place or a different time and all is well, makes total sense.
Context matters!
“How does this apply to Cloud Security? I have also heard that ARGOS reduced cloud security alerts by almost 98% in some cases. How?”
This might be you, dear reader, asking yourself this.
ARGOS customers are telling us about their experiences with other cloud security products and the one thing cloud and security teams are telling us is that while those products are telling them the right things, they often do not make sense as they do not take context into account.
Examples for Context in Public Cloud
All Cloud Security Posture Management (CSPM) do a good job at telling you what misconfigurations they have found in one’s cloud environments. Some might even prioritise those findings based on severity. That is helpful.
As a cloud (security) engineer I want to know about potentially risky misconfigurations in the cloud environments I am responsible for. I want to know about the databases that are exposed to the internet and might leak data to unauthorised people. That is higher on my list than the “please add a tag on this resource” misconfiguration.
“We have 33,000 critical notifications in our environment according to our CSPM. Nobody believes that, so we stopped looking.”
Now, what if we told you that this quote is not the exception, but the rule, that most of our customers are telling us that they have hundreds, some thousands and tens of thousands of those highly critical misconfigurations? Are you surprised? Maybe, maybe not.
We were not. We have seen this so many times and we probably do not need to tell you about alert fatigue.
Eventually people will ignore those misconfigurations, without any bad intentions.
If it is not bad intentions, what is it then? We believe, and our customers actually tell us this, that people have checked a few of those critical misconfigurations, found that in the context of the overall cloud system the misconfigurations are actually not critical and extrapolated that the other hundreds or thousands of alerts are likely the same. This is what our human brain does. If something is true n times, then we assume it is also true n+1 times.
However, that is likely not the case.
ARGOS Applies Context
As a very unique capability amongst Cloud Security products ARGOS applies context to every single misconfiguration using its “Intelligent Exploitability Engine” or IEE, not just to a handful of findings only, due to time constraints usually and the sheer number of findings that a human would have to deal with.
This context is very complex. To give a few very common examples of what we have found in customer production deployments:
Exposed Firewall Ports
Exposing so-called management ports, these are port 22 and 3389 for SSH and RDP respectively, to the internet is considered a bad practice and has been used in many hacks or attacks in the past. However, in the cloud things work differently.
In the public cloud one can create a “Firewall rule” (they are called different things depending on which cloud), tell it to allow traffic on above ports inbound from the internet, but then not actually connect it to anything. That is absolutely doable.
Every CSPM will cry wolf at this point and call this a highly critical misconfiguration. A person will look at the alert and will say something like “this is pointless, it isn’t doing anything” and eventually stop responding to alerts.
ARGOS knows that the Firewall is not connected to anything, or that it is connected to something, but the network it is in does not allow any traffic from the internet because it is actively blocked.
On the other hand, ARGOS will know if the network this Firewall is in might not have direct internet connectivity, but the network is connected to another network which does.
Is this Database public?
Is a cloud database really only publicly accessible if it has a public IP assigned to it?
Every CSPM will say, yes.
If the database does not have a public IP assigned then they will not show any misconfiguration, because the database is inside a network. Well, yes and no.
What about that Virtual Machine that is in the same network which does have a public IP on it, has a Firewall rule assigned to it allowing SSH from the internet and where that network actually allows that traffic in and where the database accepts traffic from that VM?
Classic “jumpbox”, “management host” or “development machine” example.
ARGOS will tell you about this.
Context Really Does Matter
By applying a lot of context through IEE to our rule set ARGOS is able to reduce alerts drastically. ARGOS still displays all the misconfigurations it finds, but highlights the ones that are exploitable.
That is how for all our customers we have seen a much higher focus on issue resolution, faster response times to issues (ARGOS scans clouds continuously) and overall as a by-product a higher compliance score in other Cloud Compliance products.
Try For Free!
Try ARGOS for free for seven days, no credit card required, we do not trick you into annoying sales workflows, it will only take you 20 minutes max to set everything up and see results.
https://app.argos-security.io/register
If you rather want to have a chat to us, contact us at contactus@argos-security.io .