How Microsoft and Sonrai integrate to eliminate attack paths
Credit to Author: Eugene Tcheby and Tally Shea| Date: Tue, 13 Jun 2023 16:00:00 +0000
Cloud development challenges conventional thinking about risk. A “perimeter” was always the abstraction that security teams could start from—defining their perimeter and exposing the cracks in firewalls and network access. With more and more infrastructure represented as ephemeral code, protecting your perimeter is no longer a matter of software vulnerabilities and network checks. It’s a complex web of interconnected risks that can exacerbate network gaps or workload vulnerabilities.
When it comes to remediating risks, context is always king, and siloed pillars of cloud security—identity, data, platform, and workloads—kill context. Protecting a broad Microsoft Azure footprint means having a deep understanding of how these risks can combine to create unintended access to your company’s sensitive data, and then prioritizing threats based on potential business impact. This means understanding identity, workload, platform configuration, and data security through a single pane of glass providing visibility across the entire digital estate.
Sonrai integrates with Microsoft Sentinel and Microsoft Defender for Cloud to uncover and remediate sophisticated threats in a timely manner.
Microsoft released Defender for Cloud to protect across hybrid and multicloud environments. Sonrai works with Defender for Cloud’s infrastructure and operational controls for powerful event logging to ingest all information and bring context into one place. Sonrai’s patented analytics evaluate how identity and data risks compound with platform and workload risks to create access to sensitive data within Azure.
To help Azure customers understand the true blast radius of every vulnerability, Sonrai integrates with Microsoft Sentinel to monitor threats across vectors and automate responses by leveraging security orchestration, automation, and response (SOAR) playbooks, and Defender for Cloud to provide visibility across the entire digital estate by identifying possible attack paths and remediating vulnerabilities.
Backed by these insights, an organization can successfully operationalize a risk remediation practice. They are additionally able to enable DevOps and security teams to fully harness the digital transformation and time-to-delivery benefits that Azure can power, without worrying about sacrificing speed for security.
Identity as perimeter, data as prioritizer
A consistent research finding is that most cloud data breaches involve a compromised identity—one study cites 81 percent of breaches1 involve exploiting an overprivileged identity, while another claims that 74 percent of breaches2 surveyed started with privileged credential abuse. It’s clear that the way we use identity now in the cloud—as a de facto “perimeter” and locus of privileges and access—makes it imperative to put identity at the center of any enterprise security strategy.
The behavior and management of non-people identities (think: service principles) are conceptually much different than when we managed a list of users from Microsoft Azure Active Directory. The main reason? The majority of identities in a given cloud represent services, devices, and applications—not employees. For example, your cloud may have many identities representing Azure Serverless compute, which may only exist for a few minutes a day, rely on assuming access from a role, and being capable of cross-organization access. The privileges associated with this identity might be in a policy several degrees of separation away through a nested group. Using managed identities and, ideally, the enforcement of the Principle of Least Privilege, is a good place to start. The harder part is the hidden relationships that don’t show in a traditional identity management tool.
Especially as DevOps gets more sophisticated with infrastructure as code (IaC) provisioning, these complex relationships become commonplace. Templatized infrastructure means further nested rights and inheritances through complex relationships.
Continuous monitoring and analytics of identity trust chains become imperative for understanding what privileges any identity truly has. The most important thing is: How do these identities tie back to sensitive data?
Data is the pot of gold at the end of an attacker’s rainbow. In the cloud, identity is the stepping stone attackers can leverage to move laterally and find ways to your data. Exposed data and overprivileged identities are red flags organizations need to look for when considering vulnerabilities and posture misconfigurations. Sonrai Security’s Workload Protection Platform refers to these red flags as “Risk Amplifiers.” In the next section, we’ll address why understanding how threats tie back to identity and data risks matter.
Vulnerabilities: Which are relevant?
Cloud development has changed how we look at vulnerabilities. Distributed, rapid, and open source-fueled continuous integration and continuous delivery (CI/CD) pipelines can introduce more vulnerabilities to staging and production environments, lending enterprises to deal with thousands of common vulnerabilities and exposures (CVEs) regularly. If cloud innovation continues at such a rapid pace, and developers leverage public libraries and prioritize speed over security, CVEs will proliferate. The question is: which ones should we care about first?
Traditionally, information about the vulnerability itself would determine its priority for patching. A common vulnerability scoring system score, its age, and known exploits would give you a picture of how likely it was to lead to a breach. But this tells only half the story: the context of the workload that vulnerability is on tells you what the potential blast radius could be, and therefore gives you the true potential impact on the business.
A vulnerability on a deadened workload shouldn’t be prioritized before one with a Service Principal on it that can self-escalate privileges and access sensitive data. This prioritization is critical, otherwise, your security operations center (SOC) team might be chasing alerts that would never impact the business, but meet the traditional definition of a risk. Fixing it will close a ticket, but “tickets closed” is a poor stand-in for real risk reduction.
Connecting the dots: Analyzing an Azure attack path
Let’s piece this story together by examining an example of a typical path that a bad actor might take to access data.
We’ll start with a vulnerability, let’s say one from Microsoft Defender for Cloud’s agentless vulnerability scanner in Microsoft Defender Cloud Security Posture Management.
Figure 1. Sonrai platform displaying a vulnerability with risk amplifiers including network and identity risks.
There are a few things to review examining Figure 1. First, Sonrai has detected multiple network-related risk amplifiers, showing a path into the environment from an exposed Azure Virtual Machine open to the internet.
This basic risk aggregation is critical to have network issues detected and remediated through Defender Cloud Security Posture Management (or through Sonrai). You can see a visualization of the “Azure Port 22 Host with Ingress from Internet” in Figure 2.
Figure 2. Sonrai platform permission chain showing how a machine identity connects to a network misconfiguration.
Next, this alert is rated with critical severity, but it’s on a sandbox account. Normally, a vulnerability in a sandbox environment without sensitive data wouldn’t trigger critical severity, so there must be something deeper. Looking further at Figure 1, there’s an “additionally impacted swimlane” (Sonrai’s grouping mechanism for cloud environments) named “creditapp-production.” Now, looking at the identity-related risk amplifiers from Figure 1, we see there are several sources for this.
One of the identity amplifiers listed is “Compute has access to sensitive data in Azure.” How is it possible that Compute in a sandbox account ends up accessing Production data? Let’s examine Figure 3. There are multiple complex potential routes that could be leading this Compute to sensitive data. Once the Compute is attached to the user, or service principle, it has access to several nested groups and policies. To learn exactly where Sonrai finds data access, let’s go a step further.
Figure 3. Sonrai platform complex permission chaining, revealing how a machine identity holds covert privileges.
By examining the piece of Compute in the Sonrai Security Platform “Node” view, the platform tells us exactly the subscriptions the Compute has access to, among them being “creditapp-production”—what we’re concerned with currently. Within prod, we can see in Figure 4, all the data accessible to the Compute and what actions it can take.
Figure 4. Sonrai platform data node view displaying every asset a particular identity can access.
Finally, we see in Figure 5 an exact path of how the Compute ended up accessing production data. You can consider this an Azure attack path waiting to be exploited.
Figure 5. Sonrai platform permission chain revealing how compute access data through nested groups and policies.
Ultimately, we have a typical vulnerability on our hands, but what’s impactful is knowing how both an identity and platform misconfiguration severely exacerbate the severity of this vulnerability and created an exploitable attack path.
This is useful when you consider the scale of vulnerabilities and security tickets your typical environment is experiencing. It begs the question of how security and cloud ops teams can keep up with remediating them all. When you can understand each security threat’s risk amplifiers and how they tie back to platform, identity, and data risks, your team can chip away at the highest priority threats based on potential business impact.
Microsoft and Sonrai Security make cloud security better together.
About Sonrai Security
Sonrai offers a total public cloud security solution for Microsoft Azure. Sonrai has been a MISA member since 2021 and works with Microsoft Defender for Cloud, Advanced Data Security, Microsoft Sentinel, Azure Active Directory, and many other Azure Services.
The Sonrai Security Platform is available on the Azure Marketplace and offers a Shared Responsibility Model with Azure.
Sonrai Security has offices in New York and New Brunswick, Canada and is backed by ISTARI, Menlo Ventures, Polaris Partners, and TenEleven Ventures. For more information, visit their website.
Learn more
Learn more about Microsoft Sentinel and Microsoft Defender for Cloud.
To learn more about the Microsoft Intelligent Security Association (MISA), visit the website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.
1IBM’s 2018 Data Breach Study Shows Why We’re In A Zero Trust World Now, Louis Columbus. July 27, 2018.
274% Of Data Breaches Start With Privileged Credential Abuse, Louis Columbus. February 26, 2019.
The post How Microsoft and Sonrai integrate to eliminate attack paths appeared first on Microsoft Security Blog.