Securing Your Public Cloud Deployments with Qualys

Captions
Good day everyone, and thank you for joining this breakout session. I am Shawn Nicholson, Security Solution Architect, and today we're going to be talking about how Qualys can help you secure your multi-cloud deployments. To be successful in securing your multi-cloud deployments, you're going to need unified visibility across your cloud assets, you're going to need automation of assessments, you're going to need a unified vulnerability knowledge base, and finally you're going to need integrations that provide those assessment findings into the tool sets your teams are using.

I want to start by summarizing some of the common customer environments and architectures that we see and the associated problems that we can help solve. This is the hybrid multi-cloud environment. For many of you, you have to account for on-premise resources as well as mobile workstations and mobile workforce devices. We also have to account for multiple cloud assets. For this talk we're going to focus primarily on those cloud assets and how we can address securing them. Cloud assets deploy in a variety of ways, from auto-scaling environments that deploy based on pre-configured launch templates, to infrastructure-as-code deployments that destroy and recreate entire infrastructures each time they're deployed. We also have to account for workloads being deployed from golden images on a per-day, per-task basis. These environments, while providing flexibility and reduced time frames for deploying assets, also dramatically increase complexity. Because of this, we need unified solutions to have a successful vulnerability and compliance program.

Here's a typical customer environment that is in the middle of an on-premise data center migration into AWS. On the right, due to a recent M&A, they also now have to account for GCP resources. On the left we have resources deployed across multiple accounts in various regions around the world. On the right we have a cloud-native microservices deployment that is utilizing containers running on GKE. To secure the GCP environment we have to consider securing the entire life cycle of the containers; this will be covered in Alex Mandernach's talk on the need to shift left and how Qualys can help you secure your container pipelines. For our talk today we'll focus more on the environment on the left.

So the problem is, once we have a multi-cloud deployment, we have various tools in those environments that in turn account for visibility, compliance and management. We need to unify those across a single platform with a single set of assessment criteria. Having this unified vulnerability knowledge base allows us to assess all of the assets on the same scale. We also have to account for providing this information into the tools that our teams use. To do this we need flexibility in how we collect security telemetry. The Qualys platform today has a variety of sensors that can be used to collect data from various resources, whether that's our virtual scanner appliances running inside the cloud environments, or our cloud agents being deployed on the actual workloads. We also have cloud connectors that interface with the cloud API and pull back inventory and compliance or configuration assessment data. Additionally, we have a container sensor that can deploy into the container runtimes and perform vulnerability assessments of both images and containers, as well as collect inventory across a diverse environment. And finally we have our API. The API allows you to integrate these assessment findings and push them into the tool sets that your teams are using.

The goal of today's demo will be to show you how to automate connectors to gain visibility across the environments. We'll also look at how we can automate the deployment of the cloud agents, and finally we can empower our teams by providing the assessment findings into the tools that they are using. From a visibility standpoint we're going to cover connectors for Azure, AWS and GCP. For agent deployment we're going to cover a cloud-native solution for deploying your agents into Azure and GCP, utilizing Azure Security Center and the GCP Marketplace. And then finally we'll provide unified visibility by feeding the Qualys assessments back into the cloud provider security platforms, such as Azure Security Center, AWS Security Hub and Google's Cloud Security Command Center. Now give me just a moment while we switch over to the demo.

All right, let's go ahead and get started. Here I've logged into my CloudView application. We're going to start off by creating a connector for AWS, so I'll come in here to Configuration and I'm going to click on Create Connector. From there I'm going to name it; for this one we're just going to call it qsc 2020. We're going to select our account type. For this it's going to be Global, but we do support GovCloud as well as the China region. The next thing to configure would be the polling frequency. Here you can set this between 1 hour and 24 hours, depending on how you want to query for assets in your environment. At this screen we'll be provided the Qualys account ID as well as an external ID.

So now, after copying this, I'm going to jump over into my AWS account. I'm going to go into IAM. Here's where I'm going to provision the role that I need for this connector to be able to query the AWS API. So I'm going to click on Create Role, and then I'm going to say add an AWS account, because this is a cross-account role and trust. I'm going to paste in the value that I had copied from the previous screen, and then I'm going to require an external ID. Back to the Qualys platform, I will copy this external ID here. This is uniquely generated per customer, per connector; this is there to prevent the confused deputy problem. So back to the role here, I'm going to paste in my external ID and I'm going to click Next for permissions. In here we're going to attach the SecurityAudit policy. This will give the connector the ability to query the AWS API using read-only credentials in order to pull back inventory about the assets.

So next I'm going to click on Add Tags. Here you would adhere to your organization's tagging requirements for the creation of resources in AWS. For this demo I'm just going to add a Name tag here and say qsc 2020. Now I'm going to click Next for review, and at this point I'm going to name it, so I'm going to call this one the Qualys connector 2020. Same thing for the role description here: Qualys connector for AWS. Correct my typo there, and finally I'm going to say Create Role. At this point I'm going to grab that role ARN, so I'm going to search for qualys here; I have my Qualys connector 2020. I'm going to copy the ARN, and back over here in the Qualys subscription I'm going to paste that in. Now if you wanted to enable remediation, here's where you would do it: you would check this box here, but you'd have to also make sure that you've assigned the proper write permissions for this role to be able to make those changes. I'm also going to say create the connector in AssetView here, and I'm going to say Test Connector. This will verify that everything that we've done so far works properly. We're able to query the AWS API and we've returned a list of the available regions. Now I'm going to say Create Connector. Excellent, so that is in a processing state.

So we're going to move on to creating the Microsoft Azure connector. The Microsoft Azure connector uses a web app, an application ID, in order to query the Azure Service Management API. So we're going to call this one qsc 2020 azure. Now we need a couple pieces of information here: we need the application ID, we need the directory ID, as well as an authentication key and a subscription ID. So I'm going to go ahead and hop over to my Azure account to create that. In here I'm going to go into Azure Active Directory, then from there I'm going to go down to App Registrations. I'm going to say create a new registration; for this example I'm going to call this one, of course, qsc2 azure, and I'm going to say this can work for any tenant that we have. Now this bottom piece here is optional; this is if you wanted to specify a URL that this was good for. So I'm going to go ahead and click Register on that.

Now in here I need to make sure that we have assigned the appropriate API permissions. So I'm going to come in here and I'm going to say Add Permission, and here's where I want to add the Azure Service Management API. This will allow me to query for all of the infrastructure in Azure and pull that back using read-only permissions. Okay, so now that we've added that, we're going to create a secret. Down here under Client Secrets I'm going to say create a new secret; I'm going to call this qsc key. Now I can specify one year, two years, never; this will be dependent on your organization's security standards. For this example I'll leave it at one year. Now I'm going to copy this value, because once you leave this screen this will no longer be visible, and we'll place this over in a WordPad or Notepad for use in a few minutes.

All right, so we've created our secret, we've added our API permissions. Now the next thing we need to do is take this and copy the application ID, so we're going to go ahead and copy that as well. I'm going to need the directory ID, so I'm going to copy that, and we copied the key already. Now the last thing we need is the subscription ID. Before we copy that, we're going to need to make sure we assign the permissions for qsc 2020 to the subscription that we're going to query. So we're going to copy that and we're going to go to Subscriptions. All right, we have our Qualys Solution Architect subscription here; go ahead and click into that, and here we're going to go over to IAM. We're going to click on Add Role, we're going to say Add Role Assignment. We're going to select the Reader role and then we're going to add qsc, so qsc azure 2020, and now we've added that role with Reader permissions to this subscription.

Now back here in the Qualys subscription we're going to paste in that information. Oh, I went a little too fast there; we'll grab the subscription ID. Now back in the Qualys subscription we'll paste in our subscription ID, and now we're going to paste in those other values that we copied out. So I have my application ID, I need to grab my directory ID, and finally the authentication key. Again, we're going to set the polling frequency to 4 hours. We're specifying Global here; we also support GovCloud for these. And we're going to say enable remediation as well, and we're going to say Test Connector. Here again, this was successful and this is ready to go. So we're going to hit Close on that, and we're going to hit Create Connector, and that is processing. All right, now we're going to go check on that AWS one. That one's already done; it's pulled back 431 assets. The Azure one is running.

Now we're going to move on to the Google Cloud Platform. We're going to create the connector here as well, and we're going to call this one qsc 2020, and I'm going to call this gcp. So now we're going to go over to our GCP platform. Okay, we'll go into our console on GCP. Now we need to go to IAM, because we need to create a service account to allow access for this connector to pull back information. So we're going to say Create Service Account. We're going to select a different subscription here, and we're going to say Create Service Account, and we're going to call this qsc 2020 gcp, and now we're going to create. So at this point we need to add a role. We're going to need Viewer for the project, and then we're also going to need a security role, so we're going to need Security Reviewer. Security Reviewer, and we're going to click Continue and we're going to click Done. Now let's go ahead and find that: we'll click on Name and we'll say qsc, and we're going to grab that qsc gcp one that we just set up here. Now we're going to add a key. This is where we're going to get the JSON file that we're going to use, so we're going to say Create New Key and we're going to download that JSON file. Excellent.

So now back to our console here, we have our GCP connector named, we set our polling frequency, and now we're going to go ahead and paste in that key, or drop in that key, and we're going to say Test Connector. Excellent, that was successful, so now we can go ahead and create that connector. Okay, that is processing there. Let's just double-check over here on Azure; Azure's done as well. We'll let that finish here for a few minutes.

Let's go ahead and dive into the resource monitor here. So Resources is going to show us a listing of all of the infrastructure that we're pulling in via these connectors: showing us all of our instances, our VPCs, our RDS instances, as well as things associated with the VPC, so subnets, security groups, route tables, things like that. I'm going to show you a couple pieces of information here that you might find valuable. Inside our instances here we can say, all right, I want to filter this for instance state running, and I'm going to go ahead and filter those. So right now I've said, okay, I don't care if something's stopped or terminated, I want to focus on what is running. And then from there I want to see what has an inbound security group of public, so show me everything that has a security group that is allowing public ingress. So very quickly I can filter this list down: show me everything that's running, show me everything that has public ingress, and what this does is help me prioritize what vulnerabilities I need to address in my environment. You can see here in this list I have 59 instances that are listed with having a public IP, 71 of those are without agents, and I have six with vulnerabilities. So I'm going to add some vulnerability context here. I'm going to say, now show me anything with a vulnerability severity of five, and there we go: we have an instance in a running state that has a public security group, or a security group allowing public ingress, which also has a severity five.

Okay, from this point we're going to dive into looking at how to automate the deployments of cloud agents in your environments, and then we'll follow that up with an integration feeding these vulnerability findings back into the cloud service providers. So let me switch over to another account. Okay, so the next piece we need to do to set up these Azure Security Center integrations is we need to go to Cloud Agent, and we need to get the key that we'll need for that integration. So I'm going to go in here to Activation Keys, New Key. I'm going to call this one qsc2020 demo. I'm going to activate all of the modules for it, and I'm going to click Generate on that key. Now I'm going to go into that key, and then you'll see here Azure info. We're going to copy that information off and we're going to put that in our Azure solution.

So back here, let's go to Security Center and we're going to go under Recommendations. Under Recommendations you will see Remediate Vulnerabilities, and then underneath there you'll see "Vulnerability assessment solution should be installed on your virtual machines". I'm going to go ahead and select that one there. I'm going to go down here, and here's a listing of the instances in this environment which are currently not associated with a solution and do not have a vulnerability assessment solution installed. So I'm going to select this first one here. Now one of the things here is you can multi-select, or you can just select a single instance for the subscription and then turn on auto-deploy, which is what we're going to do here. So we're going to click on Remediate, and then from here we're going to select "Configure a new third-party vulnerability scanner (bring your own license)", and here's where we're going to select Qualys and we're going to say Proceed. Now we're going to name this up here qsc 2020. We're going to select a resource group here; this is immaterial, it's required for the setup but it's not really used. Our location. And now we have our license code. So flipping back over here, we're going to copy our license code and we're going to paste that in, and then we're going to grab our public key, we're going to copy that and we're going to paste that in, and then we're going to set Auto Deploy to On, and we're going to say OK. Now that's all we have to do for this subscription.

Now of course there is an API option available for Azure that will allow you to automate the creation of these, but for right now we're just going through the UI applications here. So that's all we had to do, and what this will do is any of the instances within the subscription will automatically get a cloud agent, pre-configured to talk back to our Qualys subscription here, deployed to them. Now the other benefit of this is any of the cloud agents that are deployed via this Security Center integration will automatically have the findings reported within Security Center. So this will help you place with your teams the vulnerability assessment solution, utilizing one of the tools they're utilizing in their environment, which helps ease the delivery of those results.

Okay, back over here in our Qualys subscription, we're going to take this key, and the next thing we're going to set up is an auto-deploy for GCP. Similar to Azure, we have a capability via the GCP Marketplace to in turn go in and set up an auto-deploy of the Qualys cloud agents. So what I'm going to need out of here is my customer ID and my activation code. I'm going to copy those out and I'm going to place those over in a WordPad for use in just a few minutes. So we're going to close this out, and now we're going to go over to our GCP environment. Here in GCP I'm going to select my subscription here, and then I'm going to say I want to go to the Marketplace; select Marketplace, and from here I'm going to search for Qualys. So, Qualys Cloud Agent; here's my solution here. There's some prerequisite information listed here as well, and if you're not already signed up for Qualys this will direct you back over, but clicking that's going to take me to the setup page. Let's select that subscription.

Okay, so here I'm going to call this qsc 2020 qca integration. Now that customer ID and activation ID that we copied out, we're going to need to place that in here, so I'm going to grab that from my WordPad. Now from here I'm going to select my Qualys platform; so I was on US2, select that there. Now here's where you get to decide how this will be deployed: you can either choose to deploy based on a label that's applied to those instances, or you can choose to deploy based on a naming prefix. Now most customers that I work with have a standard naming convention for instances deployed in GCP, so that's what I'm going to select here, and, just for this one of course, I'm going to select "demo" again. So that's going to say any instance deployed in this environment that has demo as the first four letters of its name will get the Qualys agent automatically deployed. Now the other piece here is I have to specify where to deploy from. So I'm deploying to US2; I'm going to select the US storage bucket here for deploying those agents, and I'm going to say Deploy. And that's all we have to do. At this point any instance that comes up in this subscription that has the required naming convention match will in turn get that agent auto-deployed to it. And you'll see here that three packages were made available to support this: we have one supporting Windows and we have one each for the versions of Linux that we support, whether they be RPM (RHEL-based) or Debian-based.

All right, we have one last piece to go over here, and that's going to be the integration with AWS Security Hub. I already have this configured; I figured you didn't want to see me run a bunch of curl commands, but I'll get into that in just a moment. So give me just a moment to swap over to the subscription where that's configured. Okay, so here we are in the AWS Management Console, and I'm going to show you what it looks like to have Qualys vulnerability assessment findings directly feed into AWS Security Hub. So I'm going to select Security Hub here as my application, and then inside Security Hub I'm going to go into Insights, and from the Insights I'm going to select Qualys. You'll see here we have four pre-configured insights that are deployed automatically as a part of this integration. So I'm going to go in here: "AMIs with the highest number of Qualys vulnerabilities", and you'll see here in this environment, in this region, I have five different AMIs that are showing up. I have my instance breakdown over here on the right, so I have an instance here that has 73 critical vulnerabilities, and that is built off of this AMI here. So we're going to go ahead and grab this AMI and we're going to go back over to our Qualys subscription. In just a moment I want to click into this, and then we'll go back over here.

So let's go ahead and go into CloudView; we'll select that from the application picker here, and then in Resources we'll need to select Instance, and now I'm going to grab that instance image ID and I'm going to paste in my value here. So here we go, this matches up. I'm going to click into this here, and this is going to give me more information. For me, this is the security team utilizing their Qualys subscription to gather more information about the vulnerabilities that they're seeing in their environment. So here we see a summary of what's been found about this; we have the EC2 information, the metadata over here on the right. Let's go ahead and click into those vulnerabilities real quick. You'll see here that we're matching there. Now one of the things we're doing as a part of this integration is we're only sending over severity three, four and five, so we have 71 confirmed vulnerabilities and two potential sev 3s over here, which equates to that 73 number we saw for this AMI. So we can click into some of these and see, you know, what are the severity 5 vulnerabilities here, and we have a number of Windows updates that need to be installed on this, lots of missing patches here. And if you are utilizing our Patch Management solution you would be able to then deploy patches directly from this, but since we're talking about cloud instances here, we're probably going to want to go ahead and patch those AMIs. So we'll use this to create information to provide back to our teams so that they could go and in turn patch the same AMI and then redeploy this instance.

Now I want to highlight here the power of the Qualys platform. Via this one tool inside of CloudView, which is my gateway to my cloud assets, I'm able to glean lots of information about this instance, to help my teams understand what this instance is doing, what are the applications on it, how is it configured, and is this a risk in my environment. So as a part of the information that we collect here, I'm able to see the public IP as well as the private IP, what subnet it's on. I can see the associations for this, so I can see I have six other instances utilizing the same security group. So if I had multiple instances here with a common vulnerability I'd be able to easily assess what my exposure is on that, as well as providing the cloud tags for this. Now I'm going to look at the asset summary. This is going to say it's deployed in Mumbai; here's some of the tags that were either auto-generated by Qualys ITAM or were assigned based on your cloud asset search tagging engine rules. I can look at the system information and say here's the operating system, the hardware, what is the storage on this system, what processor is it utilizing, as well as the running services and the users that are configured on that. I can also look at the network information; again this is going to provide my MAC address that's being utilized, what is my default gateway. I can look at the installed software.

Now here's where again the power of the platform comes in, where we're overlaying additional information that we're able to gather with our sensors. So for this instance, this one having Cloud Agent on it, and we're using ITAM, or our Global IT Asset Management, which has the end-of-life or end-of-service information for some of either the hardware or software that we detect, we're able to easily see here we have end-of-service Chrome on this, which presents a significant security risk given the number of drive-bys, as well as potentially other exploits for different service types or different programs. So we'll come back to that in a minute; I'll show you how we can highlight that in AWS Security Hub to show their teams exactly what they need to do. Additionally, we're going to go down here to Vulnerabilities; we already went over that. We have access to our VMDR prioritization, where we'll be able to help you prioritize the vulnerabilities in your environment, as well as Patch Management: I can get a listing of all the patches that are missing on this system. I can look at EDR, so my endpoint detection and response, real-time indicators, things like that. And then finally, down here under Policy Compliance, I can get visibility into: is the system adhering to the benchmarks that are part of our requirements for our cloud assets? So very quickly I'm able to identify, are they adhering to the CIS benchmarks; I have a DISA policy on here, so do the STIGs apply, things like that. And then finally we can look at our agent summary here, which is going to show us the agent that's installed, when it last reported in, things like that.

All right, let's go ahead and hop over to Security Hub here and let's get some additional information about that. I'm going to want to look here by the title, and I want to see what am I seeing in Security Hub that would line up to the information that was provided as a part of Qualys, and I'm going to say starts with "google". So I reach out to my teams: you have a critical vulnerability on this system, you have end-of-service software, I need you to go and remediate that. Instead of them having to go and log into Qualys, or you sending them a report, you can say just go in and look in Security Hub for this asset ID. They can come in here, they can find it very quickly, and here's all the Google-related vulnerabilities for Google Chrome for that end-of-service software. So again, we're showing them exactly what they need to fix on their instances, in the tool sets that they're using to manage their environment.

All right, that'll do it for the demo. Give me a moment to swap back over to our presentation and close out. I really appreciate your time today, and thank you; I hope you all enjoyed the demo. Here you can clearly see that we are able to automate the creation of the connectors, providing a single platform to provide visibility of all of our assets across multiple cloud environments. We're able to perform assessments by automating the deployment of the cloud agents and assessing all of these resources using a common vulnerability knowledge base. And then finally we were able to feed those findings back into the security platforms of the cloud service providers, providing our teams the information at their fingertips that they need to resolve these vulnerabilities and make sure that they follow the compliance and security guidance of our organization. I want to take the time to thank you today for attending this breakout session. Please make sure you attend the other breakout sessions of my teammates, where Badri will be talking about container runtime protection using CRS, Santosh will be talking about reducing your multi-cloud attack surface utilizing CloudView, and Alex will be addressing the need to shift left. Thank you and have a great day.
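The cross-account role the speaker provisions for the AWS connector, as an added example that is not from the talk or from Qualys: it builds the trust policy such a role needs and audits an existing trust policy for the confused-deputy gap the talk describes (an outside account allowed to assume the role with no `sts:ExternalId` condition). The account IDs and external ID are constructed placeholders; the real vendor account ID and per-connector external ID come from the connector creation screen.

```python
"""Trust policy for a read-only cloud-connector role, plus a confused-deputy audit.

Added example, not code from the talk or from Qualys. Account ids and the
external id below are constructed placeholders; the real vendor account id and
the per-connector external id come from the connector creation screen.
"""
import json

VENDOR_ACCOUNT_ID = "111111111111"      # placeholder for the vendor account shown in the UI
EXTERNAL_ID = "example-external-id"     # placeholder, unique per customer per connector
SECURITY_AUDIT_POLICY_ARN = "arn:aws:iam::aws:policy/SecurityAudit"  # read-only managed policy


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy for a cross-account role that requires an external id.

    The sts:ExternalId condition is what prevents the confused deputy problem:
    the vendor can only assume this role when it presents the id you gave it.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _account_of(principal: str) -> str:
    """Extract the account id from an AWS principal (ARN, bare id, or '*')."""
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 4 else principal


def audit_trust_policy(policy: dict, own_account_id: str) -> list:
    """Return (statement index, principal, message) for each statement that lets
    a principal outside own_account_id assume the role with no sts:ExternalId."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        for p in aws_principals:
            if _account_of(p) == own_account_id:
                continue  # roles in your own account do not need an external id
            if not external_id:
                findings.append((idx, p, "cross-account AssumeRole without sts:ExternalId"))
    return findings


# Constructed example of a weak trust policy: anyone may assume the role, no external id.
WEAK_POLICY_EXAMPLE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}


def example_findings(own_account_id: str = "222222222222") -> list:
    """Audit the constructed weak policy; returns one finding for the '*' principal."""
    return audit_trust_policy(WEAK_POLICY_EXAMPLE, own_account_id)


if __name__ == "__main__":
    # JSON suitable for: aws iam create-role --assume-role-policy-document file://trust.json
    print(json.dumps(build_trust_policy(VENDOR_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print("Attach:", SECURITY_AUDIT_POLICY_ARN)
    for finding in example_findings():
        print("finding:", finding)
```

The audit function can be pointed at the `AssumeRolePolicyDocument` of every role in an account to confirm that each third-party trust, not just the connector's, carries an external ID.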
Info
Channel: Qualys, Inc.
Id: sZPFGmPosdg
Length: 32min 20sec (1940 seconds)
Published: Fri Feb 12 2021