See a 10-minute overview of the platform.

Search
Search

Share

Change for the sake of change

Change for the Sake of Change: Dealing with Dynamic AWS Hosts

“The only constant is change itself.”  Who would have thought words from two and a half millennia ago could ring so true in the world of cyber security and cloud computing in 2024?

Well, here we are, creating and inventing at an astronomical pace, and making sure we do so securely.  I’m afraid not.  A few of us thought “secure by design” was going to lead us to a new job, and move to another industry, but alas, we are busier than ever, and it is not relenting.

 

Change is All Around

The pace and, more importantly, “frequency” of change are now the new normal. Whether it is daily or hourly code pushes, virtual image refreshes, patching updates, or dynamic cloud asset refreshes, we are living with systems that are constantly moving and changing.

As both of these parameters increase across cloud environments, our need for the aforementioned creating and inventing becomes greater and greater. Yet our need for continuous visibility and monitoring and “proactive everything” has never been more necessary. Threats and vulnerabilities, or “exposures,” are out of control, and there is a never-ending production line of bad actors scooping up the free chips.

We were always told, “It is recommended you conduct a pen test following any significant change to your infrastructure.” So that’s daily, then!

In 2022, we were reliably informed by mega analysts Gartner that threat and vulnerability management programs are no longer working, they are failing drastically (I suppose the numbers of unfixed vulnerabilities lying around speak for themselves), and that they are no longer enough. We must “broaden the net” by implementing a CTEM approach, and take in greater scope and discovery, and then consequently “narrow the net” through prioritization and validation, before finally mobilizing the troops. All of which sounds very much like what we have been doing here at Edgescan for a while now.  But anyway… more change.

 

The Dynamic Cloud

With the continued adoption of more and more cloud services, the Edgescan team has been busy, beavering away to make AWS users’ lives a little easier. They are solving a significant problem that can be quite a pain, particularly when the audit and compliance police are knocking on your door looking for asset inventory reports and historical vulnerability reports from said dynamic cloud assets.

Many enterprises are benefitting wholesomely from the dynamic nature of cloud environments. While they are rightly utilizing best practices to manage and optimize their cloud assets, this does not always present as an ideal state for a third-party vendor or security partner to offer real value and insight from their solutions. The default status for security partners was as if they were looking from the outside in, preventing their ability to deliver the exact services and value they claim to provide.

Part of the Edgescan Platform today provides customers with the ability to see and monitor their external attack surface through an integrated ASM product. This gives the requisite “visibility and monitoring of change” on the external or perimeter of the enterprise, with API Discovery, Host Discovery, Domain Investigation, and custom alerting. This integrates beautifully with our risk-based vulnerability management offering across both the host layer and layer 7, for the kind of coverage those Gartner folks were speaking about three paragraphs ago.

When you move from external to internal or “private” IP space in the cloud, things tend to get a little trickier. This is why we have created the ability to tag AWS internal host infrastructure within the Edgescan Platform.

 

AWS Internal Host Infrastructure Tagging

AWS cloud tagging is an effective way to manage your cloud resources and gain best-practice insight into cloud operations and security. Due to the dynamic nature of cloud infrastructure, many AWS users rely on tags to identify their EC2 instances. Edgescan leverages this technology to utilize these tags instead of IP addresses as scan targets, enabling us to not only track vulnerabilities across multiple scans, but also provide a more descriptive approach for our user base.

What is This? Edgescan AWS tagging for internal AWS host infrastructure.

How does it work? We use a custom DNS server that automatically updates DNS records based on the tags on your EC2 instances in order allowing scanners to target them.

Who can use it? Any Edgescan customer who uses AWS internal host infrastructure.

What Problem does it solve? Dynamic cloud IP addresses are impossible to track using manual means. Continuity of historical data and consistent reporting from these cloud assets has always been a problem. Edgescan AWS tagging now resolves the problem of tracking and reporting on dynamic or ephemeral IP addresses in the AWS cloud.

 

Closing Remarks

In closing, it still looks like we are not that good at dealing with all this change, from a systematic cyber security perspective. We are undoubtedly coming up with solutions after the problems have been created. Will this ever change? Probably not. Do we want it to change? Probably not.