Meet the new CloudGuard: Risk Management in Action

A critical CVE or Common Vulnerability and Exposure is identified every day. Security teams need to plan the measures (mitigation strategies) taken to reduce the harmful effects of a CVE, to ensure that the applications they are managing remain secure while business availability is not affected, and developers can continue with their day-to-day activities.

Check Point CloudGuard transforms the workflow of the security team by transitioning a frustrating, time-consuming situation into an easily managed and well-triaged list of high-priority assets based on the context of the specific cloud environment. Then, patching efforts can be executed gradually, offering both higher business value and stronger cloud security.

In this blog post we will touch on the nature of common vulnerabilities and how to handle them. We will examine how to implement a successful remediation strategy and explain how contextual data and risk management can help organizations manage vulnerabilities effectively.

Understanding common vulnerabilities and how to handle them

CVE is a system for identifying, assigning, and tracking vulnerabilities in software systems. The CVE system provides a standardized way to reference and uniquely identify vulnerabilities and exposures, making it easier to share data across different cybersecurity databases and tools.

According to a report by Statista, in 2022 alone, over 25,000 new CVEs were discovered by internet users worldwide – the highest reported annual figure to date. From January to April 2023, this number reached 7,489 – averaging out to 62 critical vulnerabilities per day.

When a new vulnerability is discovered relevant details about the vulnerability are recorded in the CVE database. This information is then used by security teams to ensure a collective understanding of the security issues and to take appropriate measures to address or mitigate the vulnerabilities.

To better understand the process of handling a CVE, let us look at standard CVE-2023-46127 which affects a widely used full-stack web app that was found vulnerable to HTML injections.

Let’s look at the example above as it would be initially analyzed by SecOps:

• Description of the vulnerability – the CVE description allows SecOps team to identify the vulnerable resource. In our example, the vulnerability is caused when Frappe uses Python & MariaDB.
• Description of the potential exploitation – the CVE description gives the SecOps team information about exploitation methods. In our case, the vulnerability allows HTML Injection by creating HTML files which contain malicious payloads.
• Description of the remediation action – the CVE description provides the SecOps teams with available remediation actions. In this case, they will need to patch Frappe and upgrade it to version 14.49.0

Theoretically the SecOps team will just need to identify all instances of Frappe across their cloud application and upgrade them to the requested version (14.49.0 and above). However, they might have thousands of instances that need to be patched. Furthermore, patching a component is not a straightforward process, it requires many development resources and often entails dependency compatibility, adjusting configurations, or handling additional unexpected issues. Let’s learn how organizations do it in practice.

How to Implement a Successful Remediation Strategy

Having a critical vulnerability within your environment makes cloud application an easy target for attackers. Organizations need to formulate mitigation strategy starting at the time the vulnerability is discovered and continue until the security team is confident that the environment is no longer at risk.

When formulating a mitigation strategy, organizations can move from approaches centered on closing the vulnerability window (exposure time) as soon as possible to strategies aimed at minimizing the business impact of the fix on the development team.

In strategies that centered on closing the exposure time as soon as possible, organization do first and analyze later. They use all their resources to contain the issue as quickly as possible. However, this approach is not always the best course of action, because it can involve inconsistent service availability and wasted investment on resources on unnecessary fixes. This approach is quick but can consume substantial business resources.

On the other hand, a mitigation strategy that focus on minimizing the business impact starts with a deep analysis of the vulnerability and its risks. The security team analyzes the root cause of the security problem and the potential paths to exploit the vulnerability. Then, it builds a remediation plan and provides it to the development team. This approach minimizes the development efforts, but slow and might lead to long exposure time (vulnerability window).

4 Steps Vulnerability Migration Strategy: Response-Investigation-Implementation-Resolution

A structured way to combine between these two approaches, achieving both short vulnerability window and low impact on the business, is to follow a mitigation process with the following 4 steps:

In the first step the security team reduces exposure by patching the most critical risks, followed by a second step in which the security team analyzes the high risks to provide a wider remediation with lower development effort. In the third step, R&D gets the remediation projects and implements them. In the final step the security team confirms that the patching process is successful, resolved the issue, and security operations goes back to normal.

Executing Vulnerability Mitigation Strategy with CloudGuard

CloudGuard helps security teams to operationalize vulnerability mitigation strategies by periodizing CVEs based on their cloud context, offering a remediation guideline for security risks, and drilling-down to investigate specific security issues. Let’s examine how CloudGuard assists organizations in executing the four steps vulnerability mitigation strategy:

Step 1: Response

CloudGuard helps security teams with identifying and patching the critical vulnerable assets. It calculates a comprehensive risk score for each vulnerable asset taking into accounts factors such as related misconfigurations, public exposure, excessive permissions, sensitive data, and the asset’s business importance. This method of prioritization prioritizes critical vulnerable assets that need to be assigned to the development team immediately. This allows the security team to effectively manage the CVE risks: reducing the exposure time while assigning the development team to only the most critical risks.

Step 2: Investigation

Once the security team remediated the vulnerable assets with critical risks, they left with high ones. Usually, there are many of them and the team needs to investigate and prepare them for patching. CloudGuard helps the security team to investigate the vulnerable assets and group them into remediation projects. For example, the team can decide that they fix first asset with high business priority, then assets with sensitive data and finally assets that are publicly exposed. CloudGuard also allows the team to drill-down to investigate some of the risks more deeply understanding the root-cause of the risks.

Reduce time to remediation by quickly addressing high priority risks and reducing the attack surface, acting on remediation paths based on the minimal effective dose.

CloudGuard provides a complete perspective across the entire cloud environment to gain a deep understanding of threats most risky to your business.

Step 3: Implementation

The security team extracts the prioritization & remediation guidelines from CloudGuard and then assign it the development teams. The process can be done automatically through CloudGuard integration with ticketing systems such as ServiceNow or Jira. The development gets the information about the assets that need to be remediated and also remediation suggestions and then execute the remediation process.

Step 4: Resolution

CloudGuard continuously monitors the cloud environment and once the remediation plan is fully applied the Security team can track CloudGuard dashboards and confirm that the environment is no longer at risk from the new vulnerability.

Conclusions

Critical CVEs are identified every day, organizations must prepare a mitigation strategy that will help them manage the vulnerability remediation process to both shorten the exposure time and minimize the impact on the business activities. CloudGuard helps organizations to execute mitigation strategy effectively by helping the team to prioritize risk, investigate them, and create a remediation plan. Businesses that use CloudGuard can achieve both remediating new CVEs while running their business effectively.

Getting Ready for Action

Learn more about our unique cloud security in action approach and how you can build a winning cloud strategy together with Check Point CloudGuard by contacting your Check Point account team or scheduling a demo.