Business Challenge 

This customer provides consumer financing solutions for automobile dealerships, servicing a wide range of borrower types. They are recognized throughout their industry for their innovative lending programs. Utilizing artificial intelligence, they look beyond a borrower’s credit score, factoring in additional external criteria to uncover financing solutions. This approach allows dealers to offer competitive financing on new and used vehicles to customers who might otherwise qualify only for high-down-payment loans.

Crucial to the success of their business, they needed a sophisticated security solution that could detect and prevent threats across their complex multi-cloud resources. Furthermore, they needed a consistent solution to protect applications in an ever-changing environment. In addition, their diverse architecture restricted visibility, raising the risk of blind spots in their security and creating numerous protection challenges.

Adding to these challenges, the customer had recently undergone a change in leadership, and the new team discovered a lack of visibility into their current capabilities and infrastructure. This prompted them to begin sourcing a comprehensive cloud security Managed Service that supported all their requirements while enabling them to continue innovating.

Solution 

Lightstream met with this customer’s leadership to help them gain visibility into the current state of their ecosystem and guide them through the different security offerings available to them within Lightstream Cloud Defense, our 24x7 Cloud Security Managed Services offering portfolio.

Lightstream’s Cloud Defense leverages CSPM (Cloud Security Posture Management), CWP (Cloud Workload Protection), CIEM (Cloud Identity Enablement Management), WAAS (Web Application and API Security), Network and Code Security in a 24x7 Security Managed Services offering. Lightstream utilizes Palo Alto Networks Prisma Cloud CNAPP (Cloud-Native Application Protection Platform) in concert with Lightstream’s purpose-built Security Platform for posture alignment, correlation, ticketing, and security remediation. These capabilities give this customer’s security team continued comprehensive visibility across its cloud infrastructure, as well as insight into new and existing assets and potential threats. Using Lightstream Cloud Defense, they gained unmatched risk clarity and operational insight.

The workloads deployed by this customer utilize a wide combination of cloud services and application architectures, running a complex environment susceptible to blind spots in security. To address this constantly changing environment, they required advanced Cloud Workload Protection customized for their advanced Kubernetes deployment, safeguarding their applications from unwanted activity and threats.

Lightstream worked with this customer to determine appropriate staff to receive various levels of vendor training during the engagement. During the implementation, processes and procedures were evaluated and updated. At the end of the engagement, Lightstream held a workshop to review the integration and updated processes and procedures with the customer.

Solution Details 

Customizations

Lambda for Security

Lightstream incorporates Zero-Trust Postures into every security engagement via the definition of protect surfaces for all AWS workloads regardless of deployment (Native Kubernetes, EKS, Instance, RDS). To facilitate this capability, Lightstream relies on Lambda to query all VPCs, Subnets, Security Groups and Network Firewalls within the customer’s AWS account(s), sending that data to the Lightstream Security Platform, where it is analyzed against the defined protect surfaces to ensure continuous alignment.

Examples:

  • This customer utilizes a 3-Tier Application Architecture (Web, App, DB) requiring isolation between each tier on a per-workload basis for both security and regulatory compliance requirements
    • Design
      • VPC – Single VPC Architecture
      • Subnets – Per Tier and Per Workload
      • Security Groups – Focused Access/Per Workload
        • Web – Access from WAF via TCP 443 and App Tier via TCP 443
        • App – Access from Web via TCP 443 and DB via TCP 5432
        • DB – Access from App via TCP 5432
      • Tagging – Per Workload Tags
    • Monitoring
      • Lambda checks executed every 300 seconds, sent via API to Lightstream Security Platform for verification
      • Secondary Lambda microservice for automated remediation of tagged Web, App, DB Tiers orchestrated by Lightstream SOAR
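As an added example (not Lightstream's code), this is the kind of posture check a Lambda like the one described could run over security group data: it compares each tagged tier's inbound rules with the 3-tier protect surface above. The input has the shape of boto3 `ec2.describe_security_groups()["SecurityGroups"]`; the group IDs, tags and source-to-tier mapping are constructed for the example.

```python
# Added example, not Lightstream's code. Input has the shape of boto3
# ec2.describe_security_groups()["SecurityGroups"]; the groups, tags and
# SOURCE_TIERS mapping are constructed for the example.

# Protect surface: tier -> allowed inbound (source tier, TCP port) pairs.
PROTECT_SURFACE = {
    "Web": {("WAF", 443), ("App", 443)},
    "App": {("Web", 443), ("DB", 5432)},
    "DB": {("App", 5432)},
}
# Which tier a referenced security group or CIDR represents (constructed).
SOURCE_TIERS = {"sg-web0001": "Web", "sg-app0001": "App",
                "sg-db0001": "DB", "10.9.0.0/16": "WAF"}

SAMPLE_GROUPS = [
    {"GroupId": "sg-web0001", "Tags": [{"Key": "Tier", "Value": "Web"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.9.0.0/16"}],
          "UserIdGroupPairs": [{"GroupId": "sg-app0001"}]}]},
    {"GroupId": "sg-db0001", "Tags": [{"Key": "Tier", "Value": "DB"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "UserIdGroupPairs": [{"GroupId": "sg-app0001"}]},
         # Drift: SSH opened to the world on a DB-tier group.
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

def find_violations(groups):
    """Return (group id, tier, source, port) for each inbound rule that is
    not in the tier's protect surface. Untagged groups, unknown sources
    and non-TCP or all-protocol ("-1") rules are reported, not ignored."""
    violations = []
    for sg in groups:
        tier = {t["Key"]: t["Value"] for t in sg.get("Tags", [])}.get("Tier")
        allowed = PROTECT_SURFACE.get(tier, set())
        for perm in sg.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            ports = (range(perm["FromPort"], perm["ToPort"] + 1)
                     if proto != "-1" else ["any"])  # "-1" has no port range
            sources = ([p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
                       + [r["CidrIp"] for r in perm.get("IpRanges", [])])
            for src in sources:
                for port in ports:
                    ok = proto == "tcp" and (SOURCE_TIERS.get(src), port) in allowed
                    if not ok:
                        violations.append((sg["GroupId"], tier, src, port))
    return violations
```

In a real deployment the list would come from the EC2 API on the 300-second schedule and the violations would be posted to the ticketing platform rather than returned.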

VPC Flow Logs

VPC Flow Logs are utilized in all security engagements as a strategic data point for advanced correlation of traffic flows into a customer’s AWS environment.  Source/Destination IP and Port/Protocol information is forwarded to Lightstream’s multi-tenant Palo Alto Networks Prisma Cloud environment, where Lightstream leverages a set of pre-defined RQL queries created through over 10 years of experience analyzing flow logs along with custom RQL queries specialized to the customer’s environment. 

Examples:

  • RQL Query Types
    • Pre-Defined
      • Source/Destination IP not per Zero-Trust Posture Design
      • Port/Protocol not per Zero-Trust Posture Design
      • Outbound Internet Access not via NGFW
    • Custom
      • Source IP from known malicious IP Addresses
      • Source IP from very high-risk countries (North Korea, Russia, China, Confederation)
    • Monitoring
      • All queries are assigned a severity through custom rulesets defined by Lightstream in collaboration with the customer (Critical, High, Medium, Low) and are automatically ticketed in the Lightstream Security Portal and automatically remediated via the Lightstream SOAR if applicable
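An added example (not Lightstream's or Prisma Cloud's code) of the posture and known-bad-source checks the RQL query types above express, run offline over default-format (version 2) VPC Flow Log records. The tier subnets, the blocklist address and the records are constructed for the example; severities follow the Critical/High scheme described.

```python
# Added example, not Lightstream's or Prisma Cloud's code. Subnets, the
# blocklist and the flow log records below are constructed for the example.
from ipaddress import ip_address, ip_network

SUBNETS = {"Web": ip_network("10.0.1.0/24"), "App": ip_network("10.0.2.0/24"),
           "DB": ip_network("10.0.3.0/24"), "WAF": ip_network("10.9.0.0/16")}
# Zero-Trust posture: destination tier -> allowed (source tier, dst port).
POSTURE = {"Web": {("WAF", 443), ("App", 443)},
           "App": {("Web", 443), ("DB", 5432)}, "DB": {("App", 5432)}}
KNOWN_BAD = {ip_address("203.0.113.7")}  # constructed; TEST-NET-3 range

# Default v2 fields: version account-id interface-id srcaddr dstaddr srcport
# dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.9.4.20 10.0.1.10 51000 443 6 10 840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.10 51001 443 6 8 700 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.3.10 51002 5432 6 5 400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.10 40000 443 6 3 200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.5 10.0.3.10 40001 22 6 1 60 1700000000 1700000060 REJECT OK
"""

def tier_of(addr):
    """Map an address to its tier, or None if it is outside every tier."""
    return next((t for t, net in SUBNETS.items() if addr in net), None)

def analyse(flow_log):
    """Return (severity, reason, srcaddr, dstaddr, dstport) for every
    ACCEPTed flow into a protected tier that comes from a known bad
    address or is not per the posture design. REJECTed flows were
    already blocked and are skipped."""
    findings = []
    for line in flow_log.strip().splitlines():
        f = line.split()
        if f[0] != "2" or f[12] != "ACCEPT":
            continue
        src, dst, dport, proto = ip_address(f[3]), ip_address(f[4]), int(f[6]), f[7]
        dst_tier = tier_of(dst)
        if dst_tier is None:
            continue  # destination is not one of the protected tiers
        if src in KNOWN_BAD:
            findings.append(("Critical", "known malicious source", f[3], f[4], dport))
        elif proto != "6" or (tier_of(src), dport) not in POSTURE[dst_tier]:
            findings.append(("High", "not per posture design", f[3], f[4], dport))
    return findings
```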

Config and CloudTrail for Regulatory Compliance

Lightstream utilizes AWS Config and CloudTrail to ensure compliance for our customers with best-practice, governance and regulatory requirements. Config and CloudTrail data are analyzed by the Lightstream Palo Alto Networks Prisma Cloud multi-tenant environment as well as the Lightstream Security Platform, in real time for CloudTrail events and every 300 seconds for Config changes.

Examples:

  • Frameworks
    • Best-Practices
      • CIS v1.4
      • MITRE ATT&CK v10.0
    • Regulatory
      • FFIEC
      • PCI DSS v4.0
      • NYDFS
    • Monitoring
      • Frameworks are customized and assigned a severity level based upon their effect on the customer’s business. Compliance readouts are provided to the customer on a monthly basis during our security reviews, as well as 24x7 by our Cloud Defense managed services offering, wherein we triage the events and remediate as necessary and applicable.

Security Tools Used

  • Amazon CloudWatch
    • Ingestion of CloudWatch alarms into Palo Alto Networks Prisma Cloud and Lightstream Security Portal for correlation and response
  • AWS CloudTrail
    • Ingestion of CloudTrail logs into Palo Alto Networks Prisma Cloud and Lightstream Security Portal for correlation and response
  • AWS Config
    • Ingestion of Config changes into Palo Alto Networks Prisma Cloud and Lightstream Security Portal for correlation and response
    • Primarily used for Best-Practice, Risk Analysis and Compliance
  • AWS Identity and Access Management (IAM)
    • CIEM for IAM entitlement management
    • Config and CloudTrail analysis for anomaly detection
  • AWS Key Management Service (KMS)
    • All keys are stored in KMS for customer workload use and Lightstream use
  • AWS Lambda for security resources
    • Zero-Trust Posture correlation
    • Configuration remediation via Lightstream SOAR
  • AWS Single Sign-On
    • Active Directory integration for Single Sign-On access to all accounts
    • AWS Organizations
  • AWS VPC Flow Logs
    • Source/Destination IP Analysis
    • Port/Protocol Analysis

Architectural Diagram

Public Facing Architectural Doc