Business Challenge

A global company focused on automotive and industrial end-markets, working to build a better future, is accelerating change in megatrends such as vehicle electrification and safety, sustainable energy grids, industrial automation, and 5G and cloud infrastructure.

As this organization looked to the future, they knew that they needed a global cloud implementation strategy and security managed services partner that could evolve with them as they continued to grow. They initially contacted Palo Alto Networks because they needed a specific security tool; however, they realized that they did not have the expertise to design, implement, or manage the security of their AWS environment. Palo Alto Networks engaged Lightstream as the perfect solution for the organization’s needs because of Lightstream’s expertise in creating a robust security posture for companies through design, implementation, and managed services.

Like many companies, this customer was operating with a lean team after several recent developer, security, and infrastructure team departures. They needed a global security solution that provided consistent and responsive support to their lean on-site team so the organization could operate efficiently and on track with their future growth goals with as little downtime as possible.

Solution

Lightstream knew this customer needed a specific solution to their unique circumstances. After reviewing the organization’s current needs and future goals, Lightstream pitched the Cloud Security Accelerator, which incorporates assessments, design and implementation along with Cloud Defense for 24x7 ongoing security managed services.

Lightstream provides a full-service solution spanning implementation, deployment, and ongoing support. The Lightstream Cloud Security Accelerator is a programmatic methodology for delivering assessment, design, and implementation services quickly while enabling a best-of-breed security posture. The Security Accelerator focuses on over 100 practice areas, including network security, identity management, privileged access, data protection, asset management, logging & threat detection, incident response, posture & vulnerability management, endpoint security, backup & recovery, DevOps security, and governance.

Lightstream also examined this customer’s team and provided additional support beyond implementation with Lightstream’s Cloud Defense, leveraging CSPM (Cloud Security Posture Management), CWP (Cloud Workload Protection), CIEM (Cloud Infrastructure Entitlement Management), WAAS (Web Application and API Security), Network and Code Security in a 24x7 Security Managed Services offering. Lightstream utilizes Palo Alto Networks Prisma Cloud CNAPP (Cloud-Native Application Protection Platform) in concert with Lightstream’s purpose-built Security Platform for posture alignment, correlation, ticketing, and security remediation. These capabilities give this customer’s security team continued comprehensive visibility across its cloud infrastructure, as well as insight into new and existing assets and potential threats. Using Lightstream Cloud Defense, this customer has a solution that allows them to focus on their business with unmatched risk clarity and operational insight.

Lightstream worked with this customer to determine appropriate staff to receive various levels of vendor training during the engagement. During the implementation, processes and procedures were evaluated and updated. At the end of the engagement, Lightstream held a workshop to review the integration and updated processes and procedures with the customer.

Solution Details

Customizations

Application Security via WAF

Lightstream provides WAF solutions for customers, customized based upon their workload architecture. Lightstream utilizes either the AWS WAF or Palo Alto Networks Prisma Cloud WAAS for edge application security. OWASP Top 10 protections are applied to all environments, along with additional customizations based upon the customer’s web service architecture and its known vulnerabilities.

Examples:

  • Palo Alto Networks Prisma Cloud WAAS deployed on instance for all non-Kubernetes workloads
    • OWASP Top 10
    • Custom policy based on workload, primarily focused on vulnerable components
  • Palo Alto Networks Prisma Cloud WAAS deployed within each node for multi-pod/container Kubernetes deployments
    • OWASP Top 10
    • Custom policy based on workload, primarily focused on injection and vulnerable components
  • Palo Alto Networks Prisma Cloud WAAS deployed within each app for scalable container deployments across multiple Kubernetes nodes without pod/container overlap
    • OWASP Top 10

Lambda for Security

Lightstream incorporates Zero-Trust Postures into every security engagement by defining protect surfaces for all AWS workloads regardless of deployment type (Native Kubernetes, EKS, Instance, RDS). To facilitate this capability, Lightstream relies on Lambda to query all VPCs, Subnets, Security Groups, and Network Firewalls within the customer’s AWS account(s), sending that data to the Lightstream Security Platform, where it is analyzed against the defined protect surfaces to ensure continuous alignment.

Examples:

  • This customer runs a variety of application architectures within its AWS environment, including monolithic applications and microservices (Kubernetes, EKS). This requires a very specific protect surface definition that isolates each tier on a per-workload basis, for both security and regulatory compliance requirements.
    • Design
      • VPC – Multi VPC Architecture (Environment Based)
      • Subnets – Per Tier and Per Workload
      • Security Groups – Focused Access/Per Workload
        • Web – Custom per workload, limited to WAF and App Tiers
        • App – Custom per workload, limited to Web and DB Tiers
        • DB – Custom per workload, no standard DB, limited to App Tier
      • Tagging – Per Workload Tags
    • Monitoring
      • Lambda checks executed every 300 seconds, sent via API to Lightstream Security Platform for verification
      • Secondary Lambda microservice for automated remediation of tagged Web, App, DB Tiers orchestrated by Lightstream SOAR
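The following is an added example of the kind of check the scheduled Lambda described above performs; it is not Lightstream's or the customer's code. It takes security groups in the shape returned by `describe_security_groups`, reads the per-workload `Tier` tag, and compares each ingress rule against a protect surface that mirrors the Web/App/DB design listed above. Tier names, tag keys, group ids and the sample groups are constructed; forwarding of the result to the Lightstream Security Platform is left to the caller because that API is not described on this page.

```python
"""Protect-surface check over security groups, in the shape a scheduled Lambda
would run.  Added example; tiers, tags and group ids are constructed."""
from collections import Counter

# Constructed protect surface for one workload, mirroring the design above:
# each tier lists the tiers allowed to reach it and the TCP ports it exposes.
PROTECT_SURFACE = {
    "web": {"allowed_from": {"waf", "app"}, "ports": {443}},
    "app": {"allowed_from": {"web", "db"}, "ports": {8080}},
    "db":  {"allowed_from": {"app"}, "ports": {5432}},
}


def tier_tag(group):
    """Return the lower-cased value of the 'Tier' tag, or None if untagged."""
    for tag in group.get("Tags", []):
        if tag.get("Key") == "Tier":
            return tag["Value"].lower()
    return None


def opened_ports(perm):
    """Ports an IpPermissions entry opens, or None when it is not a TCP/UDP range."""
    if perm.get("IpProtocol") not in ("tcp", "udp") or "FromPort" not in perm:
        return None
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def evaluate_security_groups(groups, surface):
    """Compare describe_security_groups output against the protect surface."""
    tier_of = {g["GroupId"]: tier_tag(g) for g in groups}
    findings = []

    def flag(group, severity, issue):
        findings.append({"group": group["GroupId"], "tier": tier_of[group["GroupId"]],
                         "severity": severity, "issue": issue})

    for group in groups:
        tier = tier_of[group["GroupId"]]
        if tier not in surface:
            continue  # not a protected tier (e.g. the WAF edge group)
        policy = surface[tier]
        for perm in group.get("IpPermissions", []):
            # Sources must be the security groups of permitted tiers, never raw CIDRs.
            for pair in perm.get("UserIdGroupPairs", []):
                src_tier = tier_of.get(pair["GroupId"])  # None if the group is unknown
                if src_tier not in policy["allowed_from"]:
                    flag(group, "High", f"ingress from {pair['GroupId']} (tier {src_tier}) "
                                        f"is not allowed into the {tier} tier")
            for rng in perm.get("IpRanges", []):
                cidr = rng["CidrIp"]
                flag(group, "Critical" if cidr == "0.0.0.0/0" else "High",
                     f"ingress from CIDR {cidr} instead of a tier security group")
            # Ports must stay within the tier's declared service ports.
            ports = opened_ports(perm)
            if ports is None:
                flag(group, "Critical", f"protocol {perm.get('IpProtocol')} opens traffic "
                                        f"outside the TCP port policy")
            elif ports - policy["ports"]:
                flag(group, "Medium", f"ports {sorted(ports - policy['ports'])} "
                                      f"are not part of the {tier} tier")
    return findings


def summarize(findings):
    """Count findings per severity, the figure a ticketing system would key on."""
    return dict(Counter(f["severity"] for f in findings))


def lambda_handler(event, context):
    """Entry point for the scheduled (300 s) Lambda.  boto3 is imported lazily so the
    evaluation logic above runs offline; shipping the result elsewhere is the caller's job."""
    import boto3
    ec2 = boto3.client("ec2")
    groups = []
    for page in ec2.get_paginator("describe_security_groups").paginate():
        groups.extend(page["SecurityGroups"])
    findings = evaluate_security_groups(groups, PROTECT_SURFACE)
    return {"summary": summarize(findings), "findings": findings}


# Constructed sample in the shape boto3 returns, with two deliberate drifts:
# an SSH rule open to the internet on the app tier and a web->db rule.
def sg(group_id, tier, *perms):
    return {"GroupId": group_id, "Tags": [{"Key": "Tier", "Value": tier}],
            "IpPermissions": list(perms)}


def tcp(port, *, groups=(), cidrs=()):
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": g} for g in groups],
            "IpRanges": [{"CidrIp": c} for c in cidrs]}


SAMPLE_GROUPS = [
    sg("sg-waf", "waf", tcp(443, cidrs=["0.0.0.0/0"])),   # edge group, not a protected tier
    sg("sg-web", "web", tcp(443, groups=["sg-waf"])),
    sg("sg-app", "app", tcp(8080, groups=["sg-web"]), tcp(22, cidrs=["0.0.0.0/0"])),
    sg("sg-db", "db", tcp(5432, groups=["sg-web"])),     # design says app tier only
]

if __name__ == "__main__":
    for f in evaluate_security_groups(SAMPLE_GROUPS, PROTECT_SURFACE):
        print(f"{f['severity']:8} {f['group']:7} {f['issue']}")
```

The check deliberately treats any CIDR source on a protected tier as a finding, not just `0.0.0.0/0`: in a protect-surface design the only legitimate sources are the security groups of the adjacent tiers, so a CIDR rule is drift even when it is narrow. A group referencing an unknown group id (for example a cross-account peer not in the listing) is flagged for the same reason.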

VPC Flow Logs

VPC Flow Logs are utilized in all security engagements as a strategic data point for advanced correlation of traffic flows into a customer’s AWS environment. Source/Destination IP and Port/Protocol information is forwarded to Lightstream’s multi-tenant Palo Alto Networks Prisma Cloud environment, where Lightstream leverages a set of pre-defined RQL queries created through over 10 years of experience analyzing flow logs, along with custom RQL queries specialized to the customer’s environment.

Examples:

  • RQL Query Types
    • Pre-Defined
      • Source/Destination IP not per Zero-Trust Posture Design
      • Port/Protocol not per Zero-Trust Posture Design
      • Outbound Internet Access not via NGFW
    • Custom
      • Source IP from known malicious IP Addresses
      • Source IP from very high risk non-export countries (North Korea, Russia)
      • Source IP from high risk countries (China, Confederation)
    • Monitoring
      • All queries are assigned a severity through custom rulesets defined by Lightstream in collaboration with the customer (Critical, High, Medium, Low) and are automatically ticketed in the Lightstream Security Portal and automatically remediated via the Lightstream SOAR if applicable
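As an added illustration of the query types listed above (it is not Lightstream's RQL nor the customer's tooling), the following parses default-format VPC Flow Log records and applies the same five checks in plain Python: tier pairs and port/protocol against a zero-trust design, outbound traffic not seen on the firewall's interface, a known-malicious source list, and a country-risk prefix table. The tier subnets, firewall ENI id, address lists, severities and the log lines are all constructed; the risk table stands in for a real geo-IP feed.

```python
"""Flow-log triage against a zero-trust design, a known-bad list and a risk table.
Added example; the design, interface ids, address lists and log lines are constructed."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Default VPC Flow Log (version 2) field order.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed protect-surface design: tier subnets and the only permitted
# (source tier, destination tier, IP protocol, destination port) tuples.
TIERS = {"waf": ip_network("10.0.0.0/24"), "web": ip_network("10.0.1.0/24"),
         "app": ip_network("10.0.2.0/24"), "db": ip_network("10.0.3.0/24")}
ALLOWED_FLOWS = {("waf", "web", 6, 443), ("web", "app", 6, 8080), ("app", "db", 6, 5432)}
ALLOWED_PAIRS = {(s, d) for s, d, _, _ in ALLOWED_FLOWS}
NGFW_INTERFACES = {"eni-0ngfw0000000000"}       # constructed firewall ENI id
MALICIOUS_IPS = {ip_address("203.0.113.7")}     # constructed, stands in for a threat feed
RISK_BY_PREFIX = {                               # constructed stand-in for a geo-IP table
    ip_network("198.51.100.0/24"): ("very high", "Critical"),
    ip_network("192.0.2.0/24"): ("high", "Medium"),
}


def parse_flow_record(line):
    """Split one default-format line into a dict; '-' fields become None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in INT_FIELDS:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def tier_of(addr):
    return next((name for name, net in TIERS.items() if addr in net), None)


def evaluate_record(rec):
    """Return (severity, message) findings for one record, one per query type above."""
    findings = []
    if rec["log_status"] != "OK":
        return findings  # NODATA / SKIPDATA records carry no addresses
    src, dst = ip_address(rec["srcaddr"]), ip_address(rec["dstaddr"])
    src_tier, dst_tier = tier_of(src), tier_of(dst)
    if src_tier and dst_tier and rec["action"] == "ACCEPT":
        # Flow logs record both directions; the server->client half of a permitted
        # flow has the service port as srcport and must not be reported as drift.
        if (dst_tier, src_tier, rec["protocol"], rec["srcport"]) in ALLOWED_FLOWS:
            return findings
        if (src_tier, dst_tier) not in ALLOWED_PAIRS:
            findings.append(("High", f"{src_tier}->{dst_tier} flow not per zero-trust design"))
        elif (src_tier, dst_tier, rec["protocol"], rec["dstport"]) not in ALLOWED_FLOWS:
            findings.append(("High", f"protocol {rec['protocol']} port {rec['dstport']} "
                                     f"not per design for {src_tier}->{dst_tier}"))
    elif src_tier and not dst_tier and rec["action"] == "ACCEPT":
        # Outbound: anything leaving the tiers must be seen on the firewall's interface.
        if rec["interface_id"] not in NGFW_INTERFACES:
            findings.append(("High", f"outbound to {dst} from {src_tier} tier not via NGFW"))
    elif dst_tier and not src_tier:
        # Inbound from outside the design: reputation and geography checks.
        if src in MALICIOUS_IPS:
            findings.append(("Critical", f"source {src} on known-malicious list"))
        for net, (label, severity) in RISK_BY_PREFIX.items():
            if src in net:
                findings.append((severity, f"source {src} in {label}-risk country range"))
    return findings


def analyze(lines):
    """Evaluate many lines; returns (severity, interface_id, message) triples."""
    out = []
    for line in lines:
        rec = parse_flow_record(line)
        out.extend((sev, rec["interface_id"], msg) for sev, msg in evaluate_record(rec))
    return out


def summarize(findings):
    return dict(Counter(f[0] for f in findings))


# Constructed sample: two permitted flows (plus the return half of one), two design
# violations, outbound traffic bypassing and then via the NGFW, two suspicious
# inbound sources and one NODATA record.
SAMPLE_LINES = [
    "2 123456789012 eni-web0000000001 10.0.0.15 10.0.1.10 49152 443 6 10 2000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-web0000000001 10.0.1.10 10.0.0.15 443 49152 6 8 5000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-app0000000001 10.0.1.10 10.0.2.20 49153 8080 6 10 2000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-db00000000001 10.0.1.10 10.0.3.30 49154 5432 6 5 900 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-db00000000001 10.0.2.20 10.0.3.30 49155 22 6 5 900 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-app0000000001 10.0.2.20 203.0.113.50 49156 443 6 30 9000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0ngfw0000000000 10.0.2.20 203.0.113.50 49156 443 6 30 9000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-web0000000001 203.0.113.7 10.0.1.10 40000 443 6 3 300 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-web0000000001 198.51.100.9 10.0.1.10 40001 443 6 3 300 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-web0000000001 - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    for severity, eni, message in analyze(SAMPLE_LINES):
        print(f"{severity:8} {eni:20} {message}")
```

Rejected flows are skipped for the design checks, since a REJECT is the design working rather than drift, but they still count for the reputation checks: a blocked probe from a listed address is exactly what the custom queries exist to surface. Replace the constructed address lists and tier map with the customer's own before using this on real logs.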

Config and CloudTrail for Regulatory Compliance

Lightstream utilizes AWS Config and CloudTrail to ensure compliance for our customers with best-practice, governance, and regulatory requirements. Config and CloudTrail data are analyzed by the Lightstream Palo Alto Networks Prisma Cloud multi-tenant environment as well as the Lightstream Security Platform, in real time for CloudTrail events and every 300 seconds for Config changes.

Examples:

  • Frameworks
    • Best-Practices
      • CIS v1.4
      • MITRE ATT&CK v10.0
      • CSA
    • Regulatory
      • NIST 800-53
      • GDPR
      • SOX
    • Monitoring
      • Frameworks are customized and assigned a severity level based upon their effect on the customer business. Compliance readouts are provided to the customer monthly during our security reviews, as well as 24x7 by our Cloud Defense managed services offering wherein we triage the events and remediate as necessary and applicable.
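As an added example (not Lightstream's platform logic or any Prisma Cloud policy), the following shows the real-time CloudTrail side of the monitoring described above: it loads a CloudTrail delivery object, evaluates each record against a handful of checks, and tags every finding with a severity and a framework reference in the style of the CIS v1.4 and MITRE ATT&CK frameworks listed above. The records, account id, addresses and the severity mapping are constructed; the framework references are illustrative labels chosen for this example, not a customer's customized rule set.

```python
"""CloudTrail event triage with framework mapping, as a real-time consumer of the log
stream would run it.  Added example; records, ids and the control mapping are constructed."""
import json
from collections import Counter

REMOTE_ADMIN_PORTS = {22, 3389}
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
POLICY_ATTACH_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}


def _cidr_rules(params):
    """Yield (from_port, to_port, cidr) from an EC2 CloudTrail requestParameters body."""
    for perm in (params or {}).get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            yield perm.get("fromPort"), perm.get("toPort"), rng.get("cidrIp")


def evaluate_event(ev):
    """Return findings for one record as dicts: severity, control reference, detail."""
    findings = []
    ident = ev.get("userIdentity") or {}
    name, source = ev.get("eventName"), ev.get("eventSource")
    params = ev.get("requestParameters") or {}

    def flag(severity, control, detail):
        findings.append({"severity": severity, "control": control, "detail": detail,
                         "event": name, "time": ev.get("eventTime")})

    # Root credentials in use (invokedBy marks AWS services acting on the account's behalf).
    if ident.get("type") == "Root" and not ident.get("invokedBy"):
        flag("Critical", "CIS v1.4 root account usage / ATT&CK T1078.004",
             f"root performed {name} from {ev.get('sourceIPAddress')}")
    # Audit-trail tampering.
    if source == "cloudtrail.amazonaws.com" and name in LOGGING_TAMPER_EVENTS:
        flag("Critical", "ATT&CK T1562.008 disable cloud logs", f"{name} on {params.get('name')}")
    # Remote-administration ports opened to the whole internet.
    if name == "AuthorizeSecurityGroupIngress":
        for lo, hi, cidr in _cidr_rules(params):
            if cidr == "0.0.0.0/0" and lo is not None and any(lo <= p <= hi for p in REMOTE_ADMIN_PORTS):
                flag("High", "CIS v1.4 remote admin ports from 0.0.0.0/0",
                     f"{params.get('groupId')} opened {lo}-{hi} to 0.0.0.0/0")
    # Administrator policy granted to a principal.
    if name in POLICY_ATTACH_EVENTS and params.get("policyArn") == ADMIN_POLICY:
        who = params.get("userName") or params.get("roleName") or params.get("groupName")
        flag("High", "ATT&CK T1098 account manipulation", f"AdministratorAccess attached to {who}")
    return findings


def load_records(payload):
    """CloudTrail delivers JSON objects (gzip'd in S3) with a top-level 'Records' array."""
    return json.loads(payload)["Records"]


def evaluate_trail(payload):
    return [f for rec in load_records(payload) for f in evaluate_event(rec)]


def summarize(findings):
    return dict(Counter(f["severity"] for f in findings))


# Constructed records in CloudTrail's shape; account id, ARNs and addresses are placeholders.
def _rec(ident_type, name, source, params=None):
    arn = ("arn:aws:iam::123456789012:root" if ident_type == "Root"
           else f"arn:aws:iam::123456789012:{ident_type.lower()}/example")
    return {"eventVersion": "1.08", "eventTime": "2024-01-01T00:00:00Z",
            "userIdentity": {"type": ident_type, "accountId": "123456789012", "arn": arn},
            "eventSource": source, "eventName": name, "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.23", "requestParameters": params}


SAMPLE_RECORDS = [
    _rec("Root", "ConsoleLogin", "signin.amazonaws.com"),
    _rec("IAMUser", "AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", {
        "groupId": "sg-0example", "ipPermissions": {"items": [{
            "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
            "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
    _rec("AssumedRole", "StopLogging", "cloudtrail.amazonaws.com",
         {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail"}),
    _rec("IAMUser", "AttachUserPolicy", "iam.amazonaws.com",
         {"userName": "bob", "policyArn": ADMIN_POLICY}),
    _rec("IAMUser", "DescribeInstances", "ec2.amazonaws.com"),   # benign read-only call
]
SAMPLE_TRAIL = json.dumps({"Records": SAMPLE_RECORDS})

if __name__ == "__main__":
    for f in evaluate_trail(SAMPLE_TRAIL):
        print(f"{f['severity']:8} {f['event']:30} {f['control']}: {f['detail']}")
```

Each check reads only fields CloudTrail always populates (`userIdentity`, `eventSource`, `eventName`, `requestParameters`), so the same function works whether records arrive from an S3 delivery object or an EventBridge rule. The severity assigned here is the example's own; in the engagement described above that mapping is set per customer according to business impact.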

Security Tools

  • Amazon CloudWatch
    • Ingestion of CloudWatch alarms into Palo Alto Networks Prisma Cloud and Lightstream Security Portal for correlation and response
  • AWS CloudTrail
    • Ingestion of CloudTrail logs into Palo Alto Networks Prisma Cloud and Lightstream Security Portal for correlation and response
  • AWS Config
    • Ingestion of Config changes into Palo Alto Networks Prisma Cloud and Lightstream Security Portal for correlation and response
    • Primarily used for Best-Practice, Risk Analysis and Compliance
  • AWS Identity and Access Management (IAM)
    • CIEM for IAM entitlement management
    • Config and CloudTrail analysis for anomaly detection
  • AWS Key Management Service (KMS)
    • All keys are stored in KMS for customer workload use and Lightstream use
  • AWS Lambda for security resources
    • Zero-Trust Posture correlation
    • Configuration remediation via Lightstream SOAR
  • AWS Single Sign-On
    • Active Directory integration for Single Sign-On access to all accounts
    • AWS Organizations
  • AWS VPC Flow Logs
    • Source/Destination IP Analysis
    • Port/Protocol Analysis

Security Tooling

  • AWS Account Security Assessment (Root Credential Storage, S3 Bucket Permissions, IAM Permissions, etc.)
  • Identity, Access Control, and Federation (Secrets Management, SSO, Privileged User Management, Host/App AuthZ/AuthN)
  • Web Application Firewall (WAF)
  • DDoS protection
  • Firewall and Networking Infrastructure (NGFW, Micro-Segmentation, Security Group Management, Network Analysis/Packet Capture)
  • Remote Connectivity Infrastructure
  • Endpoint, Host Security (EDR/EPP) and Container Security
  • File Integrity Monitoring (FIM)
  • Intrusion Detection and Prevention (IDS/IPS)
  • Centralized Logging, Monitoring, and/or SIEM
  • Proxies and Egress Access
  • Encryption and Key/Secrets Management of S3, EBS, DynamoDB
  • Data Loss Prevention (DLP)

Architectural Diagram

Public facing Onsemi AWS Architecture