Open Raven Platform Release: Policy Violations When Data Is the Endpoint
Historically, security teams have primarily relied on alerts from their infrastructure and endpoints to identify potential areas of data exposure. The downside of this infrastructure-centric approach is that it assumes knowledge of the data present on the system, an increasingly dangerous and often inaccurate assumption as data reaches massive scale and sprawl. As a result, when an organization becomes data-mature, relying on infrastructure-originated alerts rapidly starts to have negative implications for its security posture. Ransomware has brought this problem into clear focus: in the event of an incident, you need to know exactly what data is involved, as it has a profound impact on how you respond.
Solving this increasingly common security problem, Open Raven automatically discovers exposed data across your AWS estate by monitoring and alerting for mismatches between your data and infrastructure configurations.
In this post, we’ll describe how Open Raven pinpoints and helps you manage these data-driven alerts in our new “Violations” UX.
Data Exposure Alerting
Managing cloud risk without any data context leaves only vulnerability severity and threat modeling to drive risk. This approach often leaves you missing some problems and other times chasing false alarms. For instance, an S3 bucket open to the Internet is either expected if it holds marketing collateral for the company website… or a drop-everything problem if instead it houses a trove of unencrypted customer data. The data context that Open Raven uses to assess these critical data security criteria allows stretched security teams to do more in less time.
In the new Violations page, Open Raven provides a manageable and prioritized list of data and infrastructure misconfigurations, and includes details often missed by other security tools. With quick access to assets in the AWS Console and straightforward integrations into your workflow, you will now be able to remediate urgent problems faster than ever before.
How does it work?
After selecting or creating a policy, Open Raven monitors your AWS estate and builds a list of alerts with rich, data-driven context to help you focus on what matters most. The Violations page shows you a list of problematic assets prioritized by severity. At a glance, you can focus on specific accounts or look across multiple regions. Summary points like sensitive data findings and the violation scope help identify misconfigurations and drive next steps quickly.
Click on any violation row to view a list of assets and details that explain what needs attention. A direct link to the AWS Console makes navigating to the asset in question straightforward.
In the screenshot below, you’ll see an S3 bucket that has been previously scanned against the out-of-the-box policy named “Open Raven Security Policy.” One of the rules in that policy, “No unencrypted Personal Data,” was triggered, generating a “High Risk Violation.” This rule monitors for the presence of sensitive personal information (e.g. US Social Security numbers, credit card numbers, bank account numbers, etc.) in S3 buckets.
It appears that the “benchmarking-bucket-1” S3 bucket is in violation. The alert details show that the bucket contains US Social Security numbers and sensitive personal data belonging to individuals based in the EU. You will also notice that this bucket is located in the us-west-2 AWS region, which implies a possible compliance breach of the EU’s GDPR. This is extremely problematic as compliance violations like these may be fined on a per-record basis.
Clicking on the asset row (the S3 bucket) reveals a details panel that contains the list of objects in violation of the rule. The list here makes it easy to prioritize remediation depending on the data or misconfiguration findings. Again, a direct AWS Console link to the object is provided for immediate action or further investigation. This makes it even easier to secure your assets and reach your compliance goals.
Furthermore, you can track the workflow state using Violation Status. Open Raven sets violations to “Open” by default and closes them automatically when the issues are resolved in a subsequent policy evaluation. If a violation status is manually set to “Closed,” Open Raven will reevaluate the policy to confirm that the remediation actually occurred and the issue was solved. In instances where you believe a violation was raised by mistake, you can mark it as “False Positive” (we promise not to spam you with these; we hate false positives too).
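To make the idea concrete, here is an added, hypothetical model (not Open Raven's code) of the “No unencrypted Personal Data” rule described above and of the Open / Closed / False Positive status lifecycle. Bucket names, data classes, the region list and the rule that a manual “Closed” reverts to “Open” when the condition persists are all assumptions for illustration.

```python
"""Hypothetical data-aware policy evaluation; constructed example, not Open Raven's code."""
from dataclasses import dataclass, field

# Assumed EU region list and personal-data classes used by the illustrative rule.
EU_REGIONS = {"eu-west-1", "eu-west-2", "eu-west-3", "eu-central-1", "eu-north-1", "eu-south-1"}
PERSONAL = {"US_SSN", "CREDIT_CARD", "BANK_ACCOUNT", "EU_PERSONAL"}


@dataclass
class Bucket:
    name: str
    region: str
    encrypted: bool                                # default server-side encryption on?
    findings: set = field(default_factory=set)     # data classes reported by a scan


def check_unencrypted_personal(b: Bucket):
    """Rule 'No unencrypted Personal Data': personal data in a bucket without encryption.

    Returns a violation dict (severity High) or None. The data context decides:
    the same unencrypted bucket is fine if it only holds public collateral."""
    hits = b.findings & PERSONAL
    if not hits or b.encrypted:
        return None
    notes = [f"contains {', '.join(sorted(hits))}"]
    if "EU_PERSONAL" in hits and b.region not in EU_REGIONS:
        notes.append(f"EU personal data stored in {b.region} (possible GDPR issue)")
    return {"asset": b.name, "severity": "High", "notes": notes}


def evaluate(buckets, statuses):
    """Re-run the rule and return the updated per-asset status map.

    New hits open; an 'Open' violation whose condition is gone auto-closes;
    a manual 'Closed' is re-checked and reverts to 'Open' if still violating
    (assumed behaviour); 'False Positive' is never re-raised."""
    result = dict(statuses)
    for b in buckets:
        violation = check_unencrypted_personal(b)
        current = statuses.get(b.name)
        if violation is None:
            if current == "Open":
                result[b.name] = "Closed"          # remediation confirmed by re-evaluation
        elif current != "False Positive":
            result[b.name] = "Open"                # new violation, or unconfirmed manual close
    return result
```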
Closing the loop
We know every organization has its own workflow when it comes to taking action on alerts. As a result, we’ve designed Open Raven to be a highly flexible security solution.
If you prefer to move quickly via the AWS Console, our violation events deep-link to the affected asset to make manual resolution as quick as possible. If you use Slack or email alerting, Open Raven has several built-in integrations for popular services. And if you have a custom or automated workflow, Webhook and AWS EventBridge integrations are configurable within the UI so that alerts can be sent wherever you need them most.