Prevent Data-Focused Attacks

Speeding Investigations and Uncovering Risky Misconfigurations Using Maps

Latimer Luis
Director, Customer Success Engineering
February 13, 2023

Data breaches are an ever-present, costly problem facing all types of organizations. Data breaches in the cloud can occur for a multitude of reasons, most commonly misconfigurations, malware, insecure APIs and poor IAM policies. While the root causes are often easy to see in retrospect, they are notoriously difficult to spot in the moment.

When performing post-mortem analysis, incident responders often find that the signs of a breach were present long before the breach was actually identified. Mandiant’s 2022 M-Trends report showed that attackers are present for 21 days, on average, before defenders are able to identify and disrupt them. Why do intrusions go unnoticed for so long, even in organizations with mature cybersecurity programs? Causes vary depending on the incident and organization, but alert fatigue is a common issue.

Too often, analysts must wade through hundreds or thousands of relatively benign alerts and other telemetry from their security tools in order to identify something actionable. This task can be overwhelming, especially when analysts lack context to fully understand the alerts in their queue, making it easy to overlook the early signs of an intrusion or vulnerability. 

The Map feature in the Open Raven Data Security Platform helps reduce alert fatigue by representing security data in an intuitive and interactive 3D map. Displaying alerts and security telemetry in this manner provides deep context, helping analysts to quickly zero in on what’s most important and act before a breach can occur. 

Maps Deliver Fast Insights

The Open Raven Map provides our customers a bird’s eye view of all the assets in their cloud infrastructure. The assets shown on the map are automatically populated once an account is connected to Open Raven. Open Raven discovers assets continuously, so the map visualization will change over time as new assets are added and old ones are decommissioned. The size of each region is automatically adjusted based on the number of assets discovered, giving you a quick summary of where you have most of your assets. 

Maps have been part of Open Raven’s solution since Q2 2021. Let’s examine a few scenarios. 

Open Raven Map provides visual representation of your entire cloud estate

Discovering Rogue Assets in an Unexpected Region

Open Raven Map shines a spotlight on rogue assets

Have you ever wondered if assets from a completed project were properly decommissioned? Running periodic discovery scans can reveal these rogue assets and help companies avoid potential compliance violations and unplanned compute costs.

Zombie External Connections

Need to audit all external connections to cloud accounts? External connections are displayed within the Map, making the review quick and simple. The map instantly reveals security issues including open ports that allow access from a specific IP address. Security teams can use this information to map the IP address and determine if the access is required, has been exploited, or if it should be shut down.

Open Raven Map highlights unauthorized external connectivity to AWS resources


High Risk VPC Peering

Would you like to see the data risk posed by VPC peering connections? Open Raven Map also shows Virtual Private Cloud (VPC) peering between security groups across their various regions. VPC peering allows network traffic to travel from one VPC to another, as if they were on the same network. With this information, security teams can identify risky connections, including those with bi-directional connectivity or hub-and-spoke configurations.

Reviewing VPC peering with Open Raven Map
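
As an added illustration (not Open Raven code or its method), the Python below runs the same kind of peering review over constructed records shaped like the output of the EC2 DescribeVpcPeeringConnections and DescribeRouteTables APIs. The IDs, CIDRs, the helper and function names, and the hub threshold of three active peerings are assumptions made for the example.

```python
from collections import defaultdict

# Helpers that build records shaped like EC2 API response entries.
def _pcx(pcx_id, req, req_region, acc, acc_region, status="active"):
    return {"VpcPeeringConnectionId": pcx_id, "Status": {"Code": status},
            "RequesterVpcInfo": {"VpcId": req, "Region": req_region},
            "AccepterVpcInfo": {"VpcId": acc, "Region": acc_region}}
def _rt(vpc_id, *routes):
    return {"VpcId": vpc_id, "Routes": [
        {"DestinationCidrBlock": cidr, "VpcPeeringConnectionId": pcx}
        for cidr, pcx in routes]}

# Constructed sample data; every ID and CIDR here is made up.
PEERINGS = [
    _pcx("pcx-aaa", "vpc-hub", "us-east-1", "vpc-app", "us-east-1"),
    _pcx("pcx-bbb", "vpc-hub", "us-east-1", "vpc-data", "eu-west-1"),
    _pcx("pcx-ccc", "vpc-hub", "us-east-1", "vpc-dev", "us-west-2"),
    _pcx("pcx-ddd", "vpc-app", "us-east-1", "vpc-old", "us-east-1", "deleted"),
]
ROUTE_TABLES = [
    _rt("vpc-hub", ("10.1.0.0/16", "pcx-aaa"), ("10.2.0.0/16", "pcx-bbb")),
    _rt("vpc-app", ("10.0.0.0/16", "pcx-aaa")),
    _rt("vpc-dev", ("10.0.0.0/16", "pcx-ccc")),
]

def review_peering(peerings, route_tables, hub_threshold=3):
    """Flag peerings routed from both sides, cross-region peerings, and hub VPCs."""
    routed = defaultdict(set)  # peering id -> VPCs holding a route into it
    for table in route_tables:
        for route in table.get("Routes", []):
            if route.get("VpcPeeringConnectionId"):
                routed[route["VpcPeeringConnectionId"]].add(table["VpcId"])
    degree, findings = defaultdict(int), []
    for p in peerings:
        if p["Status"]["Code"] != "active":
            continue  # deleted, rejected or pending peerings carry no traffic
        req, acc = p["RequesterVpcInfo"], p["AccepterVpcInfo"]
        ends = {req["VpcId"], acc["VpcId"]}
        for vpc in ends:
            degree[vpc] += 1
        findings.append({
            "id": p["VpcPeeringConnectionId"],
            "bidirectional": ends <= routed[p["VpcPeeringConnectionId"]],
            "cross_region": req["Region"] != acc["Region"],
        })
    return findings, sorted(v for v, n in degree.items() if n >= hub_threshold)

if __name__ == "__main__":
    print(review_peering(PEERINGS, ROUTE_TABLES))
```

Here a peering counts as bidirectional only when both VPCs hold a route pointing at it, so a connection that exists but is routed from one side is reported separately from one that is fully open.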

Streamlined Alert Investigations and Threat Hunting

Need to quickly analyze sensitive data at risk? The Map feature is the perfect solution. When an analyst zooms in on a region of the map, Open Raven displays icons flagging important assets for review. A user can quickly click on an asset from the map to get to more details on the data classes we’ve identified in that data store, any violations the store has triggered, and relevant context to help the analyst prioritize and act on findings.

Conclusion

The Open Raven Map provides a fast and efficient mechanism to collect all the relevant context from the affected asset with just a click or two. It also gives analysts a powerful workbench to proactively hunt for related data stores that could potentially lead to similar alerts in the future.
