How Open Raven Complements CSPMs - Real World Examples
Security teams have access to many tools, some of them focused on their cloud infrastructure and on the configurations of the components found in AWS, GCP, Azure, and the like. Therefore, it's not uncommon that when we talk to our customers, they're already heavily invested in cloud security posture management (CSPM) services.
According to Gartner, CSPM consists of offerings that continuously manage IaaS and PaaS security posture through prevention, detection, and response to cloud infrastructure risks.
Open Raven works in parallel to CSPM offerings and often bolsters the information provided to end users in a few different ways.
Visualizing Assets in Maps
In a previous blog, we explained how the Map allows for easy exploration of data assets. A real-world example involves the unexpected discovery by the Open Raven Data Security Platform of sensitive data in a cloud region outside of the United States. This discovery was against company policy and not identified by a CSPM. While rules and filters in CSPM solutions assist with identifying assets in all regions, having a picture, or a map, with sensitive data context is far more valuable.
At Open Raven, rather than building rules first, our customers often spend time exploring the Map first. Map exploration gives them ideas of what rules to build - whether those rules reside in the Open Raven Data Security Platform or other security products.
Enriching CSPM Alerts with Data Context
In speaking to customers with CSPM tooling in place, there does seem to be a gap in the context provided for alerts related to data stores. For example, when alerted to an improperly configured AWS S3 bucket or RDS instance, the next question customers often ask is, "What is in that bucket or database?"
Yes, in some cases, data store names reveal important context regarding either the purpose or owner or the type of data inside, but having a standard naming convention across data stores is often the exception rather than the rule, especially in larger organizations with geographically distributed teams where ownership of cloud accounts and projects adds further complexity.
Therefore, the need to scan data stores before or after receiving alerts is still required to answer the questions I posed above. This is where Open Raven comes into play. Magpie, our open-source CSPM tool, powers our discovery engine and provides security posture details based on resource configuration data. Our data classification engine then enriches that information with data-specific context, including types and quantities of sensitive data.
Furthermore, Open Raven provides APIs for the programmatic scanning of assets based on workflow conditions. For example, once a customer receives an alert or results from their CSPM regarding a data store, they can automatically scan the asset with some additional options:
- Determining the list of data classes to scan for
- Including / Excluding certain file types
- Individual file scanning, if necessary
- Applying a scan budget
- Setting a sampling rate
Scanning a data store and checking for personal, financial, healthcare, or developer secrets adds much-needed context to alerts. Organizations prioritize data types differently based on their business model and security concerns. Still, one thing that remains true is the presence of sensitive data changes the narrative of the follow-on remediation steps and raises the risk level of the alert.
When a data risk is identified, we often see our customers sending the information to relevant data owners over email, but it's not uncommon for them to also create integrations with JIRA, a ticketing system, and/or SIEM / SOAR / XDR products.
Understanding Data Exposure when Responding to an Incident
(Hypothetical) Security identified a potential breach. The team in the war room is nearing the end of the incident, and a crafty senior security engineer finally determines the identity of the compromised user and what data store they last accessed. The incident commander asks the room, "Does anyone know if there is anything sensitive in this data store?" Everyone looks around, looks at each other, and there's a moment of silence, maybe even shrugs.
If you're reading this, there's a good chance you've been in a similar situation. At this point, understanding the configurations of the data store isn't the primary objective. Security teams then pivot towards using Open Raven to help understand the data types that may have been exposed. Security teams can query the Data Catalog for the compromised data store and gather details on types and quantities of sensitive information contained inside for remediation and further analysis. If the query does not return results, which can be the case if a data store wasn't previously scanned, a user can easily opt to create a scan on the fly for a single data store or even for a specific file. As mentioned, querying the Data Catalog and creating a scan can be done using Open Raven's APIs.
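The two workflows described above, enriching a CSPM alert with the scan options listed earlier and falling back to an on-demand scan when the Data Catalog has no entry for the store, are illustrated below in a Python example added for this post. It is not Open Raven's or Magpie's code and does not use their APIs; the detectors, the bucket contents, the severity policy and every function name are constructed stand-ins for a classification engine and a catalog.

```python
import re
from dataclasses import dataclass, field

# Constructed detectors standing in for a data classification engine (not Open Raven's).
DATA_CLASS_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Constructed policy: any of these classes pushes the alert to the top of the queue.
HIGH_IMPACT_CLASSES = {"ssn", "credit_card", "aws_access_key_id"}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed object contents for two hypothetical buckets; none of this is real data.
SAMPLE_STORES = {
    "s3://customer-exports": {
        "2024/users.csv": "id,name,ssn\n1,Alice,123-45-6789\n2,Bob,987-65-4321\n",
        "2024/logo.png": "\x89PNG",
        "scripts/deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000000\n",
    },
    "s3://static-assets": {"css/site.css": "body { color: #333; }"},
}


@dataclass
class ScanOptions:
    """The knobs from the list above: data classes, file types, budget, sampling."""
    data_classes: set = field(default_factory=lambda: set(DATA_CLASS_PATTERNS))
    include_ext: set = field(default_factory=set)   # empty means every file type
    exclude_ext: set = field(default_factory=set)
    max_objects: int = 1000                         # scan budget (objects inspected)
    sample_every: int = 1                           # 1 = every object, 2 = every other


def _ext(key):
    return key.rsplit(".", 1)[-1].lower() if "." in key else ""


def scan_store(store, options, stores=SAMPLE_STORES):
    """Classify the objects in one store, honouring type filters, budget and sampling.

    Returns {data_class: match_count} with zero-count classes dropped.
    """
    counts = {cls: 0 for cls in options.data_classes}
    keys = sorted(stores.get(store, {}))
    candidates = [k for k in keys
                  if (not options.include_ext or _ext(k) in options.include_ext)
                  and _ext(k) not in options.exclude_ext]
    sampled = candidates[::options.sample_every][:options.max_objects]
    for key in sampled:
        for cls in options.data_classes:
            counts[cls] += len(DATA_CLASS_PATTERNS[cls].findall(stores[store][key]))
    return {cls: n for cls, n in counts.items() if n}


def risk_level(base_severity, findings):
    """Raise the CSPM severity when sensitive data is present in the store."""
    if not findings:
        return base_severity
    if HIGH_IMPACT_CLASSES & findings.keys():
        return "critical"
    idx = SEVERITY_ORDER.index(base_severity)
    return SEVERITY_ORDER[min(idx + 1, len(SEVERITY_ORDER) - 1)]


def enrich_alert(alert, catalog, options=None):
    """Answer "what is in that bucket?" for a CSPM alert.

    `catalog` is a hypothetical data catalog: {store: findings} for stores
    scanned earlier. A miss triggers an on-demand scan whose result is cached.
    """
    options = options or ScanOptions()
    store = alert["resource"]
    findings = catalog.get(store)
    source = "catalog"
    if findings is None:
        findings = scan_store(store, options)
        catalog[store] = findings
        source = "on-demand scan"
    return {**alert, "findings": findings, "findings_source": source,
            "risk": risk_level(alert["severity"], findings)}


if __name__ == "__main__":
    catalog = {}
    alert = {"resource": "s3://customer-exports", "rule": "public-read", "severity": "medium"}
    print(enrich_alert(alert, catalog))
    # Second lookup for the same store is served from the catalog, no rescan.
    print(enrich_alert(alert, catalog))
```

The catalog-first, scan-on-miss ordering mirrors the incident-response flow above: a store that was scanned earlier answers immediately, and a store that was never scanned still gets an answer before the war room has to shrug. Narrowing `data_classes` or excluding file types trades coverage for a cheaper scan, which is why the result records whether it came from the catalog or from an on-demand scan with whatever options were in force.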
In Summary
Open Raven complements CSPM alerts by providing additional value to security teams in a few key areas. Firstly, the Map enables easy exploration of assets, allowing customers to discover data findings, violations, backup status, and unexpected assets outside their designated locations, providing a visual representation beyond rule-based identification. Secondly, Open Raven enriches alerts with data context, addressing the gap in the information supplied by CSPM tools when alerted to potential issues with data stores. By scanning assets and providing data context, Open Raven helps answer crucial questions about content and risk. Finally, in incident response scenarios, the Data Catalog and our APIs allow for quick filtering and analysis of compromised data stores, providing insights into sensitive data that may have been exposed.
With these capabilities, Open Raven enhances the effectiveness of security teams, helping them gain a deeper understanding of their cloud infrastructure and respond effectively to security incidents.