
CrowdStrike Enhances Cloud Asset Visualization to Accelerate Risk Prioritization

9 May 2024 at 15:04

The massive increase in cloud adoption has driven adversaries to focus their efforts on cloud environments — a shift that led to cloud intrusions increasing by 75% in 2023, emphasizing the need for stronger cloud security.

Larger scale leads to larger risk. As organizations increase their quantity of cloud assets, their attack surface grows. Each asset brings its own set of security concerns. Large cloud environments are prone to more cloud misconfigurations, which provide more opportunities for adversaries to breach the perimeter. Furthermore, when breaches do occur, tracing lateral movement to stop malicious activity is challenging in a complex cloud environment.

CrowdStrike, a proven cloud security leader, has enhanced its CrowdStrike Falcon® Cloud Security capabilities to ensure security analysts can easily visualize their cloud assets’ connections so they can better understand and prioritize risks. Today we’re expanding our asset graph to help modern organizations secure everything they build in the cloud.

Stop Adversaries with Attack Path Analysis

We continue to expand our attack path analysis capabilities. Today, we’re announcing support for key AWS services including EC2, S3, IAM, RDS and container images.

With this enhanced support, CrowdStrike customers can quickly understand where their cloud weaknesses would allow adversaries to:

  • Gain initial access to their AWS environment
  • Move laterally to access vital compute resources
  • Extract data from storage buckets

Investigating cyberattacks can be a grueling, stressful task. The CrowdStrike Falcon® platform stops breaches and empowers security analysts to find the root cause of each attack. As Falcon’s attack path analysis extends further into the cloud, customers can leverage CrowdStrike® Asset Graph to more quickly investigate attacks and proactively resolve cloud weaknesses.

Figure 1. A filtered view of cloud assets shows all EC2 instances in the AWS account.


In this example, we are investigating an EC2 instance with a vulnerable metadata version enabled. We see the EC2 instance is open to global traffic, so we select “Asset Graph” to investigate.

In Asset Graph, an adversary’s potential entry point is automatically flagged for us. The access control list is misconfigured and accepts traffic from every IP address. Upon inspection, we quickly visualize how the adversary would move laterally to access our EC2 instance. To resolve this issue, we first restrict the access control list to company-specific IP addresses. Then, we update the metadata service version used by the EC2 instance.

Figure 2. The EC2’s attack path analysis reveals a potential entry point for adversaries.


Both indicators of attack (IOAs) and indicators of misconfiguration (IOMs) are available for each managed cloud asset. With this knowledge, security teams can quickly identify each asset that allows for initial access to their cloud. Furthermore, sensitive compute and storage assets are automatically traced to upstream security groups and network access lists that allow for initial access. Using Falcon’s attack path analysis, security teams quickly see the remediation steps required to protect their cloud from adversaries.
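The check from the walkthrough above, as an added example that is not CrowdStrike code: over constructed data shaped like boto3's ec2.describe_instances() and ec2.describe_security_groups() responses, it traces each instance to its security groups, flags instances that are both reachable from any IP address and still accept IMDSv1 (the "vulnerable metadata version", which is disabled by setting HttpTokens to "required"), and names the two remediation calls. The instance ids, group ids and CIDRs are made up.

```python
"""Flag EC2 instances that are open to the whole internet *and* still accept
IMDSv1. Added example, not CrowdStrike code; the sample dicts are constructed
to match boto3's describe_instances()/describe_security_groups() shapes."""
from __future__ import annotations

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

def open_ingress_rules(security_group: dict) -> list[str]:
    """List ingress rules (protocol/port) that accept traffic from every IP address."""
    open_rules = []
    for perm in security_group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if ANY_IPV4 in cidrs or ANY_IPV6 in cidrs:
            open_rules.append(f"{perm.get('IpProtocol', '-1')}/{perm.get('FromPort', 'all')}")
    return open_rules

def imds_v1_allowed(instance: dict) -> bool:
    """IMDSv2 is enforced only when the endpoint is on and HttpTokens is 'required'."""
    opts = instance.get("MetadataOptions", {})
    return opts.get("HttpEndpoint", "enabled") == "enabled" and opts.get("HttpTokens") != "required"

def find_exposed_instances(reservations: list[dict], security_groups: list[dict]) -> list[dict]:
    """Trace each instance to its upstream security groups; report those that are
    internet-facing *and* still answer IMDSv1 requests, with the fix for each."""
    sg_by_id = {sg["GroupId"]: sg for sg in security_groups}
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            open_rules = []
            for ref in inst.get("SecurityGroups", []):
                for rule in open_ingress_rules(sg_by_id.get(ref["GroupId"], {})):
                    open_rules.append(f"{ref['GroupId']}:{rule}")
            if open_rules and imds_v1_allowed(inst):
                findings.append({
                    "InstanceId": inst["InstanceId"],
                    "OpenIngress": open_rules,
                    # First narrow the rule to company CIDRs, then require IMDSv2.
                    "Remediation": [
                        "revoke_security_group_ingress, re-add with company CIDRs: " + ", ".join(open_rules),
                        f"modify_instance_metadata_options(InstanceId='{inst['InstanceId']}', HttpTokens='required')",
                    ],
                })
    return findings

# Constructed sample data (ids and CIDRs are made up).
SAMPLE_SGS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                              "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-exposed", "SecurityGroups": [{"GroupId": "sg-0aaa"}],
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-hardened", "SecurityGroups": [{"GroupId": "sg-0aaa"}],
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-internal", "SecurityGroups": [{"GroupId": "sg-0bbb"}],
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
]}]

if __name__ == "__main__":
    for finding in find_exposed_instances(SAMPLE_RESERVATIONS, SAMPLE_SGS):
        print(finding["InstanceId"], finding["OpenIngress"], *finding["Remediation"], sep="\n  ")
```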

Investigate Findings with Query Builder

Speed and agility are massive cloud benefits. However, the ability to quickly spin up cloud resources can result in asset sprawl — an unexpectedly large number of cloud assets in a live environment. For example, in some environments, a single S3 bucket can be accessible to many IAM roles. Each of those IAM roles may contain access to a large quantity of other storage buckets. Security teams need a way to sift through massive cloud estates to find the services requiring attention.

Figure 3. A CrowdStrike Asset Graph view reveals the many connections between cloud assets.


The Falcon query builder capabilities allow security teams to ask questions like:

  • Which EC2 instances are internet-facing and contain critical security risks?
  • Have any IOAs appeared on my AWS assets in the last seven days?

Figure 4. A query checking for internet-facing EC2 instances with critical security risks.


With Falcon’s query builder, pinpointing cloud weaknesses becomes an efficient process. Graphical views of cloud assets can be daunting. Building queries with Falcon enables teams to focus their attention on the assets that matter most: those that are prone to exploitation by adversaries.

Delivered from the Unified CrowdStrike Falcon Platform

The expansion of cloud asset visualization is another step toward providing a single console that addresses every cloud security concern. By integrating IOAs and IOMs with a connected asset map, CrowdStrike offers a robust, efficient solution for investigating today’s cloud security challenges. 

Unlike other vendors that may offer disjointed security components, CrowdStrike’s approach integrates elements across the entire cloud infrastructure. From hybrid to multi-cloud environments, everything is managed through a single, intuitive console within the AI-native CrowdStrike Falcon platform. This unified cloud-native application protection platform (CNAPP) ensures organizations achieve the highest standards of security, effectively shielding against breaches with an industry-leading cloud security solution. The cloud asset visualization, while pivotal, is just one component of this comprehensive CNAPP approach, underscoring CrowdStrike’s commitment to delivering unparalleled security solutions that meet and anticipate the adversaries’ attacks on cloud environments.

Get a free Cloud Security Health Check and see Falcon Cloud Security in action for yourself.  

During the review, you will engage in a one-on-one session with a cloud security expert, evaluate your current cloud environment, and identify misconfigurations, vulnerabilities and potential cloud threats. 


How to Secure Business-Critical Applications

9 February 2024 at 21:23

As organizations move more of their business-critical applications to the cloud, adversaries are shifting their tactics accordingly. And within the cloud, it’s clear that cybercriminals are setting their sights on software applications: In fact, industry data shows 8 out of the top 10 breaches in 2023 were related to applications.

The most valuable of these, known as business-critical applications, typically process large amounts of sensitive data including customer information, intellectual property and other critical data. These often have vulnerabilities or are poorly configured, leaving important information exposed to threat actors. Adversaries know this; as a result, many cybercrime groups focus their attacks on this type of software.

In this blog, we detail the steps to protecting your custom-developed business-critical applications to prevent your sensitive data from getting into the wrong hands.

Identify Your Business-Critical Applications

Business-critical applications are fundamental to a company’s operations. They typically process large amounts of sensitive information while creating revenue for the business.  

If a business-critical application is breached, the parent company will be forced to deal with fines, data loss, reputational damage, loss of customers and other concerns. Additionally, the company may see revenue fall if the software goes offline unexpectedly and customers cannot transact on the platform.

Common examples of critical applications include stock trading applications, e-commerce sites, healthcare software, and any other custom software that processes private information or business-critical data. Once custom-developed applications are deemed “business-critical,” they should be considered a top priority for security monitoring and reviews. 

Configure a Secure Digital Infrastructure

Protecting the machines that run business-critical applications is a complex task with many moving pieces. Consider each of the following infrastructure needs:

  • Network segmentation
  • Firewalls
  • Operating system and virtual machine (VM) patching
  • Cryptography
  • Secrets management

Restricting an attacker’s ability to move laterally through the network goes a long way in stopping breaches. By isolating digital assets and requiring authorization to access critical applications, the likelihood of a successful attack is reduced. Furthermore, network packets can be rejected by access control lists and firewalls, including web application firewalls.

Operating systems and VMs must be patched regularly. These underlying systems provide the backbone on which all other software runs; as a result, they are appealing adversary targets and new vulnerabilities must be patched as they are found and disclosed. 

In some cloud configurations, known as “platform as a service” (PaaS), the cloud provider will automatically update the OS and VM to patch vulnerabilities. With on-premises deployments and other cloud configurations, known as “infrastructure as a service” (IaaS), the end user is responsible for patching their own systems.

Data can be stored securely to further protect it in the event of a breach. Encrypting sensitive data, both at rest and in transit, and hashing passwords both reduce the likelihood that an attacker extracts valuable information. Additionally, secrets such as SSH keys and certificates must be protected. A secure digital infrastructure creates a safe environment to run business-critical applications.

Restrict Access Permissions to Required Individuals

Most successful cyberattacks begin with stolen credentials. By limiting both general and administrative access to individuals with a business need for it, you can greatly reduce the risk of compromise. 

The nature of an application determines this access strategy. Internal business applications often use role-based access control (RBAC) to allow or disallow branches of an organization to access an application. For a business-to-consumer application, the access strategy is different. Applications serving a wide audience often grant access to any user who chooses to sign up. 

Regardless of who can access the application as a whole, in all cases it’s crucial to ensure users can only access portions of the application relevant to them. Often, common features are available to all users while specialized features are available to a limited audience. For example, administrative functions may be restricted to a small subset of people who work in the IT department and the parent organization. Business-critical applications should regularly revoke access from users who no longer require access to the system, such as terminated employees.

Once users are authenticated, they are typically provided an application access token. These tokens uniquely identify an individual and allow the software to authorize user requests, rather than repeatedly requiring a username and password. Attackers attempt to steal access tokens so they can impersonate valid users and steal sensitive data from software. Special care must be taken to protect access tokens from attackers. Requiring HTTPS connections for token issue and enforcing token expiration are common defense mechanisms.

Additionally, user permissions should be tested at every server request. Every application programming interface (API) should require that the user’s identity is authenticated and they’re authorized to access the requested information. Establishing effective access permissions for business-critical applications is essential to prevent unwanted users in software and stop breaches.
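The token controls described above, as an added example that is not CrowdStrike's code: HMAC-signed access tokens with a 15-minute lifetime, issued only when the login request arrived over HTTPS, and a request handler that authenticates the token and checks the caller's role on every call. The token format, the two /api routes and the role names are assumptions made for illustration.

```python
"""Issue short-lived signed tokens over HTTPS only, then authenticate and
authorize on every request. Added example, not CrowdStrike code; the token
layout, routes and roles are assumptions."""
from __future__ import annotations
import base64, hashlib, hmac, json, time
from dataclasses import dataclass

SERVER_KEY = b"constructed-demo-key-rotate-in-production"  # constructed, not a real secret
TOKEN_TTL_SECONDS = 900  # 15 minutes: a stolen token stops working quickly

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_token(user: str, roles: list[str], scheme: str, now: float | None = None) -> str:
    """Issue a signed token; refused unless the login request used HTTPS."""
    if scheme != "https":
        raise PermissionError("tokens are only issued over HTTPS")
    now = time.time() if now is None else now
    claims = {"sub": user, "roles": roles, "exp": int(now + TOKEN_TTL_SECONDS)}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def verify_token(token: str, now: float | None = None) -> dict | None:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = time.time() if now is None else now
    return claims if claims["exp"] > now else None

@dataclass
class Request:
    path: str
    token: str | None
    now: float

# Assumed routes: which roles may call each API.
ROUTE_ROLES = {"/api/orders": {"customer", "admin"}, "/api/admin/users": {"admin"}}

def handle(req: Request) -> tuple[int, str]:
    """Authenticate and authorize on *every* request, never trusting the route alone."""
    if req.path not in ROUTE_ROLES:
        return 404, "not found"
    claims = verify_token(req.token or "", req.now)
    if claims is None:
        return 401, "authentication required"
    if not ROUTE_ROLES[req.path] & set(claims["roles"]):
        return 403, f"{claims['sub']} may not access {req.path}"
    return 200, f"ok for {claims['sub']}"
```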

Proactively Monitor for Suspicious Activity

Business-critical applications have great appeal to adversaries. Implementing a robust monitoring solution to detect attacks and stop suspicious data access is essential.

Every software application is hosted somewhere. By adding a runtime protection agent to servers that run business-critical applications, security teams can halt dangerous activity. Common indicators of attack such as persistence, lateral movement and enumeration should trigger alerts to the organization. Real-time insights allow detection and response teams to intercept suspicious activity before data exfiltration occurs. On-premises software benefits from endpoint detection and response solutions, while cloud-native applications use cloud workload protection to stop attacks in real time.

Improve Security Testing in the Software Development Pipeline

Implementing security controls early in the development process helps reduce risk in production. By “shifting security left” and integrating vulnerability scanners in the software development pipeline, development teams can find and fix security bugs early. Security teams that already measure security posture in production can quantify how efforts to shift left reduce risk to the business over time. Integrating vulnerability scanning tools is particularly useful in net-new development, since vulnerabilities are easier to mitigate during initial development.

Custom software applications contain native code and third-party code, often known as “open source.” The owner of the custom software is always responsible for ensuring imported packages do not contain common vulnerabilities and exposures (CVEs). Additionally, the development team can introduce vulnerabilities in their code built in-house. It is the organization’s responsibility to ensure their developers are shipping secure code regardless of deployment location.

Resolve Immediate Risks in Production

Application risk posture is a combination of infrastructure misconfigurations, security vulnerabilities, trust boundaries, business logic and data sensitivity. Analyzing the current risk posture of business-critical applications should be a priority. 

Misconfigurations and vulnerabilities are distinct from one another but introduce similar security concerns. Misconfigurations are insecure infrastructure settings that increase the likelihood of unwanted access. Common misconfigurations include default credentials, unrestricted inbound traffic, public storage buckets and plaintext SSH keys. Software vulnerabilities, on the other hand, are security flaws in code that an attacker can exploit. 

Weakness must be paired with accessibility to be exploitable. For example, a CVE enabling remote code execution is substantially more dangerous when it exists in a public-facing microservice. Trust boundaries are conceptual lines that mark where data from an untrusted source enters the application. Business-critical applications are more likely to be exploited when their vulnerabilities sit at the edge of a trust boundary. Production risk increases where applications communicate with the public internet or with third-party-owned software.

Understanding data flows and APIs is crucial when quantifying business risk. Security teams can make more informed decisions when they understand the data processed at various stages of a business-critical application. APIs transmitting sensitive payloads are a bigger concern than those without sensitive data. Similarly, databases with personally identifiable information present a greater risk than those without. Correlating business logic with sensitive data allows security teams to make more informed decisions.

Monitor Changes to Production

As code changes alter custom applications, it’s imperative to track changes to their risk posture. 

Newly introduced dataflows and APIs can have a massive influence on the likelihood of sensitive data exposure. Even more challenging to manage are changes to existing data flows and APIs — small updates can present massive risk, such as accidentally removing authentication from an API or returning sensitive data in an API’s payload for the first time.

Most code is not created in-house. In fact, open source software accounts for more than 80% of the lines of code in modern software applications. As library versions change, and new libraries are imported for the first time, the CVEs present in an application will change. Understanding both the business impact and likelihood of exploitation for each CVE in production allows security teams to prioritize their efforts.

Maintaining a constant measurement of the production risk posture empowers security teams to stay in sync with their software development counterparts and respond to dangerous changes quickly.

How CrowdStrike Helps Secure Business-Critical Applications

Business-critical applications are valuable assets that require a comprehensive protection plan. The AI-native CrowdStrike Falcon® platform helps you at every step of the journey, from cloud misconfiguration detection to application security posture management and runtime protection.

To learn more, request a demo.


Architecture Drift: What It Is and How It Leads to Breaches

2 February 2024 at 17:21

Cybercriminals work around the clock to discover new tactics to breach systems. Each time a digital ecosystem changes, it can introduce a weakness for a threat actor to quickly discover and exploit. As technological innovation progresses rapidly, and organizations expand their infrastructure, this weakness may take shape in the form of architecture drift. 

Today, we explore the concept of architecture drift: what it is, why it matters and how application security posture management (ASPM) can help.

Why Architecture Drift Is a Problem for DevSecOps

The rise of continuous integration and continuous delivery (CI/CD) and infrastructure-as-code (IaC) means apps, clusters and environments are constantly changing across organizations. Architecture drift occurs when an app, microservice or infrastructure “drifts” out of its intended configuration or approved operating boundaries.

Drift is difficult to detect and it introduces risk, which often isn’t seen or managed until something serious happens, such as an outage, incident or breach. It can happen in a variety of places, including:

  • Infrastructure
  • Network
  • Container orchestration
  • Application runtime
  • Business logic
  • Data flow

Architecture drift may affect infrastructure, for example, when IaC scripts such as Terraform or CloudFormation get out of sync with what’s running in the environments. A development team might use a CloudFormation script to provision a new environment that declares all EC2 instances should be “t2.small.” Meanwhile, an engineer decides to manually add a “c4.large” instance to the same environment. Because C4 compute instances cost significantly more than T2 instances, this change will increase the company’s cloud bill and possibly create problems with reliability and performance.

Business Logic and Data Flows Can Drift Too

Continuous development means code, business logic, data flows and application architecture can change hourly in your environments. Depending on the level of automation and guardrails in your CI/CD pipelines, engineers might deploy code changes on demand or be required to follow a review process should a change be significant. These code changes can cause assets to drift, potentially interacting with one another and creating new risks.

A single code change can introduce new:

  • Services
  • APIs
  • Dependencies
  • Libraries
  • Third-party service calls
  • Datastore or database connections
  • Data flows
  • Risks you might not have considered or thought about

Even tiny changes can have a big impact. For example, several years ago, a small code change resulted in a personally identifiable information (PII) exposure at an enterprise. The risk made its way into production because the engineer who committed the code change didn’t know their code touched PII and said as much in their change request questionnaire. As a result, they caused code to drift and interfere with data it shouldn’t have been near, unintentionally exposing the sensitive data.

We detect and observe drift frequently among customers of Bionic, a CrowdStrike company. More often than not, that drift is related to business logic, architecture and data flows. You can’t eliminate all risks in applications or the business, but you can start to go beyond what you know and think differently about what could impact your business.

Applications are complex beasts to tame, encompassing hundreds or thousands of components and dependencies. Every code change introduces potential risk. The question is: Do you see these risks and know their potential impact?

How to Detect Architecture Drift

With application security posture management, you can detect and manage application drift in real time. ASPM allows teams to quickly baseline and lock in their application architectures, so they have drift policies that can notify them in real time, should an architecture change. For example, ASPM can detect things like new services, APIs, new libraries, ports, connections, dependencies or even data flows that an application might start to exhibit following CI/CD deployments or code changes.

ASPM flags these drifts and provides full business and application context so your teams can prioritize based on the criticality of the services or data flows that are impacted. They can also visualize where each drift is occurring so teams see the full picture and catch drift before it causes a problem.
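One way to implement the baseline-and-drift-policy idea above, covering the three layers the post walks through (instance types that the IaC template never declared, APIs that drop authentication or start returning PII, and library changes), as an added example that is not Bionic's or CrowdStrike's code. Both snapshots are constructed, and the snapshot schema, policy names and severities are assumptions.

```python
"""Compare a locked-in architecture baseline against what a deployment
actually exhibits and emit drift events with a policy and severity.
Added example, not Bionic/CrowdStrike code; schema and severities are assumed."""
from __future__ import annotations

SEVERITY = {"api_auth_removed": "critical", "api_now_returns_pii": "high",
            "new_api": "medium", "library_changed": "medium",
            "instance_type_not_in_iac": "medium"}

def _index(items: list[dict], key: str) -> dict:
    return {item[key]: item for item in items}

def detect_drift(baseline: dict, current: dict) -> list[dict]:
    """Return drift events, most severe first."""
    events = []
    # Infrastructure: any running instance type the IaC template never declared.
    for inst in current["instances"]:
        if inst["type"] not in baseline["iac_instance_types"]:
            events.append({"policy": "instance_type_not_in_iac", "asset": inst["id"], "detail": inst["type"]})
    # APIs: compare against the locked-in auth and data-flow properties.
    before, after = _index(baseline["apis"], "path"), _index(current["apis"], "path")
    for path, api in after.items():
        old = before.get(path)
        if old is None:
            events.append({"policy": "new_api", "asset": path, "detail": "not in baseline"})
            continue
        if old["auth_required"] and not api["auth_required"]:
            events.append({"policy": "api_auth_removed", "asset": path, "detail": "authentication dropped"})
        if not old["returns_pii"] and api["returns_pii"]:
            events.append({"policy": "api_now_returns_pii", "asset": path, "detail": "PII entered the payload"})
    # Libraries: a new import or version bump changes which CVEs are present.
    for name, version in current["libraries"].items():
        if baseline["libraries"].get(name) != version:
            events.append({"policy": "library_changed", "asset": name,
                           "detail": f"{baseline['libraries'].get(name)} -> {version}"})
    for event in events:
        event["severity"] = SEVERITY[event["policy"]]
    return sorted(events, key=lambda e: ["critical", "high", "medium"].index(e["severity"]))

BASELINE = {  # constructed: the approved architecture locked in after the last review
    "iac_instance_types": {"t2.small"},
    "apis": [{"path": "/api/accounts", "auth_required": True, "returns_pii": True},
             {"path": "/api/health", "auth_required": False, "returns_pii": False}],
    "libraries": {"libjson": "1.4.0"},
}
CURRENT = {  # constructed: what a later deployment actually exhibits
    "instances": [{"id": "i-web1", "type": "t2.small"}, {"id": "i-manual", "type": "c4.large"}],
    "apis": [{"path": "/api/accounts", "auth_required": False, "returns_pii": True},
             {"path": "/api/health", "auth_required": False, "returns_pii": True},
             {"path": "/api/export", "auth_required": True, "returns_pii": True}],
    "libraries": {"libjson": "1.4.0", "libxml": "3.2.0"},
}

if __name__ == "__main__":
    for event in detect_drift(BASELINE, CURRENT):
        print(f"[{event['severity']:8}] {event['policy']}: {event['asset']} ({event['detail']})")
```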

ASPM at CrowdStrike

CrowdStrike acquired Bionic in September 2023 to bring market-leading application security to CrowdStrike’s leading cloud-native application protection platform (CNAPP). With ASPM, CrowdStrike delivers comprehensive risk visibility and protection across the entire cloud estate, from cloud infrastructure to the applications and services running inside of them.

Stay tuned for more educational blogs on this important topic! 
