At WWDC23 this week, Apple made some big announcements across its product lines and maintained its annual ritual of upgrading macOS, now to version 14 and tagged as macOS Sonoma. At SentinelOne, we’re already busy testing the new operating system and preparing for macOS 14 support.

With Apple’s mixed AR/VR kit Vision Pro predictably grabbing most of the headlines, the latest developments in macOS might have seemed a little underwhelming. However, our early look at the Sonoma beta suggests Apple has given the operating system and supporting services some much needed attention that should be welcome news to enterprise users.

Here’s a quick round-up of what’s new in the early preview released this week.

Sonoma Specs | macOS 14 Hardware Requirements

Apple continues its migration away from Intel architecture with macOS Sonoma dropping support for another year’s worth of hardware. Last year, Ventura dropped support for models earlier than 2017. This year, with the exception of the iMac 2017, Sonoma requires a Mac manufactured in or after 2018.

Notably, Sonoma drops support for the 2017 line of Intel MacBook Pros and iMacs. The ill-fated MacBook, first introduced in 2015 and not updated since 2017, is now entirely cut off from further macOS upgrades.

As for the rest of the Intel line, last updated in 2019, it’s not unimaginable that Sonoma could be the end of the line. Certainly, support for Intel Macs is unlikely to extend beyond next year’s macOS 15 as the company completes its ARM64 transition.

Safari Profiles | Apple Taking Work Seriously

In Safari 17, users can now take advantage of Profiles to help maintain that work-life separation, something that is increasingly important as more organizations move towards allowing hybrid use of “mobile” devices – think laptops not just smartphones – in the workplace.

Users can make as many Profiles as they wish – work, education, social, hobbies – and each gets its own bookmarks, favorites, history, cookies, and extensions. Identification of which profile you’re in is accomplished by a simple dropdown menu in the toolbar.

Video Conferencing | Zoom In on the Details

The pandemic unarguably changed the nature of work with video conferencing software suddenly becoming a necessity for pretty much everybody in the enterprise. Recognizing the centrality of video conferencing software to people’s workday, Sonoma introduces some enhancements that will work across third party apps. These include “Presenter Overlay” that allows the speaker to move independently of a display of their screen, allowing them to highlight different details.

The newly-introduced screen sharing picker will also ease fears about sharing unwanted details inadvertently. Instead of having to pick an entire display to share to the audience, Sonoma will allow the user to pick just the view from a particular app, multiple apps or an entire screen.

Passwords and Passkeys | Making Theft Harder, Sharing Simpler

Apple had previously announced Passkeys in Ventura as a long-term solution and replacement for passwords, but in Sonoma there’s a new emphasis on using passkeys in the workplace to help protect against cyber attacks from vectors such as phishing, credential theft and 2FA bypasses.

With Sonoma, passkeys are now supported across Managed Apple IDs. Moreover, admins can now control which devices users can sign in with and ensure that passkeys stay on work devices only.

Users can also create groups for passwords and passkeys such that they can be shared securely with others in the group. While this is touted primarily as a “family and friends” feature, it also has obvious benefits for small teams that need to share credentials for some common resources.

Safari 17 | Create a Web App from Any Webpage

In Sonoma, Safari adds the ability for users to create a web app from any web page simply by browsing to the site and choosing ‘Add to Dock’ from Safari’s File menu.

The web app isn’t just a short link to open the site in the browser – it’s a completely browser-independent application. Internal links will open within the web app, though this and some other ways the web app behaves can be customized by web site devs. By default, users should remain logged in to any accounts associated with the site, but there are some gotchas for devs to look out for. More information can be found here, but web apps could be a great feature for enterprises that want to provide a unique experience for either employees or customers.

For Mac Admins | Declarative Device Management

Away from the user interface, Apple is making improvements to the way IT admins manage their fleet of Macs with further development of “DDM” – Declarative Device Management. DDM works with the existing MDM (Mobile Device Management) but is ultimately intended to replace it.  DDM brings greater support for enforcing software updates, managing applications and securing devices through task monitoring and lockdown of system services. More information about DDM can be found in the WWDC session here.

Security and Privacy | Application Data Protection

macOS Sonoma brings some under the hood changes to data security which we will be keenly testing over the beta period. Among these are new restrictions designed to protect application data such as session cookies and other sensitive files like databases from messaging apps (e.g., Telegram, Signal, WhatsApp and others) that can be stolen by malware.

Up to now, sandboxing has been a one-way affair – sandboxed apps are prevented from reaching out to access data elsewhere, but there’s nothing to stop unsandboxed apps from reaching in to grab data held in a sandboxed app’s container.

In macOS 14, Sonoma requires user consent before any application can access data in a data container from a different developer. This protection only applies to apps that are sandboxed, so any unsandboxed app is still wide open for data theft from other unsandboxed applications or processes. Given that this entire process is an extension of Apple’s much-troubled TCC controls, we’ll be keeping a close eye on how this develops.

Meanwhile, Apple has also extended privacy protections in Safari 17’s Private Browsing mode, offering additional privacy by discarding history of visited pages, searches and AutoFill information when the private tab is closed – you’d be forgiven for thinking that it should have already been doing that. Alongside that, Safari in Sonoma now prevents known tracking and fingerprinting resources from being loaded during private browsing.

Finally, Apple announced a much-welcome improvement in App Extension privacy. Browser extensions can now be managed with more granularity, with users able to choose which webpages an extension can access on a per-site basis rather than having to grant wholesale access to every site or none at all.

SentinelOne Support for macOS Sonoma

Our dedicated Mac development team is already busy working on support for macOS 14 Sonoma. We will be announcing the release of Agent version 23.1 GA in the coming weeks for customers who wish to test Apple’s beta versions of Sonoma.

As always, we will officially support the new version of macOS after final testing of the public release later this year. In line with Apple’s own guidelines, SentinelOne recommends users not to test beta software in a production environment as beta versions can be unstable from one version to another.

Conclusion | “So That’s Sonoma”

Integration has been a theme of macOS development for some years now – making Macs work more seamlessly with iOS and other elements of Apple’s ecosystem – and much of that focus has been related to the idea of Macs being used in the home and for entertainment purposes. While Apple has a long history of marketing its line of computers to both enterprise and educational audiences, support for features that such users typically need hasn’t always been top of mind.

With Sonoma, Apple has put some much needed attention on to the fact that Macs are widely used in workplace and educational settings as well as for personal use. If Sonoma doesn’t bring any headline grabbing changes to “wow” new users, it nevertheless does a lot of good work around the edges and between the cracks to firm up the operating system as fit for use in professional settings.

From shared passkeys and smarter video conferencing to web apps and better device management, macOS Sonoma looks like Apple has understood and reacted to its ever increasing presence in the workplace. We look forward to testing Sonoma as it develops over the summer and we’ll be back with our final verdict when the public release drops later in 2023.

By Alex Delamotte and James Haughom

SentinelOne has observed in-the-wild (ITW) exploitation of CVE-2023-34362, a vulnerability in the MOVEit file transfer server application. The attack delivers a Microsoft IIS .aspx payload that enables limited interaction between the affected web server and connected Azure blob storage. On June 5, the Cl0p ransomware group claimed responsibility for these attacks, though SentinelOne notes the targeting of a file transfer application vulnerability resembles other exploitation conducted by financially motivated actors throughout early 2023.

In this post, we provide technical details of the attack chain along with hunting queries and a PowerShell script that can be used to scan for potential exploitation of the MOVEit Transfer vulnerability.

Overview

Through the last week of May and early June 2023, SentinelOne observed active exploitation of Windows servers running a vulnerable version of Progress Software’s MOVEit Transfer file server application. The attack delivers a minimal webshell that the attacker can use to exfiltrate the contents of files, including files hosted in Microsoft Azure when the targeted MOVEit instance is configured to use Azure’s blob storage service. As of June 5, the Cl0p ransomware group claimed responsibility for these campaigns.

While exploitation is likely opportunistic, SentinelOne observed attacks against more than 20 organizations in the following sectors, with Managed Security Service Providers (MSSP) and Managed Information Technology Service Providers (MSP) impacted most frequently:

• Aviation, Transportation & Logistics
• Entertainment
• Financial Services & Insurance
• Healthcare, Pharmaceuticals & Biotechnology
• Managed Information Technology Service Providers (MSP)
• Managed Security Service Providers (MSSP)
• Manufacturing & Building Materials
• Mechanical Engineering
• Print & Digital Media
• Technology
• Utilities & Public Services

The vulnerability impacts the following versions of MOVEit Transfer:

• MOVEit Transfer 2023.0.0: fixed in 2023.0.1
• MOVEit Transfer 2022.1.x: fixed in 2022.1.5
• MOVEit Transfer 2022.0.x: fixed in 2022.0.4
• MOVEit Transfer 2021.1.x: fixed in 2021.1.4
• MOVEit Transfer 2021.0.x: fixed in 2021.0.6

Technical Details

These attacks are conducted against Windows servers running a vulnerable version of the MOVEit file transfer application, which attackers can identify through port scanning or internet indexing services like Shodan.

Progress Software recently published an advisory detailing a vulnerability in MOVEit Transfer that could enable privilege escalation and unauthorized access to the targeted environment. The advisory details the issue as a SQL injection vulnerability-reported as CVE-2023-34362–which can allow an unauthorized attacker to inject SQL commands and obtain information from the targeted database.

The attack chain leverages this vulnerability to conduct an arbitrary file upload via the moveitsvc service account to the server’s MOVEitTransferwwwroot directory. The system’s svchost.exe process launches w3wp.exe, a Microsoft Internet Information Service (IIS) worker process, which then writes several files to a new working directory in Temp. The working directory and subsequent files share the same 8-character, pseudo-random naming syntax, with one example writing the following files:

C:WindowsTemproyq2cir
C:WindowsTemproyq2cirroyq2cir.tmp
C:WindowsTemproyq2cirroyq2cir.0.cs
C:WindowsTemproyq2cirroyq2cir.dll
C:WindowsTemproyq2cirroyq2cir.cmdline
C:WindowsTemproyq2cirroyq2cir.out
C:WindowsTemproyq2cirroyq2cir.err

The w3wp.exe process launches csc.exe to compile the C# code into the payload, which is saved as human2.aspx. The payload is a minimal webshell that queries information about the database configuration, enabling the actor to:

• Connect to specified SQL databases
• Exfiltrate the contents of files hosted by MOVEit Transfer
• When MOVEit Transfer is connected to Azure blob storage, exfiltrate contents of specific files in Azure’s blob storage service

To exfiltrate files, the attacker can specify the targeted object’s File ID and Folder ID in HTTP headers of a request made to the webshell. The shell then returns the specified file’s content as a Gzip object in the server’s HTTP response. The shell also deletes the existing user named “Health Check Service” and creates a new user with the same username, likely as a means of persistence.

At the time of writing, SentinelOne has not observed subsequent activity following placement of the webshell.

Mitigation & Prevention

Organizations using MOVEit Transfer should upgrade affected systems immediately. In situations where upgrades cannot be performed, the system should be taken offline until it can be upgraded. Ensure your security team can access and analyze application logs from servers that run MOVEit Transfer, including Microsoft IIS logs.

Because exploitation occurs through interaction with MOVEit Transfer at the application level, detection opportunities for Endpoint Detection & Response (EDR) tooling are limited to later-stage activity. SentinelOne notes that each payload is dynamically compiled at runtime, resulting in a unique hash for each victim. While we are providing a list of hashes associated with payloads delivered through these campaigns, organizations should not rely on hashes alone to detect these attacks.

We recommend that organizations using MOVEit Transfer conduct threat hunts and log analysis using the resources provided below.

Hunting Queries

SentinelOne is providing the following queries that organizations can use to hunt for activity associated with these attacks. While these queries are not necessarily inclusive of all attack scenarios, the results should be investigated and triaged. Additionally, defenders should look for unusual activity initiated by the MOVEit Transfer service account: the default value is moveitsvc, though some instances may have a custom account name.

In addition to these queries, SentinelOne is providing a script to scan for potential exploitation of the MOVEit Transfer vulnerability.

Conclusion

Based on the activity observed by SentinelOne, we believe the attacker’s goal is to establish access to as many victim environments as possible to conduct file exfiltration at scale.

While the Cl0p ransomware group claimed credit for these attacks, SentinelOne notes that these techniques align with a broader trend of financially motivated attacks against web servers running vulnerable file transfer software. This category of activity includes attacks against Aspera Faspex software that delivered IceFire ransomware earlier in 2023, as well as attacks attributed to Cl0p that exploited a 0-day flaw in the GoAnywhere managed file transfer (MFT) application. Based on the relative increase in file transfer server attacks that use 0-day and N-day exploits, there is likely an abundant exploit development ecosystem focused on enterprise file transfer applications.

The actor’s choice to use the MOVEit flaw to target files in Azure cloud storage is notable, if this activity is solely associated with the Cl0p ransomware group. Cloud-focused extortion actors like Bianlian and Karakurt use multipurpose file management tools like Rclone and Filezilla. A bespoke webshell designed to steal Azure files through SQL queries specific to the targeted environment represents a notable departure from this established norm and suggests the tooling was likely developed and tested well in advance of ITW attacks.

Indicators of Compromise

Files associated with exploitation of vulnerable MOVEit Transfer instances include the following.

SHA1
d013e0a503ba6e9d481b9ccdd119525fe0db7652
34d4b835b24a573863ebae30caab60d6070ed9aa
c8e03cb454034d5329d810bbfeb2bd2014dac16d
eee9451901badbfbcf920fcc5089ddc1ee4ec06d
73f19114d61bd09789788782f407f6fe1d6530b9
7d91f5b03932793ff32ad99c5e611f1e5e7fe561
a2f74b02f29f5b1a9fe3efe68c8f48c717be45c2
c756c290729981d3804681e94b73d6f0be179146
11608a031358817324568db9ece1f09e74de4719
b8704c96436ffcbd93f954158fa374df05ddf7f6

Enterprise businesses continue to undergo digital transformations, finding new ways to connect with their client base, embracing hybrid and work-from-home strategies, and scaling their operations through innovative technologies. Though cloud adoption has been a key driver for these transformations, the unique challenges of securing cloud environments remains a top concern amongst enterprise leaders and security professionals.

Most recently, Fortinet’s 2023 Cloud Security Report found that most global respondents across various industries expressed a moderate to high level of concern regarding cloud security. 43% of those surveyed believed that risks associated with using a public cloud far surpassed those tied to traditional, on-prem environments. One of the top risks identified highlighted the unique challenge of meeting cloud-specific compliance requirements.

This post provides an overview of the various regulations and requirements that impact cloud security and focuses on practical cyber best practices enterprises can implement to ensure compliance and continue benefiting from the cloud.

Changing Landscapes | How Cloud Security Needs Are Evolving

In a report covering data security in an era of hybrid work, ransomware, and accelerated cloud transformation, researchers examined the momentum that cloud adoption continues to see. Of those surveyed, a third of companies stated that they had 41% to 60% of all their corporate data stored in an external cloud. Another 22% of those participants indicated that over 60% of their business critical data was based in the cloud.

With so much of the world’s data now held in the cloud, enterprises are expected to meet set standards for cloud usage and security in accordance with industry-specific guidelines as well as local, state, federal, and international laws. Regulations and compliance controls serve to protect businesses and their clients; however, shifts in the greater threat landscape mean that they are frequently subject to change.

Even in terms of obtaining cyber liability insurance coverage, modern enterprises based in the cloud must be certain that their cloud infrastructure meets all applicable controls and regulations. Insurance carriers, particularly those that serve high risk industries like IT, finance, and healthcare, all require advanced cybersecurity measures in order to bind their insurance policies. Since the cloud surface is faced with many inherent risks, security strategies are now a hard requirement for any kind of coverage.

Addressing the Challenges of Securing Modern Clouds

Cloud computing has long evolved from just a means of storing data. The past decade has seen cloud bloom into a full-scale computing solution and enable an entire generation of organizations to share, optimize, manage, and scale information like never before.

Though powerful and very beneficial, the features that make cloud services so useful to enterprises are the same ones that make data in the cloud a challenge to regulate and secure. Security leaders defending their organization’s cloud environment take into consideration the following dimensions of cloud security:

• Data security – Cloud infrastructures and the use of multiple cloud services leave a wide surface for cyberattack. As vast amounts of sensitive data and workloads continue to be deployed to the cloud, the task to secure them all grows.
• Automated and continuous monitoring – Some security regulations and laws require cloud-based enterprises to monitor their cloud infrastructure. Depending on what solutions an enterprise uses for threat monitoring, this can create a large burden on small, in-house security teams or organizations that are still building up their security staff.
• Network visibility – For those who have deployed a hybrid network, establishing full network visibility can be daunting. Security teams working in hybrid networks face a more complex challenge since they need to keep eyes on a range of topologies, varying features, and data discrepancies.
• Fleet visibility – Similar to network visibility, cloud environments pose a unique challenge for asset and inventory monitoring. The different composition of cloud assets, from virtual machines to containerized workloads or the orchestration services that host them, are inherently more difficult to track than physical assets.
• Multi-cloud workflows – Multi-cloud architectures allow enterprises to stay agile, but they make workflow management more complex. The more workflows there are, the harder it is to ensure compliance across them all since there are many people making changes and accessing data.

How to Build a Stronger Cloud Security Compliance Posture

Cloud compliance describes the process and act of meeting regulatory standards, industry guidelines, and applicable legal requirements for using cloud technology. Compliance in cloud environments starts in the planning and initial deployment stage with the right settings, policies, and best practice frameworks in place to guide ongoing use.

Since many cyberattacks on the cloud surface are the result of poor implementation of cloud security measures, insider threats, and misconfigurations, focusing on cloud compliance management can help security leaders prioritize what needs to be done to achieve a stronger security posture.

1 – Get to Know the Compliance Security Frameworks

The following is a list of the most widely-used government and industry-specific security regulations that pertain to cloud-based organizations.

HIPAA (Health Insurance Portability & Accountability Act) federal standards seek to protect sensitive health information from being disclosed without the knowledge and consent of the patient it belongs to. The HIPAA Security Rule is a subset of requirements that supports these standards and covers all individually identifiable health information created, received, maintained, or transmitted in electronic form.

Organizations that create, receive, maintain, and or transmit electronic protected health information (e-PHI) through a cloud platform must:

• Ensure the confidentiality, integrity, and availability of all e-PHI
• Detect and safeguard against anticipated threats to the security of the information
• Protect against anticipated impermissible uses or disclosures that are not allowed by the rule
• Certify compliance by their workforce
• Use PHI-compliant vendors for services that may expose PHI

SOX (Sarbanes-Oxley Act) is a federal law enforcing auditing and financial regulations upon public companies to improve the reliability of their financial reporting and foster investor confidence in the age of high-profile corporate crime. To comply with SOX, companies are required to:

• Implement strong digital safeguards in place to prevent data tampering
• Have verifiable controls to monitor all data access
• Establish policies to disclose data breaches to SOX auditors and other applicable parties

Public companies adhering to SOX guidelines are only permitted to work with cloud service providers that themselves follow the Statement on Auditing Standards No. 70 or the Statement on Standards for Attestation Engagements No. 16 auditing guidelines.

PCI DSS (Payment Card Industry Data Security Standard) was developed to protect all payment account data throughout the payment lifecycle. Any organization, merchant, service provider, or institution that processes card payment transactions are required to abide by PCI DSS controls. These controls focus on building and maintaining a secure network and system to protect cardholder data through robust access controls.

Cloud-specific PCI DSS controls to be followed include:

• Physical firewalls and network segmentation at the infrastructure level
• Firewalls at the hypervisor and VM level
• VLAN tagging or zoning in addition to firewalls
• Intrusion-prevention systems at the hypervisor and/or VM level to detect and block unwanted traffic
• Data-loss-prevention tools at the hypervisor and/or VM level
• Controls to prevent out-of-band communications occurring via the underlying infrastructure
• Isolation of shared processes and resources from client environments
• Segmented data stores for each client
• Strong, two-factor authentication (MFA/2FA)
• Separation of duties and administrative oversight
• Continuous logging and monitoring of perimeter traffic, and real-time response

The NIST (National Institute of Standards & Technology) framework is a risk-based approach to managing cybersecurity risks through a repeatable and measurable process. NIST Special Publication 800-144 (“Guidelines on Security and Privacy in Public Cloud Computing) outlines recommendations organizations can follow when outsourcing data, applications, and infrastructure to a public cloud environment. Other special publications geared specifically towards cloud computing include:

• NIST SP 500-291 – Compiles available cloud computing standards and identifies gaps.
• NIST SP 500-293 – Provides a detailed cloud infrastructure security framework for government use.
• NIST SP 800-53 Rev. 5 (2020) – A commonly used information system security standard, also relevant to cloud environments.
• NIST SP-800-210 (2020) – Details cloud security and access controls, providing guidance to help secure Paas and IaaS services.

ISO 27001 is recognized internationally as an information security standard for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving Information Security Management Systems (ISMS).

Under this main umbrella of standards, ISO 27017 is a set of security controls specific to cloud computing and ISO 27018 set of privacy controls for managing personal data in cloud environments.

FedRAMP (Federal Risk & Authorization Management Program) is a federally recognized and government-wide compliance program promoting the adoption of secure cloud services. It standardizes the security assessment and authorization of any cloud products and services used by U.S. federal agencies.

2 – Understand Roles & Responsibilities of Cloud Service Providers

The responsibility of securing a cloud environment is not shifted from an enterprise to their cloud service provider (CSP) – rather, it is shared. This starts with an understanding between all associated parties with access to the cloud through frameworks such as the Cloud Shared Responsibility Model.

The model clearly defines the areas of control and protection that each party must handle to ensure a secure and reliable cloud environment. In this model, the CSP is responsible for securing the underlying cloud infrastructure, including servers, networks, and physical facilities. On the other hand, the enterprise is accountable for managing their data, applications, user access, and configurations.

The significance of the Cloud Shared Responsibility Model lies in establishing clear boundaries and expectations for both CSPs and customers. It helps organizations understand the division of responsibilities and assists in making informed decisions about implementing additional security measures to protect their data and applications. By clarifying the shared responsibilities, the model promotes collaboration, risk mitigation, and effective security management in the cloud.

3 – Lay Down Corporate Cloud Policies & Cloud Governance

Developing cloud security policies that make sense for a unique business begins with assessing risks. Since there are inherent risks to consider, security leaders will need to look at what information is shared to the cloud, how it is being stored, and what requires business-critical levels of control and access.

Post risk assessment, design policies and controls around the cloud risks and then establish cloud governance to disseminate and manage those policies to the rest of the organization. Having a formal governance model in place reduces friction between various teams when the new cloud policies are implemented and refined. Both cloud adoption and governance champions should be in regular contact to evaluate and adjust corporate cloud policies to fit the evolving needs of the business.

4 – Establish Cloud-Related Change Management

In cloud computing, changes to the systems, services, or configurations will need to be tightly controlled involving workflows to review, approve, and even document any modifications and updates made to any part of the cloud infrastructure or applications.

While cloud solutions and services enable flexibility and speed, these benefits can also make managing change a challenge for security teams. Improperly established change control can result in misconfigurations early on in the cloud deployment process, leaving the environment exposed to opportunistic threat actors.

To establish proper change management processes for cloud:

• Continuously monitor any administrator and root accounts for indications of unauthorized access.
• Implement role-based access and group-level privileges. Only grant access based on an individual’s tasks and workflows and work off of a least privilege principle for all users in the cloud.
• Offboard dormant or obsolete accounts to remove the changes of account takeover by threat actors.
• Enable logging on critical resources held in the cloud and protect logs through encryption.

Conclusion

Growing cloud adoption rates reaffirm its popularity amongst organizations of all sizes. Used to increase scalability, flexibility, and operational efficiency, cloud computing has risen as a driving force behind many modern businesses. As more businesses migrate to cloud as part of their ongoing digital transformations, cloud compliance will remain a keystone within the overarching cybersecurity strategy.

Building a strong cloud strategy focused on achieving compliance means understanding what legal and regulatory requirements are required for specific industries and locations of operation. Also, taking time to perform a detailed risk assessment allows security teams to design policies and governance models that are streamlined to the business and support the ongoing use of innovative cloud technologies.

Learn about how SentinelOne’s Singularity Cloud solution protects the cloud surface from advanced cyberattacks, allowing business leaders to focus on their operations and clients. Improve your cloud security strategy through a combination of endpoint detection and response (EDR) capability, autonomous threat hunting, and runtime solutions that can defeat cloud-based threats without compromising agility or availability. Contact us today or book a demo for more details.

Cloud security remains front of mind for global enterprise leaders as more businesses migrate to public, private, hybrid, or multi-cloud environments. While the return on investment for using this technology is clear, embedding adequate security in all aspects of cloud applications, infrastructure, and data can prove to be a moving target.

The reason for this? As adoption of the cloud reaches higher rates, so too is the challenge of securing these increasingly complex cloud environments. In fact, Gartner reports that enterprises have spent more than $1.3 trillion on cloud technology and that this number could rise to $1.8 trillion by 2025. Other findings on cloud use note that over 60% of all corporate data worldwide is stored in the cloud as of 2022.

In response to this complexity, cloud-native security has emerged as a way to best secure cloud-first apps and infrastructure. This post discusses how modern businesses can best design a cloud-native security strategies and use cloud-native application protection platforms (CNAPPs) to deploy their applications at scale and securely.

The Emergence of Cloud-Native Security

Traditional security approaches were not designed to address the unique characteristics of cloud environments, including its dynamic infrastructure, microservices, and containerization.

To address this gap in protection, security practices and tools were developed to align with the cloud-native paradigm and tailored specifically for complex architectures. These practices encompassed securing containerized applications, managing access controls, implementing security automation, and leveraging cloud-native monitoring and logging solutions.

Cloud-native security refers to the set of practices, technologies, and tools designed to protect cloud-native applications and infrastructure. It focuses on securing applications and data that are built and deployed in cloud environments, such as public, private, or hybrid clouds, using the principles of cloud-native development.

Most significantly, a cloud-native security approach is one where security is not an added afterthought – it’s built directly into the application and infrastructure. It centers around a fundamental shift from traditional security strategies, which often focus on the network perimeter. Instead, a cloud-native strategy emphasizes identity and access management, container security and workload security, and continuous monitoring and response.

Cloud-Native Security Best Practices | Understanding the Three R’s

Cloud-native applications leverage serverless functions and containers, making them highly dynamic. The “Rotate, Repave, and Repair”, or “Three R’s” framework emphasizes proactive security practices, including regular credential rotation, immutable infrastructure, and rapid vulnerability management. Security teams protecting cloud-native environments use this framework to reduce the attack surface, minimizing the impact of potential compromises, and maintaining a known and secure state of infrastructure and applications.

Rotate

Security teams are tasked with regularly rotating or changing credentials, keys, and secrets used for accessing resources within the cloud environment. This involves rotating API keys, passwords, encryption keys, database credentials, and other access credentials/tokens on a predefined schedule or in response to security incidents or vulnerabilities. Regularly rotating credentials helps minimize the impact of a potential compromise by limiting the window of opportunity for unauthorized access. Since credential values are not kept for long, rotation makes it difficult for attackers to gain access or perform lateral movement.

Tip : Implementing secure key management practices and leveraging automation tools can simplify the rotation process. 

Repave

This refers to the practice of rebuilding or recreating infrastructure components from scratch instead of attempting to fix or patch them when security issues arise. In the context of cloud-native security, this concept is closely tied to the concept of an “immutable infrastructure”, where infrastructure components and configurations are treated as unchanging and are replaced rather than modified.

When security vulnerabilities or incidents occur, the affected components are entirely replaced with fresh instances or containers, ensuring that any compromised or potentially compromised elements are removed.This approach helps ensure that the infrastructure remains in a known good state and reduces the risk of lingering security issues or hidden compromises.

Repair

A crucial element of a strong cloud defense is the capability of identifying and addressing security vulnerabilities in the infrastructure or applications efficiently. This involves promptly applying patches, updates, and security fixes to address known vulnerabilities. Security teams can shorten their mean time to discovery through regular security assessments, vulnerability scanning, penetration testing, and code reviews – all vital aspects in identifying areas that require repair.

Tip : Staying informed about security updates and advisories, and having a defined process for applying patches and updates can help in detecting and responding to security incidents, allowing for timely repairs. 

Adopting a Layered Approach | The 4 C’s of Cloud-Native Security

Cloud-native security can be represented by four core principles: cloud (servers or data centers), cluster, container, and code. These principles can be thought of as layers of a whole in which each layer informs the next. Known as the 4 C’s, they allow security teams to consider security holistically across all parts of a cloud-native environment.

The Cloud Layer

The outermost layer in this approach, the cloud layer represents the infrastructure hosting and executing the applications in the environment. Enterprises can select a reputable cloud service provider (CSP) to help them develop a structured cloud strategy. CSPs should have a strong security track record and a robust set of security features and services. To achieve cloud security:

• The CSP and the enterprise both understand the shared responsibility model and clearly define the security responsibilities between them.
• Implement strong access controls, enforce multi-factor authentication (MFA), and regularly review and update permissions to ensure only authorized access to cloud resources.
• Encrypt sensitive data at rest and in transit, leveraging encryption services provided by the CSP.
• Regularly monitor and review CSP security notifications and updates to stay informed about any changes or vulnerabilities that may impact a cloud environment.

The Cluster Layer

The cluster layer focuses on securing the container orchestration platform, such as Kubernetes, and the cluster of nodes running the containerized applications. Best practices for securing clusters are to:

• Follow secure cluster configuration practices, such as using strong authentication mechanisms and securely managing cluster access credentials.
• Implement network segmentation and firewall rules to restrict traffic and communication between different components of the cluster.
• Regularly update and patch cluster components, including the control plane and worker nodes, to address known vulnerabilities.
• Leverage secure networking and service mesh solutions to enhance network security within the cluster.
• Implement container image scanning and runtime security measures to detect and prevent malicious activity within the cluster.

The Container Layer

The container layer consists of resources in a containerized application – one of the most critical elements in setting up a cloud-native environment. Since container images are often marred with security vulnerabilities or are associated with content from untrusted sources, being able to close security gaps at the container level keeps the greater cloud-native architecture safe. To do so:

• Use trusted and validated container images from reputable sources, and regularly update them to include the latest security patches and fixes.
• Employ secure container runtime configurations, such as limiting container privileges, implementing resource constraints, and utilizing namespaces and seccomp profiles.
• Implement container isolation mechanisms, such as running containers within secure sandboxes or leveraging virtualization technologies for added security.
• Regularly scan container images for vulnerabilities and apply appropriate remediation actions.
• Implement secure container orchestration practices, such as pod security policies and admission controllers, to enforce security policies during container deployment.

The Code Layer

More traditional strategies are often used to secure the code layer, such as endpoint monitoring and regular scans. This layer is affected by all of its outer layers: cloud, cluster, and container. Code-based security risks grow when developers use third-party software to develop apps, have an irregular schedule for risk assessments, or allow insecure or untested code.

The code layer can provide the most granular level of security control in a cloud-native security strategy. Security teams will need to:

• Follow secure coding practices, such as input validation, output encoding, and proper handling of sensitive data, to mitigate common application-level vulnerabilities.
• Conduct regular code reviews and security testing to identify and address potential security issues.
• Implement robust authentication and authorization mechanisms within your application code to ensure only authorized access to sensitive data and functionalities.
• Use secure software development frameworks and libraries, keeping them updated with the latest security patches.
• Leverage secure deployment pipelines, including vulnerability scanning and static code analysis, to detect and address security issues during the build and deployment process.

Unifying Cloud Security Capabilities | How Cloud-Native Application Protection Platforms (CNAPP) Come Into Play

Patchwork security solutions don’t work for securing modern, complex clouds. While some businesses may combine several separate cloud security capabilities into a working tech stack, these point solutions often create more management work for security teams, limit the team’s visibility, and sow inconsistencies in development, deployment, and runtime.

To tackle the risks associated with cloud-native apps and workloads, many modern businesses rely on a cloud-native application protection platform, or CNAPP. These end-to-end platforms are designed specifically to provide a singular, central plane that unifies multiple security measures to protect the overall cloud. CNAPPs are a combination of multiple cloud security functionalities usually found in individual tools, including:

• CSPM (Cloud Security Posture Management) – CSPM combines two main considerations regarding how security teams monitor for, identity, and remediate cloud-based risks: code security and regulatory compliance. Here, CSPM aims to detect misconfigurations early in the software development lifecycle to prevent runtime risks. Governance helps enterprises manage compliance requirements and statuses across multi-cloud ecosystems.
• CWPP (Cloud Workload Protection Platform) – CWPP provides holistic visibility and control over virtual machines (VMs), containers, serverless workloads, and physical machines in hybrid and multi-cloud ecosystems.

• CIEM (Cloud Infrastructure Entitlements Management) – CIEM helps security teams mitigate the risk of data breaches through continuous monitoring of permissions and activity within the cloud.

• KSPM (Kubernetes Security Posture Management) –  KSPM leverages security automation tools to identify human-based errors, enforce Kubernetes compliance, manage security as clusters evolve, and validate third-party configurations.

Shift Left with SentinelOne’s Cloud-Native Capabilities

Traditionally, security has been treated as a separate and isolated process that occurs towards the end of the development cycle or during the deployment phase. However, in cloud-native environments, where continuous integration and continuous deployment (CI/CD) practices are common, addressing security concerns right at the onset helps mitigate risks and ensure robust security throughout the entire application lifecycle.

By “shifting left”, businesses are able to identify and address security vulnerabilities and risks as early as possible, ideally during the development phase or even during the design phase. This is a proactive approach meaning faster detection and remediation of security issues, and significantly reducing the chances of vulnerabilities reaching production environments.

SentinelOne provides these shift-left capabilities needed to detect, prevent, investigate, and respond to cloud security threats, allowing modern business leaders to dramatically reduce their organization’s cloud-based risks.

Offering a joint cloud-native solution with Wiz, SentinelOne provides businesses with enhanced visibility and protection of their cloud workloads, streamlined procurement, and simplified deployment. This guides teams to better securing their cloud infrastructure and workloads without hampering the speed or agility of their application development teams.

Learn more about how SentinelOne’s AI-powered Cloud Workload Protection Platform (CWPP) and the Wiz Cloud-Native Application Protection Platform (CNAPP) allows businesses to improve their operations in the cloud and protect their cloud workloads from build time to run time here.

Conclusion

With so many organizations reliant on clouds to hold their sensitive data, the cloud attack surface has widened, continuing to be a critical issue for modern businesses. As threat actors hone their attacks on cloud-based enterprises, cloud-native security strategies address the unique security considerations introduced by the technology’s containerization and microservices architectures.

Building a cloud-native security strategy is a keystone in addressing modern cloud threats. By addressing container and microservices security, aligning with automation practices, facilitating both shared responsibility and rapid incident response, these strategies empower organizations to build secure, resilient, and compliant cloud-native environments in the face of rapidly evolving cloud threats.

SentinelOne can help organizations improve their cloud security strategy through a combination of endpoint detection and response (EDR) capability, autonomous threat hunting, and runtime solutions that can defeat cloud-based threats without compromising agility or availability. Contact us for a demo on how to build a robust cloud security strategy today.