Prisma Cloud CSPM looks to mitigate DevSecOps conflicts

Palo Alto Networks' CSPM product uses machine learning to tackle a point of DevSecOps friction -- too many security alerts that aren't tied to imminent threats.

An update to Palo Alto Networks' Prisma Cloud CSPM this week includes new network visibility features meant to reduce the bombardment of security alerts for enterprise DevSecOps teams.

Cloud Security Posture Management (CSPM) tools such as Prisma Cloud are used to identify configuration errors and security policy breaches in cloud computing infrastructure. The number of tools in this market is growing, as container security vendors such as Sysdig add CSPM features.

Cloud-native security and IT automation tools also increasingly use AI and machine learning to quickly identify the root cause of problems in complex distributed infrastructures and cut down on the noise that IT platform operators deal with from security and performance monitoring tools.

In keeping with these trends, Palo Alto launched Prisma Cloud as it rebuilt its product line beginning in 2019 based on a string of acquisitions. Among the first of these acquisitions was CSPM startup RedLock, which Palo Alto bought in 2018, along with an API security company, which it used as the basis for Prisma Cloud. Since then, the vendor has also added IP from the acquisitions of Twistlock for container security, PureSec for serverless security and microsegmentation vendor Aporeto in 2019, and Bridgecrew in March.

As Palo Alto integrates these companies under Prisma Cloud CSPM, enterprises are shifting to DevSecOps practices, and need CSPM tools to adapt to those workflows.

"Cloud security posture management [came from] the point of view that as development teams start adopting cloud ... security teams are struggling to understand and get visibility across different application teams," said Varun Badhwar, senior vice president of products and engineering for Prisma Cloud. "DevOps teams have the keys to create IAM roles and security groups ... and given the speed of change in the cloud ... lots of configuration errors can occur."

From rules to real DevSecOps threats

Rules-based CSPM tools can help standardize and automate security policy management with fewer hindrances to developer velocity, but this approach doesn't identify which policy violations represent real security threats in the IT infrastructure.

If security teams in large organizations forward all policy violation alerts from such systems to developers for patching, those developers may get fatigued and less responsive to urgent requests, Badhwar said.

Hence, the release of an update to Prisma Cloud CSPM this week, called True Internet Exposure. The feature compares machine learning analysis of cloud network paths against security policy rules, narrowing down the number of policy violation alerts to those most likely to involve real threats.

"A security group may allow traffic from the internet to a host, but if a developer has hardened the host so you're not even listening on [the right] port, there's no exposure per se," Badhwar said. "At scale, security teams were going to developers saying, 'Why is this security group open?' and developers were saying, 'Look, stop bothering me with stuff that's noise. If you only paid attention, you'd realize that's not a real security issue.'"
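To make that distinction concrete, here is an added Python sketch (not Palo Alto's code; the data model and function names are assumed) that contrasts a purely rules-based alert with one gated on whether the host actually listens on the exposed port and is reachable from the internet:

```python
"""Added illustration: rules-based CSPM alert vs. exposure-aware alert.
Names and data model are assumptions for this sketch, not a vendor API."""
from dataclasses import dataclass, field
from ipaddress import ip_network

RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class IngressRule:
    cidr: str        # source range, e.g. "0.0.0.0/0"
    from_port: int
    to_port: int

@dataclass
class Host:
    name: str
    public_ip: bool          # has a network path from the internet (public subnet/IGW)
    rules: list              # IngressRule objects in the host's security group
    listening: set = field(default_factory=set)  # TCP ports a process is bound to

def is_internet_source(cidr):
    """A source range counts as internet-facing unless it sits inside RFC 1918 space."""
    net = ip_network(cidr)
    return not any(net.subnet_of(private) for private in RFC1918)

def policy_violations(host):
    """Rules-based view: every internet-open ingress rule becomes an alert."""
    return [(r.from_port, r.to_port) for r in host.rules if is_internet_source(r.cidr)]

def true_exposures(host):
    """Exposure-aware view: alert only where an internet-open rule meets a port
    the host is actually listening on, and the host is reachable at all."""
    if not host.public_ip:
        return set()
    exposed = set()
    for r in host.rules:
        if is_internet_source(r.cidr):
            exposed |= {p for p in host.listening if r.from_port <= p <= r.to_port}
    return exposed

# Constructed sample inventory: every host trips the rules-based check, but only
# the hosts that listen on an internet-open port are truly exposed.
WIDE_OPEN = [IngressRule("0.0.0.0/0", 0, 65535)]
HOSTS = [
    Host("web-1", public_ip=True, rules=WIDE_OPEN, listening={22, 443}),
    Host("batch-1", public_ip=True, rules=WIDE_OPEN, listening=set()),
    Host("db-1", public_ip=False, rules=WIDE_OPEN, listening={5432}),
    Host("web-2", public_ip=True, listening={22, 443},
         rules=[IngressRule("0.0.0.0/0", 443, 443), IngressRule("10.0.0.0/8", 22, 22)]),
]

if __name__ == "__main__":
    for h in HOSTS:
        print(h.name, "rule alerts:", len(policy_violations(h)), "exposed:", sorted(true_exposures(h)))
```

Run as a script, the wide-open security group raises one rule alert on every host, while only web-1 and web-2 show real exposed ports.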

Similarly, a data exfiltration detection feature added to Prisma Cloud CSPM this week looks at a broader set of metadata than in previous versions of the software, including network flow logs, audit logs and threat intelligence data, to uncover which misconfigurations are actually being exploited in an IT environment. Another new machine learning-based feature detects anomalies in compute resource provisioning, specifically to prevent cryptojacking by Bitcoin miners.

Features such as these indicate that CSPM tools are becoming more critical for enterprise IT organizations, which are demanding that these products expand beyond just checking for misconfigurations, said Doug Cahill, an analyst at Enterprise Strategy Group (ESG), a TechTarget company.

"We need to evolve how we protect these environments ... beyond shipping hardened configurations," Cahill said. "We need to ensure that cloud-native data assets are appropriately protected and that the security operations center has good visibility into those environments as well."

DevSecOps products mature, cybersecurity still bleak

But while cloud-native security tools continue to add cutting-edge capabilities, the overall state of cybersecurity in the U.S. continues to be alarming.

As the country was still reeling from the SolarWinds supply chain attack that affected a wide swath of public and private-sector organizations, a ransomware attack on a major oil and gas pipeline also captured headlines, prompting new federal guidance on ransomware response and pipeline security requirements. And that's to say nothing of the smaller identity theft and other attacks that continue on a daily basis.

In general, enterprise cybersecurity defenses have yet to gain an edge on, or even catch up with, the sophistication of attackers.

Part of this disconnect is rooted in the amount of legacy infrastructure that still exists within enterprises that cloud-native security tools don't reach, according to Cahill.

"We just have a lot of old computers and old processes," he said. "And often they contain the critical assets that adversaries are going to target."

The good news is that the highest levels of government and corporate management are beginning to prioritize cybersecurity, and app modernization as part of that effort, Cahill said. The COVID-19 pandemic also sped up migration to cloud computing services significantly, which means more corporate IT assets can use modernized security tools, he added.

However, as enterprises are also learning, sophisticated IT security tools are only as effective as the way they're used, and that still leaves open the problems of malicious insiders and social engineering.

"Ultimately, DevOps and DevSecOps are really about culture and skill set," Cahill said. "If we truly see [cybersecurity] as a national emergency, everybody owns being vigilant and responsible for it."

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.