Cloud Visibility and Misconfiguration Detection

Not so long ago, banks were brick and mortar physical structures. They employed human tellers and housed private vaults and lock boxes for printed money, sensitive records, and personal valuables. These vaults and lock boxes were stored at the back of a building, behind multiple layers of security, including reinforced steel or cast iron doors and a wide array of alarms. To get to them, a patron would have to enter the premises and pass an armed security guard stationed at the door. Surveillance cameras would be pointed at the entryways and at each teller, providing a secondary layer of security. After passing through the monitored lobby, anyone requiring access to the vaults and boxes would need to pass through additional authorization and identification checks. The vaults where physical money was stored had the highest levels of access controls, making it very hard (though not impossible) for all but authorized personnel and savvy criminals to access them.

Today, effective cyber security programs are built on this same model of layered security. We’ve got endpoint security, network security, identity and access management security, device security, and the list goes on. Reinforcing security at each layer makes it harder and harder for cyber criminals to access sensitive data, be it digital bank account details, personal data, or intellectual property. Going back to our physical bank example, imagine, if you will, what would happen if the front door of the bank was misconfigured, meaning, no security guards, surveillance cameras, or bank tellers were keeping an eye on the place. What would happen if someone left the master key to all the vaults lying on a table, accessible to anyone inside this now-unprotected bank? Or if additional ways to access the safe—through ventilation, water supply, or sewer systems—were also unprotected?

This depiction seems a bit ridiculous, yet it’s exactly what happens with the cloud. According to research by Threat Stack, approximately 73% of companies have critical AWS security misconfigurations[i] which would allow an attacker to easily access sensitive data or take command and control of the user’s console. While cloud has been around for a while, and security solutions both in and of the cloud are improving continually, many of these technologies aren’t uniformly deployed, don’t scale well, or add complexity, cost, and latency, which is what the cloud is meant to combat.

Cloud-native approach

Orca Security, a fledgling security provider out of Israel, offers a cloud-native security scanning and visibility tool to help companies identify cloud misconfigurations and other vulnerabilities in the deployed software security stack. Avi Shua, CEO and Co-Founder, said he and his seven fellow co-founders, all former Check Point technology executives and architects, started the company because they had a deep-seated belief that “security must be delivered seamlessly. It can’t impact business processes or rely on multiple teams to push it through. This is antithetical to cloud usage, yet it’s how most cloud security technologies work. We developed Orca Security to give customers full stack visibility—from the cloud infrastructure to the OS to applications and data, where PII and sensitive data reside.”

To accomplish full visibility, Orca uses something they call SideScanning, which collects configuration information, assesses network layout, and integrates with the cloud infrastructure to read virtual machines’ run-time block storage, databases and datastores, and cloud logs. It then analyzes all the data collected to assess risk and assign a risk score to each issue it detects. Inputs for the alerts are derived from Orca’s internal research as well as technology integrations; aggregated together, they provide context based on a user’s individual environment and data sensitivity. “Our forte is combining data and putting it in context. Without context, threats are meaningless,” said Shua.
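The paragraph above describes the general pattern (collect configuration, combine it with data-sensitivity and exposure context, rank by risk score) without showing what that combination looks like. The following is an added illustration, not Orca’s code and not a description of how SideScanning is implemented: it runs four simple misconfiguration checks over a constructed cloud inventory and scores each finding by the sensitivity of the data behind the asset and whether the asset is internet-reachable. The inventory, the check list, the severity numbers and the weighting scheme are all assumptions chosen for illustration.

```python
"""Context-aware cloud misconfiguration scoring over a constructed inventory.

Hypothetical example: a tiny version of "collect configuration, add context,
rank by risk". The inventory, checks and weights are constructed for
illustration; none of it is taken from a real account or a real product.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ports whose exposure to the whole internet is treated as a misconfiguration
# (assumed list: remote administration and common database listeners).
MGMT_AND_DB_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}

# Constructed context weights (assumption; tune per environment).
SENSITIVITY_WEIGHT = {"public": 1, "internal": 2, "pii": 3}
INTERNET_EXPOSED_MULTIPLIER = 2

# Constructed sample inventory: two security groups, two buckets, one volume
# and two instances, one of which is stopped but still assessed.
INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "rules": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "rules": [{"port": 5432, "cidr": "0.0.0.0/0"}]},
    ],
    "buckets": [
        {"name": "public-assets", "public_read": True, "data_class": "public"},
        {"name": "customer-exports", "public_read": True, "data_class": "pii"},
    ],
    "volumes": [
        {"id": "vol-1", "encrypted": False, "attached_to": "i-db", "data_class": "pii"},
    ],
    "instances": [
        {"id": "i-db", "state": "stopped", "security_groups": ["sg-db"],
         "data_class": "pii", "os_patched": False},
        {"id": "i-web", "state": "running", "security_groups": ["sg-web"],
         "data_class": "public", "os_patched": True},
    ],
}


@dataclass
class Finding:
    asset: str
    check: str
    base_severity: int  # 1-10, before context is applied
    score: int          # after sensitivity and exposure context


def risk_score(base: int, data_class: str, internet_exposed: bool) -> int:
    """Combine a raw severity with context: what data is at stake and who can reach it."""
    score = base * SENSITIVITY_WEIGHT.get(data_class, SENSITIVITY_WEIGHT["internal"])
    if internet_exposed:
        score *= INTERNET_EXPOSED_MULTIPLIER
    return min(score, 100)


def world_open_ports(sg: dict) -> set[int]:
    """Ports this security group exposes to any source address."""
    return {r["port"] for r in sg["rules"] if r["cidr"] in ("0.0.0.0/0", "::/0")}


def assess(inventory: dict) -> list[Finding]:
    """Run every check and return findings sorted from highest to lowest risk."""
    findings: list[Finding] = []
    sgs = {sg["id"]: sg for sg in inventory["security_groups"]}
    instances = inventory["instances"]

    # A network misconfiguration is scored by the most sensitive instance behind it.
    sg_data_class = {sid: "internal" for sid in sgs}
    for inst in instances:
        for sid in inst["security_groups"]:
            if SENSITIVITY_WEIGHT[inst["data_class"]] > SENSITIVITY_WEIGHT[sg_data_class[sid]]:
                sg_data_class[sid] = inst["data_class"]

    # Check 1: management or database ports reachable from anywhere.
    for sid, sg in sgs.items():
        bad = world_open_ports(sg) & MGMT_AND_DB_PORTS
        if bad:
            findings.append(Finding(sid, f"ports {sorted(bad)} open to 0.0.0.0/0", 8,
                                    risk_score(8, sg_data_class[sid], True)))

    # Check 2: publicly readable object storage.
    for b in inventory["buckets"]:
        if b["public_read"]:
            findings.append(Finding(b["name"], "bucket is publicly readable", 7,
                                    risk_score(7, b["data_class"], True)))

    # Check 3: unencrypted block storage (not internet-facing by itself).
    for v in inventory["volumes"]:
        if not v["encrypted"]:
            findings.append(Finding(v["id"], "volume not encrypted at rest", 4,
                                    risk_score(4, v["data_class"], False)))

    # Check 4: unpatched OS, assessed whether the instance is running or stopped;
    # exposure is inferred from the attached security groups.
    for inst in instances:
        if not inst["os_patched"]:
            exposed = any(world_open_ports(sgs[s]) for s in inst["security_groups"])
            findings.append(Finding(inst["id"], f"OS unpatched (state={inst['state']})", 5,
                                    risk_score(5, inst["data_class"], exposed)))

    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"{f.score:3d}  {f.asset:<18} {f.check}")
```

The point of the weighting is the one Shua makes: the same raw check (a public bucket, an open port) lands at very different places in the queue depending on what sits behind it. Here the two public buckets get the same base severity, but the one holding PII scores three times higher, and the stopped database instance still surfaces because its security group and its patch state are read from the cloud inventory rather than from a running agent.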

Agentless, read-only integration

Orca is deployed as a service with read-only access and works in AWS, Azure, and Google Cloud Platform. It is an agentless technology, which, Shua says, results in no operational impact and no increase in operating costs, and provides both breadth and depth of visibility across the entire stack. The system can be up and running in 15 minutes or less and starts prioritizing alerts based on risk score immediately thereafter.

While today’s agents are lightweight and may not be encumbered by the “agent fatigue” of yesteryear, scalability is a problem—every agent must be deployed, managed, and updated regularly—and agents may be incompatible with some asset types like native cloud storage and cloud databases. Most of all, however, agents cannot detect cloud-level misconfigurations that would leave the door open for attackers, because they cannot scan cloud infrastructure. To compensate for this, organizations deploy additional third-party tools, which, Shua says, work well but add more complexity than operations teams need to manage. Further, “since SideScanning doesn’t rely on the scanned machine, it can detect rootkits and malware, which agents cannot, no matter where they’re deployed—on the endpoint or at the kernel.”

Future plans

At present, Orca works only in cloud environments. When asked why the company took this approach, especially considering that most of the world’s companies have hybrid environments, Shua explained that the company is only one year old and that they wanted to “start where most companies are headed,” i.e., the cloud. Because the company doesn’t have a legacy in bare-metal environments, and because they chose to focus on cloud, the design is “faster, better, and cheaper,” just like the cloud itself.

Orca has plans to extend its platform in the coming months, but in the meantime, they have landed some large clients who are using the technology to gain full visibility into their cloud environments. “Customers are most impressed with how easy it is to install, how quickly they get a full scan of their environment, and how easy it is to triage vulnerabilities,” Shua says. “Even paused or stopped machines are fully assessed.”

Shua demonstrated the dashboard during our call and I was immediately impressed with how much information Orca collects but how easy it is to navigate. The design is sleek and user friendly, even for someone like me who’s never worked in a SOC. The name “Orca Security” isn’t well known yet, but based on what I saw and heard, I expect great things to come out of this company in the near term.