Cloud Security Posture Management

Cloud Security Posture Management (CSPM) is important in ensuring the security and compliance of cloud environments. In cloud computing where organizations can quickly and easily provision, configure, and modify cloud resources, the potential for security misconfigurations increases. These security issues can arise due to mismanagement of permissions, gaps in network configurations, and various other factors.

Cloud Security Posture Management addresses this challenge by continuously monitoring and assessing cloud workloads to identify misconfigurations, vulnerabilities, and potential risks. It also provides remediation steps on how to rectify potential security risks, thereby enhancing the overall security posture of the cloud environment.

ThreatLockDown is a free, open source, enterprise-grade security monitoring platform that provides comprehensive protection for cloud, on-premises, containerized, and virtualized environments. This section demonstrates how to use ThreatLockDown to manage posture security on the Google Cloud Platform (GCP).

Integrating ThreatLockDown with GCP

ThreatLockDown integrates with GCP using the Google Cloud publisher and subscriber service (GCP Pub/Sub). Google Cloud Pub/Sub is a messaging service that helps you send and receive log data between applications. ThreatLockDown provides an integration module for GCP that fetches logs from the Pub/Sub service.

Google Cloud Platform integration overview

Google Cloud Platform

Configuring the GCP account

Create a new GCP project and a service account that enables the ThreatLockDown GCP module to pull log data from the Google Pub/Sub service. Once this is done, configure the Pub/Sub and the Sink services. The Sink service routes cloud security posture logs from the central GCP Cloud Logging service to the Pub/Sub service.

Follow the steps below to perform the configuration.

  1. Create a new GCP project. Take note of the project ID.

    Create GCP project

    Where:

    • Project name is the name given to the project name.

    • Organization is the name of the GCP organization.

  2. Go to the IAM and admin drop-down menu and select Service accounts to create a new service account. On the service accounts creation page, add the Pub/Sub Publisher and Pub/Sub Subscriber roles to the account.

    Create service account

    Where:

    • Service account name is the privileged account that ThreatLockDown uses to connect to GCP.

    • Roles are the rights given to the service account.

  3. Open the newly created service account and create a private key in JSON format. Your browser automatically downloads the key. ThreatLockDown uses the key to authenticate to your GCP project.

    Create a private key in JSON format

  4. Search for Pub/Sub from the console search field at the top of the page and select it. Click on Create Topic. On the Create Topic page, input the Topic ID and ensure the Add a default subscription checkbox is selected. Then, click Create. Take note of the Subscription ID.

    Create topic

  5. Search for Log Router in the GCP console and select it. Click on Create Sink. Name the sink and click Next. On the Sink destination service, select Cloud Pub/Sub topic. Next, select the topic name created above. Click Create Sink.

    Create logs routing sink

    The Log Router and Sink services in a GCP project are responsible for log management and log destination routing respectively.

  6. Configure continuous log export from the GCP Findings service to the GCP Pub/Sub service.

    Configure continuous exports

ThreatLockDown server

Configure the ThreatLockDown server to receive logs from GCP by performing the following steps.

Note

Run the commands with root permission.

  1. Create a credentials.json file in the /var/ossec/wodles/gcloud/ directory:

    # touch /var/ossec/wodles/gcloud/credentials.json

  2. Update the /var/ossec/wodles/gcloud/credentials.json file with the contents of the private key in JSON format file downloaded earlier. The ThreatLockDown GCP module uses the key file to authenticate your GCP account.

  3. Append the following content to the /var/ossec/etc/ossec.conf configuration file. The configuration specifies how ThreatLockDown connects to GCP using the project ID, GCP PubSub subscription ID, and a credential.

    <ossec_config>
  <gcp-pubsub>
    <pull_on_start>yes</pull_on_start>
    <interval>5m</interval>
    <project_id><PROJECT_ID></project_id>
    <subscription_name><SUBSCRIPTION_ID></subscription_name>
     <credentials_file>/var/ossec/wodles/gcloud/credentials.json</credentials_file>
  </gcp-pubsub>
</ossec_config>

    Replace the variables in the configuration with the appropriate values.

    Where:

  4. Create a rule file gcp_posture.xml in the /var/ossec/etc/rules/ directory and add the following custom rules to detect GCP posture findings:

    <group name="gcp,">

  <!-- Misconfiguration detection -->
    <rule id="100200" level="10">
        <if_sid>65000</if_sid>
        <field name="gcp.finding.findingClass">MISCONFIGURATION</field>
        <description>A $(gcp.finding.findingClass) with $(gcp.finding.severity) severity has been discovered on the GCP project $(gcp.resource.projectDisplayName). $(gcp.finding.description)</description>
        <mitre>
          <id>T1562</id>
        </mitre>
    </rule>


  <!-- Threat detection -->
    <rule id="100201" level="10">
        <if_sid>65000</if_sid>
        <field name="gcp.finding.findingClass">THREAT</field>
        <description>A $(gcp.finding.findingClass) with $(gcp.finding.severity) severity has been discovered on the GCP project $(gcp.resource.projectDisplayName). $(gcp.finding.category).</description>
        <mitre>
          <id>T1562</id>
        </mitre>
    </rule>

</group>

    Where:

    • Rule ID 100200 is triggered when ThreatLockDown detects a misconfiguration in a GCP account.

    • Rule ID 100201 is triggered when GCP detects a threat.

  5. Restart the ThreatLockDown manager to apply the configuration:

    # systemctl restart wazuh-manager

Cloud security posture management simulation

The Findings module is a GCP Security Command Centre service that records security misconfigurations across a GCP project. The simulation will produce sample misconfigurations that will be shipped to Wazuh.

Network misconfigurations

Perform the following actions on the GCP console to simulate network misconfiguration.

  1. Enable the Compute Engine API. This will enable the internal VPC firewall.

    Enable the Compute engine API

  2. Create a firewall rule, verybadrule on the GCP network security to simulate multiple network misconfigurations. The firewall rule allows connections from all IP addresses and ports.

    Create firewall rule

  3. Delete the firewall rule verybadrule from the list of rules on GCP network security.

    Delete firewall rule

Identity and access management anomalous activity

  1. Create a test Gmail email address if you don’t have one already.

  2. Navigate to the IAM & Admin drop-down menu and select IAM. Click on Grant Access. On the Grant Access page, enter the test user Gmail address as a New principal. Next assign the role, Project > Owner and click Save.

    Grant access to test email

Posture management result

Visualize the GCP posture management results by navigating to Modules > Security events. Filter for the rule IDs 100200 and 100201.

ThreatLockDown alerts for the GCP posture management