Cloud 101CircleEventsBlog
Join top cybersecurity experts at the Raleigh, NC LevelBlue's cyber networking event June 20th!

Neutralizing the Threat with Cloud Remediation

Neutralizing the Threat with Cloud Remediation

Blog Article Published: 04/23/2024

Originally published by Tamnoon.

Written by Michael St.Onge, Principal Security Architect, Tamnoon.

Smooth remediation requires meticulous coordination across tools, teams, and schedules. The complexity and scale of the remediation process may suggest that only a manual or an automated process can deal with it. Ideally, an organization can leverage the best of each process where appropriate. With so many different dimensions to coordinate, intricate planning and cross-functional excellence is critical to be successful.

Additionally, integrating security checks into CI/CD pipelines is an important part of execution, allowing you to catch vulnerabilities early in the development lifecycle before they reach production.


The Security / DevOps Relationship

Your security and DevOps teams must work hand-in-hand during this process. And while each team has their distinct domains, they also have shared goals to safeguard data and maintain uptime, meaning that a tight partnership is paramount.

This collaboration does not always come easy. Some common scenarios that can strain relations and undermine progress might be:

  • Competing priorities
  • Siloed teams
  • Different mindsets
  • Technical disconnects
  • Lack of clear policies
  • Unrealistic demands
  • Blame culture
  • Poor monitoring
  • Lack of trust (or confidence)

Nevertheless, it’s critical that security and DevOps teams develop a common “language” to achieve their shared goals, which include:

  • Align on severity levels, compliance needs, and business justification.
  • Agree on optimal coordination model and cadence of communications.
  • Establish validation criteria to confirm successful remediation.
  • Maintain clear documentation of roles, responsibilities, and risks.

By regularly communicating their priorities, constraints, and risks from both perspectives, and emphasizing their unified mission, DevOps and Security can align on the best approach to streamline remediation while minimizing disruptions. The organizations that have been most successful at bridging the security/DevOps gap follow a framework like the one below for disambiguating roles and forging common ground.

TeamRole and required inputsKey questions to ask counterparts
Security
  • Gather intelligence to understand risks, impacts, and technical constraints related to remediation
  • Provide clarity on severity levels, compliance implications, and data exposure risks
  • Supply guidance to DevOps on safe remediation methods to mitigate risks
  • Recommend testing procedures to validate remediation before deployment
  • Collaborate with DevOps to optimize coordination and communication
  • What risks do you foresee that we need to mitigate?
  • What dependencies with other teams or resources do we need to map out?
  • How complex will rollback be if any issues do arise? Are there ways we can simplify it?
  • Are there any technical limitations that could complicate this fix? If so, are there ways we can work around them?
  • What testing procedures do you recommend before we deploy any changes?
DevOps
  • Share insights on potential system stability and uptime impacts
  • Map out dependencies with other teams and resources
  • Devise reliable rollback procedures in case issues arise
  • Outline technical limitations and, if any, options to work around them
  • Continuously monitor for early warning signs of emerging risks
  • How severe and what is the potential business impact of this vulnerability?
  • How urgent is remediation? Is there a deadline?
  • Will we violate any compliance requirements if this is not addressed?
  • Does this issue expose sensitive information?


Key Steps for Secure and Seamless Remediation

Follow the Plan

Smooth execution requires a detailed plan mapping out phases, steps, timelines and responsibilities:

  • Document the steps to be taken to address specific types of security findings (public storage accounts, exposed services, unencrypted volumes, unrotated keys, etc).
  • Define timelines for each phase to provide clarity on the order and pace of remediation.
  • Assign clear ownership and responsibilities for each step to ensure accountability.

It’s crucial that security and DevOps teams collaborate closely on constructing this plan. Security provides expertise on managing risk and prioritizing assets while DevOps offers insights on the potential impacts of any changes made.

With both perspectives, the plan can sequence remediation intelligently by starting with high-risk, mission-critical items before moving towards low-impact items. For example, addressing improperly configured S3 buckets exposing sensitive data in phase 1 before rotating IAM keys in phase 2. By tackling high risk issues first, well-planned remediation systematically strengthens security posture while minimizing disruptions through incremental progress.


Sample Remediation Plan

In this sample plan, security teams have identified a high-risk misconfiguration; open-access S3 buckets which expose sensitive data. Unencrypted RDS instances are generating a moderate risk, threatening a service disruption during cutover. Lastly, IAM keys need to be rotated, which could cause minor operational delays if left undone.

Intelligent remediation prioritizes the reconfiguration of S3 bucket permissions; AWS-authenticated threat actors can read, write, and manipulate objects within the bucket, creating a high-severity risk to the asset and the business.

Armed with guidance on prioritization, the remediation team plans three 2-week sprints to tackle these misconfigurations.

During these six weeks, Security and DevOps should meet weekly to review:

  • Overall progress and timeline
  • Blockers needing resolution
  • Emerging risks and mitigations
  • Next steps and action items

Security and DevOps should also have contingency plans ready to adapt to changes in the remediation plan. To handle plan deviations:

  • Have risk mitigation strategies ready. Being prepared with contingency plans for potential issues prevents being caught off guard.
  • Replan dynamically if any issues emerge. If surprises come up, be ready to quickly adjust the plan and timelines. Don’t rigidly stick to outdated plans.
  • Adjust timelines as needed. Related to above, update schedules and phases if delays or changes occur.
  • Document all modifications. Track all changes to the plan in a central place for visibility.


Integrate Security into CI/CD Pipeline

Remediation should integrate security checks into existing CI/CD pipelines early to catch issues before they reach production. Scrambling to fix problems right before deployment creates unnecessary risk and delays.

Shifting security left in the pipeline provides multiple touchpoints to rapidly surface and resolve vulnerabilities at each stage of the development lifecycle.

Key techniques include:

  • Execute infrastructure scans during continuous delivery to catch misconfigurations around encryption, permissions, network rules, and more. This surfaces risks before they impact customers.
  • Trigger security scans at multiple stages, not just end — failures early in CI are cheaper to fix.
  • Gate releases if critical vulnerabilities are detected, failing the build. This prevents broken code from being promoted.
  • Automate scans as much as possible to save time and money.


Role of the expert vs. automation

Finding the right balance between manual and automated approaches is crucial for effective cloud security. Teams often have to choose between a solely automatic solution, or solely manual. However, relying only on manual processes leaves the majority of risks unaddressed, while automation without oversight risks destabilizing your environment.


The Bottom Line

Effective remediation requires careful orchestration across tools, processes, and teams to address security issues.

Consider just some of the challenges:

  • Prioritizing the flood of daily alerts and signatures from various tools
  • Mapping dependencies between affected resources
  • Predicting impacts on operations, budgets, and compliance
  • Assigning fixes to the right teams
  • Crafting customized playbooks
  • Monitoring effectiveness and identifying patterns

When addressing complex remediation, teams often face a tradeoff between relying solely on manual fixes or full automation. Manual remediation allows for nuanced human judgment but is inconsistent and doesn’t scale. Automation provides speed and consistency but lacks oversight. The most balanced approach likely integrates automation and human guidance based on the situation. By playing to the strengths of both skills and software, the potential rewards are substantial: robust security, streamlined operations, and improved compliance.


For Practitioners

For security and DevOps practitioners, an optimized remediation process improves efficiency, reduces disruption, and clarifies responsibilities. By automating repetitive tasks and detailing procedures, practitioners complete remediation faster with less overhead. They can focus their expertise on higher-value initiatives. Shared playbooks also minimize business impact and reduce friction between teams. Smooth remediation increases practitioner productivity and effectiveness.


For Management

For leadership, balanced remediation strengthens cloud security posture while optimizing IT operations. Instead of slow and inconsistent manual fixes, scalable automation remediates issues rapidly and consistently. Metrics like remediation times, security ticket backlog, and audit findings improve. Compliance assurance also increases through automated policy enforcement. Leadership gains confidence that both existing and emerging threats will be addressed quickly and effectively through mature remediation practices.

Share this content on your favorite social network today!