CSPM Auto remediation for GCP

  • 27 April 2022
  • 0 replies
  • 36 views

Badge +7

In this article we’ll demonstrate how you can implement automatic remediation for security posture violation findings discovered by Netskope Cloud Security Posture Management (CSPM).

 

Netskope CSPM continuously assesses public cloud deployments to mitigate risk, detect threats, scan and protect sensitive data and monitor for regulatory compliance. Netskope simplifies the discovery of security misconfigurations across your clouds. Netskope Auto-Remediation framework for GCP enables you to automatically mitigate the risk associated with these misconfigurations in your GCP cloud environment.

 

Netskope CSPM security assessment results for such security benchmark standards as NIST, CIS, PCI DSS, as well as for your custom rules are available via the View Security Assessment Violations Netskope API.

 

Netskope auto-Remediation solution for GCP deploys the set of GCP Cloud functions that query the above Netskope API on the scheduled intervals and mitigates supported violations automatically.

 

You can deploy the framework as is or customize it to mitigate other security violations and to meet your specific organization’s security requirements.

 

See Netskope's Github page for more details - https://github.com/netskopeoss/CSPM-GCP-AutoRemediation

Auto-remediation Workflow

 

 

Workflow Overview:

 

  • Cloud scheduler will trigger Pub/Sub(1) topic with payload/message after every interval.
  • Payload/message will have two parameters:
  1. rule_name: Name of the Rule for which remediation is required.
  2. rule_short_name: This will be the Pub/Sub(2) topic name that will be used by GetNetskopeCSPMResults Cloud Function to push alert details to Remediation Cloud Function.
  • Pub/Sub(1) will trigger the GetNetskopeCSPMResults cloud function which will perform the below steps:
    • Pull payload/message from pub/sub(1) topic.
    • Call Netskope Security Assessment Violation API for given rule_name. If the rule is violated then, extract parameters GCP ProjectID, Resource ID, and Region Name from the alert.
    • Trigger Pub/Sub(2) topic and push extracted parameters. Pub/Sub(2) topic will pass these parameters to the Remediation cloud function of specified rule_name.
  • The remediation cloud function will pull information from Pub/Sub(2) and perform remediation.
  • Check logs of remediation functions in cloud logging.

Currently Supported GCP Auto-remediation Rules

No.

Profile

Service

Rule Name

Action

1

CIS-GCPFND-1.0.0

Compute Engine

Ensure the default network does not exist in a project

The auto-remediation cloud function deletes the default VPC network.

2

CIS-GCPFND-1.0.0

Compute Engine

Ensure "Block Project-wide SSH keys" enabled for VM instances

The auto-remediation cloud function set “block-project-ssh-keys” meta-data value of VM instance to True.

3

CIS-GCPFND-1.0.0

IAM

Identities and credentials: Ensure user-managed/external keys for service accounts are rotated every 90 days or less

The auto-remediation cloud function disables the Service Account keys that are created before 90 days

4

CIS-GCPFND-1.0.0

IAMPolicy

Identities and credentials: Ensure that ServiceAccount has no Admin privileges.

The auto-remediation cloud function removes Service Account entries from members for owner/editor/*Admin role

5

CIS-GCPFND-1.2.0

Identity

Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level

The auto-remediation cloud function removes role binding from policy having role as “Service Account User” or “Service Account Token Creator”

6

CIS-GCPFND-1.0.0

Kubernetes

Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters

The auto-remediation cloud function set the logging service as “logging.googleapis.com/kubernetes” if not set

7

CIS-GCPFND-1.0.0

Logging

Ensure that Cloud Audit Logging is configured properly across all services and all users from a project

The auto-remediation cloud function removes exempted members from audit logging service configurations and enable audit logging for all services with log types: DATA_READ,  DATA_WRITE, ADMIN_READ, ADMIN_WRITE

8

CIS-GCPFND-1.0.0

SQL

Ensure that Cloud SQL database Instances are not open to the world

The auto-remediation cloud function removes a network which has an IP value of “0.0.0.0/0“ from Cloud SQL Instance.

9

CIS-GCPFND-1.0.0

SQL

Ensure that Cloud SQL database instance requires all incoming connections to use SSL

The auto-remediation cloud function set “requireSsl” property of cloud SQL instance to True.

10

CIS-GCPFND-1.0.0

Storage

Identities and credentials: Ensure that Cloud Storage bucket is not anonymously or publicly accessible

The auto-remediation cloud function removes “allUsers” and “allAuthenticatedUsers” principles from the bindings of bucket policy. 

11

CIS-GCPFND-1.0.0

VPCnetwork

Ensure that SSH access is restricted from the internet

The auto-remediation cloud function removes the entry for source “0.0.0.0/0” from firewall rule source ranges if present

12

CIS-GCPFND-1.0.0

VPCnetwork

Ensure VPC Flow logs is enabled for every subnet in VPC Network

The auto-remediation cloud function enables flow logging for each subnet region-wise

 


0 replies

Be the first to reply!

Reply