Automate Your Cloud Remediation Using Serverless Functions

Jan 11, 2021
5 minutes
... views

Gaining visibility into your cloud environment is a critical step in assessing your overall cybersecurity posture; however, the value in visibility is realized when you actually utilize those insights and take action. In other words, you must define a cloud remediation process: now that you know what’s going wrong, what will you do to fix it?

Today, Prisma Cloud helps minimize the average “time-to-resolution” for cloud SOC teams by offering command line interface (CLI) based auto-remediation, where common misconfigurations can be resolved in just one click – or better yet, automatically whenever they are detected.

 

Why Auto-Remediation is Important

Many cybersecurity vendors fail to provide a comprehensive solution with regards to cloud remediation. These solutions may show all of your misconfigurations and vulnerabilities through a single pane of glass, but no simple way to go about resolving all of them. 

To make matters worse, in a world where resources and data are created, deployed and modified so quickly, it is basically impossible for cloud SOC teams to address security issues quickly and effectively. In other words, manual remediation is not enough: the only way to address cloud vulnerabilities at scale is with automation.

However, since every company is unique in its internal remediation processes, it is sometimes difficult to come up with a one-size-fits-all solution. For example, what if you have an approval process in place to double-check whenever production resources are modified? What if you want to send a notification to Slack or Jira whenever a misconfiguration is automatically resolved? A CLI simply does not have such capabilities (or at the very least, the capabilities to do it at scale, automatically). This means the average time-to-resolution will still be relatively high due to the fact that there are still many manual steps involved to resolve a security issue.

Another problem lies with permissions: any sort of remediation solution that a security vendor offers will involve granting that vendor additional permissions (typically write/execute permissions) to go into your cloud environment and change resources. This creates issues, especially for users in industries with strict privacy and security compliance requirements – such as HIPAA in the healthcare industry – and makes external remediation solutions less feasible.

This is why we’re launching Prisma Cloud Enhanced Remediation: a free, flexible way to create custom auto-remediation solutions using serverless functions, all within your own cloud environment.

 

What are Serverless Functions?

Serverless computing is a service offered by cloud service providers (CSPs) such as Amazon Web Services (AWS) that abstracts away all underlying infrastructure that your code runs on. This effectively lets you run code without worrying about provisioning or managing servers, while only paying for the execution time and resources these functions take to run.

 

Why Remediate Using Serverless?

The ability to quickly deploy and execute code makes serverless the perfect platform for remediation “runbooks” – short remediation plans of action – which involve doing quick, one-off tasks to resolve misconfigurations, vulnerabilities and other issues within your own environment. This also means you can focus more on the remediation plan itself, rather than worrying about how to deploy and manage the system within your cloud environment.

 

How Serverless Remediation Works

At a high level, Prisma Cloud generates an alert and sends it to be processed by a serverless function we help you deploy. This function then parses the alert, figures out which runbook to execute and remediates accordingly.

Runbooks are what we call the out-of-the-box Python scripts that we provide as example auto-remediation solutions. Today, we ship 47 runbooks for AWS, most of which map one-to-one with Prisma Cloud’s out-of-the-box policies.

Diagram showing the architecture for Prisma Cloud Enhanced Remediation
Prisma Cloud Enhanced Remediation architecture.

Using built-in integrations to CSPs (e.g. AWS Simple Queue Service, or SQS), Prisma Cloud can help quickly and easily remediate misconfigurations in your cloud environment with the flexibility of a full-fledged coding environment.

Deployment is quick and easy: following our step-by-step setup guide, deploy the AWS Lambda and SQS using our CloudFormation template. This installs all of our out-of-the-box runbooks and connects the SQS to the Lambda function. Then, connect the SQS queue to Prisma Cloud using our built-in integration. That’s it! You are now ready to auto-remediate alerts.

Prisma Cloud Enhanced Remediation also supports multi-account setups. This means you only deploy a single Lambda function that can then remediate multiple AWS accounts (i.e., all accounts in your AWS organization). All you have to do is deploy an additional CloudFormation template that grants the necessary permissions to the “parent” account’s Lambda function. This greatly simplifies the workflow as you now only need to add, remove or modify the Lambda’s runbooks and permissions in one place.

Note that this is all happening within your cloud environment – no external write permissions required. Furthermore, everything you deploy is under your control: if you don’t want to grant this Lambda access to your Amazon Simple Storage Service (S3) buckets, for example, you can simply modify its identity access management (IAM) policy accordingly. This is also covered in our setup guide above.

 

Start Using Prisma Cloud Enhanced Remediation Today

With Prisma Cloud Enhanced Remediation, you can now resolve alerts automatically within minutes, while adhering to any and all custom processes you may have in place. This gives you more time to focus on the most important and involved tasks, improving your overall security posture and minimizing alert fatigue.

Finally, combined with our other auto-remediation offerings – basic remediation via CLI and advanced remediation via Cortex XSOAR – Prisma Cloud truly unlocks the power of automation while giving you just the right amount of flexibility all in one, integrated platform.

This feature is currently available for AWS environments, with support for other major CSPs currently under development. For more information on how to get started, check out our open-source GitHub repository. Within this repo, you can find relevant documentation and resources such as the AWS step-by-step setup guide, runbooks we support out-of-the-box, and the custom runbook development guide.

 


Subscribe to Cloud Native Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.