Posts Tagged ‘ExposureManagement’
[AWSReInforce2025] Redefining cybersecurity for modern threats with Armis Centrix (NIS122)
Lecturer
Steve Clark serves as Director of Cloud Alliances at Armis, orchestrating partnerships that extend cyber exposure management across cloud and edge environments. His expertise centers on asset intelligence platforms that provide real-time visibility into managed, unmanaged, and IoT devices.
Abstract
The presentation positions Armis Centrix as a cloud-native platform for comprehensive asset protection, demonstrating integration with AWS services to identify, prioritize, and remediate risks across the attack surface. Through customer examples in transportation, healthcare, and aviation, it establishes proactive exposure management as essential for modern threat defense.
Asset Discovery Beyond Traditional Boundaries
Modern environments contain thousands of unmanaged devices—IoT sensors, medical equipment, building controllers—that evade conventional inventory tools. Armis Centrix discovers assets through passive traffic analysis and active querying:
Network Traffic → Behavioral Fingerprint → Device Classification
                                                     ↓
                                            Risk Scoring Engine
The platform identifies device type, manufacturer, firmware version, and operational context without requiring agents.
Risk Prioritization and Business Context
Raw asset data becomes actionable intelligence through contextual scoring:
{
  "device": "GE MRI Scanner",
  "vulnerabilities": ["CVE-2023-4567"],
  "connectivity": "Internet-facing",
  "business_unit": "Radiology",
  "priority_score": 9.8
}
Integration with ServiceNow CMDB enriches discovery with ownership and criticality metadata, enabling precise remediation workflows.
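One way to turn a record like the one above into a priority score, as an added example that is not Armis code: the worst CVSS score on the asset is scaled by its connectivity and by business-unit criticality taken from the CMDB, so the same CVE on an isolated facilities device ranks far below the internet-facing MRI scanner. The weight tables, the CVSS values and the two extra devices are constructed assumptions.

```python
"""Contextual priority scoring for discovered assets (added example, not Armis code).

The worst CVSS base score among an asset's vulnerabilities is scaled by how
reachable the asset is and how critical its business unit is, giving a record
in the shape shown above. The weights and CVSS values are constructed
assumptions; the page gives only the CVE id and the final 9.8.
"""
from dataclasses import dataclass

# Constructed CVSS base scores; 8.2 is chosen so the MRI record lands on 9.8.
CVSS_BASE = {"CVE-2023-4567": 8.2, "CVE-0000-EXAMPLE": 5.3}
# Exposure multiplier: an internet-facing device is reachable by anyone.
CONNECTIVITY_WEIGHT = {"Internet-facing": 1.2, "Internal": 1.0, "Isolated": 0.7}
# Criticality supplied by the CMDB (constructed values).
BUSINESS_CRITICALITY = {"Radiology": 1.0, "Facilities": 0.6}

@dataclass
class Asset:
    device: str
    vulnerabilities: list
    connectivity: str
    business_unit: str

def priority_score(asset: Asset) -> float:
    """Worst CVSS x exposure x criticality, capped at 10 and rounded to 0.1."""
    worst = max((CVSS_BASE.get(cve, 0.0) for cve in asset.vulnerabilities), default=0.0)
    exposure = CONNECTIVITY_WEIGHT.get(asset.connectivity, 1.0)        # unknown: neutral
    criticality = BUSINESS_CRITICALITY.get(asset.business_unit, 0.8)   # unknown: not top tier
    return round(min(worst * exposure * criticality, 10.0), 1)

def prioritise(assets):
    """Highest priority first, so remediation starts where impact is greatest."""
    return sorted(assets, key=priority_score, reverse=True)

# Constructed inventory: the MRI scanner from the page plus two devices carrying
# the same CVE in less exposed, less critical contexts.
INVENTORY = [
    Asset("GE MRI Scanner", ["CVE-2023-4567"], "Internet-facing", "Radiology"),
    Asset("Building controller", ["CVE-2023-4567"], "Isolated", "Facilities"),
    Asset("HVAC gateway", ["CVE-0000-EXAMPLE"], "Internal", "Facilities"),
]

if __name__ == "__main__":
    for a in prioritise(INVENTORY):
        print(f"{priority_score(a):4.1f}  {a.device}")
```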
Integration Patterns with AWS Services
Armis ingests VPC Flow Logs and GuardDuty findings to extend visibility:
connectors:
  - aws_vpc_flow_logs
  - aws_guardduty
  - servicenow_cmdb
  - palo_alto_firewall
EventBridge rules trigger automated responses—quarantining compromised IoT devices, creating Jira tickets, or notifying device owners.
Real-World Deployment Outcomes
Case studies demonstrate operational impact:
- Transportation Provider: Discovered 40% more assets than ServiceNow inventory; achieved regulatory compliance ahead of DoT mandates
- Healthcare System: Reduced mean time to patch critical medical devices from 90 to 14 days
- Airport Authority: Identified rogue Wi-Fi access points and unauthorized Bluetooth beacons
These organizations leverage Armis within AWS environments, processing petabytes of traffic data with sub-second query response.
Proactive Exposure Management Framework
The platform implements continuous assessment:
- Discovery: Passive and active techniques
- Classification: ML-based device fingerprinting
- Risk Scoring: CVSS + business context
- Remediation: Automated playbooks and orchestration
- Verification: Continuous validation of control efficacy
This cycle operates 24/7, adapting to asset churn and emerging threats.
Conclusion: Comprehensive Asset Protection
Armis Centrix transforms asset visibility from periodic audits into real-time intelligence. By combining passive discovery, behavioral analysis, and AWS integration, organizations gain comprehensive protection across IT, OT, and IoT environments. The platform enables security teams to move from reactive incident response to proactive risk elimination.
[AWSReInventPartnerSessions2024] Advancing Cloud Security Proficiency through Unified CNAPP Frameworks: A Structured Maturity Pathway
Lecturer
Leor Hasson functions as Director of Cloud Security Advocacy at Tenable, where he directs initiatives promoting exposure management via integrated platforms that consolidate visibility and remediation across diverse environments.
Abstract
This treatment traces the conceptual evolution and operational implementation of cloud-native application protection platforms (CNAPP), positioning them as a synthesis of the fragmented tool categories CSPM, CWPP, CIEM, and DSPM. The analysis delineates the security challenges specific to cloud ecosystems (novel attack surfaces, expertise scarcity, tool proliferation, and intensified cross-functional collaboration) alongside the opportunities that programmatic access creates. A ten-phase iterative progression guides practitioners from foundational inventory compilation to automated remediation, emphasizing contextual risk prioritization and hybrid infrastructure correlation through Tenable One.
Contextual Challenges and Emergent Opportunities in Cloud Security Posture
The advent of cloud computing has introduced transformative paradigms accompanied by distinct protective imperatives. Compared to traditional on-premises infrastructures, cloud environments manifest expanded attack vectors, a relative paucity of seasoned practitioners given the technology’s recency, an overwhelming array of specialized instruments lacking cohesive strategy, and significantly amplified requirements for interdepartmental cooperation. These dynamics collectively complicate systematic defense.
Concurrently, cloud paradigms afford unprecedented advantages: configurations and telemetry become programmatically accessible in structured formats, enabling automation at scale. Moreover, broadened access democratizes responsibility, permitting operational teams to assume ownership of their security obligations—an approach that, while introducing management complexity, harbors substantial potential for distributed resilience.
CNAPP architectures address these dualities by furnishing unified observational planes encompassing workloads, underlying infrastructure, identity entitlements, network topologies, and sensitive data classifications. Tenable Cloud Security exemplifies this integration, ingesting telemetry from native AWS accounts, multi-cloud deployments, identity providers, continuous integration pipelines, and ancillary third-party systems to orchestrate comprehensive risk governance.
Iterative Ten-Phase Maturity Progression for CNAPP Implementation
Framed metaphorically as “ten steps” to underscore non-linearity and iterative refinement, this progression structures organizational advancement:
Initial phases establish asset inventory discovery, revealing the operational landscape and preempting blind spots that adversaries exploit. Subsequent risk exposure assessment introduces contextual evaluation—distinguishing, for instance, publicly exposed S3 buckets containing personally identifiable information from equivalently configured but isolated resources. Remediation orchestration follows, translating insights into executable corrections.
Advanced stages encompass:
- Identity least-privilege enforcement: identifying excessively permissive policies or dormant credentials
- Network segmentation visualization: graphing potential exposure pathways
- Sensitive data classification: cataloging regulated information
- Vulnerability prioritization: correlating exploitability with internet-facing status
- Infrastructure-as-code security scanning: examining Terraform modules both in isolation and upon instantiation, where parameters may introduce vulnerabilities, as in the module call below
- Malicious code detection: flagging external data blocks capable of unauthorized execution during planning phases
- Automated response integration: progressing from manual ticketing to conditional webhooks that execute predefined resolutions when confidence thresholds are satisfied
module "high_risk_storage" {
  source             = "./modules/secure_s3"
  bucket_acl         = "public-read-write" # Instantiation parameter triggers CNAPP alert
  encryption_enabled = false
}
Maturity escalation reflects organizational confidence: rudimentary manual interventions evolve into sophisticated automation conditioned upon verified criteria. Tenable One amplifies this trajectory by amalgamating cloud-derived intelligence with endpoint vulnerability management, constructing end-to-end attack path visualizations—from developer workstations harboring pilfered access keys to the sensitive datasets those credentials could compromise.
Strategic Ramifications and Organizational Implications of CNAPP Adoption
Contextual intelligence emerges as the paramount differentiator, enabling precise allocation of defensive resources to threats possessing material impact. Hybrid visibility across cloud and on-premises domains mitigates lateral movement risks, while automated remediation compresses mean-time-to-resolution.
Broader organizational consequences include accelerated security posture maturation, optimized resource utilization through noise reduction, and enhanced regulatory compliance via auditable contextual evidence. The framework’s iterative nature accommodates evolving threat landscapes, positioning CNAPP not merely as a toolset but as an adaptive governance philosophy.
[AWSReInventPartnerSessions2024] Mastering Cloud Security through CNAPP Maturity: A Ten-Phase Iterative Framework
Lecturer
Leor Hasson serves as Director of Cloud Security Advocacy at Tenable, guiding organizations toward unified exposure management across cloud-native environments.
Abstract
This analytical treatment conceptualizes cloud-native application protection platforms (CNAPP) as an evolutionary synthesis beyond CSPM, CWPP, CIEM, and DSPM fragmentation. It articulates cloud-specific security challenges (novel attack vectors, expertise scarcity, tool proliferation, collaboration intensity) and programmatic opportunities. A structured ten-phase iterative progression guides advancement from inventory to automated remediation, emphasizing contextual risk prioritization through Tenable One’s hybrid attack path visualization.
Cloud Security Challenges and Programmatic Opportunities
Cloud computing introduces unprecedented attack surfaces, nascent practitioner expertise, overwhelming toolsets, and intensified cross-functional requirements. Yet programmatic access to configurations and logs, combined with delegated responsibility, unlocks automation potential.
CNAPP unifies visibility across workloads, infrastructure, identities, networks, and sensitive data. Tenable integrates AWS, multi-cloud, identity providers, CI/CD pipelines, and third-party systems.
Ten-Phase Iterative Maturity Pathway
The non-linear progression includes:
- Asset Inventory – Comprehensive discovery
- Contextual Exposure – Risk differentiation (public PII vs. isolated)
- Actionable Remediation – Executable fixes
Advanced phases: IAM Least Privilege (over-permission detection), Network Exposure Graphing, Data Classification, Vulnerability-Exploitability Correlation, IaC Scanning (Terraform instantiation risks), Malicious Code Detection, Automated Ticketing/Webhooks.
# IaC risk example
resource "aws_s3_bucket" "sensitive" {
  bucket = "confidential-data"
  acl    = "public-read"
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}
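A minimal scanner for the IaC risks named in this post and in the preceding one (the public ACL on the resource above, the public ACL and disabled encryption passed at module instantiation, and external data blocks that run a program during planning), as an added example that is not Tenable code. It is regex-based rather than a real HCL parser, and the sample input is constructed from the page's two snippets plus a harmless external data block.

```python
"""First-pass scan for the Terraform risks named above (added example, not Tenable code).

Flags public S3 ACLs (on a resource or passed as a module argument), encryption
switched off at module instantiation, and `data "external"` blocks, which run a
local program during `terraform plan`. Regex-based: a linter, not a CNAPP replacement.
"""
import re
from typing import List, NamedTuple

class Finding(NamedTuple):
    line: int
    rule: str
    detail: str

# ACLs that grant access beyond the account owner.
PUBLIC_ACL = re.compile(r'^\s*(?:bucket_)?acl\s*=\s*"(public-read(?:-write)?|authenticated-read)"')
# Module parameter from the page's example that switches encryption off.
ENCRYPTION_OFF = re.compile(r'^\s*encryption_enabled\s*=\s*false\b')
# External data sources execute a program at plan time.
EXTERNAL_DATA = re.compile(r'^\s*data\s+"external"\s+"([^"]+)"')

def scan_hcl(text: str) -> List[Finding]:
    """Return one Finding per risky line, with 1-based line numbers."""
    findings = []
    for num, line in enumerate(text.splitlines(), start=1):
        if m := PUBLIC_ACL.search(line):
            findings.append(Finding(num, "public-acl", m.group(1)))
        elif ENCRYPTION_OFF.search(line):
            findings.append(Finding(num, "encryption-disabled", line.strip()))
        elif m := EXTERNAL_DATA.search(line):
            findings.append(Finding(num, "external-data-source", m.group(1)))
    return findings

# Constructed input: the two page snippets plus a harmless external data block.
SAMPLE = '''\
module "high_risk_storage" {
  source             = "./modules/secure_s3"
  bucket_acl         = "public-read-write"
  encryption_enabled = false
}
resource "aws_s3_bucket" "sensitive" {
  bucket = "confidential-data"
  acl    = "public-read"
}
data "external" "bootstrap" {
  program = ["sh", "-c", "echo '{}'"]
}
'''
for f in scan_hcl(SAMPLE):
    print(f"line {f.line}: {f.rule} ({f.detail})")
```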
Tenable One correlates cloud findings with endpoint vulnerabilities, tracing access keys from developer machines to sensitive data.
Organizational Implications
Contextual prioritization compresses exposure; hybrid visibility prevents lateral movement. Implications include accelerated maturity, resource optimization, and regulatory alignment.