Google Cybersecurity Action Team (GCAT) has today released an updated version of their Threat Horizons Report and we have had the opportunity to review its findings in relation to how the overall threat “horizon” is changing. This report is based on particular security threats that Google has purposely tracked over the last 6 months and it’s worth pointing out how well the report examines each threat, with accurate contexts and clear recommendations and advice for security engineers.
Using least privilege and best practice to repel threats
The report is divided into two categories. The first category covers the threat trends that the Google team believes are growing in their capacity to exploit vulnerable software and security processes. The latest phishing trends, the impact of the war in Ukraine on cybersecurity, the growing threat of brute-force attack software, and the general trend in different types of abuse tactics are all referenced in the threat trends.
As part of Venafi, we have a high focus on cybersecurity and a strong internal understanding of the threats posed by phishing and how to identify and deal with phishing schemes. We apply this ethos when working very closely with our customers by setting up their Cloud Native environments with the principle of least privilege and using best-practice configuration to resolve potential threats such as brute-force attack vectors. We work directly with our customers to proactively remove listed Common Vulnerabilities and Exposures (CVEs) in images by using scanning tools or by generating SBOMs of images and matching them against vulnerability databases. This work is highly involved and requires a very close working partnership with our customers’ security engineering teams.
Defensive strategies for modern Cloud Native
The second part of the report covers defensive strategies to improve enterprise security posture and manage threat prevention. It is worth highlighting 2 key points in the report that are especially relevant to our customers since they relate directly to our own product offerings.
Perhaps unsurprisingly, a highly important defensive strategy is improving Software Supply Chain Security and validating the provenance of each software artefact throughout the entire supply chain. Work on this matter from the OpenSSF and the SLSA Framework is referenced in this report. In line with what GCAT are reporting, our team has developed its popular Software Supply Chain Toolkit, which covers the most up-to-date recommendations and advice across a range of security frameworks, including the SLSA framework as well as the CNCF Security whitepaper and Venafi’s own security blueprint. The toolkit is designed in a “radar” format to help security engineers self-assess and then strengthen the supply chain by combining the recommendations from the different frameworks in a format that helps to prioritise the most important security requirements. The Jetstack Consult team is currently actively working with customers who helped to develop the toolkit and who are now working with us to improve their Software Supply Chain Security by applying the guidance provided by the toolkit.
A further defensive strategy from the report that is closely aligned with Jetstack’s strategy and product is Zero Trust. Using a Zero Trust approach means it is essential to be able to determine who is authorised to access what data using which devices. TLS Protect for Kubernetes is purposely built to help organisations deploying cloud native infrastructure to manage their machine identities and build an effective security posture, giving security and platform teams detailed visibility and status monitoring of all certificate configurations across multiple clusters. Machine identity management is foundational to building Zero Trust for cloud native production environments. For many larger organisations, the Zero Trust concept now incorporates the need to deploy popular service mesh solutions such as Istio, Linkerd and others. In addition, many service mesh implementations have adopted the SPIFFE specification. TLS Protect for Kubernetes is built with cert-manager and provides native support for service mesh as well as for SPIFFE, the de facto open standard for identity in the cloud.
We’d certainly recommend reading the full report. Please reach out to us directly if you are interested in finding out more about Software Supply Chain Security and Zero Trust in Cloud Native environments.