Release 2.10
May 13, 2024
What’s New?
TotalCloud 2.10 brings updates to Insights, CDR, mandates, and controls.
Common Features
Common features introduced to the TotalCloud application in this release.
Added Support of TruRisk Insights for Azure
With this release, we have extended support for TruRisk Insights to Azure resources. You can now prioritize your critical threats based on the Insight findings. Each Insight finding details the risk posed by the threat and the remediation methods, helping you swiftly secure your Azure environment.
You can use the newly introduced Provider token to filter Azure findings.
Integrated Qualys Network Passive Sensor (NPS) with CDR Threat Sensor
With this release, we have integrated the AWS CDR threat sensor with the Qualys Network Passive Sensor. This integration gives CDR better management and a secure control channel that meets the Qualys Platform's security standards. You can also find the following improvements in CDR:
- Oracle Linux 8.0 is now a Qualys-approved OS for the appliance.
- Improved dissectors for network findings.
- CDR is now a FedRAMP-ready appliance.
With the addition of NPS, there are significant changes to how threat scanners are deployed and how CDR is set up. These changes only affect new CDR deployments; existing deployments are not affected.
If you have an existing deployment, you can find an AWS (Legacy) tab under the Threat Scanners tab to manage it. The new AWS tab is used to run new deployments. The downloadable packages and the CDR setup instructions have changed for new deployments.
You can learn more about the changes to the deployment steps in the TotalCloud Online Help.
Amazon Web Services
Added Resources for Cloud Identity Entitlement Management (CIEM)
With this release, we have added new AWS Inventory resources to enable CIEM. These resources can help manage access and identities across your AWS environment. With CIEM, you can ensure that permissions granted to the identities in your cloud follow the principle of least privilege.
New Resources Introduced
The following are the newly introduced resources in the TotalCloud App.
Added Support for Gateway Load Balancers (GWLB) to AWS CDR
With this release, we are also introducing support for running Gateway Load Balancer endpoints for your CDR deployments. With GWLB support, you get the high availability, network load balancing and auto-scaling of a Network Load Balancer (NLB), along with a single traffic-mirror session for the VPCs of all your accounts. Setting up a GWLB saves you significant time compared with configuring traffic mirroring on every one of your networks.
New Insights
With this release, we have introduced support for new insight findings. These findings can greatly improve your threat prioritization.
CID | Cloud Provider | Insight Title |
---|---|---|
5000 | Azure | Public VM with TruRisk score > 800 |
5002 | Azure | Public VM with vulnerability type confirmed |
5005 | Azure | Suspicious communication on public VM |
5015 | Azure | Public VM with vulnerability detected in last 7 days |
5017 | Azure | Public VM with a critical exploitable vulnerability |
5019 | AWS | Critical exploitable vulnerability on Public VM with administrative privilege |
5020 | AWS | Publicly exposed VM with critical exploitable vulnerability has a risk of privilege escalation |
5021 | AWS | Suspicious communication on Publicly exposed VM with full access to RDS |
5022 | AWS | Critical exploitable vulnerability on public VM with destructive permissions for AWS KMS |
5023 | AWS | Risk of cloud log tampering on public VM with successful SSH brute-forcing |
5024 | AWS | Public Serverless Function with administrative privilege |
5025 | AWS | Public VM with the privilege to create IAM artifacts |
5026 | AWS | Risk of security group tampering on public and vulnerable VM with 'write' permission over security groups |
5027 | AWS | Malware detected on public and vulnerable VM with risky credential exposure permission |
5028 | AWS | IAM User with privilege escalation or administrative privilege have console access with MFA not enabled |
5029 | AWS | Public VM with data destructive permissions |
5030 | AWS | Public VM with elastic IP hijacking permissions |
5031 | AWS | Public VM allows access to decrypt secrets in Secrets Manager |
5032 | AWS | Public VM with AWS Organization management permissions |
5033 | AWS | Data breach risk due to a public serverless function with RDS database SQL query execution permissions |
5034 | AWS | Security group tampering risk due to a public serverless function |
New Tokens
With this release, we have introduced support for new tokens.
Provider and CID Tokens for Insights
These tokens for finding Insights are available on the Insights tab.
Navigate to Insights and search for the cloud provider you need.
Name | Description | Example |
---|---|---|
Provider | Displays Insight findings for AWS or Azure resources. | Provider: Azure |
CID | Displays Insights for the specified cloud resource CID. | CID: 5017 |
AWS CIEM Resource Tokens
These tokens for the new CIEM resources are available on the Inventory tab.
Navigate to Inventory, select AWS and open any of the new CIEM resources (IAM Users, IAM Group, IAM Role, IAM Policy, VPC Endpoint, VPC Endpoint Services) to use these tokens.
IAM Users
Name | Description | Example |
---|---|---|
iamuser.group.name | Find IAM users with a certain group name | iamuser.group.name: Admin |
iamuser.policy.arn | Find users with the policy Amazon Resource Name (ARN) of interest | iamuser.policy.arn: 'arn:aws:iam::383031258652:user/LOCAL_1234' |
iamuser.boundaryPolicy | Find the IAM user based on the provided boundary policy | iamuser.boundaryPolicy: DelegatedBoundaries |
iamuser.accesskey.id | Find the IAM user based on the provided access key ID | iamuser.accesskey.Id: AKIAIOSFODNN7EXAMPLE |
IAM Policy
Name | Description | Example |
---|---|---|
policy.type | Choose from the policy types AWS MANAGED and CUSTOMER MANAGED to find policies of the specified type | policy.type: CUSTOMER MANAGED |
policy.subType | Choose from the policy sub types GLOBAL and US_GOV to find policies of the specified sub type | policy.subType: GLOBAL |
IAM Group
Name | Description | Example |
---|---|---|
group.managedPolicy.arn | Find groups based on their managed policy ARN | group.managedPolicy.arn: aws-policy |
group.inlinePolicy.policyName | Find groups based on their inline policy name | group.inlinePolicy.policyName: inline-aws-policy |
IAM Role
Name | Description | Example |
---|---|---|
path | Find roles based on their path | path: "/" |
role.lastActivity.lastUsedDate | Use a date range or a specific date to find when the role was last used | role.lastActivity.lastUsedDate:[2018-01-01 ... 2018-03-01] |
VPC Endpoint
Name | Description | Example |
---|---|---|
vpcendpoint.vpc | Find VPC Endpoints by VPC ID | vpcendpoint.vpc: vpc-7b955c06 |
vpcendpoint.type | Find VPC Endpoints by type, such as 'Interface', 'Gateway' and 'Gateway Load Balancer' | vpcendpoint.type: Interface |
vpcendpoint.state | Find VPC Endpoints by state, such as 'Available', 'Deleted', 'Deleting' and 'Pending' | vpcendpoint.state: Available |
vpcendpoint.privatednsenabled | Find VPC Endpoints with private DNS enabled | vpcendpoint.privatednsenabled: true |
vpcendpoint.requestermanaged | Find VPC Endpoints with requester-managed set to true or false | vpcendpoint.requestermanaged: true |
vpcendpoint.ipaddresstype | Find VPC Endpoints by IP address type, ipv4 or ipv6 | vpcendpoint.ipaddresstype: ipv4 |
VPC Endpoint Services
Name | Description | Example |
---|---|---|
vpcendpointservice.type | Find VPC Endpoint Services by type, such as 'Interface', 'Gateway' and 'Gateway Load Balancer' | vpcendpointservice.type: Interface |
vpcendpointservice.ipaddresstype | Find VPC Endpoint Services by IP address type, ipv4 or ipv6 | vpcendpointservice.supportedIpAddressTypee:ipv4 |
vpcendpointservice.acceptancerequired | Find VPC Endpoint Services with acceptance set to required | vpcendpointservice.acceptancerequired: true |
vpcendpointservice.owner | Find VPC Endpoint Services based on the VPC owner | vpcendpointservice.owner:951386378875 |
Updated Mandates
With this release, we bring updates to a mandate.
Doc ID | Document Name | Publisher | Version |
---|---|---|---|
9685 | The NIST Cybersecurity Framework (CSF) | National Institute of Standards and Technology (NIST) | 2.0 |
Control Changes
Changes introduced to controls in this release.
Control Title Changes
AWS
CID | Old Title | New Title |
---|---|---|
2 | Ensure console credentials unused for 90 days or greater are disabled | Ensure console credentials unused for 45 days or greater are disabled |
14 | Ensure no root account access key exists | Ensure no root user account access key exists |
15 | Ensure MFA is enabled for the root account | Ensure MFA is enabled for the root user account |
50 | Ensure IAM policies that allow full administrative privileges are not created | Ensure IAM policies that allow full *:* administrative privileges are not attached |
55 | Ensure auto minor version upgrade is enabled for a RDS Database Instance | Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances |
433 | Ensure EC2 Instances are using IAM Roles | Ensure IAM instance roles are used for AWS resource access from instances |
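As an added illustration (not Qualys TotalCloud's own control logic), the following Python shows what the two most substantive retitlings above check: CID 2 now flags console credentials unused for 45 days or more rather than 90, and CID 50 now looks for full `*:*` administrative policies that are attached rather than merely created. The credential-report rows and policy documents are constructed sample data.

```python
import csv
import io
import json
from datetime import datetime, timedelta

STALE_DAYS = 45  # CID 2 threshold in this release (previously 90)
# Constructed excerpt of an IAM credential report (relevant columns only).
CREDENTIAL_REPORT = """user,password_enabled,password_last_used
alice,true,2024-05-01T09:12:00+00:00
bob,true,2024-02-10T17:40:00+00:00
carol,false,N/A
dave,true,no_information
"""
# Constructed customer-managed policies with their attachment counts.
POLICIES = [
    {"name": "AdminEverything", "attachment_count": 2, "document":
     '{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}'},
    {"name": "UnusedAdmin", "attachment_count": 0, "document":
     '{"Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}'},
    {"name": "S3Only", "attachment_count": 5, "document":
     '{"Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}}'},
]

def stale_console_users(report_csv, now_iso, max_days=STALE_DAYS):
    """CID 2: enabled console passwords unused for >= max_days (never used counts)."""
    now = datetime.fromisoformat(now_iso)
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        last = row["password_last_used"]
        never_used = last in ("N/A", "no_information")
        if row["password_enabled"] == "true" and (never_used or
                now - datetime.fromisoformat(last) >= timedelta(days=max_days)):
            stale.append(row["user"])
    return stale

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows_full_admin(policy_json):
    """True if any Allow statement grants Action '*' on Resource '*'."""
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        if (st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action", []))
                and "*" in _as_list(st.get("Resource", []))):
            return True
    return False

def attached_full_admin_policies(policies):
    """CID 50: only policies that are actually attached count as findings."""
    return [p["name"] for p in policies
            if p["attachment_count"] > 0 and allows_full_admin(p["document"])]
```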
Azure
CID | Old Title | New Title |
---|---|---|
50004 | Ensure that Automatic provisioning of monitoring agent is set to On | Ensure that Auto provisioning of Log Analytics agent for Azure VMs is set to On |
50015 | Ensure that Azure Defender is set to On for Servers | Ensure that Microsoft Defender for Servers is set to On |
50035 | Ensure that Azure Active Directory Admin is configured for a SQL Server | Ensure that Microsoft Entra authentication is configured for SQL Servers |
50050 | Ensure that Register with Azure Active Directory is enabled on web App Service | Ensure that Register with Entra ID is enabled on App Service |
50073 | Ensure that no custom subscription owner roles are created | Ensure that no custom subscription Administrator Roles exist |
50079 | Ensure that Azure Defender is set to On for Azure SQL database servers | Ensure that Microsoft Defender for Azure SQL Databases is set to On |
50080 | Ensure that Azure Defender is set to On for App Service | Ensure that Microsoft Defender for App Services is set to On |
50081 | Ensure that Azure Defender is set to On for App Service | Ensure that Microsoft Defender for Storage is set to On |
50099 | Ensure that Azure Cosmos DB accounts have firewall rules | Ensure that Azure Cosmos DB accounts Firewalls and Networks is limited to use Selected Networks instead of All Networks |
50140 | Ensure that Azure Defender is set to On for Container Registries | [LEGACY] Ensure that Microsoft Defender is set to On for Container Registries |
50141 | Ensure that Azure Defender is set to On for Key Vault | Ensure that Microsoft Defender for Key Vault is set to On |
50172 | Ensure that Azure Defender is set to On for Open-Source Relational Databases | Ensure that Microsoft Defender for Open-Source Relational Databases is set to On |
50197 | Ensure that Azure Defender for DNS is enabled | [LEGACY] Ensure that Microsoft Defender for DNS is set to On |
50226 | Ensure that Azure Defender for Resource Manager is enabled | Ensure that Microsoft Defender for Resource Manager is set to On |
50231 | Ensure that Azure Defender is set to On for SQL servers on machines | Ensure that Microsoft Defender for SQL Servers on Machines is set to On |
50240 | Ensure that PostgreSQL server has infrastructure encryption enabled | Ensure Infrastructure double encryption for PostgreSQL Database Server is Enabled |
50360 | Ensure that Azure Defender is set to On for Azure Cosmos DB | Ensure that Microsoft Defender for Azure Cosmos DB is set to On |
New Controls in CIS Microsoft Azure Foundation Benchmark Policy
CID | Title | Service | Resource |
---|---|---|---|
40049 | Ensure Compute Instance Legacy Metadata service endpoint is disabled | COMPUTE | INSTANCE |
40042 | Ensure customer created Customer Managed Key (CMK) is rotated at least annually | VAULT | KEY |
50461 | Ensure that Public Network Access is Disabled for storage accounts | STORAGE_ACCOUNT | STORAGE_ACCOUNT |
50462 | Ensure that Allow Blob Anonymous Access is set to Disabled | STORAGE_ACCOUNT | STORAGE_ACCOUNT |
New Controls in GCP Best Practices Policy
CID | Title | Service | Resource |
---|---|---|---|
52139 | Ensure Dataproc Clusters are not using Default VPC | DATAPROC | DATAPROC_CLUSTER |
New Controls in CIS Oracle Cloud Infrastructure Foundation Benchmark Policy
CID | Title | Service | Resource |
---|---|---|---|
40049 | Ensure Compute Instance Legacy Metadata service endpoint is disabled | COMPUTE | INSTANCE |
40042 | Ensure customer created Customer Managed Key (CMK) is rotated at least annually | VAULT | KEY |
Control Migrations
Controls | Source Policy | Destination Policy |
---|---|---|
CID 50013, 50044, 50221, 50349, 50350 | Azure Best Practice Policy | Azure Database Policy |
CID 50058, 50227, 50341 | Azure Best Practice Policy | Azure Function App Policy |
CID 21, 22 | CIS AWS Foundations Benchmark | AWS Best Practice Policy |
CID 50458 | Azure Best Practices Policy | CIS Microsoft Azure Foundations Benchmark |
CID 50240 | Azure Database Service Best Practices Policy | CIS Microsoft Azure Foundations Benchmark |
CID 50012, 50049, 50076, 50082, 50083 | CIS Microsoft Azure Foundations Benchmark | Azure Best Practices Policy |
Issues Addressed
- We updated the detection logic of the following controls to resolve false positive cases: CID 26, 53, 187, 231, 294, 438, 50082, 50325.
- We updated the control logic of CID 231 to comply with the latest AWS Best Practices standards.
- We updated the control logic of CID 52116 so that following the recommended remediation steps results in a PASS.
- We fixed an issue where CID 52002 continued to evaluate a deleted service account and showed FAIL results for its controls.
- We fixed an issue where the assessment reports for Azure, GCP and OCI resources returned empty CSV files when the search query contained the resourceType token.
- We fixed an issue where the "TotalCloud with FlexScan" widget from the widget library produced 404 errors when clicked for the detailed view.
- We fixed an issue where the vulnerabilities view on the Insights listing screen failed to display data.
- We fixed an issue where IAM users were falsely associated with the North Virginia region. They are now associated with the Global region.