Cracking the Complexities of Cloud Compliance

Want to know more about this topic? Watch the Webinar Cracking the Complexities of Cloud Compliance, with Kaholo and Lacework.

Use Auto Remediation with Lacework and Kaholo to easily fulfill your Cloud Security requirements.

What is Auto Remediation?

In order to understand what Auto Remediation is and how it can help you, we need to start with a definition of Auto Remediation itself:

Auto Remediation is the practice of responding to events and alerts with automated steps that fix or remediate the underlying conditions and misconfigurations without anyone having to intervene. An Auto Remediation can trigger a CLI command, a serverless function, a Terraform run or an API call to remediate alerts detected by Lacework. Automating remediation can be easy or complex, depending on the alert and on the context correlated with the necessary remediation steps.

It is important to point out that Auto Remediation is difficult to deploy in highly complex, highly dynamic cloud environments. There is a real chance that an automated process will break the build process, and unexpected downtime is costly. Implementing Auto Remediation correctly is a maturity stage that organizations reach for well-defined use cases, by automating a workflow that not only remediates but also uses code, notifications and, of course, solid data to power it.

Why should I use auto remediation?

We live in a complex world of multi-cloud environments. The cloud itself isn’t as easy as it was sold to us. By adopting the cloud, cloud native applications and modern technology such as Kubernetes, containers and serverless applications, you also adopt a great deal of complexity with many potential security risks. All of these services need to meet your security and compliance regulations. Your target should be to secure as much as possible, as well as possible, independent of the industry and compliance regulations you need to fulfill.

Auto Remediation means automating the steps needed to correct the alert event detected by Lacework without any human interaction. Remediation can be partially or fully automated in order to help fix specific alerts.

The MTTR (Mean Time to Recover or Restore) should be as short as possible so that the risk does not increase. A misconfiguration or bad behaviour of your application(s) can lead to outages, stolen customer data and a headline story about your company in the newspaper.

Why Lacework and Kaholo?

Lacework and Kaholo are a perfect match!

Lacework uses data warehouse technology (Snowflake) and machine learning to reduce the number of false positive events and create high quality alerts (events). These events, alerts and compliance reports from Lacework include a lot of high quality contextual information that can be used to automate the necessary remediation steps.

Kaholo is an easy and intuitive low code workflow engine that makes it easy to create almost any automation process, including advanced ones. On top of that you get central visibility into all automation processes with “Kaholo Maps”, a visual representation of the automation. Instead of simply triggering a single CLI command, a single API call or a serverless function, it allows the creation of complex workflows that might be necessary for specific auto remediation steps.

How does it work?

We created two Kaholo Plugins to enable the Integration between Lacework and Kaholo:

  1. The Lacework Trigger Plugin enables Kaholo to listen for Lacework specific alerts. It then filters and selects which automation map needs to be started inside of Kaholo based on the information sent via the Lacework Webhook channel.
  2. The Lacework Plugin enables Kaholo to Get Details about Events sent by the Lacework Webhook channel and also enables Kaholo users to get Compliance Report details for remediation.

With these two plugins the following integration examples are possible:

Auto Remediation via Webhook alerts

Lacework and Kaholo - AutoRemediation via Webhook

  1. The Lacework Platform is collecting the necessary Cloud and Workload Data.
  2. The Lacework Machine Learning algorithms learn the normal behaviour of cloud user and workload activity by using the Polygraph technology and comparing cloud resources against compliance frameworks.
  3. In case of an alert, Lacework sends the necessary event details via the Webhook Alert channel.
  4. The Kaholo Lacework Trigger is reading out the event_source and
  5. The triggered Kaholo Map reads out the specific Event Data and Context by using the Method “Get event details” of the Lacework Plugin. This data can be used within the triggered map.
  6. The Kaholo Map carries out all the necessary Auto Remediation steps by using the CLI commands of the cloud providers and Kaholo objects.
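
The routing decision in steps 4 to 6, sketched as an added example (not Kaholo or Lacework code): it selects a map by `event_source` and only allows a fully automated fix for sources approved as well-defined use cases, falling back to notify-only otherwise. Only the `event_source` field name comes from this page; `event_id`, the source values, the map names and the sample payload are assumptions constructed for illustration.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Hypothetical map names, keyed by constructed event_source values.
ROUTES = {
    "AWSCompliance": "remediate-aws-compliance",
    "AWSCloudTrail": "review-cloudtrail-activity",
}
# Sources for which a fully automated fix is an approved, well-defined use case.
AUTO_APPROVED = {"AWSCompliance"}

# Constructed sample webhook body (not a captured Lacework payload).
SAMPLE = b'{"event_source": "AWSCompliance", "event_id": "1001"}'


@dataclass
class Decision:
    map_name: Optional[str]  # map to start, None if nothing matches
    mode: str                # "auto", "notify" or "ignore"
    reason: str


def route_alert(raw_body: bytes, seen_ids: set) -> Decision:
    """Pick a map for one alert; fall back to notify-only whenever in doubt."""
    try:
        alert = json.loads(raw_body)
    except ValueError:  # malformed JSON or invalid UTF-8
        return Decision(None, "ignore", "body is not JSON")
    if not isinstance(alert, dict):
        return Decision(None, "ignore", "unexpected payload shape")

    source = alert.get("event_source")
    event_id = alert.get("event_id")  # assumed field name
    if not isinstance(source, str) or source not in ROUTES:
        return Decision(None, "notify", "no map for this event_source")
    if not isinstance(event_id, str) or event_id in seen_ids:
        # Webhooks can be redelivered; never remediate the same event twice.
        return Decision(ROUTES[source], "notify", "missing or repeated event_id")
    seen_ids.add(event_id)

    if source in AUTO_APPROVED:
        return Decision(ROUTES[source], "auto", "approved use case")
    return Decision(ROUTES[source], "notify", "source not approved for auto fix")


if __name__ == "__main__":
    seen = set()
    print(route_alert(SAMPLE, seen))  # first delivery: automated map
    print(route_alert(SAMPLE, seen))  # redelivery: notify only
```
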

Auto Remediation via Compliance reports

Lacework Kaholo Webinar - Auto Remediation via Compliance

  1. The Lacework Platform is collecting the necessary Cloud and Workload Data.
  2. The Lacework Machine Learning algorithms learn the normal behaviour of cloud user and workload activity by using the Polygraph technology and comparing cloud resources against compliance frameworks.
  3. A Kaholo user can trigger any of the Kaholo Maps that are using the Lacework Plugin at any time or schedule them within Kaholo.
  4. The Kaholo Lacework Trigger reads out the Report Data via the Method GetLatest AWSComplianceReportDetails, which collects the latest Compliance Report for a specific AWS account id. It can retrieve all the details of the latest compliance reports for:
    • AWS NIST 800-171 Report
    • NIST_800-171_Rev2
    • AWS NIST 800-53 Report
    • AWS HIPAA Report
    • AWS SOC 2 Report
    • AWS PCI DSS Report
  5. The Kaholo Map is using the information about the compliance report, executing all the necessary Auto Remediation steps for the specific map by using the CLI commands of the cloud providers and Kaholo objects.

How to start? And how can I contribute?

First of all you need to have a Lacework and a Kaholo instance. For Lacework support please contact us here and the Kaholo team is available here. Lacework is a SaaS offering only. Kaholo can be used either On Premise or as a SaaS deployment.

  1. The first step is to set up the Webhook channel inside Lacework to forward Alerts to Kaholo.
  2. Inside the Kaholo instance you need to install the Kaholo Lacework Trigger and the Lacework Plugin.
  3. The Kaholo Plugin itself needs to be configured with:
  4. Create a new Project inside Kaholo (example Lacework – AutoRemediation) as a collection for the different auto remediation maps.
  5. Start to import the necessary maps from the maps available.

The example maps are available as part of a private Github repository that is managed as a community project and will be published in the future. If you need to get access to it please reach out to the Lacework or Kaholo team.
