Palo Alto Redlock and Public Cloud Threat Defense

With more and more organizations moving towards a multi-cloud approach, it often requires some changes in our toolbox to ensure security, governance and compliance across different cloud providers. Within this market there is also a growing set of vendors that want to provide this cross-cloud security ecosystem, some of which I have written about previously, such as Nutanix Beam (https://msandbu.org/walktrough-of-nutanix-beam-and-features/).

NOTE: This post is mostly about using RedLock with Microsoft Azure.

One of the good sides of Beam is that it also covers cost usage, but it did support Google Cloud among other things. Therefore I wanted to take a closer look at Palo Alto's latest acquisition, RedLock.

RedLock labels itself as a Cloud Threat Defense product, which integrates with the three big cloud vendors: Azure, Google Cloud and AWS.

For me the simplest was to integrate with Azure. It required a wider set of credentials to gain access to audit logs, network flow logs and such (docs: https://support.redlock.io/hc/en-us/articles/360001007751-Manual-Azure-account-onboarding ). After giving it the right access, it started to populate with the resources in the subscription. RedLock also comes with a set of predefined policies and configurations that it looks for.

An example of a GCP Kubernetes policy check

It also comes with predefined compliance reports based upon CIS, GDPR and such.

After connecting it directly to one of my test subscriptions, it automatically detects any mismatches in the configuration and creates an alert, based upon the default Azure policies that are defined.

For each of the alerts it also contains a set of steps for remediation, where some can be configured with automatic remediation. Out of the box RedLock has a large set of extra policies/alerts that Azure Advisor / Security Center does not provide yet.

Besides integration with Azure, GCP and AWS, RedLock also has some integrations with other products, such as Slack, Qualys, Splunk and so on, for alert forwarding, logging and such.

With the Qualys integration, for instance, we can get alerts on the vulnerability data from Qualys and correlate it with resources that are receiving traffic from the Internet or suspicious IPs AND have critical host vulnerabilities.

Qualys Network RQL

One of the niftier features is that it can process NSG flow logs from Azure and, based upon those, create a visualization of the traffic pattern. In this example I have a honeypot which for some reason is quite popular in Asia.
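As an added example (not RedLock's code and not from the original post), here is how one might parse Azure NSG flow log records and summarize allowed inbound flows from external sources, which is the raw material behind that kind of traffic visualization. The flow log JSON is a constructed sample in the version 2 layout, the rule name is hypothetical, and the internal address ranges are an assumption.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample in the Azure NSG flow log version 2 layout (not captured data).
# Tuple fields: time,srcIp,dstIp,srcPort,dstPort,proto,direction(I/O),decision(A/D),
# flowState(B/C/E),pktsSrcToDst,bytesSrcToDst,pktsDstToSrc,bytesDstToSrc
SAMPLE_NSG_FLOW_LOG = json.dumps({"records": [{
    "time": "2018-10-20T10:00:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [{
        "rule": "DefaultRule_AllowInternetInBound",  # hypothetical rule name
        "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1540029600,203.0.113.10,10.0.0.4,51200,22,T,I,A,B,,,,",
            "1540029601,203.0.113.10,10.0.0.4,51201,22,T,I,A,B,,,,",
            "1540029602,198.51.100.7,10.0.0.4,44444,3389,T,I,A,B,,,,",
            "1540029603,10.0.0.5,10.0.0.4,40000,22,T,I,A,B,,,,",
            "1540029604,192.0.2.9,10.0.0.4,40001,445,T,I,D,B,,,,",
        ]}]}]}}]})

# Assumed internal ranges (VNet / on-prem); anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flow_tuples(raw_json):
    """Yield one dict per flow tuple across all records and rules in a flow log blob."""
    for record in json.loads(raw_json)["records"]:
        for rule in record["properties"]["flows"]:
            for flow in rule["flows"]:
                for tup in flow["flowTuples"]:
                    f = tup.split(",")
                    yield {"rule": rule["rule"], "src": f[1], "dst": f[2],
                           "dst_port": int(f[4]), "proto": f[5],
                           "direction": f[6], "decision": f[7]}

def inbound_external_summary(raw_json):
    """Count allowed inbound flows from external sources, keyed by (src, dst_port)."""
    counts = Counter()
    for f in parse_flow_tuples(raw_json):
        if f["direction"] == "I" and f["decision"] == "A" and not is_internal(f["src"]):
            counts[(f["src"], f["dst_port"])] += 1
    return counts

if __name__ == "__main__":
    for (src, port), n in inbound_external_summary(SAMPLE_NSG_FLOW_LOG).most_common():
        print(f"{src:>16} -> port {port:<5} {n} allowed inbound flow(s)")
```

Denied flows and traffic from the internal ranges are dropped on purpose, so what remains is the "who from the Internet is reaching which port" view a honeypot owner would want to chart.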

What’s missing?

Even though RedLock is not a SIEM tool, I would love for it to have audit history as an option, to be able to see in detail the changes to resources that have happened in a cloud environment. Secondly, I would like some more integrations with ITSM tools like ServiceNow to forward alerts that occur, rather than having everything inside the portal itself.

I was also a bit surprised, when looking into the resources that were discovered, that it did not detect resources that had been deleted from the subscription. This was a resource group that I deleted, but it was not reflected inside the dashboard when I was looking at the Audit Trail.

I would also like some better integrations with Azure Security Center or the Security Graph API (from a Microsoft perspective) so we can get all those security events into one place. Looking at their release notes, they have had a steady pace of new functionality being added to the platform, and my opinion is that this will only increase now after the acquisition by Palo Alto, where RedLock will fill a gap that Palo Alto did not cover before, namely a cloud-based / cloud-native security platform.

//Stay tuned for more.
