CloudHealth Secure State 2019 What's New | 09 DEC 2021

Check for additions and updates to these release notes.

Update to Explore Searches — Introducing Layers

December 5, 2019

VMware Secure State Explore was introduced to enable you to understand the topology of your cloud environments. Now we are introducing the ability to “layer” security information on top of the Explore searches so that you can quickly identify areas of greater risk. In this example query, you see two bucket objects with “FULL_CONTROL” permissions. Enabling Layers on these buckets provides additional context such as risk scores and change activity. With this context you can investigate further and determine the necessary remediation steps. To try Layers, navigate to Explore.

For more background on Explore, see the following blog post: https://www.cloudhealthtech.com/blog/hunting-down-public-cloud-security-risks

Secure State Splunk App is available on Splunkbase

December 2, 2019

VMware Secure State for Splunk App combines the power of Secure State's revolutionary interconnected cloud security model with Splunk's comprehensive analytics and reporting engine, providing information security teams deep insight into their cloud security and compliance posture. With the VMware Secure State API, you can export security findings and review them within the system of your choice. For example, users of VMware Secure State in the Security Operations Center often pipe rules and findings to SIEM solutions such as Splunk. This integration helps them aggregate insights across on-premises and public cloud environments and improve their understanding of public cloud security posture, without having to browse multiple platforms. We now offer a free Splunk app that takes away all the scripting effort and makes it possible to set up this integration within minutes.

To check out the new app on Splunkbase visit: https://splunkbase.splunk.com/app/4799/

To learn more about VMware Secure State APIs visit: https://api.securestate.vmware.com/findings

Custom Rules – Public Beta

November 25, 2019

VMware Secure State ships with hundreds of predefined rules that codify provider specific best practices, cloud-native security, and compliance checks. However, many organizations need to define custom rules to meet their business’ unique governance needs or target rules specific to their environment context.

The custom rules capability builds upon Explore, enabling you to define new rules that extend your organization's security and compliance policies not addressed by native VMware Secure State rules. The custom rule wizard can be kicked off from Explore or from the Rules Management Page.

Explore Asset Relationships and Build Custom Rules For Azure Cloud

November 7, 2019

Explore and Custom Rules capabilities were introduced as beta in late September for AWS. VMware Secure State now supports Microsoft Azure subscriptions in Explore. Create ad-hoc queries to search cloud infrastructure and turn them into custom rules to expand continuous monitoring for AWS and now Azure environments. The example below shows a simple search query to discover all Azure virtual machines with unencrypted disks.

Object Risk Score now factors in AWS GuardDuty threats

November 7, 2019

AWS GuardDuty rules have been updated to point to the appropriate corresponding cloud object (i.e. instance, user, etc.). The Object Risk Score now includes these threat findings in the calculation, further helping to identify the highest risk objects. You may have noticed that the previously generated findings have been set to resolved and new findings centered on the appropriate cloud object were created. Below are the rules impacted:

Rule Name (Rule ID)

  • An API was invoked from a Pentoo Linux EC2 instance (459a0ffb-e342-4019-a4ce-041cb568a327)
  • An instance is communicating with IP addresses that are involved in cryptocurrency activity (5c8c25bc7a550e1fb6560b79)
  • An instance is communicating with DNS addresses that are involved in cryptocurrency activity (5c8c25bd7a550e1fb6560b7a)
  • An EC2 instance is communicating with a black hole IP address (5c8c25bd7a550e1fb6560b7b)
  • An instance is querying DNS for a black hole IP address (5c8c25be7a550e1fb6560b7c)
  • An instance is querying DNS for the address of a known botnet command and control host (5c8c25bf7a550e1fb6560b7d)
  • A CloudTrail log has been deleted or disabled (5c8c25c07a550e1fb6560b7e)
  • An EC2 instance has been launched by a user who does not fit the established pattern (5c8c25c07a550e1fb6560b7f)
  • A user has logged in to the AWS console in a way that does not fit the established pattern (5c8c25c17a550e1fb6560b80)
  • A user has logged in to the AWS console from more than one location in a short period of time (5c8c25c27a550e1fb6560b81)
  • An EC2 instance has queried DNS for domain names that were algorithm-generated (5c8c25c37a550e1fb6560b82)
  • An EC2 instance has queried DNS for a known algorithm-generated domain name (5c8c25c47a550e1fb6560b83)
  • An EC2 instance has sent a DNS request that contains extraneous data (5c8c25c57a550e1fb6560b84)
  • An EC2 instance has queried DNS for a domain name that is associated with "drive-by" downloads (5c8c25c57a550e1fb6560b85)
  • An EC2 instance has attempted to communicate with a host that is a known malware drop point (5c8c25c67a550e1fb6560b86)
  • An EC2 instance has attempted to query DNS for a host that is a known malware drop point (5c8c25c77a550e1fb6560b87)

  • An API call was made from outside EC2 using temporary credentials (5c8c25c87a550e1fb6560b88)
  • An API call was made to your account from a Kali Linux system (5c8c25c97a550e1fb6560b89)
  • A user made logging configuration changes to your AWS account (5c8c25c97a550e1fb6560b8a)
  • An API call was made from an IP address that Amazon has previously identified as a threat (5c8c25ca7a550e1fb6560b8b)
  • AWS GuardDuty MaliciousIPCaller - Unauthorized IAMUser (5c8c25cb7a550e1fb6560b8c)
  • An API call was made from an IP address that you previously identified as a threat (5c8c25cc7a550e1fb6560b8d)
  • An EC2 instance communicated with an IP address that you previously identified as a threat (5c8c25cd7a550e1fb6560b8e)
  • An IAM modification API call was made from an IP address that you previously identified as a threat (5c8c25cd7a550e1fb6560b8f)
  • A user has made network configuration changes in a way that does not fit the established pattern (5c8c25ce7a550e1fb6560b90)
  • A user has made API calls to read network configurations in a way that does not fit the established pattern (5c8c25cf7a550e1fb6560b91)
  • An EC2 instance has communicated on an unusual port (5c8c25d07a550e1fb6560b92)
  • The AWS account password policy was deleted or weakened (5c8c25d17a550e1fb6560b93)
  • An EC2 instance has queried DNS for a domain name associated with phishing activity (5c8c25d27a550e1fb6560b94)
  • An EC2 instance has an open port that is being probed by a known malicious host (5c8c25d37a550e1fb6560b95)
  • An EC2 instance appears to have performed a port scan (5c8c25d37a550e1fb6560b96)
  • An EC2 instance appears to have been targeted in a Remote Desktop brute force attack (5c8c25d47a550e1fb6560b97)
  • A user without a history of similar activity has modified IAM user permissions (5c8c25d57a550e1fb6560b98)
  • A user without a history of similar activity has read the permissions of an IAM user (5c8c25d67a550e1fb6560b99)
  • An EC2 instance has communicated on the SMTP port (5c8c25d77a550e1fb6560b9a)
  • An EC2 instance appears to have been targeted in a Secure Shell brute force attack (5c8c25d87a550e1fb6560b9b)
  • An EC2 instance is communicating with a Tor gateway (5c8c25d97a550e1fb6560b9c)
  • An EC2 instance has received traffic from the Tor network (5c8c25da7a550e1fb6560b9d)
  • An EC2 instance has received an API call from the Tor network requesting configuration information (5c8c25da7a550e1fb6560b9e)
  • An EC2 instance has received an API call from the Tor network (5c8c25db7a550e1fb6560b9f)
  • An EC2 instance is generating traffic that suggests that it is acting as a Tor relay (5c8c25dc7a550e1fb6560ba0)
  • An EC2 instance has generated an unusual amount of network traffic (5c8c25dd7a550e1fb6560ba1)
  • A user has made changes to IAM users, groups, or policies in a manner inconsistent with prior activity (5c8c25df7a550e1fb6560ba3)
  • A user has made an API call to read permissions data in a manner inconsistent with prior activity (5c8c25e07a550e1fb6560ba4)
  • An EC2 instance has communicated with an IP address associated with XorDDoS malware (5c8c25e17a550e1fb6560ba5)
  • An EC2 instance is behaving in a manner that may indicate it is being used to perform a Denial of Service (DoS) attack using the DNS protocol (64968c2d-570f-4120-812d-12b6ad5ee8ae)
  • An API was invoked from a Parrot Security Linux EC2 instance (8352c2fa-7d2f-43f1-8a4f-6aadf7155835)
  • An EC2 instance is behaving in a manner that may indicate it is being used to perform a Denial of Service (DoS) attack using an unusual protocol (9d7ca87e-1855-4b7a-9922-03bf18042707)
  • An EC2 instance is behaving in a manner that may indicate it is being used to perform a Denial of Service (DoS) attack using the TCP protocol (9d8f976e-b176-41ce-a508-893dfe5683ad)
  • EMR-related sensitive port on an EC2 instance has an unprotected port that is being probed by a known malicious host (ad3b8e5b-ccdb-4fbf-8ef0-e7669c11a566)
  • An EC2 instance is behaving in a manner that may indicate it is being used to perform a Denial of Service (DoS) attack using the UDP protocol (b49aa37a-0a1c-4f72-bc2f-cb5e8c844d42)
  • An EC2 instance is behaving in a manner that may indicate it is being used to perform a Denial of Service (DoS) attack using the UDP protocol on a TCP port (b97fef10-549f-46c8-b6fc-397fffd88d9a)
  • A principal has attempted to assign a highly permissive policy to themselves. This behavior is associated with a privilege escalation attack (d114cb8e-516f-4770-a181-67092937c798)
  • An API was invoked using root credentials (fb55db19-fd87-44f5-a696-b51c137b62ad)

Compliance Dashboard Now Supports Filtering by Cloud Accounts & Tags

November 7, 2019

The Compliance Dashboard provides a helpful overview of your cloud’s compliance posture across multiple frameworks. VMware Secure State now supports filtering on the Compliance Dashboard. This is a simple way to see the compliance posture of a specific account, a set of accounts, or by cloud tag. From the dashboard, users can continue to drill down to specific findings. Try it here: https://app.securestate.vmware.com/main/compliance

New Rules To Monitor S3 Encryption Settings

October 22, 2019

Introducing three new rules to monitor encryption settings on your Amazon S3 buckets. Please log in to VMware Secure State and refer to the rules list for more details.

  • An S3 bucket default encryption is not enabled
  • An S3 bucket does not enforce Server-Side Encryption (SSE)
  • An S3 bucket is not encrypted with customer provided KMS key
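The three rules above map onto two bucket properties: the default encryption configuration (checks 1 and 3) and a bucket policy that rejects unencrypted uploads (check 2). The following is an added example, not VMware Secure State's own rule logic, that evaluates those checks offline. The input shapes mimic what the AWS GetBucketEncryption and GetBucketPolicy APIs return; the sample buckets, key ARN and account number are constructed here. "Customer provided KMS key" is interpreted as an SSE-KMS default rule that names a key other than the AWS-managed aws/s3 key, which is an assumption.

```python
"""Evaluate an S3 bucket against the three encryption rules named above.
Added example (not product code). Inputs follow the shapes returned by the AWS
GetBucketEncryption and GetBucketPolicy APIs; all sample data is constructed."""
import json
from typing import Optional

RULE_DEFAULT_ENCRYPTION = "An S3 bucket default encryption is not enabled"
RULE_ENFORCE_SSE = "An S3 bucket does not enforce Server-Side Encryption (SSE)"
RULE_CUSTOMER_KMS = "An S3 bucket is not encrypted with customer provided KMS key"


def _default_rules(encryption_config: Optional[dict]) -> list:
    # GetBucketEncryption raises ServerSideEncryptionConfigurationNotFoundError
    # when nothing is configured; that case is modelled here as None.
    if not encryption_config:
        return []
    return encryption_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])


def default_encryption_enabled(encryption_config: Optional[dict]) -> bool:
    """Check 1: at least one default-encryption rule exists."""
    return any("ApplyServerSideEncryptionByDefault" in r for r in _default_rules(encryption_config))


def uses_customer_managed_kms_key(encryption_config: Optional[dict]) -> bool:
    """Check 3: the default rule is SSE-KMS and names a key other than the
    AWS-managed aws/s3 key. Assumption: a key ARN or ID that is not the aws/s3
    alias is customer managed (a full check would call KMS DescribeKey)."""
    for rule in _default_rules(encryption_config):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") != "aws:kms":
            continue
        key = default.get("KMSMasterKeyID", "")
        if key and key != "aws/s3" and not key.endswith("alias/aws/s3"):
            return True
    return False


def policy_enforces_sse(bucket_policy_json: Optional[str]) -> bool:
    """Check 2: a Deny statement on s3:PutObject with the standard
    Null condition on s3:x-amz-server-side-encryption, which rejects uploads
    that carry no server-side encryption header."""
    if not bucket_policy_json:
        return False
    statements = json.loads(bucket_policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Deny":
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("s3:PutObject", "s3:*", "*") for a in actions):
            continue
        null_cond = st.get("Condition", {}).get("Null", {})
        if str(null_cond.get("s3:x-amz-server-side-encryption", "")).lower() == "true":
            return True
    return False


def evaluate_bucket(encryption_config: Optional[dict], bucket_policy_json: Optional[str]) -> list:
    """Return the rule names the bucket violates, in the order listed above."""
    violations = []
    if not default_encryption_enabled(encryption_config):
        violations.append(RULE_DEFAULT_ENCRYPTION)
    if not policy_enforces_sse(bucket_policy_json):
        violations.append(RULE_ENFORCE_SSE)
    if not uses_customer_managed_kms_key(encryption_config):
        violations.append(RULE_CUSTOMER_KMS)
    return violations


# Constructed sample configurations (not real buckets or keys).
NO_ENCRYPTION = None
AES256_DEFAULT = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
CMK_DEFAULT = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}}
ENFORCE_SSE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnencryptedObjectUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]})

if __name__ == "__main__":
    for name, enc, pol in (("legacy-bucket", NO_ENCRYPTION, None),
                           ("aes-bucket", AES256_DEFAULT, None),
                           ("cmk-bucket", CMK_DEFAULT, ENFORCE_SSE_POLICY)):
        print(name, evaluate_bucket(enc, pol) or "compliant")
```

The AES256 sample shows why the three rules are distinct: default encryption is on, but nothing stops a client from uploading with encryption disabled on a per-request basis, and the data is protected by the AWS-managed key rather than one the account controls and can audit through CloudTrail.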

Now Send Security Alerts To Amazon SQS

October 22, 2019

Secure State now supports sending alerts to Amazon’s message queuing service, Amazon SQS. This can be configured on the Integrations page in the VMware Secure State portal. The SQS integration expands beyond the existing Slack and email integrations available within VMware Secure State today. With SQS, you can now communicate at near real-time speed with other applications and take action when a new security finding is discovered within the service.

API Updates To Simplify Investigation and Sharing of Findings Results

October 22, 2019

A second version of the Findings API is now available. In version 2, the “cloudAccountId” property now refers to the cloud provider’s given cloud account ID versus Secure State’s internal ID. We have also added a new “id” field that represents the unique ID of a finding. These changes make it easier to quickly identify the cloud accounts associated with security findings, investigate issues and share results. Support for version 1 of the Findings API ends on December 2, 2019. Please refer to the API documentation (login not necessary) for more details.
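A consumer that was written against version 1 will keep running against version 2 but group findings under the wrong key, because the same property name now carries a different identifier. The following added example (not VMware Secure State code) deduplicates findings by the new "id" field and groups them by "cloudAccountId", and it fails loudly when a record is missing "id" or its account ID does not look like an AWS account number or Azure subscription ID. Only the two field names come from the release note; the other fields, the sample records and the account identifiers are constructed.

```python
"""Group Findings API v2 results by provider cloud account.
Added example; the field names 'id' and 'cloudAccountId' come from the
release note, everything else here is constructed for offline use."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Provider account identifiers: AWS account numbers are 12 digits,
# Azure subscription IDs are GUIDs.
_AWS_ACCOUNT_ID = re.compile(r"^\d{12}$")
_AZURE_SUBSCRIPTION_ID = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)


def looks_like_provider_account_id(value: str) -> bool:
    """True when the value has the shape of an AWS or Azure account identifier."""
    return bool(_AWS_ACCOUNT_ID.match(value) or _AZURE_SUBSCRIPTION_ID.match(value))


def group_findings_by_account(findings: Iterable[dict]) -> Dict[str, List[str]]:
    """Return {cloudAccountId: [finding id, ...]} with duplicates removed.

    Raises ValueError for records that lack the v2 'id' field or whose
    cloudAccountId is not a provider account ID, so a consumer still pointed at
    v1-shaped data does not silently file findings under internal IDs."""
    seen = set()
    grouped: Dict[str, List[str]] = defaultdict(list)
    for finding in findings:
        finding_id = finding.get("id")
        if not finding_id:
            raise ValueError("finding without 'id': not a v2 Findings API record")
        account = str(finding.get("cloudAccountId", ""))
        if not looks_like_provider_account_id(account):
            raise ValueError(f"cloudAccountId {account!r} is not a provider account ID")
        if finding_id in seen:          # overlapping pages return the same finding twice
            continue
        seen.add(finding_id)
        grouped[account].append(finding_id)
    return dict(grouped)


# Constructed sample records (ids, account numbers and rule names are made up).
SAMPLE_V2_FINDINGS = [
    {"id": "finding-0001", "cloudAccountId": "111122223333", "ruleName": "example rule A"},
    {"id": "finding-0001", "cloudAccountId": "111122223333", "ruleName": "example rule A"},
    {"id": "finding-0002", "cloudAccountId": "111122223333", "ruleName": "example rule B"},
    {"id": "finding-0003", "cloudAccountId": "12345678-1234-1234-1234-123456789abc",
     "ruleName": "example rule C"},
]
# A v1-shaped record: no 'id', and cloudAccountId holds a constructed internal ID.
SAMPLE_V1_FINDING = [{"cloudAccountId": "internal-account-42", "ruleName": "example rule A"}]

if __name__ == "__main__":
    print(group_findings_by_account(SAMPLE_V2_FINDINGS))
    try:
        group_findings_by_account(SAMPLE_V1_FINDING)
    except ValueError as err:
        print("rejected:", err)
```

Validating the account ID shape is a cheap guard against mixing the two API versions during the migration window, and rejecting records rather than skipping them keeps a gap in findings visible to whoever runs the export.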

Updated Command Line Interface (CLI) v0.0.48 Now Available

October 22, 2019

For CLI users, an updated CLI version 0.0.48 is now available. This version includes bug fixes and updates the bulk onboarding script. CLI versions prior to 0.0.47 will no longer be supported. Please download the latest at https://github.com/CloudCoreo/cli/releases.

AWS GuardDuty Update – New Findings Types

October 8, 2019

VMware Secure State ingests AWS GuardDuty threat findings to allow users to raise immediate alerts, correlate threats with violations native to the service, and provide additional context (e.g., object relationships and metadata) necessary for investigating issues. This update adds ten new GuardDuty findings to the existing rule set.

New Rules:

  • A principal has attempted to assign a highly permissive policy to themselves. This behavior is associated with a privilege escalation attack
  • EMR-related sensitive port on an EC2 instance has an unprotected port that is being probed by a known malicious host
  • An API was invoked using root credentials

Backdoor findings:

  • An EC2 instance is behaving in a manner that may indicate it is being used to perform a Denial of Service (DoS) attack using the DNS protocol
  • An EC2 instance is behaving in a manner that may indicate it is being used to perform a Denial of Service (DoS) attack using an unusual protocol
  • An EC2 instance is behaving in a manner that may indicate it is being used to perform a Denial of Service (DoS) attack using the TCP protocol
  • An EC2 instance is behaving in a manner that may indicate it is being used to perform a Denial of Service (DoS) attack using the UDP protocol
  • An EC2 instance is behaving in a manner that may indicate it is being used to perform a Denial of Service (DoS) attack using the UDP protocol on a TCP port

Penetration Test findings:

  • An API was invoked from a Parrot Security Linux EC2 instance
  • An API was invoked from a Pentoo Linux EC2 instance

Visit VMware Secure State rules page for more information.

Cloud Account Settings Update

October 8, 2019

The “Cloud Accounts” page under the VMware Secure State “Settings” tab allows you to add or remove AWS and Azure accounts, manage account settings, and monitor connectivity with the cloud providers. In this update, we’ve added a new cloud account error state to highlight accounts where VMware Secure State is unable to get inventory updates due to missing permissions. Other minor enhancements to this page include a reorganization of cloud account fields to improve the user experience. Visit the VMware Secure State cloud accounts page to see all updates.

Explore – Public Beta

September 24, 2019

Explore, a new module within VMware Secure State, enables you to discover and navigate multicloud infrastructure in a visual manner that is easy to interpret and delivers real-time results. Today, VMware Secure State uses an Interconnected Cloud Security approach and a pre-defined set of native rules to deliver real-time security insights. With the availability of Explore, we are now giving you direct access to this data model, enabling you to collaborate and investigate security issues in a more flexible way.

With typeahead search, you can write new queries to search cloud inventory, explore asset relationships and investigate the complex security posture of your AWS and Azure cloud accounts. Visual results show a neatly mapped graph of objects, their relationships, configurations, metadata and activity logs. You can also share these infrastructure views with other users in the team to build a shared understanding of security issues and speed up investigation.

Updated Cloud Account status and user interface

July 31, 2019

The cloud accounts detail page has been refreshed to simplify management and health visibility of a specific account.

Public API is now available

July 21, 2019

VMware Secure State has begun to expose API endpoints to allow users to extract a specific security finding or query for lists of security findings. Details on how to use the API can be found below.

Cloud Object level risk

June 30, 2019

To assist with prioritizing finding investigations and increase visibility to higher risk objects, the Findings by Object page has been extended to show the finding count and aggregate risk score by cloud object.
