A Bird’s-Eye View of Cloud Security with FireEye Cloudvisory

Launched earlier this year, FireEye Cloudvisory has already been making waves in the industry. The Vision caught up with Martin Holste, Cloud CTO and Greg Smith, Senior Product Marketing Manager, Cloud Visibility and Operations at FireEye to learn more about Cloudvisory and why it is leading the field in cloud security solutions.


When was Cloudvisory launched and why was it developed?


MARTIN: Cloudvisory was available for general purchase by FireEye on June 8 of this year. We launched an early access program at RSA in February, so we've had a phased approach to its introduction.

Cloudvisory launched for a lot of different reasons, the biggest of which is that we have seen a real need for our customers to figure out how they secure multiple cloud environments. We've addressed some of those needs with FireEye Helix, but those are more focused on detection and we wanted something more preventative. We also saw our customers spending a lot of time handling things like compliance so they could prove to auditors that they're secure.

Being able to prove security to auditors is mandatory for our customers. It doesn't necessarily keep the bad guys out, but as someone who led a team for seven years, I know that they have to do it. However, they want to get their people back to finding bad guys as much as possible and Cloudvisory helps by making that as easy as possible.


How does it work?

MARTIN: We can have you up and running in just a few minutes. That's the great thing about cloud, there's no shipping involved; it's all cloud-to-cloud interactions. In just a few minutes an organization will be able to fully understand what's running in their cloud environments—this is usually the first thing they want to know. Even with mature environments, an organization may have so much sprawl that simply understanding where everything is could be a real challenge.

A few minutes later we'll have the first reports ready so teams can spot any immediate problems. Cloud providers themselves have a lot of built-in security, but it's at a basic level and while it can be helpful, it doesn't flag the most important elements in the way that we would. Cloudvisory immediately surfaces the critical findings that cloud providers cannot. Certain pieces of data are only accessible to the cloud provider themselves; Azure Security Center, GuardDuty on AWS or the Google Security Command Center will all have little bits and pieces of potentially very important information, and Cloudvisory can help aggregate and surface that data for security teams to take action.

What is the difference between Cloudvisory and Helix and how do they work together?

MARTIN: Cloudvisory is the active, or preventative, component and Helix is the passive detection component. Together, they provide a complete cloud security solution. I would say most teams spend the majority of their time doing preventative work. Helix is the analytic component amongst other things. Cloudvisory actively queries an environment to completely enumerate all the assets, look at how they're configured and then raise any problems that may occur with their configuration.

This is important because one of the biggest problems in cloud security is configurations. Time and again, we've seen this from our own Mandiant response teams. When they are called to an incident, it's usually because somebody has, unfortunately, made a mistake. While everyone's first instinct is to blame the person that made the mistake, even in a very mature environment there are just so many potential opportunities to make a mistake. No one is perfect, so you need all the help that you can get with automation to find any misconfiguration before attackers do.

Sometimes an attacker can get through the front door with phished credentials. That's where Helix comes in with its passive detection components. It can flag suspicious activity to the security team.


Do teams need both Cloudvisory and Helix?

MARTIN: I would say everyone does need both. Cloudvisory helps organizations prove to auditors that they are compliant and places guardrails around the environment to protect against any misconfigurations.

If anything slips through the net, Helix takes over, analyzes the activity and correlates all the data. Both Cloudvisory and Helix are central to an organization's security posture.

How does Cloudvisory perform against its competitors?

MARTIN: On the surface, competitors have comparable offerings and at a very high level, both do things such as compliance checks. Cloudvisory outperforms them in several ways. The main difference is that it handles the remediation for any perceived firewall rules that are too loose. We call this micro segmentation. What that means is it will use various models to look at all the different network configurations and make specific recommendations for improvements.

Very few organizations are willing to allow tools to make changes to critical environments. In many cases, the lack of a robust test plan is what prevents real security change from occurring.

Cloudvisory addresses this with automated testing. Cloudvisory can use security telemetry, such as network flows that are natively in the cloud provider, to test against a proposed change. A team can let that test run for a day or a week and be very confident after a specified amount of time that the proposed change will work. An organization can then use the results as part of their overall change management policy and procedures, proving that they have a documented test plan to lock down any open network policies.

The flexibility you get with Cloudvisory and Helix is really important. Even if an organization has an existing system or workflow management in use, Cloudvisory and Helix can plug into that seamlessly. Most organizations do not have a mature toolset, although they may use a SIEM or on-premise tool. We can plug Cloudvisory and Helix directly into existing tools, removing the need for re-training or a giant shift in the way the organization operates.

Another differentiator is that Cloudvisory supports public cloud, private cloud and on-premise solutions with OpenStack and Kubernetes. Cloudvisory can be operated either as a fully managed SaaS platform where you log into a web page (and I'd say about 80 to 90 percent of the market prefers it that way), or in completely air-gapped on-premise networks for certain sectors such as the government, so they can get Cloudvisory as a virtual appliance and run it wherever they want. We have the only solution in the market that can ensure that the configuration of OpenStack is secure—many large institutions run on-premises OpenStack installations, a private cloud solution we can help secure.

On the container front, our solution can also hook directly into the Kubernetes control plane to help with network configuration policies, an important security element that is generally not natively accessible.
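The "test a proposed change against network flows" idea Martin describes above can be illustrated with a small dry-run script. The following is an added example written for this page; it is not Cloudvisory's or FireEye's code and makes no claim about how the product implements the check. It assumes a deliberately simplified allow-rule model (source CIDR, protocol, destination port, the shape of a security-group ingress rule) and feeds it constructed sample lines laid out in the default version-2 VPC flow log field order. Any flow the provider actually ACCEPTed under the current rules but that the proposed, tighter rules would deny is reported, so the team can decide whether each one is a real dependency to keep or exactly the exposure they meant to close.

```python
"""Dry-run a proposed firewall tightening against observed flow records.

Added example, not Cloudvisory's code. Rule and Flow are assumed, simplified
models; SAMPLE_FLOW_LOG is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# IANA protocol numbers as they appear in the flow log's protocol field
PROTO_NAMES = {"6": "tcp", "17": "udp"}


@dataclass(frozen=True)
class Rule:
    """Assumed ingress allow rule: traffic from `source` CIDR to `dst_port` over `protocol`."""
    source: str
    protocol: str
    dst_port: int


@dataclass(frozen=True)
class Flow:
    """Fields we need from one flow record."""
    srcaddr: str
    dstaddr: str
    dstport: int
    protocol: str
    action: str  # "ACCEPT" or "REJECT" as recorded by the provider


# Constructed sample lines, default (version 2) VPC flow log field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0example00000001 10.20.0.5 10.0.1.10 51514 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0example00000001 203.0.113.44 10.0.1.10 40122 22 6 8 1120 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0example00000001 198.51.100.7 10.0.1.10 44310 443 6 120 65000 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0example00000001 192.0.2.9 10.0.1.10 40123 22 6 4 240 1418530010 1418530070 REJECT OK
2 123456789012 eni-0example00000001 10.0.2.7 10.0.1.10 123 123 17 2 152 1418530010 1418530070 ACCEPT OK
"""

# Current rules: SSH, HTTPS and NTP open to the world (the "too loose" state).
CURRENT_RULES = [Rule("0.0.0.0/0", "tcp", 22), Rule("0.0.0.0/0", "tcp", 443),
                 Rule("0.0.0.0/0", "udp", 123)]
# Proposed rules: SSH only from the corporate range, HTTPS unchanged, NTP removed.
PROPOSED_RULES = [Rule("10.20.0.0/16", "tcp", 22), Rule("0.0.0.0/0", "tcp", 443)]


def parse_flow_log(text: str) -> List[Flow]:
    """Parse space-separated flow records; malformed or NODATA-style lines are skipped."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 14:
            continue
        try:
            flows.append(Flow(srcaddr=fields[3], dstaddr=fields[4], dstport=int(fields[6]),
                              protocol=PROTO_NAMES.get(fields[7], fields[7]), action=fields[12]))
        except ValueError:  # e.g. "-" placeholders in NODATA records
            continue
    return flows


def rule_permits(rule: Rule, flow: Flow) -> bool:
    return (flow.protocol == rule.protocol and flow.dstport == rule.dst_port
            and ip_address(flow.srcaddr) in ip_network(rule.source))


def permitted(rules: List[Rule], flow: Flow) -> bool:
    return any(rule_permits(r, flow) for r in rules)


def simulate(current: List[Rule], proposed: List[Rule], flows: List[Flow]) -> Dict[str, List[Flow]]:
    """Flows accepted today that the proposed rules would deny go in 'would_break'."""
    would_break, unaffected = [], []
    for f in flows:
        if f.action != "ACCEPT":
            continue  # only traffic the environment actually relied on matters
        if permitted(current, f) and not permitted(proposed, f):
            would_break.append(f)
        else:
            unaffected.append(f)
    return {"would_break": would_break, "unaffected": unaffected}


def summarize(result: Dict[str, List[Flow]]) -> Dict[Tuple[str, str, int], int]:
    """Group the would-break flows by (source, protocol, port) for the change-management record."""
    counts: Dict[Tuple[str, str, int], int] = {}
    for f in result["would_break"]:
        key = (f.srcaddr, f.protocol, f.dstport)
        counts[key] = counts.get(key, 0) + 1
    return counts


def run_example() -> Dict[str, List[Flow]]:
    return simulate(CURRENT_RULES, PROPOSED_RULES, parse_flow_log(SAMPLE_FLOW_LOG))


if __name__ == "__main__":
    res = run_example()
    for (src, proto, port), n in summarize(res).items():
        print(f"{n} accepted flow(s) from {src} to {proto}/{port} would be denied by the proposed rules")
    print(f"{len(res['unaffected'])} accepted flow(s) unaffected")
```

Run against a real export the script would be pointed at a day's or a week's worth of flow records instead of the constructed sample, and the summary becomes the evidence that the proposed policy was tested before it was applied. In the sample, the SSH session from the corporate range and the HTTPS traffic survive the change, while the SSH session from 203.0.113.44 and the NTP flow from 10.0.2.7 are flagged for review.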

Is a multi-cloud environment an inevitability, not a choice?


GREG: Enterprise organizations that believe they aren't living the multi-cloud life yet are likely in denial or soon will be. What we have found through research and talking to customers at events like RSA is that cloud sprawl is a real thing. Security teams have had to onboard new cloud solutions such as Dropbox and Office 365 or a similar repository and very soon, their organizations end up with a multi-cloud life.

If you have Cloudvisory, even before you've started to formally onboard different cloud solutions, you'll be ready for the visibility and the compliance check points that Martin was alluding to before.

Organizations will miss out on the opportunity to protect themselves and be able to do any kind of defensive, proactive and passive detection protection if they don't address the fact that they have a multi-cloud organization.

MARTIN: Cloud doesn't just mean Amazon and Azure, it's also all the other software as a service platforms. We have over 60 different plugins now for various web services such as: Druva for backup, Okta for single sign on, Workday, ADP, Salesforce, Gerard, GitHub, Box, SharePoint and Slack. All of those count as cloud, so there are no organizations with everything on premise. Even the biggest organizations with very large in-house IT teams still operate these services.

To add complexity, many organizations are big enough to have subsidiaries, which also use a variety of cloud applications. For example, one company might be very heavily invested in Microsoft and they acquire a company that's on AWS. They immediately have a significant multi-cloud environment which needs to be effectively managed.

For more information on Cloudvisory and our full suite of cloud security products, visit: www.fireeye.com/cloudvisory