“[On the cloud] what data lives where becomes a slightly different problem … the barrier to entry is so low. It is easy to spin up an instance or a windows VM in Azure … and it is important to have some visibility and governance, so you provide accountability for those things, relative to what your expectations are for persistent configuration.”
— Aaron Stanley, Head of Global Cybersecurity at Twilio
Today, Censys is thrilled to announce its new Cloud Security offering as part of the Censys Attack Surface Management (ASM) Platform. The suite of cloud security features includes discovery of exposed services in the cloud, unknown storage buckets, a centralized and complete cloud inventory across all providers, and daily scanning for all your cloud assets. One of the key benefits our customers value is discovering exposed cloud storage like S3 buckets and other cloud-specific risks such as database exposures or unnecessary exposed RDP services in your environment.
Like all Censys products, our Cloud Security offering is built on top of our industry-leading, freshest scan data, ensuring the best visibility of your attack surface, whether it is in the cloud, on-prem, or in a hybrid environment.
Cloud Security Offering and Features
The Censys Cloud Security offering for the Censys ASM Platform deploys in minutes, helping you and your team discover new or unmanaged cloud assets and accounts outside of any of your current security solutions.
How does it work?
The new Censys Cloud Security offering connects to your existing cloud accounts and continually analyzes your cloud configurations for Internet-facing assets. Using our discovery and attribution algorithms, we use these organizational and infrastructure insights of your attack surface in the cloud to mine our industry-leading Internet scan data and find cloud assets that are currently outside the purview of your IT and cloud monitoring solutions.
Key features of the new Cloud Security offering include:
Cloud Storage Bucket Discovery
We’ve added storage buckets as a new asset type and customers can now view their inventory of storage buckets and their associated risks and misconfigurations. In addition, our asset discovery algorithms now search for publicly exposed S3 buckets and our risk engine identifies publicly accessible buckets that may contain sensitive data like PII or other proprietary information. Additional cloud asset types are coming in future releases.
Cloud Connectors for AWS, Azure, and GCP
Cloud Connectors allow you to continually import public-facing cloud assets into your asset inventory, comprehensively check cloud assets for security problems, and contextualize what we’ve found. For example, Censys will label Internet assets with the cloud account they’re hosted in and the cloud service responsible for their configuration. Cloud connectors with Azure, AWS, and GCP can be instantly deployed using Terraform or for AWS, Cloud Formation. In addition, Cloud Connectors improve Censys Discovery by automatically incorporating cloud configuration data into the asset discovery process.
Centralized and Complete Cloud Inventory Across All Providers
Censys provides a centralized and complete cloud asset inventory by combining assets found through our cloud connectors, as well as our Internet-wide asset discovery process. Censys Inventory helps practitioners quickly understand assets’ configuration, ownership, history, and relationship to other organizational assets, history across IP addresses, as well as identify anomalies in the attack surface. Censys also breaks down assets and risks by cloud account and provider, while providing security teams with pointers to specific cloud configurations that result in security issues.
Censys API and Integrations
Censys Cloud Security continuously discovers unknown infrastructure that must be investigated in order to bring them into a managed state. This often takes the combined efforts of engineers, ops, and IT practitioners. Censys Cloud Security is designed from the ground up to seamlessly integrate with existing security workflows via robust integrations with ticketing solutions like JIRA and ServiceNow, as well as SIEMs like Splunk & SumoLogic. This saves Censys users precious time in operationalizing findings and ensuring that teams are working together to reduce the risk of forgotten assets.
Enhanced Cloud Visibility with Censys Data
The new Censys cloud security offering is a big step forward toward addressing modern cloud infrastructure security concerns. Censys harnesses its industry-leading asset discovery capabilities in combination with cloud provider integrations such as AWS, Azure, GCP to enable our customers to know their attack surface in the cloud from an attacker point of view. Unlike competitors, the Censys ASM Platform is built on top of the most accurate and comprehensive Internet-wide scan data (our Universal Internet DatSet), which is critical to cloud security. Our data cuts through the noise by addressing the ephemeral and elastic nature of cloud computing with twice daily scans of the top 100 ports.
“Most Fortune 500 companies have hundreds of cloud accounts. While some are managed through cloud security tools, many are simultaneously created by non-IT groups and don’t have technical controls to prevent a breach.”
— Censys Co-Founder Zakir Durumeric.
It’s no secret that unmanaged cloud accounts tend to contain an organization’s riskiest assets. “One of our customers thought they had just 800 hosts in their attack surface, but after connecting with their AWS accounts, we inventoried a total of 1,439. This discovery was important because we were able to reveal 60 exposed protocols and end-of-life software risks on otherwise unknown assets,” said Durumeric. “In order to maintain compliance and avoid security breaches, it is imperative to have comprehensive and continual cloud asset discovery for all assets regardless of the cloud account or provider.”
Extending Attack Surface Management in the Cloud
Using the new Censys Cloud Security offering, teams can finally gain a complete and centralized view of their cloud footprint, better manage cloud risk by reducing their attack surface and protecting critical cloud assets.
From data breaches to ransomware, cloud security is the new frontier in today’s rapidly expanding IT ecosystems. Cloud security research conducted by Censys Labs found nearly two million database exposures across the most common cloud providers, as well as 1.9 million RDP exposures. The results indicate a missing piece in the cloud security puzzle and practitioners need more support. Database exposures are leading to data breaches, and research conducted by the FBI has shown that RDP accounts for 70-80% of network breaches, which can result in things like successful ransomware attacks.
These findings are critical to understanding the speed at which we must tackle cloud security problems today. We know there is no silver bullet and it will take a combination of better processes, better practices, but also better technology and tooling to meet these industry needs.
For more information about the Censys ASM Platform and our new cloud security offering, sign up for a demo or contact us today!