Custom Rules Aren't Just For Security

Author:
Nikhil Girdhar Product Line Marketing Manager, CloudHealth Secure State
Published: June 11, 2020
3 Min Read

When VMware Secure State introduced the ability to create custom rules, we wondered what rules some of our customers would build. Would they build rules looking for specific ports being open on a security group? Would they seek some misconfiguration that mapped to an internal framework? Actually, as you will see below, we have seen a wide range of custom rules made by our customers. 

Looking for some specific ports

One of the hardest tasks for security people is to find out which ports are open on their AWS security group. Looking at the lists of security group, per region, and trying to find a specific inbound port is not easy in AWS. 

aws-security-group.png

Being able to leverage the Explore feature of VMware Secure State, customers can find the specific open port they are looking for and create a rule based on that query. Below is an example of a rule looking for open port 5000 or 2379. As you can see, the IP range was not included in this search. All that was searched for was the ports. If you want to add the range variable, you can add it before the ip_permission object.  

explore-visual.png

Public IPs

Now, what if you want to see if any EC2 instances have an external IP? VMware Secure State has predefined rules around public IPs open to the world from specific port. But, what about public instances that have IP restrictions. This was a customer ask. 

This is the query they came up with: 

 ip_range HAS NOT (cidr_ip = "0.0.0.0/0") -> ip_permission -> security_group -> instance HAS NOT public_ip_address = "" -> vpc -> route_table -> route -> internet_gateway

This query is not really a security rule, it’s more of an inventory and visibility need. The query is looking for any security groups that do NOT have an IP range of 0.0.0.0 but are connected to an instance with a public IP.  The statement instance HAS NOT public_ip_address = ""  is basically looking for public IP value to be true, but we had to write it as a double negative.  

Here is the result:

public-IP.png

Visibility rules vs. security rules 

With all of the data that VMware Secure State captures about your cloud accounts, you can see how one could leverage this data to find things that may not be security issues. One of customer had a great custom rule that they wrote. They wanted to be alerted whenever their elastic IP was assigned to a new instance. They just wanted to track the changes. The query is below.

address -> instance 

address-instance.png

Not that difficult. But, enabling this rule, and then turning on alerts for this rule allowed the customer to stay on top of their elastic IP allocation.  

Query Away

We're continuing to enhance and build VMware Secure State’s query language and ability to build custom rules. Go ahead and query! Find new ways to use the tool and let us know—we'd love to hear what interesting rules you come up with. You can find more information about the VMware Secure State query language here. 

Image
Headshot Nikhil Girdhar
Nikhil Girdhar, Product Line Marketing Manager, CloudHealth Secure State

Nikhil is a seasoned product marketing professional with a focus on solving emerging multicloud challenges for customers. He specializes in taking new cloud services to market and establishing Go-To-Market fit. In his current role, he leads product marketing for CloudHealth Secure State, a cloud security and compliance service that helps businesses reduce risk while operating at the speed of cloud.

We Think You Might Like These: