In this blog, we’re going to discuss and demonstrate how to use Panoptica to protect your business from data exposure, and even more importantly, data breaches.

To begin with, let us do a brief recap of the forensic analysis of one of the most publicized data breaches from last year: the Pegasus Airlines data breach. This breach occurred on a publicly exposed Amazon Simple Storage Service (S3) bucket that contained over 23 million files of confidential, proprietary, and even Personally Identifiable Information (PII). Everything you needed to fly one of their aircraft was in there, as well as passwords and secret keys to gain further access to sensitive files. Not only that, but 1.6M files of personally identifiable information was breached, including employee photos and signatures.

As shocking as this breach was, it’s even more astonishing to realize that this attack vector is actually a very common one. According to a recent study, approximately 72% of organizations possess at least one Amazon S3 Bucket that has been configured for public read access. As dramatically exemplified by the Pegasus Airlines incident, this vulnerability presents a significant risk to businesses, often serving as a primary factor in various data breaches. Despite the default privacy setting for an S3 bucket being "private," inadvertent misconfigurations and human error may inadvertently expose these to the public.

Additionally, to make matters worse, the same study showed that 33% of organizations have unencrypted sensitive data, including secrets and PII, within their cloud assets. Such a posture significantly exacerbates the damage and expense caused by such data breaches. In fact, according to IBM, the current global average cost of a data breach is now $4.45M.

So how can you protect your business from such data exposure and breaches? Panoptica, the Cisco Cloud Application Security solution, makes this easy. Let’s take a look at how.

If, as an operator, I happen to know the specific attack vector of a given data breach, I can search Panoptica’s powerful graph database for this. For example, I can enter “S3” directly into a Search query box as shown below:

This returns all vulnerabilities relating to Amazon S3 buckets within my cloud infrastructure, including the specific vector we have been discussing, as highlighted below:

Clicking on the highlighted header provides me more details about this vulnerability, as shown below.

These details not only tells me what the exposure is and where I have this exposure in my environment, but also how to remediate it. Remediation details are presented both as a summary of steps to be taken as well as the corresponding command-line interface (CLI) needed to patch it. For example in this case, the manual steps to be taken include:

1. Sign into the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/
2. In the buckets list, choose demo-s3-bucket-public-and-unencrypted-demo-panoptica.
3. Choose Permissions.
4. Choose Edit to change the public access settings for the bucket.
5. Set all to True, and then choose Save.
6. When you're asked for confirmation, enter confirm. Then choose Confirm to save your changes.

However, to expedite remediation, Panoptica also provides me with dynamically-generated and custom-tailored commands to quickly address the vulnerability, which in this case translates to:

aws s3api put-public-access-block --bucket demo-s3-bucket-public-and-unencrypted-demo-panoptica --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

At this point, I can create a ticket with a single click, which captures all the context, details and remediation-steps relating to this exposure.

Another approach I can take to get to the same result is to simply select “Data Security” from my Security Posture page, as shown below. This approach is helpful if either I’m unsure of the specific attack vector used or if I want to broaden my search beyond a single type of database (e.g. beyond just Amazon S3 database vulnerabilities).

Finally, a third approach (which happens to be my personal favorite) is to use Attack Path Analysis. Attack Path Analysis contextually correlates threats and vulnerabilities and presents these to me from an attacker’s point-of-view. For example, from Panoptica’s Dashboard I can view the Prioritization Funnel and select “Configuration Risks” that lead to “Data Exposure”, as shown below:

This takes me to specific Attack Paths that meet this criteria; which, in this case, includes the exact attack path that was used against Pegasus Airlines, as shown below.

As before, I have not only the threat presented, but also all the necessary remediation steps and CLI.

There you have it. Within just a few minutes, we’ve shown multiple ways how Panoptica can protect your business from expensive data breaches. A five-minute video demonstrating this can also be viewed here: https://www.youtube.com/watch?v=D1StPtoqga0