This post will discuss Orca Security, a cloud security tool I have used in the past. Orca Security fulfills the roles of multiple tools, including cloud security posture management, vulnerability management, and malware detection. Orca scans workloads out of band and integrates that data with information from the control plane. This allows Orca to prioritize alerts very effectively in a way that tools without context from the control plane cannot. Orca provides a powerful query language, Sonar, for querying the data models that Orca maintains about the state of the infrastructure. I will discuss the Sonar queries for some of my favorite use cases below.
A great example of this context-aware prioritization was during the response to CVE-2021-44228, known as Log4Shell. With an extremely severe RCE vulnerability, it makes sense to prioritize remediation of workloads that are directly exposed to the internet. Without the control plane context, a vulnerability management tool would rank all findings for this CVE as equally high priority. This is less helpful to defenders, because our internet-exposed workloads will receive direct exploitation attempts and should be addressed first.
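To illustrate the prioritization described above, here is an added example (not Orca's code or queries) that joins constructed disk-scan findings with constructed control-plane exposure data; the asset IDs, account names and the Asset/Finding shapes are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed sample data modelled on the two sources the post describes:
# the control-plane inventory (exposure) and out-of-band disk scans (findings).
@dataclass(frozen=True)
class Asset:
    asset_id: str          # hypothetical instance identifier
    account: str
    internet_facing: bool  # exposure known only from the control plane

@dataclass(frozen=True)
class Finding:
    asset_id: str
    cve: str
    cvss: float

ASSETS = [
    Asset("i-web-01", "prod", internet_facing=True),
    Asset("i-batch-07", "prod", internet_facing=False),
    Asset("i-dev-03", "dev", internet_facing=False),
]
FINDINGS = [  # every host carries the same Log4Shell finding
    Finding("i-batch-07", "CVE-2021-44228", 10.0),
    Finding("i-dev-03", "CVE-2021-44228", 10.0),
    Finding("i-web-01", "CVE-2021-44228", 10.0),
]

def rank_without_context(findings):
    """Severity only: all Log4Shell findings tie, so the order is arbitrary."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

def rank_with_context(findings, assets):
    """Join each finding to its control-plane record; exposed hosts sort first,
    then by severity. Findings with no inventory record are treated as not exposed."""
    by_id = {a.asset_id: a for a in assets}
    def key(f):
        asset = by_id.get(f.asset_id)
        exposed = asset.internet_facing if asset else False
        return (exposed, f.cvss)
    return sorted(findings, key=key, reverse=True)

def remediation_order(findings=FINDINGS, assets=ASSETS):
    """Asset IDs in the order a defender should patch them."""
    return [f.asset_id for f in rank_with_context(findings, assets)]

if __name__ == "__main__":
    print(remediation_order())  # internet-facing web host comes first
```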
In my opinion, the biggest advantage of agentless tooling is the ability to provide instant, 100 percent coverage. Especially when teams have challenges deploying and updating agents but need to obtain data about their cloud environments, agentless tooling is a big win. With Orca Security, deployment means creating an IAM role that Orca assumes in each subject account. If using AWS Organizations, this can be done with a little extra work in the AWS Organizations root account to automatically onboard any account added to the Organization.
Additionally, infrastructure and service owners are often worried about performance impacts that agents will have on their workloads. With agentless scanning, there is no performance impact to workloads.
Orca scans the storage of workloads out of band. While this model gives us the advantages above, it is also the root cause of the main disadvantage to agentless workload scanning. The scan takes time to complete and the results only represent a point in time for that workload. This scanning method also means that the tool will not be able to detect anything that does not write to disk; Orca is unable to detect fileless malware or other malicious in-memory only processes (reverse shells, etc.).
If the choice is between missing coverage and delayed results, I believe having the data provides a lot of value. As an organization matures and other processes, such as providing and enforcing the use of standardized base images, are able to adapt, the team can reassess whether the tooling is still appropriate. Additionally, Orca Security is taking steps to improve scanning and response times, and I’m excited to see how that improves our ability to get faster results.
Orca Security Examples
The following examples show the power of combining data from the control plane and from workloads across IaaS accounts.
One challenge common to security teams tasked with managing PKI is awareness of all TLS certificates used across the infrastructure so that renewals can be managed to prevent service outages. Orca builds models based on data from the control plane and data read from individual instances, such as TLS certificates used by Nginx or Apache. From these models, Orca can provide data on what certificates are in use, and which certificates are expiring soon.
To answer the question “where is this certificate used?”, the following queries show how you can find those across all accounts onboarded to Orca:
AwsCertificate with SubjectName like "app.example.com" or SubjectAlternativeNames like "app.example.com"
AwsEc2Elbv2Listener with Certificate.DomainName like "app.example.com"
WebServerSslCertificate with SubjectName like "app.example.com"
These results help ensure that endpoints using the certificate are not missed; this can be very useful in a legacy environment where not all assets are managed by infrastructure as code.
Next, to manage certificates nearing expiration, the following queries easily show certificates that need attention.
AwsCertificate with DaysToExpire < 60
AwsEc2Elbv2Listener with Certificate with DaysToExpire < 60
Another common issue that security teams are tasked with preventing is data leaks via misconfigured S3 buckets.
The following query is very powerful during initial assessments for identifying any bucket open to the internet. The results directly give a list of buckets to follow up on and determine whether they should be public.
AwsS3Bucket with IsInternetFacing
More mature organizations might mandate certain server side encryption controls for S3. In the following example queries, Orca can show buckets without encryption, buckets not using KMS, and buckets not using a KMS Customer Managed Key. These queries show that no matter the maturity level, Orca can detect resources not in compliance with the organization’s standards.
AwsS3Bucket with encryption['encryption_missing'] = true
AwsS3Bucket without KmsKey
AwsS3Bucket with KmsKey.KeyManager != "CUSTOMER"
By combining control plane and workload data, Orca is able to provide a wealth of data to defenders. Despite some disadvantages inherent to the agentless model, I believe that the agentless onboarding and instant coverage make Orca a win for security teams in cloud environments, especially when there are challenges deploying agents to all workloads.