The world is a graph: How Fix reimagines cloud security using a graph in ArangoDB
Guest Blog
In 2015, John Lambert, a Corporate Vice President and Security Fellow at Microsoft, wrote: “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”
The original problem in cloud security is visibility into my assets. If security engineers donʼt know what cloud services are running, they canʼt protect an environment. Unfortunately, first-generation cloud security products were built with a list mindset, i.e. “rows and columns”. They generate a list of assets and their configurations, but show no context of the relationships between connected cloud services, such as a connection that would allow lateral movement between two disparate cloud assets.
Cloud security as a graph
A graph database like ArangoDB provides a powerful way to represent and analyze complex relationships in cloud security.
A graph is the easiest way to understand how one entity in my cloud interacts with another. By representing cloud assets as nodes (vertices) in a graph and the relationships between them as edges, I can gain a better understanding of the nested connections in my cloud infrastructure.
By thinking about cloud resources in terms of ancestors and descendants, a cloud security engineer can solve problems in a way a table canʼt. The graph is an easier way to visualize the relationships between users and any of my cloud resources such as compute instances, functions, storage buckets and databases.
- Ancestors: The graph helps me understand the root of a security issue. What is the highest ancestor where an issue was introduced? Because I need to go all the way up and fix the problem at its origin.
- Descendants: The other way around is understanding descendants and blast radius. If I have an Internet-exposed compute instance from which an attacker may be able to steal credentials, how many hops can that attacker go? How much of my infrastructure is exposed by this initial compromise?
In a cloud-native world, these graph traversal capabilities are fundamental for cloud security. Going forward, any operating model for cloud security should be built on a graph. With Fix, weʼre building such a modern cloud security tool, and weʼre building it with ArangoDB.
But first, a list!
Now that we covered the benefits of using a graph for cloud security, letʼs start with a list. Yes, a list – because sometimes, viewing my cloud assets in a graph might not be the most intuitive or useful thing.
For example, I may just want a list of my compute instance inventory across my AWS accounts. As a cloud security engineer, I want a baseline inventory of resources. I don’t really need a picture for that, I just want the list. And maybe I want to download it in a spreadsheet so I can slice and dice it, with metadata for each particular instance like create date, number of vCPUs and memory. A list is the best way to represent that information.
But if a list is enough, why collect data in a graph in the first place?
Because the transformation from a graph to a table is trivial. The other way around, not so much. The graph lets you express relationships that, with the same data in flat tables, would become intractable: many different tables, foreign-key relationships, and joins all over the place. It just becomes too difficult to reason about.
The hard part is collecting data from cloud APIs and putting it into a graph form. Thatʼs much harder, takes time and is easy to get wrong. There are enough opportunities to make mistakes along the way, and create a representation thatʼs not correct or has bugs. Thatʼs why we believe transparency in how a cloud security product collects data matters. Both ArangoDB and Fix are open source. Our code shows how we collect and store data from cloud APIs in ArangoDB.
Graph-based analysis of cloud resources
The analysis layer of a graph is powerful because it can provide insights that tables cannot. One recent trend in security is that software engineers also take on security engineering tasks. They look after the security of their infrastructure, beyond infrastructure-as-code templates.
While Fix offers out-of-the-box visualizations and pre-built checks of compliance rules, weʼve also built a search syntax on top of the ArangoDB Query Language (AQL). With ArangoDB and AQL, I can store and query rich, nested JSON-like documents together with their edges. Itʼs also easy to attach metadata to vertices and edges – such as the configuration data of a cloud resource – and query it. By building our syntax on top of AQL, weʼve made Fix human-friendly. Developers can easily run ad-hoc checks of the security posture of their infrastructure.
For example, activating flow logs in your VPCs is considered a security best practice by AWS. The search below finds all AWS VPCs where flow logs are deactivated.
is(aws_vpc) with(empty, --> is(aws_ec2_flow_log))
Breaking it down, the search:
- first, finds all resources of the kind “aws_vpc”, no matter in which account or region they may run.
- then, filters for the VPCs without a direct relationship (successor) to an “aws_ec2_flow_log” resource.
A simple one line statement.
The same query expressed in SQL would require joining different tables with nested select statements, multiple where-clauses and case statements. It would be dozens of lines long and require an engineer to have knowledge of the table architecture and column names.
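The traversals described earlier (ancestors up to a root cause, descendants as blast radius), the graph-to-list flattening, and the flow-log search above, as one added example that is not Fix's or ArangoDB's code: a small Python model of a resource graph. The node ids, kinds and edge layout are constructed sample data; the AQL in the comment assumes vertex and edge collections named `resources` and `edges`, which the post does not state.

```python
"""Added example (not Fix's or ArangoDB's code): the graph queries the post
describes, run against a small in-memory cloud-resource graph.
Edge direction follows the post's convention: parent --> child, so a VPC's
flow log is a successor of the VPC."""
from collections import deque
import csv
import io

# Constructed inventory: id -> resource document (what ArangoDB would hold as a vertex).
NODES = {
    "acct-1":    {"kind": "aws_account", "name": "prod"},
    "us-east-1": {"kind": "aws_region", "name": "us-east-1"},
    "vpc-a":     {"kind": "aws_vpc", "cidr": "10.0.0.0/16"},
    "vpc-b":     {"kind": "aws_vpc", "cidr": "10.1.0.0/16"},
    "fl-a":      {"kind": "aws_ec2_flow_log"},
    "sg-open":   {"kind": "aws_ec2_security_group", "ingress_0_0_0_0": True},
    "i-web":     {"kind": "aws_ec2_instance", "public_ip": "203.0.113.10", "vcpus": 2},
    "i-db":      {"kind": "aws_ec2_instance", "public_ip": None, "vcpus": 8},
    "role-web":  {"kind": "aws_iam_role"},
    "bucket-1":  {"kind": "aws_s3_bucket"},
    "rds-1":     {"kind": "aws_rds_instance"},
}

# Constructed edges (source, target): parent --> child, or resource --> what it can reach.
EDGES = [
    ("acct-1", "us-east-1"),
    ("us-east-1", "vpc-a"), ("us-east-1", "vpc-b"),
    ("vpc-a", "fl-a"),                                # vpc-a has a flow log, vpc-b does not
    ("vpc-a", "i-web"), ("vpc-b", "i-db"),
    ("sg-open", "i-web"),                             # 0.0.0.0/0 ingress introduced the exposure
    ("i-web", "role-web"),                            # instance role: credentials an attacker can steal
    ("role-web", "bucket-1"), ("role-web", "rds-1"),  # what those credentials can reach
    ("i-db", "rds-1"),
]

OUT = {n: [] for n in NODES}   # successors
IN = {n: [] for n in NODES}    # predecessors
for src, dst in EDGES:
    OUT[src].append(dst)
    IN[dst].append(src)


def _walk(start, adjacency, max_hops=None):
    """Breadth-first traversal: {node_id: shortest hop count from start}, start excluded.
    The `seen` map also guards against cycles and diamond-shaped paths."""
    seen = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if max_hops is not None and seen[cur] >= max_hops:
            continue
        for nxt in adjacency[cur]:
            if nxt not in seen:
                seen[nxt] = seen[cur] + 1
                queue.append(nxt)
    del seen[start]
    return seen


def ancestors(node, max_hops=None):
    return _walk(node, IN, max_hops)


def blast_radius(node, max_hops):
    """Descendants: everything reachable from a compromised `node` within max_hops."""
    return _walk(node, OUT, max_hops)


def highest_ancestor_where(node, predicate):
    """Root cause: among the ancestors whose document matches `predicate`, the farthest one up."""
    matches = [(hops, a) for a, hops in ancestors(node).items() if predicate(NODES[a])]
    return max(matches)[1] if matches else None


def resources_of_kind(kind):
    return [n for n, doc in NODES.items() if doc["kind"] == kind]


def vpcs_without_flow_logs():
    """Python twin of the Fix search `is(aws_vpc) with(empty, --> is(aws_ec2_flow_log))`.
    Equivalent AQL (collection names `resources`/`edges` are an assumption):
      FOR vpc IN resources
        FILTER vpc.kind == "aws_vpc"
        FILTER LENGTH(FOR s IN 1..1 OUTBOUND vpc edges
                        FILTER s.kind == "aws_ec2_flow_log" RETURN 1) == 0
        RETURN vpc"""
    return [v for v in resources_of_kind("aws_vpc")
            if not any(NODES[s]["kind"] == "aws_ec2_flow_log" for s in OUT[v])]


def inventory(kind, fields):
    """Graph -> list: one flat row per resource of `kind`; account and region come from
    walking ancestors, which a table would need foreign keys and joins to recover."""
    rows = []
    for n in resources_of_kind(kind):
        anc = ancestors(n)
        row = {"id": n,
               "account": next((a for a in anc if NODES[a]["kind"] == "aws_account"), None),
               "region": next((a for a in anc if NODES[a]["kind"] == "aws_region"), None)}
        row.update({f: NODES[n].get(f) for f in fields})
        rows.append(row)
    return rows


def inventory_csv(kind, fields):
    """The spreadsheet the post mentions: the flattened rows as CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["id", "account", "region", *fields])
    writer.writeheader()
    writer.writerows(inventory(kind, fields))
    return buf.getvalue()


if __name__ == "__main__":
    print("VPCs without flow logs:", vpcs_without_flow_logs())
    print("Blast radius of i-web (2 hops):", blast_radius("i-web", 2))
    print("Root of i-web exposure:", highest_ancestor_where("i-web", lambda d: d.get("ingress_0_0_0_0")))
    print(inventory_csv("aws_ec2_instance", ["public_ip", "vcpus"]))
```

`blast_radius` is bounded by hop count so the question "how far can an attacker get from this instance?" is answered per hop rather than as one unbounded closure; in a real deployment the same traversal runs as an AQL `OUTBOUND` query with a `min..max` depth.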
The power of a graph is that it lets you explore many-to-many relationships in a very easy way, in a way that a traditional row-based database just canʼt. By making security data from cloud resources available in a graph, software engineers with security responsibilities can gain visibility into the environment and reduce risks.
A graph provides context, context is king
The partnership between Fix and the ArangoDB team has brought our customers new security insights only made possible by the multi-dimensional relations of cloud resources stored in a graph. With ArangoDB, using graphs is no longer a complex computer science and operational challenge. For Fix, ArangoDB provides a graph database as a building block that makes it easy to store and query the relationships in your data.
Fix uses ArangoDB to analyze billions of relationships – in every cloud. With ArangoDB, weʼve been able to build a system that can ingest data at scale. One of our retail users ingests data from tens of thousands of cloud accounts in minutes, and then runs any type of analytics in a fraction of a second. The context of the graph helps security engineers to precisely answer questions and identify, prioritize and remediate risks – the “trifecta” of cloud security.
The precision, speed, and explainability of finding risks to your business is simply not possible without using a graph. When defenders can think in graphs, attackers lose.
Opening the ArangoDB ArangoGraph API & Terraform Provider
ArangoDB ArangoGraph, the cloud service of ArangoDB, has been available for a few months now and is growing quickly. The ArangoGraph team got a lot of requests to provide more ways to manage deployments, access policies and other aspects of ArangoGraph.
After adding support for Azure earlier this year, we’re now opening up the ArangoGraph API for all supported cloud providers like Google Cloud and AWS.
Public Preview of Microsoft Azure Now Available on ArangoDB Oasis
Today we are excited to invite everybody to take the first public preview of Azure on ArangoDB Oasis for a test ride. In case you haven’t joined Oasis yet, please find more details about our offering and a 14-day free trial on cloud.arangodb.com. Just choose Microsoft Azure as your cloud provider and choose from the many regions we already support.
You can share all feedback with us about regions you’d love to see added or other improvements on slack. Please use the #oasis channel on Community Slack or raise an issue via the “Request Help” button in the bottom right corner of Oasis.
Please note that this is a public preview and not meant to be run in production.
Big Thanks to the Microsoft Azure Team
Before we dive into the details of the public preview for Azure on Oasis, we’d like to take a minute to send a big “Thank You!” to the Microsoft Azure team. The responsiveness and quality of their support as well as motivation to help us succeed has been exemplary. When building complex systems everything can’t be perfect but the support of the many different people at Azure has been. Thanks for making it possible to share the Oasis Azure offering so quickly with our community!
Azure on ArangoDB Oasis: That’s in
In this public preview, you can test the full feature set of ArangoDB Oasis on Azure for your projects. We already support a range of Azure regions including
- East US, Virginia: eastus2
- West US, Washington: westus2
- Central Canada, Toronto: canadacentral
- West Europe, Netherlands: westeurope
- UK, London: uksouth
We based the initial regions on customer feedback and can easily add more if you require them. Just use the “Request Help” button in the bottom right corner of Oasis and raise an issue for your preferred region.
Azure Pricing on Oasis
Azure on Oasis starts at prices similar to ArangoDB Oasis on Google Cloud or AWS. You can get started with as little as $0.27/hour for a 3-node, highly available OneShard setup with 4GB memory and 10GB storage per node.
Please see detailed prices for various setups on the pricing page within Oasis.
Limitations within the Public Preview
Until we can declare Azure on Oasis production-ready, there is still one thing to be fixed. Currently, it is not possible to change the disk size after a deployment has been created. This is something which we want to fix within the next couple of weeks. In case you have an account of type “professional”, you can use a slider to configure the disk size. We also recommend that you only choose well-known values for the disk size.
You can get started with Oasis easily and for free. Just sign-up for Oasis and create your first deployment with just a few clicks. The first 14 days are on the house. No credit card needed. Test-run ends automatically after 14 days of use.
Get started with Oasis on Azure, Google Compute or AWS