Understand and Prioritize with Layered Context

Layered Context provides a holistic view of the most critical resources found in all environments that are connected to InsightCloudSec.

Explore Layered Context

In InsightCloudSec, navigate to Security > Layered Context to start viewing high risk resources and their impact on Insights in your environment.

Filter

Layered Context provides filtering to narrow the scope of the data and make it easier to navigate.

Add Filter

Filtering allows for narrowing the scope of the resources list using properties like cloud accounts, clusters, resource groups, etc. Some things to note about filtering behavior:

  • Each selected filter updates dynamically with options appropriate for the property selected.
  • After selecting an initial property, click + Add Filter to add an additional filter and further narrow the scope.
  • If filtering on a Resource Tag:
    • Searching for a tag is case insensitive.
    • New tags are harvested every 12 hours by the ResourceTypeTrigramsProcess background job (see System Settings for more information).

To add a filter:

  1. Click the Add Filters button to open the side panel.
  2. Select and configure a property to get started.
  3. After configuring your desired filters, click Apply to update the scope for the feature.

Save Filters (Optional)

After Adding a Filter, you can save it so that it can easily be reused the next time you access the feature. Saved filters are feature-specific (since options vary between features), i.e., a saved filter in Feature "A" will only be available in Feature "A" and will not be available in Feature "B".

To save a filter:

  1. Once filter(s) have been applied, ensure the filters list is expanded by clicking the arrow (>).
  2. Click the ellipsis (...) button, then click Save Filter.
  3. Provide a name for the filter and an optional description.
  4. Select the checkbox for Set as Default Filter to set this filter as the default for the feature.
  5. Select the checkbox for Make this a Public Filter to allow other users to see the filter.
  6. Click OK.

Once a filter has been successfully saved, it can be accessed (along with other saved filters) or edited from the same ellipsis menu.

Trend and Analytics

The Trend and Analytics section of Layered Context provides high-level visuals to summarize risk associated with your resources.

Graph - Description

  • Resource Risk Severity - A summary of the number of resources in your environments whose risk score severity falls into each category:
    • Critical has a risk score above 900
    • High has a risk score in the range 700-899
    • Medium has a risk score in the range 400-699
    • Low has a risk score in the range 100-399
    Click a risk severity (one of the bars) to automatically filter the view to the severity type.
  • Critical Risk Resource Types - Displays a visual breakdown of the resource types with critical risk, including a count and overall percentage. For example: if you have 100 resources with critical risk and 20 of those resources share the same type, their portion of the graph would read <type> 20% (20) Critical Risk Resources.

Data Display

This display contains all of the data analyzed within Layered Context, which can be grouped by cloud (account) or Application. The default view for Layered Context is filtered to show your highest risk severity resources. Combining grouping with filtering assists you with navigating to specific areas that you want to evaluate for risk. Some important features to look for:

  • Search - Type into the search bar and the list of resources will automatically filter to match the criteria. Currently, search is limited to the resource name and type metadata attributes.
  • Download - To save a copy of the information found in the resource list, click Download next to the search bar and select either CSV or JSON. The file will be prepared in the background until it is ready to be downloaded by your web browser. If the file preparation takes longer than 10 minutes, it will time out, so it's best to narrow the scope prior to downloading.
  • Group By... - Use this drop-down menu to group the list of resources by cloud (account) or application. After the list has been grouped, each account or application can be expanded using the + icon to reveal all resources associated with the group.
    • A grouped list is another table similar to the normal listing. This grouped list can be downloaded or have its columns adjusted.

Resources with 0 risk are not displayed

Resources with a risk score of 0, meaning no risk factors have been flagged, will not be displayed in Layered Context by default. If you wish to still display resources with 0 risk in Layered Context, contact support.

Interacting with resources

Selecting an individual resource by clicking on the name opens a Context Detail pane where you can explore the properties of the resource, review Insight Findings, view Related Resources, and download JSON for that individual resource (along with many other contextual details). For each individual resource available in Layered Context, the additional details (properties, actions, tags, etc.) will vary. Areas that are not applicable and/or those that do not contain data will be inactive. Review the sections below for details on some of the most important information within the Context Detail panel.

Risk

The risk score for your resources is a proprietary calculation based on 7 factors:

Factor - Description

  • Public Accessibility - The resource has been identified as publicly accessible. Public accessibility has a multiplier effect when found on a resource with other risk factors to ensure these resources get higher risk scores.
  • Business Criticality - Applications can be defined as business critical, which heightens the importance of the resources within that application. Business criticality has a multiplier effect when found on a resource with other risk factors to ensure resources within business critical applications get higher risk scores.
  • Attack Paths - If a resource is on an attack path, this will increase the risk score. The risk score will increase even more if the resource is on multiple attack paths.
  • Vulnerabilities - Active Risk score (from InsightVM) is used to determine the severity of a vulnerability. Active Risk uses the latest CVSS score with intelligence from threat feeds like AttackerKB, Metasploit, ExploitDB, Project Lorelei, CISA KEV list, and other third-party dark web sources to provide security teams with a threat-aware vulnerability risk score. Vulnerabilities with an active risk score above 700 have the most impact on the risk score assigned to the resource.
  • Insights (Misconfigurations) - If a resource has misconfigurations (based on best practice Insights curated by InsightCloudSec), its risk score increases. Critical and High severity Insights add the most risk.
  • Critical IaM Insights - Critical Identity and Management (IaM) Insight failures (or misconfigurations) contribute to an increased risk score.
  • Threat Findings - InsightCloudSec Threat Findings is a multi-cloud capability that curates runtime threat detections from your resources. Any threat findings found on a resource increase its risk score. High and Medium severity threats add the most risk.

In any risk factor section, click View Evidence to jump to the corresponding tab on the Context Details panel that outlines the details for the particular factor.

Public Access

Public Accessibility is a major security risk and as such has a huge impact on risk for a given resource. InsightCloudSec designates something as publicly accessible if a relevant Insight fails when checking a given resource. When you open the Context Details > Public Access tab, you'll find a table of all Public-related Insights for the given resource type as well as the first date the resource failed the Insight and the result (if the resource failed, it's Public; if it has not failed or the Insight does not apply, it's not Public). Click the + next to a Source to review detailed information about the Insight. If a resource has been marked as public but it is intentionally public, you should update the Public Accessibility Allow List.

Compute instances' public accessibility is calculated differently

As of InsightCloudSec version 24.5.21, the public accessibility of AWS, Microsoft Azure, and GCP Compute Instances is calculated differently, so you may see a reduction in the overall number of resources marked as public with a corresponding reduction in risk score. The following Insights are still active but will no longer be used to determine whether a resource is publicly accessible:

  • Compute Instance With Public IP Attached
  • Instance With Public IP Exposing SSH
  • Instance with Public IP Exposing RDP
  • Instance With Public IP Address And Any Port Exposure to 0.0.0.0/0
  • Instance Exposing Management Ports (Azure)
  • Compute Instance With Open Management Interface (OMI) Ports Exposed

There is a new Insight to check for public accessibility instead: Compute Instance Open to the Public.
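
The sketch below is an added example, not InsightCloudSec code. It reconciles the drop in public resources described above by listing compute instances that lose public status under the new rule while the listed Insights are still failing on them. The record schema, field names and resource IDs are constructed, and the old rule is modelled as "any of the six listed Insights failed", which is an assumption.

```python
# Added example: constructed data and a hypothetical record schema,
# not an InsightCloudSec export format.

# The six Insights the page lists as still active but no longer deciding public status.
LEGACY_PUBLIC_INSIGHTS = frozenset(name.casefold() for name in (
    "Compute Instance With Public IP Attached",
    "Instance With Public IP Exposing SSH",
    "Instance with Public IP Exposing RDP",
    "Instance With Public IP Address And Any Port Exposure to 0.0.0.0/0",
    "Instance Exposing Management Ports (Azure)",
    "Compute Instance With Open Management Interface (OMI) Ports Exposed",
))
NEW_PUBLIC_INSIGHT = "Compute Instance Open to the Public".casefold()


def reconcile(instances):
    """Compare public status of compute instances under the old and new rule.

    Assumption: the old rule is modelled as "any of the six listed Insights failed".
    """
    report = []
    for inst in instances:
        # Match Insight names case-insensitively but report them as recorded.
        failed = {name.casefold(): name for name in inst["failed_insights"]}
        legacy_hits = sorted(orig for key, orig in failed.items()
                             if key in LEGACY_PUBLIC_INSIGHTS)
        was_public = bool(legacy_hits)
        is_public = NEW_PUBLIC_INSIGHT in failed
        report.append({
            "resource_id": inst["resource_id"],
            "was_public": was_public,
            "is_public": is_public,
            # No longer counted as public, yet the legacy findings remain open.
            "dropped": was_public and not is_public,
            "open_legacy_findings": legacy_hits,
        })
    return report


# Constructed sample records (hypothetical field names and resource IDs).
SAMPLE = [
    {"resource_id": "vm-constructed-01",
     "failed_insights": ["Compute Instance With Public IP Attached"]},
    {"resource_id": "vm-constructed-02",
     "failed_insights": ["Instance With Public IP Exposing SSH",
                         "Compute Instance Open to the Public"]},
    {"resource_id": "vm-constructed-03",
     "failed_insights": ["instance with public ip exposing rdp"]},
    {"resource_id": "vm-constructed-04", "failed_insights": []},
]

if __name__ == "__main__":
    for row in reconcile(SAMPLE):
        print(row)
```

Instances flagged as dropped no longer contribute the Public Accessibility multiplier, but their open legacy findings still count as misconfiguration Insights and remain worth reviewing.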

Source Data

For select Resources, there is an additional Context Details pane called Source Data that surfaces raw data about the resource harvested directly from the Cloud Service Provider (CSP). This additional context about your resources can help to further investigate configuration issues or provide deeper analysis. Click into the document viewing area, then use ⌘F (macOS) or CTRL+F (Windows) to search through the data. For full support details, see Resources.

Documents will only be stored if changes are detected for a resource or if new resources have been created, so some supported resources may not have any source documents.

Layered Context API

There are two endpoints to enable interacting with Layered Context programmatically.

  • Detail Resource: This endpoint details a resource, including parent account information and dependencies. Read more about it in the InsightCloudSec API reference.
  • Export Source Data: This endpoint will export a given resource's source data.