Tamnoon

I see it every day: cloud security teams drowning in alerts and struggling to fix them. And almost every time, these same three issues pop up: Too many tools adding unnecessary complexity. Too many alerts for your teams to keep up. Too few hands available to help In our latest blog, I share how we flipped the script, helping our customers carry out effective CTEM programs that turn reds into greens. See the exact steps we take to help our customers break up with red once and for all–because the grass really is greener on the other side (we promise) 👇 https://lnkd.in/gNaqm2un

I will be heading to Texas next week and will bring my best boots — or at least my best boot energy. I'll be in Dallas for #CISOXC and couldn't be more excited for a few days of security insights, warm weather, and (hopefully) zero Zoom calls. If you're around, let's meet in person — nothing beats good conversations, especially when there's BBQ involved. 🍖 To wrap up the event in proper Texas style, join us for Boots, Booze, & BBQ at Lucchese alongside the stellar folks from Upwind Security and OX Security. 🎉 Think: top-notch security people, smoky brisket, and maybe even some questionable two-stepping. Space is tight, so giddy-up and RSVP now 👇 https://lnkd.in/gNChk6xE #CISOCXC #TexasStyle #CybersecurityCommunity #HappyHourVibes #IRLNetworking #BootsBoozeBBQ

Howdy y'all, you don't want to miss this! Join us for Boots, Booze, & BBQ at Lucchese after CISO XC Dallas with our friends at Upwind Security and OX Security! Space is extremely limited. RSVP today 👇

More danger lurks in your high alerts than you know (and here’s why). I’ve seen a lot of chatter online about a specific threat actor exploiting IMDSv1 in the wild. Here’s what was happening: -> The threat actor sends a packet to a vulnerable and exposed application, causing it to make a web call that looks like it originated from EC2. -> The EC2 instance makes the web call to Instance Metadata Service to retrieve information, including credentials.  -> The response is then sent to the attacker, giving them access to the (now) compromised credentials. Why? Because IMDSv1 is unauthenticated. This same exploit was used to breach a major financial services company in the past. But there’s good news. Amazon Web Services (AWS) created IMDSv2 to solve this problem. It introduces authentication to the call and adds a much-needed layer of security. There are a few lessons to learn here: 1. Look for public endpoints vulnerable to SSRF. 2. Patch the vulnerability or put mitigating controls in place. 3. Inspect any permissions associated with your public-facing resources. You never know what you’ll find. Most CNAPPs will rate this as a high or below alert, not critical. But an exploit like this, left unchecked, can quickly become a terrible, horrible security event. Looking for more insights like these? See what my team discovered after analyzing millions of alerts by downloading Tamnoon’s State of Cloud Remediation report (link in comments).

Brewed for zero burnout. The first-ever beverage designed exclusively for cloud security teams. There are drinks for athletes. There are drinks for gamers. But until now, nothing for the folks fighting the good fight in the cloud. Introducing Tamnoonweizen! Your drink for wiping away critical misconfigurations and reclaiming your sanity. 🔶 No Sugar (don’t ask how) 🔷 100 Calories 🟢 0 Critical Alerts Left Hanging

I talk a lot about how the SOC is not equipped to handle misconfiguration alerts from a CNAPP, and I'm grateful my friend Joseph Barringhaus 🐙 at Tamnoon sent some data over from their State of Cloud Remediation report to help me prove it. According to their data set, these are the top 5 most common alerts coming out of CNAPPs. As I suspected, there's not a single thing a SOC analyst can do about any of these! Is a SOC analyst going to be: 1. Turning on IMDSv2 2. Migrating EBS volumes to encrypted datastores 3. Managing SSM compliance issues? 4. Implementing health checks for containers? 5. Turn off automatic public IP assignment for subnets? These tools are fundamentally not built for the SOC, they're built for engineers. Any tool that tries to emphasize the SOC responding to misconfiguration alerts is going the wrong way - the SOC is there for incident response to active threats, not fixing misconfigurations. What does MTTR even look like for an alert that will take a 6 month engineering project to fix? The SOC is built for responding to active threats, not misconfigurations and theoretical exploitations.

It all started with this alert: “You have AWS EC2 instances with a public IP address that are behind a load balancer.” Strange. You’d expect traffic to pass through the load balancer and for the load balancer to determine which EC2 instance to send it to. With a public IP, you can bypass the load balancer entirely. From a security standpoint, this wasn’t good. Threat actors can hit the EC2 instance directly, attacking every exposure on the server. However, with a load balancer, they can only attack the application, narrowing the surface quite a bit. At Tamnoon, we have playbooks for our customers for this exact scenario: examining VPC Flow Logs to verify that removing the public IPs wouldn’t impact production. The logs revealed something very weird: hundreds of IP addresses likely originating from a botnet barbarian battering at the digital doors of democracy. You catch my drift (and literary skills). This discovery warranted an immediate change in priority. 1. We removed the public IPs so traffic could go through the load balancer. 2. We implemented a web application firewall in front of the customer’s firewall. 3. We configured WAF to block the malicious traffic. Problem solved. What can we learn from this? -> Not everyone knows how to do this, but we do, and we’re here to help our customers with challenges like these. -> Having detailed playbooks ready to go enables operational excellence for your remediation program. -> Cloud security is hard — you want proven experts by your side to help you make sense of everything. That’s where Tamnoon comes in. Trust the CloudPros to do it right.

Somehow, we beat the submission fatigue. Now we’re flying high with a Silver Globee Award in Cloud Security 🥈 Massive shoutout to our incredible CloudPros, AI copilots, and leadership crew (Marina S., Ran Nahmias, Idan Perez, Joseph Barringhaus 🐙, and Michael St.Onge) and to everyone who’s ever said, “Wow, this should be easier.” (We agreed. So we made it happen.) Big congrats to the other winners in our category. Check Point Software Point (Gold 🥇) Microsoft (Silver twins 🥈) To quote Doc Brown: “Roads? Where we’re going, we don’t need roads.” 🚀 Tamnoon is taking off, no roads required. 🕶️

Rule #1: Just because you can, doesn’t mean you should. In AWS, Resource Control Policies (RCPs) enforce that rule. These deny policies act as organization-wide guardrails, preventing unwanted actions even if IAM or resource policies allow them. What makes RCPs special? ✔️ They override other policies when necessary ✔️ They protect sensitive resources with an extra layer of security ✔️ They reduce risk by preventing accidental misconfigurations Don’t leave your AWS security up to chance. Learn how RCPs can help in our latest blog. https://hubs.ly/Q03c6LL00

Please join us in welcoming Mike Bjellos to Team Tamnoon! 👏 Mike brings 16 years of experience in technology infrastructure, SaaS, cloud, and cybersecurity sales. Before joining Tamnoon, he was part of the Prisma Cloud business at Palo Alto Networks, and prior to that, he spent 13 years at Oracle in sales and sales leadership roles. Known for his customer-centric and consultative approach, Mike is passionate about solving complex challenges and building long-term partnerships. Outside of work, Mike’s world revolves around his family and their many adventures. 🏡🎉 So excited to have you join the community of Tamnooners! 🐙