Use Cases for Root Cause Analysis

Use root cause analysis to reduce the security team's workload and remediate critical issues at their root cause rather than one finding at a time.

Use case #1: Address an Insecure Template Definition with a high health score impact

The Insecure Template Definition root cause identifies a single template (a Kubernetes Deployment, DaemonSet, or any other template that creates instances) that has security issues in the template itself. Those issues propagate to every instance (child) created from the template, so the template is the single root cause of all the resulting findings, and all of them can be remediated by fixing the template.


Fig 1. Address an Insecure Template Definition with a high impact on the health score by securing it.

How-to-use:

  1. Go to Remediation Hub > Filters
  2. Select Root Cause "Insecure Template Definition"
  3. Click on the root cause with the highest impact on the health score
  4. Review the findings
  5. Assign or Dismiss
  • Pro tip: you can also review the findings' related assets and ticket status, assign them, or share the link with another Panoptica user

Use Case #2: Fix a Permissive Identity Object by applying right-size IAM

The Permissive Identity Object root cause finds a single identity object, such as an AWS IAM policy or a GCP role, that has overly permissive permissions and is attached to multiple other identities (users, groups, or roles), granting each of them that permissive access. The policy or role that grants the excessive permissions is the single root cause of all the resulting findings, which can be remediated by updating the policy or role rather than each individual identity.


Fig 2. Fix a Permissive Identity Object by applying right-size IAM.

How-to-use:

  1. Go to Remediation Hub > Filters
  2. Select Root Cause "Permissive Identity Object"
  3. Select the root of interest
  4. Explore the findings
  5. Assign, Create a Ticket, or Dismiss

Use Case #3: Segregate resources to avoid a Resource Overuse

Excessive use of computing resources such as CPU, memory, storage, and network bandwidth can lead to performance issues, downtime, and increased costs. To remediate, use Panoptica's recommendations to segregate resources: review the attack path and remediate the issue using a ready-made Terraform / JSON policy.


Fig 3. Segregate resources to avoid a Resource Overuse.

How-to-use:

  1. Go to Remediation Hub > Filters
  2. Select the Root Cause "Resource Overuse"
  3. Select a root cause to investigate
  4. Click "Investigate" and review the attack paths related to the resources
  5. Remediate, Assign, or Dismiss

Use Case #4: Fix Permissive Network Access by restricting network access

The Permissive Network Access root cause finds a single network access object, such as a security group, whose rules allow overly permissive network access and that is attached to multiple assets, exposing each of them. The security group is the single root cause of all the resulting findings, which can be remediated by restricting its rules rather than fixing each asset individually.


Fig 4. Fix Permissive Network Access by restricting network access.

How-to-use:

  1. Go to Remediation Hub > Filters
  2. Select the Root Cause "Permissive Network Access"
  3. Click on the root cause
  4. Review the attack paths related to the security group
  5. Investigate > Remediate or Assign or Dismiss

Use Case #5: Patch a vulnerable image

The Unpatched Image root cause reveals an image (a compute image such as an AMI, or a Docker image) that ships with vulnerabilities. Every compute asset or container built from the vulnerable image inherits all of those vulnerabilities. The vulnerable image is the single root cause of all the resulting findings (vulnerabilities), which can be remediated by updating it with the latest security patches.


Fig 5. Patch a vulnerable image.

How-to-use:

  1. Go to Remediation Hub > Filters
  2. Select Root Cause "Unpatched Images"
  3. Click on one of the root causes
  4. Review findings
  5. Remediate, Assign, or Dismiss

Use Case #6: Secure a Secret

The Insecure Secret Store root cause locates a single secret value found in cleartext on multiple different assets; the secret itself is the root cause of all those findings, which can be remediated by securing that single secret.

How-to-use:

  1. Go to Remediation Hub > Filters
  2. Select Root Cause "Insecure Secret Store"
  3. Click on one of the root causes
  4. Review findings
  5. Secure the secret, Assign or Dismiss
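The idea shared by use cases #1, #2, #5 and #6 is that many findings trace back to one parent object (a template, an IAM policy, an image, a secret), so fixing the parent once remediates all of them. The following added example, which is not Panoptica's code and uses a hypothetical findings format with constructed sample data, groups findings by their parent and ranks the parents by health-score impact, the way the Remediation Hub filter surfaces the root cause worth fixing first.

```python
from collections import defaultdict

# Constructed sample findings (not Panoptica data): each finding sits on an
# asset, and most assets were created from a shared parent object (template,
# IAM policy, image). Field names, asset names and weights are hypothetical.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}

FINDINGS = [
    {"id": "f1", "asset": "pod-api-1", "severity": "high",
     "root": ("Insecure Template Definition", "deployment/api")},
    {"id": "f2", "asset": "pod-api-2", "severity": "high",
     "root": ("Insecure Template Definition", "deployment/api")},
    {"id": "f3", "asset": "pod-api-3", "severity": "high",
     "root": ("Insecure Template Definition", "deployment/api")},
    {"id": "f4", "asset": "user/alice", "severity": "critical",
     "root": ("Permissive Identity Object", "policy/AdminAll")},
    {"id": "f5", "asset": "role/ci-runner", "severity": "critical",
     "root": ("Permissive Identity Object", "policy/AdminAll")},
    {"id": "f6", "asset": "vm-7", "severity": "medium",
     "root": ("Unpatched Image", "ami-PLACEHOLDER")},
    {"id": "f7", "asset": "vm-9", "severity": "low", "root": None},
]

def group_by_root_cause(findings):
    """Group findings by (root cause type, parent object).

    Each group lists the findings that parent explains, the distinct assets
    affected, and an impact score: the sum of severity weights one fix to the
    parent would remediate. Findings with no shared parent are keyed by asset.
    """
    groups = defaultdict(lambda: {"findings": [], "assets": set(), "impact": 0})
    for f in findings:
        key = f["root"] or ("Asset-level", f["asset"])
        g = groups[key]
        g["findings"].append(f["id"])
        g["assets"].add(f["asset"])
        g["impact"] += SEVERITY_WEIGHT[f["severity"]]
    return dict(groups)

def rank_root_causes(findings, root_cause_type=None):
    """Rank parents by impact, optionally filtered to one root cause type."""
    groups = group_by_root_cause(findings)
    ranked = [(k, g) for k, g in groups.items()
              if root_cause_type is None or k[0] == root_cause_type]
    return sorted(ranked, key=lambda kg: kg[1]["impact"], reverse=True)

if __name__ == "__main__":
    for (kind, parent), g in rank_root_causes(FINDINGS):
        print(f"{kind:28} {parent:18} impact={g['impact']:3} "
              f"assets={len(g['assets'])} findings={len(g['findings'])}")
```

With the sample data, one policy change (policy/AdminAll) ranks first because it clears two critical findings, while the template fix ranks second despite touching more assets.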