Slide 1

@ramimacisabird 🔗 ramimac.me
Rami McCarthy - How to 10X Your Cloud Security (Without the Series D)

Slide 2

Clint Gibler - How to 10X Your Security

Slide 3

Slide 4

Slide 5

I’m Rami 👋 @ramimacisabird 🔗 ramimac.me
Sometimes I look like this online. I’ve been on sabbatical.

Slide 6

I just moved from Boston 🇺🇸 to Stockholm 🇸🇪
Definitely not just to buff my fwd:cloudsec CFP…

Slide 7

more on that later…

Slide 8

Assumptions

Slide 9

Assumptions: You’re early, but investing (not drowning)

Slide 10

Assumptions: Dashboards full of problems

Slide 11

Assumptions: You won’t “buy your way out”
David White - Success Criteria for your CSPM

Slide 12

Philosophy

Slide 13

Philosophy
1. Just do it at first, but automate as much as possible to scale

Slide 14

Philosophy
1. Do things that don’t scale, automate as much as possible to scale
Phil Venables - Delivering Security at Scale: From Artisanal to Industrial

Slide 15

Philosophy
2. High-signal, low-noise tools and alerting

Slide 16

Philosophy
2. High-signal, low-noise tools and alerting
• Simplicity & Signal > Capabilities
• Distributed alerting and responsibility for security tasks

Slide 17

Philosophy
3. Guardrails, not gatekeepers

Slide 18

Philosophy
4. Security as partnership. Embed security in development process

Slide 19

Security-as-Partnership
Jacob Salassi - Why shifting left doesn't work & asks too much from everyone
• Security Champions are human crutches that prop up cumbersome processes that don’t scale
• Every security consultation is a failure

Slide 20

Philosophy
5. Tools devs can build, others can operate

Slide 21

Philosophy
1. Do things that don’t scale, automate as much as possible to scale
2. High-signal, low-noise tools and alerting
3. Guardrails, not gatekeepers
4. Security as partnership. Embed security in development process
5. Tools devs can build, others can operate
6. The limits of desirable security
Karsten Nohl - When Enough Is Enough: The Limits Of Desirable Security

Slide 22

Philosophy: Vendors
• Free trials & demos
• Bets on startups

Slide 23

Security Program
Invariants
Vulnerability & Asset Management
Identity & Access Management
Detection (Engineering)
Deployment

Slide 24

Six sections (cut down from eight, then seven), thirty-odd minutes:
Security Program
Invariants
Vulnerability & Asset Management
Identity & Access Management
Detection (Engineering)
Deployment

Slide 25

Security Program

Slide 26

Security Program: All About Attack Surface
1. Account Architecture
2. Service & Action Allowlists
3. Zero Trust & Zero Touch
4. Identify a baseline, meet it, enforce with invariants, raise it
The Path to Zero Touch Production
Kane Narraway - How We Built Zero Trust

Slide 27

Security Program: Metrics
Alex Smolen - Building Effective Security OKRs
• Example metrics:
  • Time to detection of vulnerabilities
  • Time to remediation of vulnerabilities
  • Average vulnerabilities over time
• Good vulnerability metadata allows for good vulnerability metrics

Slide 28

Security Program: Metrics
Collin Greene - Product security primitives
• % of “really bad” bugs vs total security bugs
• Classes of bugs going down with investment to prevent them
Ryan McGeehan - A key performance indicator for infosec organizations; Killing “Chicken Little”: Measure and eliminate risk through forecasting
• Probabilistic, risk-based KPIs with expert estimation
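The metrics listed on slides 27 and 28 (time to detection, time to remediation, average open vulnerabilities, share of “really bad” bugs, and bug classes trending down) computed from per-finding metadata. This is an added example for this page, not code from the deck or from the talks it cites; the finding records are constructed, and the field names (introduced, detected, fixed, severity, vuln_class) and the SLA table are an assumed tracker schema.

```python
"""Vulnerability metrics from finding metadata (added example, constructed data)."""
from datetime import date, timedelta
from statistics import median

# Constructed sample findings; the schema is an assumption about what a
# finding tracker stores. A finding with fixed=None is still open.
FINDINGS = [
    {"id": 1, "introduced": date(2024, 1, 3),  "detected": date(2024, 1, 10), "fixed": date(2024, 1, 20), "severity": "critical", "vuln_class": "public-s3"},
    {"id": 2, "introduced": date(2024, 1, 15), "detected": date(2024, 1, 16), "fixed": date(2024, 2, 10), "severity": "high",     "vuln_class": "imdsv1"},
    {"id": 3, "introduced": date(2024, 2, 1),  "detected": date(2024, 2, 15), "fixed": date(2024, 2, 18), "severity": "critical", "vuln_class": "public-s3"},
    {"id": 4, "introduced": date(2024, 3, 1),  "detected": date(2024, 3, 4),  "fixed": None,              "severity": "medium",   "vuln_class": "open-sg"},
    {"id": 5, "introduced": date(2024, 4, 2),  "detected": date(2024, 4, 5),  "fixed": date(2024, 4, 12), "severity": "high",     "vuln_class": "imdsv1"},
    {"id": 6, "introduced": date(2024, 5, 10), "detected": date(2024, 5, 11), "fixed": date(2024, 5, 13), "severity": "low",      "vuln_class": "open-sg"},
]
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed remediation SLAs
TODAY = date(2024, 6, 5)  # constructed "now", so the example is deterministic


def _days(a, b):
    return (b - a).days


def time_to_detection(findings):
    """Median days between a vulnerability being introduced and being detected."""
    return median(_days(f["introduced"], f["detected"]) for f in findings)


def time_to_remediation(findings, severity=None):
    """Median days from detection to fix, over fixed findings (optionally one severity)."""
    fixed = [f for f in findings if f["fixed"] and (severity is None or f["severity"] == severity)]
    return median(_days(f["detected"], f["fixed"]) for f in fixed)


def open_on(findings, day):
    """Number of findings open on a given day (detected, and not yet fixed)."""
    return sum(1 for f in findings
               if f["detected"] <= day and (f["fixed"] is None or f["fixed"] > day))


def average_open(findings, start, end):
    """Average open findings per day over an inclusive date range."""
    n = _days(start, end) + 1
    return sum(open_on(findings, start + timedelta(days=i)) for i in range(n)) / n


def really_bad_ratio(findings, bad=("critical", "high")):
    """Share of findings that are 'really bad' (critical or high by default)."""
    return sum(1 for f in findings if f["severity"] in bad) / len(findings)


def sla_breaches(findings, sla=SLA_DAYS, today=TODAY):
    """IDs past their SLA: fixed late, or still open longer than the SLA as of today."""
    return [f["id"] for f in findings
            if _days(f["detected"], f["fixed"] or today) > sla[f["severity"]]]


def per_quarter_by_class(findings):
    """{vuln_class: {quarter: count}}, to see whether a class is going down
    after investing in preventing it (absent quarters mean zero)."""
    out = {}
    for f in findings:
        q = f"{f['detected'].year}Q{(f['detected'].month - 1) // 3 + 1}"
        out.setdefault(f["vuln_class"], {})
        out[f["vuln_class"]][q] = out[f["vuln_class"]].get(q, 0) + 1
    return out


if __name__ == "__main__":
    print("median TTD days:", time_to_detection(FINDINGS))
    print("median TTR days:", time_to_remediation(FINDINGS))
    print("avg open Jan 10-20:", round(average_open(FINDINGS, date(2024, 1, 10), date(2024, 1, 20)), 2))
    print("really bad ratio:", round(really_bad_ratio(FINDINGS), 2))
    print("SLA breaches:", sla_breaches(FINDINGS))
    print("per quarter by class:", per_quarter_by_class(FINDINGS))
```

The point of the constructed data is that none of these numbers can be computed without the metadata: without an `introduced` date there is no time to detection, without a `vuln_class` there is no way to show a class being killed, and without a per-severity SLA the remediation number has no target to be measured against.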

Slide 29

Security Program: Scorecarding
https://ramimac.me/scorecarding

Slide 30

Security Program: Proactive Efficiency
“why not ask ourselves how the team would cope if the workload went up another 30%, but bad financial results precluded any team growth? It's actually fun to think about such hypotheticals ahead of the time - and hey, if the ideas sound good, why not try them out today?”
lcamtuf - Getting Product Security Engineering Right

Slide 31

Security Program: Simple Evangelism
1. “Here’s how we’ll get hacked”
2. “Here’s why security matters”

Slide 32

Invariants

Slide 33

Invariants
Alex Smolen - What are Security Invariants?
• Identify Scope -> Measure Adherence -> Document Exceptions -> Prevent Regressions
Chris Farris - Defining Security Invariants
• Preventing security risk comes at the expense of increasing operational risk

Slide 34

Invariants: Service Control Policies
rami.wiki/scps

Slide 35

Slide 36

Invariants: Service Allow Listing
Reducing Attack Surface with AWS Allowlisting
Kinnaird McQuade - Security Guardrails at Scale in Azure
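A service-allowlist SCP of the kind slides 34 to 36 describe, expressed as an invariant: deny every service that has not been onboarded and every region outside the ones in use, with a break-glass carve-out so the policy can be lifted in an incident without editing it. This is an added example for this page, not code from the deck, from rami.wiki/scps or from the allowlisting write-ups it cites. The service list, region list and the `BreakGlass` role name are constructed assumptions, and `is_denied()` models only the policy elements used here (Deny, NotAction, `aws:RequestedRegion`, `aws:PrincipalARN`), not the full IAM evaluation logic.

```python
"""Service-allowlist SCP as an invariant, plus a small checker (added example)."""
import fnmatch
import json

ALLOWED_SERVICES = ["ec2", "s3", "iam", "sts", "cloudtrail", "kms", "logs"]  # assumed
ALLOWED_REGIONS = ["us-east-1", "eu-north-1"]  # assumed
# Global services carry no region in the request, so they must be exempt from
# the region deny or IAM/STS calls break everywhere.
GLOBAL_SERVICES = ["iam", "sts", "organizations", "support", "budgets"]
BREAK_GLASS_ROLE = "BreakGlass"  # assumed name of the emergency role


def build_allowlist_scp(services=ALLOWED_SERVICES, regions=ALLOWED_REGIONS,
                        break_glass_role=BREAK_GLASS_ROLE):
    """Deny everything outside the allowlisted services, and everything outside
    the allowed regions, except for the break-glass role. Raising the baseline
    is then a change to `services`/`regions`, not a new policy."""
    exempt = {"ArnNotLike": {"aws:PrincipalARN": f"arn:aws:iam::*:role/{break_glass_role}"}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyNonAllowlistedServices",
                "Effect": "Deny",
                "NotAction": [f"{s}:*" for s in services],
                "Resource": "*",
                "Condition": exempt,
            },
            {
                "Sid": "DenyNonAllowedRegions",
                "Effect": "Deny",
                "NotAction": [f"{s}:*" for s in GLOBAL_SERVICES],
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:RequestedRegion": regions}, **exempt},
            },
        ],
    }


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and '*' is a wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_denied(scp, action, region, principal_arn):
    """Simplified evaluation: denied if any Deny statement applies to the call."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if any(_action_matches(p, action) for p in stmt["NotAction"]):
            continue  # action is inside the NotAction list: statement does not apply
        cond = stmt.get("Condition", {})
        arn_pattern = cond.get("ArnNotLike", {}).get("aws:PrincipalARN")
        if arn_pattern and fnmatch.fnmatchcase(principal_arn, arn_pattern):
            continue  # break-glass principal is exempt
        regions = cond.get("StringNotEquals", {}).get("aws:RequestedRegion")
        if regions and region in regions:
            continue  # request is in an allowed region
        return True
    return False


def scp_size_ok(scp, limit=5120):
    """SCP documents are limited to 5,120 characters; render compactly."""
    return len(json.dumps(scp, separators=(",", ":"))) <= limit


SCP = build_allowlist_scp()
DEV_ROLE = "arn:aws:iam::123456789012:role/Developer"  # constructed
BREAK_GLASS_ARN = f"arn:aws:iam::123456789012:role/{BREAK_GLASS_ROLE}"

if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    print("lambda in us-east-1 denied:", is_denied(SCP, "lambda:CreateFunction", "us-east-1", DEV_ROLE))
    print("ec2 in ap-southeast-1 denied:", is_denied(SCP, "ec2:RunInstances", "ap-southeast-1", DEV_ROLE))
```

Two checks a practitioner should run before attaching this at the organization root: confirm the global-service exemption covers every regionless service the organization actually calls (the list above is an assumption), and confirm the rendered document fits the size limit, since an allowlist grows with every onboarded service.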

Slide 37

Vulnerability & Asset Management (VAM)

Slide 38

VAM: Asset Inventory
Current AND historic resource metadata
Jake Berkowsky - Security Analytics with Wiz and Snowflake

Slide 39

VAM: Hygiene
• Cleanup unused assets
• Cleanup ownership
ramimac.me/finops

Slide 40

VAM: Managing Vulnerabilities
Cheatsheets
• Trend Micro - CloudConformity Knowledge Base
• Datadog - Cloud Security Atlas

Slide 41

VAM: Managing Vulnerabilities
Jamie Finnigan - Severity ratings should mean something
• Confidence ratings are an important modifier on vulnerability severity

Slide 42

VAM: Getting Bugs Fixed
Collin Greene - Fixing security bugs
• Is prioritization correct? Is the bug clear?
• Explain why security matters
• Empathize, avoid nagging
• Escalating to a manager:
  • “I want to make sure you are aware of this and I would like it to be fixed”, not “engineer $foo has dropped this task n times”
  • “you are in the small minority of people who have not fixed your open security bug”
• Visualization, leaderboards, gamification

Slide 43

Identity & Access Management

Slide 44

Identity and Access: Scaling IAM
Will Bengtson, Devon Powley - Bumps in the Road While Scaling Cloud Access
• Direct federation
• Zero access by default
• Auto-approval
Peter Collins, Elisa Guerrant - Heard you liked access, so we built Access to manage your access for Access
JIT Cloud Access

Slide 45

Identity and Access: Least Privilege
Absolute minimal privilege is not desirable security

Slide 46

Desirable Least Privilege for Humans
1. Service level least privileging (carveouts for “crown jewels”)
2. Chris Farris - Sensitive IAM Actions
  • CredentialExposure
  • DataAccess
  • PrivEsc
  • ResourceExposure

Slide 47

Identity and Access: Infra Access
The Path to Zero Touch Production

Slide 48

Identity and Access: Service Identity
1. Cleanup unused access: Steampipe + Access Advisor
2. Make sure you’re on IMDSv2: rami.wiki/imdsv2
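The two service-identity checks on slide 48 (unused service access from Access Advisor data, and instances that still accept IMDSv1) as an added example for this page; this is not code from the deck, from rami.wiki/imdsv2 or from Steampipe. The input shapes mirror what boto3's `iam.get_service_last_accessed_details` and `ec2.describe_instances` return, but every record below is constructed, and the role names, instance IDs, 90-day cutoff and `DryRunClient` are assumptions so the example runs offline.

```python
"""Unused service access and IMDSv1 stragglers (added example, constructed data)."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "now"

# Constructed: Access Advisor style output per role, in the shape of the
# ServicesLastAccessed entries from get_service_last_accessed_details.
# An entry with no LastAuthenticated key means the service was never used.
LAST_ACCESSED = {
    "app-role": [
        {"ServiceNamespace": "s3", "LastAuthenticated": NOW - timedelta(days=2)},
        {"ServiceNamespace": "sqs", "LastAuthenticated": NOW - timedelta(days=200)},
        {"ServiceNamespace": "dynamodb"},
    ],
    "ci-role": [
        {"ServiceNamespace": "ecr", "LastAuthenticated": NOW - timedelta(days=1)},
    ],
}

# Constructed: trimmed describe_instances output (Reservations[].Instances[]).
RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0ccc", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]}]


def unused_services(last_accessed, now=NOW, max_age_days=90):
    """{role: [service namespaces]} never used, or not used within max_age_days.
    These are the grants to remove from the role's policies. Access Advisor
    tracks service-level (and for some services action-level) usage only, so
    this trims services, not individual actions."""
    cutoff = now - timedelta(days=max_age_days)
    stale = {}
    for role, entries in last_accessed.items():
        unused = sorted(e["ServiceNamespace"] for e in entries
                        if "LastAuthenticated" not in e or e["LastAuthenticated"] < cutoff)
        if unused:
            stale[role] = unused
    return stale


def imdsv1_instances(reservations):
    """Instances that still answer IMDSv1 (HttpTokens != required) while the
    metadata endpoint is enabled. A disabled endpoint is not a finding."""
    found = []
    for r in reservations:
        for inst in r["Instances"]:
            mo = inst.get("MetadataOptions", {})
            if mo.get("HttpEndpoint") == "enabled" and mo.get("HttpTokens") != "required":
                found.append(inst["InstanceId"])
    return found


class DryRunClient:
    """Stand-in for a boto3 EC2 client that only records the calls it would make."""
    def __init__(self):
        self.calls = []

    def modify_instance_metadata_options(self, **kwargs):
        self.calls.append(kwargs)


def enforce_imdsv2(ec2, instance_ids):
    """Require session tokens on each instance. `ec2` is a boto3 EC2 client
    (the real call is modify_instance_metadata_options) or a DryRunClient.
    Only HttpTokens is changed: lowering HttpPutResponseHopLimit as well can
    cut off containers that reach IMDS through the host's network stack, so
    that is left as a separate, deliberate change."""
    for iid in instance_ids:
        ec2.modify_instance_metadata_options(InstanceId=iid, HttpTokens="required")
    return list(instance_ids)


if __name__ == "__main__":
    print("unused:", unused_services(LAST_ACCESSED))
    stragglers = imdsv1_instances(RESERVATIONS)
    client = DryRunClient()
    enforce_imdsv2(client, stragglers)
    print("would run:", client.calls)
```

Against a live account, replace the constructed dictionaries with the paginated output of the two boto3 calls named in the comments, and run the IMDSv2 change with a real client only after checking each instance's application actually uses token-based metadata requests.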

Slide 49

Detection (Engineering)

Slide 50

Detection (Eng)
• Allyn Stott - How I Learned to Stop Worrying and Build a Modern Detection & Response Program
• Allyn Stott - The Fault in Our Metrics: Rethinking How We Measure Detection & Response

Slide 51

Detection (Eng)
Ryan McGeehan - Prioritizing Detection Engineering

Slide 52

Detection (Eng)
Ryan McGeehan - Lessons Learned in Detection Engineering
• Great teams
  • … are aware of where, and how, analysis work is being created.
  • … don’t pass bad alerts from one on-call to the next.
  • … don’t pretend that every alert is worth being paged.

Slide 53

Detection (Eng): Distributed Alerting
• SOC Automation Capability Matrix
  • Alert handling
  • Issue tracking
  • Enrichment
  • User Interaction
  • Response
  • Continuity
  • Procedural
• Matt Knight - AI Cyber Challenge DefCon talk
• singe/tidcli
• Tips for SOCLess Oncall

Slide 54

Detection (Engineering): Detections
chronicle/detection-rules
elastic/detection-rules
panther-labs/panther-analysis
SigmaHQ/sigma/.../cloud

Slide 55

Detection (Engineering): Canaries
The Security Canary Maturity Model
1. Coverage: Diversity and Distribution
2. Impact: Signal and Cost Imposition
3. Management: Deployment and Maintenance
4. Program: Discoverability, Publicity, and Response Planning

Slide 56

Deployment

Slide 57

Deployment … is how red teams are currently winning

Slide 58

Deployment
Mike Ruth
• Attacking and Defending Infrastructure with Terraform: How we got admin across cloud environments
• Attacking & Defending Supply Chains. How we got Admin in your Cloud, Again

Slide 59

30-60-90 Plan

Slide 60

30-60-90 Plan
• Assess
• Build relationships
• Establish baseline

Slide 61

30-60-90 Plan
• Do one thing better
• Nail it
• Add invariants for your baseline

Slide 62

30-60-90 Plan
• Plan for scale
• Reproducible process
• Security ROI
• Kill a class of risk

Slide 63

How to 10X Your Cloud Security (With the Series D)

Slide 64

How to 10X Your Cloud Security (With the Series D)
• Security Platform Engineering Team
• Cadillac CDR w/ IR Retainer
• Cadillac “CNAPP”
• Actioning expensive log sources
• Data Perimeter
• Asset Graph: lyft/cartography

Slide 65

Takeaways

Slide 66

Takeaways
1. Build guardrails, establish invariants, offer secure defaults, and kill areas of risk - don’t add to dashboards full of problems
2. IAM, Vulnerability Management, and Detection Engineering are prime candidates for limitation to desirable security
3. Collect the minimum viable data to inform investments and report upwards & outwards
https://speakerdeck.com/ramimac/scale-cloud-security

Slide 67

https://speakerdeck.com/ramimac/scale-cloud-security
One last thing … I’m new to Europe and will be looking for a new role (and friends) shortly. If you know of any cool companies or people, in Sweden and beyond, let me know!
Thank you!
https://www.linkedin.com/in/ramimac/

Slide 68

Additional Slides (Cut for time)

Slide 69

Philosophy
Some things just don’t work:
• Absolute least privilege
• Centralized security review
• Centralized security authorship
Jacob Salassi - Appsec Development: Keeping it all together at scale

Slide 70

Account Architecture

Slide 71

Account Architecture
Richard Crowley - You should have lots of AWS accounts
Richard Crowley - One giant AWS account is technical debt you can’t afford
Corry Haines - AWS Account Layout
Brandon Sherman - What I wished someone told me before going multi-account

Slide 72

Account Architecture: Migrations
Houston Hopkins - aws_organizations_migration_notes.md
Matthew Fuller - Moving AWS Accounts and OUs Within An Organization - Not So Simple!

Slide 73

Account Architecture: Baseline
• David Levitsky, Olivia Hillman (Benchling) - Launch Control - Automating a Security Baseline in the Cloud at Scale
• nozaq/terraform-aws-secure-baseline
• Chris Farris - primeharbor/org-kickstart

Slide 74

Account Architecture: Handling Root
• Scott Piper - Managing AWS root passwords and MFA
• Greg Kerr, Brett Caley, & Matt Jones - yubidisaster: Building Robust Emergency Admin Access to AWS Accounts
• Rich Mogull - OUs, SCPs, and a Root User Account Recovery

Slide 75

VAM: Secrets Scanning
• Source Code
• Terraform State
• Image file systems
• CI/CD Systems
• …
ramimac/aws-customer-security-incidents
gitleaks/gitleaks
Allan Reyes - Keeping secrets out of logs

Slide 76

Configuration as Code

Slide 77

Configuration as Code: Secure by Default
• Semgrep for Terraform Security: Secure-by-default modules
• asecure.cloud
• Semgrep for Terraform Security: Use Semgrep to evangelize secure-by-default modules

Slide 78

Configuration as Code: Scanning
• Christophe Tafani-Dereeper - Scanning Infrastructure as Code for Security Issues
• Adam Cotenoff - Standardizing Terraform Linting
• Scan plans, not just HCL
• Brad Geesaman - Pipeline Precognition: Predicting Attack Paths Before Apply

Slide 79

Configuration as Code: Manual Actions
Arkadiy Tetelman - Detecting Manual AWS Actions: An Update!
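A detection for manual AWS actions in the spirit of slide 79: once everything is supposed to go through configuration as code, a mutating API call from anything other than the deployment automation is a finding. This is an added example for this page and is not Arkadiy Tetelman's implementation or code from the deck. The CloudTrail records are constructed (the field layout follows CloudTrail's `userIdentity`, `readOnly`, `eventSource` and `userAgent` fields), and the automation role names, account ID and the console user-agent heuristic are assumptions.

```python
"""Flag mutating CloudTrail events not made by deployment automation (added example)."""
import json

# Assumed: roles that deploy configuration as code. Anything else that mutates is manual.
AUTOMATION_ROLES = {"terraform-apply", "atlantis"}
# Read-only calls are skipped by CloudTrail's readOnly flag, with a prefix fallback.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head", "Lookup")

# Constructed CloudTrail records, one JSON document per line as a log sink would store them.
SAMPLE_EVENTS = [
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "readOnly": False,
                "recipientAccountId": "123456789012", "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.8.0",
                "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"userName": "terraform-apply"}}}}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket", "readOnly": False,
                "recipientAccountId": "123456789012", "userAgent": "console.amazonaws.com",
                "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"userName": "AWSReservedSSO_AdministratorAccess_0123456789abcdef"}}}}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "readOnly": True,
                "recipientAccountId": "123456789012", "userAgent": "console.amazonaws.com",
                "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"userName": "AWSReservedSSO_AdministratorAccess_0123456789abcdef"}}}}),
    json.dumps({"eventSource": "config.amazonaws.com", "eventName": "PutEvaluations", "readOnly": False,
                "recipientAccountId": "123456789012", "userAgent": "config.amazonaws.com",
                "userIdentity": {"type": "AWSService", "invokedBy": "config.amazonaws.com"}}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress", "readOnly": False,
                "recipientAccountId": "123456789012", "userAgent": "aws-cli/2.15.0 Python/3.11.6",
                "userIdentity": {"type": "IAMUser", "userName": "alice"}}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "readOnly": False,
                "errorCode": "AccessDenied", "recipientAccountId": "123456789012", "userAgent": "aws-cli/2.15.0 Python/3.11.6",
                "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"userName": "AWSReservedSSO_PowerUser_0123456789abcdef"}}}}),
]


def principal_role(event):
    """Role name for assumed-role sessions, else the IAM user name."""
    ui = event["userIdentity"]
    if ui.get("type") == "AssumedRole":
        return ui.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
    return ui.get("userName")


def is_manual_action(event, automation_roles=AUTOMATION_ROLES):
    """True for a mutating call by a principal that is not deployment automation."""
    ui = event["userIdentity"]
    if ui.get("type") == "AWSService" or ui.get("invokedBy"):
        return False  # AWS services acting on the account's behalf
    if event.get("readOnly") or event["eventName"].startswith(READ_ONLY_PREFIXES):
        return False
    return principal_role(event) not in automation_roles


def channel(user_agent):
    """Heuristic: console sessions show console.amazonaws.com; everything else is API/CLI."""
    return "console" if "console.amazonaws.com" in user_agent else "api"


def manual_actions(raw_lines):
    """Parse JSON log lines and summarise the manual actions found. Denied calls are
    kept (with their errorCode): when invariants block a manual change, the attempt
    itself is the signal."""
    flagged = []
    for line in raw_lines:
        ev = json.loads(line)
        if not is_manual_action(ev):
            continue
        flagged.append({
            "principal": principal_role(ev),
            "action": f"{ev['eventSource'].split('.')[0]}:{ev['eventName']}",
            "channel": channel(ev.get("userAgent", "")),
            "account": ev["recipientAccountId"],
            "error": ev.get("errorCode"),
        })
    return flagged


if __name__ == "__main__":
    for hit in manual_actions(SAMPLE_EVENTS):
        print(hit)
```

The two decisions that determine the noise level of this detection are the automation allowlist (every deploy role must be in it, or the rule pages on every release) and the read-only filter (`readOnly` is the authoritative field; the prefix list only covers records that lack it). Both are assumptions here and should be derived from the organization's own CloudTrail data before the rule goes on call.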

Slide 80

Runtime

Slide 81

Runtime: Minimize patching

Slide 82

Runtime: if k8s, use EKS/AKS/GKE
rami.wiki/eks