Slide 1

Slide 1 text

Beyond the Baseline: Horizons in Cloud Security Programs
Rami McCarthy (@ramimacisabird)
https://speakerdeck.com/ramimac/sect

Slide 2

Slide 2 text

I’m Rami 👋

Slide 3

Slide 3 text

I’m normally in Boston

Slide 4

Slide 4 text

I work on Security at Figma

Slide 5

Slide 5 text

https://tldrsec.com/p/securely-build-product-ai-machine-learning
https://tldrsec.com/blog/cloud-security-orienteering/

Slide 6

Slide 6 text

What are we protecting against?

Slide 7

Slide 7 text

What are we protecting against?

Slide 8

Slide 8 text

What are we protecting against?

Slide 9

Slide 9 text

What are we protecting against?
• Getting AWS creds via SSRF on rss.app
• AWS takeover through SSRF in JavaScript
• Yahoo Small Business (Luminate) and the Not-So-Secret Keys
• Bug Bounty Story: Escalating SSRF to RCE on AWS
• A Nifty SSRF Bug Bounty Write Up
• Mozilla Hubs Cloud: cloud api credentials exposure

Slide 10

Slide 10 text

How can we protect ourselves?

Slide 11

Slide 11 text

We do the basics, right.

Slide 12

Slide 12 text

Step 1: We’ve done the basics.

Slide 13

Slide 13 text

Step 2: We draw the rest of the f*ing owl

Slide 14

Slide 14 text


Slide 15

Slide 15 text

Not All Companies
Cloud-native technology companies where engineering is a value driver

Slide 16

Slide 16 text

Not All Cloud Security Programs
• Engineering and Automation oriented
• “Zero Trust” architecture
• Maximalist on “Cloud Security”
• Guardrails not Gatekeepers + Paved Roads

Slide 17

Slide 17 text


Slide 18

Slide 18 text


Slide 19

Slide 19 text

Build vs. Adopt vs. Buy

Slide 20

Slide 20 text

Build vs. Adopt vs. Buy
Sabry Tozin (h/t Roy Rapoport)
• Are we solving a problem unique to our company?
• Are we solving a problem at a scale unique to our company?
• Is the cost and effort of integrating an off-the-shelf solution so large that we may as well build one?
• What are the purchasing/ongoing license costs of the product in comparison to building it ourselves?

Slide 21

Slide 21 text

Capabilities and Controls

Slide 22

Slide 22 text

Secrets Management
A mechanism for engineers to easily and securely manage credentials and other secrets provided to services in your cloud environment.
Adopt options / Buy options:
• HashiCorp Vault
• Doppler (YC W19)
• Infisical (YC W23)
• AWS Secrets Manager / AWS KMS
• mozilla/sops
• square/keywhiz
• pinterest/knox
• lyft/confidant
One Read: “Managing secrets is the biggest risk people aren't talking about”, Strategy of Security

Slide 23

Slide 23 text

Secrets Management
A mechanism for engineers to easily and securely manage credentials and other secrets provided to services in your cloud environment.
Build / Adopt / Buy (Recommended / Not recommended):
• Standardize as early as possible, generally with a thin wrapper over CSP services. Focus on DevEx.
• Revisit every ~year, and layer necessary capabilities
• Before adopting, be very sure requirements and practices 1:1 match
• Be wary of premature purchase or deployment of a heavy solution
• Don’t ever roll your own crypto

Slide 24

Slide 24 text

Asset Inventory
Leverage the Cloud Service Provider’s control plane to discover and identify cloud assets, and to monitor their adherence to configuration standards.
Adopt options / Buy options:
• Firemon Cloud Defense (fka DisruptOps)*
• Commercial versions of Steampipe and Cloudquery
• turbot/steampipe
• cloudquery/cloudquery
One Read: “What should you use - CloudQuery or Steampipe?”, badshah

Slide 25

Slide 25 text

Asset Inventory
Leverage the Cloud Service Provider’s control plane to discover and identify cloud assets, and to monitor their adherence to configuration standards.
Build / Adopt / Buy (Recommended / Not recommended):
• You can get far by adopting open source tools
• You need something, early. Adopt inventory first, then add controls in incrementally
• You probably don’t need a full CSPM until later than you’d expect
• Don’t write anything that calls cloud APIs yourself, it’s been done (well)
• Think critically about what controls matter, and watch out for toil and noise

Slide 26

Slide 26 text

-> Cloud Security Posture Management
Continuously assess the security posture by maintaining a current inventory of cloud assets, with risk assessment to detect any misconfigurations.
Adopt options / Buy options:
• Wiz
• Aqua
• Orca
• Lacework
• Prowler
• Prisma Cloud
• Ermetic (Tenable)
• Lightspin (Cisco)
• prowler-cloud/prowler
• cloud-custodian/cloud-custodian
• Zeus-Labs/ZeusCloud
One Talk: “Success Criteria for your CSPM”, David White

Slide 27

Slide 27 text

-> CSPM
Continuously assess the security posture by maintaining a current inventory of cloud assets, with risk assessment to detect any misconfigurations.
Build / Adopt / Buy (Recommended / Not recommended):
• Think about extensibility and integrations
• Evaluate options based on preset criteria, don’t let vendors sell you CNAPP++
• If you build, only do it on top of an adopted inventory platform. Don’t spend your engineer’s time building an open source CSPM. It’s undifferentiated and commoditized. It’s also a lot of work
• Don’t let an opinionated CSPM dictate your security program
• Be thoughtful about dispatching findings to other teams
• Bundled CSPMs can be thoroughly mediocre

Slide 28

Slide 28 text

Automated Remediation
In order to keep up with the rate of change in the cloud, teams reach for solutions to automate the immediate resolution of common misconfigurations.
Adopt options / Buy options:
• Native to your CSPM
• Gomboc
• AWS Config
• twilio-labs/SOCless
• cloudconformity/auto-remediate
One Read: “The Dangers of Corrective Auto Remediation in Your Public Cloud”, Lightspin

Slide 29

Slide 29 text

Automated Remediation
In order to keep up with the rate of change in the cloud, teams reach for solutions to automate the immediate resolution of common misconfigurations.
Build / Adopt / Buy (Recommended / Not recommended):
• When you’re unable to move to Infrastructure as Code
• If you lack a chokepoint for changes
• If you have SOAR-like capabilities, use them for this
• When preventative controls are feasible
• As an early control for your program
• Applied without sufficient context

Slide 30

Slide 30 text

Secure Infra as Code Modules
“Shift-left” secure configuration and empower your developers with secure-by-default IAC modules.
Adopt options / Buy options:
• asecure.cloud
• Gruntwork AWS Infrastructure as Code Library
• Resourcely
• asecure.cloud
• Terraform Registry
Read more: “Why you should pave roads”, Eric Hydrick

Slide 31

Slide 31 text

Secure Infra as Code Modules
“Shift-left” secure configuration and empower your developers with secure-by-default IAC modules.
Build / Adopt / Buy (Recommended / Not recommended):
• Pair with SAST to detect usage of “vanilla” resources
• Steal undifferentiated examples
• Commoditize secure architecture as modules
• Wait for a need to surface before investing in a module

Slide 32

Slide 32 text

Infrastructure as Code Scanning
Detect misconfigurations within your infrastructure as code, before they can be introduced to your environment
Adopt options / Buy options:
• Native to your CSPM
• Native to your SAST
• aquasecurity/tfsec
• returntocorp/semgrep
• bridgecrew/checkov
• turbot/steampipe-plugin-terraform
One Read: “Shifting Cloud Security Left — Scanning [IaC] for Security Issues”, Christophe Tafani-Dereeper

Slide 33

Slide 33 text

IAC Scanning
Detect misconfigurations within your infrastructure as code, before they can be introduced to your environment
Build / Adopt / Buy (Recommended / Not recommended):
• Develop rules based on your specific environment and requirements
• Surface detections, with context, at PR time
• Rolling out rules in “block” mode
• Turning on all possible rules

Slide 34

Slide 34 text

Deception Engineering (Honeypots/tokens)
Deploy high-signal, low noise tripwires in your environment. Make attackers think twice before using found credentials, and know when someone has tried.
Adopt options / Buy options:
• Thinkst Canary
• Native to your CSPM
• Thinkst Canarytokens.org
• Basic AWS API Key + SIEM detection
• spacesiren/spacesiren (inspired by Atlassian Project SPACECRAB)
One Read: “Zero Maintenance AWS Canary Tokens That Scale”, Will Bengston

Slide 35

Slide 35 text

Deception Engineering (Honeypots/tokens)
Deploy high-signal, low noise tripwires in your environment. Make attackers think twice before using found credentials, and know when someone has tried.
Build / Adopt / Buy (Recommended / Not recommended):
• Deploy the quick and free version in high value targets. Probably your CI/CD tooling
• Think about what you’ll do if one goes off before it happens
• Do your best to tightly tie each key to a single potential vector for compromise
• Don’t roll out Will’s architecture until you’ve killed known attack vectors
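
Added example (not from the talk): the “Basic AWS API Key + SIEM detection” option as a small matcher over CloudTrail records, with each canary key tied to one planted location so an alert names the vector. The key IDs, planted locations and events are constructed, and the registry and function names are hypothetical.

```python
import json

# Hypothetical registry of planted canary keys (constructed IDs). Each key
# lives in exactly one place, so a hit names the compromised vector.
CANARY_KEYS = {
    "AKIAEXAMPLECANARY001": "CI/CD: build-runner environment",
    "AKIAEXAMPLECANARY002": "laptop: admin ~/.aws/credentials",
}

# Constructed CloudTrail-style records, reduced to the fields used below.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2024-01-01T09:58:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.4",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLENORMAL001"}},
 {"eventTime": "2024-01-01T10:00:05Z", "eventSource": "sts.amazonaws.com",
  "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLECANARY001"}},
 {"eventTime": "2024-01-01T10:00:09Z", "eventSource": "s3.amazonaws.com",
  "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
  "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLECANARY001"}},
 {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt", "sourceIPAddress": "ec2.amazonaws.com",
  "userIdentity": {"type": "AWSService"}}
]""")


def canary_alerts(records, registry=CANARY_KEYS):
    """Return one alert per record made with a registered canary key."""
    alerts = []
    for rec in records:
        key_id = (rec.get("userIdentity") or {}).get("accessKeyId")
        if key_id not in registry:
            continue  # includes service events that carry no access key
        alerts.append({
            "planted_in": registry[key_id],
            "call": f"{rec.get('eventSource')}:{rec.get('eventName')}",
            "source_ip": rec.get("sourceIPAddress"),
            "time": rec.get("eventTime"),
            # Denied calls still alert: any use proves the key leaked.
            "denied": "errorCode" in rec,
        })
    return alerts


def summarize(alerts):
    """Collapse alerts into one incident per planted location."""
    incidents = {}
    for a in sorted(alerts, key=lambda a: a["time"]):
        inc = incidents.setdefault(a["planted_in"], {
            "first_seen": a["time"], "source_ips": set(), "calls": []})
        inc["source_ips"].add(a["source_ip"])
        inc["calls"].append(a["call"])
    return incidents
```

The match is on key use alone, not on the call succeeding, because a canary key normally carries no permissions and every call it makes is denied.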

Slide 36

Slide 36 text

1. Scaling Granular Access
Support role-based, least-privileged access across an explosion of roles.
Adopt options / Buy options (“CIEM”):
• salesforce/cloudsplaining
• Netflix/repokid
• iann0036/iamlive
• common-fate/iamzero
• noqdev/iambic
• Ermetic
• Native to your CNAPP?
• ???
Read more: “ConsoleMe: A Central Control Plane for AWS Permissions and Access”, Netflix

Slide 37

Slide 37 text

2. Scaling Access Management
Enable a user friendly roll out of granular access by making it easy to understand available access and leverage it.
Adopt options / Buy options:
• Common Fate Cloud
• Leapp Cloud
• Netflix/consoleme
• Noovolari/leapp
• common-fate/granted
Read more: “Access Service: Temporary Access to the Cloud”, Segment

Slide 38

Slide 38 text

3. Scaling Temporary Access
Remove risky ambient permissions and allow step-up and break-glass authorization.
Adopt options / Buy options:
• ConductorOne
• Indent
• Opal
• Sym
• aws-samples/aws-iam-temporary-elevated-access-broker, iam-identity-center-team
• GoogleCloudPlatform/jit-access
• ???
Read more: “Common uses of just-in-time access in the cloud”

Slide 39

Slide 39 text

Scaling … Access
1. Support role-based, least-privileged access across an explosion of roles.
2. Enable a user friendly roll out of granular access by making it easy to understand available access and leverage it.
3. Remove risky ambient permissions and allow step-up and break-glass authorization.
Build / Adopt / Buy (Recommended / Not recommended):
• Build incrementally, and always keep an eye on the user experience
• Right now, ~JIT access is about where you should really consider buying
• Partner with other internal stakeholders on a unified source of truth for identity and role
• Centralizing all creation of IAM
• Trying to preemptively define necessary IAM in a bubble

Slide 40

Slide 40 text

Scaling Account Management
Taking advantage of the inherent blast radius boundary of an Account rapidly turns into toil to stand up new accounts and juggle their lifecycle.
Adopt options / Buy options:
• Substrate
• ???
• org-formation/org-formation-cli
• rebuy-de/aws-nuke
• AWS Control Tower
One Talk: “Reimagining multi-account deployments for security and speed”, Netflix

Slide 41

Slide 41 text

Scaling Account Management
Taking advantage of the inherent blast radius boundary of an Account rapidly turns into toil to stand up new accounts and juggle their lifecycle.
Build / Adopt / Buy (Recommended / Not recommended):
• Rightsize your investment in automation, “human cron” can be a good place to start
• Find good internal development partners with strong cases for investment
• Don’t wait too long to split out use cases with different threat models or administration patterns. Migration across accounts is painful, and data gravity can be a blocker.

Slide 42

Slide 42 text

Control Validation / Attack Simulation
Test and validate your controls and detections on an automated, ongoing basis.
Adopt options / Buy options:
• AttackIQ
• Cymulate
• SCYTHE
• Randori
• awslabs/aws-cloudsaga
• DataDog/stratus-red-team
• WithSecureLabs/leonidas
One Talk: “Adversary emulation for incident-response readiness”, Anna McAbee / Brandon Baxter / Chris Farris

Slide 43

Slide 43 text

Control Validation / Attack Simulation
Test and validate your controls and detections on an automated, ongoing basis.
Build / Adopt / Buy (Recommended / Not recommended):
• Consider leveraging internal frameworks and tools for QA
• Validation at time of creation is likely sufficient for commodity controls and medium program maturity
• Keep a close eye on relative investment in “breaking” vs. “building”
• Be deeply skeptical of “automated red teaming” as a product
• Finding issues is only useful as an effective input to mitigation

Slide 44

Slide 44 text

Egress Monitoring and Filtering
Make attackers’ lives harder post-compromise by filtering egress traffic from your services and alerting on anomalous destinations.
Adopt options / Buy options:
• AWS Network Firewall
• Chaser Systems DiscrimiNAT Firewall
• Aviatrix
• stripe/smokescreen
One Read: “Internet Egress Filtering of Services at Lyft”

Slide 45

Slide 45 text

Egress Monitoring and Filtering
Make attackers’ lives harder post-compromise by filtering egress traffic from your services and alerting on anomalous destinations.
Build / Adopt / Buy (Recommended / Not recommended):
• Consider when modifying network architecture
• “Monitor” mode can be cheap to deploy
• Reliability is huge if you place this on the critical path
• A hamster wheel of pain is likely if you’re not thoughtful about how new, valid connections will be identified and allowlisted

Slide 46

Slide 46 text

Infrastructure Access
Move beyond pervasive raw-SSH access to patterns for getting shells in services that provide least privilege, auditability, support dual control, and can constrain data ingress and egress.
Adopt options / Buy options:
• Teleport
• StrongDM
• BastionZero
• Cloudflare Access
• Tailscale (and other Wireguard-based VPNs)
• AWS SSM + IAM Authentication for <SERVICE>
• Tailscale (and other Wireguard-based VPNs)
• Teleport (open source)
One Talk: “Zero Touch Prod: Towards Safer and More Secure Production Environments”

Slide 47

Slide 47 text

Infrastructure Access
Move beyond pervasive raw-SSH access to patterns for getting shells in services that provide least privilege, auditability, support dual control, and can constrain data ingress and egress.
Build / Adopt / Buy (Recommended / Not recommended):
• Move from SSH to SSM (or equivalent) early
• Get alignment on “what good looks like”
• You won’t get anywhere stopping your coworkers from doing their jobs
• Think about what it will take to get logging to a place that could power real-time detections

Slide 48

Slide 48 text

Data Perimeter
Install guardrails that only allow access for trusted identities, accessing trusted resources, on expected networks.
Adopt options / Buy options:
• InstaSecure
• Native services
One Read: “Building a Data Perimeter on AWS”

Slide 49

Slide 49 text

Data Perimeter
Install guardrails that only allow access for trusted identities, accessing trusted resources, on expected networks.
Build / Adopt / Buy (Recommended / Not recommended):
• Start small - one example would be “we never call s3:PutObject outside our organization”
• Make sure to test your controls, edge cases on condition support can create surprise gaps
• Be careful, AWS doesn’t offer safe ways to roll out SCPs

Slide 50

Slide 50 text

What else?
• Vulnerability Management
• Detection Engineering
• Continuous Compliance / Compliance Automation
• DFIR preparedness
• Runtime Security
• Service to Service Authentication

Slide 51

Slide 51 text

More??
• AI
• Confidential computing
• Security data lakes

Slide 52

Slide 52 text

Keep in Mind
• Prioritization is inherently custom to your risk and business
• Don’t do everything, everywhere, all at once
• But, conversely, uneven application of controls can be ineffective and impractical
• Scaling a program requires increasing investment to maintain and avoid regression in current controls
https://speakerdeck.com/ramimac/sect

Slide 53

Slide 53 text

Cut for time (speed round)
• Vulnerability Management
  • Shared concern with AppSec, generally
  • ASPMs are rapidly bringing in cloud context
• Detection Engineering
  • Security Data Lakes are an emerging trend
  • See: brex/substrate, BSidesSF 2023’s “To Normalized Logs, and Beyond”
• Continuous Compliance / Compliance Automation
  • Vanta / Drata on one end, JupiterOne on the other
• DFIR preparedness
  • Netflix-Skunkworks/diffy, google/cloud-forensics-utils, awslabs/aws-automated-incident-response-and-forensics
  • Cado, Mitiga

Slide 54

Slide 54 text

Cut for time (speed round)
• Runtime Security
  • auditd [blog], OSQuery, Falco, or cilium/tetragon, GuardDuty Runtime Monitoring (EKS)
  • Sysdig or Isovalent, or whatever comes with your CNAPP
  • Chainguard for a different part of the problem
• Service to Service Authentication
  • Start with: A Child’s Garden of Inter-Service Authentication Schemes, Latacora
  • If you can get this for free with a Service Mesh, you probably should
  • This gets talked about more than it gets implemented (well)
  • Basic shared secrets can provide initial answers here