Stopping Cloud Breaches

Transcript

1. @teriradichel Cloud Breaches What you need to know and what

   you can do

2. @teriradichel Hello. What we are doing is not working.

3. @teriradichel What are we doing wrong?

4. @teriradichel How can I make a difference?

5. @teriradichel Our backgrounds influence our thinking 25 years of tech

   and business ~ diverse companies #Software #Cybersecurity #Cloud #Business (on my third company) #pentesting #research #writing #training

6. @teriradichel Some certs and things…

7. @teriradichel My own data breach https://medium.com/cloud-security

8. @teriradichel Book Pretty much free …write in my “spare” time

   @2ndSightLab

9. @teriradichel Training

10. @teriradichel Pentesting & Research How are companies being attacked? How

    do we fix it??

11. @teriradichel Cloud Threats Old and new… Credentials Phishing Misconfigurations OWASP

    Top 10 Vulnerabilities Ransomware Cryptominers Architecture Flaws

12. @teriradichel Capital One ~ SSRF

13. @teriradichel How is the Capital One breach different?

14. @teriradichel The Black Swan Just because you haven’t seen it…

    More to come?

15. @teriradichel Capital One wasn’t the only ONE!

16. @teriradichel What people told me…. [This page intentionally left blank]

17. @teriradichel Is that technical stuff really the problem? People knew…

    Things they told me I was there But not just there…it happens almost everywhere.

18. @teriradichel The Five Whys (somewhat hypothetically) Why did Capital One

    get breached? An attacker used an SSRF attack on a WAF to access S3 buckets. Why could the attacker use an SSRF flaw? The WAF was vulnerable. Why could the WAF (or a machine behind it) get to so much data? An IAM role had excessive permission. Why would they give a single role all those permissions? People told they not to. They did it anyway. Why did they do it anyway? The decision makers didn’t understand (or care about) the risk.

19. @teriradichel Decision makers need to know security! Things like….security architecture

    and risk assessments VPN attacks, RDP and SSH Brute force, CVEs, Zero Days, botnets Three-tier architectures, network security, encryption key management How malware works, cyber kill chain, threat modeling How your machine will be the pivot point into or within the cloud Why systems exposed to Internet is a serious risk, segregation of duties How attackers hide in network traffic – C2 tunnels, web shells, proxies IDS / IPS, SIEM, DFIR, chain of custody, governance, Etc. Etc. Etc.

20. @teriradichel Would you let a developer perform surgery on you?

21. @teriradichel Why developers don’t believe security people Developers need to

    know why. Security people tell developers to do things. Developers think it’s a big waste of time. Developers need cybersecurity training. Developers ARE your security team now! Train them so they make the right decisions. Developers are your cyber warriors.

22. @teriradichel Why execs don’t believe security people Many execs don’t

    know basic cybersecurity. Even if they did they don’t have a way to measure it. Cybersecurity at the end of the data is about risk. How can you measure risk if you don’t know what the risks are? How can you measure risk if you don’t have metrics? Executives understand complex financial reports. They can understand basic cyber well enough to evaluate risk. In addition – where to invest to effectively reduce risk.

23. @teriradichel You still need your security team! Focused on security

    full time and security awareness. Threat research, intelligence, and hunting. Security monitoring. Incident handling and response. Evaluating and auditing systems and architectures. Pentesters, red teams, bug bounties. And hopefully….security automation.

24. @teriradichel Why compliance doesn’t work… Measuring what you did: How

    many bricks you laid Not the risk: How many holes exist in the wall We need better metrics.

25. @teriradichel Security Automation Governance Access Monitoring Forensics Remediation Reporting [Quantifiable

    Risk]

26. @teriradichel Need Investment: Time and Money Security automation Costs money

    Takes time Govern what people can do Create alerts and auto-remediation Build in metrics to executives who understand what they mean Return on investment – lower cost of data breach

27. @teriradichel We do this for other business processes

28. @teriradichel Measure cyber risk (exposures)

29. @teriradichel In Summary Everyone making decisions that impact cybersecurity needs

    to understand what increases cybersecurity risk. Use security automation to prevent and detect errors and attacks. Measure cyber risk to understand where it exists within your organization and your level of exposure - so you can reduce it!

30. @teriradichel Thank you! Follow me on Twitter @teriradichel Blog posts

    only @2ndsightlab Cloud Security Blog https://medium.com/cloud-security