Stopping Cloud Breaches

Teri
September 16, 2019

What can we do to stop or minimize cloud (or any) data breaches?

Transcript

  1. @teriradichel Our backgrounds influence our thinking. 25 years of tech and business ~ diverse companies. #Software #Cybersecurity #Cloud #Business (on my third company) #pentesting #research #writing #training
  2. Cloud Threats: Old and new… Credentials, Phishing, Misconfigurations, OWASP Top 10 Vulnerabilities, Ransomware, Cryptominers, Architecture Flaws.
  3. Is that technical stuff really the problem? People knew… Things they told me. I was there. But not just there… it happens almost everywhere.
  4. The Five Whys (somewhat hypothetically). Why did Capital One get breached? An attacker used an SSRF attack on a WAF to access S3 buckets. Why could the attacker use an SSRF flaw? The WAF was vulnerable. Why could the WAF (or a machine behind it) get to so much data? An IAM role had excessive permission. Why would they give a single role all those permissions? People told them not to. They did it anyway. Why did they do it anyway? The decision makers didn’t understand (or care about) the risk.
  5. Decision makers need to know security! Things like… security architecture and risk assessments; VPN attacks, RDP and SSH brute force, CVEs, zero days, botnets; three-tier architectures, network security, encryption key management; how malware works, cyber kill chain, threat modeling; how your machine will be the pivot point into or within the cloud; why systems exposed to the Internet are a serious risk, segregation of duties; how attackers hide in network traffic – C2 tunnels, web shells, proxies; IDS / IPS, SIEM, DFIR, chain of custody, governance, etc. etc. etc.
  6. Why developers don’t believe security people. Developers need to know why. Security people tell developers to do things. Developers think it’s a big waste of time. Developers need cybersecurity training. Developers ARE your security team now! Train them so they make the right decisions. Developers are your cyber warriors.
  7. Why execs don’t believe security people. Many execs don’t know basic cybersecurity. Even if they did, they don’t have a way to measure it. Cybersecurity at the end of the day is about risk. How can you measure risk if you don’t know what the risks are? How can you measure risk if you don’t have metrics? Executives understand complex financial reports. They can understand basic cyber well enough to evaluate risk. In addition – where to invest to effectively reduce risk.
  8. You still need your security team! Focused on security full time and security awareness. Threat research, intelligence, and hunting. Security monitoring. Incident handling and response. Evaluating and auditing systems and architectures. Pentesters, red teams, bug bounties. And hopefully… security automation.
  9. Why compliance doesn’t work… Measuring what you did: how many bricks you laid. Not the risk: how many holes exist in the wall. We need better metrics.
  10. Need Investment: Time and Money. Security automation. Costs money. Takes time. Govern what people can do. Create alerts and auto-remediation. Build in metrics to executives who understand what they mean. Return on investment – lower cost of data breach.
  11. In Summary. Everyone making decisions that impact cybersecurity needs to understand what increases cybersecurity risk. Use security automation to prevent and detect errors and attacks. Measure cyber risk to understand where it exists within your organization and your level of exposure - so you can reduce it!
  12. Thank you! Follow me on Twitter @teriradichel. Blog posts only @2ndsightlab. Cloud Security Blog https://medium.com/cloud-security
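
Slide 4 traces the breach to an IAM role with excessive permission, and slides 9 and 10 ask for automation that counts holes in the wall rather than bricks laid. As an added example (not from the deck), this Python check flags role policies that allow S3 data access on every bucket and rolls the findings into one number; the role names, sample policies and the list of yardstick actions are constructed assumptions.

```python
import fnmatch
import json

# Constructed sample role policies (not from the deck).
SAMPLE_ROLES = {
    "waf-role": {"Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ]},
    "report-role": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*"],
         "Resource": "arn:aws:s3:::example-reports/*"},
    ]},
}

# Yardstick of S3 data-access actions (an assumption for this example).
S3_DATA_ACTIONS = ["s3:GetObject", "s3:ListBucket", "s3:PutObject"]
ANY_BUCKET = ("*", "arn:aws:s3:::*")


def as_list(value):
    """IAM allows a single value wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def broad_s3_findings(policy):
    """Return Allow statements granting S3 data access on every bucket.

    Lint only: explicit Deny, Condition, NotAction/NotResource and
    permission boundaries are not evaluated.
    """
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [p.lower() for p in as_list(stmt.get("Action", []))]
        reachable = [a for a in S3_DATA_ACTIONS
                     if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
        wide = [r for r in as_list(stmt.get("Resource", [])) if r in ANY_BUCKET]
        if reachable and wide:
            findings.append({"actions": reachable, "resources": wide})
    return findings


def risk_report(roles):
    """Per-role findings plus one number for a dashboard: total holes."""
    report = {name: broad_s3_findings(p) for name, p in roles.items()}
    return report, sum(len(f) for f in report.values())


if __name__ == "__main__":
    print(json.dumps(risk_report(SAMPLE_ROLES), indent=2))
```

Tracked over time, the hole count is a risk metric of the kind slide 9 asks for, and a non-zero value is a natural trigger for the alerts in slide 10.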