Beyond the AWS Security Maturity Roadmap

Transcript

1. @ramimccarthy
   Rami McCarthy
   Beyond the
   

   AWS Security Maturity
   Roadmap
   

   https://speakerdeck.com/ramimac/fwdcloudsec
   

   View Slide

2. $ get-caller-identity
   Security Engineer
   @
   Figma
   

   figma.fun/seceng
   
   
   

   

   Infrequent Contributor @ tl;drsec
   https://tldrsec.com/guides/sta
   ff
   eng-security/ https://tldrsec.com/blog/cloud-security-orienteering/
   

   View Slide

3. View Slide

4. @ramimccarthy
   Not All Cloud Security Programs
   • Engineering and Automation oriented
   
   
   • “Zero Trust” architecture
   
   
   • Software product
   
   
   • Maximalist cloud security
   
   
   • Guardrails not Gatekeepers
   +
   Paved Roads
   

   View Slide

5. View Slide

6. View Slide

7. @ramimccarthy
   Build
   
   
   vs. Adopt
   
   
   vs. Buy
   

   View Slide

8. @ramimccarthy
   Build vs. Adopt vs. Buy
   Sabry Tozin (via Roy Rapoport)
   • Are we solving a problem unique to our company?
   
   
   • Are we solving a problem at a scale unique to our company?
   
   
   • Is the cost and effort of integrating an off-the-shelf solution so large that we
   may as well build one?
   
   
   • What are the purchasing/ongoing license costs of the product in comparison to
   building it ourselves?
   

   View Slide

9. @ramimccarthy
   Capabilities and
   Controls
   

   View Slide

10. @ramimccarthy
    Secrets Management
    A mechanism for engineers to easily and securely manage credentials and
    other secrets provided to services in your cloud environment.
    Adopt: Options Buy: Options
    • Hashicorp Vault
    
    
    • Doppler
    (
    YC W19
    )
    
    • Infiscal
    (
    YC W23
    )
    • AWS Secrets Manager / AWS KMS
    One Read: “Managing secrets is the biggest risk people aren't talking about”, Strategy of Security
    • mozilla / sops
    
    
    • square / keywhiz
    
    
    • pinterest / knox
    
    
    • lyft / confidant
    

    View Slide

11. @ramimccarthy
    Secrets Management
    Build:
    Adopt:
    Not recommended
    Recommended
    • Standardize as early as possible, generally with a thin
    

    wrapper over CSP services. Focus on DevEx.
    
    
    • Revisit every ~year, and layer necessary capabilities
    • Before adopting, be very sure requirements and
    

    practices 1
    :
    1 match
    
    
    • Be wary of premature purchase or deployment of a
    

    heavy solution
    Buy:
    A mechanism for engineers to easily and securely manage credentials and
    other secrets provided to services in your cloud environment.
    

    View Slide

12. @ramimccarthy
    Asset Inventory
    Leverage the CSP control plane to discover and identify cloud assets, and to
    monitor their adherence to configuration standards.
    Adopt: Options Buy: Options
    • Firemon Cloud Defense (fka DisruptOps)*
    
    
    • Commercial versions of Steampipe and
    Cloudquery
    
    
    • turbot / steampipe
    
    
    • cloudquery / cloudquery
    One Read: What should you use
    -
    CloudQuery or Steampipe?, badshah
    

    View Slide

13. @ramimccarthy
    Asset Inventory
    Leverage the CSP control plane to discover and identify cloud assets, and to
    monitor their adherence to configuration standards.
    Build:
    Adopt:
    Not recommended
    Recommended
    • You can get far by adopting open source tools
    
    
    • You need something, early. Adopt inventory first,
    

    then add controls in incrementally
    
    
    • You probably don’t need a full CSPM
    

    until later than you’d expect
    • Don’t write anything that calls cloud APIs yourself,
    

    it’s been done (well)
    
    
    • Think critically about what controls matter, and watch out for
    

    toil and noise
    Buy:
    

    View Slide

14. @ramimccarthy
    ->
    CSPM
    Continuously assess the security posture by maintaining a current inventory of
    cloud assets, with risk assessment to detect any misconfigurations.
    Adopt: Options Buy: Options
    • Wiz
    
    
    • Aqua
    
    
    • Orca
    
    
    • Lacework
    
    
    • Ermetic
    
    
    • Lightspin
    (
    Cisco)
    
    
    • Prisma Cloud
    • cloud-custodian / cloud-custodian
    
    
    • prowler-cloud / prowler
    
    
    • Zeus-Labs / ZeusCloud
    One Talk: “Success Criteria for your CSPM”, David White (up next)
    

    View Slide

15. @ramimccarthy
    ->
    CSPM
    Continuously assess the security posture by maintaining a current inventory of
    cloud assets, with risk assessment to detect any misconfigurations.
    Build:
    Adopt:
    Not recommended
    Recommended
    • Think about extensibility and integrations
    
    
    • Evaluate options based on preset criteria, don’t let
    vendors sell you CNAPP
    + +
    
    • If you build, only do it on top of an adopted inventory
    platform. Don’t spend your engineer’s time building an
    open source CSPM. It’s undifferentiated and
    commoditized. It’s also a lot of work
    • Don’t let an opinionated CSPM dictate your security program
    
    
    • Be thoughtful about dispatching findings to other teams
    
    
    • Bundled CSPMs can be thoroughly mediocre
    Buy:
    

    View Slide

16. @ramimccarthy
    Automated Remediation
    In order to keep up with the rate of change in the cloud, teams reach for
    solutions to automate the immediate resolution of common misconfigurations.
    Adopt: Options Buy: Options
    • Native to your CSPM
    • AWS Config
    
    
    • twilio-labs / SOCless
    
    
    • cloudconformity / auto-remediate
    One Read: "The Dangers of Corrective Auto Remediation in Your Public Cloud”, Lightspin
    

    View Slide

17. @ramimccarthy
    Automated Remediation
    In order to keep up with the rate of change in the cloud, teams reach for
    solutions to automate the immediate resolution of common misconfigurations.
    Build:
    Adopt:
    Not recommended
    Recommended
    • When you’re unable to move to Infrastructure as Code
    
    
    • If you lack a chokepoint for changes
    • When preventative controls are feasible
    
    
    • As an early control for your program
    
    
    • Applied without sufficient context
    Buy:
    

    View Slide

18. @ramimccarthy
    Secure IAC Modules
    “Shift-left” secure configuration and empower your developers with secure-
    by-default IAC modules.
    Adopt: Options Buy: Options
    • asecure.cloud
    
    
    • Gruntwork AWS Infrastructure as Code Library
    
    
    • Resourcely
    • asecure.cloud
    
    
    • Terraform Registry
    Read more: "Why you should pave roads", Eric Hydrick
    

    View Slide

19. @ramimccarthy
    Secure IAC Modules
    “Shift-left” secure configuration and empower your developers with secure-
    by-default IAC modules.
    Build:
    Adopt:
    Not recommended
    Recommended
    • Pair with SAST to detect usage of “vanilla” resources
    
    
    • Steal undifferentiated examples
    
    
    • Commoditize secure architecture as modules
    • Wait for a need to surface before investing in a module
    Buy:
    

    View Slide

20. @ramimccarthy
    Infrastructure as Code Scanning
    Detect misconfigurations within your infrastructure as code, before they can
    be introduced to your environment
    Adopt: Options Buy: Options
    • Native to your CSPM
    
    
    • Native to your SAST
    • aquasecurity / tfsec
    
    
    • returntocorp / semgrep
    
    
    • turbot / steampipe-plugin-terraform
    
    
    • bridgecrew / checkov
    One Read: “Shifting Cloud Security Left
    —
    Scanning
    [
    IaC
    ]
    for Security Issues”, Christophe Tafani-Dereeper
    

    View Slide

21. @ramimccarthy
    IAC Scanning
    Detect misconfigurations within your infrastructure as code, before they can
    be introduced to your environment
    Build:
    Adopt:
    Not recommended
    Recommended
    • Develop rules based on your specific environment
    

    and requirements
    
    
    • Surface detections, with context, at PR time
    • Rolling out rules in “block” mode
    
    
    • Turning on all possible rules
    Buy:
    

    View Slide

22. @ramimccarthy
    Deception Engineering
    (
    Honeypots/tokens)
    Deploy high-signal, low noise tripwires in your environment. Make attackers
    think twice before using found credentials, and know when someone has tried.
    Adopt: Options Buy: Options
    • Thinkst Canary
    
    
    • Native to your CSPM
    • Thinkst Canarytokens.org
    
    
    • Basic AWS API Key
    +
    SIEM detection
    
    
    • spacesiren / spacesiren (inspired by Atlassian
    Project SPACECRAB
    )
    One Read: “Zero Maintenance AWS Canary Tokens That Scale”, Will Bengston
    

    View Slide

23. @ramimccarthy
    Deception Engineering
    (
    Honeypots/tokens)
    Build:
    Adopt:
    Not recommended
    Recommended
    • Deploy the quick and free version in high value targets.
    

    Probably your CI/CD tooling
    • Think about what you’ll do if one goes off before it happens
    
    
    • Do your best to tightly each key to a single potential
    

    vector for compromise
    
    
    • Don’t roll out Will’s architecture until you’ve killed
    

    known attack vectors
    Buy:
    Deploy high-signal, low noise tripwires in your environment. Make attackers
    think twice before using found credentials, and know when someone has tried.
    

    View Slide

24. @ramimccarthy
    1. Scaling Granular Access
    Support role-based, least-privileged access across an explosion of roles.
    Adopt: Options Buy: Options (“CIEM”)
    • salesforce / cloudsplaining
    
    
    • Netflix / repokid
    
    
    • iann0036 / iamlive
    
    
    • common-fate / iamzero
    
    
    • noqdev / iambic
    Read more: “ConsoleMe: A Central Control Plane for AWS Permissions and Access”, Netflix
    • Ermetic
    
    
    • Native to your CNAPP?
    
    
    • ???
    

    View Slide

25. @ramimccarthy
    2. Scaling Access Management
    Enable a user friendly roll out of granular access by making it easy to
    understand available access and leverage it.
    Adopt: Options Buy: Options
    • Common Fate Cloud
    
    
    • Leapp Cloud
    • Netflix / consoleme
    
    
    • Noovolari / leapp
    
    
    • common-fate / granted
    Read more: “Access Service: Temporary Access to the Cloud”, Segment
    

    View Slide

26. @ramimccarthy
    3. Scaling Temporary Access
    Remove risky ambient permissions and allow step-up and break-glass
    authorization.
    Adopt: Options Buy: Options
    • ConductorOne
    
    
    • Indent
    
    
    • Opal
    
    
    • Sym
    • aws-samples / aws-iam-temporary-elevated-
    access-broker
    
    
    • ???
    Read more: “Common uses of just-in-time access in the cloud”
    

    View Slide

27. @ramimccarthy
    Scaling … Access
    Build:
    Adopt:
    Not recommended
    Recommended
    • Build incrementally, and always keep an eye on
    

    the user experience
    
    
    • Right now,
    ~
    JIT access is about where you should
    

    really consider buying
    
    
    • Partner with other internal stakeholders on a unified
    

    source of truth for identity and role
    • Trying to preemptively define necessary IAM in a bubble
    
    
    • Centralizing all creation of IAM
    Buy:
    1. Support role-based, least-privileged access across an explosion of roles.
    
    
    2. Enable a user friendly roll out of granular access by making it easy to understand available access and leverage it.
    
    
    3. Remove risky ambient permissions and allow step-up and break-glass authorization.
    

    View Slide

28. @ramimccarthy
    Scaling Account Management
    Taking advantage of the inherent blast radius boundary of an Account rapidly
    turns into toil to stand up new accounts and juggle their lifecycle.
    Adopt: Options Buy: Options
    • ???
    • org-formation / org-formation-cli
    
    
    • rebuy-de / aws-nuke
    
    
    • AWS Control Tower
    One Talk: “Reimagining multi-account deployments for security and speed”, Netflix
    

    View Slide

29. @ramimccarthy
    Scaling Account Management
    Taking advantage of the inherent blast radius boundary of an Account rapidly
    turns into toil to stand up new accounts and juggle their lifecycle.
    Build:
    Adopt:
    Not recommended
    Recommended
    • Rightsize your investment in automation, “human cron”
    

    can be a good place to start
    
    
    • Find good internal development partners with strong cases
    

    for investment
    • Don’t wait too long to split out use cases with different
    

    threat models or administration patterns. Migration across
    

    accounts is painful, and data gravity can be a blocker.
    Buy:
    

    View Slide

30. @ramimccarthy
    Control Validation / Attack Simulation
    Test and validate your controls and detections on an automated, ongoing
    basis.
    Adopt: Options Buy: Options
    • AttackIQ
    
    
    • Cymulate
    
    
    • SCYTHE
    
    
    • Randori
    • awslabs / aws-cloudsaga
    
    
    • DataDog / stratus-red-team
    
    
    • WithSecureLabs / leonidas
    One Talk: “Adversary emulation for incident-response readiness”, Anna McAbee / Brandon Baxter / Chris Farris
    

    View Slide

31. @ramimccarthy
    Control Validation / Attack Simulation
    Test and validate your controls and detections on an automated, ongoing
    basis.
    Build:
    Adopt:
    Not recommended
    Recommended
    • Consider leveraging internal frameworks and tools for QA
    
    
    • Validation at time of creation is likely sufficient for
    

    commodity controls and medium program maturity
    • Keep a close eye on relative investment in “breaking”
    

    vs. “building
    
    
    • Be deeply skeptical of “automated red teaming” as a product
    
    
    • Finding issues is only useful as an effective
    

    input to mitigation
    Buy:
    

    View Slide

32. @ramimccarthy
    Egress Monitoring and Filtering
    Make attackers lives harder post-compromise by filtering egress traffic from
    your services and alerting on anomalous destinations.
    Adopt: Options Buy: Options
    • AWS Network Firewall
    
    
    • Chaser Systems DiscrimiNAT Firewall
    
    
    • Aviatrix
    • stripe / smokescreen
    One Read: “Internet Egress Filtering of Services at Lyft”
    

    View Slide

33. @ramimccarthy
    Egress Monitoring and Filtering
    Make attackers lives harder post-compromise by filtering egress traffic from
    your services and alerting on anomalous destinations.
    Build:
    Adopt:
    Not recommended
    Recommended
    • Consider when modifying network architecture
    
    
    • “Monitor” mode can be cheap to deploy
    • Reliability is huge if you place this on the critical path
    
    
    • A hamster wheel of pain is likely if you’re not thoughtful
    

    about how new, valid connections will be
    

    identified and allowlisted
    Buy:
    

    View Slide

34. @ramimccarthy
    Infrastructure Access
    Adopt: Options Buy: Options
    • Teleport
    
    
    • StrongDM
    
    
    • BastionZero
    
    
    • Cloudflare Access
    
    
    • Tailscale (and other
    Wireguard-based
    VPNs)
    • AWS SSM
    +
    IAM Authentication for
    <
    SERVICE
    >
    
    • Tailscale (and other Wireguard-based VPNs)
    
    
    • Teleport (open source)
    One Talk: “Zero Touch Prod: Towards Safer and More Secure Production Environments”
    Move beyond pervasive raw-SSH access to patterns for getting shells in services that provide
    least privilege, auditability, support dual control, and can constrain data ingress and egress.
    

    View Slide

35. @ramimccarthy
    Infrastructure Access
    Build:
    Adopt:
    Not recommended
    Recommended
    • Move from SSH to SSM (or equivalent) early
    
    
    • Get alignment on “what good looks like”
    • You won’t get anywhere stopping your coworkers
    

    from doing their jobs
    
    
    • Think about what it will take to get logging to a place
    

    that could power real-time detections
    Buy:
    Move beyond pervasive raw-SSH access to patterns for getting shells in services that provide
    least privilege, auditability, support dual control, and can constrain data ingress and egress.
    

    View Slide

36. @ramimccarthy
    Data Perimeter
    Install guardrails that only allow access for trusted identities, accessing trusted
    resources, on expected networks.
    Adopt: Options Buy: Options
    • InstaSecure
    • Native services
    One Read: “Building a Data Perimeter on AWS”
    

    View Slide

37. @ramimccarthy
    Data Perimeter
    Install guardrails that only allow access for trusted identities, accessing trusted
    resources, on expected networks.
    Build:
    Adopt:
    Not recommended
    Recommended
    • Start small - one example would be “we never call
    

    s3
    :
    PutObject outside our organization”
    • Make sure to test your controls, edge cases
    

    on condition support can create surprise gaps
    
    
    • Be careful, AWS doesn’t offer safe ways to roll out SCPs
    Buy:
    

    View Slide

38. @ramimccarthy
    Cut for time
    •Vulnerability Management
    
    
    •Detection Engineering & Security Data Lakes
    
    
    •Continuous Compliance / Compliance Automation
    
    
    •DFIR preparedness
    
    
    •Runtime Security
    
    
    •Service to Service Authentication
    
    
    

    View Slide

39. @ramimccarthy
    • Prioritization is inherently custom to your risk and business
    
    
    • Don’t do everything, everywhere, all at once
    
    
    • But, conversely, uneven application of controls can be ineffective
    and impractical
    
    
    • Scaling program requires increasing investment to maintain and avoid
    regression in current controls
    Keep in Mind
    

    https://speakerdeck.com/ramimac/fwdcloudsec
    

    View Slide

40. @ramimccarthy
    Cut for time (speed round)
    • Vulnerability Management
    
    
    • Shared concern with AppSec, generally
    
    
    • ASPMs are rapidly bringing in cloud context
    
    
    • Detection Engineering
    
    
    • Security Data Lakes are an emerging trend
    
    
    • See: brex / substrate, BSidesSF 2023’s “To Normalized Logs, and Beyond,"
    
    
    • Continuous Compliance / Compliance Automation
    
    
    • Vanta / Drata on one end, JupiterOne on the other
    
    
    • DFIR preparedness
    
    
    • Netflix-Skunkworks / diffy, google / cloud-forensics-utils, awslabs / aws-automated-
    incident-response-and-forensics
    
    
    • Cado, Mitiga
    

    View Slide

41. @ramimccarthy
    Cut for time (speed round)
    • Runtime Security
    
    
    • auditd [blog], OSQuery, Falco, or cilium / tetragon, GuardDuty Runtime
    Monitoring
    (
    EKS
    )
    
    • Sysdig or Isovalent, or whatever comes with your CNAPP
    
    
    • Chainguard for a different part of the problem
    
    
    • Service to Service Authentication
    
    
    • Start with: A Child’s Garden of Inter-Service Authentication Schemes, Latacora
    
    
    • If you can get this for free with a Service Mesh, you probably should
    
    
    • This gets talked about more than it gets implemented (well)
    
    
    • Basic shared secrets can provide initial answers here
    

    View Slide