$30 off During Our Annual Pro Sale. View Details »

Beyond the Baseline: Horizons for Cloud Security Programs

Rami McCarthy
September 15, 2023

Beyond the Baseline: Horizons for Cloud Security Programs

There is a definitive resource for cloud-native companies to build a security program and posture in AWS: Scott Piper’s AWS Security Maturity Roadmap. However, mature programs quickly progress past the end of Scott’s roadmap. In this talk, I’ll take you on a rapid fire tour beyond the end of the roadmap, focusing on the problems you’ll encounter scaling a cloud security program. A key framework will be “build versus buy,” and the talk will be opinionated about where cloud security teams can fall into the trap of undifferentiated work. The goal is to leave you with a clear view of the possibilities at the leading edge of cloud security, risk-informed guidance on priorities, and a crucial new reference for writing cloud security roadmaps.

Rami McCarthy

September 15, 2023
Tweet

More Decks by Rami McCarthy

Other Decks in Technology

Transcript

  1. @ramimacisabird
    Rami McCarthy
    Beyond the Baseline:


    Horizons in Cloud Security Programs

    https://speakerdeck.com/ramimac/sect

    View Slide

  2. I’m Rami
    👋

    View Slide

  3. I’m normally in Boston

    View Slide

  4. I work on Security at Figma

    View Slide

  5. @ramimacisabird
    https://tldrsec.com/p/securely-build-product-ai-machine-learning https://tldrsec.com/blog/cloud-security-orienteering/

    View Slide

  6. @ramimacisabird
    What are we protecting against?

    View Slide

  7. @ramimacisabird
    What are we protecting against?

    View Slide

  8. @ramimacisabird
    What are we protecting against?

    View Slide

  9. @ramimacisabird
    What are we protecting against?
    • Getting AWS creds via SSRF on rss.app


    • AWS takeover through SSRF in JavaScript


    • Yahoo Small Business
    (
    Luminate) and the Not-So-Secret Keys


    • Bug Bounty Story: Escalating SSRF to RCE on AWS


    • A Nifty SSRF Bug Bounty Write Up


    • Mozilla Hubs Cloud: cloud api credentials exposure

    View Slide

  10. @ramimacisabird
    How can we protect ourselves?

    View Slide

  11. @ramimacisabird
    We do the basics, right.

    View Slide

  12. @ramimacisabird
    Step 1
    :
    We’ve done the basics.

    View Slide

  13. @ramimacisabird
    Step 2
    :
    We draw the rest of the f*ing owl
    @ramimacisabird

    View Slide

  14. @ramimacisabird

    View Slide

  15. @ramimacisabird
    Cloud-native technology companies
    where


    engineering is a value driver


    Not All Companies

    View Slide

  16. @ramimacisabird
    Not All Cloud Security Programs
    • Engineering and Automation oriented


    • “Zero Trust” architecture


    • Maximalist on “Cloud Security”


    • Guardrails not Gatekeepers
    +
    Paved Roads

    View Slide

  17. @ramimacisabird

    View Slide

  18. @ramimacisabird

    View Slide

  19. @ramimacisabird
    Build


    vs. Adopt


    vs. Buy

    View Slide

  20. @ramimacisabird
    Build vs. Adopt vs. Buy
    Sabry Tozin (h/t Roy Rapoport)
    • Are we solving a problem unique to our company?


    • Are we solving a problem at a scale unique to our company?


    • Is the cost and effort of integrating an off-the-shelf solution so
    large that we may as well build one?


    • What are the purchasing/ongoing license costs of the product in
    comparison to building it ourselves?

    View Slide

  21. @ramimacisabird
    Capabilities and
    Controls

    View Slide

  22. @ramimacisabird
    Secrets Management
    A mechanism for engineers to easily and securely manage credentials and
    other secrets provided to services in your cloud environment.
    Adopt: Options Buy: Options
    • Hashicorp Vault


    • Doppler
    (
    YC W19
    )

    • Infiscal
    (
    YC W23
    )
    • AWS Secrets Manager / AWS KMS
    One Read: “Managing secrets is the biggest risk people aren't talking about”, Strategy of Security
    • mozilla / sops


    • square / keywhiz


    • pinterest / knox


    • lyft / confidant

    View Slide

  23. @ramimacisabird
    Secrets Management
    Build:
    Adopt:
    Not recommended
    Recommended
    • Standardize as early as possible, generally with a thin

    wrapper over CSP services. Focus on DevEx.


    • Revisit every ~year, and layer necessary capabilities
    • Before adopting, be very sure requirements and

    practices 1
    :
    1 match


    • Be wary of premature purchase or deployment of a

    heavy solution


    • Don’t ever roll your own crypto
    Buy:
    A mechanism for engineers to easily and securely manage credentials and
    other secrets provided to services in your cloud environment.

    View Slide

  24. @ramimacisabird
    Asset Inventory
    Leverage the Cloud Service Provider’s control plane to discover and identify
    cloud assets, and to monitor their adherence to configuration standards.
    Adopt: Options Buy: Options
    • Firemon Cloud Defense (fka DisruptOps)*


    • Commercial versions of Steampipe and
    Cloudquery


    • turbot / steampipe


    • cloudquery / cloudquery
    One Read: What should you use
    -
    CloudQuery or Steampipe?, badshah

    View Slide

  25. @ramimacisabird
    Asset Inventory
    Leverage the Cloud Service Provider’s control plane to discover and identify
    cloud assets, and to monitor their adherence to configuration standards.
    Build:
    Adopt:
    Not recommended
    Recommended
    • You can get far by adopting open source tools


    • You need something, early. Adopt inventory first,

    then add controls in incrementally


    • You probably don’t need a full CSPM

    until later than you’d expect
    • Don’t write anything that calls cloud APIs yourself,

    it’s been done (well)


    • Think critically about what controls matter, and watch
    out for toil and noise
    Buy:

    View Slide

  26. @ramimacisabird
    ->
    Cloud Security Posture Management
    Continuously assess the security posture by maintaining a current inventory of
    cloud assets, with risk assessment to detect any misconfigurations.
    Adopt: Options Buy: Options
    • Wiz


    • Aqua


    • Orca


    • Lacework


    • Prowler


    • Prisma Cloud


    • Ermetic
    (
    Tenable)


    • Lightspin
    (
    Cisco)
    • prowler-cloud / prowler


    • cloud-custodian / cloud-custodian


    • Zeus-Labs / ZeusCloud
    One Talk: “Success Criteria for your CSPM”, David White

    View Slide

  27. @ramimacisabird
    ->
    CSPM
    Continuously assess the security posture by maintaining a current inventory of
    cloud assets, with risk assessment to detect any misconfigurations.
    Build:
    Adopt:
    Not recommended
    Recommended
    • Think about extensibility and integrations


    • Evaluate options based on preset criteria, don’t let
    vendors sell you CNAPP
    + +

    • If you build, only do it on top of an adopted inventory
    platform. Don’t spend your engineer’s time building an
    open source CSPM. It’s undifferentiated and
    commoditized. It’s also a lot of work
    • Don’t let an opinionated CSPM dictate your security program


    • Be thoughtful about dispatching findings to other teams


    • Bundled CSPMs can be thoroughly mediocre
    Buy:

    View Slide

  28. @ramimacisabird
    Automated Remediation
    In order to keep up with the rate of change in the cloud, teams reach for
    solutions to automate the immediate resolution of common misconfigurations.
    Adopt: Options Buy: Options
    • Native to your CSPM


    • Gomboc
    • AWS Config


    • twilio-labs / SOCless


    • cloudconformity / auto-remediate
    One Read: "The Dangers of Corrective Auto Remediation in Your Public Cloud”, Lightspin

    View Slide

  29. @ramimacisabird
    Automated Remediation
    In order to keep up with the rate of change in the cloud, teams reach for
    solutions to automate the immediate resolution of common misconfigurations.
    Build:
    Adopt:
    Not recommended
    Recommended
    • When you’re unable to move to Infrastructure as Code


    • If you lack a chokepoint for changes


    • If you have SOAR-like capabilities, use them for this
    • When preventative controls are feasible


    • As an early control for your program


    • Applied without sufficient context
    Buy:

    View Slide

  30. @ramimacisabird
    Secure Infra as Code Modules
    “Shift-left” secure configuration and empower your developers with secure-
    by-default IAC modules.
    Adopt: Options Buy: Options
    • asecure.cloud


    • Gruntwork AWS Infrastructure as Code Library


    • Resourcely
    • asecure.cloud


    • Terraform Registry
    Read more: "Why you should pave roads", Eric Hydrick

    View Slide

  31. @ramimacisabird
    Secure Infra as Code Modules
    “Shift-left” secure configuration and empower your developers with secure-
    by-default IAC modules.
    Build:
    Adopt:
    Not recommended
    Recommended
    • Pair with SAST to detect usage of “vanilla” resources


    • Steal undifferentiated examples


    • Commoditize secure architecture as modules
    • Wait for a need to surface before investing in a module
    Buy:

    View Slide

  32. @ramimacisabird
    Infrastructure as Code Scanning
    Detect misconfigurations within your infrastructure as code, before they can
    be introduced to your environment
    Adopt: Options Buy: Options
    • Native to your CSPM


    • Native to your SAST
    • aquasecurity / tfsec


    • returntocorp / semgrep


    • bridgecrew / checkov


    • turbot / steampipe-plugin-terraform
    One Read: “Shifting Cloud Security Left

    Scanning
    [
    IaC
    ]
    for Security Issues”, Christophe Tafani-Dereeper

    View Slide

  33. @ramimacisabird
    IAC Scanning
    Detect misconfigurations within your infrastructure as code, before they can
    be introduced to your environment
    Build:
    Adopt:
    Not recommended
    Recommended
    • Develop rules based on your specific environment

    and requirements


    • Surface detections, with context, at PR time
    • Rolling out rules in “block” mode


    • Turning on all possible rules
    Buy:

    View Slide

  34. @ramimacisabird
    Deception Engineering
    (
    Honeypots/tokens)
    Deploy high-signal, low noise tripwires in your environment. Make attackers
    think twice before using found credentials, and know when someone has tried.
    Adopt: Options Buy: Options
    • Thinkst Canary


    • Native to your CSPM
    • Thinkst Canarytokens.org


    • Basic AWS API Key
    +
    SIEM detection


    • spacesiren / spacesiren (inspired by Atlassian
    Project SPACECRAB
    )
    One Read: “Zero Maintenance AWS Canary Tokens That Scale”, Will Bengston

    View Slide

  35. @ramimacisabird
    Deception Engineering
    (
    Honeypots/tokens)
    Build:
    Adopt:
    Not recommended
    Recommended
    • Deploy the quick and free version in high value targets.

    Probably your CI/CD tooling
    • Think about what you’ll do if one goes off before it
    happens


    • Do your best to tightly each key to a single potential

    vector for compromise


    • Don’t roll out Will’s architecture until you’ve killed

    known attack vectors
    Buy:
    Deploy high-signal, low noise tripwires in your environment. Make attackers
    think twice before using found credentials, and know when someone has tried.

    View Slide

  36. @ramimacisabird
    1. Scaling Granular Access
    Support role-based, least-privileged access across an explosion of roles.
    Adopt: Options Buy: Options (“CIEM”)
    • salesforce / cloudsplaining


    • Netflix / repokid


    • iann0036 / iamlive


    • common-fate / iamzero


    • noqdev / iambic
    Read more: “ConsoleMe: A Central Control Plane for AWS Permissions and Access”, Netflix
    • Ermetic


    • Native to your CNAPP?


    • ???

    View Slide

  37. @ramimacisabird
    2. Scaling Access Management
    Enable a user friendly roll out of granular access by making it easy to
    understand available access and leverage it.
    Adopt: Options Buy: Options
    • Common Fate Cloud


    • Leapp Cloud
    • Netflix / consoleme


    • Noovolari / leapp


    • common-fate / granted
    Read more: “Access Service: Temporary Access to the Cloud”, Segment

    View Slide

  38. @ramimacisabird
    3. Scaling Temporary Access
    Remove risky ambient permissions and allow step-up and break-glass
    authorization.
    Adopt: Options Buy: Options
    • ConductorOne


    • Indent


    • Opal


    • Sym
    • aws-samples / aws-iam-temporary-elevated-
    access-broker , iam-identity-center-team


    • GoogleCloudPlatform / jit-access


    • ???
    Read more: “Common uses of just-in-time access in the cloud”

    View Slide

  39. @ramimacisabird
    Scaling … Access
    Build:
    Adopt: Not recommended
    Recommended
    • Build incrementally, and always keep an eye on

    the user experience


    • Right now,
    ~
    JIT access is about where you should

    really consider buying


    • Partner with other internal stakeholders on a unified

    source of truth for identity and role
    • Centralizing all creation of IAM


    • Trying to preemptively define necessary IAM in a bubble
    Buy:
    1. Support role-based, least-privileged access across an explosion of roles.


    2. Enable a user friendly roll out of granular access by making it easy to understand available access and leverage it.


    3. Remove risky ambient permissions and allow step-up and break-glass authorization.

    View Slide

  40. @ramimacisabird
    Scaling Account Management
    Taking advantage of the inherent blast radius boundary of an Account rapidly
    turns into toil to stand up new accounts and juggle their lifecycle.
    Adopt: Options Buy: Options
    • Substrate


    • ???
    • org-formation / org-formation-cli


    • rebuy-de / aws-nuke


    • AWS Control Tower
    One Talk: “Reimagining multi-account deployments for security and speed”, Netflix

    View Slide

  41. @ramimacisabird
    Scaling Account Management
    Taking advantage of the inherent blast radius boundary of an Account rapidly
    turns into toil to stand up new accounts and juggle their lifecycle.
    Build:
    Adopt:
    Not recommended
    Recommended
    • Rightsize your investment in automation, “human cron”

    can be a good place to start


    • Find good internal development partners with strong
    cases for investment
    • Don’t wait too long to split out use cases with different

    threat models or administration patterns. Migration across

    accounts is painful, and data gravity can be a blocker.
    Buy:

    View Slide

  42. @ramimacisabird
    Control Validation / Attack Simulation
    Test and validate your controls and detections on an automated, ongoing
    basis.
    Adopt: Options Buy: Options
    • AttackIQ


    • Cymulate


    • SCYTHE


    • Randori
    • awslabs / aws-cloudsaga


    • DataDog / stratus-red-team


    • WithSecureLabs / leonidas
    One Talk: “Adversary emulation for incident-response readiness”, Anna McAbee / Brandon Baxter / Chris Farris

    View Slide

  43. @ramimacisabird
    Control Validation / Attack Simulation
    Test and validate your controls and detections on an automated, ongoing
    basis.
    Build:
    Adopt:
    Not recommended
    Recommended
    • Consider leveraging internal frameworks and tools for QA


    • Validation at time of creation is likely sufficient for

    commodity controls and medium program maturity
    • Keep a close eye on relative investment in “breaking”

    vs. “building


    • Be deeply skeptical of “automated red teaming” as a
    product


    • Finding issues is only useful as an effective

    input to mitigation
    Buy:

    View Slide

  44. @ramimacisabird
    Egress Monitoring and Filtering
    Make attackers lives harder post-compromise by filtering egress traffic from
    your services and alerting on anomalous destinations.
    Adopt: Options Buy: Options
    • AWS Network Firewall


    • Chaser Systems DiscrimiNAT Firewall


    • Aviatrix
    • stripe / smokescreen
    One Read: “Internet Egress Filtering of Services at Lyft”

    View Slide

  45. @ramimacisabird
    Egress Monitoring and Filtering
    Make attackers lives harder post-compromise by filtering egress traffic from
    your services and alerting on anomalous destinations.
    Build:
    Adopt:
    Not recommended
    Recommended
    • Consider when modifying network architecture


    • “Monitor” mode can be cheap to deploy
    • Reliability is huge if you place this on the critical path


    • A hamster wheel of pain is likely if you’re not thoughtful

    about how new, valid connections will be

    identified and allowlisted
    Buy:

    View Slide

  46. @ramimacisabird
    Infrastructure Access
    Adopt: Options Buy: Options
    • Teleport


    • StrongDM


    • BastionZero


    • Cloudflare Access


    • Tailscale (and other
    Wireguard-based
    VPNs)
    • AWS SSM
    +
    IAM Authentication for
    <
    SERVICE
    >

    • Tailscale (and other Wireguard-based VPNs)


    • Teleport (open source)
    One Talk: “Zero Touch Prod: Towards Safer and More Secure Production Environments”
    Move beyond pervasive raw-SSH access to patterns for getting shells in services that provide
    least privilege, auditability, support dual control, and can constrain data ingress and egress.

    View Slide

  47. @ramimacisabird
    Infrastructure Access
    Build:
    Adopt:
    Not recommended
    Recommended
    • Move from SSH to SSM (or equivalent) early


    • Get alignment on “what good looks like”
    • You won’t get anywhere stopping your coworkers

    from doing their jobs


    • Think about what it will take to get logging to a place

    that could power real-time detections
    Buy:
    Move beyond pervasive raw-SSH access to patterns for getting shells in services that provide
    least privilege, auditability, support dual control, and can constrain data ingress and egress.

    View Slide

  48. @ramimacisabird
    Data Perimeter
    Install guardrails that only allow access for trusted identities, accessing trusted
    resources, on expected networks.
    Adopt: Options Buy: Options
    • InstaSecure
    • Native services
    One Read: “Building a Data Perimeter on AWS”

    View Slide

  49. @ramimacisabird
    Data Perimeter
    Install guardrails that only allow access for trusted identities, accessing trusted
    resources, on expected networks.
    Build:
    Adopt:
    Not recommended
    Recommended
    • Start small - one example would be “we never call

    s3
    :
    PutObject outside our organization”
    • Make sure to test your controls, edge cases

    on condition support can create surprise gaps


    • Be careful, AWS doesn’t offer safe ways to roll out SCPs
    Buy:

    View Slide

  50. @ramimacisabird
    What else?
    •Vulnerability Management


    •Detection Engineering


    •Continuous Compliance / Compliance Automation


    •DFIR preparedness


    •Runtime Security


    •Service to Service Authentication

    View Slide

  51. @ramimacisabird
    More??
    •AI


    •Confidential computing


    •Security data lakes

    View Slide

  52. @ramimacisabird
    • Prioritization is inherently custom to your risk and business


    • Don’t do everything, everywhere, all at once


    • But, conversely, uneven application of controls can be ineffective and
    impractical


    • Scaling program requires increasing investment to maintain and avoid
    regression in current controls
    Keep in Mind
    https://speakerdeck.com/ramimac/sect

    View Slide

  53. @ramimacisabird
    Cut for time (speed round)
    • Vulnerability Management


    • Shared concern with AppSec, generally


    • ASPMs are rapidly bringing in cloud context


    • Detection Engineering


    • Security Data Lakes are an emerging trend


    • See: brex / substrate, BSidesSF 2023’s “To Normalized Logs, and Beyond,"


    • Continuous Compliance / Compliance Automation


    • Vanta / Drata on one end, JupiterOne on the other


    • DFIR preparedness


    • Netflix-Skunkworks / diffy, google / cloud-forensics-utils, awslabs / aws-
    automated-incident-response-and-forensics


    • Cado, Mitiga

    View Slide

  54. @ramimacisabird
    Cut for time (speed round)
    • Runtime Security


    • auditd [blog], OSQuery, Falco, or cilium / tetragon, GuardDuty Runtime
    Monitoring
    (
    EKS
    )

    • Sysdig or Isovalent, or whatever comes with your CNAPP


    • Chainguard for a different part of the problem


    • Service to Service Authentication


    • Start with: A Child’s Garden of Inter-Service Authentication Schemes,
    Latacora


    • If you can get this for free with a Service Mesh, you probably should


    • This gets talked about more than it gets implemented (well)


    • Basic shared secrets can provide initial answers here

    View Slide