Beyond the Baseline: Horizons for Cloud Security Programs

Transcript

1. @ramimacisabird Rami McCarthy Beyond the Baseline: Horizons in Cloud Security

   Programs 
 https://speakerdeck.com/ramimac/sect

2. I’m Rami 👋

3. I’m normally in Boston

4. I work on Security at Figma

5. @ramimacisabird https://tldrsec.com/p/securely-build-product-ai-machine-learning https://tldrsec.com/blog/cloud-security-orienteering/

6. @ramimacisabird What are we protecting against?

7. @ramimacisabird What are we protecting against?

8. @ramimacisabird What are we protecting against?

9. @ramimacisabird What are we protecting against? • Getting AWS creds

   via SSRF on rss.app • AWS takeover through SSRF in JavaScript • Yahoo Small Business ( Luminate) and the Not-So-Secret Keys • Bug Bounty Story: Escalating SSRF to RCE on AWS • A Nifty SSRF Bug Bounty Write Up • Mozilla Hubs Cloud: cloud api credentials exposure

10. @ramimacisabird How can we protect ourselves?

11. @ramimacisabird We do the basics, right.

12. @ramimacisabird Step 1 : We’ve done the basics.

13. @ramimacisabird Step 2 : We draw the rest of the

    f*ing owl @ramimacisabird

14. @ramimacisabird

15. @ramimacisabird Cloud-native technology companies where engineering is a value driver

    Not All Companies

16. @ramimacisabird Not All Cloud Security Programs • Engineering and Automation

    oriented • “Zero Trust” architecture • Maximalist on “Cloud Security” • Guardrails not Gatekeepers + Paved Roads

17. @ramimacisabird

18. @ramimacisabird

19. @ramimacisabird Build vs. Adopt vs. Buy

20. @ramimacisabird Build vs. Adopt vs. Buy Sabry Tozin (h/t Roy

    Rapoport) • Are we solving a problem unique to our company? • Are we solving a problem at a scale unique to our company? • Is the cost and effort of integrating an off-the-shelf solution so large that we may as well build one? • What are the purchasing/ongoing license costs of the product in comparison to building it ourselves?

21. @ramimacisabird Capabilities and Controls

22. @ramimacisabird Secrets Management A mechanism for engineers to easily and

    securely manage credentials and other secrets provided to services in your cloud environment. Adopt: Options Buy: Options • Hashicorp Vault • Doppler ( YC W19 ) • Infiscal ( YC W23 ) • AWS Secrets Manager / AWS KMS One Read: “Managing secrets is the biggest risk people aren't talking about”, Strategy of Security • mozilla / sops • square / keywhiz • pinterest / knox • lyft / confidant

23. @ramimacisabird Secrets Management Build: Adopt: Not recommended Recommended • Standardize

    as early as possible, generally with a thin 
 wrapper over CSP services. Focus on DevEx. • Revisit every ~year, and layer necessary capabilities • Before adopting, be very sure requirements and 
 practices 1 : 1 match • Be wary of premature purchase or deployment of a 
 heavy solution • Don’t ever roll your own crypto Buy: A mechanism for engineers to easily and securely manage credentials and other secrets provided to services in your cloud environment.

24. @ramimacisabird Asset Inventory Leverage the Cloud Service Provider’s control plane

    to discover and identify cloud assets, and to monitor their adherence to configuration standards. Adopt: Options Buy: Options • Firemon Cloud Defense (fka DisruptOps)* • Commercial versions of Steampipe and Cloudquery • turbot / steampipe • cloudquery / cloudquery One Read: What should you use - CloudQuery or Steampipe?, badshah

25. @ramimacisabird Asset Inventory Leverage the Cloud Service Provider’s control plane

    to discover and identify cloud assets, and to monitor their adherence to configuration standards. Build: Adopt: Not recommended Recommended • You can get far by adopting open source tools • You need something, early. Adopt inventory first, 
 then add controls in incrementally • You probably don’t need a full CSPM 
 until later than you’d expect • Don’t write anything that calls cloud APIs yourself, 
 it’s been done (well) • Think critically about what controls matter, and watch out for toil and noise Buy:

26. @ramimacisabird -> Cloud Security Posture Management Continuously assess the security

    posture by maintaining a current inventory of cloud assets, with risk assessment to detect any misconfigurations. Adopt: Options Buy: Options • Wiz • Aqua • Orca • Lacework • Prowler • Prisma Cloud • Ermetic ( Tenable) • Lightspin ( Cisco) • prowler-cloud / prowler • cloud-custodian / cloud-custodian • Zeus-Labs / ZeusCloud One Talk: “Success Criteria for your CSPM”, David White

27. @ramimacisabird -> CSPM Continuously assess the security posture by maintaining

    a current inventory of cloud assets, with risk assessment to detect any misconfigurations. Build: Adopt: Not recommended Recommended • Think about extensibility and integrations • Evaluate options based on preset criteria, don’t let vendors sell you CNAPP + + • If you build, only do it on top of an adopted inventory platform. Don’t spend your engineer’s time building an open source CSPM. It’s undifferentiated and commoditized. It’s also a lot of work • Don’t let an opinionated CSPM dictate your security program • Be thoughtful about dispatching findings to other teams • Bundled CSPMs can be thoroughly mediocre Buy:

28. @ramimacisabird Automated Remediation In order to keep up with the

    rate of change in the cloud, teams reach for solutions to automate the immediate resolution of common misconfigurations. Adopt: Options Buy: Options • Native to your CSPM • Gomboc • AWS Config • twilio-labs / SOCless • cloudconformity / auto-remediate One Read: "The Dangers of Corrective Auto Remediation in Your Public Cloud”, Lightspin

29. @ramimacisabird Automated Remediation In order to keep up with the

    rate of change in the cloud, teams reach for solutions to automate the immediate resolution of common misconfigurations. Build: Adopt: Not recommended Recommended • When you’re unable to move to Infrastructure as Code • If you lack a chokepoint for changes • If you have SOAR-like capabilities, use them for this • When preventative controls are feasible • As an early control for your program • Applied without sufficient context Buy:

30. @ramimacisabird Secure Infra as Code Modules “Shift-left” secure configuration and

    empower your developers with secure- by-default IAC modules. Adopt: Options Buy: Options • asecure.cloud • Gruntwork AWS Infrastructure as Code Library • Resourcely • asecure.cloud • Terraform Registry Read more: "Why you should pave roads", Eric Hydrick

31. @ramimacisabird Secure Infra as Code Modules “Shift-left” secure configuration and

    empower your developers with secure- by-default IAC modules. Build: Adopt: Not recommended Recommended • Pair with SAST to detect usage of “vanilla” resources • Steal undifferentiated examples • Commoditize secure architecture as modules • Wait for a need to surface before investing in a module Buy:

32. @ramimacisabird Infrastructure as Code Scanning Detect misconfigurations within your infrastructure

    as code, before they can be introduced to your environment Adopt: Options Buy: Options • Native to your CSPM • Native to your SAST • aquasecurity / tfsec • returntocorp / semgrep • bridgecrew / checkov • turbot / steampipe-plugin-terraform One Read: “Shifting Cloud Security Left — Scanning [ IaC ] for Security Issues”, Christophe Tafani-Dereeper

33. @ramimacisabird IAC Scanning Detect misconfigurations within your infrastructure as code,

    before they can be introduced to your environment Build: Adopt: Not recommended Recommended • Develop rules based on your specific environment 
 and requirements • Surface detections, with context, at PR time • Rolling out rules in “block” mode • Turning on all possible rules Buy:

34. @ramimacisabird Deception Engineering ( Honeypots/tokens) Deploy high-signal, low noise tripwires

    in your environment. Make attackers think twice before using found credentials, and know when someone has tried. Adopt: Options Buy: Options • Thinkst Canary • Native to your CSPM • Thinkst Canarytokens.org • Basic AWS API Key + SIEM detection • spacesiren / spacesiren (inspired by Atlassian Project SPACECRAB ) One Read: “Zero Maintenance AWS Canary Tokens That Scale”, Will Bengston

35. @ramimacisabird Deception Engineering ( Honeypots/tokens) Build: Adopt: Not recommended Recommended

    • Deploy the quick and free version in high value targets. 
 Probably your CI/CD tooling • Think about what you’ll do if one goes off before it happens • Do your best to tightly each key to a single potential 
 vector for compromise • Don’t roll out Will’s architecture until you’ve killed 
 known attack vectors Buy: Deploy high-signal, low noise tripwires in your environment. Make attackers think twice before using found credentials, and know when someone has tried.

36. @ramimacisabird 1. Scaling Granular Access Support role-based, least-privileged access across

    an explosion of roles. Adopt: Options Buy: Options (“CIEM”) • salesforce / cloudsplaining • Netflix / repokid • iann0036 / iamlive • common-fate / iamzero • noqdev / iambic Read more: “ConsoleMe: A Central Control Plane for AWS Permissions and Access”, Netflix • Ermetic • Native to your CNAPP? • ???

37. @ramimacisabird 2. Scaling Access Management Enable a user friendly roll

    out of granular access by making it easy to understand available access and leverage it. Adopt: Options Buy: Options • Common Fate Cloud • Leapp Cloud • Netflix / consoleme • Noovolari / leapp • common-fate / granted Read more: “Access Service: Temporary Access to the Cloud”, Segment

38. @ramimacisabird 3. Scaling Temporary Access Remove risky ambient permissions and

    allow step-up and break-glass authorization. Adopt: Options Buy: Options • ConductorOne • Indent • Opal • Sym • aws-samples / aws-iam-temporary-elevated- access-broker , iam-identity-center-team • GoogleCloudPlatform / jit-access • ??? Read more: “Common uses of just-in-time access in the cloud”

39. @ramimacisabird Scaling … Access Build: Adopt: Not recommended Recommended •

    Build incrementally, and always keep an eye on 
 the user experience • Right now, ~ JIT access is about where you should 
 really consider buying • Partner with other internal stakeholders on a unified 
 source of truth for identity and role • Centralizing all creation of IAM • Trying to preemptively define necessary IAM in a bubble Buy: 1. Support role-based, least-privileged access across an explosion of roles. 2. Enable a user friendly roll out of granular access by making it easy to understand available access and leverage it. 3. Remove risky ambient permissions and allow step-up and break-glass authorization.

40. @ramimacisabird Scaling Account Management Taking advantage of the inherent blast

    radius boundary of an Account rapidly turns into toil to stand up new accounts and juggle their lifecycle. Adopt: Options Buy: Options • Substrate • ??? • org-formation / org-formation-cli • rebuy-de / aws-nuke • AWS Control Tower One Talk: “Reimagining multi-account deployments for security and speed”, Netflix

41. @ramimacisabird Scaling Account Management Taking advantage of the inherent blast

    radius boundary of an Account rapidly turns into toil to stand up new accounts and juggle their lifecycle. Build: Adopt: Not recommended Recommended • Rightsize your investment in automation, “human cron” 
 can be a good place to start • Find good internal development partners with strong cases for investment • Don’t wait too long to split out use cases with different 
 threat models or administration patterns. Migration across 
 accounts is painful, and data gravity can be a blocker. Buy:

42. @ramimacisabird Control Validation / Attack Simulation Test and validate your

    controls and detections on an automated, ongoing basis. Adopt: Options Buy: Options • AttackIQ • Cymulate • SCYTHE • Randori • awslabs / aws-cloudsaga • DataDog / stratus-red-team • WithSecureLabs / leonidas One Talk: “Adversary emulation for incident-response readiness”, Anna McAbee / Brandon Baxter / Chris Farris

43. @ramimacisabird Control Validation / Attack Simulation Test and validate your

    controls and detections on an automated, ongoing basis. Build: Adopt: Not recommended Recommended • Consider leveraging internal frameworks and tools for QA • Validation at time of creation is likely sufficient for 
 commodity controls and medium program maturity • Keep a close eye on relative investment in “breaking” 
 vs. “building • Be deeply skeptical of “automated red teaming” as a product • Finding issues is only useful as an effective 
 input to mitigation Buy:

44. @ramimacisabird Egress Monitoring and Filtering Make attackers lives harder post-compromise

    by filtering egress traffic from your services and alerting on anomalous destinations. Adopt: Options Buy: Options • AWS Network Firewall • Chaser Systems DiscrimiNAT Firewall • Aviatrix • stripe / smokescreen One Read: “Internet Egress Filtering of Services at Lyft”

45. @ramimacisabird Egress Monitoring and Filtering Make attackers lives harder post-compromise

    by filtering egress traffic from your services and alerting on anomalous destinations. Build: Adopt: Not recommended Recommended • Consider when modifying network architecture • “Monitor” mode can be cheap to deploy • Reliability is huge if you place this on the critical path • A hamster wheel of pain is likely if you’re not thoughtful 
 about how new, valid connections will be 
 identified and allowlisted Buy:

46. @ramimacisabird Infrastructure Access Adopt: Options Buy: Options • Teleport •

    StrongDM • BastionZero • Cloudflare Access • Tailscale (and other Wireguard-based VPNs) • AWS SSM + IAM Authentication for < SERVICE > • Tailscale (and other Wireguard-based VPNs) • Teleport (open source) One Talk: “Zero Touch Prod: Towards Safer and More Secure Production Environments” Move beyond pervasive raw-SSH access to patterns for getting shells in services that provide least privilege, auditability, support dual control, and can constrain data ingress and egress.

47. @ramimacisabird Infrastructure Access Build: Adopt: Not recommended Recommended • Move

    from SSH to SSM (or equivalent) early • Get alignment on “what good looks like” • You won’t get anywhere stopping your coworkers 
 from doing their jobs • Think about what it will take to get logging to a place 
 that could power real-time detections Buy: Move beyond pervasive raw-SSH access to patterns for getting shells in services that provide least privilege, auditability, support dual control, and can constrain data ingress and egress.

48. @ramimacisabird Data Perimeter Install guardrails that only allow access for

    trusted identities, accessing trusted resources, on expected networks. Adopt: Options Buy: Options • InstaSecure • Native services One Read: “Building a Data Perimeter on AWS”

49. @ramimacisabird Data Perimeter Install guardrails that only allow access for

    trusted identities, accessing trusted resources, on expected networks. Build: Adopt: Not recommended Recommended • Start small - one example would be “we never call 
 s3 : PutObject outside our organization” • Make sure to test your controls, edge cases 
 on condition support can create surprise gaps • Be careful, AWS doesn’t offer safe ways to roll out SCPs Buy:

50. @ramimacisabird What else? •Vulnerability Management •Detection Engineering •Continuous Compliance /

    Compliance Automation •DFIR preparedness •Runtime Security •Service to Service Authentication

51. @ramimacisabird More?? •AI •Confidential computing •Security data lakes

52. @ramimacisabird • Prioritization is inherently custom to your risk and

    business • Don’t do everything, everywhere, all at once • But, conversely, uneven application of controls can be ineffective and impractical • Scaling program requires increasing investment to maintain and avoid regression in current controls Keep in Mind https://speakerdeck.com/ramimac/sect

53. @ramimacisabird Cut for time (speed round) • Vulnerability Management •

    Shared concern with AppSec, generally • ASPMs are rapidly bringing in cloud context • Detection Engineering • Security Data Lakes are an emerging trend • See: brex / substrate, BSidesSF 2023’s “To Normalized Logs, and Beyond," • Continuous Compliance / Compliance Automation • Vanta / Drata on one end, JupiterOne on the other • DFIR preparedness • Netflix-Skunkworks / diffy, google / cloud-forensics-utils, awslabs / aws- automated-incident-response-and-forensics • Cado, Mitiga

54. @ramimacisabird Cut for time (speed round) • Runtime Security •

    auditd [blog], OSQuery, Falco, or cilium / tetragon, GuardDuty Runtime Monitoring ( EKS ) • Sysdig or Isovalent, or whatever comes with your CNAPP • Chainguard for a different part of the problem • Service to Service Authentication • Start with: A Child’s Garden of Inter-Service Authentication Schemes, Latacora • If you can get this for free with a Service Mesh, you probably should • This gets talked about more than it gets implemented (well) • Basic shared secrets can provide initial answers here