How to 10X Your Cloud Security (Without the Series D)

Transcript

1. @ramimacisabird 🔗 ramimac.me Rami McCarthy How to 10X Your Cloud

   Security ( Without the Series D )

2. @ramimacisabird 🔗 ramimac.me Clint Gibler - How to 10X Your

   Security

3. @ramimacisabird 🔗 ramimac.me

4. @ramimacisabird

5. I’m Rami 👋 @ramimacisabird 🔗 ramimac.me Sometimes I look like

   this online I’ve been on sabbatical

6. 🇸🇪 I just moved from Boston to Stockholm 🇺🇸 @ramimacisabird

   🔗 ramimac.me Definitely not just to buff my fwd:cloudsec CFP…

7. more on that later… @ramimacisabird 🔗 ramimac.me

8. @ramimacisabird 🔗 ramimac.me Assumptions

9. @ramimacisabird 🔗 ramimac.me Assumptions You’re early, but investing (not drowning)

10. @ramimacisabird 🔗 ramimac.me Assumptions: Dashboards full of problems

11. @ramimacisabird 🔗 ramimac.me Assumptions You won’t “buy your way out”

    David White - Success Criteria for your CSPM

12. @ramimacisabird 🔗 ramimac.me Philosophy

13. @ramimacisabird 🔗 ramimac.me Philosophy 1. Just do it at first,

    but automate as much as possible to scale

14. @ramimacisabird 🔗 ramimac.me Philosophy 1. Do things that don’t scale,

    automate as much as possible to scale Phil Venables - Delivering Security at Scale: From Artisanal to Industrial

15. @ramimacisabird 🔗 ramimac.me Philosophy 1. Do things that don’t scale,

    automate as much as possible to scale 2.High-signal, low-noise tools and alerting

16. @ramimacisabird 🔗 ramimac.me Philosophy 1. Do things that don’t scale,

    automate as much as possible to scale 2.High-signal, low-noise tools and alerting • Simplicity & Signal > Capabilities • Distributed alerting and responsibility for security tasks

17. @ramimacisabird 🔗 ramimac.me Philosophy 1. Do things that don’t scale,

    automate as much as possible to scale 2.High-signal, low-noise tools and alerting 3.Guardrails, not gatekeepers

18. @ramimacisabird 🔗 ramimac.me Philosophy 1. Do things that don’t scale,

    automate as much as possible to scale 2.High-signal, low-noise tools and alerting 3.Guardrails, not gatekeepers 4.Security as partnership. Embed security in development process

19. @ramimacisabird 🔗 ramimac.me Security-as-Partnership Jacob Salassi - Why shifting left

    doesn't work & asks too much from everyone • Security Champions are human crutches that prop up cumbersome processes that don’t scale • Every security consultation is a failure

20. @ramimacisabird 🔗 ramimac.me Philosophy 1. Do things that don’t scale,

    automate as much as possible to scale 2.High-signal, low-noise tools and alerting 3.Guardrails, not gatekeepers 4.Security as partnership. Embed security in development process 5.Tools devs can build, others can operate

21. @ramimacisabird 🔗 ramimac.me Philosophy 1. Do things that don’t scale,

    automate as much as possible to scale 2.High-signal, low-noise tools and alerting 3.Guardrails, not gatekeepers 4.Security as partnership. Embed security in development process 5.Tools devs can build, others can operate 6.The limits of desirable security Karsten Nohl - When Enough Is Enough: The Limits Of Desirable Security

22. @ramimacisabird 🔗 ramimac.me Free trials & demos bets on startups

    Philosophy: Vendors

23. @ramimacisabird Security Program Invariants Vulnerability & Asset Management Identity &

    Access Management Detection ( Engineering) Deployment

24. @ramimacisabird Security Program Invariants Vulnerability & Asset Management Identity &

    Access Management Detection ( Deployment Eight Seven Six sections Thirty-odd minutes

25. @ramimacisabird 🔗 ramimac.me Security Program

26. @ramimacisabird 🔗 ramimac.me Security Program: All About Attack Surface 1.Account

    Architecture 2.Service & Action Allowlists 3.Zero Trust & Zero Touch 4.Identify a baseline, meet it, enforce with invariants, raise it The Path to Zero Touch Production Kane Narraway - How We Built Zero Trust

27. @ramimacisabird 🔗 ramimac.me Security Program: Metrics Alex Smolen - Building

    Effective Security OKRs • Example metrics: • Time to detection of vulnerabilities • Time to remediation of vulnerabilities • Average vulnerabilities over time • Good vulnerability metadata allows for good vulnerability metrics

28. @ramimacisabird 🔗 ramimac.me Security Program: Metrics Collin Green - Product

    security primitives • % of “really bad” bugs vs total security bugs • Classes of bugs going down with investment to prevent them Ryan McGeehan - A key performance indicator for infosec organizations, Killing “Chicken Little” : Measure and eliminate risk through forecasting • Probabilistic, risk-based KPIs with expert estimation

29. @ramimacisabird 🔗 ramimac.me Security Program: Scorecarding https://ramimac.me/scorecarding

30. @ramimacisabird 🔗 ramimac.me Security Program: Proactive Efficiency “why not ask

    ourselves how the team would cope if the workload went up another 30%, but bad financial results precluded any team growth? It's actually fun to think about such hypotheticals ahead of the time - and hey, if the ideas sound good, why not try them out today?“ lcamtuf - Getting Product Security Engineering Right

31. @ramimacisabird 🔗 ramimac.me Security Program: Simple Evangelism 1. “Here’s how

    we’ll get hacked” 2. “Here’s why security matters"

32. @ramimacisabird 🔗 ramimac.me Invariants

33. @ramimacisabird 🔗 ramimac.me Invariants Alex Smolen - What are Security

    Invariants? • Identify Scope -> Measure Adherence -> Document Exceptions -> Prevent Regressions Chris Farris - Defining Security Invariants • Preventing security risk comes at the expense of increasing operational risk

34. @ramimacisabird 🔗 ramimac.me Invariants Service Control Policies rami.wiki/scps

35. @ramimacisabird 🔗 ramimac.me Invariants Service Control Policies rami.wiki/scps

36. @ramimacisabird 🔗 ramimac.me Invariants Service Allow Listing Reducing Attack Surface

    with AWS Allowlisting Kinnaird McQuade - Security Guardrails at Scale in Azure

37. @ramimacisabird 🔗 ramimac.me Vulnerability & Asset Management ( VAM )

38. @ramimacisabird 🔗 ramimac.me VAM : Asset Inventory Current AND historic

    resource metadata Jake Berkowsky - Security Analytics with Wiz and Snowflake

39. @ramimacisabird 🔗 ramimac.me VAM : Hygiene • Cleanup unused assets

    • Cleanup ownership ramimac.me/finops

40. @ramimacisabird 🔗 ramimac.me VAM : Managing Vulnerabilities Cheatsheets •Trend Micro

    - CloudConformity Knowledge Base •Datadog - Cloud Security Atlas

41. @ramimacisabird 🔗 ramimac.me VAM : Managing Vulnerabilities Jamie Finnigan -

    Severity ratings should mean something •Confidence ratings are an important modifier on vulnerability severity

42. @ramimacisabird 🔗 ramimac.me VAM : Getting Bugs Fixed Collin Greene

    - Fixing security bugs •Is prioritization correct? Is the bug clear? •Explain why security matters •Empathize, avoid Nagging •Escalating to a manager •“I want to make sure you are aware of this and I would like it to be fixed” not “engineer $foo has dropped this task n times” •“you are in the small minority of people who have not fixed your open security bug” •Visualization, leaderboards, gamification

43. @ramimacisabird 🔗 ramimac.me Identity & Access Management

44. @ramimacisabird 🔗 ramimac.me Identity and Access: Scaling IAM Will Bengtson,

    Devon Powley - Bumps in the Road While Scaling Cloud Access •Direct federation •Zero access by default •Auto-approval Peter Collins, Elisa Guerrant - Heard you liked access, so we built Access to manage your access for Access JIT Cloud Access

45. @ramimacisabird 🔗 ramimac.me Identity and Access: Least Privilege Absolute minimal

    privilege is not desirable security

46. @ramimacisabird 🔗 ramimac.me Desirable Least Privilege for Humans 1. Service

    level least privileging (carveouts for “crown jewels”) 2. Chris Farris - Sensitive IAM Actions • CredentialExposure • DataAccess • PrivEsc • ResourceExposure

47. @ramimacisabird 🔗 ramimac.me Identity and Access: Infra Access The Path

    to Zero Touch Production

48. @ramimacisabird 🔗 ramimac.me Identity and Access: Service Identity 1. Cleanup

    unused access: Steampipe + Access Advisor 2.Make sure you’re on IMDSv2 : rami.wiki/imdsv2

49. @ramimacisabird 🔗 ramimac.me Detection ( Engineering)

50. @ramimacisabird 🔗 ramimac.me • Allyn Stott - How I Learned

    to Stop Worrying and Build a Modern Detection & Response Program • & The Fault in Our Metrics: Rethinking How We Measure Detection & Response Detection (Eng)

51. @ramimacisabird 🔗 ramimac.me Detection (Eng) Ryan McGeehan - Prioritizing Detection

    Engineering

52. @ramimacisabird 🔗 ramimac.me Detection (Eng) Ryan McGeehan - Lessons Learned

    in Detection Engineering • Great teams •… are aware of where, and how, analysis work is being created. •… don’t pass bad alerts from one on-call to the next. •… don’t pretend that every alert is worth being paged.

53. @ramimacisabird 🔗 ramimac.me Detection (Eng): Distributed Alerting • SOC Automation

    Capability Matrix •Alert handling •Issue tracking •Enrichment •User Interaction •Response •Continuity •Procedural •Matt Knight - AI Cyber Challenge DefCon talk •singe/tidcli Tips for SOCLess Oncall

54. @ramimacisabird 🔗 ramimac.me Detection ( Engineering): Detections chronicle/detection-rules elastic/detection-rules panther-labs/panther-analysis

    SigmaHQ/sigma/.../cloud

55. @ramimacisabird 🔗 ramimac.me Detection ( Engineering): Canaries The Security Canary

    Maturity Model 1. Coverage: Diversity and Distribution 2. Impact: Signal and Cost Imposition 3. Management: Deployment and Maintenance 4. Program: Discoverability, Publicity, and Response Planning

56. @ramimacisabird 🔗 ramimac.me Deployment

57. @ramimacisabird 🔗 ramimac.me Deployment … is how red teams are

    currently winning

58. @ramimacisabird 🔗 ramimac.me Deployment Mike Ruth • Attacking and Defending

    Infrastructure with Terraform: How we got admin across cloud environments • Attacking & Defending Supply Chains. How we got Admin in your Cloud, Again

59. @ramimacisabird 🔗 ramimac.me 30 - 60 - 90 Plan

60. @ramimacisabird 🔗 ramimac.me 30 - 60 - 90 Plan •Assess

    •Build relationships •Establish baseline

61. @ramimacisabird 🔗 ramimac.me 30 - 60 - 90 Plan •Do

    one thing better •Nail it •Add invariants for your baseline

62. @ramimacisabird 🔗 ramimac.me 30 - 60 - 90 Plan •Plan

    for scale •Reproducible process •Security ROI •Kill a class of risk

63. @ramimacisabird 🔗 ramimac.me How to 10X Your Cloud Security (

    With the Series D )

64. @ramimacisabird 🔗 ramimac.me Security Platform Engineering Team Cadillac CDR w/

    IR Retainer Cadillac “CNAPP” Actioning expensive log sources Data Perimeter How to 10X Your Cloud Security ( With the Series D ) Asset Graph lyft/cartography

65. @ramimacisabird 🔗 ramimac.me Takeaways

66. @ramimacisabird 🔗 ramimac.me Takeaways 1. Build guardrails, establish invariants, offer

    secure defaults, and kill areas of risk - don’t add to dashboards full of problems 2. IAM, Vulnerability Management, and Detection Engineering are prime candidates for limitation to desirable security 3. Collect the minimum viable data to inform investments and report upwards & outwards https://speakerdeck.com/ramimac/scale-cloud-security

67. @ramimacisabird 🔗 ramimac.me https://speakerdeck.com/ramimac/scale-cloud-security One last thing … I’m new

    to Europe and will be looking for a new role (and friends) shortly If you know of any cool companies or people, in Sweden and beyond, let me know! Thank you! https://www.linkedin.com/in/ramimac/

68. @ramimacisabird 🔗 ramimac.me Additional Slides ( Cut for time)

69. @ramimacisabird 🔗 ramimac.me Philosophy Some things just don’t work: •

    Absolute least privilege • Centralized security review • Centralized security authorship Jacob Salassi - Appsec Development: Keeping it all together at scale

70. @ramimacisabird 🔗 ramimac.me Account Architecture

71. @ramimacisabird 🔗 ramimac.me Account Architecture Richard Crowley - You should

    have lots of AWS accounts Richard Crowley - One giant AWS account is technical debt you can’t afford Corry Haines - AWS Account Layout Brandon Sherman - What I wished someone told me before going multi- account

72. @ramimacisabird 🔗 ramimac.me Account Architecture: Migrations Houston Hopkins - aws_organizations_migration_notes.md

    Matthew Fuller - Moving AWS Accounts and OUs Within An Organization - Not So Simple!

73. @ramimacisabird 🔗 ramimac.me Account Architecture: Baseline •David Levitsky, Olivia Hillman

    ( Benchling) - Launch Control - Automating a Security Baseline in the Cloud at Scale •nozaq/terraform-aws-secure-baseline •Chris Farris - primeharbor/org-kickstart

74. @ramimacisabird 🔗 ramimac.me Account Architecture: Handling Root •Scott Piper -

    Managing AWS root passwords and MFA •Greg Kerr, Brett Caley, & Matt Jones - yubidisaster: Building Robust Emergency Admin Access to AWS Accounts •Rich Mogull - OUs, SCPs, and a Root User Account Recovery

75. @ramimacisabird 🔗 ramimac.me VAM : Secrets Scanning •Source Code •Terraform

    State •Image file systems •CI/CD Systems • … ramimac/aws-customer-security-incidents gitleaks/gitleaks Allan Reyes - Keeping secrets out of logs

76. @ramimacisabird 🔗 ramimac.me Configuration as Code

77. @ramimacisabird 🔗 ramimac.me Configuration as Code: Secure by Default •

    Semgrep for Terraform Security: Secure-by-default modules • asecure.cloud • Semgrep for Terraform Security: Use Semgrep to evangelize secure-by-default modules

78. @ramimacisabird 🔗 ramimac.me Configuration as Code: Scanning • Christophe Tafani-Dereeper

    - Scanning Infrastructure as Code for Security Issues • Adam Cotenoff - Standardizing Terraform Linting • Scan plans, not just HCL • Brad Geesaman - Pipeline Precognition: Predicting Attack Paths Before Apply

79. @ramimacisabird 🔗 ramimac.me Configuration as Code: Manual Actions Arkadiy Tetelman

    - Detecting Manual AWS Actions: An Update!

80. @ramimacisabird 🔗 ramimac.me Runtime

81. @ramimacisabird 🔗 ramimac.me Minimize patching Runtime

82. @ramimacisabird 🔗 ramimac.me Runtime if k8s: EKS/AKS/GKE rami.wiki/eks