Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How to 10X Your Cloud Security (Without the Ser...

Rami McCarthy
September 11, 2024
2.3k

How to 10X Your Cloud Security (Without the Series D)

I’ll summarize and distill the actionable guidance for scaling Cloud Security programs from the vast array of talks and blog posts our there. We'll blaze through a dense view of what cloud security is, how you can do it more effectively, and what the near future looks like. After the talk, you'll have practical takeaways, and a lengthy, curated bibliography to lean on.

Rami McCarthy

September 11, 2024
Tweet

Transcript

  1. 🇸🇪 I just moved from Boston to Stockholm 🇺🇸 @ramimacisabird

    🔗 ramimac.me Definitely not just to buff my fwd:cloudsec CFP…
  2. @ramimacisabird 🔗 ramimac.me Philosophy 1. Just do it at first,

    but automate as much as possible to scale
  3. @ramimacisabird 🔗 ramimac.me Philosophy 1. Do things that don’t scale,

    automate as much as possible to scale Phil Venables - Delivering Security at Scale: From Artisanal to Industrial
  4. @ramimacisabird 🔗 ramimac.me Philosophy 1. Do things that don’t scale,

    automate as much as possible to scale 2.High-signal, low-noise tools and alerting
  5. @ramimacisabird 🔗 ramimac.me Philosophy 1. Do things that don’t scale,

    automate as much as possible to scale 2.High-signal, low-noise tools and alerting • Simplicity & Signal > Capabilities • Distributed alerting and responsibility for security tasks
  6. @ramimacisabird 🔗 ramimac.me Philosophy 1. Do things that don’t scale,

    automate as much as possible to scale 2.High-signal, low-noise tools and alerting 3.Guardrails, not gatekeepers
  7. @ramimacisabird 🔗 ramimac.me Philosophy 1. Do things that don’t scale,

    automate as much as possible to scale 2.High-signal, low-noise tools and alerting 3.Guardrails, not gatekeepers 4.Security as partnership. Embed security in development process
  8. @ramimacisabird 🔗 ramimac.me Security-as-Partnership Jacob Salassi - Why shifting left

    doesn't work & asks too much from everyone • Security Champions are human crutches that prop up cumbersome processes that don’t scale • Every security consultation is a failure
  9. @ramimacisabird 🔗 ramimac.me Philosophy 1. Do things that don’t scale,

    automate as much as possible to scale 2.High-signal, low-noise tools and alerting 3.Guardrails, not gatekeepers 4.Security as partnership. Embed security in development process 5.Tools devs can build, others can operate
  10. @ramimacisabird 🔗 ramimac.me Philosophy 1. Do things that don’t scale,

    automate as much as possible to scale 2.High-signal, low-noise tools and alerting 3.Guardrails, not gatekeepers 4.Security as partnership. Embed security in development process 5.Tools devs can build, others can operate 6.The limits of desirable security Karsten Nohl - When Enough Is Enough: The Limits Of Desirable Security
  11. @ramimacisabird Security Program Invariants Vulnerability & Asset Management Identity &

    Access Management Detection ( Deployment Eight Seven Six sections Thirty-odd minutes
  12. @ramimacisabird 🔗 ramimac.me Security Program: All About Attack Surface 1.Account

    Architecture 2.Service & Action Allowlists 3.Zero Trust & Zero Touch 4.Identify a baseline, meet it, enforce with invariants, raise it The Path to Zero Touch Production Kane Narraway - How We Built Zero Trust
  13. @ramimacisabird 🔗 ramimac.me Security Program: Metrics Alex Smolen - Building

    Effective Security OKRs • Example metrics: • Time to detection of vulnerabilities • Time to remediation of vulnerabilities • Average vulnerabilities over time • Good vulnerability metadata allows for good vulnerability metrics
  14. @ramimacisabird 🔗 ramimac.me Security Program: Metrics Collin Green - Product

    security primitives • % of “really bad” bugs vs total security bugs • Classes of bugs going down with investment to prevent them Ryan McGeehan - A key performance indicator for infosec organizations, Killing “Chicken Little” : Measure and eliminate risk through forecasting • Probabilistic, risk-based KPIs with expert estimation
  15. @ramimacisabird 🔗 ramimac.me Security Program: Proactive Efficiency “why not ask

    ourselves how the team would cope if the workload went up another 30%, but bad financial results precluded any team growth? It's actually fun to think about such hypotheticals ahead of the time - and hey, if the ideas sound good, why not try them out today?“ lcamtuf - Getting Product Security Engineering Right
  16. @ramimacisabird 🔗 ramimac.me Security Program: Simple Evangelism 1. “Here’s how

    we’ll get hacked” 2. “Here’s why security matters"
  17. @ramimacisabird 🔗 ramimac.me Invariants Alex Smolen - What are Security

    Invariants? • Identify Scope -> Measure Adherence -> Document Exceptions -> Prevent Regressions Chris Farris - Defining Security Invariants • Preventing security risk comes at the expense of increasing operational risk
  18. @ramimacisabird 🔗 ramimac.me Invariants Service Allow Listing Reducing Attack Surface

    with AWS Allowlisting Kinnaird McQuade - Security Guardrails at Scale in Azure
  19. @ramimacisabird 🔗 ramimac.me VAM : Asset Inventory Current AND historic

    resource metadata Jake Berkowsky - Security Analytics with Wiz and Snowflake
  20. @ramimacisabird 🔗 ramimac.me VAM : Managing Vulnerabilities Cheatsheets •Trend Micro

    - CloudConformity Knowledge Base •Datadog - Cloud Security Atlas
  21. @ramimacisabird 🔗 ramimac.me VAM : Managing Vulnerabilities Jamie Finnigan -

    Severity ratings should mean something •Confidence ratings are an important modifier on vulnerability severity
  22. @ramimacisabird 🔗 ramimac.me VAM : Getting Bugs Fixed Collin Greene

    - Fixing security bugs •Is prioritization correct? Is the bug clear? •Explain why security matters •Empathize, avoid Nagging •Escalating to a manager •“I want to make sure you are aware of this and I would like it to be fixed” not “engineer $foo has dropped this task n times” •“you are in the small minority of people who have not fixed your open security bug” •Visualization, leaderboards, gamification
  23. @ramimacisabird 🔗 ramimac.me Identity and Access: Scaling IAM Will Bengtson,

    Devon Powley - Bumps in the Road While Scaling Cloud Access •Direct federation •Zero access by default •Auto-approval Peter Collins, Elisa Guerrant - Heard you liked access, so we built Access to manage your access for Access JIT Cloud Access
  24. @ramimacisabird 🔗 ramimac.me Desirable Least Privilege for Humans 1. Service

    level least privileging (carveouts for “crown jewels”) 2. Chris Farris - Sensitive IAM Actions • CredentialExposure • DataAccess • PrivEsc • ResourceExposure
  25. @ramimacisabird 🔗 ramimac.me Identity and Access: Service Identity 1. Cleanup

    unused access: Steampipe + Access Advisor 2.Make sure you’re on IMDSv2 : rami.wiki/imdsv2
  26. @ramimacisabird 🔗 ramimac.me • Allyn Stott - How I Learned

    to Stop Worrying and Build a Modern Detection & Response Program • & The Fault in Our Metrics: Rethinking How We Measure Detection & Response Detection (Eng)
  27. @ramimacisabird 🔗 ramimac.me Detection (Eng) Ryan McGeehan - Lessons Learned

    in Detection Engineering • Great teams •… are aware of where, and how, analysis work is being created. •… don’t pass bad alerts from one on-call to the next. •… don’t pretend that every alert is worth being paged.
  28. @ramimacisabird 🔗 ramimac.me Detection (Eng): Distributed Alerting • SOC Automation

    Capability Matrix •Alert handling •Issue tracking •Enrichment •User Interaction •Response •Continuity •Procedural •Matt Knight - AI Cyber Challenge DefCon talk •singe/tidcli Tips for SOCLess Oncall
  29. @ramimacisabird 🔗 ramimac.me Detection ( Engineering): Canaries The Security Canary

    Maturity Model 1. Coverage: Diversity and Distribution 2. Impact: Signal and Cost Imposition 3. Management: Deployment and Maintenance 4. Program: Discoverability, Publicity, and Response Planning
  30. @ramimacisabird 🔗 ramimac.me Deployment Mike Ruth • Attacking and Defending

    Infrastructure with Terraform: How we got admin across cloud environments • Attacking & Defending Supply Chains. How we got Admin in your Cloud, Again
  31. @ramimacisabird 🔗 ramimac.me 30 - 60 - 90 Plan •Assess

    •Build relationships •Establish baseline
  32. @ramimacisabird 🔗 ramimac.me 30 - 60 - 90 Plan •Do

    one thing better •Nail it •Add invariants for your baseline
  33. @ramimacisabird 🔗 ramimac.me 30 - 60 - 90 Plan •Plan

    for scale •Reproducible process •Security ROI •Kill a class of risk
  34. @ramimacisabird 🔗 ramimac.me Security Platform Engineering Team Cadillac CDR w/

    IR Retainer Cadillac “CNAPP” Actioning expensive log sources Data Perimeter How to 10X Your Cloud Security ( With the Series D ) Asset Graph lyft/cartography
  35. @ramimacisabird 🔗 ramimac.me Takeaways 1. Build guardrails, establish invariants, offer

    secure defaults, and kill areas of risk - don’t add to dashboards full of problems 2. IAM, Vulnerability Management, and Detection Engineering are prime candidates for limitation to desirable security 3. Collect the minimum viable data to inform investments and report upwards & outwards https://speakerdeck.com/ramimac/scale-cloud-security
  36. @ramimacisabird 🔗 ramimac.me https://speakerdeck.com/ramimac/scale-cloud-security One last thing … I’m new

    to Europe and will be looking for a new role (and friends) shortly If you know of any cool companies or people, in Sweden and beyond, let me know! Thank you! https://www.linkedin.com/in/ramimac/
  37. @ramimacisabird 🔗 ramimac.me Philosophy Some things just don’t work: •

    Absolute least privilege • Centralized security review • Centralized security authorship Jacob Salassi - Appsec Development: Keeping it all together at scale
  38. @ramimacisabird 🔗 ramimac.me Account Architecture Richard Crowley - You should

    have lots of AWS accounts Richard Crowley - One giant AWS account is technical debt you can’t afford Corry Haines - AWS Account Layout Brandon Sherman - What I wished someone told me before going multi- account
  39. @ramimacisabird 🔗 ramimac.me Account Architecture: Migrations Houston Hopkins - aws_organizations_migration_notes.md

    Matthew Fuller - Moving AWS Accounts and OUs Within An Organization - Not So Simple!
  40. @ramimacisabird 🔗 ramimac.me Account Architecture: Baseline •David Levitsky, Olivia Hillman

    ( Benchling) - Launch Control - Automating a Security Baseline in the Cloud at Scale •nozaq/terraform-aws-secure-baseline •Chris Farris - primeharbor/org-kickstart
  41. @ramimacisabird 🔗 ramimac.me Account Architecture: Handling Root •Scott Piper -

    Managing AWS root passwords and MFA •Greg Kerr, Brett Caley, & Matt Jones - yubidisaster: Building Robust Emergency Admin Access to AWS Accounts •Rich Mogull - OUs, SCPs, and a Root User Account Recovery
  42. @ramimacisabird 🔗 ramimac.me VAM : Secrets Scanning •Source Code •Terraform

    State •Image file systems •CI/CD Systems • … ramimac/aws-customer-security-incidents gitleaks/gitleaks Allan Reyes - Keeping secrets out of logs
  43. @ramimacisabird 🔗 ramimac.me Configuration as Code: Secure by Default •

    Semgrep for Terraform Security: Secure-by-default modules • asecure.cloud • Semgrep for Terraform Security: Use Semgrep to evangelize secure-by-default modules
  44. @ramimacisabird 🔗 ramimac.me Configuration as Code: Scanning • Christophe Tafani-Dereeper

    - Scanning Infrastructure as Code for Security Issues • Adam Cotenoff - Standardizing Terraform Linting • Scan plans, not just HCL • Brad Geesaman - Pipeline Precognition: Predicting Attack Paths Before Apply