BLUE TEAM VILLAGE - Cloud Security Myths: Cutting through the BS-as-a-service

Video in TIB AV-Portal: BLUE TEAM VILLAGE - Cloud Security Myths: Cutting through the BS-as-a-service

Formal Metadata

BLUE TEAM VILLAGE - Cloud Security Myths: Cutting through the BS-as-a-service
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Subject Area
Cloud security is a magical world of as-a-service miracles. Just spin up your intrusion-detection-as-a-service, SOC-as-a-service, incident-response-as-a-service, and start feeding it security-intelligence-as-a-service. Come hear this CISO-as-a-service unwrap the onion of cloud access security brokers (CASB), cloud workload protection platforms (CWPP), microsegmentation, cloud security posture management (CSPM), software-defined perimeters (SDP), and a bunch of other cloud-related topics. What do they do? Do they really work? What do you do with all those security appliances you've accumulated?
The next talk that we're gonna have right now is Cloud Security Metrics, presented by Xavier Ashe. Thanks, guys. If you want some metrics I'll give you some metrics too, but that's... so, Cloud Security Myths. So I like to make sure that I'm talking to the right cloud crowd, there we go. So I want to get an idea of what you guys do, so that I make sure that, you know, I'll give you the information you need. So who here is, you know, part of a SOC, analysts, you guys have got to respond to cloud security crap? All right, so we got some analysts in here. All right, so engineers, people who have got to, like, design security for the cloud? All right, good, guys. So, all right, so that's generally where the talk is going to be aimed, towards those people, but we are going to talk, I've got some IR in the cloud and some other talks or other things about dealing with security in the cloud. So let's go ahead and get started.

So a little bit about me. I'm old, I've been around for a long time, and I most recently worked for Gartner, so if you see these terms that only Gartner uses, that's because they infected me with their terms, and so just bear with me as I use those terms as I describe some of this stuff. I've been in vendor world, consulting, did a little bit of my own business for a while, but I've recently switched gears, and after getting this talk accepted I now do IR, so I don't do cloud security anymore, but, you know, I play a good one on TV. So now I run an incident response team for a large financial institution, so that's why I put in the IR and the cloud stuff, to make sure you covered that. All right, so what is the cloud?

Right, so in general most people talk about the cloud in these three general places, right: you've got software as a service, infrastructure as a service and platform as a service, and those are the three types of cloud, right? And I'm here to say that there's a lot more than that, and so we want to make sure that we all understand, when we say the cloud, what are we talking about. I want to make sure that everyone walks away knowing about, especially, function as a service and other service types of things, right? So function as a service is a big, you know, push, and for those that, you know, design security and/or work in a SOC, we generally are not the ones that are going to decide, hey, we want to go do this function as a service thing, right? That's going to be some business line, some IT architect, some, you know, developing team that says, hey, containers as a service, we could, you know, let's do this new container stuff. And so as we talk about, you know, there's these three types of cloud, I mean four types of, well, there's actually five types of cloud services, it keeps ever changing, right? So here's a couple more: backend as a service, especially if you're doing mobile, that's a popular one now, you know, just all that other crap that you have to do, you know, just all the stuff to run a mobile app, is backend as a service. Integration platform as a service, to be able to get data from here to there, a lot of that started off in the sales world, and if you use, what's the, IFTTT, that's a good example. Unified communications as a service, we're getting your voice stuff. Payments as a service. All these wonderful services that you need to make sure that you cover when you design for security, so very important. All right.

So everybody's got it down, everybody knows what the cloud is, we're all on the same page, it's one big thing that we can talk about easily, right? Cloud security is just one thing. That's what I'm trying to drive home, is that there's a lot of different things here. So let's kind of talk about how doing security is changing in the cloud.

One of the things that I like to really put into people's minds, we talk about shifting the mindset of what cloud means. We used to have these designs of saying we've got this perimeter, we've got this, you know, system bus, and we've got this architecture that really kind of starts with our data center, and that's not really the truth anymore, right? The truth is that the end user is the center of that hub; they're going to go out to all of these different services. And this is a good talk, especially when, you know, if you get into, there's a tangent about endpoint management. You know, a lot of big companies like to say, here's a trusted computer, right? Yeah, you're a contractor, I'm gonna give you a trusted computer, therefore I can manage that and I can control everything you're doing. The problem is that that's not the case anymore, right? As the cloud kind of continues to permeate our business processes, this is gonna be the perspective, and our users are going to demand being able to use whatever device they want. And so, yeah, this is just a side tangent, this is a nice change. So we talk about cloud, and really, cloud security, we've got to talk about who does what, and I found this great site, it's called Pizza as a Service, and, you know, the link's here, you can just remember Pizza as a Service and Google it, and use this in your conversations when you're talking about who does what when it comes to these different cloud services.

And so they've updated it to include containers as a service and functions as a service, but you see here, traditionally, when we're talking about the data center, we own everything, that's kind of like good old homemade pizza, right? And we're gonna move to infrastructure as a service; this is what most people think of when they think of cloud, that AWS, opening up an EC2 virtual machine. You're handing over the responsibility for virtualization and hardware, but you've still got the rest of the stuff to do, which is kind of like a communal kitchen: you show up and you know that you can just use their kitchen. But containers as a service, as we move into this paradigm of using containers, the OS is now no longer your responsibility, you're just moving around containers, you know, that's your bring-your-own-pizza situation. Take away, when you're now looking at platform as a service, you just walk up and take your pizza away. You go to a restaurant, you know, that's your functions as a service, you're just showing up and you're gonna get a pizza delivered, you just want that function. And then finally the party, right, software as a service, everything, you just show up, there's just pizza there. And so this is a good way of making sure that people understand who's responsible for what, and this goes to, when we talk about your cloud security controls.

So, also love the word hybrid. Everybody says, yeah, we've got this hybrid cloud situation, right, we're gonna do a hybrid cloud, and this is just as easy to describe as just "the cloud", right? There's only one kind of hybrid: hybrid is cloud versus data center. Well, you've got to make sure that when somebody says "the hybrid cloud", you say, well, what do you mean? Are you using the cloud as a backup place, as a place to do disaster recovery, are you just using it as a storage unit, what things are you actually shipping to the cloud? And do you actually have, like, a separate data center out in the cloud, or do you really kind of extend your data center: you've got data center one that's here in my office and data center two that's AWS and you can't really tell the difference, right? So hybrid cloud could mean a lot of things, and make sure that when you're driving home the conversation that you're walking away and saying, you know, we know what we're talking about. And so don't just, if somebody just says, hey, the cloud, you can dive into that, but then when they say, hey, hybrid cloud, you say, well, what do you mean by that? And so dive into that, make sure that you know.

So as we change through this different mindset of what stuff is in the cloud, one of the things that we're driving towards is this service world, right? Basically, as we got excited about not having to run our own hardware, then we said, oh, wouldn't it be great if we didn't have to run our own software, and we can just have more and more other people do things. And so as these cloud service providers have clued in to this, they've said, oh, you want to run SQL? How about SQL as a service? All right, well, that's great, now I don't even have to work and do auto-scaling; I have one database and it can just auto-scale on its own, and I don't have to worry about actually creating containers or doing anything, I just have a SQL database or an Elasticsearch, and it's just this thing that you can call and it expands and it is really easy to use. Problem is that without a server there's a whole lot of things that break down when it comes down to security. As we move into the cloud, that is the biggest gap that we have. As you walk away from this talk I want you to understand, as we move to the serverless world, what things are not going to work. So I went around yesterday, and the day before that, I went to Black Hat and talked to everybody that had the word cloud on their banner, which was just about everyone: everyone does cloud, security in the cloud, being a secure cloud, best security in the cloud. I said, well, how does your thing work? And they say, well, we do this thing, and then we install an agent. Oh, you install an agent, that's great. What do I do with serverless options? If I've got an Elasticsearch stack, how do you protect them? Well, I know exactly. So be sure to take away from this that you understand that these serverless options are going to continue to pop up, and so as your company, as your organization moves into the cloud, it is not just going to be infrastructure as a service, unless you want to put these training wheels on your enterprise development and say, hey, we're not going to innovate. These services are so easy to use and really accelerate time to deliver, and security, our time to deliver on business processes, they're gonna happen. So we, security, you guys, we can't say, well, we can't put an agent on that so you can't do that, all right? And the more we act like that, the more we're going to get kicked out of the boardroom. We have to be able to do security in the cloud and not say, here's what you can and can't do.

All right, so what do I mean by security in the cloud? Well, so here's just a quick list of the NIST control families, so we can remind ourselves there's a lot of things that we, as security teams, are responsible for, right? And so as we think back to our Pizza as a Service slide, there's a couple of these that we can go ahead and strike off as soon as we do infrastructure as a service, right, the baseline, just put some VMs in the cloud: we no longer have to deal with personnel security, physical and environmental protection. All right, we would need to make sure our cloud service providers are doing those, right, and if you do SOC 2, right, you have to make sure your providers are doing those, but you're handing off the responsibility. So it doesn't then eliminate the need to do this, it's just somebody else is doing this. And so with both NIST and a couple of others, your cloud service providers, lots of big ones, for example, have got great spreadsheets to go through and say here are the controls which you do, which we do, and how to figure all that out, but generally those really assume infrastructure as a service. And so you have to say, all right, if I'm gonna have some Lambda functions out there that are going to be connecting, how do I authenticate to that, how do I make sure that that works as that scales up, and if I have an incident on one of those nodes, how am I going to respond to that?

All right, so another way of making sure that we understand what we say when we say cloud security: there's really three kind of groupings that I usually say. Are we talking about, like, services? You know, there's cloud security, security as a service, security things that are happening in the cloud, things like Proofpoint, you send your email through their cloud, right, so that's just kind of like security as a service. So that's one kind of thing when you talk about cloud security. There's cloud security products, right, so your virtual firewalls, your DLP things, like virtual appliances that you're going to be putting in your cloud, so those are products in the cloud. And then there's, you know, for the cloud, right, and a lot of these are going to be run by the cloud service provider, you're probably going to use Azure, AWS IAM, but there's also third-party ones of those. So make sure that when, again, we say cloud security, what are we talking about? Are we talking about cloud security services, products in the cloud, or functions for the cloud? Now generally, as I dive in here, I'm going to look mainly at the products in the cloud because that's where a lot of the gaps tend to happen, and so let's kind of dig in here.

So I did label this talk Cloud Security Myths, so here we go, here's some good security myths. I love this, I Googled around, said all right, so I'm going to talk about cloud security myths, what are cloud security myths, and, you know, they're all over the place, but in general I felt like these were myths that you would talk to non-security folks about. All right, so: the cloud is not secure, we can't go to the cloud. Now as a consultant I actually talked with a couple of companies that still, to this day, in 2018, said, well, I can't trust my data in the cloud. These guys were not doing government super-secret stuff; honestly, one of them was a cigarette maker. I mean, we know how to make cigarettes, it's not secret sauce, and you're gonna be okay by putting your data in the cloud. They still did not want to make that move, to say okay, we can think about maybe doing some plan, but we're not gonna put any of our, you know, classified data in there. So that's one myth. You know, so yes, we hear all the time about data breaches in the cloud, this was found in the cloud, yeah, that's not the cloud service provider. When's the last time you heard Amazon hacked, you know, they jumped from one AWS instance to another, right, or across? That doesn't happen, right? So the likelihood of that happening is really low, so the cloud is actually really secure. I love this other one: the cloud is perfectly secure. Well, no, yeah, so it is as secure as you make it. You put up data there and you leave it out in the open, somebody's gonna find it, right? You load your AWS keys onto your GitHub, yes, somebody's gonna find it. So the cloud is only as secure as you want to make it. There's: cloud security is too complex to maintain. This one I kind of say yes, right, and here's why. All right, so the complexity to cloud security, and this is the meat of the talk, is that all of these controls, that big list of families of controls, we could design all these different results. We've got IAM, we've got data protection, we've got all these things; I've got to be able to figure out how can I convert that control to all of these different services. All right, we've got function as a service, your serverless options, how can I do that? And every week or so somebody's gonna say, okay, but now AWS has got this new thing and it's awesome, it's gonna revolutionize the thing, we're gonna do it in six months, so security, you have to get on board with how we're gonna do this. And so yes, there is a lot of complexity. It can be done, but we have to understand that you've got to be able to communicate risk to these people: yes, you can do that in six months, you can do that in six weeks, but you're gonna do it and it's gonna be a much riskier situation, because we're not gonna have all of our controls converted for this newfangled technology. All right, so: all cloud service providers are the same. I'm gonna jump to that in a minute. And then: on-premise servers are so much safer. I love this one, because, yeah, we all know how poor our security is at our own data centers, right, so let's just not even go there. Yeah, oh my god, cloud.

All right, so cloud security truths. You've got to get away from this perimeter thinking. Now, there is, I am gonna talk about, like, transit VPCs and how to set that up, and so there is going to be some aspect of building kind of a perimeter into your cloud, but it's because there's really two ways of doing that, sorry, there's three ways of doing things in the cloud: there is agents, there is APIs and there is network-based stuff. And so really you've got to make sure your solutions will fit one of those three. So with network-based stuff we're going to create some transit VPCs to make sure that we can get the network traffic to go through our network products. Distributed threat surface: think about, if you're gonna try to protect all of your company's data and they start using the ERP as a service, sales, you know, Salesforce, there's data up there, and there's all of these different areas where now you've got to apply all these controls and be able to keep that safe, so there's a distributed threat surface. You will need new tools, or, you know, get tools, make sure that the tools you've got are starting to get updated and become more cloud-aware, or become container-aware, become more aware of what you're doing in the environment. Lots of new policies and procedures, because, you know, just go back and read it and think about, all right, if I'm moving from data center to cloud, what am I gonna have to rewrite? So I said that it takes a long time to convert those controls.

All right, so some cloud services are more equal than others, right? So this is a recent Gartner study; they took a large majority of the NIST controls, except for IAM, we did another study on that, and said, hey, if I just go with what Amazon or Google or Azure gives me out of the box, how well am I covered? And it's really interesting how there's so many gaps on the Google side, and I always think about, like, here's the perfect little cloud thing that already works for you but has fewer options, and then Google says, here's just this basic platform to do some creative things. And so Google just kind of takes a different approach to it, while both Azure and AWS are trying to say, I want to give you all the tools so that you don't have to go to anybody else, we have everything for you. But there are gaps there, and the gaps there you need to be able to identify, and this kind of simplifies the view, just to say, oh well, again, are we just talking about EC2 VMs, or, like, can I have the same level of logging if I just have a virtual Elasticsearch, right? So let's make sure that, as you do your own analysis here, that you understand and look at the options that your development team hasn't even used yet. If they're not doing functions as a service, within the next year there's gonna be a Lambda function out there doing something and all of a sudden it's going to be mission critical. So go ahead and think about all those things and be able to do this analysis for your own company in your own situation.

All right, so I wanted to add to this big search, you know, if you have a Gartner, you know, pass and get on, you look at the full study. Here are some of the highlights that I thought I would call out. So Amazon GuardDuty, great product; it does have a region-specific thing, so for you guys that actually are working in the cloud using GuardDuty as your SIEM, if you have multiple regions, just know it's not doing cross-region correlation. So if you do have multiple regions in AWS, you want to make sure that you either assume that risk or use another SIEM to do your alerting. So that's a takeaway. I love finding out that Google's OEM, they have, it's actually Symantec under the hood; they call it the Google workload protection, it's just Symantec, and so if you have opinions about Symantec, there you go, I've just given you more information to do something with. So Google does not support transit VPC. So as I said, there's really three ways of doing security: it's either having an agent on a box, which we know has a limitation; APIs, which of course have limitations because not every API gives you all the same access; and/or network. And so if you're going to be doing network-based stuff, and I say that you probably need to do network-based stuff for IR, and in some, you know, being able to do things on the wire, Google does not support transit VPCs, so keep that in mind as you're looking at these. And of course there's more cloud service providers than just these, but we had to stop somewhere. Um, so if you know anything about denial of service protection, Google's is kind of like old school: if they're gonna just flood you with data then they've got protection, however there's a method called scrubbing, we won't get into it now, but a lot of the more modern denial of service attacks are mitigated using scrubbing. That is a premium add-on for Azure and AWS, but Google does not have that at all.
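The GuardDuty point above, that alerting is per region and cross-region correlation has to come from your own SIEM, is the kind of gap a small correlation step can close. As an added example (not from the talk, and not AWS or GuardDuty code), here is a Python correlator that groups constructed, simplified GuardDuty-style findings from several regions by the actor that links them (the calling access key ID or the remote IP in the recorded action) and reports only actors seen in more than one region; the finding layout, IDs, IPs and finding types are assumptions for illustration, not real findings.

```python
"""Cross-region correlation of GuardDuty-style findings (added example).

GuardDuty alerts within a single region. This helper takes findings that were
collected from several regions and groups them by the actor that links them
(the calling access key ID, or the remote IP in the recorded action), so that
one actor active in several regions shows up as one incident instead of several
unrelated alerts. The sample findings are constructed and simplified: they only
borrow the Region / Type / Severity / Resource / Service layout of a GuardDuty
finding, and the IDs, IPs and finding types are illustrative assumptions.
"""
from collections import defaultdict

# Constructed sample findings (not real data). The same access key appears in
# two regions, and its source IP also appears in a third region's EC2 finding.
SAMPLE_FINDINGS = [
    {
        "Region": "us-east-1",
        "Type": "Recon:IAMUser/MaliciousIPCaller",
        "Severity": 5,
        "Resource": {"AccessKeyDetails": {"AccessKeyId": "AKIAEXAMPLE0001"}},
        "Service": {"Action": {"AwsApiCallAction": {
            "RemoteIpDetails": {"IpAddressV4": "198.51.100.7"}}}},
    },
    {
        "Region": "eu-west-1",
        "Type": "Persistence:IAMUser/UserPermissions",
        "Severity": 5,
        "Resource": {"AccessKeyDetails": {"AccessKeyId": "AKIAEXAMPLE0001"}},
        "Service": {"Action": {"AwsApiCallAction": {
            "RemoteIpDetails": {"IpAddressV4": "203.0.113.9"}}}},
    },
    {
        "Region": "ap-southeast-1",
        "Type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "Severity": 2,
        "Resource": {"InstanceDetails": {"InstanceId": "i-0example1234"}},
        "Service": {"Action": {"NetworkConnectionAction": {
            "RemoteIpDetails": {"IpAddressV4": "198.51.100.7"}}}},
    },
    {
        "Region": "us-west-2",
        "Type": "Recon:EC2/PortProbeUnprotectedPort",
        "Severity": 2,
        "Resource": {"InstanceDetails": {"InstanceId": "i-0example5678"}},
        "Service": {"Action": {"NetworkConnectionAction": {
            "RemoteIpDetails": {"IpAddressV4": "192.0.2.44"}}}},
    },
]


def actor_keys(finding):
    """Return the (kind, value) identifiers that tie a finding to an actor."""
    keys = set()
    access_key = (finding.get("Resource", {})
                  .get("AccessKeyDetails", {})
                  .get("AccessKeyId"))
    if access_key:
        keys.add(("access_key", access_key))
    action = finding.get("Service", {}).get("Action", {})
    for action_type in ("AwsApiCallAction", "NetworkConnectionAction"):
        ip = (action.get(action_type, {})
              .get("RemoteIpDetails", {})
              .get("IpAddressV4"))
        if ip:
            keys.add(("remote_ip", ip))
    return keys


def correlate_across_regions(findings, min_regions=2):
    """Group findings by actor key and keep actors seen in >= min_regions regions.

    Returns {actor_key: {"regions": [...], "count": n, "max_severity": s,
    "types": [...]}}. Single-region actors are dropped because the per-region
    console already shows those; the cross-region view is what it lacks.
    """
    by_actor = defaultdict(list)
    for finding in findings:
        for key in actor_keys(finding):
            by_actor[key].append(finding)

    correlated = {}
    for key, group in by_actor.items():
        regions = sorted({f["Region"] for f in group})
        if len(regions) < min_regions:
            continue
        correlated[key] = {
            "regions": regions,
            "count": len(group),
            "max_severity": max(f["Severity"] for f in group),
            "types": sorted({f["Type"] for f in group}),
        }
    return correlated


if __name__ == "__main__":
    for key, summary in correlate_across_regions(SAMPLE_FINDINGS).items():
        print(f"{key[0]}={key[1]} seen in {summary['regions']}: "
              f"{summary['count']} findings, max severity {summary['max_severity']}")
```

On the sample data the access key is flagged for appearing in two regions, and its source IP is flagged a second time for tying the IAM activity to an EC2 brute-force finding in a third region; a real deployment would feed exported findings from each region into `correlate_across_regions` instead of the constructed list.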
so again you know when you think about which services to put in which cloud service provider that might move it move you one way or the other so the if you're applying you know the the laughs on on the on AWS that you really can only use it on there those two either on cloud front or the load balancer so there's other third-party products I know five and a couple of others are really kind of you know looking to cover that gap but the laughs it's got a lot of limitations and the the out of the box capabilities for for AWS as your get does provide endpoint security well I think that it's interesting AWS doesn't even rebrand anything so so azure does have that I would encourage you to look at what what's available out there for for cloud based endpoint security for those instances in which you can actually put in agent and then stackdriver so they're both AWS and and Google have or AWS and as your have a great logging tools a stack driver takes a little bit further and you can just doesn't like debug level stuff which is great if you want to also do some IR but what I thought was interesting is that stack driver can be used on AWS and so if you've got both Google and AWS look a stackdriver - maybe consolidate logging and get a get get a couple more features alright so transit
VPC so make sure that everybody with this is a technique that has definitely you know kind of required to implement a lot of the you know a cloud security that you see over the Red Hat you know when they say wait we can do these wonderful things if it is a network based approach you're going to need to build a transit VPC and and this just basically means that I've got to run my network traffic through a V PC to be able to to get this stuff done so this is just a basic architecture approach but is overlooked by a lot of architects and realizing oh well we're gonna have to do this other thing and so especially when when if you're moving the cloud and get this in place beforehand if not and look to go talk to you network engineers and look at implementing this so you can do things like you know packet capture IPS and other things on the wire right
Alright, so now I get into what somebody said is some Gartner term, so excuse me: cloud workload protection platforms. This is a really big long word for endpoint security in the cloud, right? But a lot of these products I looked at were just the same EDR or antivirus product; they just put the word cloud on. So what I want to do is, if you are going to look at these endpoint-based solutions, and you should if you don't already, here's what you need to make sure that they have. Both agentless and agent-based operations, because most of these are going to be agent-based to begin with, but see which ones can tap into APIs either at the hypervisor or at the cloud, and decide what type of functionality is useful so that you can get threat detection and protection coverage on those serverless options. Detection of containers: you've got to make sure that, even if you're not using containers today, you will be soon, so make sure that your endpoint protection is container-aware. Tagging and segmenting: I've got another slide on micro segmentation, but being able to understand the traffic coming out of each container from a different instance, with all the auto scaling and everything else, you need to be able to describe the data in very finite ways. Make sure that if you are looking at or already doing traffic tagging and security groups, your endpoint security solution works with those. If you've already done the job of describing "here's all of my enterprise bus traffic, built to this great app security group", and you've done all the microservices tagging, and then you go install this product and it can't see those tags, can't work with them, then you can't really write rules based off of that other work. So this is one where the enterprise architects are going to be building this kind of technology, and you should make sure that your security projects can leverage it.
Native API-based integration, especially if you're on multiple cloud providers: you need to look at whether you can integrate and have one console for both my Google and my AWS cloud; that saves a whole lot of pain and effort. So if you do have a multi-cloud integration, make sure that you can do that. Traditional antivirus is really not a big deal on servers; however, application control whitelisting, I used to work for Bit9 so I love this stuff, but I think that's a very key feature as well. So this is your shopping list if you're going to go look for this wonderful world of cloud workload protection platforms, i.e. endpoint security. Alright, next category
of miraculous solutions is the CASB. Who here has even tried to use CASBs out in the field? Anybody? I got a couple hands over here, couple hands. Alright, CASBs have gotten kind of a bad rap, because back when I was doing consulting I asked, so what about CASBs? And they said, they're a pain, they're there for this size of company, we're too big for them, they're too complicated. And it can be so. CASBs in general are this group of products that say: I need to put something in between my user and, typically, SaaS providers to do additional stuff. So when you talk about converting controls over to the service world, there are also all these software-as-a-service providers, and I want to do things like authentication. Well, yes, you can go and do that; they've got Centrify and all these others now that can really help you with that, but the CASB products do more than that: they allow you to add on additional encryption, do encapsulation, do adaptive access control. I've got a couple of features here, and there are multiple architectures for the way that these work; I've got that on my next slide. But one of the main features is your shadow IT, so you can kind of start getting a hold of these other products. Of course, if you've got proxy logs, your Splunk could probably figure out who's using these other shadow IT products, so if that's your only use case I wouldn't go out and buy a CASB just for that. But you can then start applying some of your security controls to those. There are products in this category, and so you can apply those to your sanctioned SaaS, and then also be able to apply those to any of the unsanctioned SaaS that you come up with, and you can start onboarding those. But how do they work?
So there's generally three, and a fourth is there as well. There's API mode: basically, some CASBs just say, I'm going to talk to the SaaS provider, it's got an API there, and they know you're coming from company X, and we're going to apply all these controls for you because we have this native integration. So this is API mode, and a lot of the big SaaS providers work with a lot of CASBs out of the box and can apply your security controls without necessarily doing a man in the middle. Then there's the man in the middle: there's a forward proxy mode or reverse proxy mode, I won't necessarily get into the technical differences there, but you can understand that the other way of doing this is you've got to basically put yourself in the middle and then broker those communications so that you can apply those security controls like authentication, encryption and whatnot. And then there's enterprise integration, which is a complex word for saying I've got all these other little products that are going to tap in and provide the same CASB-level services. So again, I was going around to all these vendors yesterday asking about them, and they described what they're doing, and I said, oh, so you're kind of like a CASB, right? "Wait, I'm not really a CASB, really, ours is so much different." Sounds like, no, you're a CASB. So this is one of these product solutions where in general I do think that CASB is still a fairly new set of technologies, and if you're a large enterprise it's probably not going to be able to meet all of your demands with just their product. There might now be some CASB products that have started to put a lot more enterprise features in, but this is a good mid-market program: if you've got a very small data center or no data center and your company runs a whole lot of different SaaS products, I would look at some of these to help fulfill some of your security needs. Like I said, this is one of these network-based solutions that can apply security controls for SaaS and other cloud service technologies without necessarily having to manage a full agent. Alright, so
everyone's heard all about that: "I've got this breach, people left data out over this." So this is a mandatory thing, to make sure that you understand how you're doing ongoing cloud security posture management. Gartner used to call this Cloud Infrastructure Security Posture Assessment, CISPA, and then Congress decided to create a really bad law called CISPA. Now you don't want to call a thing CISPA because everybody gets all fussy: "no, no, not that". Okay, so we're going to call it cloud security posture management now. If you're only doing things in one, just AWS or just Azure, each of the products does have its own checklist toolkit. However, this is one of those areas where I think that defense in depth is probably warranted, right? If you're having the cloud service provider tell you that everything's OK, in general that might be good enough for you, but if you think that you need a little bit more, there are third-party products and there's open source: CloudSploit I think is one of these, there's a lot of good ones, Scout2, Prowler, Security Monkey, Cloud Custodian and CloudSploit. So just look out there for those types of solutions. What they'll do is look to see how you've got things set up and constantly tell you, "hey, you've got an open S3 bucket". That's the kind of thing we want to avoid. This is your security blanket: make sure that nobody over there that has the permissions to do so does something stupid, and that you can immediately respond to it. It's a mandatory tool in your cloud security toolkit. Alright.
Software-defined perimeter: anybody know what this one is? Alright, got one. So software-defined perimeters: I really like this because I worked at a startup and this is kind of what we did. We didn't call it this because we wanted to be cool; we wanted to call it micro segmentation. NSX was talking all about micro segmentation and we were like, we can do so much better. But this is basically the type of solution that says: everyone that I've seen so far is agent-based, some may have APIs, but the idea is I've got an agent on one side, I've got an agent on the other, and there's a broker in the middle, and based off of different situations I can do different things. So if I've got an agent on the endpoint, I can actually stop network traffic from getting back through the IP stack based off of this broker's decision. For example, you can do authentication before the TCP session is even established, so you can make things disappear. That's why I call it software-defined perimeters: I can put a server on the internet and it says, I'm only going to allow other endpoints that have this other agent, because I brought in this third-party broker that's going to say "I'm coming in as authenticated; this IP over here, he's good to go, you can open up a TCP session for him; all these other ones, you're just going to drop the TCP session". So I think it's a really neat way of doing security. You can also do things like add encryption and encapsulation, and you can look at this for east-west traffic as well; it doesn't have to be client-server, you can do this in the data center. Again, most of this is agent-based, but it provides some really interesting security to make machines hide off the network unless you're part of this brokered solution. So really neat tools there. Alright, micro segmentation.
So no cloud talk is good without micro segmentation. Like I said, I worked in this for a couple of years. This is my definition here, because I helped write a lot of this, and it's basically saying I want to make a decision on whether traffic is allowed to flow based on something more than just IP and port. So I can say this is coming from this set of servers and it's coming from these sets of services, so I know what this data is; I don't need to do a protocol inspection or anything like that. I can just go ahead and say yes, I can identify this, I can tag it, and then I can link this in with my networking solution to then provide a lot of east-west control, making sure that only traffic that should go somewhere goes there. So micro segmentation is being built into the latest software-defined networking products; it's obviously available in the NSX product from VMware, and I've seen a lot of enterprises start to actually push out endpoint agents and start partitioning their entire company and doing micro segmentation. So the architectures: native micro segmentation is in the cloud or with VMware; the third-party model is I've got some other product that is going to come in and do it for me; the overlay model is the agent-based model like Illumio; and the hybrid model is using some combination thereof. So in the cloud you've got micro segmentation natively, so if you're doing any micro segmentation in your data center you can carry that over to the cloud, and you should, and make sure that your tags, for instance the NSX tags, carry over so you can create an enterprise-wide micro segmentation scheme. A lot of people get worried about micro segmentation (I didn't put that graph in again): I've got complexity, I've got VLANs that work hard, but now you're talking about micro segmentation with thousands of different ones. So a lot of enterprises I've seen say, let's call this macro segmentation, we're not going to do it this small, we're just going to simplify it. Either way, micro segmentation is a very strong control that you should look at when you're designing your networks and your cloud solutions, because when you look at the number of controls and you look at a lot of the service options, sometimes you're just going to have to segment that stuff off. I can't put an agent on it, it's encrypted traffic, I've covered my bases, I've got authenticated connections, but I can't do anything else with it, so how can I secure my data layer in the cloud? You can do some micro segmentation and make sure that only the approved services can connect to that. And you really have to do micro segmentation when you're talking about auto scaling and a lot of the dynamic nature of the cloud. All
right, so incident response in the cloud. We'll talk a little bit about what we can do now that something bad has happened, right? One, you might have to plan for IR in the cloud. Of course a lot of this is logging, but logging is never enough. When you are doing logging, I would look at things like write-once storage: S3 bucket versioning is a good way of making sure that as you put your logs in, they're immutable. And then also index all of your SaaS services. If something bad were to happen... we kind of laugh about, oh, there's the sales guys using Salesforce, what do they really need incident response for? "Oh, I lost my contacts." I'm sorry, if your sales team loses a whole bunch of stuff, trust me, that's going to be a big IR situation, because in a lot of companies the sales guys run the company, right? And so if they can't sell stuff, nobody's getting paid, so that's a big deal. So go talk to your SaaS providers and figure out what I can get access to, how I can make sure my IR team can get in and get the data, whatever logs, whatever captures I can get; plan for that stuff. This is also where you might look at it and say, hey, I think I might want to look at CASBs now, because with CASBs I can start capturing some of that network data. So if I don't have NetWitness on every single thing, I can at least start capturing those, and so I can figure out how to respond for my software-as-a-service providers. Note that all of your cloud service providers have their own IR process, and if there's a situation, if there's a data center on fire, they're going to let you know. So if you're part of IR, part of the SOC, make sure that, one, you've indexed all of your cloud services and you know where they are,
and two, that you know what their IR program is. Now if you're mature enough to be able to sit there and pull SOC 2 reports, that's great, but Microsoft, Amazon, they all have really good explanations of their IR process. So just remember, because there are different levels of responsibility, that IR process might be kicked off by your actual cloud service providers, so just make sure you have that in your mind. So a couple of tips here. EC2: if you've actually got VMs there, you can do a snapshot capture in EBS. Azure: if you've got IaaS, you can just capture the data drive directly in the portal. Margarita Shotgun is a great little tool for doing memory captures, especially in the cloud. And if you're on AWS, there's this great combination of toolkits called the open source Incident Response toolkit; it's got a number of different tools packaged together, and in that way you can actually have an IR station in your cloud, so that when you go to capture something you can go ahead and just mount it on your IR instance and go in and start working away. So again, IR is not waiting until it happens to put all this together; build all that out. And Azure Security Center has got a pretty good playbook-based system that can help a lot of the IR automations, and of course if you've got something like Demisto, they all kind of tie into those. So again, just like with the enterprise or the endpoint security stuff, if you're doing automations, like rainbow tables, just make sure that they can connect to your cloud. So the takeaway here is that there are lots of different things in the cloud, there will continue to be lots of different things in the cloud, and we have lots of different security controls that we have to continue to do. It's very hard
to keep up with that, and so we've got to make sure that we index as much as we can and communicate those gaps, and also so that you can talk intelligently to the vendors when they say, hey, this great beautiful thing, here's what it can do. I'm like, right, but how does it work? Because that's going to tell you what kind of coverage you have. So I appreciate your time for coming out,
and if anybody has any questions I can take a few now; otherwise I'll be around the back to talk a little bit further. So, any questions? I answered them all? Great. Well, I appreciate you guys coming out, have a good time. [Music]
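As an added example (not from the talk, and not any of the tools it names), a CSPM-style check in the spirit of the posture-management and write-once-logging points above: it walks constructed S3 bucket records (placeholder names, policies and account id, shaped like what the S3 API reports) and flags public bucket policies or ACLs, and log buckets whose versioning or object lock is off.

```python
# Added example (not from the talk): CSPM-style checks over constructed S3
# bucket records shaped like what the S3 API reports, so they run offline.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEE_URIS = {ALL_USERS, AUTH_USERS}


def _principal_is_wildcard(principal):
    """True when a statement's Principal is everyone ("*" or {"AWS": "*"})."""
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return aws == "*" or "*" in (aws if isinstance(aws, list) else [])


def policy_allows_public(policy):
    """True for any Allow statement with a wildcard Principal and no Condition;
    a Condition (e.g. a VPC endpoint restriction) may still limit access, so those are skipped."""
    if not policy:
        return False
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # S3 accepts a single statement too
    return any(
        s.get("Effect") == "Allow"
        and _principal_is_wildcard(s.get("Principal"))
        and not s.get("Condition")
        for s in stmts
    )


def acl_is_public(grants):
    """True if any ACL grant targets the AllUsers/AuthenticatedUsers groups."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS for g in grants)


def assess_bucket(bucket):
    """Return finding codes for one bucket record; an empty list means clean."""
    findings = []
    if policy_allows_public(bucket.get("policy")):
        findings.append("public-policy")
    if acl_is_public(bucket.get("acl_grants", [])):
        findings.append("public-acl")
    # Log buckets should be write-once: versioning on and object lock set.
    if bucket.get("is_log_bucket"):
        if bucket.get("versioning") != "Enabled":
            findings.append("versioning-disabled")
        if not bucket.get("object_lock"):
            findings.append("object-lock-disabled")
    return findings


SAMPLE_BUCKETS = [  # constructed inventory; names and account id are placeholders
    {"name": "example-cloudtrail-logs", "is_log_bucket": True, "versioning": "Suspended",
     "object_lock": False, "acl_grants": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}]},
    {"name": "example-web-assets", "is_log_bucket": False, "versioning": "Enabled",
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::example-web-assets/*"}]}},
    {"name": "example-audit-logs", "is_log_bucket": True, "versioning": "Enabled", "object_lock": True,
     "policy": {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject", "Resource": "*",
                               "Principal": {"AWS": "arn:aws:iam::123456789012:role/LogWriter"}}]}},
]

if __name__ == "__main__":
    for b in SAMPLE_BUCKETS:
        print(b["name"], assess_bucket(b) or "clean")
```

In a real deployment the records would come from the S3 API (bucket policy, ACL, versioning and object-lock configuration) instead of the inline list.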