Meanwhile in Security


Cloud security is a minefield of news that assumes the word "Security" is lurking somewhere in your job description. It doesn't have to be this way. Weekly cloud security news for people with other jobs to do. Cloud Security For Humans.

Jesse Trucks


    Latest episode: Sep 2, 2021
    New episodes: infrequent
    Average duration: 9m
    Episodes: 29



    Latest episodes from Meanwhile in Security

    Standing in the Rain Isn't Diving in the Sea

    Sep 2, 2021 (9:11)


    Links:
    Microsoft Azure Cloud Vulnerability Exposed Thousands of Databases: https://www.darkreading.com/cloud/microsoft-azure-cloud-vulnerability-exposed-thousands-of-databases
    Google, Amazon, Microsoft Share New Security Efforts After White House Summit: https://www.darkreading.com/operations/google-amazon-microsoft-share-new-security-efforts-post-white-house-summit
    New Data-Driven Study Reveals 40% of SaaS Data Access is Unmanaged, Creating Significant Insider and External Threats to Global Organizations: https://www.darkreading.com/cloud/new-data-driven-study-reveals-40-of-saas-data-access-is-unmanaged-creating-significant-insider-and-external-threats-to-global-organizations
    Researchers Share Common Tactics of ShinyHunters Threat Group: https://www.darkreading.com/attacks-breaches/researchers-share-common-tactics-of-shinyhunters-threat-group
    How to automate forensic disk collection in AWS: https://aws.amazon.com/blogs/security/
    Confidential computing: an AWS perspective: https://aws.amazon.com/blogs/security/
    New in October: AWS Security Awareness Training and AWS Multi-factor Authentication available at no cost: https://aws.amazon.com/blogs/security/amazon-security-awareness-training-and-aws-multi-factor-authentication-tokens-to-be-made-available-at-no-cost/
    Use IAM Access Analyzer to generate IAM policies based on access activity found in your organization trail: https://aws.amazon.com/blogs/security/

    Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

Corey: This episode is sponsored in part by Thinkst Canary. This might take a little bit to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, or anything else like that that you can generate in various parts of your environment, wherever you want them to live; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use them. It's an awesome approach to detecting breaches. I've used something similar for years myself before I found them. Check them out. But wait, there's more because they also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment and manage them centrally. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files that it presents on a fake file store, you get instant alerts. It's awesome. If you don't do something like this, instead you're likely to find out that you've gotten breached the very hard way. So, check it out. It's one of those few things that I look at and say, “Wow, that is an amazing idea. I am so glad I found them. I love it.” Again, those URLs are canarytokens.org and canary.tools. And the first one is free because of course it is. The second one is enterprise-y. You'll know which one of those you fall into. Take a look. I'm a big fan. More to come from Thinkst Canary weeks ahead.

Jesse: Disaster befell much of the middle south of the US when Ida slammed into the coast and plowed its way up north through the land. What does a hurricane have to do with security? Business continuity. Business continuity is the discipline of maintaining business operations, even in the face of disasters of any kind, such as a hurricane-driven storm surge running over the levees and flooding whole towns. If you have all your computing systems in the cloud in multiple regions, then such a disaster won't fully halt your business operations.

However, you still might have connectivity issues and possibly either temporary or permanent loss of non-cloud systems. Be sure your non-cloud systems have appropriate backups off-site to another geographically disparate location. Better yet, push backups into your cloud infrastructure and consider ways to utilize that data with your cloud systems during a crisis. Hmm, perhaps you'll like it so much you will push everything else up to the cloud that isn't a laptop, tablet, or phone.

Meanwhile in the news, Microsoft Azure Cloud Vulnerability Exposed Thousands of Databases. Security for cloud providers can potentially have catastrophic and large scale repercussions. Keep an eye out for any problems that come up that might affect your operations and your data. Do keep in mind your platform has a direct impact on your own risk profile.

Google, Amazon, Microsoft Share New Security Efforts After White House Summit. The National Institute of Standards and Technology—or NIST—is building a technology supply chain framework with the big tech companies, including Apple, Amazon, Google, IBM, and Microsoft, and this is a big deal. I'm sure the fighting amongst those companies will make this initiative die on the vine, but I hope I'm wrong.

New Data-Driven Study Reveals 40% of SaaS Data Access is Unmanaged, Creating Significant Insider and External Threats to Global Organizations. Back to basics: secure your data; lock down those buckets; don't be stupid. Also, when we're talking cloud apps and services, there should be no assumption that anyone accessing the application via an obfuscated link or permissions too broad to effectively secure the data therein.

Announcer: Have you implemented industry best practices for securely accessing SSH servers, databases, or Kubernetes? It takes time and expertise to set up. Teleport makes it easy. It is an identity-aware access proxy that brings automatically expiring credentials for everything you need, including role-based access controls, access requests, and the audit log. It helps prevent data exfiltration and helps implement PCI and FedRAMP compliance. And best of all, Teleport is open-source and a pleasure to use. Download Teleport at goteleport.com. That's goteleport.com.

Jesse: Researchers Share Common Tactics of ShinyHunters Threat Group. Put Indicators of Compromise—or IOC—data for the latest APT group or malware into your monitoring tool or tools. It's possible, depending on the vendor, that there are already detections you can add to your production monitoring. Save some time and look for those pre-made searches, configurations, and scripts before you make your own.

How to automate forensic disk collection in AWS. Automating forensic data gathering is incredibly valuable. This not only has obvious value in security incident response, but it has value in teaching us how these parts in AWS work. This is worth a close read—several times if you need to—to understand how EBS, S3, automating EC2 actions, CloudWatch logging—among other services—operate. There are other pieces to the glue here to learn, as well.

Confidential computing: an AWS perspective. If you use EC2, you need to understand the AWS Nitro System. Their hardware-based approach to their hypervisor for virtualization combined with hardware-based security and encryption is quite well made. Everyone worried about security at all while using EC2—which I argue should be all of you—should know the concepts of how Nitro works.

New in October: AWS Security Awareness Training and AWS Multi-factor Authentication available at no cost. Now, this has value. Free basic security training for average users on fundamental computer security, including things like phishing and social engineering, is an amazing gift. Also, how many times have I wanted to point someone to an easy-to-understand multi-factor authentication tutorial? Oh, not often; only every single day.

Use IAM Access Analyzer to generate IAM policies based on access activity found in your organization trail. Creating solid IAM access policies is hard because you have to know all the things an account needs to touch to perform an operation or deliver a service. The IAM Access Analyzer is a total game-changer. You can review the activity to ensure you don't see anything nefarious happening, then apply the config generated. Now, you have a working app that has the bare minimum permissions required to function, but blocking all operations outside those things. This prevents a lot of malware from sneakily doing other things.

And now for the tip of the week. Know your compliance requirements; are you a school, preschool, K-12, college? FERPA; are you a medical facility? HIPAA; are you a US government entity? FISMA; are you conducting credit card transactions? PCI; are you storing data on an EU citizen? GDPR. The list goes on, and on, and on.

You need to know every single one of the compliance requirements your systems and people touch. Most of these compliance rules and laws cover a fair amount of the same ground, so compliance with several of them isn't an order of magnitude more work than compliance with one or two of them. However, it is critical that you have clear documentation for each one on how you are compliant and what processes, or data, or report proves compliance. If you build these processes into your IT or security operations monitoring or reporting system, your life will be far better off than doing it by hand every single time someone asks—or demands—proof of compliance. And that's it for the week, folks. Securely yours, Jesse Trucks.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcasts, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.

    Can You Hear Me, Can You See My Screen?

    Aug 26, 2021 (10:06)


    Links:
    How to Make Your Next Third-Party Risk Conversation Less Awkward: https://www.darkreading.com/vulnerabilities-threats/how-to-make-your-next-third-party-risk-conversation-less-awkward
    5 Vexing Cloud Security Issues: https://www.itprotoday.com/hybrid-cloud/5-vexing-cloud-security-issues
    Attackers Increasingly Target Linux in the Cloud: https://www.darkreading.com/threat-intelligence/attackers-increasingly-target-linux-in-the-cloud
    Top 5 Best Practices for Cloud Security: https://www.infosecurity-magazine.com/magazine-features/top-5-best-practices-for-cloud/
    Zix Releases 2021 Mid-Year Global Threat Report: https://www.darkreading.com/cloud/zix-releases-2021-mid-year-global-threat-report
    The big three innovations transforming cloud security: https://siliconangle.com/2021/08/21/big-three-innovations-transforming-cloud-security/
    The Benefits of a Cloud Security Posture Assessment: https://fedtechmagazine.com/article/2021/08/benefits-cloud-security-posture-assessment
    How to Maintain Accountability in a Hybrid Environment: https://www.darkreading.com/cloud/how-to-maintain-accountability-in-a-hybrid-environment
    6 Cloud Security Must-Haves–with Help from CSPM, CWPP or CNAPP: https://www.eweek.com/security/6-cloud-security-must-haves-with-help-from-cspm-cwpp-or-cnapp/
    The hybrid-cloud security road map: https://www.techradar.com/news/the-hybrid-cloud-security-road-map
    How Biden's Cloud Security Executive Order Stacks Up to Industry Expectations: https://securityintelligence.com/articles/biden-executive-order-industry-expectations/
    Cloud Security: Adopting a Structured Approach: https://customerthink.com/cloud-security-adopting-a-structured-approach/
    The Overlooked Security Risks of the Cloud: https://threatpost.com/security-risks-cloud/168754/

    Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

Corey: This episode is sponsored in part by Thinkst Canary. This might take a little bit to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, or anything else like that that you can generate in various parts of your environment, wherever you want them to live; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use them. It's an awesome approach to detecting breaches. I've used something similar for years myself before I found them. Check them out. But wait, there's more because they also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment and manage them centrally. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files that it presents on a fake file store, you get instant alerts. It's awesome. If you don't do something like this, instead you're likely to find out that you've gotten breached the very hard way. So, check it out. It's one of those few things that I look at and say, “Wow, that is an amazing idea. I am so glad I found them. I love it.” Again, those URLs are canarytokens.org and canary.tools. And the first one is free because of course it is. The second one is enterprise-y. You'll know which one of those you fall into. Take a look. I'm a big fan. More to come from Thinkst Canary weeks ahead.

Jesse: It is 2021. Conference calls and remote meetings have the same decade-old problems. Connection drops, asking if anyone can hear us, asking if anyone can see our screen, even though we can clearly see the platform is in sharing mode with our window front and center. Why is this so hard? We live in the golden age of the cloud.

Shouldn't we be easily connecting and sharing like we're in the same room rather than across the planet? Yes we should. Sure, there have been improvements, and now we can do high-quality video, connect dozens or hundreds of people from everywhere on a webinar, and usually most of us can manage a video meeting with some screen sharing. I don't understand how we can have Amazon Chime, WebEx, Teams, Zoom, Google Meet—or whatever it's called this month—GoToMeeting, Adobe Connect, FaceTime, and other options, and still not have a decent way for multiple people to see and hear one another and share a document, or an application, or screen without routine problems. All of these are cloud-based solutions.

Why do they all suck? When I have to use some of these platforms, I dread the coming meeting. The worst I've seen is Amazon Chime—yes, that's you, Amazon—Microsoft Teams—as always—and Adobe Connect. Oof. The rest are largely similar with more or less the same features and quality, except FaceTime, which is still only a personal use platform and not so great for conferences for work. I just want one of these to not suck so much.

Meanwhile in the news. How to Make Your Next Third-Party Risk Conversation Less Awkward. You know that moment. Someone asks a question at the networking event. The deafening silence while you stare at the floor trying to find a way to get out of embarrassing yourself. Do your future self a favor and do some work before this happens again. You'll feel better and you'll have better visibility while improving your security posture.

5 Vexing Cloud Security Issues. Unlike the tips and best practices list, this one is a ‘don't be stupid' type list. Some of these are foundational basic security steps. Watch out for the zombies.

Attackers Increasingly Target Linux in the Cloud. Linux is the most common cloud-hosted OS. It shouldn't be surprising that it's the most common platform to attack, as well. Secure and monitor your cloud hosts closely. This is also a good reason to consider pushing toward a dynamic services model without traditional operating system footprints.

Top 5 Best Practices for Cloud Security. Oh, yay. Another top number list for newbs. We all need reminding of the basics of best practices, especially as they evolve. Are you doing these five things? Why not?

Announcer: Have you implemented industry best practices for securely accessing SSH servers, databases, or Kubernetes? It takes time and expertise to set up. Teleport makes it easy. It is an identity-aware access proxy that brings automatically expiring credentials for everything you need, including role-based access controls, access requests, and the audit log. It helps prevent data exfiltration and helps implement PCI and FedRAMP compliance. And best of all, Teleport is open-source and a pleasure to use. Download Teleport at goteleport.com. That's goteleport.com.

Jesse: Zix Releases 2021 Mid-Year Global Threat Report. I suggest looking at the whole report, however, know attackers are using email, SMS and text messages, and customizing phishing more than ever before. Your people are going to see more social engineering attacks, so be sure everyone understands the basics of what types of things not to say on the phone and the usual about not following URLs in messages and emails.

The big three innovations transforming cloud security. CASB, SASE, and CSPM—pronounced ‘cazzbee' ‘sassy' and, well, nothing fancy for CSPM that rolls off the tongue, so just use the letters—are your new friends. With the three of these used for your cloud environment, you'll have better visibility and control of your risk profile and security posture.

The Benefits of a Cloud Security Posture Assessment. Okay, so we've covered CSPM some, but you need a CSPA before you implement your CSPM. I tried to use more acronyms but I ran out of energy. Seriously, an assessment of your risks and security posture is invaluable. Without it, you may be missing vital areas that leave you exposed.

How to Maintain Accountability in a Hybrid Environment. If you support delivery of services to mobile apps, you should consider the security of the client end as it relates to your application. You could get caught by some nasty surprises, no matter how secure your server environment appears to be.

6 Cloud Security Must-Haves–with Help from CSPM, CWPP or CNAPP. Gartner loves making up—I mean defining—new markets so they can invent new acronyms and sell us yet another Magic Quadrant subscription. Sadly, it's the lens through which we must view the industry because media and vendors rely too much on Gartner Magic Quadrants.

The hybrid-cloud security road map. Migrating some or all of our services to the cloud can feel like scaling an inverted cliff with butter on our hands, but it's easier than you think. Sometimes we just need some gentle guidance on an approach that might work for us.

How Biden's Cloud Security Executive Order Stacks Up to Industry Expectations. US President Biden's Executive Order number 14028, “Executive Order on Improving the Nation's Cybersecurity” is surprisingly relevant to the real problems we face in cybersecurity every day. If you don't have time or energy to read the entirety of the 24-page document, you should understand the impact of it. Hint: it's a good thing for security.

Cloud Security: Adopting a Structured Approach. Sure, the basics are largely the same as security in non-cloud environments. However, there are new ways to implement much of these security measures, and if you aren't careful, you will miss all the new ways you must protect your resources and services that either change or are wholly new in the cloud.

The Overlooked Security Risks of the Cloud. It's easy to think moving things to the cloud offloads work and lowers our risk profiles. Don't forget there are tradeoffs. We have to do more and different security things to ensure our services, data, and users are protected.

And now for the Tip of the Week. Lock down your AMIs. If you have Amazon Machine Images—or AMIs—be sure they aren't available to other people. Even if these don't have your proprietary information in them, they do disclose your foundational EC2 image, so attackers can more easily tailor their approach to get into your real infrastructure. Ensure your AMI permissions are restrictive so the public can't touch them. Go to your AWS Console, EC2, and then AMIs. Select your AMIs, and then Actions, Modify Image Permissions, and then add your accounts. And that's it for the week, folks. Securely yours, Jesse Trucks.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcasts, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.
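The AMI tip above walks through the console. The same check can be scripted against saved AWS CLI output, which is how you would sweep every AMI in an account rather than clicking through them one at a time. The example below is added here for illustration and is not code from the podcast or from AWS. It uses only the Python standard library and works on the JSON that `aws ec2 describe-image-attribute --attribute launchPermission` returns for each AMI. The AMI IDs, account IDs and the KNOWN_ACCOUNTS allowlist in it are constructed for the example; the two `aws ec2 modify-image-attribute` commands it emits are real CLI syntax, only the IDs are made up.

```python
"""Audit AMI launch permissions from saved AWS CLI output (stdlib only)."""
import json

# Constructed sample: what `aws ec2 describe-image-attribute --image-id <id>
# --attribute launchPermission` returns, for three hypothetical AMIs.
# The AMI IDs and account IDs below are made up for this example.
SAMPLE_LAUNCH_PERMISSIONS = json.dumps([
    {"ImageId": "ami-0aaa111122223333a",
     "LaunchPermissions": [{"Group": "all"}]},
    {"ImageId": "ami-0bbb111122223333b",
     "LaunchPermissions": [{"UserId": "111111111111"}, {"UserId": "999999999999"}]},
    {"ImageId": "ami-0ccc111122223333c",
     "LaunchPermissions": [{"UserId": "111111111111"}]},
])

# Accounts that are allowed to launch from our private AMIs (assumed allowlist).
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}


def classify_ami(attr, known_accounts=KNOWN_ACCOUNTS):
    """Return (image_id, status, unknown_accounts) for one describe-image-attribute result.

    status is one of:
      "public"  - a launch permission is granted to the group "all", i.e. anyone on AWS
      "shared"  - shared only with explicit account IDs, at least one not in known_accounts
      "private" - no launch permissions, or only known accounts
    """
    image_id = attr["ImageId"]
    perms = attr.get("LaunchPermissions", [])
    if any(p.get("Group") == "all" for p in perms):
        return image_id, "public", []
    unknown = sorted(p["UserId"] for p in perms
                     if "UserId" in p and p["UserId"] not in known_accounts)
    if unknown:
        return image_id, "shared", unknown
    return image_id, "private", []


def remediation_commands(findings):
    """Build the AWS CLI commands that remove public or unexpected sharing.

    The --launch-permission shorthand is real AWS CLI syntax; only the IDs are constructed.
    """
    cmds = []
    for image_id, status, unknown in findings:
        if status == "public":
            cmds.append(f'aws ec2 modify-image-attribute --image-id {image_id} '
                        f'--launch-permission "Remove=[{{Group=all}}]"')
        elif status == "shared":
            entries = ",".join(f"{{UserId={acct}}}" for acct in unknown)
            cmds.append(f'aws ec2 modify-image-attribute --image-id {image_id} '
                        f'--launch-permission "Remove=[{entries}]"')
    return cmds


def audit(raw_json, known_accounts=KNOWN_ACCOUNTS):
    """Classify every AMI in the JSON array and return (findings, remediation commands)."""
    findings = [classify_ami(a, known_accounts) for a in json.loads(raw_json)]
    return findings, remediation_commands(findings)


if __name__ == "__main__":
    findings, cmds = audit(SAMPLE_LAUNCH_PERMISSIONS)
    for image_id, status, unknown in findings:
        extra = f" (unknown accounts: {', '.join(unknown)})" if unknown else ""
        print(f"{image_id}: {status}{extra}")
    print("\nRemediation:")
    print("\n".join(cmds) or "nothing to do")
```

For a quick first pass without any scripting, `aws ec2 describe-images --owners self --filters Name=is-public,Values=true` lists only the AMIs that are already public; the script above adds the second case the console walk-through does not surface, an AMI that is not public but is shared with an account you do not recognize.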

    Attacks, Tools, and Ails

    Aug 19, 2021 (10:06)


    Links:
    AWS Cancels re:Inforce Security Conference in Houston Due to COVID-19: https://www.crn.com/news/cloud/aws-cancels-re-inforce-security-conference-in-houston-due-to-covid-19
    Cloud-native security benefits and use cases: https://searchcloudsecurity.techtarget.com/tip/cloud-native-security-benefits-and-use-cases
    The state of cloud security: IaC becomes priority one: https://techbeacon.com/security/state-cloud-security-iac-becomes-priority-one
    Takeaways from Gartner's 2021 Hype Cycle for Cloud Security report: https://venturebeat.com/2021/08/12/takeaways-from-gartners-2021-hype-cycle-for-cloud-security-report/
    IBM upgrades its Big Iron OS for better cloud, security, and AI support: https://www.networkworld.com/article/3626486/ibm-upgrades-its-big-iron-os-for-better-cloud-security-and-ai-support.html
    Securing cloud environments is more important than ever: https://federalnewsnetwork.com/commentary/2021/08/securing-cloud-environments-is-more-important-than-ever/
    The Misunderstood Security Risks of Behavior Analytics, AI & ML: https://www.darkreading.com/risk/the-misunderstood-security-risks-of-behavior-analytics-ai-ml
    Accenture Says it ‘Detected Irregular Activity,' Restored Systems from Backup: https://www.darkreading.com/attacks-breaches/accenture-detected-irregular-activity-
    Google Releases Tool to Help Developers Enforce Security: https://www.darkreading.com/application-security/google-releases-tool-to-help-developers-enforce-security
    How to Make Your Next Third-Party Risk Conversation Less Awkward: https://www.darkreading.com/vulnerabilities-threats/how-to-make-your-next-third-party-risk-conversation-less-awkward
    Cost of Cyberattacks Significantly Higher for Smaller Healthcare Organizations: https://www.darkreading.com/threat-intelligence/healthcare-sees-more-attacks-with-costs-higher-for-smaller-groups

    Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

Corey: This episode is sponsored in part by Thinkst Canary. This might take a little bit to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, or anything else like that that you can generate in various parts of your environment, wherever you want them to live; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use them. It's an awesome approach to detecting breaches. I've used something similar for years myself before I found them. Check them out. But wait, there's more because they also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment and manage them centrally. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files that it presents on a fake file store, you get instant alerts. It's awesome. If you don't do something like this, instead you're likely to find out that you've gotten breached the very hard way. So, check it out. It's one of those few things that I look at and say, “Wow, that is an amazing idea. I am so glad I found them. I love it.” Again, those URLs are canarytokens.org and canary.tools. And the first one is free because of course it is. The second one is enterprise-y. You'll know which one of those you fall into. Take a look. I'm a big fan. More to come from Thinkst Canary weeks ahead.

Jesse: There are many types of attacks that result in security breaches. To understand how many of them work, you need to understand how software languages function and how the hardware operations work in memory and in the CPU. However, you can learn a lot about security without having to learn those things. You can look at some of the attack vectors and gain a high-level understanding of what is happening. For example, man in the middle, or MITM, attacks are when someone inserts malicious code into the communication of two entities. That MITM service will capture communications, make a copy, then send it along like normal.

A buffer overflow happens when the allocated memory space for some type of input—whether it's the contents of a file or dialog boxes and the like—is less than the amount of input. In simpler terms, there is a bucket available for input. The attacker pours more water into the bucket than the bucket can handle. The result is that code in memory could be overwritten and become executable. So, you can learn about security flaws without digging under the surface to see what is actually happening. However, I strongly urge anyone doing security-related things to learn more about these attack types, and the others.

Meanwhile in the News. AWS Cancels re:Inforce Security Conference in Houston Due to COVID-19. The closings have begun. Dust off those creator lights, and prep that mic on your desk. In the wake of last year's lockdowns and sudden remote working, there was a huge spike in phishing and other scams. Don't be caught in this round.

Cloud-native security benefits and use cases. If you have a multi-cloud or a hybrid of SaaS and self-managed systems in cloud providers or in data centers, it's possible you need different security tools. Don't go all cloud-native just because you have an initiative to do so. Slow down and ensure your security meets the needs of all your technology and services, not just the new and shiny ones.

The state of cloud security: IaC becomes priority one. Cloud-native services are far too complex to do traditional cybersecurity. Truly cloud-native services need cloud-native monitoring systems. Consider Infrastructure as Code, or IaC, as part of a comprehensive solution in your process.

Takeaways from Gartner's 2021 Hype Cycle for Cloud Security report. If you only read this one because the headline is awesome, I think that's okay. Gartner's evaluations are often seen as deep truths into impenetrable markets. Don't forget though, Gartner simply looks at all the parameters that are quantifiable and makes a judgement of comparison between products. They are valuable reports, yes, but they should never be the only deciding factor in making decisions on products to use.

IBM upgrades its Big Iron OS for better cloud, security, and AI support. Don't worry if you aren't running z/OS. Most people aren't. However, if you are using z/OS, this looks to be a solid upgrade, assuming your systems meet the requirements et cetera, et cetera, et cetera.

Securing cloud environments is more important than ever. I post a lot of foundational articles that talk about different—and sometimes the same—aspects of cybersecurity. I do this because there are so many of you who haven't implemented even one of my suggestions yet. Please read this one if you've ignored my earlier warnings.

Announcer: Have you implemented industry best practices for securely accessing SSH servers, databases, or Kubernetes? It takes time and expertise to set up. Teleport makes it easy. It is an identity-aware access proxy that brings automatically expiring credentials for everything you need, including role-based access controls, access requests, and the audit log. It helps prevent data exfiltration and helps implement PCI and FedRAMP compliance. And best of all, Teleport is open-source and a pleasure to use. Download Teleport at goteleport.com. That's goteleport.com.

Jesse: The Misunderstood Security Risks of Behavior Analytics, AI & ML. Finally, someone with a realistic view of artificial intelligence—or AI—and machine learning—or ML. First, there is zero AI in generally available security software. None. They are not autonomous machines with the ability to think for themselves and make nuanced judgements. ML implies a feedback loop for self-tuning, based on the calculated confidence interval of the results. This is a lot to do on the fly with security data feeds, but some products do implement some ML, or at least make it available. The upshot is this: AI and ML are marketing terms. Grill your vendor on what the math is doing.

Accenture Says it ‘Detected Irregular Activity,' Restored Systems from Backup. Oops. Don't forget, we all get popped someday. Please remember, we'll all get embarrassingly owned someday. How you recover, how fast you detect, and how fast you identify root causes are far more important than a tiny news article talking about how you got popped.

Google Releases Tool to Help Developers Enforce Security. Yay, automated code analysis and testing. This is great. If you are running Google products and services, this helps your transition to shift left and introducing true DevSecOps.

How to Make Your Next Third-Party Risk Conversation Less Awkward. Talking to vendors or open-source project teams about security issues in their code or services can be tough. You don't want to come off as completely suspicious and untrusting, however, you shouldn't come across as not caring or implying security isn't important, either.

Cost of Cyberattacks Significantly Higher for Smaller Healthcare Organizations. Take heed, you smaller healthcare organizations. Ransomware tends to target critical infrastructure and hospitals because there is a higher probability of getting paid than there is for different verticals.

And now for the tip of the week. You should have a network scanner that performs routine scans all the time. This is true of cloud-hosted systems, as well. Don't scan at the exact same time or in the same order in a day. Splay the times so it's a bit less predictable.

Bring the scan data results into your SIEM and use it to help baselines, produce alerts, and generally to improve visibility of the current risk levels and overall security posture. Active scanning like this is valuable in several ways, such as enumerating what devices are answering on your network or networks. This can be input into your configuration management database, or asset list, as well. Also, either the SIEM or the scanner will likely provide a way to map findings to the known security flaws in your systems. And that's it for the week, folks. Securely yours, Jesse Trucks.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcasts, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.

    The Castle is Lost

    Aug 12, 2021 (9:42)


    Links:
    Cloud Security Basics CIOs and CTOs Should Know: https://www.informationweek.com/cloud/cloud-security-basics-cios-and-ctos-should-know/a/d-id/1341578?
    Spring 2021 PCI DSS report now available with nine services added in scope: https://aws.amazon.com/blogs/security/spring-2021-pci-dss-report-now-available-with-nine-services-added-in-scope/
    Top 5 Benefits of Cloud Infrastructure Security: https://www.kratikal.com/blog/top-5-benefits-of-cloud-infrastructure-security/
    The three most important AWS WAF rate-based rules: https://aws.amazon.com/blogs/security/three-most-important-aws-waf-rate-based-rules/
    Researchers Call for ‘CVE’ Approach for Cloud Vulnerabilities: https://www.darkreading.com/cloud/researchers-call-for-cve-approach-for-cloud-vulnerabilities
    Managed Private Cloud: It's all About Simplification: https://www.computerworld.com/article/3623118/managed-private-cloud-its-all-about-simplification.html
    100 percent of companies experience public cloud security incidents: https://betanews.com/2021/08/04/100-percent-public-cloud-security-incidents/
    Why cloud security is the key to unlocking value from hybrid working: https://www.welivesecurity.com/2021/08/05/why-cloud-security-key-unlocking-value-hybrid-working/
    Organizations Still Struggle to Hire & Retain Infosec Employees: Report: https://www.darkreading.com/careers-and-people/organizations-still-struggle-to-hire-retain-infosec-employees-report
    NSA, CISA release Kubernetes Hardening Guidance: https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/
    HTTP/2 Implementation Errors Exposing Websites to Serious Risks: https://www.darkreading.com/application-security/http-2-implementation-errors-exposing-websites-to-serious-risks
    Ransomware Gangs and the Name Game Distraction: https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
    Using versioning in S3 buckets: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html

    Transcript

    Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

    Corey: This episode is sponsored in part by Thinkst. This is going to take a minute to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, that sort of thing in various parts of your environment, wherever you want to; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use those things. It's an awesome approach. I've used something similar for years. Check them out. But wait, there's more. They also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files on it, you get instant alerts. It's awesome. If you don't do something like this, you're likely to find out that you've gotten breached, the hard way. Take a look at this. It's one of those few things that I look at and say, “Wow, that is an amazing idea. I love it.” That's canarytokens.org and canary.tools. The first one is free. The second one is enterprise-y. Take a look. I'm a big fan of this. More from them in the coming weeks.

    Jesse: The general theme in security news and trends shows us that perimeter defense has a whole new meaning. There is no large perimeter anymore. Nearly every device is on a public or otherwise hostile network, from servers to phones to laptops. Every device needs scanning, protecting, monitoring, and analyzing. None of these devices can be viewed in a vacuum, as separate entities without the context of behavior of systems and services accessed from across a network.

    This is why zero trust and cloud native applications and services go so well in these hard times. If you can't trust anything without checking on current events, then you have to authenticate and analyze in real-time to determine if something is safe to allow. In the ancient days of yore, everything was default allow and you stopped things you knew were bad. Then along came default deny, where you allowed only those things you whitelisted. But that was a full-time allowance of bad things to happen when an account was compromised.

    Ditch the whitelist and just implement real-time contextual security. If you do this, does it really matter if someone gets a hostile device on your network? Nope. If you treat everything, including owned and managed assets, as hostile, some new unmanaged device or service doesn't change your operations or exposure much, if at all.

    Meanwhile in the news.

    Cloud Security Basics CIOs and CTOs Should Know. Some of the critical things non-cybersecurity execs ought to know: moving to the cloud isn't a security easy button, cybersecurity insurance generally sucks, and moving to the cloud takes a lot more work than people think to get operationally secure.

    Spring 2021 PCI DSS report now available with nine services added in scope. When you do compliance and use cloud infrastructures and SaaS services, you need to prove your services support compliance requirements. This AWS report can help. Also, review the new services added to see if you can improve your service delivery and applications supporting PCI.

    Top 5 Benefits of Cloud Infrastructure Security. Using the cloud doesn't make you more secure, but there are advantages that can make security more manageable in the cloud than it is in legacy data centers.

    The three most important AWS WAF rate-based rules. Sometimes ya just got to geek out. Also, your security person won't always be there to set up things like Web Application Firewalls with DDoS mitigation and other nifty security and compliance tools.

    Researchers Call for ‘CVE’ Approach for Cloud Vulnerabilities. If there is a vulnerability in cloud service provider services, they should get a CVE like anyone else, right? After all, it's just software, which is what the CVE is supposed to track. I understand shining light on the problems to force cloud companies to fix them, but that is partly what the CVE system is for. If there are configurations that open gaping security holes, they need to be in CVE. Why do they want to make a new thing to replace a perfectly good thing?

    Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That's goteleport.com.

    Jesse: Managed Private Cloud: It's all About Simplification. So, let's see if I understand this. Several article sources talk about the benefits of using private cloud, citing the exact same benefits as using a public cloud service, except claiming it's more secure for finance and medical verticals. Hello folks, AWS Outposts anyone? The only difference is the shared responsibility model, except that now you have an outside agency managing everything. Neither is more or less secure than the other. They are different approaches to risk acceptance and mitigation.

    100 percent of companies experience public cloud security incidents. Despite the sensationally alluring feel of the headline, the real news from this is that moving to cloud operations exposes the horrible lack of processes around custom development and production management that most organizations have. Don't blame being in the cloud for your poor operations, just don't be stupid.

    Why cloud security is the key to unlocking value from hybrid working. [sigh]. Hybrid cloud, hybrid cars, hybrid corn, and now hybrid work. I haven't understood why it's so hard to understand that there are additional security concerns and either increased or displaced risk pushing workloads and data to the cloud. The only common answer I can think of is that security in general is full of theater and drama. Of course, there's more risk. Obfuscated risk is dangerous.

    Organizations Still Struggle to Hire & Retain Infosec Employees: Report. The extreme lack of trained and/or experienced cybersecurity talent underscores the importance of all of us knowing security well enough to mitigate most risks. Sure, having someone dedicated to the work is far superior to having security tacked onto the duties of others, but without the ability to fill those dedicated roles, someone has to keep the script kiddies and APTs out.

    NSA, CISA release Kubernetes Hardening Guidance. This is pure IT security gold. The spooks often hold secrets most of us haven't figured out, partially due to the immense resources they throw at cybersecurity. This report is 52 pages of great advice. Also, now everyone knows security issues in Kubernetes environments. Don't be stupid. Go read this now.

    HTTP/2 Implementation Errors Exposing Websites to Serious Risks. Black Hat and other security conferences are famous for gloom and doom pronouncements that are just theoretical attacks that likely won't ever be practical in real-world production systems. However, this one may have some legs.

    Ransomware Gangs and the Name Game Distraction. With ransomware groups regularly getting international media attention, they're retreating to the shadows when the heat turns up on them. They will vanish from headlines, but they will simply rebrand and move forward as if they were a new group. This is why following Indicators Of Compromise, or IOCs, is more important than worrying about the exact behavior profile or name of a group.

    And now for the tip of the week. Don't lose overwritten file data. Use S3 versioning. Enabling versioning on your S3 buckets allows disaster recovery and an audit trail for changes in your data objects. The docs are fairly straightforward, as well. Check out the AWS doc section called: Using versioning in S3 buckets. And that's it for the week, folks. Securely yours, Jesse Trucks.

    Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.

    Announcer: This has been a HumblePod production. Stay humble.

    Security Summer Camp

    Aug 5, 2021 10:01


    Links:
    4 Factors that Should Be Part of Your Cybersecurity Strategy: https://www.csoonline.com/article/3625254/4-factors-that-should-be-part-of-your-cybersecurity-strategy.html
    ‘Software Bill of Materials’—not just good for security, good for business: https://thehill.com/opinion/cybersecurity/564787-software-bill-of-materials-not-just-good-for-security-good-for-business
    Third Party Security Failure Caused 1 TB Data Breach at Saudi Aramco; Hackers Play Puzzle Games With Oil Giant: https://www.cpomagazine.com/cyber-security/third-party-security-failure-caused-1-tb-data-breach-at-saudi-aramco-hackers-play-puzzle-games-with-oil-giant/amp/
    Federal Tech Leaders Outline Future of FedRAMP: https://governmentciomedia.com/federal-tech-leaders-outline-future-fedramp
    ‘Holy moly!’: Inside Texas' fight against a ransomware hack: https://apnews.com/article/technology-government-and-politics-business-texas-hacking-47e23be2d9d90d67383c1bd6cee5aef7
    Firefox 90 Drops Support for FTP Protocol: https://www.securityweek.com/firefox-90-drops-support-ftp-protocol
    Lower-Level Employees Become Top Spear-Phishing Targets: https://www.darkreading.com/attacks-breaches/lower-level-employees-become-top-spearphishing-targets
    U.S. Government unlikely to ban ransomware payments: https://U.S. Government unlikely to ban ransomware payments
    The Power of Comedy for Cybersecurity Awareness Training: https://www.darkreading.com/careers-and-people/the-power-of-comedy-for-cybersecurity-awareness-training
    Inside the Famed Black Hat NOC: https://www.darkreading.com/edge-articles/inside-the-famed-black-hat-noc
    Cloud Security Alliance Releases Guide to Facilitate Cloud Threat Modeling: https://cloudsecurityalliance.org/press-releases/2021/07/29/cloud-security-alliance-releases-guide-to-facilitate-cloud-threat-modeling/
    5 Benefits of Disaster Recovery in the Cloud: https://securityboulevard.com/2021/08/5-benefits-of-disaster-recovery-in-the-cloud/
    Black Hat USA 2021 and DEF CON 29: What to expect from the security events: https://www.techrepublic.com/article/black-hat-usa-2021-and-def-con-29-what-to-expect-from-the-security-events/

    Transcript

    Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

    Corey: This episode is sponsored in part by Thinkst. This is going to take a minute to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, that sort of thing in various parts of your environment, wherever you want to; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use those things. It's an awesome approach. I've used something similar for years. Check them out. But wait, there's more. They also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files on it, you get instant alerts. It's awesome. If you don't do something like this, you're likely to find out that you've gotten breached, the hard way. Take a look at this. It's one of those few things that I look at and say, “Wow, that is an amazing idea. I love it.” That's canarytokens.org and canary.tools. The first one is free. The second one is enterprise-y. Take a look. I'm a big fan of this. More from them in the coming weeks.

    Jesse: As more services are delivered by cloud-native microservices with dynamic scaling, compliance management and monitoring become terrifyingly complex and difficult. The way around this is to implement processes and tools that can continuously monitor and manage compliance-related configurations using automated analysis and reporting of your cloud-native services. This collection of processes and tools is called Cloud Security Posture Management, or CSPM. CSPM generally involves a fair amount of automation to ensure secure practices are used and compliance requirements are continuously met. Implementing CSPM alongside DevSecOps and an organizational focus on shifting left in services development rounds out a tripod to support your cloud initiatives.

    Meanwhile, in the news.

    4 Factors that Should Be Part of Your Cybersecurity Strategy. Our security perimeters are no longer controlled by our organizations. With so many people working remotely, every device on their network has become part of the threat landscape, from connected fridges to game consoles.

    ‘Software Bill of Materials’—not just good for security, good for business. SBOMs, as they're called, are coming. Even if there is never a law forcing SBOMs like food ingredients labels, there could be an ever-increasing requirement for vendors to supply them. It might be a good idea to start building these, even if they're only supplied when legally or contractually required.

    Third Party Security Failure Caused 1 TB Data Breach at Saudi Aramco; Hackers Play Puzzle Games With Oil Giant. This case study is like slowing down to see the aftermath of a crash and trying to piece together what happened. Given the breach came from a vendor, it's a sideways attack on Aramco. Are you sure your vendors are secure? Thoroughly analyze all your third-party tools and services to ensure they aren't the weaker link.

    Federal Tech Leaders Outline Future of FedRAMP. Changes to FedRAMP are a big deal if they open up options for US federal agencies, or if the FedRAMP process—or its replacement—speeds up certification. Many FedRAMP SaaS services lag their commercial counterparts because it takes so long to jump through the FedRAMP approval process. This hurts the market and the federal agencies.

    ‘Holy moly!’: Inside Texas' fight against a ransomware hack. Learn from the plight of others before others learn from your plight. Reading case studies of disclosed incidents gives us insight into how doomed we are if we don't get our act together.

    Firefox 90 Drops Support for FTP Protocol. [sigh]. This is the end of an era of wide-open access and abuse. But I'm a little sad and nostalgic for my early computing days. I remember using FTP to get things to my internet-connected host account where I could then use Zmodem or Kermit to download things to my local machine. I remember when using HTML sites was new, but you could still get everything from FTP sites. Ugh, the bad old days.

    Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That's goteleport.com.

    Jesse: Lower-Level Employees Become Top Spear-Phishing Targets. We always protect the big fish, but the better targets for phishing are the people not being closely monitored. If you can trick a system into lateral movement or privilege escalations, you can start with any non-admin user and infiltrate silently. This is why good SIM tools and behavior analysis mechanisms are critical to modern security.

    U.S. Government unlikely to ban ransomware payments. Now, this is a relief. This is like making it illegal to pay a kidnapper, even when the kidnapper is not within the U.S. Please try to solve your ransomware problems without paying, but if you must, you must.

    The Power of Comedy for Cybersecurity Awareness Training. The Duckbill Group's own Corey Quinn is the living embodiment of teaching through humor. When we laugh, we remember. Also, there's a lot of hilarity in security if you lean back and see it all at once. Aren't we just a series of bad sitcom reruns where all the same tropes are trotted out every season, and you can't even tell a rerun from a first-run? It's the same attacks and mostly the same old tired defenses, day in and day out.

    Inside the Famed Black Hat NOC. I was inside the DEFCON SOC once and the concentration of security skill and experience in the room was amazing. They were friendly and collegial and great to work with. If a couple dozen people can build a world-class SOC or NOC for an event that lasts only a few days, we can all make some great improvements with the limited resources at home.

    Cloud Security Alliance Releases Guide to Facilitate Cloud Threat Modeling. When shifting left and doing DevSecOps, there have to be methods for assessing security issues faced by the systems you build. If you don't have at least a flashlight, you won't notably improve security.

    5 Benefits of Disaster Recovery in the Cloud. When I first worked with disaster recovery and business continuity, we would ship tapes to a vendor who set up the hardware we used for a recovery-from-backups exercise on bare-metal systems. Whoo. Wow, have times changed. DR in the cloud could be more about distributed active sites split across regions, and other such fun things, instead of slow hardware solutions.

    Black Hat USA 2021 and DEF CON 29: What to expect from the security events. The last week of July and/or the first week of August each year is ‘Security Summer Camp’ in Las Vegas, Nevada, in the United States of America. We've called this week that for years because in the same week in the same city, there is Black Hat, one of the largest security conferences in the world, DEF CON, the largest hacker conference in the world, and besides—although this year it's virtual again—as well as a variety of other events.

    And now for the tip of the week. Use Kubernetes. If you want to decouple your services delivery from the underlying systems and infrastructure, look to Kubernetes. If you are building a multi-cloud hybrid strategy, using Kubernetes is likely a great option to reduce your complexity and overhead. And that's it for the week. Securely yours, Jesse Trucks.

    Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.

    Announcer: This has been a HumblePod production. Stay humble.

    All Roads Lead to Cloud

    Jul 29, 2021 8:53


    Links:
    What does it Take to Secure Containers?: https://www.darkreading.com/cloud/what-does-it-take-to-secure-containers-
    Critical ICS vulnerabilities can be exploited through leading cloud-management platforms: https://threatpost.com/industrial-networks-exposed-cloud-operational-tech/168024/
    Kaseya Obtains Universal Decryptor for REvil Ransomware: https://threatpost.com/kaseya-universal-decryptor-revil-ransomware/168070/
    Kubernetes Cloud Clusters Face Cyberattacks via Argo Workflows: https://threatpost.com/kubernetes-cyberattacks-argo-workflows/167997/
    Cloud security is like an ‘all-you-can-eat buffet’: https://statescoop.com/cloud-security-is-like-an-all-you-can-eat-buffet/
    Cloud security in 2021: A business guide to essential tools and best practices: https://www.zdnet.com/article/cloud-security-in-2021-a-business-guide-to-essential-tools-and-best-practices/
    GitHub boosts supply chain security for Go modules: https://www.zdnet.com/article/github-boosts-supply-chain-security-for-go-modules/
    Cloud (in)security: Avoiding common cloud misconfigurations: https://www.ironnet.com/blog/cloud-insecurity-avoiding-common-cloud-misconfigurations
    Akamai Edge DNS outage knocks out multiple major websites: https://siliconangle.com/2021/07/22/multiple-major-websites-taken-offline-widespread-internet-outage/

    Transcript

    Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

    Announcer: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That's lacework.com.

    Jesse: Building new things in the cloud is often a fun and exciting process; however, moving a legacy application or infrastructure is usually a difficult and stressful process. There are several ways to implement a migration of something to run in the cloud. Which cloud migration strategy you choose largely depends on timeline and available resources. Some ways to accomplish an application migration are: one, rehost, aka lift-and-shift; two, refactor; three, rebuild; and four, replace.

    Rehosting, or lifting and shifting, simply means replicating your current legacy infrastructure on systems in the cloud, then cutting over from production. You spin up cloud systems in something like AWS EC2, install the OS and supporting middleware, add your application and data on top, then cut to prod.

    Refactoring means rewriting your application to run in at least partially cloud-native services, but you can shortcut some of this by using container or middleware services, such as cloud-native databases offered from your cloud provider. Doing this means you largely use your codebase unchanged, but the underlying infrastructure is more scalable and is at least partially like a cloud-native product.

    Rebuilding means writing a cloud-native app to be truly cloud-native. This is much like writing a new application as cloud-native, but you have an existing codebase—and possibly compatibility issues to contend with—from which to pull.

    Replacing simply means implementing a SaaS tool that meets the same business requirements as the legacy application without migrating any of the old code. For example, moving to use Salesforce instead of a legacy CRM product or custom-built sales process tracking systems.

    You can, of course, do some of these in stages as iterative steps. To do this, you could lift-and-shift your existing systems, then slowly work out replacing individual pieces with cloud-native solutions over time. Then you eventually get to a place where you can do very little work to yank out your final EC2 or container systems. At that point, you have a fully cloud-native application. If you don't have much, or any, cloud application experience in your organization, follow the path of stepping through these processes as you grow your organization's cloud skill-base and experience. Your people will migrate with your applications.

    Meanwhile in the news.

    What does it Take to Secure Containers? Using containers isn't instant security. They're easier to lock down in terms of services and such, but it isn't a silver bullet. The vampires are still going to storm the house if you invite them in.

    Critical ICS vulnerabilities can be exploited through leading cloud-management platforms. Industrial control systems, or ICS, are notoriously insecure by default and often difficult to secure at all. Modern paradigms of locking down access to these infrastructures and tunneling all access through management and monitoring platforms are great. However, that platform is now the keys to the whole kingdom, so secure your cloud management apps and dial up the monitoring.

    Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That's goteleport.com.

    Jesse: Kaseya Obtains Universal Decryptor for REvil Ransomware. This is amazing that Kaseya got their hands on the bits to unlock REvil things. If you are their customer, go get this right away. This doesn't get you off the hook, though. There are likely time bombs just waiting for whatever rises from the ashes of REvil to take over the next phase. Watch your back.

    Kubernetes Cloud Clusters Face Cyberattacks via Argo Workflows. Argo Workflows are great—so I hear—but now you could be pwned if you aren't careful. Back to my often-used admonishment, don't be stupid. Like many things, it's easy to lock down and keep the control systems hidden, but you have to both care and verify you've been diligent.

    Cloud security is like an ‘all-you-can-eat buffet’. The lesson here is that, as one source says, securing cloud resources is not the same as securing on-prem resources. The tools are often the same or similar, but how you use them is different. Also, the sheer volume of highly granular data from cloud systems is impossible for humans to parse and manage. You need better, highly tuned tools for the cloud.

    Cloud security in 2021: A business guide to essential tools and best practices. The tl;dr: don't be stupid. Like many lists of fundamental cloud security things, it's lots of obvious things most people say they understand and never implement, consequences be damned.

    GitHub boosts supply chain security for Go modules. I harp on supply-chain protection frequently because corrupting your software supply chain is insidious and incredibly hard to detect and remediate. Looks like there's some help if you code in Golang.

    Cloud (in)security: Avoiding common cloud misconfigurations. You can never read enough of these lists of obvious things to do. Even if you have done most of the basics correctly, it's likely some new project hasn't followed the best practices. This is back to my usual admonishment: DBS.

    Akamai Edge DNS outage knocks out multiple major websites. Most of us got ensnared in this one. Either your DNS was wonky or sites you use were messed up. Keep this in mind with single-vendor solutions. Granted, there are times that you can't avoid something being unavailable. No matter how well you plan, something will break or be owned by malware or attackers. Fail gracefully and make a necessary recovery plan.

    And now for the tip of the week. Check your sources. Don't believe every article or blog you read until you have verified the source as trustworthy. Think of this as the zero trust model of information gathering. Trust no source until you confirm that source's information with a trusted third party. This is true for news, process and methodologies, and product or service vendors. Go to multiple sites, look at many frameworks and standards, and get lots of reviews and experiences from others on products and services before you implement. Securely yours, Jesse Trucks.

    Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.

    Announcer: This has been a HumblePod production. Stay humble.

    Compliance, Ransomware and Privacy, Oh My!

    Jul 22, 2021 9:05


    Links:
    How to Bridge On-Premises and Cloud Identity: https://www.darkreading.com/vulnerabilities—threats/how-to-bridge-on-premises-and-cloud-identity-/a/d-id/1341512
    How AWS is helping EU customers navigate the new normal for data protection: https://aws.amazon.com/blogs/security/how-aws-is-helping-eu-customers-navigate-the-new-normal-for-data-protection/
    Cloud security should never be a developer issue: https://www.securitymagazine.com/articles/95641-cloud-security-should-never-be-a-developer-issue
    Tool Sprawl & False Positives Hold Security Teams Back: https://www.darkreading.com/application-security/tool-sprawl-and-false-positives-hold-security-teams-back/d/d-id/1341517
    The What and Why of Cloud-Native Security: https://containerjournal.com/editorial-calendar/cloud-native-security/the-what-and-why-of-cloud-native-security/
    OSPAR 2021 report now available with 127 services in scope: https://aws.amazon.com/blogs/security/ospar-2021-report-now-available-with-127-services-in-scope/
    Researchers Create New Approach to Detect Brand Impersonation: https://www.darkreading.com/endpoint/researchers-create-new-approach-to-detect-brand-impersonation/d/d-id/1341549
    Privacy Law Update: Colorado Privacy Bill Becomes Law: How does it Stack Up Against California and Virginia?: https://www.adlawaccess.com/2021/07/articles/privacy-law-update-colorado-privacy-bill-becomes-law-how-does-it-stack-up-against-california-and-virginia/
    CISA Launches New Website to Aid Ransomware Defenders: https://www.darkreading.com/threat-intelligence/cisa-launches-new-website-to-aid-ransomware-defenders/d/d-id/1341539
    stopransomware.gov: https://stopransomware.gov

    Transcript

    Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

    Announcer: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That's lacework.com.

    Jesse: There are several larger topics within the realm of cybersecurity that come up constantly. Subscribers of MiS are likely seeing these emerge from topics I cover. Some of the most common themes lately are compliance, privacy, ransomware, and DevSecOps. So we are all working from common definitions, let's elaborate a bit on each.

    Compliance is the process of meeting some list or lists of requirements, usually from an outside agency of some sort. Most people think about this in terms of laws like GDPR, SOC, HIPAA, FERPA, and others. These are great examples, but compliance includes meeting certification requirements like SOC 2, various ISO certifications, or PCI.

    Privacy gets broad in terms of implementation, but at its core, it means the protection of information related to a person or organization. Basically, don't collect or disclose things you don't absolutely need to, and always ensure you have permission before any collection or disclosure of information.

    Ransomware is the software that will destroy or disclose—or both—your data if you don't pay someone. DevSecOps is the methodology of writing software with secure practices and systems in mind from the start. It's that whole shift-left thing.

    Meanwhile in the news.

    How to Bridge On-Premises and Cloud Identity. Identity and access management, or IAM, is difficult without introducing wholly different environments. We have to pick an IAM solution, so we choose what works across all our environments and services. Of course, ultimately, this means implementing Single Sign-On, SSO, of some sort as well.

    Sophisticated Malware is Being Used to Spy on Journalists, Politicians and Human Rights Activists. Not all horrible software sneaking into our devices and systems is from hidden criminal enterprises or nation-state sponsored groups. Some of it sadly comes from for-profit companies. Just like a hammer can be used for horrible things, so can some security software.

    A Complex Kind of Spiderweb: New Research Group Focuses on Overlooked API Security. APIs run our whole cloudy world. They're the glue and crossover communication mechanisms rolled into one conceptual framework. However, while we may introduce security flaws in our use of the billion APIs we have to use, the APIs themselves might have security vulnerabilities as well. I'm interested in the output from this practical research group to see if this bolsters API use and implementation in general.

    How AWS is helping EU customers navigate the new normal for data protection. Managing regulatory compliance is a circus act on a good day. On a bad day, it's a complex web of sometimes conflicting and sometimes complementary solutions. Many organizations worldwide need to meet EU regulations, so be sure to know if you must as well.

    Cloud security should never be a developer issue. I first thought this was the counterargument to the shift-left and DevSecOps movements, but this piece supports those movements. I like the view of supporting and protecting the developers to do better security. You don't need to hire a bunch of security experts and teach them to code; that wouldn't work so well. You can hire coders and teach them to code securely.

    Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That's goteleport.com.

    Jesse: Tool Sprawl & False Positives Hold Security Teams Back. Tool confusion and poorly tuned alerting systems plague IT and security alike. Think about how you can streamline this by consolidating both IT and security management monitoring and alerting tools into a set of tools spanning use cases. Also, you need to read this because a source of the article is one of the most forward-thinkers in security today: Kelly Shortridge.

    The What and Why of Cloud-Native Security. Sometimes we humans struggle with the transition to a new paradigm. Well, most of the time. Despite rapid and drastic shifts in technology constantly since computers were a thing, we still struggle as professionals. Many of us had just gotten cybersecurity figured out when this cloud thing started raining on us. Let's get us all sorted out before we miss the rainy weather.

    OSPAR 2021 report now available with 127 services in scope. If you think your compliance issues are complex, have you considered what a global cloud provider has to support? I've worked with compliance for over two decades and I still struggle to keep up with the pace of change. Thankfully, AWS breaks it down for you with the Outsource Service Provider Audit Report, or OSPAR.

    Researchers Create New Approach to Detect Brand Impersonation. Brand impersonation is where someone puts up a site that looks just like yours, but it's a ruse to collect passwords and other information.
Having a better way to find these and alert us is amazing. It used to be, this type of thing wasn't common because of the effort involved to do it. Now, it's far easier, even though the technology underpinning things have gotten much more complex.Privacy Law Update: Colorado Privacy Bill Becomes Law: How does it Stack Up Against California and Virginia? If you aren't sure what privacy laws apply to your operations, you should consult legal advice and get on top of this quickly. There are laws being passed in many jurisdictions around the world tightening the requirements for storing, using, and reporting on people's information and activities in your environments.CISA Launches New Website to Aid Ransomware Defenders. Many of us don't need to know the details about security things as long as they're monitored and managed by people who do know cybersecurity. However, we all need to better understand ransomware because it's a difficult-to-impossible problem to tackle without a concerted effort between multiple groups in our organizations. Check out the stopransomware.gov site for some help.And now for the tip of the week. Compliance is often a messy thing. It shouldn't be the burden it ends up being for most of us. Use the AWS Artifact service to understand AWS compliance. This service saves you hours of trying to figure out what reports to give your auditors for security compliance. Get in there and look around; it's peace of mind, just one URL away. You can manage various compliance-related agreements in there as well, so it's a fantastic resource. And that's it for the week. Securely yours Jesse Trucks.Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.Announcer: This has been a HumblePod production. Stay humble.

    Who's Fooling Who?

    Published Jul 15, 2021, duration 9:04


    Links:
    Fake Amazon cloud service AWS InfiniDash quickly goes viral: https://siliconangle.com/2021/07/05/fake-amazon-cloud-service-aws-infinidash-quickly-goes-viral/
    7 Unconventional Pieces of Password Wisdom: https://www.darkreading.com/application-security/7-unconventional-pieces-of-password-wisdom/d/d-id/1341400
    Pentagon Cancels Disputed JEDI Cloud Contract With Microsoft: https://www.usnews.com/news/business/articles/2021-07-06/pentagon-cancels-disputed-jedi-cloud-contract-with-microsoft
    SolarWinds Discloses Zero-Day Under Active Attack: https://beta.darkreading.com/threat-intelligence/solarwinds-discloses-zero-day-under-active-attack
    98% of Infosec Pros Say Multi-Cloud Environments Create Additional Security Challenges, Reveals Survey: https://securityboulevard.com/2021/07/98-of-infosec-pros-say-multi-cloud-environments-create-additional-security-challenges-reveals-survey/
    Autonomous Security is Essential if the Edge is to Scale Properly: https://www.darkreading.com/endpoint/autonomous-security-is-essential-if-the-edge-is-to-scale-properly/a/d-id/1341391
    Digital Habits During Pandemic Have Lasting Impact: https://securityboulevard.com/2021/07/digital-habits-during-pandemic-have-lasting-impact/
    Are Security Attestations a Necessity for SaaS Businesses?: https://www.darkreading.com/risk/are-security-attestations-a-necessity-for-saas-businesses/a/d-id/1341426
    How to Improve Cybersecurity for Your Business?: https://www.ccsinet.com/blog/how-to-improve-cybersecurity-for-your-business/
    CISA Analysis Reveals Successful Attack Techniques of FY 2020: https://beta.darkreading.com/threat-intelligence/cisa-analysis-reveals-successful-attack-techniques-of-fy2020
    How Predictive AI will Change Cybersecurity in 2021: https://insidebigdata.com/2021/07/09/how-predictive-ai-will-change-cybersecurity-in-2021/

    Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.

Announcer: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That's lacework.com.

Jesse: Last April, I went to a secret training camp. We studied the entire AWS functional objection orientation language services—or FOOLS—suite of tools and APIs. The first public rollout of AWS FOOLS-supported products is already an amazing success. AWS Infinidash took the internet by storm. This product is such an amazing way to quickly dash into production all your FOOLS-coded projects.

I'm looking forward to the UDB service, AWS Infinitdiscus, where you toss your data to the cloud; the automated problem-solving tool, AWS Infinihurdle, where you leap over virtual objects; and the non-ephemeral cloud-native microservice, AWS Infinimarathon, where you can run microservices for long-running batch jobs. Sadly, I suspect the all-in-one API product AWS Infinitriathlon won't see the light of day because the project participants keep dropping out before it's finished. I hope they finish someday. I feel like it's a new day dawning with AWS FOOLS. This is a watershed moment as momentous as the day we discovered Agile over waterfall.

Meanwhile, in the news. Fake Amazon cloud service AWS InfiniDash quickly goes viral. [laugh]. This turned into a fantastic and fun internet meme that won't be going away anytime soon. Also, everything I said above about AWS FOOLS is a joke. This is not real. I'm sure there will be reports about AWS FOOLS soon enough, now.

7 Unconventional Pieces of Password Wisdom. Passwords suck. We all know they suck. We all hate them. However, we will always need to memorize a few passwords. Set passwords you can remember but are hard to guess and make them as long as the site or application will allow. Passphrases are far superior, of course.

Pentagon Cancels Disputed JEDI Cloud Contract With Microsoft. If you wonder what happens when a trillion-dollar company takes you to court, just recall how AWS managed to kill this massive contract with Microsoft. Don't tangle with AWS, Google, or Microsoft unless you know what you're doing.

SolarWinds Discloses Zero-Day Under Active Attack. Okay, let's be honest. If I gave you every urgent patch announcement, this whole publication would be a boring list of stuff to install. Be sure to watch your vendors for patches and everything else.

98% of Infosec Pros Say Multi-Cloud Environments Create Additional Security Challenges, Reveals Survey. Using more than one public or private cloud combined into one infrastructure or service delivery platform is difficult for IT, of course. For security, the tools used in one cloud stack are different than another cloud stack. This makes it hard to do a single comprehensive solution that works seamlessly between them all. Shift farther left on these things.

Autonomous Security is Essential if the Edge is to Scale Properly. Mobile edge computing—or MEC—and other edge service delivery models are becoming more critical as we move to more cloud-native applications with low latency needs. These applications operate at speeds humans can't ever track, so automated responses are the only way to keep them monitored or secure.

Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That's goteleport.com.

Jesse: Digital Habits During Pandemic Have Lasting Impact. The gin isn't merely out of the bottle. The bottle is shattered, melted down, and reformed into artwork to remind us of the distant past. People changed how they use their computers and personal devices, and their online behavior is now forever altered. Don't expect a return to historical behaviors to come with a return to offices.

Are Security Attestations a Necessity for SaaS Businesses? There's a fair amount of debate as to whether security adaptations of compliance to things like SOC 2 levels or ISO 27001 have any value. My general approach is to indicate they are necessary when it makes an impact on your business or mission; otherwise, it doesn't really matter much.

How to Improve Cybersecurity for Your Business? We security people never get tired of reminding everyone how some basic concepts implemented into business practices and production systems make for far better security than the world's most crazy and new SIEM, or honeypot, or red team. I figure if I keep reminding everyone of this in different ways, someone out there might just follow the advice. Also, I'm sure most of you won't, or your organizations won't let you.

CISA Analysis Reveals Successful Attack Techniques of FY 2020. Imagine my not surprise when phishing links are at the top, followed by application exploits, and then phishing attachments. Knowing the popular attack methods helps you guide your defenses and your security with more effectiveness and efficiency.

How Predictive AI will Change Cybersecurity in 2021. AI is an overused marketing buzzword, but doing tons of math can make sense of the world. The volume and complexity of security operations today makes doing cybersecurity impossible without lots of math.

And now for the tip of the week. Taking a lesson from the whole AWS Infinidash meme, don't use a cloud service, software, systems, or even a coding library unless you really need to use it. Less is more here, as in, fewer things to secure is more security without having to work as hard. Everything that happens to the computerized ecosystem must be secured in some fashion. This means controlling accounts, authentication, and access authorization.

This includes ensuring data integrity at every step of data being written or read. This encompasses every single bit of code that runs every time something executes within the ecosystem, on behalf of the ecosystem, or for outside services, and touches the data in and related to the ecosystem. This means every single thing you use that you don't need is added risk and additional ways someone can attack and breach your systems and get at your resources and data. If you don't need it, don't use it. If you no longer need something, turn it off and stop using it. What's better than turning off services you don't need? Never turning them on in the first place. And that's it for the week, folks. Securely yours, Jesse Trucks.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.

    Use a Vault Before Ransomware Does It For You

    Published Jul 8, 2021, duration 8:59


    Links:
    Cyber insurance isn't helping with cybersecurity, and it might be making the ransomware crisis worse, say researchers: https://www.zdnet.com/article/ransomware-has-become-an-existential-threat-that-means-cyber-insurance-is-about-to-change/
    House lawmakers introduce bill to increase American awareness of cyber threats: https://thehill.com/policy/cybersecurity/560077-house-lawmakers-introduce-bill-to-increase-american-awareness-of-cyber
    5 Mistakes that Impact a Security Team's Success: https://www.darkreading.com/edge/theedge/5-mistakes-that-impact-a-security-teams-success/b/d-id/1341470
    Google Working on Patching GCP Vulnerability that Allows VM Takeover: https://www.itsecuritynews.info/google-working-on-patching-gcp-vulnerability-that-allows-vm-takeover/
    NSA & CISA Issue Warning About Russian GRU Brute-Force Cyberattacks Against US, Global Orgs: https://www.darkreading.com/attacks-breaches/nsa-and-cisa-issue-warning-about-russian-gru-brute-force-cyberattacks-against-us-global-orgs/d/d-id/1341458
    $70 Million Demanded as REvil Ransomware Attackers Claim 1 Million Systems Hit: https://www.forbes.com/sites/daveywinder/2021/07/05/70-million-demanded-as-revil-ransomware-attackers-claim-1-million-systems-hit/?sh=7517b8f957c0
    How to monitor and track failed logins for your AWS Managed Microsoft AD: https://aws.amazon.com/blogs/security/how-to-monitor-and-track-failed-logins-for-your-aws-managed-microsoft-ad/
    Six ways businesses can reduce their cyber security risk as incidents rise: https://www.newshub.co.nz/home/money/2021/06/six-ways-businesses-can-reduce-their-cyber-security-risk-as-incidents-rise.html
    How to get a lucrative job in cybersecurity: https://www.bbc.com/news/business-57663096
    Why MTTR is Bad for SecOps: https://threatpost.com/mttr-bad-secops/167440/
    What is the dark web? How to access it and what you'll find: https://www.csoonline.com/article/3249765/what-is-the-dark-web-how-to-access-it-and-what-youll-find.html

    Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.

Announcer: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That's lacework.com.

Jesse: What? Your backups are really just diversified pools of production data across multiple cloud provider regions, or stores with no space wasted on offline or non-production data? That's awesome. You are a beautiful target for ransomware. Best practices from a production infrastructure view don't always match up to best practices for security.

However, there are ways to provide data protection and redundancy as ransomware impact mitigation while still providing dynamic operational systems. Once again, this solution is to shift left and design security into every single interaction and layer of your systems and infrastructure.

Meanwhile, in the news. Cyber insurance isn't helping with cybersecurity, and it might be making the ransomware crisis worse, say researchers. I know of organizations that have purposefully reduced spending on their cybersecurity programs in favor of hefty cyber breach insurance. It seems at first like a great balance sheet move, but in the long run it doesn't pay. Just build adequate security programs, please.

House lawmakers introduce bill to increase American awareness of cyber threats. Wow, so now the whole nation will be subjected to useless clickthrough CBT experiences that don't change their behavior? Excellent. I'm sure the APTs of the world are shaking in their VR headsets already.

5 Mistakes that Impact a Security Team's Success. Call them fiefdoms, silos, or something else; whatever name you use, operating in any way but cooperatively is horrible and unprofessional. If you are frustrated by other people doing this to you, think about the ways you can bridge the divide and draw them into a shared success model where everyone wins by working together.

Google Working on Patching GCP Vulnerability that Allows VM Takeover. AWS users, rejoice. Finally, a cloud security problem you can ignore. GCP users, it's your turn to panic and question your choices. Now you know what it feels like to be everyone else using cloud services. Being in the cloud doesn't reduce your risks inherently; it merely shifts the focus of some of your risks.

NSA & CISA Issue Warning About Russian GRU Brute-Force Cyberattacks Against US, Global Orgs. Cyber attacks are becoming more frequent and more automated. Even the human-driven APT attacks are using scalable cloud technologies to do their dirty work. Monitor your cloud and service or system usage for anomalous behavior, as well as known attack profiles.

$70 Million Demanded as REvil Ransomware Attackers Claim 1 Million Systems Hit. Ransomware is no joke. If you don't already have easily recoverable systems and data, ransomware can be the end of you. Also, if the supply chain for your software includes outside libraries or packages of any kind, get assurance in writing, with details, from your vendors on how they are both securing and monitoring for these attacks.

Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That's goteleport.com.

Jesse: How to monitor and track failed logins for your AWS Managed Microsoft AD. If you need to make AWS send you custom-crafted alerts about failed logins, you aren't doing something right. If you don't have proper log management and a SIEM of some sort, spend your precious little resources slapping something together for broader monitoring instead of crafting bespoke little jewels of highly specialized AWS magic for very narrow use cases. There are so many turnkey solutions for log monitoring and alerting, why would we waste time building our own? Don't be stupid.

Six ways businesses can reduce their cyber security risk as incidents rise. I'm sure regular readers will know this list isn't anything new, but maybe one or two of you will finally implement a few things. Use any multi-factor authentication scheme, combined with a proper password manager for all your users, employees and customers alike. Even a tiny business struggling to make ends meet can afford $6 to $10 per month on a password vault service for employees.

How to get a lucrative job in cybersecurity. I swear this isn't a Ponzi scheme advert. The opener has the usual kid hacker to security pro story we've all seen in the movies, though many of us in cybersecurity today had that type of journey to our roles. The modern era generally isn't conducive to opportunities for self-taught hacker kids; however, there is hope for people who have not gotten computer science or other related security or engineering degrees.

Why MTTR is Bad for SecOps. Oh, I love me some data and metrics, but I love me some useful information and insights from data and metrics even more. Too many people get caught up in dashboards of metrics without understanding which numbers are useful. Efficacy reports in IT or SOC operations drive behavior of both management and individual contributors. Make useful reports instead of screenfuls of dials and graphs that are meaningless.

What is the dark web? How to access it and what you'll find. Want to see things you can't unsee? Want to risk venturing to sites your HR department will be calling you about? Want to see if your organization's data is for sale? Here's a way to meet all your stupid desires. Pro tip: don't go following this stuff in this article on your precious computer with your private personal or organizational data on it.

And now for the tip of the week. Implement an organizational password manager; do it today. There are so many options it's difficult to choose between them, but you can quickly find numerous sources that show the most popular for enterprise usage. Whichever one you choose, ensure it allows for central management of passwords, multiple vaults with various permission options, and personal vaults for each user. The top providers are all cloud-based services with various local front ends or caching methods. Find one that's cross-platform, of course.

Most cloud vault providers have options in the sub-ten-dollar per user price range with higher-end enterprise features for not much more than that. There is an incredible amount of return on your investment in a standardized vault system. It's stupid not to do this. Also, you must require use of the vault for access to organizational resources and shared accounts. And that's it for the week. Securely yours, Jesse Trucks.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.

    Thesauruses are fun: Adaptable Durable Flexible

    Published Jul 1, 2021, duration 10:06


    Links: Cybersecurity industry reacts as antivirus pioneer John McAfee found dead: https://www.csoonline.com/article/3623188/cybersecurity-industry-reacts-as-antivirus-pioneer-john-mcafee-found-dead.html Storms & Silver Linings: Avoiding the Dangers of Cloud Migration: https://beta.darkreading.com/cloud/storms-silver-linings-avoiding-the-dangers-of-cloud-migration 7 ways technical debt increases security risk: https://www.csoonline.com/article/3621754/7-ways-technical-debt-increases-security-risk.html New DNS Name Server Hijack Attack Exposes Businesses, Government Agencies: https://www.darkreading.com/vulnerabilities—threats/new-dns-name-server-hijack-attack-exposes-businesses-government-agencies/d/d-id/1341377 CISO Jason Lee on Zoom's response to its pandemic security challenges: https://www.csoonline.com/article/3622671/ciso-jason-lee-on-zooms-response-to-its-pandemic-security-challenges.html Software-Container Supply Chain Sees Spike in Attacks: https://beta.darkreading.com/cloud/software-container-supply-chain-sees-spike-in-attacks Four states propose laws to ban ransomware payments: https://www.csoonline.com/article/3622888/four-states-propose-laws-to-ban-ransomware-payments.html Senators propose bill to help tackle cybersecurity workforce shortage: https://thehill.com/policy/cybersecurity/560318-senators-propose-bill-to-help-tackle-cybersecurity-workforce-shortage Expecting the Unexpected: Tips for Effectively Mitigating Ransomware Attacks in 2021: https://beta.darkreading.com/vulnerabilities-threats/expecting-the-unexpected-tips-for-effectively-mitigating-ransomware-attacks-in-2021 What Lies Ahead for K-12 Cybersecurity?: https://securityboulevard.com/2021/06/what-lies-ahead-for-k-12-cybersecurity/ How to Protect Healthcare Data from Ransomware Attacks: https://www.ccsinet.com/blog/data-from-ransomware-attacks/ System Resilience: What Exactly Is It?: https://insights.sei.cmu.edu/blog/system-resilience-what-exactly-is-it/ Resilience Engineering: An 
Introduction: https://www.bmc.com/blogs/resilience-engineering/ Charting a path to software resiliency: https://medium.com/walmartglobaltech/charting-a-path-to-software-resiliency-38148d956f4a 7 Best Practices to Build and Maintain Resilient Applications and Infrastructure: https://thenewstack.io/7-best-practices-to-build-and-maintain-resilient-applications-and-infrastructure/ TranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Announcer: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That's lacework.com.Jesse: I've heard the term ‘fail gracefully' hundreds of times. What the heck does that really mean? Most people don't think too hard on how their system should gracefully bow out rather than the old school method of complete failures and horrible restarts. Resilient software engineering is the discipline of making software and systems fail in ways that minimize and isolate failures while continuing to deliver service and availability. Basically, it means if you have a failure from hardware or dependencies, like a database, your service continues to work correctly and the broken parts just get shut down and replaced.Cloud-native software using microservices or even dynamically deployed containers or systems is the perfect way to implement resiliency in your operations. 
Look toward the next development cycle of your software and systems to begin implementing this immediately if you don't already have this in place. None of this really makes sense until you see an example, so think of it this way: you have a web-based service for customers to see their account profile and order history. It's built to scale with containers using AWS Elastic Kubernetes service—or EKS—and it is designed so when a system throws errors of any kind, that container is closed down. Then the Aws Elastic Load Balancer—or ELP—service points all subsequent requests to a different container instance in EKS.In that scenario, if a container is breached in a security event, or if something simply fails due to a software bug or data corruption, the service recovers by tossing a new system while yanking out the old system. This is security by designing self-healing IT systems. You get both security and stability for the same effort. This is DevSecOps in practice and shows how a shift-left mindset for your organization is the best possible approach for your business or mission.Jesse: Meanwhile, in the news. Cybersecurity industry reacts as antivirus pioneer John McAfee found dead. Sure John McAfee was clearly in his own blend of strange and eccentric, but he launched an entire industry vertical 34 years ago. The computer age has been around long enough now that the founders of the early megacorps are all fading away. Don't forget our history, and if you ever asked yourself, “What would John McAfee do?” Please go do the opposite unless you plan on launching a successful business.Storms & Silver Linings: Avoiding the Dangers of Cloud Migration. This reminds me of the weeping and gnashing that happened every time some new wiki went up at various jobs and projects. I learned to hate wikis because they were always horribly organized and always out of date. 
Heed the advice here: if it's out of date, archive it somewhere else and don't migrate to your shiny new cloud.7 ways technical debt increases security risk. Fixing old software in a fast-moving world is like the scope creep of how much stuff we acquire between moving houses or offices. You can either take advantage of touching everything to purge and organize, or you can blindly shove it all in a box and move it. We all think we'll get around to fix it later. Nope. We don't. We increase our risk in ways we can't see. Go fix your stuff.New DNS Name Server Hijack Attack Exposes Businesses, Government Agencies. There is so much information someone can gather about your organization by collecting information that was supposed to go to you. AWS closed this hole, but not all DNS services have. DNS is a resilient service, but it was never designed with modern attacks in mind. I love DNS and I hate DNS. You should too.CISO Jason Lee on Zoom's response to its pandemic security challenges. Explosive growth is scary; 30X growth in months is terrifying. Zoom did it. Can you? Very few companies can stay functioning, let alone secure in those situations.Software-Container Supply Chain Sees Spike in Attacks. I don't think I've beat the drum of supply-chain attacks enough. These are on the rise now that there is a great example of how effective these are. I sure hope you've secured your supply chain. I'm sure you haven't, but we can always hope.Four states propose laws to ban ransomware payments. This is a bit like making it illegal to pay kidnappers or terrorists. I know many companies will get owned and pay anyway, and regulations to stop money flowing to criminals is nothing new. There will be loopholes found and exploited, like in all things. Keep up with what laws affect your organization and how you perform security. To stop ransomware pandemic, start with the basics. 
We security people repeat ourselves constantly because implementing the basic security defenses mitigates most risk for most organizations. Please go do at least the CIS top five if you can't do all of them.

Senators propose bill to help tackle cybersecurity workforce shortage. The US federal government is pushing hard on cybersecurity now that they were owned in front of the whole world by the SolarWinds and MS Exchange debacles. Like most companies, cybersecurity seems to be an afterthought in budgets and priorities, until the media gets to pummel them for weeks on end in the news.

Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, and getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That's goteleport.com.

Jesse: Expecting the Unexpected: Tips for Effectively Mitigating Ransomware Attacks in 2021. Much of the advice I see for mitigating any horrific attack is a huge amount of labor, but all the work is necessary. Ransomware can wipe out whole backups, destroy codebases that aren't recoverable, and it can steal, or even worse, publicly disclose your secrets. Don't think you are ready for a large ransomware attack. These things are driven by people who have studied your systems and might have been in them for weeks.

What Lies Ahead for K-12 Cybersecurity? 
As the president and principal of a small elementary school and a technologist, I've implemented mostly cloud services to support the school operations and classroom work. Many of us in tech who work with large organizations in state, local, and higher ed—called SLED—national or federal governments, and large corporations forget that there are small and mid-sized businesses—or SMBs—and K through 12 schools that also have the same concerns we do. After all, we all run Windows, macOS, Unix, and Linux, middleware, and cloud services.

How to Protect Healthcare Data from Ransomware Attacks. If all of us protected our data like we ought to for protected or personal health information—or PHI—and personally identifiable information—or PII—then we'd have far fewer breaches and even less exfiltration and disclosure of our private information.

And now for the tip of the week. Introducing software resiliency is far from trivial, so let's look at how to get started understanding this. First, to understand what this all means, read some primers like System Resilience: What Exactly Is It? from the Carnegie Mellon University Software Engineering Institute and Resilience Engineering: An Introduction from BMC's DevOps blog. Then look at how to implement this. Charting a path to software resiliency is a Medium piece written for the Walmart Global Tech blog, and 7 Best Practices to Build and Maintain Resilient Applications and Infrastructure is a piece on The New Stack by Kris Beevers of NS1. There are hundreds of quality resources out there on these subjects, but this should get you started on your new path to a brighter, cloudier future. And that's it for the week, folks. Securely yours, Jesse Trucks.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcasts, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.
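The EKS scenario the episode opens with (a container that fails or is compromised is taken out of rotation and replaced while the load balancer sends requests elsewhere) looks like the following in Kubernetes terms. This is an added example, not code from the show or from any project it mentions. The image name, port 8080, and the `/ready` and `/healthz` endpoints are assumptions; the load balancer annotations are the in-tree AWS cloud-provider ones for a Network Load Balancer, and the ACM certificate ARN is a placeholder to replace.

```yaml
# Added example (not from the episode): a self-healing account-profile service on EKS.
# Assumed: image example.com/account-profile:1.2.3 listening on 8080 with /ready and /healthz.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: account-profile
spec:
  replicas: 3                       # the ReplicaSet keeps three pods running no matter what
  selector:
    matchLabels:
      app: account-profile
  template:
    metadata:
      labels:
        app: account-profile
    spec:
      automountServiceAccountToken: false   # no cluster API credentials the app does not need
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: app
          image: example.com/account-profile:1.2.3   # assumed image name
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true       # a breached process cannot persist to the image filesystem
            capabilities:
              drop: ["ALL"]
          # Readiness failing removes this pod from the Service endpoints, so the
          # load balancer stops routing requests to it while it is unhealthy.
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            periodSeconds: 5
            failureThreshold: 2
          # Liveness failing restarts the container (restartPolicy defaults to Always);
          # a process that exits on an unexpected error is restarted the same way.
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 10
            failureThreshold: 3
          resources:
            requests: {cpu: 100m, memory: 128Mi}
            limits: {cpu: 500m, memory: 256Mi}   # a runaway or abused container cannot starve its neighbours
---
apiVersion: v1
kind: Service
metadata:
  name: account-profile
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    # Placeholder ARN: replace with the ACM certificate for the service hostname.
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:123456789012:certificate/REPLACE-ME
spec:
  type: LoadBalancer               # provisions the AWS load balancer the episode refers to
  selector:
    app: account-profile
  ports:
    - port: 443
      targetPort: 8080
```

The two probes are what make the "yank out the old, toss in the new" behaviour automatic: a failed readiness check only stops traffic, a failed liveness check restarts the container, and the ReplicaSet replaces any pod that is deleted outright. Deleting the pod on a security alert (for instance from a runtime detection tool) therefore recovers the service without any manual load balancer change. The read-only root filesystem and dropped capabilities are what limit what an attacker can do in the window before that happens.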

    Real Risk vs Movie Risk

    Jun 24, 2021 (8:31)


    Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

Announcer: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That's lacework.com.

Jesse: Don't be stupid. Focus on your real risks, not hacker movie risks. It is easy to get caught up in the hype around advanced persistent threats and the latest in obscure attack methodologies to the point where you spend all of your energy and time hunting for these in your systems. This stuff is right out of the latest bad hacking movie. It's a colossal waste of time for most of us. Spend your time on learning and monitoring things based on your real risk, not your overblown sense of self-importance that the latest international crime ring of nation-state-backed hackers wants to breach your defenses. News flash: APTs probably don't care about you. If you make it fairly easy to get your data and use your resources, of course you'll get popped. That's like leaving your wallet on a bench in the park; of course someone will take it. Raise the barrier to entry for obtaining your resources and you reduce opportunistic crime, just like locking your car at night protects from casual pilfering through your things.

Meanwhile, in the news.

Amazon Sidewalk Mesh Network Raises Security, Privacy Concerns. 
Tangential to cloud security, these types of networks worry me for privacy and physical security concerns more than cybersecurity for the device and users. As this article says, privacy and security are separate issues. Conflating the two can compromise one or the other or both. Don't confuse privacy and security as being one and the same.

This Week in Database Leaks: Cognyte, CVS, Wegmans. I routinely hammer on securing your cloud storage and other ways to minimize self-exposure of sensitive data for a reason. You should be scared of the implications of these exposures in terms of business risk, reputation loss, and regulatory violations and fines. In other words, don't be stupid.

Data is Wealth: Data Security is Wealth Protection. Ignore the shilling of services as usual and take in the message: protecting your data is your prime directive. Ask yourself every morning, "How will I protect my data today?" Doing anything else is doing it wrong.

Google Workspace Adds Client-Side Encryption. This means you can store encrypted data in your Google accounts without Google having access to the contents of your data. This is a big deal. Take advantage of this if you use Google for document creation and storage.

Corey: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn't translate well to cloud or multi-cloud environments, and that's not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial.

Jesse: Cybersecurity Tips for Business Travelers: Best Practices for 2021. I plan to avoid a return to routine business travel, but if you want to, or don't have a choice not to get back on the road, do it safely. 
If you don't want the US Customs and Border Patrol agents searching your devices, wipe your phone before reaching customs. You can set your device to wipe on too many failed passcode entries, then back up your phone right before boarding or departing the plane and wipe it on the way to customs by tapping one number over and over as you walk off the plane.

2021 Verizon Data Breach Incident Report insights. The annual Verizon data breach incident report—known as DBIR—has incredible and useful insights for all tech workers, not just security practitioners. Once again, humans are the weak link. I know spending more time educating your people than hunting for APTs is boring sauce, but you'll be better off.

One in Five Manufacturing Firms Targeted by Cyberattacks. If you create real-world goods, you are a prize target. Don't be fooled into thinking you're safer because it's harder to steal things in meatspace than in cyberspace.

Confidential Computing: The Future of Cloud Computing Security. Using hardware-level security is still possible in the cloud. Most of us don't need to encrypt everything on a system or everything running in memory, but some of us do need to be that paranoid. However, don't do this unless you really truly have a business case for it, and to implement it, check out services like AWS CloudHSM for encryption of in-use memory and data.

Many Mobile Apps Intentionally Using Insecure Connections for Sending Data. Don't use insecure transport in your apps. Encrypt your data in transit. Eventually, consumers will have ways to disable all apps that don't use basic security measures like proper authentication without stored credentials or using unencrypted channels. Don't be stupid. Are you sensing a theme of the week?

The Art and Strategy of Becoming More Cyber Resilient. Resiliency in IT architectures and applications is becoming the only way to survive the modern distributed world, especially in cybersecurity. 
You need to change your whole paradigm to be risk- and recovery-based, not just the old-school defender attitude of building lots of walls.

Cyber is the New Cold War & AI is the Arms Race. The whole AI marketing trope gets old. Ugh. But the message is accurate. There is too much data even in small systems to manage detection and protection without advanced math hunting for anomalous things that go bump in the night. We are in an arms race and we are at war. If nothing else, I like this article because it says what many of us in security always say: "It isn't if you get popped; it's when you get popped."

The Future of Machine Learning and Cybersecurity. A reality check on using advanced math for security monitoring and analysis is important. Use it but don't rely on it too much. Like with all things in life, find balance between known attack analysis and mathematically finding potential attack indicators.

And now for the tip of the week. Use a virtual private cloud—or VPC—for any systems or services not requiring direct public interaction. All three of the biggest public cloud providers have these available. Both AWS and GCP use the term VPC, but Azure calls it an Azure Virtual Network, or VNet. This is as simple as setting up a private network for your compute and storage systems and adding a second network for public access for your outside interactions with users and external services. They're easy to implement, and you get significant improvements in security and risk profile reduction quickly using VPCs. This is the cloud version of keeping your things hidden behind a firewall on-prem.

And that's it for the week. Securely yours, Jesse Trucks.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcasts, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.
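The tip of the week above, "a private network for your compute and storage systems and a second network for public access", is, in AWS terms, one VPC with a public subnet for the load balancer and a private subnet for everything else. The CloudFormation template below is an added example of that layout and is not from the episode or from AWS. The CIDR ranges, the single availability zone, and ports 443 and 8080 are assumptions chosen to keep it short; a production layout would repeat the subnet pair per availability zone.

```yaml
# Added example (not from the episode): two-tier VPC, public subnet for the
# load balancer only, private subnet for compute and storage.
AWSTemplateFormatVersion: "2010-09-09"
Description: Public/private VPC layout (assumed CIDRs and ports)

Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16          # assumed address range
      EnableDnsSupport: true
      EnableDnsHostnames: true

  # Public tier: the only subnet with a route to the internet gateway.
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: !Select [0, !GetAZs ""]
      MapPublicIpOnLaunch: false      # even here, nothing gets a public IP unless explicitly asked for

  # Private tier: no inbound path from the internet at all.
  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      CidrBlock: 10.0.1.0/24
      AvailabilityZone: !Select [0, !GetAZs ""]

  InternetGateway:
    Type: AWS::EC2::InternetGateway
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref Vpc
      InternetGatewayId: !Ref InternetGateway

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref Vpc
  PublicDefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: AttachGateway
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicSubnetRouteAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref PublicRouteTable

  # Outbound-only internet for the private tier (patches, package pulls).
  NatEip:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatEip.AllocationId
      SubnetId: !Ref PublicSubnet

  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref Vpc
  PrivateDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway
  PrivateSubnetRouteAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet
      RouteTableId: !Ref PrivateRouteTable

  # The "firewall" part: the public tier accepts 443 from anywhere, the private
  # tier accepts 8080 only from the load balancer's security group.
  LoadBalancerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Internet-facing HTTPS listener only
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
  AppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Reachable only from the load balancer
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 8080                 # assumed application port
          ToPort: 8080
          SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
```

Two things worth checking after deploying something like this: that nothing in the private subnet has a public IP or an internet gateway route (the NAT gateway gives it egress only), and that the private tier's security group references the load balancer's security group rather than a CIDR, so adding or replacing load balancer nodes never opens the application port more widely. If the private tier only needs to reach AWS services such as S3 or Secrets Manager, VPC endpoints can replace the NAT gateway entirely and remove the egress path an attacker would use to phone home.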

    You Down with ATP? Yeah, You Know Me

    Jun 17, 2021 (9:49)


    Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you're about to listen to.Show Notes:Links: APT1 Report: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf Securing Your Cloud Transformation Journey: https://onwireco.com/2021/06/08/securing-your-cloud-transformation-journey/ TeamTNT Strikes Again: A Wake-Up Call to Start Securing Cloud Entitlements: https://securityboulevard.com/2021/06/teamtnt-strikes-again-a-wake-up-call-to-start-securing-cloud-entitlements/ Secure Access Trade-offs for DevSecOps Teams: https://beta.darkreading.com/vulnerabilities-threats/secure-access-trade-offs-for-devsecops-teams?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple Cyber Gangs: Who are they in 2021 and what do they Want?: https://securityintelligence.com/articles/cyber-crime-gangs-who-are-they-today/ Required MFA is not Sufficient for Strong Security: A Report: https://www.darkreading.com/cloud/required-mfa-is-not-sufficient-for-strong-security-report/d/d-id/1341263 With Cloud, CDO and CISO Concerns are Equally Important: https://www.itsecuritynews.info/with-cloud-cdo-and-ciso-concerns-are-equally-important/ Colonial Pipeline CEO: Ransomware Attack Started via Pilfered ‘Legacy' VPN Account: https://beta.darkreading.com/attacks-breaches/colonial-pipeline-ceo-ransomware-attack-started-via-pilfered-legacy-vpn-account Cloud Security: Why Being Intentional in Encryption Matters: 
https://securityintelligence.com/articles/cloud-security-intentional-encryption/ CSPM explained: Filling the gaps in cloud security: https://www.csoonline.com/article/3620049/cspm-explained-filling-the-gaps-in-cloud-security.html Five worthy reads: Confidential computing–the way forward in cloud security: https://securityboulevard.com/2021/06/five-worthy-reads-confidential-computing-the-way-forward-in-cloud-security/ Data Protection in the K-12 Cloud: https://securityboulevard.com/2021/06/data-protection-in-the-k-12-cloud/ Cybersecurity Executive Order 2021: What it Means for Cloud and SaaS Security: https://thehackernews.com/2021/06/cybersecurity-executive-order-2021-what.html Hackers Can Exploit Samsung Pre-Installed Apps to Spy On Users: https://thehackernews.com/2021/06/hackers-can-exploit-samsung-pre.html Top 10 security items to improve in your AWS account: https://aws.amazon.com/blogs/security/top-10-security-items-to-improve-in-your-aws-account/

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

Announcer: Are you building cloud applications with a distributed team? Check out Teleport, an open-source identity-aware access proxy for cloud resources. Teleport provides secure access for anything running somewhere behind NAT: SSH servers, Kubernetes clusters, internal web apps, and databases. Teleport gives engineers superpowers. Get access to everything via single sign-on with multi-factor authentication, list and see all SSH servers, Kubernetes clusters, or databases available to you, and get instant access to them using tools you already have. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. And best of all, Teleport doesn't get in the way. Download Teleport at goteleport.com. 
That's goteleport.com.

Jesse: Us security people and the general news media like talking about APT this and APT that; however, like most things with cybersecurity, the term isn't even explained. The term is Advanced Persistent Threat—or APT—and it came from Kevin Mandia, founder of Mandiant, a security company, in the famous APT1 Report, as it's called, released in early 2013, which is a fascinating read. Well, maybe some of us love reading these things.

There's a lot of hype around APTs and what it all means. An APT is essentially a well-funded hacking group, usually with nation-state backing. This means some government is funding and/or training and otherwise supporting the efforts of what amounts to a criminal enterprise attacking assets. Most of us shouldn't care much about APTs though, as long as we secure our cloud accounts and use properly configured multi-factor authentication, or MFA.

Meanwhile, in the news.

Securing Your Cloud Transformation Journey. Plan, build, run, repeat. Plan, build, run, repeat. It's so simple; however, the details are complex and varied at every one of these stages to reduce the possibility of something catastrophic happening.

TeamTNT Strikes Again: A Wake-Up Call to Start Securing Cloud Entitlements. If you don't secure your IAM credentials for cloud services, the keys to your kingdom will be shared about by nefarious actors. I've recently pointed out that this APT group, TeamTNT, was harvesting easy-to-obtain credentials. I love a chance to hammer on basic protocols and methodology since almost nobody actually follows them correctly. Go secure your cloud credentials right now.

Secure Access Trade-offs for DevSecOps Teams. Proper security is a balance between the needs of service delivery or data availability and safety. Work with your development groups at the left end, or start, of your development process to find that balance early.

Cyber Gangs: Who are they in 2021 and what do they Want? 
I found this a tad on the sensationalist side of things, and because it focuses on the human-driven, highly targeted attacks, it seems like the world is caving under the pressure of cyber street gangs tearing us all apart. Despite this, it has good advice, and I think the topic is a very interesting peek into things most of us don't see.

Required MFA is not Sufficient for Strong Security: A Report. Multi-factor authentication—or MFA—is not the pinnacle of protection. MFA is highly valuable, but only when you set it up correctly and close all the side and back doors of your floating house in the clouds. Don't forget to lock up on your way out.

With Cloud, CDO and CISO Concerns are Equally Important. Now, most of us won't have a Chief Data Officer—or CDO—but that doesn't mean we shouldn't include the creators and curators of our precious data. Just say no to the culture of no.

Colonial Pipeline CEO: Ransomware Attack Started via Pilfered ‘Legacy' VPN Account. Really? Really? In most situations like this, there's a root cause here that most people overlook: incomplete or inaccurate asset management systems. If you don't know what you have, you can't track how to secure it. Do you want to become international news because you forgot to monitor some VPN system nobody actually uses?

Cloud Security: Why Being Intentional in Encryption Matters. Of course we should encrypt all the things, but we should do it sanely. Ensure you have personally identifiable information—or PII—and protected health information—or PHI—and other highly sensitive materials encrypted both at rest, which means sitting on storage devices or services of some sort, like S3 buckets, and in transit, which means a network transaction such as sending query result records for a web app.

Announcer: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. 
Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That's lacework.com.

Jesse: CSPM explained: Filling the gaps in cloud security. Cloud security posture management—or CSPM. Great, another acronym for another security product category. This might grow legs and go places, so bone up on it while we all experiment with it to see how useful and reliable it actually is.

Five worthy reads: Confidential computing–the way forward in cloud security. I love me a meta-post; you are listening to one right now. So, I'll reference another source that's just a list of other sources, yeah? These are great pointers to more in-depth coverage on confidential computing and what that means. Confidential computing is essentially encryption of data via hardware, rather than the software or application layer. In theory, this makes it harder to decrypt the data. I'm in a wait-and-see place with that though.

Data Protection in the K-12 Cloud. Being the principal for a K-through-five school, I love this one. It's a great read or listen—it's a podcast with a partial transcript—and I highly recommend listening to this one. Elementary schools often have huge budget shortfalls, even the private schools. It makes it difficult for us to implement proper security at such a small scale. It is, however, worth every second you spend on security and privacy.

Cybersecurity Executive Order 2021: What it Means for Cloud and SaaS Security. 
Biden's executive order on improving the nation's cybersecurity is a dense read, but Hacker News breaks it down for us normal people. Can you guess my favorite part in the executive order? Email me with your answer.

Hackers Can Exploit Samsung Pre-Installed Apps to Spy On Users. I try not to pick on any particular company because everyone fails in some way or another, and everyone gets pwned at some point. However, I've heard Android users complain about the Samsung builds being full-up with junk you don't need. Now, there's even more reason to be suspicious of the default software. If I ran Android devices still, I'd consider going back to the days when I ran CyanogenMod and broke my phone every few days. Nah, I'll keep my Apple device, thanks.

And now for the tip of the week. Read the AWS Security Blog, starting with the Top 10 security items to improve in your AWS account entry from last year in March. This walks you through what AWS sees as the most critical things to look at and do, such as using MFA—correctly, please—responding to things found in GuardDuty, and limiting security groups. For some of us, implementing all of these things might be a big ask and a large hurdle to leap over. However, the work will pay off handsomely.

And that's it for the week, folks. Securely yours, Jesse Trucks.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcasts, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.
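The encryption item in this episode ("Why Being Intentional in Encryption Matters": PII and PHI encrypted at rest in places like S3 buckets, and in transit) comes down to a small amount of configuration on the bucket itself. The template below is an added example of that configuration, not code from the episode, from the article, or from AWS: a bucket that encrypts every object with a customer-managed KMS key by default, blocks all public access, and whose bucket policy refuses any request that did not arrive over TLS. The bucket and key are unnamed so the stack can be deployed as-is; the only assumption is that the account's root principal administers the key.

```yaml
# Added example (not from the episode): S3 bucket for sensitive data,
# encrypted at rest with a rotating KMS key and TLS-only in transit.
AWSTemplateFormatVersion: "2010-09-09"
Description: Encrypted-at-rest, TLS-only S3 bucket for PII/PHI

Resources:
  DataKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Key for the sensitive-data bucket
      EnableKeyRotation: true           # annual automatic rotation of the key material
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: AccountAdministersKey     # assumption: the account root administers the key;
            Effect: Allow                  # narrow this to a key-admin role in practice
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"

  SensitiveBucket:
    Type: AWS::S3::Bucket
    Properties:
      # At rest: every PutObject without its own encryption header is encrypted
      # with DataKey, so no code path can write a plaintext object by accident.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref DataKey
            BucketKeyEnabled: true         # fewer KMS calls, same protection
      # The misconfiguration the episode keeps warning about: public ACLs and
      # public bucket policies are refused outright.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled                    # ransomware-style overwrites and deletes are recoverable

  SensitiveBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref SensitiveBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # In transit: any request over plain HTTP is denied, regardless of
          # what IAM policy the caller otherwise has.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: s3:*
            Resource:
              - !GetAtt SensitiveBucket.Arn
              - !Sub ${SensitiveBucket.Arn}/*
            Condition:
              Bool:
                aws:SecureTransport: "false"
```

The explicit Deny on `aws:SecureTransport` is the part that actually enforces "in transit": default encryption covers the disk, but without it a misconfigured client (or a deliberately downgraded one) could still read and write objects over cleartext HTTP with an otherwise valid identity. Since a Deny wins over every Allow in IAM evaluation, no later IAM change can quietly reopen that path. One caveat: the KMS key policy above is deliberately broad so that the template deploys standalone; who may call `kms:Decrypt` on the key is what ultimately decides who can read the data, so scope it to the roles that need it.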

    Pirates and Castles

    Jun 10, 2021 (9:08)


    Links: Blog entry: https://swagitda.com/blog/posts/on-yolosec-and-fomosec/ Why the Worst Cloud Security Predictions Might not Come True: https://securityintelligence.com/articles/worst-cloud-security-predictions-not-true/ First Known Malware Surfaces Targeting Windows Containers: https://www.darkreading.com/vulnerabilities—threats/first-known-malware-surfaces-targeting-windows-containers/d/d-id/1341230 Justice Dept. 
Claws Back $2.3M Paid by Colonial Pipeline to Ransomware Gang: https://krebsonsecurity.com/2021/06/justice-dept-claws-back-2-3m-paid-by-colonial-pipeline-to-ransomware-gang/ TeamTNT attacks IAM credentials of AWS and Google Cloud: https://www.scmagazine.com/home/security-news/cloud-security/teamtnt-attacks-iam-credentials-of-aws-and-google-cloud/ School Cybersecurity: How Awareness Training Removes Attackers' Options: https://securityintelligence.com/articles/how-awareness-training-improves-school-cybersecurity/ Only 17% of organizations encrypt at least half of their sensitive cloud data: https://www.scmagazine.com/home/security-news/only-17-of-organizations-encrypt-at-least-half-of-their-sensitive-cloud-data/ Return to Basics: Email Security in the Post-COVID Workplace: https://beta.darkreading.com/vulnerabilities-threats/return-to-basics-email-security-in-the-post-covid-workplace Zero Trust or Bust: What it is and Why it Matters to Data Security: https://securityintelligence.com/posts/zero-trust-why-it-matters-data-security/ What the FedEx Logo Taught Me About Cybersecurity: https://www.darkreading.com/vulnerabilities—threats/what-the-fedex-logo-taught-me-about-cybersecurity/a/d-id/1341118 How the Rise of the Remote SOC Changed the Industry: https://securityintelligence.com/articles/work-from-home-remote-soc/ Organizations Shift Further Left in App Development: https://www.darkreading.com/application-security/organizations-shift-further-left-in-app-development/d/d-id/1341219 Kate Turchin Wang YouTube: https://www.youtube.com/c/KeynoteSinger The Misaligned Incentives for Cloud Security: https://securityboulevard.com/2021/05/the-misaligned-incentives-for-cloud-security/ Kelly Shortridge Twitter: https://twitter.com/swagitda_

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

Announcer: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. 
Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That's lacework.com.

Jesse: Every week, I read dozens of articles, hundreds of social media posts on several platforms, and thousands of private messages about cybersecurity. There is one single most pervasive theme from all of them: security messaging is binary; there are generally only two mindsets about security. Both of these are wrong.

First, there are the sensationalists who dream of being Case, the antihero in Gibson's novel Neuromancer, which is, by the way, the greatest dystopian cyberpunk novel ever written. I will fight you on that. These jokers want the world to think they are the first and final defense against the alien invasion of sophisticated and powerful hackers. Really, most of these folks are trying to chase a non-existent adrenaline rush doing defensive security. Don't get me wrong, I love being a defender. It's just not strapping a saddle onto a missile and riding into the sunset.

Second, there are the cyber-doomers who spread fear, uncertainty, and doubt—we call it FUD—about how cyberspace has already collapsed and we're all on life support while the hackers outside [unintelligible 00:02:06] run amok in pure cyber-anarchy. These purveyors of apocalyptic doomscapes assure us all that the culture of no is the only answer to keeping sanity and safety within our control. They live on and trade in fear, but all this does is cost more money and hinder the mission in business. 
Kelly Shortridge calls this YOLOsec and FOMOsec and does a much better job at this than I can. Go read her blog entry.

Meanwhile, in the news.

Why the Worst Cloud Security Predictions Might not Come True. We security people are usually gloom-and-doomers. It's our stock-in-trade. However, the migration to cloud is moving the exposed attack surfaces. This may not mean an increase in risk for many organizations. This could simply be a shift in risk categories.

First Known Malware Surfaces Targeting Windows Containers. If you run Windows systems in Kubernetes clusters, you may get popped by this one. Once again, following the basic best practices of running everything—yes, I do mean everything—using the minimal amount of permissions possible in your environment, managing your cloud resources, is likely your protection. This is called the principle of least privilege.

Justice Dept. Claws Back $2.3M Paid by Colonial Pipeline to Ransomware Gang. This one just feels good. Recovering a few million dollars from ransomware groups is barely a rounding error, but it's like getting your five pennies back from that bully who stole $25 in lunch money from you and your friends.

Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn't translate well to cloud or multi-cloud environments, and that's not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That's extrahop.com/trial.

Jesse: TeamTNT attacks IAM credentials of AWS and Google Cloud. Haven't I been on message about securing your credentials? 
I don't ever believe someone deserves to be attacked and breached, but if you don't secure your accounts and use the principle of least privilege, you're likely to get owned sooner rather than later. Stop being the low-hanging fruit.

School Cybersecurity: How Awareness Training Removes Attackers' Options. The only path to long-term change for things like getting people to stop using links in phishing emails is to teach children not to do these stupid things when they are young. More people won't do stupid security things as adults if they spend their childhood learning how to be smarter about their computer use.

Only 17% of organizations encrypt at least half of their sensitive cloud data. Really, people? This is a combination of laziness and not shifting left with security in your development and deployment processes. If your data is encrypted, the inevitable—or pervasive, depending on how bad your security practices are—access misconfiguration exposing your data won't be catastrophic.

Return to Basics: Email Security in the Post-COVID Workplace. One thing almost every security person agrees on—and data supports—is that there are a handful of basic best practices that mitigate almost all risks. Email is the scourge of modern life—God, I hate it—and is full of nasty phishing junk. Get your people to not be stupid about email.

Zero Trust or Bust: What it is and Why it Matters to Data Security. You know I can't pass up an opportunity to hammer on zero trust. As a co-panelist with me at a conference said to me yesterday, zero trust is a horrible name for the concept of dynamic contextual authorization, but it's the name that stuck. Whether you've heard my soapbox rants on zero trust or not, your homework is to read another pushy article about implementing zero trust.

What the FedEx Logo Taught Me About Cybersecurity. Do you see the arrow? I've done some detours through design and logo development, and I've seen the FedEx arrow forever now. Go look at the logo they have. 
Whitespace in visual design being overlooked by most people is a great analogy to explain newer algorithmic security analyses.

How the Rise of the Remote SOC Changed the Industry. This is a cool peek behind the curtain of the cybersecurity profession and its dangers. This article brings up ethics, which is something most articles ignore, but most of us in security think about the ethical ramifications of our work every single day.

Organizations Shift Further Left in App Development. This is another topic I like beating on. It's like I'm building a one-person band of security methodologies. Actually, I'm quite musically inept, so if you really want to have [laugh] some musical fun in cloud security, go listen to Kate Turchin Wang, the cloud security singer, on YouTube. She's awesome.

The Misaligned Incentives for Cloud Security. I often say economics drives behavior. There's a whole field of study on this called behavioral economics. This article is dry and dense, but it lays out how cloud providers aren't given reasons to work that hard on security. If you want to follow the rabbit down the hole about behavioral economics and cybersecurity, follow Kelly Shortridge on Twitter; she's @swagitda_. She is both amazing and entertaining.

And now for the tip of the week. This one is easy. Well, maybe not for some of us. Work with me here. Put down your tools. Set aside your technical mission for the moment. Go ask your organizational leaders what they care about in your business or mission. Really talk to them. Send them an email. Be curious and be genuine. You will learn vast amounts more about what your security focus should be and should not be by learning the business.

That's it for the week, folks. Securely yours, Jesse Trucks.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcasts, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.

    Caution with Automation

    Jun 3, 2021, 8:51


    Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you're about to listen to.

Links:
Autonomous drone attacked soldiers in Libya all on its own: https://www.cnet.com/news/autonomous-drone-attacked-soldiers-in-libya-all-on-its-own/
3 SASE—or ‘sas-ee'—Misconceptions to Consider: https://www.darkreading.com/cloud/3-sase-misconceptions-to-consider-/a/d-id/1341088
Chinese APT Groups Continue to Pound Away on Pulse Secure VPNs: https://www.darkreading.com/attacks-breaches/chinese-apt-groups-continue-to-pound-away-on-pulse-secure-vpns/d/d-id/1341174
Cybersecurity M&A Roundup: 36 Deals Announced in May 2021: https://www.securityweek.com/cybersecurity-ma-roundup-36-deals-announced-may-2021
The VC View: Identity = Zero Trust for Everything: https://www.securityweek.com/vc-view-identity-zero-trust-everything
Three Things Holding Back Cloud Security: https://securityboulevard.com/2021/05/three-things-holding-back-cloud-security/
What does the Future Hold for Cloud Security: https://hackernoon.com/what-does-the-future-hold-for-cloud-security-i82e35md
Report: Cloud Security Breaches Surpass On-Prem Ones for the First Time: https://www.mariakorolov.com/2021/report-cloud-security-breaches-surpass-on-prem-ones-for-the-first-time/
What is DevSecOps, and how Can it Improve Your Security: https://biztechmagazine.com/article/2021/05/what-devsecops-and-how-can-it-improve-your-security-perfcon
State of Security Research Zeroes in on Data Strategies: https://www.splunk.com/en_us/blog/leadership/state-of-security-research-zeroes-in-on-data-strategies.html

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

Announcer: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That's lacework.com.

Jesse: Automation of processes is crucial for speed and reliable repeatability. However, automating tasks and procedures should be done with a certain amount of caution. Start by automating discrete tasks, then group or chain those tasks after thorough testing for safety. As you build experience and confidence in these groups of tasks, you can automate larger collections of operations. This is where security orchestration, automation, and response—or SOAR—platforms are critical to maintain automated operations in a cost-effective manner with minimal overhead.

In large-scale dynamic cloud deployments, whether using full-system stacks, containers, or cloud-native microservices, automating security operations is a requirement for functional response. This necessitates a high level of trust in your automation. Likely you'll migrate into more machine learning and fuzzy-logic-based decision criteria that could have unintended consequences if you don't put the right guardrails in place. Unfettered machine-based decision-making is how Skynet [laugh] is born. Please do be careful in your testing, implementation, and production.

Meanwhile, in the news. Autonomous drone attacked soldiers in Libya all on its own. This is Skynet straight out of a Terminator movie. Remember this story when you are implementing automation in your environment. Unchecked and unmonitored automation can cause serious problems where there were none.

3 SASE—or ‘sas-ee'—Misconceptions to Consider. If you thought this was about self-addressed stamped envelopes, you are at least as old as I am. It's pronounced ‘sas-ee', which is all wrong phonetically. SASE, like my dog named Sassy, is a very valuable member of the family, but it won't cure all your woes.

Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn't translate well to cloud or multi-cloud environments, and that's not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That's extrahop.com/trial.

Jesse: Chinese APT Groups Continue to Pound Away on Pulse Secure VPNs. I hope you've patched your Pulse Secure VPN because if you haven't, a nation-state will own you soon. Go patch it and turn up monitoring if you haven't already.

Cybersecurity M&A Roundup: 36 Deals Announced in May 2021. None of us should wonder why the cybersecurity vendor market is so confusing after seeing the list of mergers that happen routinely. Just like with other tech markets, the big companies are slowly eating their way through the startups.

The VC View: Identity = Zero Trust for Everything. I don't think I beat on the zero-trust topic often enough. [laugh]. I concur with the argument laid out in this one that identity management is rapidly becoming synonymous with zero trust. You might as well sigh the great sigh while deploying precursors to a full zero trust architecture. You'll need it soon enough anyway, so you might as well get a jump on it.

Three Things Holding Back Cloud Security. I often tell people there are various things I've never learned how to do correctly; rather, I've learned what not to do. Knowing what is wrong behavior is extremely useful, but what is even more powerful is knowing what things to do that are right thinking. This article ought to improve your security posture.

What does the Future Hold for Cloud Security? We all need some calculated guessing to know the future. Getting out the magic eight ball might seem almost as accurate, but knowing the trends that are current and predicted into the future helps you build larger, more complex, and highly flexible future services.

Report: Cloud Security Breaches Surpass On-Prem Ones for the First Time. Pay attention to this one. Even if you don't read the article, the headline has enough to catch the most important indicator. Cloud systems and services are being targeted by attacks more often than traditional systems and services.

What is DevSecOps, and how Can it Improve Your Security? Know your terms, I used to say all the time. Whether or not we use things like DevSecOps, or shifting left, or the whole red versus blue versus purple team thing, we need to know what these things mean. I rarely use the terms red, blue, or purple teams, but security people commonly toss the words about. Here's your cheat sheet: red equals attack, blue equals defense, and purple equals a combo of red and blue on a single team.

State of Security Research Zeroes in on Data Strategies. Not enough companies are publishing data they gather in their normal course of business. Splunk—disclosure: I am an employee of Splunk—has released its first-ever such reports about a variety of topics. It has some great insights into how companies operate. My favorite chart shows the hidden costs of security incidents on page four.

P8O or Potato? The horse in the 1800s named Potoooooooo—aka ‘Pot-8-Os'—is clearly the precursor to a recent trend of naming things with a count of the letters in the middle of the word, such as K8s—pronounced ‘Kates'—for Kubernetes, and O11Y—pronounced ‘Ollie'—for observability.

And now for the tip of the week. Enable multi-factor authentication—or MFA—for cloud account access. Because MFA means accessing a user account requires more than just the password, it is more difficult to compromise an account through brute force or other password discovery methods. The barrier for entry is raised high enough that other attack vectors, which take more nuance and sophistication, must be used to successfully break through your defenses. To do this with AWS IAM, first read the documentation on MFA and decide whether a software-based authenticator is within your acceptable risk profile or if you need to implement a hardware solution. Then go to your AWS Management Console, Services, then the Security, Identity, and Compliance section, IAM, then Access Management, and Users to edit your users. Choose a user to edit, then go to the security credentials tab, follow the Manage link after Assigned MFA Devices, then follow the prompts.

Pro tip here: hardware takes time to acquire and implement. Therefore, immediately enable software MFA everywhere, even if you plan on implementing a hardware solution for some of your accounts. Then you can migrate those specific accounts, or all of the accounts, to the hardware solution when that is ready for production.

And that's a wrap for the week, folks. Securely yours, Jesse Trucks.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.

    Stop Using Passwords, No Really, Stop

    May 27, 2021, 9:57


    Links:
Password strength XKCD: https://xkcd.com/936/
Building fine-grained authorization using Amazon Cognito, API Gateway, and IAM: https://aws.amazon.com/blogs/security/building-fine-grained-authorization-using-amazon-cognito-api-gateway-and-iam/
Misconfiguration of third party cloud services exposed data of over 100 million users: https://blog.checkpoint.com/2021/05/20/misconfiguration-of-third-party-cloud-services-exposed-data-of-over-100-million-users/
Cost Savings, Better Security Drive Adoption of Emerging Technologies: https://www.darkreading.com/risk/cost-savings-better-security-drive-adoption-of-emerging-technologies/d/d-id/1341081
Cobalt Strike Becomes a Preferred Hacking Tool by Cybercrime and APT Groups: https://www.darkreading.com/attacks-breaches/cobalt-strike-becomes-a-preferred-hacking-tool-by-cybercrime-apt-groups/d/d-id/1341073
Attackers Took 5 Minutes to Start Scanning for Exchange Server Flaws: https://beta.darkreading.com/threat-intelligence/attackers-took-5-minutes-to-start-scanning-for-exchange-server-flaws
Credential Stuffing Reaches 193 Billion Login Attempts Annually: https://www.darkreading.com/cloud/credential-stuffing-reaches-193-billion-login-attempts-annually/d/d-id/1341064
How Ransomware Encourages Opportunists to Become Criminals: https://www.darkreading.com/attacks-breaches/how-ransomware-encourages-opportunists-to-become-criminals/a/d-id/1340953
American insurance giant CNA reportedly pays $40m to ransomware crooks: https://www.theregister.com/2021/05/22/in_brief_security/
79% of observed Microsoft Exchange Server exposures occurred in the cloud: https://www.scmagazine.com/home/security-news/cybercrime/udpos-malware-spotted-exfiltrating-credit-card-data-via-dns-server/
Google Cloud CISO: Usability must be baked into design of security tools: https://www.scmagazine.com/home/2021-rsa-conference/google-cloud-ciso-usability-must-be-baked-into-design-of-security-tools/

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

Announcer: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That's lacework.com.

Jesse: Stop using passwords. No really, stop using passwords; use a password vault. Although, when you have to memorize a password to access something that you can't use the vault to look up, such as to get into your phone or computer to access your vault, use a passphrase. A passphrase is a group of words or a full sentence. See the famous password strength XKCD comic to understand why a passphrase is better.

Pro-tip: do not use easy-to-guess phrases. Don't use your dog's name, kid's name, and your favorite sports team. A good one is ‘dolphinstrollthroughmountains.' [unintelligible 00:01:38] the period in the end. A bad one is ‘SpotKarengiants.' I want everyone to know that neither of these have ever been nor ever will be a passphrase used by me; you shouldn't use them either. At least a few of you will, but you've been warned.

Also, my dogs aren't named Spot. I don't have a family member named Karen—that I know of—and I don't really know anything about the Giants except that I think they're a football team. A password vault is software that stores your passwords in an easily accessible manner. There are several cloud-based services with client software and/or browser plugins, and all of these have family, team, and business or enterprise service levels that allow easily sharing password entries or creating shared vaults for storing accounts. Password vaults are generally between only $4 and $10 per user, per month, even at the family and at the business level, which is a trivial cost even for small businesses. Even my tiny nonprofits use a cloud password vault service; it's worth every single penny. This will change your life and transform your business, especially in a remote world.

Meanwhile, in the news. Building fine-grained authorization using Amazon Cognito, API Gateway, and IAM. I talk all the time about the value of zero trust architecture—ZTA—and the importance of shifting left to make your applications and services more secure. Building cloud-native software with ZTA integrated at the API call layer is the best way to secure your operations.

Misconfiguration of third party cloud services exposed data of over 100 million users. On cue, there is yet more research showing that cloud apps and services are exposing access credentials or keys to user or service data. If these app developers shift left and integrate better authentication and authorization mechanisms, they could use this for marketing, and gain users and customers.

Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn't translate well to cloud or multi-cloud environments, and that's not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That's extrahop.com/trial.

Jesse: Cost Savings, Better Security Drive Adoption of Emerging Technologies. I love surveys like this because it gets me a peek into what other people think. This particular one is worth logging into ISACA to download because it shows the importance of organizations and their staff getting proficient with cloud technologies as something to adopt to future-proof your apps and services.

Cobalt Strike Becomes a Preferred Hacking Tool by Cybercrime and APT Groups. PowerShell is amazing, but it's a security nightmare. Attackers use it regularly to set up shop inside your network to own all the things. You should learn about the tactics, techniques and procedures—or TTP—and tools they like to use without having to dive into weedy details.

Attackers Took 5 Minutes to Start Scanning for Exchange Server Flaws. Cybersecurity is an arms race. We're losing the war, you know. Attackers develop new tools faster than we can develop detections and protections. For this reason, we should all be implementing algorithmic analysis of activity in our environments to find suspicious behavior, even when it isn't tied to a known attack.

Credential Stuffing Reaches 193 Billion Login Attempts Annually. If you need some more incentive to shift left and implement CTA, let the number one hundred ninety-three billion password attempts sink in. One hundred ninety-three billion. Also, if you aren't using a password vault, you might as well just use your hamster's name with some numbers after it that you keep on a public website, so you can find it easily, for all of your passwords.

How Ransomware Encourages Opportunists to Become Criminals. We have cloud this and cloud that, and we call it ‘X as a Service.' But the bad actors have SaaS offerings, too. Like cloud has revolutionized our businesses and missions, it has done the same for them. Ransomware as a Service? That terrifies me more than almost anything else that has come from the dark underbelly of the interwebs for a very, very long time.

American insurance giant CNA reportedly pays $40m to ransomware crooks. See, it's the old extortion play, done online. Even if you aren't a juicy target, are your customers? Long ago, I lost count of the number of very secure enterprises that were breached through a vendor connection of some sort. Treat all things as hostile. Yes, this is another way for me to beat the ZTA drum.

79% of observed Microsoft Exchange Server exposures occurred in the cloud. We all need to stop treating systems run in cloud environments like they're sitting in our data centers or under our desks. Yes, I used to have a production system under my desk. Oh, the bad old days. You need to do those basic system security steps we've talked about for decades when something is out there exposed to the world. Lock down your ECT or equivalent systems, please.

Google Cloud CISO: Usability must be baked into design of security tools. Some of us few in cybersecurity have been screaming to the chiller fans for decades that most security tools are hard to understand and use. For example, the technology for widespread sending of encrypted emails has been around for over 20 years. I've used it. However, the tools are so hard to use for the average computer user, nobody does use them. Our security monitoring and control systems need to be easy to use, or no amount of shifting left will improve your security because nobody will climb the cliff to figure it out.

And now for the tip of the week. Encrypt all data in transit. Period. It's trivial to implement transport encryption. That just means any data that enters or leaves by the network—thus being transported—is encrypted. Recall the shared responsibility model that separates what you and your cloud provider must secure and manage.

This means you must secure your data at rest and in transit. And you have zero control over what route your data takes between even your own cloud systems or services, which is different than in our own data centers, quite often. So, if you send something, encrypt it. Use TLS, or SSH, or VPN tunnels—which usually use things like TLS and SSH—or any other standardized encryption methods in your systems, available to your APIs, and in your coding libraries. If an app or service doesn't do this now, go slap in an encrypted tunnel and get that fixed immediately.

And that's a wrap for the week. Securely yours, Jesse Trucks.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.

    A Jump To The Left Not A Step To The Right

    May 20, 2021, 8:29


    Show Notes:

Links:
Report finds old misconfiguration woes continue to hammer corporate clouds: https://www.scmagazine.com/home/security-news/cloud-security/report-finds-old-misconfiguration-woes-continue-to-hammer-corporate-clouds/
Pentagon Weighs Ending JEDI Cloud Project Amid Amazon Court Fight: https://www.wsj.com/articles/pentagon-weighs-ending-jedi-cloud-project-amid-amazon-court-fight-11620639001
Netflix Exec Explains Where Infosec Pros are Going Wrong: https://www.infosecurity-magazine.com/news/netflix-exec-infosec-pros-going/
Firms Struggle to Secure Multicloud Misconfigurations: https://www.darkreading.com/cloud/firms-struggle-to-secure-multicloud-misconfigurations/d/d-id/1341008
Researchers Create Covert Channel Over Apple AirTag Network: https://nmap.online/news/2021/researchers-create-covert-channel-over-apple-airtag-network
Ransomware is Getting Ugly: https://www.schneier.com/blog/archives/2021/05/ransomware-is-getting-ugly.html
Try this One Weird Trick Russian Hackers Hate: https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/
Attorneys share worst practices for data breach response: https://searchsecurity.techtarget.com/news/252501054/Attorneys-share-worst-practices-for-data-breach-response
Ransomware Guidance and Resources: https://www.cisa.gov/ransomware
How to Get Employees to Care About Security: https://www.darkreading.com/theedge/how-to-get-employees-to-care-about-security-/b/d-id/1341058
Corey Quinn's Twitter: https://twitter.com/QuinnyPig

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

Announcer: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That's lacework.com.

Jesse: All the rage is DevOps, for good reasons: it works. You can't do good cloud work without a flexible and functional DevOps operation. Similarly, you can't do good security in the cloud without DevSecOps. However, [laugh] security people love their cryptic and geeky terms, so you hear, “You should shift left.” This is derived from the left shift bitwise operators that do binary math that moves values to the left. I told you it's geeky.

This moving left translates to moving security integration into a project farther left in the development process, when you start on the left and move to production on the right. Ultimately, this means you bring security into the very beginning of your conceptual designs, and write your first lines of code with security processes and methods in mind from the very start. Use more security tools, authentication and authorization hooks, and more granular encryption methods in your underlying services structures through your more complex processing. More work on literally coding security in at the start could save you several orders of magnitude of direct and indirect costs in the future. Don't get owned, don't get ransomed.

Meanwhile, in the news. Report finds old misconfiguration woes continue to hammer corporate clouds. If you haven't heard me and countless others rant about going back to basics of cloud security, you haven't been listening. This article should scare you into finally checking your basic permissions on things like storage and services so you don't get pwned by being stupid.

Pentagon Weighs Ending JEDI Cloud Project Amid Amazon Court Fight. When a nearly $2 trillion company drags anyone into court, things will change. The largest move to cloud services by the US Department of Defense might not happen because Amazon got pissed and sent lawyers. Watch how this unfolds to learn both how Amazon the company operates and how the market moves toward or away from cloud in general and either Azure or AWS specifically as a result of this legal challenge.

Netflix Exec Explains Where Infosec Pros are Going Wrong. Most of us who work in cybersecurity will read this piece and have one of two strong reactions. People like me and everyone who isn't a security professional will nod and smile and agree that times are changing and security needs to get with the times. Everyone else in security will scowl, and pout, and get mad.

Firms Struggle to Secure Multicloud Misconfigurations. We all struggle to secure all the things, but this report shows that most of us struggle to secure any of the things. Back to basics; I keep hammering on this because things like shutting down or securing ports and services and locking up cloud storage objects get you the biggest improvement in security posture out of almost anything else you do.

Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn't translate well to cloud or multi-cloud environments, and that's not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That's extrahop.com/trial.

Jesse: Researchers Create Covert Channel Over Apple AirTag Network. As this article says at the end, most people won't care about this obscure and difficult security thing to do. This is interesting reading, but the most important takeaway for you is to know that this type of technical wizardry is so far outside the realm of feasibility for most anyone on the planet that it should not scare you. For most of us, when we see big news about weird things like this, geek out on it and ignore it.

Ransomware is Getting Ugly. The only way to not be a victim of ransomware is to not let it into your network. If you don't protect access to your systems, you won't protect access to your data, and eventually, you'll be paying to keep your information private. Even then, it may end up online for the world to peruse after you've paid.

Try this One Weird Trick Russian Hackers Hate. Wow, install the right virtual keyboard and reduce your risk of getting hit with ransomware? If I ran Windows anywhere, I'd already have installed it before talking about it.

Attorneys share worst practices for data breach response. I cannot stress enough that every single thing you do or say or type into any device or service could be subject to legal discovery and disclosure. Don't make bad jokes; don't make sarcastic comments that aren't sarcastic out of context; and, well, just don't be stupid. Any or all of it could land in a global headline.

CISA Ransomware Guidance and Resources. You need to understand ransomware. It's a terrifying problem and it's not going away. Go skim this guide, which is quite short, then follow links to the trainings and webinars, and the guides and services. Be prepared to face ransomware because it's looking like we'll see it in action ourselves as time marches on.

How to Get Employees to Care About Security. Fresh from the annual RSA security conference, the largest of its kind in the world. For us followers of Corey Quinn, QuinnyPig on Twitter, and chief cloud economist at The Duckbill Group, we already know humor teaches us faster than pain and suffering. Well, maybe. Make security training funny.

And now for the tip of the week. AWS CloudTrail is your security friend. It's your best Robo-pet, fetching the morning paper. By default, it should be enabled, but you need to do something to make it useful. Go to your AWS Management Console, show all services, and find CloudTrail under the management and governance section.

Create a trail, name it something—anything at all that makes sense to you—and then read the notice there that you do not get charged for the creation of the logs but you will pay for the S3 bucket storage. Of course, right? Please monitor the size of this thing so you don't get shocking charges. The best thing to do is open the full create trail workflow, as the fine print under trail detail says, then choose ‘sane setting' for what to log and which buckets to use. Next, ensure you have something reading those logs, like using CloudWatch to pop alerts for you. Better yet, shove them into your Log Analyzer or your SEM.

And that's it for the week. Securely yours, Jesse Trucks.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.

    The Grid Has Fallen and It Can't Get Up

    May 13, 2021, 9:54


    Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you're about to listen to.

    Show Notes:

    Links:
    Here's the hacking group responsible for the Colonial Pipeline shutdown: https://www.cnbc.com/2021/05/10/hacking-group-darkside-reportedly-responsible-for-colonial-pipeline-shutdown.html
    Biden says ‘no evidence' Russia involved in US pipeline hack but Putin should act: https://www.theguardian.com/us-news/2021/may/10/colonial-pipeline-shutdown-us-darkside-message
    Colonial Pipeline CEO warns of possible fuel shortages following cyberattack: https://www.foxbusiness.com/technology/colonial-pipeline-ceo-warns-of-fuel-shortages-following-cyberattack
    Colonial Pipeline hackers apologize, promise to ransom less controversial targets in future: https://www.theverge.com/2021/5/10/22428996/colonial-pipeline-ransomware-attack-apology-investigation
    Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys: https://thehackernews.com/2021/05/over-40-apps-with-more-than-100-million.html
    Red Hat bakes cloud security into the heart of Red Hat OpenShift: https://siliconangle.com/2021/04/27/red-hat-bakes-cloud-security-heart-openshift/
    Amazon debuts CloudFront Functions for running lightweight code at the edge: https://siliconangle.com/2021/05/03/amazon-debuts-cloudfront-functions-running-lightweight-code-edge
    Critical Patch Out for Critical Pulse Secure VPN 0-Day Under Attack: https://thehackernews.com/2021/05/critical-patch-out-for-month-old-pulse.html
    New Amazon FinSpace Simplifies Data Management and Analytics for Financial Services: https://aws.amazon.com/blogs/aws/amazon-finspace-simplifies-data-management-and-analytics-for-financial-services/
    Spectre Strikes Back: New Hacking Vulnerability Affecting Billions of Computers Worldwide: https://scitechdaily.com/spectre-strikes-back-new-hacking-vulnerability-affecting-billions-of-computers-worldwide
    America Hacks Itself. Waiting for the Cyber-Apocalypse: https://tomdispatch.com/waiting-for-the-cyber-apocalypse/
    Wanted: The (Elusive) Cybersecurity ‘all-Star': https://www.darkreading.com/operations/wanted-the-(elusive)-cybersecurity-all-star/d/d-id/1340929
    How to Solve the Cybersecurity Skills Gap: https://securityboulevard.com/2021/05/how-to-solve-the-cybersecurity-skills-gap/
    Most Organizations Feel More Vulnerable to Breaches Amid Pandemic: https://www.darkreading.com/risk/most-organizations-feel-more-vulnerable-to-breaches-amid-pandemic/d/d-id/1340954
    How the COVID-19 Pandemic is Impacting Cyber Security Worldwide: https://innovationatwork.ieee.org/how-the-covid-19-pandemic-is-impacting-cyber-security-worldwide/
    Impact of COVID-19 on Cybersecurity: https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html
    Biden on cyber security after 100 days: A good start, but now comes the hard part: https://securityboulevard.com/2021/05/biden-on-cyber-security-after-100-days-a-good-start-but-now-comes-the-hard-part/
    Why Software Supply Chain Attacks are Inevitable and what you Must do to Protect Your Applications: https://securityboulevard.com/2021/05/why-software-supply-chain-attacks-are-inevitable-and-what-you-must-do-to-protect-your-applications/

    Transcript

    Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.

    Announcer: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That's lacework.com.

    Jesse: Infrastructure security, including both critical physical systems that make our modern human lives possible, and supply chain on critical software systems is the theme of the week—maybe month, or a year—and we need to sit up and pay attention. Our electrical grids, telco systems, fuel pipelines, water supplies, and more, are delicate flowers ready to be stomped by anything with brute force, or eaten away by a swarm of tiny insects. These systems lurk online in the background where most of us don't see them. However, all these are managed by computerized systems and they aren't as air-gapped as we would hope they are. Internet of Things—or IoT—operational technology—or OT—and industrial control systems—or ICS—aren't new security problems to solve. These have been highly vulnerable forever, but now we're seeing how IoT, OT, and ICS security lags far behind mainstream cybersecurity. This is a rapidly changing trend, but we should be worried over the next few months and years, as the security for these things catches up to the rest of the world.

    Meanwhile, in the news, “Here's the hacking group responsible for the Colonial Pipeline shutdown.” And, “Biden says ‘no evidence' Russia involved in US pipeline hack but Putin should act.” And, “Colonial Pipeline CEO warns of possible fuel shortages following cyberattack,” and, “Colonial Pipeline hackers apologize, promise to ransom less controversial targets in future.” I could list hundreds more articles on the Colonial Pipeline breach. These are some choice ones you should read to understand the impact of this event. And also hacker groups with sort of a conscience? Hmm.

    “Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys.” Wow, just wow. This is the modern equivalent of hard-coding a password in plain text into an app anyone can read. Please don't be stupid. Don't put keys or passwords into your apps in ways that expose your whole internal structure and customer or user data to the world.

    “Red Hat bakes cloud security into the heart of Red Hat OpenShift.” DevSecOps is like DevOps, but integrating security into the entire process. If you aren't doing DevSecOps already, you need to start. I like that Red Hat has an offering that makes it easier to adopt for organizations that need a managed service.

    “Amazon debuts CloudFront Functions for running lightweight code at the edge.” Using a DevSecOps model is critical when you run code that calls someone else's functions. CloudFront Functions look useful programmatically to deliver a smooth and fast user experience, but be careful about your inputs and outputs and test your code well.

    “Critical Patch Out for Critical Pulse Secure VPN 0-Day Under Attack.” Finally, a patch to install if you use Pulse Secure. You need to know what's happening and you need to install the patch. It's still a good read even if you don't use the product.

    “New Amazon FinSpace Simplifies Data Management and Analytics for Financial Services.” Like many of us, I'm an armchair economist who likes geeking out over market and economy analysis and trends. AWS FinSpace looks like a combination of a fantastic way to open opportunities for new players in the financial services industry—or FSI—but at the same time, this moves the trust of data integrity and availability into someone else's hands. When I worked with supercomputers used by chemists, the accuracy and availability of computational results were the most important aspects of the work, so outsourcing some of the fundamental maths makes me fret.

    Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn't translate well to cloud or multi-cloud environments, and that's not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That's extrahop.com/trial.

    Jesse: “Spectre Strikes Back: New Hacking Vulnerability Affecting Billions of Computers Worldwide.” Hardware flaws are both esoteric and terrifying. This shows that anything can be compromised given enough willpower and science. Always assume your systems are flawed and breakable and have multiple checks and balances to ensure the efficacy of operations and the integrity of your data.

    “America Hacks Itself. Waiting for the Cyber-Apocalypse.” I'm a Cold War spy novel aficionado, and I can't go a week without reading a story or novel about a dystopian nightmare. You know, like today's news. Most of the former teaches us about the origins of the latter, and we are living in one of those nightmares now. If you want to understand more about nation-state hacking and cracking, this one is for you.

    “Wanted: The (Elusive) Cybersecurity ‘all-Star',” and, “How to Solve the Cybersecurity Skills Gap.” The whole point of Meanwhile in Security is to help people who don't do security full time, and this piece expresses my thoughts on the cybersecurity labor market quite well. There are not enough experienced security people on the planet to meet the demands, so everyone has to learn more about security just to get through the day. Repeat this mantra when it gets you down. “I can do it. Security isn't as hard as security people claim. Remember, I can do it. I can do it. I think I can. I think again.”

    Cloud-native businesses struggle with security; you aren't alone. As more things move to cloud services, security gets more complex and difficult for everyone. These are solvable problems, but it will take an industry shift for it to become easy. It looks worse now than it will be in the near-term future over the next couple of years. We'll catch up to the bad guys' methods and mindsets soon enough.

    “Most Organizations Feel More Vulnerable to Breaches Amid Pandemic,” and, “How The COVID-19 Pandemic is Impacting Cyber Security Worldwide,” and, “Impact of COVID-19 on Cybersecurity.” There are tons of articles, and surveys, and studies out talking about how cybersecurity has become a larger problem during the global pandemic. It isn't only SARS-CoV-2 rampaging through our human world. I find it important to understand trends in cybersecurity in any sector or vertical because it helps me understand how to gauge my own risk.

    “Biden on cyber security after 100 days: A good start, but now comes the hard part.” It is important to understand how government policies and politics affect the tech industry, and cybersecurity is not any different. The speed of innovation in attacks and defenses usually leaves governments way behind. We should understand how government thinks about these things.

    “Why Software Supply Chain Attacks are Inevitable and what you Must do to Protect Your Applications.” I wrote about supply chain attacks recently because it is a scary problem that has shown up in the news with catastrophic results. Everyone managing any type of infrastructure or service needs to understand the nature of the attacks and the associated risks.

    And now the tip of the week. Remember the article about exposing AWS access keys? Yeah, don't do those things. Even AWS tells you not to. Any app or service should be protected using the most limited IAM role you can possibly use, and keys allowing access to those roles should not be embedded directly into code.

    Build a process to pull the access credentials when an app launches or connects to your service to initiate the access, instead of putting these things directly into the client systems. You should always be thinking of the ‘least privilege paradigm.' This means you give a service or user the smallest possible set of access rights to do the job needed. For example, AWS allows you to use AWS Config to track what a service touches. So, in testing, use AWS Config to see what your service needs and limit access to only those minimal things it needs.

    And that's a wrap for the week, folks. Securely yours, Jesse Trucks.

    Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.

    Announcer: This has been a HumblePod production. Stay humble.

    Meanwhile in Security Trailer

    May 11, 2021, 0:30


    Cloud security is a minefield of news that assumes the word "Security" is lurking somewhere in your job description. It doesn't have to be this way. Weekly cloud security news for people with other jobs to do. Cloud Security For Humans.

    All Changes Are Permanent Until Replaced

    May 6, 2021, 9:14


    Transcript

    Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.

    Announcer: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That's lacework.com.

    Jesse: My recent experience prepping a commercial space for a state fire marshal office inspection and approval has me thinking about compliance and security and the ever-present ‘temporary' fix for things. How many times have we said, “Oh, I'll just do this quick fix to get us by,” and that quick fix becomes the de facto supported production implementation? Repeat after me: all changes are permanent until replaced. All changes are permanent until replaced.

    Anything we alter at all, whether it is in computing or in real life, is a permanent alteration until it is replaced by a new alteration, or by a natural corrective or evolutionary process, like decay. We cut our hair and it grows back. We weed our gardens and the weeds return. If you don't want temporary changes happening in your environment, then implement hard controls that will correct any aberrations that come up. Cloud-native architectures give us the tools to force this by making it seamless to close down and erase from existence anything that veers from your ideal. Take advantage of this now.

    Meanwhile, in the news. Password reset code brute force vulnerability in AWS Cognito. If you use this AWS service, you should read this one. Although it is now patched, it's good to understand how AWS Cognito works more closely, which is true for any other security service you rely upon that is hosted by your cloud provider or other vendor.

    Task force seeks to disrupt a ransomware payment. This is tangentially related to cloud security because both Amazon and Microsoft have joined up on this one, but I'm personally fascinated by strange frenemy combinations who work together on these things. I'm watching for either interesting things to happen with their recommendations that could have an impact on disclosure of ransomware incidents, or for it all to fizzle out to do nothing.

    Is your cloud raining sensitive data? Kubernetes generally needs securing like any other service. Time to stop ignoring your newest infrastructure and lock Kubernetes down. However, if you want real security for your Kubernetes clusters, you should look at a robust solution like Fairwinds Insights. I'm a big fan of outsourcing tool development to experts.

    Enterprise lift and shift to the public cloud requires a newer type of API and cloud security program to prevent data breaches. Ignoring some glaring editing mistakes, which is rather difficult for me to do, I'd like this easy-to-read case study of a traditional on-prem infrastructure going through a lift-and-shift cloud migration. This piece specifically addresses some of the serious security implications of doing this, and how your attack surface changes dramatically in the process.

    NOAA shifts some key environmental data processing to the cloud. This one is important to me personally. Years ago, when I was a security engineer for the United States Department of Energy Oak Ridge National Laboratory High-Performance Computing Group—boy, that's a mouthful—I helped ensure security for one of the National Oceanic and Atmospheric Administration—or NOAA—supercomputers doing climate research. NOAA moving any of its compute systems supporting global research is a very big deal, and this is a great example of why AWS GovCloud is helping the US federal government modernize and move to the cloud. Also, mixing an acronym-heavy industry with government work turns into a pile of TLAs so fast. Also, as another aside, this was back when I met The Duckbill Group CEO, Mike Julian, in Knoxville, Tennessee.

    Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn't translate well to cloud or multi-cloud environments, and that's not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That's extrahop.com/trial.

    Jesse: ClearDATA expands flagship solution to facilitate health care's adoption of containers and serverless tech. Speaking of outsourcing to experts, there are lots of compliance reporting options out there, like my favorite, Qmulos. Full disclosure, remember I do work for Splunk. But there are fewer options for actively managing compliance in your cloud environment. Does anyone have experience with ClearDATA's Comply offering? Email me, I want to know more.

    Expanding security, visibility, and automation across AWS environments. I'm most interested in the AWS Graviton to ARM-based security in the asset discovery for AWS environments announcements in this piece. First, I love me some chip geekery, especially when security-related, and second, the thing most of us suck at is tracking our assets. Any help managing an asset list for our security tools is gravy.

    As Microsoft nears a $2 trillion market cap, Amazon is most likely to reach that level next. I'm always looking at economics and how that drives both behavior and technology. Also, looking at how markets move and companies grow and die tells us more about trends in technology decisions and spend than many other indicators. Stop and think about the implications of this: four of the world's five largest companies by market capitalization are US tech giants. Three of these are the parent companies of the three cloud giants: Microsoft, Amazon, and Alphabet or Google. It's a cloudy forecast for sure.

    Seven modern-day cybersecurity realities. None of these are earth-shattering news, but at least some of these will make you cringe when you consider your own environment. Feeling uncomfortable thinking about any of these is a good thing if you act on that feeling. Go forth and fix things.

    The challenge of securing non-people identities. Most of us wearily monitor people's account activity to ensure they aren't compromised. But the art and science behind monitoring accounts not tied to a person is more difficult to master. I argue some of the recent big security breaches shine light on these accounts being more critical to risk mitigation than human-used accounts.

    And now for the tip of the week. Turn off instances or containers or cloud services you aren't using. We turn off unused services on a system, right? Not using Postgres or MySQL? Shut it down. Not using the webserver? Shut it down.

    Leaving something answering on the network that isn't being actively used, or worse, not actively monitored, is an attack vector that can be easily leveraged by malware and bad actors. This is true for whole systems or cloud services that aren't actively part of your functional environment. If you aren't using your testing system, it should not be running at all. Leaving unused whole systems is far worse than leaving an extra service running because an intruder now has free rein over a whole machine that isn't in the spotlight, not just a corner of a well-used system. Given you can programmatically turn whole servers or containers on and off, there's no excuse for leaving them up when not in use. Turn those systems off. When in doubt, close the route.

    And that's a wrap for the week. This is Meanwhile in Security. Securely yours, Jesse Trucks.

    Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.

    Announcer: This has been a HumblePod production. Stay humble.

    Hooked on Compliance

    Apr 29, 2021, 9:10


    Show Notes:

    Links:
    Information Security Compliance: Which regulations relate to me: https://www.tcdi.com/information-security-compliance-which-regulations/

    Transcript

    Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.

    Announcer: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com.

    Jesse: Compliance requirements are everywhere. I've been on both sides of the table for dozens of audits, and I've even worked on commercial building fire code compliance for data centers and even a school. Whatever your industry, there are compliance requirements lurking somewhere in your buildings, your data center, and your clouds. You should know what legal compliance mandates you must meet as well as industry standards or certifications you should meet. You don't have to learn all the intricate details of any of these compliance laws or frameworks; however, you should at least know what requirements you have and what frameworks you should use.

    You need to understand more than what your organization does at a high level. You also should know what general activities your organization performs, such as selling things, providing services to a public or quasi-public entity, or government agencies, or schools, or managing investments or banking. Then go find out your compliance needs. An article called “Information Security Compliance: Which regulations relate to me?” by TCDI—which appears to be a consulting firm that I neither endorse nor know anything about at all—is a short primer on some common compliance programs that really should prove useful to you.

    Meanwhile, in the news, SANS cloud security curriculum gaining altitude. Become a SANS cloud ace. SANS and GIAC have the best security training and certifications, and now they've expanded their cloud courses, including some more foundational options non-security people should find valuable. The training is detailed, challenging, and rewarding, and will teach you far more than most other programs, including hands-on exercises that are key to learning tech.

    Introduction to the NIST cybersecurity framework. I like the cybersecurity guidelines and frameworks NIST creates because they are useful and understandable tools for non-security and security people alike. I like this introductory primer to better understand structured security frameworks and to start learning how auditors think.

    Essentials to consider when choosing a cloud security posture management solution. Whether your primary job is security or not, I always advocate for centralized, simplified automation and standardization of security controls wherever possible. For multi-cloud environments, you can outsource to a cloud security posture management—or CSPM—provider, and this quick read has tips I like on some basics to consider for how to choose your solution.

    SOC 2 attestation tips for SaaS companies. Everyone should understand the basics of service organization control type two, more commonly known as SOC 2, as it is fundamental to doing business in the cloud. SOC 2 is especially important for SaaS providers because it shows there are certain safeguards for data confidentiality, integrity, and availability, among other things.

    Enterprises need to change passwords following ClickStudios' Passwordstate attack. Tangentially related to cloud, password managers are great tools as long as they are secure, but if you use this one you need to know two things. First, you have to change all your passwords, and second, you need to search for indicators of compromise—or IOCs—for possible nasty things in your environment.

    Five objectives for establishing an API-first security strategy. With cloud-native services, APIs become an easy target, so you need to know how to design their use securely. I would use these tips in designing a SaaS offering, so you should too.

    Hackers are exploiting a Pulse Secure Zero-Day to breach orgs around the world. You need to trust your zero trust solution, and if you use Pulse Secure, you need to know what to do about this right now. If you don't use Pulse Secure, you should still understand what happened so you can be prepared for when this happens to you.

    Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn't translate well to cloud or multi-cloud environments, and that's not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That's extrahop.com/trial.

    Jesse: Man charged with planning to blow up Amazon Web Services data center in Virginia. You should always have your critical services and all of your data in multiple availability zones, and as much as possible spread across multiple regions. Someday, one of these nutters will succeed in disrupting AWS just enough to give you a bad day. Also, it's easy to forget that most people don't know how ‘the cloud' and ‘the internet' actually work. Heck, we barely know how these things work and we're supposed to know this stuff.

    SalusCare, a health services provider, sues AWS over security response. Sure, anyone can sue anyone for anything, but you need to be careful with your data and even more careful with your customers' data. Does your service agreement and licensing protect and indemnify you from things like this? Even a nuisance lawsuit is costly, so be informed.

    Risk, the misunderstood discipline. Security and finance people talk about risk constantly and some of us evaluate risk in our daily lives. Yep, I do every day at work and home. You need to understand some fundamentals of risk to know how to make decisions.

    What are the different roles within cybersecurity? Just like IT is balkanized and specialized, security is just as splintered and confusing. It helps to understand some basic differences in security roles, even if you don't want those jobs for yourself.

    Review last access information to identify unused EC2, IAM, and Lambda permissions and tighten access to your IAM roles. While the title is a mouthful, it is critical that you routinely and frequently audit your AWS environment to tighten permissions down to only what an account or service must access to do its job. Open permissions you think something needs, then use these methods to see what it doesn't use, and close those down to the minimum required to function.

    And now for the tip of the week. Always assign permissions to AWS IAM user groups. Never assign permissions to individual users. If a user needs a combination of permissions none of your user groups have in IAM, then create a new group with that combination of permissions, or use multiple existing groups to assign the user the exact set of permissions needed. This is critical for two reasons.

    First, using groups scales for easier management for when you have more users needing the same permissions; you can quickly end up with lots of users floating about with one-off custom permissions that are more complicated and time-consuming to track and audit. Second, when a project dies or morphs, you can delete or alter the related group permissions to change all the related users at once. In addition, this allows you to work more closely with project teams to roll out security with the new projects.

    And that's a wrap for the week, folks. Securely yours, Jesse Trucks.

    Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.

    Announcer: This has been a HumblePod production. Stay humble.
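The tip above (permissions go on IAM groups, never on individual users) can be checked mechanically. The following Python is an added example, not code from the podcast or from AWS: it audits a constructed snapshot shaped like the output of the real `aws iam get-account-authorization-details` command and reports every user carrying inline or directly attached policies, along with any existing group that already attaches the same managed policy, so the user can be moved into a group instead. The user, group and policy names in the sample are made up.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `aws iam get-account-authorization-details`
# output (only the fields this audit reads). Names and ARNs are made up.
SAMPLE_SNAPSHOT = json.loads("""
{
  "UserDetailList": [
    {"UserName": "alice", "GroupList": ["developers"],
     "AttachedManagedPolicies": [], "UserPolicyList": []},
    {"UserName": "bob", "GroupList": [],
     "AttachedManagedPolicies": [
       {"PolicyName": "AmazonS3FullAccess",
        "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"}],
     "UserPolicyList": []},
    {"UserName": "carol", "GroupList": ["developers"],
     "AttachedManagedPolicies": [],
     "UserPolicyList": [
       {"PolicyName": "carol-dynamo-oneoff",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
          {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}}]}
  ],
  "GroupDetailList": [
    {"GroupName": "developers",
     "AttachedManagedPolicies": [
       {"PolicyName": "ReadOnlyAccess",
        "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}],
     "GroupPolicyList": []},
    {"GroupName": "storage-admins",
     "AttachedManagedPolicies": [
       {"PolicyName": "AmazonS3FullAccess",
        "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"}],
     "GroupPolicyList": []}
  ]
}
""")


def groups_by_policy_arn(snapshot: dict) -> Dict[str, List[str]]:
    """Map each managed policy ARN to the groups that already attach it."""
    index: Dict[str, List[str]] = {}
    for group in snapshot.get("GroupDetailList", []):
        for policy in group.get("AttachedManagedPolicies", []):
            index.setdefault(policy["PolicyArn"], []).append(group["GroupName"])
    return index


def audit_user_permissions(snapshot: dict) -> List[dict]:
    """Return one finding per user that carries permissions directly.

    A finding lists the user's inline policies, directly attached managed
    policies, and for each attached policy the existing groups that could
    grant it instead (an empty list means a new group is needed).
    """
    arn_index = groups_by_policy_arn(snapshot)
    findings = []
    for user in snapshot.get("UserDetailList", []):
        inline = [p["PolicyName"] for p in user.get("UserPolicyList", [])]
        attached = [p["PolicyArn"] for p in user.get("AttachedManagedPolicies", [])]
        if not inline and not attached:
            continue  # every permission comes via a group: the desired state
        findings.append({
            "user": user["UserName"],
            "groups": list(user.get("GroupList", [])),
            "inline_policies": inline,
            "attached_policies": attached,
            "group_candidates": {arn: arn_index.get(arn, []) for arn in attached},
        })
    return findings


def format_report(findings: List[dict]) -> str:
    """Render findings as plain text suitable for a ticket or a CI log."""
    if not findings:
        return "OK: no IAM users carry direct permissions."
    lines = [f"{len(findings)} IAM user(s) carry permissions outside groups:"]
    for f in findings:
        lines.append(f"- {f['user']} (groups: {', '.join(f['groups']) or 'none'})")
        for name in f["inline_policies"]:
            lines.append(f"    inline policy {name}: move it into a group policy")
        for arn, groups in f["group_candidates"].items():
            hint = f"add user to {', '.join(groups)}" if groups else "create a group for it"
            lines.append(f"    attached {arn}: {hint}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real account, load the JSON written by
    # `aws iam get-account-authorization-details` instead of SAMPLE_SNAPSHOT.
    print(format_report(audit_user_permissions(SAMPLE_SNAPSHOT)))
```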

    ZTA: What's Your Plan?

    Apr 22, 2021, 12:12


    Show Notes:

    Links:
    “All Layers Are Not Created Equal”: https://blog.paloaltonetworks.com/2019/05/network-layers-not-created-equal/
    Help Net Security article: https://www.helpnetsecurity.com/2021/04/06/john-kindervag-zero-trust/

    Transcript

    Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.

    Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn't translate well to cloud or multi-cloud environments, and that's not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That's extrahop.com/trial.

    Jesse: Last week, I talked about Zero Trust as an office building where you have different ways of getting access to different parts of the building. Now, we're going to talk about Zero Trust architecture or ZTA. That always makes me think of a ZA plan. What's your plan? When the zombie apocalypse comes, you need to have Zero Trust. You do not trust anyone until you've confirmed that they are in fact, not a zombie.

    But how do you do this? Well, first you have to define what a zombie is and you have to define what a human is. And you also have to define what kind of resources that they get to access. Zombies don't get to access anything, especially not brains. But humans, they get to access all kinds of things: defensive positions, food, resources, medicine, shelter, and you have to confirm their identity every single time that they want to access something.

    How do you do this? Well, the first thing you have to do is define this, kind of, statically. Jesse comes up, shows he's not a zombie, gets something out of the kitchen. Next time, Jesse comes back, wants some medicine. You check; yep, Jesse's still not a zombie; he gets to have some medicine.

    However, in a Zero Trust world, what if one time somebody comes along, looks like Jesse, but he's actually a zombie? He doesn't get access because the risk has changed. This is exactly what Zero Trust is all about. It's doing authentication and then authorization based on the current context, what's happening right now. You let somebody in until it becomes a zombie.

    You let an account into your resources to use your applications until it looks like it's probably an attacker and not the actual real person behind that account. See how they are just alike? When you're implementing Zero Trust architectures, it's not quite as simple as seeing if somebody's flesh is rotting off their bones. So, what is in a Zero Trust architecture? Well, there's some basic components.

    For instance, you have a policy engine, which is basically what determines what the rules are and how they are applied in context, and you have Identity and Access Management—or IAM—and that is how you authenticate and how you determine whether an account actually is being driven by the person or thing that it should be. There's of course monitoring systems to gather and report on your environment, and then you have a SIEM—or Security Information and Event Manager—and an optional security orchestration, automation and response or SOAR tool. And the reason for this is so that you can change the architecture and the environment based on the current status of things. So, the policy engine can alter the environment in a feedback loop. And so the policy engine itself, as you can tell, is the brains behind everything; it sits in the middle and it drives the Zero Trust architecture to implement the Zero Trust model in your environment.

    So, how does this work? Well, if you talk to John Kindervag, the original creator of the Zero Trust model, he recently has an article where he was interviewed and he talked about some of the methodologies of doing this. So first, you define your protective surfaces—what are you protecting—then you map the transaction flows, what things are talking to other things, what systems are working together? How do your applications work? And then you architect the environment, so you have to put controls where the data or the services are, right?

    So, right at every single application, which is great in a cloud environment, especially if you're doing things like using Lambda functions, microservices, serverless functions, as well. And then you create a Zero Trust policy, and you do that by using the Kipling Method, which is the journalistic method of who, what, when, where, why, and how. There's even an article that he wrote—John Kindervag that is—a couple of years ago, and he talks about how that applies.

    It's a great read, but the main thing you have to get out of that is you have to answer all of these questions about what's happening in your environment. And then lastly, you monitor and maintain your environment. You gather telemetry, you do machine learning and analytics, and you look at risk analysis, and you have automated responses going through your SOAR platform. Those are the five key things. In short, this is what you should take away from that article on Help Net Security.

    One, define your protective surface. Two, map your transaction flows. Three, architect your environment. Four, create your policies, your Zero Trust policies using the Kipling method. And five, monitor and maintain your environment just like anything else. Make sure it's working, tune it, tweak it, evaluate it constantly.

    This is a never-ending cycle where you should always be analyzing, tuning, changing because your environment that you're protecting changes. And also the risks that you have will migrate and change over time. And technologies change; you're going to be moving things, swapping things out, implementing new things. You have to keep this in mind and go through this cycle over and over again, always defining what the new thing is, figuring out how that interacts with other things and how accounts access data and resources within it. And also following your business; how are things changing in your organization? What other types of things are needed for you to do and to protect the environment as close as possible to those new services and those new data sources?

    Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. 
Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That's goteleport.com.Let's do a quick example. You have a fictitious service running on an EC2 instance and it plugs into your IAM—remember that Identity and Access Management tools. You have monitoring on it, you've got the logs going places, it has a security event manager looking at it, so your SIEM's got it covered. And you've got your store platform has the ability to create accounts, shut it down, do all the things to it. Your Zero Trust policies indicate that if an employee has put in their notice, or they've otherwise been put on a watch list because management a little worried about them or HR is investigating them, then they cannot access this resource.So today, I log in, I authenticate using IAM, I used my correct multi-factor authentication. It is successful, and then I go to access your application and the Zero Trust policy engine says, “Yep, Jesse can now get in.” And then tomorrow, I put in my notice in the morning and I've got two weeks left. I go to log in to use your service, but today I'm on the watchlist. And so your service goes to the policy engine, says, “Can Jesse login?” And the policy engine says, “Hey. So, he's authenticated correctly; he does not have an increased risk score except for this anomaly where he's also in the watchlist.”Now, suddenly, Jesse doesn't get access to that particular resource. And if I get an offer to stay and I rescind my notice, and now I'm off the watch list and now I'm back, so in theory, I should be able to access that same application. However, you could also put in rules that says if somebody rescinds their notice and they stick around, they stay in a watchlist for a while. So, perhaps you do allow me access to that system, but you do better monitoring on what I'm doing in that system. 
Or even better yet, I can only access some of those resources, not all of them available in that application.If you design your infrastructure correctly, and you design your applications in a dynamic fashion that allows this to happen with granular rule sets for permissions inside of the application or resource, then you can do this kind of nuanced access through the policy engine that you cannot otherwise do in a traditional format where it's just, you're in and you get everything. This is even better than role-based access controls because it's granular permissions about individual little things that I can access or do and that application. That's a good primer on how to think about implementing your own Zero Trust architecture.Now, for the tip of the week. I cannot stress enough this point to secure your cloud storage. Everyone says this; all the cloud people get tired of hearing it. I know. So, do I. However, all of us have had some permissions somewhere that we didn't change, or we changed to the wrong thing—“Oh, we're just going to do this to test for a little while.”—and then it's like the days of yore with anonymous FTP sites, and suddenly there's a wide-open, world-readable and world-writable upload and download site for [whereas 00:10:47] and other nasty things you don't want in your infrastructure.So, you open your cloud storage, like S3 buckets, and it's just free storage for anybody and everyone. Or even worse, it is something that you do not want the world to see: your secret plans for your next go-to-market strategy. So, just go to your cloud provider, like AWS's own documentation has a topic called, “How can I secure the files in my Amazon S3 buckets?” Just go read it; go do it. Every time and every single time you come across storage that you haven't seen before, audit it. Audit your storage regularly; make sure that somebody hasn't changed permissions just to test this one thing. We all know that all changes are permanent until replaced. 
And that's a wrap for the week, folks. Securely yours, Jesse Trucks.Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.Announcer: This has been a HumblePod production. Stay humble.

    Zero Trust: Do You Trust Me?

    Apr 15, 2021 (10:39)


Show Notes:

Links:
An introduction to the mathematics of trust in security protocols: https://ieeexplore.ieee.org/document/246634
No More Chewy Centers: The Zero Trust Model Of Information Security: https://www.forrester.com/report/No+More+Chewy+Centers+The+Zero+Trust+Model+Of+Information+Security/-/E-RES56682
800-207, “Zero Trust Architecture”: https://csrc.nist.gov/publications/detail/sp/800-207/final

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.

Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn't translate well to cloud or multi-cloud environments, and that's not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That's extrahop.com/trial.

Jesse: Zero Trust is everywhere and nowhere. Over a decade old, Zero Trust feels like a new thing for many of us, but this feeling is likely because most of us experience or manage operational security methodologies following various forms of old-school trust and access models. In these models, a user or service authenticates to a network or service and gets all the things granted to them by their role or account permissions. This is often referred to as a trust-but-verify paradigm. Many organizations still use Virtual Private Network, or VPN, access mechanisms to connect from the outside to internal or trusted networks.

Accessing these internal or trusted networks provides access to a variety of systems with low to moderate security generally available to anyone granted access to the associated network. Each user accessing these networks is authenticated in some manner and then is trusted with the ability to connect to available resources. This is like many corporate office buildings: badge in or show ID to the security desk in the lobby, and you are granted access to wander the halls at will, with access to nearly any floor and office. In many modern office buildings, especially those with multiple tenants, there might be sections of the building that require additional verification using a badge reader or being cleared by guards at another security desk. This is like network segmentation trust models where each user must be granted specific access to certain networks.

Much like accessing different companies in the multi-tenant building works by being cleared by the front desk or using badge readers to unlock the doors and being granted access to all of the offices they're in, access to resources and services on these network segments is controlled at the entrance by firewalls and/or authentication gateways. Most services today require authentication to get beyond the front door, similar to the network segmentation model but on an application or service level. Usually, there are static definitions of access granted to each user. Although most applications and services rely on role-based access controls, or RBAC, these roles are statically defined with access to a list of resources, services, or capabilities for all users given that role. Searching network segmentation best practices finds dozens of results over the last couple of years with great advice on segmenting networks and limiting access to resources on those networks. Much of it is similar to one another and generally good advice to follow. I like to think of access to networks, resources, and services as being on a need-to-use basis and access to data on a need-to-know basis. Zero Trust upends the entire access model.

In June of 1993, IEEE published G.J. Simmons' article, “An introduction to the mathematics of trust in security protocols,” which, as the title implies, defines a mathematical approach to calculating trust in the context of computer systems. This concept opens possibilities for automating complex access authorization schemes. In 2009, while working as an analyst for Forrester Research, John Kindervag published a white paper titled “No More Chewy Centers: The Zero Trust Model Of Information Security,” outlining the Zero Trust model as a new paradigm for controlling access to resources and services.

Implementing a Zero Trust model creates the ability to dynamically grant access to resources and services based on real-time context, not statically defined need-to-use and need-to-know bases. Going back to the office building analogy, this is like the security station guards verifying things that are currently true before allowing you to access the building or any of the building spaces. For example, they could confirm you are currently employed by a tenant of the building and give you an access card that is good for one-time entry into your organization's space. However, if you leave your offices and need to return, you have to go back to the security station to get another one-time entry pass to your suites. Even if you never leave the building, you still must go down to the security station to get your one-time access pass.

If you need to visit another space in the building, the security station guards would verify you have an appointment that grants you access to a different space, and they would give you a one-time access pass to enter those spaces. Once again, when you need to return to your own offices, you must go back for another pass to get in. This is exactly how Zero Trust works.

In an ideal Zero Trust world, every time you must access a network, resource, or service, you must also authenticate in some way to both verify your identity and to obtain authorization to access the network, resource, or service. This goes beyond having a token to use for multiple transactions, like when we store a website cookie or token to skip logging in when we return to a site. Instead, the site would require authentication for access authorization every time we return. In a realistic Zero Trust Architecture, or ZTA, implementation, a cookie or token stored for a single session to skip login for every single page or image access is useful, but in a strict ZTA implementation, there would be an authentication action for every single file access even within the context of a site's single page load with graphics.

Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That's goteleport.com.

Jesse: The US National Institute of Standards and Technology, or NIST, published the Special Publication 800-207, “Zero Trust Architecture,” to define how to implement ZT. I recommend NIST ZTA as a foundation for your approach to, or at least understanding of, an operational ZTA implementation in the absence of other guidance from a reputable source. To implement ZT takes some basic components, and at the heart of it all is the policy engine.

The policy engine contains the rules to determine whether to grant or deny authorization for an account to access any particular resource or service. These rules should contain contextual parameters such as the device and network being used to initiate the request, or whether an account is in a watchlist or is otherwise at a higher risk level or in a different risk category than it usually is at the time of the request. For example, if I require access to HR records to perform my job duties, by default, my account would be granted access to the HR system providing those records. However, whether I am granted such access for a particular request should depend on the device I'm using, the network my device is using, and the current risks associated with the device, the network, and my account. In this situation, if I used my organization-issued laptop to connect to the VPN, the policy engine could grant me access to the HR system, which provides me access to the HR data.

However, if I used my personal smartphone from a public network and the security monitoring systems show anomalous behavior associated with my account, the policy engine should deny my access to the HR system. There are myriad ways to architect a ZTA solution and there are a number of reliable vendors with policy engines or whole ZTA service offerings available as either implementation or ongoing managed services.

I strongly suggest you review your environment to see where Zero Trust is already in place or ought to be implemented. At the very core of a Zero Trust implementation is the ability to quickly change access rules for accounts connecting to resources or services. This can be done in simple or complex ways. In the next episode, I will explore Zero Trust architecture implementation in much more detail.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.

    AWS, Verizon, and MEC: Demystified

    Apr 8, 2021 (10:12)


Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.

Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn't translate well to cloud or multi-cloud environments, and that's not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That's extrahop.com/trial.

Jesse: This week, Verizon announced a deepening of its partnership with AWS with the launch of a private mobile edge computing, or MEC, service, which was previously only available from Verizon using Microsoft Azure cloud services. This new service complements the public MEC offering using AWS that Verizon introduced in August of 2020, and brings MEC solutions within reach of many organizations who could not consider implementing MEC in the past. What is mobile edge computing and what do these services provide?

Mobile edge computing, sometimes called multi-access edge computing, is an infrastructure approach that provides cloud compute services at the edge of the network closest to the end-users of those services. To service implementations for mobile end-users, the hardware hosting the cloud services is co-located with the 4G or 5G networks rather than relying on transport to and from regular cloud services in addition to traversing the mobile networks.

This provides low-latency access for critical and real-time applications by users on those mobile networks. With the advent of 5G, latency on mobile networks has dropped down to or below levels commonly measured in landline-based networks. A common example cited is the use of MEC with self-driving cars for ultra-low latency access to traffic, weather, and other real-time conditions. However, a more practical example is using MEC to provide real-time analysis of crowd densities and line queues in public spaces such as theatres or public transit stations. The difference between public and private MEC is that, as the names imply, public implementations are accessible on the public internet, whereas private implementations are only accessible via internal private networks.

The latency for private MEC implementations tends to be much lower than public MEC implementations as well because the hardware running the compute services is physically located with the end-user systems, such as in a manufacturing plant or train station, but public MEC systems are usually located with a mobile network provider away from the end-users. The Verizon private MEC uses the AWS Outpost service, which is a hardware-based extension of AWS Cloud services physically located at the customer site rather than in AWS or Verizon data centers. These systems include Verizon 5G services for use on private local networks to provide low latency, easy to manage, and secure wireless access. Because of the co-location inside the customer network, the AWS Cloud services provided by this offering are only available to the customer hosting the hardware. The Verizon public MEC uses the AWS Wavelength service, which is a collection of AWS zones co-located with Verizon's 5G network in select locations. These are generally available [over 00:03:53] AWS Cloud services, usable by nearly any AWS customer. Meanwhile, what about security and MEC?

Because the Verizon MEC services use existing AWS products, there are no new security mechanisms, tools, or requirements added to either of the public or private MEC services. The customer is required to manage all the usual security for systems and applications they deploy with either of the MEC solutions using the shared responsibility model, with two slight differences with AWS Outpost. Let's look a bit more closely at these two products and their security models.

AWS Outpost is essentially an AWS Cloud in a box or rack of servers physically installed in the customer's location. This is remotely managed by AWS and provides a subset of the same AWS services, using the same APIs and other tools, as standard AWS offers in their normal regions. This is different from a wholly private and self-managed cloud implementation because AWS still manages the cloud infrastructure within the Outpost's equipment.

Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That's goteleport.com.

Jesse: With Outpost, there are two changes to the shared security model. Obviously, there's an added layer of security managed by the customer to protect the physical hardware, and the customer must also provide adequate network access and security for the network. However, in terms of the systems, services, and applications running in the environment, operations and security are the same as running those same services in any other cloud environment. The hardware within the server or rack is built on the AWS Nitro platform. Nitro is a hardware implementation of the AWS hypervisor technology, coupled with chip-based hardware security subsystems.

This allows for a secure implementation of AWS Cloud services while also protecting customer environments and data. AWS Wavelength is the implementation of many of the familiar AWS Cloud services but co-located by AWS within mobile provider 5G networks, and uses the same shared responsibility model as normal AWS solutions. Essentially, Wavelength is used much like any other AWS environment. To use Wavelength, you must request access to the desired Wavelength zone or zones. Once access is granted, create or modify an existing AWS virtual private cloud, or VPC, with coverage extended to include the Wavelength zone or zones.

Then you deploy MEC-based services in the Wavelength zones as you normally would in other AWS regions and zones. Given this is an implementation of VPC, there are no additional security concerns outside the normal issues with managing a complex VPC environment. As always, you can limit access to these services and applications in all the usual ways with either the public or private MEC solutions. You can limit access to VPC-connected systems, open it to public access, and/or require authenticated access. However, one caveat is that to grant access from outside the organization with the private MEC solution using Outposts, your network must provide a path to the services just as you would set up any self-hosted solution today. For more details on the services, go to the AWS documentation for Outpost, Wavelength, and Nitro.

Now that we've covered what this announcement means, it's useful to talk about how this might apply to your environment. Most organizations will have little or no use for MEC capabilities now or in the future. However, some organizations might find new uses for MEC now that the barrier to entry for this type of service is brought lower with the advent of these services as standard AWS and Verizon offerings. Implementing any solution that relies on low latency connections and high-speed calculations for near-instant results requires a non-trivial investment in time and resources, as we all know, but pushing such a solution to production use or as a rapid go-to-market strategy could be much faster and easier than it used to be using these services. The real security implications come if you're implementing MEC solutions that touch your IoT devices, which historically weren't involved in connected networks such as these. I'm [laugh] pretty sure that pricing is non-trivial as well, but you'd have to talk with our friends Mike and Corey at The Duckbill Group about cost analysis. I'm just the security guy.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.

    Know News Is Good News

    Apr 1, 2021 (10:31)


Links:
"What is an Attack Surface? (And How to Reduce it)": https://www.okta.com/identity-101/what-is-an-attack-surface/
"Developing Cyber Resilient Systems: A Systems Security Engineering Approach": https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.

Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn't translate well to cloud or multi-cloud environments, and that's not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That's extrahop.com/trial.

Jesse: There's a constant daily show of security-related news from all directions. It's a storm that never abates. Sifting through it all feels daunting to most people, including many security professionals. We need a strategy to sort it all out and focus on the things that matter, as quickly as we can. [laugh]. The easy and terrifying answer is just to subscribe to all the newsletters for everything your organization uses or your group manages; go read the articles they point to, and [laugh] give up because it's total information overload.

For some security people, this approach does make sense and it works; except the whole giving up part, of course. However, this isn't useful for most of us. As with anything driven by business needs, understanding how to find and evaluate useful security news starts with knowing your business. Whatever your role, you should understand how your work supports and furthers the organizational mission.

Understanding your mission leads to understanding your risks; therefore, you will know your role in risk mitigation. This leads to understanding how and why your technological solutions both support your mission and mitigate your risks to that mission. Now, let's look at how this foundational understanding of your business drives your consumption and evaluation of security news.

News strategy. It should be obvious that the role you and your technology have relative to the mission and risks determines the choice of both the types and the sources of security news you should read. It is tempting to focus only on cloud-specific sources and topics, but running in the cloud does not obviate the need for the security of your systems, applications, and data. It is also true that ignoring cloud-specific security news is a bad idea. To determine which to focus on first or most, look at the likely exposure your infrastructure has in terms of your risks.

For example, if your application delivers the services of your business to external customers as opposed to an internal employee service, then most people will interact primarily with your application services presented by your systems. Your largest attack surface would be your service application, the data presented and used by your application, the operating system or microservice platform supporting your application, and the network infrastructure to tie it all together. We define attack surface as the collective group of services, systems, or data exposed to access by a potential adversary. In other words, if something can be touched on the network, it is part of the attack surface for initial intrusion. And if something on the system can be touched by local access, it is part of the attack surface for an attacker who has gained access beyond the network resources.

This means most of us have a primary or larger attack surface in the application and systems exposed in services delivery, and our cloud infrastructure underneath and supporting our systems and services is likely a secondary or smaller attack surface. For more reading on attack surfaces, check out Okta's article called “What is an Attack Surface? (And How to Reduce it)” and see the attention given to the topic in the US National Institute of Standards and Technology, or NIST, Special Publication 800-160, Volume Two, called “Developing Cyber Resilient Systems: A Systems Security Engineering Approach.” Wow, that's a mouthful.

Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That's goteleport.com.

Jesse: It is generally the case for most people and organizations that non-cloud-specific news will provide the most return on our investment of time upfront, though this changes once processing and acting upon general security news become streamlined. Now, let's talk about how to determine the usefulness of the news we encounter.

Evaluating news. Most of us would head straight to industry sources to see what the biggest news of the day is, but I suggest a different approach to triage your news needs. First, look at mainstream news sources such as the New York Times, Washington Post, and the Guardian, or even NPR, CNN, and BBC. Is there cybersecurity-related news showing up in many or all of these sources? If there is big news, it will be all over it with original source articles, and even articles summarizing those other news sources.

This will likely give you a general idea of the service or technology affected, which helps you determine whether further research is required to understand the impact it may have on your organization. These sources may not clarify what specific technical services or systems are involved, however. Once you've found these big news items, search in the tech industry-focused sources to get more relevant detail that isn't over-simplified for a larger public audience. If there isn't big news from mainstream sources, look for popular topics across tech industry-focused sources. See what these sources are saying across the board to see what are the most critical elements you should consider and investigate.

Some popular sites to consider are Wired, CIO, and CSO's security site. Also, don't forget your LinkedIn newsfeed or your various social media venues like Twitter, your Facebook timeline, Instagram, or your other favorite internet hangouts. Your next stop to further refine your understanding of the technical things happening with a widespread security issue is to dig into a topic on technical-focused sites. These can be specific to a particular vendor technology, like Microsoft's security blog, Red Hat's security channel, or Cisco's security content, for example. This is where you start getting into the detailed and specific vulnerabilities, including the method of compromise, such as buffer overflows, remote code execution, or RCE, privilege escalation, or denial of service, or DoS, attack types.

I'll discuss more about these attack types another time. To dig into the deep technical details, find articles on your topic in publications like SC Magazine's security news site, the Hacker News, or Dark Reading, among others. Although keep in mind, these sometimes get deep into the security domain and use security-specific language and jargon that might be a bit hard to follow if you're not used to it. The technical articles often will reference the common vulnerabilities and exposures, or CVE, identifiers. The CVE Program is a service of The MITRE Corporation, which operates federally-funded research and development centers, or FFRDCs, in a number of areas including a [Strong Center 00:08:37] in the National Cybersecurity FFRDC.

MITRE's cybersecurity work extends to a number of areas and comes up frequently in security domains. I will cover more of what MITRE does in a future episode. In a short description, a CVE identifier points to an entry in the CVE program list that provides basic information about a vulnerability in a standard format, covering things like the operating system or software package affected, vulnerable versions, a description of the vulnerability, and pointers to the deep dive into the exact nature of the vulnerabilities.
Follow the links in the CVE entry for remediation and mitigation specifics on patches, upgrades, or other mitigation steps for vulnerabilities, such as configuration changes.While searching for a security exploit, and looking at headlines at the time of recording this podcast, I see big news about patching iPhones, and iPads, and a widespread attack on Exchange servers, which includes things about the Black Kingdom ransomware used by the Hafnium cybergang. Those are great rabbit holes to fall into for some fun security reading. If your organization uses iPhones, iPads, or Microsoft servers, go down the holes and see where they lead.Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.Announcer: This has been a HumblePod production. Stay humble.

    Trilogy of Threes and a New Mantra

    Mar 25, 2021 (11:54)


    Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you're about to listen to.

Links:
aws.amazon.com/compliance
aws.training
docs.microsoft.com/asure/security

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That's goteleport.com.

Jesse: Trilogy of Threes and a New Mantra. Trilogy of Threes. Good security practices and good security programs are built on three separate but intertwined principles, each of which has three parts. Simon Sinek's Golden Circle framework lays the foundation for why you have a security program, which is a balance of risks to critical assets and services, and business objectives. The next part of how you apply the Golden Circle to your security program is about how you accomplish meeting these objectives and mitigating your risk through the People, Process, and Technology framework.

The PPT method helps you define the roles that are needed to implement your security program, the overview of processes or actions within your security program, and the types of technology that support your security program. The final part of how you apply the Golden Circle encompasses what specific things you do to implement your security program using the Holy Trinity of Security: confidentiality, integrity, and availability, or the CIA triad. In your security program, you should define who should be allowed access to any data or service, how you monitor and protect any data or services, and how you keep data or services available for users. Although understanding how to build a security program from nothing is incredibly important, most of us are already operating within an existing security program. Many of us will have influence only on the specific implementation of tools for the Holy Trinity, CIA. All this theory is crucial to understand, but you still have a job to do. So, let's get practical.

Where to start today. Searching online for ‘Top X for AWS Security' returns the expected long list of pages, and there are shed-loads of fantastic tips in the results. However, reading through many of them, including AWS's own blog entry on the topic, shows that proper cloud security involves large projects and possibly fully re-architecting your entire environment. As is often the case in these things, all the best security advice in the cloud has to do with doing security right from the very beginning. Yet this is like discovering a new love of playing the piano late in life, like I did, [laugh] and someone telling you the right way to learn to play the piano is to take lessons as a child. This isn't very useful advice, now is it? Of course, it's too late to become a child piano prodigy, but it's not too late to take up the piano and do well.

Fundamentals. In traditional non-cloud environments, physical security for everything leading up to touching a machine is usually the purview of a different part of the organization, or an entirely different organization, than the security team or group responsible for system, network, and application security. Generally, most information or cybersecurity starts with accessing the software-based systems on a physical device's console or through a network connection. This, of course, includes accessing the network through some software path, usually a TCP or UDP-based protocol. In cloud environments, the cloud providers, such as Amazon Web Services—or AWS—Microsoft Azure, or Google Cloud Platform—GCP—maintain and are wholly responsible for all the physical environment and the virtual platform or platforms made available to their customers, including all security and availability required for protecting the buildings and hardware, up through the hypervisors presenting services allowing customers to run systems.

All security above the hypervisor is the customer's responsibility, from the operating system or OS through applications and services running on these systems. For example, if you run Windows systems for Active Directory Services, and Linux systems for your organization's online presence, then you own all things in the Windows and Linux OSes, services running on those systems, and the data on those systems. This is called the shared responsibility model. AWS provides details on their compliance site, aws.amazon.com/compliance, as well as in a short video on their training and certification site, aws.training. Microsoft describes their model on their documentation site, docs.microsoft.com/asure/security. Google has lots of information in various places on their Google Cloud Platform, GCP, site, including a guided tour of their physical security for their data centers, but finding a simple explanation like the other two major services have available eluded me. Google does have a detailed explanation of their shared responsibility matrix, as they call it, which is an 87-page PDF. Luckily, given the overwhelming popularity over the other cloud providers, I tend to focus mostly on AWS. I didn't read the whole GCP document.

Announcer: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the Cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That's lacework.com.

Jesse: Basic AWS training. Amazon provides ample training and online tutorials on all things AWS. This includes AWS basics through advanced AWS architecture and various specialty areas like machine learning and security, among others. I encourage everyone who touches anything in AWS to go through their training courses online at aws.training. If you are new to AWS or cloud in general, go take AWS Cloud Practitioner Essentials, and then take some primers in AWS security: AWS Security Fundamentals; Introduction to AWS Identity and Access Management, or IAM; and AWS Foundations: Securing Your AWS Cloud. These are all eLearning-based and free. This will be some of the best nine to ten hours you can spend to build a foundation for securing your AWS infrastructure.

Learning is great; doing is better. Whether you've taken the relevant AWS training or just want to dive in and make your AWS security better today, you'll want to go make a difference in your risk and exposure as quickly as possible. After all, unless you're listening to this as a seasoned security professional, you're probably here to learn how to make your security better as quickly and easily as possible. Anyone looking at the list of courses I've suggested and considering my fundamental approach might be trying to discern which first principles of good security I'll talk about first. If you're thinking along those lines, you might miss some of the very basics.

As with all things in the tech world, there are some basics that can't be repeated often enough. The simplest and most blatantly obvious advice is to secure your S3 buckets. Let's cover that again so nobody misses the point. Secure. Your. S3. Buckets. Now, repeat that 27 times every morning while you get ready for work before you touch your keyboard.

This is the cloud version of securing FTP, meaning FTP isn't too bad a protocol, but it's notorious for being misconfigured and allowing anonymous FTP uploads and downloads. If you want to fall into a hole learning everything there is to this, go read the Security Best Practices for Amazon S3 portion of the S3 User Guide. If you don't have time or energy for wading through that lengthy but valuable tome, check some basics for your maximum ROI for minimal effort. If you allow public access to S3 files directly, you should seriously reconsider your solution. There are dozens of ways to provide access to files that aren't as risky as opening direct access to data storage.

You should block public access at the account level by going to the S3 services section in the AWS Management Console. And in the menu on the left, select ‘Block Public Access Settings for this Account.' If you can't do this immediately, go lock down all buckets that don't have this insane requirement to be open to the public. Do this by selecting the bucket, and block access in the Permissions tab.

You should always be thinking of the fundamentals of great security, and you should always be learning and improving your skills, of course. You should also continually make little changes and review the basics. Some new project will go live and some S3 bucket will have horrible permission settings, or some other fundamental violation of security best practices will occur. We should always be looking out for violations of the basics, even while we work on the larger projects with greater apparent impact. I repeated my mantra 27 times today. Have you?

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcasts, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.
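The account-level and per-bucket Block Public Access checks described in the episode above, as an added example that is not part of the podcast or of any AWS tooling: the audit logic works on the four flags the real GetPublicAccessBlock API returns, the sample bucket data is constructed, and the optional `fetch_live_configs` helper (which needs boto3 and AWS credentials) is an assumption about how you would feed it real data.

```python
"""Audit S3 Block Public Access at the account and bucket level.

Added example, not code from the podcast or from AWS. It assumes the
four flags exposed by the real GetPublicAccessBlock API. S3 applies the
most restrictive combination of account-level and bucket-level settings,
so a flag counts as effective if either level enables it.
"""
from typing import Dict, List, Optional

REQUIRED_FLAGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def missing_block_settings(config: Optional[dict]) -> List[str]:
    """Return the Block Public Access flags that are not enabled.

    `config` is a PublicAccessBlockConfiguration dict as returned by
    get_public_access_block, or None when no configuration exists at all
    (the API raises NoSuchPublicAccessBlockConfiguration in that case,
    which is equivalent to every flag being off).
    """
    if config is None:
        return list(REQUIRED_FLAGS)
    return [flag for flag in REQUIRED_FLAGS if not config.get(flag, False)]


def audit(account_config: Optional[dict],
          bucket_configs: Dict[str, Optional[dict]]) -> Dict[str, List[str]]:
    """Combine account-level and bucket-level settings.

    Returns {bucket_name: [flags missing at BOTH levels]} for every bucket
    that is not fully protected; an empty dict means all buckets are covered
    (either by the account-wide setting or by their own setting).
    """
    account_missing = set(missing_block_settings(account_config))
    findings: Dict[str, List[str]] = {}
    for name, cfg in bucket_configs.items():
        bucket_missing = set(missing_block_settings(cfg))
        # A flag is only really missing if neither level turned it on.
        effective_missing = account_missing & bucket_missing
        if effective_missing:
            findings[name] = sorted(effective_missing)
    return findings


def fetch_live_configs(account_id: str):
    """Pull the real settings with boto3 (assumed helper; needs credentials).

    Uses the S3 Control API for the account-wide setting and the S3 API for
    each bucket; a missing configuration is reported as None.
    """
    import boto3  # imported here so the audit logic runs without boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    s3control = boto3.client("s3control")

    def read(call, **kwargs) -> Optional[dict]:
        try:
            return call(**kwargs)["PublicAccessBlockConfiguration"]
        except ClientError as err:
            if err.response["Error"]["Code"] == "NoSuchPublicAccessBlockConfiguration":
                return None
            raise

    account = read(s3control.get_public_access_block, AccountId=account_id)
    buckets = {
        b["Name"]: read(s3.get_public_access_block, Bucket=b["Name"])
        for b in s3.list_buckets()["Buckets"]
    }
    return account, buckets


# Constructed sample data (not from any real account): the account-wide
# block was never configured, one bucket is fully locked, one is half done,
# and one legacy bucket has no configuration at all.
SAMPLE_ACCOUNT: Optional[dict] = None
SAMPLE_BUCKETS: Dict[str, Optional[dict]] = {
    "billing-archive": {flag: True for flag in REQUIRED_FLAGS},
    "marketing-assets": {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": False,
        "RestrictPublicBuckets": False,
    },
    "legacy-uploads": None,
}

if __name__ == "__main__":
    for bucket, missing in audit(SAMPLE_ACCOUNT, SAMPLE_BUCKETS).items():
        print(f"{bucket}: missing {', '.join(missing)}")
```

Turning on the account-level setting in the console, as the episode recommends, makes `audit` come back empty for every bucket, which is the point of fixing it at the account level first.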

    The Holy Trinity & the CIA Triad

    Mar 18, 2021 (11:03)


Links:
EI-ISAC Cybersecurity Spotlight – CIA Triad: https://www.cisecurity.org/spotlight/ei-isac-cybersecurity-spotlight-cia-triad/
What is the CIA Triad?: https://www.f5.com/labs/articles/education/what-is-the-cia-triad
The CIA triad: Definition, components and examples: https://www.csoonline.com/article/3519908/the-cia-triad-definition-components-and-examples.html

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That's goteleport.com.

Jesse: This is the third of a trilogy of threes that covers the core foundations of good security practices and good security programs. In the first issue of Meanwhile in Security, I explained how security is a mindset, not a tool, and the importance of understanding the why, or the purpose, for building a security program. This drives everything you do in your organization for securing your critical assets. The why is the core reason for having a security program.

Next, I laid the foundation for the how, or the principles that guide the work of your security program, by exploring the people, process, and technology paradigm upon which all successful security programs are based. Using PPT, you will build a longer-lasting, more dynamic, and highly successful security program.

Following Simon Sinek's Golden Circle model, the outer ring is the what, or services offered by an organization, group, or individual. In implementing and maintaining a security program, the how focuses on the confidentiality, integrity, and availability of all data and services offered within the scope of your security program. This is often called the holy trinity of security, or the CIA Triad. All actions performed and tools implemented in support of the security program stem from one of these fundamental precepts of security. Let's dig into the parts of the Triad.

Confidentiality. The first part of the Triad is confidentiality, which is about controlling access to data and services. In their article titled “EI-ISAC Cybersecurity Spotlight–CIA Triad,” the Center for Internet Security, or CIS, defines confidentiality as quote, “Data should not be accessed or read without authorization. It ensures that only authorized parties have access.” End quote. I expand on this definition to include services, not just data. Every organization and person has data to protect. The traditional approach to confidentiality assumes that any service that touches the data falls within the scope of confidentiality, as a means to protect against disclosure of the data that the service accesses. This can lead to a focus on robust and complete data access controls without similar attention paid to services that don't directly touch data with those controls in place. However, I consider access to and use of services within the scope of confidentiality because protecting use of resources is often as important or, in some cases, more important than the data access. This is often the case with cloud-native applications using microservices. Many modern services can take action without accessing specific data sources, especially when the data source is defined as part of the microservices invocation. For example, consider an attacker who has pilfered a file or files from your services or systems or from some other source and wants to perform analysis or some type of processing of the file or files. If you run services useful to the attacker in this scenario, the attacker may not touch your data, but they may attempt to use your services without authorization. To apply confidentiality to your security program, determine and document what data and services are sensitive and require access protection. To do this you may need to track down data and service owners. This process is closely related to the why of your security program, which ultimately exists to protect your data or services.

Announcer: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the Cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That's lacework.com.

Jesse: Integrity. The second part of the Holy Trinity is integrity, which refers to keeping data intact and services functioning as expected. Anyone accessing data or a service should only have the ability to alter or remove any data or alter or repurpose a service when they are authorized for such actions. In Debbie Walkowski's post for the F5 Labs site on July 9, 2019, “What is the CIA Triad?” she defines that integrity is about ensuring data quote, “Is correct, authentic and reliable.” End quote. Any unauthorized changes or removal of data or to services violate integrity, and are generally classified as alteration or modification attacks. Changes to some of your data can immediately call into question other data protected by the same security program and security monitoring or control tools. A type of integrity attack on software is a supply chain attack. This is an attack on any part of the process of creating, testing, and distributing software. This attack could be an alteration of the source code or of compiled binaries and their related checksums prior to distribution to end-user customers. A recent high-profile example is the changes to the supply chain of some SolarWinds software that was then installed in thousands of their customers' systems. You can implement integrity protections for your data by putting in place monitoring tools to detect changes to or removal of any data. You can monitor services integrity with tools and logging that indicate any unauthorized changes in running processes, and testing to ensure expected services functionality. Be sure to incorporate integrity definitions, monitoring, and controls into your security program.

Availability. The third part of the Holy Trinity is availability, which is maintaining the ability to access and use data or services. If your data is protected from unauthorized access and verified intact, it is useless if it cannot be accessed by authorized users and services. In his feature article titled “The CIA Triad: Definition, Components and Examples” in CSO in February 2020, Josh Fruhlinger writes that availability means quote, “Authorized users should be able to access data whenever they need to do so.” End quote. This applies to services as well because a service should be available to authorized users when those users need to use the service. Clearly, your services are useless if authorized users cannot access your services. There are many ways to prevent access to services, as well. For example, most of us have heard of Denial of Service, or DoS, or Distributed Denial of Service, or DDoS, attacks. A DoS on any service can be accomplished in numerous ways, from flooding the network or system with too much traffic, stopping the service from running by crashing it or turning it off, or blocking access to the service by altering the network in some way. A DDoS is a method of flooding a network with traffic from multiple sources rather than from a single system. Ensure your security program incorporates availability of your data and services by documenting the means that provide access to your data and services, and then implement a combination of monitoring and control systems to detect and respond to attacks on availability.

The Golden Triangle defines which organizational personnel, policies and procedures, and technical tools implement monitoring and controls for the Holy Trinity. These two triads are the how and the what of your security program and work together to support your security program's why. Create or refine your security program by documenting which aspects of your program directly address all the elements of both PPT and the CIA Triad. Taking this approach will ensure your security program is both comprehensive and comprehensible to management, IT staff, and users, not only the security professionals and auditors. Tune in next week when I discuss applying the trilogy of threes in the cloud.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcasts, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.

    The Golden Triangle

    Mar 11, 2021 (12:18)


Links:
“What actually is “The human aspect of cyber security”?”: https://www.cybsafe.com/community/blog/what-is-human-aspect-of-cyber-security/
“What is Process View of Work?”: https://asq.org/quality-resources/process-view-of-work
Smartsheet Complete Guide to the PPT Framework: https://www.smartsheet.com/content/people-process-technology

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

Announcer: Are you building cloud applications with a distributed team? Check out Teleport, an open-source identity-aware access proxy for cloud resources. Teleport provides secure access for anything running somewhere behind NAT: SSH servers, Kubernetes clusters, internal web apps, and databases. Teleport gives engineers superpowers. Get access to everything via single sign-on with multi-factor authentication, list and see all SSH servers, Kubernetes clusters, or databases available to you, and get instant access to them using tools you already have. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. And best of all, Teleport doesn't get in the way. Download Teleport at goteleport.com. That's goteleport.com.

Jesse: Last week, I laid the foundation for a core philosophy driving how I evaluate everything, especially in security. I try to always know the why: why something exists, why someone does a thing, or why an organization has a policy or a program. Now, let's talk about defining the framework of your defensive security program. The sexy and exciting world of offensive security—red teams, penetration testing, hacking, or cracking—gets most of the attention when non-security people think about our work. The popularization of the hacker type in media and entertainment fuels many of these misconceptions, but the reality is that defensive security is far more important than offensive security. If you see defensive security depicted in the media at all, the person doing it is generally portrayed as inept. In fact, the opposite is true. Those of us in defensive security solve incredibly complex problems, often with insufficient resources and tools. For the record, I know your work defending systems is far more challenging, rewarding, and complicated than non-security people realize. I know defending systems can be confusing if that's not your full-time job. I also know that there is solid science underlying our work. Understanding that science will increase your success when implementing your security program. This week, we're discussing People, Process, and Technology, often called the “Golden Triangle.” This foundational framework applies to all successful security programs, even if the security program was not originally designed or written using this framework. The Golden Triangle is your how, or the principles of your security program. Unfortunately, too many people see defensive security as boring, and the people who implement it as buttoned-up indentured servants to corporate or government overlords. There's far more science than art in our work versus the enticing cool factor of breaking into systems to steal away the crown jewels.

Golden Triangle: People, Process, and Technology, or PPT. Many of you may have heard of the People, Process, and Technology paradigm, but most of you won't know what people mean by it. The reason PPT matters and is successful is because it's a business process model. In other words, it's a proven framework for building a successful and functional organization. The use of PPT in security was first popularized by Bruce Schneier in 1999. He references having used the model in a blog post in 2013, but I failed to find the original article. Since his first mention of it, the idea has taken root and is now part of the general toolkit and lexicon of security practitioners everywhere. PPT is wholly applicable to IT, of course, although it's less popular in IT circles. Let's break it down.

People. The first of the triad—people—refers obviously to humans. This is the human impact on security. This certainly includes your security professionals and management, yet this also can include general employees or contractors of your organization, depending on the scope of your security program. Security personnel are critical to the success of a security program, from the CSO all the way down to individual contributors: the security analysts. Without the right people designing, implementing, and supporting your security initiative, your program is doomed to fail. You need to know that the people performing tasks and using tools are skilled in the right area so that you can be successful. You must populate your security teams with people well-versed in the business and technologies being protected and monitored, or if you cannot do that, you must provide basic resources and training to provide them with adequate knowledge to do the job. For example, you may be tempted to only hire generalists who know a little bit about everything without any depth of knowledge. But to build the most successful program, your people need domain knowledge. If you are protecting Windows systems and networks, you need to hire Windows experts and network engineers, or you need to bring your existing staff up to speed on these topics. To go a bit deeper into the people concepts, check out CybSafe's article, “What actually is “The human aspect of cyber security”?” Note this is not an endorsement for or against CybSafe, the company, its people, or its services. I don't know enough about them to comment either way. However, it was a very good article.

Announcer: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the Cloud: low effort, high visibility and detection. To learn more, visit lacework.com. That's lacework.com.

Jesse: Process. The second of the triad—process—refers to a defined series of tasks or actions that comprise the security program. These are actions performed by humans, or automated with machines or software, to support the why of this security program. Because your security program requires actions to be taken, it will fail without properly defined and implemented processes. Ultimately, people interact with processes, whether a particular process is all human performed and driven, or wholly automated by machine or software, or any combination of the two. Defining these processes is key because if people don't understand what they must do and how they must do it, they will fail at implementing and following the process. In security, this is particularly true because most processes consist of a combination of human performed and automated work. A breakdown in process could result in a catastrophic security breach. For example, when SolarWinds failed to protect its source code supply chain, thousands of customers were breached. In this case, the company didn't have a comprehensive process for ensuring the integrity of their source code. A retooling of the source code verification process could have prevented this from happening. You must define your organization's key security processes, including system and service monitoring, asset tracking—which is both more and less difficult in cloud settings than traditional operations, in different ways—event alerting, incident declaration and response, and remediation. I will delve into the details of some of these processes in the future. The American Society for Quality, or ASQ, defines process by explaining different types of processes from an organizational view, and we tech people can learn from their work; see the ASQ article called “What is Process View of Work?” for a larger understanding of process in this way.

Technology. The third part of the triad—technology—refers to all types of tools used by humans, either manually or through automation, to perform the tasks outlined in the processes in the security program. In security, there tends to be a much heavier reliance on technical tools than in some other areas of your organization. The reason for this may be obvious: by definition, information or cybersecurity is the monitoring, alerting, and responding to things that happen on technical infrastructures of some sort… with some social engineering in there, too, but that's a topic for another day. Especially in cloud environments, most security program processes can be automated with little or no human intervention. Indeed, many security processes must be automated or the work cannot be done. Ultimately, however, humans will be consuming the output of these various systems. However, you may not have the luxury of automating as much as another security group can, or you may not yet understand your environment enough to implement heavy automation. If that's the case, you may end up with voids in your security program, places where analysis is not available or is unattainable because of your available technology. If that's the case, you should document this unmitigated risk or vulnerability so that you can address the issue when resources become available. But know this: even small operations need some tools to have even a faint hope of catching incidents happening in their network. We live in an age of data, and our systems create too much of it at too high volumes at too fast of rates for a human to manually sift and sort through the data. Thus, you must define the types of tools needed to monitor your environment and respond to security incidents in your organization, even if some of those tools are just on your wish list for now.

Smartsheet has an in-depth explanation of the whole PPT framework. In there is everything you need to know about the People, Process, Technology framework, with good descriptions of all the parts of the triad, including a section on technology. The PPT model can be applied to an existing security program or used to build a new security program. Its flexibility and adaptability offer your organization the underlying structure to build or retool your security program into a robust defense system. By finding the why of your security program and defining the how using the People, Process, and Technology model, you are well on your way to developing a successful security program.
The next step is to determine the what of how you implement security monitoring and controls.Tune in next week when I discussed the holy trinity of confidentiality, integrity, and availability.Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.Announcer: This has been a HumblePod production. Stay humble.

    Welcome and Why Does Security Matter?

    Mar 4, 2021, 14:04


    Links: https://simonsinek.com/product/start-with-why/ https://www.ted.com/talks/simon_sinek_how_great_leaders_inspire_action?language=en

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

Announcer: Are you building cloud applications with a distributed team? Check out Teleport, an open-source identity-aware access proxy for cloud resources. Teleport provides secure access for anything running somewhere behind NAT: SSH servers, Kubernetes clusters, internal web apps, and databases. Teleport gives engineers superpowers. Get access to everything via single sign-on with multi-factor authentication, list and see all SSH servers, Kubernetes clusters, or databases available to you, and get instant access to them using tools you already have. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. And best of all, Teleport doesn't get in the way. Download Teleport at goteleport.com. That's goteleport.com.

Jesse: Welcome to Meanwhile in Security. I think we all need a personal assistant to sift through the flood of security news and innovations coming at us. But even if each of us had a PA—and who am I kidding, almost none of us do—our assistants would need their own assistants just to handle the flood of information. I think most of us agree that information overload poses a significant challenge to many of us. And with that challenge comes risk. When I talk to people about security, most of them say they need a guide and translator to sort out the deluge of information they receive. More importantly, I've learned that missing key information related to security can jeopardize your organization's mission success, and security breaches are costly, both financially and in lost reputation.

When my friends Corey and Mike at The Duckbill Group asked me to create Meanwhile in Security, I remembered my own struggle to stay on top of security news in addition to staying current with the IT operations I managed. I designed this newsletter and podcast with a goal of serving as your personal translator and guide. Each week, you can count on me to explain a security-related topic, whether it's a core security concept, a breakdown of the latest big security breach in the news, or a guide for implementing an operational security methodology. Of course, you might wonder why me? Why Jesse Trucks? What do I bring to this discussion? For more than 20 years, I've been in the trenches, managing operations and security for networks, systems, and applications, and working with public and private organizations of all sizes and types. I've done system forensics, managed defensive security and audits, and more. As both an individual contributor and in management, I've written documentation and reporting for users, system admins, and management, designed and implemented training, risk mitigation, and security programs, and helped companies, schools, hospitals, and government agencies in the US and elsewhere improve security operations and compliance, respond to breaches, and develop and implement risk analysis and mitigation strategies. I've lived through the industry transformation from bare metal, to virtualization, to containerization, and to cloud. This breadth and depth of experience gives me a unique understanding of systems on micro and macro scales. I know how to manage business needs and people. And I've learned that security is as much about conception of risk and risk mitigation as it is about the technology used to manage risk. Connecting business IT and security together is what I love doing. For me, translating security for all these audiences is one of my core personal missions.

I've learned that having open dialogue and inviting questions is a powerful tool for creating meaningful change. So, here are my questions for you: what security concepts or topics confuse you? Be honest. What keeps you up at night about security? How can I help you better understand the importance of security? How can I help you translate security topics for your peers and managers? Where in your cloud journey do you need to better understand security issues and potential risks? Please send me your questions, concerns, and feedback. I can't wait to hear from you.

Find your why, or how to convince people that security matters. As I mentioned earlier, one thing I've learned during my career is that security is as much about people's conception of risks and risk mitigation as it is about the technology used to manage risk. In this first episode of Meanwhile in Security, I want to establish the foundation for an effective security approach. Driven by management and budgetary concerns, it's easy to get caught up in choosing the tools to manage security without understanding the why of what you are managing. This often leads to financial waste, frustration, and organization-wide resistance to security-related changes. In addition, it usually leads to poor security practices due to misalignment with the risk mitigation needs of the business. The first important lesson in managing security is to realize that security is a mindset, not a tool. We often hear security is a process, but this skips straight to implementation. I suggest that implementing and managing security is a process which encompasses people's actions with technical tools. Not every tool is a perfect fit for the job we need to complete. You wouldn't bring a hammer to a laundry pile any more than you would bring a washing machine to a building site. We can't know the tools we need if we don't have a roadmap for the protection we're seeking.

Thus, it's important to understand that security and compliance aren't your primary goals. Protecting something is the goal. Designing and implementing security programs is a painstaking and time-intensive task, and organizations often go through many iterations before finding a program that works. That's because they lose sight of the fact that your security plan is not your actual goal. Protecting data or services, the infrastructure for those data or services, and the data integrity and services availability are the goals. We're all protecting something valuable, but if we lose sight of why we're protecting the things we're protecting, we lose the narrative on how to protect it. In other words, a security program is nothing without a why or a reason.

Corey: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the Cloud: low effort, high visibility and detection. To learn more, visit lacework.com. That's lacework.com.

Jesse: Best-selling author and speaker Simon Sinek discusses the golden circle in his book Start With Why as well as his TED Talk, “How Great Leaders Inspire Action”, where he explains the neuroscience behind the importance of knowing why you do something. In these documents, Sinek outlines how in successful organizations, the why is the purpose that drives everything the organization does; the how is the principles that guide the work, and the what is the services offered by an organization. His approach mirrors what a successful security program should do. This science-based approach makes sense both from an organizational and an individual standpoint. Thus, what you are securing ultimately depends on determining why you are securing it. If you can identify the why underlying the security need, you will more easily decide and take control of what methods and tools you need to use. Frequently, I've seen an organization over-architect their security solutions and over-purchase tools to secure their data because they don't fundamentally have a grasp on why they are securing the information in the first place. This can also lead to shelfware status, even for tools that could be useful for risk mitigation and improving security. Purchasing the right tool is wasted resources without a success plan for implementing the tool. And you can't have a success plan without understanding why you need the tool in the first place. More importantly, you must understand that the why of securing your something is dependent upon your organization's mission and goals. Goal-driven change that makes sense to the end-user is change that users will embrace and even cheer-lead themselves. As an example, faculty and staff at a small community college were told that they had to change their passwords every 90 days. This led to general grumbling and unhappiness from all corners because the decision was communicated without a mission-dependent message attached to it. When the message was reframed as faculty and staff needed to change their password so that they could better protect student data, there was a wide-scale adoption of this security methodology. In a future issue, I will talk about better password policies, of course. In other words, faculty and staff cared about students, not passwords. By reframing the issue as a piece of the organization's fundamental mission of serving students, faculty and staff could see their compliance as part of their job and relate it to their organizationally related self-identity.

Once you know why you're securing something, you can define the how and what of the security process. This approach can seem daunting, particularly if you're asked to dive into tools before determining your security goals. There's also the risk of people adopting a cowboy mentality early on because they want to spend time discussing feats of derring-do and other rodeo-like exploits without focusing on the steps that your organization needs to take to develop a security program that meets your current needs and that can scale with your growing security demands. When I'm developing a security program, I take a multi-pronged approach to form an often deceptively simple solution that can grow with the company's needs. By defining why you are protecting the something needing protection, you can define risks associated with your something. From your defined risks, you pivot to understanding what technical resources support the information or service or facility with your something needing protection. Knowing the technical infrastructure and services supporting or delivering your something means you are ready to develop the security program. To clarify, I define a security program as follows: A security program is a combination of principles, processes, and procedures implemented to mitigate or counter the defined risk to the things needing protection so the organization can continue supporting its mission. Technical tool selection and implementation can only happen when there is an envisioned and approved security program. Thus, the step that I see most organizations start first is actually the last step in developing a successful security program. This can be a shock to people in most organizations who are either excited about jumping feet first into security, or who feel a sense of urgency about implementing security solutions. However, in my experience, starting with the correct mindset allows us to do better risk mitigation, improve incident detection and response success, and manage operational security later. Security can be confusing and complex, but it doesn't have to be. Starting with a strong foundation will result in operational and organizational success later. Tune in next week when I discuss people, process, and technology.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcasts, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.

    Introducing Meanwhile in Security

    Feb 18, 2021, 2:14


    Ever noticed how security tends to be one of those things that isn't particularly welcoming to folks who don't already have the word "security" somewhere in their job title? Introducing our fix to that: Meanwhile in Security. Featuring Jesse Trucks.
