Reliable Automated Cloud Native Security Operations

Transcript

1. Akash Mahajan

2. None

3. Akash Mahajan – About Me • Co-Founder of Appsecco (appsecco.com)

   • Co-Founder of null.co.in – India’s largest open security community • Speaker at ADDO twice • Cool fact – I had one of my talks featured in Feedback Loops ☺ • Author of Security Books • Burp Suite Essentials • Security Automation using Ansible2 • Security Trainer c0c0n, nullcon, BlackHat US

4. 1. Briefly describe what is reliable, automated & cloud native

   2. Make a strong case for why unintentional public S3 buckets are bad for security 3. Demo – A security response against public S3 buckets 4. Elaborate on why we want reliability 5. Conclusion on why cloud native SecOps 6. A simplified client case study – If we have time remaining Agenda for the next 20 minutes

5. • There are many-many ways to meet our security objectives.

   • From my experience for the cloud native workloads, Security Operations need to be cloud native • Some of the audience of this conference may think that I am preaching to the choir • I feel that there is still a lot of merit in discussing specific use cases and drive home this point • I have security expertise, not running large scale prod systems expertise • That is what all of you viewers bring to the table Disclaimer

6. Num Word What I mean 1. Reliable Our system will

   work without fail and with minimal MTTR 2. Automated Work done which has removed toil. Removed repetition, reduces human error and will scale as per the need 3. Cloud Native Leveraging services of that specific public IaaS cloud (AWS) 4. Security Specifically related to operational security. Runtime once deployed to production Words and What I mean

7. Breaches due to public S3 buckets

8. Not just an alarming news headline A website that downloads

   files from public S3 buckets Access to data for free or 20 Euros per month!

9. 1. List S3 buckets which are public in an AWS

   account 2. Remediate this security misconfiguration using automation 3. I lied, only two steps as once we have remediated, we can go back and list the buckets again 3 Steps to finding our public S3 buckets & securing them

10. Demo - Step 1 – Listing Public Buckets using Slurp

11. None

12. Demo – Step 1 - Confirming the contents of the

    public buckets
13. None

14. Demo – Step 2 – Remediation for public buckets

15. None

16. Demo – Step 3 – Confirming it worked for us

17. None

18. • Security choices will be made based on output of

    service that we automated for discovery of buckets • The service will become the primary interface, SecOps team members will be trained to respond to this instead of manual discovery. • Over time this will become the way • Beyond a certain scale, only automation will ensure timely coverage Why do we want reliability?

19. Small agile teams can focus on creating and fulfilling business

    aligned security objectives and key results instead of managing the infrastructure around it Why become Cloud Native for our security operations?

20. • Focus on solving issues that matter to business first

    • One less server is one less target for attackers • Infra as code, configuration managed as code • Secure defaults backed in • Automation to some extent is inherent • Newer security features can be rolled out • Scale our scope Secure Operations for our Cloud Native Security Operations

21. • Major reskilling, capability building, and capacity building required •

    Compliance, legal challenges around data, privacy etc. • Already existing security costs in software, hardware and training – (anchoring bias, sunken cost) Challenges that you may face

22. o Bring in near real time detection and blocking of

    security attacks oAnalyse incidents quickly and with automation oRemediate potential security holes before they become a problem What we would like to achieve from SecOps PoV

23. 1. Developers create public buckets all the time 2. While

    awareness and security training is on-going (enforcement), this automated monitoring is finding public buckets daily 3. Public bucket which violate the tagging policy reported as security issues (via API) to their vulnerability management dashboard 4. Even though there is a gap in finding reported and remediation, the team has real data now. 5. This makes it easy for the secops to have relevant conversations with the team members A client case study

24. Any Questions or thoughts? Akash Mahajan | [email protected] | @makash