Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond the AWS Security Maturity Roadmap

Beyond the AWS Security Maturity Roadmap

Scott (Piper)’s AWS Security Maturity Roadmap is the definitive resource for cloud-native companies to build a security program and posture in AWS. It does an amazing job at providing broadly applicable guidance along the maturity curve. However, for many fwd:cloudsec attendees, the roadmap ends too soon.

In my experience there is a set of technical capabilities and controls that companies should consider once they’ve “shipped the roadmap." In this talk, I’ll take you on a rapid fire tour beyond Scott's paved road, focusing on the problems you’ll encounter scaling a cloud security program. A key framework will be “build versus buy,” and the talk will be opinionated about where cloud security teams can fall into the trap of undifferentiated work.

The goal is to walk away with a clear view of the possibilities at the leading edge of cloud security, risk-informed guidance on priorities, and a crucial new reference for writing cloud security roadmaps.

Rami McCarthy

June 12, 2023
Tweet

More Decks by Rami McCarthy

Other Decks in Technology

Transcript

  1. @ramimccarthy Rami McCarthy Beyond the 
 AWS Security Maturity Roadmap

    
 https://speakerdeck.com/ramimac/fwdcloudsec
  2. $ get-caller-identity Security Engineer @ Figma 
 figma.fun/seceng 
 


    Infrequent Contributor @ tl;drsec https://tldrsec.com/guides/sta ff eng-security/ https://tldrsec.com/blog/cloud-security-orienteering/
  3. @ramimccarthy Not All Cloud Security Programs • Engineering and Automation

    oriented • “Zero Trust” architecture • Software product • Maximalist cloud security • Guardrails not Gatekeepers + Paved Roads
  4. @ramimccarthy Build vs. Adopt vs. Buy Sabry Tozin (via Roy

    Rapoport) • Are we solving a problem unique to our company? • Are we solving a problem at a scale unique to our company? • Is the cost and effort of integrating an off-the-shelf solution so large that we may as well build one? • What are the purchasing/ongoing license costs of the product in comparison to building it ourselves?
  5. @ramimccarthy Secrets Management A mechanism for engineers to easily and

    securely manage credentials and other secrets provided to services in your cloud environment. Adopt: Options Buy: Options • Hashicorp Vault • Doppler ( YC W19 ) • Infiscal ( YC W23 ) • AWS Secrets Manager / AWS KMS One Read: “Managing secrets is the biggest risk people aren't talking about”, Strategy of Security • mozilla / sops • square / keywhiz • pinterest / knox • lyft / confidant
  6. @ramimccarthy Secrets Management Build: Adopt: Not recommended Recommended • Standardize

    as early as possible, generally with a thin 
 wrapper over CSP services. Focus on DevEx. • Revisit every ~year, and layer necessary capabilities • Before adopting, be very sure requirements and 
 practices 1 : 1 match • Be wary of premature purchase or deployment of a 
 heavy solution Buy: A mechanism for engineers to easily and securely manage credentials and other secrets provided to services in your cloud environment.
  7. @ramimccarthy Asset Inventory Leverage the CSP control plane to discover

    and identify cloud assets, and to monitor their adherence to configuration standards. Adopt: Options Buy: Options • Firemon Cloud Defense (fka DisruptOps)* • Commercial versions of Steampipe and Cloudquery • turbot / steampipe • cloudquery / cloudquery One Read: What should you use - CloudQuery or Steampipe?, badshah
  8. @ramimccarthy Asset Inventory Leverage the CSP control plane to discover

    and identify cloud assets, and to monitor their adherence to configuration standards. Build: Adopt: Not recommended Recommended • You can get far by adopting open source tools • You need something, early. Adopt inventory first, 
 then add controls in incrementally • You probably don’t need a full CSPM 
 until later than you’d expect • Don’t write anything that calls cloud APIs yourself, 
 it’s been done (well) • Think critically about what controls matter, and watch out for 
 toil and noise Buy:
  9. @ramimccarthy -> CSPM Continuously assess the security posture by maintaining

    a current inventory of cloud assets, with risk assessment to detect any misconfigurations. Adopt: Options Buy: Options • Wiz • Aqua • Orca • Lacework • Ermetic • Lightspin ( Cisco) • Prisma Cloud • cloud-custodian / cloud-custodian • prowler-cloud / prowler • Zeus-Labs / ZeusCloud One Talk: “Success Criteria for your CSPM”, David White (up next)
  10. @ramimccarthy -> CSPM Continuously assess the security posture by maintaining

    a current inventory of cloud assets, with risk assessment to detect any misconfigurations. Build: Adopt: Not recommended Recommended • Think about extensibility and integrations • Evaluate options based on preset criteria, don’t let vendors sell you CNAPP + + • If you build, only do it on top of an adopted inventory platform. Don’t spend your engineer’s time building an open source CSPM. It’s undifferentiated and commoditized. It’s also a lot of work • Don’t let an opinionated CSPM dictate your security program • Be thoughtful about dispatching findings to other teams • Bundled CSPMs can be thoroughly mediocre Buy:
  11. @ramimccarthy Automated Remediation In order to keep up with the

    rate of change in the cloud, teams reach for solutions to automate the immediate resolution of common misconfigurations. Adopt: Options Buy: Options • Native to your CSPM • AWS Config • twilio-labs / SOCless • cloudconformity / auto-remediate One Read: "The Dangers of Corrective Auto Remediation in Your Public Cloud”, Lightspin
  12. @ramimccarthy Automated Remediation In order to keep up with the

    rate of change in the cloud, teams reach for solutions to automate the immediate resolution of common misconfigurations. Build: Adopt: Not recommended Recommended • When you’re unable to move to Infrastructure as Code • If you lack a chokepoint for changes • When preventative controls are feasible • As an early control for your program • Applied without sufficient context Buy:
  13. @ramimccarthy Secure IAC Modules “Shift-left” secure configuration and empower your

    developers with secure- by-default IAC modules. Adopt: Options Buy: Options • asecure.cloud • Gruntwork AWS Infrastructure as Code Library • Resourcely • asecure.cloud • Terraform Registry Read more: "Why you should pave roads", Eric Hydrick
  14. @ramimccarthy Secure IAC Modules “Shift-left” secure configuration and empower your

    developers with secure- by-default IAC modules. Build: Adopt: Not recommended Recommended • Pair with SAST to detect usage of “vanilla” resources • Steal undifferentiated examples • Commoditize secure architecture as modules • Wait for a need to surface before investing in a module Buy:
  15. @ramimccarthy Infrastructure as Code Scanning Detect misconfigurations within your infrastructure

    as code, before they can be introduced to your environment Adopt: Options Buy: Options • Native to your CSPM • Native to your SAST • aquasecurity / tfsec • returntocorp / semgrep • turbot / steampipe-plugin-terraform • bridgecrew / checkov One Read: “Shifting Cloud Security Left — Scanning [ IaC ] for Security Issues”, Christophe Tafani-Dereeper
  16. @ramimccarthy IAC Scanning Detect misconfigurations within your infrastructure as code,

    before they can be introduced to your environment Build: Adopt: Not recommended Recommended • Develop rules based on your specific environment 
 and requirements • Surface detections, with context, at PR time • Rolling out rules in “block” mode • Turning on all possible rules Buy:
  17. @ramimccarthy Deception Engineering ( Honeypots/tokens) Deploy high-signal, low noise tripwires

    in your environment. Make attackers think twice before using found credentials, and know when someone has tried. Adopt: Options Buy: Options • Thinkst Canary • Native to your CSPM • Thinkst Canarytokens.org • Basic AWS API Key + SIEM detection • spacesiren / spacesiren (inspired by Atlassian Project SPACECRAB ) One Read: “Zero Maintenance AWS Canary Tokens That Scale”, Will Bengston
  18. @ramimccarthy Deception Engineering ( Honeypots/tokens) Build: Adopt: Not recommended Recommended

    • Deploy the quick and free version in high value targets. 
 Probably your CI/CD tooling • Think about what you’ll do if one goes off before it happens • Do your best to tightly each key to a single potential 
 vector for compromise • Don’t roll out Will’s architecture until you’ve killed 
 known attack vectors Buy: Deploy high-signal, low noise tripwires in your environment. Make attackers think twice before using found credentials, and know when someone has tried.
  19. @ramimccarthy 1. Scaling Granular Access Support role-based, least-privileged access across

    an explosion of roles. Adopt: Options Buy: Options (“CIEM”) • salesforce / cloudsplaining • Netflix / repokid • iann0036 / iamlive • common-fate / iamzero • noqdev / iambic Read more: “ConsoleMe: A Central Control Plane for AWS Permissions and Access”, Netflix • Ermetic • Native to your CNAPP? • ???
  20. @ramimccarthy 2. Scaling Access Management Enable a user friendly roll

    out of granular access by making it easy to understand available access and leverage it. Adopt: Options Buy: Options • Common Fate Cloud • Leapp Cloud • Netflix / consoleme • Noovolari / leapp • common-fate / granted Read more: “Access Service: Temporary Access to the Cloud”, Segment
  21. @ramimccarthy 3. Scaling Temporary Access Remove risky ambient permissions and

    allow step-up and break-glass authorization. Adopt: Options Buy: Options • ConductorOne • Indent • Opal • Sym • aws-samples / aws-iam-temporary-elevated- access-broker • ??? Read more: “Common uses of just-in-time access in the cloud”
  22. @ramimccarthy Scaling … Access Build: Adopt: Not recommended Recommended •

    Build incrementally, and always keep an eye on 
 the user experience • Right now, ~ JIT access is about where you should 
 really consider buying • Partner with other internal stakeholders on a unified 
 source of truth for identity and role • Trying to preemptively define necessary IAM in a bubble • Centralizing all creation of IAM Buy: 1. Support role-based, least-privileged access across an explosion of roles. 2. Enable a user friendly roll out of granular access by making it easy to understand available access and leverage it. 3. Remove risky ambient permissions and allow step-up and break-glass authorization.
  23. @ramimccarthy Scaling Account Management Taking advantage of the inherent blast

    radius boundary of an Account rapidly turns into toil to stand up new accounts and juggle their lifecycle. Adopt: Options Buy: Options • ??? • org-formation / org-formation-cli • rebuy-de / aws-nuke • AWS Control Tower One Talk: “Reimagining multi-account deployments for security and speed”, Netflix
  24. @ramimccarthy Scaling Account Management Taking advantage of the inherent blast

    radius boundary of an Account rapidly turns into toil to stand up new accounts and juggle their lifecycle. Build: Adopt: Not recommended Recommended • Rightsize your investment in automation, “human cron” 
 can be a good place to start • Find good internal development partners with strong cases 
 for investment • Don’t wait too long to split out use cases with different 
 threat models or administration patterns. Migration across 
 accounts is painful, and data gravity can be a blocker. Buy:
  25. @ramimccarthy Control Validation / Attack Simulation Test and validate your

    controls and detections on an automated, ongoing basis. Adopt: Options Buy: Options • AttackIQ • Cymulate • SCYTHE • Randori • awslabs / aws-cloudsaga • DataDog / stratus-red-team • WithSecureLabs / leonidas One Talk: “Adversary emulation for incident-response readiness”, Anna McAbee / Brandon Baxter / Chris Farris
  26. @ramimccarthy Control Validation / Attack Simulation Test and validate your

    controls and detections on an automated, ongoing basis. Build: Adopt: Not recommended Recommended • Consider leveraging internal frameworks and tools for QA • Validation at time of creation is likely sufficient for 
 commodity controls and medium program maturity • Keep a close eye on relative investment in “breaking” 
 vs. “building • Be deeply skeptical of “automated red teaming” as a product • Finding issues is only useful as an effective 
 input to mitigation Buy:
  27. @ramimccarthy Egress Monitoring and Filtering Make attackers lives harder post-compromise

    by filtering egress traffic from your services and alerting on anomalous destinations. Adopt: Options Buy: Options • AWS Network Firewall • Chaser Systems DiscrimiNAT Firewall • Aviatrix • stripe / smokescreen One Read: “Internet Egress Filtering of Services at Lyft”
  28. @ramimccarthy Egress Monitoring and Filtering Make attackers lives harder post-compromise

    by filtering egress traffic from your services and alerting on anomalous destinations. Build: Adopt: Not recommended Recommended • Consider when modifying network architecture • “Monitor” mode can be cheap to deploy • Reliability is huge if you place this on the critical path • A hamster wheel of pain is likely if you’re not thoughtful 
 about how new, valid connections will be 
 identified and allowlisted Buy:
  29. @ramimccarthy Infrastructure Access Adopt: Options Buy: Options • Teleport •

    StrongDM • BastionZero • Cloudflare Access • Tailscale (and other Wireguard-based VPNs) • AWS SSM + IAM Authentication for < SERVICE > • Tailscale (and other Wireguard-based VPNs) • Teleport (open source) One Talk: “Zero Touch Prod: Towards Safer and More Secure Production Environments” Move beyond pervasive raw-SSH access to patterns for getting shells in services that provide least privilege, auditability, support dual control, and can constrain data ingress and egress.
  30. @ramimccarthy Infrastructure Access Build: Adopt: Not recommended Recommended • Move

    from SSH to SSM (or equivalent) early • Get alignment on “what good looks like” • You won’t get anywhere stopping your coworkers 
 from doing their jobs • Think about what it will take to get logging to a place 
 that could power real-time detections Buy: Move beyond pervasive raw-SSH access to patterns for getting shells in services that provide least privilege, auditability, support dual control, and can constrain data ingress and egress.
  31. @ramimccarthy Data Perimeter Install guardrails that only allow access for

    trusted identities, accessing trusted resources, on expected networks. Adopt: Options Buy: Options • InstaSecure • Native services One Read: “Building a Data Perimeter on AWS”
  32. @ramimccarthy Data Perimeter Install guardrails that only allow access for

    trusted identities, accessing trusted resources, on expected networks. Build: Adopt: Not recommended Recommended • Start small - one example would be “we never call 
 s3 : PutObject outside our organization” • Make sure to test your controls, edge cases 
 on condition support can create surprise gaps • Be careful, AWS doesn’t offer safe ways to roll out SCPs Buy:
  33. @ramimccarthy Cut for time •Vulnerability Management •Detection Engineering & Security

    Data Lakes •Continuous Compliance / Compliance Automation •DFIR preparedness •Runtime Security •Service to Service Authentication
  34. @ramimccarthy • Prioritization is inherently custom to your risk and

    business • Don’t do everything, everywhere, all at once • But, conversely, uneven application of controls can be ineffective and impractical • Scaling program requires increasing investment to maintain and avoid regression in current controls Keep in Mind 
 https://speakerdeck.com/ramimac/fwdcloudsec
  35. @ramimccarthy Cut for time (speed round) • Vulnerability Management •

    Shared concern with AppSec, generally • ASPMs are rapidly bringing in cloud context • Detection Engineering • Security Data Lakes are an emerging trend • See: brex / substrate, BSidesSF 2023’s “To Normalized Logs, and Beyond," • Continuous Compliance / Compliance Automation • Vanta / Drata on one end, JupiterOne on the other • DFIR preparedness • Netflix-Skunkworks / diffy, google / cloud-forensics-utils, awslabs / aws-automated- incident-response-and-forensics • Cado, Mitiga
  36. @ramimccarthy Cut for time (speed round) • Runtime Security •

    auditd [blog], OSQuery, Falco, or cilium / tetragon, GuardDuty Runtime Monitoring ( EKS ) • Sysdig or Isovalent, or whatever comes with your CNAPP • Chainguard for a different part of the problem • Service to Service Authentication • Start with: A Child’s Garden of Inter-Service Authentication Schemes, Latacora • If you can get this for free with a Service Mesh, you probably should • This gets talked about more than it gets implemented (well) • Basic shared secrets can provide initial answers here