Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond the Baseline: Horizons for Cloud Securit...

Rami McCarthy
September 15, 2023

Beyond the Baseline: Horizons for Cloud Security Programs

There is a definitive resource for cloud-native companies to build a security program and posture in AWS: Scott Piper’s AWS Security Maturity Roadmap. However, mature programs quickly progress past the end of Scott’s roadmap. In this talk, I’ll take you on a rapid fire tour beyond the end of the roadmap, focusing on the problems you’ll encounter scaling a cloud security program. A key framework will be “build versus buy,” and the talk will be opinionated about where cloud security teams can fall into the trap of undifferentiated work. The goal is to leave you with a clear view of the possibilities at the leading edge of cloud security, risk-informed guidance on priorities, and a crucial new reference for writing cloud security roadmaps.

Rami McCarthy

September 15, 2023
Tweet

More Decks by Rami McCarthy

Other Decks in Technology

Transcript

  1. @ramimacisabird Rami McCarthy Beyond the Baseline: Horizons in Cloud Security

    Programs 
 https://speakerdeck.com/ramimac/sect
  2. @ramimacisabird What are we protecting against? • Getting AWS creds

    via SSRF on rss.app • AWS takeover through SSRF in JavaScript • Yahoo Small Business ( Luminate) and the Not-So-Secret Keys • Bug Bounty Story: Escalating SSRF to RCE on AWS • A Nifty SSRF Bug Bounty Write Up • Mozilla Hubs Cloud: cloud api credentials exposure
  3. @ramimacisabird Not All Cloud Security Programs • Engineering and Automation

    oriented • “Zero Trust” architecture • Maximalist on “Cloud Security” • Guardrails not Gatekeepers + Paved Roads
  4. @ramimacisabird Build vs. Adopt vs. Buy Sabry Tozin (h/t Roy

    Rapoport) • Are we solving a problem unique to our company? • Are we solving a problem at a scale unique to our company? • Is the cost and effort of integrating an off-the-shelf solution so large that we may as well build one? • What are the purchasing/ongoing license costs of the product in comparison to building it ourselves?
  5. @ramimacisabird Secrets Management A mechanism for engineers to easily and

    securely manage credentials and other secrets provided to services in your cloud environment. Adopt: Options Buy: Options • Hashicorp Vault • Doppler ( YC W19 ) • Infiscal ( YC W23 ) • AWS Secrets Manager / AWS KMS One Read: “Managing secrets is the biggest risk people aren't talking about”, Strategy of Security • mozilla / sops • square / keywhiz • pinterest / knox • lyft / confidant
  6. @ramimacisabird Secrets Management Build: Adopt: Not recommended Recommended • Standardize

    as early as possible, generally with a thin 
 wrapper over CSP services. Focus on DevEx. • Revisit every ~year, and layer necessary capabilities • Before adopting, be very sure requirements and 
 practices 1 : 1 match • Be wary of premature purchase or deployment of a 
 heavy solution • Don’t ever roll your own crypto Buy: A mechanism for engineers to easily and securely manage credentials and other secrets provided to services in your cloud environment.
  7. @ramimacisabird Asset Inventory Leverage the Cloud Service Provider’s control plane

    to discover and identify cloud assets, and to monitor their adherence to configuration standards. Adopt: Options Buy: Options • Firemon Cloud Defense (fka DisruptOps)* • Commercial versions of Steampipe and Cloudquery • turbot / steampipe • cloudquery / cloudquery One Read: What should you use - CloudQuery or Steampipe?, badshah
  8. @ramimacisabird Asset Inventory Leverage the Cloud Service Provider’s control plane

    to discover and identify cloud assets, and to monitor their adherence to configuration standards. Build: Adopt: Not recommended Recommended • You can get far by adopting open source tools • You need something, early. Adopt inventory first, 
 then add controls in incrementally • You probably don’t need a full CSPM 
 until later than you’d expect • Don’t write anything that calls cloud APIs yourself, 
 it’s been done (well) • Think critically about what controls matter, and watch out for toil and noise Buy:
  9. @ramimacisabird -> Cloud Security Posture Management Continuously assess the security

    posture by maintaining a current inventory of cloud assets, with risk assessment to detect any misconfigurations. Adopt: Options Buy: Options • Wiz • Aqua • Orca • Lacework • Prowler • Prisma Cloud • Ermetic ( Tenable) • Lightspin ( Cisco) • prowler-cloud / prowler • cloud-custodian / cloud-custodian • Zeus-Labs / ZeusCloud One Talk: “Success Criteria for your CSPM”, David White
  10. @ramimacisabird -> CSPM Continuously assess the security posture by maintaining

    a current inventory of cloud assets, with risk assessment to detect any misconfigurations. Build: Adopt: Not recommended Recommended • Think about extensibility and integrations • Evaluate options based on preset criteria, don’t let vendors sell you CNAPP + + • If you build, only do it on top of an adopted inventory platform. Don’t spend your engineer’s time building an open source CSPM. It’s undifferentiated and commoditized. It’s also a lot of work • Don’t let an opinionated CSPM dictate your security program • Be thoughtful about dispatching findings to other teams • Bundled CSPMs can be thoroughly mediocre Buy:
  11. @ramimacisabird Automated Remediation In order to keep up with the

    rate of change in the cloud, teams reach for solutions to automate the immediate resolution of common misconfigurations. Adopt: Options Buy: Options • Native to your CSPM • Gomboc • AWS Config • twilio-labs / SOCless • cloudconformity / auto-remediate One Read: "The Dangers of Corrective Auto Remediation in Your Public Cloud”, Lightspin
  12. @ramimacisabird Automated Remediation In order to keep up with the

    rate of change in the cloud, teams reach for solutions to automate the immediate resolution of common misconfigurations. Build: Adopt: Not recommended Recommended • When you’re unable to move to Infrastructure as Code • If you lack a chokepoint for changes • If you have SOAR-like capabilities, use them for this • When preventative controls are feasible • As an early control for your program • Applied without sufficient context Buy:
  13. @ramimacisabird Secure Infra as Code Modules “Shift-left” secure configuration and

    empower your developers with secure- by-default IAC modules. Adopt: Options Buy: Options • asecure.cloud • Gruntwork AWS Infrastructure as Code Library • Resourcely • asecure.cloud • Terraform Registry Read more: "Why you should pave roads", Eric Hydrick
  14. @ramimacisabird Secure Infra as Code Modules “Shift-left” secure configuration and

    empower your developers with secure- by-default IAC modules. Build: Adopt: Not recommended Recommended • Pair with SAST to detect usage of “vanilla” resources • Steal undifferentiated examples • Commoditize secure architecture as modules • Wait for a need to surface before investing in a module Buy:
  15. @ramimacisabird Infrastructure as Code Scanning Detect misconfigurations within your infrastructure

    as code, before they can be introduced to your environment Adopt: Options Buy: Options • Native to your CSPM • Native to your SAST • aquasecurity / tfsec • returntocorp / semgrep • bridgecrew / checkov • turbot / steampipe-plugin-terraform One Read: “Shifting Cloud Security Left — Scanning [ IaC ] for Security Issues”, Christophe Tafani-Dereeper
  16. @ramimacisabird IAC Scanning Detect misconfigurations within your infrastructure as code,

    before they can be introduced to your environment Build: Adopt: Not recommended Recommended • Develop rules based on your specific environment 
 and requirements • Surface detections, with context, at PR time • Rolling out rules in “block” mode • Turning on all possible rules Buy:
  17. @ramimacisabird Deception Engineering ( Honeypots/tokens) Deploy high-signal, low noise tripwires

    in your environment. Make attackers think twice before using found credentials, and know when someone has tried. Adopt: Options Buy: Options • Thinkst Canary • Native to your CSPM • Thinkst Canarytokens.org • Basic AWS API Key + SIEM detection • spacesiren / spacesiren (inspired by Atlassian Project SPACECRAB ) One Read: “Zero Maintenance AWS Canary Tokens That Scale”, Will Bengston
  18. @ramimacisabird Deception Engineering ( Honeypots/tokens) Build: Adopt: Not recommended Recommended

    • Deploy the quick and free version in high value targets. 
 Probably your CI/CD tooling • Think about what you’ll do if one goes off before it happens • Do your best to tightly each key to a single potential 
 vector for compromise • Don’t roll out Will’s architecture until you’ve killed 
 known attack vectors Buy: Deploy high-signal, low noise tripwires in your environment. Make attackers think twice before using found credentials, and know when someone has tried.
  19. @ramimacisabird 1. Scaling Granular Access Support role-based, least-privileged access across

    an explosion of roles. Adopt: Options Buy: Options (“CIEM”) • salesforce / cloudsplaining • Netflix / repokid • iann0036 / iamlive • common-fate / iamzero • noqdev / iambic Read more: “ConsoleMe: A Central Control Plane for AWS Permissions and Access”, Netflix • Ermetic • Native to your CNAPP? • ???
  20. @ramimacisabird 2. Scaling Access Management Enable a user friendly roll

    out of granular access by making it easy to understand available access and leverage it. Adopt: Options Buy: Options • Common Fate Cloud • Leapp Cloud • Netflix / consoleme • Noovolari / leapp • common-fate / granted Read more: “Access Service: Temporary Access to the Cloud”, Segment
  21. @ramimacisabird 3. Scaling Temporary Access Remove risky ambient permissions and

    allow step-up and break-glass authorization. Adopt: Options Buy: Options • ConductorOne • Indent • Opal • Sym • aws-samples / aws-iam-temporary-elevated- access-broker , iam-identity-center-team • GoogleCloudPlatform / jit-access • ??? Read more: “Common uses of just-in-time access in the cloud”
  22. @ramimacisabird Scaling … Access Build: Adopt: Not recommended Recommended •

    Build incrementally, and always keep an eye on 
 the user experience • Right now, ~ JIT access is about where you should 
 really consider buying • Partner with other internal stakeholders on a unified 
 source of truth for identity and role • Centralizing all creation of IAM • Trying to preemptively define necessary IAM in a bubble Buy: 1. Support role-based, least-privileged access across an explosion of roles. 2. Enable a user friendly roll out of granular access by making it easy to understand available access and leverage it. 3. Remove risky ambient permissions and allow step-up and break-glass authorization.
  23. @ramimacisabird Scaling Account Management Taking advantage of the inherent blast

    radius boundary of an Account rapidly turns into toil to stand up new accounts and juggle their lifecycle. Adopt: Options Buy: Options • Substrate • ??? • org-formation / org-formation-cli • rebuy-de / aws-nuke • AWS Control Tower One Talk: “Reimagining multi-account deployments for security and speed”, Netflix
  24. @ramimacisabird Scaling Account Management Taking advantage of the inherent blast

    radius boundary of an Account rapidly turns into toil to stand up new accounts and juggle their lifecycle. Build: Adopt: Not recommended Recommended • Rightsize your investment in automation, “human cron” 
 can be a good place to start • Find good internal development partners with strong cases for investment • Don’t wait too long to split out use cases with different 
 threat models or administration patterns. Migration across 
 accounts is painful, and data gravity can be a blocker. Buy:
  25. @ramimacisabird Control Validation / Attack Simulation Test and validate your

    controls and detections on an automated, ongoing basis. Adopt: Options Buy: Options • AttackIQ • Cymulate • SCYTHE • Randori • awslabs / aws-cloudsaga • DataDog / stratus-red-team • WithSecureLabs / leonidas One Talk: “Adversary emulation for incident-response readiness”, Anna McAbee / Brandon Baxter / Chris Farris
  26. @ramimacisabird Control Validation / Attack Simulation Test and validate your

    controls and detections on an automated, ongoing basis. Build: Adopt: Not recommended Recommended • Consider leveraging internal frameworks and tools for QA • Validation at time of creation is likely sufficient for 
 commodity controls and medium program maturity • Keep a close eye on relative investment in “breaking” 
 vs. “building • Be deeply skeptical of “automated red teaming” as a product • Finding issues is only useful as an effective 
 input to mitigation Buy:
  27. @ramimacisabird Egress Monitoring and Filtering Make attackers lives harder post-compromise

    by filtering egress traffic from your services and alerting on anomalous destinations. Adopt: Options Buy: Options • AWS Network Firewall • Chaser Systems DiscrimiNAT Firewall • Aviatrix • stripe / smokescreen One Read: “Internet Egress Filtering of Services at Lyft”
  28. @ramimacisabird Egress Monitoring and Filtering Make attackers lives harder post-compromise

    by filtering egress traffic from your services and alerting on anomalous destinations. Build: Adopt: Not recommended Recommended • Consider when modifying network architecture • “Monitor” mode can be cheap to deploy • Reliability is huge if you place this on the critical path • A hamster wheel of pain is likely if you’re not thoughtful 
 about how new, valid connections will be 
 identified and allowlisted Buy:
  29. @ramimacisabird Infrastructure Access Adopt: Options Buy: Options • Teleport •

    StrongDM • BastionZero • Cloudflare Access • Tailscale (and other Wireguard-based VPNs) • AWS SSM + IAM Authentication for < SERVICE > • Tailscale (and other Wireguard-based VPNs) • Teleport (open source) One Talk: “Zero Touch Prod: Towards Safer and More Secure Production Environments” Move beyond pervasive raw-SSH access to patterns for getting shells in services that provide least privilege, auditability, support dual control, and can constrain data ingress and egress.
  30. @ramimacisabird Infrastructure Access Build: Adopt: Not recommended Recommended • Move

    from SSH to SSM (or equivalent) early • Get alignment on “what good looks like” • You won’t get anywhere stopping your coworkers 
 from doing their jobs • Think about what it will take to get logging to a place 
 that could power real-time detections Buy: Move beyond pervasive raw-SSH access to patterns for getting shells in services that provide least privilege, auditability, support dual control, and can constrain data ingress and egress.
  31. @ramimacisabird Data Perimeter Install guardrails that only allow access for

    trusted identities, accessing trusted resources, on expected networks. Adopt: Options Buy: Options • InstaSecure • Native services One Read: “Building a Data Perimeter on AWS”
  32. @ramimacisabird Data Perimeter Install guardrails that only allow access for

    trusted identities, accessing trusted resources, on expected networks. Build: Adopt: Not recommended Recommended • Start small - one example would be “we never call 
 s3 : PutObject outside our organization” • Make sure to test your controls, edge cases 
 on condition support can create surprise gaps • Be careful, AWS doesn’t offer safe ways to roll out SCPs Buy:
  33. @ramimacisabird What else? •Vulnerability Management •Detection Engineering •Continuous Compliance /

    Compliance Automation •DFIR preparedness •Runtime Security •Service to Service Authentication
  34. @ramimacisabird • Prioritization is inherently custom to your risk and

    business • Don’t do everything, everywhere, all at once • But, conversely, uneven application of controls can be ineffective and impractical • Scaling program requires increasing investment to maintain and avoid regression in current controls Keep in Mind https://speakerdeck.com/ramimac/sect
  35. @ramimacisabird Cut for time (speed round) • Vulnerability Management •

    Shared concern with AppSec, generally • ASPMs are rapidly bringing in cloud context • Detection Engineering • Security Data Lakes are an emerging trend • See: brex / substrate, BSidesSF 2023’s “To Normalized Logs, and Beyond," • Continuous Compliance / Compliance Automation • Vanta / Drata on one end, JupiterOne on the other • DFIR preparedness • Netflix-Skunkworks / diffy, google / cloud-forensics-utils, awslabs / aws- automated-incident-response-and-forensics • Cado, Mitiga
  36. @ramimacisabird Cut for time (speed round) • Runtime Security •

    auditd [blog], OSQuery, Falco, or cilium / tetragon, GuardDuty Runtime Monitoring ( EKS ) • Sysdig or Isovalent, or whatever comes with your CNAPP • Chainguard for a different part of the problem • Service to Service Authentication • Start with: A Child’s Garden of Inter-Service Authentication Schemes, Latacora • If you can get this for free with a Service Mesh, you probably should • This gets talked about more than it gets implemented (well) • Basic shared secrets can provide initial answers here