Palo Alto Networks Prisma Public Cloud Overview

Captions
Awesome. So my name is Varun Badhwar. I came in through the acquisition of RedLock; I've spent about 13 years in the cloud security space. I'm curious how many of you here are also responsible, along with what I call your day jobs of securing core infrastructure, to also think about security for applications that are moving to the cloud? Quite a few of you. I saw some of your bios; I think there are some of you here with AWS certifications and things, so exciting conversation here, hopefully.

Look, Palo Alto Networks has a pretty broad portfolio of security. The way we think about security for cloud, we think about three main areas: we think about security for SaaS applications, we think about security for public cloud, and we think about security for your access as your data and your users are moving and accessing these cloud applications. For the sake of time today we've decided to focus on what I think is a top-of-mind subject, hopefully for many of you, which is: as you start taking your applications and either lifting and shifting them into public cloud platforms like AWS, Azure and GCP, or rewriting cloud-native applications, what is the impact from a security standpoint? What is the opportunity for us to think about security differently in these environments? And hopefully we can have an engaging conversation around that.

Just to sort of start this off: as we've been thinking about security for public cloud, a few things change. First of all, cloud adoption is more developer-led than CIO-led. The CIO strategy may say digital first, but ultimately it feels like a lot of the developers are going in, deciding which cloud platforms make the most sense for which cloud environments, and they'll ultimately govern these environments. DevOps is the one that's really deploying applications; they have administrative privileges, they have root access into these accounts. And security, all of a sudden... we used to come in and have a gating process to approve every firewall change and approve pretty much any operating system deployed in there. All of a sudden we're going in and saying, wait a minute, we need to have visibility.

As a show of hands, maybe I'll ask a question: how many of you here, if you wanted to know, sitting here today, do you have databases running in public cloud, and if you are aware, where are they running? Do any of us have systems to be able to... Okay, excellent. How would you do that? I'm curious.

Audience: We have a bunch of systems to track all that, all the assets, and where everything else is. We just don't put anything in the cloud without doing that. So it's not developer-led, actually.

Varun: Okay. [unclear] So good. I think that's very... I think that's unique and probably advantageous to the way your organization is approaching it. I would imagine there are some other organizations here where developers have gone out there and all of a sudden you're being told, hey, you know what, you've got to go look at that.

Audience: Comment, because exactly what I'm thinking is, we have developers, and I find stuff that they do and I just want to walk over and just, you know, smack him upside the head for the stuff they do.

Varun: Yes, that happens, unfortunately, and it's interesting. Gartner stats show that 99% of cloud security failures through [unclear] for the next five years will be the customer's fault, as they call it, which is: your developers are trying to do the right thing, but ultimately they just don't have the tooling, the understanding, the awareness on how to go about deploying these. So they're moving fast, because that's what they're being told to do, but for us, the security practitioners, we now need to retool completely to know what you have in the cloud. You are very unique, sir: you have an asset inventory system. Most organizations, 99 percent of them, actually don't even have an asset inventory system for what's deployed in the cloud.

Once you understand what's deployed in the cloud, then the question is the changes that are being made: who's making them, why are they being made? Some of the best organizations in the world, some of the biggest transportation companies, biggest electric car companies, have had compromises because of simple things: a developer left keys on GitHub with their code checked in. How do you know? What do you do? Or what kind of data is stored in all these S3 buckets that people are putting terabytes and petabytes of information up in? It's hard to tell.

And so we believe we need to think about security a little bit differently in public cloud, whereas traditionally we've thought about security a lot in runtime. So a lot of times we'll hear customers say, oh, I'm not even in production in the cloud, and then we get calls saying, ah, I just got crypto-mined, a $400,000 bill in one week. So we think security done right for the cloud isn't just in runtime, isn't just security where you're validating their code once it's built, but it's how do you shift that left to have a desired outcome, where you want to allow your developers to feel accountable, feel ownership of their environments, yet for you to get the visibility you need, get the governance and guardrails you need. You need to establish those guardrails in a way that developers understand.

So if we agree at a high level that a typical lifecycle in deployments to the cloud is build, deploy, run, and it's constant, right, you're building, deploying and running, you can't wait to have the gate at runtime once the code is written and deployed. Guess what, a lot of this is happening using infrastructure as code. Nobody is even going in and attempting to manually make changes in these environments. They're using Terraform, they're using CloudFormation, and one problem in the source that's templatized and automated now triggers in 50 different places when these builds are triggered. So we wonder, then, can we put security into the build phase? Developers are using Jenkins; can we put the checks in and give them the best-practice checks in a way that they understand how to consume them? Just like when they hit a sort of red/green deployment, the checks where their QA and automation is happening, can we do security checks right there? Can we check for vulnerabilities in containers right there, before they even build an image? So we think that's really important. We think that at deployment time you need to sort of continue and have another gating process, and ultimately take it all the way through runtime.

By no means will you be able to check for everything in the build phase, but we do think, the way I like to think about it is an 80/10/10 rule: we catch 80% of the things at the build phase and really put the onus on the developers to fix these, because guess what, you have way more developers in your organization than you have SOC analysts to respond to alerts. So if we went the old-fashioned way, if we can call it that for a moment, we generated lots of alerts for violations of policy, violations of sort of your architectural requirements, and those were Splunk alerts or those were some other alerts in the SOC. What do you do with them? Your analysts aren't really familiar with these platforms. If they're being told that, hey, this key hasn't been rotated in over 90 days, well heck, what do I do? I don't have control, I don't have admin permission into that environment. And so if 80% of the feedback can be delivered right to the developer, because they all have good intentions, they want to fix these problems, then 10% of the things really go into the SOC for investigation. So these are things like a potential security compromise on a stolen credential or an access key in AWS, or potentially seeing suspicious traffic to crypto miners; those probably warrant more investigation. And also then leverage automation for the last 10% of the cases, because, let's say you have an open S3 bucket or an open security group in AWS with port 22 open to the Internet and you're just not allowing that in your environment: just shut it down, use automation, right? And you'll hear about Demisto and some of the other things we're doing in automation. But at least from my philosophy standpoint in cloud, we believe that's the right way to think about this; that's the scalable way to think about this.

So if we agree about that for a moment, that you need security in build, deploy and run, there's yet another dimension where you need holistic security. None of your cloud applications are going to be 100% VMs or 100% PaaS, and so the question is, do you go start buying best-of-breed products for each one of these, and now you end up with 60, 70 tools like you did in the on-premise data center? Or do you have an opportunity actually to have consolidated visibility, such that if an application starts at a VM, talks to an S3 bucket, that then triggers some notification service, you have visibility into that entire application lifecycle, and that visibility is consistent, that control for policy and governance is consistent, and all the threat detection and incident response around the stack is consistent? So you may have heard recently we announced our acquisition of Twistlock and PureSec. I just wanted to sort of give you a sense of where that fits in, because we want to believe, and we hope you believe, that while you want best-of-breed security for containers, best of breed for PaaS services, best of breed for infrastructure as a service, you do want them integrated. And that's sort of where our Prisma Public Cloud offering really comes to be.

Now, architecturally, the way we deliver these solutions, and I'll pause and take some questions, is we want to do this in the most DevOps-friendly way that we possibly can. So our Prisma Public Cloud offering actually does not intrude into your environments. It's not a proxy, it's not an inline solution; rather, it works off of cloud-native APIs, and we talk about this as an embrace-and-extend model. We take all the data that the cloud providers expose through the APIs, getting read-only access into environments, and within minutes we're correlating this data across the popular cloud providers. The first thing we do is try to optimize it for consistency, right? The APIs of Azure are very different than the APIs of AWS, than the APIs of GCP. So we basically take four distinct data sets. We take flow logs from the cloud providers that give us all north-south, east-west visibility of who's talking to what, without being inline. We take all the user activity information, so an understanding of what your developers are doing in these environments. We also capture information about configurations of resources: how many S3 buckets have you got, how many EC2 instances, how many IAM profiles, what changes are being made to those things. And then we'll augment that data with third-party feeds, whether those are threat intel feeds or vulnerability feeds from Qualys and Tenable. We'll capture all of that information together.

Then we use a logical way of, first of all, applying best-practice policies, rule sets, wherever we can. So out of the box we ship with about 400 policies, and every week we add more. If you're thinking what are these policies: cloud providers ship about 1,400 features a year. You, a security practitioner sitting here, are wondering what could my developer do wrong next, what do I need to look out for? These are policies, these are rules, and these best practices are mapped to compliance standards like ISO, SOC 2. It was a fascinating conversation earlier with [unclear] and Edward, yourselves and a few others, on controls and consistency and what standardization do we use, how can you prove you're secure. Well, a lot of the standards, as you mentioned here earlier, were never written for the cloud. So you, the customer, want to align with the NIST 800-53 framework; somebody's got to do the hard work of taking that standard and making it technical controls for each cloud provider. Well, we do that for you out of the box. So that's all policy-based.

Then there are things we simply can't catch using policies: stolen credentials, cryptojacking use cases, suspicious traffic, port scan, sweep attempts. So that's where we will use machine learning based on this data lake that we've sort of created across your cloud platforms, and we'll use machine learning to sort of infer and detect and report on those anomalies.

The end result of this, if you think about it at the very top, is a few different things. First of all, for those of you not as fortunate as you, we build you the CMDB, build you the asset inventory system out of the box, knowing what assets are there, where they're deployed, what changes are being made and who's making those changes, all part of that. We then give you all the best-practice guardrails for your developers aligned to the various compliance standards, so you have that there. We then give you more of the threat hunting, detection and response. So I asked you the question, where could you go and ask how many databases are out there in your public cloud environment? Take it a step further: how many of them are connected to the Internet right now? You don't have a way to ask that question. So this system gives you that ability.

Yes, on that note, I'll actually pose a question to you: any guesses on what percentage of customers have Internet-connected databases, do you think, across our research?

Audience: [unclear] more than they think they do.

Varun: Yeah. Interesting statistic: 92% of firewall rules, the cloud-native firewall rules like security groups, have unfettered outbound access; there's just no control. It's kind of scary. If I told you that we have seen one third of databases in the cloud to be Internet-connected, does that surprise you?

Audience: I thought the number would be higher, but databases, that's something almost every customer has, but I was thinking it was 90%.

Varun: Yeah, we're not, but one third. Just scary stuff, right? Think about this: we've spent the last couple of decades as a security industry solving these problems. How are they emerging in the cloud? It just warrants different architectures, different approaches to security, and that's sort of what we're trying to build here. And so, continuing on, you have threat detection, you have this ability to ask questions arbitrarily, investigate incidents; it becomes kind of a DVR for your cloud. And the best of all is sort of, we believe in an open ecosystem as part of your SOC. At the end of the day you're going to have this in conjunction with tools like vulnerability scanning tools, identity tools, threat intel tools, and we try to sort of integrate those in a way where not only can you have workflows that are very developer-friendly, like Jira and ServiceNow, PagerDuty, Slack, but also very SOC-friendly, because in this sort of DevSecOps era we're not going to be successful if we over-rotate on one or the other. We have to have consistency in integrations and workflows across both.

Audience: What do you experience with people mapping their existing on-site policies to a cloud? That tends to, in my mind, be problematic, because there are very different constructions for infrastructure.

Varun: Yes. What I found is, for customers that are just starting out, the basic people want to start with CIS. It feels like CIS checks, the Center for Information Security, has actually created a very good, very cloud-specific benchmark. They're one of the only ones where there's a standard that's built for AWS, for GCP, for Kubernetes, for Azure. And so it feels like, if organizations don't quite know where to start, on your point of taking legacy standards and trying to move them to the cloud...

Audience: I'm not talking about the standards and baselines and benchmarks, because those will just happen naturally. I'm talking about their existing policies, because a baseline and a benchmark to me is not really a policy. A policy being not technical controls; you're talking about policy being "thou shalt not", "the data shall be encrypted at rest".

Varun: That's policies, okay, yes. I think a lot of them have policies. Most organizations we work with also have drafted, and spent years drafting, a cloud security and architecture blueprint.

Audience: Correct. The hard part is how do you validate the technical controls. That's all; I was just wondering what you guys have seen from a mapping of one to the other, because there are big holes.

Varun: There are big holes, and so that's where most of our customers use technologies like this, because not only does it have over a dozen industry controls and standards, so ISO, NIST, SOC 2, PCI, HIPAA, GDPR, just out of the box, but it also gives customers the ability to take their policies and map them to a custom control framework, just through the UI or through our API. So that combination is usually what we've seen.

Audience: And do you automatically, so if I loaded up a policy, whatever, can you spot the things that are just impossible to implement inside a cloud?

Varun: So again it comes down to: there are some things that are very technical controls, there are some that are procedural controls. Obviously all the technical controls that can be validated through the API, we validate. So for example, with the CIS benchmark, about 76% of the controls can technically be automated, so we've automated those, but there are still 24% that just can't be automated. These are, you know, people policies, training policies, and so...

Audience: Yeah, when you talk about encryption, I'm really concerned about key management, because who manages the keys is generally the cloud, not an end user. That's a big problem for certain industries.

Varun: Yes, but if you wanted us to have controls that validate that keys are being rotated in the cloud, that you're using KMS correctly, those are technical controls that can apply here. Sorry, yeah, no, you had a question?

Audience: Yeah, earlier you said that you tie in to the vendors' APIs. I'm wondering if you go another level than that. For instance, in AWS, are you just pulling the same stuff out of CloudWatch, or are you getting your data directly?

Varun: So, a combination. We'll pull CloudTrail, we'll pull VPC flow logs, but then we'll also make describe calls to every resource in the cloud, because we want to capture every diff of every change made. Meaning, if while you were here your developer this morning came in, modified an existing security group from allowing access only on port 443 and extended that rule to allow port 80, we want to track that change, such that you have auditability and forensics tracking on all of that. And so for that we use a combination, right: CloudWatch will tell us something changed, then we'll make a describe call, see what changed, and we combine this.

To give you another example, now this is why cloud security is different: if you just looked at NetFlow logs, if anybody here has looked at VPC flow logs, they're painful. They are absolutely painful. They don't tell you directionality of traffic. They don't tell you what's behind an ENI, an elastic network interface. At 9:00 a.m. it could be a database talking to a web server, which is, you know, maybe it's the web server rather, talking to a database; if that role switched because somebody reassigned the IP, you wouldn't know. Or two VPCs can have the same IP address. So when you start aggregating this data it's extremely painful. So a big part of what we do is take VPC flow logs and then we'll match the ENI to say, right now, at this second, which instance is it applied to? Then we'll use machine learning to try to infer, based on traffic we're seeing and other components, what is that instance, what do we think that is.

Audience: How is that presented?

Varun: Great question, thank you. Let me give you a couple of examples of how that data is presented. So here's an example of just a pure asset inventory screen, hopefully you guys can see it back there. This is basically telling you how many resources we've found across multiple clouds, which service, how many EC2 instances, how many S3, how many Azure virtual networks, how many of them against our best practices that we ship out of the box are passing, how many are failing. All of that information is presented in this screen, as an example. Let me see, we have a couple of other screens I'll show you. This, on the other hand, is where we're presenting to you anomalous user activity. So this is a bit of a heat map of your developer that's showing you, on the axis here, the different services and APIs in the cloud the developer is using, alongside time, and the big bubbles that are colorful or in red are usually high-severity findings around these, meaning the developer here is logging in from a location we haven't seen them log in from before, performing activities we haven't seen them perform before; chances are this is not really the developer who you think it is, right? So this is a different presentation layer. Let me see if I have a couple more. This is a presentation layer of what I was talking to you about earlier, asking the question, do I have any instances exposed to the Internet, what class of instance. Now we present the data to you in a network topology map, and what you see above here, which may be a little hard to read, is a query language where you can pretty much ask any arbitrary question about networks, about users, about configurations, all through that. So again, the data is presented based on the kind of data and the use case it is as well. I don't know if that answers your question, if that's what you were hoping for. And all of this is available through API; a lot of times you're not going to be sitting around waiting to run queries, you just don't have time to do it, right, so a lot of automated alerting.

Audience: Which, you wouldn't use the word developer, because in my world developers will never do this. They may develop in a development environment or a development instance, but they'll never be running in production. Our operators, operations folks, would be managing production.

Varun: And do you not yet have a DevOps team that's doing both combined in your environment?

Audience: We have an ops team that gets to the point where things are deployed and [unclear]; they don't manage production.

Varun: Fair enough. So they work with getting everything up until it gets promoted to production.

Audience: Let's say promoted to production. But when you... so there's a defined line between the two, and there's a reason for that, because up to that point security may not actually be involved, and we really want security involved on production, and we really want to limit and control who has access to that.

Varun: Yep, fair enough. And I think what we have built, if you think about the build, the deploy and the run phase, as I mentioned, build will be completely developers, deploy will be DevOps, run will be a lot of where the security alerting that is more runtime-related will be occurring as well.

Audience: Well, ideally, I'm not going to say who does it, but ideally you should be doing security at all levels, so that the developers work within the secure environment, so that they get the alerts that they know they need to fix, right, early feedback. And then when they do the build, deploy into testing, they're still in a secure environment. So basically I'm a big fan of measuring 12 inches to the foot, instead of one.

Varun: Great. And I think that's our philosophy in building these capabilities: don't build it so far on one side and over-rotate; give that early feedback in that entire process, to be secure.

Audience: Well, because developers, a lot of times, they know what they're doing and they want to get systems up and running, and security becomes "they will just add that later", or someone else will do it, or whatever. And that's not a good thing.

Varun: And that's what, I think, the view you're seeing here is more of the security-centric view. Developers are not going to come and look for this stuff. Their feedback is given to them inside of Jenkins, inside of their build tools, and...

Audience: Sorry, you just pass all the scans, or fail, whatever, and that's actually usually not enough information to fix the problem.

Varun: Yeah, so we've worked really hard to make sure anything that gets failed has complete feedback on what they need to do, prescriptively, to go fix it.

Audience: Yeah, exactly.

Varun: Fascinating. I'd encourage you guys to try some of those DevOps-centric tools. They're available free; they're available at developers.paloaltonetworks.com/prisma. So please try them, please give us feedback. I think it'd be fascinating to see how we're trying to, again, address that audience, change the dynamic of, you know, "they don't understand this", so give them feedback that they can really act upon.

Audience: Does Prisma have the capability, so if I was a security person, if we were doing encryption, that when we detected that in their code, encrypting or whatever, that they were doing encryption incorrectly, we just switch it out with the right primitive, so the underneath just does the right thing for them?

Varun: You know, it doesn't get into the application code logic. So the way this is working is more on the infrastructure and PaaS layer today.

Audience: But to me that would be the PaaS layer; it's like changing out what primitives are used to be the right one on the API configuration.

Varun: Yes. So let me give you a couple of examples where it would go out and correct. Let's take one: security groups. Your policy states thou shalt not open up security groups to the Internet. A developer or DevOps or whoever ends up pushing a new security group, either manually or through code, and it has an incorrect configuration. The system can automatically go remove that offending ACL from that, so you don't have that problem. Let's take one for S3. Somebody left an S3 bucket open to the Internet, a common thing; we've all heard about the nightmares with that. You can make sure that it turns it to private, so it is not accessible to the public. Sorry, go ahead, yep.

Audience: I was just going to be commenting on the whole "developers don't think about security", but that's complete BS right now in today's environments, because developers keep getting blamed for all the holes and all the breaches and everything. Developers are the ones that are looking more and more into how to actually be more secure, how to consume these APIs so they can try to develop proactive, not necessarily reactive, systems that are trying to figure out, okay, I just got compromised, now what do I do? It's more about trying to figure out the training, analysis, to determine something that's going on. I don't want to end up on Shodan and be listed as having all these ports open. So how can I change my defense-in-depth security?

Audience: But a lot of times it's a retraining for them; helping your security needs to help them. You need to start from the beginning with a security-conscious...

Audience: Yes, and I don't think that's retraining. I mean, to build applications and web applications all the time, the first thing that comes to mind is, are my SQL statements protected, are my admin pages protected, HTTPS. Let's Encrypt has done a huge push into getting certificates. I mean, that's the thing, it's not so much retraining; it's just, in the past, you were correct, it was "get this crap out and get it out as fast as you can do it". Now it's more of "don't put me on the front page of the newspaper"; I want to make sure this is done correctly. And that's why I applaud all the APIs, because they are certainly an exposure point into a lot of, you know, potential mining setups for what people are trying to figure out, but it's allowing developers to be more proactive as opposed to reactive, and try to make it so that we don't have to worry about getting that notification that says we were just compromised.

Audience: It's also a requirement, in going along with that, that the security team needs to be working with the development team to ensure that that happens in real time while they're developing, so that I can give the advice they need to fix that. Because some of the time, stuff like crypto-related things: "oh yeah, I just did a TLS cert." Well, we need to protect the private key, and a bunch of other things, and where you store it. They may not think about these other things, because all they're thinking about is "oh, I got the right cert". It's like, no, you've got more to do.

Varun: Well, it raises a key point, that security is a collaborative effort; it's not [unclear]. It has to be training on all sides of each other, because we're all going to have our own perspectives on it. The developers are going to have to learn security, but the security teams here, in the cloud case, have to learn the cloud, because even if we give you alerts, do you even know where to start?

Audience: [unclear] AWS. Can you have a look at your CloudFormation and say, hey, someone made a change, and can we run that process against it and say, hey, the security group is open, why?

Varun: Yes, so those are free tools on developers.paloaltonetworks.com/prisma. You could scan Terraform, you can scan CloudFormation, all of that.
Info
Channel: Tech Field Day
Views: 22,460
Rating: 4.7297297 out of 5
Id: XMeb6r7EM8g
Length: 28min 15sec (1695 seconds)
Published: Thu Jun 20 2019