The State of Cloud Security: How Does Your Organization Compare? | SANS Cloud Security Summit 2019

Captions
I'm Dave Shackleford, for those of you that might not have been around yesterday. Most of you probably were, and I'm gonna be kicking us off this morning with, you know, I'm gonna steal from them yesterday, right? I'm gonna start off with the worst talk of the day; it's only gonna get better from here, right? So, and you know, who knows, maybe that's true, but the reality is this talk is really, sort of, in some ways less of a talk and more of some interesting data. And so for those of you that don't know, just about every year, year and a half-ish, depending on whether we can get our schedules together, SANS does a survey on cloud security, and we go out to the community, folks just like you, and we just ask some questions: you know, what's happening out there, what are you guys doing, what's happening with your company, your organizations, are you guys moving to the cloud, if so what are you doing, and of course focused on security, what are some of the headaches that you're experiencing, what are some of the wins you might be experiencing too, what are the things that you're doing better than you might have been doing before. So it's all about the sort of holistic view of cloud, particular to security, but you know, it's coming from the community perspective. And so what I want to do is relate to you guys some of the major points that we found this year. So you guys are of course getting the first preview of this; we're gonna be doing a webcast, actually two webcasts, on this over the course of the next week, but you guys get it first, and so this is the first time I have an opportunity to get up and talk to everybody about some of the things that we found this year as we came back.

And so this is my Captain Obvious slide for the day: we've seen an emphasis on attacks in the cloud, and it's not so much because the cloud is insecure necessarily, I'll talk a little bit more about that, it's because any surface area that people significantly start shifting towards is going to draw the attention of
attackers. So that's all that's really going on, and of course alongside that we've got some interesting factors, you know, really just looking at, you know, people not maybe knowing what they're doing in terms of configuration, not necessarily realizing some of the assets they have in the cloud. And I need to tell everybody that we've had a lot of exposed S3 buckets over the past few years; it's the gift that keeps on giving. But we've also got new things that have started cropping up over the course of the last, you know, what's called 18 months or so that I think show a little deeper element of security misconfiguration and perhaps just lack of awareness. Just last year there was a whole bunch of open Kubernetes APIs that got exposed and in fact got hijacked. Some of you guys might have read about this; some pretty big-name companies in fact were a part of this, where they had opened up these Kubernetes APIs, people basically jumped in there and started, you know, crypto mining stuff and took some money from them. So if you don't know what you have, obviously you're gonna have problems, and that list keeps on going: Microsoft had a pretty big outage, blah blah blah, this goes on. However, this is not a doom and gloom talk. This is a talk just to say, look, given the fact that, number one, we've got more use of cloud than ever before, we've got more data and assets in the cloud, we've also got a lot of huge explosive growth across the cloud providers themselves. More cloud providers, more assets, more customers means more places to attack. We're gonna see some pretty interesting things shaking out of this.

And so just to start off, a little bit of demographics. I tried to sort of crunch this down. We had a really good mix, I'll just sort of leave it at that; we had a very broad representation of different verticals and different types of industries. I saw a little bit of an uptick in two spaces particularly this year. Number one, we saw more government agencies responding to us, which, it shouldn't
surprise anybody that government agencies want to make use of cloud as well, but we definitely saw them coming and actively responding and participating in some of our survey instruments this year, which was cool. The other one was a significant uptick in smaller businesses and organizations, which to me is really one of the major hallmarks of cloud adoption becoming more mature. If it's only big massive enterprises, you know, multi-billion dollar industries that are global in scale, that's one end of the spectrum, but until we sort of get everybody along for the ride we're not going to really be able to say, well, cloud is, you know, officially here for everybody. So that was another big one that we saw. Most of the responses came from the US, Europe and Asia; we definitely saw some other things from pretty much all the different places aside from Antarctica.

So, some key findings. A couple things that I wanted to point out, and, you know, I won't read the slides to you. I have a bad tendency when I deliver data points to folks, I just smack a bunch of stuff up on a slide. You guys will get a copy of all these later, so, you know, you can gaze upon this to your heart's content, but I'll just draw some of the highlights. Number one, we saw that people did in fact get attacked in the cloud. I mean, you know, I'll get to that here in just a bit, but we did see an increase in unauthorized access coming back, people that knew that they had had some form of unauthorized access. So only 19% said that they had something about this going on in 2017, towards the end of that was when we had our last survey; this year we saw that that had gone up to roughly a third of the organizations that we polled. We also saw over 55% said that they were still just really struggling to get some of the log data and to just deal with that. Now for those of you that were here yesterday and you heard a lot of the really awesome discussions and presentations that were given, you know, the term CloudTrail came up a lot. We talked a lot
about logs and events around the cloud control planes. I think that's great, but I think people are still struggling on how to deal with it all and how to take that data, distill it, make it meaningful, turn it into artifacts and things that they can make use of as part of their investigations. Again, I'll get to that here in just a few minutes. And the final one was really more about risk and auditing for people that are looking at cloud providers in the first place, and we had to ask this just to say, hey, you know, if you've got to go vet a provider, a third party, as part of your, you know, call it just overall, you know, partner evaluation or your vendor risk management programs, what are you looking at primarily to get a sense of how good a job they're doing? And we had a fairly flat answer set, which I'll get to at the very end of the presentation, but at the top of the list was ISO 27001, and I think that's predominantly due to, you know, I'd say maturity to some degree. I think maturity in that area, it's just a standard that's been around a long time, but it's also one of the more internationally recognized standards, and that has a lot to do with things.

So let's talk about what people are doing in the cloud in the first place. So to start us all off, we always ask, you know, what kinds of apps you're using, what kinds of services are you using in the cloud, because if you hang out and you talk to people about cloud in general, especially even in here, just even from what we discussed yesterday, you might be led to believe that it's all Amazon, Google and Microsoft, and the fact of the matter is that's a much smaller percentage of cloud use than most realize, or at least tend to think about on a day to day basis. In fact I've seen varying statistics that are out there, but for most, if you say cloud, it's SaaS, it's software as a service applications that people might have dozens of, in some organizations that I work with hundreds of different types of software as a service applications. So it's much
easier for a small organization in particular to make their initial foray into cloud by signing up for Office 365 or going and spinning some things up in Salesforce or going and making use of Box for cloud storage. So we wanted to find out what kinds of things people were using, and this was a surprise, because in our last survey we had, I mean, 84% came and said yeah, we're using these, you know, sort of workforce types of apps, business applications, and a lot fewer specifically noted those this year. They came back and said they were using a lot of storage; some other sorts of security services were much bigger. I don't know if this one, you know, I'm gonna take as gospel; it might have just been the respondent set that we got in this particular case. You never know until we have a couple years of that data under our belts, but that drop was really surprising to me, because most of the clients that I work with, both large and small, are definitely making use of some of that type of, different types of applications. So server virtualization, almost half. So server virtualization of course is instance workloads that you might spin up in Amazon or Azure, Google Cloud Platform, and I think you could probably extrapolate that out to things like containers and those types of workloads as well. We didn't really specifically focus on that, but that's encouraging to see people feeling comfortable enough to say, you know, half of us are willing to go put our own servers and workloads out in the cloud and do something with that. So a pretty broad set of different types of services: certain types of business apps, obviously storage and archival of storage, server virtualization, and then again about half, close to half, were using different types of security services in the cloud as well, which I think is also a massive shift. So the whole realm of security as a service really has only arisen as a need to accommodate gaps that we might not have been able to put in place controls for, things that we're
normally used to. If you can't take it with you and put it into the cloud, that's where security as a service types of offerings might be able to fill those gaps and help out, and we didn't get into too much specificity yet; I'll get to more of this in just a little bit. There's certainly more to say about that.

A couple more stats on cloud use, just looking at how many or different types of providers people are using. This was definitely also something I found interesting. The majority are still around two to three, so just across the spectrum two to three providers of all sorts sort of feels right, but we had a higher percentage that came back and said, a very, you know, again, smaller percentage actually saying that they were, you know, using one provider, so it only went down by one percentage point, so I don't really take that to mean a whole lot. But the last one I thought was interesting: more than 20 providers almost doubled. Still a small number, but you're seeing people more willing to go sign up for more types of services. I know yesterday in some of the talks that people were giving there was some discussion around the use of multiple cloud providers. Multi-cloud is sort of becoming the norm for a variety of reasons, whether that's for backup and continuity, whether that's simply for different types of capabilities that they might offer, you really need something that's in Google Cloud versus what's in Amazon for example, whether it's cost savings, whether it's just, you know, different stuff, who knows. But I think that number is going to grow significantly, because especially when you can count things like SaaS, that's going to get a lot bigger and probably a lot faster.

So this is my, you know, sort of short way of saying people are getting a lot more comfortable putting sensitive data into the cloud. Is anybody surprised by this at all? Is anybody surprised that we're getting a lot more comfortable with the idea of taking sensitive data of a variety of types and putting it into a third
party arrangement? Anybody? Shock, horror? Yeah, I don't know, maybe, but it depends on the type. So if you look at the types of data that people are most willing, I mean business intelligence, intellectual property means a lot of different things to a lot of different people. I strongly wager that, you know, there's probably some threshold or limits that people are sort of, you know, like, no, we're not going to do this. But if you go down this list, you know, customer personal information, financial and accounting data, sure, yeah, absolutely, and I think that's gonna grow. And we didn't necessarily ask this in conjunction with this question, but I think it's to be at least somewhat assumed there's a better comfort level, and maybe that's not necessarily from the security side, it's from the business risk side. Somebody in your organization is cool with putting that data out into the cloud, and if they have the ability to make that call they might do it. So what that tells us as security folks is that we've got to go along for the ride and ensure that we're doing everything we can to protect that. So, something we already know.

And in conjunction with that question we just wanted to find out whether privacy was a factor, and another one that I don't think is probably a surprise, looking at things like GDPR, looking at some of the major privacy regulations that have cropped up: over half said yes, and a couple just weren't sure in general. But if you take that, I mean, I would probably say that many of the unknowns are hedging their bets but probably have something to worry about here. You know, you're getting close to roughly two-thirds of the respondents that came back and said yeah, privacy is a factor for us. And there's some fascinating things that go along with this too. You know, not to wax philosophical, geographic, regional specificity has a lot to do with the choice of some of the cloud providers that you'll find out there. For instance, some of you guys may be familiar that there is actually an
entire continent called Africa. You guys have heard of it? Yes. So Africa has extraordinarily low numbers of points of presence with all of the major providers. So if you go and look across the big three, the Google, the Microsoft, the Amazon, and then go check out the different regional offerings that might be available in South Africa or Central Africa or even the northern African region, it's a ghost town. Why? Well, because they haven't felt the need to put anything there yet. That's changing, and part of the reason that it's changing is due to a significant growth in local and country-specific privacy laws that are starting to crop up there. So Microsoft has some stuff there; Amazon and Google are sort of making their move into that region as well. I'm just using it as an example, but if you're a global organization that happens to have business in one of those areas, that's something that you've got to take into account when you choose a provider. I always tell a story in some of my classes about a client of mine, and you'll appreciate this, I think. It just proves just how weird it is; nobody could have predicted this. But I've got a client, huge international retail company, that several years ago decided to choose Amazon as their infrastructure as a service provider, no shocker, but they chose London as their European region. Now pause for a minute and ask yourself, what's the problem with that right now? Mm-hmm, yep. They didn't think about that, and of course nobody could have. So they're actually right now having to go through a significant migration of data out of that location into one of Amazon's EU-specific locations over there. So they're looking at, you know, about Frankfurt, they're looking at other places, just because they know that might not be something that they can rely on down the road. So again, it's interesting to see how different regions and some of that, even, you know, political elements play into this.

Let's get into some of the security elements of this, and this is where we
start talking about what's changing out there, what's happening with some of the folks that have been going out to the cloud and what they've been able to find. We wanted to find out whether folks were using some of the sort of later, better technologies that have emerged to facilitate cloud use, and, you know, really each one of these could be its own topic in its own right. But we asked about things like federated identity as a service; we talked about multi-cloud brokers, just because we've seen this adoption of multiple cloud providers that has sort of plagued people if they didn't plan for it; we talked about things like CASBs, cloud access security brokers, which is a whole security as a service brokering service, you know, primarily for SaaS services, but that's grown a bit to facilitate access to and control of data to platform and infrastructure services as well; and then we also asked about cloud network access services, so this is things like your Zscalers and sort of that access model for networking, not so much just for software as a service or application access. And right there at the top of the list you can see the cloud network access, and we got some responses back from people where they were able to put in, you know, sort of their own entries. There is a big shift to using the cloud as a connectivity mechanism for employees; in fact there's a massive shift away from traditional VPN technologies. So you're seeing that end user sort of focus coming into play here. If you've got people that travel and maybe they have their own laptops or their own tablets or their own mobile devices, people are trying to get away from having to maintain centralized core services that everybody has to connect back to to get to other places that they're going. I'm not saying that's happening wholesale, but I'm definitely seeing a move away, at least in some cases, from some of those types of traditional central hub and spoke architectural models for end-user types of connectivity. I think the big
one though, just identity. You cannot really architect cloud services, whether for end-users or core services or both, without having a massive emphasis on identity services of some type, and particularly for, you know, sort of taking things like Active Directory or directory type services and brokering those out into other places. It's becoming almost a mainstay that that's happening, so that's, you know, that's not surprising to see that close to half of the respondents said that they were making use of those types of services too. So this is another one where I think we're going to see some significant growth over time, just seeing that use of services like that, and we had a handful of other ones that sort of came in as well.

Looking at the different types of things people were worried about in the cloud, and I'll come back to controls, by the way, I have a whole massive thing about controls and the different types of controls that people were using, I just sort of started off the survey with that one. But the big thing I wanted to know: what's actually real? I mean, you hear a lot of FUD out there in the industry about what could go wrong or the types of things that might happen to anybody that's going in provisioning assets out into the cloud, but does it really come true? Is it just us, you know, sort of fear-mongering, or are there really cases where people are experiencing breaches and significant types of intrusions, or is it just things that people are concerned with, or some combination of both? And sure enough, as you could probably expect, it was a bit of a combination. So back in 2017 we sort of saw that unauthorized access was close to the top of the list of actual problems that people were having, or some of the concerns that they were at least worried about. Same thing here, but the second one was the biggest change. So that's what really changed in fact this year: instead of going and looking at, you know, the seventh position, where inability to respond to incidents was
sort of way down, people really hadn't gotten to a point where they were worried about that that much yet; now they're really worried about this. Like, this is a significant change, just to see people acknowledging the fact that traditional ways of handling incidents or responding to incidents that they might have been pretty comfortable with on-premise haven't necessarily translated as well. And I know there's gonna be some discussion about that today in some of the other talks that are going on. I think, in fact, in just having conversations in the industry, that tends to bubble to the surface a lot: it's, I don't feel like I can take my incident response methods, tools, some combination of both, out to the cloud and have them be as effective as I would like them to be. So that's another thing that I'll talk about in just a little bit more detail here in a moment. Other concerns: just lack of visibility into data, and then of course the unauthorized access to data from other cloud tenants, this whole notion that you might be in a bad neighborhood and you don't know it. So, you know, who are your neighbors in the cloud? You have no idea, unless you go sign up for a single tenancy option, which, for any of you that have actually explored that option, it's like, I don't know, a thousand times more expensive. So typically businesses are like, no, you know, I'm not going to do this, I'm gonna go sign up for the multi-tenant option. But what the multi-tenant option does is it puts you into the swamp, and you're wholly reliant on the cloud provider to maintain things like segmentation of memory and CPU processing and disk isolation for storage. That's a trust factor that we have to get used to, but it doesn't mean that people aren't worried about it. So there's still some concern about how that's being addressed and how the providers themselves are ensuring that our data and all of our other types of processing are being kept isolated and separate. So downtime was definitely something people saw. I mean, just in
terms of the things that actually came true versus those people were just worried about: downtime, sure, of course you're gonna see some downtime. There is no such thing as a 100% uptime situation. I've actually seen some offered SLAs from providers that guarantee that, but you should go into those arrangements knowing that you are being lied to. And again, I'll sign off on that if I'm the CIO, because you're gonna give me contractual guarantees of service payments and other things, but there is no such thing as a hundred percent, you know, and so forth. I love the S3 resilience SLA from Amazon. Anybody know what that is? I've got their head: eleven nines. Just going ahead and let that one sit there for a minute. I mean, why not? Why not make it twelve? Seriously, at that point who cares, but eleven nines is just hugely unrealistic, but I'll take it, all right, I'll sign up for it anyway. Back to this: things that actually happened. Downtime is gonna happen. Biggest change was an actual case of people being breached. So we did see unauthorized access by outsiders sort of creeping up here again. We only had twelve percent of people say that that happened in our last survey; twenty-eight percent, so I mean over doubled for sure. And what does that say? Don't know. That's the thing, there's still some question marks around that, because what we don't necessarily know is all the details behind why that's occurring in the first place. I don't want to make any assumptions that it's because the cloud providers are doing anything negligent at all; in fact, more than likely it's because people are putting more stuff into the cloud and they don't know what they're doing and they're probably misconfiguring things. We definitely saw more people say that API misconfigurations were occurring, and that's because we're using more APIs, which I'll get to here in a moment as well. So the good news for us though, just to take that into context, only 10% really said hey, we know it happened. So even though you say, well,
we did see an uptick in this, we definitely did see some people saying they experienced the breaches, we only saw 10% that were willing to, you know, sort of put their stamp on it and say yeah, absolutely, we really did see it happen. I like the, you know, the red and green options, right? Like, so 72% were like, you know, not that we know of. Well, that's, you know, that's my nice way of saying, you know, you don't have to really admit it if you don't want to. Some people, even on an anonymous survey, are wholly uncomfortable telling you they've had a real security problem. You know, maybe they thought we were tracking them or something, I don't know, but I like that some people were at least honest and said yeah, we did have a problem. And in the red here you can see another 10% that said yeah, we can't really prove it but we think we had some issues, and that goes back to not having enough detail or data around the response efforts themselves.

This is the closest I could get to nailing down what actually happened in those cases. Remember, it's not a lot of cases, only 10% that really said yes, but in that 10%, number one, and I love this because it just, it's what everybody knows, it's account credential hijacking, right? Have you guys seen this movie before? Do you know how it ends? Yeah, we know how it ends, right? The keeping up with credentials is like the gift that keeps on giving, because it implies that we don't really have a good handle on accounts in the first place, and we know we don't have a good handle on accounts in the first place, so that has made its way into the cloud. The other one is misconfiguration, so people that are screwing up their configs, people that are not managing their accounts or tracking their accounts as well as they would probably like to. And then coming in third, it's privileged user abuse, or privileged user something, and that might imply DevOps, that might imply service accounts, that might imply cloud administrators or engineers, anybody that has more access
to cloud resources than others. But none of those really surprised me at all. There's nothing that stands out to me in those responses that is super sophisticated or really that different from the same old problems that we're experiencing in-house, which is very encouraging for me as a security professional, because what it means is these are the problems we know. We know these problems; we simply have to adapt our strategies to be able to handle them in the cloud. And there were some awesome talks given yesterday about access management and the challenges that go along with that, and so this is something that is very apparently happening across the board, not only from the end-user side but from the administration side as well, and especially when you start developing automated or semi-automated pipelines, you really got to make sure security is embedded in that at all layers so that you don't inadvertently automate your way to problems as well. So this is something that I really enjoyed, sort of seeing the responses come in as things that weren't unexpected.

We tried to find out what kinds of things people were using controls-wise, and there's a litany of controls that are out there, and I probably could have gone into a ton more detail on any one of these. I'm not going to go into, you know, all the specifics around all of these different controls; I do have a few things to sort of pull out of this here in just a moment. But if you look across the board here, I think what you're seeing consistently is sort of two major themes. Number one, I think a lot of people are still trying to manage this from in-house. I think they're still trying to use the same old tools, the same old types of controls, and then sort of, you know, I don't want to borrow a term from yesterday that we sort of, you know, bashed a little bit, but the whole lift and shift: sometimes you can't necessarily lift and shift your security controls either. Now I think a lot of people are still trying to do that, but what's
encouraging are these security as a service and both sort of options that are coming in, in the green and the blue bars in particular, in a couple different areas, things like vulnerability scanners. I mean, look, vulnerability scanning is something that we've sort of just accepted as a core control today. Everybody's got some of this, and it's all the usual suspects. Fortunately all of them have made their way to the cloud; if you listed the major vendors in that space, every single one of them has a cloud native or cloud compatible option. Cool, we're starting to make use of that. People have gotten comfortable with the idea of moving some of those things out. Same thing goes to some of these other areas, right, you know, like intrusion detection, prevention, sort of still a lot of in-house management of that. You look over here at, you know, examples of things like log and event management, which people were talking about yesterday, and there were some awesome discussions of that, in particular the Wazza stuff that you guys gave a talk on, thank you very much, complete adaptability to cloud versus trying to do it on premise. So a couple key takeaways that I got out of here: still being managed internally. We saw some growth in CASBs, encryption gateways, definitely some identity management, but altogether I still really am hoping to see more people start moving things out into either a hybrid model or even a wholly cloud native model, and sort of just get out of this mindset that we've got to take the traditional stuff and just hope for the best to make it work. Sometimes it can; I'm not saying that all those controls are dead, but a lot of them just don't quite work the way people had thought that they would. The good news is people are at least accepting the fact that cloud is here to stay, and that's what I take away from people having policies and having somewhat of a governance strategy in place. In fact, if you sort of pressed me on it, most of the year as a consultant what I tend to
do is go take a look at people's cloud configurations, architecture, programs in general, and most of the problems, the biggest problems, aren't in the technical arena. There's definitely those problems too, as people just sort of ran to get there, but they didn't put that back-end policy and overall plan in place as to how people were gonna work together and get the job done consistently over time. That's governance. It's not an exciting topic; in fact it's a very fast way to repel people from you at cocktail parties, but nonetheless just be aware that, you know, the good news is people are realizing this, so we saw an uptake of some of this.

The thing that I really was unhappy to see was, in my opinion, the number of people leveraging things like APIs and implementing security controls through more programmatic methods. It's just not as high as I want to see for people that are getting out there. I'd like to see that number way up, and I know Ben talked a little bit about that yesterday, just that, you know, in our panel, the idea of using software-driven mechanisms to implement your security controls. It's not a nice-to-have, it's a must-have. It's something that absolutely has to occur if we're gonna get there, and we're just not seeing people use this stuff as much as they should. So the good news is at least some of them are. So the people that are using CSP APIs: configuration management, right there, so people are tying into, you know, deployment mechanisms, leveraging images and templates. They're also defining a lot of this in security as code or infrastructure as code, which is nice to see as well. Logging and event management: I would actually go so far as to say you're never gonna get there in getting all the logs and events that you need out of the cloud providers without tying into APIs somewhere. You're gonna have to go make some queries, you're gonna have to tap into this and siphon it out somehow to something. You just really can't do that without leveraging some of the cloud native
tooling that has been made available for the large providers. Identity and access management is another one, so you can see, you know, sort of a consistent theme that people are applying here: it's defining assets and infrastructure, core controls, it's managing identities across the board, and then I think also just dealing with events from a security perspective has become such a pressing issue that people are acknowledging that they're starting to explore the better ways to go about getting that data and pulling it out and starting to make use of it.

So, looking at some of the controls integration: I don't know how I feel about some of the network stuff here, because I think it could be open to interpretation. My general experience in taking traditional network control definitions and network architectural definitions and bringing them out to cloud is that people haven't done a very good job of it. In fact, this is one place that I hear a lot of complaints from people that say, "Well, I sort of expected to be able to bring my traditional firewall architecture or my traditional, you know, sort of routing, switching, etc. models with me." You know, in the cloud, good luck finding a switch. It's just not there for you, right? Layer two is no longer really part of your situation. Well, what does that mean? It means that if you had been relying on, holding on to, some stuff at layer two, it's time to move on; you better figure out some new ways to do things. So this one I'm interested to see over the course of the next couple of years how it shakes out, to see whether people really feel as though they're doing this the right way. Network traffic analysis is extraordinarily difficult in infrastructure-as-a-service environments. If you take a look at what you've traditionally done in-house with things like taps or inline types of monitoring or things like port mirroring or SPAN ports on switches, it's really hard to get that stuff. It's just not easy to do. I'm not
saying there aren't options, but it's really challenging, and my experience is that most people really haven't done this. So I'm not sure how I feel about that top one, but we'll see. Come on, people do feel like they've integrated their SIEMs. People are starting to integrate some of the endpoint types of tools, which is expected, especially if people feel the need to have that endpoint detection capability, or, you know, call it next-gen AV, whatever you want, in place. You can still install things into instance workloads in the cloud. It's not always a great idea because of the overhead that comes along with that, but at least in some cases, you know, you can, if you're willing to pay for the overage that comes with it. So I'm, you know, again encouraged to see that people are at least sort of moving in that direction and taking some of the things they need to at least get there. Multi-factor authentication: wow, what a shocker, you know, over 60 percent said they're actually doing that. We've only been yelling about this for decades, so it's finally nice to see that people are at least acknowledging that it is a core control that needs to happen. You know, I'm not so sure about these people that are "in the next 12 months." I'm like, what are you doing out there? All right, you shouldn't be there. All right, don't leave, you know, don't leave the house yet; you guys aren't ready, you know, you don't have your clothes on.

But, you know, the next thing is you go across the board and look at the things that people are doing, or, you know, sort of saying they're planning on doing. It's all the traditional types of tools that you would expect. It's those things that we've sort of looked at and said, okay, you know, what are the major elements of this? And so, like for instance, the next one that's, you know, sort of the big one here, it is vulnerability scanning. Yeah, it's almost sixty percent said they're pretty comfortable they've got that integrated. The next one down from that is anti-malware, so for people that need it, and let's
face it, half the people that have to say they have anti-malware, it might be a compliance checkbox as much as anything else. You have those tools, whether that's, you know, Azure giving you some sort of a native integration with Defender, whether that's, you know, name a vendor that has a product in the marketplace that you can integrate in. We have seen the adaptation of that tooling to accommodate for cloud, so it's no longer an excuse, in other words, to be able to say, "Hey, you know, if I have to have anti-malware I can't go to the cloud because I can't get it." No, it's actually out there. What we didn't see, though, was a consistent application of a single-vendor solution, and I wouldn't say that's necessarily a problem unless you're in a multi-cloud scenario, where it's just the operational overhead of trying to manage a bunch of stuff that might be a huge headache. So what this tells you is that people are finding some, you know, application of single-vendor options. Again, anti-malware seems to be pretty good, you see the vulnerability scanning is pretty good, but, you know, after that it's sort of all over the place. So I think people are having to explore new options, whether that's in-cloud stuff, whether that's, you know, sort of new cloud-native options that they hadn't had before.

This is one of the big areas that we've really focused in on over the course of the past couple of years in our surveys: really, you know, getting down to the artifacts that people want or need as part of their investigations. Some of these things I think you can do pretty easily. Like I said, vulnerability scanning: not that tough, you can pull that off. But as soon as you say, well, what do you traditionally need, right? If you talk about traditional forensics practices today, what do you traditionally need in order to feel as though you've got that covered? And so, you know, as a starting list it might be things like disk acquisition, it might be memory acquisition, it's probably things like
network traffic and PCAPs or whatever format you might need for a collection of data, and then it's probably things like event data in whatever form. As a starting point, can you get that, and can you in fact put a process in place that allows you to sort of match up or accommodate for what you've traditionally done? In some cases we got responses back and people said, "Yeah, we feel like we can." In a lot of cases the answer was absolutely not, and especially when you start bringing in these really complicated problems like chain of custody or legal types of access or law enforcement scrutiny or oversight of some of these types of situations, I think people really aren't comfortable with a lot of this. Yeah, now I know Ken's gonna be doing a great talk a little bit later today about how to go about actually getting some of this stuff, and so it's exciting to see we're getting there. I think there is some significant movement on this front, but a lot of people said that they were really challenged by this. They really felt that they couldn't get real-time visibility into some of this; they felt that their processes were immature, and by the way, that holds water in what I have seen out there. In fact, if I go and, let's say you guys were one big organization, if the couple folks over there were the SOC and the forensics and the IR team, they might not have had hardly any time to really sort of adapt their processes to cloud, build out those sort of workflows and playbooks, and really get their hands in the stuff. And right there is where it all breaks, because if your IR team doesn't know how to use your cloud infrastructure... the way I look at this is AWS is a skill, Azure is a skill, Google Cloud is a skill, and the worst time to figure out a new skill is in the middle of a firestorm. So those folks need that time. They've got to get in there and they've got to start learning where that forensic evidence is and what it looks like.

And we went down the list and saw some additional challenges people cited
as well, you know, just lack of access to some of the low-level data and ability to correlate some of the things, which I saw some great discussion of yesterday. I think we're starting to figure that out. In other words, look at the CloudTrail events. I mean, there's an enormous litany of event types that are available to you. I personally think they're pretty well named myself; I've spent a lot of time with this, right? Like "disable multi-factor": okay, well, I can probably figure out what's going on there, right? Or "stop logging": hmm, wonder what's actually happening there. Those are things that I think make some sense, but you're going to have to know them, and you've got to take those and tie them to other event data and other things that are occurring. So I think that is just a matter of time. But that inability to maintain chain of custody, compatibility issues with forensics tools that people have been used to and comfortable with, I think that's probably gonna be a continuing problem over time.

This definitely stood out as a problem, and I can sum up this slide in probably one generic Shackleford statement: most security people don't understand identity management. It's just a fact of life. It's not a knock; I'm not pointing fingers. I typically find identity and access management, and particularly identity policy that is broader in scope (I'm not talking about authentication and multi-factor and all that, it's all part of this too), but when you start getting into legit fine-grained rule definitions that have to encompass things like application-tier access and so forth, that's not something that a lot of security people have spent a lot of time on, and it needs to be. And that's really where one of the big headaches comes in. It's just this feeling that, huh, we haven't gotten there. Yeah, I would agree we haven't gotten there, but we will, because you cannot do this without having significant identity and access controls across the spectrum. In fact, I'm sure some of you will have heard this whole adage
in the industry today that identity is the new perimeter. I sort of don't agree. I think the perimeter is still the perimeter, but the definition of what the perimeter is is necessarily shifting to be a little more encompassing of things that are more identity-based. So we'll see more of this. This is a place that I have a lot of faith that improvements will occur, just in the sense, if you look at the green bar here, the fact that people have gotten comfortable integrating in-house directory services. If I'd asked security teams 10 years ago, "Hey, how would you guys feel about just taking your Active Directory and throwing it out into the cloud?" people would have looked at me like I had three heads. Now, granted, of course I'm exaggerating a little here. The idea is you almost can't do some of this without it. You've got to get comfortable with your identities, and the representation of said identities being a bit more extensible than they have been in the past, one way or another, and that's just a part of it, right? The other piece is more object- and asset-based identity. Everything in the cloud is an asset, and every asset can have an identity, whether that's server workloads, whether that's containers, whether that's users, whether that's groups, whether that's role assignments for services communicating amongst each other. That is all identity, and that is something security teams are definitely finding they've got to get more control of.

This is another place that I have high hopes, right? The whole idea of automation and orchestration as a generic topic is one that we really can't avoid in any discussion of cloud security, and in fact one of the things that I was really encouraged to hear in some of the presentations yesterday is that there's emphasis on this. In fact, we're trying to get away from manual activities wherever possible. Nobody wants to go in and click their way to glory, you know; it's just not the recipe for success. So you've got to figure out more automated workflows and
scriptable methods and really just use the tooling that's in place, hopefully within the cloud providers themselves, to accommodate for this. So it's of course things like Terraform and CloudFormation and Azure Resource Manager templates, the whole infrastructure-as-code concept. It's things like serverless technologies. So again, really cool to see almost half of the respondents have started making use of things like serverless. Now, the dark secret of serverless, and that's an intro to our next topic which is coming up after me, is that there is still actually a server; it's just not one you have any access to. So you gotta have at least some acknowledgment of that. But configuration orchestration, you know, plug-ins for things like Jenkins and other DevOps pipeline tools: we're starting to move in this direction, and so it's good news. Again, I'd love to see those numbers be a little bit higher. In fact, if nothing else on this list was sort of standing out to me, I really was hoping I would have seen a significantly higher number on this purple bar, the use of configuration orchestration tools like Ansible or Puppet or Chef or any of those, not necessarily because we're always moving directly into the immutable infrastructure, you know, mindset, although that's great if you can, but just because we need better consistency in management and oversight of some of that.

This is also good news for us, I think, right? And the good news here, first off, hasn't been reflected in what you see here. You know, so Amazon was the final holdout, really, on sort of controlling penetration testing into their infrastructure-as-a-service environment, and they still do, but they sort of opened up most of the major services just a few months ago, which was huge, which is a massive change in their policy going back years and years. So if you're in any one of the large infrastructure-as-a-service provider environments, for the most part you can do pen tests when you
need to do pen tests, which is awesome, which is huge for organizations that want or need to do that. The thing that has to sort of come in here, though, is that, remember, infrastructure as a service does not equal all cloud. So as soon as you bring in platform services and SaaS, many of them don't allow you to do pen tests still, and so that number is gonna stay up here. You're certainly going to see people still struggling to be able to pull off pen tests, at least in some cases. But we also asked about things like audits. I don't think I've ever had a case where any of the large cloud providers invited me to come hang out on premises with them. You know, you're probably not going to get an invite to go hang out at an Amazon data center or, you know, Google data center, although I was actually just over in Europe a few months ago, and apparently, you know, the European Financial Commission over there does have some clout and there are rumors of getting some on-premises audit invites, which I can't validate, I just sort of heard it secondhand. But nonetheless, most of what we have to rely on are the audit reports that are provided by the providers themselves, the attestation reports in whatever form, whether that's Cloud Security Alliance, whether that's ISO, whether that's, you know, a SOC 2 report, which are riveting, by the way. Those reports they're giving us at least some intel on what these guys are saying they're doing. Are you willing to trust them? That's a decision that only you can make, so this is the subjective conversation in that regard.

To finish up, right, the whole idea, takeaways from the survey: we're seeing, in our survey this year, a lot of growing cloud use, as anybody could expect. We're seeing more willingness to put sensitive data into the cloud, and we're most definitely seeing some areas of frustration, but that doesn't mean there aren't encouraging points to take away from this. We're seeing people get comfortable with automation, we're seeing people get comfortable with some of the
security service offerings that are available in the cloud themselves, we're seeing more and more organizations starting to use hybrid solutions. Places I'd like to see improvement: definitely around API use, definitely around automation all the way around. I think that's stuff that's just gonna take some time for security folks to get comfortable with, but it's coming. And thanks for listening to me. [Applause]
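The CloudTrail point in the talk (event types like stopping logging or disabling multi-factor are well named, but you still have to know them and tie them to other event data) is the kind of thing a SOC can script rather than eyeball. What follows is an added example, not part of the talk or of the SANS survey tooling: a small Python detector run over constructed CloudTrail-shaped records. The event names StopLogging, DeleteTrail, UpdateTrail, DeactivateMFADevice and DeleteVirtualMFADevice are real CloudTrail API action names; the account number, user names, IP addresses and timestamps are invented placeholders, and the 30-minute correlation window is an assumption you would tune.

```python
"""Flag high-risk AWS CloudTrail control-plane events and correlate each one
with what the same actor did next.  Added example for this transcript, not
SANS survey tooling.  The records below are constructed to look like a
CloudTrail delivery document ({"Records": [...]}); field names follow the
CloudTrail schema, the values (account, users, IPs, times) are invented."""
import json
from datetime import datetime, timedelta

# Event names worth an alert on their own: the two the talk calls out
# (stop logging, disable multi-factor) plus their close relatives.
HIGH_RISK = {
    "StopLogging": "CloudTrail logging stopped",
    "DeleteTrail": "CloudTrail trail deleted",
    "UpdateTrail": "CloudTrail trail reconfigured",
    "DeactivateMFADevice": "MFA device deactivated for a user",
    "DeleteVirtualMFADevice": "virtual MFA device deleted",
}


def _rec(time, source, name, user, ip):
    """Build one constructed CloudTrail-shaped record (test data only)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user,
                             "arn": f"arn:aws:iam::123456789012:user/{user}"}}


# Constructed sample delivery, deliberately out of time order (real
# deliveries are not guaranteed to be sorted).  Account 123456789012 and
# the 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2019-11-04T10:05:00Z", "iam.amazonaws.com", "CreateUser", "alice", "198.51.100.7"),
    _rec("2019-11-04T10:00:00Z", "signin.amazonaws.com", "ConsoleLogin", "alice", "198.51.100.7"),
    _rec("2019-11-04T10:02:00Z", "iam.amazonaws.com", "DeactivateMFADevice", "alice", "198.51.100.7"),
    _rec("2019-11-04T10:03:00Z", "cloudtrail.amazonaws.com", "StopLogging", "alice", "198.51.100.7"),
    _rec("2019-11-04T10:04:00Z", "ec2.amazonaws.com", "DescribeInstances", "bob", "203.0.113.9"),
    _rec("2019-11-04T10:40:00Z", "ec2.amazonaws.com", "RunInstances", "alice", "198.51.100.7"),
]})


def event_time(record):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def actor_of(record):
    """Stable key for 'who did it': the principal ARN when present."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def parse_cloudtrail(text):
    """Load a delivery document and order its records by time; the
    correlation below relies on that order."""
    return sorted(json.loads(text)["Records"], key=event_time)


def detect(text, window=timedelta(minutes=30)):
    """Return one alert per high-risk event.  Each alert carries the names of
    the events the same actor generated within `window` afterwards, so an
    analyst sees 'MFA removed, then logging stopped, then a user created' as
    one story rather than three isolated log lines."""
    records = parse_cloudtrail(text)
    alerts = []
    for i, rec in enumerate(records):
        name = rec.get("eventName")
        if name not in HIGH_RISK:
            continue
        actor, t0 = actor_of(rec), event_time(rec)
        follow_on = [r["eventName"] for r in records[i + 1:]
                     if actor_of(r) == actor and event_time(r) - t0 <= window]
        alerts.append({"time": rec["eventTime"], "actor": actor,
                       "sourceIPAddress": rec.get("sourceIPAddress"),
                       "eventName": name, "reason": HIGH_RISK[name],
                       "follow_on": follow_on})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['time']} {a['actor']} {a['eventName']}: {a['reason']}; "
              f"then within 30 min: {', '.join(a['follow_on']) or 'nothing'}")
```

On the constructed sample this raises two alerts for alice, the first (MFA deactivated) followed by StopLogging and CreateUser, the second (logging stopped) followed by CreateUser; bob's DescribeInstances is ignored because it is a different actor, and alice's RunInstances at 10:40 falls outside the window. In production the same logic would read records from the trail's S3 bucket or from an EventBridge/CloudWatch subscription rather than an inline string, and the alert would go to the SIEM the talk says people are integrating.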
Info
Channel: SANS Institute
Views: 1,755
Rating: 4.8048782 out of 5
Keywords: sans institute, information security, cyber security, cybersecurity, information security training, cybersecurity training, cyber security training, cloud, cloud security
Id: YGlPy3Wlb7w
Length: 44min 59sec (2699 seconds)
Published: Thu Jan 30 2020