
Hi everyone, and thank you for joining me for "The Missing Piece of Cloud Security." Now, to be honest with you, it actually took me a moment to come up with what picture I was going to use for this, because if you look at it, right, it's this beautiful, you know, just day, and you're gonna go out and you're like, "Wow, blue skies," and how many of you would go, "Wait a minute, like, what happened to the clouds?" Yeah, that's how dorky I am, and that's just how dorky this is going to be, so I hope you enjoy this ride. I guess I should go ahead and introduce myself, though. My name is El Marquez and I am
the Linux and security advocate at Intezer. Now, I know that's a bit of a weird title; people are always like, "You do what now?" And maybe it's unique, but I love my position, because what I do is I work with our research team and my friends who are researchers, and companies which we collaborate with, basically any researcher who's willing to sit down with me, and I dig into their findings: what are you working on, what did you find? And then I just keep asking questions: what does that actually mean, how does it relate to what we're doing, how does it relate to... and more and more questions, until I'm able to refine it into information that's easy to share
but actually has actionable steps that you can take and implement into your environments, implement into your companies, to increase your security posture. It's a lot of fun. Along with that, I am an advocate for Hacking Is Not a Crime, so you always hear me say "cyber criminal," not "hacker." We're all hackers; we're all having fun with this and inventing new things. And one thing that I'm very proud of is that I'm an advocate for Operation Safe Escape. We're a 501(c)(3) helping victims of domestic violence who are being targeted by their abusers with the use of tech, so if you or someone you know is in this situation, please reach out and know that you're not alone.
Okay, let's take a deep breath after that and go on to our agenda. Okay, so our agenda today is going to be a bit long, but you know what, all of this is important. So first we're going to start out with cloud compute security challenges. Then we're going to talk about security challenges when it comes to the cloud providers themselves. Then we're going to go beyond the abstract; you're not really here to hear a lot of theoretical "it could be" and "it has been," you're here to find out, like, what is happening now. Then, of course, we'll have the big reveal. I mean, that's why you're all here, right? Then, like I
said, I'm gonna finish off with actual actionable security suggestions for you, and by suggestions I mean "go and do this." Then I'll wrap up with questions, and please feel free to ask them. I am cramming in what could be four hours' worth of information, trying to condense it down, and don't be afraid of asking anything that's a technical deep dive. Like I said before, I work with researchers; if I don't know the answer, I can get them for you.

Let's get this party started with cloud compute security challenges. This is a critical part of cloud security, because what is it that you're trying to protect? And if you tell me "your environment," I can tell you you're already doing it
wrong. It's like taking your car in for maintenance because something isn't working, and the mechanic says, "Okay, what are we working on today?" and you say "the car" and walk off. That just leads to more investigation, more work, and honestly more than we can probably have time to do. So I ask you, what is it that you're protecting? You're protecting your workloads. Yeah, you have firewalls and you've got your environments that are built out with, you know, different availability zones and different... If you're worrying about protecting those things, then you're losing sight of the big picture. You're there to protect your workloads, your applications, and your customers' data, and these all happen within your compute resources.
But in order to understand what the critical issues are here, we actually have to go back in time, and we're going back in time quite a ways. We're going to 1985, and if you're one of the newbies in tech you're going, "Wow, that might be before I was born," but okay, 36 years ago we had the advent, the release, of Windows, right? Windows was, what is the word I'm looking for, it was kind of just... Lord, it was groundbreaking, right? It brought computing, it brought computers, to anyone who really wanted to use them. As it kind of, you know, evolved, it made it easier for anyone to be able to use computing
power. It was put into schools, it was put into companies, and so it became the operating system that everyone was familiar with. Makes sense that now it's actually 85 percent of the market share, you know, in 2020.

Let's go to Linux, though. Linux kernel version 1 was released as a side project in 1991. Now, I'm not talking Linux the operating system; I'm talking Linus wrote a bunch of code, threw it together, met his needs, sent it out to a mailing list and was like, "I don't know if this is going to help anyone else, but it's here for you to use; feel free to change it, feel free to do whatever you want with it." Turns out people could use it, and it
continued to grow, but we didn't actually get the first Linux distribution until Slackware in 1993. There is a big gap. So when it comes to computing and what people are familiar with, you know, Windows has this heavy history, where Linux is still seen as the little baby in the industry. Many people aren't familiar working with it. Just a side note, though, on how cool Linux is. Yeah, I'm a Linux user, if you can't tell. You know Yoda? Yeah, Yoda in all the new movies, he was created using Linux. Just throwing that out there. Linux, though, really kind of got on steroids, to be honest, and grew up and really became a contender in the operating system world when it came to
the cloud.

Oh, I love this image. If you ever meet me in person, ask me to see my tattoo. It's about this big and this wide and it's this exact same image. So I know if you're hearing my dog bark, I'm sorry, welcome to the pandemic. Now, when it comes to Linux in the cloud, now in 2021 it makes up 96.3 percent of the world's 1 million top servers and 90 percent of cloud infrastructure. Now, I'm willing to go out there and say, you know what, Linux is the cloud, the cloud is Linux. When I heard that over 50 percent of Azure, that's right, Windows, Microsoft's cloud, is actually running Linux, we got to the point where we know
it's going to be hard to beat. In fact, Microsoft CEO Steve Ballmer, and I'm really hoping I'm saying that right, said in 2001, "Linux is a cancer that attaches itself, in an intellectual property sense, to everything that it touches." And no hard feelings there, right? However, as Linux grew in popularity, they had to do a bit of backtracking. Now, this was released in 2014, with Microsoft's new CEO saying "Microsoft loves Linux." What does this have to do with compute security? There it is: Linux security is cloud compute security. Without becoming familiar with the Linux operating system, it's going to become extremely difficult to become comfortable in the cloud, and with people having more experience
within the Windows environments, that transition is a stark one. And with companies going all in and just saying, "All right, workloads are now in cloud, we're doing this deployment now, we're doing this move now," who's taking the time to give the security teams, the developer teams, their ops teams, the training that they need in order to be able to secure these environments better? There's a lot of visibility missing when it comes to the actual planning of it. We're just kind of thrown into the deep end and told, "Hey, secure it." There's big issues here, big holes that really need to be addressed. But that's not even, I guess, the biggest hole that I'm seeing. Kind of the biggest issue, but not the
biggest hole.

Because what do we think about cloud provider security challenges? Like, when is the last time you invited your cloud provider to have a nice cup of tea, sit down, and talk about their security posture? What is it that they're doing to keep you safe? Hey, have you been breached recently? What did you do about that breach? You know, Azure, what did you do about that breach? Google Cloud? I'm gonna pick on the top three just because it's easier than going after the small, you know, cloud companies; we're hoping that they take off well, so I'm not gonna pick on them too much. The issue is that the cloud itself is ephemeral by nature, and so it's
constantly changing. There are constantly new servers and new providers out there. They've got their own release cycles. They've got, you know, "Oh, this is the new hotness, we're going to introduce this, and it's going to take this service away from here," and once again you're losing the insight into what's actually occurring. Without having these conversations, without understanding what the cloud provider is actually offering you, how can you even say that you have a security posture? And the one thing I always get is, they're like, "Oh, you're making too big of a deal of this; this is a really simple answer. I mean, they even make a chart for it." Who hasn't heard of the cloud responsibility
model? Simple, right? AWS, Google Cloud, whatever; picking on them because they made this image. AWS protects, is responsible for, the actual protection of the cloud, and you're responsible for everything in the cloud. That's it, right? It's really easy to understand. I mean, when it comes to the operating system, well, that's obviously, like, in the cloud, right, so that's me. But if it comes to storage and databases, that makes up the cloud, so that's them. But what if I'm running my... yep, hold on, it actually does get confusing. And what I end up referring to this as, if this is how you believe that your security agreement is with your cloud provider, I end up calling this the
cloud irresponsibility model, because it's an extremely irresponsible stance to have. I want you to know I did not coin this term, and if you know who did, if you know who coined it, there you go, please let me know; I would love to give proper attribution. The reason that it gets confusing is, hey, then we have all our "as" models, right? There's a joke to be made there that I hope that you all got. There's, you know, infrastructure as a service, which tends to line up more with that, right? We've got our virtualization, and then we're in charge of our OS and our middleware. But wait, there's also platform as a service, which means they
then have the operating system and the runtime. But, but I thought I controlled what was in the cloud? And then they have software as a service, where they just own everything. And what if my... I'm going to pick on marketing; I pick on a lot of different teams, hopefully everybody just has fun with it, but picking on marketing: marketing is using all software as a service. You know, they're using Google, they're using, or yeah, they're using Gmail, they're using Dropbox, they're using Asana. And then our developers are really doing quick deployments and they're using a lot of platform as a service. And we also have a lot of our infrastructure as a service running, you
know, some of our antiquated or older applications. Yo, security team, what are you protecting? Like, do you know exactly where all of your assets are, what teams are using what, what you should be monitoring, what's the most important thing to be monitoring? You know, hey, we've got security campaigns that are running for marketing, but at the same time we need to do security checks for our developers as they have their deployment cycles, and who's still using this old server that we have set up over here that we paid for? Should we even be monitoring it? I'm running out of breath and probably speaking too loudly, because it does get very overwhelming when it comes to
the actual practice of it. I've spoken to a lot of different companies. I've done a lot of lunch-and-learns and presentations like this where I ask the question: do you actually know every single thing that's on your system, every single thing that's in your environment, in your cloud, in your hybrid cloud? And I get a lot of just smiles and nods, and no. I had one guy that told me that he did, and then he also told me that they're only running about three servers, so, you know what, fair. If you have a much wider environment out there and you can tell me that you know every single thing that's there, every single thing that's running in it,
I'd really challenge you to go back and take a second look and a second thought about this.

Okay, so we also need to remember that relying on the cloud security model, or relying on the cloud providers, really isn't enough. But with everything that I just said, we have 78 percent of organizations saying that they're really unsure where their security responsibilities fall. Most importantly, and, you know, if you're off doing something else, like, listen to this spot: the buck stops with you. If I am trusting you with my information and you're breached and it's out there, I don't care what cloud provider you were using, I don't care that it was their fault, I care that I trusted you with my
information and now, because of what you did, it's out there. This is a lot of responsibility for security teams. I mean, if an application gets breached, really, where does the buck stop? Do they go, "Developers, how could you have let this happen?" Or do they say, "Security, what happened? Why did you allow this attack to occur? Why did you allow this attack to be successful?" Then, like I said, we have the hybrid cloud deployments. Security products, when it comes to the cloud, are constantly shifting. So if you have, you know, a little bit, like, I don't know, your containers inside of GKE in Google, because that would be the simplest, and I have my AWS EC2 web
servers running, and I've got my, you know, actual databases on-prem, and you're doing something else with Azure (you know, I don't really use Azure often), how are you matching up your security services? Like, if Google offers one service with A, B, and C, are you sure that the other two providers do as well? Or are there two services that you need to be relying on, and have you configured those correctly, have you had the conversations? There's a lot of just darkness, a lot of unknowns, when it comes to only relying on the cloud providers. And I've already spoken about some of these, right? You have your rapid deployments: are we actually keeping
up with the tools as quickly as our developers are needing to change environments? Developers, I love you, I'm not picking on you; I understand that there is a lot of this that's just being put on you. And then we hit containers. All right, now we've gone from rapid deployments of every few minutes to every few seconds inside of the environments that are deploying every few minutes. I don't know about you, but honestly I don't know how most people do it, because I end up feeling, or ended up feeling when I was doing all this, insanely overworked, like I was just under a mountain that I'd never get past.

One thing that people do not think about,
and you seriously need to know this and think about it and put it in your plans, is the fact that cloud providers, they're being targeted as well. The Department of Homeland Security, CISA, I forget all the acronyms, basically big security organizations within the U.S. government, as well as some within the Australian government, and, all right, I'm not going to dig into every country's governments, are letting you know, starting in 2014, that they are seeing advanced persistent threats specifically target MSPs. It's gone as far as, in 2021, September 3rd, and I'm going to have a resource page up, I'll share this with the organizers, put it on my slides, it's lo punk slash b-sides, you know... Lord, I
forgot for a minute... slash b-sides charlotte. I don't know where I am these days. We'll get it to the organizers. Anyway, I will have links to the actual documents that are out there. Sorry. Okay, so they're putting out all this documentation and all of these notices that say, right, September 3rd: hey, it's not "they are targeting," it's "they have targeted," they have been successful, this is what you need to do, we're going to see the growth of this. One thing that has changed because of this is now we're seeing advanced persistent threats becoming less specific. Like, "I am targeting only Company A"; they get into the MSP, they get Company A, but, hey, you
know what, here's a crime of opportunity, because I have Company B, Company C. So even if you don't think you are a company that would become that target, you could just become a, you know, a target of just availability, of opportunity. So you need to have that in mind.

All right, we're about 15 minutes in at this point, if my ability to rehearse this accounts for anything. You're probably going, "Okay, a lot of theoretical, hopefully you're saying some good information, but back this up. Like, what are you actually seeing when it comes to research and, you know, attacks?" So let's go into the attacks. One of the attacks that's currently really in the news and really making
headlines right now is Cloud Snooper. Now, Cloud Snooper was actually detected by Sophos, so great work on their researchers, and they did it while they were investigating malware that had, you know, basically a malware infestation, I'm gonna go with that, on cloud infrastructure that was hosted on AWS. This is not AWS-specific, though; I need you to understand this. It could happen on any cloud; it could happen on your OpenStack build that's on-prem. So don't tune me out if you're just, you know, going, "Oh, I don't use AWS." This was an extremely sophisticated attack that was employing unique combinations of techniques that they hadn't seen before. It enabled them to evade detection and really provided
the ability for the malware on the system to be able to communicate freely. The issue here is that the servers that it was able to compromise and was working within were properly secured. The firewall rules were great; the security groups around them were great. And I love how Sophos explains all of this, because they explain it to me literally like I'm five. All right, so I'm not gonna walk through all of this; I'll make it, you know, available for you, but it's entertaining enough that I'd like to spend a little time on it.

So we've got our castle, right? Our castle is our environment. It's fortified; it's all around our web server. The image is over
here, if you see me looking at it every once in a while. And we have both of our knights there, right, and the knights are going to be our firewall rules. They're configured, they're ready. You see the closed ports, the gates; they are ensuring that only the sheep, the HTTP packets, are coming in. But there's something scary here, right? Look, there is a wolf in sheep's clothing. Like, this isn't going well. And inside the castle there's already a rootkit installed; there's already a back door that has been taken advantage of. Goes to the concept that you should always assume breach. We can build all of the walls that we want to, but at times we're
just building a wall around the attacker that has already gone into our system. Then, you know what, the C2 traffic is able to throw off its wolf, you know, its clothing, show its actual face of being a wolf, and run away with our sensitive data. And you see that at the bottom with the little wolf that says "exfiltration," running away with his two chickens. I love learning like this. Hopefully you look at this and can just kind of go through it, and, you know, it becomes granular. Away from my comics, I enjoy this way too much. Let's go into the actual code itself.

Now, when I started looking at the Cloud Snooper malware, and believe it or not, my
company actually trusts me to play with real malware, I don't know what's wrong with them, I was able to see two different variants that I had abilities to look into. One was detected and found and uploaded on February 26th, and if you look at the very end of it, I should have highlighted these, you see that when it was run through VirusTotal only 17 out of the 58 search engines were actually able to detect it. Now, this was after it had already been made public; this was after, you know, we'd already had news stories, YARA rules were released. Like, this should have been something that we were prepared for. However, that traditional endpoint protection, those traditional
anti-virus programs that we've been used to using on-prem, are not transitioning well when it comes to cloud environments. And then we go up to April 4th, right? That's a bit of time. Well, you know what, if you look a little closer, the shot has changed, and that's because, you know, like, attackers, they know what they're doing. They know when something has been released that we're going to start looking for it specifically, so they start manipulating their code, they start changing things in order to be able to bypass our anomaly- or signature-based detection. So I'm going to dig in a little bit deeper, and you see my first one that I looked at was
Cloud Snooper and malicious libraries. Okay, I mean, it's what you would expect. Like, 97 percent of the code was written to do what we expect in Cloud Snooper, and obviously they're going to implement malicious libraries. I mean, they're not going to write every single thing from scratch. Like, developers, I love you all, but we're lazy, right? They're our friend developers, back-end developers and Stack Overflow developers, as Corey Quinn likes to say; we reuse code whenever we can. Then I went in and looked a little bit deeper into the next piece of malware that I had access to, and we start seeing new things implemented, like Recovey (I never say any of these things right). Functionalities from the code that had
made Recovey successful were being brought into the Cloud Snooper code. This is something that they're able to do in order to make their malware more effective, make it be able to target a specific target in the way that they want to. So it's not just pray and spray; it's "this is the angle that I want with target A, therefore I'm going to bring in specific attributions and specific abilities that I want to."

Okay, so there is a brand new thing that we need to be aware of, right: custom-made, even with a little bit of code borrowed, malware specifically designed for the cloud. But we don't even have to go that advanced. It doesn't have
to be that unique, because one of the biggest issues, if not the biggest issue, when it comes to compromise is it happens because of misconfigurations, to the point where, and I believe this was Gartner, I will look up the source and ensure that I cite it correctly on our resource page, 99 percent of cloud security failures through 2025 will be because of the customer's misconfiguration. Like, we're human, we are fallible, we make mistakes, and yes, even security professionals, you're high level, you're insanely well paid, you're, like, you know, gurus of security, they make mistakes too. We had what I would hope to be some very strong, very able, very intelligent cloud security and
security professionals that worked for the Pentagon release a hundred gigabytes of data. Now, this data was compiled from a joint intelligence program between the U.S. Army and the National Security Agency. Might have been some important things there to protect. And you might say, "Okay, mistakes were made; it was available for an hour, a day, a week." Yeah, it was several years that this was available.

A way that we're seeing attacks kind of change because of this, really targeting that misconfiguration, is one of the malware that's actually my favorite to show, because it's actually not that difficult for the attacker to do. See, this malware was called Doki, and Doki is specifically targeting Docker containers, or,
Lord, is targeting Docker containers in environments that have open Docker API ports. Now, when it was discovered it actually had zero percent detection on VirusTotal, and at this point, having worked in this field long enough and talking to researchers, like, that doesn't even make me blink at that point. One percent, zero percent, to me that's the norm; that's what I'm seeing all the time. And that should scare you so much if you're relying on those, you know, endpoint protection, the traditional anti-virus, and I keep telling you that it has zero detection, or 32 out of 58 after months that it's been out there. That's a wake-up call for you when it comes to your cloud environments.
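The open Docker API port that Doki scans for is something you can check for on your own hosts before a scanner does. The script below is an added example written for this transcript; it is not code from the talk or from the researchers who analyzed Doki. It reads the two places dockerd takes its listeners from, the "hosts" key in /etc/docker/daemon.json and the -H/--host flags on the docker.service ExecStart= line, and flags any tcp:// listener that is bound to every interface or that runs without tlsverify. The daemon.json and ExecStart samples embedded in it are constructed for illustration, not taken from a real system; probe_docker_api is an optional live check that asks a candidate host for /version with no credentials, which is what an internet scanner does.

```python
"""Audit a dockerd configuration for the exposure Doki scans for: the Docker
Engine API reachable over plain TCP, typically tcp://0.0.0.0:2375 with no TLS
client authentication.  Added example for this transcript; not code from the
talk or from the Doki write-up.  The daemon.json and ExecStart samples below
are constructed for illustration."""
import http.client
import json
import shlex

DEFAULT_PORT = "2375"                      # dockerd's conventional plaintext port
WILDCARD_BINDS = {"", "0.0.0.0", "::", "[::]", "*"}

# Constructed samples (not captured from a real host).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
WEAK_EXEC_START = "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


def tcp_listeners(hosts):
    """Yield (bind_address, port) for each tcp:// entry; unix:// and fd:// are local-only."""
    for h in hosts:
        if not h.startswith("tcp://"):
            continue
        rest = h[len("tcp://"):]
        if rest.startswith("["):                 # bracketed IPv6, e.g. tcp://[::]:2375
            addr, _, port = rest.partition("]")
            addr, port = addr + "]", port.lstrip(":")
        else:
            addr, sep, port = rest.rpartition(":")
            if not sep:                          # "tcp://0.0.0.0": no port given
                addr, port = rest, ""
        yield addr, port or DEFAULT_PORT


def hosts_from_exec_start(line):
    """Pull -H/--host values and TLS flags out of a docker.service ExecStart= line."""
    cmd = line.split("=", 1)[1] if line.startswith("ExecStart=") else line
    argv, hosts, tls = shlex.split(cmd), [], False
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif tok.startswith("--host="):
            hosts.append(tok.split("=", 1)[1])
        elif tok.startswith("-H") and len(tok) > 2:   # -Htcp://... (attached form)
            hosts.append(tok[2:])
        elif tok in ("--tls", "--tlsverify", "--tls=true", "--tlsverify=true"):
            tls = True
        i += 1
    return hosts, tls


def audit_dockerd(daemon_json=None, exec_start=None):
    """Return [(severity, message), ...]; an empty list means no TCP exposure found."""
    hosts, tls = [], False
    if daemon_json:
        cfg = json.loads(daemon_json)
        hosts += cfg.get("hosts", [])
        tls = bool(cfg.get("tlsverify") or cfg.get("tls"))
    if exec_start:
        more, flag_tls = hosts_from_exec_start(exec_start)
        hosts += more
        tls = tls or flag_tls
    findings = []
    for addr, port in tcp_listeners(hosts):
        shown = f"{addr or '*'}:{port}"
        if addr in WILDCARD_BINDS and not tls:
            findings.append(("CRITICAL", f"dockerd API on all interfaces at {shown} with no TLS: "
                                         "anyone who can reach the port can start a privileged container"))
        elif addr in WILDCARD_BINDS:
            findings.append(("HIGH", f"dockerd API on all interfaces at {shown}; TLS is on, "
                                     "so exposure depends on client-cert handling"))
        elif not tls:
            findings.append(("HIGH", f"dockerd API on {shown} without TLS client auth"))
    return findings


def probe_docker_api(host, port=2375, timeout=2.0):
    """Unauthenticated GET /version; a JSON body back means the API is open, None if unreachable."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/version")
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        return json.loads(body) if resp.status == 200 else None
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    for label, args in (("weak daemon.json", (WEAK_DAEMON_JSON, None)),
                        ("weak ExecStart", (None, WEAK_EXEC_START)),
                        ("hardened daemon.json", (HARDENED_DAEMON_JSON, None))):
        print(label, "->", audit_dockerd(*args) or "no TCP exposure")
```

Run it as-is to see the three constructed samples scored; on a real host, pass the contents of /etc/docker/daemon.json and the ExecStart= line from `systemctl cat docker` to audit_dockerd. A hardened daemon either has no tcp:// listener at all or binds one to a specific address on 2376 with tlsverify and a client CA, and the host firewall or security group still blocks 2375 and 2376 from the internet. Doki only needs one host where that is not true, and a clean image scan says nothing about it.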
Now, one of the cooler things that Doki did, I keep... I mean, like, okay, look, it's bad that they're compromising, it's bad what they do, but if you're looking at the code and the abilities, it's pretty cool. And that's because it was able to bypass all pre-runtime scans, right? All your container scans, all your image scans, because there was absolutely nothing malicious with the image itself. It was all perfectly well and good. What it did, though, is once it was launched onto a victim server, it was able to use the curl command. Now, look, as an admin I can tell you curl was probably used daily in order to help troubleshoot, so it's going to be on a
majority of servers. And it called out to its C2 servers and it pulled down the malicious content, the malicious packages, that were enabling it to actually break out of the container and own the host. All of this happened in a matter of seconds. Can you actually say that you, as a security team, would have the visibility in the moment to see that one container go up, go down, and be gone? Like, we are so overwhelmed with the amount of environments that we have, with the amount of deployments that are happening and changing because of this new cloud infrastructure, that we have some protection for containers; like, we know what's going into them, we have our pre-run scans, we're looking at
the code, but it's not enough. It's not enough visibility into what's occurring for us to be able to do our jobs properly.

Now, because, you know, we found Doki, I had a few more samples that I was able to play with, and, like, let's take a look at this one, right? It's from January 14th. This is the best detection rate that we could have gotten; if you look at the others, right, we're at 32 out of 58 on these. Now, I re-ran this scan two days ago, I'm recording this on the 14th, two days ago, and okay, we got better, like, we have a few more. That was over a year ago. This information has been out there; we
haven't kept it, you know, secret. We've sent out our rules and, you know, signatures and indicators of compromise to everyone that we can, and we're still looking at this low detection rate. Once again, I mean, am I setting off the alarms for you on how security needs to change when it comes to cloud environments? If not, let's look at things by the numbers. In 2020, we saw an increase of 40 percent in new Linux malware variants, new Linux malware. I apologize for using 2020 statistics; we have yet to release 2021, and most organizations that I know of haven't either, so I can't even quote other research teams. And between 2010 and 2020, we saw a
500 percent growth in Linux malware. You'll be saying, "You know what, like, I keep my systems up to date, don't worry. Every time there's a signature out there, I'm not one of those; I've implemented it. Our databases are as best as they can get." Really? Because there's about 560,000 new pieces of malware that are being seen every day, and, you know what, maybe some days are more bad, some days are better, some days are worse, some days the malware developers are, you know, having a bit too much coffee, but it averages out to about 17 million new pieces of malware each month. Are you really updating all of your security posture, all your security
devices, really, your signatures and your anomaly-based detection, to actually look for all 17 million of these every single month? I really don't think so. Even if you told me you were, I'd still be hesitant to believe it.

We're about halfway through this, I think, and so it's time for the big reveal. Yay! All right, okay, maybe I didn't need to go with this ugly pink on blue. I mean, it's not a gender reveal party, but on the plus side, we are not going to catch an entire forest on fire, or any of the other fun things we've seen on YouTube. So I ask you, are you ready? Are you really ready? What is this missing piece
to our cloud security? I feel like I should have a drum roll or something, but okay. I'm guessing if you were listening you probably, hopefully, already know, and the missing piece is simply visibility. Hopefully you're not let down. It really is; that's what's missing. If you've heard me go through all of this, the issue with visibility is we don't know, and to a certain degree sometimes we don't even know what we should know. And it's extremely difficult to protect something that's abstract. You know, "I'm going to protect myself from... I'm going to protect what's in the darkness, even though I don't know what I'm protecting."

Let's go into the concept of visibility. The big questions that you need to be
able to answer are, first of all, what's in your cloud environment? Now, I've gone through that several times and kind of made out a list, but truly, sit down, find some time, because this is extremely important. Find, you know, whatever application, if that's what helps; you know, obviously, like, I'm not going to pitch my company, but it's one of the reasons that I know about this. You need to know not only what resources you have on it, but you need to know what is actually running on those servers. You know, like, hey, I've got 2,000 EC2 instances; are they all needed? Are they all running code that we actively need, or did somebody just forget to
delete something? We have multiple cloud deployments for an application that we used to run two years ago that we deprecated, and nobody remembered, because that developer or that person left. Then, where is it running? It was quite interesting to talk to people and, you know, say, "Okay, okay, what are you protecting?" "Our customers' data." "Well, where is it located?" "It's located in databases." "Okay, but where is it located? Like, where do your databases reside?" It seems like an obvious question, but a lot of security teams don't actually know. They rely on ops; they rely on other sides of the house to keep track of that. They just say, "I'm protecting our DBs." What if we had something that was
specific to a vendor that occurred? For example, you know, we recently hacked Azure Functions. If you didn't know that your teams were using Azure Functions, maybe you wouldn't have been as concerned about that. And then, you know, where is it being stored? Like, and kind of that is, you know, where is it running as well, so just pull that in together. Sorry. And who has access to it, and who should have access to it? Once again, these seem... you know what, it would really help if I was pushing the button so that you all could see this. So this seems like an obvious statement; like, yeah, we know that, that's obvious, but we're not doing it correctly. I can
tell you that I worked for a major cloud provider, and I was really lucky, hopefully I was doing well; I was getting promoted and moving around to teams, and I always got the permissions that I needed to be able to do my job. I don't think I ever had any other permissions taken away, so even though I was working perhaps on a completely different side of the house, I could still log on to all my old accounts, and actually was quite often asked to help other teams. You know, it might have been helpful, but this is something that should not have occurred. On top of that, when I left the company, I left on good terms, you know,
everything was good. I hadn't signed out of my company email and stuff on my phone; I still had access to it, like, three days after I left. I'm the one that actually took it off my phone, so I don't know how long it, you know, took for them to realize that I still had access to something. What if I had been a disgruntled employee? What if I believed, and just kind of acted like, I'd left on good terms, yet still had access to everything? Not only that, but, you know what, accidents happen. It doesn't need to just be a malicious actor that's having access to it. One thing that we saw, and I don't
have it in my notes but I actually think it's very interesting, is malware by the name of EvilGnome. People kind of get annoyed with me when I talk about it because they're like, it's not about the cloud, that is completely desktop based. But as a Linux admin, and a lot of the security people that I know, we run Linux as part of our day-to-day. What if my system, after I left, because I'm not, you know, working on best practices, but I did happen to use my personal device to get into systems, was compromised? Like, what if all of the information they have, because now they have the ability to look at my screen, to use my camera, to record things, all of this could be used in order for somebody to take that information and, you know, access the company later, because my device still has access to it. Hopefully that made sense. And finally, what code is running on your system? We keep talking about, you know, what applications and what are we doing, but one thing that all, you know, effective cyber attacks that are able to compromise our environments and, you know, exfiltrate data, turn it into, you know, a bot, turn it into a crypto miner, share, they have to execute code. Like, I know that it's maybe an unpopular thing to say, but you could have all of the back doors that you wanted, and probably don't want it, but all the back doors in the world, your system could be, you know, just a cheese grater at this point, and if nobody ever went into your system and executed any code, does it really matter? Now I'm not telling you to do this, but we have to understand what code is running on there so we can understand, is there actually malicious code occurring? Like with Cloud Snooper, everything looked fine, but in the end things were happening that shouldn't have, and that was code within the system. Oh, okay, so let's go with "it's all about..." I couldn't help myself. All right, I wish
I could sing, I really do, because that's what I want you to understand: it doesn't even always have to be malicious code, it can be unauthorized code. You know, we're talking about living-off-the-land attacks. A lot of times people speak to these as well. That's what we're looking at when we have things like abnormally... abnormal... oh, abnormally, sorry, anomaly-based detection, which I guess technically fits with that. You know, we're looking for patterns, for things happening that shouldn't be, yes, but what if it might look right but then it isn't? That's exactly what you saw when it came to Cloud Snooper. And as I'm talking I'm remembering new examples, so y'all just run with me, but there was a recent new piece of malware that was found that was called RedXOR. RedXOR was very successful because it was able to hide itself as the polkitd daemon, and it was doing everything that you would expect, right? It's running in the background, it has privileges, it's communicating out as one would expect, except it's also bringing in code that it probably shouldn't. It's executing that code, but it's behaving exactly the way that you would expect that system to look like. And so you need to understand, you know, if you see something that's a living-off-the-land attack, is it actually something that can be trusted? And, you know what, like, attackers aren't going to name things like, "hey, this is a miner," "this is whatever." I just did this because it's easier for me to show you, but you need to see what's actually running on the system at that time if you do have an attack. One of the biggest issues that we're having right now is things like fileless malware. There is nothing on disk for us to be able to investigate. What happens in the cloud? You know, we either Windows the issue, turn the server on, turn it back off again, and then we wipe everything out, or in the cloud we have automation set up to, you know what, that server really isn't acting the way we want it to, just delete one and put a new one in its place. And this is a decision that we're making. We're completely automating this process, which makes it take even longer for us to actually see, for us to have that visibility that there's actually an issue. It's not until we've seen maybe the hundredth alert within a team, or somebody's going, like, why do we keep getting these? I know that... I'm making the company I used to work at look horrible, but I promise, like, it's across the board, it's not just this one. But we would get alerts like, oh my god, you know, high CPU usage, high processor usage, and it would clear out, and we'd be like, eh, it cleared, whatever, and we just move on. It wasn't until about the 50th time that you start recognizing that server and you're going, you know, it cleared, but I should probably look into this. If they're hiding their attack correctly, how long could that actually take? How long could they already be in that system and have pivoted into other systems before you even realize that it's occurred? Okay, I want to make sure to leave time for questions, so let's go to my actionable suggestions. Okay: patch your systems. Yeah, you know, yeah, patch your servers. And some of you may be laughing, going, like, really, that's the advice we're
gonna give you? Everybody gives that, we know that. If you know it and you've been told it before, then why are we still being compromised almost on a daily basis for servers and environments that weren't patched? It is not the cloud's responsibility to patch your stuff. I wanted to say another word there. You might have an agreement that... you might think that it is, but the buck stops with you. Make sure that those servers are patched, make sure that they're up to date. If they're not, then you, your developers, your company need to have a serious conversation about this issue, because I've heard, "oh, well, it can't be patched because it'll break this application and this is mission critical." What I hear when you tell me that is, "this vulnerability is mission critical for our company to work." When you phrase it like that, do you see what the issue is? There have to be serious conversations that occur, not only on how we can mitigate this by, you know, updating the application in the long term, but what is our plan right now if we assume that there's already an attacker there, or there's already an attacker specifically going for that resource? Patch your stuff. That's where I'm going: patch it, patch it, and patch all the things. Have I said that enough times? When we spin up, you know, servers in the cloud, we're like, okay, hey, it's a brand new image, I just spun it up, their image is obviously up to date because this is what they do for a living. I spun up a web server and then I went looking for what the problems with it were. Yeah, I had quite a few libraries that had critical CVEs, and a lot of them on highs, and I literally ran the scan within minutes of the server being up. Breathe, y'all. All right, here are your actual steps. You need to assume breach. The wolf is already in the castle. You can build all the walls that you want, and that's currently our strategy. You need to go hunting. You need to know what resources you have; where are you
hunting at? You need to know what code is being used. You know, where are those wolves going, what are their intents, who are they hunting after? You know, are they hunting after, I don't know, deer or chicken, whatever? It's going to impact the way that you approach things. And know your configurations. It's not just all about the deployments, it's not all on the developers. We need to work together. This fallacy of DevSecOps needs to become reality. I've sat down with teams before that have told me the decision is eventually made that either it's come to market, because we've said, hey, we're going to release this function on April 3rd. April 2nd comes, the code isn't quite there. Are we going to lose more money if we don't put out this function and fix it later in production than we would if we were compromised? Like, these are budgetary decisions that are being made that should never have to be made. I'm not saying not to do your pre-runtime scanning, I'm not saying don't do your firewalls, I'm not saying don't use any version of, you know, antivirus. I'm not telling you to stop the good things that you're doing, but I'm telling you to take a big look into those and see what else is missing, what you don't have visibility into. And finally, my last suggestion, and this might be the one that all of you love the most: what's missing is really our ability to keep up with what the company is looking for, for us to... and you're tired of hearing this, but you're going to remember it, for us to have visibility into, excuse my language, I must go with "hell," what the hell we're supposed to be protecting, what the hell we're supposed to be using. We need to train our security professionals to have the ability to keep up with what the latest products are, release cycles, and, you know, things that are changing. We need to have not only the "oh, we have these resources available," but we need to have dedicated time to learning what it is that we're working with, and at the same time to have the tools that we need to be successful, and training on those tools. All right, here's my summary. I'm almost done. The wolf is in the henhouse and it's time to go hunting. Please note that this is not an endorsement to actually hunt wolves. With that being said, hopefully I've left enough time for questions, and there is the link to my slides and additional resources that I have. Thank you all so much for having me here.
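Editor's added example, not part of the talk or its slides. The talk's "what code is actually running on your system" point, together with the RedXOR-as-polkitd disguise and the fileless-malware problem, comes down to one habit on a Linux host: trust `/proc/<pid>/exe` (set by the kernel at execve) over the process name that `ps` and `top` show (`comm` and `argv[0]`, both attacker-controlled). The script below reads those three things, flags a binary that has been unlinked from disk or lives only in a memfd, a binary executing from outside package-managed paths, and a visible name that does not match the real binary. Assumptions: Linux `/proc` layout; the `TRUSTED_PREFIXES` tuple, which you would tune for your own image; and the `SAMPLES` records, which are constructed for the demo, not captured from a real host.

```python
"""Triage what is actually executing on a Linux host by reading /proc.

Added example, not code from the talk. Assumptions: Linux /proc layout,
the TRUSTED_PREFIXES list below, and the constructed SAMPLES records.
"""
from __future__ import annotations

import os
from dataclasses import dataclass, field

# Directories the package manager owns on a typical distro image.
# Assumption: tune this for your own base image (e.g. add /snap/).
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                    "/usr/local/", "/bin/", "/sbin/", "/lib/", "/opt/")


@dataclass
class Proc:
    pid: int
    exe: str        # target of /proc/<pid>/exe; the kernel appends " (deleted)" if unlinked
    comm: str       # /proc/<pid>/comm, the 15-char name ps/top display
    cmdline: list[str] = field(default_factory=list)   # argv from /proc/<pid>/cmdline


def assess(p: Proc) -> list[str]:
    """Return findings for one process; an empty list means nothing stood out."""
    findings: list[str] = []
    exe = p.exe
    if exe.endswith(" (deleted)"):
        # The file that was exec'd is gone: a package upgrade replaced it (benign)
        # or the payload unlinked itself / never touched disk (fileless).
        findings.append("binary no longer on disk: possible fileless/in-memory execution")
        exe = exe[: -len(" (deleted)")]
    if exe.startswith("/memfd:") or exe.startswith("/dev/shm/"):
        findings.append("executing from memfd or shared memory: nothing to recover from disk")
    elif not exe.startswith(TRUSTED_PREFIXES):
        findings.append(f"executing from untrusted path {exe}")
    # comm and argv[0] can be set freely (prctl PR_SET_NAME, execve argv); the exe
    # link cannot. A mismatch is how a RedXOR-style fake "polkitd" shows up.
    # Caveat: interpreters and symlinked multi-call binaries (sh -> dash) also
    # mismatch, so treat this as a prompt to look, not as a verdict.
    exe_name = os.path.basename(exe)
    argv0 = os.path.basename(p.cmdline[0]) if p.cmdline else ""
    if p.comm and not exe_name.startswith(p.comm) and argv0 != exe_name:
        findings.append(f"shows as '{p.comm}' but the binary is {exe}")
    return findings


def scan_proc(proc_root: str = "/proc") -> dict[int, list[str]]:
    """Walk a live /proc and return {pid: findings} for anything that stood out."""
    results: dict[int, list[str]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid, base = int(entry), f"{proc_root}/{entry}"
        try:
            exe = os.readlink(f"{base}/exe")
            with open(f"{base}/comm") as fh:
                comm = fh.read().strip()
            with open(f"{base}/cmdline", "rb") as fh:
                cmdline = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
        except FileNotFoundError:
            continue            # kernel thread, or the process exited mid-scan
        except PermissionError:
            results[pid] = ["could not read /proc entry (run as root to see every process)"]
            continue
        findings = assess(Proc(pid, exe, comm, cmdline))
        if findings:
            results[pid] = findings
    return results


# Constructed records for the demo, not captured from a live host.
SAMPLES = [
    Proc(612, "/usr/lib/polkit-1/polkitd", "polkitd", ["/usr/lib/polkit-1/polkitd", "--no-debug"]),
    Proc(4021, "/tmp/.X11-unix/.rx (deleted)", "polkitd", ["polkitd"]),        # disguised, unlinked
    Proc(4077, "/memfd:kmod (deleted)", "kworker/u8:2", ["kworker/u8:2"]),     # fileless, fake kthread
    Proc(5100, "/usr/bin/python3.11", "python3", ["python3", "/opt/app/worker.py"]),
]


def demo() -> dict[int, list[str]]:
    """Run the checks over SAMPLES; only pids 4021 and 4077 produce findings."""
    return {p.pid: assess(p) for p in SAMPLES}


if __name__ == "__main__":
    for pid, found in sorted(scan_proc().items()):
        for line in found:
            print(f"pid {pid}: {line}")
```

Run it as root on a host you are hunting on; unprivileged, `/proc/<pid>/exe` of other users' processes is unreadable and gets reported as such rather than silently skipped. The point the talk makes about automated replacement applies here too: this only works while the instance is still up, so it belongs in the alert-triage step before the autoscaler recycles the box, not after.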