
BSidesNcl 2021 A Muggles Guide To Security In The Cloud Ell Marquez

BSides Newcastle · 49:32 · 17 views · Published 2021-10
About this talk
“The APT manipulated CVE-2018-11776 to breach our systems.” Might as well be: “The Death Eaters were able to use a port key to breach our environment.” The security community's reliance on technical jargon leaves newcomers feeling like they are muggles who will never be able to cast our spells. In the security and technology world, we rely so heavily on buzzwords to explain our work that others feel like we are magicians working spells that they will never be able to do. Saying “Due to issues with our security posture, the APT manipulated a well-known CVE to breach our cloud-native applications” might as well be: “The Death Eaters were able to use a port key to enter our environment and effectively cast the Avada Kedavra spell.” Instead, we could say, “An attacker used a known flaw to gain access to our environment and brought down our servers.” In this session, we will come to understand that security for our cloud environments can be simple to understand, yes, even for muggles. That is, if we focus on the root cause of all cyber attacks: unauthorized spells, wait, I mean unauthorized code.
Transcript [en]

cool tell me if you can hear this hi everyone and greetings from the lone star state or is it just moving in no sound uh it might be moving with no sign uh sound you may need to share with sound but let me check all right well no i shared with sound if this doesn't work we're going to go live yep all right i'll play one more time and if it doesn't then we'll just go if you haven't been around the us that's texas and it's pretty far away so i'm really excited to have the opportunity to be here and speak with you welcome to my talk a muggle's guide to security in the cloud now note the term

muggle will never be used in a negative sense i kind of interject it with the word newbie and as the founder organizer whatever you want to call of the it's okay to be new campaign i would never ever use newbie or muggle in a negative sense so welcome one and all because you are no not only tolerated here but accepted i guess i should go ahead and introduce myself though my name is elle marquez and i am the linux and security advocate in innoser now you made me wondering what does that mean i mean it's not really a common title what it means is that my entire position is to work with our researchers to learn the latest

threats the latest types of malware and then come and speak to everyone about it because without education it's extremely difficult to mount good defenses what you also should know about me is that from the beginning of my career i have been taught the magic that i needed in order to cast spells to best defend my customers environments um maybe i should translate that to muggle okay i got it you all use the term scripts to refer to spells okay well i was able to use these um scripts in order to create the cloud itself i was even taught advanced magic that allowed me to break down what you all call applications into small little bits to put into potion

bottles i guess you all refer to them as containers i'm not gonna put you through all of that what you need to know is that this talk my friends this talk is going to be cheesy and i mean cheesy and i do it on purpose because look this is an online conference and it's difficult to focus we have kids coming in which i'm sure you will hear mine we've got dog sparking phone calls going on and some of us try to multitask listen to our outside check our email do other things work all thinking we can just hear things on the side and we'll remember them very few people can actually do that so by being cheesy i'm hoping to keep your

attention and if you are listening on the side then when you think what did she say about that one piece of malware you can remember the cheese that i put on top of it and hopefully be able to use that in your everyday work life on to our agenda what are we gonna be talking about today okay we are gonna dig into our spell books and talk about mudbloods and wizards and death eaters oh my from there we're gonna go on to really delve into the forbidden forest because we covered a bit in the harry potter books but we really go into what animals are there what attacks are there or what attackers are there and the forest

itself seems to be lost i think that the same has occurred in the security world and without understanding that forbidden forest we're put at a disadvantage then we'll dig in some poly juice who didn't enjoy hermione drinking that poly juice potion with that one cat hair in it and becoming that weird cat human hybrid and then we're going to go in to really understanding the world of protecting harry potter if that is as about as clear as mud all right i'll break it down to muggle for you we're going to be talking about the terminology without understanding that basically underlying communication the whole new language that we use we're at an extreme disadvantage at being able to

turn from muggles to wizards but we'll go into that in just a bit then we'll cover cyber criminals because after all without them we wouldn't have jobs it's very interesting way to think about it then we'll delve into the unknown because what we don't know is really at the base of every issue we face and at the base of all of our fears we're going to spend some time on code reuse because i think that this is a subject that just isn't discussed enough when we come to speaking about threats about malware about what we're facing on a day-to-day basis and we'll wrap up with how to defend our environment we'll simplify it and we'll

speak step by step on what we can do to work together wizards and muggles alike in order to form a good strong defense for our companies okay let's kick things off with spells and terminology now if you all could please get your two spell books out we'll be using them in just a bit when it comes to terminology i when i'm talking to you i'm going to mess up i'm going to say things wrong i am going to kill every term of harry potter that you are all going how does she not know how to say that in fact i was recently interviewed and i had a mishap and i said kryptojacker instead of cryptominer

and you know what the intention the point of what was occurring still got through even though i had that small mistake as as muggles we are almost afraid to talk because we're afraid we're going to use the wrong words we're afraid that we won't be able to communicate our message and this is just horrible it's a huge disservice to ourselves and to our teams because we're not speaking up when we have a different look at things we have a different view we can percent we can present different facts because we're too afraid of i might not know that correctly it happens to me all the time i was speaking to somebody and they kept using

sass and i finally said stop what does software as a service have to do about any of this the problem arose when they said security is a service don't you work in security true story well you know what sas means software as a service with every place that i've ever learned i learned a different acronym for security as a service but saying that or getting to an argument wasn't going to do anything the point is that regardless of how we say something we need to find that middle ground in which we can communicate in wizards if you're watching if you're that person you're doing a disservice to yourself as well you know as wizards we

want to be able to have our strongest spells we want to learn we want to have the right tools the perfect one i mean remember what happened to ron whenever he you know used his wand incorrectly and it was broken if i'm using too many of these analogies and you haven't seen harry potter make sure to see it you're missing out in a huge cultural part of you know i guess our upbringing and my children are young and they're still watching it so all of our upbringing we have a way of communicating where we say things like okay our ec2 instance was able to be breached and they really took advantage of cve 2009-0021 yes i've heard somebody speak in that

way or we just say because of that cve and we talk about how you know it really was because of the certificate chain and the dsa and ecds keys what does that mean now imagine going to a manager asking permission to do something looking to be able to perhaps get more resources and you say something like that what we're trying to impress them no he's not gonna understand the gravity of what we're saying and let's say that he needs to go a chain up to somebody who perhaps hasn't worked in the trenches for a while and you're playing a game of telephone cause what exactly is he gonna tell them you are putting yourself in a situation

that you can't control now if we turn into our spell books the best way to be able to understand this is hold on i think i forgot to give the organizers the list to the spellbooks all right organizers i'm going to do that i'll also put up a resource page so you all can go and buy your spell books later on it's okay um let's just review what they are okay the first book is the standard book of spells grade one let's start at the basics folks i love this book you may also be able to find it in your muggle libraries or your muggle bookstores as intro to cyber security now this was written by a great

friend of mine and a colleague of his my friend jedi mammoth and he has a way of just breaking things down and being a great professor of the dark art i'm also fond of this book because he allowed me to spread that it's okay to be new message the reason that this book has been assigned to you all is you can use it as a dictionary you can go by and just you know look up a specific term i actually have used it to cram you know what let's start and let's do the first two pages let's kind of review i wish that everybody would break things down and just talk and muggle but realistically they're not going to so if

they're not going to do the work then we'll make some work yeah wait a minute then we will put in the work in order to be able to grow up into those wizards because i know that in harry potter the term mud blood was just this negative term to phrase or to refer to somebody who was you know human and who had human and wizard parents like screw that that's gatekeeping in the wizard world you are a wizard you just need the training the right tools the next book that i want to recommend to you all is dissecting the hack by jason a street if you can't tell by now let me point it out i learn in stories i use analogies i

you know loved sorry i loved learning world religions and christian theology because parables parables spoke to me in dissecting the hack is not as complicated as parables what it is is the story about two let's say young gentlemen who are out ward driving and practicing new tools and um you know just learning new techniques and having a blast being honestly criminals to some degree and they fall in with some real cyber criminals it's a great adventure the reason i recommend though this the reason that i the reason that i recommend this though is because when you hit a new term a new technology something that you don't understand a type of attack you just move over to the

back of the book and you'll see what the attack was the name you'll see a note explaining exactly what occurred and you know explaining what a tool does then from there it goes on to speak about the impact that that new technology the attack had on the story this means that you don't just know a definition you can actually speak to a real event that understanding of not just being able to cast a spell by saying some words but actually knowing what it will do is an amazing foundation for you as you grow into your powers okay let's dig into the fun part because i'm sure you've been waiting for this the attack attacks in cyber security are viewed

differently by wizards and by muggles and that's because honestly as a wizard we become a bit jaded you know we either lump it into er we can deal with that or oh dear god this is an advanced attack we're looking at an apt oh no the death eaters have shown up as muggles you ask more questions you ask why which is huge in understanding the type of attack we're facing by always looking at attackers as death eaters we are over complicating our security we start building those defense and depth strategies that i keep hearing about in okay defense and depth is good defense and depth also introduces a whole lot of problems is everything configured

correctly is everybody aware have we changed it to deal with the new environment has this been patched has this been updated and those are just a few i've even had people forget a few of their layers we need to approach things from a very simple stance before we go up to that you know to that strategy to that level this is not the cyber criminal that we're always facing yep muggles can learn to be evil wizards as well they when they turn into wizards they can use their power for bad i mean we can have somebody who is 16 years old playing around on their father's computer who takes down the internet they have the same ability the access to

the same tools we have malware as a service where they could go buy something we can download new malware and if you don't believe that a 16 year old can take down the internet well i'll have a resource page for you to read it as well but you can simply google mafia boy also known as the boy who took down the internet when you're a muggle you have more understanding of how much you can grow you're playing with the tools you're understanding the new attacks you're seeing yourself being successful when we're facing attackers we're not facing some guy sitting in his basement hoodie up more than likely it's somebody kicked back playing on a laptop

you know i mean i'd like to think that all of us will eventually get to that skyview apartment it's going to pay well or they're just sitting on their bedroom on their bed typing away learning something new and exploring your system we know who we're facing now now let's talk about the forbidden forest the forbidden forest was forbidden for a reason it was extremely dangerous nobody i mean the the new wizards the people going to hogwarts didn't know what all was in there because they didn't know what was all in there they didn't know how to properly defend themselves that's what we're facing in cyber security it's the unknown realistically and some of people might

not like me saying this we don't know anything we know the past we don't know the present can you speak to every single piece of equipment in your system and your company and if you can can you speak to every single cloud instance that you have every single line of defense every single ip out there every single configuration every single piece of code every attacker that you might be facing people who are mad at you is there you know do you know where all of your data is that's the one that really scares me is most people don't and if you think you do i challenge you to second guess yourself why i'm here today why i was so

passionate to give this talk is you i want you to start from the very beginning with your journey from being a muggle to a wizard to having the light that you need to see to be able to not face that darkness but to go in with an action plan the best way though that i have found to teach you this is interestingly enough by discussing polyjuice now as i talked about earlier with hermione taking it and becoming you know part cat we also see it whenever everyone takes it to take on harry's appearance now stop for a moment and really look at this picture yes we have a bunch of harry's but they're different you see different

clothes and even if they all changed into the same outfit you would see that they have different mannerisms a different way of behaving a different way of speaking and to a certain degree a different way to approach the same end goal that's a perfect analogy for polymorphic malware what polymorphic malware is it's malware malicious code that's run on a system that is programmed to be able to morph it changes its code it makes small adaptations by changing just one letter it changes its signature its thumbprint that we identify it by being able to bypass our detection and if people are going okay yeah but we already know that's happening we're keeping up to date with signatures

no you're not you do not have a database that has every single piece of malware virus you know malicious code in it it's near impossible because of how quickly they're developing and as they do so you know i talked about harry has different mannerisms or the other harry's have different mannerisms different ways of approaching the end goal attackers have the same thing they use this malware to all basically create havoc on your system whether that is bringing it down whether that's infiltrating data they go about it in a different way that's why we have you know different types of attacks different types of malware um because of the end goal someone's to get money some

is to get data some is to bring you down i'm being repetitive you get the point harry potter reference aside let's talk about it in a practical way the reason that i labeled this you know cloud security is companies are transitioning to the cloud in hordes you know it's just a constantly growing um phenomenon can i go with that that will not i'm willing to put this out there is not going to die down but as we transition to the cloud we kind of put ourselves at a disadvantage because we don't have the time to train on all of the new technologies as they're coming out containers are the big hotness in the cloud they have a deployment cycle

of what every couple of nanoseconds when you actually go into you know continuous deployment there are updates of container technology itself what every three months every six months let's talk openstack the cloud itself has a six month release cycle we can't keep up with all of that because of it we're seeing more and more opportunities for attackers to be able to get into these cloud systems it's like they say you know what attackers they only have to be successful once as blue teamers as defenders as wizards who use their power for good we have to be successful every single time one piece of malware that i like to use for an example is ipstorm now ipstorm was originally

written to work within a windows environment it took advantage of that peer-to-peer protocol not going to go into that once again i'll have a resource page with additional information about ipstorm when it comes to windows because i want to talk about how it's transitioned into linux environments and by transitioning into linux environments it very much can work in the cloud and really is being targeted specifically to that because the cloud is at last i checked 96 point something um percentage of the os's being used in the cloud azure itself is running over 50 percent of its servers um sorry azure has 50 of the servers that are being deployed there in linux probably is greater than 50 at this time all

right back to ipstorm ipstorm was found by our researchers to have transitioned to mac os and to linux and at the time that they found it it had zero percent detection on virus total now of course we published this gave out yara rules gave out information it's still bypassing our detection methods how because it's continuously morphing like we talked about i mean look at this screen okay we're seeing it and i'm gonna go over it so i can see it with you on september 29th we saw a new variant coming out and it's the top one the shaw has changed you can see from that entire label uh that entire row that is continuously changing and

only 23 out of the 72 engines on virus total were able to detect it let's go down to september 22nd okay look 0 of the virus total engines were able to detect it we can't rely on those same old defense mechanisms that we used when we were on prem it's too easy to continue to deploy a malware to continue to attack systems when they're constantly changing in the cloud we're trying new things we're trying new services we're trying to keep our configuration because it's new it's exciting it's easy we can change back and forth it's not like the rules that we had when we were on-prem attackers have more time to target to our systems than really we have to

defend it we have our entire environment that we need to keep take care of attackers can focus on one thing i mean we're seeing attacker farms out there meaning that we watch attacks start at 9am i'm not going to pick on a specific country if you want me to go watch my apts in the cloud talk and they clock in at nine they walk out at lunch for like 12 we see them come back and then the attack ends at 5. it's their job to go after that one system it's i'm sorry i think it's scary to be honest with you all the cloud is very much full of the unknown please excuse that weird edit my

children are obscenely loud right now and slamming doors and walking in welcome to presenting in the pandemic gave me a chance to breathe i got off my high horse so let's continue with the idea of harry potter as our story line let's talk about our professor of the dark art now he really was portrayed in i believe the book and the movie you tell her watch the movie more as i kind of think somebody you shouldn't take seriously he was a big goofball you know he ran away when the sprites were loose in the room he he just wasn't seen as somebody that was that powerful however we did suspect that they were probably malicious

something just wasn't right we need to take that mindset into our systems as i've said several times that lack of visibility to not knowing what's running within our system to knowing whether it's good code malicious code trusted code is the same scenario here we have a professor it's running on our system it's in our castle it's teaching our classes we we figure it's okay even if it raises a few eyebrows when it comes to our cloud-based systems our linux-based systems our entire environment we need to assume that an attacker has somehow gotten in already now i'm not alone in this statement it's said time after i'm by the fbi you need to have an assumed breach mentality assume the

attacker is already inside of hogwarts he's already making his move but doing it as stealthily as possible our attacker is not always he who should not be named but sometimes our innocent attacker is able to our innocent attacker is able to morph his dna more of his code into becoming more than he could actually be on himself attackers are using tools that were written for blue teams that were written for pin testing because they work or we wouldn't be using them we have services such as malware as a service we can hire people to teach us i mean there is a whole underground network of individuals looking to train that 16 year old kid to

be even better we have malware that has been open source such as mirai and it's still effective let's talk about this morphing of dna like i said mirai has been around i believe since 2016 it was open source everybody has access to it therefore we should probably have the signature in our databases right we it's fine mirai is still an effective tactic to this day to creating botnets to getting into our systems and now not just creating botnets but actually changing its behavior corey quinn once said he's from screaming at the cloud we have front-end developers we have back-end developers and then we have the rest of us who are stack overflow developers i've written some code and i know

anybody out there who has knows that stack overflow is a very helpful place you can go in you can look for hidden keys in code but that's something else and you can find a function you can find somebody that's already written what you need you copy and paste put it into your code and you don't have to reinvent the wheel malware developers are developers why are they going to reinvent the wheel with their code if they already know a piece of malware is effective but they want to change what it ends up doing so they take malware a they take malware b we form it together and form a new baby malware i really like analogies um and this new malware

obviously has a different signature and it has a different way of acting once again bypassing those traditional base detection methods i've skirted around it i've kind of mentioned it so let me introduce a new term to you it's called runtime protection it literally is what it says runtime the code is running at that time protection we are protecting ourselves from any malicious code running at that system i don't mean to speak down to anyone but i wanted to make it clear how easy that concept is right now we focus on pre-run time detection that means we're scanning code as it's being deployed we have all of our checks that are going and the issue here is is that developers

who are malware developers attackers they know that this is going to happen a great example of this is docky now donkey once again when found had zero percent detection rates on those virus total engines why well because it wasn't really malicious yet what happened is the system got infected then a container was spun up and it would use the curl command and it's on a lot of systems we use curl for troubleshooting for reaching out to the outside world on a host quite often and it pulled down the malicious image it ran within a matter of seconds and that's it the payload was in do you really think that you could catch that could you attach that attack that

happened in just a matter of seconds no what you can catch though is what's occurring on the system at that time you need to have visibility into that code you need to know you know what we didn't deploy this code or hey okay this application what i'm seeing some of it is normal but there's a certain percentage of this that shares code with mirai ipstorm whatever it is we need to not be afraid of the unknown we don't need to ignore it we just need to shed a little bit of light on it and dear muggles you are perfect for this because you once again you ask why you look at it you say what is this code

doing why is this running we need that fresh look because we get cocky we're like oh yeah yeah that's happening i don't know how many times i would see a paging alert and i'm like hey what's going on here now that's over paged it's cleared let's just close the alert it's common practice we're under a mountain of uh we're under a mountain of work as attack we're under a mountain of work as defenders keep an eye out for the things that have changed okay hagrid my favorite defender he's out there he knows what's in the dark forest he's a kind of obvious so i think i lied a little bit here because i think in order

to really offer you a simplified explanation that really summarizes everything that i've discussed about i'm gonna have to add a little bit more cheese and i'm gonna have to make it a bit more relatable and concrete okay here we go we have harry think about harry as our application yep i'm going there our application is what we want to defend right the entire point of the harry potter series is you had this boy who they were attempting to attack who they were attempting to get rid of who they were attempting compromise to bring down whatever you want and we had individuals who were trying to protect it sound familiar all right there's another part of the story though

is we also have dobby we didn't love dobby dobby is our developers hoping that i don't insult anyone and if i do well at least you'll remember this part they're well-intentioned they they want to help that application right they know something can go wrong so they spin up a cloud server and you know what that cloud server from in its inception will have outdated libraries they'll have things out there that have cves this screenshot is from a scan of a server that i spun up and ran it i did nothing else or developers aren't going to do that right they're going to update it they're going to clean the code but they're constantly changing we have

constant updates how often are we actually doing vulnerability scans on every single deployment which brings me to the next point we want to say we do we want to say every single piece of code every single application is scanned we are snape we are the ones saying slow down devs we need more checks we need you to run the security check we need you to do this we need you to have more secure deployment hey you know what we were attacked and everybody's you know putting it on us but it was your code that did it it's a bad problem when it comes to culture in a lot of companies it's who's to blame the security team who didn't

detect it the security team who allowed it to happen or the developer that created that code doesn't matter our end goal is all to have the most secure application to have the most effective application that we can in order to be effective for our companies talking a little bit in circles there basically we get paid to make sure that our company makes money let's just put it out there our security team needs just as much visibility into everything that we do as developers i keep changing who i am like that so security teams need visibility into what developers are doing and with deployment cycles of every minute a very few seconds there needs to be more

communication and that communication it's all about code by understanding that one thing by having visibility into what's running into our systems our our defenses can be mounted we can in fact just like in harry potter at the end of our book right the end of the movie they all come out you know wizards from the beginning who are just learning to our most advanced about to graduate from hogwarts and they have their wands out and they're ready to protect their castle their environment hogwarts from the death eaters who have breached the defenses that's exactly what we're looking to do the attackers have breached our environment and we need to form that last line of defense and that starts

bringing me towards the end of our presentation so let me sum everything up dear muggle you are a wizard i really hope somebody's name out there is harry and you just need some training you need to get into that environment you need to get into hogwarts you need to learn and you need to ask questions because it's all about visibility it's all about knowing what you don't know what you need to know and it's all about working together okay i've presented a ton of information and i know i'm guilty of falling too much into the story or talking too fast when i get excited i will provide and i'm trying to show it my screen is this way with my slides um

i have a site lopunk.com if you go backslash newcastle i've got screenshots of the malware that i was showing links so that you can run in the analysis again and see any changes that have occurred no paywall nothing just click the button it's all available for free i have news stories on effects that malware has done on mafia boy i love that story tools that you can play with news articles as i find new things i'll continue to update it don't worry i love sharing information but let's sum all of this up you're a wizard i really hope somebody's name out there is harry but you're a wizard you're not just a muggle you're not a mud blood there is nothing wrong

with being you you just need to continue to have that curiosity so you can have that visibility into your things you have you learn visibility you you increase your visibility by asking questions by trying to figure out what's there you are the key of what we need in order to mount that last line of defense think about it the end of the book the end of the movie really is everybody coming out of the castle to protect it from what the death eaters have already breached they're out there newbies and older wizards themselves wands and hands ready to lay down literally forming a last line of defense to protect their environment with that i will take the cheese away

and just say: dear muggles, there is room for you in the security world, and I'm happy to answer any questions that you might have.

Ah, I cannot hear you. Hi everyone. Local mute, fantastic. Right, so we do actually have a few questions. Let's work them in, we have a Q&A, so this is fantastic, we have the time for it. So, the first one would be: you kind of went over in your talk people throwing out technical jargon all the time, kind of crazy when you don't exactly know the technical jargon, the difference between, you know, sass and sass like you mentioned. So in your workspace, how would you handle people just throwing around words like that?

It's actually differed depending on my

workspace. Where I'm at right now is very blunt, and so "what the hell are you talking about" is extremely accepted. When I was starting out, though, I was working in a very corporate environment, you know, behave yourself, speak well, very, I hate to say it, but very judgmental when it came to our upper-level admins. My entire career, I say, started from somebody saying, "you know, I could automate you," and I was like, okay, let's prove you wrong, and that's why I became what I was. So it was hard at the beginning just to call them out. What I have learned, though, and I'm going to pass this lesson on to you: half of the people who are using the

over-technical jargon are doing so because they have no idea what they're talking about, and they're trying to hide that fact. If you really want to learn, call them out on it. I've always said, if you can't explain it to me like I'm five, you don't actually know it. The only way that you're going to break that cycle is to actually ask the question and learn how to explain it yourself, admit what you don't know, and hope that that kind of transcends the culture. Where I was, though, it was bad enough that I kind of felt like I was fighting a losing battle, so I left. I know that's not possible for everyone,

but it's all about culture and having to fit in, and if this is going to be a career, something you love and not just a job, you've got to stand up for yourself. So don't be afraid of ruffling some feathers. The people who are out there and are actually going to explain this to you, those are the people you need to impress.

It's fantastic. Yeah, not everyone can leave a company like that, it's a bit complex, or call out someone. Yeah, but imagine you're on the other end of this: you've done something that is, let's put it this way, not exactly ideal. You've made a mistake,

you've said something that was wrong to someone, not in the sense that you insulted them, but technically inaccurate, to someone. So let's say you were in a company that had a very low tolerance for that. How could you learn your spells as you go, as you say?

I love companies who do actual blameless root cause analysis. That whole concept, I think, is like, is it really blameless? Because let me tell you, in a lot of companies it's just a way to get you to let your guard down. It all ends up coming back to culture, right? And when you actually have that postmortem where people are explaining, you know, this occurred, this

occurred because, it's never just one person's fault, it's never, yep. Okay, so three weeks into my very first job, I took down the production system of an entire banking system. We found out that I had taken down the ATMs because people were yelling at the company on Twitter. Like, that was my fault. It was my fault because I didn't understand the instructions that were given to me, like, what's a cluster, and I was too afraid to admit it. I didn't speak up, and that's what happened. Luckily I was on a team that went, oh wait, we should have taught you that. So a few months later, when I was leading somebody and had somebody take

down a web server, not quite as bad but still, I was able to take a moment and say, you know what, hold on, that was my fault, I should have explained what this was, I'm going to take ownership of it. And at that point we kind of already had, I mean, I guess I caused us to have it, but we already had a process on how to handle that. How did I continue to handle that? Lab environments. Do everything, practice it first before you do it. I know that that's kind of hard at some companies because there's three of you on a team, but if you want to continue to learn, you want to craft your spells,

you have to be willing to push back and have them make time for it, because the more you push back, the more time they give you, the less likely you're going to take down that production environment.

Yeah, we've all taken down prod at some point. Might be something. It happened live on Twitter. Yeah, that's the moment where you realize, like, I might have taken down prod, but at least I can brag about it later, scale. But yeah, so you do also at some point in your talk mention cloud services. You mentioned Azure, you mentioned how they represent a lot of what is available on the internet.

How do you think, is it always an advantage to have all your services in the cloud? Because does that make your security team have less work or more work?

It depends how it's implemented. When you just go, okay, we have a six-month goal to have everything in the cloud, who has the six-month goal to give your security team time off to actually learn everything you're going to be using? And while we're at it, who's teaching the devs? Because it's just like YOLO deploy all the time, it's continuous development, we'll go back if it breaks. It ends up causing an actually really big rift between dev and, you know, DevSec,

the DevSecOps just makes me laugh, because I'm like, that's just the name of the fight we're going to have. It hasn't been implemented correctly at many places. But one of the problems, and I hate the term "the cloud responsibility model" because it's ridiculous: when you get breached, not if you get breached, when you get breached, I don't care that your stuff was on Azure, AWS, I care that you failed and my data is now out. In the end there is no shared responsibility, you're it. And we've had attacks like, recently we published an article called, you know, How We Hacked Azure Functions. Most people are like, oh, it's Azure

Functions, I just run my code, they take care of everything else. Cool, I can now have your code. If the cloud was so secure, then why do we keep seeing breach after breach after breach of personal information? Now tell me, let's say the Tesla breach, how many people actually know what cloud they were hosted on, or did they just know it was a pretty big breach and the information's out there? If you could have the time to teach security in the cloud to every single one of your devs and everyone in your security team, that would be optimal, that would be amazing. I think it would be a stronger security posture,

but given the way that things are happening now, it's just another level of complexity. And I don't know, I mean, I hate laughing about it, but the whole concept of "I'm in the cloud and I'm secure" is the old-time saying, oh, I'm running Linux, Linux is secure by default, yeah, or Macs don't get viruses. It's an entire world of...

So let's say you have a manager that's been sold on some cloud service, or has been told that this thing is the most fantastic thing, and they basically go into their company somewhere and go, hey, now we need to do this, and damn the

risks, or, you know, asset inventory, and just plug this in and pray for the best. How would you, as a person working in security, or even if you were a developer, how would you react to that in such a way that maybe this is not a good idea? It may be because as soon as I started asking the question, I was like, oh, Kubernetes, like, the manager doesn't actually know, but he knows containers are good, so we're going to do that now.

I feel bad saying that everything goes back to culture, but it really does. There are some companies that, you know what, you're screwed. Like, I'm just telling you right now, you're screwed, go

and do it. The only thing you can do is push back on, hey, I need training for this, I don't know this, and attempt to have a real sit-down conversation with them. I've worked with other companies where the security team's opinions are valued, and they can sit down and say, okay, fine, we're going to implement, these are the reasons that we need training, these are the issues that we see, these are the security concerns that we need to address beforehand. That's why conferences like this are so amazing, because you can have cross-company communication, and I don't have to tell you exactly what's going on in my environment, but I can go to a talk or talk to somebody who

is running it and go, these are the flaws that we have, document them down and go back with concrete stories and concrete reasons and actual information that's not theoretical, and say, okay, so what I found out is the company was breached with, I'm trying to think, leaving a Docker API open, and actually if you look at Shodan there's like 5,000 companies that are currently still doing that, probably more than that. How is our company going to handle this? Once you actually start presenting real-world examples with real-world information to a manager, it gives them pause, because you can say, hey, we stand to lose X amount of money,

suddenly we're not in such a rush.

Right, well, one of the fun things, and I mean, you didn't mention events like this, right? Well, I mean, you're someone living in Texas speaking at a conference in the UK, so RIP your sleep cycles. But yeah, I think the culture in information security, cyber security, at least on both sides of the pond, are somewhat, didn't have to communicate, not how they network, but let's say how they communicate about certain issues. But do you think this is kind of international? Can this kind of spread out to countries in Asia, countries in

the Middle East, countries that sometimes are very involved in developing tons and tons and tons of services very fast without necessarily backing it up security-wise?

So I've had the opportunity, and hopefully I can be their person next year, but I've had the opportunity to teach in like six different countries now, three of them in the matter of like four months. That was fun, all the freaking flyer rattles. And what I noticed the most is, I do have to go into some corporate environments, right, where I'm expected to wear a dress and heels and act a certain way, and yeah, I could push the button and push against it, but I'm like, this is the

culture that they have, this is actually the culture within the country, I'm going to respect that at that time. But then we get into the security room, where there's not so many people, and it's all the same: we're all laid back, we're all saying things we probably shouldn't in an HR-free environment, you know, we tend to be more real. And that has been my experience with security teams, you know, cross-culturally. I mean, there is one BSides conference almost every single day in a year, because there are so many of them, and it all has the same attitude. So I think that's one of the reasons that in the security world we can really kind of

form a good foundation, because borders don't really hold us back, right? We're doing this together, we have a lot of the same terminology. I went to Mexico and I kept trying to talk about servers, and I was like, I speak Spanish, so I was like, and the guy turns around and says, why are you trying to install Docker on your waiter? [Laughter] So yeah, to a certain degree we really have a unified language. I mean, oh God, I'm always trying to watch my language here, but at some point security teams just say screw cultural boundaries. Yeah, I'm trying to think of the words right now, I'm sleepy, and we just go with it. We're

interested in the game, we're interested in the hunt, whether that be the hunt for the attacker or the hunt for knowledge. So I don't know, there are no boundaries.

Fantastic. Well, speaking of being sleepy, I guess we've kind of hit the end, plus five minutes, of our session. We'll be having a ten-minute break before the next speaker, because that's how it's programmed, but yeah, thanks for joining in. That is fantastic.