
Okay, well, cool. Thank you for having me, everybody. Maybe I'll go a little bit faster because we lost seven minutes, but that's cool. So I'm gonna crack on and talk about some things. First of all I'll tell you who I am. We're going to talk about how tech has changed and how security has changed with it. We'll talk about the threat landscape. I'm gonna give you some fun. I mean, we've been talking about the threat landscape all day in other people's talks, but I'm gonna do more. We'll talk about some stuff you shouldn't do, and then, at some really high levels, some capabilities that, if you're doing cloud, which I assume everybody is in some way, shape or form, you should be knowing about, the stuff you should be doing.

So first of all, who am I, real quick. I'm a Senior Cloud Security Advocate at Microsoft. These are my dogs. They're very cute. Clearly they're not here with me. I live in Australia, but I am here, hooray. I think I win the prize for coming the furthest. You know, with some conferences they're like "who traveled the furthest?" and I'm like, pretty sure it's me, because clearly it's a competition, right. I like talking about security, I've been doing it for ages, I'm definitely a crazy dog woman. But one of the reasons I'm at BSides Leeds, and I think the BSides crew were probably a little bit confused when I submitted to the CFP, they were like, why is this woman from Australia submitting all these talks? Well, it's actually because I did actually grow up in Yorkshire. This is like my hometown BSides. This is me, I used to work at Betty's. This is me at the front of the Ilkley Gazette, quite a long time ago, when I was 19. And so, although people hear different things in the accent now, genuinely, I actually am from around here. I just haven't lived here for a very long time. So I was super stoked to come and do my hometown BSides, so hooray, yay. I promise I'm actually from Yorkshire, and that's why I'm here. Also, I literally just came down on the train from my mum and dad's house, because I went to see them.

So let's talk about some stuff rather than me and my strange accent. Look, the world has changed. Also, if you ask questions, or if you put your hand up and you confess to your security sins, I will throw a Tim Tam at you. For those of you who don't know what Tim Tams are, they're Australian biscuits. They are individually wrapped, foil covered, so you know, we're nice and hygienic here. And you need to go online, you don't just eat them now, you need to go online and look up "Tim Tam slam" and do that. It's not dodgy, I promise. For any of you who are dirty minded, it is legit, it is a completely clean activity. And now I see everyone going on their phone.

Okay, so look, there are a lot of things that have changed, right. I started in security about fifteen, well, I started in tech about 15 years ago, ish. You know, we've changed things. We have the hybrid of everything, so we don't just have on-prem anymore like we used to. The threat landscape is changing every five minutes. Now we've got AI that we're talking about, which no one was talking about six months ago. By the way, I'm not going to talk about AI, because there's a lot of armchair AI experts out there and I'm not going to pretend to be one of them. When we're using cloud, and it doesn't matter what cloud it is, we've got this shared responsibility model that you need to understand. And what I find, though we're getting better, is that we tend to vary between two extremes: the people who are like, "oh, I'm putting it in the cloud, oh, that's someone else's responsibility now, I don't need to care about security, that's Microsoft, Amazon, Google's problem," and then you have the people who are like, "oh no, I still need to 100% secure it, excuse me, can I walk through your data center, because I don't trust you," which you also can't do, by the way. And then we've got all of our aging processes and architectures, so we're doing DevSecOps, we're doing shift left, infrastructure as code, blah blah. So there's a lot of things changing more generally in IT that change the way we need to look at security, and it's a big change. If you were born in the cloud, as in you maybe started in the last five years, maybe you only know this. But for those of us who've been around a bit longer, you know that there have been changes. And even if you were born in cloud, you will notice that there are still architectures and legacies and hangovers that you need to understand from how we used to do things, because it's still a thing.

This is a really sweet-ass diagram that I love, just to explain. See if it looks familiar to people. So you can see here we have a data center that has five firewalls. I don't know why it has five, because we love firewalls, right. In on-prem security the more firewalls you have the better, particularly if you, you know, deconstruct the traffic and reconstruct it six times. That's extremely secure. And then generally businesses have started using SaaS. They would still have everything in the data center, maybe use the odd SaaS thing, whether it's Office, G Suite, whatever. Then we started, well, I put "first class mobile experience", but BYOD: people are like, "I want my email on my phone, I want my email on my tablet, I'm not going to use my work laptop all the time." And then you might have Internet of Things, that might be a thing as well. And then essentially what you see here is that now we have a completely different perimeter. That blue perimeter that we used to have, that is your traditional on-prem, but nowadays our enterprise perimeter is completely different, so it's not just in the data center, and this is the thing that we have as a challenge. Oh, and of course, I just realized I completely forgot to mention, we have cloud providers there as well, so whether that's infrastructure as a service, platform as a service. But basically this has changed a lot and we need to change our thinking, and we're still getting that. I was talking to a developer two weeks ago who was telling me, "I'm trying to build an application in cloud, but the security team insists that we hairpin all the internet through on-prem, which breaks my application because I'm not allowed to directly break out to the internet, and I don't understand how that is more secure." And I was kind of like, me neither, sorry. And so, you know, we need to think about these things.

And then real quick, there's a, oh, you know what, whatever, we'll go past that because I'm running out of time. Not running out of time, but I have a short time. This is one of my favorites. Let's talk about the threat landscape. I'll put the whole slide up so you can also read it in your own time as I go around. This kind of stuff, these figures, come from Microsoft research. They're US dollars. We have loads of research teams. But always remember, and this is something that Holly said this morning, that attackers are not going to spend loads of time and money doing something complicated if they can do something easy. So you know, we worry about zero days, right. We think, oh, zero day, scary scary scary, it's unpatchable, what are we gonna do. But if you look, a zero day costs quite a lot of money to develop and quite a lot of time, whereas denial of service you can get for a hundred dollars a day. You can DDoS someone, or if you want a bargain you can get it for like $750 a month. The one that gets me on there, I won't read them all out, is ransomware. So to buy ransomware on the dark web it's about $66. And, this is quite disturbing, you can essentially go on the dark web and get ransomware as a service, so instead of you buying the software and doing it yourself, you commission them to do it for you, and when your victim pays up they clip the ticket and take 30% of the profit. And so this is how accessible this stuff is becoming.

I have a friend who works in the New Zealand CERT, so the cyber emergency response team. I don't know what the UK equivalent is, I'm sure the UK has one. It's essentially the government department that anybody in the public can go and talk to for cyber security advice. And do you know what their number one call is about, just from the general public with cyber security concerns? Any guesses? Throw your Tim Tam guesses. No, but you answered the question. So you are literally at the other side of the room, let's see. Oh, ah, there you go, someone. I think we'll just do the relay along. So their number one call is DDoS, but not just any DDoS, it is teenagers DDoSing each other at stuff like Fortnite. Okay, so you can go online, you can get a DDoS service for like a dollar, and you can DDoS your Fortnite rival and take them offline so you can win. That is a thing. So think about this: if teenagers can access, you know, basically cyber attacking services, albeit low level ones, to just get each other at Fortnite, think what someone who's slightly more serious can do. It's really scary. So whilst we often think, oh, these attackers, they'll be black hats, they'll be this, they'll be that, they'll be doing complicated things, it's really not the case. It's so easy and so accessible, virtually anyone can go and do attacking. Now, obviously, don't take away from this that you should go and buy things and go do attacking, but it's crazy accessible. It will happen to you. So I think we still are not quite there in thinking this.

But to look at this kind of cloud security, because that's what I'm talking about, and again it doesn't matter, I don't care what cloud you're on, I realize I work for Microsoft, but principally this doesn't change. These are the kind of capabilities you need to look at for those main problems that we have. I'll just put the whole thing up, but you can see you need stuff like threat detection, obviously, that will look for ransomware, that will look for compromised PCs and devices. You'll want it for spear phishing. Really you need stuff like MFA. I mean, I know with spear phishing, if they're super clever, they can sometimes get around MFA, but it makes it harder, right. And passwordless. And then for DDoS, of course, we still need our good old firewalls. I don't want to bad-mouth the firewalls, because I was a network engineer before I did security, but you know what, there are still too many security people who think firewalls are the be-all and end-all, and they are not. We need other things. And then we also have best practices and standards, and there's loads of them out there, I'm not gonna mention them all, but you know this is kind of where we need to be, and hopefully you have all of these things in some way, shape or form.

And the reason this is important, I love this. Every year Microsoft releases something called the Digital Defense Report. It's usually in about November, so we're not due another one quite yet. But all of our research shows that if we just did the basics right, doing MFA, least privilege, patching things, the stuff that's not super sexy or super cool, you would get rid of like 98% of the potential breaches, because attackers look for the easy stuff. And I think it's difficult, because it's not super sexy. Patching is not sexy, keeping things up to date is not super cool, but this hygiene piece is so important and we still don't do it right. And traditionally, before we were in cloud, it was really onerous and boring to do hygiene stuff, whereas now we do have a lot of tools and capabilities that will do it easier, which I'll talk about later. I'm going to skip a couple of slides just because I'm conscious of time and I've already talked about them. I promise I'm not skipping anything important, and I'm sure I will put the slides somewhere later.

So let's talk about some stuff you shouldn't be doing: anti-patterns. Now, if you don't know what an anti-pattern is, an anti-pattern is basically a common response to a recurring problem that isn't effective. I'm sure you can all think of things we do here. Whereas what we should be doing is best practices, and a best practice is something that, if you do it consistently, will actually improve your outcomes, unlike an anti-pattern. So hands up if any of these seem familiar. Positioning security as an adversary to business and IT. Anyone seen that? Yeah, yeah, yeah. Using on-premises controls to secure the cloud. Yeah, yeah, I see there's a solid block over here, yeah. Trying to secure workloads after they are fully architected or deployed. Yeah, yeah, let's just do it afterwards, that's easy. And then this is my favorite one, and as a room full of security professionals, or aspiring security professionals, this is the one I probably want to impress upon you the most: security owning the risk. Who here has met, or may have been at one point in their life, and I will confess I am a reformed person who did this earlier in my career, someone who feels like it is their mission to do the security properly, and it doesn't matter whether the risk is really theirs, they're gonna act like it's theirs and be like "no no no no, we have to stop, we can't do this"? They take it as a god-given mission. Usually causes problems, right. Anyone want to confess to doing that? Again, I'll throw biscuits at you. It's always the people at the back. My friend, I can't throw that far, but you can come get one. This gentleman is there, so I can throw one. We don't own it, right. I'm not getting into a breast discussion here, but in any organization, as a technical security professional, you should not be owning risks. You don't make enough money, you've not got enough seniority. You should be advising business people about risks, and if your organization doesn't work like that, you need to be looking at your functions and stuff. And again, I'm not one of those people who's going to talk about business functions and how to structure that today, but you don't own the risk. Somebody, usually with a C in front of their job title, should be owning things and taking responsibility. So even if you don't 100% agree, if you say "hey, this is super risky and I wouldn't do it, I would resolve this issue," and the business decides to keep going, that's fine, because they're owning the risk. Just remember that, because it's fine, I promise.

So let's talk about some capabilities, the stuff you should know about and the stuff you should be doing. Now again, I realize you can't do everything, and I might throw in a couple of Microsoft names here, but generally I just want you to know I'm talking about capabilities, so if you don't use the Microsoft version, I'm okay, think of the capability. So, identity. Store user identities. I say Azure AD, but again, if you're using a different identity store, fair enough. Use conditional access. So this morning Holly Grace was talking about the number of lockout attempts, that there were five, that you could do five in 30 minutes or whatever it was. We shouldn't be using that at all. I totally wanted to heckle, but that's rude and it's a keynote, so I didn't. But we shouldn't be using lockout attempts anymore, it's extremely old school. Nowadays identity stores are smarter than that. In short, and again it doesn't matter which one you're using, essentially what they do is they look at the attributes of a login: where it's from, what time it is, what things they're accessing, what device it's coming across, and they assign it a risk, high, medium, low, and then you can define what happens. It might be a lockout action, it might not be. But we shouldn't be using the number of lockout attempts. I know it still does exist, and for those people who are pen testers, that stuff is gold. So use that, and look, I mean we've said it again, I'll say it a million times, use MFA. And use a key vault or a secret store. Don't just chuck creds in places, and also don't just put strings in things, it's horrible. Make sure client secrets have relatively short expiration lives. Who here has configured a secret or a certificate for a thousand years? Yes, how many years was it? 999? Oh, there you go, there you go. Yeah, it's been reduced, yes, but it also depends on some other policies as well. Two years, not bad, I've seen a lot worse. Oh, hello, do you want more Tim Tams? You're just throwing out my product names here. So, you know, look, I don't use my dog's name as my password, by the way, it would be far too obvious.

In terms of connectivity, you should be using a secure bastion or a jump host. Who here has seen or uses, if you want to confess for a biscuit, confess your security sins, we're in a safe place, a random bastion that they spun up, that never gets patched, that is completely outside everything else, and they actually use it as their secure thing to access the rest of the environment? Oh, it doesn't belong to you, so it's okay. Oh, okay, that's pretty much worth a biscuit, I feel like that's worth a biscuit. For API stuff, now, we're not in Australia, you may or may not know that there have been a couple of very high profile breaches in Australia at the end of last year, one that involved a very big telco, that was to do with API security, very embarrassing for them. So API is hot, hot stuff over there. But you know, you should be using API management tooling. Load balancing, we think that might not be security, but remember security is CIA: confidentiality, integrity and availability. Load balancing helps with availability. Also, encrypt stuff, you know, because encrypting stuff should be pretty easy.

In terms of logging and monitoring, you should have your logging on for everything. I mean, I know logging creates a lot of noise, but have it all on, collect it into a central place. Don't just send it nowhere, or send it into lots of little disparate stores where no one can do anything with it. And also, by the way, I have a sticker, sadly I managed to not pack it, and it says "collection is not detection." So if you collect the logs and do nothing with them, that is not that useful. Yeah, collection is not detection, okay. And automate everything. Like I said, I'm not talking about AI and stuff, but a lot of this stuff is very tedious in cloud, again no matter what cloud it is. We can automate loads and loads of this stuff. Don't be having someone do this manually, because we just don't have enough people. A couple of interesting scenarios: we've got sign-ins to disabled accounts, inbox rules, failed logons, files and folders shared externally. These are the kind of things you should have as some scenarios that you should monitor for. But use out-of-the-box things if you're not sure, it's a start, right.

Posture management. This is something I'm extremely passionate about. I already talked about security hygiene. Now, CSPM tooling is cloud security posture management. Microsoft's version is called Defender for Cloud, it is the artist previously known as Azure Security Center, if you use Azure. But basically CSPM tooling will have a look at everything you've got in your estate, usually across multiple clouds, and say, "hey, you've got an unpatched machine," "hey, did you know that storage thing is completely open to the internet, maybe you should fix that," and it makes it way, way easier. And actually some of these things will, if you want them to, automatically remediate it. So that really tedious security hygiene piece is so much easier with CSPM tooling. So if you're not using that, if you're not, it's actually crazy easy to set up and really, really nice. And lifting your security hygiene is by far and away the best thing you can do to lower your risk of getting owned.

And then last but not least, for the devs in the room, or people who are working with devs, don't forget your code stuff. I mean, you should be using secure development practices, and then your cloud native stuff. I want to talk about secure development so much, but you know, infrastructure as code security, there are tools out there for that, there's DevOps security management, doing pipeline security, all important stuff. And I'll finish on this one. Oh, I love that transition. I'm going a little bit fast because I do want to finish on time, because I like to be respectful of people's breaks. But here's a nice overview of some security capabilities you should have. As you can see, it doesn't matter what cloud it is, but all I'll say is don't have tooling that just looks at one cloud. It's completely useless if you've got multi-cloud, or if you've got cloud and on-prem and hybrid, which most people will. Your security tooling needs to be looking across everything, absolutely everything, because attackers don't just look at one thing, they don't look in silos. You need to have the view across absolutely everything. So, really, really important.

I've gone a little bit fast on this, but that's because we kind of had a seven minute delay. But I will stop there. If you go to the QR code, that's a link to lots of cool, interesting links. It's not dodgy, I promise, because I know people are suspicious about QR codes at security conferences. That just takes you to a GitHub page where I have a lot of useful links. I found it's way easier for people to get to them. Some of it's Microsoft itself, some of it isn't. A lot of it is very generic guidance about things you should do. Come and have a free-for-all on the Tim Tams, I'm not taking them home with me. I've also, I do usually have stickers, but I did take them upstairs to the sticker table for charity, so if you want some cool stickers, I do have cool stickers, I promise, I'm biased, but they're all upstairs. So you can go donate, go do good things and donate to charity. That's such a cool idea. I'll hang around here for a bit whilst people go and get tea and biscuits. Sorry I went a little bit fast, but hopefully you found that interesting, a bit of a whistle-stop tour in 20 minutes through the talk. But thanks very much Leeds, super stoked to have got to come and do BSides in Leeds, so thanks very much.
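The talk makes two points that are easier to see in code than in words: that modern identity stores score a sign-in from its attributes (where from, what time, what device) rather than counting failed attempts, and that collected logs are only useful once something actually runs detections over them (sign-ins to disabled accounts, suspicious inbox rules, failed logons, files shared externally). The following Python is an added example written for this page, not code from the talk or from any Microsoft product. The event records, field names, organisation domain, "expected" countries, business hours and scoring thresholds are all constructed assumptions; a real identity provider or audit log would use its own schema, and real policies would be tuned to the organisation.

```python
"""Added example: attribute-based sign-in risk scoring plus a few log-monitoring
scenarios, run over constructed sample events. All schemas and thresholds are
assumptions made for illustration; they are not any vendor's real format."""

# Constructed sample events (not real logs). The shape loosely follows what an
# identity provider or collaboration audit log might emit; field names are assumed.
SAMPLE_EVENTS = [
    {"type": "signin", "user": "alice", "country": "GB", "hour": 9,
     "device": "managed-laptop", "result": "success", "account_enabled": True},
    {"type": "signin", "user": "alice", "country": "RU", "hour": 3,
     "device": "unknown", "result": "success", "account_enabled": True},
    {"type": "signin", "user": "bob", "country": "GB", "hour": 14,
     "device": "managed-laptop", "result": "failure", "account_enabled": False},
    {"type": "inbox_rule", "user": "alice", "action": "forward",
     "target": "someone@example.net"},
    {"type": "share", "user": "carol", "resource": "/finance/q3.xlsx",
     "recipient_domain": "example.net"},
    {"type": "share", "user": "carol", "resource": "/team/notes.docx",
     "recipient_domain": "example.com"},
]

ORG_DOMAIN = "example.com"          # assumed: the organisation's own mail/tenant domain
EXPECTED_COUNTRIES = {"GB"}         # assumed: where this organisation's users normally sign in from
BUSINESS_HOURS = range(7, 20)       # assumed: 07:00-19:59 local counts as "normal" hours


def score_signin(event, expected_countries=EXPECTED_COUNTRIES):
    """Assign a risk level from the sign-in's attributes instead of a lockout counter.

    Each unusual attribute adds points; the thresholds are illustrative only.
    """
    points = 0
    if event["country"] not in expected_countries:
        points += 2                     # unfamiliar location weighs most
    if event["hour"] not in BUSINESS_HOURS:
        points += 1                     # out-of-hours activity
    if event["device"] == "unknown":
        points += 1                     # not a known/managed device
    if points >= 3:
        return "high"
    if points >= 1:
        return "medium"
    return "low"


def decide(risk):
    """Map a risk level to a conditional-access style action (assumed policy)."""
    return {"low": "allow", "medium": "require_mfa", "high": "block"}[risk]


def evaluate_signins(events):
    """Return (user, risk, action) for every sign-in event, in log order."""
    out = []
    for e in events:
        if e["type"] == "signin":
            risk = score_signin(e)
            out.append((e["user"], risk, decide(risk)))
    return out


def detect(events, org_domain=ORG_DOMAIN):
    """Run the talk's monitoring scenarios over the events and return alerts.

    Scenarios: sign-in to a disabled account, failed logon, inbox rule that
    forwards mail outside the organisation, file shared with an external domain.
    """
    alerts = []
    for e in events:
        if e["type"] == "signin":
            if not e["account_enabled"]:
                alerts.append(("disabled_account_signin", e["user"]))
            if e["result"] == "failure":
                alerts.append(("failed_signin", e["user"]))
        elif e["type"] == "inbox_rule":
            if e["action"] == "forward" and not e["target"].endswith("@" + org_domain):
                alerts.append(("external_forwarding_rule", e["user"]))
        elif e["type"] == "share":
            if e["recipient_domain"] != org_domain:
                alerts.append(("external_share", e["resource"]))
    return alerts


if __name__ == "__main__":
    for row in evaluate_signins(SAMPLE_EVENTS):
        print("sign-in", row)
    for alert in detect(SAMPLE_EVENTS):
        print("alert  ", alert)
```

Two things are worth noticing when running it. The second sign-in for alice succeeds, so a lockout counter would never notice it, yet the combination of an unexpected country, 03:00 and an unknown device scores it high and the policy blocks it. And the same events that feed the scoring also feed four detections; without `detect` they would simply sit in a store, which is exactly the "collection is not detection" point.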