
Okay, there, there are seats at the front. Can they hear us? Yeah. So the next session is about to start in 30 seconds. Uh, I am your track one host. For folks at the back, there, seats at the front. Okay, I'm your track one host, my name is Angus Chen, and our session is about to start. So today's speaker, Cassandra Young, and the title is "Skills to Build for Your Cloud Security Career." Uh, again, "Skills to Build for Your Cloud Security Career." Let's welcome Cassandra Young. [Applause]

All right, this, this headphone thing is really weird. So can you hear me? Can you hear me in the back? Yes, this is awesome. Uh, so I'm Cassandra. Um, I do a couple things in the cloud security space, and I'm here to tell you how the hell I got here and some skills that translate really well if you're looking to either get into cloud security from IT or from, um, from the security space in general. So let's get started.

That's my intro slide. I'm going to talk about my career, but right now I am a, uh, senior consultant at CrowdStrike. We have a services consulting kind of department, so I do proactive cloud security assessments, which means I get to go into an environment with read-only access, tear it to pieces, and then yell at executives and get paid to do it. That's my job. It's awesome, 10 of 10, would recommend. Um, I also have a master's in computer science from University of Pennsylvania, where I used to work, and I see a whole bunch of my former colleagues here. Uh, I also, woot. Um, I also used to work at an awesome company called Sr, which is the first consulting firm I worked at, uh, which I'll talk about that too, but there's some great folks from there too. So, see everyone. I'm sure there's CrowdStrikers too, maybe, but there's like five that I even know or even remotely near Philly, so we'll, we'll see. And then I'm a director at Blue Team Village as well. If you're not familiar, we work mostly at DEF CON to provide free blue team security, uh, just, uh, training and resources, uh, at DEF CON, so check us out.

So to get started, we're going to talk about a couple different kinds of
technical skills that are pretty much necessary for transitioning into cloud security. Depends on what you're interested in in cloud security, uh, but some of those technical skills that really make a big difference are just understanding Linux and being really comfortable with command line tools. Um, so if you're used to, you know, remoting into a Windows box and clicking a bunch of things, most of the cloud resources that I deal with in enterprise environments don't really use that kind of interface, so you need to be comfortable with your command line skills. You need to understand how to run command-line-only, uh, tools on remote servers, essentially. Um, virtualization: if you don't understand virtualization, it's really hard to wrap your brain around anything cloud, so make sure that you're really comfortable in that space as well. Um, having some knowledge of containers and roughly how they work is great. I don't really deal with a lot of kind of data-plane-level, like, I'm not remoting into servers very frequently, not, um, you know, configuring containers that directly, but having an idea of how they're used helps a lot, because you'll deal with a lot of, uh, companies that are using very advanced containerized infrastructure, Kubernetes, things like that, in the cloud, and having just a base knowledge of how those work is incredibly important.

Um, and then the other, so the other, uh, really important set of skills is basic networking, and you notice I say basic and I have an asterisk in it, because if you're trying, if you're really good at on-premise networking and you go to the cloud, it's not going to work the way you think it's going to work. So having fundamental skills like understanding protocols, you know, you're, you're good with TCP/IP, you know what TLS is, you know, you know TCP versus UDP, things like that, like that's the kind of level of fundamental knowledge that you need. Roughly how subnets work, how networks are divided and segmented. So having that base networking, uh, experience is great, but don't rely on it too much, because you'll need that flexibility to really move into a cloud environment where it works completely differently than you think it does, and every cloud provider does it differently, so that makes it even more confusing.

Uh, and then lastly, firewall rules. Really important that you understand how firewall rules work, uh, because the cloud is kind of inherently public in a lot of ways, and you'll see a lot of different tools in different cloud environments that control how, uh, connections are made to resources within that environment. So understanding, you know, how you would configure a rule, what is, um, a stateful, you know, what is stateful or stateless, what, how does that work. So, you know, you have traffic egressing and it makes a connection, well, that allows, uh, traffic to come back in.
So you need to understand those fundamentals to really, to really be able to do this.

Um, so some other skills. I get a lot of people asking me if they need to know how to, like, you know, write applications in Python. I would say no, that's a bonus, but you definitely need good, just, command line basic scripting skills. Um, Bash: really useful across AWS, uh, GCP. Azure, less so. Uh, Microsoft Azure is Microsoft, so having PowerShell experience, if you have PowerShell experience, you're going to be really comfortable in the command line, and then that would make sense as a, as a transfer into cloud security.

Um, so, network application connectivity. I wasn't really sure how to word this. It's kind of like, essentially the cloud resources are different services that you don't have much control of that are stitched together with APIs, so if you're not familiar with an API, you don't know how it works, that's going to be really hard to wrap your brain around. So working with APIs, understanding HTTP connect requests and connections, um, kind of understanding how you would build request, build request headers, is going to help you a lot in understanding how traffic moves between the different resources in the cloud, so definitely recommend that.

Um, I'm adding the software development and automation side as a bonus, like this is more advanced stuff. If you haven't heard of infrastructure as code, if you don't know, you know, what Terraform is, or, or even, you know, if you don't work a lot with, like, Ansible and Chef and Puppet and these, like, orchestration kind of tools, um, it's, it's helpful to know that, because in my experience the vast majority of cloud environments I've worked with for my client engagements have used some level of that type of tooling. CI/CD pipelines, um, Git. Definitely know Git; I would actually put that under core skills. Um, and then, you know, CI/CD pipelines again, infrastructure as code, more of that, containers, container orchestration, it's going to help you a lot. And, uh, personally, in my job I actually write tools to pull configuration data from cloud providers, and I'm using Python to do that. Um, and I have a good application back-, where, under-, understanding of software development that has helped me get jobs, it has helped me grow in my current role, and it keeps it interesting and exciting, and it's, it's a huge bonus. It sets me apart from other candidates.

Um, so I, I don't, wasn't really sure how to put together, like, a security-specific list of skills, because I think that the vast majority of them are transferable. Um, but the real key here, I think, is just understanding identity and access management. So this is identity federation. Every major cloud provider has some, there's going to be some type of federation set up behind it. You know, you have, like, Okta backing
AWS, uh, or Azure AD, Entra ID now, whatever, if you, if you want to call it that, like, rename it every five seconds, I guess. Um, but understanding how that implementation works. The majority of environments that I've seen in Azure specifically are on-prem environment with, with Active Directory, simple Active Directory setup, federates into Azure Active Directory or Entra ID, and that is, that backs all of the permissions that are configured in Azure, in the Azure platform. So understanding the fundamentals of how that works is incredibly useful, and, and I, I would almost say that's, like, really core, core knowledge that you need to have. Um, authentication flows, types, just understanding how sessions and token-based authentication work, um, that type of stuff also very useful. Just, um, understanding, like, difference between, like, service accounts and user accounts, interactive, non-interactive logins, things like that, is, is very helpful.

Um, and then DFIR-related skills, like having a good understanding of log analysis. Cloud logs are scary. They're massive, not going to lie. Like, they're, it's, I've described them as basically, like, the default is a fire hose and you're going to get, like, way too much information. So understanding how to, like, look through logs and, and narrow down different parts of a log, like an event type or, you know, IP addresses and things like that, is really helpful. Uh, SIEM and logging, logging, log monitoring infrastructure. I don't want to say SIEM, because that sometimes is a little bit more, like, broad and expensive, if you're using Splunk, of course. Um, but just understanding how logging pipeline is set up is very helpful as well. Uh, and then being able to do some kind of threat hunting, having familiarity of that process, also very useful. Um, and then application code pipeline security. If you've done AppSec, if you've been in, involved in DevSecOps, it translates really well to cloud.

So I put together a few examples, and you'll note the giant asterisk on the bottom. Yeah, job descriptions don't usually mean, job titles don't mean, like, I, I was trying to look at listings on, like, Indeed or something last night, like, okay, what is, what does a
cloud security engineer do, whatever, like, who knows. They, it's just like that, a company just rolled the dice and picked a bunch of things that sounded very fancy and put it on a, put it on a job description. Then the pay ranges too are just, like, all over the place, so I, I can't really speak to that exactly. But generally speaking, an engineer is going to be involved in more the implementation side of things. They may also act as kind of an interface between the security team and something like the developer team, um, you know, and, and cloud infrastructure engineering teams, things like that. So it's really, I would say if you have a lot of IT experience, this is a great kind of position to go for. Um, it'll be a little bit more hands-on. It doesn't invol-, it doesn't necessarily need the same level of, um, of technical depth that an architect would.

So on the right I put architect. That's really around, like, looking at things from a much higher-level perspective, understanding how, um, you know, how you translate OU on-prem to organizations in AWS, or, you know, the other infrastructure, the, the way that you kind of organize an environment, that would apply to the other cloud platforms. Um, and, and really it's, it's like a, architecture is more developing strategies around things, and you need the technical depth to be able to do that. So if you're targeting any one position, engineer is probably a good place to start if you have that security experience, probably even if you have the, some of the IT experience. Uh, if you have IT experience but not any security experience, then it may be, you know, you may be targeting something that's a little bit more, um, you know, starter level, like generic security career.

Um, and then I'm personally in consulting. I love consulting, but my God, you need to be, you need to be, um, completely willing to jump into the deep end, be confused all the time, and have your brain hurt like hell at the end of the day. The, I think one of the first, like, consulting
engagements I was on, it was like, oh, this is going to run for, like, you know, a couple weeks to a month, and I'm, and, you know, they put up, like, architecture diagrams of their cloud environment. I'm like, I am so overwhelmed right now, I don't know what any of these things mean. I think, like, we, we recorded meetings that I would, like, play them over, like, three times to understand all the words, and then, like, write down the acronyms and Google things. It was, it was nuts. So consulting is a lot of fun if you have the bandwidth for that, if you have flexibility, you know, if you, if you're just willing to, like, lose your mind a little bit. It's a great way to get started, um, but it is very challenging to do. Um, and I can say, so I work at CrowdStrike right now, and, you know, we, we're eventually going to be expanding our team to get more cloud assessment folks, and some of the things that we look for are going to be a little bit more higher level. So we're going to look for experience with, like, threat hunting cloud and, um, you know, maybe more of the, like, cloud, actual cloud engineering people with a lot of hands-on experience, so that definitely comes in there.

And then there are other roles too. Like, I would say if you just search for cloud on Indeed or whatever, or, you know, your job sites, what you're going to find is almost every regular security position references cloud. So if you have some, some security experience and aren't ready to hyperfocus on cloud, you find something that actually has a cloud element, where it's, you know, cloud skills preferred, or you'll be handling a lot of this, and then you can use that as a way to just build that experience up over time.

Um, so the other question I get a lot is, um, what, which cloud should I go with? And, uh, this is, this is a great question. I love not answering it. Honestly, it's like, it's so subjective. Um, but I was kind of
thinking about this, and like, well, I started with AWS, and the reason I started with AWS is because when I did my master's in computer science, I got to just, like, put projects in the cloud, and AWS was, like, the most documented, the most widely used. It's, every, every place probably has AWS if they have anything, so it's, it's kind of an easy thing to transition into. But if you have, already have experience with on-prem AD, if you have IAM experience, um, if you've ever been a Windows sysadmin, I honestly, I would probably pick Azure, uh, and/or M365. So that's your Office 365 kind of suite of services, where you're not really spinning up, you know, VMs or anything, but you're configuring platforms. Um, and honestly, that's a really good segue into Azure, so if you get that M365 experience, it's like Azure is, like, right there, so it's kind of like a, you can use it as a pivot point. Um, yeah, and then IAM also, if you really like IAM, I mean, M365 is great. Work with Entra, Azure AD, whatever you want to call it, um, and that's a pretty easy transition point.

And then my favorite one: if you're a masochist, pick GCP. Guess who's a masochist? I actually work in all three cloud platforms, and I kind of like GCP the most, because no one else knows what the hell it is and what it does, and it's really fun to just be the person that's like, this is weird, let me figure out what the hell's going on here. It's a lot of fun. And then there's other ones, like Alibaba Cloud, and I don't even know the others. Oracle Cloud, really weird. Don't touch Oracle Cloud. Their, their, like, claim to security fame is literally, oh, our VMs are, like, network perimeter, and the thing about cloud is it's all IAM, so your network perimeter doesn't really mean to me, and that's their whole thing. And then they say lift and shift. It's bad, don't do lift and shift.

Anyway, the other question I get a lot that I also hate answering is certifications. Folks, I hate
certifications. I think they're really dumb, and I have several. I still think they're dumb. But what I actually do recommend is, if, especially if your job is willing to pay for a certification, like they're willing to pay for any kind of cloud, go for it, like, that's fine. Um, but I actually like using some resources from studying for those certifications to essentially look at, like, what areas I'm good at. So I did an Azure certification, I looked, and there's, like, a whole section that's just about Azure AD at the time, and that was great, because I was looking at that, I'm like, okay, what parts of this, like, little review am I confused about, and then I can focus on those and, and round out the skill sets. Or they'll talk about, you know, kind of like the, your VMs, your storage, like, you know, S3 in AWS, for example. Really great way to just assess where you are and then, like, drill down a little bit, so they're very useful. Um, honestly, I mostly recommend, and if you're going to get a certification, especially if you're paying for your own money, or paying with your own money, I would recommend just sticking to the platform certs. So your AWS certifications, um, you know, GCP if you really feel like going down that, that road, uh, and then, um, Azure has a number of good ones as well. They almost all have entry-level ones, which are great. I don't say that they're going to differentiate you in a, in a pile of applicants, that's, they're not necessarily great for that, but they're great entryway into just having something that's going to get you flagged by recruiter, like someone's going to search for that and find it, and then they might help you get just, like, one step further in the application process. Um, and there's some other ones as well. If you have a lot more experience, there are, you know, cloud-security-focused certs that are more applicable if you have a lot of security experience already.

Um, training resources. I'm a big fan of doing anything that's free or covered by your employer already. Again, um, the trainings provided by the cloud provider, really very helpful. They provide pretty thorough study guides for those certifications that you can use as general resources. Heard good things about A Cloud Guru. Um, and then Udemy has, usually they'll have, like, a fire sale on, like, Black Friday, so you get these courses for, like, five bucks. Great intro. Quality, you know, maybe a little hit or miss, uh, but it's really just great to be able to, to kind of, that'll get you started, and then you'll, you'll figure out, like, what's interesting, what do you want to focus on next, that kind of thing. Uh, and then I'll post these slides, uh, at my, on my GitHub afterwards,
um, but I also got some colleagues to recommend some links, so these will be on the slide deck that I, that I upload.

Um, so the last, the last slide I'm going to do, or the last major slide, is my own path into cloud security, because I can talk about this, because I've literally done it. So I started out, uh, working in higher ed as generic IT desktop support. Yeah, desktop support, I see you, I see you, people I used to work with. Um, and man, I didn't know anything. I think, like, I, like, couldn't figure out how to, like, turn Wi-Fi on on Windows 7, which was kind of sad, but I learned. I also made the interesting decision to, um, help with an O365 migration when no one else wanted to touch it, because I was like, I don't know anything, let me just use this. So that, the connections I built and the knowledge that I acquired helping with that helped me move into a position at central IT that was a Windows system position. So I basically went from generic desktop support, help-desky stuff, to Windows sysadmin just because I was willing to, to actually just embrace O365 and, and deal with it.

Um, so from there, um, I also got a, uh, master's in computer science, which I did one class at a time over, like, seven years for a two-year program. I used my tuition benefit, because I worked at a university. That's another recommendation: higher ed, there are other benefits besides the minimal pay. So, definitely hear some laughs from that one. Um, but while, again, while I was doing that master's in computer science, I also, um, used every opportunity to just study cloud and, like, try to use it, get hands-on. Um, and then I moved into my first consulting position. I actually wound up doing Azure engineering for an XDR service that we created, and that, that was a great pivot, because I went from O365 and M365 services, cloud experience with the master's, and then used that to focus on Azure, and then I moved into AWS cloud assessments afterwards. And then, uh, my last pivot, I moved to CrowdStrike, and I do mostly Azure and GCP assessments, proactive assessments, but I also advise on other, um, other exercises like tabletops. Um, we do some, like, purple team exercises, uh, threat hunting cloud, things like that. So it's, that's kind of the progression that I took, and I, I used a lot of those skills that I had focused on to, to build up to that point.

And then my, my last real slide here, just some tips and tricks. Be flexible, be willing to learn. That is, like, absolutely number one. You have to be that person that's like, I don't know what this is, let me go figure it out,
because a lot of people are really afraid to make that move, or afraid to change their mindset, or afraid to embrace that they don't know something, and that's also kind of, also another, another important part of that as well. Um, getting hands-on: AWS has free tier, GCP and Azure have, uh, have their, uh, free resources as well, so use them, they're great. Um, and then, I think, you know, human networking, to go to conferences, meet people, talk to people. Um, cloud meetups, security meetups, just start talking, talking. Talk to me after here. I'll be somewhere in the, over there probably, um, in the back, maybe in the hallway. Might go to the hallway, it's a little, get a little nuts in here. Um, and then the last one I, I'll say is just apply for the job. I mean, worst I can say is no, so don't sell yourself short. Really focus on all the, the skills that you have that, that can transition. You have base knowledge, you can apply that, you can learn something new, you're golden. That's all I want out of anyone that I am involved in hiring.

So, um, with that, that's it. Thank you very much. So I don't think I can take questions up here. Um, can I take them out in the hallway? So I'm going to go out to the hallway for Q&A, I'll be out there in a second. And, uh, there's my GitHub is on there. Um, I'm on all the socials as mutki, mostly, uh, so find me. Thank you so much.