
So welcome, guys, and thanks so much for having me out here. I showed up last night and I'm like, what the hell's going on in San Diego? What kind of weather have you guys got going on here? This is sort of ridiculous. Kevin lured me out here with the promise of beautiful sunny skies and warm weather. Actually, I don't expect much anywhere in January, but it is sort of bizarre when I come from Atlanta and it's warmer over there than it is here. So, needless to say, again, thanks for having me.

I created sort of an overly dramatic title for this presentation, right? Any time you have a presentation that's like "the time is now," it's all like, come on. But this is sort of a soapbox, if there was one, I guess, that I'm on these days and have been for the past couple of years. I've spent the last, God, it's going on almost 10 years, focusing very heavily on things like virtualization and converged infrastructure, and by extension of that, in the last several years, specifically around software-defined sort of everything. What I've started to realize, as a consultant, which is what I do in my day job, if you want to call it that, is that there's just this massive gap in the way that security teams recognize the direction that not only their infrastructure and ops teams but also their dev teams are moving.

So everybody knows cloud, right? I will endeavor not to say the word "cloud" too many times in this presentation, just because, whatever, it's there, we know it, it is what it is. But the fact of the matter is dev teams are doing their own thing. We know this. They're going to continue to do their own thing whether security really likes it or not. And so what I like to tell security people, which they don't like to hear, and I spend most of my time hanging out with security people: you lost the battle for the whole idea of DevOps and cloud and software-defined stuff. You lost it. You didn't even know you lost it, properly, but you lost it, because it's already happening. So if you try to go take a look and say, whoa, whoa, whoa, let's put the brakes on, let's not put in those network function virtualization platforms, let's not go throw everything into Ansible, let's not put together a hybrid architecture that starts shifting stuff out into the cloud at lightning speed, you're going to be just disinvited from the meeting. Now, that might be a good thing, because meetings suck, but look, there's only so many of those that you can miss before things start going off the rails for you.

So what I've realized, and again it's sort of being couched in the terms of DevOps, but really to me DevOps is a philosophy. It's not necessarily this very specific thing that everybody's going to adhere to in the exact same way, because there's sort of a purist model of DevOps, and there are people that are doing it, right? Especially in technology companies and software-driven organizations that's really happening. But if you're an insurance company that's been around for 200 years, or you're an auto manufacturing firm, or you're one of those old-line, staid businesses, you know what? You're not going to just throw out your classic waterfall models of dev, or your agile if you're doing some of that, and immediately just embrace DevOps so that you can say you did it. What you are going to find yourself doing, and I'm speaking in the collective "you" here, is adopting some of those core principles. And that's where security people are falling down, frankly. They're not in the mix. They're not really involved. They're not taking all of their security concepts and principles and adapting them and molding them into these sort of automated provisioning workflows and things. And what's going to end up happening is there's going to be stuff out in the cloud, or even internally provisioned, that is missing massive chunks of security. That's just the nature of how things are happening today.

So, again, this is my soapbox, if there was one: we're going to get left behind as security professionals and security teams. And the problem we have in security is that everything's a big deal, right? It just seems to be. Like yesterday, and God forbid, I don't know why I did this, but I went out and spent a little bit of time
on Twitter. I used to spend a lot more time on Twitter, and I'm doing it a little bit less today, and it's been very healthy for me psychologically. But I spent a little bit of time on Twitter last night, and what I found is that I was rapidly sucked into this sort of horrifying quagmire of everything Rudy Giuliani. And look, the point is, is that a big deal? Yeah, it actually sort of is. But is it a big deal that you need to be focusing on? Probably not. It's not something that anybody in this room is going to have an immediate, dramatic impact on. And so we tend to get spun up about a lot of stuff. So yeah, it's the latest ransomware, it's the latest insert-name-of-attacker-group-from-Eastern-Europe here, right? It's the Russians, no wait, it's the Chinese, no wait, it's the Russians. So we have to sort of step back and ask ourselves: where are we going to be in five years? What's going to happen here?

So maybe this was your data center, and I hope your data center looks a little better than this one. I looked for just a nasty one, for picture's sake. For any of you guys that ever spent any of your time in your career doing cabling, which sucks, like, cabling sucks, it's one of those things that, like the help desk, you're supposed to do it and then learn, and then you either survive or don't and you move on with your career. But if this is your cabling job, you suck. So okay, we got a nasty data center, but whatever, it's your data center. It's physical stuff. It's things that are cabled together. Today, this is sort of where things are.

And this is not a plug for AWS. I like AWS, it is what it is, but insert cloud provider here. Your data center doesn't look the same, right? Your data center is somebody else's data center with a bunch of layers of abstraction and software-defined components stacked on top of one another. And you know what? Dev teams have figured this out. They have. They're all about containers and Kube clusters, and they know where they're headed. But if you get a bunch of security people in the room and say, so what does it look like in terms of your cloud security strategy, you know what you're going to find nine times out of 10? And I have a lot of conversations with security folks just like you guys. What they're going to do is sort of fall back to, well, I talked to the people at AWS and I got, like, a SOC 2 report or something, and so, like, we don't feel good about it because we feel like they're not being very transparent. Well, no [expletive], because why would they? People are coming up to the door of Amazon with wheelbarrows full of cash. I'm not going to do anything beyond that, right? So the security folks, you're not my driver at all. You're not the people that are pushing business my way. It's dev teams, it's ops teams, it's executives that are looking at this and going, guess what, all my competitors are doing it, we got to do it too.

And by the way, it's not cost. I think most of you probably know this. I don't know if any of you have anything to do with the billing associated with cloud providers. It ain't cost, right? These guys are doing just fine. What it is is rapid innovation, scale, and new capabilities. And the cool thing is they're doing some pretty cool stuff on the security side too. And again, what I like to see is that innovation being driven by the needs of the customers, which is exactly what's happening. I mean, whether it's a specific
vertical, or whether it's a specific type of team, perhaps, call it DevOps and whatever. Look, I only put this up here, I assume most people sort of know what DevOps is at this point, so it's not as though I'm going to spend a lot of time on this slide. But there are some core principles involved in, as I mentioned, the philosophy of DevOps that I think are critical. And I'll tell you, when I present this to security teams, they get hung up on one particular element of this. I'm going to leave this up here for you guys. I know you guys are, by the way, being punished. You're the bad people that are over there, right? Yeah, yeah, bad people over there. I feel bad because I can't really see you guys well, so I'm sort of arcing myself around to you. Special you.

But basically, if you can see this slide, hopefully you can, it's this one. It's this F word. And it's not that F word, it's this F word: fail. So the idea of DevOps is, let's experiment, but let's put so many failsafes in place and be so on top of our workflows that if something fails, who cares? It doesn't matter. We figure it out so fast that we just go and it goes back to what it was. But you know what? If you've got somebody waiting to push a button, "it failed, so I got to push this button and make it go back," you're done. That's game over. It's got to be automated. The whole thing has to be automated.

And if any of you guys read a book by a fine gentleman by the name of Gene Kim called The Phoenix Project, anybody read this? All right. So if any of you guys have not read this, I'm going to give a book plug for Gene, just for what it's worth, because he's a smart dude, of course. But what he does is he tells a story about an organization that decided to reinvent itself and the intense pain they went through in trying to go from the old-school IT infrastructure mentality to the new. And this whole idea of the Phoenix Project is their story of moving towards an automated, workflow-driven IT infrastructure. It's fascinating. Totally changed the game for me. And I walked away with two core things that stood out from this.

Number one: automation is the future, period. Now, you say automation to security people, right, and we sort of pucker a little bit, and we have for good reason. So I give this example in some of my SANS classes and things, and I say, hey, look, how do you guys feel about automating opening up firewall rules? Just conceptually, how does that feel? Just let that sit. You're like, what could go wrong, right? So I gave a talk at RSA a few years ago talking about the dangers of automation and orchestration, because yeah, turns out things can in fact go wrong, and if somebody hijacks your automation infrastructure, you have Skynet, which is a dangerous situation. But the point is you have to do this. So whether we like it or not, whether there's the pucker factor or not, we have to get to the idea of automation. So that's the first thing I took away from Gene.

Second thing, and this is
something I'd like for everybody to at least keep in mind throughout the rest of this talk, not only that but certainly as you move forward, some of you may already be there: it's the idea of directionality in workflows. So the way that he describes this, and I'll do my best to sort of get this across, there's sort of a left-to-right and a right-to-left model in place. And if you think about this as you're pushing stuff out to the cloud, that's the left to right. That's you doing builds internally. It's your dev team, it's your code repositories, it's your automated unit tests. It's the entirety of write code, check in code, test code, make sure you test the code a couple more times, and then ultimately shove the code out somewhere. Okay, cool, right? That's the left-to-right model. Stop for a minute and ask yourself, where are you in the mix as a security professional? People are trying to do that in an automated way, and they're trying to do it as fast as humanly possible, because guess what? The CIO has a quarterly bonus. It's built on getting it out the door, right? Which is going to trump your security conversation every single time, by the way. So: move fast, left to right, get it out the door. Okay, I'll come back to that in a minute.

Number two is the right-to-left piece. That's your feedback loop. The only way you can fail fast and often without having significant and severe security ramifications is to immediately know exactly what state everything's in and, if it has a problem, fix it automatically, and have a pre-built plan to fix it. So you can't have a problem and go, guys, meeting in ten, let's figure it out. That doesn't work when you're trying to do massive auto scaling in Amazon or something like that. This doesn't work. You got to have a plan: if it fails, do X; if that fails, do Y. So you start to get into this model where, I mean, you'll hear people calling it DevSecOps. It seems to be the term that's sticking. I don't know if it's the one that's going to stick long term, but it's the one that people are adopting, or at least adhering to to some degree, right now. And this is the idea that we need to get into both of those directions.

So we start talking about the left-hand side, right, the pushing it out, building it, testing it, pushing it, so left to right. That's where we have to start thinking about, hey, what kinds of builds do we want to even see? Configuration management, patch management, what's the approved instance build that we are going to allow to go out the door? How do I define that in such a way that nobody's going to come and ask me about it? It's just done, it's automated, right? I got to think about the users and the privileges involved. I don't know if any of you guys have spent time with technologies like OpenStack, or any of the major types of provisioning or orchestration platforms, so Chef, Puppet, Ansible, all these types of things. Well, guess what? Every single one of them has an enormous number of places where things like passwords and credentials and stuff can be improperly left hanging out there if not planned for, right? So this is an area where, yeah, we're moving fast, but we're sucking wind in terms of security. So you have to be there. You got to be in it.
On the other side of things, the right to left, that's where we have to have logging and event monitoring that is automated. So it's not as though you can have stuff out in the cloud generating logs going off to some SIEM platform that you've got somewhere, and 24 to 48 hours later somebody goes, hey, you know what, we had a problem the other day. That sort of doesn't help you, right? It needs to be: problem, trigger, fix, and then you get notified. Oh, that thing happened? Well, that sucked. Let's figure out how to make it not happen again. That is a vastly different conversation than what we're traditionally having in the SOC at the moment, right?

And you know this: vulnerability assessment. So you guys probably scan stuff. Everybody scans stuff. It's fun, right? It's good times for everybody, because nothing ever breaks and everybody loves it when you scan stuff and then come to them with problems. It's great times, right? It's why security people are beloved everywhere. But aside from that, how do you scan automatically? So let me give you an example. People want to push code out into AWS or Azure. Okay, cool. It's what we're doing. Well, can I scan it automatically the minute it shows up? Can I have some sort of quantified responses that come out of my scanner, that's, by the way, integrated into the cloud wholly? So your Qualys or your Nessus or your Nexpose or whatever the heck scanner you're using these days, it's got to be in the cloud, and it's got to see the asset show up, scan it, report on it, and then the report doesn't show up as, like, a PDF attachment. It's actually going to trigger an event: this thing is an okay asset or not, based on some predefined policy posture, right? We're not there in a lot of cases. Most security teams that I work with aren't quite at that point where all of that is just happening in the background, and in order to get there we really have to start moving towards this idea that I'm calling security as code.

I think people are starting to get around this. It's the idea that we've got to embed everything into code. Code is sort of a strong word here, because not everybody's a developer, right? Not everybody in the security community comes from a development background. In fact, based on my, I'll call it 10-ish years teaching for SANS, I think maybe 5% or less of the security professionals I talk to really do come from a background of doing development work. I did about a year of development work and I suck at it. I'm a terrible developer and I'm okay admitting that. I know my code is bad, but I get code. I understand where developers come from. A lot of people come from networking backgrounds, a lot of people come from sysadmin backgrounds, other backgrounds, and so when they hear "code" they're like, ah, crap, right? I got to, like, roll back to my C++ classes or whatever. You don't. But it's a mentality. It's a mentality that you're going to need to be a part of the mix.

Anybody here ever work on an agile team? Anybody ever be involved with an agile team? Okay, right. So agile essentially became security teams' worst nightmare when that methodology came out, because it was like, hey, you know what, we're going to just do stuff and we're going to do it fast. And we sucked at securing a traditional SDLC; we tended to really suck at agile. Well, I ended up managing a small agile team a couple years back. Long story, I won't worry you with the details of it, but what I discovered very, very quickly, and this was news to me, so everybody can learn things along their career trajectory, what I figured out was: I can't show up once a week and ask what happened. You know what I mean? You got to be there. You got to be in the scrums. You got to talk to the people all the time. You got to be embedded in it.
And when you move towards a DevOps mentality, it's that times about a thousand. It just is. We've got to be in that mix, right? So I'll take a look here and say, okay, where am I focusing? And all I'm doing here, and by the way this diagram really has no bearing whatsoever on the talk per se, is simply to illustrate the two sides of the coin that we have to address when we're moving towards a DevOps mentality, one of which is the left to right, the other of which is the right to left. This is us, right? This is us over here. And what that means is that, number one, we need to be thinking about the deployment pipeline in its own right, which means, let's call it the test and staging aspects of our development practice. So you're writing code, you're checking code in, you're propping it up so that you can see if it has issues, but before it goes anywhere, ideally you're putting some security around it, whether that's data security, whether that's privilege management, you name it. But ultimately it's going to end up out here somewhere.

Well, once it's out here, hopefully you've done everything you can to secure the code base and thought pretty seriously about encryption keys, stuff like that, because that matters. But what you really need at this point is a feedback loop, because this is not your house. This is somebody else's house. And last time I checked, you can't call Amazon up. They don't have a hotline that you can call up and be like, I need you guys to check on my stuff. They don't care. That's not how they roll. And so you better embed it in there, which means if something goes wrong, you've thought about it beforehand and you've embedded it in there. So you have to think about the feedback loop, which means, of course, whatever the provider has, and you're going to get some controls from these guys, whether that's web app firewall, whether that's logging and event management, whether that's security groups, whatever it is. But you also have to integrate your monitoring and infrastructure in such a way that it's there immediately upon arrival, and it continues to inform you as to the state of your infrastructure, and ideally, again, trigger some sort of an automated response workflow if needed. That is a dramatic shift. It's all automation. It's just a different model of automation, ultimately.

To start us off, if you're just sort of heading down this road, I'm a big fan of threat modeling. I think it's a good practice to get into. What I tend to find is that most organizations don't really allocate enough time to it, and that's not always their fault. If you go to your boss and you're like, yeah, I'd like for half my week to be allocated to the threat modeling area, I'm going to go sit over here and just don't bother me, that doesn't work in a lot of cases, because you have stuff going on. But even an hour a week with your team, brainstorming with a whiteboard, goes a very long way, because really the idea of a threat model to me is: what could go wrong? And we have a pretty good idea now of some of the things that could go wrong in the cloud. Is it going to be some nasty insider in Amazon or Azure or Rackspace or whoever? Probably not. I mean, I think realistically that's a threat, but it's a low one, because those guys are building controls that mitigate that. It's going to be somebody screwed something up and pushed it out there, and then we got to figure it out. That happens, whether malicious or not. It's going to be things like, hey, we left the front door open accidentally because we had a configuration error. I'm sure you guys have heard the sad, sad tale of a company called Code Spaces from a few years back. Don't feel sorry for them. You shouldn't, because you shouldn't put your entire infrastructure into AWS and then not secure the admin console with multifactor authentication. Just saying.
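The Code Spaces point above comes down to one check that anyone running in AWS can automate instead of hoping for: which identities can sign in to the console without MFA, and whether the root account has API keys at all. The following is an added example, not part of the talk and not a vendor's tool. It reads the column layout of the IAM credential report (the CSV that `aws iam get-credential-report` returns after base64 decoding, in which the root account appears as the `<root_account>` row with `password_enabled` set to `not_supported`), but the rows, account id and user names here are constructed sample data.

```python
"""Flag IAM identities that can sign in to the console without MFA.

Added example, not from the talk. The column names follow the AWS IAM
credential report; the rows are constructed sample data, not a real account.
"""
import csv
import io

# Constructed sample report: a subset of the real report's columns.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2015-03-02T10:00:00+00:00,not_supported,2019-01-10T08:12:00+00:00,false,true,false
alice,arn:aws:iam::111122223333:user/alice,2017-06-01T09:00:00+00:00,true,2019-01-11T15:30:00+00:00,true,true,false
bob,arn:aws:iam::111122223333:user/bob,2018-02-14T11:00:00+00:00,true,2019-01-09T07:45:00+00:00,false,false,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2018-09-20T16:00:00+00:00,false,no_information,false,true,true
"""


def console_users_without_mfa(report_csv):
    """Return the names of identities with console access but no MFA device.

    The root account reports password_enabled as 'not_supported' even though
    it always has a console password, so it is treated as console-enabled.
    Users with password_enabled 'false' are API-only; their risk is key
    rotation rather than MFA, so they are not reported by this check.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        console = is_root or row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


def root_access_keys_active(report_csv):
    """True if the root account has any active access key (it should have none)."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            return (row["access_key_1_active"] == "true"
                    or row["access_key_2_active"] == "true")
    return False


if __name__ == "__main__":
    print("console sign-in without MFA:", console_users_without_mfa(SAMPLE_REPORT))
    print("root has active access keys:", root_access_keys_active(SAMPLE_REPORT))
```

Run against a freshly generated report on a schedule and the two lists become the event the speaker is asking for: something that fires on its own rather than a finding someone discovers after the console has already been taken over.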
Right? Like, basic stuff. But they got owned. They got destroyed. One of the very few organizations that in fact got put out of business wholly as a result of a breach, and it did in fact occur in AWS, but that had nothing to do with AWS. It was entirely because they suck, and they didn't do this, and they didn't say, hey, do you think somebody might actually try to hijack our entire infrastructure and then hold us for ransom? No, who does that? So they didn't do that. But in fact you are putting your stuff in somebody else's house, behind one front door, maybe, that you better figure out how to protect. So go through this process and ask yourself, what could go wrong?

This is a simple math that I like to do, and this is really just intended to sort of delve into the shared responsibility model that goes along with cloud in the first place. What stuff can you do in the cloud, and what can't you do? There's always going to be something that you can't do. And so this gets me into my sort of classic conversation around layers of the stack. Has anybody ever encountered a cloud provider that welcomed you into the hypervisor configuration management console? No, because it's like asking the inmates to run the asylum, right? There are layers of the stack that those guys are never going to let you hang out in. And so if traditionally, internally, you guys have been used to managing your VMware stuff, or your XenServer, or your KVM, or your Hyper-V, whatever it is, it really makes no difference: you've got that layer that abstracts resources and allows you to run a virtual infrastructure. Those guys have it too, but they're never going to give you the ability to get down to that layer, because if you screw it up, it screws up everybody, right? It screws up all the other tenants in a multitenant structure. So take that one off the list. You might get some networking. Networking is still the great frontier we haven't fully jumped into in the world of public cloud providers yet. We're getting there. I'll get to more of that in a second. But you are going to have the ability to manage things like your images. You are going to have the ability to configure your stuff the way that you want it. You are going to be able to set up, increasingly today, things like anti-malware controls, albeit perhaps different than what you're used to, because if you go slapping a Symantec agent into every virtual machine, no. So there's a whole lot of reasons why you don't want to do some of the traditional stuff, but you've got options, and that is great news for us.
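Images and their configuration are the layer the speaker says you do control, and the scan-on-arrival idea from earlier in the talk is how you check that layer the moment an instance appears: the scanner's result becomes an "okay asset or not" event against a predefined posture rather than a PDF. The following is an added example of that gate, not code from the talk or from any scanner vendor. The `Finding` shape, the `Policy` fields, the check names and the instance ids are all assumptions for illustration; a real integration would map the scanner's API output onto the `Finding` records.

```python
"""Turn a first-boot scan result into an okay / not-okay event.

Added example, not from the talk. The scanner output shape (Finding) and the
policy fields are assumptions; map your scanner's API output onto them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    plugin: str              # scanner check name (assumed naming)
    cvss: float              # severity the scanner assigned
    port: int                # port the check was observed on
    exploitable: bool = False


@dataclass(frozen=True)
class Policy:
    """Predefined posture an instance must meet before it is 'okay'."""
    max_cvss: float = 7.0                             # at or above this fails
    allowed_ports: frozenset = frozenset({22, 443})   # anything else is exposure
    fail_on_exploitable: bool = True


def evaluate(asset_id, findings, policy=Policy()):
    """Return the event a scanner integration would emit instead of a report."""
    reasons = []
    for f in findings:
        if f.cvss >= policy.max_cvss:
            reasons.append(f"{f.plugin}: CVSS {f.cvss} >= {policy.max_cvss}")
        if policy.fail_on_exploitable and f.exploitable:
            reasons.append(f"{f.plugin}: public exploit available")
    exposed = sorted({f.port for f in findings} - policy.allowed_ports)
    if exposed:
        reasons.append(f"listening on non-approved ports {exposed}")
    ok = not reasons
    return {
        "asset": asset_id,
        "verdict": "ok" if ok else "noncompliant",
        "reasons": reasons,
        # What the right-to-left side keys its automated workflow on.
        "action": "none" if ok else "isolate_and_redeploy",
    }


def gate_all(scan_results, policy=Policy()):
    """scan_results: {asset_id: [Finding, ...]} -> {asset_id: event}."""
    return {asset: evaluate(asset, found, policy)
            for asset, found in scan_results.items()}


# Constructed scanner output for two instances that just came up.
SCAN_RESULTS = {
    "i-0a1b2c3d": [Finding("ssh-banner", 0.0, 22),
                   Finding("tls-cert-info", 0.0, 443)],
    "i-0ffeeddc": [Finding("ssh-banner", 0.0, 22),
                   Finding("redis-unauth", 9.8, 6379, exploitable=True),
                   Finding("old-openssl", 5.3, 443)],
}

if __name__ == "__main__":
    for event in gate_all(SCAN_RESULTS).values():
        print(event)
```

The second instance fails on three counts at once, and the `action` field is where the "if it fails, do X" plan from the directionality discussion attaches: the event carries the decision, so nothing waits for a person to read it.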
The difference being, look, I'm not going to have a traditional security talk here. I'm not going to talk to you guys about anti-malware and all the other things. What I am saying is you got to plan all this stuff ahead of time. You can't come in after the fact. So you're the security team and you're like, hey, dev folks, we need to come in and secure everything that you guys have deployed. No. You can't do that anymore. And one of the reasons you can't do that anymore is because you have a dynamic infrastructure. Today you have a thousand instances; tomorrow, man, sales are good, you got 2,500. You can't come in after the fact anymore. So we have to think ahead of time and start putting this type of stuff in place, and ask ourselves, where do our traditional models fail? Where do the traditional controls sort of start breaking down on us? And these are just some examples.

We still tend to think in terms of perimeters. It's a horrible thing, right? But I can't tell you the number of enterprise-level security teams I still go hang out with where I talk about security architectures and models and I get that horrifying concentric ring model. You know what I'm talking about, right? Like, we're rolling 1995-era multi-layered. And SANS, I'll beat up on SANS a little bit, right? So, like, I'd say half the SANS classes out there still sort of espouse this defense in depth model. Defense in depth. And God help anybody that uses a castle analogy. Oh my God, smack them, right? Like, no. It doesn't work anymore, because it's not concentric rings, like, oh, there's the moat and the wall. No. What it is is it's a vertical stack model now, right? At least this is how my lizard brain tends to work. You don't have the same perimeter. You got to protect things at the identity layer, or you have to protect things at the data layer, wherever it's going. It doesn't have anything to do with it, especially with mobile. I mean, you guys all know this.

People tend to still like change control. How do you do traditional change control models in a legitimate DevOps shop? You don't, right? How do traditional change control models work? You put in a change request, there's like a change review board that mulls it over, and they talk about it, and then somebody that's like a senior manager gets the notification and they can approve it. No. That's done, right? You can't do that anymore. I mean, you may be able to pull it off in some cases today, but it doesn't work. So the slow rate of change, scheduling of things, it goes out the window now. These are all the types of things that I tend to see consistently happening in environments that just don't merge well into the world of cloud.

So, security as code. Infrastructure as code is sort of the mantra that's been adopted with most of the DevOps shops out there, and really what that means in a nutshell is that you're defining everything as variables. You're pre-thinking how everything is going to be created and populated and managed and maintained. And there's this fascinating idea that I've seriously rallied behind that some of you guys might be familiar with already, so bear with me if you are, but it's the idea of pets versus cattle. And if you don't know what that means: how many of you, throughout the course of your careers in IT security, have gone into a data center and seen those little sticky labels on the front of servers with names? They're names, right? And I love the classic naming conventions. Greek gods is a very popular naming convention, right? Like it's zeus.abc.com. Or it's Lord of the Rings characters. Nerds are predictable, we know this. But those are pets, right? Who's the admin for Zeus? And it's Bob, and you're like, we'll call Bob, because Zeus is having a bad day. And so, like, you have to find Bob, who knows about Zeus, and he's like, yeah, yeah, yeah, he's going through a rough time, right? Well, that doesn't scale. Zeus doesn't scale. Bob sure as hell doesn't scale. So you need to move away from that towards this idea of cattle, which means if the thing acts up, you shoot it and it's dead. But you know what? You don't care that it's dead, because there's another cattle ready to replace it. You just roll back to the other cattle. That's the better idea. So everything's templated, everything's predefined, everything has a known-good build image model posture that you can immediately roll back to if something doesn't work. Guess what we just did? We
just hit fail fast and often and automation all in one. That's the whole idea, and that's exactly what you need in terms of a feedback loop in the cloud.

So, deploy pipeline. This is the internal side. This is code security. But guess what? It's not code security, if any of you guys have ever done code reviews and survived to talk about it, right? You can't sit and pore over that code. No. This is not somebody handing off their code to you and saying, Dave, get back to us in a month when you've had the chance to go through this. No. So if you're familiar with things like static analysis and dynamic analysis tools, pick your poison here, whatever it is, they need to be automated, right? Code goes in, gets scanned, we find the issues, they get notified. This is just part of the automation of development more so than anything else. But we've also got to start thinking about how we can embed security into code repositories. That's the idea of security as code. So the whole idea of checking in stuff: before it moves on from that check-in phase, it's been vetted, it's gone through a whole series of tests to ensure that it doesn't suck. Well, security needs to be a part of that.

So code security is one of those things, but what's your standard image build? So we're going to deploy that code onto an application stack. Maybe we're using Docker, maybe we're using some other sort of container technology, but there's probably an OS layer in there. There's a very specific set of layers that have to be defined. What's the security configuration of those? You need to be able to define that, and it needs to be able to be put into a definitions model, or file, or code, sort of an example that works. We also need to think about where the code is going, where it's being pushed from and to, and of course think about things like security in transport. So is it moving over an IPsec tunnel that's been established between a gateway we have versus where our cloud sits? Are we securing the data itself in transit? What kinds of database security are in place? Probably one of the biggest headaches for a lot of organizations is figuring out things like credentials and authentication and authorization, specifically around things like embedded encryption keys and credentials, so that they're not just floating around out there. And that's where you have to start looking at tools like Ansible Vault, or Tower, things like that, where you have sort of like a check-in process. Again, I won't get into all the details of those things, but these are foreign ideas to a lot of security teams. They don't even know that they exist. They're not paying attention to this stuff. So this is a huge place that needs love from the security community. You need to be doing static and dynamic analysis. You need to ask, hey, what libraries are approved? Turns out in the last couple of years we've had a few issues with open source libraries. A few, right? When you got into security as a career, did you think that you would be getting down into the minutiae of libraries, and the approved libraries needed to just survive? I know I did not. I didn't think that was where my head was going to have to be. It is. It's just another aspect of your builds and environments, and you've got to think that way. Later, again, we'll be thinking about monitoring and control; that starts to get over into the other side of things.

So these are just some examples. And I'm, by the way, not endorsing anybody here. I'm just throwing out some examples for what it's worth, but things like Fortify on Demand, if those are your vendors you're using, look at the cloud-enabled models that they have, because that's what you're ultimately going to need from them. It's not all going to be in-house anymore, in most cases. You're going to need to trigger things like web app scans or application scans. So again, this is that dynamic and static level of analysis. You're going to need to orchestrate, you're going to need to automate. And so that again might mean that, let's say you guys are using Puppet or Chef to define configurations. Well, if you know anything about a multi-tier Chef or Puppet deployment, there's all sorts of configurations there that need to be addressed to ensure that those don't become the weak links in the chain. And you go out on Amazon right now and look for a book on securing and locking down orchestration and automation platforms: nobody's written one. Nobody's even talking about this stuff, hardly, really, and it needs to be discussed.
in fact a friend of mine I don't know if you guys saw it um just sent me a pretty significant exploit that was just announced in an any of you guys see that in the last week or so it's huge we're talking like remote code execution for your anible controller Skynet again right seriously somebody takes that over and that's your repository for like defining everything and pushing it uh it's not your Network anymore it's somebody else's Network single points of failure we have new ones right I mean we have to start thinking about this kind of stuff you need to be thinking very seriously about roles and privileges right I would love a happy rainbow unicorn world where
everybody an admin and we're all just happy about it but that's not real right um and so that that problem still exists I mean I I hate to say this but this is the Dirty Little Secret of a lot of devops teams right they they've taken 18 steps back on that because they can and they'll argue in some cases that they need to but security needs to be involved again right so You' got to be in the mix to make sure that these guys have just overallocated privileges in places that you know need to be secured a little bit more authoritatively you need infrastructure security so you need to Define your configurations ahead of time and really be thinking about how to
put those in place now again I know this is probably impossible to read right but this is just a simple example of a role that was defined for a well-known configuration standard if you're in the federal government or specifically in the defense industry uh you got to lock all your stuff down with this awesome set of configuration guidelines called the stigs from daa which basically means that if you follow the guidelines all the way you have a lovely door stop um but but that's a different you know it's different question and different answer um you can Define all of those configuration checks right up front build it into your ansible toolkit and essentially say look any instance that
gets built deployed it's got to meet all these these are your unit tests you want to call those you know there's there's a unit test for every single one of these things you got to have a feedback flute right I'm sure you guys have heard the term continuous monitoring it sounds sort of buzzwordy right but it's real we need it and that means you got to embed stuff in there to make that happen so the time is actually now for continuous monitoring more so than ever before question is how you going to do that so when you throw things out into the cloud you're going to have instances out there running you're going to have various ele of your
application stack there uh ask yourself what can I embed into that environment that's always monitoring and what is it looking for I I run into a lot of sock teams that still don't really know what they're looking for we got a hell of a lot of log data and and like we can see stuff but you're still waiting through false positives and you're still sort of waiting for a system to pop up on the radar and blink red and say hi I'm an evil Chinese hacker right but that doesn't work you got to think of those conditions beforehand right if this system goes over a threshold of X let's call it weird let's treat it as cattle
let's shoot it cool that's a good mentality to have right configuration state is huge you got to Define these baselines you got to monitor everything and really this is just sort of finishing the statement I made a minute ago you got to roll back if something fails so hey we got a new we got a new version we're pushing it oops that doesn't quite Jive it's cattle it gets killed we're back to square one again so that's not a bad philosophy it's a safer one in fact so this is where over the last two years or so as I've been getting pretty heavily invested in this stuff what I've actually come to realize and this is
just an opinion so opinion warning for what it is um I I really think if we Embrace this mindset security goes up security gets better because you're taking human error out of the mix and you're thinking ahead of the problems more so than being reactive right in order to build that feedback loop and really get to a point where we're looking for stuff sort of coming back and vulnerability scanning is a big part of that feedback loop right it shows up get scanned results trigger yay or nay if it's good it's good if it's bad it gets shot it goes back we get a result set that comes back and tells somebody here's why it was shot and here's what
you need to do to fix that before you try to go pushing it again cool awesome but you know what that's not you waiting at the nessus console to click go that's got to be automated and in order to build those triggers that's where you start looking at things like Lambda functions and stuff that you've never had to deal with before you're moving into new places that as Security Professionals you know we haven't been thinking of that degree of automation but you also have to right privilege management I think I've already talked about this one so I won't spend a lot of time on it but this is probably the most common issue I tend to encounter when
I'm performing some degree of alignment between devops and security teams is there's just not enough attention on this and it's not handled well in every case and again it's not because anybody's bad it's because we are having to change the models that we're used to using and we're going back to this you know how many of you guys have seen scripts with embedded credentials in them yes it lives on my friends right that is a problem that lives on but thanks for doing that um in any case uh you know the whole idea is embedding scripts you know credentials embedding things like tokens or uh you know other types of keys in your code is going to be part of life it's
how you manage it right so you're going to have to get past this you're going to have things like embedded credentials you're going to have things like embedded Keys it's a matter of how that gets managed and who's in charge of it um you're going to need to collect a lot of log data and you're going to need to put it somewhere interestingly enough because uh you know storage is cheap especially in the cloud actually this is one of the promises of cloud that I think really is a bit more effective right so next time that um you hear somebody say storage is cheap check out the kind of car your EMC rep is driving
it's not that cheap actually right it turns out that they're doing just fine uh you know just hijacking people storage but in the cloud it is because object level storage is just it's a blob and those guys have lots of places to drop those blobs I've got Enterprise clients of mine I mean classic Enterprises not Cloud sort of oriented uh customers that have completely shifted away to moving all their logs into places like S3 because it's cheaper and then they can roll all that stuff to you know spunk cloud or Sumo logic or someplace else and do the analysis there so like that's a pretty cool model and it's working but that's probably where you're going to have to get because
you're going to have all this data sitting out in the cloud that you've got to really be thinking about um you know where it's going how I'm going to analyze it Etc this comes back to the idea of defining our policies up front configurations for systems uh you know looking at application deployment scenarios and sort of building on those so whether you're using stuff like Jenkins or anible you know however you're defining this and sort of meshing these pieces together uh you'll still find a lot of people out there using you know GitHub and and other types of sort of everpresent repositories that are online there is good and bad as with all things uh in that but um you know you've
got to find out basically what are the tools that your Dev teams are using and what's that deployment pipeline look like and where can I get in the mix right and what policies can I put around this how can I define the entire infrastructure as one big template so this is you know something called cloud formation in AWS it's awesome actually it just is I can literally Define an entire network infrastructure as one template I can spin up an entire virtual data center with one template that's awesome it's not awesome if the security team has no idea what's in the template and that's the point we've got to get in the mix and start putting this stuff
together and that means we need stories you know we need to be thinking very seriously about what's the what's the end game for us here right when this stuff shows up in the cloud or in some sort of a deployed scenario what do I need to be in place have I tested things like input validation for the app beforehand have I ensured that I've defined certificates and TLS versions and cyppher Suites beforehand so that I don't end up with some nasty ssl2 thing that's living on um like Rudy giuliani's website uh you know hardening to configuration standards I mean like there's no more boring conversation by the way at a cocktail party if you want to repel people from
you start talking about configuration management immediate seriously like you know they'll they'll move away um because it's boring seriously like oh yes which registry ke okay yeah it's War but you better think about it beforehand because you're not going to come into the cloud and go oh my God we got a thousand instances running we better run that script that locks down that registry key no when you have pets you can do that when you have cattle and the herd of cattle is dynamic you can't you got to have it baked in all right so again moving towards sort of me wrapping up here um these are the things that you guys should be thinking about moving on
right thinking about automation on code scanning app scanning automated config checks in a policy that You' defined doing some form of continuous monitoring internally in that deployment pipeline so in other words if uh Dev you know Dave checks something in and you know he's trying to push it without uh you know going through some sort of discussion or whatever you know you're notified about this you need that feedback loop internally too right people still do stupid things regardless of how automated you've got stuff um you need to test them so go and test your stuff do sort of spot test call it a pen test if you want but that doesn't necessarily have to be a full
board pen test do scans make sure only the right ports are open make sure you don't have exposed management consoles make sure that the junior Dev guy hasn't come in and screwed up the permissions on things uh make sure that the devops team hasn't gone Rogue on you um and decided to just create a shadow ansible infrastructure something right I've seen it it does happen um but you need to be checking for this stuff all the time you need to automate production feedback loops right so yeah it is time for continuous monitoring you need to be thinking about some sort of automated triggers and what those triggers will do I'll tell you A lot of people tend to
start doing this by just generating alerts so you're not going to automate any response actions yet because that's scary but you can automate the alerting to know what happened and then say well you know we're seeing this what do we want it to do and you can do this over time without that much pain the tools are there you got these tools but if you really want to get sophisticated about it you could get really deep and you could do things like automated cortine of an instance by essentially moving it to a nasty sort of dirty VPC or to a different network subnet and isolating it and even doing a forensic uh capture of the thing all in the cloud all
scripted and automated that's again that's pretty cool but that takes a level of sophistication that most people haven't quite gotten to so what does it all mean again we have big gaps in our knowledge we just do we have a big sort of Gap where most of us in security are sort of like Blinky things apts and more Blinky things in APS and it's like that's that's fine you got to fight the good fight there's not enough people and time in the world of security but this is the future right in 10 years mark my words I hate predictions because I suck at them and I'm usually wrong but in 10 years you will definitely see
vastly more softwar defined infrastructure Than Physical right physical stuff is dinosaur it's it's it's going and it's going quickly so 10 years is me being really really conservative uh I'm I'm pegging it probably at five where you're going to see 7030 split or even traditional ORS uh in terms of their software versus Hardware defined infrastructure and this is exactly how people are going to be operating so it is time to shift from that to the idea of defined code based security groups things like firewall rules things like configuration standards I mean this is a very simplistic AWS Security Group definition and look uh I'm a little bit alarmed at how pathetic security groups are as well
right so it feels a little bit like we've moved back to like Cisco ACLS from like 96 um but that's what you got now you can do other things I don't have enough time to go into those other things but this is what you got and this is your starting point so you have to start integrating in learn these tools if you hav't right spend a little time go out there and dig around uh it's not that hard actually to start spinning stuff up um you know looking at things like you know situational awareness and countermeasures in your threat modeling but for the cloud and for the entire deployment pipeline right this is a checklist that you guys will all get
these slide decks Kevin yes okay so I won't leave this up here because it's sort of like a final part of shot um but that's it I think I've set my
pce and thanks again for having so enjoy the rest of you guys day
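The talk keeps coming back to two checks that belong in the deployment pipeline rather than in a human's hands: automated config checks against a policy you defined up front (the "simplistic AWS security group" with management ports left open to the world) and catching embedded credentials before they get pushed. As an added example that is not part of the talk or its slides, the Python below is a small policy-as-code gate of that kind: it reads a CloudFormation-style security group (the sample template and the sample deploy script are constructed for this example, with placeholder secrets), flags any ingress rule that opens management ports or all traffic to 0.0.0.0/0, scans the script for hard-coded credentials, and returns a fail verdict plus a report the pipeline can hand back to the developer. The port list, the regexes and the "fail the build on any finding" policy are assumptions for illustration.

```python
"""Policy-as-code gate for a deployment pipeline (added example, not from the talk)."""
import ipaddress
import json
import re

# Constructed sample: a CloudFormation-style security group resource.
# The resource shape is simplified; only the fields the gate reads are present.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "WebSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "web tier (constructed sample)",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "10.0.0.0/8"},
                    {"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"},
                ],
            },
        }
    }
})

# Constructed sample deploy script with placeholder (not real) secrets in it.
SAMPLE_SCRIPT = """#!/bin/sh
# constructed deploy script; the values below are placeholders
export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00
export AWS_SECRET_ACCESS_KEY=EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret0
DB_PASSWORD="hunter2"
aws s3 cp build.tgz s3://example-bucket/
"""

# Assumed policy: management ports must never be reachable from the whole internet.
MANAGEMENT_PORTS = {22, 3389, 5985, 5986}

# Assumed credential patterns: an AWS access key id shape and assignments to
# variables whose names suggest a secret.
SECRET_PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("credential-assignment",
     re.compile(r"(?i)(?:password|passwd|secret|token)\w*\s*=\s*['\"]?[^\s'\"]{4,}")),
]


def _is_world_open(cidr):
    """True for a /0 prefix, i.e. a rule that admits every source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_groups(template_text):
    """Return findings for ingress rules that expose management ports or all traffic to 0.0.0.0/0."""
    findings = []
    doc = json.loads(template_text)
    for name, res in doc.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp")
            if not cidr or not _is_world_open(cidr):
                continue  # scoped to a source range; not this policy's concern
            if str(rule.get("IpProtocol")) == "-1":
                findings.append(f"{name}: all protocols open to {cidr}")
                continue  # no port range on an all-protocol rule
            lo = int(rule.get("FromPort", 0))
            hi = int(rule.get("ToPort", lo))
            exposed = sorted(p for p in MANAGEMENT_PORTS if lo <= p <= hi)
            if exposed:
                findings.append(f"{name}: management port(s) {exposed} open to {cidr}")
    return findings


def find_embedded_credentials(text):
    """Return (line number, pattern label) for each line that looks like an embedded credential."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                hits.append((lineno, label))
    return hits


def pipeline_gate(template_text, script_text):
    """Return (ok, report): ok is False on any finding so CI can fail the build and
    send the report back to whoever pushed the change."""
    report = check_security_groups(template_text)
    report += [f"script line {n}: {label}" for n, label in find_embedded_credentials(script_text)]
    return (not report, report)


if __name__ == "__main__":
    ok, report = pipeline_gate(SAMPLE_TEMPLATE, SAMPLE_SCRIPT)
    print("PASS" if ok else "FAIL")
    for item in report:
        print(" -", item)
```

Run against the constructed samples it reports the SSH rule and the all-protocol rule as world-open (the HTTPS rule passes and the RDP rule is scoped to 10.0.0.0/8), plus three credential lines in the script, and returns a failing verdict. Wiring the verdict into the CI job is what turns this from a script someone remembers to run into the automated feedback loop the talk describes; the response at first is just the report, and stronger actions can be layered on later.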