
Maybe I should get started, what do you think? Yeah, you're saying I was on time, why do I have to be punished for everyone else that's late? Fair enough. All right, welcome everyone. I'm Jason Maynard, I'm a Field CTO for Cisco Canada focused on cyber security. This session is all about the cloud and some of the complexities that it introduces. How many people here are using cloud today in their organizations? Okay. How many people are using a single cloud provider? Oh, interesting. So I'm going to challenge that a little bit, because I think a lot of organizations start there, and I think CSA called that out earlier today where they talked about how a lot of people start with a single cloud provider, and then sure enough there's a competitive reason why you might want to move to another, or you want to diversify for cyber resilience; any of those mechanisms might drive you towards another cloud service provider, and all of a sudden now they have their own security controls. And that's really what we're going to talk about, right, the complexity that exists there.

So we've got AWS, we've got Azure, we've got GCP, we've got Oracle, and we've got a whole bunch on top of that, but those are kind of the main ones. Probably in Canada, Azure and AWS are the primary cloud service providers, probably as you're leading. I have no preference in either one of them, but we will talk about their specific capabilities at a high level, because it's going to highlight some of the complexities as we go along. I can tell you this first and foremost: the cloud service providers are providing security out of the box in comparison to what we've done in the traditional environment, so inherently they are more secure, or have more capabilities that are inherent within their solution stack. So that's a good thing, but as you start building it out there are some complexities that you want to consider, because over time what we've found as we're talking to customers is they've built in certain controls within a cloud service provider that can't extend, right, and that's where things start getting tough. You've got things like private cloud, or your traditional data center, and I've thrown Kubernetes, or any container or microservices-based solution, kind of off on its own stack; even though it could be in the cloud service provider or it could be in your private environment, it doesn't really matter, but there's some complexity there as well. And so we're going to go through some of this. We're going to talk about some of the capabilities, and I think if you haven't used cloud, some of this is going to be "wow, I can't believe they have all this stuff." Some stuff comes with cost, and some things are part of the bundle or package that you get, which is neat. So let's walk through some of this.

So we're a single organization today and we're using AWS as our cloud service provider. Again, tremendous capabilities in all the cloud service providers when it comes to security. So let's talk about some of these controls or capabilities that exist. AWS has AWS CloudTrail, and what it does is it makes sure that it supports governance and compliance and operational auditing across your AWS accounts. So that's a good thing. Do you do that in your traditional environment? Maybe, maybe not, right? So this is a good thing: turn it on, continuously monitor across your AWS infrastructure, and you can see things like this, an instance being started up and by who. That's probably good information to know, especially if you have hosts that you think aren't accessible but are accessible by an adversary, because they were able to harvest credentials somewhere and log into an instance. It's going to look like and feel like that user, potentially, but maybe there are some nefarious reasons behind it; we don't know yet, right?

As we move along you've got EventBridge. Now this is a serverless event bus capability, but really it's allowing us maybe to take stuff from other security capabilities and drive an event outcome. And if you listened to the earlier session around CSA, they talked about a couple of things. One is most organizations start with one cloud and they move to multi-cloud, which essentially ends up being a multi-IT environment, right: hybrid, on-premise, you've got cloud-based infrastructure. And the other thing is, and I don't think we've done a good job here, the cyber skill set shortage. I know everyone says it, it gets a little bit annoying because you hear it all the time and you're thinking "why doesn't my paycheck reflect that?" But at the end of the day there is a shortage, and you've got to think about all these different environments and the skill sets that you require in order to manage these environments; it becomes very, very challenging and expensive. So again, I could now take that event that I got and drive some kind of automated potential response using EventBridge, and we'll talk a little bit about Lambda; Lambda can do some of that stuff as well.

You've got Amazon GuardDuty, and this is now where I start pulling in logs from GuardDuty, or sorry, CloudTrail, VPC flow logs (if you're familiar with NetFlow or IPFIX data, VPC flow logs are similar, right, in the cloud environment) and AWS DNS logs, and so GuardDuty can look for things like recon, compromise, instance compromise and bucket compromise. Again, cool stuff. Can you even do that in your own environment? You have to ask yourself that. So these are all good capabilities that they have that you can leverage. Security Hub: a comprehensive view of security, it helps you meet industry standards and best practices. And look at some of the best practices that they call out. Now you've got to remember every single technology and vendor provides you best practices for everything that you do, and I've only called this out specifically because of the complexity. Imagine all these different disparate technologies all having their own ways of doing things, having their own best practices, and trying to build the team to support that. I'm not saying forgo the security capability; I'm saying understand the capabilities and where you might need them and how you might achieve it.

AWS Firewall. This is pretty cool, because I can now manage my WAF in AWS, I can manage my DDoS in AWS, my VPC security groups, my network firewall and AWS Route 53, and I can also use third-party firewall capabilities here too and manage it. Now I don't know the extent of the capability and how well they manage third party, but it is something that's there, and this is a good thing, because now you've got one, hopefully, platform that you can manage all these different control points from.

Amazon Detective. You thought it was done, didn't you? We're still in AWS; think about GCP, think about Azure, right? But Amazon Detective can extract time-based events, login attempts, API calls, network, from AWS CloudTrail and flow logs. Wait, go back, didn't I say flow logs here earlier too? Oh, Amazon GuardDuty. Explore some behaviors: failed logins, suspicious API key calls. But again, now I'm using another tool to analyze some of the stuff that I'm already analyzing with another tool, right? But again, it's available to you to leverage.

Lambda, again, event-driven outcomes. This is pretty neat, because I don't think we do enough of this in the industry as a whole: having the ability to automate some of the responses. So you see something interesting, potentially nefarious; can you drive an outcome, can you make a decision, can you isolate a host, can you quarantine a host, can you shut down a port maybe? Whatever it might be, you might use something like this to drive that outcome. Again: gathering evidence, eradicate the incident, recover from the incident and then do post-incident activities. So AWS Lambda is the event portion of this that can drive an outcome. So anyways, it's interesting.

Then you have all these logs, right: Security Hub, GuardDuty, Macie, which is around machine learning, AWS Config, EventBridge, and it goes on. What happened? What happened? But anyway, I'll keep going, because I don't think it's going to hurt anything. But anyways, now I'm centralizing all that log data, the CloudTrail data, the access logs, the DNS logs and the flow logs from AWS, which is probably a good thing, right? But what about your on-premise environment? How do you get that data in there? Can you do that? I don't know. What about Azure, because I have two cloud service providers? How do I get those logs in? And everybody knows here, getting data in is easy, getting data out is costly, typically. So do I even want to do that? And now do I start breaking things up? And data is the new gold, right; everything's about the data. If you're going to do any kind of mining, it's in data, not gold or oil and gas. Hey, yeah, you can call. I'll keep going, like the most exciting stuff right now. But anyways.

So this is a visual of the cloud. You can see the cloud, and there's stuff in the cloud, but this is showing you an example of some infrastructure, and so it's showing you the cloud service provider where you have inbound VPCs, so virtual private clouds. You've got NAT, you've got maybe IPS and IDS, maybe that's your third party, you've got flow logs, those VPC flow logs, or NetFlow or IPFIX data if you're trying to translate it across, you've got Route 53, you've got AWS Shield for DDoS, you've got WAF, all of these, GuardDuty, you know, NACLs that are stateless, and you've got stateful inspection as well. I'll just leave it on this slide real quick, just so that people in the room can see it; I'm sure everybody online can see it. All right, so do you want me to unplug and plug it back in, the HDMI? Reboot? We don't have time for that. Okay, anyways, it's just a diagram; you can get this from Amazon. They've done a good job, even Microsoft, they've all done a good job around security best practices around their cloud service provider. Let's move on.

You think I'm done with AWS, right? I'm not. AWS IAM, so their Identity Access Manager Analyzer: looking at S3 buckets and IAM roles and who has access, are they externally accessible, all those things that are pretty important if you're putting your data in the cloud. And then you go on to Secrets Manager. This is for passwords, API keys, things like that; I'm pretty sure API keys are included, but basically where I can put my passwords, securely encrypt them and programmatically use them as needed, but there's an encrypted channel to get the password or validate the password, and there's a life cycle that supports that. Then you've got AWS Inspector, so I don't know, I've heard GuardDuty, Detective, Inspector, right; you need probably all of them, I'm sure, but this looks at vulnerabilities and their intended or unintended consequences on the network resources that might be applied. And then I've got Anonymous that says "wow, cool capabilities." Yeah, but who is Anonymous, right? This is perfect: cloud Anonymous, it doesn't exist. But that's a lot of capabilities, and I'm only touching the surface. Is there anything you guys want me to do, or no? No? So we're all... yeah, fair enough. Anyways, a lot of capabilities. Again, there are probably tons more; I'm not an AWS guru, but these are some of the complexities.

Then we've got Azure. Okay, and I'm not going to do the same thing at the same level of depth, but you have Azure, and there are some differences. As you can see up in the top right corner, you see network security groups; I think AWS just says security groups, and in a network we call them NetFlow, J-Flow, IPFIX, or sorry, NSG logs. Sorry, those are controls, those are L3/L4 stateful controls, and then you've got NSG logs, which is flow data in the Azure environment, right, like VPC flow logs and NetFlow. And earlier, if you were in the session where they were talking about IoT and things that happen in that XIoT environment, and how would you know? Well, you should probably be baselining your network so you know when there's communication that's happening. You don't need to find out that your power bill is a billion dollars, because your traffic in the network should be an indicator that something nefarious is happening, right? There's got to be a communication channel to make that magic happen on those cameras, and if you have a baseline of the environment you can look for anomalies. So that's why flow logs are critically important.

So Microsoft; there have been some name changes. It's Defender for Cloud, or Defender for everything. Again, a lot of great capabilities. They've got Security Center, which gives you a good idea of where you sit in regards to security and opportunity there. You have Monitor, where now we're looking at activity logs and resource logs, and we've got some automation that supports that. Again, data is the new gold, right, tremendously valuable, especially in incident response. Then you have Azure Advisor. Now, we all can use an advisor, and so why not have a consultant that can help you better leverage the resources that you have, and reduce cost and increase security and optimize and all those good things. Again, another tool. And then you've got, yeah, Azure Sentinel. I think that's Defender? I don't know. No, it's not, just still the same. Yeah. So anyways, they've got some orchestration and automation and playbook running with that as well. Again, all cool stuff that you can certainly leverage.

And this is an example of a playbook, right? A playbook, for those that aren't aware, is something where maybe an event takes place, and based on that event we want actions. So if it is bad, then I may want to do a triage of some sort, maybe send a sample to a sandbox, detonate it, get the results and share it to my analysts. I don't want my analysts to have to manually go and do that, right? And then if it comes back as a disposition of bad, you know, electrocute the person on the keyboard? No, that's a feature release in the future. But do something like block the account, or add a firewall rule in the next-gen platform somewhere. And then this is what I was showing earlier, on the Azure side, very similar: you've got the security groups, you've got NACLs, L3/L4-based controls, you've got web application firewalls, Defender, DDoS, Azure Firewall, Azure MFA. A lot of stuff, right?

So that's just two cloud providers. How do you become proficient in all of those different disparate capabilities? They all do their things differently, and we haven't forgotten about the traditional data center that you've been managing and supporting and securing forever. Where do those skill sets go? Do they just get tossed out the window? So yeah, it becomes tough, because you've got probably a fairly decent or mature practice within your traditional environment, and now you're plugging in and extending into these cloud service providers and maybe turning these things on. What's happening is customers are coming back and saying "this is crazy, I'm having some challenges here; the stuff I'm doing in AWS or Azure doesn't do anything to help me on the on-prem, so now I'm managing these all disparately, and do they come back and start talking to each other? That's a whole other problem that I have, and every time they change stuff in their infrastructure it impacts us." And the complexity just continues to get added. And forget about, we haven't really talked about containers, we haven't talked about SaaS-based services. What about the work-from-home user? There's a ton of things in the security space, and we haven't even talked about the operational environment.

So you can see all kinds of stuff here: next-gen firewall, flow log, SIEM, NAC. These are all things in a traditional environment that still exist. They're not going away, in some cases anytime soon; we're talking years, especially in large enterprises and government institutions, we're talking a long, long time before this stuff starts to be cloud-only or cloud-native, a hundred percent of everything we do. So again, from an adversarial perspective, they have the advantage here, right? The more complexity we add within the security space, the more advantage the adversary has. Even if it's for good, apparently. Nope, no judgment here.

So let's go through a little bit of a scenario. This is really going to start putting it into perspective. You've got work from home, work from anywhere, branch office, main office. These are all things that exist today; the hybrid work, that's not going anywhere. You've got public cloud, private cloud and internet; that exists. You've got your SaaS-based services, and obviously the channel between internet and SaaS is typically there. You've got private and public cloud access, and then I picked the three main players: Google, Azure and AWS, and I might be wrong, but it doesn't really matter. You've got threat intelligence; everybody here that's defending networks, or environments, has got to think about threat intelligence and how it works across the entire ecosystem of capabilities. And then you've got detection, response, orchestration, automation. If you can automate and orchestrate within the cloud service provider and you can't in the on-premise environment, you've still got a big gap, right? You've still got a challenge here.

So let's walk through some of the capabilities. So you've got endpoint protection, endpoint detection and response on the endpoint. These are almost like staples; you can't get away with securing an environment without EPP or EDR, endpoint detection and response, advanced malware protection, sandboxing, all of that stuff. And you're going to have that on your work from home, work from anywhere, branch office, the main office, on all those endpoints. You're going to have it in your private cloud infrastructure, you're going to have it in your workloads if they support it in the cloud. That makes sense. You're also going to have DNS, zero trust network access. Zero trust: earlier we heard this from CSA, it's not a product. I don't know if they said this, but I think that's where they were going. It's not a product; it's a framework, an initiative that you're driving towards. There's probably no end state, ever; it's not a single vendor that provides the entire ecosystem that gives you zero trust, but zero trust network access is one component that drives towards zero trust. Cloud-delivered firewall, intrusion prevention, data loss prevention, remote browser isolation. So this is the ability to have the browser delivered in the cloud, and for highly targeted individuals, maybe C-suite, IT, security ops, financial controllers, you may not want that browser to ever be rendered on that endpoint. Why? Well, because if an adversary is able to run an exploit kit against it and find a vulnerability and expose it, they're on the asset. But if I render the browser in the cloud and the underlying operating system is hardened, and if it gets compromised, it's never that asset. So that's what remote browser isolation is for, for those that may or may not know.

Next-gen firewall. Again, I'm not a big fan of this; I've said this at every single talk. Next-gen, next-gen, next-gen, problem. I'm not a fan of it, because what does next-gen never do? Expire. Right, it never expires. So if I build a next-gen firewall and do nothing with it for five years and still have that label there, it's still next-gen, right? And you're going to look at it, because you're looking at the market, and now you'll probably figure it out very quickly. It's
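The talk keeps returning to two ideas: CloudTrail shows you who started an instance, and EventBridge or Lambda (or an Azure playbook) should turn that into an automated outcome, with the catch that every provider's logs look different. The following is an added example written for this transcript, not code from the speaker or from any vendor. It normalizes a CloudTrail-shaped event and an Azure Activity Log-shaped event into one record and runs a single playbook over both. The two events are constructed; their field names follow the documented CloudTrail and Azure Activity Log schemas, but every value (account, ARN, instance id, subscription, IP addresses, the corporate IP allow-list) is made up for the example. The playbook only returns the steps an automation would take; it calls no provider API.

```python
"""Normalize AWS and Azure control-plane events and drive one response playbook.

Added example; both events below are constructed, field names follow the
CloudTrail and Azure Activity Log schemas, values are made up."""
import ipaddress
import json
from dataclasses import dataclass

# Constructed: an EC2 instance started by an IAM user from an address outside
# the organization's known ranges (198.51.100.0/24 is documentation space).
CLOUDTRAIL_EVENT = json.dumps({
    "eventTime": "2023-10-12T14:03:11Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "RunInstances",
    "awsRegion": "ca-central-1",
    "sourceIPAddress": "198.51.100.77",
    "userIdentity": {"type": "IAMUser", "userName": "jdoe",
                     "arn": "arn:aws:iam::111122223333:user/jdoe"},
    "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0abc123def456"}]}},
})

# Constructed: a VM started from inside the assumed corporate range.
AZURE_EVENT = json.dumps({
    "eventTimestamp": "2023-10-12T14:05:42Z",
    "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
    "caller": "jdoe@example.com",
    "callerIpAddress": "10.20.30.40",
    "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                  "rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web-01",
})

# Assumed allow-list of ranges administrators normally work from.
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Provider-specific operation names that all mean "compute was started".
COMPUTE_START = {"RunInstances", "StartInstances",
                 "Microsoft.Compute/virtualMachines/start/action"}


@dataclass
class Finding:
    """Provider-neutral view of one control-plane action."""
    provider: str
    time: str
    actor: str
    source_ip: str
    action: str
    resource: str


def from_cloudtrail(raw):
    """Map a CloudTrail record (JSON string) onto the common Finding shape."""
    ev = json.loads(raw)
    items = ev.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    resource = items[0]["instanceId"] if items else ""
    return Finding("aws", ev["eventTime"], ev["userIdentity"].get("arn", ""),
                   ev["sourceIPAddress"], ev["eventName"], resource)


def from_azure_activity(raw):
    """Map an Azure Activity Log entry (JSON string) onto the common Finding shape."""
    ev = json.loads(raw)
    return Finding("azure", ev["eventTimestamp"], ev["caller"], ev["callerIpAddress"],
                   ev["operationName"]["value"], ev["resourceId"])


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def playbook(finding):
    """Decide response steps for one finding; the same rule serves every provider."""
    if finding.action not in COMPUTE_START or is_corporate(finding.source_ip):
        return ["log"]
    # Compute started from an unknown address: treat as possibly harvested
    # credentials. Collect evidence, tell a human, contain, then review the identity.
    return ["log", "snapshot:" + finding.resource, "notify_analyst",
            "quarantine:" + finding.resource, "review_credentials:" + finding.actor]


if __name__ == "__main__":
    for f in (from_cloudtrail(CLOUDTRAIL_EVENT), from_azure_activity(AZURE_EVENT)):
        print(f.provider, f.action, "->", playbook(f))
```

The normalizers are the part that grows with each provider; the playbook does not, which is the point of normalizing first. Anything that wires the returned steps to real EC2, Azure Resource Manager or firewall APIs would sit behind this decision and is deliberately left out.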
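The speaker's IoT camera point is that a baseline of flow data (VPC flow logs, NSG flow logs, NetFlow, IPFIX) lets you spot a communication channel that should not be there. As an added example, not from the talk, the block below builds a baseline from a window of VPC flow log lines and then flags, in a later window, paths that never appeared in the baseline or that move far more bytes than usual. All log lines are constructed for the example; they follow the default version-2 VPC flow log field order, and the account id, ENI and addresses are made up. The spike factor of 3 is an arbitrary assumption.

```python
"""Baseline VPC flow logs and flag new or unusually large communication paths.

Added example; log lines are constructed and follow the default (version 2)
VPC flow log format."""
from collections import defaultdict
from statistics import mean

# Default VPC flow log format, version 2: 14 space-separated fields.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed "known good" window: one camera-like host talking to internal
# DNS (udp/53) and an internal web service (tcp/443), plus a NODATA record.
BASELINE_LOGS = """\
2 111122223333 eni-0a1b2c3d 10.0.1.20 10.0.2.53 51000 53 17 4 320 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.20 10.0.3.10 51002 443 6 30 4200 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.20 10.0.2.53 51010 53 17 4 310 1700000060 1700000120 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.20 10.0.3.10 51020 443 6 28 3900 1700000060 1700000120 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1700000120 1700000180 - NODATA
"""

# Constructed observation window: the same host, plus a new 1.5 MB flow to an
# external address on tcp/8443 that was never seen in the baseline.
OBSERVED_LOGS = """\
2 111122223333 eni-0a1b2c3d 10.0.1.20 10.0.2.53 52000 53 17 4 330 1700003600 1700003660 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.20 10.0.3.10 52002 443 6 31 4100 1700003600 1700003660 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.20 203.0.113.45 52010 8443 6 900 1500000 1700003600 1700003660 ACCEPT OK
"""


def parse_flow_log(text):
    """Parse version-2 lines into dicts; skip malformed lines and NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for name in INT_FIELDS:
            rec[name] = int(rec[name])
        records.append(rec)
    return records


def path_key(rec):
    """A communication path: which interface talked to whom, on which port and protocol."""
    return (rec["interface_id"], rec["srcaddr"], rec["dstaddr"], rec["dstport"], rec["protocol"])


def build_baseline(records):
    """Map each accepted path to the list of byte counts seen for it."""
    baseline = defaultdict(list)
    for rec in records:
        if rec["action"] == "ACCEPT":
            baseline[path_key(rec)].append(rec["bytes"])
    return baseline


def detect_anomalies(baseline_text, observed_text, spike_factor=3.0):
    """Return accepted observed flows on paths absent from the baseline, or whose
    byte count exceeds spike_factor times the baseline mean for that path."""
    baseline = build_baseline(parse_flow_log(baseline_text))
    anomalies = []
    for rec in parse_flow_log(observed_text):
        if rec["action"] != "ACCEPT":
            continue
        key = path_key(rec)
        if key not in baseline:
            anomalies.append({**rec, "reason": "new_path"})
        elif rec["bytes"] > spike_factor * mean(baseline[key]):
            anomalies.append({**rec, "reason": "volume_spike"})
    return anomalies


if __name__ == "__main__":
    for a in detect_anomalies(BASELINE_LOGS, OBSERVED_LOGS):
        print(f"{a['reason']}: {a['srcaddr']} -> {a['dstaddr']}:{a['dstport']} ({a['bytes']} bytes)")
```

On the constructed data the DNS and 443 flows match the baseline and stay quiet; only the new path to 203.0.113.45:8443 is reported. The same path-key idea carries over to NSG flow logs or NetFlow once their records are parsed into the same field names, which is the translation the speaker refers to.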