
All right, well, it's three o'clock and there's a bunch of people here, so I am going to get going. Again, thanks for joining me for the last session of BSides. Like I said, it's Friday, some people have better things to do, so I'm glad you're here. I don't really have an intro slide. I recognize a lot of the names; I think a lot of you know who I am. The short version is I'm the Director of Strategy and Technology for ION. I've done lots of things in my day: I used to be a software developer, ran some security teams, and I teach for SANS. In fact I get to do this all week on
Munich time next week, so that's going to be fun without actually getting to go there. But, yeah, that's my intro. For those of you that tried to attend the ION and Splunk technical deep dive earlier today, our apologies for that; we had some colossal miscommunications there, but I will circle back around to that if we have time at the end of this session, and of course you can ping me directly as well if you have some interest in that direction. So I couldn't decide what to talk about, so I decided to talk about a bunch of things, because I have opinions and I see lots of stuff. So I thought I'd try and talk about a
bunch of different topics. I'm also going to try and ask you some questions as we go here. I may not be able to wait for you to answer, but I'll circle back if I can, so feel free to respond in the chat if I ask some interesting questions, which I will try to do and probably forget. But anyways, what can you expect today? These are some of the topics I think I'm going to talk about, or I am going to talk about. I'll touch the basics for just a minute, talk about some trends, some architecture for a bit, people and influence and business-centric security, all those fun topics that we don't
necessarily deal with so well. I'll touch on IR and VM and cloud, and I thought I'd throw in a couple of things I learned recently that I didn't know about, so maybe you don't either. This slide: I have various versions of this slide over time, and I'm starting to run out of room. These are all the technologies you could potentially... you guys can't see my slides. All right, that's awesome, rookie mistake. How about I share a screen.

Give that a second. There we go. I'll go back to my intro slide just so you can... oops, no, I don't have focus... just so you can see my intro slide. But now let me continue. Yeah, you can tell I've never done this before. All right, I'm running out of room on this slide. These are all of... not all of, these are the things I could think of: the security technologies, the concepts, the things we should be doing. It's just endless. It's not possible; there's just too much out there. So we need to figure out where we're going to do the best or have the best
impact, the biggest positive impact, and that's a thread that I'm going to come back to or talk about throughout this session today. As far as where you start, here are some things I've talked about in the past that you may want to consider before you think about everything else that I'm going to talk about, right? If you don't have MFA, if you have a crappy password policy, if you don't have egress filtering... I mean endpoint firewalls, I won't say "if you don't have it" because very few people do, but that's definitely a good place to make great gains with a little effort. If you haven't fully configured the tools that you have,
if you don't have centralized, federated authentication, you know, let's start there. Don't worry about the rest of what I'm going to talk about. And I'll throw out there the concept of platforms, right? We had all of these tools on the previous slide; it's just unmanageable. At one point I had a team of three people managing 15 technologies. We couldn't do it: we couldn't make them all do what we wanted to do, support them all, do on-call. So especially in the sub-enterprise, the less-than-huge companies, pick a platform. If it gets you 80% of the way there with
minimal effort, you'll be doing way better than someone who's got a ton of best-of-breed solutions that they haven't configured, and I'll talk about that again in a bit.

Some of the things I'm seeing today: obviously we see the insides of, or talk to, a lot of different companies and see what's going on, and when I'm teaching I talk to a bunch of folks that way too. The cloud is a trend for sure. I just came out of watching Shelley's presentation. IR: I have not seen this much IR, this many breaches, this many people calling for help, in a long time, or ever. We see more requests for IR than
I've ever seen. Of course with COVID there are untrusted endpoints; we're never going back on that. It'll be interesting to see where we end up with endpoint security. SOAR and automation: I saw the next talk as well and I agree, you don't need to go to the nines with SOAR either. Figure out the simple automation things you can do, but are you really ready, especially if you want to bite off on a great big SOAR platform? Do you have the information available to you to orchestrate? Do you have access? Can you convince a bunch of other stakeholders within your organization to give you access to their tools so that you can automate or
take action when you see things? So absolutely head down the SOAR path, but make sure again you've done some of those initial things first. Today security's moved away from the perimeter, a little bit or a lot depending on your perspective. It's all about application, data, and user or identity today. Forget about the perimeter; it's gone. I'm actually starting to see ML and AI used in a little bit more targeted way, a more sensible way. They're still buzzwords, but we're definitely seeing them do the things that they're meant to do a lot more and a lot less of the things they're not meant to do.
And of course, as I mentioned, we still love our toys and our tools. What I see with that, though, is way more overlap every day. You have this thing that does all of these things, and you have this other tool over there that does 30% of what the first tool doesn't do but overlaps 70%, and on and on and on. And so then, well, you don't want to buy that because you've got this that almost does that, you don't want to buy that because it overlaps with this thing, and that's where I come back to the platforms, right? The more you can get under one umbrella, the better off you are. And I
had notes that I forgot already. I was going to ask here: do you guys agree with me on the use of ML and AI? Are they becoming less buzzwordy? I know they are buzzwordy, but are we using them a little bit more intelligently for security? I'll let that sink in and I'll come back to that.

So, architecture: plan, then buy, right? The impulse buying. There are lots of cool tools. Like many of you, I'm sure, I love to dig in and play with some new capability, something shiny; I want to learn all about it, see what it can do. But that doesn't get us very far when we're
in an enterprise context, or when we have a defined goal to secure our organizations. So what are we really trying to do? Let's take a step back here. What we want to do... well, I actually looked this up: the goals of cyber security, cyber security 101, confidentiality, integrity, availability. Let's dig into those concepts. Actually, no, let's not. We've all heard a lot about CIA and it is important, don't get me wrong, but that's already in the weeds for what I want to talk about in the next few slides. So let's skip the CIA for a second and really talk about what we're trying to do. Business and technology: they're
inextricably intertwined, right? You cannot separate them. There's more and more dependence on technology in a business context today and we're not getting away from that. So really, what does the business care about? Yeah, sure, they care about confidentiality, integrity, and availability, but if you ask the business, that's not what they're going to tell you. What they care about is maintaining safe and stable business operations. Obviously the money part: thriving, growing, making money. Reputation, that ties directly into money, as does beating the competition. So it's really about the dollars and the safe and stable business operations. So what can we do from a security
perspective, starting with architecture, starting from the beginning, to help meet those business goals? Bottom line: attack and compromise is bad. We know that. But what really leads to attacker success? That was something else Shelley was talking about a few minutes ago, right? Yeah, it's ransomware, ransomware bad, but what is it that leads to ransomware? What is it that allows an attacker to be successful in our environment? What can we do to build networks and environments that are less susceptible to those attackers? So what can we do about it? I want to take a minute to talk about the crown jewels, and a call-out to Sean Connery as well; I was looking for a good
picture of a bank vault and that was the best I could do with him in it. You hear the term crown jewels all the time, and it's our core assets, our critical assets, what we're trying to protect. But a lot of the time, instead of taking our critical assets and putting them inside a vault, what we do in information security is we put the vault on the outside, right? This isn't a real vault, but again, best picture I could find. We build this awesome perimeter. So imagine going into your bank and they've got armed guards at the door and they've got a big, heavy door at the front and
they've got cameras and they've got badge readers and they've got all this stuff around the edge of the bank when you go into the bank, and then all the money is sitting on the table in the middle of the bank. That's what it feels like we do sometimes, right? We build this great big perimeter and then we just leave our money sitting on the table. And ICS is a great example of that, right? We segregate it, sometimes, mostly, kind of. We segregate our ICS networks, but then we don't want to touch them. They're so valuable we don't want to touch them, we don't want to implement security. So you look at the
cyber security budget for the average ICS-based organization, and I would wager 90% of it is spent outside of ICS. That's what we see for sure; there is very little security budget or cyber security budget dedicated to ICS. And this is what it makes me think of: we're building this great big outer perimeter, and hopefully we're segregating, but I tell you, the money's just sitting there on the table if someone gets through that front door. And that's something I think we could move away from a little bit. So start building your defenses... like, don't get me wrong, firewall, that's table stakes these days, those are things you have to do, but
how about we start beyond that, focusing our security on the things that we're actually trying to protect? So what do we see these days? Well, who has ever, or recently, bought a tool that didn't live up to the hype, or that never got taken out of the box, or that was never used to its full potential? We see all of that every single day. We see great tools, but they're 10% configured, or they solve very, very narrow or specific problems because somebody saw something that they thought was cool. Or why did you buy that tool, right? What's the goal? What are you actually doing with that tool? Ask yourself why you are doing
something before you're doing it. Protecting all the things all the time is not sustainable for most organizations. So what are you trying to do? What is your goal? It's back to those crown jewels, if you will. We see lots of tools solving yesterday's problems, because there was a problem, it made it into a magazine somewhere, someone picked up that magazine on a plane (which they can't fly in anymore), and by that time we're on to something new and we're solving yesterday's problems. We see a lot of tools that fit into that category. Definitely people-intensive or people-dependent solutions where there aren't people to run them or manage them or configure them or deal
with them. And of course it's perennial catch-up, right? There's always something new, both in terms of threats and in terms of defenses.

So what do we want to see? We want to see companies figuring out what matters: identify the attack surface and model the threats. I was going to go into attack surface in a bit more detail and there's just not time, but to get compromised you have to expose something to input, generally. If there's no input, there's no compromise; you're in a much better state. So what is your attack surface? What are those inputs? Not only that, what are those inputs and what are the threats to those things?
Figure out where you have attack surface that isn't protected and there is a threat. How about we start there? What mitigations do you have today, technical and otherwise? Sometimes it's not about a technical mitigation; maybe you're just going to pay a fine, and maybe that's okay, maybe it's not. But where do you want to be, not today, not tomorrow, but three or five years down the road? I always tell our customers that if you do one thing well... there is no one thing, but if you do one thing: every decision you make, have it not move you further away from your three- or five-year goal, right? That's the bare minimum. Let's
try and make all our decisions so that they're ideally moving us towards our long-term goals, or at least not moving us further away. That's all we can ask. Figure out those high-return, and sustainable as well, security measures. Again, lowest cost, highest value, right? Bang for the buck. Build now for the future; that's back to the one, three, five years again. I don't have time to go into this in detail: RFPs, procurement, whatever that process is in your organization, set the standards now. The example I always give is we will not buy a SaaS solution if it doesn't support single sign-on or federated login. Bake that into your RFPs, bake that into your procurement process, bake that into
your policies, and cut this stuff out. I can't remember who was talking, I think it was the ICS round table yesterday: we have to put pressure on our vendors to make things better. If you go to market with an RFP that says we won't buy your product unless it meets these requirements, you may still cave on some of those requirements, but I tell you, I've been a developer, and those sorts of things speak to vendors who want to win your business. And of course bring together business stakeholders. And how do we maintain three-to-five-year goals when the landscape changes so frequently? Getting out a bit of a crystal ball is one
part; you have to make some assumptions or guesses. But the other part is to really high-grade those goals. I say this like it's easy, but if you can combine some guess as to where the industry and where your business is going to go with some fundamentals, whether it's... it's back to data, identity, and applications, right? We hopefully have a plan, we're migrating to the cloud, someone's got a plan in that respect, or they've got a plan for where the organization wants to go, and all you can do is try to really high-grade and say, okay, well, we expect all of our data to be
software as a service in three years or five years, so therefore our focus needs to be on identity management, and how do we build systems to onboard and off-board and centralize and monitor authentication and identity, and so on. I agree that is not an easy problem to solve, though.

So, moving on to my next topic. Like I said, I'm just going to try to rifle through a few topics here: people, influence, and the business-centric view. So this is what usually happens: we've got our business goal on the right, and we've got our "no" person, our security goals, on the right. We need to try and find
a middle ground here somewhere, right? Because if the business ain't getting what they want, then we're not going to win. So, actually, oh sorry, that's where I wanted to be. So who's ever worked in an organization where you know there's a problem, you might even know what the solution is, maybe you can fix the problem easily, maybe it's even cheap, but you can't get buy-in to do that? Well, of course that's everybody, and you're not alone. We hear every excuse in the book, and again I'm not going to try and pretend it's easy to get past, but there are some things to think about. I mean, we hear: no budget,
not now or low priority, too complicated, too much risk to the business, who's going to do it or maintain it, not my call. I've worked in organizations, or with organizations, where you have to get 20 people to agree to do anything. Like, come on. And the other person I've forgotten about, or didn't list on here, is the person that just... they want you to get off their lawn. They don't want to see anything change about the way they live their life. That's the inertia, I guess, right? We just don't want to try something new, do something new, change anything; I'm happy with the way it is no matter what.

So how do you get what you want? Well, the first thing I'll say is think of it, especially for the techies and those that aren't dealing with management every day, think of it as a social engineering exercise, because that's exactly what it is, although in a nice way. You're not trying to trick people or fool people, but you're definitely trying to influence people; there are definitely some similarities there. You're trying to convince management to do what you want them to do. So find out what motivates them. Make them want to click, right? Make them believe that it's important or urgent, all the things we tell people not to do, or to watch out for, when they're
reading their email, right? If you make a case, it's not that hard. You won't win them all, but think in terms of business risk, impact, and metrics, right? What is the risk to the business if I do or don't do something? What is the impact of, again, an action or lack of action? And how can I measure that, how can I show that, how can I prove it? So in any meeting, when you are trying to get what you want, the first thing to remember is to go in knowing what you want to get out of it. If you can't go into a meeting and articulate what you want to come out with,
then you're wasting your time. So what do you want to happen? What exactly do you want someone to do? Who do you want to do it? And of course the peer pressure: what are your peers doing today? Right, there's nothing that, I'll call them executives, respond to better than what their peers are doing. So if you can make a case for "this is what is happening in the industry and what your peers are doing", you're part way there. Costs are of course a key factor. Management wants to know: what levers do I have to pull, what can I do, what's it going to cost, and what's the benefit? So what's the
cost of action and inaction? There's a cost to not doing anything, there's a cost to doing something, and it should be cheaper to do something than not; those are obviously the things worth doing. And there may be ongoing costs, and you have to be aware of those as well. What are the benefits, though? Show that you can save or make money, and have a metric, or be able to point to something, that shows how you're going to demonstrate that what you're doing is working. If you can put a metric in front of a decision maker that says "watch, this number is going to do this" or "this trend is going
to go this way", then you're going to get better agreement, or you're much more likely to get agreement, because then your manager, the manager, the board can look back and see whether what they're doing is working, and if it's not then they can stop. And keep it simple. In one of my jobs I had to present to the board; I got three slides, three PowerPoint slides. I had to give them to the board in advance and they would maybe bring me in to ask me some questions. If you can't fit your message (yeah, I've got a 44-slide presentation here) in three slides, then nobody's going to listen, nobody's going to remember. And I read something while I was
doing some research around this, and just a side comment almost, is that CISO confidence decreases as solutions, assets, and attacks increase. So help them feel better. If you have more solutions, more assets, more attacks, management's going to get more nervous. Going back to the platform comment, right? Decrease the number of things you have to manage, focus on the things that really matter, that vault right around the crown jewels, etc., and stick with those, and you will make better gains that way.

On the people front, none of these are written in stone by any stretch, but people are better than product, right? I will take, in most cases (again, you have some basics that you
have to take care of), but in most cases I will take people over product. And if you want people, then they have to be motivated, empowered, trained, retained, all of that. Who's read The Phoenix Project, or who's worked in an organization where they have one guy (I think it was Brent in The Phoenix Project) who is central to everything that you do, and what happens when that person leaves? You are out of luck. So you do have to balance that with your people. But at the same time, if you think of the cost, especially in large organizations, what we spend on some of our tools versus what it would cost for a single
person, I'll take a person any day. I'm not going to spend a lot of time talking about imposter syndrome other than to say yes, it's real. Google it; there's lots written and said about it. Everybody has something that they know better than everybody else, so leverage that with everybody. Again, talking about people, I will take experience over a CISSP or a master's in information security management, I think, any day. Kurt talked about his experience becoming a pen tester yesterday, and I said it in the chat: those 18, was it, years of experience doing other things in IT, that is gold. You can go and learn all about
policy, but if you've never put hands on keyboard then there are some roles that just aren't going to work. Value those other teams. Sysadmins, for example, same idea: they know where all the holes are, they know what all the gaps are, because they created them. And also, if you make their lives easier they'll repay you in kind as well, and you can get a lot of benefit from your sysadmins if you have a good relationship with them. And beyond that, build the bridges, create the common ground. There are tons and tons of stakeholders, I'm going to touch on that later, that very rarely talk to each other. So take it upon yourself, bring them
together. And people generally want to do the right thing; just help them do it.

Something else I also talk about a lot is business-centric or organizational context, business-centric security. If you don't know where you fit in the organization... and we see this a ton as a service provider, right? We have customers who want us to do something, but there's so much about their business that we need to know to make that happen. It's got to be a partnership. So that's true as an outsider, that's true as the security guy with the business: you need to understand why it matters to the organization, who's the decision maker, who benefits, what are the processes. I'll use
change management as an example: if you don't understand how the organization makes decisions, you're not going to win. Is there a history that you don't know of? Who blew what up in the past by making a bad call, or rebooting the wrong thing, installing the wrong thing, whatever? That's relevant. But most importantly, what's relevant or important to the business? Again, if you are not in line, or aligned I should say, with what the business wants and needs, then you're not going to get anywhere, which means that you need to compromise. You're not going to get everything you want, but it's probably a good idea, returning to the bicycles here, that you achieve something. Notice
where that lock is on the bike over there, if you didn't notice that up front. So you're going to have to compromise; take the wins where you can get them, but do try to get something done. And this picture of the bike actually reminds me of the PCI myth, or legend, or whatever, right? All your data has to pass through the firewall if you want to be PCI compliant. So someone took, I think it was a PIX at the time, drilled a hole in either side, ran the fiber through the middle, and there you go: data through a firewall. That's what I think of when I see that picture of the bike lock.
So, incident response. As I mentioned, we're seeing a lot more; there are more breaches, more IR. Everybody, whether they like it or not, is mired in incident response these days. A little bit of the "yeah, duh": prevention is ideal, detection is a must, detection without response has little value or is pretty much useless, and breaches aren't inevitable; it's how you respond that is the ultimate determinant of the impact. I think I stole this slide from SANS, actually, but the point is valid: you need to have response. All the detection in the world doesn't help you if you can't do anything about it. And the example I'll
give on this, with IR and having capability, is okay: if I give you an IP address and I tell you that it's evil, can you take that IP and figure out the computer, MAC address, switch port, physical location, owner of that computer, other things that person has logged into, other things that have logged into that IP, websites they've been to, other computers they've talked to, authentications to that computer and from that computer? I'm sure I'm forgetting stuff, though. That's the kind of information that we need to be able to generate, if you will, in order to respond. So the IR process
is preparation, identification, containment, eradication, recovery, lessons learned. But there's a reason preparation is in a massive font, because that's what we don't do, and without it... and when I say we, I mean people in general; a lot of the organizations we've dealt with, they're just not prepared. They don't get their Boy Scout badge. So preparation is where the focus has to be, at a bare minimum. In the next few slides I'm going to talk about a few things. This is by no means an exhaustive list, but these were the things that came to mind. Bare minimum number one: if we show up and you have an incident, have a breach, you want
us to help, and you have zero logs, why are you calling? That's bare minimum: turn on logging. And honestly, I don't care if you have a SIEM, I don't care if it's centralized. If your logs are sitting in the Windows event log on each individual server and workstation, if you've got seven days at a minimum (more is better), I'm happy. You don't need a SIEM, you don't need Splunk, you don't need all this fancy stuff; just have the logs somewhere and we can go get them. Yes, they can get erased by attackers, and manipulated, yadda yadda, but we're talking about bare minimum here. Not centralized is better than non-existent. And
will you have this whole list? Maybe, maybe not, but workstation, servers, AV, DHCP, network, firewall, email, cloud, remote access: those are the ones that come to mind off the top that I'd like to see. Clear objectives: what do you want to get out of IR? "Keeping the spice flowing" is usually the answer, or more formally there's rapid business resumption, there's maintenance of compliance, there's identifying perpetrators, identifying a root cause, controlling the flow of information, or engaging with law enforcement. Do you want to contain and clear, or watch and learn? Do you want to prevent reoccurrence? Probably a lot of those things, but you should know what's most important to you. Backups are good things; ransomware, you
get the picture. And know who you're going to call, because most organizations are not going to be able to handle an incident on their own.

One step up from bare minimum: anything that resembles a plan. It may not be up to date, it may not be comprehensive or complete, but hey, something to follow, that's great. Out-of-band collaboration: I don't want to spend forever on this, but the example I always give is, as an IR team, if you have a separate Office 365, or what is it, Microsoft 365, environment, independent of your corporate tenant, now all of a sudden you've got email, screen sharing, chat, file sharing, audio, video, I'm forgetting something, but
something like a OneNote where you can keep notes, SharePoint where you can keep your documentation, and so on, all of that completely out of band, obviously secured appropriately, and now you don't have to worry about either your assets being down and not having access to all of that stuff, or the attacker being in your communication path. But it doesn't have to be that complicated; have something. Have an ability to act: run scripts on endpoints, yank email out of mailboxes, right? Have some ability to communicate to stakeholders, whether that's staff, customers, whatever. Have some level of access and authorization so you don't have to go begging for stuff in the middle of an incident:
credentials ability to act can i take this down well actually that's a business decision but some authorization to act and now centralized and longer term logging yeah please i mean the seven days is a starting point even better logging turn on powershell logging as an example and have more and be able to act without relying on brand just that one smart techie right you want to have a little bit more capability than that and then if we get more advanced you know the pre-authorization i guess i mentioned that on the previous slide but you know what you're going to do when you have you've already decided you know when this happens i'm segregating my networks i don't have to
go and have a conversation have a bunch of meetings and talk about it when this happens i turn off the internet hopefully not but you get the idea contracts vendors whether they're i.t vendors or business side vendors that will actually work with you some capability to control applications to stop malware if you have an ioc to act on that ioc now a documented current and tested ir plan defined roles and responsibilities people in the business that understand what you're trying to accomplish what the goals of ir are so that you can work with them to keep the business operating standardized templates and checklists and and things to do during ir established and tested and validated
third-party relationships so they've been part of your your tabletops a well-tuned sim or something similar asset inventory and baselines and i don't know why i put that one last i think it fit on the slide better but bass lines know what things should look like so you can tell whether they are like that now so that's that's my i could go on forever about ir those are the three slides you get today vulnerability management is something i've been been thinking about a little bit lately and we all know what vulnerability management is cis has a definition i'm not going to really read it to you other than you know to point out some key words
organizations that do not scan for vulnerabilities, and that happens; there are challenges in scaling across an enterprise, prioritizing, conflicting priorities, and of course uncertain side effects, although I'd say suck it up and figure it out. If you can't patch today, with all the virtualization, then you're not doing it right. But it says vulnerability management for a reason. Scanning is step one, and yes, the to-dos do get harder and harder. All I can say there is make the list, prioritize the list, and start with the things that you think will give you bang for the buck. That's where I always get back to: it's bang for the buck. But vulnerability
management: scanning, yeah, that's maybe 30% of the job. Aggregating and prioritizing results, so instead of a 6,000-page report you have page one that says you have these six thousand assets with this problem, not six thousand pages about those assets. Reduce your attack surface; I talked about that a little bit earlier. Have real conversations about business risk. Traceability: Doug was talking about SABSA yesterday. I don't blame anybody for not knowing what SABSA is, but the whole point of SABSA is tracing your actions, every action you take, all the way back to the business. So again, you don't have to fix all the vulnerabilities; I'll talk about that in
a second. It'd be ideal, but you don't have to. Metrics and measures: if you can't tell whether you're doing a good job, or what you're doing, or what progress you've made, again you're not going to have any buy-in from management and you're not going to know what you're doing. Fix by vulnerability, not by asset. So don't say "hey, you own server one, you've got to patch this stuff; you own server two, you've got to patch this stuff." It's an organizational decision that this vulnerability is the most important thing and we're going to fix it across the enterprise. Now there may be some exceptions and some delays and so on, but there is one person or one group that decides we're going to
fix this across the board, and then assign the authority to get it done, but still have that ownership where it's one decision maker who makes that decision for the organization.

I really like this slide. This diagram is from DHS, it's like 2009 now, and it's for patching in industrial control system environments, but it applies anywhere, and it's really simple. There is a vulnerability and an available patch; we've identified it. Does it affect... here it says ICS, but does it affect operations? No? All right, then away we go. Yes? Is there a workaround? Okay, let's apply the workaround and schedule this for a routine outage. Do our operational needs
outweigh our risks? If yes, then we defer the patch again. No? Well, now we patch immediately. And how do we arrive at that decision? There's some vulnerability footprint: there's the impact, the exposure, the deployment, the simplicity, and the impact to the business both of patching and of failing to patch. We do some risk analysis, we decide whether our operational needs outweigh the risk, and then we patch. It's not about doing everything all the time, even though that would be ideal. And I would be remiss if I didn't point out the "document" piece down here at the bottom. And yes, this same document, and there is a link in the slides which I'm sure will get shared
somewhere along the way, has a separate flowchart for how to actually go about patching, and that involves testing: testing on your redundant systems, your secondary systems, because if it's important enough that you don't have an outage, then you've got secondary systems to test on, right? And leverage virtualization and rollback and so on. So this same document actually has a separate flowchart along those lines as well.

But there's more than just patching. You know, ask a pen tester what they take advantage of more: vulnerabilities, misconfigurations, or credentials? Probably from the bottom up, right? Credentials, followed by misconfigurations, followed by vulnerabilities are the things that I would say are most taken advantage of.
What if there isn't a patch? You should know what you're going to do. Can you get a change window, or how do you get your change windows, and who is ultimately accountable for those patches? Should be one place, again, across the organization.

Here's some food for thought. I spend a lot of time in the ICS world, so that's why ICS keeps coming into these slides. The Dragos ICS Vulnerabilities Year in Review, 2017 and 2019: 64% of patches don't fully eliminate the risk because the components were insecure by design. So why are you wasting your time on those patches? Figure out how to put additional protection around those assets so that they aren't insecure by design, or so
you're mitigating the insecure-by-design component. 26% of advisories or vulnerabilities were disclosed before the patch was available. 30% of the advisories were inaccurate, which led to poor prioritization. 40% required user interaction and/or internet connectivity to exploit, so it's still a risk, obviously phishing's a thing, but maybe not quite as bad. But take all of that, and then 61% could still cause severe impact, which was defined as an outage in ICS. So I guess my point is it's not really as simple as you might think.

A couple more sections here. I'll go through cloud relatively quickly, and then I wanted to touch on a couple of cool things I learned about. So,
cloud security. Who can give me a definition of cloud security? What are you securing: applications, access, configuration, data? You know, who knows. I'm pretty sure that there's acronyms involved, though. I'm not going to go through them all, but all I know is every one of those acronyms is involved in cloud security somewhere. Yeah, just fire your firewall up in the cloud, you're good. One of the things we've seen a lot is M365 or Azure migrations driven by an infrastructure or Windows-centric team. I'm not throwing anyone under the bus; they just have different goals, different priorities. The Windows team cares about functionality, reliability and performance, but they're the ones with the keys to that
M365 environment, and quite often they're there long before you have any idea that they are there. Some of the things we've seen: domain controller in Azure, RDP exposed, password123. That was a fun incident. ERP system in the cloud, which is fine, but the firewall was over here beside the ERP environment, not in front of it; in the cloud they accidentally routed around it. On-prem email anti-spoofing and all of the rules you've taken care to put on your email system on-prem never made it to the cloud. Global admin for everybody, or at least too many people. And of course the lack of MFA for even the administrator accounts. All of those things happen in cloud
migrations. You know, in Calgary I would say we're a little bit less DevOps-focused, a little bit more enterprise, "I'm not taking my stuff to the stinking cloud." We don't see as much of the application development and deployments and DevOps and CI/CD in Calgary, but it's definitely out there, don't get me wrong; it's just certain organizations. Coming back to people: they are involved, and probably not talking to each other. These are the teams that I have seen involved in a single migration to the cloud. What do you think the odds are, in a large organization, of getting all of those people in a room, agreed on something, working towards a common goal? The odds are pretty
slim. So what can you do? Ideally, get everyone in a room talking, hopefully aligned, at least talking, right, so that everybody has some idea of what everybody else wants to get out of a migration. I go back to procurement: provide that whatever-as-a-service guidance and baseline and requirements. If you are going to do that whatever-as-a-service, here are the core things. And keep it simple, but, you know, again, 80/20 rule, bang for the buck, like I said: federated authentication, MFA, good telemetry, logging and monitoring, that's one of the requirements, etc., etc. Set some baselines, so that at least when someone is going
out towards the cloud, they know what they should be asking the vendor. I mean, we have a many-page-long vendor questionnaire for some of the SaaS apps especially, but build that simple list of things that people should be looking for. Get integrated into the toolchain; that's a little bit harder, that's a bigger ask, but you know, there's automated QA, there's validation of applications as they're deployed. Well, you should be doing regression testing and validation for security as well. And if nothing else, identify and try and find those gaps, right? What isn't being done or taken into account today with the cloud migration? Vulnerability management, incident response. How do you
do IR in the cloud? It's a different world; you're not pulling hard drives, I'll tell you that much. And of course, how are you going to back up, or do disaster recovery, or deal with the result of an incident gone bad, right? I still don't know what cloud security means. It is such a broad topic. It's everything from securing your infrastructure in the cloud to making your SaaS providers do things well. You know, there's, what is it, your SSAE 16, which became something else, the compliance rules. There's, like I said, there's the DevSecOps. It's all of those things. All you can do is get more engaged within your
organization. Figure out what the important things are that are happening in a cloud context within your organization, so that you can at least get involved in the conversation. And because those conversations aren't happening, if you facilitate them then you can guarantee that you're engaged in them and that they are actually happening. Yeah, I forgot about the open S3 buckets; hopefully we don't see that as much anymore.

So I wanted to throw out a couple of things that I figured out or learned about or heard about recently that I wasn't aware of, so if I wasn't aware, maybe you weren't either. First one: I don't know why I stumbled across this, but there is such a thing as a DNS
CAA record, a Certification Authority Authorization, which essentially says "for my domain, these are the CAs that are allowed to issue certificates for my domain," and support on the CA side was mandatory as of September 2017. So this happens on the issuing side: basically, a CA must check your DNS before issuing a certificate for your domain. So if a bad guy tries to spoof your identity and issue or get a certificate from somebody else, and it's not the CA that you deal with, they can't actually issue a cert. So you can, you know, if you look at your certificate authorities on your own devices you will see that there are a lot of CAs from a lot of countries
around the world. So you can at least ask or require that all those CAs don't issue certificates for your domain. And you'll note there is the ability to control issuing certs and issuing wildcard certs, and it is tiered; you can cover off subdomains and so on. I just didn't want to head too far down that path. And if you want to check, Facebook or Google are a couple of examples of people who do this. It's a type 257 record, and you can see who's allowed to issue certificates for facebook. It is, as Matthew says, a bit of a slippery slope, it's a bit like driver signing, but it's also a trivially easy thing you can do
that doesn't hurt. You know, especially if you want to remove Let's Encrypt: if you don't use Let's Encrypt and you don't want anyone else to, then that's a good option for you.

The other one I wanted to point out is Raccine, which, what's his name, Florian Roth released very recently, originally as a defense against ransomware. The idea is it's a tool that you register as a debugger for an executable such as vssadmin. For those that don't know, vssadmin is an executable that attackers often run to delete all your shadow copies, or to use your shadow copies to steal your passwords, and so it's very rarely, honestly, used legitimately.
So what Raccine started with is it registered as a debugger for vssadmin, so every time someone tried to run vssadmin it would kill the process unless it was an authorized use; like, you could whitelist a specific command line. Believe it or not, it works on Windows 2000 and later, and it's not a running executable, it's not a service, it's not killing any cycles on your box; it gets invoked when the command that you are debugging gets invoked. It's generic, it doesn't change the OS at all, and whatever they're at now, version 1.3, actually comes with YARA rules. So now you can build a list of YARA rules that pattern-match on a wide variety of executables,
and if you see this kind of command line, then don't allow that executable to run; basically, kill it. Is this perfect? No, of course not. If you know it's there, then you're probably going to find a way to bypass it, but again, it's a nice, clean, simple way. What was it, Zerologon, I think: they quickly... that's when they added the YARA rules. They basically added a rule set, it was just a quick registry key, and it would block most of the, or all of these, sorry, malicious invocations that led to Zerologon success. So I don't know, it's just a cool new tool that's out there, something else you can put in your
toolbox. So I thought that would be interesting. Raccine is definitely under active development. So, look at that, one minute to spare. Sorry I didn't leave as much time as I thought I would for questions, but I do have opinions, so I will stick around and answer questions if you guys want to throw them out there. Otherwise, happy Friday the 13th and enjoy your weekend.
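Editor's added example for the CAA discussion in the talk (this is not the speaker's code and not from any CA's implementation). It models the check a CA is required to perform under RFC 8659: climb from the requested name toward the root, take the first CAA RRset found, honour `issue` versus `issuewild`, treat a bare `";"` as "nobody", and refuse on an unknown tag that carries the critical flag. The zone data is constructed on hypothetical `.test` names; `parse_presentation` accepts the `0 issue "ca.example"` text that `dig +short CAA <name>` prints, so you can paste real records in. CNAME and DNAME handling from the RFC is left out.

```python
"""Evaluate DNS CAA records the way an issuing CA must (RFC 8659).

Added example; the zone below is constructed and belongs to no real domain.
"""
from dataclasses import dataclass

ISSUER_CRITICAL = 128                      # flag bit 7: refuse if tag not understood
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int    # 0 or 128 in practice
    tag: str      # property tag, e.g. "issue"
    value: str    # property value, e.g. "digicert.com" or ";" (no issuer)


def parse_presentation(rdata):
    """Parse dig-style CAA RDATA such as '0 issue "letsencrypt.org"'."""
    flags, tag, value = rdata.split(None, 2)
    return CAARecord(int(flags), tag, value.strip().strip('"'))


# Constructed zone: owner name -> CAA RRset (hypothetical names).
ZONE = {
    "example.test": [
        parse_presentation('0 issue "digicert.com"'),
        parse_presentation('0 issuewild ";"'),                    # no wildcard certs at all
        parse_presentation('0 iodef "mailto:security@example.test"'),
    ],
    "api.example.test": [parse_presentation('0 issue "letsencrypt.org"')],
    "locked.example.test": [parse_presentation('128 futuretag "x"')],  # critical, unknown
}


def relevant_rrset(fqdn, zone):
    """Climb from the FQDN toward the root; the first name holding any CAA
    RRset is the one that applies (RFC 8659 section 3). Returns
    (owner_name, records) or (None, [])."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def issuer_domain(value):
    """'ca.test; account=42' -> 'ca.test'. A bare ';' yields '' (nobody)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca, fqdn, zone, wildcard=False):
    """Decide whether `ca` may issue for `fqdn`. Returns (allowed, reason)."""
    name, rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True, "no CAA RRset found on the path to the root"
    # An unknown tag with the critical flag set forbids issuance outright.
    for rec in rrset:
        if rec.flags & ISSUER_CRITICAL and rec.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown tag '{rec.tag}' at {name}"
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # Wildcard requests use issuewild when present and fall back to issue;
    # non-wildcard requests ignore issuewild entirely.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"no applicable issue tag at {name}; issuance unrestricted"
    allowed = {issuer_domain(r.value) for r in applicable} - {""}
    if ca.lower() in allowed:
        return True, f"{ca} is authorized at {name}"
    return False, f"{ca} not in {sorted(allowed) or 'nobody'} at {name}"


if __name__ == "__main__":
    for ca, fqdn, wild in [("digicert.com", "www.example.test", False),
                           ("letsencrypt.org", "www.example.test", False),
                           ("digicert.com", "example.test", True),
                           ("letsencrypt.org", "api.example.test", True)]:
        ok, why = may_issue(ca, fqdn, ZONE, wildcard=wild)
        label = ("*." if wild else "") + fqdn
        print(f"{ca:16} {label:24} -> {'ISSUE' if ok else 'REFUSE'}: {why}")
```

The point the talk makes about "removing Let's Encrypt" falls out of the logic directly: once any `issue` tag exists at a name, every CA not listed is refused, so the record is an allowlist, not a blocklist. The subdomain override (`api.example.test` carrying its own `issue`) is why a CAA audit has to walk the whole tree rather than only checking the apex.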
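Editor's added example for the Raccine discussion in the talk. This is not Raccine's code; it reproduces the decision the talk describes in Python so it can be run anywhere: an Image File Execution Options "Debugger" entry makes Windows start the gate with the guarded program's full command line as its arguments, and the gate then allows or kills based on command-line patterns plus an allowlist. The rule set is constructed from well-known shadow-copy and recovery-disabling commands, and the allowlisted backup job is hypothetical; the real process-killing is omitted.

```python
"""Raccine-style command-line gate: allow or kill a guarded invocation.

Added example, not Raccine's own code. Rules and the allowlist entry below
are constructed for illustration.
"""
import re
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern


@dataclass(frozen=True)
class Verdict:
    action: str             # "kill" or "allow"
    rule: Optional[str]     # matching rule name, "allowlist", or None
    cmdline: str            # normalized command line that was evaluated


def _rule(name, regex):
    return Rule(name, re.compile(regex, re.IGNORECASE))


# Constructed rules modelled on classic "kill the backups" commands.
RULES = [
    _rule("vssadmin-delete-shadows",  r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    _rule("vssadmin-resize-storage",  r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b"),
    _rule("wmic-shadowcopy-delete",   r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    _rule("wbadmin-delete-catalog",   r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b"),
    _rule("bcdedit-disable-recovery", r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b"),
]


def normalize(cmdline):
    """Collapse whitespace and lowercase so allowlist matching is exact
    but not brittle against spacing or casing tricks."""
    return " ".join(cmdline.split()).lower()


# Hypothetical authorized use: a nightly backup job that prunes the oldest
# shadow copy on the data volume. Compared as a whole normalized command line,
# so adding "/all" or dropping "/oldest" no longer matches.
ALLOWLIST = {normalize("vssadmin.exe delete shadows /for=D: /oldest")}


def evaluate(cmdline):
    """Return a Verdict for one command line (image plus arguments, exactly
    as the debugger hook receives it). Allowlist wins over rules."""
    norm = normalize(cmdline)
    if norm in ALLOWLIST:
        return Verdict("allow", "allowlist", norm)
    for rule in RULES:
        if rule.pattern.search(norm):
            return Verdict("kill", rule.name, norm)
    return Verdict("allow", None, norm)


def evaluate_argv(argv):
    """Registered under IFEO as the Debugger for an image, the gate is
    started as  gate.exe <original command line>, so everything after our
    own argv[0] is the guarded process's command line."""
    return evaluate(" ".join(argv[1:]))


if __name__ == "__main__":
    verdict = evaluate_argv(sys.argv)
    print(f"{verdict.action.upper():5} [{verdict.rule}] {verdict.cmdline}")
    sys.exit(1 if verdict.action == "kill" else 0)
```

Try it with `python gate.py vssadmin.exe delete shadows /all /quiet` versus `python gate.py vssadmin.exe list shadows`. The talk's caveat applies here too: anything that reaches the same effect without the matched string (a renamed binary copy, WMI from PowerShell, a quoting trick the normalizer does not undo) walks past a command-line gate, which is why this is a cheap extra tripwire and not a replacement for application control.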