Security Teams & Tech In A Cloud World

Security Teams & Tech In A Cloud WorldMark Nunnikhoven, Vice President Cloud Research @marknca

Audience: Public

Security “Facts”

Security “Facts”* About your organization or one just like it

We will respond quickly to an incident

Attackers are on a network an average of 154 days

We need more tools

Canadian companies spend just under 10% on IT security

Canadian companies spend just under 10% on IT security* 60% of companies didn’t mention people or process as an area of focus

Users are a major problem

Security is considered the opposite of usability

Security is everyone’s responsibility

You have one, isolated security team

You have one, isolated security team* …and a wildly unsuccessful “awareness” program

Mark NunnikhovenVice President, Cloud Research Trend Micro@marknca

https://twitter.com/marknca

Modern Security

Video available at https://vimeo.com/111631197

https://vimeo.com/111631197

© Trend Micro, 201615

Automated Response

Web UIWeb UIWeb UIVM


Automated Response


SIEM / Log Store


Automated Response


SIEM / Log StoreMonitoring


Automated Response



Event-driven Function


Automated Response



CSP API Event-driven Function


Automated Response


SIEM / Log StoreRestrict Access Monitoring



Automated Response


SIEM / Log StoreRestrict Access Monitoring

Web UI


What’s the hold up?

Running in the Cloud

IaaS(Infrastructure)

PaaS(Container)

SaaS(Abstract)

Data

Application

Operating System

Virtualization

Infrastructure

Physical

Data

Application

Operating System

Virtualization

Infrastructure

Physical

Data

Application

Operating System

Virtualization

Infrastructure

Physical

Shared Responsibility Model

Setup

• Lock down operating system, applications, and dataHarden system according to NIST / best practices Encrypt everything

• Enable service health monitoring featuresCheck your CSP’s documentation

• Monitor service API activitiesLook for unauthorized; replication, start up, termination, etc.

Steps:

IaaS

Setup

• Read all the documentationSeriously, RTFM

• Implement strong code quality systemsAutomation is critical to success

• Configure access control and other security featuresCheck your CSP’s documentation

Steps:

PaaS

Setup

• Read all the documentationSeriously, RTFM

• Configure access control and other security featuresCheck your CSP’s documentation

Steps:

SaaS

Setup

• Evaluate controls against acceptable level of risk for data used in serviceI shouldn’t have to say this

• Monitor all service provider status updates and communications channelsRemember to include them in your IR plans

Steps:

Any Cloud Service

IaaS(Infrastructure)

PaaS(Container)

SaaS(Abstract)

Data

Application

Operating System

Virtualization

Infrastructure

Physical

Data

Application

Operating System

Virtualization

Infrastructure

Physical

Data

Application

Operating System

Virtualization

Infrastructure

Physical

Shared Responsibility Model

Opportunity


PhysicalWeeks

VirtualDays

CloudMinutes

ContainerSeconds

FunctionImmediate

{ Time to deploy }

{ Environment }


Move faster Focus on value

Goal


Deploy using the method that delivers the most value

Goal


Every tool adds overhead

Constraint


Automation allows for the speed, scale, and consistency required

Relief



Goal


…with minimal operational impact


Goal

DevOps

Flickr deploys 10+/day

Success

Etsy deploys 50+/day


Success


Amazon deploys 11.7 seconds


Success



Adobe +60% app development


Success



Adobe +60% app development

Fidelity $2.3M saved for one app


Success

Where’s security?

…can have a much stronger security posture in AWS and the cloud than they can on-premises

Andy Jassy, AWS CEO

* From an interview with the Wall Street Journal, http://www.wsj.com/articles/amazons-andy-jassy-on-the-promise-of-the-cloud-1477880220

http://www.wsj.com/articles/amazons-andy-jassy-on-the-promise-of-the-cloud-1477880220

Security is everyone’s responsibility

Security Everyone

Team Challenges

New Skills Needed

• Basic understanding of development practices & ability to write simple code Everything in the cloud is an API. Security MUST BE automated

• Puts the user f irst We make the tech that they “can’t use right” … not their fault

• Perspective & understanding of practical securityNo more “the sky is falling”

• EducatorsWritten, video, presentations, Slack,…anywhere teams are working

Steps:

Security Specialist

Your Org Chart Is Wrong

Typical Org Chart

CISO Dev

GRC Ops

Infrastructure

CIO

Ops

Updated Org Chart

CISO Dev

GRC Ops

Infrastructure

CIO

Ops

Updated Org Chart

CISO Dev

GRC

OpsInfrastructure

CIO

Ops

Updated Org Chart

CISO Dev

GRC

OpsInfrastructure

CIO

Ops

GrC

@petermePeter Merholz Kristin Skinner

@bettay

Specialist Distribution

Coffee Shadowing Teaching

Bridges

Fabric

1 min

Slow lane

1 min

Slow lane

Fast lane

1 min

Is this bad?

1 min

Is this bad?

Is this malicious?and

1 min

Is this bad?

1 min

Aggregate information

Is this bad?

1 min

Aggregate information

Is this bad?

1m, h, d, w, m Trends

1 min

Aggregate information1m, h, d, w, m Trends

1 min


Evidence of compliance

1 min


Evidence of complianceConfiguration Processes

1 min



Deployment data

1 min



Deployment dataPerformance Debug

1 min

SecOps

1 minAggregate Evidence Deployments

SecOps

Get stuff done


Thank [email protected] | @marknca

Security Teams & Tech In A Cloud World

Internet

Transcript of Security Teams & Tech In A Cloud World