Misconfigurations & Scale

Season 01 // Episode 02

Cloud security is built on a simple model: shared responsibility. The number one problem facing builders in the cloud, with respect to security, is misconfigurations. Our guest this week is responsible for the security of a service built entirely on serverless principles. Here's what he has to say on building systems to help make sure you're fulfilling your responsibilities in the cloud.

Details

This episode was originally streamed on Tue, 19-Nov-2019 to multiple platforms. You can watch the streams (along with the comments) on-demand on:

Transcript

Mark: Hey everybody. Thanks for joining.

This is our second episode of Let's Talk Cloud. We fired this up last week and had Jeff Westfall and Fernando Cardoso from Trend Micro onboard for a great conversation.

[00:04:15] The three of us were talking about their experiences from the trenches and sort of real-world problems. We had a ton of feedback from folks, lots of great responses, and we want to keep that going.

I can see already on the livestream we've got folks from Jordan, from Spain, from Panama, from the UAE, France, Germany, all over the world, which is amazing. We very, very much appreciate that.

And we are streaming across three platforms right now. So we are on LinkedIn Live. We're on YouTube Events and we're on Periscope/Twitter. Please fire off your comments there.

[00:04:47] You can hit us up on the hashtag Let's Talk Cloud, or respond directly on the streams. We've got a team watching that in order to fire off the comments my way so that we can interject them into the conversation. So please don't be shy.

We want this to be very much community-driven, community-led. An-and that's the goal here, is to really, you know.

[00:05:08] We sat around the table and we realized Trend's got a global reach. We've been working actively in the cloud for years. But we haven't done a great job at sort of showing you that expertise and sharing and talking about the challenges that we see.

And not from a marketing perspective, not from a product perspective. Like we have a ton of people who are doing real work in the cloud all the time and we've learned a lot of things. S- a lot of the time, the really hard way.

[00:05:31] [Laughs] And that has, you know, with lessons learned moving forward. And so we want to start sharing that with you folks. So that's the gist of the stream. So again, hit us up, hashtag Let's Talk Cloud.

[00:05:41] I see even more people joining: Turkey, Chile, Colombia, Angola, Senegal, Belgium. Welcome, everybody. Thanks for joining, especially for those of you who are like super late at night right now. Crazy, but you know, hey, it's awesome that you're joining, and so keep this conversation going.

[00:05:55] Speaking of global reach, m- our guest today is joining us from a new team at Trend Micro, the Cloud Conformity team.

[00:06:03] They also have global reach, a little bit smaller than Trend, but now they've expanded into the Trend family. And Paul is joining us from Australia.

So, Paul Horton is our guest today. He's the head of security of our Cloud Conformity unit. And so Paul, let me just unmute you here to m-make sure that we, we can hear ya.

[00:07:14] Folks, there we go. Let's see. I think we had a no-sound glitch. So we're back on there. You gotta love live streaming. So we're back onboard, which is good. But yes, so c-cloud, just to really quickly summarize what Paul was saying, he's got a ton of experience.

Not just w- as a head of security, but also helping guide the product and using the product constantly, you know, daily, which is, which is huge.

[00:07:34] So let me just double-check with the stream that we're back online for the audio. And I think we should be good.

[00:07:42] So Paul, first thing I want to talk to you about here, because you are in the trenches, because you're using this every day and you are the customer advocate, as you said.

So obviously you're talking to folks. You're dealing, hearing their problems. What teams do you see working in the cloud?

[00:08:00] Paul: So it's... th-there are a number of different teams. There are engineers, developers, security ops teams, DevOps teams. And they all have different challenges. So when I think about a developer, they're typically working on a ticket.

They're trying to fix something. They're trying to get something created. Get it up and going. And it's very easy to click through a whole bunch of different settings on the different interfaces. And before you know it, you've created an EC2 instance, for example, that's open to the internet on SSH.

[00:08:35] And it's really hard particularly, you know, when you're working as a, as a developer. You're trying to fix that ticket. You're working really quickly. And it's possible to end up creating a lot of infrastructure that you can't see.

So for example, if your platform is running on a Beanstalk, there's all kinds of different bits and pieces there. So for example, there's a load balancer. There's the auto scaling group.

And it's really easy to end up with the load balancer being public-facing. And you didn't even-even know that what you were creating created that.

[00:09:01] You, it's very easy to-to spin up a new service. And there's all kinds of insecurity in there. And also, your-your platform isn't necessarily gonna be performing.

The way that it scales may not be the way that you want it to scale. So there-there's all of these different challenges. And-and so, that's the-the developer's challenge.

[00:09:21] And then y-you've got security teams. And the security teams tend to approach things from a-a couple of different angles. So the security operations-

[00:09:30] Mark: Yeah.

[00:09:31] Paul: ... they've gotta make sure that the platform is secure. They're typically working with a security information event management system. And they've got to get to a position of visibility really quickly where they can look across regions and across accounts and be able to see the moment someone creates an S3 bucket, for example, that is public-facing.

And if it shouldn't be, they've gotta be able to identify that quickly and be able to remediate it quickly.

[00:09:54] And there's all those potential insecurities. They've gotta be able to see the moment that someone signs in as a root user. Because that almost never should happen. And getting that visibility of what's happening in real-time is really important.

But also they need to be able to get to a-a position where they can see the whole of their exposure across their virtual private cloud, across the actual infrastructure that they're building.

And then the applications that are running on top of that infrastructure and then how that infrastructure is interacting with say for example the internet.

[00:10:26] Because whilst you've got, so if we're looking at AWS, you've got the AWS infrastructure and how the AWS console is telling you that your AWS infrastructure is working.

But then if you think about a database or a server that's connected to the internet, there's a whole bunch of other network traffic that is going straight into that. That y-you have to make sure that your tooling covers both of those things.

[00:10:52] So that's the development, engineering side of things. That's the security operations side of things. And then you've got compliance and audit teams, and they've got a slightly different job.

They'll typically take a standard. So it-it might be the ISO standard or the CIS baseline for cloud security.

[00:11:09] Mark: Mm-hmm [affirmative].

[00:11:10] Paul: And then they've got to be able to report across that. And some of the-the organizations that I come across have got 500+ accounts. And so when you're trying to manage a challenge like that, you're multi-region, hundreds and hundreds of accounts. And you've gotta do a simple thing like just tell me every EC2 instance-

[00:11:31] Mark: Mm-hmm [affirmative].

[00:11:32] Paul: ... and is running a Microsoft server that is open on RDP, remote desktop protocol, and tell me that it's been patched against the latest vulnerability. Or just give me some assurance that the password that it is using is really good, if that's internet-facing.

[00:11:47] Mark: Mm-hmm [affirmative].

[00:11:48] Paul: So for example, if-if that password is winteriscoming, then yeah, it's-it's game over. Because the hackers now are really good at identifying these instances and just doing a shotgun attack against them.

[00:12:02] Mark: Yeah.

[00:12:03] Paul: So those-those are some of the different groups that we see working and trying to secure their cloud deployments.

[00:12:11] Mark: Lots to pack there, unpack there. I-I-I joke at the winter is coming comment simply because I'm up here in Ottawa, Canada. And winter showed up today and gave us-

[00:12:16] Paul: [Laughs].

[00:12:16] Mark: ... about 15 centimeters of snow.

[00:12:16] Paul: Wow.

[00:12:16] Mark: But, you know, very, very accurate. So there-there-there's a ton of stuff there that you did, you mentioned. But the first thing that I wanted to ask right off the bat is, so you identified developers, security, compliance and audit. Are these people working together?

Or is it sort of independent efforts that they're just kinda going out there? Because especially if you have an organization like you said with 500 accounts, and if every developer has the power to just kinda go launch CloudFormation and there's a ton of new stuff out there.

If they're not talking, that's a whole host of problems.

[00:12:52] Paul: It really varies. So there are some organizations and enterprises where you will meet the head of security and the head of DevOps. When those two sit down together and say, "Okay, here's our cloud posture at the moment. W-yeah, we've got all of these issues. There's all of this technical debt. But working together, what can we agree on that we're gonna fix this week?"

[00:13:16] Mark: Mm-hmm [affirmative].

[00:13:16] Paul: And that just works fantastically. Then you get a real sync going. Because there is so much. Cloud is hard to do. No one is an expert on every service. There's new services every day.

Everything is changing in this perpetual trend. If you built a workload a year ago, that needs to be refactored now. There'll be cheaper instances, better capabilities, new security things.

[00:13:39] Nothing stays still and no one is on top of all of this.

[00:13:42] Mark: Mm-hmm [affirmative].

[00:13:43] Paul: And, you know, g-developer thing. You know, you're just fixing that ticket like you may not know what infrastructure your ticket, your feature is running on.

Whether that should be updated and hey, if that was created by someone else, why should you have to fix that stuff that someone else created? And, you know, it's not-not hard to build tickets.

[00:14:03] So it works really well when we see those teams coming together. But there are still a lot of organizations where, because of size, because of the challenge, the teams are split up and they're not necessarily talking to each other i-in the way that they should be.

But that-that's really hard. It's improving, but there are still cases where people have broken down in-into those silos. And then they bump into each other.

[00:14:25] Mark: Yeah, yeah and you know, bumping into each other is probably the best case scenario. The question, you know, when you have those silos, what about the gaps between them, right? An-and that causes a host of problems 'cause you mentioned S3 buckets right off the start.

Those are, you know, everyone who follows me knows that's sorta my pet peeve soapbox. Because they start locked down and then-

[00:14:42] Paul: Yes.

[00:14:42] Mark: ... somebody makes a decision to unlock them or implicitly unlocks it without actually making that decision. And when you've got these teams not talking to each other, it's-it's a nightmare.

[00:14:54] Paul: Yeah, it-it's really difficult. And there is so much that-that can happen that it is like that. So it's hard to get that visibility.

[00:15:04] Mark: Mm-hmm [affirmative].

[00:15:05] Paul: And if you're trying to do something, just something as simple as tag all your infrastructure, and that typically starts from someone trying to control cost. And to control cost,

you've gotta get a view on your cost. And so it's great when that first starts because that starts to give you that global view. But it's one thing to be able to identify a server that's open to the internet on RDP.

[00:15:28] But if that's in a fleet of EC2s and there's 300 of them, and 20 different business groups responsible, who do you send the email to saying this server needs to be sorted out?

[00:15:39] Mark: Mm-hmm [affirmative].

[00:15:40] Paul: So, in trying to get something in place like that, that tagging so that you know who all of the infrastructure belongs to. And then that helps for those cross-role teams.

But at the beginning it's really hard. And it- and a typical journey that I see is an organization will start up with a proof of concept on, for example, AWS.

[00:16:03] Mark: 'Kay.

[00:16:03] Paul: That goes so well, it immediately turns into a production workload. And then you roll forward two years.

[00:16:11] Mark: Yeah.

[00:16:11] Paul: And they've got 150 accounts, stuff in every region. You've got sandbox accounts, development accounts, project accounts. Cost is totally out of control. No what - you can't see within an account across regions. That'll pr- that alone across accounts.

[00:16:28] Mark: Mm-hmm [affirmative].

[00:16:28] Paul: Your monitoring may not be up to speed. And then you go, "Oh, my God. Where do I start?"

[00:16:33] Mark: Yeah.

[00:16:33] Paul: And so th-the first thing that you gotta do at that stage is be able to get that view across all of your infrastructure. But then you end up at the next problem, which is, okay, so before I didn't know what was happening here.

Now I know I've got a whole lot of technical debt, with all this exposure, and you've gotta come up with a plan to sort that out.

[00:16:56] But even that, you know, if you've got hundreds of thousands of failures and you're discovering things like, oh, we've got our main database in production. And it's running on Microsoft and it's not encrypted. And it's 15 terabytes.

[00:17:06] Mark: Mm-hmm [affirmative].

[00:17:07] Paul: And you've never taken an unencrypted database. An encrypted.

[00:17:11] Mark: Yeah, ah [laughs].

[00:17:14] Paul: So it's, it is so hard. And that's just one problem. And for a typical enterprise, that can take them six months. By the time they make a copy of that database that they can play with in the development environment.

[00:17:29] Mark: Yeah.

[00:17:30] Paul: Where they can take a backup of it, create a new instance. Make that new instance encrypted. Restore from that backup onto the new encrypted instance. Do that five times. Work out.

It's gonna take them 10 hours to do. And then go and tell the CIO, "We've never done this before, but we practiced it in development five times. We think that we'll have an outage of 12 hours. But we're gonna have to get on." It-it's tough. It's really hard to go through that.

[00:17:58] And those are the kind of challenges, because if that team had just turned on the encryption flag from day one, they wouldn't have any of that pain.

[00:18:07] Mark: Yeah.

[00:18:07] Paul: And there's so many gotchas like that. So with a MySQL database, you can turn on auto minor update. And say that's just updating the whole time. You never end up getting behind.

If you don't, you can end up in the scenario where you've been running your database for three years and it's unsupported. You gotta jump through six versions. You've got two weeks to do it.

[00:18:32] And you have to do a product launch at the same time because you weren't planning that outage. It's like - these, these are the gotchas.

[00:18:37] Mark: Yeah, yeah. And there-there's two things in what you said there that really jumped out at me. Well, three things. So first of all, you're very polite in your phrasing.

Because I think a lot of things I would say, this is just how it happens and it's horrible. We need to fix it. The mights and maybes, very polite of you, Paul, very polite.

[00:18:52] But the two things that you had said. The one, the POC and then getting, you know, going directly to production. For the record, there should be a step in between there where you tear down the POC. Evaluate your architecture. Fix it and go to production. But that never happens.

[00:19:08] And then the, you know, the not knowing about something as simple as turning on a feature that will keep you up to date. And I think that's-that's the downside of the cloud, is that things go so fast and move so quickly.

And things like little, tiny features like, you know, auto update aren't big announcements. They just happen. And maybe you notice it i-in the docs. Maybe you notice it in the console. But most of us never use the console. So you'd never see it unless you found it in the documentation.

[00:19:32] And then something that could be a lifesaver, that-that never comes there. One of the things that happens, in the end of next year, Hero community after re:Invent is, [00:19:40] everyone always asks us like, "Hey, what's the cool new thing you found?"

And inevitably everyone I talk to is like, "Oh, I found this one basically checkbox that I can rip out this whole weird hacky infrastructure I had built to now actually solve this." Just let AWS solve it, because it's a checkbox now.

[00:19:56] Paul: That - there are so many of those. I found out the other day, and I just didn't know it. And I'd been looking for it for ages. The, if you are using AWS API Gateway, you can immediately just get a manifest of your API.

[00:20:10] Mark: Yeah.

[00:20:11] Paul: I was like, "Oh my god. That's so amazing."

[00:20:15] Mark: [Laughs].

[00:20:15] Paul: And I'd just been walking around. I'd go, "Ah, that's something that I really need to do and really sort and do it by hand." But it was there the whole time. And it's like there are so many of these. Cloud can be hard.

[00:20:26] Mark: Yeah.

[00:20:26] Paul: And in particular if... When you're focused on that one feature, you don't necessarily really understand all the infrastructure, you know. That thing at the Beanstalk, consisting of EC2s...

[00:20:37] Mark: Mm-hmm [affirmative].

[00:20:38] Paul: ... and auto scaling groups and load balancers. You're a developer. You're coding. You don't necessarily understand what a load balancer is doing. You didn't go to load balance in school. It's- it's really hard [laughs].

[00:20:49] And we tend not to have people looking at the databases anymore. Developers tend to run databases.

[00:20:56] Mark: Mm-hmm [affirmative].

[00:20:56] Paul: Which is, if it- if they had no background in running a database, then they're gonna be doing things like all logging in with the same username and password and sharing it a-amongst the whole development team.

And before you know it, that same password is being used in production and everyone knows it. And people in as, and then you end up with, oh, let's use the same password for every EC2 and SSH.

[00:21:18] You start looking around an organization for all the SSH keys, all the AWS login credentials, it ends up all over the place unless, you know, you're really concentrating on that stuff from day one. But if you come in at the two-year point, there's a lot of technical debt to work through.

[00:21:36] Mark: Yeah.

[00:21:37] Paul: It all built - it's hard.

[00:21:38] Mark: Yeah. And the challenges, you know, the challenges of understanding it. So we're about to come up to AWS re:Invent and we're gonna get a ton of new toys, which is amazing.

But then trying to keep, you know, up to speed on all that is almost impossible. But the-the-the frustrating thing I find is, you know, all the cases you're mentioning, I've seen. I've talked to people who have them. But there are easy solutions.

[00:21:58] Which means, you know, the gap isn't in the technology. The gap is in the, you know, keeping pace or finding out and being aware of these changes.

[00:22:07] There was a question from the audience I wanted to tackle. So I-I have a feeling I know what you're gonna say for one. So, but, Andrew Brown was asking. He's the CEO of ExamPro based out of Toronto here in Canada. Fantastic content creator in his own right.

He was asking what third-party security vendors are good at that visibility problem you were talking about. So seeing across multiple accounts.

[00:22:27] Now I have a feeling you may say us with Cloud Conformity. But in addition to that, would you see some tools from AWS or open-source tools that will help you track down those 500 accounts?

See what's going on? What's- what's your trick there beyond obviously checking out the free trials of Cloud Conformity at cloudconformity.com? Not that my marketing people would ever let me say that.

[00:22:48] Paul: [Laughs] Certainly. So th-there are a number of tools that do do that for you. And what we would always recommend is take some tools. So for example, when I was a customer, I looked at 10 different tools and I-I did a paper review of 10 and then I deployed two.

[00:23:04] Mark: Mm-hmm [affirmative].

[00:23:05] Paul: Take your worst account where you know stuff is really bad. The tool should find all of that. Take your best account that your best engineers built and you think that it is totally rock solid. And particularly if it's being done by a third-party provider that you paid a fortune to.

[00:23:18] Mark: Mm-hmm [affirmative].

[00:23:18] Paul: They said this is top-notch. And run the tool over that and see what you find.

[00:23:22] Mark: [Laughs]. Uh-huh [affirmative].

[00:23:23] Paul: And [laughs] and at that stage as well, you should also see things that you just didn't have visibility of before that should or typically scale. When a- when an enterprise doesn't have tooling like this deployed, they'll run the tool and they'll go, "Oh my God. We need to sort that out now."

There is a database server that is facing the internet that shouldn't be. There are numerous S3 buckets that are facing the internet.

[00:23:49] All of these kinds of things that can be really scary. And then there's another bit of it-, of it as well. And that is your tooling should enable the Chief Security Officer to be able to say when he goes to the board, "Since the last time I came and spoke to you, we've not had a breach. We don't have a breach now because I'd know. Because I'd get an alert to my mobile phone the moment there was an S3 bucket that was public. I would know about it within two minutes."

[00:24:13] Mark: Mm-hmm [affirmative].

[00:24:13] Paul: That's the kind of confidence the Chief Security Officer of an organization that is running cloud architecture should have.

[00:24:22] Mark: I like the should have. And-

[00:24:24] Paul: [Laughs].

[00:24:24] Mark: ... hopefully... I mean the tools that-that's like you say, keep saying. The frustration part for me is that the tools are there. The tools are there-

[00:24:30] Paul: Yeah, they are.

[00:24:31] Mark: ... to find that, you know. And one of the things I noticed, some of the comments in the stream were talking about, and because you've mentioned multiple times like, you know, people with 150 accounts, with 500 accounts. Multi-account is an actual security strategy, right? Like setting up accounts-

[00:24:44] Paul: Oh yeah, it's a- it's a great segregation between accounts. If you're trying to protect things, you need to have those account boundaries. That's the best boundary that you can have in the cloud.

[00:24:54] Mark: Yeah. And especially in, you know, in all three of the clouds, it-it works similarly. But you can do cross-account permission roles.

[00:25:01] Paul: Yes.

[00:25:01] Mark: So that you can protect things, right? And then that way you get that immediate blast radius because you know that hard boundary. But then the flip side is you get this challenge of, hey, we've got 500 accounts now. What's where? How do we know?

Similarly with tagging, right? I-I-I laughed when it came out. But when AWS two or three years ago wrote a white paper only about how to tag things, I was like, "What are they talking about?" But that is one of the most useful resources out there.

[00:25:30] Paul: It is amazing. It is so good. You can use it for doing your identity and access management. Just identifying who owns a SAC. Things like versions. So quite often when people are deploying into production, you see some funny practices there where, yes, it's blue-green deployment, but they leave out the three deployments in production because-because, and the reason for this is people are really scared in production.

[00:25:57] Like g- as a developer, logging into production and doing something, that's scary stuff. I- and I totally get that. So you do the new deployment and you've got the previous deployment that is the known good.

Then you've got the one before that, that is your backup one. And then there's the two that you forgot about. And I have seen at least five versions being deployed in production. And if you are not putting a simple tag that says ver- so you'll have your application tag.

[00:26:23] Mark: Yeah.

[00:26:24] Paul: Then you do a version tag. And that version could be 70423. But that allows you to pinpoint exactly what's there. And this makes everything so much easier, from monitoring to investigating issues to security, so that you know.

When you can review some infrastructure best practice, you're only looking at the latest deployment. And you can see that all the way through and it allows you to really, you know, identify.

[00:26:48] Because we end up with multiple versions of an application. And if your tag just says corporate application.

[00:26:54] Mark: Good luck.

[00:26:55] Paul: Y- yeah, y-y-you're not gonna know where you are. And there are all these sorts of approaches to how to tackle doing things in the cloud that are different from the stuff that we were doing in data centers.

[00:27:06] Mark: Mm-hmm [affirmative].

[00:27:07] Paul: And the stuff thought we were on-premises. It's a new world. And new challenges, and these are the bits that are hard.

[00:27:13] Mark: W-well, it-it's, a lot of these come down to scale, right? Like if you're... So in those 500 accounts, if everything's deploying, you know, two or three apps, trying to track this stuff down, if you don't have these good sort of hygiene practices like tagging, like clear usage for each of those accounts, how long?

You know, you can't take advantage of this wonderful power of the cloud because you're chasing your own tail trying to find out. Like oh, okay, I know there's a problem with the app, but where is it? What account's it in? What version is it? Wh-what's it running? What's going on?

[00:27:44] Paul: You've got to move over to managing infrastructure as code, or-or as templates, and then driving all the changes into that. So by doing that you avoid the whack-a-mole. So if you take - if you're running a production account that's an EC2 fleet.

There's a whole bunch of servers that are open to the internet on-on SSH. And you don't want to see that anymore. If you just tell the developers to stop that and go and fix their current versions, next month they'll just pop a-all-all back up again.

[00:28:16] Mark: [Laughs].

[00:28:16] Paul: But as soon as you start to adopt templates and ensure that all the changes go into the original templates that live alongside the infrastructure that they represent, and that that becomes your working guide, and you agree that you're gonna resolve something in the environment. The changes go into the templates. You don't fiddle with the infrastructure live.

[00:28:37] Mark: Mm-hmm [affirmative].

[00:28:37] Paul: You make the changes to the infrastructure. The next deployment, those changes go out. You version the templates that re-represent your infrastructure and you drive the changes there. It's a much more streamlined process for managing.

You end up fixing things once. And you work through that technical debt. And that means you're able to tackle. This month you tackle EC2s. Next month you tackle RDS, and it goes on like that. And every time you uplift it, you're just improving your baseline.

And you're going for that biggest improvement, and when you get that sync between security and compliance, development, operations.

[00:29:13] And you just go, what are we going to do this week that is going to make a difference? Okay, we're gonna go to all the MySQL databases and we're gonna turn on auto minor update.

And just getting into that flow a-and driving that into those templates, and it-it just makes things so much more efficient if you fix things just once and they go away. And then you're just looking for the edge cases.

And those edge cases are typically when-when you've got other, deeper problems. You start to be able to see the wood from the trees.

[00:29:43] Mark: Yeah, yeah, yeah. And I mean that's... It's funny. If we, you know, th-these streams, so again, you know, audience, hashtag Let's Talk Cloud if you wanna get involved. One of the things... I'm sure if we look back on the on-demand, when you said logging into production, I'm sure I made a face.

[00:29:55] Paul: [Laughs].

[00:29:56] Mark: I always make a face. Because I-I 100% agree. It's one of those things where mentally people have to get everything out of that thought process of the old way of doing things.

We now have essentially unlimited capacity, right? It's-it costs you a couple bucks to duplicate your-your production deployment, to do those blue-greens, right?

[00:30:14] You have unlimited capacity so don't log in and fix things. Like people always freak out when I give a talk and I say don't patch production. And they're like, "What do you mean?"

And I'm like, "Well, never touch production. It should always be stable. If you identify an issue, go back into your infrastructure as code. Fix it there."

[00:30:30] Paul: Absolutely.

[00:30:30] Mark: And redeploy because now you've got consistency. So even if you mess up, you've got consistently messed up things which are easier to fix.

[00:30:37] Paul: Your, you're at a known good.

[00:30:39] Mark: Yeah.

[00:30:39] Paul: And it's going from this kind of wild west to enforcing your vision of how it should be. You're not gonna fix everything. There are so many things that need fixing that can be, you know, nonoptimal.

[00:30:51] Mark: Mm-hmm [affirmative].

[00:30:52] Paul: But if you go looking for the big things that make a big difference, and that also makes things easier for the developers. Because they're not having to go, being told to go and sort something out that they sorted out last month.

And your infrastructure becomes better all the time because, you know, it's a usual 80/20 thing where the 80% improvement will come in that first 20% of improving stuff.

[00:31:15] And then you're able to go after how you improve your application in the business that you're about. 'Cause you're not in the business really of running cloud infrastructure.

You're in the business of whatever your business is. And the more time your team's able to go back and purpose that, that's gotta be the winning strategy.

[00:31:31] Mark: Perfect, yeah. Well said, very well said. So a couple things, your, or a couple, things have kind of popped up briefly in the conversation. But I wanna, I wanna turn around and be a little more explicit in the focus.

So one of the things you mentioned, if you're not keeping an eye on your applications, if you're kinda leaving them sit for a while, you may be missing out on things like cost, right?

[00:31:49] So cost, you know, the cloud. I saw a thing from RightScale a while ago, that they did a survey and people were shocked at their cost in the cloud. And I always find that frustrating because I think you've got better visibility with the granularity, and yes, it can be hard to figure out that granularity because of all these little micro transactions.

But I find it's much easier for a business to align, you know, Action A to Cost B. And you get that direct like okay, I know what I'm spending on. I know what I'm getting out.

[00:32:18] Based on, you know, your experience as a user, as somebody who's managing security, has that pay-as-you-go approach adjusted how you think about your monitoring and security tooling at all? What's the impact there?

[00:32:32] Paul: Certainly the pay-as-you-go thing for me means that you can experiment much more quickly. If you're not locked into a year contract where you're buying a security product that's $150,000, you can just turn it on and run it from...

So for me GuardDuty is a great example of it. You just turn it on. Run it for a month. It costs you nothing to evaluate it. And by the way, we would always recommend using GuardDuty.

[00:33:00] But in the old world, you would have to have run a proof of concept maybe a number of different products.

[00:33:07] Mark: Mm-hmm [affirmative].

[00:33:07] Paul: You'd have to have done all the commercial negotiations. And it might have taken a year. And for a product like that, you'd have been paying $150,000. You can turn it on. And it costs next to nothing.

[00:33:18] Mark: Mm-hmm [affirmative].

[00:33:18] Paul: And it comes with some unique features. So, you know, GuardDuty is able to look at the VPC flow logs, the DNS look-ups. It is also matching all of that data against third-party threat information.

[00:33:32] Mark: Mm-hmm [affirmative].

[00:33:32] Paul: And then sending you alerts on anything that it finds. So for me that's a fantastic capability. It's really easy to turn on. And if your experience is bad, you can turn it off.

[00:33:43] Mark: Yeah.

[00:33:44] Paul: At the end of the trial or at the end of month two and go, that's actually more expensive and we've already got a different capability that takes care of that.

[00:33:50] Mark: Mm-hmm [affirmative].

[00:33:51] Paul: That's fine. But what that allows you to do is do that. Have a look at stuff. If it doesn't work, you can actually do the real trial rather than that really formal one process, which to me is too old, and not doing that anymore.

[00:34:06] I think the other thing that does as well is you don't need to involve sales. You can go to marketplace. You can choose a product. Deploy it. Run it. And at no stage have you spoken to sales.

And for a number of people, that is really attractive. You know, I'm totally capable of downloading a, a set of rules for a web application firewall.

[00:34:27] Mark: Mm-hmm [affirmative].

[00:34:28] Paul: Setting them up. Running them and evaluating them. And I'll decide if I'm gonna buy them. There's a lot of people who like to buy like that. And they can do it 24/7.

[00:34:36] Mark: Yeah.

[00:34:36] Paul: You know, so when I look at how Amazon revolutionized buying a book, I think the marketplace is revolutionizing how you buy software.

[00:34:45] Mark: For sure, 'cause then also, you know, I find, you know, 'cause I used to... So I've been with Trend for 7-1/2 years or so. Before that I was with the Canadian federal government. So very traditional buying infrastructure.

If we wanted to buy anything, we had the vendor come in. Set up a POC. They would normally come and say here's how you can test a whole bunch of stuff. And I find that ability in the marketplace to try something and test it against my own criteria, right?

As long as there's good documentation there so that I, you know, I can get help if I need it. That's changed how I, as a customer, am doing things.

[00:35:15] Because I go, you know what? This is my problem. This is my use case. I don't really care about the rest of the big bubble. I wanna solve Problem X. And I'm gonna test against Problem X.

And if this doesn't do it, I'm gonna move on. And at the end of the week, it cost me 10 bucks in various fees to various vendors. But now I know, right? I have had hands-on experience with all these things whereas before that was really, really difficult to pull off.

[00:35:36] All right, Paul, I'm gonna, I'm gonna hit you with a couple things here. I want,

[00:35:39] Paul: Sure.

[00:35:40] Mark: ... I want... So this is where... We tried this out on the first frame and it worked really, really well. I want rapid fire sort of one, two word responses. And then we'll, then we'll dig in a little bit more, depending on what you say.

So no wrong answers except, you know, all the wrong answers I don't agree with.

[00:35:55] [laughs], so,

[00:35:56] Paul: [Laughs].

[00:35:57] Mark: Compliance, useful or just a checkmark?

[00:36:00] Paul: Really useful. So, you were after the short answer.

[00:36:04] Mark: Yeah, yeah. You gonna [crosstalk 00:37:02] you gotta hold to the short because then that makes it. We'll come back. We'll circle back.

Don't worry. All right, we're a year-plus into GDPR. Has it advanced security or has it isolated it more as an organization or an activity?

[00:36:18] Paul: Definitely advanced.

[00:36:20] Mark: 'Kay, bucket permissions on S3, real issue or just headlines that are attention-grabbing?

[00:36:26] Paul: Real issue.

[00:36:27] Mark: 'Kay, PCI DSS, modern or outdated? Yeah.

[00:36:35] Paul: Still relevant for today's customers who are happy to use it.

[00:36:38] Mark: Oh, very safe answer, my friend. Very safe answer.

[00:36:43] Paul: [Laughs].

[00:36:43] Mark: Security automation, lip service or real activity?

[00:36:47] Paul: If you're not there, you're struggling. You gotta get there.

[00:36:51] Mark: 'Kay, last of the rapid fires. Audits, overblown panic or legitimate concern?

[00:36:58] Paul: Legitimate.

[00:36:59] Mark: 'Kay, let's tie that with compliance and the audits. So where, I mean you live this as head of security, right? This is your bread and butter. You have to deal with that. You know, auditors are real people. We give them a chance.

Once you get to know them, they're nice. You know, initially not so much. But, what... So what's your take? Compliance and auditing, what's the advantage for an organization?

[00:37:21] Paul: You don't know what you don't know. So-

[00:37:23] Mark: Mm-hmm [affirmative].

[00:37:24] Paul: ... if you're going back to that, you've had your POC. You've been running for two years. Another way of tackling that would be to run an audit across the infrastructure.

So I would take something like the CIS baseline for cloud security and, yeah, if we take a scenario, and this is not uncommon, an enterprise has been told, the security team, one of the big four audit companies is coming in a year's time.

They're gonna audit your cloud infrastructure. How do you prepare for that?

[00:37:51] And what we would advise in that scenario is take a baseline, the CIS baseline. And then apply that against your infrastructure.

[00:38:00] Mark: Mm-hmm [affirmative].

[00:38:00] Paul: See where you have the failures on day one. And make that your baseline. And then every month for the next 12 months, you're gonna tackle the top five issues.

And when the auditors come in, you wouldn't have done all of it. But you can tell a really good story about how we've adopted this baseline.

[00:38:17] Mark: Mm-hmm [affirmative].

[00:38:17] Paul: And this is how we're working to uplift our infrastructure. And sure, some of those things within the baseline won't add a great deal of business value. But you... some of them really will and some of them will identify some major issues.

But you've got to align to the whole standard. The standard's written for every type of company, every kind of environment. So there are gonna be some, some [inaudible 00:39:42] there. But generally speaking, again, 80/20. I'd be happy if 80% of a baseline added real value and 20% didn't.

[00:38:47] Mark: Okay.

[00:38:48] Paul: That's fine. You gotta start somewhere. And hey, they've come up with that baseline. If you had to come up with your own control standard internally, you know, you could spend a year working that out. Take someone else's. Get going.

[00:39:01] Mark: Yeah, fair. And that's solid, practical advice. You can tell you've lived it. 'Cause that's a reasonable, pragmatic approach, right? And, you know, you keep using that word baseline and I think that's a key one, right?

That's the baseline you should be at. And then once you've achieved that, you should be looking at your specific threat model to move beyond it, right?

[00:39:18] So maybe-

[00:39:19] Paul: Absolutely.

[00:39:20] Mark: Yeah, you know, 'cause everyone's got a unique scenario. And we deal with this quite often when people ask about hacks. And they're like, "Oh, was it, you know, was it a nation state?"

And you're like, "Ah, that's not the risk model you should be worrying about for your company, right?" Most companies-

[00:39:33] Paul: Yeah.

[00:39:33] Mark: ... standard cybercriminal, so let's defend based on your risk model. What's your secret sauce, right? So, the example I always use. It's very flippant, but it works well, is, you know, you don't put a ton of effort into protecting the cafeteria menu.

But you darn well better do your best to protect customer data and financial information, right?

[00:39:52] So-

[00:39:53] Paul: Yeah.

[00:39:53] Mark: ... what's important to you? What's important to your business? And that's what you go after. So that baseline and then move forward. What's your take on audit evidence?

I find this really interesting. So let me just get you to give me a little spiel on audit evidence. And then I'll ask you a little more depth.

[00:40:10] Paul: So to me, when it really comes to an audit, what I'd be looking for is a policy that says this is what we do.

[00:40:17] Mark: Mm-hmm [affirmative].

[00:40:23] Paul: And then I'd expect to see a process that is how you do the thing that you say that you're gonna do. And then I'd expect to see the evidence of you doing that.

And whatever that reasonable evidence is for that. With automation, so for example with PCI DSS, you used to say, okay. So there are 100 servers. We're gonna go in five and you'd put that in as your evidence. We selected five out of a hundred. But with automation you're able to check all of those servers and you're able to check them 24/7.

[00:40:45] So that would give you an advantage because if you're going out of compliance, you'll know it about as early as possible and you'll have the largest window to be able to fix it.

You're also able to show the whole time that you are in compliance, which is unusual. Because in the olden days how could you prove that? So it's really easy for anyone to say, any company that, at the time they got hacked, they were in compliance.

[00:41:06] Mark: Mm-hmm [affirmative].

[00:41:07] Paul: Who knows? Who could prove it? Whereas today, you could actually say actually that workload was compliant with the standard and it was still hacked. So we did our best job but-

[00:41:17] Mark: Yeah.

[00:41:18] Paul: ... and that could potentially happen. When it comes to the evidence, if you're looking at something like AWS or cloud infrastructure in general, you go looking for the lowest-level API call.

And if the tooling that you use is using that and you're able to go and test one thing and then go and check it in CloudTrail and be able to marry up the two and say-

[00:41:41] Mark: Mm-hmm [affirmative].

[00:41:41] Paul: ... "we're showing that says there." When wouldn't you share in an order to that for one thing? They're usually happy enough with what you're doing. That's quite often a customer concern. But when the tire hits the road, I rarely see auditors challenging that.

[00:41:59] Mark: Yeah.

[00:42:00] Paul: Because typically by that stage, the enterprise involved has done so much work on their security, their resilience, even making sure that-that platform is optimized for cost because that's an important thing.

Like you can't build a workload that's gonna cost a fortune to run. Because you're not gonna be able to run it like that. And that's not gonna prove anything to the auditors.

[00:42:23] Mark: Yeah.

[00:42:23] Paul: And they also want to be able to say that it's resilient. You know, it-it doesn't matter whether it's secure if it falls down every two minutes. And what are you gonna do if that AZ goes down or that breached goes down? And having that kind of approach in your planning is-is really useful.

[00:42:38] Mark: Yeah, 'cause I think unfortunately, this week a lot of people are gonna have to deal with that scenario because on GCP a bunch of the compute services went down Monday morning North American time. And that's great advice. Plan ahead for that. Show that there, that disaster recovery, that resiliency.

[00:42:52] One of the things that really jumped out at me in your answer there was that automation. So the traditional way of handling an audit was, you know, you freak out on Friday 'cause you remember the auditor showing up on Monday.

And you scramble to get a whole bunch of evidence. But if you're d- I see you've had this experience. If you're dealing with the cloud, if everything is infrastructure as code, I always try to advise people to think about that when you're doing deployments, to have as part of that deployment audit evidence that gets recorded at the time to say, you know, here's what's out there. Here's what's changed versus the last time.

And if the system is taking care of it for you, that makes your job so much easier as far as monitoring that compliance and then proving it to the auditors. And self-auditing so you get that continuous compliance going, right?

[00:43:39] Paul: If any of your audit evidence or the way you're managing controls is in an Excel spreadsheet, you've got a fantastic opportunity to automate that. Yeah, you've gotta go beyond that. You're staying in a very painful place if that's where you are.

[00:43:55] Mark: Mm-hmm [affirmative]. Yeah, and that-that's a-

[00:43:57] Paul: Big, big opportunity.

[00:43:58] Mark: Yeah, and I-I get it. You're so positive [laughs].

[00:44:01] Paul: [Laughs].

[00:44:01] Mark: It's amazing to find somebody who's still doing like hands-on security work who's positive. Normally we're, you know, like four days of beard, grumbly in the corner with a drink going, "Oh, I can't believe this."

But it's good. That's good. That means, you know, you're making progress.

[00:44:16] Let me ask then. So 'cause you are so positive, you, obviously, you know, you have buy-in with the people you're working with, right? Because you're head of security at Cloud Conformity.

You've gotten the buy-in from the people and you're implementing this stuff, right?

[00:44:31] Paul: We're a cloud security company. We were born in the cloud. So yeah, this is our bread and butter. We do this every day and everyone passionately believes in it.

We've got a company who are incredibly passionate about cloud security and what our product does and helping people.

[00:44:47] And there's such an opportunity. So, you know, within the cloud shared responsibility model, there's a lot that's back on the customer side that's hard.

[00:44:55] Mark: Mm-hmm [affirmative].

[00:44:56] Paul: Like we all see it's our opportunity, making that as easy as possible for everyone. Yeah, so for example, our knowledge base is public-facing. There's over 500 AWS best practices anyone can look at. And it tells you why it's bad.

How to check for it using the console and [inaudible 00:46:22] interface. How to fix it using the manual interface and the console. You don't need to, you know, buy a tool or anything like that. And that's out there the whole time. That's how passionate we are about making the cloud easier to secure.

[00:45:25] Mark: Yeah, and that's a fantastic resource. I just put the link in the LinkedIn chat. We'll put it on Twitter as well. 'Cause I love it as well. The KB's very straightforward.

Like here's how you do it in the browser. Here's how you do it in the CLI. Awesome. We had a comment from Andrew, who I know well. He's a great guy. He made, you know, a joke remark. But said, "you know, if your audit evidence is in Airtable over Excel, it's okay."

And, I would say, you know, as much as he's joking, 'cause Airtable's the new web-based Excel.

[00:45:52] Paul: Yeah.

[00:45:53] Mark: I would say if your output is in Airtable, that's a great way to visualize what you're automating in the backend. And feed that into the Airtable API to get a human-readable, you know, red light, green light.

[00:46:04] Paul: Yeah, absolutely.

[00:46:04] Mark: You're good. So, you know, as much as Andrew was joking, Airtable is great. QuickSight is great for that in AWS as well.

[00:46:11] Paul: Yes.

[00:46:12] Mark: You can dump your evidence into an S3 bucket. Visualize it in QuickSight and then, I find the strategy there is really good: to have for the team's hands-on, very granular dashboards.

When you get higher up the level to the execs, you get simpler and simpler. You know, think like going from really high art tools to crayons at the top. Because that's their level of concern. Are we good or not?

[00:46:33] Paul: Just showing a simple percentage figure on where you are with security, where you are with cost optimization.

[00:46:41] Mark: Mm-hmm [affirmative].

[00:46:41] Paul: Where you are with your workloads being performed. Makes it really simple to be able to compare account-to-account team-to-team and we find that people find that a really easy way of doing things where-

[00:46:53] Mark: Yes.

[00:46:54] Paul: ... when it's accepted, looking at their posture.

[00:46:56] Mark: Absolutely.

[00:46:57] Paul: And-and if it's automated. Then it's unarguable.

[00:47:01] Mark: Right.

[00:47:01] Paul: And then when you make changes when, then when you improve it, it really is improving.

[00:47:05] Mark: Yeah. And you're moving to quantifiable, right, as opposed to the, you know, this always frustrates me with threat models where it's like oh, it's high. Based on that?

[00:47:14] Paul: [Laughs].

[00:47:14] Mark: Whereas, you know, having evidence-based security is really fantastic, right? So this has been a great conversation, Paul. I really appreciate it. I do have one final question for you.

[00:47:24] Paul: I thought you might.

[00:47:25] Mark: Yeah, it's more of a personal one.

[00:47:26] Paul: [Laughs].

[00:47:26] Mark: And it's not a bad one. But what's your favorite cloud service? So, you know, something specific within AWS or GCP or Azure. What do you like personally?

[00:47:36] Paul: It's really easy. We're serverless. So for us it's Lambda. We can fix pretty well anything with a Lambda. They're just, they're so cool. It's the future. And we love it. So, we're really passionate about serverless. AWS Lambda, awesome.

[00:47:51] Mark: Fantastic, and I think knowing how much that's been sort of through the AWS Summit series since this spring, it's been getting talked about more and more. I'm pretty sure we're in for a lot of cool new toys to help us manage Lambdas in Lambda itself come re:Invent. You'll be at re:Invent this year?

[00:48:07] Paul: Yes, looking forward to it.

[00:48:09] Mark: It's gonna be crazy, 65,000 plus people. You... so Cloud Conformity is a new part of the Trend Micro family. We'll be at the Trend booth in there. But, so you were at re:Invent last year. Do you have any tips for attendees at re:Invent at all based on your experience last year?

[00:48:27] Paul: Yeah, I would say don't get too hung up about getting to every single presentation. You can always catch up with those afterwards.

[00:48:35] Mark: Mm-hmm [affirmative].

[00:48:36] Paul: So those are gonna be recorded. For me it's the interaction with the AWS people, with the people from other companies, with customers, all of those things. That's the value of re:Invent, the event itself, meeting people and spending the time there. That's fantastic.

[00:48:50] Mark: That's great advice. Yeah, and this year there's a whole bunch of new events. I know talking to Andy and Jill who run re:Invent for AWS, they've... The pub crawl had kinda gone away.

There's still some pub events. But they brought in board game night, movie night, a whole bunch more sorta social networking events to get people together, because yeah, everything is up on the AWS YouTube channel within a week or two. And, you know, there's tons of stuff going on on Twitter.

Which we've got our Twitter handles up on the banner below, on the card below.

[00:49:17] But yeah, that's great advice. Also bring a good pair of shoes because you're gonna be walking a lot.

[00:49:22] Paul: It's a big area [laughs]. It's huge.

[00:49:25] Mark: It is crazy and it's gotten bigger. So with that, Paul, I think we're gonna wrap up this stream. I really appreciate you taking the time. This has been a fantastic conversation.

Thank you to the audience. We've had a lot of great talk around the hashtag #LetsTalkCloud.

[00:49:38] This was Episode 2 of many to come. You can see online or on the stream right now Paul's Twitter. Follow him on Twitter, reach out, you know. Tell him what you thought of this. Ask him any questions, all that kind of stuff.

Always good. I'm just randomly roping you in for extra work at this point, Paul.

[00:49:52] Paul: [Laughs]. Thanks, Mark.

[00:49:53] Mark: Yeah, you know, well hey, it's welcome to the team. So…

[00:49:56] Paul: [Laughs].

[00:49:56] Mark: ... with that, thank you very much, everybody. We appreciate it. Remember, keep this conversation going. We will monitor the comments and reply on LinkedIn, on YouTube, on Twitter. And we'll see you next week for the next episode. Thanks a lot.