Security Teams & Tech In A Cloud World

Mark Nunnikhoven, Vice President Cloud Research @marknca

Audience: Public

Security “Facts”*

* About your organization or one just like it

We will respond quickly to an incident

Attackers are on a network an average of 154 days

We need more tools

Canadian companies spend just under 10% on IT security*

* 60% of companies didn’t mention people or process as an area of focus

Users are a major problem

Security is considered the opposite of usability

Security is everyone’s responsibility

You have one, isolated security team*

* …and a wildly unsuccessful “awareness” program

Mark Nunnikhoven, Vice President, Cloud Research, Trend Micro, @marknca

Modern Security

Video available at https://vimeo.com/111631197

© Trend Micro, 2016

Automated Response

[Diagram, built up over several slides. Components in the order they are introduced: Web UI ×3 (VM), SIEM / Log Store, Monitoring, Event-driven Function, CSP API, Restrict Access, Web UI]

2014

What’s the hold up?

Running in the Cloud

Shared Responsibility Model

IaaS (Infrastructure), PaaS (Container), SaaS (Abstract). Each column shows the same stack:

Data
Application
Operating System
Virtualization
Infrastructure
Physical

IaaS Setup

Steps:

• Lock down operating system, applications, and data
  Harden system according to NIST / best practices. Encrypt everything

• Enable service health monitoring features
  Check your CSP’s documentation

• Monitor service API activities
  Look for unauthorized replication, start up, termination, etc.
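
One way to carry out the last IaaS step, monitoring service API activity, as an added example that is not part of the original slides: it scans audit events for replication, start-up and termination calls made by principals that are not approved for them. The event fields, action names, principals and approval table are constructed assumptions, not any provider's real API.

```python
# Added example: review CSP API audit events for unauthorized sensitive calls.
# All names and events below are constructed for illustration.
from dataclasses import dataclass

# The action types the slide calls out: replication, start up, termination.
SENSITIVE = {"ReplicateVolume", "StartInstance", "TerminateInstance"}

# Assumption: each automation principal is approved for specific actions only.
APPROVED = {
    "deploy-pipeline": {"StartInstance", "TerminateInstance"},
    "backup-service": {"ReplicateVolume"},
}

@dataclass(frozen=True)
class Finding:
    time: str
    principal: str
    action: str
    resource: str
    reason: str

def review_api_activity(events):
    """Return a Finding for every sensitive call by a non-approved principal."""
    findings = []
    for ev in events:
        action = ev.get("action")
        if action not in SENSITIVE:
            continue  # read-only or low-impact call
        # An event with no caller identity is never treated as approved.
        principal = ev.get("principal") or "<unknown>"
        allowed = APPROVED.get(principal)
        if allowed is not None and action in allowed:
            continue
        reason = ("principal has no approved sensitive actions" if allowed is None
                  else "principal not approved for this action")
        findings.append(Finding(ev.get("time", ""), principal, action,
                                ev.get("resource", ""), reason))
    return findings

SAMPLE_EVENTS = [  # constructed audit log entries
    {"time": "09:00", "principal": "deploy-pipeline", "action": "StartInstance", "resource": "web-ui-1"},
    {"time": "09:05", "principal": "backup-service", "action": "ReplicateVolume", "resource": "vol-data"},
    {"time": "09:10", "principal": "backup-service", "action": "TerminateInstance", "resource": "web-ui-2"},
    {"time": "09:12", "principal": "alice", "action": "DescribeInstances", "resource": "*"},
    {"time": "09:15", "principal": "alice", "action": "ReplicateVolume", "resource": "vol-data"},
    {"time": "09:20", "action": "StartInstance", "resource": "vm-unnamed"},
]

if __name__ == "__main__":
    for finding in review_api_activity(SAMPLE_EVENTS):
        print(finding)
```
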

PaaS Setup

Steps:

• Read all the documentation
  Seriously, RTFM

• Implement strong code quality systems
  Automation is critical to success

• Configure access control and other security features
  Check your CSP’s documentation

SaaS Setup

Steps:

• Read all the documentation
  Seriously, RTFM

• Configure access control and other security features
  Check your CSP’s documentation

Any Cloud Service Setup

Steps:

• Evaluate controls against acceptable level of risk for data used in service
  I shouldn’t have to say this

• Monitor all service provider status updates and communications channels
  Remember to include them in your IR plans

Opportunity

Time to deploy, by environment:

Physical: Weeks
Virtual: Days
Cloud: Minutes
Container: Seconds
Function: Immediate

Goal

Move faster. Focus on value

Goal

Deploy using the method that delivers the most value

Constraint

Every tool adds overhead

Relief

Automation allows for the speed, scale, and consistency required

Goal

Deploy using the method that delivers the most value…
…with minimal operational impact

DevOps

Success

Flickr: deploys 10+/day
Etsy: deploys 50+/day
Amazon: deploys 11.7 seconds
Adobe: +60% app development
Fidelity: $2.3M saved for one app

Where’s security?

…can have a much stronger security posture in AWS and the cloud than they can on-premises

Andy Jassy, AWS CEO

* From an interview with the Wall Street Journal, http://www.wsj.com/articles/amazons-andy-jassy-on-the-promise-of-the-cloud-1477880220

Security is everyone’s responsibility

Security Everyone

Team Challenges

New Skills Needed

Security Specialist

Steps:

• Basic understanding of development practices & ability to write simple code
  Everything in the cloud is an API. Security MUST BE automated

• Puts the user first
  We make the tech that they “can’t use right” … not their fault

• Perspective & understanding of practical security
  No more “the sky is falling”

• Educators
  Written, video, presentations, Slack, …anywhere teams are working

Your Org Chart Is Wrong

Typical Org Chart

[Org chart. Boxes: CIO, CISO, GRC, Dev, Ops, Infrastructure, Ops]

Updated Org Chart

[Org chart, built up over several slides. Boxes in the final slide: CIO, CISO, GRC, Dev, Ops, Infrastructure, Ops, GrC]

Peter Merholz (@peterme), Kristin Skinner (@bettay)

Specialist Distribution

Bridges

Coffee, Shadowing, Teaching

Goal

Fabric

1 min

Slow lane
Fast lane

1 min

Is this bad? and Is this malicious?

1 min

Is this bad?
Aggregate information: 1m, h, d, w, m; Trends
Evidence of compliance: Configuration; Processes
Deployment data: Performance; Debug

SecOps

1 min: Aggregate, Evidence, Deployments

Get stuff done

Thank you!

mark_nunnikhoven@trendmicro.com | @marknca
