Meanwhile in Security
Jesse Trucks
Subscribe
Cloud security is a minefield of news that assumes the word "Security" is lurking somewhere in your job description. It doesn't have to be this way. Weekly cloud security news for people with other jobs to do. Cloud Security For Humans.
Available episodes
Newest first
Oldest first
Sep 2, 2021
Standing in the Rain Isn't Diving in the Sea
Links:
* Microsoft Azure Cloud Vulnerability Exposed Thousands of Databases: https://www.darkreading.com/cloud/microsoft-azure-cloud-vulnerability-exposed-thousands-of-databases
* Google, Amazon, Microsoft Share New Security Efforts After White House Summit: https://www.darkreading.com/operations/google-amazon-microsoft-share-new-security-efforts-post-white-house-summit
* New Data-Driven Study Reveals 40% of SaaS Data Access is Unmanaged, Creating Significant Insider and External Threats to Global Organizations: https://www.darkreading.com/cloud/new-data-driven-study-reveals-40-of-saas-data-access-is-unmanaged-creating-significant-insider-and-external-threats-to-global-organizations
* Researchers Share Common Tactics of ShinyHunters Threat Group: https://www.darkreading.com/attacks-breaches/researchers-share-common-tactics-of-shinyhunters-threat-group
* How to automate forensic disk collection in AWS: https://aws.amazon.com/blogs/security/
* Confidential computing: an AWS perspective: https://aws.amazon.com/blogs/security/
* New in October: AWS Security Awareness Training and AWS Multi-factor Authentication available at no cost: https://aws.amazon.com/blogs/security/amazon-security-awareness-training-and-aws-multi-factor-authentication-tokens-to-be-made-available-at-no-cost/
* Use IAM Access Analyzer to generate IAM policies based on access activity found in your organization trail: https://aws.amazon.com/blogs/security/
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.
Corey: This episode is sponsored in part by Thinkst Canary. This might take a little bit to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, or anything else like that that you can generate in various parts of your environment, wherever you want them to live; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use them. It’s an awesome approach to detecting breaches. I’ve used something similar for years myself before I found them. Check them out. But wait, there’s more because they also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment and manage them centrally. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files that it presents on a fake file store, you get instant alerts. It’s awesome. If you don’t do something like this, instead you’re likely to find out that you’ve gotten breached the very hard way. So, check it out. It’s one of those few things that I look at and say, “Wow, that is an amazing idea. I am so glad I found them. I love it.” Again, those URLs are canarytokens.org and canary.tools. And the first one is free because of course it is. The second one is enterprise-y. You’ll know which one of those you fall into. Take a look. I’m a big fan. More to come from Thinkst Canary weeks ahead.
Jesse: Disaster befell much of the middle south of the US when Ida slammed into the coast and plowed its way up north through the land. What does a hurricane have to do with security? Business continuity. Business continuity is the discipline of maintaining business operations, even in the face of disasters of any kind, such as a hurricane-driven storm surge running over the levees and flooding whole towns. If you have all your computing systems in the cloud in multiple regions, then such a disaster won’t fully halt your business operations.
However, you still might have connectivity issues and possibly either temporary or permanent loss of non-cloud systems. Be sure your non-cloud systems have appropriate backups off-site to another geographically disparate location. Better yet, push backups into your cloud infrastructure and consider ways to utilize that data with your cloud systems during a crisis. Hmm, perhaps you’ll like it so much you will push everything else up to the cloud that isn’t a laptop, tablet, or phone.
Meanwhile in the news, Microsoft Azure Cloud Vulnerability Exposed Thousands of Databases. Security for cloud providers can potentially have catastrophic and large scale repercussions. Keep an eye out for any problems that come up that might affect your operations and your data. Do keep in mind your platform has a direct impact on your own risk profile.
Google, Amazon, Microsoft Share New Security Efforts After White House Summit. The National Institute of Standards and Technology—or NIST—is building a technology supply chain framework with the big tech companies, including Apple, Amazon, Google, IBM, and Microsoft, and this is a big deal. I’m sure the fighting amongst those companies will make this initiative die on the vine, but I hope I’m wrong.
New Data-Driven Study Reveals 40% of SaaS Data Access is Unmanaged, Creating Significant Insider and External Threats to Global Organizations. Back to basics: secure your data; lock down those buckets; don’t be stupid. Also, when we’re talking cloud apps and services, there should be no assumption that anyone accessing the application via an obfuscated link or permissions too broad to
effectively secure the data therein.
Announcer: Have you implemented industry best practices for securely accessing SSH servers, databases, or Kubernetes? It takes time and expertise to set up. Teleport makes it easy. It is an identity-aware access proxy that brings automatically expiring credentials for everything you need, including role-based access controls, access requests, and the audit log. It helps prevent data exfiltration and helps implement PCI and FedRAMP compliance. And best of all, teleport is open-source and a pleasure to use. Download teleport at goteleport.com. That’s goteleport.com.
Researchers Share Common Tactics of ShinyHunters Threat Group. Put Indicators of Compromise—or IOC—data for the latest APT group or malware into your monitoring tool or tools. It’s possible, depending on the vendor, that there are already detections you can add to your production monitoring. Save some time and look for those pre-made searches, configurations, and scripts before you make your own.
How to automate forensic disk collection in AWS. Automating forensic data gathering is incredibly valuable. This not only has obvious value in security incident response, but it has value in teaching us how these parts in AWS work. This is worth a close read—several times if you need to—to understand how EBS, S3, automating EC2 actions, CloudWatch logging—among other services—operate. There are other pieces to the glue here to learn, as well.
Confidential computing: an AWS perspective. If you use EC2, you need to understand the AWS Nitro System. Their hardware-based approach to their hypervisor for virtualization combined with hardware-based security and encryption is quite well made. Everyone worried about security at all while using EC2—which I argue should be all of you—should know the concepts of how Nitro works.
New in October: AWS Security Awareness Training and AWS Multi-factor Authentication available at no cost. Now, this has value. Free basic security training for average users on fundamental computer security, including things like phishing and social engineering, is an amazing gift. Also, how many times have I wanted to point someone into an easy-to-understand multi-factor authentication tutorial? Oh, not often; only every single day.
Use IAM Access Analyzer to generate IAM policies based on access activity found in yo…
playlist_add
Aug 26, 2021
Can You Hear Me, Can You See My Screen?
Links:
* How to Make Your Next Third-Party Risk Conversation Less Awkward: https://www.darkreading.com/vulnerabilities-threats/how-to-make-your-next-third-party-risk-conversation-less-awkward
* 5 Vexing Cloud Security Issues: https://www.itprotoday.com/hybrid-cloud/5-vexing-cloud-security-issues
* Attackers Increasingly Target Linux in the Cloud: https://www.darkreading.com/threat-intelligence/attackers-increasingly-target-linux-in-the-cloud
* Top 5 Best Practices for Cloud Security: https://www.infosecurity-magazine.com/magazine-features/top-5-best-practices-for-cloud/
* Zix Releases 2021 Mid-Year Global Threat Report: https://www.darkreading.com/cloud/zix-releases-2021-mid-year-global-threat-report
* The big three innovations transforming cloud security: https://siliconangle.com/2021/08/21/big-three-innovations-transforming-cloud-security/
* The Benefits of a Cloud Security Posture Assessment: https://fedtechmagazine.com/article/2021/08/benefits-cloud-security-posture-assessment
* How to Maintain Accountability in a Hybrid Environment: https://www.darkreading.com/cloud/how-to-maintain-accountability-in-a-hybrid-environment
* 6 Cloud Security Must-Haves–with Help from CSPM, CWPP or CNAPP: https://www.eweek.com/security/6-cloud-security-must-haves-with-help-from-cspm-cwpp-or-cnapp/
* The hybrid-cloud security road map: https://www.techradar.com/news/the-hybrid-cloud-security-road-map
* How Biden’s Cloud Security Executive Order Stacks Up to Industry Expectations: https://securityintelligence.com/articles/biden-executive-order-industry-expectations/
* Cloud Security: Adopting a Structured Approach: https://customerthink.com/cloud-security-adopting-a-structured-approach/
* The Overlooked Security Risks of the Cloud: https://threatpost.com/security-risks-cloud/168754/
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.
Corey: This episode is sponsored in part by Thinkst Canary. This might take a little bit to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, or anything else like that that you can generate in various parts of your environment, wherever you want them to live; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use them. It’s an awesome approach to detecting breaches. I’ve used something similar for years myself before I found them. Check them out. But wait, there’s more because they also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment and manage them centrally. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files that it presents on a fake file store, you get instant alerts. It’s awesome. If you don’t do something like this, instead you’re likely to find out that you’ve gotten breached the very hard way. So, check it out. It’s one of those few things that I look at and say, “Wow, that is an amazing idea. I am so glad I found them. I love it.” Again, those URLs are canarytokens.org and canary.tools. And the first one is free because of course it is. The second one is enterprise-y. You’ll know which one of those you fall into. Take a look. I’m a big fan. More to come from Thinkst Canary weeks ahead.
Jesse: It is 2021. Conference calls and remote meetings have the same decade-old problems. Connection drops, asking if anyone can hear us, asking if anyone can see our screen, even though we can clearly see the platform is in sharing mode with our window front and center. Why is this so hard? We live in the golden age of the cloud.
Shouldn’t we be easily connecting and sharing like we’re in the same room rather than across the planet? Yes we should. Sure, there have been improvements, and now we can do high-quality video, connect dozens or hundreds of people from everywhere on a webinar, and usually most of us can manage a video meeting with some screen sharing. I don’t understand how we can have Amazon Chime, WebEx, Teams, Zoom, Google Meet—or whatever it’s called this month—GoToMeeting, Adobe Connect, FaceTime, and other options, and still not have a decent way for multiple people to see and hear one another and share a document, or an application, or screen without routine problems. All of these are cloud-based solutions.
Why do they all suck? When I have to use some of these platforms, I dread the coming meeting. The worst I’ve seen is Amazon Chime—yes, that’s you, Amazon—Microsoft Teams—as always—and Adobe Connect. Oof. The rest are largely similar with more or less the same features and quality, except FaceTime, which is still only a personal use platform and not so great for conferences for work. I just want one of these to not suck so much.
Meanwhile in the news. How to Make Your Next Third-Party Risk Conversation Less Awkward. You know that moment. Someone asks a question at the networking event. The deafening silence while you stare at the floor trying to find a way to get out of embarrassing yourself. Do your future self a favor and do some work before this happens again. You’ll feel better and you’ll have better visibility while improving your security posture.
5 Vexing Cloud Security Issues. Unlike the tips and best practices list, this one is a ‘don’t be stupid’ type list. Some of these are foundational basic security steps. Watch out for the zombies.
Attackers Increasingly Target Linux in the Cloud. Linux is the most common cloud-hosted OS. It shouldn’t be surprising that it’s the most common platform to attack, as well. Secure and monitor your cloud hosts closely. This is also a good reason to consider pushing toward a dynamic services model without traditional operating system footprints.
Top 5 Best Practices for Cloud Security. Oh, yay. Another top number list for newbs. We all need reminding of the basics of best practices, especially as they evolve. Are you doing these five things? Why not?
Announcer: Have you implemented industry best practices for securely accessing SSH servers, databases, or Kubernetes? It takes time and expertise to set up. Teleport makes it easy. It is an identity-aware access proxy that brings automatically expiring credentials for everything you need, including role-based access controls, access requests, and the audit log. It helps prevent data exfiltration and helps implement PCI and FedRAMP compliance. And best of all, teleport is open-source and a pleasure to use. Download teleport at goteleport.com. That’s goteleport.com.
Jesse: Zix Releases 2021 Mid-Year Global Threat Report. I suggest looking at the whole report, however, know attackers are using email, SMS and text messages, and customizing phishing more than ever before. Your people are going to see more social engineering attacks, so be sure everyone understands the basics of what types of things not to say on the phone and the usual about not following URLs in messages and emails.
The big three innovations transforming cloud security. CASB, SASE, and CSPM—pronounced ‘cazzbee’ ‘sassy’ and, well, nothing fancy for CSPM that rolls off the tongue, so just use the letters—are your new friends. With the three of these used for your cloud environment, you’ll have better visibility and control of your risk profile and security posture.
The Benefits of a Cloud Security Posture Assessment. Okay, so we’ve covered CSPM some, but you need a CSPA before you implement your CSPM. I tried to…
playlist_add
Aug 19, 2021
Attacks, Tools, and Ails
Links:
* AWS Cancels re:Inforce Security Conference in Houston Due to COVID-19: https://www.crn.com/news/cloud/aws-cancels-re-inforce-security-conference-in-houston-due-to-covid-19
* Cloud-native security benefits and use cases: https://searchcloudsecurity.techtarget.com/tip/cloud-native-security-benefits-and-use-cases
* The state of cloud security: IaC becomes priority one: https://techbeacon.com/security/state-cloud-security-iac-becomes-priority-one
* Takeaways from Gartner’s 2021 Hype Cycle for Cloud Security report: https://venturebeat.com/2021/08/12/takeaways-from-gartners-2021-hype-cycle-for-cloud-security-report/
* IBM upgrades its Big Iron OS for better cloud, security, and AI support: https://www.networkworld.com/article/3626486/ibm-upgrades-its-big-iron-os-for-better-cloud-security-and-ai-support.html
* Securing cloud environments is more important than ever: https://federalnewsnetwork.com/commentary/2021/08/securing-cloud-environments-is-more-important-than-ever/
* The Misunderstood Security Risks of Behavior Analytics, AI & ML: https://www.darkreading.com/risk/the-misunderstood-security-risks-of-behavior-analytics-ai-ml
* Accenture Says it ‘Detected Irregular Activity,’ Restored Systems from Backup: https://www.darkreading.com/attacks-breaches/accenture-detected-irregular-activity-
* Google Releases Tool to Help Developers Enforce Security: https://www.darkreading.com/application-security/google-releases-tool-to-help-developers-enforce-security
* How to Make Your Next Third-Party Risk Conversation Less Awkward: https://www.darkreading.com/vulnerabilities-threats/how-to-make-your-next-third-party-risk-conversation-less-awkward
* Cost of Cyberattacks Significantly Higher for Smaller Healthcare Organizations: https://www.darkreading.com/threat-intelligence/healthcare-sees-more-attacks-with-costs-higher-for-smaller-groups
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.
Corey: This episode is sponsored in part by Thinkst Canary. This might take a little bit to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, or anything else like that that you can generate in various parts of your environment, wherever you want them to live; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use them. It’s an awesome approach to detecting breaches. I’ve used something similar for years myself before I found them. Check them out. But wait, there’s more because they also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment and manage them centrally. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files that it presents on a fake file store, you get instant alerts. It’s awesome. If you don’t do something like this, instead you’re likely to find out that you’ve gotten breached the very hard way. So, check it out. It’s one of those few things that I look at and say, “Wow, that is an amazing idea. I am so glad I found them. I love it.” Again, those URLs are canarytokens.org and canary.tools. And the first one is free because of course it is. The second one is enterprise-y. You’ll know which one of those you fall into. Take a look. I’m a big fan. More to come from Thinkst Canary weeks ahead.
Jesse: There are many types of attacks that result in security breaches. To understand how many of them work, you need to understand how software languages function and how the hardware operations work in memory and in the CPU. However, you can learn a lot about security without having to learn those things. You can look at some of the attack vectors and gain a high-level understanding of what is happening. For example, man in the middle, or MITM, attacks are when someone inserts malicious code into the communication of two entities. That MITM service will capture communications, make a copy, then send it along like normal.
A buffer overflow happens when the allocated memory space for some type of input–whether its contents of a file or dialog boxes and the like—is less than the amount of input. In simpler terms, there is a bucket available for input. The attacker pours more water into the bucket than the bucket can handle. The result is that code in memory could be overwritten and become executable. So, you can learn about security flaws without digging under the surface to see what is actually happening. However, I strongly urge anyone doing security-related things to learn more about these attack types, and the others.
Meanwhile in the News. AWS Cancels re:Inforce Security Conference in Houston Due to COVID-19. The closings have begun. Dust off those creator lights, and prep that mic on your desk. In the wake of last year’s lockdowns and sudden remote working, there was a huge spike in phishing and other scams. Don’t be caught in this round.
Cloud-native security benefits and use cases. If you have a multi-cloud or a hybrid SaaS and self-managed systems in cloud providers or in data centers, it’s possible you need different security tools. Don’t go all cloud-native just because you have an initiative to do so. Slow down
and ensure your security meets the needs of all your technology and services, not just the new and shiny ones.
The state of cloud security: IaC becomes priority one. Cloud-native services are far too complex to do traditional cybersecurity. Truly cloud-native services need cloud-native monitoring systems. Consider Infrastructure as Code, or IaC, as part of a comprehensive solution in your process.
Takeaways from Gartner’s 2021 Hype Cycle for Cloud Security report. If you only read this one because the headline is awesome, I think that’s okay. Gartner’s evaluations are often seen as a deep truths into impenetrable markets. Don’t forget though, Gartner simply looks at all the parameters that are quantifiable and makes a judgement of comparison between products. They are valuable reports, yes, but it should never be the only deciding factor in making decisions on products to use.
IBM upgrades its Big Iron OS for better cloud, security, and AI support. Don’t worry if you aren’t running z/OS. Most people aren’t. However, if you are using z/OS, this looks to be a solid upgrade, assuming your systems meet the requirements et cetera, et cetera, et cetera.
Securing cloud environments is more important than ever. I post a lot of foundational articles that talk about different—and sometimes the same—aspects of cybersecurity. I do this because there are so many of you who haven’t implemented even one of my suggestions yet. Please
read this one if you’ve ignored my earlier warnings.
Announcer: Have you implemented industry best practices for securely accessing SSH servers, databases, or Kubernetes? It takes time and expertise to set up. Teleport makes it easy. It is an identity-aware access proxy that brings automatically expiring credentials for everything you need, including role-based access controls, access requests, and the audit log. It helps prevent data exfiltration and helps implement PCI and FedRAMP compliance. And best of all, teleport is open-source and a pleasure to use. Download teleport at goteleport.com that’s goteleport.com.
The Misunderstood Security Risks of Behavior Analytics, AI & ML. Finally someone with a realistic view of artificial intelligence—or AI—and machine learning—or ML. First, there is zero AI…
playlist_add
Aug 12, 2021
The Castle is Lost
Links:
* Cloud Security Basics CIOs and CTOs Should Know: https://www.informationweek.com/cloud/cloud-security-basics-cios-and-ctos-should-know/a/d-id/1341578?
* Spring 2021 PCI DSS report now available with nine services added in scope: https://aws.amazon.com/blogs/security/spring-2021-pci-dss-report-now-available-with-nine-services-added-in-scope/
* Top 5 Benefits of Cloud Infrastructure Security: https://www.kratikal.com/blog/top-5-benefits-of-cloud-infrastructure-security/
* The three most important AWS WAF rate-based rules: https://aws.amazon.com/blogs/security/three-most-important-aws-waf-rate-based-rules/
* Researchers Call for ‘CVE’ Approach for Cloud Vulnerabilities: https://www.darkreading.com/cloud/researchers-call-for-cve-approach-for-cloud-vulnerabilities
* Managed Private Cloud: It’s all About Simplification: https://www.computerworld.com/article/3623118/managed-private-cloud-its-all-about-simplification.html
* 100 percent of companies experience public cloud security incidents: https://betanews.com/2021/08/04/100-percent-public-cloud-security-incidents/
* Why cloud security is the key to unlocking value from hybrid working: https://www.welivesecurity.com/2021/08/05/why-cloud-security-key-unlocking-value-hybrid-working/
* Organizations Still Struggle to Hire & Retain Infosec Employees: Report: https://www.darkreading.com/careers-and-people/organizations-still-struggle-to-hire-retain-infosec-employees-report
* NSA, CISA release Kubernetes Hardening Guidance: https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/
* HTTP/2 Implementation Errors Exposing Websites to Serious Risks: https://www.darkreading.com/application-security/http-2-implementation-errors-exposing-websites-to-serious-risks
* Ransomware Gangs and the Name Game Distraction: https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
* Using versioning in S3 buckets: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.
Corey: This episode is sponsored in part by Thinkst. This is going to take a minute to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, that sort of thing in various parts of your environment, wherever you want to; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use those things. It’s an awesome approach. I’ve used something similar for years. Check them out. But wait, there’s more. They also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files on it, you get instant alerts. It’s awesome. If you don’t do something like this, you’re likely to find out that you’ve gotten breached, the hard way. Take a look at this. It’s one of those few things that I look at and say, “Wow, that is an amazing idea. I love it.” That’s canarytokens.org and canary.tools. The first one is free. The second one is enterprise-y. Take a look. I’m a big fan of this. More from them in the coming weeks.
Jesse: The general theme in security news and trends show us that perimeter defense has a whole new meaning. There is no large perimeter anymore. Nearly every device is on a public or otherwise hostile network, from servers to phones to laptops. Every device needs scanning, protecting, monitoring, and analyzing. None of these devices can be viewed in a vacuum, as separate entities without the context of behavior of systems and services accessed from across a network.
This is why zero trust and cloud native applications and services go so well in these hard times. If you can’t trust anything without checking on current events, then you have to authenticate and analyze in real-time to determine if something is safe to allow. In the ancient days of yore, everything was default allow and you stopped things you knew were bad. Then along came default deny, where you allowed only those things you white listed. But that was a full-time allowance of bad things to happen when an account was compromised.
Ditch the white list and just implement real-time contextual security. If you do this, does it really matter if someone gets a hostile device on your network? Nope. If you treat everything, including owned and managed assets, as hostile, some new unmanaged device or service doesn’t change your operations or exposure much if at all.
Meanwhile in the news. Cloud Security Basics CIOs and CTOs Should Know. Some of the critical things non-cybersecurity execs ought to know: moving to the cloud isn’t a security easy button, cybersecurity insurance generally sucks, and moving to the cloud takes a lot more work than people think to get operationally secure.
Spring 2021 PCI DSS report now available with nine services added in scope. When you do compliance and use cloud infrastructures and SaaS services, you need to prove your services support compliance requirements. This AWS report can help. Also, review the new services added to see if you can improve your service delivery and applications supporting PCI.
Top 5 Benefits of Cloud Infrastructure Security. Using the cloud doesn’t make you more secure, but there are advantages that can make security more manageable in the cloud than it is in legacy data centers.
The three most important AWS WAF rate-based rules. Sometimes ya just got to geek out. Also, your security person won’t always be there to set up things like Web Application Firewalls with DDOS mitigation and other nifty security and compliance tools.
Researchers Call for ‘CVE’ Approach for Cloud Vulnerabilities. If there is a vulnerability in cloud service provider services, they should get a CVE like anyone else, right? After all, it’s just software, which is what the CVE is supposed to track.
I understand shining light on the problems to force cloud companies to fix them, but that is partly what the CVE system is for. If there are configurations that open gaping security holes, they need to be in CVE. Why do they want to make a new thing to replace a perfectly good thing?
Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That’s goteleport.com.
Jesse: Managed Private Cloud: It’s all About Simplification. So, let’s see if I understand this. Several article sources talk about the benefits of using private cloud citing the exact same benefits as using a public cloud service, except claiming it’s more secure for finance and medical verticals. Hello folks, AWS Outposts anyone? The only difference is the shared responsibility model, except that now you have an outside agency managing everything. Neither are more or less secure than the other…
playlist_add
Aug 5, 2021
Security Summer Camp
Links:
* 4 Factors that Should Be Part of Your Cybersecurity Strategy: https://www.csoonline.com/article/3625254/4-factors-that-should-be-part-of-your-cybersecurity-strategy.html
* Software Bill of Materials’—not just good for security, good for business: https://thehill.com/opinion/cybersecurity/564787-software-bill-of-materials-not-just-good-for-security-good-for-business
* Third Party Security Failure Caused 1 TB Data Breach at Saudi Aramco; Hackers Play Puzzle Games With Oil Giant: https://www.cpomagazine.com/cyber-security/third-party-security-failure-caused-1-tb-data-breach-at-saudi-aramco-hackers-play-puzzle-games-with-oil-giant/amp/
* Federal Tech Leaders Outline Future of FedRAMP: https://governmentciomedia.com/federal-tech-leaders-outline-future-fedramp
* ‘Holy moly!’: Inside Texas’ fight against a ransomware hack: https://apnews.com/article/technology-government-and-politics-business-texas-hacking-47e23be2d9d90d67383c1bd6cee5aef7
* Firefox 90 Drops Support for FTP Protocol: https://www.securityweek.com/firefox-90-drops-support-ftp-protocol
* Lower-Level Employees Become Top Spear-Phishing Targets: https://www.darkreading.com/attacks-breaches/lower-level-employees-become-top-spearphishing-targets
* U.S. Government unlikely to ban ransomware payments: https://U.S. Government unlikely to ban ransomware payments
* The Power of Comedy for Cybersecurity Awareness Training: https://www.darkreading.com/careers-and-people/the-power-of-comedy-for-cybersecurity-awareness-training
* Inside the Famed Black Hat NOC: https://www.darkreading.com/edge-articles/inside-the-famed-black-hat-noc
* Cloud Security Alliance Releases Guide to Facilitate Cloud Threat Modeling: https://cloudsecurityalliance.org/press-releases/2021/07/29/cloud-security-alliance-releases-guide-to-facilitate-cloud-threat-modeling/
* 5 Benefits of Disaster Recovery in the Cloud: https://securityboulevard.com/2021/08/5-benefits-of-disaster-recovery-in-the-cloud/
* Black Hat USA 2021 and DEF CON 29: What to expect from the security events: https://www.techrepublic.com/article/black-hat-usa-2021-and-def-con-29-what-to-expect-from-the-security-events/
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.
Corey: This episode is sponsored in part by Thinkst. This is going to take a minute to explain, so bear with me. I linked against an early version of their tool, canarytokens.org in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, that sort of thing in various parts of your environment, wherever you want to; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use those things. It’s an awesome approach. I’ve used something similar for years. Check them out. But wait, there’s more. They also have an enterprise option that you should be very much aware of canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files on it, you get instant alerts. It’s awesome. If you don’t do something like this, you’re likely to find out that you’ve gotten breached, the hard way. Take a look at this. It’s one of those few things that I look at and say, “Wow, that is an amazing idea. I love it.” That’s canarytokens.org and canary.tools. The first one is free. The second one is enterprise-y. Take a look. I’m a big fan of this. More from them in the coming weeks.
Jesse: As more services are delivered by cloud-native microservices with dynamic scaling, compliance management and monitoring becomes terrifyingly complex and difficult. The way around this is to implement processes and tools that can continuously monitor and manage compliance-related configurations using automated analysis and reporting of your cloud-native services. This collection of processes and tools is called Cloud Security Posture Management, or CSPM. CSPM generally involves a fair amount of automation to ensure secure practices are used and compliance requirements are continuously met. Implementing CSPM alongside DevSecOps and an organizational focus on shifting left in services development rounds out a tripod to support your cloud initiatives.
Meanwhile, in the news. 4 Factors that Should Be Part of Your Cybersecurity Strategy. Our security perimeters are no longer controlled by our organizations. With so many people working remote, every device on their network has become part of the threat landscape, from connected fridges to game consoles.
‘Software Bill of Materials’—not just good for security, good for business. SBOMs, as they’re called, are coming. Even if there is never a law forcing SBOMs like food ingredients labels, there could be an ever-increasing requirement for vendors to supply them. It might be a good idea
to start building these, even if they’re only supplied when legally or contractually required.
Third Party Security Failure Caused 1 TB Data Breach at Saudi Aramco; Hackers Play Puzzle Games With Oil Giant. This case study is like slowing down to see the aftermath of a crash and trying to piece together what happened. Given the breach came from a vendor, it’s a sideways attack on Aramco. Are you sure your vendors are secure? Thoroughly analyze all your third-party tools and services to ensure they aren’t the weaker link.
Federal Tech Leaders Outline Future of FedRAMP. Changes to FedRAMP are a big deal if they open up options for US federal agencies, or if the FedRAMP process—or its replacement—speed up certification. Many FedRAMP SaaS services lag their commercial counterparts because it takes so long to jump through the FedRAMP approval process. This hurts the market and the federal agencies.
‘Holy moly!’: Inside Texas’ fight against a ransomware hack. Learn from the plight of others before others learn from your plight. Reading case studies of disclosed incidents gives us insight into how doomed we are if we don’t get our act together.
Firefox 90 Drops Support for FTP Protocol. [sigh]. This is the end of an era of wide-open access and abuse. But I’m a little sad and nostalgic for my early computing days. I remember using FTP to get things to my internet-connected host account where I could then use Zmodem or Kermit to download things to my local machine. I remember when using HTML sites were new, but you could still get everything from FTP sites. Ugh, the bad old days.
Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That’s goteleport.com.
Jesse: Lower-Level Employees Become Top Spear-Phishing Targets. We always protect the big fish but the better target for phishing are the people not being closely monitored. If you can trick a system into lateral movement or privilege escalations, you can start with any non-admin user and infiltrate silently. This is why good SIM tools and behavior analysis mechanisms are critical to modern security.
U.S. Government unlikely to ban ransomware…
playlist_add
Jul 29, 2021
All Roads Lead to Cloud
Links:
* What does it Take to Secure Containers?: https://www.darkreading.com/cloud/what-does-it-take-to-secure-containers-
* Critical ICS vulnerabilities can be exploited through leading cloud-management platforms: https://threatpost.com/industrial-networks-exposed-cloud-operational-tech/168024/
* Kaseya Obtains Universal Decryptor for REvil Ransomware: https://threatpost.com/kaseya-universal-decryptor-revil-ransomware/168070/
* Kubernetes Cloud Clusters Face Cyberattacks via Argo Workflows: https://threatpost.com/kubernetes-cyberattacks-argo-workflows/167997/
* Cloud security is like an ‘all-you-can-eat buffet’: https://statescoop.com/cloud-security-is-like-an-all-you-can-eat-buffet/
* Cloud security in 2021: A business guide to essential tools and best practices: https://www.zdnet.com/article/cloud-security-in-2021-a-business-guide-to-essential-tools-and-best-practices/
* GitHub boosts supply chain security for Go modules: https://www.zdnet.com/article/github-boosts-supply-chain-security-for-go-modules/
* Cloud (in)security: Avoiding common cloud misconfigurations: inhttps://www.ironnet.com/blog/cloud-insecurity-avoiding-common-cloud-misconfigurations
* Akamai Edge DNS outage knocks out multiple major websites: https://siliconangle.com/2021/07/22/multiple-major-websites-taken-offline-widespread-internet-outage/
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.
Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.
Jesse: Building new things in the cloud is often a fun and exciting process, however moving a legacy application or infrastructure is usually a difficult and stressful process. There are several ways to implement a migration of something to run in the cloud. Which cloud migration strategy you choose largely depends on timeline and available resources. Some ways to accomplish an application migration are: one, rehost, aka lift-and-shift; two, refactor; three, rebuild; and four, replace. Rehosting, or lifting and shifting, simply means replicating your current legacy infrastructure on systems in the cloud, then cutting over from production. You spin up cloud systems in something like AWS EC2, install the OS and supporting middleware, add your application and data on top, then cut to prod.
Refactoring means rewriting your application to run in at least partially cloud-native services, but you can shortcut some of this by using container or middleware services, such as cloud-native databases offered from your cloud provider. Doing this means you largely use your codebase unchanged, but the underlying infrastructure is more scalable and is at least partially like a cloud-native product.
Rebuilding means writing a cloud-native app to be truly cloud-native. This is much like writing a new application as cloud-native, but you have an existing codebase—and possibly compatibility issues to contend with—from which to pull.
Replacing simply means implementing a SaaS tool that meets the same business requirements as the legacy application without migrating any of the old code. For example, moving to use Salesforce instead of a legacy CRM product or custom-built sales process tracking systems.
You can, of course, do some of these in stages as iterative steps. To do this, you could lift-and-shift your existing systems, then slowly work out replacing individual pieces with cloud-native solutions over time. Then you eventually get to a place where you can do very little work to yank out your final EC2 or container systems. At that point, you have a fully cloud-native application. If you don’t have much, or any, cloud application experience in your organization, follow the path of stepping through these processes as you grow your organization’s cloud skill-base and experience. Your people will migrate with your applications.
Meanwhile in the news. What does it Take to Secure Containers? Using containers isn’t instant security. They’re easier to lock down in terms of services and such, but it isn’t a silver bullet. The vampires are still going to storm the house if you invite them in.
Critical ICS vulnerabilities can be exploited through leading cloud-management platforms. Industrial control systems, or ICS, are notoriously insecure by default and often difficult to secure at all. Modern paradigms of locking down access to these infrastructures and tunneling all access through management and monitoring platforms is great. However, that platform is now the keys to the whole kingdom, so secure your
cloud management apps and dial up the monitoring.
Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That’s goteleport.com.
Kaseya Obtains Universal Decryptor for REvil Ransomware. This is amazing that Kaseya got their hands on the bits to unlock REvil things. If you are their customer, go get this right away. This doesn’t get you off the hook, though. There are likely time bombs just waiting for whatever rises from the ashes of REvil to take over the next phase. Watch your back.
Kubernetes Cloud Clusters Face Cyberattacks via Argo Workflows. Argo Workflows are great—so I hear—but now you could be pwned if you aren’t careful. Back to my often-used admonishment, don’t be stupid. Like many things, it’s easy to lock down and keep the control systems hidden, but you have to both care and verify you’ve been diligent.
Cloud security is like an ‘all-you-can-eat buffet’. The lesson here is that, as one source says, securing cloud resources is not the same as securing on-prem resources. The tools are often the same or similar, but how you use them is different. Also, the sheer volume of highly granular data from cloud systems is impossible for humans to parse and manage. You need better, highly tuned tools for the cloud.
Cloud security in 2021: A business guide to essential tools and best practices. The tl;dr: don’t be stupid. Like many lists of fundamental cloud security things, it’s lots of obvious things most people say they understand and never implement, consequences be damned.
GitHub boosts supply chain security for Go modules. I harp on supply-chain protection frequently because corrupting your software supply chain is insidious and incredibly hard to detect and remediate. Looks like there’s some help if you code in Golang.
Cloud (in)security: Avoiding common cloud misconfigurations. You can never read enough of these lists of obvious things to do. Even if you have done most of the basics correctly, it’s likely some new project hasn’t followed the best practices. This is back to my usual admonishment: DBS.
Akamai Edge DNS outage knocks out multiple major websites. Most of us got en…
playlist_add
Jul 22, 2021
Compliance, Ransomware and Privacy, Oh My!
Links:
* How to Bridge On-Premises and Cloud Identity: https://www.darkreading.com/vulnerabilities—threats/how-to-bridge-on-premises-and-cloud-identity-/a/d-id/1341512
* How AWS is helping EU customers navigate the new normal for data protection: https://aws.amazon.com/blogs/security/how-aws-is-helping-eu-customers-navigate-the-new-normal-for-data-protection/
* Cloud security should never be a developer issue: https://www.securitymagazine.com/articles/95641-cloud-security-should-never-be-a-developer-issue
* Tool Sprawl & False Positives Hold Security Teams Back: https://www.darkreading.com/application-security/tool-sprawl-and-false-positives-hold-security-teams-back/d/d-id/1341517
* The what and Why of Cloud-Native Security: https://containerjournal.com/editorial-calendar/cloud-native-security/the-what-and-why-of-cloud-native-security/
* OSPAR 2021 report now available with 127 services in scope: https://aws.amazon.com/blogs/security/ospar-2021-report-now-available-with-127-services-in-scope/
* Researchers Create New Approach to Detect Brand Impersonation: https://www.darkreading.com/endpoint/researchers-create-new-approach-to-detect-brand-impersonation/d/d-id/1341549
* Privacy Law Update: Colorado Privacy Bill Becomes Law: How does it Stack Up Against California and Virginia?: https://www.adlawaccess.com/2021/07/articles/privacy-law-update-colorado-privacy-bill-becomes-law-how-does-it-stack-up-against-california-and-virginia/
* CISA Launches New Website to Aid Ransomware Defenders: https://www.darkreading.com/threat-intelligence/cisa-launches-new-website-to-aid-ransomware-defenders/d/d-id/1341539
* stopransomware.gov: https://stopransomware.gov
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.
Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.
Jesse: There are several larger topics within the realm of cybersecurity that come up constantly. Subscribers of MiS are likely seeing these emerge from topics I cover. Some of the most common themes lately are compliance, privacy, ransomware, and DevSecOps. So, we are all working from common definitions, let’s elaborate a bit on each.
Compliance is the process of meeting some list or lists of requirements, usually have an outside agency of some sort. Most people think about this in terms of laws like GDPR, SOC, HIPAA, FERPA, and others. These are great examples, but compliance includes meeting certification requirements like SOC 2, various ISO certifications, or PCI.
Privacy gets broad in terms of implementation, but at its core, it means the protection of information related to a person or organization. Basically, don’t collect or disclose things you don’t absolutely need to, and always ensure you have permission before any collection or disclosure of information.
Ransomware is the software that will destroy or disclose—or both—your data if you don’t pay someone. DevSecOps is the methodology of writing software with secure practices and systems in mind from the start. It’s that whole shift-left thing.
Meanwhile in the news. How to Bridge On-Premises and Cloud Identity. Identity and access management, or IAM, is difficult without introducing wholly different environments. We have to pick an IAM solution, so we choose what works across all our environments and services. Of course, ultimately, this means implementing Single Sign-On, SSO, of some sort as well.
Sophisticated Malware is Being Used to Spy on Journalists, Politicians and Human Rights Activists. Not all horrible software sneaking into our devices and systems are from hidden criminal or enterprises or nation-state sponsored groups. Some of it sadly comes from for-profit companies. Just like a hammer can be used for horrible things, so can some security software.
A Complex Kind of Spiderweb: New Research Group Focuses on Overlooked API Security. APIs run our whole cloudy world. They’re the glue and crossovers communication mechanisms rolled into one conceptual framework. However, while we may introduce security flaws in our use of the billion APIs we have to use, the APIs themselves might have security vulnerabilities as well. I’m interested in the output from this practical research group to see if this bolsters API use and implementation in general.
How AWS is helping EU customers navigate the new normal for data protection. Managing regulatory compliance is a circus act on a good day. On a bad day, it’s a complex web of sometimes conflicting and sometimes complementary solutions. Many organizations worldwide need to meet EU regulations, so be sure to know if you must as well.
Cloud security should never be a developer issue. I first thought this was the counterargument to the shift-left and DevSecOp movements, but this piece supports those movements. I like the view of supporting and protecting the developers to do better security. You don’t need to hire a bunch of security experts and teach them to code; that wouldn’t work so well. You can hire coders and teach them to code securely.
Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That’s goteleport.com.
Jesse: Tool Sprawl & False Positives Hold Security Teams Back. Tool confusion and poorly tuned alerting systems plagues IT and security alike. Think about how you can streamline this by consolidating both IT and security management monitoring and alerting tools into a set of tools spanning use cases. Also, you need to read this because a source of the article is one of the most forward-thinkers in security today: Kelly Shortridge.
The What and Why of Cloud-Native Security. Sometimes we humans struggle with the transition to a new paradigm. Well, most of the time. Despite rapid and drastic shifts in technology constantly since computers were a thing, we still struggle as professionals. Many of us had just gotten cybersecurity figured out when this cloud thing started raining on us. Let’s get us all sorted out before we miss the rainy weather.
OSPAR 2021 report now available with 127 services in scope. If you think your compliance issues are complex, have you considered what a global cloud provider has to support? I’ve worked with compliance for over two decades and I still struggle to keep up with the pace of change. Thankfully, AWS breaks it down for you with the Outsource Service Provider Audit Report, or OSPAR.
Researchers Create New Approach to Detect Brand Impersonation. Brand impersonation is where someone puts up a site that looks just like yours, but it’s a ruse to collect passwords and other information. Having a better way to find these and alert us is amazing. It used to be, this type of thing wasn’t common…
playlist_add
Jul 15, 2021
Who's Fooling Who?
Links:
* Fake Amazon cloud service AWS InfiniDash quickly goes viral: https://siliconangle.com/2021/07/05/fake-amazon-cloud-service-aws-infinidash-quickly-goes-viral/
* 7 Unconventional Pieces of Password Wisdom: https://www.darkreading.com/application-security/7-unconventional-pieces-of-password-wisdom/d/d-id/1341400
* Pentagon Cancels Disputed JEDI Cloud Contract With Microsoft: https://www.usnews.com/news/business/articles/2021-07-06/pentagon-cancels-disputed-jedi-cloud-contract-with-microsoft
* SolarWinds Discloses Zero-Day Under Active Attack: https://beta.darkreading.com/threat-intelligence/solarwinds-discloses-zero-day-under-active-attack
* 98% of Infosec Pros Say Multi-Cloud Environments Create Additional Security Challenges, Reveals Survey: https://securityboulevard.com/2021/07/98-of-infosec-pros-say-multi-cloud-environments-create-additional-security-challenges-reveals-survey/
* Autonomous Security is Essential if the Edge is to Scale Properly: https://www.darkreading.com/endpoint/autonomous-security-is-essential-if-the-edge-is-to-scale-properly/a/d-id/1341391
* Digital Habits During Pandemic Have Lasting Impact: https://securityboulevard.com/2021/07/digital-habits-during-pandemic-have-lasting-impact/
* Are Security Attestations a Necessity for SaaS Businesses?: https://www.darkreading.com/risk/are-security-attestations-a-necessity-for-saas-businesses/a/d-id/1341426
* How to Improve Cybersecurity for Your Business?: https://www.ccsinet.com/blog/how-to-improve-cybersecurity-for-your-business/
* CISA Analysis Reveals Successful Attack Techniques of FY 2020: https://beta.darkreading.com/threat-intelligence/cisa-analysis-reveals-successful-attack-techniques-of-fy2020
* How Predictive AI will Change Cybersecurity in 2021: https://insidebigdata.com/2021/07/09/how-predictive-ai-will-change-cybersecurity-in-2021/
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.
Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.
Jesse: Last April, I went to a secret training camp. We studied the entire AWS functional objection orientation language services—or FOOLS—suite of tools and APIs. The first public rollout of AWS FOOLS-supported products is already an amazing success. AWS Infinidash took the internet by storm. This product is such an amazing way to quickly dash into production all your FOOLS-coded projects.
I’m looking forward to the UDB service, AWS Infinitdiscus, where you toss your data to the cloud, the automated problem-solving tool, AWS Infinihurdle, where you leap over virtual objects, and the non-ephemeral cloud-native microservice, AWS Infinimarathon, where you can run microservices for long-running batch jobs. Sadly, I suspect the all-in-one API product AWS Infinitriathlon won’t see the light of day because the project participants keep dropping out before it’s finished. I hope they finish someday. I feel like it’s a new day dawning with AWS FOOLS. This is a watershed moment as momentous as the day we discovered Agile over waterfall.
Meanwhile, in the news. Fake Amazon cloud service AWS InfiniDash quickly goes viral. [laugh]. This turned into a fantastic and fun internet meme that won’t be going away anytime soon. Also, everything I said above about AWS FOOLS is a joke. This is not real. I’m sure there will be reports about AWS FOOLS soon enough, now.
7 Unconventional Pieces of Password Wisdom. Passwords suck. We all know they suck. We all hate them. However, we will always need to memorize a few passwords. Set passwords you can remember but are hard to guess and make them as long as the site or application will allow. Passphrases are far superior, of course.
Pentagon Cancels Disputed JEDI Cloud Contract With Microsoft. If you wonder what happens when a trillion-dollar company takes you to court, just recall how AWS managed to kill this massive contract with Microsoft. Don’t tangle with AWS, Google, or Microsoft unless you know what you’re doing.
SolarWinds Discloses Zero-Day Under Active Attack. Okay, let’s be honest. If I gave you every urgent patch announcement, this whole publication would be a boring list of stuff to install. Be sure to watch your vendors for patches and everything else.
98% of Infosec Pros Say Multi-Cloud Environments Create Additional Security Challenges, Reveals Survey. Using more than one public or private cloud combined into one infrastructure or service delivery platform is difficult for IT, of course. For security, the tools used in one cloud stack are different than another cloud stack. This makes it hard to do a single comprehensive solution that works seamlessly between them all. Shift farther left on these things.
Autonomous Security is Essential if the Edge is to Scale Properly. Mobile edge computing—or MEC—and other edge service delivery models are turning into more critical as we move to more cloud-native applications with low latency needs. These applications operate at speeds humans can’t ever track, so automated responses are the only way to keep them monitored or secure.
Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That’s goteleport.com.
Jesse: Digital Habits During Pandemic Have Lasting Impact. The gin isn’t merely out of the bottle. The bottle is shattered, melted down, and reformed into artwork to remind us of the distant past. People changed how they use their computers and personal devices, and their online behavior is now forever altered. Don’t expect a return to historical behaviors to come with a return to offices.
Are Security Attestations a Necessity for SaaS Businesses? There's a fair amount of debate as to whether security adaptations of compliance to things like SOC 2 levels or ISO 27001 have any value. My general approach is to indicate they are necessary when it makes an impact on your business or mission, otherwise, it doesn’t really matter much.
How to Improve Cybersecurity for Your Business? We security people never get tired of reminding everyone how some basic concepts implemented into business practices and production systems makes for far better security than the world’s most crazy and new SIM, or honeypot, or red team. I figure if I keep reminding everyone of this in different ways, someone out there might just follow the advice. Also, I’m sure most of you won’t, or your organizations won’t let you.
CISA Analysis Reveals Successful Attack Techniques of FY 2020. Imagine my not surprise when phishing links are at the top, followed by application exploits, and then fishing attachments. Knowing the popular attack methods helps you guide your defenses and your security with more effectiveness and…
playlist_add
Jul 8, 2021
Use a Vault Before Ransomware Does It For You
Links:
* Cyber insurance isn’t helping with cybersecurity, and it might be making the ransomware crisis worse, say researchers: https://www.zdnet.com/article/ransomware-has-become-an-existential-threat-that-means-cyber-insurance-is-about-to-change/
* House lawmakers introduce bill to increase American awareness of cyber threats: https://thehill.com/policy/cybersecurity/560077-house-lawmakers-introduce-bill-to-increase-american-awareness-of-cyber
* 5 Mistakes that Impact a Security Team’s Success: https://www.darkreading.com/edge/theedge/5-mistakes-that-impact-a-security-teams-success/b/d-id/1341470
* Google Working on Patching GCP Vulnerability that Allows VM Takeover: https://www.itsecuritynews.info/google-working-on-patching-gcp-vulnerability-that-allows-vm-takeover/
* NSA & CISA Issue Warning About Russian GRU Brute-Force Cyberattacks Against US, Global Orgs: https://www.darkreading.com/attacks-breaches/nsa-and-cisa-issue-warning-about-russian-gru-brute-force-cyberattacks-against-us-global-orgs/d/d-id/1341458
* $70 Million Demanded as REvil Ransomware Attackers Claim 1 Million Systems Hit: https://www.forbes.com/sites/daveywinder/2021/07/05/70-million-demanded-as-revil-ransomware-attackers-claim-1-million-systems-hit/?sh=7517b8f957c0
* How to monitor and track failed logins for your AWS Managed Microsoft AD: https://aws.amazon.com/blogs/security/how-to-monitor-and-track-failed-logins-for-your-aws-managed-microsoft-ad/
* Six ways businesses can reduce their cyber security risk as incidents rise: https://www.newshub.co.nz/home/money/2021/06/six-ways-businesses-can-reduce-their-cyber-security-risk-as-incidents-rise.html
* How to get a lucrative job in cybersecurity: https://www.bbc.com/news/business-57663096
* Why MTTR is Bad for SecOps: https://threatpost.com/mttr-bad-secops/167440/
* What is the dark web? How to access it and what you’ll find: https://www.csoonline.com/article/3249765/what-is-the-dark-web-how-to-access-it-and-what-youll-find.html
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.
Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.
Jesse: What? Your backups are really just diversified pools of production data across multiple cloud provider regions, or stores with no space wasted on offline or non production data? That’s awesome. You are a beautiful target for ransomware. Best practices from a production infrastructure view don’t always match up to best practices for security.
However, there are ways to provide data protection and redundancy as ransomware impact mitigation while still providing dynamic operational systems. Once again, this solution is to shift left and design security into every single interaction and layer of your systems and infrastructure.
Meanwhile, in the news. Cyber insurance isn’t helping with cybersecurity, and it might be making the ransomware crisis worse, say researchers. I know of organizations that have purposefully reduced spending on their cybersecurity programs in favor of hefty cyber breach insurance. It seems at first like a great balance sheet move, but in the long run it doesn’t pay. Just build adequate security programs, please.
House lawmakers introduce bill to increase American awareness of cyber threats. Wow, so now the whole nation will be subjected to useless clickthrough CBT experiences that don’t change their behavior? Excellent. I’m sure the APTs of the world are shaking in their VR headsets already.
5 Mistakes that Impact a Security Team’s Success. Call them fiefdoms, silos, or something else, whatever name you use, operating in any way but cooperatively is horrible and unprofessional. If you are frustrated by other people doing this to you, think about the ways you can bridge the divide and draw them into a shared success model where everyone wins by working together.
Google Working on Patching GCP Vulnerability that Allows VM Takeover, AWS users rejoice. Finally a cloud security problem you can ignore. GCP users, it’s your turn to panic and question your choices. Now, you know what it feels like to be everyone else using cloud services. Being in the cloud doesn’t reduce your risks inherently; it merely shifts the focus of some of your risks.
NSA & CISA Issue Warning About Russian GRU Brute-Force Cyberattacks Against US, Global Orgs. Cyber attacks are becoming more frequent and more automated. Even the human-driven APT attacks are using scalable cloud technologies to do their dirty work. Monitor your cloud and service or system usage for anomalous behavior, as well as known attack profiles.
$70 Million Demanded as REvil Ransomware Attackers Claim 1 Million Systems Hit. Ransomware is no joke. If you don’t already have easily recoverable systems and data, ransomware can be the end of you. Also, if the supply chain for your software includes outside libraries or packages of any kind get assurance in writing, with details, from your vendors on how they are both securing and monitoring for these attacks.
Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That’s goteleport.com.
Jesse: How to monitor and track failed logins for your AWS Managed Microsoft AD. If you need to make AWS send you custom-crafted alerts about failed logins, you aren’t doing something right. If you don’t have proper log management and a SIEM of some sort, spend your precious little resources slapping something together for broader monitoring instead of crafting bespoke little jewels of highly specialized AWS magic for very narrow use cases. There are so many turnkey solutions for log monitoring and alerting, why would we waste time building our own? Don’t be stupid.
Six ways businesses can reduce their cyber security risk as incidents rise. I’m sure regular readers will know this list isn’t anything new, but maybe one or two of you will finally implement a few things. Use any multi-factor authentication scheme, combined with a proper password manager for all your users, employees and customers alike. Even a tiny business struggling to make ends meet can afford $6 to $10 per month on a password vault servers for employees.
How to get a lucrative job in cybersecurity. I swear this isn’t a Ponzi scheme advert. The opener has the usual kid hacker to security pro story we’ve all seen in the movies, though many of us in cybersecurity today had that type of journey to our roles. The modern era generally isn’t conducive to opportunities for self-taught hacker kids, however there is hope for people who have not gotten computer science or other related security or engineering degrees.
Why MTTR is Bad for SecOps. Oh, I love me some data and me…
playlist_add
Jul 1, 2021
Thesauruses are fun: Adaptable Durable Flexible
Links:
* Cybersecurity industry reacts as antivirus pioneer John McAfee found dead: https://www.csoonline.com/article/3623188/cybersecurity-industry-reacts-as-antivirus-pioneer-john-mcafee-found-dead.html
* Storms & Silver Linings: Avoiding the Dangers of Cloud Migration: https://beta.darkreading.com/cloud/storms-silver-linings-avoiding-the-dangers-of-cloud-migration
* 7 ways technical debt increases security risk: https://www.csoonline.com/article/3621754/7-ways-technical-debt-increases-security-risk.html
* New DNS Name Server Hijack Attack Exposes Businesses, Government Agencies: https://www.darkreading.com/vulnerabilities—threats/new-dns-name-server-hijack-attack-exposes-businesses-government-agencies/d/d-id/1341377
* CISO Jason Lee on Zoom’s response to its pandemic security challenges: https://www.csoonline.com/article/3622671/ciso-jason-lee-on-zooms-response-to-its-pandemic-security-challenges.html
* Software-Container Supply Chain Sees Spike in Attacks: https://beta.darkreading.com/cloud/software-container-supply-chain-sees-spike-in-attacks
* Four states propose laws to ban ransomware payments: https://www.csoonline.com/article/3622888/four-states-propose-laws-to-ban-ransomware-payments.html
* Senators propose bill to help tackle cybersecurity workforce shortage: https://thehill.com/policy/cybersecurity/560318-senators-propose-bill-to-help-tackle-cybersecurity-workforce-shortage
* Expecting the Unexpected: Tips for Effectively Mitigating Ransomware Attacks in 2021: https://beta.darkreading.com/vulnerabilities-threats/expecting-the-unexpected-tips-for-effectively-mitigating-ransomware-attacks-in-2021
* What Lies Ahead for K-12 Cybersecurity?: https://securityboulevard.com/2021/06/what-lies-ahead-for-k-12-cybersecurity/
* How to Protect Healthcare Data from Ransomware Attacks: https://www.ccsinet.com/blog/data-from-ransomware-attacks/
* System Resilience: What Exactly Is It?: https://insights.sei.cmu.edu/blog/system-resilience-what-exactly-is-it/
* Resilience Engineering: An Introduction: https://www.bmc.com/blogs/resilience-engineering/
* Charting a path to software resiliency: https://medium.com/walmartglobaltech/charting-a-path-to-software-resiliency-38148d956f4a
* 7 Best Practices to Build and Maintain Resilient Applications and Infrastructure: https://thenewstack.io/7-best-practices-to-build-and-maintain-resilient-applications-and-infrastructure/
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.
Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.
Jesse: I’ve heard the term ‘fail gracefully’ hundreds of times. What the heck does that really mean? Most people don’t think too hard on how their system should gracefully bow out rather than the old school method of complete failures and horrible restarts. Resilient software engineering is the discipline of making software and systems fail in ways that minimize and isolate failures while continuing to deliver service and availability. Basically, it means if you have a failure from hardware or dependencies, like a database, your service continues to work correctly and the broken parts just get shut down and replaced.
Cloud-native software using microservices or even dynamically deployed containers or systems is the perfect way to implement resiliency in your operations. Look toward the next development cycle of your software and systems to begin implementing this immediately if you don’t already have this in place. None of this really makes sense until you see an example, so think of it this way: you have a web-based service for customers to see their account profile and order history. It’s built to scale with containers using AWS Elastic Kubernetes service—or EKS—and it is designed so when a system throws errors of any kind, that container is closed down. Then the Aws Elastic Load Balancer—or ELP—service points all subsequent requests to a different container instance in EKS.
In that scenario, if a container is breached in a security event, or if something simply fails due to a software bug or data corruption, the service recovers by tossing a new system while yanking out the old system. This is security by designing self-healing IT systems. You get both security and stability for the same effort. This is DevSecOps in practice and shows how a shift-left mindset for your organization is the best possible approach for your business or mission.
Jesse: Meanwhile, in the news. Cybersecurity industry reacts as antivirus pioneer John McAfee found dead. Sure John McAfee was clearly in his own blend of strange and eccentric, but he launched an entire industry vertical 34 years ago. The computer age has been around long enough now that the founders of the early megacorps are all fading away. Don’t forget our history, and if you ever asked yourself, “What would John McAfee do?” Please go do the opposite unless you plan on launching a successful business.
Storms & Silver Linings: Avoiding the Dangers of Cloud Migration. This reminds me of the weeping and gnashing that happened every time some new wiki went up at various jobs and projects. I learned to hate wikis because they were always horribly organized and always out of date. Heed the advice here: if it’s out of date, archive it somewhere else and don’t migrate to your shiny new cloud.
7 ways technical debt increases security risk. Fixing old software in a fast-moving world is like the scope creep of how much stuff we acquire between moving houses or offices. You can either take advantage of touching everything to purge and organize, or you can blindly shove it all in a box and move it. We all think we’ll get around to fix it later. Nope. We don’t. We increase our risk in ways we can’t see. Go fix your stuff.
New DNS Name Server Hijack Attack Exposes Businesses, Government Agencies. There is so much information someone can gather about your organization by collecting information that was supposed to go to you. AWS closed this hole, but not all DNS services have. DNS is a resilient service, but it was never designed with modern attacks in mind. I love DNS and I hate DNS. You should too.
CISO Jason Lee on Zoom’s response to its pandemic security challenges. Explosive growth is scary; 30X growth in months is terrifying. Zoom did it. Can you? Very few companies can stay functioning, let alone secure in those situations.
Software-Container Supply Chain Sees Spike in Attacks. I don’t think I’ve beat the drum of supply-chain attacks enough. These are on the rise now that there is a great example of how effective these are. I sure hope you’ve secured your supply chain. I’m sure you haven’t, but we can always hope.
Four states propose laws to ban ransomware payments. This is a bit like making it illegal to pay kidnappers or terrorists. I know many companies will get owned and pay anyway, and regulations to stop money flowing to criminals is nothing new. There will be loopholes found and exploited, like in all things. Keep up with what laws affect your organization and how you perform security. To stop ransomware pandemic, start with the basics. We security people repeat ourselves constantly because implementing the basic security defenses mitigates most risk for most organizatio…
playlist_add
Jun 24, 2021
Real Risk vs Movie Risk
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.
Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.
Jesse: Don’t be stupid. Focus on your real risks, not hacker movie risks. It is easy to get caught up in a type of advance for persistent threats and the latest in obscure attack methodologies to the poin…
playlist_add
Jun 17, 2021
You Down with ATP? Yeah, You Know Me
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.
Show Notes:
Links:
* ABT1 Report: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
* Securing Your Cloud Transformation Journey: https://onwireco.com/2021/06/08/securing-your-cloud-transformation-journey/
* TeamTNT Strikes Again: A Wake-Up Call to Start Securing Cloud Entitlements: https://securityboulevard.com/2021/06/tea…
playlist_add
Jun 10, 2021
Pirates and Castles
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.
Links:
* Blog entry: https://swagitda.com/blog/posts/on-yolosec-and-fomosec/
* Why the Worst Cloud Security Predictions Might not Come True: https://securityintelligence.com/articles/worst-cloud-security-predictions-not-true/
* First Known Malware Surfaces Targeting Windows Containers: https://www.darkreading.com/vulnerabilities—threats/first-known-malware-su…
playlist_add
Jun 3, 2021
Caution with Automation
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.
Links:
* Autonomous drone attacked soldiers in Libya all on its own: https://www.cnet.com/news/autonomous-drone-attacked-soldiers-in-libya-all-on-its-own/
* 3 SASE—or ‘sas-ee’-Misconceptions to Consider: https://www.darkreading.com/cloud/3-sase-misconceptions-to-consider-/a/d-id/1341088
* Chinese APT Groups Continue to Pound Away on Pulse Secure VPNs: ht…
playlist_add
May 27, 2021
Stop Using Passwords, No Really, Stop
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.
Links:
* Password strength XKCD: https://xkcd.com/936/
* Building fine-grained authorization using Amazon Cognito, API Gateway, and IAM: https://aws.amazon.com/blogs/security/building-fine-grained-authorization-using-amazon-cognito-api-gateway-and-iam/
* Misconfiguration of third party cloud services exposed data of over 100 million users: https://blog.checkpoi…
playlist_add
May 20, 2021
A Jump To The Left Not A Step To The Right
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.
Show Notes:
Links:
* Report finds old misconfiguration woes continue to hammer corporate clouds: https://www.scmagazine.com/home/security-news/cloud-security/report-finds-old-misconfiguration-woes-continue-to-hammer-corporate-clouds/
* Pentagon Weighs Ending JEDI Cloud Project Amid Amazon Court Fight: https://www.wsj.com/articles/pentagon-weighs-ending-jedi-clou…
playlist_add
May 13, 2021
The Grid Has Fallen and It Can't Get Up
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.
Show Notes:
Links:
* Here’s the hacking group responsible for the Colonial Pipeline shutdown: https://www.cnbc.com/2021/05/10/hacking-group-darkside-reportedly-responsible-for-colonial-pipeline-shutdown.html
* Biden says ‘no evidence’ Russia involved in US pipeline hack but Putin should act: https://www.theguardian.com/us-news/2021/may/10/colonial-pipeline-s…
playlist_add
May 11, 2021
Meanwhile in Security Trailer
Cloud security is a minefield of news that assumes the word "Security" is lurking somewhere in your job description. It doesn't have to be this way. Weekly cloud security news for people with other jobs to do. Cloud Security For Humans.
playlist_add
May 6, 2021
All Changes Are Permanent Until Replaced
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.
Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app rela…
playlist_add
Apr 29, 2021
Hooked on Compliance
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.
Show Notes:
Links:
* Information Security Compliance: Which regulations relate to me: https://www.tcdi.com/information-security-compliance-which-regulations/
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.
Announcer: If your mean time to WTF for a security alert is more than a minute,…
playlist_add
Apr 22, 2021
ZTA: What's Your Plan?
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.
Show Notes:
Links:
* All Layers Are Not Created Equal”: https://blog.paloaltonetworks.com/2019/05/network-layers-not-created-equal/
* Help Net Security article: https://www.helpnetsecurity.com/2021/04/06/john-kindervag-zero-trust/
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.
An…
playlist_add
Apr 15, 2021
Zero Trust: Do You Trust Me?
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.
Show Notes:
Links:
* An introduction to the mathematics of trust in security protocols: https://ieeexplore.ieee.org/document/246634
* No More Chewy Centers: The Zero Trust Model Of Information Security: https://www.forrester.com/report/No+More+Chewy+Centers+The+Zero+Trust+Model+Of+Information+Security/-/E-RES56682
* 800-207, “Zero Trust Architecture”: https:…
playlist_add
Apr 8, 2021
AWS, Verizon, and MEC: Demystified
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.
Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn’t translate well to cloud or multi-cloud environments, and that’s not even cou…
playlist_add
Apr 1, 2021
Know News Is Good News
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.
Links:
* "What is an Attack Surface? (And How to Reduce it)": And How to Reduce ithttps://www.okta.com/identity-101/what-is-an-attack-surface/
* "Developing Cyber Resilient Systems: A Systems Security Engineering Approach": https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse…
playlist_add
Mar 25, 2021
Trilogy of Threes and a New Mantra
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.
Links:
* aws.amazon.com/compliance
* aws.training
* docs.microsoft.com/asure/security
*
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.
Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport…
playlist_add
Mar 18, 2021
The Holy Trinity & the CIA Triad
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.
Links:
* EI-ISAC Cybersecurity Spotlight – CIA Triad: https://www.cisecurity.org/spotlight/ei-isac-cybersecurity-spotlight-cia-triad/
* What is the CIA Triad?: https://www.f5.com/labs/articles/education/what-is-the-cia-triad
* The CIA triad: Definition, components and examples: https://www.csoonline.com/article/3519908/the-cia-triad-definition-components-and-ex…
playlist_add
Mar 11, 2021
The Golden Triangle
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.
Links:
* “What actually is “The human aspect of cyber security”?”: https://www.cybsafe.com/community/blog/what-is-human-aspect-of-cyber-security/
* “What is Process View of Work?”: https://asq.org/quality-resources/process-view-of-work
* Smartsheet Complete Guide to the PPT Framework: https://www.smartsheet.com/content/people-process-technology
Trans…
playlist_add
Mar 4, 2021
Welcome and Why Does Security Matter?
Links:
* https://simonsinek.com/product/start-with-why/
* https://www.ted.com/talks/simon_sinek_how_great_leaders_inspire_action?language=en
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.
Announcer: Are you building cloud applications with a distributed team? Check out Teleport, an open-source identity-aware access proxy for cloud resources. Teleport provides secure access for anything running somewhere behind NAT SSH servers, Kubernetes clusters, internal web apps, and databases. Teleport gives engineers superpowers. Get access to everything via single sign-on with multi-factor authentication, list and see all SSH servers, Kubernetes clusters, or databases available to you, and get instant access to them using tools you already have. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. And best of all, Telepo…
playlist_add
Feb 18, 2021
Introducing Meanwhile in Security
Ever noticed how security tends to be one of those things that isn't particularly welcoming to folks who don't already have the word "security" somewhere in their job title? Introducing our fix to that: Meanwhile in Security. Featuring Jesse Trucks.
playlist_add