Good day, quick question, Emily. Since we seem to be anticipating new people joining today, should we do the quick round table slash introduce-yourself at the beginning rather than the end like we usually do, or is there any preference?

Usually when we have our first meeting after a Security Day event, where we get a bunch of new members, we do introductions before, especially if we have a really light agenda like today. And then we usually talk about ways that new members can become more involved. And I think one other time that we did it, we had some of the pre-existing members talk about why they joined and some of the things that they have done, to help inspire new members to be more involved. But it's up to you how you want to do it. My recommendation would be to have everybody go around and introduce themselves as either a new member or what they're doing in the SIG.

It's a good idea. I'll take that advice. Thank you.

Hello. Good day, Brandon. How's it going?

Matthew, are you going to be facilitating first today?

Sure, yeah, I will, just today. Yes, unless anyone wants to grab the mic since it was just a big event. Whichever works best for the team. I had to turn my video off for just a little bit because I'm balancing a nine-month-old in my left arm, and he keeps trying to kick. He's managed to kick my USB thing unplugged and I had to restart my VM, so that was a thing. So I'll give a couple more minutes before we get things underway, and I'll do a little recap at the very end in case anyone, John Layton, wants to introduce themselves. It looks like, so far, it looks like the friendly usual crowd. So let's see.

Okay, good day everyone. We're about four minutes in, so I think we'll get things underway. I think my webcam just disconnected. Can I confirm my audio is still coming through?
Yeah, we still hear you.

Thank you. So, taking a suggestion from Emily, we'll change the format just a little bit today, since it was just a major event, Cloud Native Security Day, the other day. But the first thing I just want to ask is if anyone would like to volunteer to be a meeting minute taker slash scribe. I posted a link in the group chat to today's agenda, and if anyone wants to grab the scribe role that would be appreciated, just so we can take minutes as we go along.

Beautiful. Thank you. All right. So today, how we will start things is I was just going to go alphabetically through the list of attendees, and whether someone is a new person to SIG Security and would just like to introduce themselves or mention why they joined or what interested them, or alternately, if someone's already been a member of the team for some time now and would like to give just a quick elevator pitch slash spiel of why they joined or what they gain out of being a member, by all means. And if you'd rather not, just mention "no update" and I'll just move on to the next attendee. So with that, I'm just going to go alphabetically down the list unless anyone wants to jump in. Ash, may I send the mic your way? Might still be getting set up. I'll move on. Yeah, it looks like a couple of people are connecting.

Oh yeah, I can start. So kind of just a quick introduction. My name is Brandon. I'm from IBM Research, and I work on container slash cloud native security stuff. A lot of my background is around image security, so signing, encryption, stuff like that. We are also working around trusted platform components, so things like attesting hardware all the way up to the software stack, being able to figure out what machines are being run by talking to the TPM and things like that, so that kind of stuff. And so SIG Security is kind of a place where a lot of these discussions also happen.
I get a lot out of the discussions that happen here. I first participated in security assessments and things like that. They are really fun experiences. It's something easy to kind of jump into as well. Other than that, I think we have a ton of other activities that I think Emily will talk a little bit about: SIG Security Day and the white paper. So, thank you.

Thank you, Brandon. Ash, would you like to do a quick introduction?

Yeah, sure. So I'm Ash Narkar. I am one of the maintainers of the Open Policy Agent, and for those who don't know, it's an open source, general-purpose policy agent. So if you want to contribute to policy, if you're interested in policy enforcement, reach out to us, join the OPA project, and if you have any questions feel free to ask. We're on Slack. Thanks.

Thank you, Ash. Onward. Dan, would you like to provide a quick introduction?

Hi, I'm Dan Shaw, chair here at SIG Security. Been involved in this now for, you know, coming on three years. This sort of draws upon my background in security, and it's been a great opportunity to sort of blend a decade of experience on the app side of things and help ensure that we're building on a solid foundation of security first.

Thank you, Dan. Next up we have Emily.

I am Emily Fox. I work for the US National Security Agency. I'm one of the tech leads in SIG Security, I am one of the co-chairs for Security Day, and I am the lead for the Cloud Native Security White Paper.

Thank you, Emily. Next we have Gadi, if I got that right. Would you care to introduce yourself?

Sure. Hey everyone, this is Gadi here.
By way of background, presently I'm the CTO and one of the founders of Alcide, which is a company that is purely focused on security for Kubernetes and service mesh, so mainly focused on runtime security, security on the Kubernetes audit log, and everything in between. And presently I am participating in the Cloud Native Security White Paper.

Thank you. Next up we have Justin. Gadi, Justin.

Hello. So I'm Justin Cormack. I am the CNCF TOC liaison for SIG Security, as I'm on the TOC, and I've been involved with SIG Security since quite a long time ago, before it was officially SIG Security. I'm also a maintainer of the Notary project and interested in supply chain security in particular, among other things. And yeah, my day job: I'm at Docker, working on containers.

Thank you, Justin. Next we have Mark. Good day, Mark. I'll come back to you, Mark. Next we have Pratik. Good day, Pratik. Sorry.

Hey folks. Myself, Pratik Lotia. I work for Charter Communications, which is an ISP in the United States. Been working on some container security stuff at the company, focusing on secrets management, a bit of service mesh, container scanning, and things like that. I've attended a few of the working groups so far, and so far it's been going great, and I'm eager to get more involved with the community.

Thank you. I see Mark's camera is on there. Mark, would you like to grab the mic now?

Sure. Hey guys, sorry about that. It was hourglass time for me. So I'm the innovation security guy at Synchrony, but I'm really representing myself in this group. I previously have collaborated with NIST on some of their work and also the DevOps security standard with IEEE, so I kind of bring the external standards conversation into these meetings.

Thank you, Mark. Next I have Michelle. Michelle, would you like to introduce yourself? I'll come back to this attendee.
We're all just getting our mics working. Next we have Ray. Ray, would you like to introduce yourself?

Hello. I am from RX-M. We are a cloud native consulting and training company. I'm also an active participant in the Kubernetes project, being part of the 1.18 release team and the current 1.19 release team as well. I also participate in the documentation of Kubernetes, with the website. And I'm actually here to learn more about security, to be more security minded, because as a developer in the past I haven't always been, so I figure this is a good place to start.

Agreed. Thank you, Ray. And next we have Robert. Robert, would you care to grab the mic?

Sure. Hi, Robert Ficcaglia. I've been involved with SIG Security for, gosh, about the last year, maybe longer at this point. I'm co-chair of the Policy Working Group, where we look at specifically Kubernetes-related policies and, more broadly, how that maps to different compliance frameworks and policy validation. For this group, specifically, I'm leading the Cloud Custodian security review process. So I'll get on my soapbox and ask for volunteers: if you want to try the process here at SIG Security to review one of the CNCF projects, we're looking for all the help we can get. And you can join the Slack channel for sec-assessment Custodian. I think I put that incorrectly in the notes; let me look at it, so I'll correct that. But if anybody wants to chat or speak up, we're happy to have some volunteer help on that effort.

Thank you, Robert. Would it be possible to also throw those links into the group chat here in Zoom?

Yes, I think I'll link that to the GitHub issue. That'll probably be the most expedient.

Okay, thanks again.

Yeah, I dropped the thing for you, Robert.

Thank you. And next up we have Rohan. Good day, Rohan.

Hello there. I'm Rohan.
I'm the head of security at ControlPlane, a cloud native security consultancy out of London that was founded by Andy Martin. Joined SIG Security to try to contribute to the Cloud Native Security White Paper that Emily is leading.

Thank you, Rohan. Next up we have TK. Good day, TK.

Sorry, can you hear me now? Hello?

Yes, you're coming through five by five.

Okay, thank you. I was on mute, I guess, when I was saying: yeah, I've been in SIG Security, I think, for a while now, before it became SIG Security, I think when it used to be the SAFE group and so forth. And my interest is primarily coming from the security aspects of edge computing. So I am also involved in the IEEE next generation, future generation networks, looking at 10 years from now and in between, I suppose, and been working very closely with those things. And I'm trying to make sure that they are aligned well, I suppose, with the CNCF working group. In case anyone is interested in the INGR, you can look that up in the edge, the next generation networks, and you will see some of the drafts that we are proposing and preparing there. It's still at the very initial stage, but we do have some working drafts there as well. Other than that, I represent a consulting company on edge computing, basically. So we're working on those things and to make sure that cyber security is also aligned on the edge side of it. That's pretty much it. Thank you.

Thank you, TK. And if you want, by all means feel free to post the links to the drafts in the group chat.

Yeah, it's actually very easy to Google search INGR and IEEE because it's so widely known.

True. Okay, thank you. And next we have Vinay. Good day, Vinay. Would you care to take the mic?

Hi, Matthew. Thank you. Hello everyone.
My name is Vinay Venkataraghavan. I've been part of SIG Security for about five months now, since February this year, I guess. And I wanted to contribute to the community, bring over 15 years of work in security, enterprise, hybrid cloud, cloud experience. I'm also part of a group at Palo Alto Networks called Prisma Cloud, where we help our customers secure across the entire software supply chain, which is through the build, deploy, run phases. So I thought it was very appropriate. One of the contributions I made to the community here is I presented a security reference architecture, which I'm hoping can have a place in the Cloud Native Security White Paper as well. So very excited to be part of this.

Great. Thank you, Vinay. And one personal loop back, because I don't believe they got a chance: Michelle, if I got that right, would you care to grab the mic?

Sure. All right. We've never done this intro thing before, so it freaked me out. Sorry.

All good.

I'm in witness protection, clearly. So I'm Michelle Teberka. I work for a large financial institution. I worked for another large financial institution before that one, and I work primarily on a self-hosted Kubernetes initiative at this institution. And I'm an architect, if that helps. I don't know what else you need to know. So that's it. Thank you.

Thank you. And if there's anyone I've missed on the list that would like to introduce themselves, I think we're good, but if I've missed you, please feel free to chime in. And oh, may as well introduce myself. My name is Matthew Jasa.
I'm a principal engineer and technical lead for essentially cloud development at my employer, Keysight, formerly Ixia, and the CNCF security group is kind enough to let me facilitate meetings now and again. Besides that, my major interest is just learning the security landscape for Kubernetes. I come from more of an embedded development background in real-time operating systems, and now that I'm thrown more into the cloud side of things, I find that just by taking part in these meetings and joining the team, I learn just how much I don't know and how to fill in those gaps as time goes on. So it's definitely helped with my day-to-day career.

With that said, I think we've got all the introductions out of the way. We already have our minute takers here, and my intent was to move on to check-ins slash presentations we have proposed for today. My understanding is there's a post-Security Day update from Emily as well as the white paper schedule bump, and I'm just going to quickly check and see if there are any updates here. I believe all these were covered in the round table we just had. So with that said, I'd like to pass the mic to Emily.

Hey everyone. I want to let you guys know that we had a really awesome Cloud Native Security Day at KubeCon this year. It was our first virtual event, and as with most first-time virtual conferences, we did run into some technical difficulties with the platform. But I think probably after the first few talks everything started to work out; things started to get a little better. I think it was our first time using that platform.
So everything seemed to be going pretty well as we moved throughout the day. We had about 369 folks join the Security Day channel for KubeCon, some really good discussions in there, and at one point we had 230 viewers for a single talk. We're waiting to hear back from the CNCF about what kind of transparency metrics they're going to issue about KubeCon and CloudNativeCon, so we can get more information about how wide of an audience we reached with all of the awesome presentations from all of our great presenters. I will be running a virtual retrospective of Security Day and the security events channel, and then we can close out that ticket and create a new issue for SIG Security Day 2020 North America as another virtual event. So if you are interested in potentially presenting, get ready. We will hopefully be putting that call out once we coordinate everything with the CNCF again. So that's the update for Security Day.

And then the next update: I updated the Cloud Native Security White Paper with a new schedule. All of our dates have been bumped out about a week to allow the writers and the contributors to have a little bit more time to put in some content. With KubeCon consuming everybody's time last week, I wanted to make sure that we had plenty of time to get as much information pulled together. And that's about all I have.

Thank you. Does that effectively cover both of the two topics then?

Yep.

Okay, thank you. With that, I'm just going to double check the check-ins. I don't believe we have any SIG representatives with any check-ins today. Okay, so we do not have any additional PRs or presentations. So I was just going to ping a couple of people here on the call to see if they wanted to provide additional info on the items they previously covered. So I have what Mark Underwood noted here on this IR 8006, Cloud Computing Forensic Science Challenges. Mark, did you want to go into any additional detail there, or all good?

So, yeah, I'll just make it quick.
Let me shut up this other meeting. I don't want to give these two products from NIST too much presentation, but they reflect sort of sub-disciplines in the work that we do in this group that we don't always give a lot of attention to. So one of them is cloud forensics. This is not a standards document; it's kind of just a technical report on that subject. And the other one is actually a tool. It's an installable executable that tries to treat the cyber supply chain as a graph, basically, with multiple nodes in it, where each node is, you know, some facet of the supply chain: it could be another open source project, could be a person, could be a subcontractor, and so on. Dubious whether that tool is really a great idea, but it gets you thinking about alternative ways of looking at this. NIST has some other documents around cyber supply chain. It's a real problem, especially for bigger organizations, to try to manage down. If you're heavily invested in tooling to solve security issues, you're confronted with the problem that your lesser capable organizations often offer a greater risk to you. So that's it.
Just a couple of suggestions.

Thank you, Mark. And then I believe we have one last thing on here, and then we'll just open the floor if anyone wants to grab the mic. So, Robert, there was the mention of needing Cloud Custodian security reviewers. Is there anything else we would like to add to that, or is it already all covered in the previous discussion?

I'm happy to reiterate. We'd love to have folks participate in the security assessment process. So if you've been curious about it or you've kind of watched from the sidelines, it's a very low risk way to participate. Kind of roll up sleeves a little bit, but the ask is very low, and of course the more volunteers we can get, the more we can distribute the load. So if you have any interest at all, please don't hesitate to join the Slack channel or comment on the GitHub issue and I'll reach out to you. Or speak up now.

I'm curious what type of assessment is involved. Like, I've not done any assessments previously, so I'm just curious: what does the work involve?
Yeah, so the process that we here in the SIG have laid out is: the assessment process is really reviewing documentation provided by the project, in this case Cloud Custodian, on how they manage security, how their project aligns with some of the common practices, the CII initiatives. And, you know, we as a team will review that documentation, see that it maps to expectations, discuss what those expectations are, and then really come back with some feedback to the project that we will review with the TOC and present to the TOC. What came out of that in previous assessment rounds, with folks like OPA and Keycloak and such, is a set of maybe concrete recommendations around either documentation, or implementing different CII initiative improvements and getting to a certain badge, or adding some additional tooling, or, I think in a couple of cases, some GitHub issues to the project around a particular threat that was identified.

I see. Yeah, that helps a lot, and I think Brandon sent some links as well, so I'll check out those. Definitely sounds interesting. I'll reach out to you directly on Slack for that.

Great, fantastic. Thank you.

Okay, with that exchange, we've covered all the items we have on the agenda so far for today. So at this point I'd just like to open the floor if anyone would like to bring up any specific PRs that require attention, or if there's anything else that needs to be raised. Here's your chance.

Yeah, I just want to add a quick note. I think for those that are new, we have a new members section that's in the README that should be helpful. Also, there were mentions of Slack as well. So we have, on CNCF Slack, the channel is sig-security, and within that channel, actually, if you go into one of the pins as well, there are a couple of sub Slack channels: sig-security-events and so on.
So those are about specific things; for example, sig-security-events is for Cloud Native Security Day and stuff like that. There are a few that are not there right now. I will try and post it, such as, there's some about the white paper as well. I think I'll update that. But the Slack channel is also a good resource, and feel free to just ask questions, and then we'll try our best to help out and provide any clarification.

Thanks, Brandon.

Maybe I had a question. I wanted to follow up on a comment that Mark made. Sorry, I didn't follow the latter part of your argument. You mentioned that there are these standards and there are some tools, and those tools are not quite effective or they don't work. Could you elaborate on that, please?

Sorry, TK, was that for me, Underwood?

Yeah, Mark. This is Vinay here. Sorry. I just wanted to try to clarify the latter part of your argument. You mentioned something to the effect that there are standards, there are tools, but these tools are not quite effective, which actually opens up another kind of a threat vector for enterprises. Is that what you said?

Right, so there are two artifacts released this last week by NIST. There are other ones that I wasn't calling out in this particular meeting that are worth talking about in this context, but I haven't listed them all there.
I'm lazy, I guess. But of the two that they offered up here, one of them is actually an installable executable, and it tries to do a representation of a supply chain. And my critique of that simply is: it doesn't try to represent the semantic space or the technology space of the kind of relationships between these nodes. So a node that's a person, and a node that is a third party application like, say, Salesforce, right, a SaaS application, or SAP hosted internally on an internal cloud, or a security tool, yet another example; now typically those are cloud based. So each one of these things, if you represent them as a node, they have a complicated type of dependencies, or in an AI world we would call these attributes or properties. So it's an unsophisticated graph representation, but because there's nothing else better right now, and because NIST is influential in this space, it's a good place to start to get people thinking about it. So it kind of depends on the sophistication of the organization whether you can lead people along a useful, a fruitful path of saying, okay, this is a starting point; now maybe we can identify our risk register, where we think our biggest threats are, our most unstable elements of our supply chain. That could be people you just onboarded. In a regulated business like the one where I work, we're also worried about the ones where we get audited regularly, because even though the risks might be low, we'd have to report out on a regular basis on those things.
So that might be elevated concern even if the risk is low. So trying to do a better assessment of that graph then becomes a worthwhile enterprise. But then a deeper dive looks at things like threat models and how you share information, like intelligence that you might have, you know, in a Fortune 500 organization or in a large government organization, with people down your supply chain. Do you share it directly and just say, we heard about this threat and here it is, FYI? You might actually not be permitted to do that in your proprietary agreements with your contractors, because they're selling that to you; you can't just give it away to someone else. Also, you might have information where you don't want to tell them about your own vulnerabilities, right, because you have information sharing restrictions. So there's a filter going on that's bi-directional. And so, although you really want to automate alerting up and down the supply chain, realistically that's not feasible in many settings. You need to both have contractual and also automated intermediaries. Think of these as agents in a kind of AI way; these agents need to be intermediaries between your principles of sharing with the supply chain and vice versa. So all of this is happening in a mix where we're all trying to automate things in order to be more efficient and deal with the deluge of alerts. And traditionally there is no automated up-and-down-chain alerting in information security. This is kind of a, you know, you get on the phone and talk to somebody, or you get on Slack and you tell them, hey, we heard about this bad actor and they might be going after you too. Occasionally you might have sector-wide sharing, like the utility sector or finance, you know, and they have their own interest groups, but that's not real time. It tends to be periodic meetings and that sort of thing.
So that's the stuff I know about. I know there's stuff, dark sharing, that goes on that's besides that, but in the ethos of cloud native, you really want to have full transparency about supply chain information sharing and vulnerability. So that's a longer version of this topic, which is a deep one.

Got it. Thank you so much. So it's a great framework, but operationalization is a very tall ask.

Well, to that point, and to underscore what you were saying, Mark, there is sharing that's going on, but from what I've seen firsthand, that takes more of the approach of, hey, you know, you guys send your SIEM alerts to my SIEM, and there's not a lot of structure to that. So having some sort of graphic or graph to, you know, what alerts am I sending you and what am I supposed to do with that on the receiving end, and how does that map to my ATO, or how does that map to my risk con one? I mean, I haven't seen anything that specific or concrete that would help me operationalize: what am I supposed to do with this fire hose of events that I'm getting from my vendors, or that I'm asking my vendors to give me?

See, that brings up a great point. I mean, I don't know if we have time, but maybe just one last comment on that. There is no open standard, right? Even all the threat data, intel, etc., across so many different providers, it's all proprietary.
Is there, like, an open source, or open standard rather, for threat data that can actually, so you know, here is the format, here's how it looks, here's how I can ingest it, and here is how I can operationalize it? Does anybody know of anything?

I don't know if it's the right one, but is it OVAL, XCCDF, I think maybe some of that? I have to go refresh whether they have a specific map.

There is, actually, as I recall. MITRE has some standards around threat intelligence information, threat data. I mean, there's the CVEs, there's the scoring mechanisms like CVSS v3, CWEs, stuff like that, where you have calculators. But you're talking about the actual format of the information and how it's transferred, correct?

Yeah.

Yeah, but it never really got hold, I'm afraid.

I'm sorry, which standard?

It's an OASIS standard for cyber ops interoperability that tries to do that. But I think the current best hope for that is the MITRE universal ontology project and, you know, what comes out from that. So that's a derivative of the other MITRE projects, but they're trying to be a little more formal about it. I try to keep track of the standard, where that is, but it's not usable, and none of the vendors are doing anything with it beyond trying to do MITRE ATT&CK mapping.

I mean, there is STIX, right, and that was the one that comes to my mind on the threat intel side. I thought they had something for the way you collect specific testing output. I'm not finding it, though.

Yeah, and you know, the challenge is there's so many challenges with this: do you trust information you get up and down the supply chain? There's the reputation problem, there's the standardization problem, and also the nature of the threat depends on what you do as a business, right? So the supply chain threat for healthcare is not the same as the one you have for a finance business, and even in finance.
It's not the same between the credit markets, like credit card offerings, and the venture capital folks, right? They've got a big logging standard around what they're trying to do there that's got federal funding, but that turns out not to be very usable for somebody that sells credit cards. So there's a domain-dependent part of this that's important too.

I mean, there are some open source things I think we all know of; that's OWASP, which is the application-related security threats. There is a good log there, and it's continuously being updated by the online community.

Okay, we got a 10-second gap of crickets. Is there anything else anyone would like to add or bring up?

Yeah, if there was interest in this general topic, you know, I could try to put together a more comprehensive presentation and walk through that, you know, if I really did do some more homework instead of this slap-dash presentation I just laid on you.

I would be interested in seeing that. Can I open a presentation issue and assign it to you?

All right, thank you.

Yeah, we'll work on the dates, TBD, right?

Yeah.

Okay, at that point, I think we've covered all the major points, and I think I see one or two more people that weren't on the call initially. So before we wrap things up, if there's anyone that's joined partway through, if you would like to introduce yourself, whether you're a new member or just getting to know SIG Security or an existing member, feel free to grab the mic now if you'd like to. I see Kapil there. Would you like to grab the mic?

I'm good.

All right. In that case, that's a wrap for today. We'll see everyone next week, and until then, stay healthy. Cheers.

Thanks, buddy.

Thank you.