The next talk that we're going to have right now is cloud security metrics, presented by Xavier Ash.

Thanks, guys. If you want some metrics, I'll give you some metrics too, but that's all right. So, cloud security myths. So I like to make sure that I'm talking to the right crowd, there we go. So I want to get an idea of what you guys do so that I make sure that I'll give you the information you need. So who here is, you know, a SOC analyst? You guys have got to respond to cloud security crap. All right. So we've got some analysts in here. All right. So engineers, people that have got to, like, design security for the cloud. All right. Good. We've got to do this. All right. So that's generally where the talk is going to be aimed toward, is those people. But we are going to talk, I've got some IR in the cloud and some other talks or other things about dealing with security in the cloud. So let's go ahead and get started.

So a little bit about me. I'm old. I've been around for a long time. And I've most recently worked for Gartner. So if you see these terms that only Gartner uses, that's because they infected me with their terms. And so just bear with me as I use those terms as I describe some of this stuff. I've been in vendor world, consulting, did a little bit of my own business for a while. But I've recently switched gears. And after this talk got accepted, I now do IR. So I don't do cloud security anymore. But, you know, I play a good one on TV. So now I do run an incident response team for a large financial institution. So that's why I put in the IR in the cloud stuff, to make sure I cover that over.

All right. So what is the cloud, right? So in general, most people talk about the cloud in these three general places, right? You've got software as a service, infrastructure as a service and platform as a service. And there's all these other, that is the three types of cloud, right? And I'm here to say that there's a lot more than that.
And so we want to make sure that we all understand, when we say the cloud, what are we talking about? I want to make sure that everyone walks away knowing about, especially, function as a service and other serverless types of things, right? So function as a service is a big, you know, push. And for those that, you know, design security or work in a SOC, we generally are not the ones that are going to decide, hey, we want to go do this function as a service thing, right? That's going to be some business line, some IT architect, some, you know, development team that says, hey, containers as a service. We could, you know, let's do this new container stuff. And so as we talk about, you know, there's these three types of cloud, I mean four types, well, there's actually five types of cloud services. It keeps ever changing, right? So here's a couple more: backend as a service, especially if you're doing mobile, that's a popular one now, you know, just all that other crap that you have to do, you know, just all the stuff to run a mobile app, is backend as a service. Integration platform as a service, to be able to get data from here to there. A lot started off in the sales world. And if you use, what's it, IFTTT, that's a good example. Unified communications as a service for getting your voice stuff. Payments as a service. All these wonderful services that you might make sure that you cover when you design for security. So very important.

All right, so everybody got it down. Everybody knows what the cloud is. We're all on the same page. It's one big thing that we can talk about easily, right? Security, cloud security is just one thing. That's, what I'm trying to drive home is that there's a lot of different things here. So let's kind of talk about how doing security is changing in the cloud.
One of the things that I like to really put into people's minds when we talk about shifting the mindset of what cloud means: we used to have these designs of saying we've got this perimeter, we've got this system bus, and we've got this architecture that really kind of starts with our data center. And that's not really the truth anymore, right? The truth is that the user, the end user, is the center of that hub. They're going to go out to all of these different services. And this kind of, you know, this is a good talk, especially when, you know, if you get into the tangent about endpoint management, you know, a lot of big companies like to say, here's a trusted computer, right? You're a contractor. I'm going to give you a trusted computer. Therefore, I can manage that and I can control everything you're doing. The problem is that that's not the case anymore, right? You know, as the cloud kind of continues to permeate our business processes, this is going to be the perspective, and our users are going to demand being able to use whatever device they want. And so, you know, this is a side tangent, this is a nice change.

So when we talk about cloud and really, you know, cloud security, we've got to talk about who does what. And I found this great site. It's called Pizza as a Service. And, you know, the link here, you can just remember Pizza as a Service and Google it and use this in your conversations when you're talking about who does what when it comes to these different cloud services. And so this, they've updated it to include containers as a service and function as a service. But as you see here, traditionally when we're talking about the, you know, the data center, it is, you know, we own everything. That's kind of like, you know, good old homemade pizza, right? And we're going to move to infrastructure as a service. This is what most people think of when they think of cloud: AWS, opening up an EC2 virtual machine.
There, you're handing over the responsibility for virtualization and hardware, but you still got the rest of the stuff to do, which is kind of like a communal kitchen. You show up and, you know, you can just use their kitchen. But containers as a service, as we move into this, you know, paradigm of using containers, the OS is now no longer a responsibility. You're just, you know, moving around containers. You know, that's your, you know, bring-your-own-pizza situation. Takeaway, when you're now looking at, you know, platform as a service, you just walk up, you know, take your pizza away. Go to a restaurant, you know, that's your functions as a service. You're just showing up and you're going to get a pizza delivered. You just want that function. And then finally the party, right? Software as a service. Everything, you just show up, there's just pizza there. And so this is a good, good way of, you know, making sure that people understand who's responsible for what. And this goes to, you know, when we talk about, you know, your cloud security controls.

So, I also love the word hybrid. Everybody says, you know, well, we get this hybrid cloud situation, right? We're going to do hybrid cloud. And this is just as easy to describe as just the cloud, right? There's only one thing of hybrid. Hybrid is cloud versus data center. Well, you've got to make sure that when somebody says the hybrid cloud, you say, well, what do you mean? Are you using the cloud as a backup place, a place to do disaster recovery? Are you, you know, just using it as a storage unit? What things are you actually shipping to the cloud? And do you actually have, like, a separate data center out in the cloud? Or do you really kind of extend your data center? You've got data center one that's here in my office and data center two that's AWS. And you can't really tell the difference, right? So hybrid cloud could mean a lot of things.
And we'll make sure that when you're driving, you know, driving home, you know, a conversation, that you're walking away and say, you know, we know what we're talking about. And so don't just say, you know, if somebody just says, hey, you know, the cloud, you know, you can, you know, dive into that. But then when they say, hey, hybrid cloud, you say, well, what do you mean by that? And so dive into that, make sure that you know.

So as we change through this different mindset of what stuff is in the cloud, one of the things that we're driving toward is this serverless world, right? Basically, as we got excited about not having to run our own hardware, then we said, oh, wouldn't it be great if we didn't have to run our own software? And we can just have more and more other people do things. And so as, you know, these cloud service providers have clued into this, they've said, oh, you want to run SQL? How about SQL as a service? All right, well, that's great. Now I don't even have to work and do auto scaling on one. I have one database and it can just auto scale on its own. And I don't have to worry about, you know, actually creating containers or doing anything. I just have a SQL database or an Elasticsearch, you know, and it's just this thing that you can call and it expands and it is really easy to use. Problem is, is that without a server, there's a whole lot of things that break down when it comes down to security. As we move into the cloud, that is the biggest, you know, gap that we have, as we walk away from this talk, once you understand, is that as we move to this serverless world, what things are not going to work?

So I went around yesterday, the day before, I went to Black Hat and talked to everybody that had the word cloud on their banner, which was just about everyone, right? Everyone does cloud, you know, security in the cloud, you know, secure your cloud, best security in the cloud.
I said, well, you know, how did your thing work? And they said, well, we do this thing and then we installed an agent. I said, oh, we installed an agent, that's great. What do I do with serverless options? If I've got an Elasticsearch stack, how do you protect that? Well, yeah, exactly. So be sure to take away from this, you know, that understand that these serverless options are going to continue to pop up. And so as your company, as your organization moves into the cloud, it is not just going to be infrastructure as a service. Unless, you know, you want to put these training wheels on your, you know, your enterprise development and say, hey, we're not going to innovate. These services are so easy to use and really accelerate, you know, time to deliver on security or time to deliver on business processes, that they're going to happen. So we, you know, security guys, we can't say, well, we can't put an agent on that, so you can't do that. And the more we act like that, the more we're going to get kicked out of the boardroom. We have to be able to do security in the cloud and not say, here's what you can and can't do.

All right. So what do I mean by security in the cloud? Well, so here is just a, you know, a quick list of the, you know, NIST control families, so we can remind ourselves there's a lot of things that, you know, as security teams we're responsible for, right? And so as we, you know, think back to, you know, the Pizza as a Service slide, right? And so there's a couple of these that we can go ahead and strike off. As soon as we do infrastructure as a service, right, the baseline, just put some VMs in the cloud, we no longer have to deal with personnel security, physical and environmental protection. Right? We need to make sure our cloud service providers are doing those, right? If you do SOC 2, right, you have to make sure your providers are doing those, but you're handing off the responsibility.
So it doesn't, you know, eliminate the need to do these, it's just somebody else is doing these. And so with both NIST and a couple of others, and your cloud service providers, lots of the big ones, for example, I've got, you know, great spreadsheets to go through and say, here are the controls and what you do, what we do and how to figure all that out. But generally those really assume infrastructure as a service. And so you have to say, all right, if I'm going to have some Lambda functions out there that are going to be connecting, how do I authenticate to that? How do I make sure that that works? As that scales up and I have an incident on one of those nodes, how am I going to respond to that?

All right, so another way of making sure that we're understanding what we do when we're going to use cloud security. There's really three kind of groupings that I usually say. Are we talking about, like, services, you know, cloud security as a service? You know, security things that are happening in the cloud? You know, things like Proofpoint. You know, you send your e-mail through their cloud, right? So that's just kind of like security as a service. So that's one kind of thing when you talk about cloud security. There's cloud security products, right? Your DLP things, you know, like virtual appliances that you're going to be putting in your cloud. So those are products in the cloud. And then there's, you know, for the cloud, right? And a lot of these are going to be run by the cloud service provider. You're probably going to use Azure or AWS's IAM, but there's also third party ones of those. So make sure that when, you know, again, we say cloud security, what are we talking about? We're talking about, you know, cloud security services, products in the cloud or functions in the cloud. Now, generally as I dive in here, I'm going to look mainly at the products in the cloud because that's where a lot of the gaps tend to happen. And so let's kind of dig in here.
So I did label this talk cloud security myths. So here we go, here's some good security myths. I love this. I googled around and said, all right, I'm going to talk about cloud security myths and, you know, they're all over the place. But in general, I felt like these were myths that you would talk to non-security folks about. All right, so: the cloud is not secure. We can't go to the cloud. Now, as a consultant, I actually talked with a couple of companies that still to this day, 2018, said, well, I can't trust my data in the cloud. These guys were not doing government super secret stuff. Honestly, one of them was a cigarette maker. I mean, we know how to make cigarettes. It's not secret sauce, and you're going to be okay by putting your data in the cloud. They still did not want to make that move to say, okay, we can think about maybe doing some cloud, but we're not going to put any of our, you know, classified data in there. So that's one myth. So, yes, we hear all the time about, you know, data breaches in the cloud. This was found in the cloud. That's not the cloud service provider. When's the last time you heard Amazon hacked, you know, they jumped from one, you know, one AWS instance to another, right? That doesn't happen, right? So, you know, the likelihood of that happening is really low. So the cloud is actually really secure.

I love this other one: the cloud is perfectly secure. Well, no. So, it is as secure as you make it. You put up data there and you leave it out in the open, somebody's going to find it. You load your AWS keys in your GitHub, yes, somebody's going to find it. So the cloud is only as secure as you want to make it.

Then there's: cloud security is too complex to maintain. This one, I kind of say yes. And here's why. All right, so the complexity of cloud security, and this is what, this is the meat of the talk, is that all of these controls, you know, that big list of families of controls, we've got to design all these different controls.
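The "only as secure as you make it" point above is exactly what automated posture checks exist to catch. The following is an added example, not code from the talk or from any vendor or open source project, of a small check for the three cases the speaker names: a bucket ACL granting access to a public group, a security group exposing a sensitive port to the whole internet, and an access key ID committed to text. The inventory dictionaries are constructed inline to mimic the shape of AWS describe/get responses, so the script runs offline; the bucket names, group IDs, addresses and the key ID are all made up.

```python
"""Added example: minimal cloud posture checks over a constructed inventory.
Not from the talk or any product; inventory shapes mimic AWS API responses."""
import ipaddress
import re

# Constructed sample inventory: no real accounts, buckets, groups or keys.
SAMPLE_BUCKETS = [
    {"Name": "app-assets", "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]},
    {"Name": "backup-dump", "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"}]},
]
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-any", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]
# Constructed text standing in for a script someone pushed to a public repo.
SAMPLE_SOURCE = (
    "# deploy.sh\n"
    "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n"
    "aws s3 sync ./build s3://app-assets\n"
)

# The two S3 predefined groups that make an ACL grant public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Ports that should never be reachable from every address on the internet.
SENSITIVE_PORTS = {22, 3306, 3389, 5432, 9200}
# AWS access key IDs start with AKIA followed by 16 upper-case alphanumerics.
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def find_public_buckets(buckets):
    """Names of buckets whose ACL grants anything to a public group."""
    public = []
    for bucket in buckets:
        if any(g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS for g in bucket["Grants"]):
            public.append(bucket["Name"])
    return public


def _is_world_open(permission):
    """True if any CIDR in the rule is the whole v4 or v6 address space."""
    cidrs = [r["CidrIp"] for r in permission.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)


def _exposed_sensitive_ports(permission):
    """Sensitive ports covered by the rule; protocol -1 means every port."""
    if permission["IpProtocol"] == "-1":
        return set(SENSITIVE_PORTS)
    lo, hi = permission["FromPort"], permission["ToPort"]
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def find_open_ingress(groups):
    """(group id, port) pairs where a sensitive port is open to the world."""
    findings = []
    for group in groups:
        for perm in group["IpPermissions"]:
            if _is_world_open(perm):
                for port in sorted(_exposed_sensitive_ports(perm)):
                    findings.append((group["GroupId"], port))
    return findings


def find_leaked_key_ids(text):
    """Access key IDs present in committed text (the IDs alone are not secrets,
    but their presence usually means the secret key is right next to them)."""
    return AWS_KEY_ID_RE.findall(text)


def posture_report(buckets, groups, text):
    """One human-readable finding per problem, for a ticket or an alert."""
    report = [f"bucket {b} grants access to a public group" for b in find_public_buckets(buckets)]
    report += [f"{g} exposes port {p} to 0.0.0.0/0 or ::/0" for g, p in find_open_ingress(groups)]
    report += [f"access key id {k} found in committed text" for k in find_leaked_key_ids(text)]
    return report


if __name__ == "__main__":
    for line in posture_report(SAMPLE_BUCKETS, SAMPLE_SECURITY_GROUPS, SAMPLE_SOURCE):
        print(line)
```

Run on the constructed inventory it reports the public `backup-dump` bucket, the MySQL port in `sg-db`, every sensitive port in the all-protocols `sg-any` rule, and the committed key ID, while staying quiet about HTTPS open to the world and SSH limited to an internal range. The same functions would work on real `boto3` output because the dictionary keys match the API's field names; scheduling that is the "constantly tell you" part the speaker asks for later.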
IAM, we've got, you know, data protection, we've got, you know, all these things. I've got to be able to figure out how can I convert that control to all of these different services, right? We've got, you know, function as a service, serverless options. How can I do that? And every week or so somebody's going to say, okay, but now AWS has got this new thing and it's awesome. It's going to revolutionize the thing. We're going to do it in six months. So security, you're going to have to get on board with how we're going to do this. And so, yes, there is a lot of complexity. It can be done, but we have to understand that, you know, you've got to be able to communicate risk to these people. Yes, you can do that in six months. You can do that in six weeks. But you're going to do it and, you know, it's going to be a much riskier situation because we're not going to have all of our controls converted for this new thing, new fandangled technology.

All right. So: all cloud service providers are the same. I'm going to jump to that in a minute. And then: on-premise service is so much safer. I love this one because, yeah, we all know how poor our security is at our own data centers, right? So let's just not even go there. Yeah. Now, oh my God, cloud.

All right. So cloud security truths. You've got to get away from this perimeter thinking. Now, there is, I am going to talk about, like, transit VPCs and how to set that up. And so there is going to be some aspect of, you know, building kind of, but it's because there's really two ways of doing that. Well, sorry. There's three ways of doing things in the cloud. There are agents. There are APIs. And there is network-based stuff. And so, really, you've got to make sure your solutions will fit one of those three. So with network-based stuff, we're going to create some transit VPCs to make sure that we can get the network traffic to go through our network products. Distributed threat surface.
Think about, you know, if you're going to try to protect all of your company's data and they start using the ERP as a service, Salesforce, there's data up there, and there's all of these different areas where now you've got to, you know, apply all these controls and be able to keep that safe. So there's a distributed threat surface. You will need new tools or, you know, make sure that the tools you've got are starting to get updated and become more cloud aware, become container aware, become more aware of what you're doing in the environment. Lots of new policies and procedures because, you know, just go a little back and read it and think about, all right, if I'm, you know, moving from, you know, from data center to a cloud, when am I going to have to rewrite? So, yeah, I already said that. It takes a long time to convert those controls.

All right, so these are more equal than others, right? So this is a recent Gartner study. They looked at, you know, took a large majority of the NIST controls and said, hey, except for IAM, we did another study on that. But it's how much, if I just go with what Amazon or Google or Azure gives me out of the box, how well am I covered? And it's really interesting how, you know, there's so many gaps on the Google side. And it's, I always think about, like, you know, here's the perfect little cloud thing that already works for you but has fewer options, and then Google says, here's just this basic platform to do some creative things. And so Google just kind of takes a different approach to it. While both Azure and AWS are trying to say, I want to give you all the tools so that you don't have to go to anybody else, but there are gaps there. And the gaps there, you need to be able to identify. And this is just, this kind of simplifies the view to say, oh, well, again, are we just talking about EC2 VMs? Or do I, can I have the same level of logging if I just have a virtual or an elastic stack?
So let's make sure that we have our own analysis here, that you understand and look at the options that your development team hasn't even used yet. If they're not doing functions as a service, within the next year there's going to be a Lambda function out there doing something and all of a sudden it's going to be mission critical. So go ahead and think about all those things and be able to do this analysis for your own company and your own situation.

All right. So I wanted, this big search, if you have a Gartner pass and get on and you look at the full study here, here are some of the highlights that I thought I would call out. So Amazon GuardDuty, great product. It does have a region specific thing. So for you guys that actually are working in the cloud using GuardDuty as your SIEM, if you have multiple regions, just know it's not doing cross-region correlation. So if you do have multiple regions in AWS, you want to make sure that you either assume that risk or use another SIEM to do your alerting. So it's a good takeaway. I love finding out that Google's OEM, they have the, it's actually Symantec under the hood. They call it the Google workload protection. It's just Symantec. And so if you have opinions about Symantec, there you go. I've just given you more information to do something with. So Google does not support transit VPC. So as I said, there's really three ways of doing security. It's either have an agent on a box, which we know has limitations; APIs, which of course have limitations because not every API gives you all the same access; and/or network. And so if you're going to be doing network based stuff, and I say that you probably need to do network based stuff for IR and being able to do things on the wire, Google does not support transit VPCs. So keep that in mind as you're looking at these, and of course there's more cloud service providers than just these. But we had to stop somewhere.
So if you know anything about denial of service protection, Google is kind of like old school: if they're going to just flood you with data, then they've got protection. However, there's a method called scrubbing. We'll get into it right now, but a lot of the more modern denial of service attacks are mitigated using scrubbing. That is a premium add-on for Azure and AWS, but Google does not have that at all. So again, when you think about which services to put in which cloud service provider, that might move you one way or the other. So if you're applying the WAF on AWS, you really can only use it on those two, either on CloudFront or their load balancer. So there's other third party products, I know F5 and a couple of others are really kind of looking to cover that gap, but the WAF has got a lot of limitations in the out of the box capabilities for AWS. Azure does provide endpoint security. I think that's interesting; AWS doesn't even rebrand anything, so Azure does have that. I would encourage you to look at what's available out there for cloud based endpoint security for those instances in which you can put an agent. And then Stackdriver. So both AWS and Google, AWS and Azure, have great logging tools. Stackdriver takes it a little bit further and it can do some debug level stuff, which is great if you want to also do some IR. But what I thought was interesting is that Stackdriver can be used on AWS, and so if you've got both Google and AWS, look at Stackdriver to maybe consolidate logging and get a couple more features.

All right. So transit VPCs. I'll make sure that everybody walks away with this. A technique that is definitely kind of required to implement a lot of the cloud security that you see over at Black Hat when they say, hey, we can do these wonderful things. If it is a network based approach, you're going to need to build a transit VPC.
And that just basically means that I've got to run my network traffic through a VPC to be able to get this stuff done. So this is just a basic architecture approach, but it is overlooked by a lot of architects, and realizing, oh, we're going to have to do this other thing. And so, especially if you're moving to the cloud, get this in place beforehand; if not, go talk to your network engineers and look at implementing this so you can do things like packet capture, IPS and other things on the wire. Right.

All right. So now I'll get into some of these. Like I said, these are some of the Gartner terms. So, cloud workload protection platforms. All right. So this is a really big long word for endpoint security in the cloud. But a lot of these products I looked at were just the same EDR product. They just put the word cloud on it. So what I want to do is, if you are going to look at, and you should, if you don't have one already, look at these endpoint based solutions, here's what you need to make sure that they have. So both agentless and agent based operations. Most of these are going to be agent based to begin with. But see which ones can tap into APIs in the cloud and decide what type of functionality is useful, so that you can get that threat detection and protection coverage on those serverless options. Protection of containers. Even if you're not using containers today, you will be soon. So make sure that your endpoint protection is container aware. So, tagging and segmenting. There's another slide on micro segmentation.
But being able to understand the traffic coming out of each container from a different instance, and with all the auto scaling and everything else, you need to be able to describe the data in very finite ways and make sure that, if you are looking at or already doing traffic tagging and security groups, your endpoint security solution works with it. If you've already done the job of describing, here's all of my enterprise bus traffic, built to this great APS security group, and I can identify those, I've done all of the microservices tagging, and then you go and install this product and you can't see those tags, you can't work with them, so you can't really write rules based off of that other work. So this is where the enterprise architects are going to be at the end of the day, if you want to make sure your security products can leverage it. So, native API based integration, especially if you're on multiple cloud providers, you need to look at, can I integrate, have one console for both my Google and my AWS cloud? That saves a whole lot of pain and effort, so if you do have a multi cloud integration, make sure you can do that. You know, traditional antivirus, really not a big deal on servers; however, application control, whitelisting, you know, I used to work for Bit9 so I love this stuff, but I think that that's a very key feature as well. So this is your shopping list if you're going to go look for this wonderful world of cloud workload protection platforms, i.e. endpoint security.

All right, next category of, you know, miraculous solutions is, who here has even tried to use CASBs out in the field? Anybody? A couple of hands over here. CASBs tend to have gotten kind of a bad rap because back when I was doing consulting, I'd ask, so what about CASBs? They're a pain, they're for this size company, we're too big for them, or, you know, they're too complicated. And they can be complicated.
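The tagging and segmenting item on the shopping list above is easier to see in code: rules written against workload tags keep working when auto scaling hands a workload a new address, and observed flows can be checked against the same rules. This is an added example, not code from the talk or from any segmentation product; the workloads, tags, addresses and flow records are all constructed.

```python
"""Added example: tag-based segmentation policy plus a flow check against it.
Not from the talk or any product; every workload, tag and flow is made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    tags: frozenset  # e.g. {"tier:web", "app:shop"}


@dataclass(frozen=True)
class Rule:
    src_tags: frozenset  # every listed tag must be present on the source
    dst_tags: frozenset  # every listed tag must be present on the destination
    ports: frozenset     # allowed destination ports; empty means any port
    action: str          # "allow" or "deny"


def rule_matches(rule, src, dst, port):
    """A rule matches on tags of both ends, not on addresses."""
    return (rule.src_tags <= src.tags and rule.dst_tags <= dst.tags
            and (not rule.ports or port in rule.ports))


def decide(policy, src, dst, port):
    """First matching rule wins; anything unmatched is denied."""
    for rule in policy:
        if rule_matches(rule, src, dst, port):
            return rule.action
    return "deny"


# Constructed inventory. web-2 is an autoscaled copy of web-1 with a new
# address but the same tags, so no rule has to change to cover it.
WORKLOADS = [
    Workload("web-1", "10.0.1.10", frozenset({"tier:web", "app:shop"})),
    Workload("web-2", "10.0.1.57", frozenset({"tier:web", "app:shop"})),
    Workload("db-1", "10.0.2.10", frozenset({"tier:db", "app:shop"})),
    Workload("db-2", "10.0.2.20", frozenset({"tier:db", "app:billing"})),
]
BY_IP = {w.ip: w for w in WORKLOADS}

# Constructed policy: shop web tier may reach the shop database on 3306,
# web instances may talk to each other, everything else is denied.
POLICY = [
    Rule(frozenset({"tier:web", "app:shop"}), frozenset({"tier:db", "app:shop"}),
         frozenset({3306}), "allow"),
    Rule(frozenset({"tier:web"}), frozenset({"tier:web"}), frozenset(), "allow"),
]

# Constructed flow records in the spirit of VPC flow logs:
# (source ip, destination ip, destination port)
FLOWS = [
    ("10.0.1.10", "10.0.2.10", 3306),   # web-1 -> db-1, expected
    ("10.0.1.57", "10.0.2.10", 3306),   # new web-2 instance, same tags
    ("10.0.1.10", "10.0.2.20", 3306),   # web-1 -> billing database
    ("10.0.1.10", "10.0.2.10", 22),     # web-1 -> db-1 on SSH
    ("10.0.1.10", "10.0.1.57", 8080),   # web-1 -> web-2
]


def find_violations(policy, flows, by_ip):
    """Flows the tag policy would not allow, reported by workload name so an
    analyst sees roles rather than bare addresses. An address with no known
    workload is reported too, since an unlabelled host is itself a finding."""
    out = []
    for src_ip, dst_ip, port in flows:
        src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
        if src is None or dst is None:
            out.append((src_ip, dst_ip, port, "unknown workload"))
            continue
        if decide(policy, src, dst, port) != "allow":
            out.append((src.name, dst.name, port, "denied by policy"))
    return out


if __name__ == "__main__":
    for violation in find_violations(POLICY, FLOWS, BY_IP):
        print(violation)
```

Against the constructed flows the check flags the shop web tier reaching the billing database and SSH from web to database, allows the autoscaled `web-2` without any rule change, and allows web-to-web traffic. The speaker's later definition of micro segmentation, a decision based on more than IP and port, is what `decide` implements; what an endpoint product must provide is visibility of the tags in `Workload.tags`, otherwise rules like these cannot be written.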
CASBs in general is this group of products that says, I need to put something in between my user and my, typically, SaaS providers to do additional stuff. So when we talk about converting controls over to the serverless world, there's also all these, you know, software as a service providers, and I want to do things like, you know, authentication. Well, yes, you can go and do, you know, they've got, you know, now, can really help you with that, but the CASB products kind of do more than that, you know, allow you to do, can add on additional encryption, can do some encapsulation, do adaptive access control. I've got a couple of features here, and there's multiple architectures in the way that these work, and I've got them on my next slide. But one of the main features is, you know, shadow IT, so you can kind of go start getting a hold of these other products. So of course, yes, if you've got proxy logs, your Splunk could probably figure out who's using these other, you know, shadow IT products, so if that's your only use case I wouldn't go out and buy a CASB just for that. But you can then start applying some of your security controls to those products in a CASB product, and so, like I said, you can apply those to your sanctioned SaaS and then also be able to apply those to any of the unsanctioned SaaS that you come up with, and you can start onboarding those.

But how do they work? So there's generally, usually three, four is there as well. So there's API mode. So basically, in some CASBs they just say, I'm going to talk to the SaaS provider, and I'm going to tell it, it's got an API there, and they know you're coming from, you know, company X, and we're going to apply all these controls for you because we have this native integration. So this is API mode, and a lot of the big SaaS providers work with a lot of the CASBs out of the box and can apply your security controls without necessarily doing a man in the middle. The two man-in-the-middle modes, you can apply forward proxy mode or reverse proxy
mode. I won't necessarily get into the technical differences there, but, you know, you can understand that the other way of doing this is you've got to basically put yourself in the middle and then broker those communications so that you can apply those security controls like authentication, encryption and whatnot. And then there's enterprise integration, which is a complex word of saying that I've got all these other little products that I can tap into services. So again, I was going around all these providers yesterday, or vendors yesterday, and asking about them, and they describe how you're doing this. Oh, so you're kind of like a CASB, right? I'm not really a CASB, ours is so much different, right? So it's like, no, you're a CASB. So this is one of these product solutions that in general, I do think that most CASBs, it is still a fairly new set of technologies, and if you're a large enterprise, probably not going to be able to meet all of your demands. There might be now some of the CASB products that started to, like, put in a lot more enterprise features. But this is a good mid-market program: if you've got a very small data center or no data center and your company runs a whole lot of different SaaS products, I would look at some of these to help fulfill some of your security needs. Like I said, this is one of these network based solutions that can apply security controls for SaaS and other cloud service technologies without necessarily having to, you know, manage the full agent.

So everyone's heard all about, you know, I've got this breach data over this. So this is a mandatory thing, is to make sure that you understand how you're doing ongoing cloud security posture management. You know, Gartner used to call this cloud infrastructure security posture assessment, CISPA, but then, you know, Congress decided to create a really bad law called CISPA. Now you don't want to call things CISPA because everybody gets all fussy and says E-F-L-C-S-S. Okay, so we're gonna call it cloud
security posture management now. And so if you only have, you're only doing things in one, you know, AWS or just Azure, they do, each of the products do have their own, like, you know, checklist toolkit. However, this is one of those areas I think that defense in depth is probably warranted, right? If you're having the cloud service provider tell you that everything's okay, in general that might be good enough for you. But if you think that you need a little bit more, there are third-party products, there's open source. There's CloudSploit, I think is one of these. There's a lot of good, let's see, right now we're down to Scout2, Prowler, Security Monkey, Cloud Custodian and CloudSploit. So just look out there for those types of solutions, and what they'll do is, you know, look to see how you've got things set up and constantly tell you, hey, yep, you've got an open S3 bucket, right? You know, that's the kind of thing. And so this is your security blanket, make sure that nobody over there that has the permissions to do so does something stupid, and you can immediately respond to it. So, mandatory tool in your cloud security toolkit.

Software defined perimeter. Anybody know what this one is? Oh, I got one, one, all right. So software defined perimeter, I really like this because I worked for a start-up and this is kind of what we did. We didn't call it this because we wanted to be cool, we wanted to call it micro segmentation because, you know, NSX was talking all about micro segmentation, we're like, we can do so much better. But this is basically the type of solution. It says, I'm going to put, everyone that I've seen so far is agent based, I think some may have APIs, but the idea is I got an agent on one side, I got an agent on the other, and based off of different situations I can do different things with that situation. So if I've got an agent on the endpoint, I can actually stop network traffic from getting through the IP stack based off of this broker's decision. So for example you can do
authentication before the TCP session is even established so you can make things disappear that's why I call it software defined perimeter server on the internet and it says I'm only going to allow other endpoints because I've got this third party broker that's going to say I'm coming in authenticated this IP over here he's good to go you can open up a TCP session for him all these other ones you're just going to drop the TCP session so I think it's a really neat way of doing security you can also do things like add encapsulation and again you can look at this for east west traffic as well it doesn't have to be client server that you can do this in the data center again most of this is agent based but provides some really interesting security you can make machines hide off the network unless you're part of this brokerage solution really neat tools there alright micro segmentation no cloud talk is good without micro segmentation like I said worked in this for a couple of years so micro segmentation this is my definition here because that helped write a lot of this it's basically saying I want to make a decision on whether traffic is allowed to flow based on something more than just IP import alright so I can say this is coming from these set of servers and it's coming from these sets of services so I know that this data is held up I don't need to do protocol inspection or anything like that I can just go ahead and say yes I can identify this, I can tag it and then I can link this in with my networking solution to then provide a lot of east west control on making sure that only traffic that should go where it goes micro segmentation is being built in the last software to find networking products it's obviously available I said the NGX product from VMware and I'm seeing a lot of enterprises start to actually push out you know import agents and start participating their entire company and doing micro segmentation most of the and so the architectures there native micro 
segmentation is in the cloud or with VMware third party model is I've got some other product that is going to come in and do it for me and then the overlay model is the agent based model like Illumio and then the hybrid model is using some combination there so in cloud you've got micro segmentation natively so if you're doing any micro segmentation in your data center you can carry that over to the cloud and make sure that if we're using NGX the tags carry over and you can create an enterprise wide micro segmentation scheme a lot of people get worried about the micro segmentation I've got I didn't put that graphic in I've got complex city I've got VLANs were hard but now you're talking about micro segmentation thousands of different so a lot of people I've seen enterprises call this macro segmentation but this model we're just going to simplify it do macro segmentation either way it is a very strong control that you should look at and when you're designing your cloud solutions because when you look at the number of controls and you look at a lot of the serverless options sometimes you're just going to have to segment that stuff off right I can't put an agent on it it's encrypted traffic but I can't do anything else with it so how can I secure my data layer in the cloud so you can do some micro segmentation make sure that only the approved services can connect to that and really you have to do micro segmentation when you're talking about auto scaling a lot of the dynamicness of the cloud so it's in response to the cloud so we'll talk a little bit about how we can now make something bad has happened right so one you have to plan for IR in the cloud so of course a lot of this is logging but logging is always not enough but when you are doing logging I would look at things like write once storage S3 bucket versioning is a good way of making sure that as you put your logs in that they're immutable and then also index all of your SaaS services if something bad were to 
have you know that we kind of laugh about oh those are the sales guys using Salesforce what do they really need instant response for oh I lost my contacts I'm sorry if you're sales guys the sales team loses a whole bunch of stuff trust me that's going to be a big IR situation because the sales guys a lot of companies run the company right and so if they can't sell stuff nobody's getting paid so we got to go it's a big deal so go talk to your SaaS providers and figure out what can I get access what can I get in get the data it needs get the whatever logs whatever different captures that I can get plan for that stuff and this is also where you might look at it and say hey I think I might want to look at Cosby's now because now with Cosby's I can start doing capturing some of that network data so if I don't have net witness on every single one of those and so I can figure out how to respond for my software as a service providers note that all of your cloud service providers they have their own IR process and if there was a situation if there's a data center on fire they're going to let you know so if you're you know part of IR part of the sock make sure that you one you've indexed all of your cloud services and two that you know what their IR program is if you're mature enough to be able to sit there and pull sock to reports that's great but you know to go and you know Microsoft and Amazon they all have really good you know explanations on how their IR process so just remember because there's different levels of responsibility that IR process might be kicked off by your actual cloud service providers so just make sure you have that in your mind so a couple tips here so EC2 we can actually you know if you've actually got you know VMs there you can do a snapshot capture in EBS Azure you can actually you know if you've got you know IIS OS you can just capture the data drive directly in the portal Margarita shotgun great little tool for doing memory captures especially in 
the cloud and if you're on AWS there's this great combination of toolkits called the open source incident response toolkit it's got a number of different tools packaged together and that way you could actually start up you know have an IR station in your cloud so that you know when you go to capture something you can go ahead and just mount it on your IR instance and you can go and start working away so again IR is not waiting until it happens to put all this together right so build all that out and that in the security center Azure's got a pretty good you know playbook based system in its security center that can help a lot of the IR automations and of course if you've got something like Demysto they all kind of tie into those so again just like with the enterprise the endpoint security stuff if you're doing automations like rainbow tables just show this you know make sure that they can connect to your cloud so again the takeaway here is that you know there is lots of different things in the cloud there will continue to be lots of different things in the cloud and we have lots of different security controls that we have to continue to do it's very hard to keep up with that and so we have to make sure that we index as much as we can and we can communicate those gaps and also you know so that you can intelligently to vendors and they say hey you know this great beautiful thing that you know here's what it can do right but how does it work because that's going to tell you what kind of coverage you have so I appreciate your time for coming out and if anybody has any questions I can take a few now otherwise I'll be around in the back to talk a little bit further so any questions? I answered them all great well I appreciate you guys coming out have a good DeafCon
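A tag-based allow/deny decision of the kind the micro-segmentation part of the talk describes (decide on workload tags, not just IP and port, so the rule survives an auto-scaled replacement with a new IP), written as an added Python example that is not from the talk or any product; the Workload, Rule and decide names and the env/role tags are constructed for illustration.

```python
"""Tag-based east-west policy decision (constructed example, default deny)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str            # kept only for the decision log; rules never match on it
    tags: frozenset    # e.g. {"env:prod", "role:web"}, assigned by the orchestrator


@dataclass(frozen=True)
class Rule:
    src_tags: frozenset   # every tag here must be present on the source
    dst_tags: frozenset   # every tag here must be present on the destination
    ports: frozenset      # destination ports this rule permits


def decide(src: Workload, dst: Workload, port: int, rules):
    """Return (allowed, reason). Nothing flows unless some rule matches."""
    for i, r in enumerate(rules):
        if r.src_tags <= src.tags and r.dst_tags <= dst.tags and port in r.ports:
            return True, f"rule {i}: {sorted(r.src_tags)} -> {sorted(r.dst_tags)} :{port}"
    return False, "default deny"


def prod_web_to_db_policy():
    # One rule: production web tier may reach the production DB tier on 5432 only.
    return [Rule(frozenset({"env:prod", "role:web"}),
                 frozenset({"env:prod", "role:db"}), frozenset({5432}))]


def example():
    rules = prod_web_to_db_policy()
    web1 = Workload("web-1", "10.0.1.5", frozenset({"env:prod", "role:web"}))
    web2 = Workload("web-2", "10.0.1.77", frozenset({"env:prod", "role:web"}))  # auto-scaled, new IP
    dev_web = Workload("web-dev", "10.0.9.5", frozenset({"env:dev", "role:web"}))
    db = Workload("db-1", "10.0.2.10", frozenset({"env:prod", "role:db"}))
    results = {}
    for src, port in [(web1, 5432), (web2, 5432), (dev_web, 5432), (web1, 22)]:
        allowed, why = decide(src, db, port, rules)
        results[(src.name, port)] = allowed
        print(f"{src.name}({src.ip}) -> {db.name}:{port} {'ALLOW' if allowed else 'DENY'} ({why})")
    return results


if __name__ == "__main__":
    example()
```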