Welcome to this talk on a holistic approach to managing cyber assets and extending your security posture. I'm John Richards, the head of developer relations at Paladin Cloud, an open source security-as-code platform. Here are a couple of things about me: in addition to my love of discussing tech and security, I also have four cats, and I'm always down for playing some board games or trying an escape room.

All right, let's jump into the topic for today. Here's the agenda. We're going to start by understanding a little bit about digital transformation and how that led us to the cloud, where we'll look at our shared responsibility for security in the cloud. We'll understand a little more about our attack surface and then how to manage the cloud. Then we'll look at security efficacy: how can we be certain of the effectiveness of our security tooling? And then I'll give a quick demo of Paladin Cloud and its use in measuring security efficacy.

So, a holistic approach to managing cyber assets and extending your security posture. That's a mouthful, so I'm going to break it down into three parts.

First, a holistic approach. This is characterized by the belief that the parts of something are interconnected and can be explained only by reference to the whole. What does this mean in the context of cyber assets? Well, first, looking at only one asset or facet can be deceiving. For example, I was looking to fix an S3 bucket that reported a port being exposed to the public. But as I dug deeper, I realized the whole S3 bucket was unused. So the real solution was just to remove the entire asset. Similarly, attackers are looking at more than compromising one asset; they are looking at how to use a single compromised asset to move laterally into other parts of an organization's infrastructure.

Then we have managing cyber assets. What's a cyber asset? According to NIST, it's the data, personnel, devices, systems and facilities that enable the organization to achieve business purposes.
That's kind of a short sentence, but it's a really broad list. We'll talk more about this, but it's safe to say that this basically covers everything in the cloud.

Then we have extending security posture. NIST defines security posture as the security status of an enterprise's networks, information, and systems based on information security resources and capabilities in place to manage the defense of the enterprise and to react as the situation changes. You see that dot, dot, dot up there after "security resources"? I removed the example list so it would fit on the slide, but it was functionally the same list from up above in cyber assets. See, security isn't static, as the threats and risks around it constantly evolve. We'll be exploring what that looks like and why we must ensure that our security posture covers those assets up above.

But how did we get here? Moving to the cloud brings many benefits to an organization. Digital transformation, or moving to the cloud, allows organizations greater scalability and flexibility, which helps them respond quickly to changing business needs. The specifics vary by organization, but they fall into three big buckets we'll discuss later on: operations, security, and cost. However, as organizations move more of their operations to the cloud, it is crucial that their security posture is maintained and that cyber assets are appropriately managed and secured. A holistic approach to security ensures that all aspects of an organization's cloud environment are monitored and protected against potential threats.

Let's start with this concept of digital transformation. Digital transformation has been going on for a while. Developers needed computing resources for their applications. In the past, that was all built locally, so we had all this on-premises infrastructure. And that meant requesting an operations team to handle requisitioning and provisioning the assets needed by the teams developing applications.
When we talk about efficiency in the cloud, a lot of that comes from DevOps: the ability for developers to spin up environments on demand, quickly. As cloud computing became available, the efficiency and cost savings of not needing a whole ops team became more and more attractive. Organizations began to realize the value of digital transformation, but now needed to figure out how they were going to accomplish it.

There are three main ways to tackle digital transformation. One is lift and shift, or migration. Here you're moving existing applications to the cloud with minimal changes. Use this strategy when the goal is to reduce costs or increase scalability, or when you're under a time crunch. Re-architecture involves reimagining existing applications to take advantage of cloud-native features. Use this strategy when the goal is to improve performance, scalability, and flexibility. And then there's cloud native. This involves building new applications from the ground up, using cloud-native technologies and architectures. Use this strategy when the goal is to achieve maximum scalability, performance and flexibility, and you have the capacity to begin building new applications. Some organizations take a hybrid approach, using different strategies for different applications. But choosing which one is correct for an organization should be based on its goals for why it's moving to the cloud in the first place.

At a previous employer, our digital transformation from on-premises architecture to the cloud was primarily to modernize our IT infrastructure, increase efficiency, and reduce costs. We ended up taking the lift and shift route, which worked to reduce our costs and increase scalability. But since we recreated our same processes in the cloud, we didn't gain very much in performance and flexibility. However, since we were now in the cloud, we had those options open to us in the future if we wanted to invest in them.
Organizations move to the cloud for many reasons, but they usually boil down to one of these.

Time to value. Speed and efficiency are big motivators. We already discussed how the change in the operations model can provide faster time to value by removing extra steps.

Elasticity. Scalability is an enormous benefit: being ready and available for crucial moments. At a place I worked previously, we hosted some of the presidential debates. Those would cause huge spikes in traffic, so we needed to be able to scale up to handle that load. But we didn't need it all the time, so the cloud's scalability ended up being a huge draw for us.

Innovation. Using new cloud services can allow teams to create things that seem impossible to implement in a non-cloud environment.

And cost. Moving to the cloud can reduce the need for human and machine resources, resulting in cost savings. Now this is very appealing, but remember, digital transformation isn't a magic wand. Done poorly, teams may find themselves spending even more money, and finding that those humans were providing value in places automation can't.

Now, the risk of going backwards by doing it poorly applies to all of these, but especially to this next one: security. By offloading security to the cloud provider, overall security can be increased. But the cloud also brings its own swath of security concerns. Let's look at what that security responsibility split looks like. This is an example from AWS, but of course GCP, Azure, and other cloud providers have very similar approaches, where certain security aspects are offloaded to the cloud provider and other elements are still owned by the customer. AWS talks about this in terms of responsibility for security of the cloud and responsibility for security in the cloud.

I once woke up from a sound sleep to a rustling sound while spending the night alone in a hotel room. I was freaked out; then I realized the source.
I had accidentally left the door to a shared patio open, and a breeze was rustling some papers I had left out the night before. While the hotel had provided security of my room (there was a lock on the door), I had failed to handle security in my room by leaving that door wide open. Thankfully nothing happened, but it was a vivid reminder of my role in my own security.

Being in the cloud opens up all kinds of new threat vectors. AWS gives some broad examples of what you need to secure, but this list is really just the start. That fantastic time to first value from using dynamic cloud environments means it's also really easy to misconfigure or lose track of things. The data shows that enterprises are struggling with managing security and compliance inside their clouds. Gartner reported that nearly all successful attacks on cloud services result from customer misconfiguration. They estimate enterprises could avoid 80% of misconfigurations by adopting security posture management over their clouds.

CSOs and security teams have a lot to deal with, but here are some of the top concerns we're hearing right now: trying to identify threat vectors in the cloud to mitigate risks and prevent data breaches; ensuring protection of their sensitive data; a focus on threat intelligence and risk assessments; and proactively monitoring cloud risks with automation to be sure they're compliant.

So how do organizations get a handle on this? The first step is to understand their attack surface. Understanding your attack surface starts with a thorough and complete cyber asset inventory. An inventory has been a fairly common practice with physical assets, but the cloud changed everything. Think about the definitions we discussed at the start. What is a cyber asset? Remember, NIST said the data, personnel, devices, systems and facilities that enable the organization to achieve business purposes. It's really everything. It's configuration. It's your databases.
Your APIs, your clusters, your security groups, your accounts. Everything in the cloud becomes a cyber asset. Your attack surface has changed from a perimeter, like a castle wall with a moat, to a living life form. Our attack surface is now like a coral reef that's constantly changing, growing and shifting. It's become an ecosystem.

In the past, the attack surface was a static entity. You were able to build a wall around it, add in that moat, and keep the bad folks out. As long as nothing got past your perimeter, you were confident you hadn't been breached. At its most rigorous, the idea of air-gap security worked exceptionally well. But now the internet connects everything. We've moved to this dynamic world, and that brings all kinds of unknown risks. We no longer have a wall. Our moat is gone. Our perimeter is tens of thousands of entry points into our inner sanctum. We have the capability for developers to spin up entire stacks at once, each with its own level of complexity and security concerns. We're also dealing with high-tech threat actors and nation states carrying out security attacks at a scale we've not seen before. Our attack surface is no longer static. It is a living entity, and we have to realize we will never go back.

That's meant a move to defense in depth, implementing network security via stacks of controls. All kinds of security tools are being used now. As this proliferation of tools comes online to monitor all of our assets, we find that we now need a way to monitor and consolidate the data from those tools. Otherwise, teams become overwhelmed by so many tools and data sources coming at them. And overwhelmed teams balk at adoption. They resist improvements to security. Digital transformation is just as much about cultural shift as it is about technology shift.

So how do you facilitate cultural and technological change? We recommend creating a group dedicated to cyber asset management.
Time and again, we see that successfully managing cyber assets involves a self-governing group forming in the middle of an organization. The group goes by different names: the Cloud Center of Excellence, DevSecOps, the Cloud Governance Team, or something else that aligns with the organization's culture. But the name isn't what's important. It's the impact they bring. This group focuses on the three key things to governing in the cloud: operations, cost, and security. They consolidate best practices from internal and external sources and proliferate them to the rest of the organization.

Operations is defining how teams carry out day-to-day activities within the cloud: what they can and can't do. Cost is about using organizational resources efficiently. How do you make sure groups aren't throwing money away? In my personal cloud, I forgot to do cleanup after a project and made the mistake equivalent of leaving the water running while I was on vacation. I came back to find a massive bill at the end of the month. Proper cloud hygiene and optimizing for discounts or credits can save organizations large amounts of money. And we have security, of course: making sure to minimize risk and protect against threats.

Now, this group is answering the question of what a healthy cloud model looks like. To answer that requires that they understand what the organization wants to do and how it should operate within the cloud. At any organization large enough to need a cyber asset management group, this isn't something that's done in a day or even a week. This group needs to consider their transition strategy. For example, their goal might be to move to a completely federated workspace in the cloud. If so, that's going to be a factor in the policies they need to have. This group must tackle the challenge that important security concepts are often far more aspirational than prescriptive.
Consider the United States government's executive order on security and implementing things like zero trust and a software bill of materials. It calls for plans for making these happen rather than defining their implementation. That doesn't mean these concepts aren't real, but we as a community of practitioners aren't yet sure what the best way to do all these things is. Similarly, organizations are faced with defining their plans to get to zero trust. How will they ensure they are implementing least-privilege access? Can they be sure users only have access to what they need? It means already assuming networks have been compromised, because we no longer trust the idea of a castle-wall perimeter keeping attackers out. Organizations like the CNCF and OSSF are crucial to the security ecosystem of the web. They help shape these aspirational goals, define best practices, and give direction to teams looking to implement these practices.

Now realize, this is really hard to do. The cyber asset management team needs support to succeed. When implementing cyber asset management, teams need to have the time to do it right. They need support from leadership to implement some hard choices, and they need developer buy-in. To make that cultural shift happen, they need to be sure developers are included in security conversations. Developers tend to have a large amount of operational power in the cloud, to spin up the assets they need to work. Teams can often go to the cloud provider, spin up an entire environment, or even provision a whole Kubernetes cluster. It's not unheard of for teams to then move on, and those assets get left behind, creating operational cost and security problems. Therefore, developer engagement is critical to implementing cyber asset management and extending your security posture. The good news is most developers want to be secure. Sometimes they just need someone to give them the okay to work on it.

Now, security is also complex.
Teams often need to be informed on how they can begin tackling such a daunting task. There are so many tools and platforms out there that it gets overwhelming. There are many cloud providers, and teams are often running multi-cloud. We have vulnerability scanners, identity management, code scanners, Kubernetes management, asset management, database management, data compliance, and a large amount of SaaS tooling. A 2020 Blissfully survey found that a medium-sized organization averages 185 different SaaS tools. We do need a lot of tools, but throwing a whole bunch of different tools at teams becomes overwhelming. It creates friction, and that resistance causes teams to push back, delaying overall progress. By including developers in the process and providing the right information they need, they can become allies instead of roadblocks.

So how do we get to the right information? Well, let's go back to our definitions again. We're looking for a holistic approach. All these cyber assets are interconnected, and we need a way to deal with them individually and collectively. And by deal with them, I mean we need to extend our security posture over them. To do so, we need a policy management plane, so our cyber asset management policies can holistically apply to all of our cyber assets. We start by defining all our cyber assets. Then we take the cyber asset management policies our cloud team created and apply those across all our assets. Once that's in place, we automate the monitoring of those assets against our security posture, so we can know the state of our cloud in real time. The end goal is to observe and automate everything. With that in place, we can now look at our cloud and understand our attack surface. In addition, we can visualize how it is changing over time and understand the trends of our compliance.

That brings us to a concept called security efficacy. Efficacy is the ability to produce a desired or intended result.
Let me give an example of what I mean by efficacy. I worked with an organization that adopted Qualys to do scanning of their compute instances. They were getting good results back from their scans. They thought, hey, we are secure. But come to find out, as they began identifying all of their cyber assets, there were a bunch of instances they hadn't been aware of. And those were not being scanned. There was nothing wrong with the tool they chose, but the actual efficacy of that tool was far lower than they realized because they didn't know their attack surface.

This idea of security efficacy is about getting the most out of the tools available. If we don't have a cyber asset inventory, then we don't have a way to verify we are taking a holistic approach. We then think we're fully protected when we aren't. It's important to know whether our efficacy is at 99%, 90% or 50%. The news is filled with organizations with compromised assets they didn't even know existed. This is because they were unaware of the full extent of their attack surface. Enterprises must have coverage across all their cyber assets.

The other aspect of efficacy is around time. How long are vulnerable assets sitting around? Does your cyber asset management cover how long teams have to address critical issues? Is this measured in hours or in weeks? For example, if it takes three weeks to fix a publicly exposed asset, your security efficacy is much lower than that of a team that addresses those within 24 hours. Having scanning and monitoring is a step forward, but security efficacy is about understanding the effectiveness of those tools and policies. Tracking the efficacy of your security posture lets you be certain it extends over your entire attack surface.

Let's wrap up here with a review. First, we discussed a holistic approach to managing cyber assets and extending your security posture.
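To make the two sides of security efficacy concrete, here is an added example (not Paladin Cloud's code): it compares a scanner's results against the cyber asset inventory to find the blind spots and the coverage ratio, and measures how long findings of each severity stay open against a per-severity SLA. The inventory, scanner output, findings and the SLA hours are all constructed, assumed values.

```python
"""Security efficacy metrics over a cyber asset inventory (constructed sample data)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed reference time so the example is deterministic.
NOW = datetime(2023, 6, 1, 12, 0)

# Remediation SLA per severity in hours; assumed values, not a Paladin Cloud default.
SLA_HOURS: Dict[str, int] = {"critical": 24, "high": 72, "medium": 24 * 7, "low": 24 * 30}


@dataclass
class Finding:
    severity: str
    opened: datetime
    closed: Optional[datetime] = None  # None means the finding is still open

    def hours_open(self, now: datetime = NOW) -> float:
        end = self.closed or now
        return (end - self.opened).total_seconds() / 3600


@dataclass
class Asset:
    asset_id: str
    asset_type: str
    findings: List[Finding] = field(default_factory=list)


# Constructed cyber asset inventory: what the organization actually owns.
INVENTORY: List[Asset] = [
    Asset("i-0001", "ec2", [Finding("critical", NOW - timedelta(days=5), NOW - timedelta(days=4))]),
    Asset("i-0002", "ec2", [Finding("critical", NOW - timedelta(days=10))]),
    Asset("i-0003", "ec2", [Finding("high", NOW - timedelta(days=2), NOW - timedelta(days=1))]),
    Asset("i-0004", "ec2", []),
    Asset("bucket-logs", "s3", [Finding("critical", NOW - timedelta(hours=30))]),
]

# Constructed scanner output: the assets the vulnerability scanner knows about.
SCANNED_IDS = {"i-0001", "i-0002", "i-0003"}


def scan_coverage(inventory: List[Asset], scanned_ids) -> Tuple[float, List[str]]:
    """Fraction of inventoried assets the scanner covered, plus the blind spots."""
    known = {a.asset_id for a in inventory}
    unscanned = sorted(known - set(scanned_ids))
    coverage = 1 - len(unscanned) / len(known) if known else 0.0
    return coverage, unscanned


def mean_time_to_remediate(inventory: List[Asset], severity: str, now: datetime = NOW) -> Optional[float]:
    """Mean hours a finding of this severity stayed open; open findings count up to now."""
    hours = [f.hours_open(now) for a in inventory for f in a.findings if f.severity == severity]
    return sum(hours) / len(hours) if hours else None


def sla_breaches(inventory: List[Asset], now: datetime = NOW) -> List[Tuple[str, str, float]]:
    """Open findings past their SLA as (asset_id, severity, hours open), longest first."""
    out = []
    for a in inventory:
        for f in a.findings:
            if f.closed is None and f.hours_open(now) > SLA_HOURS[f.severity]:
                out.append((a.asset_id, f.severity, round(f.hours_open(now), 1)))
    return sorted(out, key=lambda t: -t[2])


if __name__ == "__main__":
    cov, missing = scan_coverage(INVENTORY, SCANNED_IDS)
    print(f"scanner coverage: {cov:.0%}, unscanned: {missing}")
    print(f"critical MTTR: {mean_time_to_remediate(INVENTORY, 'critical'):.1f} h")
    for asset_id, sev, hours in sla_breaches(INVENTORY):
        print(f"SLA breach: {asset_id} {sev} open {hours} h (limit {SLA_HOURS[sev]} h)")
```

With the sample data the scanner covers only 60% of the inventory, which is the gap the Qualys story above describes: the tool works, but the two unscanned assets never enter its results.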
We broke that down into its three parts: the holistic approach, managing the cyber assets, and extending security posture. We examined how and why organizations adopt digital transformation and move to the cloud, then covered how security is a responsibility shared with the cloud providers. Moving to the cloud forever changed our attack surfaces. We have left the static castles of the past and must now secure the dynamic, morphing ecosystems of modern clouds. To deal with this new shifting reality, organizations must understand their attack surface by identifying their cyber assets, creating holistic cyber asset management policies, and then extending their security posture by automating and reporting on the efficacy of those policies.

As promised, here's a quick demo of what measuring this with open source tooling looks like. Paladin Cloud is a free, open source security-as-code platform that's working to address these challenges. Let's take a look at how it enables teams to manage their cyber assets. Paladin Cloud scans your cloud infrastructure, locating assets in any accounts you give it. For this demo, we'll use data from three cloud providers, pulling in assets from AWS, Azure and GCP. Paladin Cloud has over 400 policies built in and allows you to write custom policies for your specific organization. Any time an asset fails to follow one of those policies, that creates a violation.

We can see here in our demo account that we have just over 300 assets. And here in the dashboard, we can see a breakdown of all of our violations. First off, they're sorted by criticality, so we know what to focus on. We can see that we have 79 critical violations. These are the ones that need to be addressed first. Now we get information about those, so we can see that even though there are 79 critical violations, those are across just 20 policies.
So we'll want to look at those policies to understand if we can get some quick wins here by locating which ones we have the most violations with and resolving those. We can see that that runs across 43 assets. So in general, each one of these assets has about two different critical violations. And then after that, we have the average time it takes for our team to remediate these violations as they come in. We can see here that we take two days to remediate critical violations. We then have our high, medium and low violations, and we're working to resolve all of those. And then down here, we can see a breakdown of our total violations mapped out by severity. We can even look at the trends to understand how we're doing over time and see if our numbers are improving.

Now, the different policies that we have are broken down into four categories. There's security, which makes up the majority of our policies. But we also have policies in here around cost (saving money), operational policies, and then tagging. Tagging is so important to understanding your cyber assets that it gets its own category and its own whole section in the UI, which we'll look at in a couple of minutes.

Below that, we can see the asset graph. This charts our total assets over time. This can be really helpful for understanding what your usage looks like. Do you have regular peaks and valleys? It's also important for identifying anomalies and understanding what's going on. If you have a large drop or a large gain in assets, it's important to know why that's happening. It can help you do early detection of a possible breach, or at least understand what your teams are doing as they're removing or creating new assets in your environment.

And then we can get to our policy compliance overview. This lists out all of our different violations by policy and tells us how many we have of each one. So this is helpful when you're trying to prioritize what to work on.
We can see that the policy with the most violations here is assigning mandatory tags. We've got a lot of work to do on tagging, so we could start in here tagging things to bring this down. We might also want to look at it by severity. So we can see that the public access policy here is the critical policy with the most violations. That's another great spot for our teams to begin working.

Now, we can dig into these violations. We saw we have 400 different violations. This is a large list, but we can come up here and filter those as needed, by account or by severity. So let's say we want to look at just all of our critical ones; we can look at just those. Let's look for EC2, and we see some of those. So we can pull up just the items specific to that. So let's dig into one of these. We'll click in here, and from that list we can now dig into the specific violation.

Here we can see the status is open. Let's say this needed to stay open for a certain amount of time. We might request an exemption, so an exemption can get added in here. Now I'm in the role of an admin, so I can add them. If you're a user, you can only request it, and an admin has to approve that. We can see this is critical, and what it is on the EC2 instance. And importantly, we have information for the specific resource here. We can look at the policy itself, and that can give us some ways to remediate it.

But let's say we're starting to remediate this. We might dig down into the specific resource. Doing so brings us to our assets, and now we're looking at the details for this specific EC2 instance. We get an idea of its overall compliance. We can see we're actually doing pretty well on here, except for this one very important critical item that needs to be addressed. Information over here shows where this exists. We could use that information to go in, locate this, and resolve the issue.
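The policy management plane described earlier and the dashboard rollup walked through in this demo (violations per severity, the distinct policies and assets behind the critical ones, per-policy counts, and tagging compliance) can be modelled in a few dozen lines. This is an added example, not Paladin Cloud's code or its policy format: the three policies, the mandatory tag names and the multi-account inventory are constructed and assumed.

```python
"""A miniature policy management plane: policies evaluated over every inventoried asset."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, NamedTuple, Tuple

# Assumed organization-wide mandatory tags (not a Paladin Cloud default).
MANDATORY_TAGS = ("owner", "environment", "cost-center")


@dataclass
class Asset:
    asset_id: str
    asset_type: str
    tags: Dict[str, str] = field(default_factory=dict)
    public: bool = False
    encrypted: bool = True


class Policy(NamedTuple):
    name: str
    severity: str
    category: str
    applies_to: Tuple[str, ...]          # asset types; an empty tuple means every asset
    compliant: Callable[[Asset], bool]   # returns True when the asset passes


class Violation(NamedTuple):
    asset_id: str
    policy: str
    severity: str
    category: str


# Three small constructed policies standing in for the built-in and custom catalogue.
POLICIES: List[Policy] = [
    Policy("mandatory-tags", "medium", "tagging", (),
           lambda a: all(a.tags.get(t) for t in MANDATORY_TAGS)),
    Policy("no-public-access", "critical", "security", ("ec2", "s3"),
           lambda a: not a.public),
    Policy("storage-encrypted", "critical", "security", ("s3", "rds"),
           lambda a: a.encrypted),
]

# Constructed inventory spanning several asset types.
INVENTORY: List[Asset] = [
    Asset("i-0001", "ec2", {"owner": "web", "environment": "prod", "cost-center": "42"}, public=True),
    Asset("i-0002", "ec2", {"owner": "web", "environment": "dev"}),
    Asset("bucket-logs", "s3", {}, public=True, encrypted=False),
    Asset("db-main", "rds", {"owner": "data", "environment": "prod", "cost-center": "42"}, encrypted=False),
    Asset("fn-resize", "lambda", {"owner": "media", "environment": "prod", "cost-center": "7"}),
]


def evaluate(inventory: List[Asset], policies: List[Policy]) -> List[Violation]:
    """Apply every policy to every asset it covers; each failure is one violation."""
    violations = []
    for asset in inventory:
        for policy in policies:
            if policy.applies_to and asset.asset_type not in policy.applies_to:
                continue
            if not policy.compliant(asset):
                violations.append(Violation(asset.asset_id, policy.name, policy.severity, policy.category))
    return violations


def summarize(violations: List[Violation]) -> dict:
    """Dashboard-style rollup: totals per severity, the distinct policies and assets
    behind the critical violations, and per-policy counts for prioritizing work."""
    critical = [v for v in violations if v.severity == "critical"]
    return {
        "total": len(violations),
        "by_severity": dict(Counter(v.severity for v in violations)),
        "critical_policies": len({v.policy for v in critical}),
        "critical_assets": len({v.asset_id for v in critical}),
        "by_policy": dict(Counter(v.policy for v in violations).most_common()),
    }


def tagging_compliance(inventory: List[Asset]) -> float:
    """Fraction of assets carrying every mandatory tag."""
    tagged = sum(1 for a in inventory if all(a.tags.get(t) for t in MANDATORY_TAGS))
    return tagged / len(inventory) if inventory else 0.0


if __name__ == "__main__":
    found = evaluate(INVENTORY, POLICIES)
    for v in found:
        print(f"{v.severity:8} {v.policy:18} {v.asset_id}")
    print(summarize(found))
    print(f"tagging compliance: {tagging_compliance(INVENTORY):.0%}")
```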
While we're looking at specific assets, we can look at our distribution. This gives us a heat map of all of our different assets. This can be really helpful to understand the proportion and how you're using all of your different assets in the cloud. We've had people come in and install this, and one group found that they had tens of thousands of AMIs that they didn't know about. As they began cleaning up those and cleaning up their snapshots, they ended up saving over a million dollars by better understanding what their cloud looked like. They didn't know that all these assets were sitting out there. So understanding the layout of your attack surface can be important for saving money, but also for being more secure.

And then we have the tagging section here. Even if you've got all these different cyber assets added in here, knowing what they do is important. And if they aren't tagged well, you can just have them sitting there without knowing their purpose or how to handle them. So we really want tagging to be a first-class citizen here. We can see that in this section we can check our total tagging compliance. We can even see the mandatory tags for our organization over here and how we're following those. And we can even look at specific asset types and dig into which ones are tagged and not, and work to remediate those.

Now, hopefully this has been helpful for you to understand how teams can come in here and better understand their total cyber assets, be able to manage those, and how the automation can allow them to extend their security posture over that whole attack surface. If that interests you, check out our repository and give us a star. We'd love to hear your feedback via our community channels. You can also contact me directly on Twitter or LinkedIn. Thank you so much for your time today.