Cloud Security Baselines for Scale and Cloud Incident Response in Mins

🔥 Things are getting hot at Cloud Security Podcast 🌶️

Thank You - This Newsletter is for You

Thank you for giving love to this version of our newsletter and sharing it with others 🙏🏻, every week we are seeing more folks subscribing to it, we appreciate it as it tells us that there is value here that we are able to provide. So once again a big massive thank you.

As you know we are just wrapping up AWS Security Month on Cloud Security Podcast. We had some great conversations lined up so we cheated a bit and spilled over into July (slightly) but we know you will love these episodes.

Fear not though, July is prepping up to a fun month too as we will be tackling Google Cloud Security with some stellar guests.

Speaking of monthly themes and topics, we are always looking to bring to you more of what you are looking to learn and hear about in the world of cloud security, cloud native security and AI security. So if there is a topic or theme you would love to see on Cloud Security Podcast definitely let us know!

Cloud Security Podcast This Week:

We have a lot happening on Cloud Security Podcast right now, AWS Month is wrapping up , Google Cloud Security Month is kicking off and did you catch any of the Hot Takes episodes 🔥🌶️ - where you will catch Ashish laughing and crying more than usual. 😅 

Some exciting episodes have dropped this week and there are so much to take away from each one of them so lets get right into them.

Building Cloud Security Baseline with Olivia Siom and David Levitsky

What we took away from David Levitsky and Olivia Siow

For this episode we had the chance to speak to David Levitsky of Roblox and Olivia (Hillman) Siow from Benchling about creating robust Cloud Security Baselines that scales and work for the developers instead of building controls around them. Here are some nuggets of wisdom we're excited to pass along.

What's a Cloud Security Baseline, Anyway?

  • Imagine it as your safety net, the operating standards you set up for managing your cloud.

  • It's your environment but pre-configured with security controls to stop any slip-ups.

  • Oh, and it's not just about preventing errors, it's also about delivering crucial telemetry data to your security team. Think logs, threats, asset inventory, and billing – all under control.

Security Metrics for your Cloud Security Baseline

  • A good gauge of your security baseline? Look for what breaks the rules.

  • For example, if you've said no to public S3 buckets but they keep cropping up, it's time for a closer look.

  • And remember, a solid platform isn't just about fixing mistakes. It's about maturing your security, cutting down your attack surface, and making security controls that are not just reliable but also easy to tweak.

Constructing Your Cloud Security Baseline

  • First thing's first: decide what you want your baseline to be. That's where your understanding of your cloud usage patterns and workloads comes into play.

  • Once you've got your baseline, test it out in a small environment to see how well it performs.

  • And remember, you're aiming for a deployment pipeline that's not just repeatable, but scalable too. And, of course, security that's built-in for every account.

Make Those Logs Count

  • Sure, collecting data is great, but making it meaningful? That's where the magic happens.

  • You need to know which data sources are key for protecting your assets and meeting compliance needs.

  • Only turn on logs for accounts that need them and avoid the expense of collecting data you don't need.

And the question we love the most - Should you start with a Cloud Security Baseline or CSPM + CNAPP?

  • According to David and Olivia, these are complementary approaches. A Cloud Security Posture Management (CSPM) tool can alert you about security risks, while your security baseline works to prevent these risks from cropping up.

  • It's like an AppSec program: dealing with issues at their source can be more effective than continually putting out fires.

Definitely check out the full episode and if you want to know more? You're going to love their talk at Bsides SF.

What we learnt from Damien Burks

Unraveling Incident Response in Cloud

  • Simply put, incident response is all about detecting and responding to threats impacting your organization, specifically, those crafty cloud-native threats.

  • What's crucial here is leveraging the right tools - third-party or cloud-specific services, to contain or mitigate these threats.

  • For those AWS fanatics, you may want to look at services like Security Hub and Macie to detect threats and manage your risk landscape effectively.

Incident Response - Cloud vs On-Prem

Is incident response truly different in the cloud, turns out it is!

  • With On-Prem, you typically have a better grasp of your environment - the servers, the applications that might have been compromised.

  • However, with Cloud, it's all about working hand in hand with the Cloud Service Provider (CSP) to understand the threat and respond effectively.

AWS Services for Incident Response

Damien gave us a sneak peek into his tech stack for creating an Incident Response framework - AWS step functions and Lambda functions are key.

SNS (Simple Notification Service) and SES (Simple Email Service) come in handy when you want to loop in stakeholders with email updates.

Phases of Incident Response Plan

If you're constructing an incident response plan from scratch, Damien suggests looking into the NIST IR lifecycle.

Damien breaks down the IR plan into three phases:

  • detection and analysis

  • containment and mitigation

  • lessons learned.

He underscores the importance of lessons learned to avoid repeating the same mistake and reinforces the need for early detection and analysis of events in your environment.

Incident Response Containment for EC2 instances

For an EC2 instance, the idea is to restrict access completely, unless it's a security professional handling it.

The steps involve

  • disassociating the instance profile

  • removing IAM roles

  • denying all security group access,

  • applying a termination protection policy

  • stopping the instance from running.

For forensics, Damien recommends taking a snapshot of the EBS volume to analyze the attacker's entry and exit points.

Incident Response Containment for S3 Buckets

Damien also discussed how to contain threats in S3 buckets, recommending public access to be disabled and a deny all S3 bucket policy to be set up.

Only explicit security roles should be allowed to view the S3 bucket for analysis.

He also has a nifty open source project called datacop

So what are the Building Blocks for Incident Response in Cloud

Damien advises starting with detection when building an incident response plan in the cloud.

Understanding the threats, classifying business applications, and discussing what services to allow and restrict are crucial first steps.

And whilst we were getting caught up on doing AWS Security better, things have also been heating up on Cloud Security Podcast 🔥🔥🔥. We launched our special series of Hot Takes 🌶️ with CISOs and Cybersecurity Leaders.

The 1st 2 episodes with Caleb Sima and Srinath Kuruvadi dropped this week where guests can be seen consuming questionable amounts of Wasabi 🔥 and Hot Sauce 🌶️. More episodes in this series are dropping this week and next week so make sure you are subscribed to know when they drop !

Want to learn more about Cloud Security or know someone who wants to, we got you !

If you have been following our journey for a while, you would know that one of the big reasons we started Cloud Security Podcast was to make cloud security knowledge accessible for anyone wanting to learn it.

Have you joined our FREE Monthly Cloud Security Bootcamp yet?

But in the spirit to continuing the learning together, we have kicked off another Free Cloud Security Bootcamp, running once every month LIVE. If you want to join in or know someone who will benefit from it - you/they can subscribe to it here.

Cloud Security Podcast in July

We are wrapping up AWS Month with a great episode with John Burgess from Stripe sharing all things about building a Data Perimeter in AWS

And Day Johnson Kicks off Google Cloud Security Month sharing all things Threat Detection - Join us LIVE + have those questions ready !

As you know, our newsletter is on a path of self improvement and reinvention, Ashish and I have challenged ourselves to bring you even more value as we continue to evolve this each week & we would love to hear from you ðŸ“¢ as to how can we make this newsletter even more awesome for you (On that note! Thank you for subscribing💙)


Hope you are enjoying this new look Cloud Security Newsletter, theres plenty more to come.

Peace!

Was this forwarded to you? Sign up here

Want to partner with Cloud Security Podcast ! Lets make it happen

Have a topic or idea to share? Submit it here

Need Cloud Security or AI Security advice? Ask Ashish and Shilpi here