Cloud Security Metrics for the Boardroom + Hacker Summer Camp Kicks Off
Learn from Google Cloud's CISO about whether the board truly cares about cloud security
Thank You - This Newsletter is for You
Thank you for supporting the podcast and the newsletter. Thanks to all the feedback, shares and subscriptions we continue to grow, for which we are very, very grateful 🙏🏻.
Hacker Summer Camp 🎮 is on its way! Folks have already made their way to Vegas as Black Hat 2023 kicked off with the trainings today, 5 August 2023. If you are anything like me, you were only initiated into the world of Hacker Summer Camp a couple of years ago. It's called Hacker Summer Camp because it is the one week each year when cybersecurity folks, especially those on the offensive side (and the defensive side too), come together in one place:
To test the limits of cybersecurity
To learn about anything that you may be interested in, in the world of cybersecurity and hacking
To meet and hang out with (at different events, cabanas, parties, dinners) with fellow cybersecurity friends
To attend one of the many conferences that happen within this week; some of the conferences are:
Black Hat - Probably the most formal and corporate conference of Hacker Summer Camp. They run briefings (talks), trainings and Arsenal (demos of tools and open source projects). If you have ever been to RSA, you will see vendor floors at Black Hat that are quite similar.
DEF CON - Informal community conference. You get to see many cool things here, from satellite hacking to ATM hacking to car hacking and everything in between. The talks have historically been quite technical, and there are dedicated villages for different topics in cybersecurity, like Cloud Village, AppSec Village, AI Village, Red Team Village and Blue Team Village, to name only a few.
BSides Las Vegas - Very similar to other BSides around the world (if you are familiar with them): a community cybersecurity conference.
The Diana Initiative - A community conference that highlights underrepresented groups in cybersecurity.
There are several other events and conferences that run during Hacker Summer Camp and if there are any you would like to share with us, send them through!
Speaking of Cloud Village and AI Village at DEF CON, we spoke to the founder of Cloud Village, Jayesh Singh Chauhan, and AI Village board member Jason Haddix to get the lowdown on these villages and their recommendations for DEF CON 31.
If you are attending Hacker Summer Camp, please do come and say hello to us 👋🏽. As usual we will be walking around to make sure we say hello to all our favourite cloud security folks, capture some fun interviews and insights for you all.
And if you can't make it this year, don't fear: we have a bunch of exciting things planned just for you. Make sure you follow us on our socials to know where to find us 🙂 - though we are usually hard to miss 🦚
In case this was forwarded to you, you can sign up here for more Cloud Security.
Cloud Security Podcast This Week: Wrapping up Google Cloud Security Month!
We had the pleasure of speaking to Jimmy Barber, VP of Cloud Security at a fintech, about landing zone patterns for Google Cloud and doing Google Cloud security right!
But we were not done just yet: we were fortunate enough to host Phil Venables, CISO of Google Cloud. He spoke to us about how cloud security translates in the boardroom and which security metrics a CISO should care about.
We learnt a lot from the episode with Phil; here are some of our favourite bits:
Do Boards care about Cloud Security?
Phil shared that boards typically fall into two categories:
Those pushing for accelerated digital transformation and cloud integration, asking their CIOs and CISOs whether they're moving fast enough, harnessing the benefits of cloud technology.
Boards where the management is already driving towards rapid cloud adoption and digital transformation, focusing on everything from infrastructure as a service to high-end services like AI and data analytics. Here, they're concerned about managing the associated risks effectively.
Regardless of the type, all boards, along with regulators and auditors, now perceive cloud technology as a tool to reduce risk, not increase it. However, this depends on strong partnerships between the cloud provider and the customer to ensure secure and safe operations.
Security Metrics for Boards and Executives
For boards and executive management, metrics are crucial to track the current situation, set goals, measure progress, and most importantly, maintain situational awareness.
In terms of risk management, it is vital to understand:
your most critical assets and services,
the risks they face,
the implemented controls,
the effectiveness of these controls,
and any residual risk that hasn't been mitigated.
All these need to align with business goals, not just technical ones.
Are Security Metrics seasonal?
According to Phil, risk and security program engagement with the board follows two paths:
A steady progression of metrics that demonstrate technology modernization to achieve a more defendable architecture.
A level of agility to cope with new opportunities, risks, and technological advancements like AI.
Today's boards expect discussions about AI to consider both risks and opportunities, seeking a balance to seize these opportunities while still ensuring adequate risk management.
Aligning Security Metrics to Business Goals
CISOs need to view themselves as business executives first and foremost, understanding end-to-end business processes, revenue drivers, and customer satisfaction parameters. This allows them to discuss identified risks in the context of business goals.
To articulate this to the board, CISOs need to highlight the business impact of a security weakness, rather than simply stating that there's a weakness in a certain system. This involves understanding and communicating the potential impact on production, revenue, product launches, and other critical business operations.
Phil also challenges the notion of oversimplifying information for the board. He emphasized that boards should have a sound understanding of how technology risks drive cybersecurity, which might involve educating the board about these complexities.
It's all about educating the board up rather than dumbing things down
Rather than simplifying the information for the board, Phil advocates for 'educating up.' This approach involves enlightening board members about the intricacies of managing sophisticated risks, providing a deeper understanding of crucial concepts.
This doesn't mean the board should have a deep technical appreciation for every aspect of security but rather a higher understanding of how technology risks affect cybersecurity!
As every business becomes a digital business, the board needs to be equipped with the knowledge to handle digital and security risks in more sophisticated ways. This might require a more focused education program for board members.
Start with these Three Security Metrics
According to Phil, the maturity level of your program often determines the metrics you need. He suggests three core metrics that can bring about transformational change:
Software Reproducibility: This is about managing what percentage of your software is built in a reproducible environment. The metric gives clear visibility into where your software is, stimulating improvements in managing an end-to-end reproducible software environment.
Highlights the importance of configuration as code and configuration reproducibility.
Brings focus on Supply-chain Levels for Software Artifacts (SLSA) compliance to ensure the security of end-to-end software provenance.
Time to Reboot Your Company: A crucial metric, particularly relevant in the context of ransomware attacks, is understanding your company's cold start recovery time. What if all your data and software were wiped? How long would it take to rebuild your company?
This measurement helps identify configuration issues, inventory issues, and issues with backup systems.
Data Governance Coverage: This metric explores how much of your data is under management and a mature governance framework. In a generative AI world, it's crucial to have precise tracking of training data, model weights, and test data lineage.
We also asked Phil what makes a successful CISO.
A successful CISO wears many hats. They are:
Historians: They keep a record of the company's history, past projects, and risk mitigations.
Explorers: They have a clear understanding of everything going on upstream with customers and downstream in the extended supply chain.
Librarians: They document everything for record keeping.
Archaeologists: They dig deep to understand the complexity of system dependencies and facilitate change.
Anthropologists: They understand the social structures of the organization and find a path of incentives to get people to do what they need to do.
And finally we asked him what makes a successful security program.
Phil believes a successful security program is a two-track thing:
Iterative Approach: Identify risks, define controls, implement controls, and continuously strive for closer to 100% conformance.
Future-Focused Big Bets: Well-funded, multi-year programs aimed at transforming the operation of the organization.
Phil also has his own blog, where he posts an article every two weeks about cybersecurity, leadership and lessons from his experiences. It may make a good addition to your reading list.
To complement the iterative approach Phil spoke about in identifying risks, we brought on Shannon McHale, Red Team Consultant at Mandiant (now Google), to talk about Google Cloud hacking from a red team perspective!
Red Teaming: Stealthy Approach to Security Assessments
Shannon defines red teaming as conducting security assessments in a manner that emphasizes stealth and evasion. Red teamers don't just look for vulnerabilities; they test how long they can exploit these without being detected.
The goal of red teaming is to provide valuable insight to blue teamers. It helps them assess their response times and strategies for dealing with real threats.
Pen Testing in the Cloud: Comprehensive Vulnerability Analysis
Cloud pen testing involves understanding all possible security breaches within a cloud environment, rather than focusing on specific objectives like a red teamer would.
It involves using tools like Scout Suite or Prowler to scan the entire configuration and check if everything is set up correctly.
The client is then alerted about any potential security risks and the ways in which an attacker might exploit these vulnerabilities. Although it lacks the stealth aspect of red teaming, it provides a thorough security check.
Recommendations for Blue Teamers: Hardening and Detection
Hardening Security Measures
Shannon recommends a routine audit of service accounts. With tools like IAM Recommender, it's easy to check whether service accounts hold more permissions than they actually use.
When setting up compute instances, give each one a dedicated service account with minimal permissions and limit its access scopes as well. The OAuth scopes bound to an instance's access tokens cap what those tokens can do, even when the service account itself holds broader roles.
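One way to turn that audit into a repeatable check, as an added example (not the podcast's or Google's own code): it walks a constructed inventory shaped like the serviceAccounts field of `gcloud compute instances describe --format=json` and flags the shared default compute service account, broad scopes, and any scope outside an assumed team baseline.

```python
"""Flag GCE instances whose attached service account or OAuth scopes are
broader than needed. Added example, not code from the podcast or Google;
the input mirrors the serviceAccounts field of
`gcloud compute instances describe --format=json` (constructed data)."""

# Scopes that effectively hand the instance the whole of the SA's IAM grants.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/compute",
    "https://www.googleapis.com/auth/devstorage.full_control",
}
# Assumption: this team's baseline allows only these narrow scopes.
ALLOWED_SCOPES = {
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring.write",
    "https://www.googleapis.com/auth/devstorage.read_only",
}

def is_default_compute_sa(email: str) -> bool:
    """The project-wide default SA (<project-number>-compute@developer.gserviceaccount.com)
    is shared by every instance that is not given a dedicated account."""
    return email.endswith("-compute@developer.gserviceaccount.com")

def audit_instance(instance: dict) -> list:
    """Return findings for one instance; an empty list means it passes."""
    findings = []
    for sa in instance.get("serviceAccounts", []):  # no SA attached: no tokens issued
        email, scopes = sa.get("email", ""), set(sa.get("scopes", []))
        if is_default_compute_sa(email):
            findings.append(f"{instance['name']}: uses default compute SA {email}")
        for scope in sorted(scopes & BROAD_SCOPES):
            findings.append(f"{instance['name']}: broad scope {scope}")
        for scope in sorted(scopes - ALLOWED_SCOPES - BROAD_SCOPES):
            findings.append(f"{instance['name']}: scope outside baseline {scope}")
    return findings

# Constructed sample inventory (not real project data).
SAMPLE_INSTANCES = [
    {"name": "web-1", "serviceAccounts": [{
        "email": "123456789012-compute@developer.gserviceaccount.com",
        "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
    {"name": "web-2", "serviceAccounts": [{
        "email": "web-runtime@example-project.iam.gserviceaccount.com",
        "scopes": ["https://www.googleapis.com/auth/logging.write",
                   "https://www.googleapis.com/auth/monitoring.write"]}]},
]

def audit_all(instances=SAMPLE_INSTANCES) -> dict:
    """Map each instance name to its findings."""
    return {i["name"]: audit_instance(i) for i in instances}
```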
Strategies for Detection
Focus less on whether someone is reading the metadata server and more on whether the access tokens it hands out are actually being used, particularly for authentication from the CLI.
Monitor who, and which IP addresses, are accessing the CLI or the host.
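The detection idea above, as an added example that is not the podcast's or Google's code: it runs over constructed Cloud Audit Log entries and alerts only when an instance's service-account token is used from somewhere other than that instance, calling out the gcloud CLI case specifically. It assumes the protoPayload field names shown, that gcloud's user agent contains "google-cloud-sdk", and an inventory mapping each service account to its VM's external IP.

```python
"""Flag an instance's service-account token being used from anywhere but that
instance. Added example, not code from the podcast or Google. Assumes Cloud
Audit Logs protoPayload fields (authenticationInfo.principalEmail,
requestMetadata.callerIp/callerSuppliedUserAgent) and that gcloud's
user agent contains "google-cloud-sdk"."""
import ipaddress
from typing import Optional

# Constructed inventory: each tracked SA and the external IP of the VM it belongs to.
SA_HOME_IP = {"web-runtime@example-project.iam.gserviceaccount.com": "203.0.113.10"}
# Constructed office egress range: a VM token used from here means a human copied it.
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

def in_known_network(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in KNOWN_NETWORKS)

def classify(entry: dict) -> Optional[str]:
    """Return an alert string for suspicious token use, or None."""
    p = entry["protoPayload"]
    sa = p["authenticationInfo"]["principalEmail"]
    if sa not in SA_HOME_IP:
        return None  # not an instance identity tracked here (e.g. a human user)
    meta = p.get("requestMetadata", {})
    ip, ua = meta.get("callerIp", ""), meta.get("callerSuppliedUserAgent", "")
    if ip == SA_HOME_IP[sa]:
        return None  # the VM using its own token: expected, not worth an alert
    if "google-cloud-sdk" in ua:
        via = "gcloud CLI"  # VM tokens are never used interactively by design
    else:
        via = "known network" if in_known_network(ip) else "unknown address"
    return f"{sa} token used via {via} from {ip} ({p['methodName']})"

def scan(entries) -> list:
    """Run classify over a batch of log entries and keep only the alerts."""
    return [a for a in (classify(e) for e in entries) if a]

# Constructed log entries (not real audit data).
SA = "web-runtime@example-project.iam.gserviceaccount.com"
SAMPLE_LOG = [
    {"protoPayload": {"methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": SA},
        "requestMetadata": {"callerIp": "203.0.113.10", "callerSuppliedUserAgent": "gcs-client/1.0"}}},
    {"protoPayload": {"methodName": "storage.buckets.list", "authenticationInfo": {"principalEmail": SA},
        "requestMetadata": {"callerIp": "192.0.2.55", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/440.0.0"}}},
    {"protoPayload": {"methodName": "compute.instances.list", "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "198.51.100.7", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/440.0.0"}}},
]
```

Only the second entry fires: the VM's own reads and a human's gcloud session pass, while the VM token driving gcloud from an unrelated address is exactly the signal the page describes.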
Exposed GCP Resources: Important Areas to Secure
There are 13 services within GCP that could potentially be exposed to the internet. While Shannon didn't name all of them, she mentioned Buckets, Cloud Functions, App Engine, Kubernetes, and DNS as a few examples.
During a pen test, she suggests looking at what's publicly facing and then running vulnerability scans to ensure everything is secure. The primary goal should always be to avoid exposure to the internet.
Some useful resources that Shannon shared ⬇️
HackTricks for GCP - GCP Pentesting Resources
Google Cloud Security Month is now all wrapped up. If there is a topic in Google Cloud security you wanted to hear about and we are yet to cover it, let us know and we will make sure we have you covered for our next Google Cloud Security Month!
Cloud Security Podcast in August
In August we will be covering Offensive Cloud Security: ways in which you can test or challenge your cloud environments to make sure they are truly secure, and appreciate the attacker's mindset. We will be bringing you interviews from the grounds of Hacker Summer Camp, and we have a truly exciting line-up! Can't wait!
Want to learn more about Cloud Security, or know someone who wants to? We've got you!
If you have been following our journey for a while, you would know that one of the big reasons we started Cloud Security Podcast was to make cloud security knowledge accessible for anyone wanting to learn it.
Have you joined our FREE Monthly Cloud Security Bootcamp yet? We have a session running this coming Monday so make sure you are signed up to get the invite!
But in the spirit to continuing the learning together, we have kicked off another Free Cloud Security Bootcamp, running once every month LIVE. If you want to join in or know someone who will benefit from it - you/they can subscribe to it here.
Are you liking this new format newsletter? What can we do better? What else would you like to see here?
Our newsletter is on a path of self-improvement and reinvention. Ashish and I have challenged ourselves to bring you even more value as we continue to evolve this each week, and we would love to hear from you 📢 about how we can make this newsletter even more awesome for you. (On that note, thank you for subscribing 💙)
Hope you are enjoying the new-look Cloud Security Newsletter; there's plenty more to come.
Was this forwarded to you? Sign up here
Want to partner with Cloud Security Podcast? Let's make it happen
Have a topic or idea to share? Submit it here
Need Cloud Security or AI impact on Cloud Security Training or Consulting? Let’s Connect