Cyber-Defense Strategies to Protect Cloud Resources & Identities

Good morning everyone. My name is Ma Haber. I'm the Chief Security Officer at BeyondTrust, and I want to talk to you today about cyber defense strategy, specifically the cloud as a brief agenda. I'm gonna cover who I am, what I do, and why I'm up here. Basically speaking with you today, we're gonna talk about a, a way to think about the cloud that most people don't talk about it, something that makes you think a little bit deeper as to what the cloud means to you, your business, and your own personal usage. We'll talk about strategies, security, and round it out really with how are you going to manage the security in the cloud today. Now, this presentation is not a product pitch. It is a thought-provoking way for you to understand the security challenges, challenges in the cloud, versus what you would consider to do or do on premise today.
Now, I indicated I'm the chief security officer beyond trust. I've been in the security industry for 20 years. Like many of you, this is table stakes, just another year, another problem, another challenge. We're trying to mature our environment, but one thing that I enjoy is taking what I learned from my clients, what I develop internally as frameworks and writing books about them. I'm an author of four books all under the Attack Vector series from a press Media, the Privilege Attack Vectors has two additions. The identity attack vectors covering identity gov governance was co-authored with the CTO from SalePoint. To give you an idea of some of the work that I do out there, I also write regularly for Forbes Secure World, a wide variety of other periodicals. I will say I'm a very opinionated, so if you have questions, feel free to challenge me. I'll give you my perspective.
May not be yours. Current events, are we all numb from current events, right? How many of you saw what happened in California last week with ransomware? You're all numb from it. You don't even see it in the news anymore. 1.1 million ransomware payoff from the San Bernardino Police Department Police department for ransomware that took out all of the computers in their police cars. That's pretty, pretty obscene if you think about it. In the United States, the FBI recommends do not pay ransomware, but now you have law enforcement actually having to pay it because they had no other way of restoring operations in police vehicles. That's just another headline. We've become completely numb to the facts of cyber crime today. If you didn't hear it and if you, that big of a law enforcement had to pay that size ransomware, it's just another blip. The only time we see news today that we care about is when it's something unusual or new, something we have not seen before and new.
If you consider someone like T-Mobile has been hacked four times through the cloud in the last year, we all, well, many of us still have T-Mobile. Is it something with a warrant that we would change? But when SolarWinds and Fire Eye came out, many of us changed right away because it was the first of its type against supply chains. We have to think about every one of these as all of these attacks were successful because of the cloud, because of the protection strategies, because of our tooling and our security controls in the cloud. Now, this presentation has been abbreviated for 20 minutes. It normally runs about an hour long. I'll do the best I can to make sure I cover the highlights in that time period. But cloud attack vectors today follow these P primary paradigms. Fishing, we all know is number one, right? Okay. What are the forms of fishing we worry about today? Email, of course. How many of you seen the voice fishing attacks that have occurred in the United Arab Emirates in the last week, at least one, claiming to be an individual and spoofing the AI engines for that banking system. They've got a capture of your voice. They're duplicating it with ai, going through the cloud and using automatic dialers to extract money and validate your identity using AI and voice. That's just another form of phishing.
Is this working? There we go. I'd like to pick on vulnerabilities because the cloud is unique. SaaS vendors, platform vendors and infrastructure vendors are not required to report CVEs in the cloud. Patch Tuesday came out yesterday and Microsoft conveniently snuck a hundred vulnerabilities in one CVE for Microsoft Office, but we never hear about the pat, the cvs for MS 365 because there is no requirement to do so. So now we have to think about the cloud in a different way. When we deal with vulnerabilities, configuration, and problems, the standard reporting mechanisms that we've been doing on-premise for years are no longer applicable. That makes a huge challenge for us and it makes us trust the cloud provider in ways we never expected. How do we deal with that today? Security assessment questionnaires. Great. You told me that you're patching, prove it. It's not happening. So we have to take it as a vendor to do as a client and as a vendor, a better way of doing it.
Now, I mentioned in the introduction that I write a lot. I talk a lot, but I'm also in charge of my own security and my cloud security for beyond trust. So I have a unique role that I'm yes, marketing products, but two, I'm responsible for the security of a security company and lo and behold, threat actors would love to own us. So I buy products just like you do, and I have to deal with these same type of problems, whether it's Salesforce, whether it's an EDR solution, where it's cloud-based, sim, et cetera, and these are the problems we're seeing in the news. So what is the basic message? I wanna make sure you get across. The more things change, the more they stay the same. How many of you are CISSPs? Many of you? How many of you have taken security training over the years? What's the fundamental thing that you learn each and every time?
Asset management, right? If you don't know it, you can't manage it. We need to think about the cloud in this context. Go back to your cybersecurity training and understand your disciplines. Asset management, vulnerability management, configuration management, log management, they all apply, but the methods that you're going to use to do them in the cloud are incredibly different than what you did on premise. So we have to separate, hey, shiny new object from security best practices, and that's the key takeaway we wanna start with, because what happens with the traditional security disciplines of asset identity, privilege, vulnerability, and patch is we're not gonna do them the same way. The previous presentation talked about identities and access-based control and policy-based control. That's important for the cloud, especially for zero trust, but role-based access models that we relied on on premise don't work well in the cloud, especially in a work from anywhere world.
It's just the reality of the situation. I pick on vulnerability a lot. That's my background. I came from a company called ai, digital Security and vulnerability management used to be scanning. It became agents. You don't do either in the cloud, you want to do vulnerability management using APIs. You do not want to increase your risk service by opening SSH to allow an authenticated scan. You still have to do the basics of vulnerability management in infrastructure and platform, but you're not gonna do it the same way. Now, this has created some interesting confusion because the attack vectors haven't changed. We still have vulnerabilities and exploits, but the way we're actually going to do them is different, so we have to adopt or mitigate our strategy to make that work. The first thing that I recommend to my clients and that I struggle with internally, especially when I bring on new people, are definitions.
Let me ask you, what's a resource? Does anybody have a good definition for the word resource? Okay, well, you might think of it as CPU memory utilization, but in the cloud, it actually means an asset. Wait, is it backwards on premise? It means an asset. Sometimes I get that backwards. We don't have good definitions. We know what an asset is, a device, physical, virtual machine, et cetera. But in the cloud, it has a different term. When discussing the cloud with our peers internally, make sure everybody is using the same terminology. The word cloud means something different to you. It means something different to me. Is it private? Is it public? Is it infrastructure? Is it platform? Is it SaaS? Is it serverless? Is it lambda services? Those are all cloud. When you hear someone go digital transformation, I kind of shrivel up inside and go, okay, what does that mean?
I just closed my data center and moved all my virtual machines to the cloud. Come on. If you're one of the victims, and I say that loosely of an esx ESXi environment that just you started using VMware in the cloud and now they're running that same virtual machine that you had on premise, I ask, why did you do that? So get your definitions for cloud, correct. You'll find that it makes a huge difference when trying to strategize, build a framework, everything in that part of the work, in part of the work that you're doing. Okay, next, think of the cloud as the benefits. Why are you moving to the cloud? Because your boss says so. I hope not because everybody is doing it, and Gartner and Coppinger and Forrester and everybody else said, we need to go to the cloud. Again, I hope not. Measure and quantify the benefits not only in runtime, but also in cost.
One of the mis biggest problems with the cloud today is the amount of storage that you may need in the cloud and it's cost. If you had IO log servers and sims that were on premise taking up terabytes and terabytes and terabytes, it might be more efficient to run in the cloud, but you're gonna pay dearly for that amount of storage long term. For example, in the state of Florida where I live, government entities are required to store seven years of log files. First few months were cost effective. After year one, it became questionable after seven years cost prohibitive. Think of the long-term challenges and costs with things being in the cloud, your true benefits. Next, don't repeat the mistakes of the past. Instead of been around 20 years doing this, what's the first mistake anybody did? Just go stand up a server. Wait a second.
What? Did you harden it? Does it have security best practices? Is it being managed? Who has access? All of the things that we've learned from managing systems throughout the years, we cannot afford to make those mistakes in the cloud. The risk surface is larger. You can't control. Access is better. You don't necessarily have access to the backend to see what's going on, the mistakes that your business has made, building a data center and providing access, especially with identities, don't make those same mistakes. Plan those out first. Next, scanning versus agents versus APIs. This one is near and dear to my heart. Anytime someone says, just treat your cloud resources like a vulner with a vulnerability type scanner and do the same thing. I'm like, no, it's vulnerability management. You do not wanna open ports. You do not wanna do credentials. You do not wanna store those passwords in a vault and change them and do that type of scanning.
Vulnerability configuration, and that type of work has fundamentally changed in the cloud. When you are managing the infrastructure, you need a different way to do it. Agents is a great approach, but you have to also think of the complexity, the updates, the aggregation of logs. The right way to do it is with APIs. Anything you do in the cloud today for connectivity should be API based. Next asset. I mentioned this first to you. If you're doing work in the cloud and you don't know what inventory you have, you're not able to management, you're not able to log it, you're not able to control it. This is security basics 1 0 1, start with assets management. It's cis top 18, first entry. Get your asset management correct. Remembering that assets are not just the virtual machines, it's the running code. It's also your identities. This is where the definition comes back into play.
Privilege key, who has access to create, delete, change, modify extract. It's all prac privileged access management, but that line is being blurred with identity best practices. So you have to think about, okay, in the cloud, everybody has privileges. What's more important than the next? Vulnerability and patch must be perfect. This is part of those lessons learned. If you own the infrastructure up there, you cannot ignore patching it like you might have done with this critical server on premise. You have to get it right. You have to get it right every time. I will warn you that certain solutions that are available in the cloud for patching, let's say virtual machines don't work, right? They may say the code was delivered, but they actually don't tell you If it was installed, i e leading vendors that offer patches a part of their platform, oh, that says it was patched.
Great. It just means the code was delivered. It doesn't mean it was installed, right? Sometimes you're gonna have to dig very deep to understand if those practices are working correctly, and remember, it's not your computer. You don't own it. This makes you accountable for everything that's done. Everything that you operate in the cloud is your responsibility. You set up a service in the cloud. It would be very hard press to have aws, Alibaba, Azure accountable unless they had something grossly misconfigured. For example, if you stood up office 365, 5 years ago and compared the hardening to what you would stand up in MS 365 today, you would find them vastly different. Yes, Microsoft has included and improved hardening when they change names In the newer instances, running older instances doesn't mean they've automatically changed your settings to make it better. Therefore, you have to apply best practices like SCUBA to find out where those changes are, and ultimately that's your responsibility, not Microsoft's.
So make the best business decision for you. Do you implement the shiny new tool to protect the cloud, or do you go back to basics? I prefer going back to basics with a twist, and I'll emphasize that this is the twist. The Analyst community and vendors at large have taken all of the security disciplines that you and I know from vulnerability, from vendor, from patch to identity, and created all of these new definitions for us to deal with. This is where it gets tricky. So what is cloud serv? Security work? Posture management. What does that mean? What does C a P mean? Well, c A P actually is a combination of multiple ones of these, but it is just vulnerability configuration log with a shiny new name implemented in a completely different way. Let's just take Kim as an example. Cloud infrastructure, entitlement management, enumerate all of the entitlements from my identities in the cloud.
Wait, identities have a correlation to accounts. Entitlements are the privileges, permissions, and rights encapsulated in a single category. We're gonna now call that an entitlement. Wasn't that what we've been doing for years on ad when we enumerate the rights of a group, we're just calling it something different in the cloud and we're implementing it in a different way, so don't be fooled by the shiny new object just because it has a new name. It's solving the same discipline problems, vulnerability patch, identity, privilege, et cetera, wrapped in a new product done with APIs. We're back to basics. Now, the last piece of this is cloud service providers. This is actually quite a long chapter in the, in the book that I referenced on cloud attack vectors. One of the questions we get asked, even though we don't necessarily participate in it, is, how do I find the right cloud service provider for me?
This can be a little bit of daunting, especially if you've been a primarily Azure AWS shop. You might be expanding into other regions using tenant Alibaba or something proprietary. You have to ask very basic questions about their certifications, their roadmap, how they provide support. Are they culturally compatible? How will they handle those vulnerabilities and let you know if they detect a flaw or an intrusion? What is their SLA for letting you know? Now, we broke this out in the book in quite depth with descriptions and a spreadsheet and a checklist all the way through and through because we find that people when selecting their cloud service providers, not only to host their applications, but as platform or infrastructure, sometimes fail to ask the right questions. They don't ask gross things like, what's their business viability? Have you been profitable? Who is your owner? If there was geopolitical conflict, am I gonna have a financial problem with the owner being in a certain country?
Think about these things as a baseline for when you move to the cloud or you start your cloud work. It'll help you get those disciplines right in the end. Now, finally, couple of key takeaways. This is just the quick money slide. Whenever you're trying to do security in the cloud, ask every one of these questions. What tool? Who owns how I'm doing, where I'm getting it from? How am I managing my secrets, my passwords? How am I doing break glass Again, it's not my computer. I can't walk up to it physically. All of these dis for different disciplines must be asked when you do, when you design or you're trying to build your defensive strategy for the cloud. My favorite one, education and training. Nothing says more than educating your client base about what you're doing it, why you're doing it, and how you're doing it.
I will emphasize over-communication works best versus changes. Doing something new in the cloud or even a straight cloud wash, lift, and shift of services training is key. Quickly beyond trust. We are a leader in identity security, privileged access management been around since 2003, well over 20,000 clients worldwide. Most of our products are quite unique with quite a few patents backing up our technology, making us really a leader in the space. We do all of this with a platform approach covering everything from password management to endpoint lease privilege, the removal of admin rights on Unix, Linux, windows, and Mac, active directory bridging and complete secure remote access technology for support vendors, employees, et cetera. Brand new product in the middle called Identity Security Insights, the first of its kind, identity detection and threat response solution, something that is revolutionary in the industry and literally just announced last week at our company conference. With that, please join us at P 17. My name is Maureen Haber, and thank you very much. Well,
Thank you, Maureen.
Hey,