Summit Chairs: Frank Kim, Eric Johnson | Summit CPE Credits: 12
Stay Informed with What's Next in Cloud Security
Cloud-based services are increasingly attractive to organizations because
they offer cost savings, flexibility, and greater operational efficiency.
However, protecting systems, applications, and data in the cloud presents
a new set of challenges for organizations to overcome. Security teams
need to adapt and learn how to use the tools, controls, and design models
required to secure the cloud properly.
CloudSecNext Summit & Training will bring together a unique
combination of real-world user experiences and case studies, as well as
practical, technical training focused on specific approaches and skills
for building and maintaining a secure cloud infrastructure. As a virtual
attendee, you’ll explore current approaches, tools, and techniques with
fellow practitioners facing similar cloud-related security challenges.
Cyber42 Game Day
In this special session you will play to win the Cyber42
Vulnerability Management Simulation! In this 90-minute Game Day you will
play to improve the state of vulnerability management in a fictional
organization. You will see that the actions you choose can have
uncertain and even unintended consequences. This interactive simulation
puts you in real-world scenarios that spur discussion, critical thinking
about situations, and the melding of different points of view and
personalities that you will likely encounter at work. The decisions you
make will impact your organization's vulnerability management program,
leveraging and affecting the available budget, time, and vulnerability
management maturity.
*You must be registered for the CloudSecNext Summit to participate in
Cyber42! Summit registrants will be notified when the Cyber42
Who should attend:
Security personnel who are tasked with securing virtualization and private cloud infrastructure
Network and systems administrators who need to understand how to
architect, secure and maintain virtualization and cloud technologies
Technical auditors and consultants who need to gain a deeper understanding of cloud computing and security concerns
Security and IT leaders who need to understand the risks of cloud
computing and advise business management of the risks and various
What Attendees Say About Their Summit Experience
“Fantastic experience that gave me information I am able to take back to my company and grow our security posture.” – Dan Conroy, Booz Allen Hamilton
"The Summit provided valuable insight from colleagues in security regarding process tooling, and opportunities that can be encountered in the cloud. The time to network and discuss challenges was invaluable." - Johnny Ray, Ameren
"The Summit is great for those who have direct use/control of Cloud infrastructure. A wealth of information and experiences for those getting into the field and as always, there were great networking opportunities." - Chris S., US Navy
"Big players from cyber security working together in one room really helped paint a picture of the current state of the cyber intel industry." - Ryan Comrie, Fannie Mae
CPEs & Certificate of Completion
- You will get 12 CPEs for attending the CloudSecNext Summit. (6 for each day you attend)
- Currently, we are not able to issue CPEs to those that view the Summit recordings.
- A Certificate of Completion will be available in your account after the Summit’s conclusion.
- SANS will automatically submit your CPEs to GIAC within 7-10 days
after the event’s end date - No action is required on your part.
Bundle your Summit experience with a Live Online course to expand your information security expertise
In addition to the Summit, world-class SANS Live Online courses are
being offered to help you expand your information security expertise.
SANS instructors are experienced industry practitioners considered to be
among the best cybersecurity instructors in the world. They will
provide you and your community with the expert guidance and skills you
need to stop cyber-attacks against your organizations. No travel
The world is going multi-cloud. The transition from traditional on-premises datacenters and environments to dynamic cloud infrastructure is complex and introduces new challenges for cloud security. There are more systems to manage, more endpoints to monitor, more networks to connect, and more people and machines that need access. Traditional security models, approaches and tools are unable to scale with the speed of cloud delivery and the evolving nature of cloud operating models. In this talk, HashiCorp's CISO discusses market trends in modern cloud security operating models, and how creating a central set of shared services that provide automation around operations, security, networking, deployment, and policy governance enables companies of any size to build a resilient cloud security operations program. This talk will cover practical considerations for securing cloud provisioning, architecture, security, networking and application delivery life cycles, with an inside view of how HashiCorp built its security program from the ground up.
Talha Tariq, Vice President & Chief Security Officer, HashiCorp
11:00 am - 11:15 am ET
Thursday, June 3
11:15 am - 11:45 am ET
Thursday, June 3
Dynamic Authorization and Policy Control for Microservice Environments
Organizations use containerized workloads to build and deploy applications. Although diverse in nature, these deployments must conform to company-wide constraints around cost, security, and performance. These constraints affect the entire stack, require state from multiple locations, and evolve over time, which makes them difficult to enforce. The only sustainable, scalable way to enforce or even monitor security, compliance, and operational policies is to take those policies out of PDFs, emails, wikis and hardcoded software and write them in a domain-agnostic programming language. In this talk, we will introduce the Open Policy Agent (OPA), an open source, general-purpose policy engine built to provide policy-as-code using a logic-based declarative language. We will discuss how companies like Netflix, Intuit, and Capital One have used OPA to enforce fine-grained security policies across a breadth of domains such as custom applications, container management (e.g. Kubernetes), public clouds, and server management. We will also demo a prevalent use case that allows organizations to create secure applications providing least-privilege access to sensitive resources by injecting OPA alongside their microservices.
Main Takeaways: Attendees can expect to take away new ideas about how to enforce fine-grained authorization policies at scale across the stack in any system without requiring significant changes to their existing microservice architecture. They will also be able to create frameworks that result in OPA-powered secure microservices, irrespective of the diverse and unique components in their environments.
This presentation covers different attack scenarios leveraging Kubernetes clusters. We'll dig deeper into a real-world attack scenario using real-world applications to demonstrate the different ways attackers and malicious users can exploit your cluster and the applications running on it. But first, we'll give an overview of Kubernetes and its architecture, covering the main components of the Control Plane and the Worker Nodes. Then, we'll use the K8s Threat Matrix and the MITRE ATT&CK for Containers published this year to discuss the Tactics, Techniques and Procedures behind the Recon, Exploitation and Post-Exploitation phases. After that, we'll provide some best practices for securing your cluster based on the scenarios and the CIS Benchmarks for Kubernetes. We'll show how to use Role-based access control (RBAC), how to enable audit logs for security and troubleshooting, and we'll set up some network policies to restrict communication between pods and prevent lateral movement by attackers.
Azure AD multi-factor security was built with two options for securing your environment: the super easy one-click button, or the vast labyrinth of complex overlapping policies. Can you guess which one most environments will need? Join us to discuss the options for providing multi-factor authentication for Azure AD logins, the intricacies of implementing Azure AD conditional access, and a review of the current best practice guidance.
Cloud Native environments have the potential to be more secure than ever before. But Security teams must navigate across new teams, like DevOps, and learn the security requirements of a nascent space. The good news is that, in this new territory, the familiar process of policy-setting is not only applicable, it is essential. In this session, we will discuss the key security policies required for securing a cloud native environment.
SANS Technology Institute presents our new Cloud Security Graduate Certificate Program.
This summit presentation will cover information on SANS Technology Institute. The SANS Technology Institute is an accredited college and offers programs at the graduate and undergraduate level. We will focus on our newest program in Cloud Security. In addition, we will highlight our other 7 graduate certificate programs, admissions requirements, curriculum review, and student resources.
We have the special privilege of hearing from a few of our faculty who both instruct and author a number of our courses.
2:00 pm - 2:30 pm ET
Thursday, June 3
Implementing an Effective Multi-Account Strategy on AWS
Implementing a multi-account strategy on AWS is critical to enforce security best practices and limit the blast radius of security events or incidents. In this talk, we will discuss how to effectively implement a secure multi-account strategy using AWS Organizations and Service Control Policies. We will walk through a demo and example configuration of AWS Organizations showing attendees how to implement security guardrails and reduce the overhead of managing multiple accounts.
Are you overwhelmed by the number of awesome tools that have been released in the past year to help you secure your cloud data? In this talk, we'll sprint through a number of open source options that you can start deploying ASAP to secure the data you care about the most. Some of the projects we'll cover include multi-cloud security and auditing tools as well as tools for securing K8s, Slack, Git and more.
The alphabet soup of PaaS offerings from Google Cloud can feel overwhelming, like a mountain of services which could never be fully vetted in a single lifetime. But are there really that many variables that make up a managed service? This talk presupposes that there are a finite and knowable number of building blocks that compose any given GCP PaaS service. Like Chipotle, you can combine this handful of ingredients in ways that produce a wide variety of PaaS services, such as Cloud Data Fusion, Cloud Build or Cloud Scheduler. By scratching under the surface of a GCP service, we can understand what combination of ingredients might pose a security risk in your Organization.
With the pandemic as a major accelerator, most organizations are increasingly moving to a cloud adoption strategy. The transition also comes with concerns about the security of the organization's sensitive data. This cloud adoption strategy must demonstrate to leadership at your organization that data in the cloud is secured and that overarching security best practices are applied. This session will take you through hands-on labs securing an Amazon EC2-based web application, covering identity and access management, detective controls, infrastructure protection and data protection. You'll walk away with skills and insights to help you secure your workloads in alignment with the AWS Well-Architected Framework.
Zinet Kemal, Information Security Engineer, State of Minnesota
The security community has embraced osquery as a way to gather and normalize telemetry from endpoints. Now, new extensions can bring that SQL-driven approach to cloud infrastructure and container environments. This session will cover the basics of the open-source osquery project and introduce cloudquery and kubequery, two open-source extensions to the osquery project that enable security teams to strengthen their cloud security posture. Eric will also provide examples of detections and investigative workflows that join together telemetry from cloud-based hosts, container environments, and cloud infrastructure.
In this session, attendees will learn:
The basics of osquery, cloudquery, and kubequery—powerful open-source tools that normalize security telemetry from hosts, containers, and the cloud
How these open-source tools can help implement standards such as the CIS Benchmarks for AWS, Azure, and GCP
Examples of how blue teams and auditing teams can use these tools to identify risk and detect threats across cloud, container, and endpoint environments
Cloud service providers allow developers to assign metadata to their cloud resources in the form of tags. Each tag is a simple label consisting of a customer-defined key and a value that can make it easier to manage, search for, and filter resources. Although there are no inherent types of tags, they enable customers to categorize resources by purpose, owner, environment, or other criteria. Tags can be managed both in code and in a runtime cloud environment. Tags can be used for security, cost allocation, ownership assignment, automation, console organization, access control, and operations. In this talk we will discuss an open-source tool that helps to manage tags in a consistent manner across infrastructure as code frameworks (Terraform, CloudFormation, Kubernetes, and Serverless Framework). By auto-tagging in IaC you will be able to trace any cloud resource from code to cloud. IaC tagging enables version-controlled owner assignment and resource tracing based on Git history. It can also extend tag enforcement logic by loading external tagging logic into the CI/CD pipeline.
The world has lately experienced dramatic changes that accelerated digital transformation in many aspects of organizations' and individuals' lives: work from home, remote services, online shopping, etc. In order to achieve the required agility, scalability and adaptability, hybrid multi-cloud adoption has soared. A critical part of the cloud journey is ensuring the enterprise stays secure across its data and workloads throughout its digital transformation. The current hybrid multi-cloud environment, with a growing list of third-party security tools as well as cloud native controls, can lead to fragmented security solutions and an increased risk posture.
In this talk, we will first investigate the challenges and opportunities of hybrid multi-cloud security, then we will propose a methodology to mitigate the identified challenges. In particular, we will propose a cloud security strategy that will support organizations in their journey to hybrid multi-cloud.
Kubernetes Goat is a “vulnerable by design” Kubernetes cluster environment for practicing and learning about Kubernetes security. In this session, Madhu Akula will present how to get started with Kubernetes Goat by exploring different vulnerabilities in Kubernetes clusters and containerized environments. He will also demonstrate real-world vulnerabilities and map the Kubernetes Goat scenarios to them, and walk through the complete documentation and instructions for practicing Kubernetes security assessments. As a defender, you will see how learning these attacks and misconfigurations helps you understand and improve your cloud native infrastructure security posture.
In environments where sensitive workloads and data reside, controlling where traffic can exit is often done with network level controls, such as security groups and network access control lists. However, when the workloads need access to AWS managed services, these controls are no longer enough as the control plane may expose the environment to other AWS tenants if not configured correctly.
This talk will focus on how isolation can be achieved with VPC endpoints and include examples of attack paths that have been leveraged to exfiltrate data from misconfigured locked-down environments.
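Both of the AWS sessions above, the multi-account talk built on Service Control Policies and this one on VPC endpoint isolation, come down to the same mechanism: a policy document whose Allow, Deny and Condition elements decide whether a request goes through. The following is an added example, not code from either talk. It is a minimal Python evaluator for just the slice of the IAM grammar the guardrails need (Action/NotAction, Resource wildcards, StringEquals/StringNotEquals, explicit-deny-wins), run against a constructed SCP and a constructed S3 gateway endpoint policy. The organization ID o-exampleorg, the approved region list, the statement names and the bucket names are all assumptions; Principal matching is not modelled (the endpoint statement uses "*", and SCPs carry no Principal).

```python
import fnmatch

# Constructed sample SCP (assumed region list and statement names; not from the talk).
SCP_GUARDRAILS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAccessByDefault", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyLeavingTheOrg", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"},
        {"Sid": "ProtectCloudTrail", "Effect": "Deny", "Resource": "*",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"]},
        # Region pinning. Global services are excluded with NotAction, because their
        # calls never carry an approved region and would otherwise be denied too.
        {"Sid": "ApprovedRegionsOnly", "Effect": "Deny", "Resource": "*",
         "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}},
    ],
}

# Constructed S3 gateway endpoint policy. aws:PrincipalOrgID keeps credentials from
# outside the organization off the endpoint; aws:ResourceOrgID keeps in-org credentials
# from writing to a bucket the organization does not own. o-exampleorg is an assumed ID.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OrgPrincipalsToOrgBucketsOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg",
                                        "aws:ResourceOrgID": "o-exampleorg"}}},
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    # Action and resource matching is wildcard based (* and ?); action names are case-insensitive.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every operator/key pair in a Condition block must hold (they are ANDed)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected = [str(v) for v in _as_list(expected)]
            if operator == "StringEquals":
                if actual is None or str(actual) not in expected:
                    return False
            elif operator == "StringNotEquals":
                # IAM treats a missing key as satisfying a negated operator, so a
                # request without aws:RequestedRegion is still caught by the region deny.
                if actual is not None and str(actual) in expected:
                    return False
            else:
                raise NotImplementedError(f"{operator} is not modelled in this example")
    return True


def _statement_applies(stmt, context):
    # Principal is not evaluated here: the endpoint statement uses "*" and SCPs have none.
    action = context["action"]
    if "Action" in stmt and not _matches_any(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches_any(stmt["NotAction"], action):
        return False
    if not _matches_any(stmt.get("Resource", "*"), context["resource"]):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policy, context):
    """'ALLOW' or 'DENY' for one request against one policy document: an explicit
    Deny beats any Allow, and no matching Allow is an implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_applies(s, context)}
    if "Deny" in effects:
        return "DENY"
    return "ALLOW" if "Allow" in effects else "DENY"


def evaluate_all(policies, context):
    """Guardrail layers compose by intersection: the SCP and the endpoint policy must
    both allow the request (identity policies are left out of this model)."""
    return "ALLOW" if all(evaluate(p, context) == "ALLOW" for p in policies) else "DENY"


if __name__ == "__main__":
    # An in-org role pushing data to a bucket owned by someone else: the exfiltration
    # path a network-only lockdown misses, blocked here by the aws:ResourceOrgID condition.
    exfil = {"action": "s3:PutObject", "resource": "arn:aws:s3:::attacker-drop/dump.tar",
             "aws:RequestedRegion": "us-east-1", "aws:PrincipalOrgID": "o-exampleorg",
             "aws:ResourceOrgID": "o-attacker"}
    print(evaluate_all([SCP_GUARDRAILS, ENDPOINT_POLICY], exfil))  # prints DENY
```

The point the endpoint policy makes is that security groups and NACLs only decide whether a packet may reach the S3 service; once it does, nothing at the network layer distinguishes your bucket from an attacker's. The Condition keys do that, and the evaluator shows both directions being refused: outside credentials reading an in-org bucket, and in-org credentials writing to an outside bucket.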
A lot of focus has been placed on securing the cloud, but the cloud can also be used to help secure applications. Find out how the same principles that apply to building cloud scale applications can also be used to deploy test environments in the cloud that support application security testing. Never again fear that your automated security testing, penetration testing, and customer A/B testing will collide. This talk will cover how applications that abide by the 12 Factors (https://12factor.net/) are easier to test. It will also discuss how the extreme flexibility of cloud resources allows easy separation of different types of application testing, ensuring that security tests can be run without interfering with business objectives.
You've probably heard about a recent compromise involving SolarWinds, but do you know how to defend against what happened in the cloud during NOBELIUM’s campaign? When the news of the SolarWinds compromise and subsequent global impact broke, it became critical to get the details about how the adversaries conducted their long-term campaign out to the community to raise awareness for defenders. Microsoft conducted extensive analysis into how it happened and identified several new behaviors that had not been documented as seen in the wild before. The MITRE ATT&CK® team used this information, as well as other sources, to update the ATT&CK for Cloud techniques that were executed during the campaign. In this talk, Microsoft and MITRE ATT&CK will team up to help you understand how the adversaries pivoted to Microsoft Azure cloud environments after gaining access through the initial supply-chain vector and what behaviors they executed in the cloud through the lens of MITRE ATT&CK. The audience will walk away with a better understanding of what happened during one of the most widespread and impactful campaigns in recent years and how they may be able to better detect or mitigate these behaviors in their own environments.
Every day, at every company, someone stands up new cloud infrastructure that needs to be discovered and protected. I, for one, am getting tired of playing whack-a-mole. With the increased usage of cloud infrastructure services, I needed to build something scalable, repeatable, and idiot-proof enough that even I could use it. In this presentation, I will guide the audience through a few different access auditing use cases in AWS that I come across daily and a new private attack collection I created to test my solutions with real-world attacks. This collection can be used to demonstrate how poorly implemented access controls can lead to exploitation and data exfiltration. I will emphasize not just why we need to monitor access but also what can happen if we do not.
Argo empowers the community to adopt GitOps for K8s without a separate CD tool. Argo triggers automated operations for cluster reconciliation by monitoring changes in git for images and artifacts such as Helm Charts. While Argo enables hyper automation for cluster deployment, how can teams ensure they aren't slowed down by requirements such as security, privacy and compliance?
In this talk, Om Moolchandani will discuss how to leverage the power of the Open Policy Agent built into Terrascan to automate the delivery of secure, compliant deployments. Argo with Terrascan can ensure that any Helm charts and container images to be deployed are compliant with the established policies. Om will also demonstrate a new approach of self-healing GitOps to the community which leverages OPA's Rego language to remediate risks and violations on the fly.
This presentation is relevant to any audience interested in GitOps, especially those responsible for meeting security and compliance goals. It will include technical details and demonstration that technology teams will find valuable, and also speaks to the business value which leadership understands.
Technology teams will learn new strategies for delivering secure, compliant deployments more efficiently and consistently.
Enterprise leadership will learn about new techniques which deliver value to the business while eliminating common sources of operational friction.
Security and privacy are critical considerations for the community to adopt open source projects and ecosystems. Argo is an ambitious project that can enable GitOps at speed and scale for the community, and OPA is now accepted as the standard for security and policy enforcement in cloud native environments. Adoption of Argo may be hampered by uncertainty around where security fits in Argo’s operator-driven deployment lifecycle. The lack of security assurance in Argo makes it difficult for DevOps, GitOps and security teams to promote adoption of Argo.
This talk highlights security gaps in the Argo-driven GitOps flow and explains how they can be bridged using a policy validation approach based on OPA. The talk will also introduce the concept of self-healing GitOps, which will empower operations and security teams to adopt Argo with confidence.
Securing information on mainframe computers was where we started long ago, focusing on access control and data encryption. As soon as information left the mainframe, we found out it was really hard to make data secure across client/server and then web computing. The focus shifted to putting security controls on and around the servers, PCs and networks that handled the sensitive information. We renamed what we do “cybersecurity” which covered up the fact that we were leaving the information vulnerable. The rapid movement of IT applications to the cloud and mobile systems has shown that we can’t just “lift and shift” this old cybersecurity approach to a very different environment – persistent data encryption, strong authentication and privilege management can enable hybrid and multi-cloud business environments without driving high levels of “spending in depth.” This talk will focus on use case examples where the barriers to data security have been broken down (or bypassed) and how you can do the same.
We've all heard about the cyberattacks on the US Government that took advantage of the software deployment process. And if it can happen to the US Government, it can happen to you. Fortunately, there is a way to close the loophole attackers took advantage of by ensuring that the software you're installing is actually the software you think you're installing. In this session we'll look at potential issues in the CI/CD process, and how you can plug those holes through the use of a trusted container image registry such as Mirantis Secure Registry (formerly Docker Trusted Registry).
In this talk, we'll demonstrate Kubernetes and AWS attacks, attacking a scenario themed on the movie "Real Genius." We'll discuss multiple defenses available to every Kubernetes and AWS user. In part of the attack, we'll use the open source Peirates tool. Come learn how to attack Kubernetes and break your attacks! You will learn about how to attack and avoid several "gotcha" configurations, where the cluster maintainer's intent doesn't match the attacker's view of the defenses. You'll also learn how some of these defenses really work, including the Kubernetes to AWS linkages.
Every day cloud providers release or update key services, new open source projects are created, and a plethora of cloud security startups are launched. Join the panel to see how to make sense of the noise and learn best practices that organizations are following to protect, detect, and respond to security issues in the cloud.
Understanding what it takes to be successful in security operations is difficult, regardless of your organization’s technology environment. With an increasing number of organizations transitioning to the cloud, security operations teams must identify and implement new strategies to detect and respond to security incidents. In this session, you will learn how to best prepare for an AWS security incident through the lens of incident response industry standards and frameworks. You will receive tactical guidance to improve your incident response processes and procedures for your AWS environment.
Anna McAbee, Solutions Architect, Security at Amazon Web Services (AWS)
Over the last few years, Kubernetes has strengthened its security posture and the community has developed tools to keep it secure. That said, one of the more prevalent concerns of Kubernetes users is the ability to keep it secure. In this talk, we will look at Kubernetes' security concerns, provide best practices based on our experience that will help avoid common pitfalls, share insights gained from working with customers, and cover the tools we have employed to address the issue of Kubernetes security.
Monitoring cross-cloud presents some unique challenges, whether it be monitoring deployments in multiple Cloud Service Providers (CSPs) or monitoring multiple Software as a Service (SaaS) solutions used by an organization. The differing service features coupled with varied security controls and auditing capabilities mean that a one-size-fits-all solution is unlikely to work. In this presentation we will explore specific challenges presented by cross-cloud monitoring with examples from Azure, AWS, Zoom, Microsoft Teams and others. The session will deep dive into various challenges around data collection, schemas, data models, and detection opportunities before presenting practical technical and procedural solutions defensive teams can implement to make their own cross-cloud deployments more effective and efficient, along with effective use of attack simulation frameworks to test and validate these.
Peter Bryan, Senior Software Engineer, Microsoft Threat Intelligence Center
Ashwin Patil, Senior Program Manager, Microsoft Threat Intelligence Center
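The schema problem the session above describes is concrete enough to show: an AWS console login and an Azure AD sign-in record the same fact in different field names, and no detection spanning both can run until they are mapped onto one shape. The following is an added example, not material from the talk or from Microsoft. It normalizes constructed CloudTrail ConsoleLogin events and constructed Azure AD SigninLogs rows onto a shared sign-in schema, then runs one detection over the merged stream: a single source IP collecting failed sign-ins across two providers inside a short window, with a flag when a success follows (the spray-then-login shape). The sample records, the IP addresses and user names are constructed; the assumption that the UPN local part equals the IAM user name stands in for a real identity join.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (not real logs). CloudTrail records use the ConsoleLogin
# event shape; Azure records use the Log Analytics SigninLogs column names.
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2021-06-04T14:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2021-06-04T14:03:05Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}},
]
AZURE_SIGNIN_EVENTS = [
    {"TimeGenerated": "2021-06-04T13:00:09.1234567Z", "UserPrincipalName": "alice@example.com",
     "IPAddress": "198.51.100.7", "ResultType": "0", "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": "2021-06-04T14:02:40.0000000Z", "UserPrincipalName": "alice@example.com",
     "IPAddress": "203.0.113.10", "ResultType": "50126", "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": "2021-06-04T14:04:00.0000000Z", "UserPrincipalName": "bob@example.com",
     "IPAddress": "203.0.113.10", "ResultType": "0", "AppDisplayName": "Azure Portal"},
]


def _parse_utc(ts):
    # Both sources emit UTC; fractional seconds are dropped to a common precision.
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def normalize_cloudtrail(ev):
    """Map a CloudTrail ConsoleLogin record onto the shared sign-in schema."""
    ident = ev.get("userIdentity", {})
    return {
        "provider": "aws",
        "time": _parse_utc(ev["eventTime"]),
        "user": (ident.get("userName") or ident.get("arn", "unknown")).lower(),
        "source_ip": ev["sourceIPAddress"],
        "outcome": "success" if ev.get("responseElements", {}).get("ConsoleLogin") == "Success" else "failure",
        "app": ev["eventSource"],
    }


def normalize_azure_signin(ev):
    """Map an Azure AD SigninLogs row onto the shared schema; ResultType 0 is success.
    Assumption: the UPN local part equals the AWS user name, so 'user' joins the two
    sources (a real pipeline would join through an identity inventory instead)."""
    return {
        "provider": "azure",
        "time": _parse_utc(ev["TimeGenerated"]),
        "user": ev["UserPrincipalName"].split("@")[0].lower(),
        "source_ip": ev["IPAddress"],
        "outcome": "success" if str(ev["ResultType"]) == "0" else "failure",
        "app": ev["AppDisplayName"],
    }


def detect_cross_cloud_failures(events, threshold=3, window_minutes=10):
    """Flag a source IP with >= threshold sign-in failures spanning at least two
    providers inside a sliding window. One finding per IP, recording whether a
    success followed the failures in the same window."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_ip[ev["source_ip"]].append(ev)
    window = timedelta(minutes=window_minutes)
    findings = []
    for ip, evs in by_ip.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            in_window = evs[start:end + 1]
            failures = [e for e in in_window if e["outcome"] == "failure"]
            providers = sorted({e["provider"] for e in failures})
            if len(failures) < threshold or len(providers) < 2:
                continue
            first_failure = next(i for i, e in enumerate(in_window) if e["outcome"] == "failure")
            candidate = {
                "source_ip": ip,
                "failures": len(failures),
                "providers": providers,
                "users": sorted({e["user"] for e in failures}),
                "followed_by_success": any(e["outcome"] == "success" for e in in_window[first_failure:]),
            }
            if best is None or candidate["failures"] >= best["failures"]:
                best = candidate  # keep the widest view of this IP's activity
        if best:
            findings.append(best)
    return findings


def run_demo():
    events = [normalize_cloudtrail(e) for e in CLOUDTRAIL_EVENTS]
    events += [normalize_azure_signin(e) for e in AZURE_SIGNIN_EVENTS]
    return detect_cross_cloud_failures(events)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run on the constructed data, the detection produces one finding for 203.0.113.10: three failures across both providers against two users, followed by a successful Azure sign-in. Neither source alone reaches the threshold, which is the case for normalizing before detecting rather than alerting per provider.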
5:00 pm - 5:30 pm ET
Friday, June 4
Automate Your Security in GCP with Serverless Computing
Automating security in the cloud can improve your response time, lower your risk, reduce costs, and even boost your security team's efficiency. Google Cloud Platform (GCP) logs events in real time, allowing you to remediate insecure resources or reverse high-risk actions in a matter of seconds. This talk will explore serverless open source tools and other cloud-native options that allow you to automate your cloud security without the need for human interaction. You can expect to learn how GCP handles logging, monitoring, and alerting as well as actionable steps to immediately secure your GCP organization.
Jason Dyke, Principal Cloud Security Consultant, ScaleSec
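The "remediate in seconds" loop the abstract above refers to is an event-driven one: an admin-activity audit log entry lands in Cloud Logging, a log sink routes it to a Pub/Sub topic, and a Cloud Function subscribed to the topic inspects the entry and acts. The following is an added example, not code from the talk or from ScaleSec, showing the part of that loop that can run offline: decoding the Pub/Sub message, reading the Compute Engine firewall request out of the audit log, and deciding whether the new rule exposes tcp/22 to the whole internet. The sink filter string, the project name example-project, the rule name and the actor address are assumptions, and the final API call that would delete the rule is left out so the block runs without credentials.

```python
import base64
import json

# Assumed Cloud Logging sink filter that feeds the Pub/Sub topic this function listens on.
SINK_FILTER = (
    'logName:"cloudaudit.googleapis.com%2Factivity" AND '
    'protoPayload.methodName=("v1.compute.firewalls.insert" OR "v1.compute.firewalls.patch")'
)
ANYWHERE = "0.0.0.0/0"
WATCHED_PORT = 22


def decode_pubsub_event(event):
    """Pub/Sub-triggered Cloud Functions receive the LogEntry base64-encoded in event['data']."""
    return json.loads(base64.b64decode(event["data"]).decode("utf-8"))


def _port_matches(ports, wanted):
    """Firewall 'ports' entries are single ports or 'low-high' ranges; absent means all ports."""
    if not ports:
        return True
    for spec in ports:
        low, _, high = spec.partition("-")
        if int(low) <= wanted <= int(high or low):
            return True
    return False


def plan_remediation(log_entry):
    """Return a remediation plan when an ingress rule opens tcp/22 to the world, else None."""
    payload = log_entry.get("protoPayload", {})
    if not payload.get("methodName", "").endswith(("compute.firewalls.insert", "compute.firewalls.patch")):
        return None
    rule = payload.get("request", {})  # the Firewall resource as submitted by the caller
    if rule.get("direction", "INGRESS") != "INGRESS":
        return None
    if ANYWHERE not in rule.get("sourceRanges", []):
        return None
    exposed = any(
        allowed.get("IPProtocol", "").lower() in ("tcp", "all")
        and _port_matches(allowed.get("ports"), WATCHED_PORT)
        for allowed in rule.get("alloweds", [])
    )
    if not exposed:
        return None
    # resourceName has the form projects/<project>/global/firewalls/<rule-name>
    parts = payload.get("resourceName", "").split("/")
    return {
        "action": "delete_firewall_rule",
        "project": parts[1] if len(parts) > 1 else None,
        "rule": rule.get("name") or parts[-1],
        "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
        "reason": f"ingress tcp/{WATCHED_PORT} open to {ANYWHERE}",
    }


def handle_log_event(event, context=None):
    """Cloud Functions (Python background function) entry point: decode, decide, act."""
    plan = plan_remediation(decode_pubsub_event(event))
    if plan is not None:
        # A deployed function would call the Compute Engine API here to delete
        # plan["rule"] in plan["project"]; the call is omitted so this runs offline.
        print(json.dumps(plan))
    return plan


def make_event(source_ranges, ports, direction="INGRESS", method="v1.compute.firewalls.insert"):
    """Build a constructed Pub/Sub event carrying a Compute Engine admin-activity LogEntry."""
    entry = {
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "methodName": method,
            "resourceName": "projects/example-project/global/firewalls/allow-ssh-anywhere",
            "authenticationInfo": {"principalEmail": "dev@example.com"},
            "request": {"name": "allow-ssh-anywhere", "direction": direction,
                        "sourceRanges": source_ranges,
                        "alloweds": [{"IPProtocol": "tcp", "ports": ports}]},
        },
    }
    return {"data": base64.b64encode(json.dumps(entry).encode()).decode()}


if __name__ == "__main__":
    handle_log_event(make_event([ANYWHERE], ["22"]))
```

The decision deliberately reads the request body rather than querying the live firewall, so it fires on the same log line that records the change and does not race the next edit; the trade-off is that a patch which only narrows an existing rule still needs the current state to judge, which is where a follow-up read of the rule would go.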