9:00 am - 9:15 am CT 2:00 pm - 2:15 pm UTC | Track 1 Opening Remarks Frank Kim, Fellow, SANS Institute; CISO-in-Residence, YL Ventures |
9:15 am - 10:00 am CT 2:15 pm - 3:00 pm UTC | Track 1 Keynote | Go Beyond Gatekeeping: A Systems Design Approach to Security Engineering Security teams are moving from being gatekeepers to becoming collaborative engineers. Yet security often falls into the trap of threat modeling and requirements, leading to friction and loss of trust with other departments. This talk urges a shift to viewing security as a systems design challenge. Instead of issuing mandates or imposing requirements, we should collaborate to redesign production systems. Karthik will draw on real-world experiences at fast-growing companies to outline the approaches that have been successful, lessons learned, and pitfalls to avoid. The talk will also explore the potential for using AI and Large Language Models to alleviate resource constraints and introduce new capabilities. |
10:00 am - 10:15 am CT 3:00 pm - 3:15 pm UTC | Track 1 Break |
10:15 am - 10:50 am CT 3:15 pm - 3:50 pm UTC | Track 1 Failing to Scale: Bumps in the Road While Scaling Cloud Access Devon Powley, Manager, Cloud Infrastructure and Platform Security, HashiCorp The days of operating out of a single cloud account have come and gone. Companies are pushing teams to scale beyond one account, to multiple accounts, to multiple cloud providers. For those that have survived to tell the tale, the experience of getting from A to Z is invaluable. In this talk, we share our experience by discussing the approach we took at HashiCorp, the hurdles we hit along the way, and the solutions we built or deployed to be successful. Come prepared with questions and leave feeling confident that there is a light at the end of the tunnel. |
10:15 am - 12:15 pm CT 3:15 pm - 5:15 pm UTC | Workshops - In Person Only Workshop | Least Privilege - An Adventure in Third-Party Cloud Account Access Many cloud-focused tools and third-party vendors require access to your organization's cloud account. Sure, you could open up the flood gates and allow full, administrative access, but do those vendors and tools need that level of access? Most likely, no. In an age of increased supply chain and upstream vendor compromises, we must ensure that we are limiting any and all external access to what is truly needed and nothing more. In this workshop, you will allow a third-party vendor (Blue Mountain Cyber) access to your cloud account and, in return, an automated security assessment of your AWS account will be performed. But there's a twist: to get these results, you must first limit access to ONLY what is needed to perform this audit. Too much or too little access? No report for you! Requirements: Laptop needed. An AWS account with root or AdministratorAccess permissions. Note: You will be modifying IAM permissions to allow an external account access, so be sure this is permitted in the account you are using. Otherwise, create a new account for the workshop. |
10:55 am - 11:30 am CT 3:55 pm - 4:30 pm UTC | Track 1 Detective Controls in K8s Environments - Wrangling Security Data Out Of Your Clusters As Kubernetes (K8s) usage becomes more common, Cloud Security teams are often tasked with securing K8s usage within their organization. K8s clusters contain a variety of different logs and data sources. Feeding these data sources into appropriate detective controls can give Security teams deep insight into the activity of their clusters, and help identify both malicious activity and risky configurations. In this talk, we will explore: the different types of logs and data available within K8s environments; what you should care about (and why) from a security perspective; the differences between self-managed and CSP-managed K8s offerings, and how each affects detection; engineering aspects of plumbing these logs to a SIEM or data lake; and how to get started on generating your own detection cases, including real-world attack scenarios! Throughout the presentation, we will layer our guidance alongside input from industry frameworks like MITRE ATT&CK for Containers and real-world experience. |
11:35 am - 12:10 pm CT 4:35 pm - 5:10 pm UTC | Track 1 Beyond the Perimeter: Uncovering the Hidden Threat of Data Exfiltration in Google Cloud Platform In this talk, we will discuss the numerous ways attackers can steal data from Google Cloud Platform (GCP) resources with minimal chance of detection. The talk explores five different methods an attacker can use to exfiltrate data from the popular services Google Cloud Storage, Cloud SQL and BigQuery. For each method we will describe the generated log events and what to look for to detect malicious behavior. We will finish with a summary of the key takeaways and next steps for attendees: - Data exfiltration from Google Cloud Platform (GCP) resources is a serious threat that can result in significant data breaches and other security incidents. Understanding the various methods of exfiltration and how to detect them is critical for effective incident response and security management. - GCP audit logs are an essential tool for detecting data exfiltration and other security incidents in the cloud environment. By analyzing the audit logs, security professionals can identify suspicious activities, detect potential breaches, and take appropriate action to prevent further damage. - To prevent data exfiltration from GCP resources, organizations must take a proactive approach to security. This includes implementing access controls, monitoring the audit logs for suspicious activities, and configuring alerts for potential security incidents. By following these best practices, organizations can reduce the risk of data exfiltration and better protect their sensitive data in the cloud. |
12:15 pm - 1:30 pm CT 5:15 pm - 6:30 pm UTC | Track 1 Lunch |
1:30 pm - 2:05 pm CT 6:30 pm - 7:05 pm UTC | Track 1 Cloud Security: What Works and What Doesn't Liz Tesch, Sr Cloud Solution Architect - Cybersecurity, Microsoft Practical advice on managing cloud security based on real-world experience and lessons learned leading large enterprise cloud projects. We'll compare and contrast case studies of 2 cloud migrations and the role of security in each, with the goal of understanding why 1 company was much more successful than the other in moving to the cloud securely. We'll also look at what customers are doing better in 2023 and where they're still struggling. Topics will include: cloud security program leadership, designing an architecture, choosing cloud security tools, and ownership of security in the cloud. Participants will learn how to make sure that security is a meaningful and successful component of cloud projects rather than just a checkbox. |
1:30 pm - 2:05 pm CT 6:30 pm - 7:05 pm UTC | Virtual Practical Security Monitoring and Response in Microsoft Azure I currently work for an organization that was built completely and natively in the public cloud (Microsoft Azure). This presentation will provide some practical information about what to log from a security monitoring perspective, examples of high-fidelity use cases, conducting incident response, important Azure security controls that, when used, provide excellent value for prevention (e.g., Azure AD conditional access), and how the Microsoft security controls integrate with each other. I would also like to touch on security monitoring in Azure for things like APIs, microservices, and identity and access management (IAM). |
2:10 pm - 2:45 pm CT 7:10 pm - 7:45 pm UTC | Track 1 Scaling Identity and Access in Multi-Account Enterprises: Complexities and Strategies for Effective IAM Scaling IAM in Enterprises: Multi-Account Strategies and Challenges. Scaling Identity and Access Management in an enterprise is hard. Enabling application teams and the business to build and take advantage of cloud benefits while building secure IAM at scale is complex. Add in the additional complexity of multiple accounts, and this becomes quite the challenge. While we're given new IAM paradigms and new IAM tools with the possibility of many different strategies, we're now seeing new security risks and challenges in cloud IAM. In this talk, we'll look at strategies for scaling IAM in enterprises and their complexities (with real-world examples), including: - Multi-account strategies and AWS Organizations, and how they impact IAM. - Different types of IAM access. - AWS-native IAM tools (Identity Center/SSO, Roles, Users). - How to scale IAM with policies and frameworks. |
2:10 pm - 2:45 pm CT 7:10 pm - 7:45 pm UTC | Virtual Journey to Securing the Cloud: Detecting and Fixing Misconfigurations at Datadog Scale Once upon a time, in the ever-expanding realm of cloud computing, a group of brave engineers embarked on a quest to protect their organization's cloud infrastructure from the perilous threat of misconfigurations. This is the story of their adventure at Datadog, where they unravel the mysteries of detecting and fixing cloud misconfigurations at scale. In this talk, we invite you to join us on this remarkable journey. We will dive into the world of security, system and software engineers running services in the cloud, as we unveil practical insights and effective strategies for addressing misconfigurations. Our story commences by shedding light on the significance of cloud misconfigurations and their potential ramifications. Through real-world anecdotes and cautionary tales, we will highlight the profound impact that misconfigurations can have on security, performance, cost and compliance in cloud environments. As our intrepid adventurers venture deeper into their mission, they uncover a plethora of tools and techniques to detect cloud misconfigurations at Datadog scale. We will delve into the realm of automated monitoring and auditing, exploring how Datadog's security team harnesses the power of intelligent checks and comprehensive scanning to swiftly identify vulnerabilities and misconfigurations. But detection alone is not enough to protect against the perils of misconfigurations. Our heroes press forward to discover the art of remediation. Through their trials and triumphs, we will unravel the secrets behind prioritizing and rectifying misconfigurations effectively. Topics covered include workflows, leveraging infrastructure-as-code principles for automated remediation, and integrating continuous integration and continuous delivery (CI/CD) pipelines to enforce best practices. Throughout this enchanting narrative, we will weave together practical examples and relatable experiences that resonate with both beginners and those seeking to enhance their cloud security knowledge. By the end of our tale, attendees will be armed with actionable insights to implement robust detection and remediation strategies in their own cloud environments. In a world where cloud services are under constant scrutiny, this talk serves as a guiding light, empowering attendees to fortify their cloud infrastructure against the ever-evolving threat landscape. So, come, embark on this extraordinary adventure and discover the story of detecting and fixing cloud misconfigurations at Datadog scale. |
2:50 pm - 3:10 pm CT 7:50 pm - 8:10 pm UTC | Track 1 Break |
3:10 pm - 3:45 pm CT 8:10 pm - 8:45 pm UTC | Track 1 eBPF Superpowers for Enhanced Cloud Native Security eBPF has emerged as a game-changer in the realm of cloud native security. Its efficient and flexible kernel-level instrumentation capabilities enable robust monitoring, threat detection, and policy enforcement in modern cloud native environments. In this session, we will take a deep dive into the security aspects of eBPF and explore how it empowers organizations to enhance runtime security and protect their applications. Introduction to eBPF: definition and overview of eBPF and its significance in cloud native security; understanding how eBPF provides a lightweight and versatile approach to securing the kernel. Observability and Threat Detection: leveraging eBPF for dynamic tracing to gain real-time insights into application behavior and detect security anomalies; exploring the role of eBPF in monitoring and profiling to identify potential vulnerabilities and threats. Network Security with eBPF: utilizing eBPF for advanced network security measures, including network monitoring, intrusion detection, and packet filtering; demonstrating how eBPF enhances network security in cloud native environments and protects against malicious activities. Runtime Security: uncovering the runtime security applications of eBPF, such as intrusion detection, policy enforcement, and anomaly detection; showcasing how eBPF enables proactive security measures by monitoring and securing application execution at the kernel level. Real-World Use Cases: examining practical examples of how eBPF is deployed in open source cloud native security tools; reviewing architectural patterns that solve the most common workload security use cases in Kubernetes. This presentation aims to provide attendees with a comprehensive understanding of how eBPF can significantly enhance security in cloud native environments. By exploring the various security-focused applications of eBPF, participants will gain valuable insights into leveraging eBPF's superpowers to fortify their runtime security posture and safeguard their cloud native applications. |
3:10 pm - 3:45 pm CT 8:10 pm - 8:45 pm UTC | Virtual How Ramp Manages Authorization in the Cloud and Achieves Least Privilege Effectively managing access and authorization in the cloud can have a huge impact on reducing attack surface and decreasing the chances of an identity-related data breach. But with the myriad frameworks for access control, and the staggering number of SaaS and IaaS apps in use within an organization, authorization can be a true monster for security teams. Paul Yoo, Head of Security Assurance at Ramp, will dive into the ways his team has streamlined authorization, and what they've gained from the improvement. He'll speak to: selecting a solution to automate access management and authorization; advice on implementation and rolling out a least privilege program; and how to successfully measure ROI. |
3:50 pm - 4:25 pm CT 8:50 pm - 9:25 pm UTC | Track 1 Top 10 Azure Security Tips From 10 Years of Securing Azure Applications Karl Ots, Head of Cloud Security, EPAM Systems In the last 10 years, Azure has become one of the most popular cloud platforms for businesses and organizations of all sizes. As the platform has evolved, so has the threat landscape. To understand the present cloud security landscape and predict the future, let's take a trip down memory lane! In this session, we will discuss how Azure's security controls have evolved over time. Throughout the session, I will share best practices for securing your Azure infrastructure, applications, and data, so that you can build an architecture that stands the test of time. |
3:50 pm - 4:25 pm CT 8:50 pm - 9:25 pm UTC | Virtual Crossing the Bridge - A Journey Through Attack Vectors in Managed Kubernetes Services Managed Kubernetes distributions such as Amazon EKS are highly popular ways to run Kubernetes in a public cloud environment. "Attackers think in graphs" has never been so true, especially when jumping around different platforms. In this talk, we discuss and demonstrate several attack vectors that allow an attacker to pivot from an EKS cluster to the underlying AWS account, potentially escalating their privileges from an unprivileged web application to a full cluster or cloud administrator. We focus on explaining and exploiting the mechanisms, often transparent to developers, that make it possible to "bridge the gap" between Kubernetes and cloud identities. Along the way, we'll share actionable insights for defenders on how to reproduce, detect, and prevent these attacks. We'll conclude with a demo of the Managed Kubernetes Auditing Toolkit (https://github.com/datadog/managed-kubernetes-auditing-toolkit/), which will feature an exclusive new release for CloudSecNext! While this talk focuses on Amazon EKS, most of the concepts and remediations we discuss are also applicable to Google Kubernetes Engine (GKE) and Azure Kubernetes Service (AKS). |
4:30 pm - 4:45 pm CT 9:30 pm - 9:45 pm UTC | Track 1 Wrap-Up |