Cloud Security Summit & Training - Live Online

Virtual, US Mountain | Thu, May 28, 2020 - Fri, Jun 5, 2020

In response to the escalation of the COVID-19 pandemic, we've made the decision to convert this training event into a Live Online event. The Cloud Security Summit will now take place online Thursday, May 28, and Friday, May 29. The two-day Summit will include live-streamed expert talks, Q&A sessions, and virtual networking opportunities.

The courses below will now take place online beginning on Monday, June 1, using software to stream live instructors to all registered students during the scheduled classroom hours (Mountain Time). This alternate training format will allow us to deliver the cybersecurity training you expect while keeping you, our staff, and our instructors as safe as possible.

Your registration for a Live Online course includes electronically delivered courseware, live streaming instruction by a SANS instructor, course labs, and four months of online access to course recordings.

Thursday, May 28
9:00-9:15 am
Welcome & Opening Remarks

Ken Hartman, Summit Co-Chair
Mark Morowczynski, Summit Co-Chair
Dave Shackleford, Summit Co-Chair

9:15-10:00 am
Keynote

Securing Cloud Deployments: A Red Team Perspective

Matt Burrough (@mattburrough), Senior Penetration Test Lead, Microsoft

Cloud computing represents an opportunity for businesses of all sizes to deploy new service offerings more quickly, focus on development instead of system maintenance, avoid big bets on capital expenditures, and handle spikes in demand seamlessly. However, it also represents a fundamental shift in the security architecture that many organizations have become accustomed to over the last decade or more. In this talk, Matt will describe common missteps he sees as teams move to a cloud-first world, ways that organizations can minimize risk by protecting themselves and their services, and how security testing itself changes in the cloud.

10:00-10:30 am

Threat Hunting in the Microsoft Cloud: The Times They Are a-Changin'

John Stoner (@stonerPSU), Principal Security Strategist, Splunk

So you are moving (or have just moved) to the cloud and excitement abounds! Do you and your leadership understand that this changes everything? This isn't a bad thing by any stretch, but everyone needs to understand the impact of this decision. We will discuss the implications of moving to the cloud using Microsoft's cloud services, Azure Active Directory and Office 365, as an example. We will look at the services that are available in the cloud compared to on-premises, how the logging changes, the attack surface, and the potential pitfalls of a cloud provider controlling access to the log stream. From there, we will use Azure AD and Office 365 logging to perform a hunt and observe the fidelity of the events that a hunter would have access to. We will also identify where cloud logging is not enough and where on-premises logs are still needed to round out our hunt. Finally, we will wrap up by looking at MITRE ATT&CK's cloud matrix, introduced in November 2019, and see how our hunt aligns to those techniques. Our goal is to demonstrate how a threat hunter would adapt their hunting to this new terrain.

10:30-10:50 am

Break

10:50-11:25 am

Static Analysis of Infrastructure as Code

Barak Schoster Goihman, CTO and VP of Engineering, Bridgecrew

Planning, provisioning, and changing infrastructure have become vital parts of application development. Incorporating infrastructure-as-code into software development is also helping cloud security practitioners prevent bad configurations upstream, without inflating development backlogs. In this session, we’ll cover a simple method to write, test, and maintain infrastructure-as-code at scale using policy-as-code. We will discuss common open-source packages, integrated development environment plug-ins, continuous integration, and more. We’ll also review sample use cases that showcase the benefits of preventing cloud misconfigurations on Terraform/CloudFormation at build-time as opposed to preventing them at run-time, using the open-source tool https://github.com/bridgecrewio/checkov/.

11:30-11:35 am Q&A
11:35 am – 12:10 pm

Don't Just Lift and Shift! Why Traditional Controls Don't Always Apply to the Cloud and What You Can Do About It

Steve Turner, Director of Security Architecture, Prudential

If lifting and shifting applications from on-premises data centers is frowned upon and generally bad practice, why would you do the same thing with your security controls? Taking a traditional approach to cloud environments – be they PaaS, SaaS, or IaaS, along with your changing perimeter – will leave you with control and visibility gaps. In this talk we’ll present lessons learned from a security standpoint about how applying traditional controls didn't work, and what pitfalls to look out for if you're in the process of adopting or have already adopted cloud solutions. We’ll also look at how to simplify and centralize visibility, blocking, and remediation by either extending your existing control and monitoring planes or replacing them entirely. Finally, we’ll examine what you should be adding to your arsenal of security tools to gain even more insight into what your organization is doing in the cloud. The presentation will focus on some of the key cloud players (AWS, Azure, M365, Salesforce, and Workday), what logs to look out for and how to ingest and analyze them, integrating malware detection and prevention tools with alerting, and what additional controls can be considered or used (including some of the new MITRE Cloud Matrix tactics and techniques).

12:10-12:15 pm Q&A
12:15-1:30 pm Lunch
1:30-2:10 pm

Cloud Security Posture Management from Security Hygiene to Incident Response

Yuri Diogenes (@yuridiogenes), Senior Program Manager, Microsoft
Jess Huber, Director of Incident Response, Deloitte

Breaches in cloud environments are already happening due to the lack of security hygiene in workloads. As organizations migrate more workloads to the cloud, security hygiene becomes more critical than ever. Cloud security posture management comprises three major pillars: prevention, detection, and response. When organizations work to enhance their security posture, it means they are strengthening all three pillars. This presentation covers best practices for cloud security hygiene, threat detection for cloud workloads, and lessons learned from incident response cases in the cloud. You will leave this presentation with a "Go Do" list to enhance the security posture in your cloud environment.

2:10-2:15 pm Q&A
2:15-2:55 pm

Modern Identity Strategies to Securely Manage Your Cloud Infrastructure

Michael Soule, National Director of Enterprise Architecture and Innovation, Sentinel Technologies

Identity is the modern security boundary, and it has been a challenging issue for many in the field. With the introduction of cloud service providers, the challenge and scope redouble. The potential security impact of identity mistakes can lead to security breaches. Today’s identity challenges involve managing granular permissions and segmenting blast domains while at the same time efficiently maintaining much larger scale. This presentation will focus on Amazon Web Services (AWS) identity management strategies, including examples of federation strategies to limit administrative burden and multiple account segmentation strategies to prevent lateral movement. Finally, we’ll present example code using AWS Lambda and S3 to handle identity and access management roles at scale and across many accounts.

2:55-3:00 pm Q&A
3:00-3:20 pm Break
3:20-3:55 pm

Reimagining Vulnerability Management in the Cloud

Eric Zielinski, Director, Cloud Solutions, Nationwide

As more workloads move to the cloud, it is critical to secure them against known vulnerabilities. The cloud gives us new advantages that we never had before, such as automated patching and re-hydration of OS images. But while the benefits of the cloud allow for agility, speed, and innovation, this can pose a challenge for vulnerability management. Images are often dynamic because they are generally turned on or shut off on a regular basis. So how can we ensure that our servers are scanned for vulnerabilities or patched in this dynamic environment? In this presentation, we will discuss best practices for cloud vulnerability management, with a strong focus on automation. We’ll demonstrate options for asset management, vulnerability detection, remediation, and reporting on cloud vulnerabilities.

3:55-4:00 pm Q&A
4:00-4:40 pm

Doing Cloud in China

Ken Hartman (@KennethGHartman), Summit Co-Chair, SANS Institute

China is the only country in the world that does not permit foreign cloud service providers to own and operate their own data centers in the country. To operate a data center in China, a locally registered company that has less than 50% foreign investment must obtain a value-added telecom permit. This talk looks at how Amazon Web Services (AWS) and Microsoft Azure have modified their services to gain entry to the cloud market in China and compares their service offerings to those of local Chinese cloud service providers. We will cover specific considerations for foreign companies using cloud services in China. The Chinese company Alibaba Cloud is the fourth largest global Infrastructure-as-a-Service provider, following AWS, Azure, and Google Cloud Platform. We end the session by taking a test drive of Alibaba Cloud and discussing why this CSP should be on your watch list. NOTE: This talk provides a preview of some content from SANS SEC488: Cloud Security Essentials.

4:40-4:45 pm Q&A
4:45-5:00 pm
Day 1 wrap-up

Dave Shackleford, Summit Co-Chair, SANS Institute

Friday, May 29
9:00-9:45 am
Keynote

Lessons Learned from Cloud Security Incidents, Past and Present

Dave Shackleford (@daveshackleford), Summit Co-Chair, SANS Institute

For the past ten years or so, we've seen incredible growth in the development and use of cloud technologies and services. Right alongside that, sadly, has been an increase in attacks and breaches related to cloud services, as well as a few outages of note. As we're all interested in building and implementing security controls and processes to help defend our cloud infrastructure, it's never a bad idea to break down some of the things we've seen go wrong, hopefully learning from them to avoid the same mishaps and incidents in our own environments.

In this talk, Dave will dissect a chronological list of cloud incidents of note, with a brief post-mortem and alignment with the MITRE ATT&CK framework. Some of the incidents we've seen are relatively straightforward, and others are much more nuanced, but we can learn something from all of them. This presentation will also include ample references for attendees to take back for their own research, as well.

9:50-10:30 am

Put a Lid on Those AWS S3 Buckets

Lily Lee, Staff Security Strategist, Splunk
Melisa Napoles, Security Engineer, Splunk

In previous sessions, the presenters have talked about the Amazon Web Services (AWS) shared responsibility model and some great places to start collecting data for continuous security monitoring in a cloud world. They’ve even discussed how to make use of these data to detect evil. For this presentation they’re back with a real-life issue: misconfigured AWS S3 buckets leading to a security breach. They’ll walk through an attack scenario that demonstrates how an attacker can exploit a misconfiguration and plant cryptomining code that exploits a system’s resources. Attend this talk to learn methods to identify and detect these types of incidents as you fulfill your end of the shared responsibility model.

10:30-10:50 am

Break

10:50-11:25 am

Cover Your SaaS: practical SaaS security tips

Ben Johnson (@chicagoben), CTO & Co-Founder, Obsidian Security

SaaS is 75% of the cloud, yet when you hear cloud security, you often think IaaS. In this talk we will discuss areas to consider when thinking about SaaS security in your environment. We will also review practical tips for quick wins for common SaaS applications found in most environments, and discuss overall how teams are approaching these problems.

11:25-11:30 am Q&A
11:35 am – 12:10 pm

Leveling-up Your Workforce for Cloud Enablement - Pathways to Total Pwnage

Aaron Lancaster (@aarondlancaster), Business Information Security Manager, Truist Financial Corp.

Red, blue, or purple? No matter your preferred color, we all have new skills to learn in order to level up and win at cloud security. In this talk, we will touch on several backgrounds from which you may be approaching cloud security and how to adapt your skills to work with public, private, and hybrid cloud environments.

12:10-12:15 pm Q&A
12:15-1:30 pm Lunch
1:30-2:10 pm

Multi-Cloud Visibility for Large Organizations

Chris Farris (@jcfarris), Community Instructor, SANS Institute

There is a reason why inventory is the first SANS/CIS Critical Control. With public cloud, your inventory is constantly changing. S3 Buckets with your name don’t always belong to you. IP addresses sometimes only belong to you for a few minutes to an hour. In larger environments the problem is compounded with multiple accounts, multiple cloud providers, and multiple billing arrangements due to mergers & acquisitions. This session will describe WarnerMedia’s history with cloud inventory and how our home-grown tool Antiope is leveraged to know what is part of our environment and make it available to the various functions of incident response, vulnerability management and cloud finance & engineering. Attendees will come away with a plan of action for boosting their visibility into the cloud resources their organization creates, owns, and (hopefully) manages securely.

2:10-2:15 pm Q&A
2:15-2:55 pm

Cloud Breaches: Case Studies, Best Practices, and Pitfalls

Dylan Marcoux, Consultant, Mandiant
Christopher Romano, Senior Consultant, Mandiant

In this presentation, the speakers will distill their real-world experience from multiple breaches spanning different cloud service providers in order to identify common pitfalls that can be avoided. They’ll provide tactical recommendations stemming from some of the largest cloud-based incidents. The best practices covered in this talk are based on real-world incidents and cloud assessments that both of the presenters have had the opportunity to work on.

2:55-3:00 pm Q&A
3:00-3:20 pm Break
3:20-3:55 pm

Building a Pipeline for Secure Virtual Machines in AWS

Shaun McCullough (@thecybergoof), H&A Security Solutions

Great infrastructure security starts with the Virtual Machine (VM). In the cloud's elastic, automated, and responsive environments, we can think about creating, managing, and patching VMs differently. In this presentation, we will walk through how to design a secure VM pipeline, avoid pitfalls, automate deployment, and ensure that all VMs are patched regularly. We’ll provide an overview of the concepts involved, but we’ll also dive into practical applications in an Amazon Web Services environment.

3:55-4:00 pm Q&A
4:00-4:30 pm

Cloud Security To Go

Ken Hartman, Summit Co-Chair, SANS Institute