RSA Conference (#RSAC), Session ID: CSV-F02
Hacking Your Security Culture for the Cloud
Brian Riley, Senior Director, Global Cyber Risk Management, Liberty Mutual Insurance

Slide 2: or: How an InfoSec Curmudgeon Learned to Stop Worrying and Love the Cloud

Slide 3: $ whoami
Brian Riley, Senior Director, Global Cyber Risk Management
25 years of experience with cybersecurity in financial services

Slide 4: Liberty Mutual
At Liberty, we believe progress happens when people feel secure.

Slide 5: Liberty by the numbers
- Founded 1912, based in Boston
- Nearly 50,000 employees in 30 countries and economies worldwide
- 5th largest global P&C insurer*
- Ranked 75th on the Fortune 100 list of largest companies*
*Based on 2018 gross written premium and revenue, respectively.

Slide 6: An early (mistaken) understanding of the Cloud
"I'll tell you exactly what Cloud Computing is. Cloud is nothing more than the current crop of vacuous, meaningless marketing nonsense that vendors use to try to open new markets. It really means nothing but is generally applied to large-scale virtualization (which we have been doing for years), just with fewer controls and less oversight." B. Riley, 9/2013

Slide 7: The classic InfoSec mindset
Perfect vs. Broken

Slide 8: Early steps: Drawing some wrong conclusions
- The cloud is really just our 4th data center. So let's protect it with the same controls we use in the other three.
- But we know how to do all of this. If the cloud is just another data center, why is it so hard to do what just works everywhere else?

Slide 9: Thinking differently
"We cannot solve our problems with the same thinking we used when we created them." Albert Einstein

Slide 10: Implications for security: Two paradigm shifts
Cloud computing shifts the economics of security in ways that affect both attackers and enterprises.

Data centers: Servers are fixed assets that depreciate over time, creating the incentive to keep systems around for as long as possible to maximize return on investment, which creates many traditional security problems.
Cloud environments: We pay only for what we use, creating the incentive to destroy environments as quickly as possible and rebuild them only when they are needed. This reduces risk: a threat can only be persistent in an environment that is persistent.

Everything is software, which presents opportunities and creates new challenges.

Opportunities:
- Infrastructure and applications are built consistently through automation, simplifying disaster recovery.
- Security and compliance controls can be automated, offering continuous compliance.
- Automated deployments reduce the need for human interaction with systems, limiting insider threats and the risk of misconfiguration.
- Some security controls are much easier to implement in the cloud.

Challenges:
- Traditional handoffs and security checks no longer occur.
- While automation eliminates many common risks, mistakes can have a much bigger impact.
- Some security controls are harder or more expensive to implement in the cloud.

Slide 11: But the Cloud is more complicated!
- With developers defining AWS Security Groups in CFTs (CloudFormation templates), do we give them enough tools to help them code the right rules?
- Is an understanding of how packets route relevant to making the right choices about firewall rules?
- How much should a developer need to think about the way BGP is configured in our network routing?

Slide 12: Tools to hack your culture (section divider)

Slide 13: Infrastructure as code requires security as code

Slide 14: (no text on this slide)

Slides 15-16: Radar architecture
[Architecture diagram; labels recovered from the slides: Account, Project, Subscription, Region X; a second Account with Region X (encrypted)]

Slide 17: Our goal: Managing the blast radius of failure
News flash: IT professionals are human beings and may occasionally make mistakes. How can we limit the impact of those mistakes?
- Small, frequent releases
- Modern development practices
- Rethink the way we structure our cloud resources

Slide 18: Offensive Security: Red, Blue, and Purple Teams
- Red Team: attackers
- Blue Team: defenders
- Purple Team: what we learn when Red works with Blue

Slide 19: Conclusions (section divider)

Slide 20: Governance as an enabler
[Figure: Agility vs. Control. Credit: Michael St. Onge, AWS]

Slide 21: The future of SecOps: Behind the 8 ball
"SecOps is behind the 8 ball, by definition. The deck is stacked against us." Mike Rothman, Securosis, 11/10/17
- We need to think differently. Embrace automation instead of fearing it.
- We are entering a new world. Security is largely built into the technology stacks which run our infrastructure.
- We must change how we do things. Embrace processes which will most likely make you uncomfortable.

Slide 22: Hacking our culture
Security as a document vs. Security as code. The "security as code" side of the slide is a policy in the Radar tool's format:

  s3-encrypted:
    action: enableEncryption
    remediate-report: true
    trigger-events:
      - name: CreateBucket
      - name: DeleteBucketEncryption
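Slides 11 and 13 argue that developers writing Security Groups in CloudFormation templates need tooling rather than BGP knowledge, and that infrastructure as code demands security as code. The following is an added example of what such a pre-deployment check can look like; it is not code from the talk or from Liberty Mutual's Radar tool. The template, the PUBLIC_OK_PORTS allow-list and the finding format are all assumptions made for this example.

```python
"""Static check for AWS Security Group rules in a CloudFormation template.

Added example for the 'security as code' point: before the template is
deployed, read it and flag ingress rules open to the whole internet on
ports that are not meant to be public. The template below is constructed
for this example; PUBLIC_OK_PORTS is an assumed policy, not a general rule.
"""
import json
from ipaddress import ip_network

# Ports that may be reachable from anywhere (assumed policy for this example).
PUBLIC_OK_PORTS = {80, 443}
ANY_V4 = ip_network("0.0.0.0/0")
ANY_V6 = ip_network("::/0")


def _source_cidr(rule):
    """Return the rule's CIDR source, or None when the source is a security
    group or prefix list rather than an address range."""
    return rule.get("CidrIp") or rule.get("CidrIpv6")


def _is_world_open(cidr):
    """True if the CIDR covers the entire IPv4 or IPv6 internet."""
    return ip_network(cidr, strict=False) in (ANY_V4, ANY_V6)


def _port_range(rule):
    """Return (from, to) for the rule; IpProtocol -1 means every port."""
    if str(rule.get("IpProtocol")) == "-1":
        return 0, 65535
    return int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))


def _iter_ingress(template):
    """Yield (logical_id, rule) for inline SecurityGroupIngress entries and
    for standalone AWS::EC2::SecurityGroupIngress resources alike."""
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                yield logical_id, rule
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            yield logical_id, props


def find_open_ingress(template, allowed=PUBLIC_OK_PORTS):
    """Return one finding per world-open rule that exposes a port outside
    `allowed`. Findings are plain dicts so a pipeline can render or fail on them."""
    findings = []
    for logical_id, rule in _iter_ingress(template):
        cidr = _source_cidr(rule)
        if cidr is None or not _is_world_open(cidr):
            continue
        lo, hi = _port_range(rule)
        if all(p in allowed for p in range(lo, hi + 1)):
            continue  # e.g. 443/tcp from anywhere on a web tier is acceptable
        findings.append({"resource": logical_id, "ports": f"{lo}-{hi}",
                         "protocol": str(rule.get("IpProtocol")), "cidr": cidr})
    return findings


# Constructed template: a web tier with HTTPS and SSH open to the world,
# a DB tier reachable only from the web tier, and a standalone "all
# traffic from ::/0" rule someone added to the DB tier for convenience.
SAMPLE_TEMPLATE = json.loads("""
{ "Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "web tier",
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "DbSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "db tier",
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "SourceSecurityGroupId": {"Ref": "WebSG"}}]}},
    "AdminIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
      "GroupId": {"Ref": "DbSG"}, "IpProtocol": "-1", "CidrIpv6": "::/0"}}
}}
""")

if __name__ == "__main__":
    for f in find_open_ingress(SAMPLE_TEMPLATE):
        print(f"{f['resource']}: {f['protocol']} {f['ports']} open to {f['cidr']}")
```

Run against the constructed template, the check passes the 443 rule and the security-group-sourced database rule, and reports the SSH rule on WebSG and the protocol -1 rule from ::/0. The point for the developer is that the check is expressed in terms of the template they already write (ports and CIDRs), not in terms of routing.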
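Slide 22 shows a Radar policy that reacts to CreateBucket and DeleteBucketEncryption events by enabling bucket encryption and reporting the remediation. The talk shows only the policy, not the engine behind it, so the following is an added example of an interpreter for a policy of that shape; it is not Radar's code. The in-memory FakeS3 client (standing in for boto3), the CloudTrail-style event records, the DEFAULT_SSE baseline and the helper names are all assumptions made for this example.

```python
"""Event-driven remediation in the shape of the slide's s3-encrypted policy.

Added example, not Radar's code: the interpreter, the fake S3 client and
the CloudTrail-style events are assumptions used to show what 'security as
code' does at runtime. A real deployment would replace FakeS3 with a boto3
client and receive the events from CloudTrail via EventBridge.
"""

# The slide's policy, transcribed into a dict with the same key names.
POLICY = {
    "s3-encrypted": {
        "action": "enableEncryption",
        "remediate-report": True,
        "trigger-events": [{"name": "CreateBucket"},
                           {"name": "DeleteBucketEncryption"}],
    }
}

# Encryption the action applies (assumed organisational baseline).
DEFAULT_SSE = {"Rules": [{"ApplyServerSideEncryptionByDefault":
                          {"SSEAlgorithm": "aws:kms"}}]}


class FakeS3:
    """In-memory stand-in for a boto3 S3 client (only the calls used here)."""

    def __init__(self):
        self.encryption = {}  # bucket name -> SSE config, or None if unset

    def get_bucket_encryption(self, Bucket):
        if self.encryption.get(Bucket) is None:
            raise LookupError("ServerSideEncryptionConfigurationNotFoundError")
        return {"ServerSideEncryptionConfiguration": self.encryption[Bucket]}

    def put_bucket_encryption(self, Bucket, ServerSideEncryptionConfiguration):
        self.encryption[Bucket] = ServerSideEncryptionConfiguration

    def delete_bucket_encryption(self, Bucket):
        self.encryption[Bucket] = None


def enable_encryption(s3, bucket):
    """The 'enableEncryption' action. Returns True only if it changed
    something, so a bucket whose owner already set encryption is left alone."""
    try:
        s3.get_bucket_encryption(Bucket=bucket)
        return False
    except LookupError:
        s3.put_bucket_encryption(Bucket=bucket,
                                 ServerSideEncryptionConfiguration=DEFAULT_SSE)
        return True


ACTIONS = {"enableEncryption": enable_encryption}


def handle_event(policy, event, s3, report):
    """Run every policy whose trigger-events include this event's name.
    Returns [(policy_name, bucket, remediated)]; with remediate-report set,
    each actual fix is also appended to `report` with the actor who caused it."""
    results = []
    for name, spec in policy.items():
        if event["eventName"] not in {t["name"] for t in spec["trigger-events"]}:
            continue
        bucket = event["requestParameters"]["bucketName"]
        remediated = ACTIONS[spec["action"]](s3, bucket)
        results.append((name, bucket, remediated))
        if remediated and spec.get("remediate-report"):
            report.append({"policy": name, "bucket": bucket,
                           "event": event["eventName"],
                           "actor": event["userIdentity"]["arn"]})
    return results


def _event(name, bucket, actor):
    """Build a minimal CloudTrail-style record (constructed sample data)."""
    return {"eventName": name, "requestParameters": {"bucketName": bucket},
            "userIdentity": {"arn": actor}}


def _replay(s3, event):
    """Apply to the fake client the change the event records: CloudTrail
    events describe API calls that have already happened."""
    bucket = event["requestParameters"]["bucketName"]
    if event["eventName"] == "CreateBucket":
        s3.encryption.setdefault(bucket, None)
    elif event["eventName"] == "DeleteBucketEncryption":
        s3.delete_bucket_encryption(Bucket=bucket)


def run_demo():
    """Feed a constructed event stream through the policy; return the
    report and the end state so both can be inspected."""
    deploy = "arn:aws:iam::123456789012:role/deploy-pipeline"
    human = "arn:aws:iam::123456789012:user/alice"
    events = [
        _event("CreateBucket", "app-logs", deploy),           # unencrypted -> fixed
        _event("PutObject", "app-logs", deploy),              # no trigger -> ignored
        _event("DeleteBucketEncryption", "app-logs", human),  # drift -> fixed again
    ]
    s3, report = FakeS3(), []
    for ev in events:
        _replay(s3, ev)
        handle_event(POLICY, ev, s3, report)
    return report, s3.encryption


if __name__ == "__main__":
    for entry in run_demo()[0]:
        print(entry)
```

The design choice worth noting is that the action is idempotent and reports only real changes: a compliant bucket produces no report entry, while the DeleteBucketEncryption record names the principal who removed encryption, which is the "remediate-report" signal the blue team wants. This is the property that lets the control run continuously (slide 10's "continuous compliance") without drowning the team in noise.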