Caution with Automation

Join Jesse as he talks about the critical role automation plays in security, why you need to be cautious when automating tasks, why you need to patch your Pulse Secure VPN, the M&A extravaganza going on in the cybersecurity space, why you should just let out a big sign and deploy into a zero-trust architecture today, how it’s important to know wrong behavior but even more useful to know what’s right, how cloud security breaches have officially surpassed on-prem breaches for the first time, why you should enable multi-factor authentication for cloud account access, and more.

Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.




Links:

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.


Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.


Jesse: Automation of processes is crucial for speed and reliable repeatability. However, automating tasks and procedures should be done with a certain amount of caution. Start by automating discrete tasks, then group or chain those tasks after thorough testing for safety. As you build experience and confidence in these groups of tasks, you can automate larger collections of operations. This is where security orchestration, automation, and response—or SOAR platforms—are critical to maintain automated operations in a cost-effective manner with minimal overhead.


In large-scale dynamic cloud deployments, whether using full-system stacks, containers, or cloud-native microservices, automating security operations is a requirement for functional response. This necessitates a high level of trust in your automation. Likely you’ll migrate into more machine learning and fuzzy-logic-based decision criteria that could have unintended consequences if you don’t put the right guardrails in place. Unfettered machine-based decision-making is how Skynet [laugh] is born. Please do be careful on your testing and implementation and production.


Meanwhile, in the news. Autonomous drone attacked soldiers in Libya all on its own. This is Skynet straight out of a Terminator movie. Remember this story when you are implementing automation in your environment. Unchecked and unmonitored automation can cause serious problems where there were none.


3 SASE—or ‘sas-ee’—Misconceptions to Consider. If you thought this was about self-addressed stamped envelopes, you are at least as old as I am. It’s pronounced ‘sas-ee’, which is all wrong phonetically. SASE, like my dog named Sassy, is a very valuable member of the family, but it won’t cure all your woes.


Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn’t translate well to cloud or multi-cloud environments, and that’s not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That’s extrahop.com/trial.


Jesse: Chinese APT Groups Continue to Pound Away on Pulse Secure VPNs. I hope you’ve patched your Pulse Secure VPN because if you haven’t, a nation-state will own you soon. Go patch it and turn up monitoring if you haven’t already.


Cybersecurity M&A Roundup: 36 Deals Announced in May 2021. None of us should wonder why the cybersecurity vendor market is so confusing after seeing the list of mergers that happen routinely. Just like with other tech markets, the big companies are slowly eating their way through the startups.



The VC View: Identity = Zero Trust for Everything. I don’t think I beat on the zero-trust topic often enough. [laugh]. I concur with the argument laid out in this one that identity management is rapidly becoming synonymous with zero trust. You might as well sigh the great sigh while deploying precursors to a full zero trust architecture. You’ll need it soon enough anyway, so you might as well get a jump on it.


Three Things Holding Back Cloud Security. I often tell people there are various things I’ve never learned how to do correctly but rather, I’ve learned what not to do. Knowing what is wrong behavior is extremely useful, but what is even more powerful is knowing what things to do that are right thinking. This article ought to improve your security posture.


What does the Future Hold for Cloud Security? We all need some calculated guessing to know the future. Getting out the magic eight ball might seem almost as accurate, but knowing the trends that are current and predicted into the future helps you build larger, more complex, and highly flexible future services.


Report: Cloud Security Breaches Surpass On-Prem Ones for the First Time. Pay attention to this one. Even if you don’t read the article, the headline has enough to catch the most important indicator. Cloud systems and services are being targeted by attacks more often than traditional systems and services.


What is DevSecOps, and how Can it Improve Your Security? Know your terms, I used to say all the time. Whether or not we use things like DevSecOps, or shifting left, or the whole red versus blue versus purple team thing, we need to know what these things mean. I rarely use the terms red, blue, or purple teams, but security people commonly toss the words about. Here’s your cheat sheet: red equals attack, blue equals defense, and purple equals a combo of red and blue on a 
single team.


State of Security Research Zeroes in on Data Strategies. Not enough companies are publishing data they gather in their normal course of business. Splunk—disclosure: I am an employee of Splunk—has released its first-ever such reports about a variety of topics. It has some great insights into how companies operate. My favorite chart shows the hidden costs of security incidents on page four.


P8O or Potato? The horse in the 1800s named Potoooooooo—aka ‘Pot-8-Os’—is clearly the precursor to a recent trend of naming things with a count of the letters in the middle of the word such as K8s—pronounced ‘Kates’—for Kubernetes, and O11Y—pronounced ‘Ollie’—for observability.


And now for the tip of the week. Enable multi-factor authentication—or MFA—for cloud account access. Because MFA means accessing a user account requires more than just the password, it is more difficult to compromise an account through brute force or other password discovery methods. The barrier for entry is raised high enough that other attack vectors which take more nuanced and sophistication must be used to successfully break through your defenses. To do this with AWS IAM, first read the documentation on MFA and decide whether a software-based authenticator is within your acceptable risk profile or if you need to implement a hardware solution. Then go to your AWS Management Console, Services, then Security Identity and Compliance section, IAM, then Access Management, and Users to edit your users. Choose a user to edit, then go to the security credentials tab, follow the Manage link after Assigned MFA Devicesthen follow the prompts.


Pro tip here: hardware takes time to acquire and implement. Therefore, immediately enable software MFA everywhere, even if you plan on implementing a hardware solution for some of your accounts. Then you can migrate those specific accounts, or all of the accounts to the hardware solution when that is ready for production. And that’s a wrap for the week, folks. Securely yours, Jesse Trucks.


Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.


Announcer: This has been a HumblePod production. Stay humble.

Join the newsletter

Cloud Security For Humans

Got it. You're on the list!

Meanwhile in Security is a production of The Duckbill Group. Check out our other publications, Last Week in AWS, Screaming in the Cloud, and AWS Morning Brief.

© The Duckbill Group, 2021