Published in Cloud Security

Copycat Security

Seeking solutions that make a difference

Sometimes I take consulting calls from clients to help them with cloud security solutions over the phone. Customers will get on the phone and say, “Tell me what everyone else is doing.” I understand why people would want to take this approach. However, when I get this question, I generally respond that I don’t think you want to do what everyone else is doing. Just look at the breach statistics. I’m not a status quo or a “because that’s how we’ve always done it” type of person. Let me get that out of the way up front to save us both some time, if you are. If you are open to new ideas, or want to know why I think differently about security solutions, read on.

At companies where I previously worked or got training, I was not always in agreement with the status quo in approaches to cybersecurity and application development, which led to some of my early white papers and presentations on cloud security and data breaches. I know everyone is doing the best they can, but I’m always seeking better solutions, especially when the current solutions aren’t working. I want to help organizations close security gaps in a more efficient manner. I see a problem right now in cybersecurity, and I want to help people solve it in better ways with tangible solutions, not abstract concepts. I’ll talk more about forward-looking solutions in a minute, but consider this when you want to know why you probably don’t want to do what everyone else is currently doing.

2019 was one of the worst years on record for data breaches, if not the worst. The report indicates there is a silver lining based on the number of records stolen. However, I wonder if this number includes cases where attackers encrypted files in a ransomware attack, but did not expose or exfiltrate them. I don’t know exactly how they calculated these numbers, but either way, it’s not a fantastic statistic.

This article states that 2019 was the worst year on record for health care.

Here’s another report with breach statistics for 2019.

Based on the breaches I report on my Twitter account @teriradichel as time allows, with comments on what caused them when that information is available, 2020 is not looking much better. Some companies are handling security differently, and their names are not in the headlines. Some companies are doing a great job with their cybersecurity and are just unlucky or had a very targeted attacker after them. But I can tell you from personal experience, some companies that have not yet been in the headlines are just lucky. Holes exist in their cybersecurity practices — gaps that can be identified and fixed.

When you’re approaching something in a futuristic way, sometimes people aren’t comfortable with that and want to stick with what they know. When I say futuristic, I mean projections based on experience, data, and logic, not new-fangled ideas without any basis. Some people proposing “new” and “modern” security ideas are throwing out all the principles from many years of experience with data breaches and security. I’m not one for tearing down the house and building a new one if the disruption and cost will cause more problems than the status quo. We should learn from history to avoid past mistakes. But when something isn’t working, why would you continue to mimic it?

I prefer to present forward-looking security solutions. Some people like this and are open to new ideas. Others want to stick with the things that they are used to and comfortable doing or using. I understand this and am not suggesting companies are doing everything wrong, either. I’m just trying to provide some ideas that might help reduce those breach statistics based on what causes them to rise. You can take a gradual approach to get to some future improved state. It doesn’t need to happen overnight. Figure out small iterations of change you can implement to move toward an objective that will bring about positive change.

Sometimes people think the things I suggest are not feasible or possible. I know they are. My entire life, I’ve been telling people about things that are going to happen, and they don’t believe me — and then it does. My first presentation in my first class when I started my master’s degree in 2013 at SANS Institute was about cloud security. I presented on security automation at SANS Networking 2016 when no cloud security classes existed. I knew the cloud was a thing, and it was not going away.

I saw the benefits that automation could bring, along with the risks associated with moving to the cloud due to the potential lack of visibility and control. In my opinion, the pros outweighed the cons, depending on the specific cloud provider and customers’ continued efforts and assessments to keep them honest. Additionally, security controls need to be implemented correctly. I go over all of that at a high level in my book, Cybersecurity for Executives in the Age of Cloud.

One company recruited me to architect their cloud solution and lead a team to do it. I said, “I’ll come if I can do it the way I want to.” We built a secure, automated pipeline and development environment with segregation of duties built in. We only had a team of 30 people with 3 people on our DevOps team. You can do it too. I wrote about those ideas in my 2016 white paper about deployment pipelines with built-in security checks and automated security remediation: Balancing Security and Innovation with Event-Driven Automation. Now many people are talking about and doing those things, but at the time, they were not. I had many other ideas that never got implemented before I left. Some of those thoughts are incorporated into my book.

My ideas about automation, security, and metrics come from a broad range of experience. I have performed due diligence for venture capitalists, worked in telecom when an oil company moved from leased lines to frame relay, and managed systems for a prior company I founded in my ‘data center’ (ok, it was a rack at Internap, but still, I had the lovely experience of racking and stacking). I tried to write a SaaS content management solution and web application firewall when those terms did not exist. No one understood what I was trying to do.

Later I moved to a managed hosting service, managed email services, and managed spam filters back in the day when spam was everyone’s worst nightmare. I found out how cloud solutions pose a risk if you don’t have the logs to solve problems when needed. I learned that vendors don’t always have more security knowledge than you, nor are they always taking care of your security when you think they are. You need to ask, review third-party assessments, and continue to monitor over time.

As both a software engineer and a security professional, I see the convergence in these spaces and potential new technology solutions that would help stop many breaches. I’m a database person and an e-commerce and financial application specialist, though I’ve built systems for sales organizations, retail, security cameras, firewalls and security appliances, the printing industry, manufacturing, health care, and many others. I see so many ways that IT systems and cybersecurity can learn from the way financial systems manage money. I see how transactions in security systems need to add up the same way financial transactions do. Just because I have new ideas about how we can use convergent technologies in new ways doesn’t mean that I, like some, want to throw out old solutions because they are hard, or present a smoke-and-mirrors solution that doesn’t actually work.

I am a fan of data-driven and automated solutions based on tried-and-true fundamentals and axioms. Certain things do not change, even though the technology does. These are all the things I write about in my book. I end the book with a history lesson showing how the more things change, the more they stay the same. I walk through fundamental security principles initially — things that cost me a lot of my own money through experiences and training to learn. I explain how some of these things change or stay the same in the cloud. There are about 40 pages of references to back up what I’m telling people about cybersecurity if anyone wants to do a deeper dive on the topics.

Cybersecurity for Executives in the Age of Cloud

In the final chapters, I propose new ideas and methodologies for better metrics, compliance, and security management. These chapters are not on my blog, though most of the content is, in a very raw form with many typos. The book has additional content you won’t find on the blog in just about every chapter with the real summation of the reason for the questions in the book at the end.

If you come to me for advice and ask what everyone else is doing, I may not be able to, or even want to, give you that solution, because I don’t think what many companies are doing, especially if not correctly leveraging cloud technologies, is working. Additionally, in some spaces I believe the technology will be evolving and will improve in the near future to provide better solutions than exist currently. I want to give customers a plan for better security based on a culmination of experiences across many different domains. Additionally, I tend to see into the future in some cases as to where trends and technology are going. When a fellow developer told me people would never use Linux as a desktop when I was young, I said, of course not — it’s for data centers.

Rather than just purchase the latest technology, companies have to use it appropriately. For some of the security problems that exist currently, I don’t think we have the best answers right now. There is a lot more work to be done. I may not give you a solution based on what everyone else is doing, but I can provide the information to evaluate and come up with a better one than the ones that exist currently in some cases. I can also provide strategies for assessing and implementing solutions that provide better value using existing products and technologies. Most vendors are open to suggestions — especially companies like Amazon and their #awswishlist. Customers and vendors can work together to come up with better solutions than those that exist today.

If you engage me in a consulting call or read my book or blog, and you are seeking the status quo, you may be disappointed. I encourage clients to do better than what we are currently doing in cybersecurity. My company, 2nd Sight Lab, is researching new tools to help us provide more value for assessments and pentesting using automation, combined with manual analysis that dives into how systems work at the core. We base our cloud security assessments and penetration tests on what causes data breaches and what most effectively prevents them. If you want to hire someone who is always researching and testing out better solutions and looking for a better answer, you can reach out to me on LinkedIn. I currently answer questions for customers of IANS Research. IANS does not accept all types of companies as clients. If you fall outside the bounds of their services, I may be able to answer your call directly.

Teri Radichel — Follow me @TeriRadichel

© 2nd Sight Lab 2020

____________________________________________

Want to learn more about Cloud Security?

Check out: Cybersecurity for Executives in the Age of Cloud.

Cloud Penetration Testing and Security Assessments

Are your cloud accounts and applications secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Cloud Security Training

Virtual training available for a minimum of 10 students at a single organization. Curriculum: 2nd Sight Lab Cloud Security Training

Have a Cybersecurity or Cloud Security Question?

Ask Teri Radichel by scheduling a call with IANS Research.

____________________________________

2020 Cybersecurity and Cloud Security Podcasts

Cybersecurity for Executives in the Age of Cloud with Teri Radichel

Teri Radichel on Bring Your Own Security Podcast

Understanding What Cloud Security Means with Teri Radichel on The Secure Developer Podcast

2020 Cybersecurity and Cloud Security Conference Presentations

RSA 2020 ~ Serverless Attack Vectors

AWS Women in Tech Day 2020

Serverless Days Hamburg

Prior Podcasts and Presentations

RSA 2018 ~ Red Team vs. Blue Team on AWS with Kolby Allen

AWS re:Invent 2018 ~ Red Team vs. Blue Team on AWS with Kolby Allen

Microsoft Build 2019 ~ DIY Security Assessment with SheHacksPurple

AWS re:Invent and AWS re:Inforce 2019 ~ Are you ready for a Cloud Pentest?

Masters of Data ~ Sumo Logic Podcast

Azure for Auditors ~ Presented to Seattle ISACA and IIA

OWASP AppSec Day 2019 — Melbourne, Australia

Bienvenue au congrès ISACA Québec 2019 Keynote ~ Quebec, Canada (October 7–9)

Cloud Security and Cybersecurity Presentations

White Papers and Research Reports

Securing Serverless: What’s Different? What’s Not?

Create a Simple Fuzzer for Rest APIs

Improve Detection and Prevention of DOM XSS

Balancing Security and Innovation with Event-Driven Automation

Critical Controls that Could have Prevented the Target Breach

Packet Capture on AWS

Teri Radichel

Cloud Security Training and Penetration Testing | GSE, GSEC, GCIH, GCIA, GCPM, GCCC, GREM, GPEN, GXPN | AWS Hero | Infragard | IANS Faculty | 2ndSightLab.com