Table of Contents
1 IANS Information Security Forum 2019 Summary – Seattle
2 Executive Summary
3 Sessions
3.1 The Cloud Security Maturity Roadmap
3.2 Hybrid Web App Pen Testing
3.3 Container Security
3.4 Security Tools for a Multi-Platform Cloud Environment
3.5 Comparing Google to Big Cloud Providers
4 Vendor presentations
5 Prize
1 IANS Information Security Forum 2019 Summary – Seattle
Prepared By: Karun Chennuri
Email: Karun.Chennuri1@T-Mobile.com
2 Executive Summary
IANS Information Security Forum 2019 in Seattle (June 12-13) had the following lineup of keynote
presenters:
• John Visneski, CISO, The Pokemon Company
o Phil Gardner, CEO IANS – interviewed John in this discussion
o Various touch points: what it takes to run a successful security program, why ROI is a
disappointing proposition when evaluating security, and how security and privacy overlap
(and how companies succeed if they understand this!)
• Aaron Goldstein, Director, Endpoint Detection and Response, Tanium
o Some of the common pitfalls that organizations run into, and how threat actors exploit
these weaknesses
o Walked through some ransomware scenarios he and his team dealt with in the past, and
touched on how attackers act prior to a breach and during a breach
o Importance of improving visibility and control via Proper Asset Discovery & Compliance
assessments, Creating standard images, Implementing SOPs for common admin tasks
(Automation).
o Emphasized “Test your response team” (running this drill before a breach happens gives
teams an opportunity to act, improve and be better prepared during an actual breach)
o Twitter handle @badthingdaily for daily security incident news
• Shannon Lietz, IANS
o Securing software through “measurement”. Like all the other -ilities, security, too, must
become a measurable capability in the art of deployed software.
o Hooking up security scanners to the CI/CD pipeline isn’t enough on its own; you need more
o Automation is key to solving major security issues – embrace CI/CD
o Steps to DevSecOps: Identify & eliminate Security gates, Training barriers,
Communication barriers, Compile/track known weaknesses, Security curation (reduce
false positives), Continuous monitoring etc.
• Gary Sockrider, Principal Security Technologist, NETSCOUT
o Insights from the 14th Annual Worldwide Infrastructure Security Report
o DDoS attack vectors, DNS pitfalls
Some of the key takeaways:
• Measuring security is a key tenet of security operations – challenging but doable!
• Cloud Security Maturity Model (CSMM) – one can still be successful without being Level 5 across
all of the security domains
• Predictive prioritization was a key topic in multiple vendor presentations; they all pointed towards
how to focus on the vulnerabilities that matter the most (use of data science and predictive
analysis)
3 Sessions
3.1 The Cloud Security Maturity Roadmap
Cloud Tourists vs Cloud Natives: Cloud tourists deploy their existing operational models and
frameworks onto a cloud service (“LIFT and SHIFT”), losing most of the benefits of cloud, typically due
to lack of knowledge, institutional momentum, and arbitrary economic models. Cloud natives, on the
other hand, combine abstraction and automation for enhanced agility and increased security.
Cloud Native Security Program Principles: APIs, Automation, Immutability & Isolation
“Cloud Security Starts With Architecture, and Ends With Automation”
– Rich Mogull, Securosis and IANS Faculty
IANS developed “5 Levels of Cloud Security Maturity Model & 12 Categories across 3 Domains”
3 Domains: Procedural, Structural, Foundational Domains
Note: Monitoring and logging of both cloud administrative activity (management plane) and assets
within the cloud (networks, workloads, applications, data)
5 Levels of CSMM:
Advantages of Immutable Infrastructure:
• Based on images and automatically deployed (eg: by an autoscale group)
• Very easy to harden for security
• Entire environment fully consistent, easy to rebuild/roll-back
• Login disabled since changes won’t propagate to other instances
Summary:
• You can be successful without being Level 5 across all domains
• It’s about constant improvement
• Remember to START with Architecture
• Focus on automation where and when practical
• Data Security: Bring Your own Key (BYOK)
• Embrace Chaos Engineering
3.2 Hybrid Web App Pen Testing
Problem/Challenges: So many web app vulnerability scanners, so little time. Server-side frameworks,
client-side frameworks, highly scaled, decoupled web architectures and deployments.
Client-side frameworks: Angular, React, Vue.js, Node.js etc
Server-side frameworks: Django, Ruby on Rails, Flask etc
Web Vulnerability Scanners: Acunetix, Netsparker, Burp Suite Pro, OWASP ZAP, Fiddler, W3AF
Automation-Only Approach for PT
Advantages:
• Quick recon of attack surface area
• Wide coverage for low-hanging fruit
• Identifies possible starting points for deeper exploration
Disadvantages:
• No user-perspective context-awareness
• Prone to false positives
• More of a sledgehammer than a scalpel
Manual-Only Approach for PT
Advantages:
• Detailed exploration of attack surface
• Recon results in deeper context-awareness
• Allows for custom attack development
Disadvantages:
• Slow progress
• May only achieve limited application coverage
• More dependent on tester skill
Need for Hybrid approach:
• Start with one or more automated scanners
• Very useful for app recon
• While scanner is running, perform manual recon
• Using results, manually verify individual issues
o Helps eliminate false positives
o Helps focus on what is important
• Document all manual success and failure
Tools: Burp Suite Pro, Firefox (Wappalyzer, Cookie modifiers, FoxyProxy, User agent string selector,
Developer console), WPScan, Python programming
3.3 Container Security
A few best practices:
• Lock Down Container Hosts
o Containers run on a standard OS build
▪ Lock it down! & implement hardening standards
o Update container services and patch
o Limit OS user/group access to container services
o Log everything from container services
o Audit all container files/folders
o Host IDS/IPS or anti-malware agent to be installed if possible (watch out for performance!)
• Enable auditing
• Enable isolation and least privilege
• Enable runtime threat detection and response
• Enable access controls: Use AppArmor and SELinux
• Enable image provenance
• Enable image Scanning
• Look at guidance from sources like IANS, SANS and NIST (NIST 800-190)
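The isolation, least-privilege and AppArmor/SELinux items above can be checked against a running container’s settings. The following is an added example written for this summary, not code from the session or from Docker Bench: it reads `docker inspect`-shaped JSON (a constructed sample, with a weak record beside its hardened form) and reports which of those controls are missing.

```python
import json

# Constructed sample shaped like `docker inspect <container>` output, trimmed to
# the fields the checks below read. First record is weak, second is hardened.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web-weak", "AppArmorProfile": "", "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "ReadonlyRootfs": False,
                    "CapAdd": ["SYS_ADMIN"], "CapDrop": [], "PidMode": "",
                    "NetworkMode": "host", "SecurityOpt": None}},
    {"Name": "/web-hardened", "AppArmorProfile": "docker-default",
     "Config": {"User": "10001:10001"},
     "HostConfig": {"Privileged": False, "ReadonlyRootfs": True,
                    "CapAdd": [], "CapDrop": ["ALL"], "PidMode": "",
                    "NetworkMode": "bridge",
                    "SecurityOpt": ["no-new-privileges"]}},
])

def audit_container(info):
    """Return the isolation / least-privilege findings for one inspect record."""
    host = info.get("HostConfig") or {}
    opts = host.get("SecurityOpt") or []
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: all capabilities and host devices exposed")
    if not (info.get("Config") or {}).get("User"):
        findings.append("runs as root: set a non-root USER (least privilege)")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem: run with --read-only")
    for cap in host.get("CapAdd") or []:
        findings.append(f"extra capability added: {cap}")
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("default capability set kept: use --cap-drop ALL")
    if host.get("PidMode") == "host":
        findings.append("shares host PID namespace")
    if host.get("NetworkMode") == "host":
        findings.append("shares host network namespace")
    # Mandatory access control: AppArmor profile (top-level field) or an
    # SELinux label passed via --security-opt.
    if not info.get("AppArmorProfile") and not any(o.startswith("label") for o in opts):
        findings.append("no AppArmor profile or SELinux label applied")
    if "seccomp=unconfined" in opts:
        findings.append("seccomp filtering disabled")
    return findings

def audit_inspect_output(raw):
    """Map container name -> findings for a whole `docker inspect` document."""
    return {c["Name"]: audit_container(c) for c in json.loads(raw)}

if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "\n  - " + "\n  - ".join(findings))
```

On a real host, feed it `docker inspect $(docker ps -q)` and treat any non-empty list as a deviation from the hardening standard.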
Container Security Tools:
• Docker Bench for security
• Docker Cloud Scanner
• Black Duck Security Checker
• Twistlock
• Aqua
• Sysdig
• CoreOS Clair
3.4 Security Tools for a Multi-Platform Cloud Environment
Problem: Many organizations use numerous cloud providers in a hybrid configuration. What security
controls are available in each environment? How do you handle the complexity and operational
overhead of these varied controls?
A Key Theme for Multi-Cloud: Centralization
Do you have centralized:
• Endpoint security tools
• Configuration and patching tools and processes
• Vulnerability scanning
• Event collection and SIEM/analytics
• Template-based infrastructure as code
Some that will not be easy to centralize:
• Encryption
• All identity and access management (IAM), although directories should be (more on that in a
moment)
• Automation
Multi-Cloud Brokers (Network Connectivity and Admin): AT&T NetBond, Cloud Exchange Fabric. Problem
with these solutions – very expensive!
Hypervisor Security Controls:
• Foundational Controls, Hardening and configuration, Network access control, local firewall,
Users and groups, SELinux and/or multitenant isolation measures, CSP controls
Cloud Firewalls and Capabilities:
• Palo Alto VM-Series (AWS, Azure, VMware vCloud Air)
• Cisco ASAv (AWS and Azure)
• Fortinet FortiGate VM (AWS and Azure)
• Check Point vSEC (AWS and Azure)
Other options
• Network IDS and IPS in the cloud
• Web Application Firewalls
o Security as a Service (SecaaS) – Cloudflare, Akamai etc
o AWS has a WAF natively available today
o Azure has WAF controls in its Application Gateway
• Cloud DLP
• Network flow and Behavioral Monitoring (AWS VPC Flow Monitoring, Microsoft Network
Security Group Flow Logs, Cisco Stealthwatch cloud)
• HashiCorp’s Terraform – for IaC
• IAM, Identity as a service (IDaaS)
• Encryption (CloudHSM Safenet, S3, EBS, KMS)
• Event Monitoring (CloudTrail, Host Logs, Flow Logs)
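Centralized event collection across providers (the multi-cloud theme above) means normalizing records that arrive in different shapes, such as AWS VPC flow logs and Azure NSG flow logs, before analytics can run over them together. The following is an added example written for this summary, not the session’s material: it parses constructed sample records from both formats into one schema and then applies a simple cross-provider count of denied connections per source.

```python
from collections import Counter

# Constructed sample records (not real traffic). AWS lines use the default
# 14-field VPC flow log format; Azure lines are NSG flow log tuples (v2 has
# 13 fields, v1 has 8). 198.51.100.7 and 203.0.113.9 are documentation ranges.
AWS_LINES = [
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.12 51000 22 6 3 180 1560300000 1560300060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.12 10.0.2.30 44321 443 6 25 6100 1560300000 1560300060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.12 51002 3389 6 2 120 1560300030 1560300090 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1560300000 1560300060 - NODATA",
]
AZURE_TUPLES = [
    "1560300012,198.51.100.7,10.1.0.4,51004,22,T,I,D,B,,,",
    "1560300015,10.1.0.4,52.168.10.20,44512,443,T,O,A,B,,,",
    "1560300020,203.0.113.9,10.1.0.4,60001,8080,T,I,D",
]
AWS_PROTO = {"6": "tcp", "17": "udp", "1": "icmp"}
AZURE_PROTO = {"T": "tcp", "U": "udp"}

def parse_aws_vpc_flow(line):
    """Normalize one default-format VPC flow record; None for NODATA/SKIPDATA."""
    f = line.split()
    if len(f) < 14 or f[12] not in ("ACCEPT", "REJECT"):
        return None
    return {"provider": "aws", "ts": int(f[10]), "src": f[3], "dst": f[4],
            "sport": int(f[5]), "dport": int(f[6]),
            "proto": AWS_PROTO.get(f[7], f[7]),
            "action": "allow" if f[12] == "ACCEPT" else "deny"}

def parse_azure_nsg_flow(tuple_str):
    """Normalize one NSG flow tuple (v1 or v2) into the same schema."""
    f = tuple_str.split(",")
    if len(f) < 8:
        return None
    return {"provider": "azure", "ts": int(f[0]), "src": f[1], "dst": f[2],
            "sport": int(f[3]), "dport": int(f[4]),
            "proto": AZURE_PROTO.get(f[5], f[5]),
            "action": "allow" if f[7] == "A" else "deny"}

def normalize_all(aws_lines, azure_tuples):
    """Merge both providers' records into one list in the common schema."""
    events = [parse_aws_vpc_flow(l) for l in aws_lines]
    events += [parse_azure_nsg_flow(t) for t in azure_tuples]
    return [e for e in events if e is not None]

def denied_sources(events, threshold):
    """Sources denied at least `threshold` times across all providers combined."""
    counts = Counter(e["src"] for e in events if e["action"] == "deny")
    return {src: n for src, n in counts.items() if n >= threshold}
```

The same source being rejected in both clouds only becomes visible once both feeds land in one schema; per-provider consoles would each show a count below the threshold.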
3.5 Comparing Google to Big Cloud Providers
Monitoring/Threat Detection: Native GCP (Stackdriver), Google Cloud Security Command Center, Cloud-
based security data lake/security analytics
4 Vendor presentations:
There were a bunch of vendor presentations:
• Kenna Security – “A Risk-Based Approach to Vulnerability Management”
• Netscout – “Visibility without borders”
• Cequence – “Bad actors and Bad bots: How they are exploiting your application infrastructure,
and how you can stop them”
• Tanium – Connecting security and IT operations through shared visibility
• Expanse – Cloud care: Tracking Assets at your Network Edge
• Tenable – World’s first cyber exposure platform with predictive prioritization
5 Prize
Won this :D
END OF DOCUMENT