This document discusses security teams and technology in a cloud world. It notes that security is now everyone's responsibility rather than isolated to one team. Modern security requires new skills from specialists like basic coding knowledge and a user-focused perspective. The document advocates distributing security specialists throughout teams rather than keeping them isolated. It also presents opportunities that cloud infrastructure provides for faster deployment times and continuous monitoring through automation and aggregation of security data.

1. Security Teams & Tech In A Cloud World
Mark Nunnikhoven, Vice President Cloud Research
@marknca
Audience: Public

2. Security “Facts”

3. Security “Facts”* About your organization or one just like it

4. We will respond
quickly to an incident

5. Attackers are on a
network an average
of 154 days

6. We need more tools

7. Canadian companies
spend just under
10% on IT security

8. Canadian companies
spend just under
10% on IT security
* 60% of companies didn’t mention people or
process as an area of focus

9. Users are a major
problem

10. Security is considered
the opposite of
usability

11. Security is everyone’s
responsibility

12. You have one,
isolated security team

13. You have one,
isolated security team
* …and a wildly unsuccessful “awareness” program

15. Mark Nunnikhoven
Vice President, Cloud Research
Trend Micro
@marknca

16. Modern Security

17. Video available at https://vimeo.com/111631197

18. Video available at https://vimeo.com/111631197

19. © Trend Micro, 201615
Automated Response
Web UIWeb UIWeb UIVM

20. © Trend Micro, 201615
Automated Response
Web UIWeb UIWeb UIVM
SIEM / Log Store

21. © Trend Micro, 201615
Automated Response
Web UIWeb UIWeb UIVM
SIEM / Log StoreMonitoring

22. © Trend Micro, 201615
Automated Response
Web UIWeb UIWeb UIVM
SIEM / Log StoreMonitoring
Event-driven
Function

23. © Trend Micro, 201615
Automated Response
Web UIWeb UIWeb UIVM
SIEM / Log StoreMonitoring
CSP API Event-driven
Function

24. © Trend Micro, 201615
Automated Response
Web UIWeb UIWeb UIVM
SIEM / Log Store
Restrict
Access
Monitoring
CSP API Event-driven
Function

25. © Trend Micro, 201615
Automated Response
Web UIWeb UIWeb UIVM
SIEM / Log Store
Restrict
Access
Monitoring
Web UI
CSP API Event-driven
Function

26. 2014

27. What’s the hold up?

32. Running in the Cloud

33. IaaS
(Infrastructure)
PaaS
(Container)
SaaS
(Abstract)
Data
Application
Operating System
Virtualization
Infrastructure
Physical
Data
Application
Operating System
Virtualization
Infrastructure
Physical
Data
Application
Operating System
Virtualization
Infrastructure
Physical
Shared Responsibility Model

34. Setup
• Lock down operating system, applications, and data
Harden system according to NIST / best practices
Encrypt everything
• Enable service health monitoring features
Check your CSP’s documentation
• Monitor service API activities
Look for unauthorized; replication, start up, termination, etc.
Steps:
IaaS

35. Setup
• Read all the documentation
Seriously, RTFM
• Implement strong code quality systems
Automation is critical to success
• Configure access control and other security features
Check your CSP’s documentation
Steps:
PaaS

36. Setup
• Read all the documentation
Seriously, RTFM
• Configure access control and other security features
Check your CSP’s documentation
Steps:
SaaS

37. Setup
• Evaluate controls against acceptable level of risk for data
used in service
I shouldn’t have to say this
• Monitor all service provider status updates and
communications channels
Remember to include them in your IR plans
Steps:
Any Cloud Service

38. IaaS
(Infrastructure)
PaaS
(Container)
SaaS
(Abstract)
Data
Application
Operating System
Virtualization
Infrastructure
Physical
Data
Application
Operating System
Virtualization
Infrastructure
Physical
Data
Application
Operating System
Virtualization
Infrastructure
Physical
Shared Responsibility Model

39. Opportunity

40. © Trend Micro, 201627
Physical
Weeks
Virtual
Days
Cloud
Minutes
Container
Seconds
Function
Immediate
{ Time to deploy }
{ Environment }

41. © Trend Micro, 201628
Physical
Weeks
Virtual
Days
Cloud
Minutes
Container
Seconds
Function
Immediate
{ Time to deploy }
{ Environment }

42. © Trend Micro, 201629
Move faster Focus on value
Goal

43. © Trend Micro, 201630
Deploy using the method that delivers
the most value
Goal

44. © Trend Micro, 201631
Every tool adds overhead
Constraint

45. © Trend Micro, 201632
Automation allows for the speed, scale,
and consistency required
Relief

46. © Trend Micro, 201633
Deploy using the method that delivers
the most value
Goal

47. © Trend Micro, 201634
…with minimal operational impact
Deploy using the method that delivers
the most value
Goal

48. DevOps

49. Flickr deploys 10+/day
Success

50. Etsy deploys 50+/day
Flickr deploys 10+/day
Success

51. Etsy deploys 50+/day
Amazon deploys 11.7 seconds
Flickr deploys 10+/day
Success

52. Etsy deploys 50+/day
Amazon deploys 11.7 seconds
Adobe +60% app development
Flickr deploys 10+/day
Success

53. Etsy deploys 50+/day
Amazon deploys 11.7 seconds
Adobe +60% app development
Fidelity $2.3M saved for one app
Flickr deploys 10+/day
Success

54. Where’s security?

55. …can have a much stronger security
posture in AWS and the cloud than
they can on-premises
Andy Jassy, AWS CEO
* From an interview with the Wall Street Journal, http://www.wsj.com/articles/amazons-andy-jassy-on-the-promise-of-the-cloud-1477880220

56. Security is everyone’s
responsibility

57. Security Everyone

58. Team Challenges

60. New Skills Needed
• Basic understanding of development practices & ability to write simple code
Everything in the cloud is an API. Security MUST BE automated
• Puts the user first
We make the tech that they “can’t use right” … not their fault
• Perspective & understanding of practical security
No more “the sky is falling”
• Educators
Written, video, presentations, Slack,…anywhere teams are working
Steps:
Security Specialist

62. Your Org Chart Is Wrong

63. Typical Org Chart
CISO Dev
GRC Ops
Infrastructure
CIO
Ops

64. Updated Org Chart
CISO Dev
GRC Ops
Infrastructure
CIO
Ops

65. Updated Org Chart
CISO Dev
GRC
OpsInfrastructure
CIO
Ops

66. Updated Org Chart
CISO Dev
GRC
OpsInfrastructure
CIO
Ops
GrC

67. @peterme
Peter Merholz Kristin Skinner
@bettay

68. Specialist Distribution

69. Specialist Distribution

70. Specialist Distribution

71. Specialist Distribution

72. Specialist Distribution

73. Specialist Distribution

74. Specialist Distribution

76. Coffee Shadowing Teaching
Bridges

77. Goal

78. Fabric

80. 1 min

81. 1 min
Slow lane

82. 1 min
Slow lane
Fast lane

83. 1 min
Slow lane
Fast lane

84. 1 min

85. 1 min

86. 1 min
Is this bad?

87. 1 min
Is this bad?

88. 1 min
Is this bad?
Is this malicious?
and

89. 1 min
Is this bad?
Is this malicious?
and

90. 1 min
Is this bad?
Is this malicious?
and

91. 1 min

92. 1 min
Aggregate information

93. 1 min
Aggregate information
1m, h, d, w, m
Trends

94. 1 min
Aggregate information
1m, h, d, w, m
Trends

95. 1 min
Aggregate information
1m, h, d, w, m
Trends
Evidence of compliance

96. 1 min
Aggregate information
1m, h, d, w, m
Trends
Evidence of compliance
Configuration
Processes

97. 1 min
Aggregate information
1m, h, d, w, m
Trends
Evidence of compliance
Configuration
Processes
Deployment data

98. 1 min
Aggregate information
1m, h, d, w, m
Trends
Evidence of compliance
Configuration
Processes
Deployment data
Performance
Debug

99. 1 min

100. 1 min
SecOps

101. 1 min
Aggregate Evidence Deployments
SecOps

102. Get stuff done

103. © Trend Micro, 201660
Thank you!
mark_nunnikhoven@trendmicro.com | @marknca