In this episode, Nathaniel Quist, also known as ‘Q’, returns along with Dr. Jay Chen, both of whom listeners might recognize from our inaugural episode, where we discussed how common identity misconfigurations can undermine cloud security. Both Jay and Q are threat researchers with Palo Alto Networks Unit 42. Unit 42 is the global threat intelligence team at Palo Alto Networks and a recognized authority on cyberthreats, frequently sought out by enterprises and government agencies around the world.
In our conversation, they discuss what they found in their latest Cloud Threat Report examining the impact of the COVID-19 pandemic. We explore how the tremendous increase in remote work has affected cloud security and why Jay is more concerned about the number of mistakes that people are making than about the type of mistakes. Tuning in, you’ll hear what organizations can do to curtail the recent rise in security incidents and some interesting observations that Q and Jay learned from their data, such as the fact that even malicious hackers need a holiday and don’t want to spend all their time in front of a computer cryptojacking :-)
Key Points From This Episode:
“We saw a decrease in crypto mining operations during the holiday period between December 24th through January 3rd. It just kind of goes to show that even malicious crypto miners want to take a holiday.” — Nathaniel Quist [0:25:26]
“Standardization can help you find the issue but automation can help you to prevent or mitigate [it].” — Jay Chen [0:32:02]
**Note: Transcript is automatically generated. Expect typos and crazy stuff that a poorly written ML algorithm thought was said but probably wasn’t! :)**
This is the Cloud Security Today Podcast, where leaders learn how to get cloud security done. Now your host, Matt Chiodi.
[0:00:29.9] MC: Cloud security will always be a moving target due to the innovative nature of cloud. In today’s podcast, we bring back on the show, if you remember from the inaugural episode, both Jay Chen and Nathaniel “Q” Quist from the Unit 42 Cloud Threat Intelligence Team. What they’re going to share are the latest findings from Unit 42, the first half 2021 Cloud Threat Report, and what’s really interesting, I found, at least about this study that they did, is they went deep into understanding what changed pre versus post-COVID-19 discovery when it comes to public cloud security. Have a listen.
[0:01:14.3] MC: Thanks for joining us today, this is Matt Chiodi and I am really excited to have on the podcast today, Dr. Jay Chen and Nathaniel “Q” Quist from the Unit 42 Cloud Threat research team. You might remember our first episode, we had Jay and Q on to talk about, at the time, what was the latest cloud threat report.
The newest report came out just in April and today we’re going to be talking about some of the findings in that report. Jay and Q, why don’t you introduce yourself? Q, go first. Maybe just talk a little bit about maybe what are the areas of cloud security that you find most interesting, just a little bit interesting tidbit about each one of you. I like catching you guys off-guard.
[0:01:56.2] NQ: I’m awkward, no. Yeah, thank you again. I mean, it was awesome being part of the inaugural podcast, I’m really happy to be a part of this one again. There’s so many cool things to talk about within cloud but first off, I’m Nathaniel Quist, a threat researcher with Palo Alto Prisma Cloud in Unit 42.
Looking at the “Who, why, what” within cloud, who is attacking it, why they’re doing it and what they’re getting out of it. It’s kind of what my overall focus is. Cloud is an amazing space, this last report really kind of brought out some very interesting insights as far as trends, as far as industries that are seeing more of an impact within misconfigurations and just like how COVID really related or impacted these organizations in general, industries and regions.
Like I said, I like intel aspects, I like who is attacking systems, who is attacking cloud, I really want to try to put a – as close as you can, put like a face to a name sort of aspect but really, what techniques they’re using, to try to map out what threats are actually being used in cloud environments. If there’s a real passion, that’s really where I want to look at is, how cloud is being targeted, what’s being targeted specifically and real solid evidence that they’re using such and such XYZ exploits and then where they’re coming from and what infrastructure they’re using. That’s just awesome stuff to get around.
[0:03:14.2] MC: Attribution, that’s pretty cool.
[0:03:15.7] NQ: Yeah, well, it’s so hard, I want to say attribution.
[0:03:19.9] MC: Jay, what about you?
[0:03:21.3] JC: Yes. Hi, my name is Jay, also a security researcher with Unit 42 and Prisma Cloud. My research has been around anything related to cloud technology specifically is what I’m focusing on and also, you guys kept mentioning cloud is such a broad – you kind of – so many different services and what I’m most interested in being currently, I’m very interested in container-related technologies such as Kubernetes and serverless and Istio, so I like Istio.
[0:03:55.2] MC: Okay, so server commissions.
[0:03:57.1] JC: Yeah, serverless technology. A couple of those serverless technologies, serverless can be built out on top of containers or like Lambda function or pager function so those are the technologies that I am very interested in.
[0:04:13.4] MC: Wonderful. Let’s talk about the actual report, right? This came out in April, it was really focused on things around COVID so maybe let’s talk about it from the perspective of maybe the why behind the reports so I know that every time the reports are done, Unit 42, there’s usually a different focus of cloud security so I remember the one that was done almost a year ago was originally done on infrastructure as code templates and the risks that they provide or that they can bring into businesses.
I know the one that was done previous to this was focused on identity and access management. What was the thinking behind the latest cloud threat report and how did you end up going down that road? Q, I’ll start with you and then Jay, I’d love to hear you up on that as well.
[0:04:57.5] NQ: Sure, I mean as far as kind of the brain planning of what we did in order to come up with this topic, we started with lots of different topics and there are a lot of things that were top of mind at the time when we started researching and stuff like that but obviously, just the biggest elephant in the room is COVID, right?
There was a very large, very massive shift of workforce infrastructure to get people out of office buildings into homes, safe and secure from viruses and pandemics and things. Just kind of – what is the cloud response? You know obviously, it’s very big, this pandemic and this way we have to move infrastructure, how our company’s doing that and since we’re focusing on cloud, cloud is really good at moving horizontally and expanding on a dynamic nature. We knew that there was going to be some cloud spence, I think we just kind of, “let’s investigate that and let’s find out what the security risks are, has there been an effect with COVID and cloud usage?”
Was there a change? I think that kind of started, like I said was the impetus of the start for that and yeah, we just started diving in and what is the workload growth because we have visibility into that, what is the security and risk and angle because we have visibility into that and we just started asking some of those questions and then trying to find answers for them.
[0:06:13.8] MC: Jay, what about your perspective, how do you see that?
[0:06:15.5] JC: Yeah, to answer your question, “Why we picked this topic?” I think every time we want to pick something that is relevant to the general public and can also bring some unique insight to the security community or cloud practitioners. In the past 15 months, COVID no doubt is relevant to everyone and also the cloud security researchers, finding the correlation between the pandemic and the cloud usage is a good topic to look into.
[0:06:46.9] MC: Yeah, so massive changes. I know that from looking at this, just to kind of put a specific number on it, I think Pew Research had done a study on this early on, they found that prior to the lockdowns, at least in the US, 20% of the US workforce worked remotely some portion of the time and that at the peak of the lockdowns, that number I think hit 71%.
That’s a massive shift, right? Just when you think of if you’re used to going to work, going into the office every day, if you’re on the security team, if you’re on the SOC, how you work, that was completely disrupted, right? There’s bound to be some type of probably negative security impact, I’m sure we’ll hear about here at some of these statistics in a minute. I’ll ask each one of you this question.
From your individual perspective, what was the most concerning finding for you in the data? Jay, I’ll start with you. What was most concerning for you in the data?
[0:07:42.7] JC: [0:07:42.7 - inaudible] we saw an increase in cloud usage in cloud workload and we also saw an increase of security incidents disproportionate to the increase of cloud workload. This is actually what we expected, we knew that businesses are rushing to adapt to a new, remote type of work. They ramp up their cloud workload and it makes sense that we see more security incidents in their cloud environment.
What made me really concerned is that we saw the same type of mistakes they make. People made the pre or post-COVID and people are just making these mistakes in a shorter time period. Instead of making 10 mistakes in a week, they make hundreds of mistakes in a week because they ramp up the workload.
What these really imply is that people are not securing their cloud environment in a cloud native way. They are using the cloud native technology but they are not using a cloud native way to secure these cloud workloads. In particular, for example, the people are not adopting the automation well enough, they are not adopting the standards such as CIS Benchmarks or creating a guardrail to protect or prevent misconfiguration in their cloud environment.
There are many other things, a few other issues that we saw, people are not really gaining enough visibility into their cloud environment. They are not monitoring, they are not collecting enough logs for forensic purposes. There are a lot of compact but these are essentially the issues that we saw.
[0:09:24.0] MC: Q what about from your perspective, how do you kind of see that?
[0:09:26.7] NQ: Yeah, I’m trying to think about this, what is the most interesting aspect, there’s so many interesting findings that we found in this report, it’s like, what’s the number one. To me, it’s really more along the lines of just the wide-scale exposure that is just happening in our environment, I mean, Jay just alluded to it right there where some of these things were very – some of the security findings that we found were very normal. We were kind of expecting, we saw this before the pandemic and then we kind of still expected to see them after, during the height of the pandemic but it’s just like the types of things that we’re finding.
The number one exposed service that we found was Telnet, port 23, if you’re one who is still using port 23 in the cloud today.
[0:10:06.0] MC: Who does use that still? It’s crazy. I thought we got rid of that like a decade ago.
[0:10:11.0] NQ: Yeah, I mean, when was the last time you saw a 250 message and it’s like, everything’s okay and he was, “I just culminated that to my environment.”
[0:10:18.2] JC: Yeah, whoever is using Telnet is so wrong and if you are still using Telnet, don’t let the entire world know that you are using it. Don’t expose it. That’s just ridiculous.
[0:10:28.0] NQ: Yeah. It’s just really wild, just kind of goes down the list like SMB is right in there, FTP, not even SFTP, not secure file transfer, just plain old file transfer. 67% of organizations are exposing that. Some of these are just very odd and I don’t understand necessarily why that’s happening. For me, from a basic security principled perspective, why we’re not scanning it, why we’re not properly configuring them from the very beginning and then that’s prior to the massive push for more infrastructure to get more people online, those one and we’ve seen this in our past reports.
If there’s one misconfiguration, using infrastructure as code templates or something like that, that one was configuration, that was not just in one system, it’s now in every single environment that that infrastructure is code template it’s being used in. You not only exposed one system, now you’ve exposed probably upwards of a hundred, maybe even a thousand systems and it’s just the scale comes very dramatically into fashion.
[0:11:25.9] MC: Yeah. I mean, maybe for those that haven’t read the report, I would definitely encourage them to go to cloudthreat.report. You can just put that in your browser, that’s it. Cloudthreat.report, if you go to that you will be taken to the link where you can download a full copy of the report. Maybe for those who haven’t yet download it, what were maybe one or two of the headline statistics that you guys found that obviously have them go through the full report, there’s like 17 pages worth of data in there but maybe one or two of the headlines statistics that you would share that you think are pertinent and then we can kind of switch gears and we’ll talk about why it is that we continue to keep seeing some of the same things over and over again. Jay, if you want to share or Q or –
[0:12:07.3] JC: I think I shared with you across all regions and industry, we saw around 70% of the organizations have their cloud workload increase in the 2nd quarter of 2020, around March and April. This is about the cloud workload and this increase of cloud workload led to a 188% increase of cloud security incidents. This is an interesting piece of disproportionate numbers, this is more security incidents occurred, much more security incidents occurred than cloud workload.
[0:12:42.0] MC: How you guys did it, when you talk about like cloud security incident in the report, how do you guys define that? That’s not an actual breach, right? It could be but how do you define that?
[0:12:49.6] JC: The way we define security incident is the insecure configuration that we could see in customers’ cloud environment. These incidents are not really attacks that we detect but are the misconfigurations or insecure configurations that we identify.
[0:13:07.3] MC: That’s a good point of differentiation, we’re not saying there was necessarily a 188% increase in cloud breaches. We’re saying they were incidents and certainly, those incidents are made up of misconfigurations they could have led to breaches. That’s something I guess we’ll have to look at more from a historical perspective, maybe that’s something to look at next but that’s a good point of differentiation there.
I’ve been following these reports obviously closely now since we started doing them a number of years back but it seems that in every cloud threat report, Unit 42 continues to find misconfigurations as the leading cause of cloud security incidents. I guess at the heart of it is, what are organizations failing to do? What’s the root cause of all this?
[0:13:51.6] NQ: That’s a really good question and as reports we’ve set numbers like 65% of incidents are misconfiguration in general. Within our report, we specifically lay out what we find or the top 15 most common security incidents. It’s interesting, it’s broken up into really three basic categories. We have one, it’s encryption or lack of encryption in that case, we have exposed services and then we have logging and those three fields, those three areas are the top three things that we find within cloud so number one, being just databases.
Databases just not encrypted, they’re unencrypted databases from the beginning and having something unencrypted, especially in today’s day and age, especially with our cloud service providers, just essentially giving away encryption is like, it’s free, just turn it on. It’s interesting that that’s the number one most common incident possible, likelihood of risk that we’ve seen in cloud organizations.
I think it’s just all of the – kind of the exposed ports that we kind of alluded to just a few minutes ago but it is pretty interesting. Now, well why that is, I think it’s really just, cloud is still, I don’t want to say new, it’s been around 16 some years but as far as operational perspective of developing and exposing production ready servers and services and applications, getting that continued scan involved.
Are things being exposed? I’m not saying it just from an incident perspective but seeing it from the outside in, are there exposed services in your environment, are there misconfigured templates? Just doing that initial scan. I don’t think that’s really being done to such a large scale as we kind of think it should be.
[0:15:26.4] MC: Jay, how do you see it?
[0:15:27.9] JC: I mean, there are so many types of mistakes that you can make in cloud it’s complex – I’m going to insert this quiet frame from a higher level. I think our level of organization, I think every organization should provide enough training for any user who used cloud either they’re a developer or engineers. Every engineer and developer, at least they need to know how to secure the specific service they are using day-to-day.
At least they need to know the potential attack surface and threat model of the service that they are using. If you are using virtual machine every day, you need to know, “Hey, most of our services shouldn’t be exposed to the Internet.” If you are using container, you see in case, you should know that, “Hey, how to define a secure task to properly isolate your containers and your service.”
It is impossible to train every engineer to secure every cloud service but at least they need to know how to secure the service that they are working with.
[0:16:28.2] NQ: I think that’s really interesting, Jay, that education is huge and it’s really big. I guess I have a question when it comes to that, I mean, in what form of education does that come in? Is that on the job training, do you need to have a security team sitting with engineers, do you need to have your engineers taking security certification courses? Do they need to go into the cloud specific AWS or Google platform or anything like that and take a security focused course, does that solve the problem?
[0:16:53.8] JC: That’s a good question, I don’t know, I think it’s too general to just ask every engineer to pass those specific certificates, right? Those people can give me your general idea but probably, it gives them a good mindset about what are the attack surfaces of cloud and how they can start to think in a secure way when developing applications. That definitely will help.
[0:17:20.8] MC: Prisma Cloud secures infrastructure, applications, data and entitlements across the world’s largest clouds, all from a single unified solution. With a combination of cloud service provider APIs and a unified agent framework, users gain unmatched visibility and protection and for our federal customers, Prisma Cloud is now FedRAMP Moderate. To find out more, go to prismacloud.io.
[0:17:48.7] MC: It sounds like you know, I was on a call actually right before this podcast started with a CISO of a really large gaming company here in the US and he was talking about the fact that the gaming industry has been slow for the most parts without cloud, simply right, they’re heavily regulated especially those that are out in Nevada with that but his whole thing was around he wanted just massive standardization across all the big three cloud platforms.
It sounds like well certainly, education is a component, right? People have to understand the technology that they’re working with, the capabilities, the complexity but it seems like a lot of these issues could be solved through standardization and there are a lot of different lenses, right? Standardization is a very generic term but just think about all of the different knobs and tubes and dials that are available just in a single cloud platform, right?
Then you multiply that by how many other platforms you are using and you just got massive amounts of complexity. It seems like standardization would go a long way but I guess at organizations, although they probably want standardization, they probably struggle with, “How do I actually enforce standardization across multiple different cloud platforms?”
[0:19:03.0] NQ: Well, not only that I mean, so you have standardization that is enforced so there is a number of organizations and industries that have to be beholden to PCI or ISO or whatever, you know, they are trying as hard as they can to meet and match the CIS benchmarks for their specific cloud provider but then there’s another issue is, do you have total visibility over your cloud environment and have you done resource or incident assessment to find out what is your most valuable asset within your cloud environment?
Are you protecting it properly? I mean, have you gone through an assessment matrix? Then if you do find that that is held and then you find an incident that’s in violation, how do you fix it? I think there is a lot of cloud incidents, Jay and I are having a conversation with a product manager earlier where it’s like, “Okay, we have a client that has a lot of alerts in their environment, which one do they prioritize?” and it’s like well, that question is really like not so much just the one has the most alerts is the one that you prioritize of course but is that a critical system?
Is that a system that is actually important to focus on in the first place? Again, there is an education aspect for how does the cloud function but then if it’s under coverage or being covered with something, which one do you fix in what order and how do you assess that. It’s really the client, that organization understanding what their cloud is to begin with.
[0:20:21.1] MC: Yeah, I love that. I think that makes a lot of sense and I would agree with you that as I interact with customers, a lot of them are struggling with just that base component of just having visibility into their cloud environments. They think they kind of have it but they are not quite sure and so it’s like if you don’t have that base fundamental understanding of just the visibility in your cloud assets, you can’t get to the next step, which would then be, “Okay, how do I set a standard for X, Y and Z?”
Whether it’s a container or a serverless function or just a traditional VMware code, that would become extremely difficult to do and very complex to manage.
[0:20:56.9] NQ: I go back to Tommy Boy with Chris Farley [0:20:59 inaudible]. It’s like when he’s in the sale and he just gets too anxious that he has a little roll, a bread roll in his hands and he’s like, “When I’m in the sales, it’s like a pretty little pet. I knew it and pet it and stroke it and then I …”
[0:21:09.3] MC: I remember that part.
[0:21:11.2] NQ: You know?
[0:21:11.9] MC: I got to put a link in the show notes to that, I will find that on YouTube.
[0:21:15.4] NQ: It’s a great thing because I think that you can make an analogy with people going to cloud because it’s kind of like, “We want to do all of these great service functions and we want to expand horizontally. We want to do all of these great super ninja-like cloud operations” but they just don’t even know where to start and they have this pretty little pet that just blow it up because they don’t know exactly what they are doing or even really how to use it or even covering the bases from the very beginning, so it’s interesting. It’s kind of funny.
[0:21:42.0] MC: A lot of times, I know when I read these reports, there’s a lot of doom and gloom, right? There’s a lot of, “Oh my goodness, it looks bad. Things are getting worse” or maybe in the case of cryptojacking, maybe things they do look a little bit better but was there any good news in the report either from any aspect? I’ll start Jay, from your perspective did you see any silver linings in the report?
[0:22:02.0] JC: I think two things, there’s more inside above the crypto. We saw a decline of cryptojacking in cloud that is kind of unexpected but that’s good. That’s one of the good things and I think you can provide more of this in detail.
[0:22:14.7] NQ: Sure, we can trace it at about 2018. The percentage number of organizations that are experiencing some sort of communication network traffic to public mining pools and a mining pool is where a cryptocurrency mining rig or an operation goes to collect its information like what task it’s going to use or what kind of crypto mining operation it needs to perform. That’s kind of like the central headquarters of a cryptojacking operation.
That number has been steadily increasing since 2018 until October of last year where it kind of peaked out at 23% of cloud organizations experiencing some sort of crypto mining operation or cryptojacking operation. This last report, we actually saw a decline of that. It actually went down to 17% so a decrease of about 6% of cloud organizations are seeing communications to crypto mining operations or mining pools. It’s the first time we’ve seen that since we started monitoring it, so that’s some pretty good news.
[0:23:09.9] MC: Were you guys able to find any correlation? I know that, you know, you guys know I’m a big crypto enthusiast but I’m curious, when you look at the price of certain cryptocurrencies, when you look at again, the whole focus of this report was really what changed pre and post-COVID-19 discovery. I know there is a section in the report specifically on crypto, Q, what did you find? Were there correlations?
[0:23:34.6] NQ: We’re looking at a number of cryptocurrencies. Monero, Ethereum, Bitcoin, Litecoin and Dash are the five coins that we really look at to see if there are mining correlations that we can find. Monero just wins every network communication battle. It’s been 99% of all of the communication to public mining pools is for Monero. It’s definitely the one that is being mined the absolute most, so we did a correlation to see that type of network traffic per day based upon the actual price of Monero, the current market value of Monero and to see if there is a correlation between the two.
The data sample that we have unfortunately is not a long enough data sample to really show a strong correlation. There are some peaks and valleys that seemed to work. As the price goes up, mining will go up but really, we found that as the price of Monero goes up, more often than not the actual crypto mining operation decreases, the amount of network traffic decreases during that time. Trying to understand why that is, it’s perhaps that as the price goes up, a lot of the tendency for those who hold cryptocurrencies is to kind of hold onto that kind of currency or possibly even sell it as the price goes up.
You want to shift focus from mining fully into more of a market watch mentality and that’s possibly what we see actors doing at that time.
[0:24:51.2] MC: The correlation with cryptojacking cryptocurrencies in cloud, I know that we’ve talked about that a lot over the last couple of years, is there anything that you saw from the data that related or was somewhat correlated with COVID-19 events? What did that look like?
[0:25:07.6] NQ: Yeah, so we also looked at the amount of cryptocurrency mining going through and then specific events happening in just our day-in day-out world. We didn’t specifically look at the COVID pandemic to see if we can find interesting points of reference. We did find a few, one of the interesting ones and it really isn’t COVID specific but it’s just more of like humanity specific is we saw an actual decrease in crypto mining operations during the holiday period.
Between December 24th through January 3rd and it just kind of goes to prove that even malicious crypto miners want to take a holiday, take a day off during that time so they don’t want to be on a computer all the time. That’s kind of interesting to see that that actually happens within crypto mining as well, it’s kind of funny. Other things that we saw, I mean there were – when specific things were announced like when Johnson & Johnson they passed their trial and then allowed them to actually administer.
We actually saw a significant spike, those were the highest spikes in mining activity just at the exact same time those things were announced. Why I don’t know necessarily what that correlation specifically relates to and why that maybe is just a coincidence but it is very interesting to see that when news was very heightened around our global news, mining activity did skyrocket during that time too, so it’s kind of interesting.
[0:26:21.0] MC: Interesting, so I know that there are often findings that don’t make their way into the report for one reason or another. If there are some things that you guys can share, I’d love to have you guys share maybe one or two things that didn’t make the cut but maybe was still interesting. Jay, I’ll start with you.
[0:26:36.6] JC: We have been looking into how to make our clients’ cloud environment more secure every day and that is why we do it every day and that is what we recommend in the report. One interesting angle that we didn’t mention in this report is that not only good guys are using cloud. Bad guys are also using cloud. Cloud provides the same type of simplicity, reliability, and scalability to everyone.
Attackers are also using cloud to launch their attacks, so during the pandemic we saw phishing sites come in and come through and saying to us and misinformation websites being hosted in public clouds. That is how they can quickly deploy their infrastructure and start their campaign and we also saw that attackers use cloud-based technologies such as content delivery networks such as CloudFront or Cloudflare to hide their malicious payload behind those cloud front doors.
[0:27:38.6] MC: Interesting. Q, from your perspective, what maybe got lost in the editing room floor that didn’t make it in the report that you would have maybe loved to put in but for whatever reason did not make it into the report?
[0:27:49.1] NQ: I found one in mine with like multi-factor authentication, clients that are turning that on or turning that off. There were some interesting things that we found with that, that didn’t quite make it in because it didn’t fit into the COVID story but we actually found that there is a 21% increase in clients not enabling multi-factor authentication within their normal IAM accounts.
As we know, multi-factor authentication being that we are using a YubiKey or whether you’re using like Google Authenticator or something like that to help authenticate into your cloud platforms, that as clients or as organizations moved into cloud spaces, we didn’t see that trend stay current with as many organizations that went up. The multi-factor authentication just unfortunately wasn’t being enabled as often as we wanted it to be.
That was an interesting thing that didn’t quite make it in but something interesting and also, while crypto traffic analysis in like which mining pools are most commonly used, they’re just kind of like you know, it is just mining, let’s just say mining is happening doesn’t necessarily mean that this specific one site was being used more than others. Yeah, so those are two things.
[0:28:50.9] MC: That’s interesting, so multi-factor authentication not being turned on. That seems just like a universally recommended best-practice to turn MFA on. It seems again that a lack of standardization because I’m sure if you went to the CISO or the security team, if any one of those organizations, I’m sure there is absolutely attribute to it or not, right? It seems again like this is a standardization thing, it’s like organizations have very efficient processes for moving workloads to the cloud but again, the standardization from a security controls perspective just seems like it’s not there.
[0:29:25.6] NQ: That leads me to a question for you, Matt. I mean, since you talk to a lot of organizations, and you are a CISO yourself, out of all of this data, and there is a lot of data inside of this report, what is the one thing that you find resonates the best, or do you think that you need to push harder? What's the one or two things that make this report interesting for large organizations?
[0:29:46.0] MC: Yeah, I mean that I think that again, we’ve talked about this quite a bit in the scope of the report but I can’t focus enough on the power of standards, right? It sounds really boring, it’s like, “Ah standards” right? Just by the very name, it’s like watching paint dry but I think in security and I think Jay you said this before, the biggest enemy of security is complexity, right? I think if security teams can think of security in a very modular way, there are all types of frameworks out there, right?
I love, I think it's CIS, has their 20 critical controls, and they have a crosswalk of that for cloud, right? You could start with something like that and just use that, say, "Okay, here are the 20 critical areas for cloud," and then you can develop a standard for how we're going to approach this organizationally for each one of those 20 areas, right? It will take time, it's not that you can just pull it off the shelf and it works, but it gives you 20 very specific areas that you can focus on, and then you work to develop a standard that can be automated. That's critical.
I’ve seen a lot of organizations create great standards and I’m like, “How are you going to automate that?” and they’re like, “I have no idea” so if you can’t automate it, don’t make it a standard and that’s how I do. I kind of really see it almost like Legos, right? It’s like these building blocks. You’ve got an organization like a CIS, very well respected. They’ve got all kind of industry input in like these 20 areas, use those, create standards in each one of those areas and then figure out what kind of tooling you need to actually implement those into it and enforce those.
I know we didn't touch on it, I think, in this report, but I think infrastructure as code is probably one of the most powerful ways that a security team can make sure that those standards are implemented and they're used every time, because if you can get a cloud environment to start correctly, right? Start from your standard. It's much easier then to correct things where there's a handful of things that go askew, versus now you've got 10,000 things because it was insecure to begin with.
I think that’s kind of how I at least see it visually. I probably need to create a chart of that somehow to get that across but I don’t know, hopefully to answer your question it made sense.
[0:31:54.7] NQ: It does. No, it totally does. Thank you.
[0:31:56.8] JC: That is so true. I a hundred percent agree that automation needs to be paired with standardization. Standardization can help you find the issue but automation can help you to prevent or mitigate.
[0:32:08.2] MC: That makes sense, so I know this is sometimes top-secret, but what type of things are you looking to research next? What types of cloud threats are cloud consumers maybe not even aware of yet? What are you guys looking at?
[0:32:20.0] NQ: I mean, it doesn't sound amazing, but there are certain things I want to go back and go for, like that standardization. We've done a lot of talking and we've done a lot of researching into more complex, more granular risk, but going back and looking at IAM again, really looking at identity and access management, and then also looking at infrastructure as code, have any of those story points changed in the year, year and a half since we last talked about it?
Kind of giving a refresh on some of those things, bringing on top of mind again I think would be a good thing. Just for a selfish reason, I would like to see what kinds of malware are in the cloud. Just as far as my own personal aspect, I’d like to see if there are new ways that we can look at identifying malware in cloud environments. I think that would be a really cool research project.
[0:33:01.7] MC: Jay, how about from your perspective?
[0:33:03.3] JC: I'm trying to look for ways to bring the existing capabilities from our next generation firewall to the cloud, going beyond just the cloud security posture management. Maybe we can use the threat intelligence from the next generation firewall to gain deeper insight into traffic in the cloud and look deeper into the content, not just block or grant access to a specific user, but we can also look into the content, what is inside this file.
Is there any sensitive information in this file or in this directory in this cloud bucket? Yeah, that is what I'm working on.
[0:33:46.3] MC: Great. Well, thank you both so much for coming on the show today. I know that these sessions are almost always some of the most popular podcasts. People are really just looking for pure threat research that’s not pushing any type of product or anything like that so I think these reports are highly valued and I think if I do the math correctly, the next report should come out October-November of 2021, so we’re still a couple of months out from the next report so I know we’ll be looking for that again.
If you want to see it, you can get a full copy of the report. Just go to cloudthreat.report and you can download a full copy of the report. Again, thank you both, gentlemen, for coming on the show today. We look forward to having you back on in a couple of months for the next cloud threat report. Thank you.
[0:34:29.1] JC: Thank you.
[0:34:29.4] NQ: Thank you Matt, I appreciate it.
[END OF INTERVIEW]
[0:34:31.9] ANNOUNCER: Thank you for joining us for today’s episode. To find out more, please visit us at cloudsecuritytoday.com.