The Cloud, Is It Really Secure? Ep. 107
Trish Cagliostro is the Head of Business Development for Security of Worldwide Public Sector for Security Services at Amazon Web Services (AWS). She explains how really secure Cloud security is and how threat intelligence factors in and her Cloud wish for the future.
Episode Table of Contents
- [01:24] Is Cloud Really Secure
- [08:10] How Should I Move to the Cloud
- [13:44] Indicator of Compromise
- [20:23] From a Threat Intel Perspective
- [27:17] Shared Responsibility in Ensuring Really Secure Cloud Services
- About Our Guest
Is Cloud Really Secure
Carolyn: Today, we have Trish Cagliostro, Head of Business Development for Security, Worldwide Public Sector at Amazon. She is a leader in the security industry. It’s where she spent 10 years advising public and private sector customers like DISA, DHS, and the US Senate.
Carolyn: I'm excited to talk to Trish because I struggle with Cloud. I don't get it. It's this big nebulous entity to me, like something in the sky. I don't understand how it's really secure. Honestly, every time my photos get backed up to the Cloud, I think, "Who else can see these?" Help me understand how is it really secure?
Trish: You hit on a common thing that we tend to run into with customers. There's a lot of uncertainty when they're moving to the Cloud from a security perspective. For us, security is our top priority, it's job zero for us. It's in everything we do. We take the approach of trying to make sure the customers have the most secure environments to operate in.
Trish: When you think about Cloud security, it’s important to understand from the customer side the concept of shared responsibility. We're going to offload some of the responsibilities from the customer. That's the other conversation I'll have with customers where they're like, "Okay, cool, go to the Cloud. I'm done. Now I'm good." Part of that, my role is helping customers understand, what is your responsibility?
The Cool Thing About AWS
Trish: The cool thing about AWS is that for us, we provide customers with a lot of different tools. They can use them to ultimately get to where they need to, from a security perspective. How do they meet that side of the shared responsibility model? What you're talking about is pretty common.
Trish: What's interesting though, is something you've seen over the last couple of years in the customer base. There is this shift from that, "Is the Cloud itself secure?" to focus more on, "How am I going to do what I need to do in the Cloud from a security perspective?"
Trish: A lot of times that'll drive customers to move to the Cloud because of scale. Here’s the nature of being AWS. It means that we can invest a lot more in security resources than most organizations can do on their own. So when they migrate to the Cloud, a lot of that undifferentiated heavy lifting gets taken away from them.
Trish: They can rely on some of the things that we're doing. What you're talking about isn't uncommon. Actually, it’s a lot of the reasons why people start to move to the Cloud. They do see it as something that's more secure as what they could do on premise.
Eric: Some of the big pieces there, economies of scale. I had a customer back years ago, 2008-2009 timeframe, I was with salesforce.com. They were talking about their risk to move to the Cloud and, "Is security covered? Can you do this and can you do that? What about scalability?" When we really got down into it, it was orders of magnitude off the charts compared to this organization.
Carolyn: More secure, off the charts.
Consolidation of Effort
Eric: Right. We were looking at physical security of the data center, security of the data. You could go to the trust.salesforce.com website, just to pick on Salesforce for a second and see uptime. This organization was a Manhattan-based, massive, couple hundred-year-old organization. You couldn't tell what was up at any given time, let alone security, who was in charge.
Eric: The IT team, it wasn't their business so they were hyper under-optimized. I think that consolidation of effort, the economies of scale can really help. But the shared responsibility models for the CSPs, they're not necessarily understood that well yet.
Carolyn: The shared responsibility is interesting to me because I like to believe what you two both just said. That the Cloud is run by a lot of people a lot smarter than me about security. My stuff's a lot more secure in the Cloud because that just makes me feel good and just easier. But the shared responsibility, it makes sense.
Eric: Are her pictures safe and really secure in the Cloud?
Trish: I was actually going to give you an example based on that. Think about this, you have your iCloud account, right? No matter how secure Apple is, if your password is password123, you're going to have a problem. So even as individuals, we have shared responsibility when we think about how we use Cloud security services.
Trish: In my Facebook account or my Google, it gets worse. Let's say I have the same password across all of my different Cloud services. If, for example, in the past, one of my major social media tools was breached. That password is out there, I'm still using the same password, then I have a problem as an individual.
Who Owns the Responsibility for Your Security
Trish: I have responsibilities as an individual when I use Cloud services, and I also do as an enterprise. They can be as simple as making good decisions in terms of password security. Least privilege is how you design the application. But essentially that same concept is there.
Trish: The same way that as individuals we use those cloud services, we have individual responsibilities. Same idea with the Cloud services that we use as an enterprise. You are always going to have some level of responsibility that you have to control. You're going to be responsible to make sure that you're building really secure and safe applications.
Eric: The Cloud service providers or CSPs are responsible for security of the Cloud. The individuals, organizations, enterprises, you name it, they're responsible for security in the Cloud. Set a proper password, make sure you're not putting things there that you shouldn't have there. Understand what users are doing with that data. If we put something into a CSP and then we don't protect it, we put no security around it.
Eric: An invalid or a legitimate request comes in from a party who shouldn't have access to that data. Well, the CSP is going to do one thing and they're going to do it really, really well. They're going to serve that data up to that request. They don't know it as a legitimate or illegitimate request in most cases.
Eric: You own the responsibility for your security in the Cloud. It is why we always talk about protecting people and the data. The Cloud is a very secure place, as long as you understand the value of your data. Who has access to it and what they're doing with it.
How Should I Move to the Cloud
Carolyn: Why are we so slow in government to move to the Cloud?
Eric: COVID accelerated things, but Trish, what are you seeing?
Trish: You hit the nail on the head. COVID definitely accelerated it. Here’s one of the things I've always seen with government customers. It took a lot of time and education in terms of teaching them exactly what the Cloud is and how they can use it.
Trish: The Cloud is this very broad and nebulous term. We're talking very much about it as this one thing. It could be an application where it's a lift and shift of a bunch of VMs to the Cloud. Or it could be a refactor of your application where you're starting to get into managed services. When you're the government, it's challenging because you have to ask yourself this question.
Trish: "How should I move to the Cloud? Should I try to refactor all my applications and migrate that way?" That takes time and resource investment. "Do I want to lift and shift, which could be a little bit more expensive, but it'll get me there faster. And it'll get me started down the path of the Cloud." I see with government agencies and with most organizations in general the idea that you want to get a quick win.
Trish: Don't look at it as your most complicated, difficult thing. That it’s going to be super hard to move to the Cloud. Let's look and focus on the things that we can relate easily and grow from there. From the government side, it also involves having a different operating cycle. Think of the way the government normally builds an application, map out requirements.
The Legacy Nature of the Applications
Trish: I have this really long process in terms of how I'm going to build a system. When I build a system on premise, it's typically relatively static. I have to physically buy things in order to expand my application, new servers, new licenses, et cetera.
Trish: With the Cloud, that infrastructure is there and it's just expanding. It challenges the government to think a little bit differently. That's also made it a little bit hard for them. They actually have to think about how they're going to build things. How are they going to buy things a little bit differently than they had in the past?
Eric: We talked to Dr. Zangardi last week. I'm going to be controversial. So, Trish, don't shake your head yes or no, and just be careful here. He talked about contractually, we don't have the contracts in place. The billing is based on usage, as opposed to buy and deploy. He talked about the legacy nature of the applications and how they're all interwoven.
Eric: I'm going to throw this out there, the workforce. There’s a distinct gap between my age group, what I learned, and what we see in the workforce now. With the millennials coming up, the trust of the Cloud, the understanding of the Cloud, it's very different. It's almost like electricity. You're giving somebody a service, but you've got to understand it and secure it.
Eric: A lot of government contractors have no experience. It's a very scary place. It could put them out of work. That's always a big fear in the people I talk to. "We've got to move to the Cloud," but, "Well, I don't know how to do this." I see this often with customers.
A Massive Security Gap
Eric: They don't spin down and spin up resources on demand. They just turn them on and let them go. They don't understand the data movement and how much they're putting into the Cloud. Or taking out and what that costs and how to optimize that. There's almost a generational gap in the way we think. Almost like when you had mainframe operators, and then we went to open systems. Trish, you don't have to agree or disagree. I know some of that's controversial.
Trish: I didn't think it was too controversial. You hit on something that is extremely important and something I definitely see. Frankly, I've seen it in my entire career. In security, it's the 2 million, 4 million, however many millions of people workforce shortage that you tend to see in organizations. It’s where we all know we have a massive security gap.
Trish: Prior to the Cloud, really gaining as much traction as it has in the last few years, that's existed. Now couple that with, "Okay, well, I just figured out on-prem security. Now, I have to think about this in a whole different way. Think about security, where my boundaries are changing. What I'm responsible for is changing." You hit the nail on the head that we don't have the resources we need in terms of skills and training.
Trish: There are tons of resources that are out there. But who in security goes, "Man, I have too much free time on my hands. I just wish I had more things to learn." People are struggling to do their regular normal day jobs. That’s a real challenge for organizations. Something that should be thought about if I'm going to make this massive investment, then put my critical assets somewhere.
Embracing the Cloud
Trish: I want to make sure that I have the resources internally trained, educated. That they have the skills that they need, in order to make sure I maintain it over time. So I don't think that's controversial. I think that's actually a really important point that organizations do need to think about.
Carolyn: I know Trish that you talk a lot about threat intelligence. This whole episode, I'm just going to show my ignorance here. Tell me how that comes into play here. A good threat intelligence program, if that's the right term, does that help with embracing the Cloud?
Trish: I think you're on the nose. Threat intelligence program, totally fair way to say that, or threat intel team, whatever you want to call it. I actually like calling it a program because I think a lot of times when organizations think about threat intelligence, they want to talk about IOCs. They want to say, "Integrate these IP addresses or these domains with whatever my security tools are. And then if there's a match I'm off and running," and that is part of threat intelligence and something that should be done.
Trish: When you think about threat intelligence, there's an opportunity to think about it a little bit more strategically. It's one of my favorite things to talk about. So if you're looking at migrating to the Cloud using something like the MITRE ATT&CK framework, I'm thinking about not just what are the IOCs that I'm looking for. But, do I have the tools and techniques I need to have in place to detect the threats I want to face?
Carolyn: And IOC is an indicator of threat?
Indicator of Compromise
Trish: Indicator of Compromise. If you think about it this way, here's what threat intelligence is all for you. A guy knocks on your door, what do you do? Well, you probably just answer it. But if that guy is FedEx and they have a package like, "Great, I definitely want to answer that. I probably want one of my 4,000 Amazon things that I've ordered over the last year."
Trish: If it's a guy wearing a mask and maybe has a weapon, I probably don't want to answer that. So, what threat intelligence should answer for me is when I look at my peephole or my Ring. If you're me, I use my Ring doorbell, who's actually at my door? Is this someone that I actually want to let in my house?
Trish: That's what threat intelligence helps you do on the time and tactical level. That is what an IOC is. It's going to tell me the guy's wearing a mask and holding a knife, then I make the decision. I probably don't want to let him in the door. At the strategic level though, when I'm thinking about it at a higher level. I started this off with, "Do I open the door when someone knocks?"
Trish: I want to be able to have a Ring doorbell so I can see what he looks like. Maybe that's too expensive for my home. I just want to have a peephole at the door. When you think about threat intelligence, the strategic level, it's about understanding what your risks are. Who you are as an organization, and what are the tools that you need to protect and defend yourself as well. That's something that the MITRE ATT&CK framework can be really helpful with.
Where the Threat Intelligence Group Sits
Carolyn: Who does that? Where does the threat intelligence group sit?
Trish: For the most part, it's going to sit in the security organization. Either inside of the SOC, as a pyramid SOC, it depends on the maturity level of the organization. Some organizations don't even have threat intelligence teams. A lot of the customers that I work with actually, I come from a threat intel background.
Trish: If you can't tell, it's probably one of my favorite things to talk about. They're like, "Look, that's all great and cool, but I'm trying to patch my system. So can we start a little bit earlier on?" It really depends on the maturity level, especially as you become a larger, more mature enterprise.
Trish: You’ve looked at post-COVID and things like ransomware. What's interesting is all of a sudden, you see organizations that haven't faced that level of sophistication of a threat, they’re now targeted. Because you have healthcare agencies that are doing very sensitive research. Things like that, state and local in particular.
Trish: Our adversaries didn't think, "Oh, COVID, this is really bad for everyone. Let's take the next six months off." They were like, "Oh great. Everybody's really vulnerable. Let's get after it." So remote workforce is the other challenge there.
Trish: Ultimately, think about threat intelligence and who does that, it's going to be either the organization, it could be your service provider. The short answer is a lot of people. But some organizations might not even be ready to take that next step.
Eric: There are groups, Carolyn, they're the ISACs, which, Trish, help me with what ISAC stands for.
Trish: Information Sharing and Analysis Center.
Can We Really Secure Sharing Internally
Eric: You'll see that around energy or financials where people will share internally. Then in government where I have a good bit of experience with it. You have DHS, you have FBI, you have the intelligence agencies. And you have individual groups, depending on what the organization has. The challenge I've had, Trish, is sharing challenges, consumption challenges.
Eric: What do you share? How do they consume it, how do they automate it? What's the value of the data? I know MITRE came out with STIX and TAXII for sharing and transporting the data in. But you can get tons of data just flooding you. Instead of, someone's at your door with a black ski mask on, a gun in their hand, that's bad.
Eric: You could get 300,000 notifications about different types of people that could be at your door that are bad. How do you go through 300,000 different profiles while you're looking at that person? And through the peephole in your door, you say, "What kind of decision do I make here?" There's a flood of data. We need automation.
Carolyn: Do you share the data inside the organization? How much do you share outside of the organization? I would think that threat intelligence would be valuable to share.
Trish: Absolutely. Sharing is not a problem that is exclusive to figuring out, "What do I share externally?" A lot of times it's, "How do I share internally too, and facilitate information sharing across my own internal teams?" Sometimes they're siloed. What Eric was talking about is hugely important. 10 years ago, threat intelligence was, I just left and went to a new security operation center job. I'm seeing this IP address activity.
Is Information Sharing Really Secure
Trish: Let me call my buddy and see what he's seeing too. That was information sharing. It was on the order of magnitude of tens of indicators. Maybe you started to ingest an open-source feed, and that was cool. But you just got 4,000 spurious false positives.
Trish: The thing that was supposed to help you find the bad guy now has you chasing your tail all the time. That's frustrating. Then you started to see the premium feed sector start to emerge like the CrowdStrike, the Flashpoints. The different types of feed vendors out there, they’re supposed to give you more specific threat intelligence for more accuracy.
Trish: After probably five or six years now with threat intelligence, I think there are two ways to think about it. One is an actionable type of intelligence. Things that I know were bad, meaning I can perform some level of. This is what all needs to be machine to machine. Before, it's a level of hygiene on it, using something like a threat intelligence platform to remove false positives.
Trish: It essentially helps me identify my high confidence. Things I'm pretty sure are accurate, are actually bad. They're going to impact my organization like command and control or malware, essentially malicious activity. Newer too, because the older indicators are, typically, the less useful they are.
Trish: Boil that down and think about all the millions, billions, of potential indicators that are out there. It only comes down to a really small subset of data that I can take and push to my devices. I’d say, alert on this.
From a Threat Intel Perspective
Trish: The much bigger set now, the question becomes, "Okay. Well, if I can only use a small subset of this inside of my security tools, what do I do with the rest of it?" That's where you get into things like enrichment. It helps me understand about an indicator. If I go to an unknown domain, what's the reputation of this domain?
Trish: What's the reputation of this IP address that it resolves back to? Essentially, it’s starting to get into helping me inform my decision-making process, rather than saying this is definitively bad. But from a threat Intel perspective, that is something that a lot of organizations are struggling with. Like, "What do I do with all this data? How do I actually use it at scale?"
Trish: In my opinion, as an organization, before you can share, you have to figure out those two pieces first. You have to understand: what do I do with my actionable intelligence? What is enrichment intelligence? Now start producing your own intelligence where I've seen something unique to my network, and I want to share that out.
Trish: That's where the sharing piece comes in. You have to have a mature foundation. Otherwise, as an organization, you're just sharing data ad hoc, or you don't really know what you're sharing. You need an ISAC to sit in the middle and help rationalize that. Or you need some of your more mature partners to help you grow out that capability.
Trish: There's a question of whether or not sharing should be automated as well, and let the machines handle it. Meaning, I have some level of detection on my network, it automatically sends to some central location.
An Automated Indicator Sharing Program
Trish: We do some massaging of the data, whether it's false positive reduction or scoring, and then share that back out. That's comparable to something like an automated indicator sharing program, DHS AIS. The goal is to get to machine-to-machine collaboration. It's just really hard from a policy perspective. It took a long time to get organizations to say yes to share this threat data with the FS-ISAC.
Trish: That is a really good example. Ultimately, your competitor has the best threat data that is most relevant to your organization. They're like you, but imagine a lawyer's face when you say, "Yeah. I want to help Capital One be better at cybersecurity. I'm Bank of America." Big competitors. That's a hard conversation for organizations to have.
Eric: That makes sense, Carolyn?
Carolyn: Yes. I know you could probably spend another few hours with Trish, but we're coming up to the end. So I'm going to give you the last questions here.
Eric: Before I ask a question, it's a very difficult problem. How do you share, how do you consume? We're very early on in our journey. The automation, the decision-making, the risk profiling, it's still very early on. With that, I'll lead into the future.
Eric: Five years from now. What does the state of Cloud security look like? How would you compare that to today? What changes, what doesn't? Carolyn's scared to bring her applications online in the Cloud. She isn't sure. What's easier in five years?
Carolyn: I still do it, because I'm lazy.
Eric: That's the problem. You want to share your photos, you need to put them somewhere. As we always talk about, the mission overtakes, but what changes Trish?
Constant Realization and Recognition of What’s Really Secure
Trish: I'm going to say what I hope changes. For the longest time on premise security, we've had this constant realization and recognition. We need automation and it's always a priority. It's yes, we have to automate, we don't have enough people, insert 15 different reasons why. For whatever reason, there's always been this pushback whenever you get into automation.
Trish: Where, "Oh, we don't want to break anything, we don't want to cause an outage." To me, that is the thing that has to change as you move into the Cloud. As you're thinking about Cloud security, you can't think about it the same way we did on premise, where if I'm a system, I'm looking at this going, "I got tricked last time, I had to invest tons of money in my security infrastructure."
Trish: I invest tons of resources and care and feeding. And I still have to look for a new job every 18 months because it got breached. What has to change in order for that to work is being able to say, one, I want to automate. Two, I want to integrate security into my actual lines of business or into my development cycle. Long time ago I was at a company.
Trish: We used to release an appliance. The way that we would handle releasing the appliance is we would make all our development. A week before the release date, someone brought a vulnerability scan. We would try to patch whatever we could patch. Two days before the release and some stuff got patched, some stuff didn't. Just because we were on such a tight timeline.
A Different Opportunity With Cloud Security
Trish: As you think about things, you think about Cloud security. There's a different opportunity there. You can actually integrate security into the development cycle with things like CI/CD pipelines and DevSecOps. We're starting to see organizations adopt that. Today, security is like a super manual process. I always used to joke with my customers. "Oh yeah, you have the analysts' 15 different screens that they're looking at."
Trish: I hope that what changes in the next five years is that there's a reliance on automation. Analysts aren't really looking at screens anymore and trying to figure out what the issue is. They're figuring out what they're going to do about the issue instead.
Eric: Interesting. DevSecOps, automation, big keys there.
Trish: Absolutely. In everything that the analyst does.
Eric: What you're telling me is, we're going to break down some of the traditional silos or walls. Those that we experienced on decision-making on budgets, you name it.
Trish: Yes, and I'd love to see more adoption of different Cloud-native capabilities as well. I hit on this earlier when you think about on-prem security. It's something you had after the fact when you build an application. You are like, "Okay, I built this application. I go get a firewall, I go get this. Then I end up with this really expensive, complicated architecture." With the Cloud, you don't really have to do that.
Trish: What you can do is take advantage of some of those Cloud-native capabilities. Instead of investing all your time and maintaining my infrastructure, I can build that into my process. Then all of a sudden, I can have a much more efficient, much more effective security operations center.
Shared Responsibility in Ensuring Really Secure Cloud Services
Trish: Ultimately allow our analysts to just focus on responding to incidents. Instead of well, "Do I patch all of my security infrastructure that I have out there?" Stuff like that, updates, all that.
Eric: What do you think, Carolyn?
Carolyn: I feel better about the Cloud.
Eric: I think it's a generational shift though. We have the younger generations come in and they start doing more with DevSecOps and everything else. Those traditional walls will come down as people retire, as people take different jobs or move up in the process. These millennials, the younger side of the workforce, this is what they'll just do because they do it. They did it at one company.
Eric: They'll go to an organization and agency and do it there because it's easy. These Cloud services are becoming more and more robust. There are more and more of them. Trish, I don't know if you agree or not, but I see that shared responsibility model shifting a little bit.
Eric: With the Cloud service provider providing more tools and capabilities, more services for the business to take advantage of. Maybe shifting isn't the right phrase or word. Probably the tools and services are more available for the individuals. For the organizations to leverage, to better protect their data and their people.
Trish: From a customer perspective, security is going to look different. I hit on this a little bit earlier. The idea that the Cloud is this big term, but there are different flavors. There's something like a Lambda, that serverless technology where you're not worried about the underlying operating system anymore. You're worried about the code itself and things like that.
Different Flavors of the Cloud
Trish: As you get into different flavors of the Cloud, there are different security concerns. There are different ways to think about it. I also agree with the generational part. For example, I actually didn't start from a technical background. I randomly ended up with cybersecurity.
Trish: I've always thought about it a little bit differently than some of my peers did. I thought about it from how does this enable what I'm trying to do? How can we do this, instead of why we can't. As you see more people coming in, that's honestly one of the most critical pieces to the Cloud success.
Trish: I challenge security people to this all the time. We have this tendency whenever someone comes up with a new idea. We think, "Okay. Here are all the reasons why we can't do this. It's insecure for these five reasons," right?
Eric: We bash it down.
Trish: We go, "We can't do this. It's not secure if there are five reasons why you can't." I challenged people. "Well, if those are the reasons why we can't, what are the things that we could do? In that order, we ultimately achieve the same outcome." It's a little bit of a different way of thinking from a security perspective.
Get Away From the Department of NO
Trish: I ultimately think if we can get that piece right. We'll do a lot better as a security organization and get away from being a department of no.
Eric: A lot of developers will just start doing these things. That's how they know they'll be taken care of. Those discussions won't even happen in many cases. Long question, Carolyn, I appreciate the time though. I think that was a good one. Good answer from Trish.
Carolyn: Well, thank you so much for being with us today, Trish.
Trish: Thank you for having me. I really enjoyed it. It was a great conversation.
Carolyn: Thanks to our listeners, and have a great week. We will talk to you next week.
To The Point Cybersecurity was recently named one of the 30 top Federal IT influencers 2019 and 2020 because of fantastic guests. We are always looking for great thought leaders to interview. Please email me with guests you would like to have on the podcast firstname.lastname@example.org.
About Our Guest
Trish Cagliostro, Head of Business Development for Security - Worldwide Public Sector for Security Services at Amazon Web Services (AWS). She is a leader in the security industry. She’s spent 10 years advising public and private sector customers like DISA, DHS, and US Senate. She also advised commercial entities like Bank of America and United Airlines. Trish is a subject matter expert on a variety of topics, including integrating threat intelligence. She has testified before the House Homeland Security Committee about information sharing.