Can you deploy zero trust, intrusion kill chains, resilience, and risk assessment to Microsoft Azure? - Around the Hash Table.
Rick Howard: Last episode, I did a deep dive on how we might implement our first-principle strategies in Microsoft Azure. And in case you haven't been taking notes, my assertion is that if you want to reduce the probability of material impact to your organization due to a cyberattack, you have to deploy four strategies simultaneously - one, intrusion kill chain prevention; two, zero trust; three, resilience; and four, risk assessment.
Rick Howard: After scouring the Microsoft Azure website and listening to various Azure expert YouTube videos, I came to the conclusion that you can do this, but you're on your own about how. Microsoft Azure gives you plenty of tools to use, but how you put it together and how you measure your progress is more of an art than a science. So that's what we did last episode. For this episode, it was time to invite the experts to have a seat at the hash table to see where I got it wrong.
Rick Howard: My name is Rick Howard. You are listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. Joining me at the CyberWire's hash table today are Rick Doten, the Carolina Complete Health CISO, and Mark Simos, Microsoft's lead cybersecurity architect.
Rick Howard: Before we get started with the first principles, though, it was interesting to hear Rick Doten's take on Microsoft's cloud migration strategy for its customers. Even though most of us have been moving workloads into the cloud for a number of years now - and yes, I consider SaaS applications like, you know, Office 365, Concur, DocuSign, they're all cloud workloads - cloud providers give their customers a subtle nudge, though, to move even more workloads into the cloud. Here's Rick.
Rick Doten: Microsoft always - also very clever in their contracting to require that things like any of your SQL Server will then go into the cloud. Any of the - you know, it's kind of like the Microsoft Office license goes away. It's - if you wanted Microsoft Word, you're buying the cloud.
Rick Howard: In other words, gone are the days when we would download an app, use it, save our data locally and be done with it. Now, everything ties back to the cloud somehow. I asked Rick if he still had any doubts about being able to secure workloads in the cloud somewhere. He said he didn't for the most part, but the one thing that still nags at him is the single vendor problem. Once you commit to a cloud provider, Microsoft or any of them, it will be difficult to extract yourself once you have any sizable or meaningful workloads running there. It's not simply a matter of copying your data from one cloud provider to another. That data could be stored in lots of different places within the cloud provider's network. It can be done, but you aren't turning that tire on a dime. Oh, you can get your data out, but you might never be certain if you deleted it all once you're done with the copy.
Rick Howard: Rick Doten says that the single cloud provider problem is similar to the old Jimmy Stewart 1946 Christmas movie "It's a Wonderful Life." And by the way, I love that movie. I cry every single time when the entire town comes in to save Jimmy Stewart at the end of the movie. But there's this one scene when the Depression is just starting, and everybody in town is trying to get their money out of the old building and loan bank that Jimmy Stewart runs, so Jimmy tries to talk the crowd out of it.
(SOUNDBITE OF FILM, "IT'S A WONDERFUL LIFE")
Jimmy Stewart: (As George Bailey) You're thinking of this place all wrong, as if I had the money back in a safe. The money's not here. Well, your money's in Joe's house. That's right next to yours - and in the Kennedy house and Mrs. Macklin's house and a hundred others.
Rick Howard: Just like the money in Jimmy Stewart's building and loan, your data is not in one place. It's scattered across the Microsoft infrastructure.
Rick Doten: I don't know...
Rick Howard: Here's Rick Doten again.
Rick Doten: It's like I just - you know, it was Christmastime, right? So we saw, you know, "It's a Wonderful Life." It was like...
Rick Howard: Of course you did.
Rick Doten: ...I want my money back. It's like, well, your money is in Bob's house and George's house and everything. Like, I don't know where it is. I don't have it.
Rick Howard: Yeah.
Rick Doten: You know, cloud was that way.
Rick Howard: Be that as it may, it looks like cloud deployments are here to stay. But it isn't like many of us had some grand strategy when we picked our cloud provider. In the early days, we picked what we knew. Here's Rick Doten again.
Rick Doten: It's kind of like a convenience, what they knew, what has a better, like, development platform, like AWS...
Rick Howard: Yeah.
Rick Doten: ...Certainly is much more geared towards development on it than Azure. Whoever is choosing to go to the cloud, what they feel most comfortable with is what they go to, not because there is like - and they may have - even in large companies will go through risk assessments of what's the springing and build a whole SSP about, you know, doing stuff in the cloud, in AWS. But, you know, the impetus for it is not strategic but more like, this is what we know. You know, it's, again, based on requirements. It's like, you know, we have some that are in one or the other because our partners are already in one or the other. And so it's like, oh, we have a whole platform on Azure. It's like, all right, well, I guess we're running ours on Azure then.
Rick Howard: One thing did pop out in this discussion. Whether or not you use one cloud provider or some sort of hybrid approach will probably depend on how big you are. What is emerging is that organizations are managing these different kinds of environments with different teams. If you are a big organization and you're running workloads in, say, Google, Amazon and Microsoft clouds, you probably have a team for each. Likely, you have a team that manages the glue between all of them, also. But if you are a small organization, you don't have the resources for that kind of thing. The smaller you are, the simpler you're going to want it. At the very small end, you might be using Azure and a handful of Azure security products and calling it a day. At the extreme other end, very large organizations will be using a mix of the cloud security products and other commercial toolsets. Here's Rick again.
Rick Doten: We will have a totally different team for AWS and a totally different team for Azure and a totally different team for Google. And development teams would be unique to each of those as well and unique to different product types. We're so big and so segmented that there is a team for everything and that they kind of coordinate or set up stuff to make sure that the developers can do what they - do only what they need to do at the time - for the time they need to do it. If you're smaller and you have nothing, I mean, sure. You know, if they have it and there are tools already embedded that do this, make it easier, fine. I mean, something's better than nothing.
Rick Howard: With those preliminaries out of the way, I'm finally ready to talk about first principles in Azure. So let's start with resilience. For this part, I had to bring in the big guns from Microsoft to help me explain some of this stuff. As I said at the top of the show, Mark Simos is Microsoft's lead cybersecurity architect. And he had this to say about resilience in Azure.
Mark Simos: I kind of view the availability of resilience in two different respects. One is an accident of some sort. It may be negligence or a mistake or physical hardware failure, et cetera, sort of the innocent. And then there's sort of what generally falls on IT, right? And then you have the security side of it, which is disruptions and availability because of a malicious attack, because someone deliberately is trying to do it, whether it's an insider or an external attacker.
Rick Howard: Rick Doten had a different view. He said that compliance drives his resilience requirements.
Rick Doten: Most of the requirements come from compliance, meaning that, you know, we have health plans in for a U.S. state, and they say their data cannot be outside the - you know, the 48 continental United States.
Rick Howard: One obvious advantage you get from Microsoft - and really any cloud provider - is DDoS protection. Especially if you are a small organization, your resilience benefit comes from the fact that the big cloud provider has already figured out how to defend itself from these kinds of attacks. Here's Mark again.
Mark Simos: First is the DDoS protections. So you get a fairly basic set of - you know, how you're on Microsoft's network, and it's the same network as Xbox and as MSN and all these other things - right? - and all of our customers. And we protect against DDoS at that macro level for all of our customers, just as part of, hey, you're on our network.
Rick Howard: And specifically to build resistance to ransomware attacks where the attackers might delete your data and your backups or at least try to encrypt it all, Azure makes it easy to add additional authorization steps before those actions get processed - a sort of two-man control that we talked about last episode. And if that isn't enough, Azure has this concept of immutable storage for your backups, where whatever data you put in there can't be changed. Here's Mark again.
Mark Simos: Once you have that backup, you have sort of a kind of quicker and easier way of protecting it, which is you can force an out-of-band action before your backups can be erased, whether it's an MFA prompt or a preset PIN that is not in the system anywhere - hopefully not sitting in a Notepad document. But you know, those are the two different sort of out-of-band things that nobody can erase, nobody can encrypt. Nobody can mess with these backups. You have to have, one, the credential and an explicit extra MFA or PIN. There's an immutable storage offering in Azure that, you know, originally for financial reasons and recordkeeping reasons, you know, thou shall not be able to delete this data, ever - period. The immutable storage is you can store your backups there, at which point, even if they get that out-of-band PIN or they can, you know, do an MFA, you know, workaround or, you know, steal your phone or whatever it happens to be to get around that, they still can't delete it because the customer can't delete it.
Rick Howard: For zero trust, if you go back to the original John Kindervag white paper that he published when he was at Forrester back in 2010, zero trust adopts the mindset of least privilege and need to know. The idea is that you assume the bad guys are already in your network and design it from there. Microsoft adds another component to this idea and in hindsight, a completely obvious one - unequivocal proof of who or what is accessing and processing resources.
Mark Simos: You know, at Microsoft, we have these three principles - assume breach, least privilege and explicit verification.
Rick Howard: But Rick Doten had an even more draconian solution at Carolina Complete Health.
Rick Doten: None of our cloud infrastructure is internet-facing. There's no contact with the outside world. And so it is isolated access through trusted, you know, points and supported through our own data centers - you know, as an extension of our data centers, I guess is what I'm saying.
Rick Howard: And let's not forget about putting our sysadmins into a very special zero-trust category.
Mark Simos: And that's one of the fundamental assumptions of our privilege access guidance, is you want two different access paths - one for users, one for admins. And that way, you can keep a nice, high usability but still secure user path. And then you can really turn it up to 11, as it were, for the admins. And you're only inconveniencing the admins, and you do the special stuff for those because they have a greater impact. They have greater access.
Rick Howard: In the last episode, we talked about how Azure customers rent virtual network spaces through subscriptions that are bound to geographical regions. Customers can then create multiple subnets within their virtual network designed for specific business functions like, you know, finance, marketing and IT. Customers can then establish network security groups, or NSGs, for each subnet to enhance their zero-trust posture. Like I said in the last episode, NSGs are like mini stateful inspection firewalls that allow blocking rules between subnets based on IP addresses, ports and tags. But that is a fairly primitive mechanism.
Rick Howard: Azure also has a higher order zero-trust construct called management groups - I know, not a very sexy name. But according to Orion Withrow from Cloud Academy, quote, "An Azure management group is a logical container that allows Azure administrators to manage access, policy and compliance across multiple Azure subscriptions en masse," end quote. Here's Mark again.
Mark Simos: Yeah, so network security groups are great for - you know, they're just like a subnet with essentially a firewall between them, you know, to be analogous to on-prem. And so they're very good at that. And if your, you know, sort of business compartments fit nice and neatly into that, they can be used in that way. In most organizations, we often find that, you know, when you start to put a firewall rule between two business applications, it tends to not work because there's this complicated application layer interaction across them and the way that they interact. And it's usually not very well-documented, honestly.
Mark Simos: So you've got the subscriptions that kind of contain all the resources, and then you have the groups of subscriptions, which we call management groups. And those tend to be a little bit more conducive to, here's all the finance stuff, which may be, you know, three or four different things.
Rick Howard: After looking at Azure for a bit now, it's clear to me that there are many tools in the Microsoft utility belt that could help security practitioners with their zero-trust journey. What I mean is that there are many tactical widgets available to create a least privilege and need-to-know environment. What is missing, though, is some mechanism that will give us a sense of how our zero-trust policies are doing at the strategic level. And like I said in the last episode, this is not a hit on Microsoft. From what I can tell, no cloud provider does this very well because it's really hard to do, to codify the organization's zero-trust policy, say, in English and then provide some sort of useful feedback about how you are doing with those policies in the Azure environment. Here's Mark again.
Mark Simos: Getting a clearer picture of what good looks like is definitely emerging out of the fog, but it is quite a challenge to get there. I mean, there's - you know, organizations are complex technically, and they're evolving, especially as cloud capabilities come out and many people embrace them partially and you have this massive hybrid of the new and the ancient and every generation in between.
Rick Howard: Now, before we close this episode off, let's briefly touch on the intrusion kill chain strategy. It's brief because Microsoft doesn't provide any overt capability that lets customers assess how well they are doing against - oh, let's just pick one at random - how about the DoppelPaymer ransomware gang, or how about the Electric Panda Chinese cyberespionage group or any of the other 100 or so known adversary sets that are currently operating today? Instead, Microsoft bases its protections on the framework from the Center for Internet Security, or CIS for short. These are a set of 20 best practices that can guide you through the process of creating a layered cybersecurity strategy. According to Justin Gratto from Securicy, quote, "Research suggests that implementing CIS controls can reduce the risk of a successful cyberattack by as much as 85%," end quote. Here's Mark again.
Mark Simos: So from a prevention kill chain perspective in Azure, we have kind of a - you know, we have two different options, right? We have a bunch of native controls that are built in. We've got the Azure firewall. We've got, you know, protections for Azure storage, you know, all the way up and down the chain, all across the resources. And so there's a lot of those controls, which we document in the Azure Security Benchmark, specifically how to address that in - I don't know - 20, 30, 40 categories that are heavily aligned to the CIS framework. But, you know, we map it to just about all the frameworks. So there's sort of all those built-in controls there. But we also provide, you know, particularly useful on the infrastructure as a service or IaaS side, the ability to bring in through the marketplace and whatever else you want to bring on your VMs, any number of, you know, popular firewalls, IDS/IPS capabilities, code security capabilities, et cetera.
Rick Howard: Again, this is not a hit on Microsoft. Most security vendors don't do this. But what's frustrating is that they are so close to getting this done. They can prevent many different and isolated malicious behaviors but with no context. They can't say whether or not they could stop the entire collection of activity that the Iranian cyberespionage group Charming Kitten strings together across the intrusion kill chain. And we know roughly 95% of what all adversary groups are doing. Don't believe me? Check out the MITRE ATT&CK wiki. In other words, security vendors try to stop any adversary from using a generic technique. OK. That's laudable. But what I want to know is whether or not Charming Kitten is in my network and whether they are successful in accomplishing their mission.
Rick Howard: Which brings us to the end of looking at Microsoft Azure through the lens of first-principle thinking. Overall, I would say that Azure provides you the tools to deploy your four strategies, but they don't do it for you. They have a robust set of capabilities that make it possible to build virtual networking environments that are resilient and follow a zero-trust strategy. They don't really talk about intrusion kill chain prevention, but they offer a standard set of security tools that we could use to do it ourselves. The same goes for risk assessment. They don't calculate the risk for you, but they do provide a lot of telemetry from your Azure Virtual Network instances that could be fed into risk calculations and Monte Carlo simulations. So it's possible, but there's some work ahead.
Rick Howard: And that's a wrap. If you agreed or disagreed with anything I have said about Microsoft Azure security, hit me up on LinkedIn and we can continue the conversation there.
Rick Howard: Next week, we will continue our theme of looking through the cybersecurity first-principles lens. And this time, we will be focusing on Amazon Web Services. Can you deploy the four strategies in that cloud environment? You don't want to miss that. The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, and the mix of the episode and the remix of the theme song was done by our insanely talented Elliott Peltzman. And I am Rick Howard. Thanks for listening.