Uncovering Hidden Risks 9.27.23
Ep 12 | 9.27.23

Cloud Security Posture Management: Top Risks and Best Practice Solutions


Erica Toelle: Hello, and welcome to "Uncovering Hidden Risks," a new podcast from Microsoft where we explore how organizations can take a holistic approach to data protection and reduce their overall risk. I'm your host, Erica Toelle, senior product marketing manager on the Microsoft Purview team. And now let's get into this week's episode. [ Music ] Welcome to another episode of "Uncovering Hidden Risks" podcast. In today's episode we will talk about hidden risks behind cloud native applications and how customers can take a proactive approach to mitigating these risks across the development life cycle. Let's start by introducing today's guest host who will join us for the discussion. Daniela Villarreal is a senior product marketing manager for Microsoft Defender for cloud.

Daniela Villarreal: Hi, Erica. I'm excited to be here with you all today. Cloud security is a top priority for many organizations.

Erica Toelle: And also joining us today as our guest is Drew Nicholas. Drew is a Microsoft Principal Security Black Belt with in depth experience as a cloud architect. Drew has spent eight plus years at Microsoft in different roles. These roles include working for Microsoft's consulting services, Microsoft's customer facing incident response team, and his current role.

Drew Nicholas: Hi, Erica. Thank you so much for having me. I'm really excited to talk about cloud native applications, talk about securing them. In my current role my focus is helping customers gain visibility and really take control of their cloud security posture management.

Erica Toelle: Drew, maybe to start, can you set up the context of cloud security posture? For example, why is it important and how does it fit into the big picture of security? Like what role does it play in cloud native application development?

Drew Nicholas: So when I'm thinking of cloud security posture management it's really understanding your resources that you have. But if we kind of take a step back and look at it from a NIS cybersecurity framework, you have five pillars. You have the identify. You have the protect. You have the detect, respond, and recover. When I start thinking about CSPM it's really in that identify and protect stage. You're identifying what resources you have in the cloud. You're identifying what potential vulnerabilities you have. You're identifying kind of that sensitive data. But you're also doing the protect stage. Right? So cloud security posture management's all around giving you recommendations about misconfigurations and how to remediate that. And so one of the things that I try to tell organizations is if you kind of look at that, the military calls it left of bang or a lot of cybersecurity professionals call it like the left of boom before something bad happens. What I like to think of cloud security posture management, it's, you know, getting the fundamentals down. And so when I was on the incident response team I would probably say 95% of the investigations that I responded to were not doing the core capabilities. Right? You didn't have multi factor authentication. You had publicly exposed IP addresses that allowed for easy user name and password. And this thing that cloud security posture management's trying to help you do is it's all around letting you know where you're at risk to kind of help prevent those. I'm a huge fan of CSPM a lot because to me it reduces the noise that goes into your detect and response stage because if you can do those first two pieces well, you're preventing the bad actors from getting that initial foothold. You're preventing them from even starting their attack because you're removing that. And you're also kind of prioritizing based on your environment. So, for example, most organizations want to know where are my crown jewels and where's my sensitive data. And that's really what a good CSPM tool should be doing is telling you that you have a risk that could be remediated, but that risk also puts things like sensitive data in -- behind the sight of the adversary. So one of the scenarios that I always tell customers. A few years ago there was a large organization that got popped because they had a virtual machine that was publicly exposed. Adversaries were able to do remote code execution on the device. When they got on to the device, as most adversaries do at that point, they want to look for things like lateral movement. And so, you know, how can we get that foothold into the customer's network? As they were looking for lateral movement, they realized that that device actually had managed identities over a database. And so that device that they were on, they could do whatever they wanted to to that database. And so what the adversaries did was actually replicated that database into a storage account. And the reason they did this was to give themselves persistence. That storage account was publicly exposed so every time that database got updated, it was replicated to that storage account so the adversaries could just go get the new data. And so this is kind of one of those things that if you look at a good CSPM tool it's going to tell you, "Hey, you've got virtual machines that are publicly exposed that allow for remote code execution." And it will also tell you like, "Hey, here's your sensitive data." So you know that that virtual machine can authenticate to that database or has privileges over that database. So we start looking at that in a context. That's where a CSPM tool really needs to play.

Erica Toelle: Thanks, Drew. That was very helpful. You worked on so many digital transformation and cloud migration initiatives with organizations. Could you tell us a bit more about the history of this space and the trends that you've seen over the years?

Drew Nicholas: Absolutely. This is one of the areas that I just kind of love. I mean when you talk digital transformation, right, this is really trying to increase value through innovation. So I was very fortunate at Microsoft that, as you said earlier, I've been here eight and a half years. I spent the first three years actually helping large organizations with their digital transformation, you know, get to the cloud. Over the last couple of years we've really seen that just take off. And then you'll have things like open AI. Right? So this is the whole idea of digital transformation. How can it use innovation technologies that just are not applicable to my on-prem environment? We're not going to be able to scale to the size that a lot of the cloud vendors do to virtualization. So really taking advantage of these cloud providers and allowing them to run these algorithms and such of that nature. But, you know, there's some of these complexities that are added into it because we're taking away the moat, if you would. Traditionally we had our castle, we had our moat. It was our networking aspect. What was ever allowed inside the network was good. Everything outside the network was bad. Well, in this new world everything is internet access. And the other part of this digital transformation is if we go back to the definition of we're increasing value through innovation, we've got to move fast. Historically we would do things like waterfall build methodologies and we've moved more to that agile build. And this is where some of the concepts of like CICD or continuous improvement, continuous innovation, continuous deployment come in. It's all around creating pipelines for faster cycles and a higher volume of releases so we can address our customer request faster. Well, as we kind of talked about the security risk, we go from this networking based security approach to this wide open where it's CICD. You're moving from the pre-commit to the commit stage, going to build, going to run time. And it's all going very fast. So when we start looking at these tools if we're looking at it from a historic standpoint, one, we would even wait until the very end. Well, unfortunately this waiting to the very end approach, so waiting until the application is fully running, if I wait until the very end, what's going to end up happening is those developers that kind of move on to the next application, they're going to kind of -- how do you say? They finish their job. They created the application. It's ready to go. So what we've kind of moved into this approach is actually bringing security into the dev ops process. A lot of times you'll hear it kind of called that dev sec ops aspect. But this is how security's got to think of the world today. How do I look at things like infrastructure's code? So infrastructure's code is the ability that we've never had really traditionally on-prem but they're templates. And these templates, it allows me to create my environment in the cloud. Well what a lot of organization and what we've historically had to do with cloud security is that we've had to wait until those templates were deployed. But if I can just do the scanning at the very beginning, then I'm shifting all of my security left and I'm really reducing that risk. But it does take a complete different change of mindset. But if we kind of go back to the original question, that is what digital transformation is. It's all around increasing value through innovation. And so in order to do that we have to have the right security controls.

Daniela Villarreal: Drew, it's interesting to hear about gaining this visibility and managing security with this seemingly end to end platform based approach. How does this help strengthen cloud security posture? What are some qualities organizations should look for in a cloud security posture management tool?

Drew Nicholas: Great question, Daniela. So, you know, really a strong security of posture, it really implies that you have full visibility on the security policies across your cloud environment. And when we start talking about full visibility, this is where we start bringing in those concepts I talked about earlier with data sensitivity. Where is my sensitive data? Very interesting fact. Luminaire Labs actually found that 21% of publicly exposed storage accounts contained sensitive information. So it's kind of frightening to hear that one out of five storage accounts that could be accessed by the internet has sensitive information in it. And there's a lot of reasons for this. If you start thinking about how the cloud is done, storage accounts are a key component of it. A lot of times people will stand up storage accounts to do dev work. And so you kind of have these like we'll call them the wild west storage accounts. But that's one of those things that if I have the visibility and if I kind of know where my sensitive data is, I can create my -- my security posture and my security policies based on that. Another one is when we start talking about full visibility. Sometimes for Azure we call it subscriptions. Sometimes I've been to customers before and they're like, "Oh, I didn't know that all of these other subscriptions here," whether they were created by the business units or, you know, somebody on the team just went out to azure.com and created something. So truly having full visibility requires you to have that scope of not just what IT is managing, but really what is associated with your organization. And, you know, kind of facing the security challenges mentioned earlier, what we plan to do is really help the organizations realize that they need to take different steps to better manage their cloud security posture. What we found is that actually a lot of research shows that organizations look for that platform solution. And the reason is that because it gives you context. Right? So when you have a platform that's actually working together, you can start seeing things that you've never seen before. I gave the example earlier of that virtual machine that has a managed identity on a storage account. That storage account has sensitive information. But, you know, it goes even further than that. It's even scenarios like if we think about Log4J, every company in the world was trying to find, you know, if I had -- if I've got applications that are vulnerable to Log4J, who pushed the application? Where is that source code that's associated with it? And that's another piece of visibility. And I highly recommend organizations do -- is start looking at not just what is running, but where did it come from? For those organizations that had that visibility for what we call code to cloud where they could quickly find, okay, this is my application that had that vulnerability, I can quickly correlate this is where the application was pushed from. Here's the repo. I can go to that repo, do the updates, and I'm updating it significantly faster. And so to me when we start talking about visibility it's not just what is actively running, but it's things like where did it come from or like where's the source code that it's associated with. Is it internet facing? Is there sensitive data? Is this a production environment? So there's a lot of variables that go into that visibility as well. And I know it's not easy or practical to perform a lot of these actions without that unified platform that we talked about. And even when you start looking at different cloud providers, I kind of make the recommendation or the concept to customers when I'm talking to them, if you have a next gen firewall in all three of the different clouds, that server that that next gen firewall is going to be configured the same, but if you start looking at it from the cloud layer, you start looking at things like -- for Azure we have Azure load balancers. For AWS it's elastic load balancers. And so there's different configurations from the cloud provider perspective. So really having that uniformed approach can help you not just in your like one cloud, but all three of your clouds.

Erica Toelle: Drew, I can imagine that there are many organizations that have a very large cloud footprint that would benefit from the scenarios you just outlined in gaining visibility. Could you maybe share an example of a common blind spot that you've seen throughout your work?

Drew Nicholas: Yes. So I was working with one customer about 10 months ago. Great customer. I really enjoyed working with him. I was talking to them about a tool that we have that does that data sensitivity scheme. And I was like, "Just, you know -- just turn it on to see what's out there." Because they -- they kind of did feel pretty confident that it was going to be -- everything was going to be okay. Which I was hoping that everything would be okay for them, but they turned it on. About two days later they pinged me. They're like, "So we found a bunch of storage accounts that have sensitive data and are publicly exposed to the internet. How do we get this remediated?" As somebody who used to be on the incident response team, talking customers kind of through these kind of situations has always been I guess a skill of mine that you would say. I first reiterated that that study that we talked about earlier 21% of the storage accounts. So it's not -- it's not uncommon. But we've just got to get remediated. Right? We've got to get the right firewall rules in. We need to make sure that really what they should be doing is using things like private link, but until then let's go ahead and scope this where you can't just hit it with a URL. And let's go ahead and make sure going forward that anywhere that we have that sensitive data we're putting the correct controls around because unfortunately, you know, misconfigurations have serious consequences. One of the studies from IBM recently is that showed that -- is that security misconfigurations are now the third leading cause of a data breach. We know -- we know by that report that, you know, it's crossed the $4 million threshold now for each data breach. And unfortunately now security misconfigurations is right behind phishing an identity compromises. And so organizations have seen, you know, simple mistakes leaving applications and data open for unauthorized access. And it's hard repercussions. But the good side is is that with the cloud we do have a lot more ability to have visibility that we've never had before. Kind of going back to that whole idea of digital transformation, you know, we're able to answer customer requests significantly faster. So it's this double edged sword, if you would, is that we have these risk configurations. They are unfortunately very common. But we do also have the ability to truly help our customers faster. And so I would always make sure that we always highlight the positive side.

Erica Toelle: So data security's at the top of every organization's mind, and you mentioned data loss and finding sensitive data. And those related misconfigurations. I also know that there has been an emergence of data security posture management as a tool to monitor security risks related to cloud data. What is the relationship there? Have you seen both in practice?

Drew Nicholas: Yeah. So I love DSPM tools. I will say that originally a lot of security teams are a little resistant to it because they think that they're going to be stepping on the compliance team's toes. And this is a very kind of a narrow road to walk, but what I'd like to help organizations understand is DSPM tools are not about doing cataloging or compliance checks. We absolutely still have to have our compliance data tools. A good DSPM tool in my mind is one that gives you visibility. It's allowing the security team to go back to that prioritization of risk. It's all around giving the security team visibility into where the data lives. And so years ago I asked about tools to monitor security risk. I'm going to just keep harping on the ability to have context. Right? So if I have things that are PII or if I have data that I would have to disclose if it got compromised, those are kind of my crown jewels. And so I was talking to an organization actually just a couple hours ago on that whole idea of sensitive data and how do we mitigate risk. And I -- I always compare this to like jewelry at a house. You know, my wife has her engagement ring and if she's not wearing it, it goes in the safe. We're not going to just leave it on the table so if someone like breaks into the house they could just easily steal like the crown jewels of you. And that's where I really start thinking about sensitive data and data security posture management tools is that additional safe. It's knowing where your crown jewels are and building that security strategy to make sure that you have that defensive methodology so if something does happen they don't just break in the front door and they can steal the most expensive crown jewels. They have to go through the front door, then to the safe. And so you're putting those controls in, but you're doing it all around kind of sensitive information.

Erica Toelle: How should organizations approach gaining this visibility to strengthen their security posture? What are some of the risks that a unified security posture management approach can help address?

Drew Nicholas: Yes. So one of the biggest things that I recommend is having like an external vulnerability scanner. And actually recently CISA actually did the same publication and this was part of their recommendations is, you know, you should have a tool that is scanning from the outside in. So if we kind of go back to like thinking like a hacker, if we would, right, one of the tools that they use is a tool called Shodan. Shodan you type in IP addresses. You can type in domains. And it can give you that external vulnerabilities. And so what a lot of these adversarial groups do is they just scan it. They're like, "Oh. There's an IP address. What kind of vulnerabilities are there?" Or there's a domain. What kind of vulnerabilities are there? And so having that visibility that the hacker does or the adversary does I think is an incredible first step. So if you start looking at a from the outside in approach, now you're kind of building your defensive depth strategy with what the world sees. I think most CSPM tools that I've worked are typically kind of inside out approach. And so what that means is like you're looking at it from the service layer and what it could do. But as we all know that there is -- there are kind of network tools out there that can do things on the network layer that maybe those CSPM tools can't do. So I always recommend taking the CSPM -- so that inside out telemetry and pairing it with that outside in telemetry. So that can really help me prioritize. So kind of going back to the data security posture management, I know where my crown jewels are. I'm not going to allow it to be connected to something that is on the internet. It's going to have to go through the stages of security to get there. And so if I'm looking at it from the outside in, I can't just break into one virtual machine and steal all your sensitive data because, you know, there's a lot of times that these machines and IP addresses need to be publicly exposed. That's, you know -- that is what a web application many times is. But what I don't need is my web application to allow for remote code execution. So I shouldn't be able to take over that web application. And so that's where the -- like an external attack surface type management tool comes into play is it's really telling you what's out there and what could adversaries take advantage of.

Erica Toelle: So having this dual perspective and run time is super important, but is there an opportunity to extend this to development? How should organizations think about securing their development pipelines?

Drew Nicholas: So no. I -- you just hit on probably my favorite topic right now. It's this whole idea of kind of dev sec ops and shifting everything to the left. So one of the biggest things that I think can help organizations is really understanding their vulnerabilities before they get into runtime. I talked earlier about that kind of infrastructure's code scanning capabilities. So how most development is done nowadays is that you build like whether it's Terraform files templates or bicep templates, and these are things that say like when I push this, I need, you know, two servers, a database, storage account. And infrastructure as code scanning is all about looking at that infrastructure's code template and letting you know beforehand what kind of vulnerabilities are there. So, for example, if I'm creating new servers, I can see in the way that the template is written that it would allow for public internet access on a like management port to like 3389. I can look at the storage account that would be created and it could tell me whether it was going to be using the proper networking access controls. I can look at that web application, make sure that everything is from the web application to the database or properly going over a private leak. So infrastructure's code scanning is all about telling you before anything ever reaches production what could be wrong with them so you can quickly remediate it there. But that doesn't just stop at the infrastructure's code. One of the pieces that I think every organization in the world should do is actually do secret scanning on their source code. Like our -- remember I mentioned that on an infrastructure's code many times like servers will have a local user name and password. You definitely don't want to hard code the user name and password into the template. And I've seen developers do it. And that's another one that will allow for a quick, you know, alert. It will say, "Hey, this template has hard coded user name and passwords." Or this template has a SQL string. And the reason being is because a lot of the times depositories are shared, pooled. And so when you start pooling like these different repositories you don't really know who's all actually accessed. And unfortunately many times with repos people put them on like public repos. I know one large organization that actually put their arm templates on a public repository. It had hard coded user name and passwords. And it was the template that created all of their virtual machines. And so the whole idea of kind of dev sec ops is grabbing that information before it ever gets into runtime and giving you that posture management before it ever actually even becomes a resource in the cloud.

Erica Toelle: Daniela, I'd love to hear from you. What excites you about the future of CSPM?

Daniela Villarreal: I'm super excited about gaining more signals across the development life cycle to really embed security from code to cloud. But I'm also excited about using AI and applying AI to help boost security posture, especially in deepening those risk insights and remediating them earlier better and faster.

Erica Toelle: And, Drew, how about you? What should audiences be planning for in the future of CSPM?

Drew Nicholas: For those that aren't doing cloud security posture management, I absolutely recommend that piece. That external attack surface management. And I think the biggest piece that I haven't talked about is TI, threat intel integration. Because one of the things that we're sad to hear is that a recent study actually found that only 10% of vulnerabilities are remediated each month. But if you can start actually taking things like threat intel into context, so think of like APT 29 or 28, if they are actively exploiting a vulnerability, you should move that vulnerability to the very top of your remediation plan. So I think if I could say the top three things to really start looking at putting into your CSPM plan, the data security posture management, the attack surface management, and threat intel.

Erica Toelle: Thank you so much, Drew. That's about all the time we have for today's episode. To wrap it up, we'd love to know what is your personal motto or what words do you live by.

Drew Nicholas: That's a really good one. I'm actually going to talk to kind of the newer folks to cybersecurity. I joke all the time that I actually reverse engineered my way into cybersecurity. I kind of started, as I mentioned, as a cloud consultant. And then when some issues happened and our DRT team or detection response team needed a cloud resource they pinged me one day and was like, "Hey, you know, we need your help." Dan Taylor's the head of DRTs and he basically told me to get on the bus. And so I went there. I did my first engagement. And this was about six years ago, and it was the coolest experience I ever had. But I tell people that I reverse engineered my way into cybersecurity because we are an area that there is a lot of job openings and we absolutely have a talent gap, but I think folks who maybe not even have ever been in IT before absolutely I highly recommend looking at cybersecurity. And if I can do it, anybody can.

Erica Toelle: Excellent. And, Daniela, what's your personal motto?

Daniela Villarreal: When it comes to cloud security, it's really about, you know, knowing that accidents won't happen if prevention is taken. So having this proactive approach and really fixing vulnerabilities at the source is critical to securing your data and the downstream impacts of regulatory fines and potential reputation damage. So it's really important to take that preventative action.

Erica Toelle: Well, thank you both for joining us today to discuss how cloud security posture management can help enhance security. For our listeners, you can learn about Microsoft Defender cloud security posture management at aka.ms/defendercspm. We had a great time uncovering hidden risks with you today. Keep an eye out for our next episode. And don't forget to tweet us at msftsecurity or email us at uhr@microsoft.com. We want to know the topics you'd like to hear on a future episode. Be sure to subscribe to "Uncovering Hidden Risks" on your favorite podcast platform. And you can catch up on past episodes on our website uncoveringhiddenrisks.com. Until then, remember that opportunity and risk come in pairs and it's up to you where to focus.