Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.

Show Notes:

Links:

• Report finds old misconfiguration woes continue to hammer corporate clouds: https://www.scmagazine.com/home/security-news/cloud-security/report-finds-old-misconfiguration-woes-continue-to-hammer-corporate-clouds/
• Pentagon Weighs Ending JEDI Cloud Project Amid Amazon Court Fight: https://www.wsj.com/articles/pentagon-weighs-ending-jedi-cloud-project-amid-amazon-court-fight-11620639001
• Netflix Exec Explains Where Infosec Pros are Going Wrong: https://www.infosecurity-magazine.com/news/netflix-exec-infosec-pros-going/
• Firms Struggle to Secure Multicloud Misconfigurations: https://www.darkreading.com/cloud/firms-struggle-to-secure-multicloud-misconfigurations/d/d-id/1341008
• Researchers Create Covert Channel Over Apple AirTag Network: https://nmap.online/news/2021/researchers-create-covert-channel-over-apple-airtag-network
• Ransomware is Getting Ugly: https://www.schneier.com/blog/archives/2021/05/ransomware-is-getting-ugly.html
• Try this One Weird Trick Russian Hackers Hate: https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/
• Attorneys share worst practices for data breach response: https://searchsecurity.techtarget.com/news/252501054/Attorneys-share-worst-practices-for-data-breach-response
• Ransomware Guidance and Resources: https://www.cisa.gov/ransomware
• How to Get Employees to Care About Security: https://www.darkreading.com/theedge/how-to-get-employees-to-care-about-security-/b/d-id/1341058
• Corey Quinn’s Twitter: https://twitter.com/QuinnyPig

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.

Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.

Jesse: All the rage is DevOps, for good reasons: it works. You can’t do good cloud work without a flexible and functional DevOps operation. Similarly, you can’t do good security in the cloud without DevSecOps. However, [laugh] security people love their cryptic and geeky terms, so you hear, “You should shift left.” This is derived from the left shift bitwise operators that do binary math that moves values to the left. I told you it’s geeky.

This moving left translates to moving security integration into a project farther left in the development process when you start on the left and move to production on the right. Ultimately, this means you bring security into the very beginning of your conceptual designs, and write your first lines of code with security processes and methods in mind from the very start. Use more security tools, authentication and authorization hooks, and more granular encryption methods in your underlying services structures through your more complex processing. More work on literally coding security in at the start could save you several orders of magnitude of direct and indirect costs in the future. Don’t get owned, don’t get ransomed.

Meanwhile, in the news, Report finds old misconfiguration woes continue to hammer corporate clouds. If you haven’t heard me and countless others rant about going back to basics of cloud security, you haven’t been listening. This article should scare you into finally checking your basic permissions on things like storage and services so you don’t get pwned by being stupid.

Pentagon Weighs Ending JEDI Cloud Project Amid Amazon Court Fight. When a nearly $2 trillion company drags anyone into court, things will change. The largest move to cloud services by the US Department of Defense might not happen because Amazon got pissed and sent lawyers. Watch how this unfolds to learn both how Amazon the company operates and how the market moves toward or away from cloud in general and either Azure or AWS specifically as a result of this legal challenge.

Netflix Exec Explains Where Infosec Pros are Going Wrong. Most of us who work in cybersecurity will read this piece and have one of two strong reactions. People like me and everyone who isn’t a security professional will nod and smile and agree that times are changing and security needs to get with the times. Everyone else in security will scowl, and pout, and 
get mad.

Firms Struggle to Secure Multicloud Misconfigurations. We all struggle to secure all the things, but this report shows that most of us struggle to secure any of the things. Back to basics; I keep hammering on this because things like shutting down or securing ports and services and locking up cloud storage objects get you the biggest improvement in security posture out of almost anything else you do.