Thanksgiving and re:Invent are nearly upon us, and that means attackers will once again have their annual ~9-day window where development and security teams are busy eating turkey (or Tofurky) and spending time in Vegas. From an attacker’s perspective, this combination is liquid gold. If you knew that every year between Thanksgiving and re:Invent, you had 9+ days where eyes on glass were at their lowest, would you not take advantage of this? I know I would. Yet despite this knowledge, we continue to see companies not taking advantage of security standards – such as the CIS benchmarks – or public cloud provider APIs to automate monitoring the security posture of their cloud environments.
It’s re:Invent. Do you know where your access keys are?
Back in 2017 on the last day of re:Invent, we had a haggard-looking attendee frantically run up to the RedLock booth (definitely not the first time or likely the last). We’ll call him Aditya to protect the innocent. Aditya asked if we could help not only with the hygiene of his company’s AWS accounts but also detect the compromise of access keys (the answer is “yes” to both). He proceeded to explain what had happened over the last few days as large portions of both development and security teams had basked in deep knowledge sharing at re:Invent. The story unfolded in an increasingly common way: a developer had inadvertently uploaded an access key to GitHub, and an attacker found that key and was then able to spin up massive amounts of compute (likely for cryptomining). This not only generated a six-figure bill but also permitted the attacker to exfiltrate data from several key resources. Remember Aditya’s haggard look? Now you understand.
Unless public cloud provider APIs are a core pillar of your security program, you are still operating with an on-premises mindset.
Standards & automation to the rescue
Public cloud services, such as Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure, all provide greater agility, scalability and infrastructure consistency than traditional data centers. However, the risk of data loss and business disruption remain because many companies have not yet organized their cybersecurity programs to take advantage of the API-driven nature of public cloud platforms. What does this mean from a practical standpoint?
Unless public cloud provider APIs are a core pillar of your security program, you are still operating with an on-premises mindset. It is these very APIs that will allow your team to continuously monitor compliance with a security standard (we very much like the CIS benchmarks) as well as glean powerful telemetry data around the status of your access keys. Likewise, it is these very APIs that give you the capability to not only monitor compliance but also take corrective action. But those rich APIs don’t do you or your security program any good unless your processes and tools take advantage of them.
Get your house in order before Thanksgiving + re:Invent
Aditya was clearly someone who knew the technical merits of AWS. However, from an organizational standpoint, his company made at least two critical errors: 1) no clear adoption of security standards, and 2) no continuous monitoring of the security posture of their cloud environment. While most large organizations have dozens of on-premises security tools at their disposal, many are severely underinvested when it comes to public cloud. Public cloud providers have attempted to bridge this gap by providing cloud-native security controls. However, many of these tools are nascent and only solve narrow problems related to their cloud. This doesn’t help the estimated 81% of companies that have a multi-cloud strategy.
In order to enjoy the upcoming Thanksgiving holiday as well as an amazing week of learning and networking at re:Invent, do yourself a favor and get a free risk assessment of your cloud footprint. RedLock is API-based, without agents or proxies. This means, within minutes, you’ll have a solid understanding of which actions you need to take before digging into that turkey (or “plant-based roast”) and boarding your flight to Vegas.