Digital Anarchist + Prisma Cloud at RSA 2020: IaC vulnerabilities, shift-left security, shared responsibility model.

At RSA 2020, the team from Digital Anarchist media sat down with Matt Chiodi, CSO of public cloud at Palo Alto Networks, to discuss the spring 2020 edition of the Unit 42 Cloud Threat Report, including surprising vulnerabilities in IaC templates, the practical effects of shift-left security, how to operationalize the shared responsibility model, and more.


Transcript

 

Charlene O'Hanlon:

Welcome back everybody. This is Charlene O'Hanlon, moderating, no, sorry, I'm the managing editor [laughs]. It's the end of the day, I'm sorry, managing editor of media ops, and we're here at day two of RSA 2020, having some really great conversations and I'm really excited about this next one with Matt Chiodi, who is the CSO of public cloud at Palo Alto Networks. Matt, thank you so much for joining me today.

 

Matt Chiodi:

Thanks for having me here, strongly appreciate it.

 

Charlene O'Hanlon:

So you guys just put out the Unit 42 Cloud Threat Report, am I right?

 

Matt Chiodi:

That's right, yeah, spring 2020 edition.

 

Charlene O'Hanlon:

All right, so tell me what are the highlights?

 

Matt Chiodi:

So some of the highlights were we did the first ever industry wide-scale study of infrastructure-as-code templates.

 

Charlene O'Hanlon:

Wow!

 

Matt Chiodi:

So this is huge, right? For DevOps teams, this is something that they've been using now for a number of years. It's not new, but for security teams that are finally starting to get an eye on this, this is something completely new. And what we found from the study of hundreds of thousands of these infrastructure-as-code templates is that there's a massive number of vulnerabilities that are being created.

 

So we found a couple of things, so number one, we found that over 200,000 of these templates had at least one or more medium or high severity vulnerability.

 

Charlene O'Hanlon:

Yikes!

 

Matt Chiodi:

Right? So a large number of them. And then going a little bit further we found specifically that 23% of them, 23% of Kubernetes configurations from infrastructure-as-code templates created a container that ran with unrestricted permissions.

 

Charlene O'Hanlon:

Yikes!

 

Matt Chiodi:

So you've got an application that's now running as root, and if that application becomes compromised it is also-

 

Charlene O'Hanlon:

It's all over.

 

Matt Chiodi:

It's all over. And then even going one step further, we found that about 27% of SSH resources that are configured by Terraform infrastructure-as-code templates exposed SSH to the entire internet. So these are-

 

Charlene O'Hanlon:

That's kind of frightening.

 

Matt Chiodi:

It is, and the thing is that infrastructure-as-code templates have just this massive positive and potentially negative to them. The positive side of it, if leveraged appropriately, is that security teams and DevOps teams can have a common platform where they can build cloud infrastructure using this common language. Security teams can embed security standards.

 

Charlene O'Hanlon:

Right.

 

Matt Chiodi:

But what we've seen unfortunately is that security teams have not really started to leverage these templates, and DevOps teams are making a lot of misconfigurations in these templates.

 

Charlene O'Hanlon:

So do you think that's more an issue of maybe the security teams don't really have the developer background, or knowledge base to be able to go in and say, "Well, this is wrong, this needs to be changed, this is a huge issue." Or is it more the developers don't really have the security mindset? Or is it a combination of both?

 

Matt Chiodi:

Yeah, I think, Charlene, you're right, I think it's a combination of two of those things, but also something else I would add to the mix. So certainly one of the questions I asked, so I had a session yesterday at RSA, I always love to ask, show of hands, I assume most people in the audience are typically security people, being that it's RSA, I love to ask, "How many here come from a software development background?" I was surprised the number was a little bit higher than in the past, it was probably 20% of the room.

 

Usually when I ask that question when I give various talks it's usually 1% of the room. So you're right, part of it that security teams don't come from a software development background, so they're just not comfortable with ... They don't even know necessarily what questions to ask. And then you have it with the development teams, where even though people like to say, "Security is everybody's job," the reality of it is that developers are focused first and foremost on getting features and functionality out.

 

And so I think there's that piece of it, but the third part I would add to it is that there haven't been a lot of tools in the industry to enable developers to scan these infrastructure-as-code templates for these types of issues. And if there have been, it's been something that's completely disconnected from their CI/CD process.

 

Charlene O'Hanlon:

Okay.

 

Matt Chiodi:

So it's one of the reasons as well.

 

Charlene O'Hanlon:

That's interesting because I've been having the conversation for the last two days or so about DevSecOps.

 

Matt Chiodi:

Sure.

 

Charlene O'Hanlon:

And that whole migration of shifting left, security left in the software development lifecycle. But it's also been a culture conversation, that security and developers are never really going to work together no matter what because they speak different languages.

 

Matt Chiodi:

Sure.

 

Charlene O'Hanlon:

I personally don't buy that at all. I think that there can be a happy medium. And tools, like what you're talking about, I think will do a lot to bring those two factions together. And so developers won't look at security as this big wall-

 

Matt Chiodi:

Sure.

 

Charlene O'Hanlon:

That's going to cause them to slow their process and they're not going to be able to get their code out fast enough and yada, yada, yada. And then the developers will ... I'm sorry, the security folks will look at the developers and they'll have maybe a little bit of empathy, they'll understand what the developers are going through.

 

Matt Chiodi:

Right.

 

Charlene O'Hanlon:

And so I think the fact that there are tools that are now coming out that are doing this, I think they're going to do a lot to advance that.

 

Matt Chiodi:

Sure.

 

Charlene O'Hanlon:

But how long do you think it's going to take for that to happen?

 

Matt Chiodi:

It's certainly something that we're seeing, organizations, I guess in industry we've been talking about shift left for probably, what? Three, four, five years now?

 

Charlene O'Hanlon:

We should be shifted all the way over at this point. [laughs]

 

Matt Chiodi:

We should be, right. But I think there was a challenge with it, so even though the concept was out there three to five years ago the tools weren't there, and certainly, when we look at modern software development processes, CI/CD pipelines, even the ability, if A, the tools didn't exist, but the ability to plug those tools in, that also wasn't there. That's now here today, we have that capability today.

 

So now it's not a technology issue anymore, now it's a process and a people issue. And technology is usually not the difficult part, the process and the people are usually the hardest part. So it does deal with culture. But I meet with clients all around the world, commercial enterprises, federal governments, and last week I was at a forum in DC where there were over 150 attendees, this was all different parts of the government. And it was a whole forum focused on DevOps and also DevSecOps. So I was really impressed to see this. So this is something that I believe is just starting to hit the mainstream.

 

Charlene O'Hanlon:

Oh, that's good.

 

Matt Chiodi:

I'm really excited to see that federal government is also starting to get involved here.

 

Charlene O'Hanlon:

Yeah, well that is really good news.

 

Matt Chiodi:

It is.

 

Charlene O'Hanlon:

So what else are you seeing? What else came out of the report?

 

Matt Chiodi:

Yeah, so a couple of things. So one of the other things we looked at in this wide scale study was we looked at a couple of different things around infrastructure-as-code templates. We found, unfortunately, that about 60% of cloud storage services are configured in a way that logging is completely disabled.

 

Charlene O'Hanlon:

Yikes!

 

Matt Chiodi:

Yeah, it's scary, right? Because think about it, you can try to do almost all the right things, but eventually, if your number's up, you're going to unfortunately probably deal with a breach or a potential breach at some point. But if you have logging completely disabled in your cloud storage services you have no way to prove or disprove that you've had an event.

 

So this is kind of basic security hygiene 101. And we see that at least from our scale, looking at hundreds of thousands of these infrastructure-as-code templates, that basic things like that aren't being done.

 

Charlene O'Hanlon:

Isn't that a regulatory compliance issue as well, if you don't have your logs on?

 

Matt Chiodi:

Absolutely, it can be. Most compliance standards require that, of course we also found a shockingly high number of cloud databases that also don't have encryption enabled, which is here in the US, HIPAA, PCI, GDPR issues. So again, one of the things that we see that gets most organizations in trouble when it comes to cloud security, it's not the latest Zero-day, some nation state doing an advanced persistent threat. It usually has to do with simple misconfigurations.

 

We publish our cloud threat report twice a year. So in our summer of 2019 report back in July, one of our headline statistics, we found that 65% of cloud security incidents were the result of customer misconfigurations. So that's why we dug a little bit more into this report, to see the why. And I think we start to see that with these infrastructure-as-code templates.

 

Charlene O'Hanlon:

So what has to happen for that to change?

 

Matt Chiodi:

There are three things that we usually recommend. And none of these are, again, anything super advanced, but it's about doing the basics right. So the first one is, obviously you need to have, and you need to get and maintain, deep cloud visibility into what's happening across both your private cloud environments as well as your public cloud environments.

 

Organizations are still struggling to understand what they have on a basic asset management perspective in the cloud. So that's number one, once you understand that then you can understand your attack surface and you can understand just what the risks are.

 

After that what we recommend is that you focus on standardization of security controls. So there are a lot of organizations out there; the Center for Internet Security has really good benchmarks for the major cloud providers. Use those types of standards, build off of those.

 

And then the last one we talked a little bit about already, and that's shifting your security left. We really believe that that 65% number that we talked about, 65% publicly disclosed incidents or misconfigurations, we believe if you shift security left, you start scanning those infrastructure-as-code templates as part of the build process, as part of the smoke test, that you can eliminate those in your build pipeline, and that'll greatly reduce that number of incidents that may end up being in production or in production code.

 

Charlene O'Hanlon:

That makes sense, that makes total sense. What about the issue of shared responsibility in the cloud? That's something that's come up here and there in the conversation, especially this year. So does that have any bearing on what the threat report found?

 

Matt Chiodi:

Sure.

 

Charlene O'Hanlon:

And, if so, what is it?

 

Matt Chiodi:

I think most organizations conceptually understand the concept of shared responsibility. But I think where things start to break down, I was with a large organization last week, and they were asking, "Can you help us internally with this shared responsibility model?" And as a security vendor we're happy to help educate, but unfortunately inside, the larger the organization, a lot of times they just get stuck on, well who actually owns this component of it? It's actually somewhat easier in a smaller organization, simply because you don't have that level of complexity.

 

So I don't think it's necessarily the shared responsibility model that gets people in trouble not understanding it, but it's actually figuring out who's going to do what. So simple things like roles and responsibility, responsible-accountable-informed, like a RACI matrix. I usually encourage organizations to really think about that, to make sure they understand that there's not any gaps. Someone has to be responsible for all those areas, you need to map those types of things out.

 

I think that's what has gotten a lot of organizations in trouble, is just not understanding that. And then of course most organizations at this point in time, probably 80-plus percent, are multi-cloud. They're not just using one, they're using two or three vendors, and just when you go from using one provider there's complexity enough, you move to another one, it's not just like one plus one, we're talking exponentially more complexity because everything is done very differently.

 

Charlene O'Hanlon:

Right, right, right. Yeah, and that's becoming a much larger issue as more organizations move to a multi-cloud environment.

 

Matt Chiodi:

Absolutely.

 

Charlene O'Hanlon:

So what are some of the tips that you might be able to offer organizations that are moving into that multi-cloud environment to help them at least be more aware of some of the security issues that they might be facing?

 

Matt Chiodi:

Sure. So I think a lot of organizations are tempted to try to deal with things in a multi-cloud world with the way they did it on premise. They're trying to use old tools that are not API aware, they're not leveraging the cloud provider APIs.

 

So we're big fans of cloud native security platforms, you might hear this term CNSP, cloud native security platform. So it's really important, because, again, from a security team, when you look at who owns most cloud accounts now, it's usually DevOps. And so the table has turned quite a bit over the last few years. So I think the recommendation is for security teams to really make sure they're evaluating their platforms to make sure they are cloud native. Which means, all cloud native means is that you're using tools that work natively with those APIs, that don't disrupt that DevOps pipeline. So figure out what are the tools that natively work with the tools that your developers are using, with the cloud platforms of choice, and making sure they integrate and work well and help you also have that ... I hate to use the term single pane of glass, but just a common place where you can go and see your security status, across not just one, two, but multiple clouds, including private cloud.

 

That's what gets a lot of organizations in trouble, is when they have, "I've got to go to seven different consoles to try to understand different parts of my security, what's the risk?" So having all those disparate point products a lot of times leads to actually a greater lack of risk clarity, and that's the opposite of what most Chief Security Officers I talk to want. They want that clear picture of risk clarity across multi-cloud.

 

Charlene O'Hanlon:

What about the idea of being able to show different ... I'm thinking along the lines of value stream management in DevOps where you need to see how something impacts something either being late or delayed or not working at all, how it impacts the rest of the ... It's like the butterfly effect, right? So is there something like that for security as well? When we're talking about a multi-cloud environment, is there that single pane of glass for different personas that need to see that information?

 

Matt Chiodi:

Yeah. I mean certainly at Palo Alto Networks we have a similar tool that does something like that.

 

Charlene O'Hanlon:

There you go.

 

Matt Chiodi:

It's called Prisma Cloud. So Prisma Cloud is a cloud native security platform that allows developers, it allows security teams, compliance teams to have, again, that single dashboard where they can see into their development pipeline. So if there are vulnerabilities that are introduced, they can stop them in the pipeline, and at the same time they can also manage what's happening in their runtime environment as well.

 

Charlene O'Hanlon:

Okay.

 

Matt Chiodi:

Yeah, so I don't think it's ... In the security world it's not called probably value stream mapping, but certainly, again, a lot of times it comes down to metrics, being able to understand what it looks like across the board. And we help customers do that with Prisma Cloud.

 

Charlene O'Hanlon:

Excellent, excellent. So the Unit 42 report you said comes out twice a year?

 

Matt Chiodi:

Twice a year. So this one that we talked about here today, that one was just released, just the beginning of February, so it's very fresh.

 

Charlene O'Hanlon:

All right.

 

Matt Chiodi:

And then the next one will probably be coming out some time right around Black Hat.

 

Charlene O'Hanlon:

Okay, and freely available on the website?

 

Matt Chiodi:

Absolutely, just go to unit42.paloaltonetworks.com, and you'll find a link for the latest cloud threat report.

 

Charlene O'Hanlon:

Awesome, awesome, good stuff.

 

Matt Chiodi:

Absolutely.

 

Charlene O'Hanlon:

Thanks so much.

 

Matt Chiodi:

Yeah, it's fine. Thank you so much.

 

Charlene O'Hanlon:

That was great. All right. Hey guys, I think that is the last interview for today. Please check in tomorrow, we're going to have a raft of interviews for the last day of RSA 2020, so thanks for joining us today.