I ran into an old friend over the holiday; he will remain nameless, and I will refer to him by a moniker, the Security Admin from Hell (S.A.F.H.). Since I last spoke at length with him (over seven years ago), he has transitioned from building and operating large data centers to working in the cloud, Amazon Web Services.
To describe the person is complicated; in the real world, he’s successful, married, has children and grandchildren, and lives in an area called the Hamptons of the North. I mentioned the location seemed quite remote, and he responded, “I’m not inviting you over if that’s what you mean. However, the location is close to mass transit, so NYC is an easy day trip; within 2 hours of travel, there are five international airports, if that is required. And since almost all of my work is remote or in the cloud, all I need is clean internet connectivity.”
He has been in the technology game for 30+ years and has a list of industry certifications that is “impressive.” He seems to be on the speed dial for several “C” layer players in multiple areas, from Defence, Start-Ups, Service, and Non-Profit. As he said, “Life is not boring. Always something new to learn, always a new challenge to solve.”
Over an excellent steak and several bourbons, he began to open up about the various projects he’s been involved in. But being involved in security operations at many levels, he was more than oblique in describing the clients and focused more on the technology, experiences, and theories involved. (This was quite fine by me as I am interested in the tech, not the names).
Pressing him on his experiences in the cloud, I asked, “What are the top three things you need to succeed in the cloud?” His answer was, “Paranoia, Paranoia, and Paranoia.”
He read my face at this answer and expanded on his response:
“Paranoia in Operations, as things WILL GO WRONG. When they do, what is your plan? And when that does not work, what is your backup plan, what is your back-out plan, and what is the OH SHIT plan?”
“Paranoia in Development: developers need to get things done, which means security considerations are secondary to launching a project. So how do you bake in G.A.S.S.P.?”
I pressed him on what G.A.S.S.P. is; his response was, “Generally Accepted Systems Security Practices. Have a look at any of the open standards out there, like the C.I.S. standards, NIST, etc.”
“And the third paranoia is?” I asked. He responded, “P.O.P.: People, Operations, and Procedures.” Then, pressing him on this, he replied, “People – no single points of failure; no one person should hold critical knowledge or access. Operations – basic functions, monitoring for operational health and security compliance, backups for when things do go wrong, or an automated way to restore the working environment. And Procedures – every task should be documented in simple, step-by-step instructions.”
I pressed him more on the procedures side, and he responded, “It’s called O.M.L. Not Oh, My Lord, but Operational Maturity Level. A general measure of an organization’s, and not just the technology side’s, overall consistency, reliability, resilience, coherence, and sophistication at the management, design, and operation levels. There was a website, SopCulture.com, that went deep on this, but I don’t know if it is still active.”
As the desserts and coffee arrived, I asked, “Given you work in AWS, where do you start an engagement?” He responded, “Basic account-level review. Many services check for compliance and do ongoing reviews, etc. There are also many open-source products supported on the AWS Marketplace; my go-to for this is Prowler; look it up on GitHub. It will compare your entire environment to many standards and utilize the G.A.S.S.P. standards as well.”
He continued, “For environments with web interfaces (this is just about every born-in-the-cloud environment), a good O.W.A.S.P. scan. And before you ask, Open Web Application Security Project. Just think of it as GASSP for websites. Kali OWASP ZAP is a decent starting place, but many services are also available.”
As we finished our meal, he looked at me and said, “You’ve done a nice job pumping me for info; now it’s my turn. So let’s grab one more at the bar, and you tell me about the monitoring project you were raving about at re:Invent 2018. I think you called it Llama.”
As I sipped a very nice cask-strength bourbon, I commented, “It’s CloudTrail all the way down; make sure the trail is global and records all events, management and data. Past that, it’s all about what you do with the data. There are many services to do this for you, but I find they are either inflexible or complex to the point that a team is required to manage them. Llama was a homegrown solution, and the framework grew from Llama to Camelid, to C2, C4, and thence to M2. But again, these were all homegrown with no support other than myself.”
He looked at me and commented, “I’ll recommend an open-source framework with community support, a paid support option, and even a cloud-based service. I suggest you start running this in EC2 or on a beefy box in the lab.” He continued, “It’s called Wazuh and is a spinoff of the OSSEC project.”
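The CloudTrail advice above (global trail, management and data events recorded) turned into a checker. This is an added example, not the author’s Llama code or anything from the Wazuh project; the dict keys follow the response shapes of boto3’s CloudTrail `describe_trails` and `get_event_selectors` calls, and the sample trail below is constructed, not captured from a real account.

```python
"""Evaluate a CloudTrail trail description against the 'global, all events' advice."""
from typing import Dict, List

# Data-event resource types a practitioner usually wants covered (assumption for this example).
WANTED_DATA_TYPES = ("AWS::S3::Object", "AWS::Lambda::Function")


def check_trail(trail: Dict, selectors: List[Dict]) -> List[str]:
    """Return a list of findings; an empty list means the trail meets the advice."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is single-region; activity in other regions is not captured")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("global service events (IAM, STS, CloudFront) are excluded")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation is off; tampering with stored logs goes unnoticed")

    # Management events must be on for both reads and writes (ReadWriteType == "All").
    mgmt_all = any(
        s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
        for s in selectors
    )
    if not mgmt_all:
        findings.append("management events are not recorded for both reads and writes")

    # Data events are opt-in per resource type; flag any wanted type with no selector.
    data_types = {r.get("Type") for s in selectors for r in s.get("DataResources", [])}
    for wanted in WANTED_DATA_TYPES:
        if wanted not in data_types:
            findings.append(f"no data-event selector for {wanted}")
    return findings


# Constructed sample: a global trail that logs management events only.
SAMPLE_TRAIL = {
    "Name": "org-trail",
    "IsMultiRegionTrail": True,
    "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": False,
}
SAMPLE_SELECTORS = [
    {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}
]

if __name__ == "__main__":
    for finding in check_trail(SAMPLE_TRAIL, SAMPLE_SELECTORS):
        print("FINDING:", finding)
```

Feed it the real dicts from `boto3.client("cloudtrail").describe_trails()["trailList"]` and `get_event_selectors(TrailName=...)["EventSelectors"]` to run it against an account.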
At this point, we were both sated with food and becoming fuzzed with alcohol. Still, he did wrap things up with a few pithy remarks: “The cloud-based services are great if you want to check boxes for an auditor; they do the basics, and hopefully are maintained to keep pace with the ever-changing threat landscape, but do not expect them to be overly flexible or to deliver the data you are looking for. The one thing I want from a security monitoring service is meaningful, actionable intelligence. Home-grown like your Llama series is great for targeted use but a PITA to manage. For deep use, I’ll reach for a supported open-source project.”
Leaving the restaurant and stopping for the obligatory separation smoke, he mentioned a current born-in-the-cloud client who arranged chartered aircraft flights, as well as a client moving from a classic WordPress website and e-community to an all-in AWS data collection and analysis system.
As we parted, plans were made to meet up when he was next in the city.