From Ghosts to Guardrails: Moving Beyond an Alert-Driven Posture (9-page slide deck, PDF shared on 三个皮匠报告)
Slide 1: From Ghosts to Guardrails: Moving beyond the alerts
with Shaun McCullough (cybergoof / @thecybergoof)
- Cloud Security Architect with GitHub
- SANS Instructor and co-author of SEC541: Cloud Security Attacker Techniques, Monitoring & Threat Detection
- 20 years at the National Security Agency focused on cyber operations, red/blue/hunt, and software engineering

Slide 2: Alert-Based Posture Program
Every finding must include: docs, auditing, alerting, implementation.
An alert-based program works only if:
- resources have owners,
- there are tools to notify and track,
- leadership is an advocate, not merely a supporter.
You are competing with engineering for energy (time, resources, investment).

Slide 3: AWS Guardrails
Service Control Policies (SCPs)
- Control ACTIONS in AWS.
- Principal-centric: control what an IAM user or role is allowed to do.
- Evaluation: Allow or Deny the IAM action, against a resource (or resources), when the conditions are met.
- Example: deny VM (EC2 instance) creation unless a required tag is included.
- Feedback is limited: a denied caller only sees a generic access-denied error.
Declarative Policies
- Describe how the resource is deployed, rather than which API actions a principal may call.
- Support custom error messages.
- Example: "Images: Public access is not allowed."

Slide 4: Azure Policies
- Supported effects: Audit, Deny, Fix (DeployIfNotExists).
- Apply at management group (the "OU" level), subscription, or resource level, with exceptions.
- Declarative resource configuration, e.g. "Storage Accounts are not public."
- Audit / Deny / DeployIfNotExists.
- Complex conditions are possible: if the resource is a VM and its size is in the G series, deny the action.

Slide 5: Building the Program
PREP: group cloud accounts into similar categories.
1. Convert all findings into audit policies.
2. Begin deploying deny for the policies that are already at 100% compliance.
3. Deploy deny for new resources in small batches.
4. Drive to 100% compliance.
5. Measure, learn, grab the next batch, and repeat.

From Ghosts to Guardrails, with Shaun McCullough. Thank you for attending. (cybergoof / @thecybergoof)
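The SCP example from the AWS Guardrails slide ("deny VM creation without an included tag"), written out as a policy document. This is an added example, not a slide from the deck: the tag key `Owner`, the statement `Sid`, and the choice of `ec2:RunInstances` as the "VM creation" action are my assumptions. The `Null` condition on `aws:RequestTag/Owner` is true when the request carries no `Owner` tag, which is exactly the case the statement denies.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutOwnerTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/Owner": "true"
        }
      }
    }
  ]
}
```

Two practitioner notes. First, `RunInstances` is authorized against several resource types at once (instance, volume, network interface, and so on); scoping `Resource` to `instance/*` keeps the tag check on the instance itself instead of failing the call for a volume that cannot carry the tag in the same request. Second, this is where the slide's "feedback limited" point bites: a principal blocked by this SCP gets an `UnauthorizedOperation` / explicit-deny error with no hint that a missing tag is the cause, so the ownership and notification pieces from the Alert-Based Posture slide still have to exist alongside the guardrail. An SCP also never restricts the organization's management account.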
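The "complex" example from the Azure Policies slide (if the resource is a VM and its size is in the G series, deny), written as a policy definition, and wired so it can follow the audit-then-deny rollout on the Building the Program slide. This is an added example, not from the deck: the display name, the `Standard_G*` pattern, and the decision to expose the effect as a parameter defaulting to `Audit` are my assumptions. The `sku.name` alias is the same field the built-in "Allowed virtual machine size SKUs" policy evaluates.

```json
{
  "properties": {
    "displayName": "G-series virtual machines are not allowed",
    "description": "Audits, then denies once compliance is reached, creation of G-series VM sizes. Assumed example policy.",
    "mode": "All",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Audit",
        "metadata": {
          "displayName": "Effect",
          "description": "Start with Audit, switch the assignment to Deny when the scope is at 100% compliance."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/sku.name",
            "like": "Standard_G*"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assign the definition at a management group or subscription with `effect` left at `Audit`, read the compliance results for that scope, and only then update the assignment's `effect` parameter to `Deny`; because the effect is a parameter, no second definition is needed to move a batch of accounts from "finding" to "guardrail". Resources that must keep a G-series size are handled with a policy exemption on the assignment rather than by weakening the rule. Note that `like` matches `Standard_GS*` as well as `Standard_G*`; tighten the pattern if only one family should be blocked.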