. @awscloud #reinforce // here we go…

🎙🧵

☁️ #cloud #security #devops
Adam Selipsky (CEO, AWS) up first with an opening message for @awscloud #reinforce
“Security is job ZERO at @awscloud”, Adam Selipsky. he’s referring to the fact that it is required as a baseline before building or doing anything

he goes on to say that #security is critical to AWS’ success and customer success

#cloud #devops
Adam wraps up and @StephenSchmidt, VP & CISO, @awscloud takes the stage…
no one is happy with the abbreviated format but I’m grateful that @awscloud cancelled the in-person event, just not worth it

let’s make the most of this virtual event
“I think it’s still day one for us with @awscloud Security”, @StephenSchmidt

#reinforce
…that’s an exciting comment from the CISO of one of the most advanced #security orgs on the planet. lot of possibilities!

#reinforce
the agenda for @awscloud #reinforce…sounds boring, should be amazing
Threat detection and incident response section opening quote, “Risk comes from not knowing what you’re doing”, Warren Buffett

@awscloud #reinforce
“Risk is introduced from failing to define, learn, and iterate”, @StephenSchmidt

do you know what your normal good state is? can you react to anomalies quickly?

@awscloud #reinforce
remote & #wfh have changed “normal” for organizations, #security needs to adjust (should’ve done that already!) in order to assess risk and properly monitor what’s going on

@awscloud #reinforce
nice shout out from @StephenSchmidt to the #security community to make sure that we have a clear demarcation between work and home…need it to avoid burnout

@awscloud #reinforce
. @verizon DBIR continues to deliver amazing #security data. this key point: phishing continues to be a massive problem

@awscloud #reinforce
phishing example posing as “security guidance”

@awscloud #reinforce
in a security conscious environment, texts like this 👆 should set off alarm bells

@awscloud #reinforce
are you educating your teams? do you have guardrails in place to help avoid mistakes?

@awscloud #reinforce
into the updates and (fingers crossed) launches section…

@awscloud #reinforce
. @awscloud GuardDuty up first

#reinforce
GuardDuty ingests partner threat feeds as well as @awscloud data in order to generate findings

more on those findings at docs.aws.amazon.com/guardduty/late…

#reinforce
“If you’re a ship at sea, you don’t want to be responsible for predicting the weather…you want professionals behind that analysis to help you out”, @StephenSchmidt

@awscloud #reinforce
ignoring the buzzword-i-ness of machine learning, it actually helps

GuardDuty uses #ml 🧠 models to help filter out the noise to let humans analyze high quality data

these models improve with more data poured into them

@awscloud #reinforce
GuardDuty customers see a 4-6 week head start with anomalies compared to traditional security threat analysis

@awscloud #reinforce
on to @awscloud Security Hub now...

@awscloud #reinforce
…which I mistyped as “@awscloud Security Hug” initially…that might not be too wrong. will have to dive into that play on words later on

@awscloud #reinforce
. @awscloud Security Hub is an actual hub. almost everything sends data to it

turn it on with a single click in your AWS account

more at aws.amazon.com/security-hub/

@awscloud #reinforce
pricing is reasonable. details at aws.amazon.com/security-hub/p…

@awscloud #reinforce
on to the tips section now…

don’t try to compete in real-time with attackers. you’re not going to win. set things up ahead of time. lots of automation is the key to strong #security in the @awscloud

#reinforce
think, “auto remediation”

…also @awscloud Lambda…lots and lots of Lambdas

#reinforce
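The “auto remediation with lots of Lambdas” tip, as an added example that is not from the thread or from AWS: a Lambda handler that takes a GuardDuty finding delivered through EventBridge, triages it by severity and resource type, and returns a remediation plan. The AWS API calls are delegated to a caller-supplied `execute` function so the decision logic runs offline; the severity threshold, the quarantine security-group id and the sample finding are constructed for the example, not values from the keynote.

```python
"""Added example (not from the thread or from AWS): an event-driven
auto-remediation Lambda handler. It consumes a GuardDuty finding from an
EventBridge rule, triages it, and returns the steps to perform. The
threshold, the quarantine group id and the sample event are assumptions."""
import json
from typing import Any, Callable, Dict, List

# Assumed operational parameters (hypothetical, set by the account owner).
QUARANTINE_SG = "sg-0000quarantine"   # placeholder security group id
HIGH_SEVERITY = 7.0                   # GuardDuty severity ranges 0.1-8.9


def plan_remediation(finding: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Map a GuardDuty finding (the `detail` object of the EventBridge
    event) to a list of remediation steps. Low severity only notifies."""
    steps: List[Dict[str, Any]] = []
    severity = float(finding.get("severity", 0))
    resource = finding.get("resource", {})
    rtype = resource.get("resourceType")

    steps.append({"action": "notify", "finding_id": finding.get("id")})
    if severity < HIGH_SEVERITY:
        return steps

    if rtype == "Instance":
        instance_id = resource["instanceDetails"]["instanceId"]
        # Swap the instance's security groups for the quarantine group,
        # keeping the instance running for forensics instead of terminating.
        steps.append({"action": "isolate_instance",
                      "instance_id": instance_id,
                      "security_groups": [QUARANTINE_SG]})
    elif rtype == "AccessKey":
        key = resource["accessKeyDetails"]
        # A compromised key is disabled, not deleted, so it can be reviewed.
        steps.append({"action": "disable_access_key",
                      "user_name": key["userName"],
                      "access_key_id": key["accessKeyId"]})
    return steps


def lambda_handler(event: Dict[str, Any], context: Any = None,
                   execute: Callable[[Dict[str, Any]], Any] = None) -> Dict[str, Any]:
    """Entry point. `execute(step)` performs one step (e.g. via boto3);
    when omitted the handler is a dry run that only returns the plan."""
    if event.get("source") != "aws.guardduty":
        return {"handled": False, "reason": "not a GuardDuty event"}
    steps = plan_remediation(event["detail"])
    performed = [execute(step) if execute else step for step in steps]
    return {"handled": True, "steps": performed}


# Constructed sample event, shaped like an EventBridge GuardDuty finding.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "example-finding-id",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8.0,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

Keeping the triage logic separate from the API calls is what makes the “set things up ahead of time” advice testable: the plan for each finding type can be reviewed before anything touches a production account.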
when conducting incident response, “Fix the underlying cause”, @StephenSchmidt

if you don’t, you’re just going to have to respond again shortly after you stop the incident. avoid “security slippage”

@awscloud #reinforce
. @StephenSchmidt’s example around overly permissive permissions is a common issue

use tools like @awscloud IAM Access Analyzer to avoid this one

more at docs.aws.amazon.com/IAM/latest/Use…

@awscloud #reinforce
. @awscloud Security Hub insights are handy for root cause analysis as well. same for Amazon Detective

more on Insights: docs.aws.amazon.com/securityhub/la…

more on Detective: aws.amazon.com/detective/

#reinforce
…on to #ransomware now...

@awscloud #reinforce
if you’re new to #ransomware, here’s a quick way to catch up

markn.ca/ransomware

@awscloud #reinforce
#ransomware in @awscloud usually equates to a loss of access to their accounts. resiliency and prevention are critical here

@awscloud #reinforce
some ideas around prevention of #ransomware

@awscloud #reinforce
I ❤️@StephenSchmidt’s keynotes because he always adds these “do this now” steps that take you 5-10m and deliver rapid #security value TODAY

well done Stephen!

(as usual 😉)

@awscloud #reinforce
btw, a lot of what @StephenSchmidt is talking about around prevention and resiliency is covered in the relatively unknown @awscloud Well-Architected Framework, “Management and Governance Lens”

docs.aws.amazon.com/wellarchitecte…

yes, it sounds super boring but it’s chock full of gold
more on AWS Backup Audit Manager at aws.amazon.com/blogs/aws/moni…

@awscloud #reinforce
“Making backups is a good FIRST step. Having an automated testing process for restoration is key to making sure things work”, @StephenSchmidt

@awscloud #reinforce
on to identity and access management now...

@awscloud #reinforce
opening quote, “There is always a gap between intention and action”, Paulo Coelho

@awscloud #reinforce
some terrifying IAM #security stats

@awscloud #reinforce
btw, every one of these 👆 issues is the SECURITY TEAM’s problem…not the users

we need to do a lot better at education and building systems with delightful #ux

@awscloud #reinforce
…and if you’re doing things right, the security team includes the teams that are building all of your systems 😉

@awscloud #reinforce
“Free is a solid price point”, @StephenSchmidt

referring to the fact that @awscloud IAM is $0.00

#reinforce
if you want to setup @awscloud IAM “work hours”, you can read about the required policies at docs.aws.amazon.com/IAM/latest/Use…

#reinforce
side note: you should also be following @QuinnyPig’s tweet 💩⛈ too!

@awscloud #reinforce
on to updates for IAM now...

@awscloud #reinforce
IAM Access Analyzer gets some updates!

@awscloud #reinforce
all of the “access analyzer” features are part of an @awscloud initiative called, “provable security”

learn more about this (trust me, it’s super interesting and cool. lots of math under the hood) at aws.amazon.com/security/prova…

#reinforce
“Review permissions regularly”, @StephenSchmidt

- your systems change regularly
- your business changes regularly
- adapt

@awscloud #reinforce
Use groups for IAM policies…pretty much always

details at docs.aws.amazon.com/IAM/latest/Use…

@awscloud #reinforce
<evergreen>
Use least privilege in IAM
</evergreen>

@awscloud #reinforce
build a culture that is OK with “I don’t need access to that data”

@awscloud #reinforce
“Keep humans away from data”, @StephenSchmidt << excellent advice…make sure you have good systems and automation in place

@awscloud #reinforce
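The IAM tips above (review permissions regularly, use groups, least privilege), as an added example that is not from the thread or from AWS: a small offline review that walks a constructed account inventory, flags Allow statements that grant wildcard actions or resources, and flags policies attached directly to users instead of to groups. The inventory, the policy names and the user names are made up for the example; it is not IAM Access Analyzer’s logic.

```python
"""Added example (not from the thread or from AWS): an offline review of
IAM policy documents against the keynote's tips. Inventory and names are
constructed for the example."""
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    # IAM accepts a string or a list for Statement/Action/Resource.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_policy(name: str, document: Dict[str, Any]) -> List[str]:
    """Return one finding per over-broad Allow statement in a policy."""
    findings: List[str] = []
    for idx, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wildcard_resources = [r for r in resources if r == "*"]
        if wildcard_actions and wildcard_resources:
            findings.append(f"{name}[{idx}]: grants {wildcard_actions} on all resources")
        elif wildcard_actions:
            findings.append(f"{name}[{idx}]: service-wide action {wildcard_actions}")
        elif wildcard_resources and not stmt.get("Condition"):
            # Resource '*' is unavoidable for actions with no resource-level
            # scoping (e.g. most Describe* calls); anything else should be scoped.
            findings.append(f"{name}[{idx}]: Resource '*' without a Condition; "
                            "scope it unless the actions cannot be scoped")
    return findings


def review_account(inventory: Dict[str, Any]) -> Dict[str, List[str]]:
    """Review every policy plus attachment hygiene; findings keyed by check."""
    report: Dict[str, List[str]] = {"least_privilege": [], "use_groups": []}
    for name, doc in inventory["policies"].items():
        report["least_privilege"] += review_policy(name, doc)
    for user in inventory["users"]:
        for pol in user.get("attached_policies", []):
            report["use_groups"].append(
                f"user {user['name']} has {pol} attached directly; move it to a group")
    return report


# Constructed inventory resembling what a scripted IAM export might yield.
INVENTORY = {
    "policies": {
        "AdminEverything": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
        },
        "S3BucketReader": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": ["arn:aws:s3:::example-bucket",
                             "arn:aws:s3:::example-bucket/*"],
            }],
        },
        "DescribeAnything": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
        },
    },
    "users": [
        {"name": "alice", "groups": ["developers"], "attached_policies": []},
        {"name": "bob", "groups": [], "attached_policies": ["AdminEverything"]},
    ],
}

if __name__ == "__main__":
    for check, items in review_account(INVENTORY).items():
        print(check, *items, sep="\n  ")
```

Run on a schedule, a check like this is the cheap version of “review permissions regularly”: the report is noise-free when nothing changed and points straight at the new wildcard when something did.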
on to Network and Infrastructure Security now...

@awscloud #reinforce
. @ajassy is the quote here, “We wanted well-documented, hardened APIs so that teams collaborated without having to talk to each other”

@awscloud #reinforce
starting off with supply chain security. this is a major #security challenge…

@awscloud #reinforce
. @awscloud is considering #security as a critical part of its supply chain philosophy

#reinforce
this ties back to the Shared Responsibility Model. almost all of this area of supply chain #security is in @awscloud’s area of the model

@awscloud #reinforce
Brian Lozada, CISO at @hbomax up now…

@awscloud #reinforce
. @hbomax is deployed globally serving 67 million customers

@awscloud #reinforce
grrr….still dealing with weird geographic licensing though

that has nothing to do with security but is still frustrating to me as a 🤓

🇨🇦

@awscloud #reinforce
it’s really nice that Brian is talking about the #security culture at @hbomax. that’s so often overlooked but it’s critical

he’s talking about how it’s necessary to deliver a “friction-free customer experience” internally and externally

❤️ it!

@awscloud #reinforce
“visibility and guardrails” not “controls and limitations”

@awscloud #reinforce
paraphrased: “An event-driven architecture is helping us deliver #security”

<< #serverless?

@awscloud #reinforce
some details of the @hbomax #security stack in the @awscloud

#reinforce
shout out (-ish) for Cloud Custodian. more details on this amazing project at cloudcustodian.io

@awscloud #reinforce
“We should not be fixing the same problem twice”, Brian @hbomax << hell yeah!

@awscloud #reinforce
“If we’re not responding at the speed of a tweet, we’re not delivering for our customers”, Brian Lozada, CISO @hbomax

@awscloud #reinforce
summary points from Brian @hbomax...

@awscloud #reinforce
Brian and @hbomax have 100+ open roles right now. check them out at warnermediacareers.com/hbomaxjobs

@awscloud #reinforce
sidebar: this was one of my favourite customer segments in an @awscloud keynote in a very long time. Brian is a great speaker and his message is exactly where #security needs to be going

well done!

@awscloud #reinforce
now on to the updates for network and infrastructure...

@awscloud #reinforce
on to “confidential computing” now. a term we hear often? really?

@awscloud #reinforce
regardless, it’s a good segue to @awscloud Nitro Enclaves

learn more at aws.amazon.com/ec2/nitro/nitr…

#reinforce
dive deeper into Nitro Enclaves with this talk from @colmmacc from re:Invent 2020

@awscloud #reinforce
AWS IoT Core gets more functionality with VPC Endpoints

@awscloud #reinforce
on to network and infrastructure #security tips…

@awscloud #reinforce
1. keep things in your own VPC, use endpoints, etc.

@awscloud #reinforce
use the @awscloud Well-Architected Tool. it’s a free, versioned Q&A tool to help understand risk

@awscloud #reinforce
on to data protection and privacy…

@awscloud #reinforce
…and of course we have to talk about “zero trust”

opening quote, “For there to be betrayal, there would have to have been trust first”, Suzanne Collins

@awscloud #reinforce
here’s a great video from Quint Van Deman @awscloud from re:Invent 2020 on Zero Trust

#reinforce
lots of existing @awscloud #security controls fall under the “zero trust” idea

there’s a TON of marketing 💩 in this area. stick to basic, modern principles and you’ll hit your goals

#reinforce
updates for data privacy now…

@awscloud #reinforce
clearer, stronger contracts...

@awscloud #reinforce
remember that whole “cybersecurity vs. information security” rant I go on regularly?

👆 contracts is a good example. not a cybersecurity control but an #infosec one

@awscloud #reinforce
new resources to help with GDPR

@awscloud #reinforce
more information on GDPR in @awscloud up at aws.amazon.com/compliance/gdp…

#reinforce
“This seems really simple but so many people miss this step. Know what you are storing!”, @StephenSchmidt

@awscloud #reinforce
…information management is critical to a strong security and data privacy practice…but it’s almost never in place

orgs usually default to an “inside & outside” level of granularity. we need better tooling around classification and management for data

@awscloud #reinforce
simple tip from @StephenSchmidt, “Encrypt everything”

@awscloud #reinforce
given the simplicity of encrypting things in the @awscloud, there’s no reason not to have this as the default for all of YOUR builds

@awscloud #reinforce
. @StephenSchmidt shouts out the Wickr acquisition earlier this summer

more at wickr.com

@awscloud #reinforce
now on to GRC: governance, risk, and compliance

😴

😉

@awscloud #reinforce
I’m glad that @StephenSchmidt makes light of this topic’s “cool” factor. it’s critical but objectively boring
quote for GRC, “I thrive in structure, I drown in chaos”, @AnnaKendrick47

@awscloud #reinforce
more attestations, including expansion of @HITRUST covered services

@awscloud #reinforce
here’s the list of @awscloud compliance attestations: aws.amazon.com/compliance/pro…

#reinforce
sad that @StephenSchmidt didn’t shout out my FAVOURITE @awscloud “service”; AWS Artifact

aws.amazon.com/artifact/

#reinforce
🤣🤣🤣

spend some time with the service & become an expert user of it…

@awscloud #reinforce
I laugh, chuckle, and giggle simply because AWS Artifact is essentially a single web page with a bunch of links to download compliance documents

you’ll use it once a year, maybe once a quarter but it lets you get those critical compliance documents

@awscloud #reinforce
ohh, @StephenSchmidt did shout it out!

@awscloud #reinforce
on to the MSSP program now

details at aws.amazon.com/mssp/

@awscloud #reinforce
on to the #security competency partners now...

@awscloud #reinforce
I remember when this slide was much, much smaller. ❤️ to see the growth of the #security space

@awscloud #reinforce
now on to tips for GRC...

@awscloud #reinforce
2nd shout out for AWS Artifact!

@awscloud #reinforce
remember, if you want to work on your #security skills, the @awscloud Security certification is a great goal to aim for

aws.amazon.com/certification/…

#reinforce
. @StephenSchmidt teases more info on the concept of “security guardians” coming at re:Invent 2021

@awscloud #reinforce
nice call out for the new-ish, “Cloud Audit Academy”

more at aws.amazon.com/compliance/aud…

@awscloud #reinforce
join the conversation…as you already have…by reading this 😉

@awscloud #reinforce
short break and then the next session is up!

@awscloud #reinforce
this is a great time to go back and read @QuinnyPig’s inevitably hilarious thread covering the keynote 👇

@awscloud #reinforce
here’s the launch blog for AWS Backup Audit Manager: aws.amazon.com/blogs/aws/moni…

@awscloud #reinforce
starting a new thread for the next @awscloud #reinforce session. check it out 👇
