Video: Cloud Security Q3

How do we recognise abnormal use patterns in the cloud that might indicate a security incident when you have more limited visibility of your data, services, and users?

VIDEO TRANSCRIPT

So, question three, and we're going to start with you, Lee, this time: how do we recognize abnormal use patterns in the cloud that might indicate a security incident when you have more limited visibility of your data, services and users?

Okay, so I suppose the first thing is you need to get more visibility of data, services and users. It's all down to logging: everything needs to be logged. Where you can log, log it, and log it centrally where possible. Obviously there are tools and platforms out there that enable this. Once you've got that central logging mechanism in place, you can either go through it manually, which obviously people cannot do with the amount that goes through these days, or it comes back to using the right tool sets again. You need the tool sets which will go through that logging and identify the abnormalities, the things that don't normally happen in your environment. The tools will create that baseline for you; they will understand what is normal. Once you understand what normal is, anything that's different can then be alerted on.

So you can take examples of traffic that would normally go across your network: if something starts talking to something else, be it in that cloud network or your on-premise environments, you can alert based on that, to understand that if user X starts talking to user Y or device Y, that can be flagged as an anomaly, or if they start talking on different traffic, different ports for example, that can be raised as a potential breach within that platform. Control of data can then be logged, so you get complete visibility of everything that's happening within your environment, and anything that doesn't happen normally will be flagged as a potential threat within your environment.

All right, Greg.

Yeah, I'm going to try and tie in three bits here, because I saw there's another question come up, I think around risk management, which I think very much plays into this, because you could very easily tie yourself in knots trying to monitor everything on the web, and that's a fruitless task. So the risk management part, I think, comes in here. Very fortunately, John Kindervag actually joined us a few years ago, who is, if you like, the godfather of Zero Trust, and he talks about DAAS, which is: how do you define the protect surface first, which is the data, the applications, the assets and the services. So you've got to start with going, which bits do I really care about? It's kind of like the 80/20 rule: what's the 20% that's really important? And then, how do I start to map those transaction flows and understand them? As Richard said, it gets more complicated when you start going SaaS to SaaS, or maybe SaaS to PaaS. We're not used to so much this kind of multiple methods of connectivity; we used to deploy to the data center, and now suddenly we have so many different routes of connection. So I think you need to really distill it down, make the problem easier for yourself, and go: which of the bits do I really want to have that visibility of?

I think once you've done that, the next challenge is we now move into this shared responsibility model, where some of it's done, if it's in the public cloud, by them. If it's a SaaS application, it depends on the maturity: they may have some really good security controls, or they may not, and then we have none. So I think you have to be really, really diligent about what you want to get in terms of visibility, to see what's normal and what's abnormal, and then you have to go, how do I achieve that? And I think that's almost where the shared responsibility model goes out the window, because it's like, what do I need from this? It's not about what they do or what I do; it's about what I need to get back in terms of visibility. I think there is a myriad of controls you could look at: there's more and more network behavior analytics, user behavior analytics, indicators of compromise; the list gets bigger and bigger and bigger. I think the key bit of this, though, is then how do I distill this down, how do I correlate those together into something that tells me this is abnormal compared to my normal? And I think that requires having the data, and I come back to shared responsibility: do I get this, or do they give it to me? And if they give it to me, how do I ingest it and use it? And to keep it there: how do I correlate this and actually turn it into something where I go, this is important, it was high on my risk priority stack, I see something, and now I can act on that. I think the challenge is we're used to doing this easily ourselves with three or four tools; now you're talking different SaaS applications, different cloud applications, different responsibility models, and the challenge is picking that all apart and figuring out how to achieve this consistently based on what's important to me.

Okay, Richard.

So really, the short answer is defense in depth. The first question was shadow IT, so I'll kind of answer this in two parts. With shadow IT, people used to deploy CASBs; that's still a reasonable control. Great, you've got a CASB, you've got some reporting, but SaaS to SaaS breaks that model, so you need to lift those controls up to a higher level of governance. So you need to invest in those tools, and again this shadow IT relates back to these umbrella products that then have platforms: the business approves something like Box, and then it plugs in, because it can, because now the business owns authoring of policy, it can then just switch on another integration because it's already there, and maybe your infrastructure admins are not looking after that.

The second piece is a great question about risk. You have to be risk-led. There's a lot of, for me, noise in the market about threats, and you get things like the MITRE framework, which is great, but it's all about dealing with threats. You have to translate those threats; threats and vulnerabilities are just data points. You have to translate them into real risks inside your business, so you need a risk framework, and those risks have to relate to controls that mitigate them, and what mitigates them then is policies that you've authored in this new generation of tools that are posturing your cloud, so you've got actionable outcomes on them. And that comes down to real-time tooling that's looking at your cloud infrastructure, be it a SaaS or infrastructure platform, and posturing it to mitigate those risks. And these platforms will also take threat intel, so they're not just static things; they're taking feeds too, so when other vulnerabilities come out, to see if that actually affects you anyway, before... so you have to have that triage. So you can never reduce threats, because they're always going to grow; the only thing you can reduce is risk. So you have to know what it is you care about, you know your assets inside, and then you have to build up a layer of controls, which are really about your privacy controls, your technical controls, your operational controls, and then you have to have your management controls: are they getting the right information? It's not all about technology; it's about your processes as well, internally. A lot of people think if I buy a new piece of technology that'll solve it, but that's not the case: it's technology, process and people, and a lot of people do not want to invest in their people too much, and they don't want to invest in their processes. So you can have an alert kicking off telling you this thing's going to happen, but your processes are not picking it up. So for me, part of the journey is to invest in your processes instead of saying, well, I'll get a new technology.

Now, when you're dealing with risk with defense in depth, there are things like UEBA, which is user and entity behavior analytics, that can help build you up a picture of what's risking your organization. So one of the key things is that least privilege access is not attainable. It's a high principle that I agree with, but it's just not attainable, because it's just too much to try and define every detail of what every person needs access to, because it's too dynamic. So you have to use analytics, you have to use AI, machine learning, and these tools are coming out that can identify the risk to your organization. If you go down the path of least privilege, which I agree with 100%, the problem is it's not attainable, so you have to use these tools, defense in depth, and then start bringing in these tools, bring in the analytics to reduce the noise, and let people have access to what they need access to, to do their job, but understand it. So for example, someone could send out a CV; that may raise their risk profile in the organization because they're in a very sensitive area of data. It doesn't mean that the person's divulged anything, because we can't surveil people, but it may raise their risk profile. Then something else happens, and then something else happens, and then you bring them all together. So the problem with least privilege is that if you've got access to something, you've got access to something; you have to understand the context around it, and that could be you've got a malicious insider, or that could be someone who's just been targeted, and if they start doing abnormal behavior, which is what UEBA addresses, you can then at least focus in on that. So that's how I see that.