In this Run and Reinvent podcast, I chat with Soumee Phatak, principal product manager for BMC’s Cloud Services, about TrueSight Cloud Security and self-remediation. Below is a condensed transcript of our conversation.
Rick Bosworth: What trends are you seeing in security of the public cloud?
Soumee Phatak: First and foremost, we find that a lot of the enterprises are moving very rapidly to the public cloud, either because of cloud-first strategies, or initiatives in which they’re migrating their applications to the cloud. But, as businesses are moving fast to the cloud, and focusing on the business, they are kind of learning very fast that they are either unaware, or ill-equipped, to deal with some of the cloud security challenges. So, some of the challenges are ones we’ve seen even in the on-premise world – like DDoS attacks – but now, since the public cloud has a lot of businesses on it, they are becoming a bigger target nowadays.
Also, we see that cloud environments, like on-premise environments, are subject to rapid change. Therefore, the legacy processes and tools that organizations have are kind of inadequate. So, for example: What does it take to secure Lambda, or containerized environments, right? Additionally, what we also see – or, we have seen – in the last couple of years, particularly, is a lot of high-profile data breaches, and losses, where due to misconfiguration of cloud services, data has either been breached, or ransomwared, in some cases. And, some of these have been very high-profile customers – organizations like the US Department of Defense, or Tesla, or Verizon, etc.
Rick: Tesla was crypto-jacked, right?
Soumee: Exactly. We also find that a lot of these environments are being hacked because there are automated bots out there. So, literally, today, the time between when a resource is provisioned insecurely and when it is hacked is sometimes literally hours or minutes, because you have all these automated bots that are crawling and looking to exploit exactly these kinds of vulnerabilities.
Finally, I think the most critical problem that organizations are struggling with, and we are seeing, is that there is a shortage of cybersecurity talent in the market. Customers are now being forced to look toward solutions which have data analytics, or artificial intelligence, and machine learning which can help bridge that gap. So, these are some of the trends that we are seeing, in general, with our enterprise customers.
Rick: It’s almost like the bad guys have elevated their game, and sophistication, and I’m wondering: How would a bot decide to target your cloud footprint?
Soumee: That’s the thing about bots. You may think that as a business, you’re not big enough, or important enough. But, since it’s a bot, it doesn’t care. All you have to do is be on the web, and you are a target. I read about one experiment that a team had performed, where they created an instance on Amazon, deliberately set up as a honeypot to attract traffic. But, it was a site which didn’t have any useful functionality that would benefit anybody at all. Still, they found that the instance on that server had almost 250,000 brute force attempts within a period of 24 hours. So, you can imagine the power of these bots.
Rick: 250,000. That’s amazing. So, besides that attack, could you provide our listeners other examples of a cloud attack?
Soumee: In the cloud, we have traditional applications, built of traditional virtual machines, as well as applications built of cloud native servers. Now, on the applications which are built on traditional VMs, we see a lot of the traditional attacks which were also there before, like the DDoS attacks, or malware injections, or exploiting vulnerabilities, etc. However, a challenge that we see, which is unique to the cloud, is that, sometimes, developers kind of store their cloud credentials on storage like GitHub, etc., which are then mined, and these accounts then get compromised.
And, once these accounts are compromised, the hackers can use them for any malicious purposes. So, not only are you being a victim of an attack, but it also ends up racking up these huge bills on the public cloud for the customers. Another challenge that we see, particularly with cloud native services, is that a lot of times, you might have noticed that, whether it’s Amazon, or Azure, or Google, they are aggressively building new services on the public cloud, right? And developers are eager to adopt them, too. But what they don’t know how to do very well is how to secure those servers; how to use those servers in a safe manner. So, consequently, we end up in these situations where there is data loss, or there are crypto-mining attempts in the customer environments, like we saw for Tesla, and some others.
Rick: Why does the enterprise continue to struggle with security of the public cloud?
Soumee: You’re right. I mean, enterprises, even with all their might, continue to struggle with this problem. And, we touched upon some of the reasons a bit earlier. One of them is that cloud environments undergo a rapid amount of change, due to the fundamental way in which infrastructure is provisioned and used in the public cloud. The rate of change is fast. So, the traditional tools/processes are not able to keep up with this rate of change, firstly.
Secondly, in the public cloud, we have noticed customers who have hundreds, and hundreds of accounts. So, obviously, this is not a problem that can be manually addressed where you have hundreds of accounts, and then thousands of resources within those accounts.
On top of that, most large enterprises typically do not just get locked into one cloud. We noticed that our customers are using at least two or more clouds in their organizations today, which means that the level of expertise needed is that much more. So, like we talked about, we have a shortage of cybersecurity skills. At the same time, there is this introduction of various new services which are sometimes similar, but slightly different, which requires different expertise. So, that’s why enterprises, with all these factors combined, are struggling to understand, or keep up with, these security challenges.
Rick: Do these cloud service providers – AWS, Azure, Google – offer native cloud security tools?
Soumee: Yes, they do. They have started giving a lot of services. They have introduced a lot of services, and I think, over time, they will build on that portfolio. However, right now, the services are not sufficient to address all the different types of attack vectors. Another thing that I’ve noticed is these tools do a good job of detection of issues. However, what I’m hearing from our customers is that they not only need detection capabilities, but they need help actually fixing them. Because, the longer they’re exposed, the longer they are vulnerable.
Rick: How does automation help in enterprise?
Soumee: Automation is absolutely key to any cloud management practice, not just security. Because, this is what enables organizations to operate at scale in a predictable, safe, and expedited fashion, right? But, you’re right. Large enterprises also, typically, need to be audit-ready at any point in time. So, the way customers want to solve this problem – or, some of the ways we see them solving this problem – is to integrate these automation systems with incident and change management systems, which kind of gives them that perfect level of speed, as well as the visibility, and control, that they need to be able to be audit-ready.
Rick: Let’s say that we’ve chosen a security policy that we want to fully automate to implement this self-driving remediation. Could you walk the audience through what that automated response, or self-driving remediation, would look like?
Soumee: Once you or your security architects have defined what those security policies are, the first step is to make sure that you have set them up in such a way that you’re continuously monitoring those environments. Now, once an issue is found, the next step would be to automatically open a change management ticket, which could be set to an auto-approval mode. Once it is set to an auto-approval mode, the actual remedial flow runs – for example, if there was an S3 bucket that was left open, or an Elasticsearch node, it is shut off – and then the change ticket is closed. So, that way, you get an end-to-end automated response.
At the same time, you have documented the fact that your production environment has changed, so that you have full visibility and traceability of the changes that are going on in production environments.
Rick: What solution does BMC have to address security and compliance in the public cloud?
Soumee: TrueSight Cloud Security was actually purpose-built for detection, as well as remediation, of exactly these kinds of security issues, where application teams at customers don’t know how to secure their new cloud native services. They can use this tool to not only detect those issues, but fix them in a self-healing, or self-driven, kind of mode, and therefore be safe at all points in time.
These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.