The Security Cloud Podcast Fix

Jonathan Rau, VP/Distinguished Engineer at Query, explains the process of normalizing security data and the challenges of working with different security tools and APIs. He also simplifies the concept of security data into three categories: structured, semi-structured, and unstructured.

Finally, he discusses benefits of unifying security data, and the Open Cyber Security Schema Framework (OCSF) which Query uses as their data model. OCSF provides a standardized data model for cybersecurity events and objects, allowing for easier integration and interoperability between different security tools. The conversation also touches on the use of graphs in security data analysis, based on Jonathan's previous experience at Lightspin. 


Takeaways
Federated search allows users to search their security data wherever it is without ingestion.Normalizing security data involves mapping fields and setting constant states to handle different data formats and schemas.Security data can be categorized into structured, semi-structured, and unstructured data.Query simplifies the complexity of security data and provides a unified view of all security data sources. The Open Cybersecurity Schema Framework (OCSF) provides a standardized data model for cybersecurity events and objects, enabling easier integration and interoperability between security tools.Graph databases are useful for maintaining relationships and analyzing complex security data, but loading and querying graph data can be challenging.The key benefit of unifying security data is decision support, enabling security teams to make informed decisions based on a comprehensive view of the data.When building a data fabric or unifying security data, it's important to work backwards from the job to be done and focus on supporting specific use cases and decision-making needs.Staying informed about data technologies and approaches is crucial for security engineers and CISOs to make informed decisions about building a data fabric.

Daniel Spangenberg, Staff Cloud Security Engineer at Lyft, is building an internal cloud security posture management (CSPM) service.
Daniel has developed a mental model that looks at cloud security in three components: 
The past. Data about your current cloud inventory, e.g. your EC2 instances and S3 buckets, to idenfity and remediate misconfigurations.The present. Event logs, access logs and CloudTrail data, with real-time processing and alerting.The future. Preventative measures to guardrail your deployments, e.g. in Terraform or with policy-based controls.Daniel explains how he uses tools like Cloudquery and AWS Trusted Advisor to gather data and identify security issues. He also discusses the importance of resource coverage and how he leverages existing tools to extract data into a centralized view.

Daniel prioritizes issues based on their severity and assigns them to the respective service teams for resolution. Daniel highlights the importance of having a comprehensive asset inventory and using tools like Lyft's Cartography for graph traversal.

Daniel shares insights on tracking success, visualizing data, and the shortcomings of existing CSPM solutions. He advises approaching cloud security thinking like a developer, and fostering collaboration between security and engineering teams.


Takeaways
Lyft's cloud security team focuses on securing the infrastructure by addressing the past, present, and future components of cloud security.Coverage is important to ensure that all resources are accounted for, even if they are not actively used.Data is extracted from existing tools and centralized into a single source of truth for better visibility and analysis.Prioritization of security issues is based on severity, and tickets are assigned to the respective service teams for resolution. Having a comprehensive asset inventory is crucial for effective cloud security.Custom queries and automation are essential for handling a large volume of findings and creating tickets for remediation.Auto-remediation is a complex topic that requires careful consideration and can potentially cause more harm than benefit if not implemented correctly.A labeling system, such as using tags, can help identify resource ownership and assign tickets to the appropriate teams.Tracking success in cloud security can be done through risk assessment, ticket counts, and data normalization.Building an in-house CSPM solution allows for customization and integration into existing workflows, avoiding the limitations of commercial solutions.Thinking like a developer and understanding the motivations behind certain configurations can help bridge the gap between security and engineering teams.Collaboration and communication between security and engineering teams are essential for successful cloud security.

Mirco Kater, Information Security Officer at Gitpod, has taken a few startups from 0 to 1 when it comes to compliance and information security. Mirco has developed a five-step framework:
ConnectAssessDefineImplementMeasureFor start-ups, security and compliance programs provide access to markets. Mirco highlights the need for collaboration and communication with various departments within the organization.

He also discusses the selection of frameworks and tools based on the company's risk level and regulatory requirements. The goal is to enable the business while ensuring security and compliance.

Implementing a security compliance program requires budget allocation for salaries, tooling, auditors, and cyber insurance. Mirko also explains the difference between security and compliance, highlighting that compliance is about meeting specific requirements, while security focuses on protecting data and assets.
Takeaways
Building security and compliance programs is essential for startups to gain access to markets and customers.The five-step framework for building security and compliance programs includes: connect, assess, define, implement, and measure.During the connect phase, it is important to connect with leadership, peers, and other departments to understand the business goals and challenges.The assess phase involves taking inventory of processes, technologies, and people to identify existing controls and risks.In the define phase, a security strategy is developed based on the risk level, regulatory environment, and business goals.The implement phase focuses on putting the defined controls and processes into action, involving collaboration with stakeholders.The measure phase involves monitoring and evaluating the effectiveness of the implemented controls and making adjustments as needed. Measure and evaluate the effectiveness of the security compliance program using objective metrics.Reporting and metrics are essential for communicating progress to leadership and the entire company.Use tools and dashboards to track and visualize metrics.Continuous improvement is necessary as new risks and challenges arise.Allocate budget for salaries, tooling, auditors, and cyber insurance when implementing a security compliance program.Compliance is about meeting specific requirements, while security focuses on protecting data and assets.

Pramod Gosavi is a former VMWare corporate development executive turned venture investor at 11.2 Capital. Pramod and Lars talk about the current state of cybersecurity and the hurdles for Chief Information Security Officers (CISOs) across the four main areas of cybersecurity: network, endpoint, cloud, and identity security.
Pramod makes the case for how CISOs need to think about digital transformation of their legacy toolchains, and how there is a need for a cybersecurity data platform (“data fabric”) to connect various security tools and facilitate the integration and analysis of data. It would help security engineers work more efficiently and improve their security posture.
At present, security vendors often have separate dashboards and don't share data, making it hard for organizations to get a full understanding of their security situation. A data platform would solve this problem by offering a centralized, automated solution.
Pramod also talks about platforms in cybersecurity. Many companies claim to be platforms when they are actually suites of features. A true platform supports third-party businesses and lets them build on top of it.
Pramod gives examples of true platforms like Salesforce, which supported various vendors and allowed third-party businesses to thrive. He also talks about the importance of "platformization" in the industry and how companies like Palo Alto Networks and CrowdStrike are adopting this strategy.

CloudQuery is a high-performance open-source ELT framework built for developers. CloudQuery extracts data from cloud APIs and loads it into databases, data lakes, or streaming platforms for further analysis.
With raw infrastructure data, CloudQuery users are building solutions for security, cost, and governance use cases by writing SQL queries. Querying raw infrastructure SQL provides more flexibility and coverage than an opinionated DevOps tool could provide.
In this episode, I chat with Yevgeny Pats, CEO and co-founder at CloudQuery. We cover the "why now?" for infrastructure data, and the change in mindset observed among infrastructure and security engineers and their shift to using data lakes.

Alex Chantavy is a Senior Software Engineer at Lyft and one of the maintainers of Cartography. Cartography is a Python-based tool that collects infrastructure assets and their relationships into a graph view.
Cartography is open-source and was developed in-house at Lyft to solve offensive security scenarios. Today, Cartography is also used at Lyft to solve other InfoSec use cases, like container vulnerability management.
Cartography is built on top of the Neo4j graph data platform. The power of the graph is that it facilitates the exploration of many-to-many relationships.
In this episode, Alex and I discuss the origins of Cartography, how the engineering team at Lyft uses Cartography data for remediation of security issues, and how the graph powers an automated issue management system.