Fashion App’s Faux Pas: Open Buckets of (21) Buttons
Fashion App’s Faux Pas: Open Buckets of (21) Buttons TL;DR: Leaving their S3 buckets exposed, fashion-focused social app 21 Buttons is caught with their pants down. Because it had nothing to do with FireEye or SolarWinds, many of us missed this breach announcement – buried beneath sexier headlines
Your 2021 Cloud Security Recommendations
Your 2021 Cloud Security Recommendations (Assuming 2020 Ever Ends) 2020. So THAT just happened. When it comes to cloud security, 2020 was like pouring rocket fuel onto a gasoline fire; our three year plans turned into three month executions. And just like a nice toasty fire, this brings benefits, opportunities,
ALERT to FIX in a MINUTE
ALERT to FIX in a MINUTE As Rich and I have been talking about for years, the ability to move to automated cloud security operations remains one of the most compelling opportunities for improving security in the cloud. The ability to have an alert trigger automated remediations will change your security
Supercharging Security Hub: Part 4, Taking Action
In our last post, we walked through the console and highlighted making the most of the Security Hub console and some tips and tricks to make it more useful. Today I want to dive into one of the best parts of Security Hub — taking actions on events and findings.
Security Ops Waiting Game
Security Ops Waiting Game Remember in the olden days, when central IT ruled the land? If an application required fixes or new capabilities, the business put in a change order, and the IT folks got to it at some point? That seems like eons ago because in cloud-time it
Supercharging AWS Security Hub: Part 3, Taming the Console
In our last post we covered getting started with Security Hub and how to set up an optimized configuration, including prepping forward findings for alerting or remediation. Now although we’ve introduced the core capabilities, in this post we’ll walk through the different parts of the console...
Supercharging AWS Security Hub: Part 2, Get a Running Start
Continuing our dive into AWS Security Hub, let’s jump into setting up. Don’t worry, I won’t just rehash the AWS documentation; this post will cover our recommended configuration, how to push findings and events back into your security infrastructure...
Supercharging AWS Security Hub: Part 1, the Secret Weapon
Like many AWS services, Security Hub is one of those products that sneaks up on you. Security Hub was pretty anemic when it first launched; it appeared to just collect the results from a few AWS products and a dozen partners into some basic dashboards so Amazon could say they had a “security center”.
The Tragedy of Security Dies on the Crucible of DevOps
The Tragedy of Security Dies on the Crucible of DevOps Security ain’t what it used to be. Or perhaps it’s always been this way and it merely seems different due to the slow degradation of my youthful idealism. Security is bifurcated. Down one path we strive to keep our
DisruptOps Welcomes Security Executive Matt Eberhart as Chief Operating Officer
DisruptOps Welcomes Security Executive Matt Eberhart as COO The cloud security automation platform player strengthens the executive team as growth accelerates. KANSAS CITY, Aug. 1, 2020 -- DisruptOps, a cloud detection and response platform, today announced the addition of Matt Eberhart as the company's first Chief Operating Officer. This
ElectricEye v2.0
ElectricEye v2.0 We are thrilled to share the news that version 2.0 of ElectricEye has been published. You can check it out here: https://github.com/jonrau1/ElectricEye Over the past couple of months, DisruptOps has been contributing to ElectricEye, an open source project created by Jonathan Rau. Working with Jonathan, we set out
Advanced Techniques for Defending AWS ExternalID and Cross-Account AssumeRole Access
Advanced Techniques for Defending AWS ExternalIDs and Cross-Account AssumeRole Access Last month Kesten Broughton at Praetorian Security released some great research on third party cloud security products using Amazon’s preferred cross-account connection technique - AWS IAM Assume Role Vulnerabilities Found in Many Top Vendors. The opening paragraph is a
AWS Security Management with SecurityHub
AWS Security Management with SecurityHub Security has been a top concern with cloud adoption since its inception, and as a result security has been a top concern of cloud vendors as well. To help customers meet the security challenges of cloud infrastructure, AWS provides a lot of capabilities, including: granular access
Easy Does It – Understanding Object Storage Public Data Exposure
Easy Does It — Understanding Object Storage Public Data Exposure One thing I’d like to avoid in narrating this journey through common Cloud Attack Killchains is the implication that cloud platform providers are doing an inherently bad job. The main providers are incredibly secure, and tend to release all
Hitting PaaS on Inadvertent Cloud Database Exposure
Hitting PaaS on Inadvertent Cloud Database Exposure As we hit the third installment in our Top 10 Cloud Attack Killchains series, you’re probably starting to notice that none of these attacks take a rocket scientist to pull off. If you’ve read the first two posts, by the time you finish this one
Unseen Exposure – Tackling the Pervasive Server Remote Access Issue
Unseen Exposure – Tackling the Pervasive Server Remote Access Issue One of my philosophies regarding the proliferation of relatively straightforward cloud security issues – those that are basically uncomplicated, yet challenging to address based on sheer volume – is that “simple doesn’t scale”. That’s to say that while many
Don’t Start Static – Mitigating Cloud API Credential Exposure
Don’t Start Static – Mitigating Cloud API Credential Exposure And away we go! Here’s the first in our recently announced series on the Top 10 Cloud Attack Killchains – a set of blogs that aim to help you and your organization prevent exposure to some of the most
COVID-19, the Cloud, and Cloud Security
COVID-19, the Cloud, and Cloud Security COVID-19, social distancing, work from home…these are our current realities. How we got here and how we get past it are beyond my areas of expertise. But here we are – now what? For DisruptOps we decided early to mandate work from
Stop Today’s Top 10 Cloud Attack Killchains
Stop Today’s Top 10 Cloud Attack Killchains Everyone knows that cloud-driven exposures and related cloud attack killchains are emerging at a furious pace. These are the top 10 real-world attack scenarios we see in the field; over the coming weeks we will dive into the details and show
DisruptOps Raises a Series A, Why Should You Care?
DisruptOps Raises a Series A, Why Should You Care? We are excited to share the news of closing our Series A funding round. You can read the announcement here. But why should you care? The reality of venture funding is that raising money does not equal success. It
DisruptOps Raises $9M Series A to Scale Cloud Security Operations
Press Release (ePRNews.com) - KANSAS CITY, Mo. - Mar 10, 2020 - DisruptOps Inc., the leader in Cloud Security Operations, has raised $9 million in Series A funding from Drive Capital and existing investor Rally Ventures to scale go-to-market capabilities and accelerate product development to meet growing market demands.
The Overly Complex Way CloudTrail and CloudWatch Events Work Together
The Overly-Complex Way CloudTrail and CloudWatch Events Work Together One of the most vexing issues in my cloud journey has been understanding how CloudTrail and CloudWatch Events work together. For some reason it took me years (and a lot of testing) to wrap my head around how the
How to make the most out of AWS GuardDuty
This week, Amazon Web Services announced updates to GuardDuty findings to help reduce multiple alerts and false positives. Alert fatigue is one of the biggest complaints I hear about GuardDuty. It isn’t so much that GuardDuty is prone to large numbers of false positives,
The 4 Biggest Barriers to Cloud Adoption
The 4 Biggest Barriers to Cloud Adoption The cloud has fundamentally changed how enterprises structure their IT infrastructure and architecture. We’ve seen analyst reports positing that roughly 90% of enterprises are utilizing the cloud in some form or fashion -- whether public, private, or hybrid deployments. SaaS continues to
SSRF Defense Step 3: Eliminate Excessive IAM Data Access Permissions
SSRF Defense Step 3: Eliminate Excessive IAM Data Access Permissions The final guardrail in our SSRF Defense series is all about eliminating IAM policies with excessive data access permissions. For anyone new to this series, these solutions are based on Rich Mogull’s post on breaking the kill chain in AWS using IAM
SSRF Defense Step 2: Manage IAM Role Location Restrictions
SSRF Defense Step 2: Manage IAM Role Location Restrictions The second guardrail in our SSRF Defense series is all about managing IAM role location restrictions. For anyone new to this series, these solutions are based around Rich Mogull’s post on breaking the kill chain in AWS using IAM roles. The
SSRF Defense Step 1: Protect Data Storage Targets
SSRF Defense Step 1: Protect Data Storage Targets In previous posts Rich Mogull discussed using IAM Roles to break the attacker kill chain in AWS. We are excited to announce that DisruptOps now supports guardrails to automatically ensure you’re not exposed to these issues. We’ll be releasing a number of
Yes, Finding Public S3 Buckets is Automated and Easy
Yes, Finding Public S3 Buckets Is Automated and Easy Attackers are automating the discovery of public AWS S3 buckets. Are you automating your security defense? We found a list of over 60,000 public S3 buckets. Verdict (a UK-based tech journal) is reporting on yet another public S3 bucket attack that exposed hundreds
RDP Scanning in AWS
AWS RDP Scanning I came across a great post from Joseph Wood at HP last week, on the recent dramatic increase in RDP scanning in AWS -- specifically scanning of the RDP port. Down in the comments someone asked, “Why anyone would allow port 3389 from the Internet?” That seems to
What You Need to Know About AWS Security Monitoring, Logging, and Alerting
What You Need to Know About AWS Security Monitoring, Logging, and Alerting In terms of AWS security, first the good news: Amazon Web Services offers an impressive collection of security monitoring and logging capabilities. Now the bad news: these tools are entirely too fragmented and complex, with a range
Preventing the Next CapitalOne Cloud Breach
Configuration mistakes. This is not a new issue. IT and Security Operations teams have been struggling with managing configurations for as long as they have existed. As organizations start down the cloud path, the problem becomes more acute. There are simply too many opportunities in a massively complex cloud environment to make
Breaking Attacker Kill Chains in AWS: IAM Roles
Over the past year I’ve seen a huge uptick in interest for concrete advice on handling security incidents inside the cloud, with cloud native techniques. As organizations move their production workloads to the cloud, it doesn’t take long for the security professionals to realize that the fundamentals, while
Dev, Sec and Ops: Communications Breakdown
One of my favorite movie quotes of all time is from Cool Hand Luke: “What we’ve got here… is failure to communicate.” It’s so apropos because better communication could help avoid a majority of problems -- at work and in life. Alas, a recent Trend Micro survey (covered on DevOps.com), found 89% of
Cloud Security CoE Shared Services
As we return to our Cloud Security Center of Excellence series: so far we have covered the need for a CoE structure as well as our preferred organizational model. Now let's dig in and discuss more specifically how to set up your CoE to be able to define
Build Your Own Multi-Cloud Security Monitoring in 30 Minutes or Less with StreamAlert
One of the most difficult problems in cloud security is building comprehensive multi-account/multi-cloud security monitoring and alerting. I’d say maybe 1 out of 10 organizations I assess or work with have something effective in place when I first show up. That’s why I added a major monitoring lab based
The 3-Step Process to Start Monitoring Your AWS Cloud Environments
The 3-Step Process to Start Monitoring Your AWS Cloud Environments The following recommendations will help you outline a path to setting up a proper monitoring program for your AWS instances or cloud environments. Before we jump into our best practices for monitoring your AWS accounts, we highly recommend that you
AWS vs. Azure vs. GCP: A Security Pro’s Quick Cloud Comparison
The Security Pro's Quick Cloud Comparison: AWS, Azure, or GCP? Over the past year I've noticed a very large uptick in production workloads, often from large organizations, moving beyond AWS and into Azure and GCP. This isn't necessarily real multi-cloud -- just the reality of competing services becoming more
So, You Want to Start Monitoring Your AWS Account?
So, You Want to Start Monitoring Your AWS Account? Before implementing an AWS monitoring solution, address “What” and “Why”. Before we jump into our recommendations for best practices for monitoring AWS accounts, we need a 30,000′ view of why we need to monitor activity and what we are trying to
The Top 3 Reasons for Utilizing a Cloud Management Platform
The Top 3 Reasons for Utilizing a Cloud Management Platform Before implementing an AWS monitoring solution, address the “Whats” and “Whys”. An IT department gains many advantages by using the cloud, but the three we hear most are increased agility, flexibility, and usability. However, gaining such advantages could also lead
The Top 10 Most Commonly Used Guardrails for Automating Routine Monitoring Tasks
The Top 10 Most Commonly Used Guardrails for Automating Routine Monitoring Tasks These are our top 10 most requested or frequently run ops that help our customers automate the routine tasks required to manage and secure their AWS instances. There are many advantages to writing Guardrails to enforce best practices
Cloud Security CoE Organizational Models
In the first post of our Cloud Security Center of Excellence series we covered the two critical aspects of being successful at cloud security: accountability and empowerment. Without accepting accountability to secure all of the organization’s cloud assets, and being empowered to make changes to the environment in the name of improved
Forming the Cloud Security Center of Excellence
We spend a lot of time talking to cloud security professionals, basically trying to figure out the best ways to get their jobs done in largely uncharted territory. Cloud technology is evolving at an unprecedented rate, empowering line of business users to move fast and not ask permission from
DisruptOps Product Update for February 25th, 2019
Hi everyone, We are in serious crunch time as we prepare to compete as a finalist in the RSA Security Conference Innovation Sandbox. For a startup like ourselves it doesn’t get any better. Well, maybe a little better after we win. As we prepare for RSA we are focused on
DisruptOps Product Update for February 18, 2019
Before we get into this week’s details I want to thank all our beta testers for the great feedback. One of the harder parts of building a product is anticipating all the ways it might be used and, needless to say, that is sort of impossible. Please keep the
DisruptOps Product Update for February 11th, 2019
Hi everyone, Welcome to our first official product update! Now that we are deep into our Beta testing we plan to publish these updates on a regular basis to keep you informed on all the latest product features and Ops. We’ve just finished our latest sprint which makes this
DisruptOps Selected as Finalist for 2019 RSA Conference Innovation Sandbox Contest
DisruptOps recognized for providing automated guardrails for multi-cloud infrastructures through its security operations platform. KANSAS CITY, MISSOURI – February 5, 2019 – DisruptOps today has been named one of 10 finalists for the RSA® Conference 2019 Innovation Sandbox Contest for its work in automating cloud management. On Monday, March
Something You Probably Should Include When Building Your Next Threat Models
We are working on our threat models here at DisruptOps, so I decided to refresh my knowledge of different approaches. One thing that quickly stood out is that nearly none of the threat modeling documentation or tools I’ve seen covers the CI/CD pipeline. This. Is. A. Problem. Include your pipeline in
Three of the Most Crucial Sections That Make Up the DevSecOps Roadmap
As I mentioned in our (DevSec)Ops vs. Dev(SecOps) post, we’ve been traveling around to a couple of DevOpsDays conferences presenting our Quick and Dirty DevSecOps talk. One of the things I tend to start with early in the talk is the fact that, like DevOps, DevSecOps is not a product. Or something you can deploy
The 4 Phases to Automating Cloud Management
A Security Pro’s Cloud Automation Journey Catch me at a conference and the odds are you will overhear me saying “cloud security starts with architecture and ends with automation.” I quickly follow with how important it is to adopt a cloud native mindset, even when you’re bogged down with the
Consolidating Config Guardrails with Aggregators
In Quick and Dirty: Building an S3 guardrail with Config we highlighted one of the big problems with Config: you need to set it up in each region of each account. Your best bet to make that manageable is to use infrastructure as code tools like CloudFormation to replicate your settings across environments.
Quick and Dirty: Building an S3 Guardrail with Config
In How S3 Buckets Become Public, and the Fastest Way to Find Yours we reviewed the myriad of ways S3 buckets become public and where to look for them. Today I'll show the easiest way to continuously monitor for public buckets using AWS Config. The good news is this is
DisruptOps Introduces Cloud Management Platform for Automated Security and Operations
Company secures $2.5 million seed round investment led by Rally Ventures Kansas City, MO - October 17, 2018 - DisruptOps Inc. today introduces its SaaS-based cloud management platform to implement automated control of cloud infrastructure. Through the continuous assessment and enforcement of security, operational and economic guardrails, enterprises can realize the
How S3 Buckets Become Public, and the Fastest Way to Find Yours
How S3 Buckets Become Public and the Fastest Way to Find Yours In What Security Managers Need to Know About Amazon S3 Exposures we mentioned that one of the reasons finding your public S3 buckets is so darn difficult is because there are multiple, overlapping mechanisms in place that
Why Everyone Automates in Cloud
If you see me speaking about cloud, it’s pretty much guaranteed I’ll eventually say “Cloud security starts with architecture and ends with automation.” I’m nothing if not repetitive. This isn’t a quip; it’s based on working heavily in cloud for nearly a decade with organizations of all sizes. The one
(DevSec)Ops vs. Dev(SecOps)
I just got back from the Boston DevOps Days. I really enjoy hanging around DevOps and cloud people. The energy of these conferences is great, and they are genuinely excited about transforming how their organizations build and deploy applications. Many don't have a negative perception of security folks, but they
What Security Managers Need to Know About Amazon S3 Exposures (2/2)
Continuing from "What Security Managers Need to Know About Amazon S3 Exposures (1/2)"... In our first post we discussed how the exposure of S3 data becomes such an issue, and some details on how buckets become public in the first place. In this post we go a little deeper before
What Security Managers Need to Know About Amazon S3 Exposures (1/2)
The accidental (or deliberate) exposure of sensitive data on Amazon S3 is one of those deceptively complex issues. On the surface it seems entirely simple to avoid, yet despite wide awareness we see a constant stream of public exposures and embarrassments, combined with a healthy dollop of misunderstanding and victim