Episode Description
What We Discuss with William Bengtson:
- What is Cloud Native
- Changing security role in Cloud
- How do you measure maturity in cloud?
- What should a manager be looking at when training their security staff?
- How does a team function effectively remotely?
- Recruiting for cloud security specialist for students and staff
- Benefits of Immutable infrastructure
- How does security work in an immutable infrastructure world?
- And much more…
THANKS, William Bengtson!
If you enjoyed this session with William Bengtson, let him know by clicking on the link below and sending him a quick shout out at Twitter:
Click here to thank William Bengtson on Linkedin!
Click here to let Ashish know about your number one takeaway from this episode!
And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.
Resources from This Episode:
- Tools & services, discussed during the Interview
- Cloud Security Alliance
- Cloud Security Academy
- Training with Will & Rick @ BlackHat
Ashish Rajan: [00:00:00] Hello, and welcome to cloud security podcast. I have an amazing guest today will Bengston and I have known will through the online community for a while. He was down here in Melbourne last year for an AppSec J conference as well. So I got to meet him in person and we talk about we’re diving and his amazing time he had in Australia.
So welcome bill. So
William Bengston: glad to have you here, man. Thanks for having me. It’s exciting and good to see you again. Yeah,
Ashish Rajan: thanks. For people who don’t know you and I don’t feel I can do justice to what you’ve done. So find a career, which is amazing by the way. What, how do you, I guess, what can you tell people about yourself and how can they who is, well,
William Bengston: let’s see, whose will a will is a I guess a guy passionate about security, that started as a generalist and kind of fell in love with the cloud in detection.
So I’ve spent a bunch of years, like traditionally from a software background, writing code and getting into security with like department of defense. As a contractor one of the defense contractors, and then kind of just found security and fell in love and has just gone off that career since then, I’ve had an amazing opportunity so [00:01:00] far to be involved with companies that people don’t have never heard of that are super small, trying to build security within a company to, you know, more popular brands like Netflix, and now with a, you know, a great, great company.
Which a lot of people, funny enough, still don’t know until you start mentioning some of the products and they’re like, oh, that’s actually, that’s great. But yeah, just overall, just, you know, have always loved security fell in love with cloud and things have just been, been super blessed and things have kind of just fell in place.
Ashish Rajan: That’s awesome. And that’s a great intro as well. You’re you’re so down to earth with your intro, I would have like what, from Netflix, like HashiCorp. First question that I usually ask people over here being talk security podcast. What does cloud security mean for you?
William Bengston: For me, cloud security is a security at the cloud primitive level.
And so I say, it’s like, it’s the, the security at the basis of the cloud providers. So what I mean by that is anything implemented on top of the cloud would be out of scope for . And so, like if you use AWS an example, [00:02:00] Security of all the services that they provide to you. So if you think about like secure by default securing load balancers, that’s three buckets.
I am, to me, that’s all within cloud security. Oftentimes people might even call it infrastructure security and make it a little more kind of at the infrastructure level, within the cloud platform or cloud provider. That’s typically where I scope of cloud security, but depending on the company and the size and obviously how big the team is and how fine grain they want to divide out the work, it could included, you know, more, it could be the platforms that you’re building on top of the cloud as well, that your employees are using.
For me, cost security is securing the infrastructure of the cloud at the cloud native level.
Ashish Rajan: Where does cloud native.
William Bengston: I think cloud native is understanding what the cloud is meant for and how it can actually help you. Developing approaches for security area, application and deployments that kind of fit the new age or what people say it’s cloud, right? So it’s not just taking your traditional application and shifting, lifting it over to the cloud, but it’s potentially [00:03:00] rearchitecting a using managed services to your advantage and really, truly grasping what the cloud has to offer, like scaling security.
You know, all those benefits to changing your, your mindset and using those APIs to, We’ll be successful in your deployments. Yep.
Ashish Rajan: Perfect. That was a great answer as well, because I feel, and I came to know your thought on this as well, where a new doc touching on this just offline cloud security also has changed the role of security quite a bit as well, where it’s no longer, I’m going to ask you a few questions and you do the work, but it’s a lot more about understanding the different services that the cloud has to offer, which you can use in security.
Would you like, are your thoughts.
William Bengston: Yeah. You know, with the cloud rapidly expanding you know, it’s, it’s one, I think it’s amazing how this type of role never really existed in the past now that now that the cloud exists, it’s, it’s a thing. Right. So super awesome to have a new area of security to focus.
But when you think about like AWS and the, the number of services that they bring about every year, that. To me, cloud [00:04:00] security is understanding the services and how they potentially affect, your company or your applications that you’re running. Right. So, understanding whether or not a service should be used, within the company, what the, what the potential misconfigurations are the permission sets, you know, Things go potentially awry or wrong.
To me it’s all kind of, part of the cloud security model of operating effectively and at a cloud native or cloud level. It’s just not one of those things that you want to just enable everything and, start responding to things.
Ashish Rajan: Yeah. Yeah. Fair enough. I got, how do you, so for people who are listening to this, obviously, one question that comes quite often is how do you measure maturity?
Like what’s the scale of maturity you’ve seen, which is like a basic security in cloud versus like, oh my God, these guys are super advanced. And how, how does someone measure it?
William Bengston: Yeah, that’s a great question. I think he could measure it on like a scale, if you wanted to think, like. Here’s where we’re not doing anything we’re not even looking at or not even turning logs on to here’s where we do everything [00:05:00] and we do it right.
And we do the advanced detections and all the things, right. So you could say like, here are the super advanced, super, if you want to call it the most mature cloud practitioners on, on one side, the people that aren’t doing, anything, being the most immature in that, in that scale. But I think it’s very much.
Upon your environment and what the business actually needs to be kind of mature, depending on your risk level. You could, you know, have like a simple example, you can have CloudTrail being logged, you can be monitoring it and detecting the things that you want and responding automatically to that.
That seems like a very mature club cloud approach, right? You might not be looking at like, you know, B logs and detecting bot traffic and those kinds of things, but maybe that’s not important to the company or the risk profile of what you’re doing, but for the core features, The things that you need, you’re very mature, right.
But someone might look in and think, oh, you’re only doing these things, not these other things. You’re not mature, but to your business model, that you’re very immature. And so I think it very, it differs very much [00:06:00] between company to company and industry, to industry what, what you’ve considered mature. But I think it boils down to, do you have visibility?
Do you know what you’re looking for? Can you find it if you need to find. And do you have some sort of alerting and approaches to responding, should an alert go off, right? You don’t have to have the most automatic response except in the cloud. I think it’s very important that you have some way to respond fast because of how quickly things can go bad.
But I think having visibility of a ability to detect and a plan to respond is a great start in a maturity model. You don’t have to have all of these. The various different really awesome tools. You don’t have to be riding around tools to be a very mature team. You can utilize vendors or open source and still be immature.
But I think it’s truly a hard question to, to answer. I think, you know, you have like, a bunch of the different compliance frameworks, which attempt to kind of show you where you stand. But a lot of those things. Don’t apply to a lot of places, right? I think there’s a lot of areas in the cloud that are misunderstood, where even [00:07:00] when you have the check, the box, a compliance check, mark, doesn’t really buy you anything if you actually understand how the cloud works.
So I think it’s, it’s, you know, it’s almost like in, in the application security world, they have the, the building security in maturity model. Right. But there’s no building security in cloud maturity. Cause I think it’s really hard and it depends on the industry. Somethings, it’s just not a risk that you don’t do them because it’s overhead that you don’t want to, you don’t need to actually, account for.
But yeah, I think it very much depends, but I think like if you had to dial down the things that you need. Visibility ability to monitor, building, to detect and ability to respond. And if you can do those things effectively, then you probably have a very much
Ashish Rajan: sure. And I think to your point, the maturity would come more from based from the businesses scenarios that are important for them.
Like if you’re not a company which has internet facing stuff, bot protection may not be the top of the priority. Whereas detecting something like an internal threat, maybe a priority at that point. So it comes back to the, so if there is someone who’s listening to, this has probably on the left side of the scale that you mentioned, where they haven’t done anything, [00:08:00] where can they like WhatsApp one, one or two things that they can do today, which doesn’t cost too much.
I go, I guess cost is probably secondary. What can they do today to just take courses, at least a couple of things that they should have at least from a basic foundation for.
William Bengston: Sure. I think the one thing I always recommend is the first thing you do is turn on a trail and centralize it into S3.
Regardless of if you have a plan to use it, at least having that data, should something go, go wrong. It’s available in the console. But you only get 90 days like sliding history. So you might need to go back and get more. That’s that’s the thing I always recommend people start with, having a good way to manage accounts.
So securing the user, using AWS, if we’re talking to AWS, like organizations is a great way to manage accounts and manage permissions on what you can or cannot do in a certain way. If you can, if you don’t have much S3 traffic or money’s not an option, or, you know, it doesn’t matter then, you know, turning on S3, cultural as well can be very, useful from [00:09:00] a data security and seeing as data leaving your environment or being accessed, inappropriately, those kinds of things.
But I would, I would think from a cloud perspective, turning on cloud trail to get visibility into what’s happening in your accounts, protecting or having an account management model of how you manage the brood accounts and account creation. And then, you know, trying to do, I am correctly. And only providing access to the things that your users need access to and not kind of the other way around.
Cause when you, when you give everyone access to the world and all of a sudden you want to start limiting it, that’s when you start selling bad relations with your teams. And that’s really where the hiccup starts, right? Where, you know, I used to be able to do this myself, but now it’s a process. And so people will start viewing you as the, Kind of not an enabler, right.
But a gate. So I think those would be my top things.
Ashish Rajan: Awesome. And I think the something that sparked at that point was you can have CloudTrail logs and you can actually the bay more storing. It doesn’t cost you much money as well. And would you agree? Cause I think S3 buckets are quite cheap as well, so it shouldn’t really be
William Bengston: [00:10:00] pennies on the gigabyte or.
So like, I, I run up, I have probably six personal AWS accounts. I don’t access them alive on some doing development of tools or trainings, but I have Cottrell turned on all the time. And I, like, I never noticed that there’s a charge on my credit cards for those kinds of. Oh, right. Okay.
Ashish Rajan: And so what to see and I guess to your point, if you want, you can go to the extreme of say connecting a cloud to some goo and quick sites and make some like, really fancy dashboards as well.
If you want to, you can go to the next level of maturity and it gives you the foundation for that. If someone wants you to go down that path as well, in terms of. Multicloud. And this is a question that I keep getting quite often because a lot of people have started seeing Google flower, creeping and actual keeping creep in.
Are you seeing this around you as well? Where multicloud is becoming a thing?
William Bengston: Yeah, I think so. I think as more and more industries that are becoming comfortable with moving to the cloud, they’re having certain requirements put on them to say, you can’t just put all your eggs in one basket or one tray.
You have to have a plan at least to account for [00:11:00] what would it take to go operate in say GCP, AWS was your primary or it was your, you know, every cloud provider is catching up to AWS. AWS had the five or so year headstart, right? So you, for the longest time you could see. The advantage, but I think the other providers are, catching up rather quickly.
And it can make sense. Right. And if you think about like the traditional things that you did, back of the data center world from, especially when you think of like right now, business continuity, disaster recovery, how do you do that in the cloud? And I think the answer is potentially in other clouds.
So backing up data, even if you’re not using another cloud platform as a means of compute, maybe it’s a means of sex, recovery, storage. But you know, I think. I’ve I’ve seen more and more companies, either switch cloud providers altogether different. Maybe it’s a cost savings. Maybe it’s a, we need this one feature.
I’ve seen very much hybrid approaches where, we’re going to have main things with an AWS, but we really liked the query and the ability to do things over here and Google. So we’re going to use that feature as well. And oh, we really like we don’t want to [00:12:00] manage ID, but we want ads. We’re going to go use a as your AB.
Right. So I think it depends on. What companies actually wants. And there’s some really cool tools out there and, networking primitives now that enable you to have kind of that seamless cloud model of where you don’t even need to know if you’re talking to something in Azure or GCP that the network just happens.
Right. You kind of have that service from
Ashish Rajan: the service mesh thing. Is that like a data center thing or is that being provided by the cloud providers?
William Bengston: No, I think it’s very much a tooling on top of the cloud. So, being able to have a proxy that knows where to route, to put in, you know, if you have to discover in each, in each cloud provider, then he will say, Hey, I want to talk to this thing.
It doesn’t matter if that thing’s in there. Sure. It just routes the network. So as long as that path, Sarah just works. And two,
Ashish Rajan: this kind of leads me to, I guess, the next obvious. Which is an instant response. Now, maybe you can dig incidents ones do seven. I think the reason I I’ll probably go into Y incident response in a little bit later, but someone who’s doing incident response in AWS today, starting with one account to, I don’t know, hundreds of accounts.
[00:13:00] How do you see incident response done well from that perspective and that,
William Bengston: sure. Yeah, I think For one thing, like I’ve always said that the cloud is amazing because of the API and the cloud is the most dangerous place to live because is because of the API, right. You can build and destroy things so quickly.
And sometimes your visibility into what happens is delayed. So I think within incident response in the cloud, it’s going to be very hard to be successful without some sort of automation, because you’re going to need to move very quickly. I think. That becomes more important over time. I think we’re seeing, the, the people that are you know, th the adversaries are still learning the cloud alongside everyone else.
And so they might, there’s some super advanced ones and not so advanced. So I think it depends on the flip of the coin of which one you get. Should you be doing incident response? But I think there’s some really awesome, especially within AWS, right. People have been doing and presenting on this topic for many years now.
So there’s a lot of tooling that you can take advantage of. And the really cool thing is AWS is providing new features, day in and day [00:14:00] out, which allow you to continue to mature that your, your tooling. So, you know, I think a lot of it is the various same Of what it once used to be in the data center world.
Right. You’re seeing even the cloud perspective catch up to that. Where before from like a protection or response perspective you had within the cloud, you had no network visibility, you had kind of the flow log and that was it. But now, AWS has introduced a mirroring of. And so that becomes very dangerous too, in the cloud.
It’s like, do you actually want some mirror traffic? Cause what, what all are you going to see? But you know, some, some companies are like that very traditional approach of having, you know, bro you know, the traditional IDs IPS for a network standpoint, But, you know, it’s still very much in order to respond in the cloud.
You’re still having to build a lot of tooling. So it’d be really awesome. If cloud providers would start making it an API call to do some of the more common things for everyone riding the same tooling, or, Hey, I’m going to go use this tool to do the things, because this is what I have to do in the cloud.
So you’re starting to see a lot of new. [00:15:00] Vendors and cloud things come out with like other remediation, which makes responding to incidents easier where if you see that misconfiguration happen, fix it really quick so that you don’t have the incident later. So I always like when incident response leads to working in preventions or protections, so that something doesn’t happen.
That’s to me always the really cool part of incident response, because your D your detection piece Which, you know, you have detections leading to the response. Detections to me are telling you where, prevention works or where a gap still exists. That potentially you can put a prevention in place and then you have all the unknown, right?
So it’s really cool to see when you start shifting more into, Hey, my protection worked right. We saw someone misconfigure this, we saw it auto fix, and you know, now this doesn’t have to escalate to an incident overall. But yeah, overall I think incident response in the cloud is there’s still a lot of really cool areas to take into.
It’s like as, as companies continue to scale and move fast, incident response just has to continue to work, work [00:16:00] scaling. I guess we have that fast as well. So
Ashish Rajan: maybe we can dig a layer deeper then. Do you like, what’s an approach you recommend for people? Like I keep going back to people who probably starting out today, like having a quarantine organization unit is something that people talk about where you isolate, or basically you deny everything using an SCP and we’re talking specifically AWS.
But. How do you structure for this? If you have not done this before, so have a separate incident response account, and this is me making it up as I go. But because this is the example that I’ve seen, but curious to know from your side, how do you see this setup your car in an organization where they may already have an incident response team or a forensic team.
And how does that access kind of come back into? Oh, there was an incident and needs to do instance has nice lady did blah, blah, blah has happened. We moved into an organization unit, like, is there like a walkthrough that you can probably share with.
William Bengston: Yeah. You know, I think I’ve, I’ve seen a lot of people that go to implement the, or talk about the isolation.
Ooh. Within organizations of denying everything. I think the problem of denying everything is that you deny yourself access to view [00:17:00] what is going on as well. And so I’ve seen that mistake happen where people do as denies, denies, which stops the attack, but it also stops you from being able to respond to the attack and analyze and actually make a move.
Yeah. So there’s some tooling out there already that you could point at an instance, and it attempts to isolate an instance. I think some of the most, important tooling that you can build if you’re starting to build automation, you know, starting from the left of not, not having anything is some simple scripts that, can take a snapshot of a given.
So you at least have what is running. You don’t necessarily have the memory, but you have what, what is on disc? You know, being able to copy that if you have a separate incident response account that you can copy that snapshot into to then do your analysis. So you know, the thought is if, if the credential net box was very.
Permissive and the attacker knew what they were doing. If they saw you were taking snapshots, they could delete them. Right. It depends on how active that attacker is, but having some simple things, to be able to perhaps, remove the network attachment from [00:18:00] the instance so that there’s no outbound traffic anymore.
So if they were trying to steal data, or execute API calls, That they can’t write having kind of playbooks in place for what happens if a, a AWS credential is exposed. I think those are some of the most like crucial starting blocks to build building some incident response tooling, with an AWS that you could do.
And I think there’s some really cool open source projects that have done a bunch of this, that, either you can just look into to see how they do. And learn how to build them yourself or see how they can fit into your kind of toolbox.
Ashish Rajan: Sure. Cool. And I’ll probably might reach out to you later on for the, for the resources that you can possibly share with the audience.
That’s, that’s great about incident response, right? Do you reckon it’s, it’s a challenge. In the industry from, and this is me switching gears to training now, because to your point about not everyone’s cloud native, not everyone’s cloud ready for lack of a better word. How do you see people train? I guess for cloud security as a security and a lot of people have done traditional data center security and the mindset shift itself is way different than [00:19:00] cloud.
So obviously you manage your team yourself. And if you had a say, if I was a manager listening to this who has a team that’s been assigned to him, it’s a security team. Where, where did this talk with training? Like what kind of stuff they should be trying to look for in a, in a trip, Prudential training for their staff?
William Bengston: Yeah. You know, that’s a great question. I think a lot of the, like, you know, I started in the cloud just as I red team are trying to spin up fishing boxes, right. To phishing domains. That’s where I really started using the cloud. And I really sort of learning the cloud when I started actually building applications and deploying them on the cloud and needing to secure them.
So they are a great place to start is to kind of set an object. Of something that, you know, an outcome for and say, Hey, we want to go build this securely and, and give it kind of as a, an onboarding project to the user, to your team and say, Hey, here’s your first. Here’s your first month go build these things.
And that allows them to exercise through the various different services that potentially your company’s using and setting them up and have an end result that you expect it to be. Right. And then you could [00:20:00] have something that goes through and make sure it looks correct. Right. But I think it’s important like that.
I think the hands-on approach is the best approach. Giving them something to build and work towards. Tip that allows them to come up to speed with how some of these things work as they’re doing it. They’re not going to get it correct the first time. So they’re going to stumble into a lot of things that your engineers and other departments are going to stumble on.
And they’re going to learn from that process because I think within cloud security, your incident response, the key fundamental piece is understanding the cloud and how it operates. And most importantly, understanding the services. And hopefully understanding them, as much or more than the teams that will be using them day in and day out.
Because it’s really, once you start understanding the intricacies of each service that you understand, like how something, something so small can turn into something. So. So outside of building exercises and doing them within your team and yourself, and just kind of learning on the job, I think, you know, sands has been doing some really good stuff.
Building out a cloud security area of their program, and incident response as well. [00:21:00] There’s trainings at local conferences and the maths conferences. You know, we, we talked earlier, I’m doing a training with rich mogul on instance response in the cloud at black hat this year. So, you know, I think it would be really great.
I’ve given trainings on AWS in the past and from the very starting on the very far left, right. If you know nothing about the cloud, let’s understand, here are the basic things on the top top services that you should know. Here’s the one check box you should always tell people never clicked. Right. But I think a lot of it is leads back to the making sure there’s a hands-on component because.
If you read something and don’t actually go practice it, then you’re going to forget it. Right. You’re going to be like, I think I remember something about that, but I don’t exactly remember which, which button to click. But you know, I think ultimately there’s a lot of great training resources out there.
Ask around, see what other people have taken. Cause I think there’s a lot of courses out there that probably aren’t. They described and you’re, aren’t going to get maybe as much as you thought for your money. But there’s a lot of just great open source resources. A lot of companies are writing blog [00:22:00] posts on how they’ve done some things.
Right. I, I learned, you know, like I learned to code by reading other people’s code and learning patterns. So I think also, also learning in the cloud is very similar to how did someone else solve this? You know, spending time on a given service, I think is good, but, you know, I think ultimately finding something that gives a good deep knowledge transfer from a text perspective, but complemented with that technical hands-on approach, is kind of what I look for in trainings.
Ashish Rajan: That’s awesome. And I think it’s it’s important to call out the hands-on aspect of it. And especially in the cloud because you can’t auto respond. If you don’t know how to code on you find people to code. So that’s a good segue into teams. And what made me think of the teams, as I’ve already mentioned, training reliving the the better days of Colbert right now, where a lot of things are.
I believe your team is remote as well, primarily. I don’t know if it was the case before, but how do you guys function now? Because a lot of people have to do remote work. How does how do you see this work effectively? Like what works in a remote land? Cause you were doing remote work [00:23:00] before. No cold Colbert thing happened.
So keen to know something that you can share in case this squirting goes on for the rest of the year. And all of us go to more primarily what has worked for you and how can we use it or what can we borrow from it, I
William Bengston: guess. Yeah, no. Great question. Yeah, luckily I think it’s something like 90% of HashiCorp is remote, so it’s been very easy for us.
Fortunately in today to continue operating effectively or as effectively as we can. I think, but from a, I guess when I first started working remote back in the day, the things I really had to come up to speed with and be very stringent on, was, you know, setting up a work environment and not just working for.
Or something like that. Right. And I know a lot of people, cause I used to live in the bay area. Right. So space is a critical out there. Sometimes you can’t have a separate office. Right. But maybe setting up your computer on. Countertop instead of working from the couch, you know, those little things that allow you to focus more on the workforce being distracted.
So I think that’ll be the first thing people experience working from [00:24:00] home. If they haven’t is the distractions, right? Oh, maybe I should go to this load of laundry. I want to snack. Right. Know those kinds of things. But I think the most important thing you can do is get, if, if you’re able to set up a separate work.
In your home. Right? So I have a standing desk, and you know, it’s very comfortable for me. It’s just like if I was still working in the bay area, right. I, I became used to that experience. So now when I work from home, I want that atmosphere. I’m fortunate enough in my life right now. I don’t have children or anythings.
There’s no real distractions around me except my dogs. But my coworkers and employees that have kids, they think it’s very important to set boundaries with your family, for able to, Hey, you know, if this door’s shut, you know, dad’s working. So I think some of those things are helpful as well. But I think the most important thing that’s allowed us to be effective, working remotely is just the.
How thoughtful the company has been in setting kind of communication standards. And when you communicate via email or slack via zoom and kind of the usage of each and what, [00:25:00] like what each, which I guess, which technologies best for which type of communication you needed that given time. And from a, just from a decision standpoint perspective, we do everything within RFCs.
So when we want to develop a new feature or a new product or deploy a new tool, we end up writing an RFC about it, and it allows us to publish our thoughts and ideas and give everyone across multiple time zones, ample time to provide feedback. And allow you to learn how your solution might break someone else in a way that you didn’t know, because you didn’t overhear them talk about something in the hall anymore, or you weren’t able to swing by their desk and just randomly ask about something.
So that’s been really beneficial. And I read some comments online, funny enough about kind of the RFC process and that I’ve never even thought about it, but, you know, heaven forbid if I get sick or, you know, I was on vacation when someone’s didn’t have. Design document or an RFC, the process allows you to come back to work and catch up and still have your voice heard on that given solution as well.
And I never really thought about that because since starting [00:26:00] here at HashiCorp, I’ve, you know, I’ve only been here for a while now. Haven’t taken really any time off, so I’ve been able to, as things come out, here’s my, here’s my thought or here’s my expertise. In the past, I’ve seen this go bad because of this.
But if you’re sick especially right now, if you were to fall ill with COVID-19, you know, two weeks or whatever, when you’re feeling better, you can come back in and still be heard on that given document, which I think is really powerful, especially in this day and age when, you know, people aren’t being heard within companies, but yeah, I think ultimately, yeah.
The best thing about the remote work has been, the way that the company has set standards on communicate. If you want a response fast, pull up a zoom, right? If you need something within an hour or so, slack is probably the right means. If it’s not a super important email is probably better. And then setting up kind of, we have naming standards for channels within slack and stuff as well.
So it’s, it’s really easy to find the right team that you needed to talk to. Where, you know, you might go to this side of the building to talk to this one team. It’s really easy to kind of find them. And I think the combination of all that’s made it really effective for us to work [00:27:00] remotely.
Ashish Rajan: Right.
Because I find it hard with remote working. How do you find the person you needed a doctor for something
William Bengston: that, yeah, I mean, especially if you’re new, it can be very hard, right? So if you know the team, it’s easy to guess the team channel, right? Oftentimes I I’ll ask people in my team. Hey, do you know who owns this?
I actually just learned of a new channel that we have. We have a channel at a HashiCorp that we can go into and ask, Hey, does anyone know who the owner of this service? And it’s kind of a group of people that have been there, and they can point you to the right direction. Right. And most people, if you’ve reach out to them and they ended up not being the right person, they’re happy to direct you to the right person or help you kind of along your journey of finding that correct person.
Yeah.
Ashish Rajan: I like that channel. Cause I think, cause I was thinking as the more different companies, obviously, as they go through the COVID thing, they would have new people joining in and as the new people joining, they all go into slack. Well, it’s a lot of channels. Where do I start? And who am I supposed to talking to?
Like, you know, a lot of people have this whole onboarding presentation as well. It’s a great time to introduce something like, oh, if you don’t know where to go for help [00:28:00] for this, just go here. I think that’s a great idea.
William Bengston: I was gonna say within our security team, we have an onboarding guide and it talks about, here are the channels that are probably, you should join and come to the, just a quick description of what each channels for, and some like given tasks.
Here are the documents that you should probably read to catch up and have an understanding of how we operate, how we communicate, the employee handbook you know, the base like RFCs that are going to talk about the, the technologies that we’re building and those kinds of things. Also it’s as an employee, your first couple of.
Or really spent kind of coming up to speed on where the company is. And then when it’s about time, when it’s you start actually working on some things, you’ve got an idea and kind of like the second nature, or it’s really intuitive on where you go to find the information. But you know, I think knowledge management is a problem at any company, even, even at HashiCorp.
Sometimes it’s hard to find things that we need. But it’s just asking someone and someone has. Oh, yeah. Right.
Ashish Rajan: Also, I guess you can still use all of the online conference and other resources because sometimes you might be thinking, oh, has anyone done this [00:29:00] before? And you get like, but you just were not able to find a conference space, I guess.
William Bengston: Yeah. And luckily, you know, we’re a G suite shop. So cloud search is a great thing to search across all. Oh, yeah.
Ashish Rajan: Helping big query helping in the background, I guess. That that’s, that’s amazing, man. I think that’s what be really helpful for a lot of people are starting. Do you find. Recruiting in the, I, don’t not sure if you recruiting at the moment, but in dumps off recording for cloud security specialists, like I think a lot of people that have had spoken to the students and they’re looking for that crack into hardware crack into this world of cloud security, we kind of touched on the water training that you can do for the staff.
And would I be right in assuming that’s applicable for students as well? Like they can go out on the part of learning cloud and do that.
William Bengston: Yeah, I would definitely agree. You know, students can do just the same things that you know, the staff was doing. You know, anytime that you can get that hands on experience in operating in the cloud, I think is, is great.
You know, from a student perspective, I wish I knew more about it back when I was going to school, but the, What does it? Collegiate cyber defense [00:30:00] competition is is something in the U S where schools are able to compete in a like blue team perspective. We’re they’re given a set of infrastructure that is half configured and they have to go stand up all the services and secure them and protect them from an active red team.
And so it gives them like a firsthand look of what potentially there’ll be doing if they continue their security career, in the blue team world. And I think more and more it’s leaning towards cloud type operations where I know like I’ve helped the, the school here in Dallas, Southern Methodist university before.
And one of the organizers there had built out a game board in the cloud. And a lot of the things can be done in the cloud now. But, it really gives them a good person on a hands-on look of. What it actually takes to run, say a, my SQL database and patch it and secure it and keep the bad guy out like that kind of experiences priceless when it comes to applicants and all that stuff is available to students.
And nowadays, you know, with, online resources for learning, there’s so [00:31:00] much you can do. It’s just the, I guess the hardest part with learning on your own online and not go into a training. Is kind of the discipline. You need to sit and walk through everything. We’re. If, if you were lucky enough to have the money or having a scholarship, to be able to go to an in-person training somewhere, that’s not at a, a conference, like besides where it’s typically free, you know, the, the, the BD there is you’re there, right?
Your time is dedicated while you’re at the thing, but there’s so much online that you can. Yeah,
Ashish Rajan: that’s a great, that’s a great answer, man. That’s a good way for me to move into the next it’s called the mid busters. The first question is what is the most common cloud security myth or misconception that you hear from our public cloud?
William Bengston: Oh gosh. There’s so many.
So I think, I think the first myth that I’ve heard, some people say is that moving to the cloud is easy or, you know, more secure, where I think. There’s a lot of truth to it. But from before you, until you understand how the cloud operates in the different services work, there’s a lot of room for mistake.
And so that’s where you see the common, misconfigurations or vulnerabilities that lead to [00:32:00] compromise within companies. But. I don’t know. I think that’s, that’s a common one that I hear all the time and it says it’s going to be great. Or I think the biggest, the one that’s I think, you know, more applicable is, you know, I can run my applications in the cloud, just like I do at the data center.
And so like moving the cloud is just doing the same thing as I’m doing on the data center. Cause you see it all the time is the lift and shift, right. People coined that term because it happens. And so I think that’s, that’s a myth. I guess one of the advantages to running in the cloud is that you’re going to scale potentially and lifting a shifting is not going to help you scale very effectively from a, you know, taking advantage of the services.
But you know, I think those, those two would probably be the, the myths that I would say.
Ashish Rajan: Yeah, that’s a, that’s a great one. I think the common one we hear from our previous guest has been declared. That’s the other one that like, well, it’s secure. As long as the person make it secure securing, it knows what they’re doing, I guess.
William Bengston: Yeah. I would say, yeah. Yeah. Very much. So the, the cloud platform itself is very secure. How you implement things on the cloud may not that’s right. That’s right.
Ashish Rajan: The next question that I have is[00:33:00] it’s more around what are people not talking enough about cloud security? What are they not talking about?
Cloud security that I, that you wish they were talking about?
William Bengston: What are they not talking about that? I wish they were. It’s a good question. I don’t, I don’t know. You know, I love immutable infrastructure and I don’t hear a lot of talks about it and kind of the benefits there. But I think when you think about I guess for those listening, that aren’t aware of what immutable is, it’s kind of the premise that every time you make a change, you build something new.
So in the AWS world with machine Amazon machine images, every time you want to deploy an application, you build a new machine in. And the application’s ready to to run from the time of boots. And so there’s no configuration done on startup and you’re not using something like chef. Once the instance is up and running to configure it.
But the benefit there is if you do things correctly and you become that mature cloud for the mature practice, right? You can get to a point where you’re not even as to staging the boxes, right? If you think that your logs are always being shipped off, it’s it’s like a rare. Like a really hard bug to figure out that you [00:34:00] might have to go on box and just see something really interesting that you can start approaching a world where SSH becomes less of a thing.
And so it provides you a lot of advantages from being able to alert if a box is accessed by someone, because you know, this isn’t really normally done, you know, rolling out changes. Patching becomes easier cause it’s, you can test it before actually making it the patch. You know, it just becomes easier.
And I think when you started, adapting to the cloud and really embracing the cloud native aspect of auto-scaling and, you know, I think the thing and Netflix coined the chaos engineering of the cloud, right? You can just destroy something and it just auto recovers and it keeps working. To me, like the thing that I don’t hear people talk about a lot is, once you move to an immutable world and it kind of embrace auto scaling and the ability to scale in scale out.
You can start doing some really interesting things like deploying more frequently or saying, say, have a policy where you must redeploy your application every day. If you’re doing configures code and it’s mutable, [00:35:00] there’s no reason why you can’t, it’s just putting the automation in place to do it. But if you think about from an attacker perspective, if I’m trying to exploit something and I’m making progress, or if I did get access to a box, if that box goes away, really.
It limits my ability to be effective. And I didn’t see a lot of people talking about that. Which would be really interesting if I still see people talking about, or, you know, using immune mutable infrastructure and, you know, that it very much could work for, A lot of companies, but I think if people just move to like the immutable infrastructure from the beginning, it could be like a really, really powerful movement.
Yeah. But I,
Ashish Rajan: and that’s an interesting one because hardest security work in that case, you know how to take your point about immutable infrastructure, because our security depends on the fact that art was this in society, blah, which was the root of the root causes, the problem. Or by the time you got to it, it’s already been destroyed and a new instance.
For me, that’s like another layer of complexity. Have you had a August? Have you had an experience with that kind of a setup where, I mean, I guess I’m, I’m assuming with Netflix, but it’s just, it comes and [00:36:00] goes, but you slapped a group, you still have to go and investigate an incident. How
William Bengston: do you, yeah, so I mean, it becomes problematic, right?
If you’re, if the thing that was exploited is no longer there. So your evidence or the forensics value goes away, right. Theoretically you haven’t, if you’re building machine images, every time you have something that represents what the instance looked like at the configuration. So you have something to work on, at least for say a red team to go figure out how did this get exploited?
But if you enable logging and such, you have most of the artifacts, except for like a memory snapshot that you probably need. Yeah for that’s a configuration. So as long as you can ensure that before the instance terminates it, shipping off the logs that you need, you theoretically have most of what you probably need for your investigation.
Like w I got an abuse complaint once about an IP thing used to serve malicious content. And when looking it’s like we had this IP for four months. And I was able to find that because CloudTrail showed that IP, right? And so I had some, some logs actually show [00:37:00] that, Hey, even though the instance is long gone, by the time I saw that abuse complaint, here’s the instance that showed that this instance launched at this time, it made this API call from this IP and it just got destroyed at this time.
And so I think there’s still a lot of valuable data that you can get, even with a very, very short term. You might not just have like the traditional, ability to do things like take a memory snapshot, and things that some people’s response playbooks might rely on. And I think there’s a lot of other things that you can put in place to make sure you have just as much valuable forensic data to be able to like at least get a lot of way through your investigation without necessarily maybe knowing the particular attack.
Or how they might’ve stolen a credential from memory or something like that,
Ashish Rajan: or right now, dude, that’s a great answer, man. Thank you. And this is probably the last segment, which is a fun question, which I have not given you a heads up on because they’re aren’t technical at all. What do you spend most time on when you’re not working on cloud or tech?
William Bengston: And I was going to say researching cluttered,
You know, I love to work out [00:38:00] and I sort of, as you mentioned earlier, earlier, scuba diving, and so I love to travel and kind of see the whole new world under the ocean. I’ve also become a huge like bourbon aficionados where I’ve trying Newport. And so I’ve, I’ve joined a whiskey group out here in Texas.
And so I spend a lot of time trying new, like going to tastings and learning a lot about bourbons. I just recently went to Kentucky and was able to tour a bunch of the distilleries and. A barrel with one of the groups here, a unique, amazing experience. And it’s kind of changed my life, but, but yeah, between scuba diving and reading about bourbon, that’s probably outside of like tech and stuff.
That’s probably where I spend a lot of my time.
So my favorite distillery is Buffalo trace. And they make all of my favorite bourbons except for four roses. But I really love plantains quite a bit. And so when I was in Australia, I went and bought a couple of points that you can’t get in the U S. And so I was able to bring those back and make all my friends jealous.
Ashish Rajan: Well, you definitely have to give me the names of these ones later on the, I want to try to try them on, because I’ve gotten into [00:39:00] whiskeys you, myself and my wife as well. So it definitely would take your recommendation for that. What is something that you’re proud of, but it’s not only a social media.
William Bengston: I think a lot of people don’t know that I teach at a university here. And so I’ve been teaching for like six years now, a master’s class. And so I’m really proud of that achievement because it’s something I’ve always wanted to do. But the, I think the proud part of that for me is, I kind of fell into teaching because I was helping the university go get an accreditation.
With the national security agency or cyber cyber operations. And we identified a course that we needed to build and they asked, Hey, can you build this? And I was like, sure. And they’re like, oh, and can you teach this? So I ended up teaching it and it ended up being voted the number one course of the 16 schools for that topic.
Wow. Or the NSA. And so I don’t think I’ve ever. Tweeted about that or posted anywhere about it. And that’s one of my proudest achievements, I think since like what’s the core school, it’s an advanced wireless technologies course, and it’s about, cellular, signaling and, and technology. And so this, the students do everything [00:40:00] from tracking airplane.
Learning how to potentially intercept pager networks and things like that. Using, you know, the, the liberal SDR USB RTLS. I make my students buy those and we have a lot of fun. But I teach at the university of Texas El Paso. That’s a great time over the years, my course has grown from, I think my first year had tossed.
And I have like 60 students every semester now, chief class now,
Ashish Rajan: I guess you need to help, but I guess con consonant 60 people at one goal.
William Bengston: Yeah. I have a teaching assistant now, which is nice. That gets me out of a ring. All the assignments.
Ashish Rajan: No, that’s awesome. I’ve going, one more question for you, which is what’s your favorite cuisine or restaurant and you can
William Bengston: share.
My favorite cuisine or restaurants? I think it depends like, you know when I lived out in the bay area, I love this place called Alexander steakhouse. They had some of the best steaks you can get in the bay area. But being from Texas I really love a cuisine or I guess an appetizer called chili , which is a Mexican, it’s a Mexican like starter.
It’s a. Depending on where you go. It’s the main ingredients are usually melted cheese and like something [00:41:00] spicy like chili. But I, I go around the Dallas area trying trying it from different restaurants to see if I can find the best case. And I found we’re all eat that for, just for dinner. Oh really chips in case.
And so that’s probably like Mexican food and barbecue, or like my two favorite cuisines in Texas. Chili con
Ashish Rajan: cancer. Okay. So, all right. I’ll Google it. I’ll put it in the link, but I feel hungry now. Like damn dude. That’s what I had time for, but I really thank you so much for your time. I really appreciate it.
But people who may have a follow-up question, I’m going to reach out to you. We can find you on your social media.
William Bengston: Yeah, so I have Twitter, I think my handles at underscore underscore mussels,
Handle from a tech that I like to work out a lot. I’m on LinkedIn as well. Good luck spelling my last name, but maybe you can post the link. But yeah, I’m on Twitter quite a bit as well. And then you can find me in a bunch of security slack. For those that are in slack, I’m there as well. So,
Ashish Rajan: perfect dude, thanks so much.
And thank you so much for your time. Really appreciate that, man. Thanks for coming on the prompt.
William Bengston: Thank you so much for the opportunity. It’s great. Thank you.