Getting to know the AWS Security portfolio of tools is key to getting AWS Security right for any Cloud Security Program. We spoke to Mark Terenzoni, Director of Risk Management, in AWS. Mark spoke about the evolving landscape of cloud security and gave a deep dive into AWS's suite of services like GuardDuty, Security Hub, Inspector, and the innovative Security Lake. Mark highlighted the varied adoption phases of these services, with foundational tools like GuardDuty and Security Hub being widely utilized. He also shared the trends in tool consolidation and the importance of integrated security solutions in the cloud.
Questions asked:
00:00 A bit about Mark
00:19 Exploring AWS Security Services
00:53 Understanding the Need for AWS Security Services
02:03 How Companies are Adopting AWS's Native Security Services
04:55 Customer Responsibility in AWS Cloud Security
05:47 Starting Your Cloud Security Program with AWS
07:25 Measuring Maturity of Cloud Security Program
08:45 Next-Level AWS Cloud Security Program Elements
10:05 Building Capable Teams for Robust AWS Cloud Security
11:23 AWS re:Invent 2023 Security Announcements
15:01 Consolidation of Cloud Security Services
16:13 Amazon Security Lake Explained
17:56 What is Open Cybersecurity Schema Framework
19:36 Further Learning and Connecting with AWS Expert Mark Terenzoni
Ashish Rajan: [00:00:00] I'm gonna start just by introducing yourself and then move from there.
Is that all right?
Mark Terenzoni: Yeah, of course. Awesome. Hey, folks Mark Terenzoni here. I'm one of the leaders within what we call external security services within AWS. Our chart is quite simple. We build products and services that our customers can use to help fulfill their side of the shared security responsibility model
Ashish Rajan: and So if you give examples of the kind of services you normally work with Mark
Mark Terenzoni: Yeah, so within our suite of services, we've got threat detection with GuardDuty, we've got posture management with Security Hub, we've got vulnerability management with Inspector we have data classification with Macie, and then on the response side, we have Amazon Detective for investigations threat hunting and triage, and then most recently we launched what's called Security Lake. Which is our repository for customers to put all of their security telemetry to power some use cases on top.
Ashish Rajan: And maybe a good place to start because our audience is quite wide in terms of we have anyone who's a cloud security engineer today [00:01:00] versus all the way up to a CISO or a VP or Director of Cloud Security as well. In terms of, how you've seen these why was there a need for this specifically, these services, as called out specific categories as well, data classification, threat detection, posture management, so what was like the starting point for all these?
Mark Terenzoni: At AWS, security is always job zero. We've been recognized and known for securing of the cloud, but customers build applications. It's really no different than what they would have done on prem. They build some infrastructure, they build some applications, they have some customer or important information, and they need to secure it and protect it.
The difference is the infrastructure is quite different in the cloud than it is from a non profit environment. Yeah. So the specialized tooling that we deliver is based on our knowledge over, doing this a number of years of what the potential threat factors are and what the misconfigurations that can lead to threats are within the environment.
Naturally we wanted to give tools to help customers in their security [00:02:00]journey be able to fulfill their requirements easily and seamlessly.
Ashish Rajan: And do you find that the adoption has, I don't know how the adoption has worked in this, each one of these categories, because I think they came at different times as well.
So we've been talking about Amazon for 12 plus years now, over time, it's added on to the repertoire of, oh, these are new services that are being available. In terms of adoption of these native services from Amazon, how has that adoption started and where do you see a large or maybe not enough adoption?
Mark Terenzoni: Yeah, it's a great question. They are all in different phases, right? GuardDuty ,It's probably the service that's been out the longest, so by default it's got the largest set of adoption, and it's almost, the two services I would say that are, on by default for a lot of customers are GuardDuty and Security Hub, and they're the foundational aspects, right?
You come in and you need to determine if you're getting any threats within your environment, which is what GuardDuty does in near real time and what security hub [00:03:00] CSPM or posture management does is it goes off and just checks all your environment configurations and tells you where there's something that's configured in a way that you may not want it.
Now, in many cases, sometimes customers do want it configured that way and they have the ability to suppress those findings. But yeah, we at least do that initial analysis. Then layered on top, you have our vulnerability management solution with Inspector, which is covers Lambda, EC2 instances the software stack that's associated on those instances for customers and scans against the known database of known vulnerabilities and flags them.
Yeah. But then, when you have all those base services on inevitably as things start to fire in the form of findings. Your customers need to go dive deeper and understand what's really going on here and how are these disparate findings connected? And is there a pattern that's going on that maybe suggests there's something malicious happening in my environment and that's where Detective's machine learning comes in and kind of pieces that all together and Provides the ability to deep dive into Security Lake into the raw records and enclose [00:04:00] the case out so they were built in a way to complement each other and give customers a lot of capabilities out of the box by no means do we, lock out any of our partners there, vibrant partner ecosystem that is combined with the services that we deliver as well.
But because your question is really around adoption, I would say that those foundational ones are very highly adopted throughout our customer bases. And then the value added add ons are getting increasingly more deployed.
Ashish Rajan: And would you say, is there like a spread of small to medium sized businesses or enterprise?
Because we, I think just before we got onto the recording, we were talking about the whole public sector and compliance requirements over there as well. Do you find that is there a lot more demand for this in terms of the public sector? I guess some of the challenges of the public sector is the fact that the service itself is compliant or not as well.
And we spoke about some of the compliance requirements over there. So what's the responsibility on the customer side for a lot of this, where different sectors are involved?
Mark Terenzoni: Yeah so first, our customer base, it's across the spectrum. We have small [00:05:00] to medium sized customers up to the largest enterprises in, Government agencies across the board.
So there is a wide spectrum. There are certainly some Verticals that are much more security aware and in conscious than others Yeah, but I think the awareness is starting to permeate throughout the whole segment I would say that as you go higher up into the enterprise customers we're largely dealing directly with those teams because they have security teams in those teams are utilizing our products and operationalizing them.
As you sometimes get into the small medium size, it may be an MSSP turning on our services on behalf of the customer and managing the process in the program for the customer. So we see a combination of those.
Ashish Rajan: And would you say in terms of because I guess a lot of people would also be thinking about 2024 is coming in and they want to build a cloud security program.
Mhm. What does that look like? And maybe we can cover from hey, anyone who's probably never done Cloud Security [00:06:00] Program, CISO, walks in, or anything about technical, like a CISO Cloud Security Roadmap. What is that starting point for them?
Mark Terenzoni: Yeah, it's a great question. If you don't have any idea on what you want to accomplish, or what your regulatory requirements are today, and what they may be in the future, I would immediately suggest you talk to one of our team members and maybe we, in some cases we bring partners in play to help customers really identify early on what their security program should be and to help implement it.
What we find is if we're able to do that on the front end, it actually makes the customers go faster on the back end, right? And I've seen a number of cases where customers migrate into the cloud. They don't build security into that initial phase of migration because they're somewhat still testing the waters.
Yeah, and then they find that wow, this is really, you know enabling my teams to move much faster but now I got to figure out security and then now they go back and rework it and I would [00:07:00] suggest you know, if you know what you want to do start with the preventative side. Yeah. If we can prevent things from ever happening, because we've put controls into our environment up front, based on our requirements around security.
Yep. Then that's going to solve a lot of problems. It doesn't mean you don't need to monitor on the back end but I think you'll find you'll get far less things. Identified into your environment. If you block things out and protect in the front end
Ashish Rajan: And as you go to that next stage of maturity, I guess now we have spoken to someone who's a TAM have worked through the process of at least the initial foundational pieces.
Where do you see the next maturity comes in?
Mark Terenzoni: Yeah. Then it becomes in the fact of, okay, I've got all the tools in place and I've got all the monitoring in place. How do I operationalize it in my company? So in some cases it's a DevSecOps person in a small company that's managing, both the applications and the security of them.
In other cases, it's large security teams that are very specifically focused on securing the [00:08:00] applications within the cloud. But where I get into operationalization is that the security folks find something that needs to get sorted. But they're not usually the ones that sort it. Now it's going to go back into the development pipeline for a developer to make a change, whether it's patching, some code that has a vulnerability, or you're removing some hard coded capabilities around credentials that, were identified throughout the process.
But inevitably, there's a developer that needs to get, do something. Where I see the maturity level is When companies have built that program internally to say, Okay, here's my expertise around when something happens to here's my process to rapidly remediate it by creating those linkages internally.
Yeah. And those are the companies that I see moving very fast in this space.
Ashish Rajan: Oh, and what about like examples of, I don't know if you have any customer examples where they're like, almost as in AWS term level 500 or level 600, like what are those people like, what are they doing, which may be aspirational for some people to put in their cloud security program?
Mark Terenzoni: Yeah in many cases, [00:09:00] they are they're utilizing a lot of the tools and capabilities that we have combining them with third party capabilities. And. In what I see happening, it's been an interesting ride. I've been at AWS for five years. I would say that in the first couple years, companies would run, in some cases, multiple tools that largely did the same thing.
Oh, okay. And I've seen over the last couple years many companies look to consolidate tools. Yeah. And I think the ones that are at the very forefront have really honed in on the specific value of the tools in their toolbox and have integrated them in a way that gives them a significant coverage and advantage.
Now, these companies have resources in large security teams to be able to do that. But the one trend that I am seeing across the board is companies want integrated solutions. They don't [00:10:00] want APIs that they have to piece together to form their security plan. That's coming out loud and clear.
Ashish Rajan: I definitely would love to get into the trend part as well. In terms of people who are using this and are like at that level , do you get to talk about the teams as well?
One question that people normally ask is also this is my team size when I was a medium to start up kind of three people outside the CISO or Head of Security. And that kind of grows. A lot of times there's a lot of confusion around what responsibility do I need to have in my team?
AWS obviously has their own model and stuff. Do you find that, in terms of teams, you get to see some of that as well in some of these companies?
Mark Terenzoni: Yeah, a little bit. We certainly, get to meet with a lot of CISOs across the spectrum. I do and in those conversations I do ask a little bit how they're organized because I've seen that evolve as well, too And I think companies as they move to the cloud have went one or two ways, right?
One one way is they just build a cloud center of excellence and that you know It's separate from their corporate security and their on prem and everything else associated with it[00:11:00] Another way is they try to keep it all together and they bring in some expertise on the cloud side, but contain them from a process standpoint within the overall security structure.
There's no right or wrong in my opinion. These are the approaches I've seen companies take because there is a difference, right? There's, on prem, there's not as many APIs, there's certain things that are unique and different in the cloud.
Ashish Rajan: Yeah, definitely a learning curve as well.
So talking about the trend part as well, I think that's like my last question as well. Where do you see the trend for cloud security go at the moment? You said a lot of people are consolidating it. Is there any other trend that you're noticing? There were a few announcements here as well I guess just before.
Would you want to share that as well?
Mark Terenzoni: Sure, I'll talk about announcements we made, and then I'll walk into where I see in trends. On our threat detection side, GuardDuty we announced expansion of our runtime capabilities from EKS to EC2, ECS, and Fargate. So that was a pretty big and new announcement.
So now we have,[00:12:00] runtime detection capabilities really across the spectrum of where customers run their compute workloads. Oh, across
Ashish Rajan: the compute. Yeah. And that's almost like doing endpoint protection as well.
Mark Terenzoni: Yeah. It's agent based on a runtime capability.
So that was exciting in, in new news. Yeah. EKS and now it's been expanded pretty awesome. Awesome. Yeah, that was a big deal. Yeah. On the inspector side, we announced a generative AI capability in partnership with CodeGuru, where we identify vulnerabilities across Lambda code functions.
We can now actually come back to the customer with a remediated fix. And, again, reducing that cycle time from identification of a vulnerability to fixing it before it gets exploited in the wild.
Ashish Rajan: Oh, and I can already see the use case for it as well, because Inspector is quite widely used for vulnerability management, adding CodeGuru on to it as well.
And the spectrum of compute covered. Were those the two main announcements that you had from so far? I'm sure Werner would have his own share after he comes on stage.
Mark Terenzoni: Yeah, we actually [00:13:00] have a couple more. Security Hub announced global configuration, which was super important because they have so many checks for CSPM across all the workloads customers run.
Yeah. In every region that they run them. Customers were really interested in centralizing that. And we added some more dashboarding capabilities to Security Hub 2 as well.
Ashish Rajan: Also in customized data dashboards. Oh that would be a game changer. Because a lot of people go for a third party also because they realize, Oh, I can't customize it enough.
So now there's that capability as well.
Mark Terenzoni: Yeah. And then lastly, with Detective, we had four major announcements. One was deep integration with SecurityLake, so we can actually pull back the raw records and customers can click onto our visualizations and immediately spawn a query down into SecurityLake and bring back raw data and raw records.
The second one is around automated investigations, where we built some machine learning capabilities around investigating IAM principles. And customers can actually just with a single click, when they get to an identified user or role that is of interest, they can go off and run [00:14:00] this ML and bring back a lot of artifacts to determine if there's something suspicious and malicious going on.
And the other two is now we support the new findings that GuardDuty produces with the runtime monitoring. But the last one is an LLM based capability in Detective. Under the covers, Detective takes all the findings that we have visibility to, runs a graph algorithms in machine learning and clusters them together.
So it takes the noise of millions of findings down to, in some cases, five, ten, a hundred clusters depending on the customer size, but magnitudes shrinking from the findings when they get customer gets these clusters sometimes it's multiple findings sometimes multiple resources, and they've said hey, this is really great because it's a prioritization that I didn't have before but can you explain this to me?
What's going on? How did it start and how did it traverse and how did it get to where it is now? So we integrated with LLM to provide the human readable explanation of what these finding groups are seeing in their environment [00:15:00] Wow, so we're excited about that. So a lot going on It leads into some of the trends, right?
Yeah, and I think, consolidation is a big thing, right? In our six services, we're trying to shrink that service down a little bit. We're moving all of our vulnerability things closer together. Security Hub, CSPM, , is largely infrastructure vulnerabilities.
Inspector is software and code vulnerabilities. You'll see those two come together very closely. In the threat detection side, we've already unified that under GuardDuty, over the years, you've seen it expand from accounts and network activity to S3 data activity, to RDS activity, to now runtime activity.
So we continue to expand the capabilities, but under the GuardDuty brand, and then on the response side, Security Hub, the findings, aggregation, Detective and Security Lake work together and combine into a path where customers can start on Security Hub. If that's the level of maturity they have, then they want to go in to do some [00:16:00] investigations.
They can turn on seamlessly Detective and they want to go in and start bringing in all their raw telemetry from their other in states and other clouds. They can immediately bring in Security Lake and have that be the center of gravity of all their security data.
Ashish Rajan: I think, we've mentioned Security Lake quite often just in this conversation as well.
I think it's worthwhile explaining to people what Security Lake is and what do you see people use that as. Because I think I understand the value of it. It'll be interesting for people to understand what is it and what's the value that people are finding from that service as well.
Mark Terenzoni: Yeah, it's a fairly new service for us, but it really spawned from, like anything we do, customers needs. And customers told us that, they had trouble getting the hands around all the telemetry that was associated with not only the cloud workloads but their on prem and other cloud workloads in a single place that they can make use of it when they need to and then you know we started looking around to say who's doing something in this area?
Because it boils down to, for me, the outcomes customers want are largely driven by the analytics that run on top of these [00:17:00] data sources. But in order to get to those analytics, multiple vendors have to do multiple things across the same data sources for customers that's inefficient and costly.
So we had the idea of let's go build a very simple place for customers to bring all their security data together in their S3 bucket, not in a service S3 bucket. So customer has control of the data in an efficient format that allows for you to query and run analytics on top of it. where the customer can actually decide who has access to the data based on the tools that they want to work with.
And when we started testing it with customers, virtually every customer, large and small, said, yes, please. This is a challenge for us. We're security engineers, we're not data wranglers. And we're spending half of our cycles wrangling data to get to the base level outcomes we're looking for. Now, it created a little bit of a challenge for us because the value becomes when you can normalize disparate data sources around a specific schema.
Two years before launching Security Lake, we actually started [00:18:00]working with industry to develop an Open Schema Framework. And, it's actually got GA'd at Black Hat earlier this year, but it's Open Cybersecurity Schema Framework, or OCSF. And we have started with two organizations two years ago.
We opened the aperture up to about 15 We currently have 166 organizations contributing with 500 plus members all open, we're bringing in the domain expertise of categories of companies and these in many cases are competitors, but they're sitting down to the at the table together to figure out what the right schema is for their segment of business, whether it's firewalls or endpoints or posture management or findings producers.
So we have this large community that's contributed to this Open Schema Framework that is now going to be the language for security. There's been schemas around for a long time, but they've largely been driven by a single vendor for the benefit of that vendor's [00:19:00] product.
This is really truly an open standard and it's the foundation around the data that we put in Security Lake and we have 60 partners writing data into Security Lake in that format and, another 20 or so partners building solutions on top for customers.
Ashish Rajan: Wow. I can already see that small to medium sized businesses or people who use MSSPs can definitely benefit from this as well.
Because I think, to what you said, not everyone could have a SIEM provider as well. Correct. This kind of solves that problem. Instead of going for, hey, what's the most expensive? Or, even more affordable ones are expensive, to be honest. I think that would definitely solve that problem. But, thank you so much for sharing that.
This is really valuable. People probably want to know more about any of these services or maybe connect with you. What's the easiest way to connect with you on social media?
Mark Terenzoni: I'm not very much on social media these days, but I think people can find me on LinkedIn pretty easy.
Ashish Rajan: Awesome. Alright, I'll put that in the show notes as well.
Thank you so much for coming on the show. Thank you. Thank you for this, everyone. I will see you next episode. Peace.