Episode Description
What We Discuss with Nathan Case:
- 00:00 Intro
- 05:33 Threat Detection in Cloud
- 10:45 Starting in Threat Detection
- 14:14 Starting in Incident Response
- 20:40 Playbook + Runbook for Incident Response
- 26:33 Maturity Benchmark for Threat Detection + Incident Response
- 30:44 Threat Detection in Development Pipeline
- 32:56 Threat Detection in CI/CD Pipeline
- 35:35 Supply Chain Attacks in Bio-Manufacturing
- 48:11 Threat Detection and Incident Response at Scale
- 52:34 The Fun Section
- And much more…
THANKS, Nathan Case!
If you enjoyed this session with Nathan Case, let him know by clicking on the link below and sending him a quick shout out at Linkedin:
Click here to Thank Nathan on Linkedin!
Click here to let Ashish know about your number one takeaway from this episode!
And if you want us to answer your questions on one of our upcoming weekly episodes, drop us a line at ashish@kaizenteq.com.
Resources from This Episode:
- Tools & services, discussed during the Interview
- NIST Standard
Nathan Case
Ashish Rajan: [00:00:00] So for this guest, I think, I don’t think he needs a much of an intro, so I’m going to go straight into it.
Nathan Case: Hey man.
Ashish Rajan: Good man. Good.
Nathan, I’m so glad you’re here.
For people who may not know you, cause I, I would be surprised people who don’t know you, especially from the AWS space. So continue with the so many reinvent talks and stuff as well. Well, people who don’t know Nathan if you can tell us a bit about yourself and how you got into cybersecurity
Nathan Case: yeah, sure. So Hey, I’m Nick case. I really got into cybersecurity a long time ago before there really was cybersecurity. It was just kind of computers. We started doing some, some work on firewalls and some other, other different hardware, pen testing and whatnot, and really had a good time. I mean, like, if you really want to go all the way back when I was about 12, , seriously owned a BBS, had a really good time doing like modems and stuff.
So like, it really have enjoyed IT through the entirety of IT . It’s a lot of fun as we get into like things that I’ve done at AWS, I started out and it was kind of one of those things where it was really. I don’t know, I really wanted to help and I really wanted to contribute. And so I started kicking into some of the DOD work and some of the incident response work, one of the previous [00:01:00] companies I had was really focused on security.
So it made it pretty easy. And , here we are. What six years later and had a really good time helped a lot of people was able to do a lot of really good things and was really happy to contribute at AWS and help a lot of people through some, in many cases, uncomfortable issues.
Ashish Rajan: That’s pretty awesome.
And I think it’s probably the perfect person to bring in for like an incident response conversation as well, because I get this asked quite often. And for people who may be quite experienced in this space, because this is not the first timewe are doing threat detection. Right. , it’s been a thing for a years, but somehow people feel like like this magic box or something.
So I would love for you to kind of like share your thoughts on what do you think is the, maybe let’s start with threat detection, like. What does that mean for you and how is that different from what people currently doing on-premise
Nathan Case: well, so that’s a really interesting multi-pronged question that I’m going to kind of dance around a little bit.
So I would tell you that I don’t think, and , having helped to run, having helped to work in data centers and whatnot. I don’t think we did a particularly good job initially in data centers, honestly. So when we get to the cloud where it’s a lot [00:02:00] more fast and furious and things are happening at a different pace, We don’t do a good job there either.
So as we get into, how do you do detections? How do you figure out what’s going on? I would tell you that governance is key as much as nobody likes to hear that stuff. Sitting down and evaluating, well, how are we going to build this thing? What do you mean? How are we gonna build it? I mean, how are we going to put the switches together?
If we’re building a data center, how are we going to put the app together for building an app? Where are we going to put , the ability to detect a change to this. Are we talking about supply chain? Are we talking about the application itself? Somebody is doing something untoured. If we’re talking about a data center who propped open a door you’d be surprised at how often, like it’s something stupid where, I had a conversation with a guy I don’t know, about three years ago now.
And, , dude, , why are you propping the door open with you , with your coffee? It’s hot in here. Yep. Okay. Like the manager totally missed the security queue of it’s hot in here. So the human response is to prop the door open and create a security event. And so how do you detect that? Well, like part of that is really setting up the governance policies around what does this thing need?
The control room needs to be at a reasonable [00:03:00] temperature. So people don’t open the door. Yeah. And it kinda, it falls out from there then. So if you’re in the cloud and you want to do threat detection, cool. No big deal. The good news is you’ve got a bunch of events in the cloud. You’ve got way more indicators in the cloud than you’ve ever had.
You probably don’t have to worry about the physical as much though. I would tend to argue the physical is very important with the cyber. And as you get into the things that are happening in your application or in your cloud environment, you need to have set up all of the things that you are going to key off of.
If your application does something particularly interesting around files or S3 commits or. Probably you’re not going to be able to detect off of some of that stuff. So you need to figure out where are the edges around, , things that we do need to commit off of. Let’s say that for instance, , we’re putting S3 files, S3 objects in a bucket.
Cool. But we should never really have anybody read a whole bunch of S3 bucket objects out of that bucket. Okay. Cool. So like our first detection then is going to be, Hey, when somebody does a bucket scan and tries to download all the objects. Yeah. That’s going to be a detection and we’re going to automatically shut that crap down now.
So , it’s figuring that out, but like , you can’t do that at the other end. Right? Like [00:04:00] that’s the pisser most people’s ready to get to the end of this project and go, Hey, let’s tack on the security. Doesn’t work.
Ashish Rajan: It says, so to your point then, because of the API and automation, it’s a lot more easier in cloud.
Nathan Case: Well, it’s definitely, it gives you the opportunity to make it easier. Do you actually take them up on the opportunity? That’s up to you? Did you actually do the homework to get ready for the security? So you could do threat detection? Yeah. You can’t do incident response. If you don’t know what you’re responding to.
So you’ve got to have thought out, okay. , if I get myself an incident response, like I’ve got to respond to an incident, and I know everybody thinks about like, let’s talk about nation state and all of that, but seriously, let’s just deal with the intern for right now. Your intern comes in and he, or she decides that they’re going to delete your VPC.
That’s helpful because they’re saving you money. So as you look at all of this, well, what things did you put in place to actually respond to that? Yep. You have backup running or not. Okay, cool. So that’s Dr. Put that over there, but like when we’re responding to the incident, how do we know that he, she interned logged in and did something?
Yeah, I don’t know that we. If you haven’t planned for it, your detection, isn’t going to allow you to respond. So as we look at [00:05:00] like the S3 example where we’ve got somebody, , looking at all the bucket items. Yep. If Sally, the intern goes ahead and clicks on a bucket and like lists all the objects that should tell somebody insecurity or an operations that Sally clicked on something and it listed all the buckets .
Yep. Okay. Yep. Production. Probably not.
Ashish Rajan: Oh, actually, maybe in that case.. So where does one start? Because. Get this question quite a bit, where a lot of people want to start doing it. They all come in, they listened to an episode of Cloud Security Podcast and go get all hyped up and going.
Yeah, lets do detection I actually have. And funny enough, I’ve never covered this in terms of how does one start building a program for this? Right. Because I don’t think it’s like, just, to your point an example that he would just go one or two examples, which people weren’t here in the reinvent. Or they might hear someone else talk about, oh, I’ve got five scenarios that fit.
Nathan Case: Yeah, we’re done. The foundational statement, there is definitely security is a journey. It’s not a destination. So there’s no end to that scenario. That’s a constant walk. Secondly, it’s setting up a couple of different programs. So resilience, the company that I work for right now
and we have an amazing leadership team. We have an amazing [00:06:00] technical team. Just wonderful people. It really starts for me. It starts with a lady that I worked with a couple of times ago at McKesson Jamie Dixon, who deals with our governance and she starts helping us write governance policies that allow us.
Security operations to review the things that are happening both in software and in our three key vendors and a couple other places in the system, so that I can go ahead and say, oh, all right. So these are the places then that I’m going to have the ability to inject security. So as I start looking at threat detection, I know that if this is built to governance spec, I have these things that I can go ahead and.
And so as we begin to roll through that, it maybe , let’s take passwords for instance. Right. That’s always an easy one. Yeah. , Hey, this person’s changed their password three times in the last 12 hours, that’s unique or, Hey, this person changed their password out of turn, out of the, , the normal 60 days that we do or whatever it turns out to be for whoever you are.
Okay. That’s unique. , what patterns do we begin to set up? And if that governance hasn’t happened, Like you’re kind of shooting from the hip, right? Like [00:07:00] it’s we can go through and we can run, , I’ll just do all sorts of things and we’ll have a good time and, yeah. Okay. It’s threat detection, but , it’s not a governed normative threat detection.
It’s whatever you were able to tack on at the end. So getting it to the point where your SOC team in this case, my SOC team is able to sit down and look at a screen and go, okay. So all of these things are set up similar. They all have these similar governance. They all have the similar policies that they’re following.
They all have a similar normative application development cycle. Our pipelines are building out this way. We’re not letting people into production. We’re doing the things that we’re supposed to do. Testing is running this way. It allows everybody to be really calm about everything and say, look, I’ve got a detection here, here, and here.
And because of that, I’m going to go ahead and draw a line and say, Hey, we’ve got an incident we need to do. As opposed to hair on fire crazy Monday morning, obviously mine’s been on fire ones too many times.
Ashish Rajan: It has, well, I wouldn’t say it doesn’t look bad men, but I think to your point no one would want to be in a situation where they’re kind of have to deal suddenly with.
Right. , you realize it’s to a point about the journey, the new [00:08:00] threats that keep coming in new systems came building in the company, gonna have to keep thinking about what time it’s going to happen. It’s like she pointed about this, the same kind of deployment. How many companies have people are not people, but teams.
They use the same deployment method as well. They have multiple deployment methods as well. Sometimes you almost are trying to figure out how to do. How do you address all of those things? And I think maybe just in that line, there’s a question here from Vineet which is how do you normally plan when you are, when you start?
IR planning from scratch. For example, if the client has no plans,
Nathan Case: well, I think that’s where we start discussing with them. What’s actually going to be, I R for them. So for us, I am responsible for both digital which is cyber and physical security. So for us, because we do bio manufactured physical is really important and we can say very easily, Hey, physical impacts digital and digital impacts physical.
So yeah, I’m just going to, yeah, we’re just going to do that all together. Yeah. So for me, as we were looking at, how do we want to do this? It was very much an understanding of, okay, so our businesses. And as we take the business [00:09:00] apart in pieces, we need to start focusing on these different pieces in an appropriate way that allows us to begin to evaluate and deal with the things inappropriate triaged order.
And there’s really no other way to deal with it. So if you think about it from like first aid or something like that, as you look at how you’re going to deal with some of these things and every business is different and it’s just the way it is. , for us maybe.
Element a is really important because without this particular thing, we can’t do other things in our business. So everything rides on this one thing and let’s for giggles, let’s say it’s water. Okay. We have to have our water. Okay, cool. But , from your business, maybe it’s, it’s some other thing over here.
Maybe it’s maybe it’s
Ashish Rajan: fire,
Nathan Case: maybe it’s fire. Okay. So yeah, we fire I’ll be water. So, and consequently, your business, , kind of. Kind of stacks that way and, and real quickly, you’re able to start planning these things through. So when we look at like incident response, generally, when we look at like a data center or a technical, you start getting into this weird scenario where it’s a question of, okay, so which systems do you need?
What you need to be able to communicate. So you need to have thought about things that you’re going to communicate with. Post-incident [00:10:00] like, if you get hit, are you able to email? Probably not. Are you able to use slack maybe? Should you have a secondary set of communications that you’re able to use outside of that?
Definitely. Going from there. Then we also need to be able to go ahead and begin to recover systems or begin to recover abilities. So as you look at those abilities for your company, do you need an extra stack of hardware laying around somewhere where you can start putting things back together?
Do you need extra switches? Do you need, , all of these questions start have to start coming back up and plan for worst case, but plan for reality, like most people aren’t going to be able to have an extra ESX cluster laying around that they can throw together and magic. Yeah, it’s just the way it is.
But , you can probably say we need an extra blade or we need the ability to drop two of our blades and have three of them still running so that we can, re-install two blades and then move stuff over. But as you begin to take care of that and plan out that incident and how that incident is going to go, it’s going to start coming together and you’re going to have to work with the.
Well, the business side of your team to understand what actually makes the business go. And then as that business begins to come together, you’ll start seeing all the pieces that you need to respond to and take care of. It’s kind of around the [00:11:00] way answer Vineet , is that good? Or did you want , more specifics?
I feel like that was a little, little Roundup. Yeah,
Ashish Rajan: it does make sense. And I’ll let Vineet clarify if that answered his question, but I think you kind of hit on a good point that a good starting point is always true. No what’s most important for your company or business. And if, cause if that goes down, it doesn’t matter.
No advanced information security thing that matters at that point, there is no like AI of machine learning, going to stop or do anything for you at that point. So for from that perspective, I feel like it’s a good place to start to at least tell people, Hey, what’s the most important piece for your business?
Okay. And sometimes she appointed, it could just be an individual business unit. It doesn’t have to be the entire company could just be that.
Nathan Case: No, take it in small pieces if you can. Yes. Yep.
Ashish Rajan: Yep. And I think to your point, where are we all right. For me to say this and incident response can be started in a business unit first and then kind of expand around because if it’s your point, if fire is a main thing that.
And I figured out the different incident response scenarios for that fire business. At least that way he’s very able to kind of go, all right, at least the top five I’ve covered. Right? Like I think obviously it [00:12:00] would keep growing, but at least the top five, I think I could think of. Well,
Nathan Case: and I think that you’ll find that as you start taking care of this, , and this is for businesses, whether the business is particularly interested in security, or IR or not like , in our case, we have a really good leader and role.
Our CEO is really okay with security and really focuses and wants us to be very secure. So that, that helps my job quite a bit. But as we look at this, , maybe your leader doesn’t want that. And you’re kind of doing this on the side. Right. So what this ends up being is probably, and I’ve had to do that for people before where, okay, so water and fire are really into security, but air man, , he’s got nothing.
Yeah.
Ashish Rajan: It’s got both of us on a by a bag or something, but
Nathan Case: yeah. Yeah. But so like we prep our stuff and we get ready and then something happens to air or something happens to all three of us. We’re back up and functional in a week and , he’s floundering around for a month, , all of a sudden, , The people that are responsible for these two, we’re going to look really good.
And at that point, and then leadership goes, Hey, what did you guys do? You should be able to hand them the paper and say, look, this is what we did. This is why we did it. Oh yeah. And so, , start handing it out and making it open. I think one of the things , that we’re trying to do and I don’t know if you’re into any [00:13:00] of the, like the, the HII sack or the manufacturing ISAC or any of that, but like a friend of mine and I started up by the way.
And that’s for bio-manufacturing. So this concept of playbooks and runbooks, there’s a whole group of people that you should be working with that are your friends, whether they’re your competitors or not that will help you do this type of thing. And they should be able to show you and say, this is our runbook, this is what we do.
And you should be able to have that conversation with people and say, look, we need to figure out how to do this together, because if we don’t figure out how to do it together, none of us are. That’s a
Ashish Rajan: good point as well. A focus, a lot of people may not even know where to run book is. Can you tell us a bit about, so what’s the runbook and what was his role in the incident response?
Cause, I mean, cause people like you and I are assuming that everyone knows everything, so probably call that out as well. What’s the runbook
Nathan Case: mate. So the way I define it, and , this is me. This is not the industry as a whole. I had to find a place. As the thing you hand the executives of the things that you hand the business owners and that playbook is, this is what’s going to happen.
And these playbooks should be tabletop once a quarter, twice a year, as many times as you can, so that everybody feels [00:14:00] comfortable with how that playbook runs. Right. So if you and I are in a company, I literally sit down with you as my CEO, once a quarter. And I go, okay, so we’re going to do this thing now.
Right? And you say, yep. And I’m going to look at you and say, okay, sir. So our S3 bucket has been owned. What are you going to do? And then you would give me the, , the appropriate response and we play it out and it helps everybody feel comfortable about the things that are going to happen. And it means that on that Monday morning, when your hair’s on fire, because it’s going to happen, whether that be your intern or somebody else, you can have that conversation and feel comfortable about it.
And everybody just takes a deep breath and slows down because that’s really what it needs to do. Now, when you get into the run book, which is the kind of bit below that, , now we’re going to get into, Hey, my S3 bucket was owned or, Hey, my thing was owned and we’ve got to go deal with it. Okay. Now we’ve got specific technical things that we’re going to have to go through and do, and maybe that’s okay.
So we need to make sure in my case, maybe , as I, if I’m the technical guy and you’re the business guy, maybe that’s me going through and looking at all of these things again. I need to tell, well, okay. I need to go look at the identity people and I need to make sure that everybody rolls their passwords.
And then I need to go [00:15:00] look at this thing over here and we start doing it blow by blow by blow. And I should, should have a piece of paper that I am writing on. And I say paper, because you can’t trust that the systems that you’re using will be functional at that time. We reset everybody’s password at 12 0 2 and everybody’s password was, and then we did this and then we did this and then we did.
And part of incident response, honestly, the majority of incident response, the 90% of incident response, , the portion of the iceberg that nobody gets to talk about is that what happened beforehand, right? Like if you sat down and built those playbooks and those runbooks with , your business owners and your technical owners and the product owners and you all agreed on it, then dude Monday morning is going to be a, just a breeze.
You’re going to go, Hey, okay. , I, as your technical security lead, I’m going to hit a button and your, your carbon black is going to magically shut down. You’re at your end point. And , Jim, the guy that got the virus or the malware, , he’s going to call in and go, Hey, my stuff’s broken.
What’s going on? And you give your laptop to so-and-so and we’ll get you a new laptop. No big
Ashish Rajan: deal. Yeah. I think to what you raised an interesting thing as well, because this kind of ties in really well with [00:16:00] what we were talking about earlier, where security’s a journey, even that tabletop exercises, as well as you kind of.
You almost always assume that, oh, I’ve gotten ma most of the scenarios covered, but then you come across this art scenario and you’re almost like, what the hell was that? Like how, , what, how did this happen? And fortunately, or unfortunately as technologies that are evolving, that kind of needs to evolve with it as well.
Well,
Nathan Case: that’s the thing. I mean, you look at the solar winds and the exchange issues, right? You’re like, I’m sorry, but solar winds come on. I never like you look at that and you go, wow, that’s a security risk sort of isn’t it. Yeah. We’ve got to think about that. But I challenge anybody to say that they were the person standing up and saying, that’s a security risk.
I’m going to go protect myself from that. Like that came up when everybody realized it. And man, it was a fire drill to get that thing patched. But at the same time, yeah. All things considered. That’s a pretty basic supply chain attack, , so we’ve got a guy on our team that does third party, like discussions and whatnot.
One of the things he asks is, , are you doing those three P re are you doing those static software reviews? Are you looking at your static code to evaluate, do [00:17:00] I have silly passwords in my code and know. The guy that does it for us is freaking amazing. Like he runs the team, , like it’s just, it’s clockwork, man, but that’s really what it needs to be.
So that as you get to the point where you say, okay, what, what are we doing for threat detection? Part of that threat detection happens in that three P org man, where we’re looking at the actual supply chain for my company as a whole, did I rely on like, , solar wind or whoever man, , did they do their work too?
And if the answer is no. Okay, well, that’s awkward. Maybe we should get a new provider. But , it’s kind of one of those things where we’ve got to figure that out together and maybe we ought to just push our providers to do it. Yeah. And I
Ashish Rajan: think there’s so much to unpack here. I feel like I just keep, just keep going, but I’m like, oh, I’m just mindful of everyone’s time here as well.
But this is really interesting because you’ve touched on something really interesting, all that. We’ve been talking about this is how you were starting to send responses and how you were starting to detection. We kind of spoke about runbook playbook as well. I’m pumped. I’ve heard, Nate, I’m going to do this. This, this has got to be it now. I feel like people love to kind of have like a benchmark for, Hey, where does like a great state look like? I [00:18:00] am I, this is like AI is running the company or what’s the maturity level that you see people go to. At say like threat detection or incident response, assuming obviously we would never have all the scenarios covered.
That’s never going to be the case. If it was a case that you and I are on, won’t have a job. Probably that’d be nice, but we’re keeping that in mind. What does maturity look like in that? Like what’s the maturity benchmark people can use. So
Nathan Case: we’ve been playing with this internally and we’ve been using NIST as kind of a, like, this is some in the wind type of a thing.
And there’s some interesting maturity model stuff that we can aim at as well. Generally, the way we handle it is let’s be honest. We’re not doing it. Okay. That’s. Yeah, we’re doing it by hand. That’s a one we’re doing it. We can do getting code. That’s a two. Yeah. We’re doing an automated in code.
So now that the whole thing runs by itself, that’s a three, and then we’re doing all of these things and we’re able to deploy it at scale. That would generally be a four. So like, as we look at like vendor assessment, for instance, your maturity may never get past a one or two. Like, let’s be honest. It’s just, , my three P review is mostly going to be.
Why because I’ve got to go [00:19:00] talk to you and I’ve got to ask you questions now, maybe they’re going to be cool and let you like red team their stuff, but I’m going to go with no. So, , generally it turns into a bit of a conversation now, maybe as you get into like some of the governance of evaluation, , are we actually looking at our governance?
We’ve got all of our policies. Like we talked about way back when for threat detection and is everything happening in an automated fashion? Do I have Python checking each of my policies in my. Okay. Well, yeah, we do over here. Okay. That’s a three, but it’s a solid three because over here we’re not doing that.
And the automated system that should be going through and evaluating all of my stuff at a swing, just isn’t happening. So like instead of once a day, evaluating all of the compliance for all of my things, I’m checking project a or project. And I’m not checking be, but see how some of that and D has that too.
So it ends up being this kind of, it’s a mish-mash. All right. So you’re a three, maybe a two, and it ends up being 2.75 or whatever else. And so like, as we evaluate the stuff that happens inside of resilience, it ends up being okay, you’re this you’re that you’re this. And like trying to get [00:20:00] closer and closer and closer to an actual number so we can drive people.
Ashish Rajan: All right. Okay. I didn’t realize you can use this for IRS. Yes. That’s a good idea. Like, so you can still have the detect respond like, oh yeah, you can still do that. Oh, that’s pretty awesome. So if that’s a great benchmark, we’ll start off with, and
Nathan Case: we’re doing
Ashish Rajan: it at least something to start with. So I think to your point, a lot of times you just need a starting point and then do you do, as you’ve just said, It’s just about making it simple enough for you to kind of go or maybe it just the maturity level 1, 2, 3, 4. That’s all I care about for the autonomy.
I don’t want to go into the details of how this happens, but this maturity
Nathan Case: it’s going to be different. Right. I mean, you’re going to be different than me and your stuff. Like, , in some cases , I’m evaluating the fill level of a 500. Bio-reactor okay. So how are we going to do that? Some of them are network connected.
Some of them aren’t, some of them, you literally have to have a guy look at the thing and go, yep. That’s full. You’re going to get what you get. , it’s, it’s really great to think that you’re going to get there today, but it’s going to be a long walk dude. . And that goes all the way back to that governance piece, right?
Amy helps with that. Amy helps with the evaluation of three P’s and you start marching down the line. And by the end, [00:21:00] by hopefully the end, when you get to incident response, you’re looking at all these pieces and you’re going, okay. It all lines up. So now I can talk to you about what it’s going to be like on Monday morning when this bad thing.
And it makes you feel comfortable, ideally,
Ashish Rajan: ideally, no, one’s panicking at that point. Hopefully. And people started loving Mondays again, because I don’t know why people started hating Mondays, but people started loving Mondays after that. Again, no Monday Blues after that. Actually this is probably a good segway into a few of the questions that came in that were left , on the post
I’m going to name a few folks as well , both the question that they had, like there’s a mutual friend of ours, Matt Trentler he asked a question about how to shift threat detection, further up chain that is further into the development pipeline versus reactive and centralizing the T D I R security.
Nathan Case: So that goes back to that governance statement, right?
Like, depending on how you’ve got it set up for us, because now this is like one of the FDA things, right? So like when you get into making drugs that go in people’s body, people get awfully persnickety about the security that you’re using to evaluate , those things, and that generally falls under quality quality is a great group of people that are going to make sure that your stuff is [00:22:00] done correctly.
And as we push this stuff up chain, what we’re trying to do is take quality. That is honestly a very. It is a very Mundane thought is basically compliance from almost a hundred years ago, honestly, where things are done in such and such and such a way. And we’re making sure that you follow the procedure.
Yes. Have you followed? Yes. Then we’ve gotten this thing and yes, and yes, it’s good. And so before it, you’ve got stacks and stacks of paper and that’s great. But what we want to do is push that up chain. We want to push it to the point where the software has an evaluation when it’s being written, to make sure that it’s complying with the things that were actually in the governance policies that said that we were going to, we were going to look at this thing and we were going to do a specific test to it, to make sure this other thing was happening.
And that test should function all the way from development. All the way to production and I should be able to handle the quality people, a piece of paper that says, yes, we’re complying with all of the things that we need to comply with, and this is how you go run a test on it. And so as we look at that, not only are we doing, , static code analysis, maybe we’re doing and maybe that’s happening back here.
And we’re looking at that code specifically, but we’re also testing for our specific quality needs in our specific compliance needs.
Ashish Rajan: Oh, that’s [00:23:00] actually interesting because can happen, especially in the cloud world where everything’s supposed to be coded anyways. You’re kind of going that direction might as well start there.
Yeah. And so to your point then, Because if we are able to kind of bring them in more to the left, we’re going to use the industry very shift left, then gonna use that. And that kind of goes in really well into another question that was on that same thread by Alejoe under the maturity level. I would love to hear your thoughts about implementing a threat detection, engineering CICD pipeline.
As well as ways to group alerting and build data models to mitigate alert, fatigue.
Nathan Case: I think that’s a really interesting question. And I’ve actually got a friend that worked with me at Amazon that did some of that, and she was just freaking brilliant. So as you look at some of the interesting things you can do with threat detection and CICD pipelines, where we’re actually looking at the things that occur in our environment, and then we have a pipeline potentially building out some of the things that we want to test when things have.
There’s some really interesting, very technical things that you can start to do with the cloud, because it’s all. Yeah. So this thing happens, this thing happens and this thing happens. Great. I’m going to go ahead and deploy this thing, and I’m going to [00:24:00] evaluate all of these new APIs that maybe normally I don’t evaluate, but then I’m then going to go ahead and go into this prevention or this, this lockdown scenario where I’m then running this code to evaluate and lock these things down.
So as we look at that, that’s like we get way the hell out into four at that point where you’re looking, , in your maturity model from one to four, you’re looking at some seriously interesting . Automated systems that are able to go ahead and reply to respond to both onsite. And in my opinion, in the cloud systems where we’ve got VMware, that has a bunch of APIs, we have, , your cloud provider that has a bunch of APIs, and we’re trying to evaluate what’s actually happening in the system.
Maybe we’ve seen some interesting network connectivity. We’ve seen some interesting things that happened in a specific chunk of the world. And we want to go ahead and evaluate that. And then we also want to evaluate a bunch of other stuff for maybe we’re looking for some different. Some different signatures of a type of an attack.
Yeah. As we look at that, then we can go ahead and easily deploy it and evaluate it and all over the world. And it doesn’t really matter how close we are or how long it takes for a person to go plug something in. Cause it’s not about. .
Ashish Rajan: One of the questions that came in that I thought really was interesting. We don’t talk about bio-manufacturing [00:25:00] a lot in the, at least not in the podcasting space or at least in the content space. So I’m curious. The supply chain attacks for these kinds of things, quite a few supply chain back that became like a theme right. For, for a whole year. And are there any specific scenarios in the whole life science sector?
That you kind of like can share. It’s really interesting from a, I guess, for us to kind of sit and talk about technology like Facebook and Airbnbs of the world, but there’s also the other part.
Nathan Case: So if you go back and a friend of mine and I did a Def con talk and Charles has been doing the specifically, the.
The bio-manufacturing security awareness for a long time, a lot longer than I have.
Ashish Rajan: Well the same child afraid Fisher.
Nathan Case: Yeah. The guy that actually made the comment, which is probably the comment. Oh,
Ashish Rajan: , he totally roped me in, well, that’s an interesting one.
Nathan Case: And to be fair, it really is. I mean, he’s got a really point.
A lot of the manufacturers just don’t focus on security. So there’s a specific lab piece of equipment and I will. Graciously not give you which one, where I talked to the manufacturer and said, look, we need an API for this. We need to be able to evaluate , [00:26:00] the ins and outs of your specific device. And the guy literally looked at me and said, well, I’m sorry, but APIs insecurity just aren’t in our milew .
You and I just kind of sat there and stared at him for a second. I gotta be honest. Like I was waiting for Monty Python music to start going on and like,
I never thought I’d heard that, hear that word outside of Monte Python, but all right. So as we look at stuff like that, I mean the industry as a whole, just really, hasn’t been focused on that. And so like, one of the things that resilience is focused on right now is taking that industry and both scaling it up and turning it into a more cloud ask sort of a scenario where we have the ability to inject security into all portions of the bio manufacturing space.
And so we’re looking at how to, I mean, we go back to some of the things that we just talked about. So. I’m more than happy to go consult with a lot of these vendors and say, look, this is what you need to do. And I’ll happily help you with, we actually found a really cool set of security tools that were both security and biomanufacturing.
And we, we literally went to them and said, look, we, we want to buy your stuff. We can’t like, you’re not doing these things, but I really need you to, well, we can’t. [00:27:00] I’ll pay for it. I’ll show you how to use it. Will you use it with us? And that’s kind of, so Charles and I got together and we, we, and like the leadership, when we all got together, we put together bio ISAC .
And that’s why we did that. So we could go ahead to vendors and say, look, this is what we need you to do. This is a way for you to do this. We’ve got this open community that helps you figure out how to get your stuff more secure so that as we look at bio manufacturing as a whole, we can make it a more secure industry as opposed to.
Security. And frankly, it being a secondary thought for most of the industry, because to be fair, it’s been run on paper for a hundred.
Ashish Rajan: . Yeah. I think it reminds me of a, I was in a project once we were trying to for LA it’s funny. Well the, the specifics was more on are , we were trying to implement it to a fair the hospital and it is the hardest conversation to have with someone that you’re going to have.
Hey, we’re going to implement too afraid because clearly security is cyber security is a must and you almost go, I have a patient dying on this. Do you want me to put 2MFA trying to remember my password, which is complex, thanks to you. But while I’m trying to save Ashish’s life, would you, what would you rather have?
[00:28:00] Don’t worry about the password. Don’t worry about any of this to slack. Make
Nathan Case: sure I live. Yeah, well, and, and, and a lot of those things, I mean, like, and that’s one of the things that, cause obviously we have labs too, and , some of the things that we’ve had to set up, I’ve literally gone. So I’ve got some friends in the community that I’ve been able to reach out to national labs in the states, whatnot.
Deal with this, cause this, I can’t be the first person to have to deal with this type of a problem. Right. Cause I’ve got the same argument from people that are actually in the labs, got to make this stuff because it’s custom and this is going to save this guy’s life right over here. Don’t you want that to happen?
Ashish Rajan: I’m the guy on the other end. I definitely want that to happen. Yes, yes. Yes.
Nathan Case: And that’s the thing is how do we, so that’s the pisser with security, right? Like. Two views of security. Everybody looks at security and things. It’s the thing that has to stop everything from happening. But really it’s not the thing that should stop everything from happening.
It’s the thing that should enable things to happen so that you don’t have to think about security. So actual security in that situation is, yeah, the dudes got a wristwatch on and we’ve gone ahead and evaluated that it’s Jim or Jane. And what? We know that it’s Jim or Jane doing that specific thing.
And all they had to do was wave their hand in front of. I don’t [00:29:00] know, some sort of a D a depo sort of a thing, and it gives them the shot that they need and you get the shot and everybody’s happy. Yup. That’s what we need to focus on. Not how do we get 2FA? I mean, and I’ve been right there with you.
I did that for a hospital too, and it was painful as hell, but you get to the back of this. And we actually looked at some of the stuff that we had internally, and it came up in labs where I went out and talked to some of the national labs here and said, okay, how do you guys deal with. And they were really honest about it and said, look, this is the framework we use.
And so I went ahead and mapped that framework back to our labs. And basically we have bubbles of resources that are set up so that when they collapse and let’s be honest, they will like, they will get attacked. They will be popped and that’s okay. And we can very quickly within milliseconds shut the entire bubble.
And everything gets locked up. We clean it all up. We get your stuff, reset the bubble, and everybody’s good, but it doesn’t give the ability for that bubble to connect to other bubbles in the system. So we always make sure that your impact radius, which is kind of a scary military term for what this really is allows us to say, okay, that’s the only thing that gets hurt.
Everything else is. Okay. And [00:30:00] so it’s a little bit of extra work on my team’s parts or. But that’s, that’s my job. That’s what we should be doing is allowing other teams to do their job as opposed to trying to get away. So
Ashish Rajan: 2 cents on that one. No, that was pretty good. I think you’ve got a lot of agreeance here as well.
So we did answer this question. That was good. Make sense, gait. A good starting point. We have, I think at Zido head, I like, oh, like that’s a good name by the way. It’s good to hear that those things and learn specifically when trying to get into cloud loved the podcast. Thanks so much, man.
Appreciate that. I’m sure. Maybe. Ah, that’s brilliant. Go to the men, to Tom pike. Another regular that’s brilliant. Go to the manufacturer with a security solution so you can incorporate their product into your ecosystem. Bring them along on the journey. That is actually a hundred percent money on the money.
I wish we could do the same, same for television and all the other industries as well, because they keep asking for it. My television keeps asking me for it activating. I’m going. I don’t know. I don’t want to like give you a voice. Like I, especially, we went for a television, which doesn’t have a camera as well, like w cause I wonder to your point, because these industries have been running for over a hundred [00:31:00] years without any need for an ID or even probably most likely a CISO or a chief security officer.
Like why do you care about that? We just have televisions. They’re going to, are you going to hack a television? Like you need to literally physically come. But at least that’s what he used to be. The thing like until like six, seven years ago, now all televisions are connected. , all of them do airplay or
Nathan Case: obviously that’s what we’re going to do.
Ashish Rajan: Yeah. Clearly, because that’s where everyone’s going. It’s the cloud, right? Like let’s move to the cloud.
Nathan Case: And there was a recent breach on IP cameras too. Like most of the camera systems we use now are IP and that’s. I don’t know how many people have their IP cameras out on the public web, but with a unique IP address, are you kidding?
Ashish Rajan: Ah, come on Nate. It’s so easy to access. I can show it off to my friends. Like
you almost hear that, but I think I definitely have a proud moment when I I had a team member of mine , who definitely had the IP address on the internet, but had a username, password and 2FA he had to write the custom code for it, but I write it. But I said before, before I showed it to you, I wanted to make sure I had tousername pasword and at least 2FA in there.
I’m like, that’s brilliant because I think, and it’s funny [00:32:00] because a lot of people just assume these are supposed to be. Used to make your life easy, right? No, one’s, denying the fact that yeah, I do no one saying don’t get an IPT. We don’t get it out to television with like a camera or whatever you want to use.
You should. But the assumption that we are being, given that, Hey, they’ve taken care of security for you.
Nathan Case: That that is incorrect. I mean, even as we go back to the cloud and whatnot, I think what was one of the scariest things that happened for me? Oh, So right after I came from AWS to this job, one of our vendors said, well, we put it in S3 and S three takes care of all the malware.
No, in fact, , they say they don’t. So there’s little things like that, that go into a lot of the vendor relationships that I think are really important. And that’s why, , Vinny’s job is probably one of the more important jobs we have. We have to rely on Vinny to get that three P assessment, correct?
Because if he doesn’t and the vendor thinks that they put their stuff in S3 and it’s taken care of, then , now we’re trusting that that supply source for us, because well, the vendor said it’s fine. And so, , how did you walk that in. And it gets even more complex when we go into libraries for, , we’re talking about supply [00:33:00] chain and we’re talking about software libraries or open source libraries or anything else.
Yeah, right now, one of the things that I’m having my team do this year is to begin to pick out open source projects that they want to focus on. So I’ve talked a lot with Andrew crew over the years. And one of the things that we’re both really passionate about is open. And I think a company’s responsibility specifically a company like resilience with a name like resilience.
One of our responsibilities is to contribute back to the community and pick open source projects that we think are actually making us more resilient. And so carrying that strategy down the line and making sure that we’re contributing to the world around us, I think , is important.
Ashish Rajan: I think so it’s about, I think, especially if you’re, if you have been able to figure out a way that, well, Why not share it.
I know we you’re talking about this offline as well, but it will be the amazing world if you can live with everyone’s like kumbaya every day, but unfortunately,
Nathan Case: yeah. And I mean, like, that’s what that is, , we’re not going to fix that you and I together today, but , at some point in the future I can see a hundred, 200 years down the line where maybe we actually start looking at it.
Like, , we’re all earthlings and we’re all here to contribute and it’s.
Ashish Rajan: Yeah. And keeping and making money. There’s nothing wrong with making money. No, [00:34:00] one’s saying they can, you can still profit. You can still provide value to people, give them what they want and solve their problems. Give a heart surgery without like the pacemaker being hacked.
Like, , all that, all that. And
Nathan Case: that’s the thing let’s, let’s stop competing on security. Let’s start competing on actual things. Like what’s your actual product. Let’s compete on that and let’s do security together. Let’s focus on getting security as one team. And then from there moving forward,
Ashish Rajan: I have a fence.
And I think maybe this a, this is probably a good segway into one of the questions that I get asked quite often. Right. What does incident response threat detection look at scale because people are obviously, they’ve been sold . The idea that if you go to cloud easy yep. We can see it’s easy, but there’s obviously a few steps.
You kind of have to figure it out and do yourself because Hey code shared responsibility. What I’ve always find that a lot of people, because initially there was a thing that I only had one AWS account. I only had one or two because for some reason, people didn’t want to go from multiple. Now we’re at that stage where people have hundreds of AWS accounts and you almost like sometimes one business unit may have trained.
For [00:35:00] no good reason. This should just have one or two for one dev one test, one product, but Hey, what, I’m going to take 20 because that’s what my team wanted. So I feel like if we were in a very from a scale perspective, we also get quite complex quite quickly as well. But it has been an example that you can share where.
You felt that incident response or threat detection at scale was done? Well, maybe, and I think this is more for people to think about, Hey, what is it? What would this look like? Like at scale, obviously this, our AI machine learning, but what can this look
Nathan Case: like? So I tell you what, I’ll give you two examples.
One of which totally failed and was bad, and one of which totally worked and it was good. And. Precursor to that statement. However, Sam Ella Mack, myself, and about five other people and about 20 other people that didn’t get named, unfortunately wrote a paper right before I left AWS and it got published and it deals with specifically this.
And how do you deal with multi accounts in AWS? The original paragraph that we wrote for that paper specifically called out the fact that it didn’t have to do with AWS alone, but rather dealt with the cloud in general. And how. Cloud [00:36:00] resources that got cut. But I think it was a really good paper and I think it speaks to this actual issue.
It was a bit naive and having been on the other side of it now, I know why it was naive. That’s a different discussion for a different beer on a different day. However, to the actual question And incident where it went really well was a customer that I had had for a long time. And we had discussed their specific efforts that they were going to go through as a fin, serve a financial services customer and how that was going to look for them in the event of a.
And it was really about segmentation because they didn’t have a lot of technology in their opinion, or in my opinion, they were just getting into the cloud and getting into technology and understanding how that needed to work for them. And so they set it up so that each of the accounts could be easily kind of chunked off and then shut down.
And it was brutal. I , it was as, crude and brutal as you could possibly make it. And that worked wonderfully. So , in the case of the event that one of the developers on the team obviously left their AWS credentials in code. They put it up and GitHub and magic happened.
And five minutes later, , the entire account is popped [00:37:00] and it was shut off at about 15 minutes. Was that great? I would tell you, , for a very non-technical crude scenario, I was pretty proud of the way that worked out, actually, that was as good as it gets. Right. There’s another side of this scenario where we have a much larger company that decided that they weren’t going to listen to AWS and they wanted to do it all on their own and they didn’t want to Tam and they didn’t want okay.
Whatever. And they decided that they would do security. And they had one account and they had dev test and prod all in one account. And obviously when that type of account gets popped, bad things happen because now all of a sudden, all of your stuff is in one place you don’t know, , is my prod impacted?
I don’t know. I’ve got customers in prod right now. So are they getting viruses for me? All of these questions begin to. Bubble up and it was really, really awkward. And could they do incident response at scale? Yeah, we could run all sorts of incident response and commands on that one AWS account really, really easily.
And so could the attacker. And so as we look at something like that, I would generally push people to the left as opposed to the right on that one so that we look at well. My left over here, I guess. So we would [00:38:00] actually have some level of automation, even if it’s crude and simple to shut things down and begin to segment things out as opposed to have a single.
Chunk of stuff that just everything’s bunched into it. It’s very much like an old school data center where it’s all layer two connected. Everybody’s in a, in a switch that pretty much acts like a hub. And, , it’s all connected together in the passwords, the same for all the servers. And, , it’s just, it was a bad idea then, and it’s a bad idea.
Now. It doesn’t matter the fact that it was in a data center in the cloud, it’s just a. Segmentation scheme
Ashish Rajan: segmentation. That’s a good segway into the last section that we have, which is a fun section.
I had a lot more questions, but I’m going to, I’m just mindful of everyone’s time here as well. Everyone said sitting at odd hours. But I definitely feel like I have a lot more conversations about others with you for hours. And so maybe as you said for another beer, I’m not going to bring you back. But I’ve got fun questions.
It’s three fun questions. And there are four people get to know you. It’s funny. One of the questions I was asking that common thread was one of, one of them was listed. It’s something that I ask people. So I want to start with the first one. So what do you spend most time on me and not working on cloud or technical?
Nathan Case: So I actually really, really liked to [00:39:00] do woodworking. I actually made the desk that we’re talking to me on now. Oh, wow. So over COVID I made two tables and entryway table, my desk, a number of bowls, a bunk bed for my daughter and redid my oldest daughter’s room. Wow.
Ashish Rajan: Yeah. Well, I told her when he said woodwork, oh, I made this a chopping board.
Maybe we’ll start. I’m like, oh, just like chopping board. I’ve made like all these shapes of chopping board, like you just mentioned like bunk bed and everything. Well, that’s good, man. That’s what I did not. I would run a pick that up. Next question. What is the support is something that you’re proud of, but is not on your social media?
Nathan Case: What is something I’m proud of, but not on my social media. Wow. So I’ve got a really great wife who was a school counselor and I’m really proud of the job she does and the way she impacts her world and the fact that she helps a bunch of kiddos that really need help. And I think that’s one of the, , if you look at things that I’m proud of in my life, I’m really proud of her and the way that she acts the fact that she’s, , kind of taken my kids to a point where they’re more interested in social and trying to understand how to help.
, between she and [00:40:00] my kids. And I like to think that, , the fact that I want to focus on how to help people impacts them as well. And so, , the kids, the wife, things like that, that just, , I’m, I’m really happy that they’re growing up and wanting to help the world around them and not just.
Ashish Rajan: Brilliant so way that they haven’t come up with the move yet.
Right? They’re definitely favored, man. They’re already doing much better than they go. But I, I agree. I think helping others, there’s no bigger satisfaction than helping others. And it could be for helping in any form. It could be just spending time over here, sharing what , and like letting people know, Hey, this is all.
It’s not the end of the world at that place. All right. So last question. What’s your favorite cuisine or restaurant that you can share?
Nathan Case: So there’s, Rudy’s the worst barbecue in Texas. It started in San Antonio. I, I don’t live in San Antonio. My grandfather at the time lived in San Antonio. And it was probably the coolest.
Place that I went to as a kid and really like drove a whole love of barbecue and cooking and whatnot, and me like at 13. So yeah.
Ashish Rajan: Yeah,
Nathan Case: yeah. You can still go down and get Rudy’s the worst barbecue. And at least it was before COVID. I don’t know that it is now
Ashish Rajan: But yeah. What is [00:41:00] the, actually the worst is that where people are going or
Nathan Case: that’s what they call it.
That is the name on the side.
Ashish Rajan: Right? Right. I’m like, why are people going to the barbecue in Texas? Okay. Fair enough.
Nathan Case: Marketing, sorry. Sorry. Marketing’s marketing. Not me.
Ashish Rajan: Oh yeah. Marketing, definitely marketing. I think we thanks so much for everyone. Who’s come on so far, but For people who want to maybe have follow-up questions on what connects with you as well.
They can, they find you LinkedIn.
Nathan Case: I’ve got a Twitter account that I barely ever log into. So yeah I would say LinkedIn or Twitter, whichever whichever works for you.
Ashish Rajan: Awesome. And I’ll drop them on the shoulders of people. People can have a look and maybe connect with you as well, but I really enjoyed this conversation, Nate.
So thanks so much for coming on and I’m looking forward to having you again, maybe finish the second half of incident response and Threat detection. All right. Thanks everyone. We’ll see you in the next weekend episode,