Ashish Rajan: [00:00:00] Hello, and welcome to cloud security podcast today. I’ve got a special guest from the us. I shouldn’t Patil. I got recently introduced to him through the blog article that he wrote about capital one and AWS Azure, but that, and a lot more a trend. Welcome to the show. 


Ashwin Patil: Thank you for having me. 


Ashish Rajan: So people who don’t know you, how would you introduce yourself to the rest of the audience? 


Ashwin Patil: Yeah. So when I was actually probably less, you already said, so I work as a senior program manager for Microsoft threaten digital center. So my team is. The sharp corners is like mistake Microsoft, Trenton didn’t center. And then my role is like senior program manager. So I’m part of the mystic R and D team. 


My day-to-day working was writing detection. So on various data sources, including cloud, we pretty much published published my detection. So. I do like a bunch of Python day work as well. So my team has done like an open source library called mystic by which does some of the data analysis and data industry. 


For a way, the security, when it sources and also it has some Jupiter notebook utilities to do some impactful relation on sacred, even noted as well. 


Ashish Rajan: Awesome. [00:01:00] And that’s, that’s definitely a good segue into a capital one article that’s been floating around on the internet and how AWS CloudTrail and fentanyl and how Sentinel can consume cloud trail. 


So people who don’t know. What I’m talking about, how would you explain what you guys did and what that talk when the blog was about? 


Ashwin Patil: Right. So we did a, so I did a couple of blogs around the Capitol and breach, in back in November. So. Like the other side, is recently recently, last year. 


So one of the things that we have been trying to do is like coming up with the more case studies, so that to show like, how does your, it like, can be used in a real world environment? So the capital on beach was a pretty good example where we can show the, AWS and Azure story. So I was just sending that has like a big. 


Integration to read logs from the cloud train. So that’s how we started thinking about how we can. The capital one breach analysis using Azure Sentinel back home. Right? So what we did like we use the, some simulation software, so should be showed up to like rhino secretary labs. They [00:02:00] came up with the open source tool called cloud goat. 


So that particular tool is basically a bunch of Terraform scripts through which you can pretty much simulate the same, well, durable infrastructure in your AWS lab. Right. Oh, 


Ashish Rajan: right. So yeah, what’s an example of a wonderful and Marmon that had created 


Ashwin Patil: so similar to capital one. Right? So if you take example of capital one, so we have like one virtual private cloud with one, one easy, two instance deployed, which has a web application, which is misconfigured with SSR claw. 


And then it has a backend S3 bucket, right? So it has basically has this one notable misconfiguration already set up. 


Right. So that, that makes a life much more easier for us. So you can just exit, get the data on scripts and how the Latin sectors ready. Right. And then the. The tool also has like the pretty good guidelines. I don’t like, how do we similar the same steps that right. So this is still like a simpler way to simulate the, what happened? 


The capital one, the actual attack may have been like a bit complex, but the TTPs. Right. Yep. 


Ashish Rajan: So quickly for people who [00:03:00] don’t know what TJ TTP is. Yes. 


Ashwin Patil: Yeah. It’s the tactics, techniques and procedures. That’s pretty much the, the different ways that I can get an access to your, in one, the 


Ashish Rajan: TDP was driving a quite similar. 


Ashwin Patil: Yeah, it’s pretty similar. So, once he deployed the vulnerable infrastructures, so you can start executing some commands. So what happened in, so the simpler explanation of capital on BG is like you have a sensitive data stored in a private S3 bucket, which is not accessible from the public. Right. 


And that which is not accessible from a public. Right. So, and then you have like one lettable web. Site, which is all stirred on the easy two instance, which is misconfigured, right? So it has a SSI flaw. So with DSR flaw, you can basically initiate request to your internal infrastructure. Right. And then, so with that setup, the attacker can just send like a web request by sending requests directly to the, to metadata. 


Yup. With which you can get the instance credentials and that sort of thing. Right? So once you basically shoot the rev request to [00:04:00] the, instance Medidata proxy, you will get Credentials for the IAM role, which is the identity. And what happened is the identity has the highly , which is S3, full access was given to that. 


Ashish Rajan: Right. Right, 


Ashwin Patil: right. So once you compromise or once you dump the credentials for that identity, you can basically list all the S3 buckets because you have already had that. Right. Yep. And then you can list down the buckets and then you can figure it out. What is the private bucket, which are sensitive data. 


And then it’s just a matter of time that you can use the S3 API is to basically copy that data from S3 bucket to some letter report. 


Ashish Rajan: Sure. And Sentinel a hundred Sentinel layer partners. 


Ashwin Patil: Right. So if we dig the hole at Beck, so you need to, I mean, as an analyst, like you need to understand, like, where are the each of the data sources that you can identify, which we did take these activities, right. 


AWS has like various monitoring data sources that they have permission to that page, which is like a CloudWatch CloudTrail, then S3 access logs, PC logs. Right. So there are a [00:05:00] bunch of offers, right? So in this scenario we can see like there is a cloud trend as well as the S related operations have happened. 


Right. So what you can do is basically on. The respect to data sources into the Sentinel and then start writing deductions to detect that sort of activities. 


Ashish Rajan: All right. Okay. So is it okay so far it’s something that we have defined or sentiment would be able to detect it itself, or I guess. ‘ cause that’s kind of where people get lost. 


Cause they’re going to be having somebody that AI machine learning behind it, or is it going to be something that you notice as a behavior, which is not good and you, then you can figure Sentinel to detect that in the future. Is that how it feels? 


Ashwin Patil: And so in this case, like you did make some research to basically come up with what actually have. 


And then how do we detect those tactics or TTPs? Right. So in this case, we basically onboarded the log data sources and then came up with some reputable logic that we can turn into a detections. Right. And then once we have those logic onboarded, so once we have those rules on, you can basically detect similar type of activities [00:06:00] from the future. 


Ashish Rajan: All right. And I think to your point, Essentially and was able to consume AWS cloud trail, but it doesn’t go beyond that as well. Can it go other cloud providers and like, what else can it be consuming at your point data sources wise? What else? It could be. 


Ashwin Patil: Yeah. So, there is also like a working plan to onboard GCP and other cloud providers, as well as yeah. 


As well as the AWS has the SD access log, which is, which does not go to the cloud. Right. So you do have that. STD access logs enable, and then that will potentially go to the S3 bucket. Right. So to have like that log ingestion pipeline so that you will bring that data into the center line. Right? So in this case, what we did was like, we use the Logstash which is again, like community support. 


There are like community supported plugins available. Logstash has the S3 input plugin and the Sentinel output login. Right. So you’ve, you can get the locks from the S3 bucket to the 


Ashish Rajan: Sentinel. Okay. So maybe let’s take a step back then, I guess. I have an AWS environment. I have an Azure environment. 


I [00:07:00] may be an enterprise. What do you recommend for people who have not started doing August, who haven’t really considered SOC in for cloud, they’re still doing on-prem SOC and they’re looking at well, how do I do soak in the cloud? And what do you recommend to those folks? Who may hand off, I guess, made it maybe starting off today and have no idea. 


What do you recommend as the first baby steps that could be doing? And if central would be the first step or should that be step three, four, but it’d be interesting to know for people who are listening in, if they want to start doing some kind of threat analysis of their current environment, how do they do that? 


And what should be almost like a strategy for. 


Ashwin Patil: Right. So, I mean, coming up with the secondary marketing strategy was a lot more discussion. Right. So, yeah, it’s, it starts with the, I didn’t even buying your assets and infrastructures. How scattered it is across clouds or across from on-premises to cloud. 


So first step is like basically identifying like how your assets are deployed and then how are we mentioning those inventory? Right. The second thing is like, there is. You need to come up with some law collection [00:08:00] strategy. So on-premises is much simpler. Like you can have like a centralized location strategy and start collecting logs, but in the cloud it can get a little bit complex, I would say, because you can imagine like, I mean, so I’ve been doing like secretary monitoring since like 10, 11 years back in the days. 


Like we used to have like some intermittent. And just have some DMZ zone, which has some website where having like public interface and all that is a better meter. Right. So you can apply the way as I said, the perimeter and then start collecting logs or start monitoring those things. Right. So your bedding meter was well-defined in those. 


But with the it landscape has evolved a lot. Right? So you have like bring your own device and then now you have like cloud, so you can, right now you can basically have like your serverless application deployed in a container and hosted in Azure cloud. Right? So the log collection strategies will be a lot different in the cloud. 


Right? Yeah. So I think there’s like cardboard discussion, needs to be done, like when you are developing cloud collection strategies. So most of the cloud [00:09:00] providers have guidelines around like what are the lock sources that are available and how do we consume logs? They also have like some built in controls that you can enable. 


Yeah. I learned, say never. Right? So for example, for Azure, we have like Azure security center. So once you have those assets or workloads enable, the ASC will start Basically guiding you like about securing those assets. So we have something called secure score to basically start recommending like the basics. 


Maybe baby-steps like, so patch your systems are like like how MFA enabled or that sort of like various guidelines. Right. And then once you start mitigating one by one, and then once you are. Then basically the lock collection or the Sentinel comes into play. Right, 


Ashish Rajan: right. Oh, so, and it’s configuring Sentinel as, as simple as say, oh, I’m just going to start giving out the logs or. 


Ashwin Patil: Right. So the good thing is like Sentinel can be deployed as just a resource in the cloud. So, which is simpler than the traditional same solutions. Right? So, with the traditional SIEM solution, you need to invest time and [00:10:00] resources to basically stand up server and do that sort of things. Right. We descending just like one leak that you can basically do. 


In the cloud as a resource, and then the Sentinel has something called a data connector. So it has a native integration with the, most of the Azure services. So it’s pretty much like a one-click button to onboard those native Azure services for AWS. And some of the third party providers also have like a data connector. 


So. Yeah, 


Ashish Rajan: so, okay. So, so if I’m just going to this for the first time, I guess first step is to have my assets listed. How like profiling all the assets that I have, all the applications that I’m running across multiple clouds. The second one would be once you’ve done that. If there’s an Azure go for Azure security center and then once you start basically feeding that up next step for I guess, trend detection and monitoring perspective, you would go into central. 


And basically it should be have out of the box connectors anyways, but if you have AWS, you can go add another connector for it. Right, 


Ashwin Patil: right. Yeah. So, the doc deal the data collection. So then lack of the identification will come into [00:11:00] picture. Right? So the Sentinel comes pre-built with detections that we have basically publishing on the guitar. 


Right. So it has more than 200 deductions right now, publish. Right 


Ashish Rajan: to leverage. Oh yeah. And I’ll add the link to the show notes of the episode as well. So that’s a great basic start. And it’s. What about people who may have BCI compliance or SOC compliance? Can that be added in a Sentinel as well? Or is that a separate. 


Ashwin Patil: I’m not sure about the compliance piece, but, I’ve been there like that wouldn’t be a separate thing. I mean, the PCR may have like their own check marks to logging and auditing, so that can be fully fulfilled with the Sentinel. And then there may be like other compliance aspects that may be covered by let’s say agile has its own, whether it be compliance or that sort of thing. 


So security and compliance, maybe. 


Ashish Rajan: Oh, sure. And how does cause, and to your point about how SOC has kind of evolved right. Trend detection was a very different thing when we were talking on prem. Well, it’s almost like something I imagine a guy looking at log screen basically is looking for some, some way of identifying an anomaly, but these [00:12:00] days, thanks to things like Sentinel and the stuff that other cloud providers are doing. 


A lot of it is automated. All right. How do you look at incident response in the cloud environment? To your point? It is so complex these days that you could have a container that a function and then it just logged somewhere, but then you lose it and lose the virtual server in the Metro for half an hour. 


And you’re like, well, I’ve lost everything, but how do you see instant response changing from what you had seen before and what it does. 


Ashwin Patil: Yeah. So, I mean so I don’t think like incident response has changed a lot. It just like you need to get family a little bit, the tools and technologies that the cloud provider provides. 


And how do you feed that into your incident response plan? Right. So the traditionally the incident response has like a four or five. So it starts with preparation identification, containment, eradication. Recompete right. So the preparation identification it’s pretty much like we go out like, finding out your asset inventory, then collecting the log analysis, clicking the logs that are required. 


Right. And then I ended up pretty much. You will [00:13:00] start writing the rules. And then the response will come into picture like eradication and recovery. So let’s say like, if you are one of your cloud resource has got compromised, let’s say, so you will have like way to set up a response control. I will able to prompt the cloud, right? 


So if you are identified that a particular identity is compromised, so you can basically block that. Or you can send like password reset for those things where Azure active directory or that sort of things. 


Ashish Rajan: All right. And to a point, the, the, the main two stages, you can create that as a detection in, or the, I guess, something that you detect and Sentinel, so that in future, if it happens again, you get notifications for it, or there’s an automatic action that. 


Ashwin Patil: Right. So the same has like the sophomore, right? Once you enable the specific rules, it will start creating the incident. Right. And then once the incident triggers, that’s when the, your incident response plan will start. Right? So for the setting, we have something called us logic app, which is basically an automated, investigation that you can do. 


So it will [00:14:00] basically like once the incident is triggered, you can basically have like logic app. So basically, push a rule to the firewall to basically block that IP, or you can send a request to the Azure active directory to block that identity. 


Ashish Rajan: Okay. And I don’t know if this is the right question to be asking here, but do you have any examples of any incidents yet you may have seen and how it was like, what’s a good way to respond to an incident and I showed her and then there’s one way to do it in AWS is another way of doing Google cloud. 


Is there a almost I’m thinking for the listeners who are listening in, we haven’t even talked about what do I do when there’s an incident? Yes. Like Sentinel is great, but it’s something that I have to detect first before I can put in Sentinel. What do you see as I guess a good incident workflow, I guess for isolation type of virtual server is compromised. 


And I’m assuming you have to isolate and you basically changed this security group around it, or what I mean, what does that look like in your mind? 


Ashwin Patil: Right. So, I mean, Azure has like. Bunch of secretive products portfolio already built in. Right. So we have [00:15:00] like, for the endpoint specifically, we have like Microsoft different ADP, which is basically a endpoint detection and response solution EDR solution. 


Right. So that allows you to basically centrally manage your points and then how like automated response. So once it detects that the endpoint is compromised, You attracted, to the UDR, et cetera, that you can basically, how like response mechanisms to isolate that host from the network. Right? So you can trigger that workflow as part of the different ADP ADI. 


You can also have like a logic app, which will basically, wait for a specific incident to trigger in Sentinel and then reach out to the different ADP to basically do that response. 


Ashish Rajan: Right. Okay. Also, it’s very different than some, because I think a lot of people look at isolation very differently in the cloud provider, because they’re almost like, well, I need to give my friend tech team access to the server once it’s all isolated. 


How would that play out over here? So the EDR would be able to isolate the instance, and the forensic team would be [00:16:00] onboarded, or I guess if they were not already there, but if an already dead. Watch your side will be given access to through another watch with forensic tools on it. 


Ashwin Patil: Yeah. So the EDF has like been the EDR basically isolates the host from your internal network. 


Media still has a way to communicate that isolated host, right? So you can basically communicate to that guy. So can host from the UDR. So the different ADP has a lot of command line utilities through which you can remotely gathered some artifacts from the. Right. So the foreign 60 is a whole different conversation. 


Like how do we take, memory images and disk images? So that will be a different workflow itself. But with the defender, you can basically collect like important artifacts. What happened? And then how do we, how does it scoping the internet 


Ashish Rajan: work or that sort of thing. And for, I guess for organization who may be a lot mature where. 


The what she’ll say, well, maybe not say, or like not a, not a pet, but a Catholic kind of a thing where it just, you know, comes up and goes every half an hour in those kinds of [00:17:00] scenarios. That’s the defender ATP still kind of comes in handy, or I guess, because the end point doesn’t really exist anymore. 


Would they, how would you, and this is me thinking out loud, right. Because I’m like, I didn’t even know that for legal case, but if that’s what that were to be the case, then you would go into Sentinel to see what had happened in the past or how we’re display on the Azure ecosystem. 


Ashwin Patil: Yeah. So, I mean, so the, this transient assets is like pretty challenging in most of the enterprise environment that we have seen. 


So you will almost have like a. Some process where it like assets will come and go up. So monitoring those assets is always challenging. So in those cases, I think the best possible ways like, find out the other data sources through which you can model, what are those things? Right? So the, those assets will still go through your firewall and other network devices. 


So you can still monitor that activity from those data sources. So brief, because like once you provision a host, if you, you need to still fall a certain actions to onboard it, to send in a land, start collecting those logs. Right. So before it starts [00:18:00] onboarding to send in a leap, it just goes away. 


Then you have to rely on other data sources to see like what active data. 


Ashish Rajan: Wait how often, and I think based on what you see and what you recommend, where do you see as the maturity level in Azure or across support? I’m assuming there’s like some people who are really mature have Franzia. So it was a come up and go every half an hour, then there’ll be other house which are manually deploying. 


What’s a stuff which would never die. So do you see that disparity, like, is there like a lot more mature people versus a lot less mature people? Like, is there almost like a average graph, I guess, that you have seen? 


Ashwin Patil: And so, I do not work for most of the customer environments, but I’ve seen like, this is the case. 


This may not be like large portion of your network. It may be just like a small portion of your networks. So, yeah, so the coverage may look like a little off in those cases. So each organization tracks basically market coverage of their assets. So, With these special cases that go to get little complex. 


Ashish Rajan: Okay. All right. And to your point I guess going back to the monitoring of threat, [00:19:00] because these days people are talking about internal and external thread, and to know it would be great for internal threat and external type threat, as long as you have those data sources going into Sentinel. Is that right? 


Oh, sweet. And, but just the, kind of the same as any other enterprise as well. Okay. And because this is our security podcast and I probably should have started off by asking what is cloud security, according to you? I’m going to ask that now. What, where do you think is cloud security for you? Like what does that mean for you and Thomas is cloud security. 


Ashwin Patil: Yeah. So, I mean, as an analyst. We pretty much expect, like to have those new assets to be defended and new data sources to be onboarded in our monitoring strategy. Right? So it’s about getting familiar with the new attack vectors that the cloud will bring in. How do we protect those attack vectors with either the built in alerts are to develop some new ones. 


Ashish Rajan: Sweet. The, the next section are MythBusters basically in this question, is there a myth that you hear about cloud security? Like what’s that month thing that people, [00:20:00] you hear people talk about cloud security and you feel like that’s actually not true. Most common that I get is that cloud is not secure, but I’m curious if you had, have heard of any of the myths around cloud secure. 


Yeah, I 


Ashwin Patil: guess. I mean, so as you say, like the cloud is not secure is pretty predominant that we used to get here a lot, but, I guess it’s pretty much the same. And then in sacredness space we actually start with the Azure breach mindset. So that means that no matter how many, like preventive controls that you have deployed, you have to accept the fact that you will. 


We basically fail at some point in time, and then you will get compromised. So you are a different, that strategy should be like if you win, if your monitoring control fails, how do we defend against we just sort of attacks, 


Ashish Rajan: oh, is that an example of this kind of a thing where like, what’s an example of a very simple example of this defending? 


Like almost like before. Defensive layers as I like to call it. The different layers of security is an example for that you would have seen or heard of, which is very simple use case for this. And I don’t know what you mean. 


Yeah. Yeah. Yeah. 


Ashwin Patil: So in a [00:21:00] simple term, like we used to have quite depends in depth, right? So you’ll have like multiple layers of like, let’s say you have a, internet network and then that is predicted by firewall ideas, IPS applies and then some other applies. Right. And then you will have like a false sense of security. 


Since you have like a lot of plants since the host is behind with a lot of monitored controls, you don’t need to worry about monitoring are different in that asset. Right. Which is wrong. So you need to consider the fact that all of those the predictive controls. But I did it by bypass or something happened on the host or some sort of activity. 


And then your host will get compromised. So you need to still have like a meaningful monitoring strategy. I don’t the host, to detect certain things. 


Ashish Rajan: Yeah. I think that that’s the example I was looking for as well. Now. That’s awesome. What to say cloud security, but actually what’s a, what’s a sock or a threat. 


The question you wish I had asked. Or from a cloud security perspective, because I’m getting into the last section, which is the fun section. So, which is not technical at all. So before we get into the non section, what’s that one thing you wish I had asked you, or [00:22:00] as not being talked about enough in cloud security or in red protection and monitoring. 


Ashwin Patil: So I think most of the time, like people have like a. Presidency in both on-premises and cloud. Right. So they also need to think about like how does that be wording works, right? So you may have certain identities which are basically have access to the board environment. Right? Most of the time, what happens is like the attacker can. 


Gum from the cloud. And then since it has access to your on-premises people, basically people networks, right? So you need to have that identity, that isolation or that sort of thing. So, yeah, I mean, that is where the monitoring strategy and those things come into picture. And there are like, I mean, I guess like the. 


There are like certain standards, like, 


Ashish Rajan: CIS. 


Ashwin Patil: Yeah. Sort of like an ISD they have basically published, like how do we secure your cloud? So that’s like a, actually a good starting point, I would say. Yeah. Each cloud provider has its own 


Ashish Rajan: guidelines. Oh yeah, of course. After that, it kind of goes into the charging. 


That’s an awesome segue for me to get into my last segment. Just the fun question. Where do you spend most time on when [00:23:00] you’re not working on detecting our threats and monitoring? 


Ashwin Patil: Yeah. So mostly like in normal person. So pretty much like BV playing X-Box games is always 


Ashish Rajan: my go to place. The next question is what is something that you’re proud of, but it’s not anywhere on your social. 


Ashwin Patil: I guess I’m pretty good swimmer. So I still do like. Yeah, I’ve been doing like swimming since my school days parties participate in my college competitions. 


Ashish Rajan: Ah, last one. What’s your favorite cuisine or restaurant that you can share with the audience? Yeah, me 


Ashwin Patil: and my wife basically Hines for like a lot of Indian restaurants, which has like authentic Indian dishes. 


So they’re like couple of restaurant, like. I guess is the one which is in red mud, pretty good dishes. And then there is one in Seattle called Safran spice. That 


Ashish Rajan: sounded well. Where can people find you on socials? 


Ashwin Patil: Yeah, so I’m on the Twitter. My, I shouldn’t buy a good to handle, and then you can have some such on LinkedIn. 


So what are the good places for me 


Ashish Rajan: to reach out? Perfect. Well dude, thanks so much for your time and I’ll talk to your socials on [00:24:00] my show notes as well. So people can reach out if they have any follow-up questions, but thank you so much. I really appreciate it. Bye man. 


Ashwin Patil: Thank you. Thank you. Thank you for.

‍