IT Audit Conference

Prevent Cloud Incidents from Becoming Cloud Breaches

Presenter: Brandon Evans (On-Brand Technologies LLC)

The number of cloud security breaches in the headlines have been staggering lately. It seems like a week cannot go by without a massive amount of sensitive data being leaked from either AWS, Azure, or Google Cloud.

One example that would be funny if it were not so sad is the September 2023 incident where the Microsoft AI team leaked 38TB of sensitive data, including employee workstation backups and 30,000 internal Teams messages, due to a misconfigured storage configuration. How is the industry failing to use the clouds properly, let alone Microsoft, the extremely mature company who created Azure in the first place?

Join Brandon as he shares his analysis on this trend. He will discuss the unique challenges of protecting the cloud, why the cloud providers are unable to solve these problems alone, why multicloud makes matters even more difficult, and how your organization can take practical measures to mitigate the impact of cloud incidents. The presentation will include case studies of real breaches that were made much worse due to a lack of defense-in-depth. Learn how to prevent real attacks with controls that matter.

Making Controls Work for You

Presenter: Valecia Stocchetti (Center for Internet Security)

Have you ever been in the position of implementing and/or auditing against a set of controls? For one framework or multiple frameworks? It can become exhausting chasing down people for evidence, fulfilling hundreds of evidence requests, or worse, falling behind and not being able to keep up with challenging deadlines. And that’s the key word in all of this…CONTROL. However, in this talk, we are going to discuss the context of not just any control, but the CIS Critical Security Controls, a set of prescriptive, prioritized, and simplified best practices that you can use to strengthen your cybersecurity posture. Through implementation of the Controls, an organization is able to demonstrate a commitment to strengthening their cybersecurity posture, but also working their way toward aligning with other frameworks in the world of security and compliance – frameworks such as NIST 800-53, ISO 27001, PCI DSS, HIPAA, and more.

There are two sets of challenges this talk will address and one has to do with frameworks. Any given organization may need to comply with one or more frameworks, depending on the industry they are in. There’s no one “golden” approach to take when implementing these controls. One thing is for certain though, less is more in this scenario. Most frameworks have overlap and therefore, controls can be “mapped” from one framework to another to alleviate the pressure of assessing against each individual framework, which can quickly add up to hundreds and hundreds of controls. To go one step further, CIS helps alleviate this mapping process by providing users with mappings to over 25 security and compliance frameworks, along with the tools that help to streamline the mapping process.

The second challenge has to do with tooling. During an assessment, organizations may face challenges keeping information straight. This includes evidence, the implementation status of a control, who is responsible for a control, and so on. Even with an external audit team, internal tools are still needed for the work that is involved before the external audit. Additionally, an organization may want to adopt a continuous compliance methodology, where audits don’t just happen once a year, but at various points throughout the year. A tool is needed to keep this information in one space. CIS has tools and resources available to help alleviate this burden, through their CIS Controls Self-Assessment Tool (CSAT), which helps them track and prioritize their implementation of the CIS Controls.

Join us for this invigorating talk that will not just highlight the challenges, but also offer solutions!

Using Cloud Security Posture Management (CSPM) Solutions to Mitigate Cloud Misconfigurations

Presenter: Michael Ratemo (Cyber Security Simplified)

The rapid adoption of cloud technology by organizations has led to a shift towards both single and multi-cloud environments. Unfortunately, this shift has also resulted in cloud misconfigurations, which are one of the top risks associated in the cloud. Cloud misconfiguration refers to any errors or gaps in the security measures of a cloud environment.

We will begin by discussing the root causes of cloud misconfigurations. The primary cause is human error followed by poor governance. Additionally, the lack of knowledge and skills in cloud technology is a key factor resulting in misconfigurations. Another challenge is system complexity, as there are numerous cloud services with distinct implementations and nuances.

We will then review case studies of organizations that have suffered data breaches due to cloud misconfigurations, such as Capital One in 2019, eBay in 2014, and World Wrestling Entertainment (WWE) in 2017. These case studies will emphasize the importance of proper cloud security controls and measures.

We will then walk through built-in tools provided by AWS, Microsoft Azure, and Google Cloud, that cyber professionals can leverage to mitigate security risks in the cloud. These tools are also known as Cloud Security Posture Management (CSPM) solutions.

Cloud Security Posture Management tools are automated solutions designed to identify misconfiguration issues and compliance risks in the cloud so that they can be remediated, reducing the risk of successful breaches. We will explore AWS Security Hub, Microsoft Defender for Cloud, and Google Security Command Center, and review how each tool can be used to gain visibility into the current security posture of each respective cloud. Furthermore, we will emphasize how these tools can be applied to determine alignment with relevant regulatory compliance standards and industry-standard benchmarks, as well as identify threats and potential security weaknesses.

The Key Takeaways from this session are:

• Most cloud breaches are due to misconfigurations or human errors.
• Do not rely on your Cloud Service Provider to secure your data (Understand the Shared Responsibility model).
• You cannot protect what you do not have visibility into (CSPM solutions can help).
• Cloud security should begin with implementation of Cloud Governance.

“I ran a data science livestream every day for 100 days. Here’s what I learned about the future of data science in your organization”

Presenter: Dennis Salguerna (Data Science With Dennis)

I have been fortunate to build a global community of data science enthusiasts and have more than 15,000 followers on social media. I also run what I believe to be the world’s first daily data science stream. In this presentation, I want to discuss the meta-themes that have emerged during this period. There are fundamental risks that exist in how data science is currently executed; people understand the How (development tools, processing power, etc.) but not the Why or When (methodology). There is also an emerging risk in the level of creativity that will be required in future data science development work. Finally, I will present a framework that your organization can use to address these risks and be better prepared for the changing landscape of data science.

Brandon Evans
Owner and InfoSec Consultant @ On-Brand Technologies LLC

Brandon is the owner and an InfoSec Consultant at On-Brand Technologies LLC, a consultancy helping organizations secure their applications and other workloads in multi cloud environments, specializing in AWS, Azure, and Google Cloud. Prior to starting his consultancy, Brandon led the secure development training program at Zoom Video Communications. He began his career as a Software Engineer, where he worked on both the core product of a startup, later acquired by a Fortune 500 organization, and on various products spanning a multi-billion dollar enterprise.

Brandon is lead author for SANS Institute course SEC510: Cloud Security Controls and Mitigations a contributor to SEC540: Cloud Security and DevSecOps Automation, host of Cloud Ace podcast, Season 1, an analyst for the SANS Multicloud Survey, a multi-year RSA Conference presenter, and participates in bug bounties, such as when he found a critical vulnerability in Microsoft Defender for Cloud.

Valecia Stocchetti
Senior Cybersecurity Engineer @ the Center for Internet Security, Inc. (CIS®)
GCFE, GCFA, GSEC

Valecia Stocchetti is a Senior Cybersecurity Engineer at the Center for Internet Security, Inc. (CIS®). As a member of the CIS Critical Security Controls team, she has led multiple projects including: the CIS Cost of Cyber Defense for IG1, CIS Community Defense Model (CDM) v2.0, CIS Risk Assessment Method (CIS RAM) v2.1, as well as multiple Living off the Land (LotL) guides. Stocchetti was also one of the principal authors of the Blueprint for Ransomware Defense.

Prior to joining the CIS Controls team, she led the Cyber Incident Response Team (CIRT) at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC® and EI-ISAC®). While managing CIRT, Stocchetti spearheaded multiple forensic investigations and incident response engagements for the MS-ISAC and EI-ISAC’s state, local, tribal, and territorial (SLTT) community. Stocchetti was also the Information Security Audit Manager at CIS where she evaluated and managed the control implementation within CIS and measured compliance to various standards and best practices. Stocchetti came to CIS from the eCommerce field where she worked complex financial fraud cases. She holds multiple certifications, including GIAC Certified Forensic Examiner (GCFE), GIAC Certified Forensic Analyst (GCFA), and GIAC Security Essentials Certification (GSEC).

While she enjoys all things InfoSec, Stocchetti particularly finds the cybercrime and espionage fields fascinating, which is what prompted her career choice. Stocchetti earned her Bachelor of Science degree in Digital Forensics from the University at Albany, State University of New York, as well as her Master of Science degree in Information Security at Champlain College.

Michael Ratemo

Michael Ratemo is a Principal Security Consultant at Cyber Security Simplified, a boutique security firm that provides Cloud Security and Cyber Security solutions. He speaks security in a language businesses can understand and has built a career advising organizations on effective security strategies.

Michael is a thought leader in the field of Cyber Security, and the author of the LinkedIn Learning Courses; “Cloud Security and Audit Foundations in AWS, Microsoft Azure, and Google Cloud,” and “Building and Auditing a Cyber Security Program.” In addition, Michael is the co-author of the “Cloud Auditing Best Practices” book.

Finally, Michael is a speaker and trainer at major industry events including RSA Conference, Cloud Security Alliance, and Stronger Conference.

Michael gives back to the community by providing mentorship and guidance to future security practitioners.

Dennis Salguero
Principal @ Data Science With Dennis

Dennis Salguero has been a technology professional for more than 20 years. He has worked for companies such as Citi, IBM, Ticketmaster, and Caesars Entertainment. He is also a Top Data Science Voice on LinkedIn and has more than 15,000 followers on social media.

In his free time, he enjoys playing poker, golf, and traveling the world. He has visited 6 continents and only Antarctica remains as the final continent to visit.