A
You're listening to the Cyberwire Network, powered by N2K.
B
The other thing that really needs to be considered is my identity systems and how those are structured and how I authenticate into these environments and where, not only how I authenticate, but how I authorize and who has access to what. You know, obviously with this sprawl of non-human identities, that's becoming very challenging to manage across the identity estate.
A
Hello and welcome to another episode of Data Security Decoded. I'm your host, Caleb Tolin, and in this episode I sat down with Matt Castriotta, Field CTO for Cloud at Rubrik. We spoke about the misconceptions about cloud security during a digital transformation, the anatomy of cloud ransomware attacks, and the actionable steps defenders can take to harden their cloud cyber resilience. Let's get into it. Well, Matt, welcome to the Data Security Decoded podcast. I'm super excited to have you on. I would love to kind of zoom out and take a look at your career, where you've been at IBM, Oracle, Accenture, and now you're at Rubrik as a Field CTO for Cloud. Was there a moment in your career journey where you realized that cloud ransomware was a fundamentally different problem than the industry was really prepared for?
B
Yeah, I think it started to happen probably, I mean, just in my background. I've worked in data and data management my entire career, as you noted, mostly on the structured data side, but then turned to the unstructured data side when big data became a thing in the mid 2010s, and then joined Rubrik around 2018 to sort of help bring an innovative acquisition that Rubrik had done, bring that to market. Since then, that's basically been what I've done here at Rubrik: work on early stage, sort of early stage, you know, go-to-markets. So, yeah, I mean, the ransomware problem really was centered in the data center. I mean, it really took off back in 2017 or so when the Colonial Pipeline incident really got into the news, into the zeitgeist. And I felt like it wasn't going to stay contained to the data center for long. And that was accurate. And in around 2020, 21, we started to see attackers move laterally into cloud environments and SaaS environments and impact data in those environments as well. And it really all has to do with the identity system. Right? That's sort of where the attacks start and how they're able to gain a foothold into all of these environments. So you could see it happening as privileges got escalated, as identity systems authenticated into multiple places, as the data estate really sort of became this, you know, became sort of just a big, you know, thing. Right. It's not like individual pieces anymore. Your data estate can live everywhere and anywhere, so you could see that cloud intrusions were going to become more common. Fast forward to probably 2023, 2024. Scattered Spider really became sort of in the news, and that threat had specific TTPs associated with cloud environments and how they infiltrate cloud environments. And then you started to see Microsoft come out with some threat intelligence regarding this group, Storm-0501, which was again very specific cloud TTPs. So again, it just evolved over the years, and yeah, I kind of saw it coming, and I don't think it's going to end anytime soon. It's only going to accelerate from here, so.
A
Right, right. Because more and more organizations are moving to hybrid and multi-cloud workloads as they kind of go through this full digital transformation.
B
Yeah, not only that, but also AI-assisted attacks as well are going to enable attackers to be more proficient, to be able to move laterally to different places, to be able to impact different parts of the data estate very quickly. And I think it's become an end-sum game. Detection and response is sort of dead at this point because we're doing human response against the machine attack. That's not going to work. We really need to focus on recoverability and survivability and how we bounce back. And I think the organization is really centering around that.
A
Right, right. I'd love to ask you about that recovery aspect in a little bit, and we'll definitely get to that. But kind of stepping back, when you're walking into an organization that you're consulting with that is going through one of these cloud migrations right now, they're kind of in the middle of it. What are two or three security assumptions that they're making that you have to challenge when you're walking into those rooms?
B
Yeah, I think one of the assumptions, one of the very frequent assumptions I see, is this lift-and-shift mentality that I can take what I'm doing in the data center and just replicate it in the cloud. And while you can, because there's hypervisors in the cloud just like there's hypervisors in the data center, there's block storage in the cloud just like there's block storage in the data center, the process around ensuring visibility and control in that environment is very different in the cloud than it is on prem. And a lot of organizations that I work with tend to step into that unprepared. I can honestly say I think a lot of organizations are starting to use third parties to assist in migration, and that sort of helps. So the question becomes, do I use lift-and-shift services in the cloud when I migrate, or do I go directly, do I refactor my environment and go directly to cloud-native services? So that is a push-pull that I see in a lot of organizations and is something that needs to be considered. The other thing that really needs to be considered is my identity systems and how those are structured and how I authenticate into these environments and where, not only how I authenticate, but how I authorize and who has access to what. I think a lot of that is, obviously with this sprawl of non-human identities, that's becoming very challenging to manage across the identity estate, whether that's identity within the data center or whether that's identity in the cloud or in your SaaS environments. I feel like organizations are constantly playing catch-up and whack-a-mole in regards to that. So I would say that those are the two biggest areas. I think organizations tend to over-rotate on one or the other of those.
Another one that kind of came to mind is just, and this one's a straightforward one, I think everybody feels this pain, is that there's this idea that there's going to be an immediate organizational shift in savings and in how I do things in the cloud versus how I do them on prem, and also an assumption that there's going to be a cost savings as well. And that always tends to not bear out, you know, as you start to consume these services, as these services tend to charge you by the drip. The cost equation tends to go upside down very quickly. And a lot of organizations still are caught by surprise there, believe it or not. So.
A
Yeah, right, right. Which is something we're even seeing too as organizations are adopting these different AI tools throughout their business, and like the token basis.
B
Yeah, exactly. Right, yeah. So you're paying per token, just like in the cloud, you're paying per CPU cycle, let's say.
A
Right, right. So, yeah, right, right. So looking at the attacks, I already kind of referenced it a little bit when you were talking about some of the different threat actor groups that have emerged over the past several years. So when you look at how a ransomware attack operates within a cloud environment, what are the biggest things that organizations have wrong about what those attacks actually look like?
B
Yeah, I think we assume that the attacks tend to follow the same patterns and the same IOCs as they do on prem. And that's not necessarily the case in the cloud. It is less about encryption of data, although we do see mass encryption attacks in the cloud, which is a very common tactic, you know, of the threat adversaries within the on-prem environment. But we see more mass deletion, and again, both are impactful, both are denial-of-data attacks. Both deny access to the data that you rightfully have access to. So again, privilege escalation through the identity system, that still remains the same. The attacker figures out how to move laterally. That's breakout time. So the amount of time it takes them to move laterally within the network and infiltrate the environment, and doing that across the data estate, is going to give them a better chance of getting paid. And that's obviously what they're looking for. Still the same concepts around exfiltration, which is again the attacker's main goal. It's not to encrypt your data or to delete your data. That's more just them flipping off the lights on the way out the door. That's to get you to the table to negotiate. They've already, most likely, exfiltrated data and have access to some sensitive data. And sensitive data obviously can be stored on prem, be stored in the cloud, and be stored in SaaS environments, et cetera, et cetera. So that doesn't change. Those TTPs are the same. Where we see the difference, sort of where it changes, is when that detonation occurs in the cloud. It's typically some sort of mass deletion, not necessarily a mass encryption attack. A lot of the attacks in cloud are malwareless, meaning I've gained access, I have privileged access now, and I can do anything with the data at will without having to land malware and necessarily do some sort of encryption attack.
So again, malwareless mass deletion, that typically is how things diverge when we're talking about on prem versus the cloud.
A
Right, right. It gets down to that human layer and how humans are typically the biggest vulnerability for organizations many times. So I want to kind of shift gears and talk a little bit about some misconceptions around a resilience strategy. And I'm sure you hear assumptions like this all the time. Something like, we have S3 versioning, we have cross-region replication, we're covered. When you're working with an organization and you have to explain that that's not actually a resilience strategy, how do you walk them through that thought process?
B
Yeah, I tend to look at it, and again, we do this on prem as well, because people do tend to sometimes fall into this trap that business continuity equals resiliency, and those two things need to be independent of each other. As a matter of fact, an organization should be prepared for a business continuity event as well as a cyber resiliency event, or a cyber attack. And those playbooks should be separate. Those playbooks should be gamed out regularly because both are high-impact events. But the probability of those things happening is where it diverges. A continuity event, in terms of like an entire data center, let's say, being out, or an entire region in the cloud being unavailable, tends to be a low-probability, high-impact event. Whereas a cyber attack in today's day and age, all you have to do is open the newspaper in the old days, or get online, those are high-probability, high-impact events. So again, it all depends on what you want to prepare for. Should you prepare for both? Absolutely, because they're both high-impact events. So we advise our customers: have a continuity strategy, but don't conflate continuity with resiliency. Those are two different things. So I think that's, and again, the continuity strategies you just mentioned, versioning, cross-region replication, those are abilities to bounce back from an operational event, not a cyber event.
A
If you like what you're hearing so far and are interested in learning more about the forensics behind an attack targeting critical infrastructure, check out our episode with Daniel dos Santos from Forescout about a honeypot his team set up mimicking a water treatment plant. Now back to the interview. And I promised we would get back to cloud ransomware recovery and cyber recovery, and that's a perfect segue. So let's say an organization does get hit and they're going to their backups. What does that recovery story look like from a cloud perspective, knowing you don't want to restore to a point where attackers are still within your network?
B
Yeah, the most important thing is ensuring that whatever you're recovering is clean. And if you can do that preemptively, that's going to make things much faster when you go to recover. In any cyber recovery event, the end-sum game is time. How much time is it going to take me to get my business back? So it starts with qualifying what comprises my minimum viable business. If I can identify that first, then I know what are those pieces that I need to go and recover before I go and recover other parts of the environment. So that's number one, is really get centered on what your minimum viable business is, what services comprise that, what workloads comprise that, and ensuring that you have a resiliency posture for those things. And then once you've sort of centered on that, the biggest problem after that, once I ensure that I have survivability of my backups, which again is foundational. Ensuring immutability and air gapping, or credential isolation, of your backup data. That is not a given in the cloud. So those are configurations that need to be enabled and turned on. Whereas obviously with Rubrik, this is something that we do inherently. This is foundational. It's been foundational for us since we launched our first product. So survivability of backups, super important. If you have nothing to recover from, then you're dead in the water. The other piece is understanding what happened, what was the blast radius, what was impacted. So understanding the scope of impact, what services, what accounts, what regions, what hyperscalers if you're cross-cloud, all of those things come into play in understanding the scope of what I need to go and attack first, and obviously focusing on anything that comprises my minimum viable business, which goes back to that comment.
Understanding the sensitive data scope, because again, that was the primary objective of the attackers: find and exfiltrate sensitive data. So what did they have eyes on and what could have possibly been exfiltrated, and then understand any egress that happened within the environment so that you can understand what your impact was. Data breach and data breach reporting is not only a regulatory problem, but it's a legal problem and a cost problem. So being able to have a really tight process around that is critical. And then threat identification, you know, if malware was part of the equation or if threats were introduced in the environment, ensuring that I'm not recovering those things back and therefore getting myself into a bad state again. 80% of customers that are impacted by a ransomware attack within six months tend to be compromised again. And that is usually for two reasons. The first is they didn't do a good job of removing persistence in the first place, which tends to happen. And then the other reason is they didn't do a good job of closing the holes that then get sold to other attack groups to then go and play out against the same company six months later. Again, we see that very frequently. So knowing, going into that, eyes wide open, understanding that there's a good chance that this repeat can occur, you want to make sure that you're doing a really good job of ensuring a clean environment before you open things up. And then the last piece, I think this goes unsaid very, very frequently and is sort of the unsung hero, I think, of the process, is not having a user at the keyboard restoring what could potentially be thousands of cloud VMs or thousands of storage accounts or hundreds of databases.
It really needs to be done programmatically, which goes back to having a resiliency playbook, having all of that resiliency built, and then having a safe place to instantiate resources, like an isolated recovery environment, a separate account, to be able to do those things, and test that process regularly, test recovery regularly, so that you know, when the day comes, because it will for all of us, that you know exactly where you are in your playbook and you can basically articulate that to management. The time pressure of any sort of attack is very acute. And being able to limit that outside noise and just focus on getting the environment back up and running, it's really critical to ensure that you have a playbook to point to and that everybody's on the same page. So these are all best practices. This is what we talk about within our customers' environments.
A
Right? Right, absolutely. And you just went over a great list of different things organizations can do to kind of check the boxes and make sure that they are addressing their cloud cyber resilience. But for the cloud administrator who's listening right now, who has a backlog of patches and has to address all of these different misconfigurations that are on the list, what are the three most actionable steps that you would recommend they take to harden their cyber resilience right now?
B
Yeah, I guess the one thing I would say is it's not just about squashing misconfigurations, because those are endemic. Those are going to get introduced regularly. You're going to constantly be playing that game of whack-a-mole. So yes, that's important, and yes, that should continue to be part of the process. But widening your scope beyond that, thinking about survivability of data, I think is really critical. So applying those same concepts that we apply in the data center around immutability and air gapping for any sort of backup, to ensure survivability of backup data, is really critical. Immutability and air gap in the cloud is a thing. You may do it differently than you're doing in the data center, but it's a thing. Right. And it still needs to be, you know, taken care of in the cloud as it does in the data center. The second is a focus on the identity system. I know that identity may not be a cloud admin's job, but understanding things like non-human identities that get introduced into the environment, understanding things like just-in-time privileges so that you're not allowing admin privileges for a long period of time to particular identities, understanding what my domains have access to and isolating domain data, incorporating things like domain separation into the environment, is really critical. And again, these are all things that a cloud admin, in conjunction with their identity team, should really be focused on, because again, identity is ground zero. That's how they're going to get into the environment, that's how they're going to be able to move laterally, and ultimately that's how they're going to be able to impact the data. And then the last piece, I think this is something every cloud admin deals with, is controlling sprawl. Yes. If you're new to the cloud, as you consume more services, I can guarantee you you're going to end up with service sprawl.
You might end up with service sprawl in a single account initially, but you'll probably end up with service sprawl across multiple accounts, across multiple regions, and then even across multiple hyperscalers. The goal is to control that sprawl, understand what I have, understand what comprises my minimum viable business, and then I have a recoverability strategy across all of those assets, regardless of where they live, regardless of which regions or which services comprise them or which hyperscalers they live in, having a single visibility and control over all of that, so that I can click a button and get it all back if I need to. That, to me, is the third, and obviously I think the most important one.
A
Right? Absolutely. And so for the organizations who are either beginning or are in the middle of their cloud transformation, what are the two inconvenient truths that they need to kind of face as they go through that modernization?
B
Yeah, I guess the easy one here is understand the costs.
A
Right.
B
A lot of times we'll make very poor assumptions that moving to the cloud is going to be cheaper than being on prem, the way hardware is nowadays. That may be the case in some instances. That's probably becoming pretty common, where the cost equation could be more in favor of cloud than it could be of on prem. But understand what you're walking into. Understand the cost structure. Understand how the hyperscaler charges you, you know, have EDP or agreements in place to save on that cost. Just understanding the cost structures in general and how that works is super critical. I guess the other thing that for me I think is really important, and for any cloud-forward organization, is that not all services are created equally. Know the limitations of each service. A VM in the cloud may not operate the same way as a VM on prem, and obviously from a configuration perspective it'll be very different. So understanding the differences between those services and how to best optimize for those services is going to probably get you to a better state, especially when it comes to resiliency of those services and how you get those services back. I think those are really, really important things for cloud admins to focus on.
A
Absolutely, absolutely. Well, Matt, thank you so much for your time. Let's leave it on one final note. What is the single most important thing that you want listeners to walk away with today?
B
I would say go and learn and get really smart on the shared responsibility model that the hyperscalers employ in the environment. And what that basically says is that the hyperscalers are responsible for the uptime and the performance of the service itself. What they're not responsible for is the data that you put in those services. And then treating the cloud like you would your data center. The data that you put in the cloud needs protection just like the data that you put in your data center. Don't just assume that because the cloud provider has your data that they're ensuring due care of your data. They're not. That's not their responsibility as dictated by the shared responsibility models. So really understand that. Internalize it. Build a resiliency framework that is going to protect you and one that is going to meet the RTOs of the business. You have to look at the worst-case scenario again. I think Mythos opened everyone's eyes that a machine is able to exploit vulnerabilities that a human hasn't been able to exploit in 30 years. This is the new reality we live in, is that we have to assume that a breach will occur. And when it does occur, how long is it going to take me to get my business back? And then doing that in the cloud is a little bit more complex than doing that in the data center, but it's the same problem, so treat it the same way. That would kind of be my final message, right?
A
Great advice to end it on. Matt, thank you so much again for your time today. And until next time.
A
That's a wrap on today's episode of Data Security Decoded. If you like what you heard today, please subscribe wherever you listen and give us a review on either Apple Podcasts or Spotify. Your feedback helps me understand what you want to hear more about and is the best way to help support the show. If you want to reach out to me about the show, email me directly at data-security-decoded2k.com. Thank you to Rubrik for sponsoring this podcast. The team at N2K includes producer Liz Stokes and executive producer Jennifer Eiben. Content strategy by Mayan Plout. Sound design by Elliot Peltzman. Audio mixing by Elliot Peltzman and Trey Hester. Video production support by Bridget Kirke Wild and Sorrel Joppe. Until next time, stay resilient.
Host: Caleb Tolin
Guest: Matt Castriotta, Field CTO for Cloud at Rubrik
Date: June 9, 2026
This episode dives deep into the realities of cloud ransomware, cutting through prevalent misconceptions and offering actionable steps organizations can take to strengthen cloud cyber resilience. Industry veteran Matt Castriotta shares his extensive experience across IBM, Oracle, Accenture, and Rubrik, addressing fundamental shifts in the ransomware landscape, why traditional approaches fall short in the cloud, and how organizations can prepare to survive and recover from inevitable attacks.
“It really all has to do with the identity system. Right? That's sort of where the attacks start and how they're able to gain a foothold into all of these environments.”
— Matt Castriotta (02:12)
“Detection and response is sort of dead at this point because we're doing human response against the machine attack. That's not going to work. We really need to focus on recoverability and survivability…”
— Matt Castriotta (04:23)
“One of the very frequent assumptions I see are this lift and shift mentality that I can take what I’m doing in the data center and just replicate it in the cloud…”
— Matt Castriotta (05:21)
“Organizations are constantly playing catch-up and whack-a-mole in regards to that.”
— Matt Castriotta (06:59)
“The cost equation tends to go upside down very quickly. And a lot of organizations still are caught by surprise there, believe it or not.”
— Matt Castriotta (07:26)
“We see more mass deletion, and again, both are impactful, both are denial-of-data attacks… In cloud, a lot of the attacks are malwareless... I can do anything with the data at will without having to land malware and necessarily do some sort of encryption attack.”
— Matt Castriotta (08:43–11:06)
“A continuity event… tends to be a low-probability, high-impact event. Whereas a cyber attack in today's day and age… those are high-probability, high-impact events. Don't conflate continuity with resiliency. Those are two different things.”
— Matt Castriotta (11:33–13:13)
Timestamp: 13:51–18:57
“It starts with qualifying what comprises my minimum viable business. If I can identify that first, then I know what are those pieces that I need to go and recover…”
— Matt Castriotta (13:54)
“Not having a user at the keyboard restoring what could potentially be thousands of cloud VMs...it really needs to be done programmatically...and test recovery regularly…”
— Matt Castriotta (17:55)
“…80% of customers that are impacted by a ransomware attack within six months tend to be compromised again…”
— Matt Castriotta (16:40)
Timestamp: 19:26–22:17
"Identity is ground zero. That's how they're going to get into the environment..."
— Matt Castriotta (20:50)
Timestamp: 22:17–24:08
“A lot of times we'll make very poor assumptions that moving to the cloud is going to be cheaper than being on prem…the cost equation could be more in favor in cloud…but understand what you're walking into.”
— Matt Castriotta (22:36)
Timestamp: 24:08–25:48
“Don't just assume that because the cloud provider has your data that they're ensuring due care of your data. They're not. That's not their responsibility as dictated by the shared responsibility models.”
— Matt Castriotta (24:16)
On Detection vs. Recovery:
“Detection and response is sort of dead at this point because we're doing human response against the machine attack. That's not going to work.”
— Matt Castriotta (04:23)
On Cost Myths:
“The cost equation tends to go upside down very quickly. And a lot of organizations still are caught by surprise there, believe it or not.”
— Matt Castriotta (07:26)
On Real-world Attacks:
“A lot of the attacks in cloud are malwareless, meaning I've gained access, I have privileged access now and I can do anything with the data at will…”
— Matt Castriotta (10:39)
On Repeat Victims:
“80% of customers that are impacted by a ransomware attack within six months tend to be compromised again.”
— Matt Castriotta (16:40)
On the Cloud Responsibility Model:
“Don't just assume that because the cloud provider has your data that they're ensuring due care of your data. They're not. That's not their responsibility…”
— Matt Castriotta (24:16)
Practical, direct, and focused on actionable strategies. Matt Castriotta speaks from deep experience, demystifying cloud security with a sense of urgency and clarity (“eyes wide open”, “the new reality we live in”), while the host drives the conversation to tangible takeaways for IT professionals.
This episode is essential listening for IT and cybersecurity pros navigating cloud transformation. Castriotta’s core message is clear: assume a breach is inevitable, understand the unique challenges of cloud environments, and focus now on developing a real, tested resilience and recovery plan—because downtime, cost escalation, and re-attacks are only getting more likely.