
Preventing Security Breaches: Strategies for Effective Threat Detection and Prevention

Beyond the Screen · 2024-05-21 · 26 min

Substance score

40 / 100

Five dimensions, 20 points each

  • Insight Density: 8 / 20
  • Originality: 6 / 20
  • Guest Caliber: 11 / 20
  • Specificity & Evidence: 8 / 20
  • Conversational Craft: 7 / 20

What our scoring noted

Our reviewer’s read on each dimension, with quotes from the episode.

Insight Density

8 / 20

The episode offers a handful of genuinely useful tool-level recommendations (AWS Control Tower, Security Hub, GuardDuty, Shield Advanced, Prowler, Unit 42 threat report) but a large portion of the runtime is consumed by career biography and motivational framing. The actual security content is compressed into perhaps half the episode's duration, and most of it is remedial for any practitioner.

companies are not putting automations in place. Companies are using weak passwords. These are not things that I looked at and I said, you know, everybody should know that
having a CSPM tool in place and also proper vulnerability management process in place

Originality

6 / 20

The episode is almost entirely recycled security hygiene advice - MFA, avoid long-term credentials, patch CVEs, classify data - that appears in every entry-level security blog. There is no contrarian argument, no first-principles reasoning, and no counterintuitive framing; the Unit 42 report mention is the closest thing to a non-obvious recommendation.

MFA should never be optional
you really want to avoid security breaches because those end up leading to what litigations

Guest Caliber

11 / 20

Mukhtar Kabir is a genuine practitioner with real client-assessment experience at GuidePoint Security and prior stints at AWS and Deloitte, which gives the episode some credibility. However, he is a mid-level consultant rather than a CISO or security executive who has owned outcomes at scale, and his LinkedIn-influencer/mentor framing slightly dilutes the practitioner signal.

I'm not talking from reading news articles, right. You go into a client environment, you're brought into, hey, tell us what we're doing wrong
I am actually currently doing is helping companies assess their zero trust architectures

Specificity & Evidence

8 / 20

The episode names specific AWS services and one open-source tool (Prowler) and references the Unit 42 threat report, which is a notch above pure abstraction. However, there are zero breach case studies, no metrics (breach rates, cost figures, remediation timelines), and every client example is fully anonymised, leaving the advice unanchored in real evidence.

Prowler is an open source CSPM tool
I recommend every organization look forward to reading the release of Unit 42's threat report. There's one key takeaway. Palo Alto Networks comes out

Conversational Craft

7 / 20

The host asks one genuinely good clarifying question (account-level vs. network-level alerts) but accepts a non-answer ('all of it') without follow-up. For most of the episode the host is a passive receiver, allows extended career biography without redirecting to substance, and openly admits ignorance of CSPMs - which signals insufficient prep to push the guest into genuinely novel territory.

So just to ask from an engineer who doesn't go into AWS, how often isn't configuring stuff and isn't on the security side of things. What are those alerts triggering on you?
Great question. All of it. Cool. Okay.

Conversation analysis

Computed from the transcript - who did the talking, and the verbal tics along the way.

Share of words spoken

  • Speaker B: 70%
  • Speaker A: 30%

Filler words

  • right: 90
  • so: 53
  • like: 26
  • you know: 20
  • kind of: 11
  • obviously: 5
  • actually: 4
  • I mean: 1
  • literally: 1

Episode notes

Enhancing Cybersecurity Practices: Insights from Mukhtar Kabir of GuidePoint Security

Welcome to Beyond The Screen: An IONOS Podcast, hosted by Joe Nash. Our podcast is your go-to source for tips and insights to scale your business’s online presence and e-commerce vertical. We cover all tech trends that impact company culture, design, accessibility, and scalability challenges - without all the complicated technical jargon. Our guest today is Mukhtar Kabir, Senior Cloud Security Architect at GuidePoint Security, a company that provides cybersecurity consulting to protect your digital networks. Tune in and learn valuable insights and recommendations to enhance your cybersecurity knowledge and skills.

We also discuss the following touchpoints:

  • The importance of certifications for IT professionals
  • A lack of multi-factor authentication (MFA) implementation and the need for better security awareness training within organizations

Full transcript

26 min

Transcribed and scored by The B2B Podcast Index.

Joe: Welcome to Beyond the Screen, an IONOS podcast where we share insights and tips to help you scale your business's online presence, hosting genuine conversations with the best in the web and IT industry, and exploring how the IONOS brand can help professionals and customers with their hosting and cloud issues. I'm your host, Joe Nash. Welcome to another episode of Beyond the Screen, an IONOS podcast. Joining us today is Mukhtar Kabir, current senior cloud security architect at GuidePoint Security. He's been a key figure in the cybersecurity landscape throughout his career, with a back catalog of employers including Metrica, Deloitte and Amazon Web Services. You may follow him on LinkedIn or you might have recently attended his webinar on cybersecurity and cloud security topics for your interviews and resume. Today, he's here to talk about cybersecurity and the potential vulnerabilities the cloud market faces. Welcome, Mukhtar. Thank you so much for joining me today.

Mukhtar: Well, thanks for having me. So happy to be here.

Joe: So we mentioned a bunch of big company names that might be familiar to our listeners in that introduction. So I want to get started on your career. Can you talk us through your career thus far and how your motivations have changed throughout that time?

Mukhtar: Cybersecurity has always been a passion of mine. I started at a community college here in the United States, electrical engineering. When I switched to IT at some point later on and I, I thought to myself, this is exactly what I want to do. I love the topics that were covered in there. I love everything about helping protect systems. I also worked in the IT department. And then after college it was tough getting a job in the field and I learned really fast. The certifications really go a long way. So there's one recommendation in terms of my background and how I got here, I would definitely highlight getting certifications in the field really helps a lot.

Joe: Yeah, that's really interesting. Well, actually, when we've had cybersecurity guests on here in the past, they've also said kind of a similar thing. And it seems, at least to me, that certifications are much more important in the cybersecurity space than, you know, other IT and software fields. Do you think that's the case?

Mukhtar: Yeah, I strongly think that's the case because coming out with my Bachelor of Science degree in computer networks and security, I thought, you know, who wouldn't hire someone with such a really good major? And I got to learn really fast. Again with that, I applied to a lot of jobs and even with my title, it wasn't just working out until I got my CISSP, right? So that took a lot of time to study for. After that, I would apply to like five jobs. And before I know it, I get calls from like three companies looking to interview me.

Joe: Why do you think that is? Is it just because there's more up to date knowledge?

Mukhtar: I was gonna say. I shouldn't say. I think I said that degree doesn't really matter. It matters. I highly encourage it. But from what I've learned from some of my mentees is sometimes they don't have bachelor's degrees or any type of associate college level degrees. So what I typically recommend to them is certifications really work. Because I myself have seen that. And as you can see, many companies today are removing the requirements of having like a bachelor's degree. Right? So that really should push individuals even more to go for certifications if they don't have a bachelor's degree in the tech field. Right?

Joe: Right, okay. Yeah, that makes sense. So one of the things you mentioned there, you know, when we talk about your career history, was that, you know, you really enjoyed the topics you were covering in your cybersecurity classes, et cetera. What is it about cybersecurity in particular that you found more interesting than those other fields that you looked at?

Mukhtar: I think what I'll do here is compare my electrical engineering background. So when I was in cybersecurity courses with electrical engineering, it's not that I was failing the classes, right? There was calculus too. There was, you know, physics. But sometimes I would spend nights, right, studying for those and I ended up getting good grades on them. But then it just wasn't something that I was being continuously motivated to do. So I looked into the IT courses. I spoke to my supervisor, right? I talked to them and got to learn more about other technical fields, STEM related. So saw the curriculum for the IT, learned we're going to be talking about networks and other cool topics, tested and just loved it from there on. I took a cabling class where we built network cables, right? Literally in the labs, right? We built the cables, we configured networks like routers. I'm like, this is cool, right? You have a router, you go into the CLI console, you configure it. I love being in the CLI, right? I was used to using the console, but when I got in the CLI, like, this is pretty cool, right? It reminds me of those movies you see. Yeah, this is fun. And then just knowing that you're doing this to help protect systems, right, was kind of also the highlight of me wanting to continue to do that. Could imagine like helping protect the company, the university's IT systems and just making sure that the systems are running as expected and keeping the bad guys away.

Joe: Perfect. So moving on from your career and your motivation to date through to your current work and I guess the current state of the industry, what trends are you seeing in cybersecurity in the past year or so? From both a security perspective, you know, your work keeping systems safe. But also from the hacker's perspective, is there anything that stands out as particularly interesting in recent developments?

Mukhtar: Yeah, so there are a couple of things that really stand out, especially when you have a lot of companies going into the cloud today. And you know, when I say this, I'm saying this from real life perspective. You may read in news articles that you know, companies are not enforcing MFA, but those are actual facts, right? You go into a client environment and again what I see hands on, right? I'm not talking from reading news articles, right. You go into a client environment, you're brought into, hey, tell us what we're doing wrong. Right? And you continuously see the same thing. Companies are not enforcing MFA. With that said, I think there's a lot of security awareness training that really should be happening in organizations. And take this from a senior cloud security architect, companies are not putting automations in place. Companies are using weak passwords. These are not things that I looked at and I said, you know, everybody should know that. Right? Because working hands on in the field has really made me know that. No, not everybody knows those. One of the other things I see right is consistently with multiple clients, they expose their resources to the public Internet. It's 2024 and we still see that. And in part of my recommendations to these clients is you have to lock this down and have visibility. And one of the biggest things you can do to that is alert when those types of things happen. A lot of companies do not have that in place. Proper alerting, right. If a developer or user goes into for example their AWS account where they're developing or pushing things into production, they open firewalls to the public Internet. Right. The central security team should be aware of that, right. It shouldn't be an after the fact that, okay, later on we found out as a result of a breach. You really have to put automations in place today to make sure that we are notified immediately in real time when users, developers open up systems to the world.

Joe: Interesting. So just to ask from an engineer who doesn't go into AWS, how often isn't configuring stuff and isn't on the security side of things. What are those alerts triggering on you? Talking like an account level alert that a change to any settings have been made? Or is this like a network level alert that like, hey, some ports are exposed that weren't before level alert, like what exactly do you mean?

Mukhtar: Great question. All of it.

Joe: Cool. Okay.

Mukhtar: It's usually been difficult in the past, right. There's no question about that. Right. Configuring these automated alerts, right. To alert the security team on these types of findings. Right. But today it's become extremely easy. And if there's anyone here maybe using AWS specifically around the use of Control Tower, is it okay if I mention services?

Joe: Yeah, absolutely. Yeah, please do. Recommendations are very helpful and it contextualizes things. Right. If people are using it, they know what you mean. Right.

Mukhtar: I can imagine today a lot of people hearing this podcast on AWS do not use Control Tower. Right. This service has made it extremely easy for you to be proactive in keeping an eye on the configuration of your AWS accounts and resources. Exposed security groups. Right. The use of root credentials, that should never happen except for a few cases. Right. But when it comes to managing workloads, you know, run applications, you really do not need to use root credentials for those. So I was talking about Control Tower as a means to allowing that easy process of alerting on misconfigurations. Right. I think my key contribution to this is every company should on AWS. Right. And they're similar on Azure or GCP. I'm more familiar with AWS as you know, but service like Control Tower, right, that helps you to easily just check and say, I want to alert when a root user credential has been used. I want to alert when a security group is exposed to the public Internet and take automated actions right from there to quickly go in and resolve those issues.

Joe: Yeah, absolutely. Yeah. I think that's a very fundamental piece of advice to kick us off is a enable MFA, but you know, also be aware of what's happening in your network. So I think the variety of MFA options we have is somewhat of a new thing. But businesses not following best practice is probably a tale as old as time. But do you think there are any dangers that have arisen in the last five years or so? Like anything that's become prominent because of the way that we orchestrate cloud services now? Is there anything pressing and new that you think you would caution people to keep an eye out for in this industry?

Mukhtar: You just have to keep up to date. There's a lot of discoveries every day of credentials, right, being put in application codes.

Joe: Love to push my private keys to git.

Mukhtar: Exactly. And we still see that a lot. But to answer your question, some of the dangers that we see today is mostly in configurations. There are tools that are better equipped with AI and ML today compared to five years ago. That takes a lot of the burden, right, that we put on ourselves five years ago and have taken that completely away. Even before ChatGPT and generative AI and all these new AI models that are coming out, cloud providers have been providing threat detection services, right, to allow customers be able to automatically detect threats as well as misconfigurations. So I think today what has been different within last 5 years is the use of AI ML within security tools, right, to help with detecting misconfigurations. And you might have heard the term CSPM, right? Cloud security posture management. What I see today is still a lot of companies are not using that. Even though this talk of leveraging CSPM has been ongoing now for years, but a lot of companies are still not adopting it. And what I typically have to do in my reports is I'm recommending that you deploy a CSPM tool, right? And for those in this and never heard of that before, a cloud security posture management tool to help with checking for misconfigurations. Two things, at least three, but I can't remember the third that I wanted to make sure that I highlight, right? Having a CSPM in place and also proper vulnerability management process in place, and that could involve using vulnerability management tools. But as a highlight of answering this question, having a CSPM tool in place to help with checking misconfigurations.

Joe: Sure. Yeah, that makes sense. And then for the vulnerability management, you're talking like being aware of new CVEs and making sure that they're being processed, that kind of thing. Am I correct on that?

Mukhtar: Yes, yes, exactly.

Joe: So, you know, you've spoken a lot so far about your personal professional experience and things you're seeing actually in the field. But also, of course, you know, obviously you are at the hub of a bit of a community around this on LinkedIn and you're hosting these events and talks about cybersecurity. What are you hearing from the people on the ground that you're interacting with who are attending these events? Are they seeing the same kind of issues? Do they bring anything to these events that surprises you?

Mukhtar: So with what I typically host on LinkedIn is more of educating the community and kind of being like a mentor to help them when they get on the jobs. Right. So it's mostly from my own personal experience working in the field in terms of what the audience have brought to my attention. I think some more around what I've been able to bring to the table. Right. Compared to what I've heard from them. Right. Because for the particular audience that I have on that LinkedIn audio events is kind of just enlightening the community, more the early in career people who are getting their start.

Joe: That's awesome.

Mukhtar: Exactly. Yeah.

Joe: Okay, perfect. So you've spoken so far about a lot of the cloud level and cloud technology level security practices, configuration management, you know, having these automated tools and alerting. But obviously a big factor in a lot of the things you mentioned, especially MFA, weak passwords, are the things that happen away from the computer. Right. Like we're talking social engineering, we're talking like stolen key cards in the offices. Can you talk a little bit about some of the ways that the businesses you work with could be securing their workplaces to minimize cloud security issues?

Mukhtar: Yeah. So in terms of physical security aspect, I think more of that has been kind of gone now right after we all are now working from home. So I don't think the physical aspect of security is more of an issue today as opposed to how you're allowing your users bring their devices into your environment. Now the trend that we're seeing and that you may have heard is since it's more around not thinking about those physical security boundaries anymore. Right. Companies are now shifting to what is called using a zero trust type of access. So with zero trust you now have many companies that have adopted these zero trust principles as we call them. Right. Strategies to make sure that their users are able to connect to companies' resources from anywhere they're in, whatever geographic location they find themselves. Right. And one of the things that I'm actually currently doing is helping companies assess their zero trust architectures. Right. They point that in cloud or they want to deploy that on premise. But most of what I'm working on now is around the cloud. Right now most companies, again they don't have individuals, are working from home. Right. I myself, I'm always working from home. Right. So the physical boundaries today, I think most of it are gone unless you're working in a data center. Right. And then you could think about things like having bollards in place and a lot of all this physical security control that you put in place. But for today it's more around especially when companies are deploying their workloads in the cloud or they're having a lot of remote users. Right. Because everyone today is asking to work from home. Right. Looking at now is the implementation of zero trust. And what I've found is yes, companies are implementing zero trust, but they're not putting proper security best practices in place to actually architect the environment for zero trust access.

Joe: Yeah, the remote, everyone working from home, everyone working on their own devices, everyone working from random places aspect is certainly evolving dimension on it, I guess. So that kind of brings me to another train of thought, which is, you know, we've spoken about things like Control Tower and options for configuring quite sophisticated cloud environments. Really. Do you have any recommendations for smaller businesses? Businesses that are not only just beginning their security journey, but also beginning their cloud journey. Right. Like they might not have the expertise to kind of even get their AWS support, like humming along nicely, let alone like properly configured security wise. What can they be doing to keep up with everything, which is a lot.

Mukhtar: Absolutely. Hear my recommendations. Yes, the cloud, I don't want to say it's complicated because it's really not, right. The cloud today does provide a lot of tools to help with mitigating all of these security risks that are still prevalent today in the industry. For small businesses, the easiest thing you can start with is ensuring that you are not using long term credentials for access into your AWS environment. That really has to go. AWS calls it IDC, Identity Center, and that allows your users to use temporary credentials. Right. So the use of long term credentials should be a thing of the past. And in addition to that, have a CSPM tool in place. And I say this because there are open source options today, natively in AWS as well. We have the Security Hub service that companies can leverage to constantly check if there are misconfigurations within the environment, because at the end those are going to happen. So the minimum thing everyone can do, especially if in the cloud today, is go make sure that you have a CSPM tool in place. Network misconfigurations, have a dedicated security team. It could be just one person. If you're a small business, have them always look through those misconfigurations every day within the Security Hub console or within some of those open source tools that are out there that they can use to do that. Have them look through those every day. You know a security group is open to the public. Go lock it down to specific IP addresses or to specific private networks within your organization. Ensure MFA, enforce MFA. MFA should never be optional. Right. This is some of the basic things that I recommend small businesses to do. But if there's one above all, it'll be having that CSPM tool in place. In AWS, though, Security Hub. Everyone should turn it on.

Joe: Awesome. Yeah, no, I'll try and track it down and put it in the show notes.

Mukhtar: Thank you.

Joe: So you mentioned something there, a small comment you made which was, you know, misconfigurations happen. And I think that's one of the things I always take away from chatting with security people, which is the somewhat inevitable feeling that there will be a breach at some point and that it's not necessarily about totally avoiding. Obviously do everything you can to avoid a breach, but you should also be ready for it to happen and act appropriately when it comes to a breach. Do you have any tips for investigating to find out exactly what's gone wrong, what's been compromised, what's been accessed, et cetera?

Mukhtar: Investigation is kind of. This is what we try to avoid. Right. And that's why what I typically recommend is taking proactive measures. A lot of those breaches could have been avoided. Right. And one of the things we mentioned earlier is ensuring MFA, avoiding the use of long term credentials. Now when you have a breach, what you really need to focus on is learning from that and making sure that never happens again. Did that happen as a result of, again coming back, not having a CSPM tool in place or not having a threat detection tool in place? Right. There are two takeaways from this talk today: CSPM and threat detection. If you're on AWS, we're talking Security Hub and GuardDuty for threat detection. Right now for companies that are even more security conscious and have the money to spend, you need a managed service. So something like AWS Shield Advanced to help with advanced threats in the environment and talking about things like large DDoS attacks. I think every enterprise should have AWS Shield Advanced enabled in their environment. Now after the fact, again, just to make sure I'm coming back to the point, I just want to make sure I highlight those. Right. We don't always just want to learn after the fact. Right. What are the prerequisites that we should have already taken and that is again CSPM, threat detection. And then after the fact is more on learning what went wrong. We identified there was a misconfiguration. Right. But did we put our automation in place to have prevented that? So what we want to do now is in our playbooks, runbooks, whatever the company calls it. Right. We're noting down what will make us avoid this in the future. We have lunch and learns. Now there has been a breach. We just have to do what we can to avoid this same type of breach next time. So we have regular lunch and learns where you discuss security related topics, new events that were seen in the industry. I recommend every organization look forward to reading the release of Unit 42's threat report. There's one key takeaway. Palo Alto Networks comes out. I don't know how often they come, but I discovered it last year. Amazing, right? The research they do. Every company should have teams go through the Unit 42 threat report that comes out. Go to Palo Alto website, subscribe to the email to get alerted when those reports come out. Because in there you will see key things that every organization should focus on. Right. Misconfigurations. We got authentication and exact steps that you can do as a team. Right. To help you prevent that. Because at the end you really want to avoid security breaches because those end up leading to what, litigations. All right. And talking about that again, a lot of companies don't know what types of data they're storing. You really need to know, especially if you need to comply with things like PCI DSS, having some other type of compliance requirements you need to adhere to. Right. So know what data you have and classify your data. Do your due diligence. A lot of companies are not doing their due diligence. Right. And that's why you get all of these breaches. How often do you look at what your CSPM tool is alerting you on? Right? Oh no, we will take care of that. Oh no. And then no, put automations in place. Right? Yes. It'll take time to put all of those in place, but it is worth the effort. Right. And again, the cloud has made that easy today.

Joe: No, it's perfect. Yeah, it's super useful. Yeah. The data point especially I think is really important. Especially with a lot of the SaaS options that people just throw in. Datadog or whatever data metrics platform nowadays, it's very easy for companies to just hoover up all the data they have access to and not think about what they're collecting. So I think that's a really important point. Thank you for raising it.

Mukhtar: And the open source tool I was talking about. Sorry, I was just going to mention, it just came to my head. Prowler. Prowler is an open source CSPM tool.

Joe: Perfect. Awesome. I'm so glad you remembered that. I'm definitely going to be checking that out. So we're coming up close on time and I want to make sure we squeeze one last question in because obviously, as we spoke about, you do a lot to help people who are getting their start in this industry. And so I want to know what are your top recommendations in terms of resources? Books, websites, people, podcasts that people should follow when they're new to the industry and looking to learn or to keep up with what's changing, including yours, obviously, as we say here, shameless plug. Right?

Mukhtar: And I'm not plugging.

Joe: Plug away. You have permission to plug, right?

Mukhtar: So I do this weekly, I try, right. Sometimes I do have to cancel, but I do this weekly, you know, live events where I talk about different topics that are relevant in the industry. I do research and seeing what has changed around these topics. So I come and I discuss this with mentees or anyone that's interested in learning about these topics. In terms of resources, apart from following me on LinkedIn and making sure you click the bell icon right to get notified of my events, definitely read white papers from all of these different cloud vendors, for every aspiring cloud security architect. Definitely read well architected documents from cloud providers. Right. Like know it in and out. One thing I think that has benefited me a lot is also just understanding the security pillar of the AWS Well-Architected Framework, and Azure has theirs, GCP has theirs as well. As a security practitioner, you need to make sure that you understand those. Aim for certifications. The CISSP. I know, yes. A lot of people, they see the book, they give up, right? No, I'm not doing this. Anyone can do it. When you go and try to get this certification, you learn a lot along the way. Some of the things I've said on this call, it's knowledge from some of the things that I learned. Right. While I was studying for the CISSP. One of the things I forgot to mention also is, for example, companies should store all logs, right? If you're touching a system and that system provides logs, collect logs from the system, even if you have to keep those logs for 30 days. I've been asked, how long should we keep logs? I say at least a year, if you're able to. Some companies are able to do that, but at the end of the day, you know, continuous learning and the resources to do that are plentiful today. Right. I'm not the only cyber security, cloud security, should I say influencer on LinkedIn. There are others as well that I recommend individuals make sure they follow when they see their posts. Right. On LinkedIn, there's a guy, I can't remember his name right now. He focuses more on GRC, right. Governance, risk and compliance. Follow him, follow people on LinkedIn, right, that you see talk about security. In terms of books, the books I've read around certifications, so the CISSP book by Sybex, the CCSP book by Sybex. In terms of AWS, it's more of Udemy courses that I recommend and there's a very popular guy on Udemy, his name is Stephane Maarek. So if there's anyone that's studying for AWS courses, Stephane Maarek has awesome certification related courses on AWS. I think those are the kind of things that have helped me so far.

Joe: Thank you so much. And of course also the Unit 42 threat report that you mentioned as well, to throw that on there as well. And Prowler. Wonderful. Well thank you so much, Mukhtar. It's been super. I mean I've definitely learned a lot. I did not know about CSPMs before this call, so thank you so much and I'm sure our listeners have as well. So yeah, thank you again for joining us today.

Mukhtar: Thank you. Thank you.

Beyond the Screen, an IONOS podcast. To find out more about IONOS and how we're the go to source for cutting edge solutions and web development, visit ionos.com and then make sure to search for IONOS in Apple Podcasts, Spotify and Google Podcasts or anywhere else podcasts are found. Don't forget to click subscribe so you don't miss any future episodes. On behalf of the team here at IONOS, thanks for listening.
