
Thank you so much for coming over to my presentation after lunch. It's always difficult to be awake; however, I will try my best to give you some exciting knowledge that I have gained over the last few years about vendor security. To begin with, my name is Mukesh Pedometer. I am part of Cisco's cloud and application security, where I help the product teams as well as the internal teams whenever they want to consume a third-party cloud provider. So we perform that end-to-end review and then help that cloud service or the vendor to remediate the issues that we find during the review. Till now I have touched between 150 and 200 providers, so I think I've got good experience from working with smaller vendors to big names.

All right, so I will be sharing names in this presentation, and please use your wisdom if you want to use those things in your organization. And again, I'm not affiliated with any one of the providers or the vendors that I'm talking about here; it's just my experience working with them or working on those tools. Now that we have got the disclaimer out of the way, let's start the show. Since we are in this theater kind of a setting, I will be assuming things on your behalf, and by the way, it feels really exciting, you know, like a theater. Awesome.

So in terms of the third-party cloud provider ecosystem, initially it was more like "let's use some third-party vendor for our marketing catalog"; you know, we wanted to use them for smaller things. However, the enterprises have evolved, their risk appetite evolved, and finally we are using them for our enterprise businesses: many of our HR vendors are third-party cloud services, your CRM, your infrastructure. Mainly, you know, everybody starts building their company on the Amazons, on the Googles and everything, so everybody is working with one or the other cloud vendor in order to get things done. Now in terms of assessment, however, we are still not there. If you talk about many small vendors, or many startups, or even when I work with big organizations, when I ask them how they assess their providers, I get one or the other answer that I'm going to share in the next slide.

However, before that, I love this quote. Microsoft Excel is one of the tools that most of the companies are using to assess their cloud vendors, and it was the case with us as well. Within Cisco we also used Excel sheets a lot; like five years back we were doing most of our assessments on Excel sheets. However, we graduated to an internally developed tool now, so the question and answer is more automated. If you have worked on any of the assessments with Cisco, then you'll know that there's a portal where you can log in and get those things done.

In terms of assessment tools, usually, as I shared in my previous slide, the Excel sheet is the number one, and then you've got Word documents, you've got internally developed tools, you hire third-party consultants (there are consultants; they try to work on these things as well), and finally, if you are very confident about the vendor, you just meet them over a cup of coffee and then sort things out. Now I've been talking about Excel sheets, but what happens in those Excel sheets? So usually, if you have followed the Cloud Security Alliance, they have come up with a questionnaire, the CAIQ kind of a thing, where you can have questions ranging over different topics, and those questions are sent to the provider. They answer those questions; as an assessment team you review those responses, you meet with them, check whether those responses are meeting your criteria or not, and then finally, if there is any mismatch, for example you require a certain thing whereas they are not able to provide it, you give them that kind of finding. Finally they remediate, if you are able to influence them, and then after remediation you approve, and this cycle goes on and on for all the providers.

Now in terms of the categories, it ranges from just application security, so sometimes I've seen people asking questions about application security only, for example: do you perform dynamic testing or not, do you perform static testing or not, do you perform threat modeling for this application that we are using or not, or do you perform any rapid patching for your application? So those are the application-security-related things. However, if you look at the CAIQ, or if you look at any bigger questionnaire, it will cover several other categories. So you'll have your identity and access management: do you perform any single sign-on, SAML 2.0, do you support SAML 2.0, do you support OAuth or not? Data security: how do you encrypt the data, do you store backups, how long are those backups stored, if we want to get off from you is there a way where you can securely delete the data? So those kinds of questions will go into data security, and so on. I can talk about these questions all day long and it will not end, but just to give you a glimpse of what kind of questions are there.

Now, if you were with me till now: we started with Excel sheets, we talked about the process, we then discussed some of the questions that are asked during this process. Everything is sequential, and then everything is point in time. So the interview process, when I talk to the provider or when they give me their pen test report, it's a point-in-time situation where you are giving evidence for that moment, and then sometimes you don't go back to that provider: "yes, they are approved, they'll always be secure." However, in this day and age it's important to go back to them and ask questions again, or maybe review and find out a way to do continuous review. For example, I reviewed one provider: at the time of assessment they were supporting SSL version 3, and that became a finding. It was given to them; they said, "OK, we'll fix it in six months." They fixed it, so after six months they were like, "we don't support SSL version 3." I did an SSL scan; they were not. However, after one year, when I was trying to reassess them, they were still there, they were still on SSL version 3, and I'm like, "you know, you guys fixed it," and then, "yeah, we had to roll back; some of our customers were using older browsers." And that was like, wow. Now neither I nor my company knew about that risk for six or eight months when they were still supporting SSL version 3. So that's the point-in-time problem.

Also, if you are following the process, it's time-consuming: you send an Excel sheet, then you receive the response, then you meet with them, then you tell them those things, and so on and so forth. So this is time-consuming, and one thing that we don't have in this day and age is time. If you ask anyone, you know, "this is a time-consuming process, it takes three weeks," they will ask immediately, "can we automate this?" So that's the problem with this process. And then also we are relying on their answers; we are not able to verify them independently. It's inconsistent: some people are doing Excel sheets, some people are doing five questions, ten questions, and so on. So these are the challenges.

All right, so now when we were looking at these challenges we wanted to identify how we can solve this. During my internship I got exposed to pen testing; I loved it, and I loved the recon phase a lot, because you gather information from whatever resources you can put your hands on. And then we thought: why can't we use the tried and tested method that was being used in penetration testing and red teaming in this vendor security assessment? So we started brainstorming the idea of collecting information from the Internet, and this became the foundation of the solution. Now again, this solution is still work in progress; however, the proposal is: you collect information from several sources that are already scanning or giving information about these providers. So I briefly introduced you all to a source, which was SSL scanning. There are several websites and tools available on the Internet where you can just put in the URL and it will tell you the SSL score, for example which SSL versions they support, what kind of cipher suites they support, do they support any modern cipher suite or not, HSTS, everything. So that is the kind of resource that I am talking about. Now this is only related to TLS, so instead of asking questions to the provider ("what kind of SSL or TLS version do you support?") we'll just do a scan, and we'll just go back with the report if we have anything; if not, then we'll just continuously scan. Maybe every day we are just scanning all the URLs. Then there are other sources, for example something like Shodan or HT Bridge Mobile, where you can scan the mobile app of the vendor, or you can get whatever vulnerability information is out there, so that you are getting that continuous flow.

Now, all these sources: you have to identify which are the high-impact ones versus the low-impact ones. For example, SSL becomes high impact for us, where we are continuously monitoring, and then if there is any mismatch with the kind of data that we are putting there. So again, the requirements change based on the data classification: if you are putting in sensitive information then TLS 1.2 is an absolute must, versus if it is a marketing catalog then we have some affinity where the appetite is like, "yeah, we can survive with TLS 1.1 as well, because it's just a marketing catalog." So for those kinds of things, based on impact and accuracy, the overall score must be calculated. Now this is the basic table that I'm sharing of what we can do with this kind of data, but if you notice, there are two columns which are not very much in the zone of collecting information. For example, SOC 2 is the one that I am referring to now. SOC 2 Type 2 is something that you cannot get directly from the Internet; you have to sign an NDA with the provider and then they will send you that SOC 2. So the plan is not only to rely on the information that we are getting from the Internet, but also to massage it with some of the information that you might receive through the SOC reports of these vendors, so that way you can get an overall health of the provider at any given point of time: yes, their SOC 2 Type 2 is still valid, and the other things that we found out on the Internet are green, so this is good; versus, yeah, the things are yellow or in red, so let's go back to the provider and ask questions.

So let me share more resources. SSL scan was one of the resources; now let's map these resources to the categories that we discussed earlier, like the categories of questions. How can we identify more resources that will help us bridge the questions that we are asking in different categories? So that's where I started searching, and whenever I came across any tool I started bookmarking those things, and finally I was able to come up with a good list of 20-25 providers that can give me information on a continuous basis. So I've documented those things as well in the GitHub page, the awesome cloud ocean, where you can find out more about this. But a quick overview of this: you can find the SSL score; if the provider is giving you a mobile app (because, like, everyone is mobile) you can have mobile scans, so that whether their new app is vulnerable to anything or not, you will get it easily. Then there is IP reputation: whether that provider is hosting, or has an IP address, which was flagged for malware or anything that you can find. Breach information is an important thing; you know, it's always important to keep a tab on those Google queries where you can just search for breach information, or those Twitter accounts that are reporting this information, because your provider might not be sharing that thing with you the moment they got breached. However, through all the resources you can get to that, and then the next thing will be, "oh, we heard in the news that you got breached; was our data part of that data breach?" So that kind of a thing will happen once you start building this monitoring capability.

Now, to give you examples of what these tools look like, let me take the example of mobile, because I'm assuming SSL is a very minimum bar, so most of you would have done an SSL scan in the past or maybe are doing it today; that's why I'm considering the category of mobile app. So HT Bridge is the open, or rather a freemium, solution which is available currently. They support only Android. So what I used to do earlier, whenever we were consuming any cloud service, I was just putting their app in: if we are going to use it, then we'll just put their app in and try to identify the potential flaws. Now again, this data is very basic; the reason is it's an unauthenticated scan. So if you are asking the provider for a pen test report or a vulnerability scan report for their mobile app, it will be much better than what this will provide, because that will be where the pen testers will try to identify other flaws, bypass authentication and other things, versus a vulnerability scan, where they might use an authenticated scan, so that's a better one. However, this is giving some information: "oh, they have a hard-coded ticket in their Android app", very easy; "the code is not obfuscated", a problem; "they started supporting a library which is obsolete", absolutely spot on. So you can go back to the provider and do it now, and that's how you get those things. As you can see on the screen, this little utility can find out issues with the mobile app.

Now I was talking only about the one category; I was sharing that most of the tools were free, whereas there are premium vendors as well, and as premium, those are the vendors who are providing this kind of service: searching the Internet or searching the mobile apps and then giving you security information. So those are the vendors that you can also tap onto. What we are doing internally is to have a mix of both: wherever we can find impactful data, wherever the trust is high on the data, we are going with that. It's difficult sometimes to convince the management that, you know, we are going to use a solution that will cost money and that will help us reduce five questions; however, in the longer run it helps, because if you are on the other side then you are just filling out questionnaires day in, day out, like 150 questions, 200 questions, and then people are just hiring big teams just to answer. However, if you go back to them and ask only two questions, ten questions, then the team will be very happy. So in the longer run this will be very helpful.

Now let's come back to this. So we started having some free tools, and then we started looking to buy, as in getting licenses for, some tools as well. So I'll give you an example of NowSecure Intel. Now just to have parity: the previous example in the free category was HT Bridge; in a similar space, a company named NowSecure, they also have a tool called Intel that can go into the Play Store and iTunes and then identify this course. So that's good; now you can have a premium tool that can identify. So if you have 100 apps that you are consuming, you can just put those things here and start monitoring those things; whatever alerts you are getting, send them back to the vendor and then they will be able to work on those. Now not only does this help after the fact (for example, till now I've been sharing the advantages in the form of "yeah, we are using the XYZ app, we assessed them, improved them, and now we are monitoring", so that's the value), not only is that the value, it also provides value before the assessment. So even before the assessment, or before any acquisition, you can start monitoring that particular company and get to know how their health is. It helps twofold: one, if you are just going to assess them for a lower data classification, you might want to just use that available information and auto-approve them without going through this questionnaire phase, or if you're going to ask questions, it will be fewer questions. Also the acquisitions and partnerships: so if you are going to make an acquisition, just to get the health, instead of asking questions around, you can get a continuous status for the last six months, how did they respond, and then make a decision.

And finally, it is, what, a consistent approach. Now in the question-and-answer approach, or the Excel approach, it's more perception: whatever the engineer thinks or whatever the other company thinks. If the engineer thinks, "yes, I am fine with TLS 1.1 because, yeah, I have not seen any attacks, although the policy says 1.2, but I am fine with that," so now you don't have control; as a company you are allowing another vendor to have a lower grade of TLS. Or data encryption: "yeah, we just do disk-level encryption, we do not encrypt data at the database level or at the app level." So those kinds of things will change from person to person; however, if we have this approach, then at least a section of questions will be very consistent. So that's the advantage. But with all that said, again, recon has its own disadvantages, like false positives, limited information and other things, so we cannot ignore that, and it requires a lot of engineering. For example, I've been working on this for the last two and a half years, and we are still like: we got two commercial tools and some free tools, and we're trying to build more redundancy, trying to come up with more calculations to come up with that number. So that's still going on.

Finally, I will conclude my presentation with three things. Every company is using third-party clouds in some way or the other; some are assessing them, some are not assessing them, so that's a fact. However, it is very important, as security professionals, to identify the security of the company that you are using, whether it's secure or not. So if your company is not doing it, at least try to do it in some form or shape. The second thing that I will leave you with is the solution. So one of the continuous pieces of feedback that I get from all the cloud providers that I have assessed is, "you are asking too many questions." So that's the direction that we have to go, where we are not asking too many questions, so that the relationship is still built where they are ready to talk to us. Finally, in the future I expect we can have a mutual portal where everybody is sharing their security things, so that, you know, we don't have to talk to the vendor directly and we can get whatever information we want; maybe it's an API, so that we can just consume it whenever we want and continuously tap onto our vendors. So that's pretty much it from my side. I would like to thank BSides for giving me the opportunity to share some of the things that we are doing in terms of vendor security, and also all of you for coming to the session, especially my colleague who came here all the way to support me. So thank you so much. If you need more information you can contact me over Twitter, or this GitHub link is where I'm putting more of these continuous security solutions, so you can use that as well. Thank you so much.

Seems like you're building an internal tool for your company; is there a prioritized version of this?

As of now it's not, but we also plan to share more algorithms on how to come up with the risk scores, so that's where we are going to share more details.
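The scoring idea from the talk (sources weighted by impact and accuracy, a TLS floor that depends on data classification, an NDA-only SOC 2 Type 2 report that ages out, and a regression check that would have caught the SSL version 3 rollback) worked through as an added example. This is not the speaker's or Cisco's tool; the source names, weights, thresholds, dates and the two snapshots are constructed assumptions.

```python
"""Added example: a toy continuous vendor-health scorer in the spirit of the talk.
Not the speaker's internal tool: sources, weights, thresholds and sample snapshots
below are constructed assumptions."""
from dataclasses import dataclass
from datetime import date

GREEN, YELLOW, RED = 1.0, 0.5, 0.0
TLS_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Floor per data classification, as in the talk: TLS 1.2 a must for sensitive data,
# TLS 1.1 tolerable for a marketing catalog (assumed mapping).
MIN_TLS = {"sensitive": "TLSv1.2", "marketing": "TLSv1.1"}

@dataclass
class SourceResult:
    name: str
    impact: float    # how much a bad result here matters (0..1)
    accuracy: float  # how far we trust the source (0..1); recon data is noisier
    status: float    # GREEN / YELLOW / RED

def tls_status(protocols, classification):
    """RED if SSLv3 is still offered or the weakest offered version is below the floor."""
    if "SSLv3" in protocols:
        return RED
    weakest = min(TLS_ORDER.index(p) for p in protocols)
    return GREEN if weakest >= TLS_ORDER.index(MIN_TLS[classification]) else RED

def mobile_status(findings):
    """Unauthenticated app scan: severities of what it found (e.g. a hard-coded secret)."""
    if "high" in findings:
        return RED
    return YELLOW if "medium" in findings else GREEN

def soc2_status(report_date, today):
    """SOC 2 Type 2 comes under NDA, not from the Internet; it only ages (assumed windows)."""
    age = (today - report_date).days
    return GREEN if age <= 365 else YELLOW if age <= 548 else RED

def overall_score(results):
    """Impact- and accuracy-weighted health; 1.0 means every source is green."""
    weights = [r.impact * r.accuracy for r in results]
    return round(sum(w * r.status for w, r in zip(weights, results)) / sum(weights), 2)

def regressions(previous, current):
    """Sources that were better at approval time than now: the SSLv3 rollback case."""
    prev = {r.name: r.status for r in previous}
    return [r.name for r in current if r.name in prev and r.status < prev[r.name]]

def snapshot(protocols, today=date(2019, 1, 15)):
    """One constructed set of source results for a vendor holding 'sensitive' data."""
    return [
        SourceResult("tls_scan", 1.0, 0.9, tls_status(protocols, "sensitive")),
        SourceResult("mobile_scan", 0.6, 0.5, mobile_status(["medium"])),
        SourceResult("ip_reputation", 0.5, 0.7, GREEN),
        SourceResult("breach_news", 1.0, 0.4, GREEN),
        SourceResult("soc2_type2", 0.8, 0.95, soc2_status(date(2018, 10, 1), today)),
    ]

AT_APPROVAL = snapshot(["TLSv1.2"])                                  # after they "fixed" SSLv3
ONE_YEAR_LATER = snapshot(["SSLv3", "TLSv1.2"], date(2020, 1, 15))   # quietly rolled back
```

Re-running the snapshot and the regression check on every scan is what turns the one-time approval into the continuous review the talk argues for.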