After going back and forth with my LinkedIn followers in mid-2022 about a post on vulnerability management on AWS, I transformed that thought into 110 pages (thanks to screenshots and code snippets), into what I believe to be the definitive resource for starting a Security Data Operations (SecDataOps) team, with an example project: contextualized vulnerability management on AWS.
This book is representative of nearly a decade of hands-on work doing everything from leading a cloud and offensive security function at IHS Markit to my early career work as a Project Manager.
The SecDataOps and Vulnerability Management eBook is an extended look into putting data-driven security work into practice, starting with vulnerability management. We'll cover what #SecDataOps is and how to apply it in practice, including creating SLAs, gathering streaming data about assets on the AWS Cloud, and some tricks along the way.
So, what is SecDataOps?
SecDataOps is a term used to describe the process of integrating data into the entire security life cycle, whether for risk management, incident response, or cyber-threat intelligence production. Quantitative data about your environment, assets, business domain, and adversaries must be used. This also means security teams must adopt strong data analysis, engineering and science processes from data collection and storage to dissemination and archiving. The goal of SecDataOps is to ensure that data is always finely curated and accessible, and that security decisions are made with high-fidelity data. I wrote about this more in a recent post on Dark Reading.
Security teams have always lagged at meaningfully harnessing data (shoving it into Amazon S3 or Snowflake doesn’t count), let alone at crafting actionable and meaningful intelligence products from it. We’ve also suffered from internal politics and fiefdoms barring access to the truly useful data needed to craft said intelligence products.
Today’s security programs often cannot keep pace with modern adversaries. Only when we as the security community open our arms to non-security data disciplines and apply the same rigor that “major league” data operations use to our domain can we hope to keep pace. This means having the right data, at the right time, in the right format to answer the questions we need to answer, with all the risk treatment data we need, accessible and disseminated in a clear, trackable, and actionable manner.
Vulnerability Management on AWS
The Lightspin CNAPP packs its own robust capabilities in the Threat & Vulnerability Management space – offering agentless scanning of containers, Kubernetes, and virtual machines along with malware detection and SBOM generation – but the theme of the eBook is to be as agnostic as possible when it comes to tooling, opting for cloud-native tools over open source or commercial ones.
The eBook goes into painstaking detail on the services, architecture, cost considerations, metrics suggestions, and actual Python code to go from “zero to hero” on vulnerability management on AWS. I propose several ways and opinionated data formats, with supporting metrics, for collecting data from EC2, AWS Systems Manager and the newest version of Amazon Inspector for this purpose, using supporting services such as AWS EventBridge, AWS Lambda and AWS DynamoDB.
Excerpt from: “Setting the Stage: On AWS Services”, page 13
There are also some design considerations, differentiation between batch and streaming workloads, as well as other thoughts and recommendations to further evolve the provided information within the eBook. To avoid spoiling content, all of the snippets are contained within the asset itself for easy copy-and-pasting with links to supporting documentation. I make an attempt to “over explain” several functions and Pythonic attributes to help any industry newcomer or folks not familiar with Python. In the future, we will be looking to put the complete snippets on our community GitHub with optimizations for future editions of the eBook.
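As an added example (not code from the eBook, Lightspin or the author), here is the kind of EventBridge-to-Lambda-to-DynamoDB normalization step the architecture above describes: one Amazon Inspector finding event is flattened into a single DynamoDB item and tagged with a severity-based remediation SLA so breaches can be tracked. The event shape, timestamp format, field names, SLA values and the VulnFindings table name are assumptions for illustration; check them against the events your account actually emits.

```python
from datetime import datetime, timedelta, timezone
from decimal import Decimal
# Hypothetical remediation SLA in days per Inspector severity; tune to your policy.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 60, "LOW": 90}
# Constructed sample of an EventBridge "Inspector2 Finding" event; IDs are placeholders.
SAMPLE_EVENT = {
    "region": "us-east-1",
    "detail": {
        "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/EXAMPLE-FINDING-ID",
        "awsAccountId": "111122223333",
        "severity": "HIGH",
        "status": "ACTIVE",
        "inspectorScore": 7.8,
        "firstObservedAt": "2022-09-01T12:00:00Z",
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0"}],
        "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00000"},  # placeholder
    },
}

def _ts(value):  # assumed ISO 8601 with trailing 'Z'; adjust if your events differ
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def normalize_finding(event, now=None):
    """Flatten one finding into a DynamoDB item carrying an SLA due date and breach flag."""
    now = _ts(now) if now else datetime.now(timezone.utc)
    detail = event["detail"]
    resource = detail["resources"][0]
    severity = detail.get("severity", "UNTRIAGED")
    first_seen = _ts(detail["firstObservedAt"])
    due = first_seen + timedelta(days=SLA_DAYS.get(severity, 30))
    return {
        "FindingArn": detail["findingArn"],  # partition key
        "AccountId": detail["awsAccountId"],
        "Region": event["region"],
        "ResourceType": resource["type"],
        "ResourceId": resource["id"],
        "VulnerabilityId": detail.get("packageVulnerabilityDetails", {}).get("vulnerabilityId"),
        "Severity": severity,
        "InspectorScore": Decimal(str(detail.get("inspectorScore", 0))),  # boto3 rejects floats
        "Status": detail["status"],
        "FirstObservedAt": first_seen.isoformat(),
        "SlaDueAt": due.isoformat(),
        "SlaBreached": detail["status"] == "ACTIVE" and now > due,
    }

def handler(event, context, table=None):
    if table is None:  # Lambda path: assumed table name; boto3 imported lazily so the rest runs offline
        import boto3
        table = boto3.resource("dynamodb").Table("VulnFindings")
    table.put_item(Item=normalize_finding(event))
```

A scheduled batch job can later scan the table for items with Status ACTIVE and SlaDueAt in the past to produce the SLA metrics the eBook discusses.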
Who is this for? How should I use it?
To quote Khamzat Chimaev: “Everybody! Everybody!” that is who the eBook is for, and you do not need to get locked in an octagon with me to read it, either.
In all seriousness, I tried my hardest to provide detail that anyone can take something from. I indexed heavily on over-explaining and making this more a “100-level” asset versus an advanced “400-level” asset and assume the reader has no idea what vulnerabilities are let alone AWS Cloud services or Python.
As far as usage is concerned, you can simply follow along with the sections to directly implement them, as the end-to-end solution provides you with a multi-Region and multi-Account AWS Organizations deployment for both batch and streaming use cases. If the services used do not match your architectural needs or if you do not use AWS, you can largely apply a lot of the enrichment and metrics to other public clouds or vendors as well.
Sample excerpt of a section of The Complete Guide to SecDataOps and Vulnerability Management on AWS
The end section provides a to-do list of sorts for starting your own SecDataOps projects if vulnerability management is not an issue you want to tackle first, or at all. The sections are laid out in chronological order, so while you can skip ahead, doing so will be suboptimal if you are using the code and solution as-is.
You can download the entire eBook here and get to reading and implementing.
Lastly, I am already planning a 2nd edition which will layer in more metrics, privacy and regulatory considerations, as well as patch management and automation use cases. If there are other topics you would like to have expanded, please let me know!
And most importantly: Stay Dangerous.