Abstract: Although modern cloud software is radically different from that of the past---being thousands of times larger, composed from a hodgepodge of closed and open-source components and external services, each ever-changing with new features and security updates---the 1960's notion of "anomaly detection" is surprisingly well suited to securing the cloud.
As with most software, cloud operations are a convoluted, messy affair, with no lack of dark nooks or dusty corners. However, compared to most legacy systems (aka enterprise systems), the cloud is far more homogenous, essentially comprising a set of virtualized (Linux) nodes that can only communicate via IP networking. Furthermore, the architecture of cloud software is likely to be very stable, since the difficulty of reliably operating software at scale will deter superfluous change. As a result, for cloud software there exists a sense of what is "normal," as well as what is "abnormal" or "anomalous," in particular from a security point of view.
I describe how a sense of "normal" can be a foundation not just for better cloud security, but also for a better working relationship between development, operations, and security teams in modern computing. My talk is based on several years of real-world experience from a thousand different cloud organizations and workloads. I aim to give convincing evidence that, for each workload, machine learning can build a sense of "normal" that powers not only detection of new malicious behavior---i.e., unknown threats---but also enables more agile devops, better vulnerability and compliance management, as well as more insightful incident response. In particular, I'll explain why exploits of issues like Log4J should be transparently detected the minute they occur, and why remediation of such vulnerabilities should be orders of magnitude simpler than what is currently industry standard.
Bio:Ulfar Erlingsson is the Chief Architect at Lacework, a cloud security company. A wandering mind, he's published on data structures and algorithms, computer architecture, operating systems, data-parallel processing, as well as computer security and privacy mechanisms. Prior to Lacework he was at Apple, leading their work on privacy-preserving technologies, having held a similar position at Google Brain. Before this, he led research in cloud security in Google's infrastructure security team, as well as at Microsoft Research, Silicon Valley. Early on, his startup GreenBorder Technologies provided the security foundations of the Chrome web browser.