Security Superfriends Episode 2: Ely Kahn, AWS

Rich Seiersen

Security Superfriends | Ely Kahn Security Product Manager AWS

Our second episode of Security Superfriends has arrived! In this episode, we learn why Wolverine is possibly the most “security” of all superheroes. If you have a favorite superhero or even think you may be one yourself, please email me. It’s the best way to participate in an episode!

Today’s episode is an interview with Ely Kahn, the principal product manager for AWS Security Hub. Ely’s path to superhero glory was not the typical hero’s journey. He chronicles his adventure from the White House to a startup named after a rodent, and how that startup was eventually acquired by AWS.

This episode also covers current trends in cloud security services and their impacts on careers and startup innovation. We also discuss the shared responsibility model and what it means for a cloud-native future.

Ely is definitely one to watch. He has many great feats of strength left in his mighty career. Listen in to discover how he sees the future of cloud providers coexisting with innovators while serving the needs of security practitioners.

Below are some Q&A highlights/excerpts:

Richard Seiersen:
Who is your favorite superhero?

Ely Kahn:
I’m a huge Wolverine geek. I mean adamantium claws. They’re freaking awesome. But if I was going to connect that back to security, he’s a self-healing organism. That’s what we want: our organizations, processes and technologies to be self-healing.

RS: Tell us a little bit about what you’re working on.

EK: I’m working on a product or service inside AWS called AWS Security Hub. It does a couple of different things.

One, it helps you do automated security checks. Think cloud security posture management. So it’s looking at the various AWS services that you’re using, the AWS resources that you’ve stood up and deployed into your AWS accounts, and it’s assessing whether you’re using those services and resources in a way that is aligned to security best practices.

So we’re doing a whole bunch of automated security checks around those security best practices. We’re also doing some things that are similar to what you would see in a SIEM - a Security Information and Event Management tool - in that we’re also aggregating and normalizing and helping you prioritize all your security alerts. Ultimately we’re helping customers understand - “Am I secure in AWS and what do I need to do to improve my security?” - by doing both these automated security checks, but also collecting all your other security data that you’re generating from both other AWS services like guard union spectrum. So that is what we are up to now.

RS: How do you see the role of the security practitioner changing, particularly in relationship to cloud native? Cloud native shifts even more of that freedom and responsibility left, meaning infrastructure as code, and when you think about not just containers, but Kubernetes and Kubernetes as a service, serverless functions as a service, backend as a service, etc., all the as-a-service stuff. How is that going to change the role of security?

EK: There’s an entirely new type of security persona that’s emerging. I haven’t seen this written about much yet, but I’ve seen this with some of our larger customers, the cloud native ones – the ones that have large app development teams on AWS building new solutions.

That persona is the security campaign manager. Traditionally, you had a centralized security operations center, and everything ran through that security operations center. All the alerts were being centralized in a SIEM, and you had tier one, two, three analyst teams sifting through those alerts, prioritizing, investigating and resolving them.

That’s never going to completely go away, because you do need at least some centralization to help with large-scale incident management, to track incidents that might span over time and across organizations. There’s definitely a need for that.

But I think what’s happening more and more is that, especially with cloud, the primary pain point is less about APT-style attacks and more about misconfigurations. Have you configured your services and resources correctly?

That’s the biggest pain point, and for those types of issues you need a security person or persons defining what those policies or best practices are that your organization needs to conform to. Then you need that person to act as a campaign manager, and not only push those policies out across the organization, but also automate them so that they’re producing automated security results, and then farm those automated security results, the results of those checks, out to the actual resource or asset owners, because they’re the ones that are ultimately going to fix them.

So instead of all those alerts going to a centralized security team to figure out, that security campaign manager is taking those alerts and essentially routing them to the right resource owner, asset owner, to fix, and then tracking progress across the organization.

How many of these outstanding security issues have gone unacknowledged? How many have a fix-by date? How many have actually been fixed? Which parts of my organization have the most problems? How do I properly nudge these resource owners and incentivize them to take corrective action as a partner, as opposed to just always using a stick? We need positive reinforcement to enact change and behavior changes.

So I think this idea of security campaign managers is something that we’ll see more and more of in the future.
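To make the campaign-manager workflow concrete, here is an added example (not code from the episode, from AWS, or from Security Hub itself). It takes a handful of constructed findings in the shape of Security Hub's AWS Security Finding Format (ASFF), routes the open ones to resource owners (an `owner` tag on the resource if present, otherwise a hypothetical account-to-team map), assigns each a fix-by date from an assumed per-severity SLA, and produces the scoreboard the interview asks for: how many are unacknowledged, how many have a fix-by date and are overdue, how many are fixed, and which parts of the organization carry the most open issues. The owner directory, SLA table and ticket layout are all assumptions; Security Hub has no built-in notion of an owner, which is exactly the gap the campaign manager fills.

```python
"""Route Security Hub style findings to resource owners and track the campaign.

Added example with constructed data. Only a few real ASFF field names are used
(Id, AwsAccountId, Severity.Label, Workflow.Status, RecordState, Resources);
the owner directory, SLA windows and ticket shape are hypothetical.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta

TODAY = date(2021, 3, 15)  # fixed "now" so the example is deterministic

# Assumed fix-by window per severity label (organizational policy, not an AWS default).
SLA_DAYS = {"CRITICAL": 7, "HIGH": 14, "MEDIUM": 30, "LOW": 90}

# Hypothetical fallback: which team owns an account when a resource carries no owner tag.
ACCOUNT_OWNERS = {"111111111111": "payments", "222222222222": "data-platform"}


def finding(fid, account, severity, created, title, rtype, rid,
            workflow="NEW", record="ACTIVE", tags=None):
    """Build a minimal ASFF-shaped finding (constructed sample data)."""
    return {
        "Id": fid, "AwsAccountId": account, "Title": title,
        "CreatedAt": f"{created}T10:00:00Z",
        "Severity": {"Label": severity},
        "Compliance": {"Status": "FAILED"},
        "Workflow": {"Status": workflow},   # NEW / NOTIFIED / RESOLVED / SUPPRESSED
        "RecordState": record,              # ACTIVE / ARCHIVED
        "Resources": [{"Type": rtype, "Id": rid, "Tags": tags or {}}],
    }


# Constructed findings: one tagged with an owner, one resolved, one archived,
# and one in an account nobody has claimed.
FINDINGS = [
    finding("f-001", "111111111111", "HIGH", "2021-02-20", "S3 bucket allows public read",
            "AwsS3Bucket", "arn:aws:s3:::example-public-bucket", tags={"owner": "web"}),
    finding("f-002", "111111111111", "CRITICAL", "2021-03-12", "Root account has no MFA",
            "AwsAccount", "AWS::::Account:111111111111", workflow="NOTIFIED"),
    finding("f-003", "222222222222", "MEDIUM", "2021-03-01", "EBS volume is not encrypted",
            "AwsEc2Volume", "arn:aws:ec2:us-east-1:222222222222:volume/vol-0abc", workflow="RESOLVED"),
    finding("f-004", "222222222222", "LOW", "2021-03-10", "CloudTrail log file validation is disabled",
            "AwsCloudTrailTrail", "arn:aws:cloudtrail:us-east-1:222222222222:trail/main"),
    finding("f-005", "333333333333", "HIGH", "2021-02-01", "Security group allows 0.0.0.0/0 on port 22",
            "AwsEc2SecurityGroup", "arn:aws:ec2:us-east-1:333333333333:security-group/sg-0def"),
    finding("f-006", "111111111111", "HIGH", "2021-01-05", "Stale finding on a deleted bucket",
            "AwsS3Bucket", "arn:aws:s3:::example-deleted-bucket", record="ARCHIVED"),
]


def owner_of(f):
    """Resource owner tag wins; otherwise the account's team; otherwise 'unassigned'."""
    for res in f["Resources"]:
        owner = (res.get("Tags") or {}).get("owner")
        if owner:
            return owner
    return ACCOUNT_OWNERS.get(f["AwsAccountId"], "unassigned")


def is_open(f):
    """Open = still ACTIVE in Security Hub and not yet resolved or suppressed."""
    return f["RecordState"] == "ACTIVE" and f["Workflow"]["Status"] not in ("RESOLVED", "SUPPRESSED")


def fix_by(f):
    """Fix-by date = creation date plus the assumed SLA for the severity."""
    created = date.fromisoformat(f["CreatedAt"][:10])
    return created + timedelta(days=SLA_DAYS[f["Severity"]["Label"]])


def route(findings, today=TODAY):
    """Farm open findings out to their owners: {owner: [ticket, ...]}."""
    queues = defaultdict(list)
    for f in findings:
        if not is_open(f):
            continue
        due = fix_by(f)
        queues[owner_of(f)].append({
            "id": f["Id"], "title": f["Title"], "severity": f["Severity"]["Label"],
            "resource": f["Resources"][0]["Id"], "fix_by": due.isoformat(),
            "overdue": due < today,
        })
    return dict(queues)


def campaign_metrics(findings, today=TODAY):
    """The campaign manager's scoreboard across the organization."""
    active = [f for f in findings if f["RecordState"] == "ACTIVE"]
    status = Counter(f["Workflow"]["Status"] for f in active)
    open_findings = [f for f in active if is_open(f)]
    return {
        "unacknowledged": status["NEW"],
        "notified": status["NOTIFIED"],
        "resolved": status["RESOLVED"],
        "overdue": sum(1 for f in open_findings if fix_by(f) < today),
        "open_by_owner": Counter(owner_of(f) for f in open_findings),
        "unassigned": sum(1 for f in open_findings if owner_of(f) == "unassigned"),
    }


if __name__ == "__main__":
    for owner, tickets in sorted(route(FINDINGS).items()):
        print(f"{owner}: {len(tickets)} open")
        for t in tickets:
            flag = " OVERDUE" if t["overdue"] else ""
            print(f"  [{t['severity']}] {t['title']} (fix by {t['fix_by']}){flag}")
    print(campaign_metrics(FINDINGS))
```

Two points worth noticing when running it: the archived finding never reaches a queue, because Security Hub keeps such records around but they are not actionable, and the finding in the unclaimed account lands in an `unassigned` queue rather than silently disappearing. That unassigned count is the first number a campaign manager should drive to zero, since a finding with no owner has nobody to nudge.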

Want to catch the latest and greatest in Security Superfriends? Subscribe to our Youtube channel for updates, and find all episodes of Security Superfriends on Apple Podcasts, Google Play, Spotify, or wherever else you get your podcasts.