Security Superfriends: Ely Kahn, AWS

Posted by Rich Seiersen on July 29, 2020

Security Superfriends | Ely Kahn Security Product Manager AWS



Our second episode of Security Superfriends has arrived! In this episode, we learn why Wolverine is possibly the most “security” of all superheroes. If you have a favorite superhero or even think you may be one yourself, please email me. It’s the best way to participate in an episode!

Today’s episode is an interview with Ely Kahn, the principal product manager for AWS Security Hub. Ely’s path to superhero glory was not the typical hero's journey. He chronicles his adventure from the White House to a startup named after a rodent, and how that startup was eventually acquired by AWS.

This episode also covers current trends in cloud security services and their impacts on careers and startup innovation. We also discuss the shared responsibility model and what it means to a cloud native future.

Ely is definitely one to watch. He has many great feats of strength left in his mighty career. Listen in to discover how he sees the future of cloud providers coexisting with innovators while serving the needs of security practitioners.

Below are some Q&A highlights/excerpts:

Richard Seiersen: 
Who is your favorite superhero?

Ely Kahn: 
I'm a huge Wolverine geek. I mean adamantium claws. They're freaking awesome. But if I was going to connect that back to security, he's a self-healing organism. That's what we want: our organizations, processes and technologies to be self-healing.

RS: Tell us a little bit about what you're working on.

EK: I'm working on a product or service inside AWS called AWS Security Hub. It does a couple of different things.

One, it helps you do automated security checks. Think cloud security posture management. So it's looking at your various AWS services that you're using, the AWS resources that you've stood up and deployed into your AWS accounts and it's assessing whether you're using those services and resources associated and aligned to security best practices.

So we're doing a whole bunch of automated security checks around those security best practices. We're also doing some things that are similar to what you would see in a SIEM - a Security Information Event Management Tool - in that we're also aggregating and normalizing and helping you prioritize all your security alerts. Ultimately we're helping customers understand - “Am I secure in AWS and what do I need to do to improve my security?” - by doing both these automated security checks, but also collecting all your other security data that you're generating from both other AWS services like GuardDuty, Inspector. So that is what we are up to now.

RS: How do you see the role of the security practitioner changing, particularly in relationship to cloud native? Cloud native shifts even more of that freedom and responsibility left, meaning that infrastructure as code, when you think about not just containers, but Kubernetes and Kubernetes as a service, serverless functions as a service, backend as a service, etc., all the AAS stuff. How is that going to change the role of security?

EK: There's an entirely new type of security persona that's emerging. I haven't seen this written about much yet, but I've seen this with some of our larger customers, the cloud native ones – the ones that have large app development teams on AWS building new solutions.

That persona is the security campaign manager. Traditionally, you had a centralized security operation center, and everything ran through that security operation center. All the alerts were being centralized in a SIEM, you had tier one, two, three analyst teams, sifting through those alerts, prioritizing, investigating, resolving them.

That's never going to completely go away because you do need at least some centralization to help with large-scale incident management to track incidents that might span over time and across organizations. There's definitely a need for that.

But I think what's happening more and more is that, especially with cloud, the primary pain point is less about APT-style attacks and more about misconfigurations. Have you configured your services and resources correctly?

That's the biggest pain point, and for those types of issues, you need a security person or persons that are defining what are those policies or best practices that your organization needs to conform to, and then you need that person to act as a campaign manager, and not only push those policies out across the organization, but also automate them so that they're producing automated security results, and then farming those automated security results, the results of those checks, out to the actual resource or asset owners because they're the ones that are ultimately going to fix them.

So instead of all those alerts going to a centralized security team to figure out, that security campaign manager is taking those alerts and essentially routing them to the right resource owner, asset owner, to fix, and then tracking progress across the organization.

How many of these outstanding security issues have gone unacknowledged? How many have a fix-by date? How many have actually been fixed? Which parts of my organization have the most problems? How do I properly nudge these resource owners, and incentivize them to take corrective action as a partner, as opposed to just always using a stick? (We need) positive reinforcement to enact change and behavior changes.

So I think this idea of security campaign managers is something that we'll see more and more of in the future.

Check out the full interview in the video, and subscribe for more exciting episodes.

Topics: Kubernetes, Cloud Native, CISO, DevSecOps

Written by Rich Seiersen

Rich is Cofounder and CEO for Soluble. Prior to Soluble, Rich spent 20 years deep in the salt mines of security operations and development. Along the way, he became a serial CISO with stints at LendingClub, Twilio and GE. But he got his start in security startups building vulnerability management products for companies like Qualys and Tripwire. He’s also the co-author of “How To Measure Anything In Cybersecurity Risk,” and the forthcoming “The Metrics Manifesto: Confronting Security With Data.”