AWS re:Invent 2022 - Learning from Customers: AWS Security Innovation

Please welcome the Vice President and Chief Information Security Officer of AWS, Stephen Schmidt.

Hello, everyone. Before I get started, of course, you're going to ask a question about these very bright shoes that I'm wearing. These are actually sort of a representative example, or a symbol, of the passion that I have for both racing and securing AWS. And over the next hour, I'm going to spend some time sharing some of that passion with all of you.

We've had a ton of exciting announcements this week, and I think that we have some things in here that will actually add to those announcements we already have. I'm also very excited for the Chief Information Security Officer from United, Deneen DeFiore, to join us a little later. She's going to talk a little bit about her journey at United and how they went about implementing AWS in support of United Airlines.

For those of you that don't know me, I'm Stephen Schmidt, the CISO at AWS, and I joined AWS 15 years ago this month. Back in 2007 seems so long ago, and I feel so old now. I've worked on everything from founding or co-founding the Virtual Private Cloud, then GovCloud, then the Intelligence Community's Amazon Dedicated Cloud, and now to leading teams that build the technologies that secure the services that all of you use today. I'm excited that every day I get to learn about the problems we can solve for our customers, figure out how to do that, roll up my sleeves and continually raise the bar to meet the security needs of customers.

Every one of us is a builder at AWS, including me. In addition to being the AWS CISO, I'm also a race car driver, thus the shoes. I compete in SRO GT America powered by AWS, which is an international sports car series, like what you see behind me. There are interesting parallels between racing and security. One is being data driven; that is fundamental to both security and successfully competing on track. There's also safety: it takes teams to make racing safe, just as we team up with our customers to help them operate securely.

One thing that has been consistent throughout my 15 years at AWS is the relentless pace of innovation we've achieved because of customers like you and the feedback you provide to us. Customers are always wonderfully, beautifully unsatisfied (I stole that quote from Jeff Bezos, obviously). Even when they report being happy and business is great, sometimes they don't know it yet, but customers always want something better. And the desire to delight customers drives us to invent on their behalf.

It may sound odd to some, but for AWS, unsatisfied customers are a gift. It gives us an opportunity to build more capabilities that make it easier for customers to meet their security, risk and compliance goals, and then for them to identify new problems they want us to build solutions for. It's an effective, tight feedback loop, and it's a core tenet of everything we do: customer obsession and working backwards from the customer and their problems. More than 90% of all the things that AWS has created as a product came directly from customers, and the other 10% we invented on behalf of customers. To back up a little bit: before I joined AWS, I worked at the FBI, and part of our mission was counterterrorism. My team there got a copy of every piece of digital media collected in support of the counterterrorism mission in order to correlate it against everything else that we knew. Our goal was to prevent bad things from happening to good people, and my goal at AWS remains the same today.

Back then, every Friday at 4:30 it seemed you could think of a digital truck that would back up and unload terabytes of data for us to sort and analyze. We're talking 20 years ago now; I'm really dating myself, I am getting old. Terabytes of data then was akin to petabytes today. It was big data before the era of big data. We were looking for that one bit in those billions of bits to identify potential threats and protect people. It was beyond a needle in a needle stack; it was a pile of needles stacked together, and the question was which one of these needles has the potential to lead to a bad outcome. The stakes were, and still are, incredibly high, with zero margin for error. And we were constantly buying new hardware to handle that amount of data. It was a challenge to keep up with.

It took months and months to procure and set up the hardware, much less get the money to do so. When we saw AWS launch this thing called Elastic Compute Cloud, that was intriguing, and it sounded like a game changer to us. Suddenly they were creating the idea of having 1,000 computers processing data in one hour rather than the 1,000 hours on one computer that we were used to, and thinking about what they were doing, they probably had the scale for what we needed. Being able to decrease the time to actionable results was perfect for our life safety mission at the FBI.

So we started discussions with Jeff Barr, who most of you probably already know or have heard of, our chief evangelist. If you don't know him, just look for the purple hair and you'll know it's Jeff. After a few months of deep dive conversation, everyone realized AWS at that time was not yet equipped to handle our use case with classified data, back in those early days in 2007. But AWS wanted to fix the fact that they couldn't do that. They wanted to work backwards from our problems and our challenges. It's a huge national security problem where the stakes are as high as they can be. And that's when they offered a few of us from the Bureau the opportunity to join AWS and help build out the technology needed to meet the needs of not only agencies like the FBI but enterprises, to run highly sensitive and business critical workloads at phenomenal scale.

So I joined AWS in December 2007. The next month, we were knocking on the door of a data center near Dulles Airport in our US East region. It wasn't necessarily the US East region back then; it was the region, to give you a little bit of the timeline. That's where we went ahead and tried to solve the problem of how we were basically going to isolate workloads within a data center. Things were a little different then. If you don't know anything about our data centers, you just don't knock on the door. There are now layers upon layers of security at the data centers. Employees or the public just can't walk up, knock on the door and go inside. But back in those very early days, they were told to expect us.

So after checking our access badges, they let us in and took us to a room in the corner of the data center that was completely empty: no desks, no phones, no nothing. And that's when they said, that's your space, make it the way you want. So we dragged some Cat 5 cables down the hallway (WiFi was not allowed back in those days) and pulled in beanbag chairs to sit on. It was very much a scrappy start-up environment. We eventually upgraded to cubicles as AOL was downsizing. I'm sure at least some of you here remember dial-up internet and the "you've got mail" voice. I'd try to do that, but my voice after talking to many of you customers this week is almost gone. So we got their hand-me-downs from AOL for 10 cents on the dollar. True frugality.

We iterated on a lot of ideas on how to isolate data and workloads at the network level. We analyzed things like creating separate VLANs for each customer, like we did for various community customers at the FBI. But then you're severely limited by the maximum number of VLANs, and VLAN isolation lacked any of the security requirements that we would normally need. We kept coming back to the specific use case of the FBI collecting, organizing and sending out classified data to multiple agencies, how those isolated workloads would run in the data center, and how a lot of that problem is applicable to enterprise workloads.

So we came up with the idea of virtualizing the network layer, where we could easily carve off a chunk of the network for each and every customer. It wasn't easy. Like I said, it involved dragging a bunch of Cat 5 cables around, experimenting with physical routers, and creating our own network protocol, which some of you may have heard about; there have been sessions here at re:Invent over the years. That protocol was called NOBIS. This was a scrappy solution at first, but through iteration it improved and scaled, and the core work was all done by a small team in the corner of a data center, working in second-hand cubes from AOL, in just a few months. It was a huge, huge bet. But we launched Virtual Private Cloud after all that work. I was presenting this AWS technology to public sector customers in those days and they were astounded. It was exactly what they'd been looking for: to be able to use the cloud within their own isolated network environment and take advantage of the scale, elasticity and pay-as-you-go pricing model that was, and still is, very attractive. The idea of cloud bursting via VPN from their on-premises data centers into their own logically isolated part of the cloud was just the beginning of what was to come.

We've grown a tiny bit from the half dozen services we offered back then. Seriously though, it was hard to imagine that those building blocks would lead to more than 200 services, with millions of customers, in an $82 billion annual run rate business. It's our scale and experience that have given us the opportunity to help millions of customers operate securely, even customers with the most sensitive and mission critical workloads. You may have heard our belated VP Jacob Levanon's quote, "there is no compression algorithm for experience." It's a proven fact: we apply all of our experience and lessons learned from scaling globally and securely every single day, and customers benefit from it.

Security is our top priority at AWS, for us and for our customers. We're never done innovating to help keep AWS and our customers secure because of our scale. With millions of customers operating on our global infrastructure, AWS handles billions of distinct customer activities, from APIs to logging and back again. But we also track quadrillions of events. That's quadrillions, 15 zeros; it almost takes up the whole slide. And we use learnings from everyday events, corner cases and creative uses of our services to help secure our customers by continually updating services like GuardDuty and Inspector based upon the things that we learn and observe from all of that data.

We've probably done hundreds of things behind the scenes in any given month to secure workloads without anyone knowing how we're protecting them, continuing to raise the bar. And that ties into the shared responsibility of security in the cloud. When you think about it, going back to the parallels between racing cars and security: teams make up the pit crew, those who maintain the car and alert us of issues on the track. Those of us who build and prepare the race cars are responsible for making the underlying infrastructure of racing safe. But it's up to me, the driver, to ensure I'm operating safely and securely, similar to the shared responsibility model of security in the cloud.

AWS is responsible for security of the cloud, from the data center perimeter to the hardware inside to the hypervisor that we provide for hundreds of services and customers. The drivers are responsible for security of what they run in the cloud. And this is something to remember: if you have access or control, you have responsibility. I'm going to say that again. If you have access or control, you have responsibility. That said, we don't ever leave you alone on your side of the shared responsibility model. We never stop working to make it easier for you to be successful when managing your responsibilities, with better defaults, better tooling, better analytics, and better monitoring and alerting.

But we often get the question: with the scale of AWS, what are you seeing out there in terms of security? Show of hands in the audience: how many of you have actually wondered or asked that question? What are we seeing? Well, I'm going to talk about a few of those, and we normally haven't done this in the past, so hang on, I've got a lot to share. What we're seeing is that common and known security threats continue to proliferate. The good news is these are easily fixable and preventable with the right security fundamentals in place.

Distributed denial of service attacks remain a common security threat targeting the availability of infrastructure and applications. From January to September of this year, we saw the volume of DDoS events rise at a rate of 35% over the previous period of the year. In September of this year, we prevented EC2 instances from participating in 106,000 DDoS attacks. In Q3 of this year, we reported a 256% increase in compromised EC2 instances to AWS Trust and Safety from the fourth quarter of 2021.

If you're not familiar with AWS Trust and Safety, it's an internal team that contacts customers when we see an environment that may have been compromised or has been reported to have bad behavior. We take it a step further after that, though, and reach out to organizations outside of AWS where sources of malware or command and control servers are hosted: organizations such as domain registrars, hosting providers, ISPs and others. With their help, we can go to the source and take down entire attacker networks. By working with the broader community, we strive to make the internet a safer place.

AWS does a lot for you automatically, but customers should take action to further protect the availability of their applications and workloads by building a DDoS-resilient architecture using AWS Shield Advanced and AWS WAF at the edge. AWS Shield can automatically detect and mitigate DDoS events, and Shield Advanced integrates with AWS WAF, giving customers advanced protection against bots, scrapers and other unwanted sources using threat intelligence from Amazon itself. Again, the things we see, we help defend against. We're also seeing that threat actors are continuously trying to exploit application vulnerabilities to gain unauthorized access to compute instances.

Part of AWS's ability to provide strong security services comes from the scale at which we listen. One example of this is that we run a network of sensors that simulate commonly used software and applications, with versions with known issues. By listening, we are able to better construct our defenses and to provide security services to our customers that are already built with our threat intelligence as a key ingredient, like our GuardDuty detections, as an example. AWS sensors processed over 224 million malware samples over six months and distilled them down into more than 28,000 unique types of malware. That data informs the capabilities of our services to help customers stay secure.

Customers should always ensure proper security and access controls for EC2 instances and use Amazon GuardDuty to help protect their EC2 instances with anti-malware and endpoint protection and scanning. Amazon GuardDuty can expose threats quickly across AWS accounts, EC2 workloads, container applications and data stored in S3 using anomaly detection, machine learning behavioral modeling, and threat intelligence feeds from AWS and leading third parties, and can help to initiate responses. This is a service that's learning every day, and your instance of a service like this is augmented by the cloud's overall usage: that novel threat on Monday morning becomes a known quantity minutes, or maybe hours, later. And both AWS and our partners are operating with customers to make sure the learnings get wide distribution.

We're also seeing the importance of protecting against the disclosure of security credentials. The AWS Customer Incident Response Team found that ransomware events typically lead to the destruction of customer data, and the most common cause of customer security events is the unintended disclosure of security credentials and secrets.

One of the most important best practices to protect against unintended disclosure of credentials is to enable (and if you haven't heard it yet this week) multi-factor authentication, or MFA, and to limit the use of root credentials for human identities. We recommend using IAM Identity Center for centralized access management to all of your AWS accounts and applications. You can create identities in IAM Identity Center with flexible MFA options or connect to an external identity provider.
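The two recommendations above, MFA on every human identity and minimal use of root, are checkable from the IAM credential report. The script below is an added example for this transcript, not code from the talk or from AWS: it parses the report CSV that `aws iam get-credential-report` returns (the column names are the report's own; the rows are constructed sample data for a made-up account) and flags console users without MFA, root without MFA, root with active access keys, and recent root sign-ins.

```python
"""Audit an IAM credential report for the MFA and root-usage guidance.

Added example, not code from the talk or from AWS. Column names follow the
IAM credential report CSV; the rows in SAMPLE_REPORT are constructed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

ROOT_USER = "<root_account>"

# Constructed sample report for a fictitious account 111122223333.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2015-01-01T00:00:00+00:00,not_supported,2022-11-20T08:15:00+00:00,not_supported,not_supported,false,true,2016-03-03T00:00:00+00:00,2022-11-19T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2019-05-05T00:00:00+00:00,true,2022-11-28T09:00:00+00:00,2022-06-01T00:00:00+00:00,N/A,true,true,2022-06-01T00:00:00+00:00,2022-11-28T09:05:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2020-02-02T00:00:00+00:00,true,2022-11-27T12:00:00+00:00,2020-02-02T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2021-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-01-01T00:00:00+00:00,2022-11-28T01:00:00+00:00,us-west-2,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Constructed "current time" so the sample audit is reproducible.
AS_OF = datetime(2022, 11, 30, tzinfo=timezone.utc)


def _parse_ts(value):
    """Return a datetime for an ISO-8601 cell, or None for N/A-style markers."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now, root_window=timedelta(days=90)):
    """Return (user, finding) tuples for rows that violate the guidance."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        if user == ROOT_USER:
            # Root should have MFA, no long-lived keys, and be used rarely.
            if not mfa:
                findings.append((user, "root has no MFA"))
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root has active access keys; remove them"))
            last_used = _parse_ts(row["password_last_used"])
            if last_used and now - last_used < root_window:
                findings.append((user, "root password used within %d days" % root_window.days))
            continue
        # Any human with a console password must have MFA; key-only
        # service users are out of scope for this check.
        if row["password_enabled"] == "true" and not mfa:
            findings.append((user, "console user without MFA"))
    return findings


def audit_sample():
    """Run the audit over the constructed report."""
    return audit_credential_report(SAMPLE_REPORT, AS_OF)


if __name__ == "__main__":
    for user, finding in audit_sample():
        print("%-16s %s" % (user, finding))
```

On a real account, fetch the report with `get-credential-report`, base64-decode the `Content` field and pass the text to `audit_credential_report`; the `root_window` parameter sets how recent a root sign-in has to be before it is flagged.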

Also set up automated alerts and have a plan for responding to findings related to unexpected activity. The best place to start building your incident response runbooks is to look at the findings that GuardDuty generates and make sure you have a plan to respond to those. Have a look at the AWS Security Hub automated response and remediation solutions to see how you can get started, and ensure you have a backup and recovery plan and test it regularly. An untested plan is asking for trouble. You can use AWS Backup for this; AWS Backup has helped customers protect over an exabyte of application data on AWS. Just over a year ago, we added a feature to help protect against ransomware called Backup Vault Lock. Using this feature, data cannot be deleted by even the most powerful administrator, except per preconfigured data retention and deletion policies.

Tying this all together at the fundamental level means a defense in depth approach, where you have protections all the way from the perimeter down to your data. Don't let one line of defense be the entire equation. While there's a lot of hype around the phrase, this is the core truth behind the idea of zero trust: network access should never be your last line of defense. Network perimeters are still valuable, but they must be combined with identity and access controls all the way down to the data. These tools are stronger when used as part of a holistic strategy, because if an actor does gain access to your network, then you still have another layer based on the defense of IAM. And in addition to that, you need effective intrusion detection, active logging and a least privilege scheme to act as your security differentiators. You want compensating controls throughout, where no single aspect of your security program is on the hook for everything.

But there's more to the story when it comes to operating securely. Since becoming CSO earlier this year, I've had the opportunity to talk to even more customers than I did before (thus my voice today). One common thread is that having the best security tooling is just the beginning. We really have to focus on the human element of security. And I've been sharing with customers ways to prioritize building a security-first mindset within their organizations, based on what we've learned at AWS.

First, focus on educating people. Educating everyone about security, no matter their role or job title, is critical to operating securely. This includes everyone from software developers to customer representatives to the C-suite. Sharing a common language to talk about security means proactively educating everyone on security best practices, expectations and risks. When people are educated on security, they are empowered to make better decisions that result in positive security outcomes and better customer experiences.

Education is just the beginning, though. You have to build a security-first culture that's going to align that knowledge with default behaviors. What people do naturally, without really thinking about it, is exactly what culture is. In a security-first culture, developers are aware of security requirements before writing a single line of code, product managers think about security before architecting a new product or service, and the C-suite decision makers think about how security risks can impact the bottom line.

Most importantly, a security-first culture enables everyone in your organization to always be aware of how crucial security is for customer experiences and why proper investment in security is business critical. It also creates a sense of ownership, because security is everyone's responsibility. Hire and develop the best is one of our leadership principles; attracting the best talent from diverse backgrounds and developing security leaders reinforces the security-first culture. Employees today expect companies to provide a career path, upskilling opportunities and leadership development. At AWS, we offer internal mentorship and apprenticeship programs and certification opportunities, and provide many on-ramps for individuals who want to grow their career in security, and it makes us better for it.

Shift left and automate as much as you can. Embedding security as early as possible in the product development life cycle leads to a better builder experience and more secure outcomes. Automating as much as possible also helps builders focus on solving high value problems for customers. Technologies like automated reasoning and machine learning not only save time for builders; they can also quickly surface unknown security risks to help organizations better protect their infrastructure, applications and customers.

You should also invest in a dynamic workforce. If the past two years have shown us anything, it's that people want flexibility and choice in where and how they work. Securing the tools and environments employees use to work, no matter where they are located, helps keep organizations safe. But just like the builder experience, security for all employees should be easy, frictionless, and as automated as possible. Make the secure path the easy path, and you'll get the outcomes that you want.

Finally, do not make the security department the land of no. Make security the department of "yes, but" or "yes, and." The conversation starter is: let's work together to figure out how to achieve your goal without compromising the security we need to maintain, and even better, how we can enhance it in that same process. Together, these priorities can help organizations improve their security posture by focusing on people and the culture within their teams. Using the best security tooling helps build the foundation for secure operations. But raising the bar on security means building pillars on that foundation, where security-minded people are empowered and can create in a culture where security comes first in everything they do, through education, professional development and making security as easy as possible for everyone, so that your tools are as effective as they can be.

Looking ahead to 2023, I've also been thinking about what customers are, or should be, expecting. We're still coming out of two years of an unprecedented pandemic, and we have a dynamic geopolitical landscape. We're seeing an increase in activity from malicious actors. We also have immense amounts of data being generated, stored and analyzed ever since cloud made it easy and cost effective to do so. With all these moving parts between technology and humans, we're entering a time where it's going to have to be the right mix of tech and people. Here's what I think people should be thinking about in the coming year.

Increasing threats and risks continue driving a shift to the cloud, where security will be built into everything organizations do, up and down their technology stack and across their teams. More and more, security can be thought of as a data science problem. But most customers have data on security coming from many sources. Customers have been wondering how they can possibly do anything with all of that data if it's all siloed and requires a bunch of data cleanup to make it accessible for analysis. That's why we're so excited to now provide customers with Amazon Security Lake. I know you may have already heard of this; we'll talk about it a little bit more, though. Amazon Security Lake automatically centralizes security data from the cloud, on premises and custom sources into a purpose-built data lake stored in your account. Security Lake makes it easier to analyze security data, so you can get a more complete understanding of your security across the entire organization and improve the protection of your workloads, applications and data. Security Lake automatically optimizes and manages all your security data across accounts and regions at petabyte scale, and you can use your preferred analytics tools while retaining control and ownership of your security data.

Security Lake implements the Open Cybersecurity Schema Framework, an open source standard, making it easier to normalize and combine security data from AWS and a broad range of enterprise security data sources, like our partners CrowdStrike and Wiz do. Now your analysts and engineers can get broad visibility to investigate and respond to security events and improve your security across the cloud and on premises.

Something else we'll continue to see in 2023: as the scale of customers moving to the cloud grows, the need for security professionals is going to continue to grow with it. Diversity is a big part of the solution to this problem. And I believe that organizations that prioritize hiring people with diverse educational and career backgrounds, people who are neurodiverse, people from different cultures and so on, will perform better in security than those that don't.

Next, machine learning and artificial intelligence will add a critical layer of automation to cloud security in 2023 and beyond. Part of what has driven the success of AI and ML is that the amount of data being generated is growing exponentially. In 2020, people created 1.7 megabytes of data every second; 150 exabytes of data have traversed the internet since its creation, and some projections say that 463 exabytes of data will be created in 2026. All of this data has been beneficial to training machine learning models for the growing number of use cases. But as organizations manage increasing volumes of data, identifying sensitive data, data protection.

For example, customers rely on AWS Key Management Service, or KMS, to centrally and more easily manage encryption across their data, workloads and applications to keep everything secure. There are some customers who have to follow very strict regulatory requirements on where their encryption keys are stored, and they've asked for an easier way for us to meet those requirements. So I'm excited to say that we now offer External Key Store for the AWS Key Management Service. Customers can now store AWS KMS customer managed keys outside of AWS on hardware security modules that they operate on premises or anywhere else they would like to do so. This new launch supports our new AWS Digital Sovereignty Pledge that we announced earlier this week.

XKS supports all the critical features of KMS and works with the over 100 AWS services that already integrate with KMS customer keys. Next, while organizations are going to invest more in data protection, they are also going to continue investing more in fine-grained access controls within their organization.

Builder teams want to move fast to provide seamless user access to applications and data with a consistent user experience, while also having fine-grained control over permissions. Security teams are building zero trust architectures that require users and systems to strongly prove their trustworthiness. Ultimately, access control is critical to business agility and a strong security posture. Security can be a business enabler when access controls are flexible, granular, auditable and scalable. But application developers often spend months building custom permissions at the expense of working on the business logic of their application. Compliance teams also struggle to obtain visibility and analysis into what users are permitted to access. It's also difficult and costly for security teams to manage fine-grained permissions across custom-built applications. Applying the principle of least privilege within applications, by enforcing least privilege in fine-grained permissions and evaluating every access request, is also difficult.

That's why I'm happy to announce Amazon Verified Permissions is now available in preview: a scalable, fine-grained permissions management and authorization service for custom applications. It gives developers a consistent way to define and manage fine-grained permissions across applications, and simplifies changing permission rules without a need to change code, while also improving visibility into permissions. With Amazon Verified Permissions, application administrators get a comprehensive audit capability that scales to millions of policies using automated reasoning. Authorization requests running through Amazon Verified Permissions are evaluated in milliseconds to provide dynamic, real-time decisions. The continual re-verification of user permissions helps align your applications to the principles of zero trust. Developers now have a more granular and dynamic access management solution, with control of exactly what users are permitted to do within an application.

Another trend I see continuing in 2023 is moving towards multimodal forms of authentication. The future of MFA will combine security with usability, ensuring that users have a frictionless experience while improving their security posture. To help solve for this, AWS is now providing support for multiple MFA authenticators for customer root and AWS IAM users. Customers can now register up to eight authenticators, choosing from a range of authenticator options, to help raise the bar on their security. And if you need a security key, as part of the National Cybersecurity Initiative we are offering free MFA security keys to customers here at re:Invent as a thank you gift. Just go to the Security, Identity and Compliance booth, 1335, in the village here in the Venetian.

Also on the horizon, quantum computing is going to benefit security. Yeah, I said it. AWS has been working on quantum computing for several years, and quantum-resistant security is advancing in the form of cryptography. In the fullness of time, we expect quantum computing to help make things more secure, and you should make sure you're using the latest encryption methods to protect data today. While the encryption and signing algorithms we use in AWS offer best-of-breed security with high performance, we're looking at what customers will need in the future. The emergence of quantum computing over the next several decades will likely make some of these algorithms unsafe for use and affect the forward security of customers' existing data.

Now that NIST and the cryptographic community have collaborated and announced the new standards for quantum-resistant cryptography, we are engineering these proposed schemes into our existing protocols. Of course, this potential risk refers to asymmetric encryption. Our implementation of hybrid post-quantum key agreement is one example; we've made this available as open source in our Signal to Noise, or s2n, library for implementing TLS. We've also made these hybrid post-quantum algorithms an option for the TLS connections to public endpoints for three AWS services: AWS KMS, Certificate Manager and Secrets Manager. Look for us to deploy this more in AWS services over time. The nice thing about our hybrid key agreement implementation is that it allows us to deploy these new designs and implementations alongside existing, critical cryptographic solutions. This belt-and-suspenders approach ensures the current baseline of security even if future research finds a weakness in newly defined post-quantum algorithms. We are actively working on this new TLS-related standard with the IETF, where internet protocols are defined. As more post-quantum algorithms are approved for cryptographic operations, AWS will remain at the forefront in both implementing and optimizing them for our customers' production environments.
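The belt-and-suspenders property described above, as an added example for this transcript (not s2n-tls code and not AWS's implementation): a classical key exchange and a post-quantum key encapsulation run side by side, and both shared secrets feed one HKDF-based key derivation, so the session key survives as long as either half holds. The classical half here is finite-field Diffie-Hellman over the 1024-bit MODP group from RFC 2409, chosen only to keep the example in Python's standard library (TLS uses ECDH such as X25519); the post-quantum half is a stand-in with a KEM's interface and no security at all, because the standard library has no Kyber. The combiner, concatenating both secrets as HKDF input, follows the IETF hybrid key exchange drafts.

```python
"""Hybrid (classical + post-quantum) key agreement combiner.

Added example, not s2n-tls or AWS code. DH group: RFC 2409 group 2 (demo only).
The "pq_*" functions are a STAND-IN with a KEM's shape, not a real PQ scheme.
HKDF is RFC 5869 with SHA-256.
"""
import hashlib
import hmac
import secrets

# ---- classical half: finite-field Diffie-Hellman (demo group) --------------
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def dh_keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(own_private, peer_public):
    return pow(peer_public, own_private, P).to_bytes(P_BYTES, "big")


# ---- post-quantum half: stand-in KEM interface (NO security) ---------------
def pq_keygen():
    sk = secrets.token_bytes(32)
    return sk, hashlib.sha256(sk).digest()


def pq_encaps(pk):
    ct = secrets.token_bytes(32)
    return ct, hmac.new(pk, ct, hashlib.sha256).digest()


def pq_decaps(sk, ct):
    return hmac.new(hashlib.sha256(sk).digest(), ct, hashlib.sha256).digest()


# ---- combiner: HKDF over the concatenated secrets --------------------------
def hkdf(salt, ikm, info, length=32):
    """RFC 5869 HKDF-Extract then HKDF-Expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def combine(ss_classical, ss_pq, transcript):
    """Both secrets go into the same KDF; an attacker must break both."""
    salt = hashlib.sha256(transcript).digest()
    return hkdf(salt, ss_classical + ss_pq, b"hybrid key agreement")


def hybrid_handshake():
    """Run both exchanges; return (client_key, server_key, client's view of secrets)."""
    # Client hello: fresh ephemeral material for both halves.
    c_dh_priv, c_dh_pub = dh_keygen()
    c_pq_sk, c_pq_pk = pq_keygen()
    # Server hello: its DH value plus a PQ ciphertext encapsulated to the client key.
    s_dh_priv, s_dh_pub = dh_keygen()
    pq_ct, s_ss_pq = pq_encaps(c_pq_pk)
    transcript = (c_dh_pub.to_bytes(P_BYTES, "big") + c_pq_pk
                  + s_dh_pub.to_bytes(P_BYTES, "big") + pq_ct)
    server_key = combine(dh_shared(s_dh_priv, c_dh_pub), s_ss_pq, transcript)
    # Client finishes with its own view of both secrets.
    c_ss_classical = dh_shared(c_dh_priv, s_dh_pub)
    c_ss_pq = pq_decaps(c_pq_sk, pq_ct)
    client_key = combine(c_ss_classical, c_ss_pq, transcript)
    return client_key, server_key, (c_ss_classical, c_ss_pq, transcript)


if __name__ == "__main__":
    ck, sk, _ = hybrid_handshake()
    print("keys match:", ck == sk, ck.hex())
```

In the real protocol the transcript binding is supplied by the TLS key schedule rather than a separate salt; what carries over is that the derived key changes if either shared secret is wrong, which is the reason the hybrid construction loses nothing if a post-quantum algorithm is later found weak.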

In sum, I'm optimistic about the outlook for 2023 and about continuing to see customers innovate and grow their businesses within AWS. One example of a great success here is United Airlines, and I'm excited for them to be joining us here today. This is the story of an airline. But wait, it's about more than just planes. It's a sci-fi story about a piece of trash that becomes sustainable aviation fuel. It's a rescue story about saving thousands of connecting flights. It's a romance, an adventure, a musical, but most of all, it's a people story starring more than 80,000 hero characters on a mission to do good in the air and beyond. Because this is the story of an airline when good leads the way. Stay.

Please help me welcome Deneen DeFiore, and let me get that out properly, CISO at United Airlines. Thank you so much for joining us at re:Invent. You know, it might have been a long trip, but I figure you probably have connections in the airline industry that can get you here. Lots of planes. I can use that. Absolutely, absolutely. So many people around the world fly on United every day, me included, about to go over 50,000 PQP. So I'm looking forward to Global Services, please. And the stakes are high when it comes to operating securely, where an impact on operations could affect millions of people. I'm curious to hear how you think about the relationship between security and resiliency when United chose AWS to run its workloads.

Sure. Well, first off, before I answer the question, I'm usually the one that has the cool shoes, so I'm very jealous right now.

Anyway, yes. So at United Airlines, we value resiliency as a part of our digital strategy. As you all know, any time you have to get a plane and passengers from point A to point B, there are thousands of interactions and dependencies on digital systems, technology and data. And if those things aren't available, there could be a systemic kind of collapse within the system. So we definitely take resiliency seriously.

But we have cybersecurity as a key part of that resiliency strategy. We fundamentally recognize that an insecure system, a vulnerable system, is not a resilient system. So we're building those types of requirements in from a cyber resiliency perspective, to make sure that if we do have a security incident or an event, we have those techniques and tools and approaches for the recovery process to lessen the impact.

That's great. So a lot of customers use services like Amazon GuardDuty, which I was speaking about, to help with automation through anomaly detection, machine learning, behavioral modeling and threat intelligence feeds. That's a mouthful. How does United use automation to help improve security and bake security into their products, services and applications?

So we absolutely use services like AWS GuardDuty to help us with identification, detection and response as well. And we're also doing things that are a little bit different; we're trying to advance our capabilities as well, so that we can understand how the threat actors are working and what our commercial tools' entitlements are. And we're moving into more of a custom content development and custom detection type of model. So we're doing that.

The other thing that is interesting is we're kind of in a "shift everywhere" type of mentality, right? So from the left, the center, to the right, we understand and we've recognized that developers kind of do their thing wherever they want, when they want it, right? So what we're trying to do is make sure that we have the tooling and the automation in place that can give us control over our environment.

So for instance, from provisioning, the app devs have access to secure, hardened CloudFormation templates, and their accounts are automatically integrated with a cloud posture management system, so everything that we are doing is consistent across the life cycle. We're absolutely going to lean into Control Tower to make sure that we are using the automation in that platform around provisioning and landing zones, our security controls application, and also around access management.

Got you, got you. So were there any of the announcements that we had this week that are beneficial or helpful to you?

Yeah, I mean, I was listening to you there, so I was kind of taking notes while I was going down. We'll definitely be speaking some more.

Oh, great, great. So I talked a little bit earlier about the human side of security and how everyone should be a security owner. How do you build a security culture to make security a thing for everyone, especially if they're shifting left, right and in between?

Yeah. So the benefit that I have, and I'm very fortunate to have this, is that commercial aviation has been a safety-minded industry since its inception. So for the 100-plus years of commercial aviation, safety has been top of mind. So I'm able to use that as a leverage point for cybersecurity, because we do have a cybersecurity safety component. At United Airlines, we start every single meeting, no matter what it is, with a safety briefing, and it's not just around knowing where your exits are or what to do in an active shooter situation. It's about cybersecurity, it's about emotional security and things like that. So it's very comprehensive.

No, no, but that's a good thing. We should have a little choreograph. Yeah, for sure. But one of the things that we're doing is making sure that we're giving people the information around cybersecurity and digital risk management, I'll say, that is applicable to what they do on a day-to-day basis, in the moment that they're doing it.

So, of course, I know probably everybody in the audience, right, you have your annual cybersecurity or compliance training that you sit through and everybody checks the box. But if you're able to go in the moment, right, and just have those little blurbs of insight, people can start to condition themselves like they do with safety. It makes a difference.

So for an example, when a flight attendant goes to pick up their new mobile device for their in-flight work, we give them information around how to secure the device, not only physically but also logging on to applications securely, making sure their password is strong, understanding what MFA is, because we're implementing MFA everywhere, understanding what an MFA bombing attack would be and not letting that distract you into just hitting, hitting that.

So we're doing things like that. Another example would be pilots who use iPads as electronic flight bags, and they have access to applications and data that allow them to plan their flight, get information to change the course of the flight if they need to, and fly in an operationally safe and secure way. Part of their pre-flight checklist is what they need to do from a security perspective: is their iPad software up to date? Are there no vulnerabilities? Does it look like it's secure from a configuration standpoint?

So we're doing things like that to reinforce that security culture, because just like you had mentioned in your previous segment, we as security professionals can't do like 80% of our job without everybody else doing something. So that's what we have to do.

And then lastly, we are moving into, and everybody is in, a mode where we're giving people autonomy over the devices they use, the data they use and the technology they use, and they have to have the information they need to make the right choices, or at least know the consequences of the choices they make. So that's kind of how we're approaching it at United.

Yeah. One of the things that we've done from an education perspective, in trying to help others, is our security training. We've actually made it available for both individuals and organizations to download from learnsecurity.amazon.com. So you're able to download it, put it into your learning management system and just use it. We've iterated on it for probably the last 15 years or so, so it's short, to the point and also entertaining. So I think that's some of the things that we've learned. But the past few years, a pandemic, a shift to remote work and an unpredictable geopolitical landscape have thrust security even more to the forefront of people's minds. As a security leader who was recently appointed to President Biden's National Infrastructure Advisory Council, I'm curious to hear what your top priorities as CISO are looking ahead to 2023.

Yeah. So being part of the presidential council, the NIAC, I'm very proud and humbled and honored to serve that way. So we'll see how that goes. And you're the only one from the airlines? I am, I am. Yeah. So we'll see; I'll represent the airline industry, but I think there are a lot of nuances for particular infrastructure sectors. But the thing that we have to do from a cybersecurity understanding is recognize that it is an ecosystem. You're an airline, but you're dependent on the energy sector, you're dependent on water, all those types of things. So we have to figure out how to look at systemic digital risk management versus cybersecurity for each of the sectors. So we'll figure out how to tackle that.

But as far as 2023 goes, I kind of think of our priorities as aligned to three different buckets. So I have what's, and this term has been used before, but I like it so I keep using it, being brilliant at the basics, right? So you have to have things like vulnerability management, and that has to be operationalized, like just the way you do things, but you have to continuously improve that and figure out what needs to get better.

So for instance, because of the way the threats evolve and the way everybody's accelerating exploits, we have to figure out how we identify vulnerabilities quicker and then how we remediate them in a more automated fashion. So that's being brilliant at the basics, for that example.

And then secondly, advancing our capabilities as our threat environment evolves and the business environment evolves, and regulatory, let's put it out there as well too. So things like the increase of ransomware and destructive attacks; those weren't really there before. I mean, they were there, but they weren't top of mind. What was top of mind was data protection, right?

So we're trying to figure out how we shift our security programs and take concepts like workload segmentation and say, ok, historically it's done by data type, like here's the PCI zone, here's the high-risk data zone. But what does that segmentation strategy have to look like, and what does that mean from an operational resiliency perspective?

So these are the minimum viable operational applications and services that need to be up to run the airline. And how do you segment and look at that from a security architecture perspective and a resiliency perspective, to shift it that way? Because data gets kind of popped all the time; you're going to manage that reputational risk. But if I can't run the airline and I can't recover quickly from a cyberattack... so that's advancing our capabilities.

You talked about immutable backups; we have to be able to do that as well too. So that's being brilliant at the basics and advancing our capabilities. And then lastly, we have to enable the business. You talked about not being the department of no, right? I always say we have to enable secure outcomes for our business.

And United Airlines is on a huge growth trajectory right now. The airline industry is coming back with a vengeance, and I'm so happy about that. But that means we have almost over 500 planes in the next couple of years that are going to be inducted into our operation, and they're all connected aircraft. So that's a digital infrastructure that has to enable cyber safety and airworthiness that wasn't there before; there are new types of planes.

So we're building all that and ensuring a framework and a continuous monitoring approach that will make sure we continue to have that cyber safety built in. And then there's also the customer side of that. We want to enhance the customer experience with all that growth and new capabilities; we're really leaning into digital to have new ways to interact with our customers.

And we also want to enable a digital trust concept with them, to make sure that they understand what the expectations are around that digital experience from a security, privacy and data protection standpoint. So we'll start off with, as I always say, identity is kind of like the cornerstone; it has to be the cornerstone. So we're going to really take a look at what our customer experience is and how identity can help us enable that.

Got you. So, you know, I said that you're the only airline industry representative on the council. Do you feel any extra pressure? Stress? I could almost hear it in your voice when you were explaining all the things that you guys are doing. So is that something that, you know?

Yeah. No, it is. I mean, it is a big responsibility, but I think I've got the support of my whole company and the industry. The one good thing about a lot of industries, and in cybersecurity, is that you know you have to work on it collectively. So like I said, being the only airline in that council, there are different representatives in that council, so there are different risks and nuances to the airline industry. But I really think it's more about how we make sure that we are taking those resiliency factors, cybersecurity and data protection factors, across the critical infrastructure. And so what are the commonalities, and how do we kind of raise the baseline across those commonalities? And I think we'll all be better for it because of that.

Absolutely, definitely. So, Deneen, I want to thank you for all your insights and for sharing your AWS journey with us here. And I want to thank all of you for being here, and I hope you all enjoy the rest of the week. My voice is now almost completely gone. And I actually hope to see you all at re:Play tonight if I can make it, and I definitely want to see you all at re:Inforce next summer. So, thank you.
