"There has been a cultural shift at Storebrand," says Øyvind Bergerud, Head of Security Operations at Storebrand.

My career in cybersecurity started with OS hardening, so I am rather passionate about the topic. When it comes to the cloud, many organizations have embraced automation. Yet, most skip hardening of the operating system or only do a bare minimum hardening baseline. I've also seen the pre-hardened CIS images used, but to my frustration, it update less frequently than other images. I am writing this as a companion post to my talk at NICConf. So, what are the options for hardening images in the cloud?

Ever since Cody introduced me to threat modeling at our previous place of employment I have had an ever-growing interest in the field. When I saw that a conference solely dedicated to the topic was announced by a lot of people I respect in the industry I knew I had to be there. The timing of it being a “pre-con” to the OWASP 2023 Global AppSec made it a no-brainer.

On October the 25th, Microsoft Incident Response and Microsoft Threat Intelligence released a report on a threat actor they refer to as Octo Tempest. The report describes a threat actor adept at attacking cloud environments, using many techniques previously only seen in the latest offensive cloud security research. The report details the TTPs of the threat actor group, and Microsoft's recommended hunting, defensive controls, and detections of the group. To O3 Cyber, this shows that threat actors are increasingly adopting attack techniques for cloud services that have been most commonly observed in cloud offensive research circles in the past and are innovating to get ahead of defenders in this fairly new space. The reporting by Microsoft is of high quality and should be taken very seriously by any organization utilizing cloud services. In this blog, we will dive into our key takeaways and recommendations. For the full report, you can go to the Microsoft security blog.

When it comes to navigating the complexities of cloud security, it's essential to adopt an approach that suits the unique cloud environment. Traditionally, many security managers have turned to frameworks as the one-size-fits-all solution.

Whether you've already embarked on your cloud journey, are midway through migration, or are still in the early stages of cloud adoption, security is hopefully at the forefront of your mind. But let's be honest: Cloud security isn't a walk in the park, especially when facing a shortage of experts with an in-depth comprehension of cloud security.