AWS Security Blog

AWS Security Profiles: Don “Beetle” Bailey, Senior Principal Security Engineer; Brian Wagner, FSI Compliance Specialist


In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.

How long have you been at AWS, and what do you do in your current role?

Beetle: I’ve been at Amazon for eight and a half years, and I’m a Senior Principal Security Engineer. I helped build the AWS Security team from scratch, and for a while I wrangled security operations, threat intelligence, application security, and security engineering for all of AWS, reporting to our CISO Steve Schmidt. I’m still fairly involved with all that, while focused on proactive outreach to independent and academic security research communities. I also represent AWS for the Linux Foundation’s Core Infrastructure Initiative. When I get the time and can put my head down, I geek out on fun things for re:Invent that I think will benefit our customers. Before Amazon, I was a Principal Engineer for the Mitre Corporation for eleven years, and before that, I was in the US Army. I’ve always felt that being a “security geek” is a calling. Whether I’m helping people tackle emergent issues in the moment, or figuring out how new customer experiences can be delivered in a secure manner, it’s all very rewarding.

Brian: I’ve been at AWS just over five years. I joined AWS as a Solutions Architect in Berlin, Germany, in 2013 where I worked in the enterprise space. I wasn’t a security guy by title, but it came up a lot in my day-to-day work — the cloud was pretty new back then and there was a lot of discussion about the security of it. In 2016, I moved to London and joined Professional Services as a full-time Security Consultant, which allowed me to work with customers in-depth and for very long periods of time, primarily in the financial services industry. Recently, I took on a new role as a Compliance Specialist in financial services. I’ve basically taken the in-depth experience I gained from my time in Professional Services and turned it into a position that lets me help multiple customers. I should note that when I was in Professional Services, I owned the incident response messaging activities for Professional Services and Security globally, which is relevant because our session at re:Invent this year is about incident response. My new job title of Compliance Specialist might make attendees wonder, “What’s he doing up there talking about incident response?”

How do you explain your job to non-technical friends?

Brian: I just tell people that I sell dictionaries door-to-door. It’s much simpler than the truth.

Beetle: For the longest time, my kids thought I filled the Amazon boxes that show up on people’s doorsteps. Again, it’s a lot simpler than the truth. But I usually just ask folks if they’ve heard of “the cloud,” then explain that if you do things online like shopping, or storing data, or completing a banking transaction, a lot of those experiences are actually happening on the AWS cloud — and I’m one of the security geeks that helps make sure those activities happen in a secure manner.

Brian: Yes, that’s how I’d also describe it. For my particular role, I’d add that my focus is on helping AWS customers be secure.

What’s your favorite part of your job?

Beetle: My favorite part is interacting with customers. The opportunities that I get to talk to customers during re:Invent, the Summits, and the pop-up Lofts are super important to me. That interaction is absolutely my favorite part of the job.

Brian: What I love the best is getting to watch customers have that “ah-ha” moment. I’ve been living and breathing the cloud every day for over five years, but plenty of people are just getting started and figuring out how to make it all work. It’s very satisfying to see that lightbulb moment, when they go from “trial-and-error” to “this is working out…” and then, “Hey, now it all makes sense!” There’s always that moment with customers and it’s absolutely my favorite.

Beetle: Sometimes we see those lightbulbs go off in the audience when we’re presenting, and it’s great!

Speaking of the crowd, tell us about your re:Invent topic.

Beetle: So the title of our talk is AWS Security in your Sleep, and it builds on a number of talks that we’ve given in the past that demonstrate how to achieve security goals through automation. When you start doing things at scale, or if you want to be able to scale with a certain amount of consistency, you’re going to need automation. But often when we say “security automation” — whether that’s wrangling security events, incident response, or even forensics — customers will shy away, because it sounds intimidating. What we demonstrate is that there’s a lot you can achieve with security automation, and it can actually be fun!

Brian: There will be three demos this year. The first is what we’re calling a “low judgment” incident. This is a “security in your sleep” incident, where no human being has to think about what to do because you’ve automated the response. The second and third demos move on to increasingly complex scenarios based on real-world experiences. In our short hour together, we want to show people that they can automate even these more complex scenarios in a way that elevates their security.

Beetle: That’s right: achieving security goals with automation is not just a necessary thing, but it’s absolutely a possible thing for any of our customers to achieve. There’s this notion that only well-funded enterprises with large security teams and massive developer resources can achieve security goals through automation — particularly in security operations and incident response — and that’s actually not true. We want our demonstrations to show that all of our customers have these capabilities, right now. Our presentation is largely about democratizing security. We’re showing people that everyone can achieve their security goals through automation on AWS. We also throw in a few humorous tidbits to keep it interesting.

What are some of the most common misperceptions about cloud security that you encounter?

Beetle: One of the focal points of our presentation is the transition from traditional on-premise incident response workflows to the cloud. Traditional incident response requires you to put your hands on physical resources, whether you’re connecting and disconnecting cables, or plugging in forensic dongles to clone drives, etc. We want our presentation to dispel the myth that you can’t achieve security incident response goals in the cloud. In fact, you can have some of the most intricate, customized incident response workflows and run books, and you can still translate and map those responses onto capabilities that reside on our platform, with automation to execute at scale and speed. Sometimes, the terminology is different. Sometimes, the timing is different. But generally, you can accomplish more and faster within the cloud than from an on-premise environment.

Brian: Like Beetle said, you really can achieve those same goals, as long as you understand that the cloud might look a little different. But the goals themselves are the same. In fact, I like to think that they can be improved — that you can have more goals from within the cloud, and that you can achieve them with less effort.

If you had to distill your talk down to a single takeaway for your audience, what would it be?

Brian: Demos. Cats. And comedy. You’ll laugh, you’ll cry.

Beetle: Awkward comedy.

Five years from now, what changes do you hope to see across the security landscape?

Beetle: Five years is a long way out in this business! But I think we’ll see even more involvement from partners who flesh out holistic security capabilities that empower our customers to leverage AWS for all sorts of security-related purposes. Most notably, I think we’ll see much more capable solutions in incident response and incident management — decision support and services that help people quickly address concerns and get back to a known good state. I think we’ll continue to see more security-related products and services catering to our customers’ environments, whether it’s microservices, or containers, or whatever the next whiz-bang language or execution environment is.

Brian: When customers do something with AWS in the name of security, they do it because they perceive a risk of something bad happening. The whole point is to reduce risk. And the thing about risk is that it will always exist, whether in five years, or ten years, or fifty years. But if security is done correctly, we can reduce that risk to as close to zero as possible. Reaching zero will always be impossible — we don’t know what we don’t know, and so we can never mitigate all risk. But as time goes on and new threats emerge, AWS is able to offer customers the ability to continue to sleep well at night because we’ve helped them, or we’ve given them tools, or there’s a partner, or we’ve simply taken care of it for them per the Shared Responsibility Model. In five years, I’d like to be up on a re:Invent stage talking about something totally mundane because that’s all that’s left to mitigate — the big risks have been taken care of. I would love for re:Invent five years from now to be the most boring re:Invent ever.

Beetle: It’s interesting — we’re getting to have conversations now about security capabilities that generally reside at the top of the Maslow’s hierarchy of InfoSec needs. At the bottom are basics like inventory and patching, and it turns out that the inventory and patching story in an AWS environment is pretty boring these days: There’s an API call to make, and agents you can deploy on instances at boot that inventory any vulnerabilities and ensure they’re reported, and you can have an AWS Lambda function automatically deploy patches. Configuration management isn’t quite there yet, but it’s also becoming a boring story. But as you move further up, toward the top of the Maslow’s hierarchy of InfoSec needs, you get to things like anomaly-based intrusion detection, user behavioral analytics, and even deceptive infrastructure like honeypots. These are like the bonus levels of security engineering. You only get the luxury of indulging in these things if you’ve eaten all your vegetables beforehand. Currently, these things are bleeding edge, but in five years, maybe intrusion detection will be boring and incident response will be boring, because that will all just get done by a capability innate to the platform or from a one-click-deployable partner solution, and then we’ll be eyeing some other type of cherry on top of the security sundae.

Do you have any tips for first time conference attendees?

Beetle: Beyond general health tips, like wearing comfortable shoes and drinking enough water, I think the mobile app is super helpful, particularly when you customize it and choose which talks you’re interested in. Also, people may not realize this, but AWS has always made a significant investment in re:Invent’s wireless infrastructure. (It’s been a privilege of mine to help plan and deliver some of that infrastructure in years past.) It’s fast, and likely better than any hot spot or overloaded cell tower. There are Wi-Fi access points every twenty yards or so, nearly everywhere you go at re:Invent.

Brian: If you have questions or need help with something, look for the Security booth signs and the people with AWS shirts — everybody is super-helpful and our approach is basically, “if I don’t know the answer to your question, I’m going to find someone who does!” The other thing I’d recommend is networking: Bring your business cards and try to step outside of your comfort zone. If you don’t know anything about security, come to a security session. If you’ve always wanted to learn about IoT, this is a really great place to do it. Rarely will you see a higher quality bar for presentations, so mix in stuff that might feel tangential to you personally or to your business. Diversify your schedule and take advantage of as many of the opportunities as you can.

Beetle: One final recommendation: there’s a charity fun run that we hold at re:Invent that benefits Girls Who Code. They close off streets in Las Vegas for thousands of runners, and there are different distances to choose from. It’s a fantastic and fun event. Sign up and run!

If you had to pick any other job to do, what would it be?

Beetle: QA for Comixology.

Brian: You had that answer in your back pocket! Wow.

Beetle: Amazon acquired Comixology, I’m a big comic book geek, and I love Comixology — it’s great for reading digital comics. I’m angling to convince them that they need a security engineer dedicated to them full time, making sure their comic books render correctly.

Brian: I cannot top that.

Author

Don “Beetle” Bailey

Beetle made the transition from Army supply guy to security geek in the mid-90s, inspired by dial-up access to a BBS, Trumpet Winsock, and the L0pht. Today, he’s a Senior Principal Security Engineer at AWS and is passionate about his day job: protecting customers, their data, and AWS itself. He founded the “ShmooCon” hacker conference, and he’s presented on wireless security and cloud security at a variety of conferences. Beetle has a BS in Computer Science from James Madison University.

Author

Brian Wagner

Brian worked as a software developer for 15 years, and then as a network engineer, until AWS hired him in 2013 in Berlin where he helped customers get comfortable with the cloud (even before the Frankfurt region was launched). He’s since made security a full-time job and moved to the AWS Professional Services team in London where he’s led efforts such as GDPR, Incident Response, and the AWS Security Workshop. These days, you can find Brian in his natural habitat at the gym or on a rugby pitch.