Doing things right: Cloud and SecOps adoption
There is hardly an organization out there that isn’t planning or hasn’t already taken advantage of the cloud. And, according to Threat Stack CTO Sam Bisbee, there is hardly a technology-oriented organization anywhere on the small-business to-enterprise spectrum that isn’t a good candidate for SecOps.
But the adoption of these technologies has to be well thought out and carefully implemented, so that it does not become, down the line, an operational problem or a way in for attackers.
Security risks and the cloud
CISOs must reevaluate their risk profiles before moving to the cloud and devise detection strategies built specifically for those profiles.
“Too many organizations opt to stretch existing defenses to ‘cover most’ of the risk. That is almost always a mistake,” Bisbee points out.
“Every public cloud provider implements security controls and visibility differently. For example, IAM and network segregation will be different, the quality and type of visibility, etc. This makes mapping on-premises strategies difficult, especially if attempting a hybrid or multi-cloud strategy.”
By leveraging public cloud infrastructure themselves, attackers can more easily exploit existing vulnerabilities in an organization’s systems by doing things like:
- Quickly standing up and tearing down attack-specific infrastructure, including inside a target environment
- Switching out IP addresses or whole attack infrastructure when attacking a perimeter, thereby more easily avoiding attribution, or
- Leveraging the cloud providers’ publicly exposed APIs to circumvent traditional network controls.
To keep up with the speed and sophistication of current attacks, while enabling both security and ops teams to work together, organizations must begin relying on cloud-native security tools.
“In tandem with relying on cloud-native tools, organizations must also practice good security hygiene to avoid giving attackers potential threat vectors,” says Bisbee.
“Using Threat Stack’s tools, I recently found that too many companies running AWS were making avoidable mistakes, such as leaving SSH wide open to the internet, not implementing multi-factor authentication for AWS users, and not deploying AWS-native security services (such as CloudTrail) universally across all regions.”
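The three hygiene failures Bisbee lists are all checkable from the output of standard AWS API calls. The following is an added example written for this page, not Threat Stack's tooling or code from the original article. Each check takes the JSON structure returned by the corresponding AWS call (the `SecurityGroups`, credential-report CSV and `trailList` shapes are those of the real `ec2:DescribeSecurityGroups`, `iam:GetCredentialReport` and `cloudtrail:DescribeTrails` responses), so it runs offline against saved output; the sample data at the bottom is constructed for illustration, and the account ID and names in it are made up.

```python
"""Offline checks for three avoidable AWS mistakes: SSH open to the
internet, IAM users without MFA, and CloudTrail not covering every region.
Example code added for this page, not from the original article."""
import csv
import io

SSH_PORT = 22
ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def _rule_covers_port(rule, port):
    """True if an IpPermissions entry allows TCP traffic to `port`.
    IpProtocol "-1" means all protocols and carries no port range."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def open_ssh_groups(describe_sgs_output, port=SSH_PORT):
    """Return IDs of security groups exposing `port` to 0.0.0.0/0 or ::/0."""
    exposed = []
    for sg in describe_sgs_output.get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            if not _rule_covers_port(rule, port):
                continue
            v4 = any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
            v6 = any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", []))
            if v4 or v6:
                exposed.append(sg["GroupId"])
                break  # one offending rule is enough to flag the group
    return exposed


def users_without_mfa(credential_report_csv):
    """Return console-enabled IAM users (and the root account) lacking MFA.
    The root row reports password_enabled as 'not_supported', so it is
    matched by name rather than by that column."""
    reader = csv.DictReader(io.StringIO(credential_report_csv))
    flagged = []
    for row in reader:
        console = row["user"] == "<root_account>" or row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            flagged.append(row["user"])
    return flagged


def cloudtrail_regions_uncovered(describe_trails_output, enabled_regions):
    """Return enabled regions with no trail. A single multi-region trail
    covers every region; otherwise each region needs its own trail."""
    covered = set()
    for trail in describe_trails_output.get("trailList", []):
        if trail.get("IsMultiRegionTrail"):
            return []
        covered.add(trail.get("HomeRegion"))
    return sorted(set(enabled_regions) - covered)


def audit(sgs, credential_report, trails, regions):
    """Run all three checks and return the findings as one dict."""
    return {
        "ssh_open_to_internet": open_ssh_groups(sgs),
        "users_without_mfa": users_without_mfa(credential_report),
        "regions_without_cloudtrail": cloudtrail_regions_uncovered(trails, regions),
    }


# Constructed sample data in the shape of the real API responses.
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [          # SSH from a private range only
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [          # all traffic from any IPv6 host
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}
SAMPLE_CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true
alice,arn:aws:iam::123456789012:user/alice,true,true
bob,arn:aws:iam::123456789012:user/bob,true,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false
"""
SAMPLE_TRAILS = {"trailList": [
    {"Name": "east-only", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False}]}
ENABLED_REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]

if __name__ == "__main__":
    for finding, items in audit(SAMPLE_SGS, SAMPLE_CREDENTIAL_REPORT,
                                SAMPLE_TRAILS, ENABLED_REGIONS).items():
        print(f"{finding}: {items}")
```

Against a live account the same functions take `ec2.describe_security_groups()`, the base64-decoded `Content` field of `iam.get_credential_report()`, `cloudtrail.describe_trails()` and the region names from `ec2.describe_regions()` via boto3. Note that the SSH check deliberately treats an all-protocol (`-1`) rule and a port range spanning 22 as exposure, not just a literal 22-22 rule, which is where single-port greps usually miss.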
Into the future with SecOps
The goal of SecOps is to help companies deliver software more efficiently and more securely, while reducing risk for the organization over time. The reality is that, because of the new operating model in cloud environments, security and operations teams must work together: the security team identifies risks and then works with operations to remediate them.
“No matter what resources you do or do not have at hand, including personnel, budget, or tools, SecOps is both critical and achievable,” he believes. But one thing crucial to its implementation is leadership buy-in – the people in charge must realize that security is on equal footing with availability and performance.
“If the e-retail boom taught suppliers that they must invest in site availability like they would to ensure their brick-and-mortar has its lights on, they must also invest in security like they would to ensure that the alarms work and doors lock.”
Those facing the problem of integrating SecOps into a massive and complex security architecture should start by embedding security team members with the builders they’re supposed to be working with.
“This is easily accomplished by having them sit together,” he notes, but stresses that it is not the security team’s goal to overhear and squash, but instead to slowly build a rapport, offer advice, and – most critically – build empathy.
“When security sees an issue, such as a rise in privilege escalations, they can have a productive and data-driven conversation, discussing why it is happening more often and seeing whether there is a solution that is positive for everyone, such as automating away a menial task in return for blocking that privilege escalation.”