Cloud, DevOps, and automation have each become tremendous propellants for cloud-based companies to accelerate their releases, innovation, and app scalability. But this speed and unlimited scale can come with drawbacks. Very real repercussions arise when you can build without restrictions.
Whether you’re a new SaaS or a more mature organization like Reddit, discoverability of your assets is necessary to detect costly vulnerabilities. But visibility is elusive for even large and well-resourced teams - just see the CapitalOne data breach from last year. The frequency of changes in a DevOps pipeline or engineering cycle are chaos to security analysts and engineering working to spot vulnerabilities. So how can companies keep up without slowing everyone down?
Companies leading in digital technology like Reddit, Auth0, Databricks, and others are taking a methodical, data-driven approach that powers a continuous security and governance solution to efficiently conduct vulnerability management.
Data should be priority number 1
Whether it's security reviews, compliance audits or self-assessments, monitoring changes over time, enforcing policies and procedures, digging through alerts, or remediating gaps in your security posture, asset visibility, and data reliability is critical.
You can’t protect what you can’t see. Most organizations are probably not seeing the whole picture of their complex environment right now.
For example, misconfigured public S3 buckets continue to “get” people. It sounds like it would be a simple problem to identify and fix, but without the right tool to constantly and consistently provide that up-to-date data, you may not be able to discover how far-reaching the problem was, what the root cause was, and who the owners were to best remediate.
For companies like Reddit and Auth0, routinely collecting and consolidating their disparate infrastructure data are foundational to their vulnerability management process. Automating resource discovery ensures they can reliably identify infrastructure-vulnerable packages.
Automate context, not just action
Much of how your team determines priorities is tied to the context of a task, risk, or vulnerability. Treating alerts or notifications from your various security tools equally is a recipe for disaster. It’s literally missing the forest for the trees. The most effective security teams are able to assess context to address the most critical needs - context derived from living in your environment.
Your organization’s combination of infrastructure, tooling, policies, and team members is completely unique. Out of the box automation is undoubtedly compelling for security teams unable to keep up with the onslaught of vulnerabilities, but this automation will fail to address the root cause of the issues and will lack the context your team has of your operations.
So rather than enabling poor security and development hygiene by auto-remediating issues, automate context through relationship mapping of resources and their owners to increase accountability.
Cloud security teams can automate accountability by mapping the relationships between their resources and the owners of those resources. The ownership and other relationship details live in the resource's metadata.
Vulnerability and risk management
With the data in place, the security teams at Reddit are able to deploy a vulnerability management program seamlessly (whether its an open-source, agentless script to collect vulnerability data or commercial solutions) and assess what has or has not been scanned for their entire infrastructure, as well as who is responsible for remediation -- the technical owner of a server instance, or maintainer of a code repo, for example.
These companies can use data and query to easily report on the percentage of servers in production that are scanned daily and know how many services/products exist in their organization, including a break of resources that are missing required tags. Or quickly identify a resource and gather all its attributes and contextual relationships within seconds to respond to an active threat or incident.
It’s visibility and security assurance in the midst of perceived chaos.
Avoid noise at all costs
One more thing is critical. Never forget, your goals are 1) preventing security incidents from happening, when possible, and 2) being able to quickly spot and remediate incidents when they occur. Let me stress that it is when, not if, they occur. Knowing that you should prioritize visibility and simplicity in your security operations - especially when it comes to tooling.
Noise is the enemy, even if it is from tools aiming to make your job easier. When there is noise in data and reporting, your operations slow. Noise also impacts your urgency and response to alerts, leaving you vulnerable.
Simplified, reliable security operations
By centralizing the data collection, consolidation and aggregation from their infrastructure, DevOps and security tooling, Reddit, Auth0, Databricks, and others are able to build on this data-driven foundation for their overall security operations. They have insight into all of the resources that exist in their environment in a single place and visibility into the owners accountable for remediation. They are able to find that needle in a haystack quickly and make decisions with high confidence.
NetOps teams, like Spider Man, have great powers and great responsibilities. Increasingly, they are adopting a Zero Trust approach to network operations to help fight their battles.
Senior stakeholders who want to hold on to their CISOs must ensure that they have sufficient incentives and, more importantly, support to cope with the burden of risk that they are carrying.
The most alarming takeaway from Cisco’s new Cybersecurity Readiness Index report is that even after decades of having the importance of cybersecurity driven home, cyber threats are still taken too lightly.
