How to Transform Alert Fatigue Into Proactive Security Management — 4 Must-Read Blog Posts

by    •   May 23, 2018
posted in How To Strengthen Security

The cybersecurity talent shortage is real, with an estimated 1.8 million unfilled roles expected by 2020. And with 72% of CISOs claiming that their teams are facing alert fatigue, there’s not a lot of margin for error when it comes to getting accurate, context-rich alerts in front of under-resourced teams.

Traditional approaches to managing security alerts have often driven teams into a reactive mode where they’re overwhelmed by huge volumes of alerts or spend way too much critical time gathering information and digging around in log files. If this proliferation of data can be transformed into actionable intelligence, however, teams can become significantly more proactive and reduce risk over time.

Today, we’ll take a look at four must-read Threat Stack blog posts that provide great advice on how you can more away from reactive, ad hoc tactics and adopt a more structured, proactive approach by making alerts a key element of your overall information security strategy. Read more “How to Transform Alert Fatigue Into Proactive Security Management — 4 Must-Read Blog Posts”

GDPR: What Compliance Says vs. What DevOps Hears

by    •   May 22, 2018
posted in Compliance & Customer Requirements

The deadline for the General Data Protection Regulation (GDPR) is fast approaching, with May 25 marking the official day of reckoning. The updates to the data protection directive of 1995 (Directive 95/46/EC) are designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy rights, and to reshape the way organizations across the EU approach data privacy.

There’s a likelihood that Compliance has approached your DevOps team to get on board. But when Compliance talks, what do you hear? Are you truly understanding what’s required of you to become GDPR compliant? Let’s take a look at some of the possible gaps in knowledge below. Read more “GDPR: What Compliance Says vs. What DevOps Hears”

SLDC, SOC 2, and Other Four Letter Words

by    •   May 18, 2018
posted in Development, Op-Ed

Developers gonna develop. That’s why we’re developers. We want to set some implementation goal and then make that a reality. We like to stay heads down and focus on the immediate task at hand. Unfortunately, this can sometimes cause collateral damage. Secondary objectives can get ignored or even trampled in the race to meet the primary target. It’s also likely that other promising developments will get missed as they fall off the main path. Dealing with these issues is one of the many functions of compliance regulations.
 Read more “SLDC, SOC 2, and Other Four Letter Words”

21 InfoSec and AWS Experts Reveal the #1 Mistake Companies Make When It Comes to AWS Security (and How to Avoid It)

by    •   May 16, 2018
posted in How To Strengthen Security

More companies are moving to the cloud than ever before. Amazon Web Services (AWS) is one of the most popular cloud platforms, and for good reason: AWS provides a robust set of features and services that give it broad appeal among businesses of all sizes. But when it comes to security, many companies continue to fall short, putting their sensitive data at risk. In a recent Threat Stack study, for example, we discovered that 73% of companies have at least one critical AWS security misconfiguration that enables an attacker to gain access directly to private services or the AWS console, or that could be used to mask criminal activity from monitoring technologies.

To gain some insight into the biggest (and potentially most devastating) mistakes companies are making related to AWS security as well as tips and strategies for avoiding them, we reached out to a panel of InfoSec pros and AWS experts and asked them to answer this question:

“What’s the number one mistake companies make when it comes to AWS security (and how can they avoid it)?”

Read more “21 InfoSec and AWS Experts Reveal the #1 Mistake Companies Make When It Comes to AWS Security (and How to Avoid It)”

20 Dev Leaders and Hiring Managers Reveal Their Favorite DevOps Interview Questions

by    •   May 10, 2018
posted in How To Strengthen Security, Op-Ed

We champion a security-first DevOps culture at Threat Stack, and I’ve had the opportunity of building DevOps best practices into the company since its earliest days. In our experience, this is the best way of simultaneously reducing risk and achieving peak operational efficiency.

Getting the right players on your DevOps team is crucial to this goal, of course. But how do you filter out the star players from the mediocre? Beyond a careful analysis of a candidate’s background and experience, asking the right interview questions can reveal valuable insights that make it possible to find the ideal candidate to complement your existing team’s skill sets and personalities.

To find out what questions today’s dev leaders turn to during interviews for these all-important insights, we reached out to a panel of hiring managers and dev team leaders and asked them to answer this question:

“What’s your favorite DevOps interview question (and why)?”

Read more “20 Dev Leaders and Hiring Managers Reveal Their Favorite DevOps Interview Questions”

DevOpsDays Austin Recap: Getting Back to Basics

by    •   May 9, 2018
posted in Op-Ed

What’s old was new again at DevOpsDays Austin last week, with the 7th annual conference featuring fewer attendees, the elimination of sponsor tables, and a format that put the focus back on knowledge-sharing and human interaction. Running May 3–4 at the Darrell K. Royal-Texas Memorial Stadium, the conference was an interesting exercise in returning to the roots of DevOpsDays, and the payoff was quality presentations and conversations. Read on for a few of the highlights. Read more “DevOpsDays Austin Recap: Getting Back to Basics”

Profile of an Ideal Security Hire in 2018

by    •   May 8, 2018
posted in Business Insights, How To Strengthen Security, Threat Stack Product

It seems that organizations are finally understanding the importance of bridging the gap between security and operations. In a survey we conducted recently, 85% of respondents said that employing SecOps best practices is an important goal for their organizations. Nevertheless, only 35% reported that SecOps is currently an established practice.

When it comes to the ideal of marrying security and operations, many are held back by a lack of expertise. The cybersecurity skills gap has created a severe talent drought in the industry, which is expected to leave 3.5 million cybersecurity jobs open by 2021.

It’s worth looking at what the qualities of an ideal security hire are in today’s business climate, and why it’s so difficult to find these types of professionals. In this post, we’ll outline the skill sets that cybersecurity professionals need to cultivate in the age of the cloud, explain why that ideal is so hard to find, and offer practical advice for moving your SecOps program forward, regardless of who you’re able to bring on your team full-time. Read more “Profile of an Ideal Security Hire in 2018”

What Happens When You Sacrifice Security for Speed (And Common Ways Security Gets Sacrificed)

by    •   May 3, 2018
posted in How To Strengthen Security

No matter where you sit in your organization, you should know what happens when you sacrifice security for speed. Threat Stack recently surveyed DevOps and security pros and found that more than half (52%) of companies make this very sacrifice, cutting back on security measures to meet a business deadline or objective. Additionally, 62% of security professionals surveyed stated that their Operations teams push back when asked to deploy secure technology — often because Ops fears it will slow things down.

This might not seem like a large problem until you consider what actually happens when you sacrifice security for speed. By putting speed above security best practices, you open your organization up to breaches and attacks. But ironically, contrary to the belief of some operations professionals, applying security best practices doesn’t necessarily require you to slow down forever.

In this post, the fourth in our SecOps survey series, we’re sharing what happens when you sacrifice security for speed, as well as some best practices your organization should apply in all circumstances. Read more “What Happens When You Sacrifice Security for Speed (And Common Ways Security Gets Sacrificed)”

5 Tips for Managing Security for APIs

by    •   May 2, 2018
posted in How To Strengthen Security

Creating APIs for your SaaS products provides invaluable benefits to your customers, allowing developers to plug into your resources and bring their products to market more quickly and efficiently than ever before. An API also allows you to integrate easily with other SaaS organizations, expanding your range of functionality to offer customers new features, increase your inherent value as a provider, and gain a competitive edge in the marketplace.

As with most beneficial technology, however, APIs are not without their risks. Exposing your APIs can leave you vulnerable to theft of API keys, a fairly easy way for cybercriminals to carry out denial of service attacks if you haven’t implemented the right security measures. These attacks overwhelm your server with data requests, crippling the availability of your product, and even costing you money, should the attackers demand a ransom.

At Threat Stack, we recently released Version 2 of our REST API, which serves as a way for customers to connect to our organization and extract critical information around security concerns in their environments. With Version 2, we have incorporated updates to meet industry best practices and to better protect ourselves and our customers’ data. Drawing on this experience, we have outlined below the ways in which you as a SaaS company can better manage security for your own APIs. Read more “5 Tips for Managing Security for APIs”

Three Unique Things About DevOpsDays Austin 2018

by    •   April 30, 2018
posted in Op-Ed

I’ve always found DevOpsDays to be some of the best gatherings for practitioners — the people in the trenches every day. I’m a regular at these events and consistently learn a ton from my peers — it’s some of the best DevOps training you can get! And I often get the chance to talk about some of my own experiences as well. At the April DevOpsDays in Denver, I had the opportunity to share some advice on integrating security into DevOps.

The upcoming Austin summit promises to switch up the format a bit, focusing more on interactions between practitioners and less on preselected talks. Ernest Mueller has a great post about the organizers’ motivations for changing the format and what to expect, but here are the three things I’m most excited about. Read more “Three Unique Things About DevOpsDays Austin 2018”