Security teams are expected to do a lot these days. From properly configuring the cloud environment, to protecting the organization from today’s latest threats, to answering tough questions from the board and customers, there’s more than enough to be done. But how do you know you’re doing the right things?
In this post, we’ll dive into the five biggest areas of security that all teams should be paying attention to. Addressing these will protect you from a large majority of security threats today, and will also create a solid security foundation that you can incrementally build on as your organization grows and your needs become more complex.
1. Create Guidelines
If you think your developers and operations people understand secure code deployment and safe access to production just because they are tech-savvy, you’re probably wrong. While some may, most do not, and they need the security team to lead the way. Especially for SaaS businesses, continuous development and deployment are very common, but these rapid changes must be accompanied by basic yet critical security guidelines and practices.
As a security team, you should develop guidelines and practices for each of these teams around:
- User access policies
- Safe access to production
- Automated system updates
- Secure code deployment
The point of these guidelines is not to impose rigid rules and restrictions but to support the teams that need to run fast and secure. By creating guidelines, policies, and processes upfront to govern who has access to what, how code is deployed, and where the checks and balances are along the way, you can develop a culture of security and set yourself up so you can introduce automation to save your team even more time. (We’ll get into the automation piece later on in this post.)
2. Build Effective Employee Security Awareness
The key word here is “effective.” While a 30-minute intro to security during new employee orientation may sound like it fits the bill for security training, it falls short of preparing employees to effectively protect your business, systems, and themselves from threats. Especially considering the rise in attacks such as W-2 scams, exploit kits, and ransomware, employees have never been more of a target. But if they are properly trained, they can actually serve as one of your first lines of defense.
As we explain in an earlier post, security awareness requires that you embed security into your company culture (the earlier the better). Every employee should be aware of why security is important to the business and what their responsibilities are. Building a culture of security requires that employees not only understand the value of following security best practices from day one, but are regularly trained on and reminded about security.
Beyond frequency, the training should be tailored to specific roles within your company. That is, the security responsibilities of a developer will be different from those of a salesperson, so every employee needs to understand what policies and practices apply to their jobs and how to follow them. Developers, as I explained above, need to know what their user permissions are, how code is scanned for vulnerabilities before it’s pushed to production, and how to use 2FA when accessing critical systems and applications, among other requirements.
Salespeople, on the other hand, should understand how to create unique and complex passwords, how to use the company VPN (if you have one), how to spot phishing emails, and so on. They should also know how to talk to prospects about your organization’s security posture.
Educating different staff members on their specific and unique requirements — and also explaining to them why they must do those things — is necessary for success.
3. Look Inward
We often see companies rush to protect themselves from headline-grabbing threats such as nation-state attacks and ominous zero-day exploits without first considering which threats their organizations are really most prone to. That’s why we recommend that you spend more time focusing inward on likely threats than outward on the big, headline-inducing ones. Why?
The chances that you’ll be hit by a nation-state attacker are pretty low (that is, unless you’re a government agency or related in some way to one), but the chances you’ll fall victim to a phishing scam, exploit kit, or a common vulnerability you forgot to patch, or cannot patch, are much higher.
To identify the specific threats that your company, industry, and customers are most prone to, turn your security focus inward. Then, understand what kinds of data, systems, and applications could be impacted by these threats. If applicable, you should also take into consideration what protections you need in place to meet compliance regulations. If you’re beholden to HIPAA or PCI compliance for example, putting in place security monitoring, alerting, and auditing — among other protections — will be critical in meeting security best practices and compliance requirements.
Often the protections you need will satisfy many of these requirements, so it can be a great opportunity to do both exercises at once, saving a lot of time in the process. With your bases covered, you can then address other rare but high-severity risks like international adversaries and DDoS attacks — if it makes sense for your organization to do so.
4. Audit Cloud Configurations
There are many moving parts in the cloud. From ephemeral servers to security groups to connected devices, it can be difficult to ensure that each is properly configured and secure. That is, unless you are able to audit these configurations within your environment to identify areas of non-compliance with best practices.
Using a solution like Configuration Auditing, companies can audit their AWS cloud services and get a prioritized list of configuration errors that need to be addressed. You may find out that a security group was left wide open or users do not have multi-factor authentication enabled, for example. These are both high-priority issues that, if not fixed, can be a perfect launch pad for an attack against your company.
With Configuration Auditing, you not only know exactly what isn’t properly configured anywhere within your environment, but you’ll also know how to remediate the issues and make your environment more secure.
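As an added illustration of the two findings named above (not Threat Stack’s Configuration Auditing code), the script below walks security group rules and IAM credential-report rows and returns a prioritized finding list. The input dicts follow the shape of the AWS EC2 DescribeSecurityGroups response and the IAM credential report, but the data is constructed so it runs offline.

```python
# Added example: ranks a security group open to the world and users without MFA.
# Data shapes follow ec2.describe_security_groups() and the IAM credential report; values are constructed.
ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389, 3306, 5432}  # never expected internet-facing; 443 on a web tier is
SECURITY_GROUPS = [  # constructed sample
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},  # "-1" = all protocols/ports
]
CREDENTIAL_REPORT = [  # constructed sample rows of the IAM credential report
    {"user": "<root_account>", "password_enabled": "not_supported", "mfa_active": "false"},
    {"user": "alice", "password_enabled": "true", "mfa_active": "true"},
    {"user": "bob", "password_enabled": "true", "mfa_active": "false"},
    {"user": "ci-deploy", "password_enabled": "false", "mfa_active": "false"},  # access keys only
]

def audit_security_groups(groups):
    """Flag ingress reachable from anywhere; admin/database ports or all-ports rules rank high."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if not cidrs & ANYWHERE:
                continue
            lo, hi = perm.get("FromPort"), perm.get("ToPort")  # absent when IpProtocol is "-1"
            all_ports = perm["IpProtocol"] == "-1" or lo is None
            sensitive = all_ports or any(lo <= p <= hi for p in ADMIN_PORTS)
            ports = "ALL" if all_ports else f"{lo}-{hi}"
            findings.append({"severity": "high" if sensitive else "medium", "resource": g["GroupId"],
                             "issue": f"ingress from {sorted(cidrs & ANYWHERE)} on ports {ports}"})
    return findings

def audit_mfa(report):
    """Flag console-capable principals without MFA; key-only users cannot use console MFA."""
    findings = []
    for row in report:
        console = row["user"] == "<root_account>" or row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            findings.append({"severity": "high", "resource": row["user"], "issue": "MFA not enabled"})
    return findings

def prioritized_audit(groups, report):
    rank = {"high": 0, "medium": 1}  # stable sort: highest severity first, input order within a tier
    return sorted(audit_security_groups(groups) + audit_mfa(report), key=lambda f: rank[f["severity"]])
```

Against real accounts the same functions can be fed the output of `describe_security_groups()` and a parsed `get_credential_report()` CSV; the private-only `db` group and the key-only `ci-deploy` user are deliberately left out of the findings.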
5. Automate as Much as Possible
If you’re feeling overwhelmed by any or all of this, or are wondering where you’ll find the time to do it all, automation can help. Given how fast things change in the cloud, security can no longer be a manual task. To ensure that your company is secure by design, and to achieve consistency, speed, and the minimization of errors, as many security processes as possible should be automated.
What automation comes down to is streamlining time-intensive manual work and removing the need for employees to touch sensitive systems and controls by hand. Both of these scenarios are highly prone to error and can introduce a wide array of vulnerabilities. Instead, automate as much as you can, including code reviews, user provisioning and deprovisioning, monitoring, alerting, and just about every other routine and sensitive operational task.
This way, potential issues are caught faster, your team is notified immediately, and user error is reduced to near-zero.
Final Words . . .
These are five key steps that many organizations fail to take early on in their security journeys. But as experience tells us, getting back to basics and tending to them rigorously will ensure that you instill security awareness throughout your company, operate using best security practices, and achieve a level of security that is appropriate for your current needs. You’ll also be building a solid foundation that you can build on as your organization scales and your needs become more complex.
If you are an AWS customer and you’re ready to start improving your cloud security now, take the next step by signing up for a Free Cloud Security Audit Trial that will generate a unique assessment score for your AWS environment in minutes!
See Threat Stack in Action
Get in touch for a demo of Threat Stack's comprehensive intrusion detection platform.