Understanding Shared Responsibility For a SaaS Environment

As a SaaS organization, you may be well-versed in the world of cloud computing and feel confident that the cloud is as secure as any on-prem or data center network — as you should. Cloud Service Providers (CSPs) have gone to great lengths to secure their infrastructure, employing in-house security teams with deep expertise and world-class security tools. Few SaaS companies alone can achieve the same level of collective cloud security prowess that an IaaS provider such as AWS or Azure can.

But security of the cloud is different from security in the cloud, which is to say that you — as a SaaS organization — are not off the hook completely. The shared responsibility model that cloud providers subscribe to means that, while they are responsible for the security of cloud infrastructure, you are responsible for the security of your own data, platform, applications systems, and networks.

The better you understand this division of labor, the better you can secure your SaaS environment. In this post, we’ll explore when you need to embrace your responsibility and when it’s okay to let your CSP drive — so you know exactly where to focus your cloud security efforts. Read more “Understanding Shared Responsibility For a SaaS Environment”

Is Your Infrastructure Too Unique for a Cloud Security Tool?

Every organization orchestrates their infrastructure in their own way, but more often than not, most cloud environments have a lot in common. Since infrastructure security is embedded at the technology layer of your stack, many security tools on the market today can meet the needs of even the most unique cloud configurations. In this post, we’ll explain why that is. Read more “Is Your Infrastructure Too Unique for a Cloud Security Tool?”

How to Work Backwards to Develop a Sound Security Strategy

In today’s cloud-based environments, security threats can move faster and do more damage than ever before. To avoid a financial and technological repercussions, companies must be proactive with their security strategies and have the ability to act fast.

A common approach is to “over-secure” company systems, but this can unnecessarily limit employee access to important tools and hinder productivity. Alternatively, those who know security well realize that if you offer employees too much access, it can open your business to security vulnerabilities.

A better approach centers on striking the right balance between security and practicality, and the way companies can achieve this is by working backwards from the ideal security scenario to formulate their strategy.

In this post, we’ll explore ways that security leaders can approach technology in a manner that is both usable for employees but also secure for the company. To do this, they must begin with an analysis of the risks and the needs of their employees. Let’s dive in. Read more “How to Work Backwards to Develop a Sound Security Strategy”

What You Need to Know About the Apache Struts Vulnerability – Updated

Post updated by:
Christian Lappin,
Threat Stack Senior Security Engineer & David WeinsteinThreat Stack Senior Security Engineer

Four months ago we wrote the following:

The Apache Struts “vulnerability is . . . extra-concerning because exploiting it is trivial. Hackers can easily spot vulnerable systems, the Struts exploits are publicly available, and the attack is easy to carry out and repeat. Attackers need to modify just one line of code to trick servers into downloading malicious binary from the internet.”

We warned about the Apache Struts vulnerability before the massive cyber attack that Equifax Inc. experienced — or at least before Equifax announced the breach to the public. Read more “What You Need to Know About the Apache Struts Vulnerability – Updated”

How to Use Automation to Decrease Mean Time To Know

Mean Time To Know (or MTTK for short) is one of the most important metrics in security operations. It measures how efficient the security team is at detecting real threats. The shorter it is, the sooner you will catch an attack in progress and be able to put a stop to it, reducing the negative consequences for your organization. 

But the reality is, it’s not so easy to reduce MTTK. For starters, security teams are barraged with alerts on a daily basis, requiring manual work to sift through the noise to find a signal that indicates a real issue. Add on all the other tasks that need to be done aside from alert investigations, and it’s seemingly impossible to get ahead.

This is where automation comes in. Automation not only eliminates the need to manually handle tedious tasks (like alert response). It also helps you to optimize your existing resources, empowering them to actually focus on MTTK and get it under control.

In this post, we’ll take a closer look at what MTTK is (and isn’t) and how you can leverage automation to effectively decrease it. Read more “How to Use Automation to Decrease Mean Time To Know”

Vulnerable vs. Exploitable: Why These are Different & Why it Matters

Pop quiz: What’s the difference between vulnerable and exploitable?

As we’ve written before, a vulnerability is a weakness in a software system. And an exploit is an attack that leverages that vulnerability. So while vulnerable means there is theoretically a way to exploit something (i.e., a vulnerability exists), exploitable means that there is a definite path to doing so in the wild. Naturally, attackers want to find weaknesses that are actually exploitable. As a defender, being vulnerable isn’t great, but you should be especially worried about being exploitable.

There are a few main reasons why something that is theoretically vulnerable is not actually exploitable:

  1. There may be insufficient public information to enable attackers to exploit the vulnerability.
  2. Doing so may require prior authentication or local system access that the attacker does not have.
  3. Existing security controls may make it hard to attack.

Below, we’ll explain why this matters and how you can use it to improve your security posture. Read more “Vulnerable vs. Exploitable: Why These are Different & Why it Matters”

Why Automated Security Threats are Proliferating and How to Fight Back

We’ve written before about the importance of looking inward, rather than out, when it comes to evaluating what types of cyberattacks are the biggest threat to your unique organization. A large part of the attack landscape today includes automated threats. Rarely do we come across handcrafted attacks targeting specific organizations. A far cry from bespoke and laser-targeted, the vast majority of today’s cyberattacks are built for volume and trolling for the weakest point of entry.

So, what exactly are automated security threats and how can you best protect your organization from them? Read more “Why Automated Security Threats are Proliferating and How to Fight Back”

5 Things All Security Teams Should Be Doing (But Many Aren’t)

Security teams are expected to do a lot these days. From properly configuring the cloud environment, to protecting the organization from today’s latest threats, to answering tough questions from the board and customers, there’s more than enough to be done, but how do you know you’re doing the right things?

In this post, we’ll dive into the five biggest areas of security that all teams should be paying attention to. Addressing these will protect you from a large majority of security threats today, and will also create a solid security foundation that you can incrementally build on as your organization grows and your needs become more complex. Read more “5 Things All Security Teams Should Be Doing (But Many Aren’t)”

The 5 Questions Your Security Team Should Be Able to Answer

In a time when security consciousness is high and stories about security breaches are all too frequently in the headlines, your security team needs to be ready for questions it’s bound to receive from customers, auditors, employees, board members, and other affected parties.

We’ve covered a lot of topics in this blog, including cloud security strategies, basic security hygiene, best practices, and how to mature your security posture. But to make it easy for your security team, we’re going to use this post to address five fundamental questions that any security team must be able to answer and give tips on how you can prepare to answer them. Read more “The 5 Questions Your Security Team Should Be Able to Answer”

Considerations For Creating Secure User Groups on AWS Using IAM

A big difference in the way on-premise infrastructures and cloud infrastructures are implemented centers on the way that user permissions are assigned. As you move towards software-defined everything, where data and systems are far more connected (generally a good thing), you need to pay special attention to the roles and permissions you grant to ensure that users are only given as much access as they absolutely need. No more, no less. Read more “Considerations For Creating Secure User Groups on AWS Using IAM”