What is the NIST Cybersecurity Framework?

All Things Compliance, AWS Security, Security Research & Strategy
3 Min Read

You’ve SOC 2-ed from here to eternity, and you’ve got GDPR in the bag, but if you’re truly focused on security maturity, you know that your work is never done. So, what’s next? Perhaps it’s time to focus on the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

Unlike GDPR and SOC 2, organizations will face no penalties for noncompliance with the NIST CSF: It’s purely voluntary. Nevertheless, it serves as a singular guideline that CISOs can look to in a world of fragmented cybersecurity regulations.

The framework was first developed in 2014, after President Obama recognized the growing risk to critical infrastructure. His Cybersecurity Enhancement Act (CEA) of that year called to expand the role of NIST to create a voluntary framework in order to identify “a prioritized, flexible, repeatable, performance-based, and cost-effective approach” to manage cyber threats. A 2017 executive order by President Trump took the framework a step further by making it federal government policy.

After years of gathering feedback, version 1.1 of the framework was released in 2018 to provide “a more comprehensive treatment of identity management,” as well as additional information on managing supply chain cybersecurity. As a living document, the NIST CSF will continue to evolve as the industry provides feedback on implementation.

As the standard developed by the United States for managing cybersecurity risk, organizations would do well to take heed. As with any standard, choosing to comply with the NIST CSF demonstrates to your clients that you’re serious about security, while improving your overall security posture and lessening the risk of a data breach and the resulting financial losses, client churn, and reputational loss that go along with it.

Below we’ll help you understand some of the main points of the NIST CSF so you can begin putting it into practice. Read more “What is the NIST Cybersecurity Framework?”

Understanding Shared Responsibility For a SaaS Environment

Security Research & Strategy
3 Min Read

As a SaaS organization, you may be well-versed in the world of cloud computing and feel confident that the cloud is as secure as any on-prem or data center network — as you should. Cloud Service Providers (CSPs) have gone to great lengths to secure their infrastructure, employing in-house security teams with deep expertise and world-class security tools. Few SaaS companies alone can achieve the same level of collective cloud security prowess that an IaaS provider such as AWS or Azure can.

But security of the cloud is different from security in the cloud, which is to say that you — as a SaaS organization — are not off the hook completely. The shared responsibility model that cloud providers subscribe to means that, while they are responsible for the security of cloud infrastructure, you are responsible for the security of your own data, platform, applications systems, and networks.

The better you understand this division of labor, the better you can secure your SaaS environment. In this post, we’ll explore when you need to embrace your responsibility and when it’s okay to let your CSP drive — so you know exactly where to focus your cloud security efforts. Read more “Understanding Shared Responsibility For a SaaS Environment”

Is Your Infrastructure Too Unique for a Cloud Security Tool?

Security Research & Strategy
3 Min Read

Every organization orchestrates their infrastructure in their own way, but more often than not, most cloud environments have a lot in common. Since infrastructure security is embedded at the technology layer of your stack, many security tools on the market today can meet the needs of even the most unique cloud configurations. In this post, we’ll explain why that is. Read more “Is Your Infrastructure Too Unique for a Cloud Security Tool?”

How to Work Backwards to Develop a Sound Security Strategy

Security Research & Strategy
3 Min Read

In today’s cloud-based environments, security threats can move faster and do more damage than ever before. To avoid a financial and technological repercussions, companies must be proactive with their security strategies and have the ability to act fast.

A common approach is to “over-secure” company systems, but this can unnecessarily limit employee access to important tools and hinder productivity. Alternatively, those who know security well realize that if you offer employees too much access, it can open your business to security vulnerabilities.

A better approach centers on striking the right balance between security and practicality, and the way companies can achieve this is by working backwards from the ideal security scenario to formulate their strategy.

In this post, we’ll explore ways that security leaders can approach technology in a manner that is both usable for employees but also secure for the company. To do this, they must begin with an analysis of the risks and the needs of their employees. Let’s dive in. Read more “How to Work Backwards to Develop a Sound Security Strategy”

What You Need to Know About the Apache Struts Vulnerability – Updated

Security Research & Strategy
5 Min Read

Post updated by:
Christian Lappin, Threat Stack Senior Security Engineer & David WeinsteinThreat Stack Senior Security Engineer

Four months ago we wrote the following:

The Apache Struts “vulnerability is . . . extra-concerning because exploiting it is trivial. Hackers can easily spot vulnerable systems, the Struts exploits are publicly available, and the attack is easy to carry out and repeat. Attackers need to modify just one line of code to trick servers into downloading malicious binary from the internet.”

We warned about the Apache Struts vulnerability before the massive cyber attack that Equifax Inc. experienced — or at least before Equifax announced the breach to the public. Read more “What You Need to Know About the Apache Struts Vulnerability – Updated”

How to Use Automation to Decrease Mean Time To Know

Security Research & Strategy
5 Min Read

Mean Time To Know (or MTTK for short) is one of the most important metrics in security operations. It measures how efficient the security team is at detecting real threats. The shorter it is, the sooner you will catch an attack in progress and be able to put a stop to it, reducing the negative consequences for your organization. 

But the reality is, it’s not so easy to reduce MTTK. For starters, security teams are barraged with alerts on a daily basis, requiring manual work to sift through the noise to find a signal that indicates a real issue. Add on all the other tasks that need to be done aside from alert investigations, and it’s seemingly impossible to get ahead.

This is where automation comes in. Automation not only eliminates the need to manually handle tedious tasks (like alert response). It also helps you to optimize your existing resources, empowering them to actually focus on MTTK and get it under control.

In this post, we’ll take a closer look at what MTTK is (and isn’t) and how you can leverage automation to effectively decrease it. Read more “How to Use Automation to Decrease Mean Time To Know”

Vulnerable vs. Exploitable: Why These are Different & Why it Matters

Security Research & Strategy
3 Min Read

Pop quiz: What’s the difference between vulnerable and exploitable?

As we’ve written before, a vulnerability is a weakness in a software system. And an exploit is an attack that leverages that vulnerability. So while vulnerable means there is theoretically a way to exploit something (i.e., a vulnerability exists), exploitable means that there is a definite path to doing so in the wild. Naturally, attackers want to find weaknesses that are actually exploitable. As a defender, being vulnerable isn’t great, but you should be especially worried about being exploitable.

There are a few main reasons why something that is theoretically vulnerable is not actually exploitable:

  1. There may be insufficient public information to enable attackers to exploit the vulnerability.
  2. Doing so may require prior authentication or local system access that the attacker does not have.
  3. Existing security controls may make it hard to attack.

Below, we’ll explain why this matters and how you can use it to improve your security posture. Read more “Vulnerable vs. Exploitable: Why These are Different & Why it Matters”

Why Automated Security Threats are Proliferating and How to Fight Back

AWS Security, Security Research & Strategy
4 Min Read

We’ve written before about the importance of looking inward, rather than out, when it comes to evaluating what types of cyberattacks are the biggest threat to your unique organization. A large part of the attack landscape today includes automated threats. Rarely do we come across handcrafted attacks targeting specific organizations. A far cry from bespoke and laser-targeted, the vast majority of today’s cyberattacks are built for volume and trolling for the weakest point of entry.

So, what exactly are automated security threats and how can you best protect your organization from them? Read more “Why Automated Security Threats are Proliferating and How to Fight Back”

5 Things All Security Teams Should Be Doing (But Many Aren’t)

AWS Security, Security Research & Strategy
5 Min Read

Security teams are expected to do a lot these days. From properly configuring the cloud environment, to protecting the organization from today’s latest threats, to answering tough questions from the board and customers, there’s more than enough to be done, but how do you know you’re doing the right things?

In this post, we’ll dive into the five biggest areas of security that all teams should be paying attention to. Addressing these will protect you from a large majority of security threats today, and will also create a solid security foundation that you can incrementally build on as your organization grows and your needs become more complex. Read more “5 Things All Security Teams Should Be Doing (But Many Aren’t)”

The 5 Questions Your Security Team Should Be Able to Answer

AWS Security, Security Research & Strategy
5 Min Read

In a time when security consciousness is high and stories about security breaches are all too frequently in the headlines, your security team needs to be ready for questions it’s bound to receive from customers, auditors, employees, board members, and other affected parties.

We’ve covered a lot of topics in this blog, including cloud security strategies, basic security hygiene, best practices, and how to mature your security posture. But to make it easy for your security team, we’re going to use this post to address five fundamental questions that any security team must be able to answer and give tips on how you can prepare to answer them. Read more “The 5 Questions Your Security Team Should Be Able to Answer”