What Enterprise Security Can Learn From Silicon Valley

Most enterprises do not build software or operate infrastructure the same way Netflix does. But the Silicon Valley world offers a lot that an enterprise can learn from and aspire to as policy to improve its security posture. Forward-thinking CIOs should work with the organization's security function to adopt technology and practices that will empower defense. Here are some examples:


The Linux “Grinch” Vulnerability: Separating Fact From FUD

Recently, a security firm reported what they claimed to be a flaw with a major impact on organizations running Linux. (And apparently, since all the rage these days is to give bugs code names, they pre-seeded the market with this timely one: “grinch”.)

Linux software bugs have been huge this year, leaving administrators scrambling to patch against Shellshock, Heartbleed, POODLE, etc. With claims that this vulnerability could have an impact similar to Shellshock, I really wanted to dive into what the “grinch” bug means in order to separate the fact from the FUD.


CVE-2014-6271 And You: A Tale Of Nagios And The Bash Vulnerability

The internet is yet again feeling the aftereffects of another “net shattering” vulnerability: a bug in the shell ‘/bin/bash’ that widely affects Linux distributions and is trivial to exploit. The vulnerability exposes a weakness in bash that allows users to execute code set in environment variables, and in certain cases allows unauthenticated remote code execution.

Possible vectors for attack include:

Cloud Security Is Always Your Responsibility

Too many times we hear and read about how insecure the cloud is or worse — that the cloud is already secure because IaaS providers have security groups and protection capabilities. These ideologies are all too common and far too wrong. By using outsourced cloud infrastructure, you are only outsourcing your infrastructure, not your security. Security is always your responsibility.  


Richard Bejtlich and Chris Wysopal Join Threat Stack Advisory Board

Since we started Threat Stack in November of 2012, our mission has been to create the most powerful security monitoring and forensics platform built specifically for the cloud. Since then, we’ve been honored and humbled to work with many of the world’s top cloud and security providers and experts.

Now, we’re excited to announce that Richard Bejtlich, CSO of Mandiant, and Chris Wysopal, CTO and co-founder of Veracode, have joined the Threat Stack Advisory Board.
