Don’t Make Perfect Security the Enemy of Good Security

We’ve written before about what it means to meet compliance standards without going completely overboard. Today, we want to talk about how that applies to cloud security as well. Some teams mistakenly believe that their security posture needs to be absolutely perfect. That’s not only overwhelming — it’s impossible.

More to the point, the reality of today’s security landscape is that cybercriminals are always looking for the path of least resistance. If company A has reasonably good security safeguards in place and company B does not, criminals aren’t going to waste resources poking at company A until they find a weakness. They’ll go after company B.

This is why we tell organizations that, when it comes to security, perfect can often be the enemy of good. Rather than trying to make your organization perfectly airtight, it’s time to focus on making your company as unappealing an attack target as possible. Here’s how.

How to Use Ops Tools for Security and Security Tools for Ops

Investing in SecOps doesn’t just mean hiring folks who know how to blend together software development, IT operations, and security skillsets. It also doesn’t just mean telling your DevOps team to run secure or scolding your security team into moving fast enough to keep up with continuous deployment.

Truly committing to SecOps means investing in tools that can do double (or triple) duty — helping you not only release code continuously but ensure that everything from your back-end infrastructure to your customer-facing applications is 100% secure. It means investing in tools that make meeting both DevOps and security best practices simple and straightforward.

As DevOps expands to include more security functions and security evolves to be more agile, it’s never been more important (or economical) to be able to use operational tools for security and security tools for operations. DevOps teams want software that can integrate critical functions of security, like alerting, directly into their current processes. Security teams want tools that let them seamlessly interact with DevOps.

Here’s what that should look like.

Ignore the Splashy Headlines: Why Security Should Look Inward, Not Out

It’s easy to get distracted by splashy headlines about breaches at corporations with household names. And of course state-sponsored, targeted cyberattacks are sexier than your average phishing scam. But just because a particular threat is newsworthy doesn’t mean it’s the right thing to spend your organization’s valuable resources protecting against.

The reasons for this may not be completely obvious, so let’s take a moment to understand why looking outward at newsworthy security attacks can actually hurt your company’s security posture. Then we’ll explain why an inward-facing approach is more effective.

Three Good Reasons to Get Compliant Now

When things are hectic at your organization, compliance may not feel like the highest priority. If you aren’t in an industry that absolutely requires compliance, it can feel like a box to check — more of a nice-to-have than a must-do. In other cases, it may seem like a good idea . . . but one that can be kicked down the road indefinitely. However, we believe it’s a good idea to approach compliance early — often earlier than you may think.

Indeed, there are some situations in which compliance can actually move the needle in a big way for your business, either positively or negatively. Here are three specific, value-driven reasons why you should consider being proactive about compliance and get out ahead of it before it’s too late.

How to Choose the Right Tools for Incident Management and Reporting

Your incident management process is greatly impacted by the tools you have available to carry it out. Technology should be your friend when it comes to gaining visibility and obtaining contextual data. You need tools to send alerts when issues arise, as well as track activity for compliance reporting purposes.

So, how do you choose the right incident management tools for your organization’s use cases?

How to Use Automation to Improve Your Cloud Security Posture

Automating security processes and workflows can help teams lower Mean Time To Resolution (MTTR), maintain or strengthen an organization’s security posture, and drive operational efficiency. Sounds pretty good, right?

In our recent Cloud Security Use Cases Playbook, we took a look at the key operational processes that all teams should have in place and some of the ways they can continually optimize those processes over time. Today, let’s take a look at how automation can provide ongoing, deep visibility and supercharge your security operations, all while saving you time and resources.

To Build or Buy Your Own Security Platform: That is the Question

What’s your priority: to become a Security Company or be a Secure Company?

If you’re truly in the security business, then of course you’ll be building your own security platform. For all the rest, please keep reading . . .

In this post I will cover some of the challenges involved in building a cloud security platform like Threat Stack. My goal is to give you a clear idea of what is involved and the complexity, so you can make a decision about building or buying that is meaningful from both an engineering and a business perspective.

Spoiler alert: In my view, the right choice for most companies is not to build their own security. Most should strive to become Secure Companies so they can get on with their core business.

To Predict Cloud Security’s Future, We Must First Understand Its Past

The conversations about cloud security are changing rapidly. A few years ago, companies were hesitant to even talk about moving to the cloud because of all the unknowns — specifically in regard to security. Cloud service providers like Amazon, Google, and Microsoft have made bold commitments to security, so today the conversation is shifting from how secure the cloud itself is, to how individual companies can better secure their data and systems.

On Tuesday, January 17, Threat Stack’s Director of Products, Vikram Varakantam, and OneLogin’s CISO, Alvaro Hoyos, hosted a webinar to discuss where they each see cloud security headed in the coming year.

Why You Can’t Wait Until a Security Person is Hired

Organizations wait to implement security solutions for a variety of reasons. One that we often hear is that they’re looking to land that cloud service security expert to help them make all the right product selections and correctly implement and maintain the solutions they choose.

This would be great in a perfect world: These organizations would make that hire, buy those products, and start improving security.

Unfortunately there’s a big gap between the ideal world and the one we actually operate in.