Note: For a recap of Day 2, please take a look at AWS re:Inforce Recap: A Look Back at the First AWS Security Show.
Day 1 of AWS re:Inforce 2019 — the first-ever AWS conference dedicated entirely to security — has wound down, and Day 2 is already underway, but we wanted to provide a quick recap for those of you who couldn’t make it to the show or were too busy to get the big picture. Here are a few of the high-level takeaways from the Threat Stack Team on the ground at re:Inforce 2019.
While re:Inforce was obviously a much smaller show than what we’ve come to expect from re:Invent, it was large in its own right with a reported 10,000 people in attendance, and it seemed like most of them turned out for AWS VP and CISO Steve Schmidt’s keynote.
The overarching trend of the keynote was the need for security to become an integral part of each and every aspect of your company. Starting from the culture and working its way down, security needs to be baked into the entirety of your development and operations. This was music to the Threat Stack Team’s ears as we are big proponents of extending security throughout the full tech stack and across the entire software development lifecycle.
With that as a kickstart, some of the dominant trends we noticed throughout Day 1 were:
The Need for a Culture of Security
In plain terms, organizations need to embrace a realistic and holistic approach towards security responsibilities and coverage. Simply put, they need to:
- Become realistic and honest by removing FUD (Fear, Uncertainty, and Doubt) from their thinking and practices.
- Develop repeatable best practices for all factors — both human and technical — to leverage their resources proactively with optimal effectiveness.
- Apply security to all people and make it Job #1 in order to eliminate blind spots in security systems and processes.
The Need for Security Automation Across the SDLC
As Schmidt pointed out, “The goal is not to insert security into certain parts of the lifecycle.” Security needs to be embedded everywhere using a multi-layered approach throughout the tech stack and across workloads — and it must span the SDLC from end to end. In other words, it needs to be driven by a comprehensive approach that’s built on full stack security observability, encompassing both build-time and runtime environments. To quote Schmidt again: “DevSecOps just has to be the way Ops happens.”
Regardless of whether you’re a startup, an emerging company, or an enterprise, and regardless of the precise nature of your security and compliance requirements, all organizations seem to share a common underlying need for a cloud-native solution that’s built on a comprehensive, highly automated platform that has a well-developed customer- and partner-facing API strategy. Whatever the specific features of such a platform, it is likely to go a long way toward addressing everyone’s technical, operational, and business needs, and it’s also likely to go a long way toward helping them deal with the growing, global cybersecurity talent shortage.
The Need to Augment With Professional Services & Expertise
Given the pervasive talent shortage and tight budgets — along with the realization that successful organizations maintain a hyper-focus on their core competencies — many providers are offering professional services. Organizations are increasingly leveraging these services to access the deep security expertise that’s so difficult to find and expensive to hire, and thereby to acquire the continuous coverage and insights they need to proactively identify security risks and maintain real-time threat detection.
Cutting Through the Hype
One thing we heard again and again on the show floor was that most cloud security vendors are sounding very similar, and it’s difficult for show attendees to cut through the marketing hype. As you’re walking the floor today, ask questions that are relevant not just to your role, but to other stakeholders in your organization both to the right and left. It’s important to remember that while this is a security show, security needs to fit the entire business.
Ask the vendors about things like ChatOps integrations, support for improving your security posture over time, and the ability to support both runtime and build-time security. It’s easy for vendors to say they do cloud security — the key is to find the tools that fit your use case and help you avoid issues before they occur.
Quick-Hitting Observations
We’ve covered the big trends, but not all interesting takeaways end up being big trends. Here are some of the other fun observations from our team:
- Many people have commented on the marathon-level hours of the expo floor. But even with doors opening at 7 a.m., the crowds were steady throughout the day both on the expo floor and in breakout sessions.
- While the side-by-side speaking sessions with headphone audio were certainly a novel, space-saving concept, they gave off a certain “I, Robot” vibe on more than one occasion.
- While nearly everyone at the show understands the need for security, many were surprised by the physical security procedures in place at the entrance to the Boston Convention Center.
Updates From Threat Stack
The weeks leading up to AWS re:Inforce 2019 were busy here at Threat Stack with two major product announcements:
- First, we launched Threat Stack Application Security Monitoring, expanding on our vision for full stack security observability. With Application Security Monitoring built into the Threat Stack Cloud Security Platform® (at no additional cost), our customers have built-in protection against runtime attacks on applications, proactive application risk reduction, and eLearning capabilities designed to help developers learn how to reduce security risks in their code.
- We also announced a new Threat Stack Agent for Windows Servers. It’s a completely new agent implementation that aggregates security signals from native Windows subsystems, and runs its own proprietary driver for file integrity monitoring.
To learn more, drop by Booth 614 today to speak with our experts and see a live demo of the Threat Stack Cloud Security Platform and Threat Stack Application Security Monitoring Solution. If you couldn’t make it to Boston, feel free to reach out to the team or schedule a free demo.