As the security industry finally leaves Las Vegas after a full week of Black Hat, Defcon, and Bsides, we wanted to set aside some time to take stock and think about all the trainings, presentations, research, and conversations during our week in the desert. One of the overarching takeaways that was cemented by Dino Dai Zovi’s keynote is the critical need for security to become embedded in our culture.
Black Hat was just the latest conference keynote to focus on the need to embrace security at the most basic level of culture and software development. The same theme was highlighted at AWS re:Inforce in June and at the Gartner Security and Risk Management Summit. With the industry seeming to agree on the need for security to become ingrained in our culture, it’s time to focus on the “how.”
At Threat Stack, we believe this transformation — a basic shift in the way security is being embraced by organizations and in the way it’s “being done” — is well under way and is positively impacting every aspect of cloud security in terms of what we do, how we do it, and the end-to-end value stream we help to create.
The New Nature of Cloud Risk
The cloud has had a profound impact on our personal, social, and business lives for the past couple of decades, and this will only grow since public cloud adoption is continuing at a significant rate.
As cloud adoption continues to grow, the nature of risk is evolving. As we’ve seen, cybercriminals are becoming more adept at leveraging public cloud infrastructure to launch sophisticated attacks (we have written up an example of a sophisticated cloud attack elsewhere), and we’re becoming increasingly reliant on the cloud for mission-critical applications and the storage of sensitive information.
The challenge, then, is to replace the old perimeter-based, reactive security approach, which is limited in scope, functionality, and effectiveness, with a proactive security posture. This new approach integrates security observability throughout the entire tech stack and the end-to-end SDLC, supporting Dev and Ops processes and the alignment of shared business goals. The result is a collaborative, coordinated, comprehensive mindset and practice that ensures the right people are observing the right things at the right time and taking the right actions to identify threats and mitigate risk in real time. Making the transition from obstacle to enabler allows security to be felt throughout all parts of an organization in a way that contributes to the end-to-end value stream.
The New Culture of Cybersecurity
While it’s difficult to do justice to Dai Zovi’s presentation in a couple of paragraphs, he outlined three principles that, taken together, can bring about security transformation.
1. Work Backward From the Job
This involves identifying the actual job that Dev or Ops (or whoever) is trying to do, and finding out how Security can align itself with it. It involves listening, cooperation, and integration, and as such it makes security an enabler that can collaborate with other groups on the achievement of shared goals. This mindset is diametrically opposed to the old way, where the introduction of security could create friction that caused people to devalue security, reject it altogether, or develop shadow-ops workarounds.
2. Seek and Apply Leverage
Dai Zovi’s next principle directly addresses two powerful techniques for making security work:
- Leveraging Automation: In a world where security talent is scarce and where rapid delivery and release are priority #1, leveraging automation builds in speed, standardization, and the ability to scale securely.
- Leveraging Feedback Loops: Using feedback loops proactively builds in observability and enables continuous, incremental improvements. According to Dai Zovi, reliability is important, but without observability, its value is greatly diminished. Securing your environments without continuous monitoring is counterintuitive and counterproductive.
3. Understand That Culture > Strategy > Tactics
Dai Zovi’s third principle emphasizes that “Culture is way more powerful than strategy, which is way more powerful than tactics.” If organizations get the culture part right, productive strategies and tactics will almost naturally follow suit.
Dai Zovi advocates for a culture where security is pervasive and is distributed throughout the organization. This way risk and responsibility are owned by everyone in the organization and are not just the purview of security. If you give your people responsibility, you empower them to make a full commitment to security and quality. You’re also taking advantage of a major opportunity to create teamwork among everyone in the organization and to create a reality where everyone is working towards shared goals.
The New Security Principles in Action: Trash Taxi
As we mentioned, Threat Stack is a huge proponent of the new security principles discussed in Dai Zovi’s keynote and has been at the forefront of putting them into action. One real-world example of how we embrace the idea of security as an enabler rather than a roadblock was on display at Black Hat when Patrick Cable, Threat Stack’s Director of Platform Security, demoed Trash Taxi, an open source tool that enables developers to do their job efficiently while maintaining a proactive security posture.
In short, Trash Taxi is a lifecycle management tool that helps reduce configuration drift by terminating servers when arbitrary manual commands have been executed on them. It’s a way to balance an organization’s need to allow some amount of unrestricted access to a machine, while ensuring that the machine is terminated at a later time. Developers get the information they need, Operations can share responsibility, and Security can sleep (slightly more) soundly at night.
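To make the lifecycle policy concrete, here is an added illustration (not Trash Taxi’s own code, and not the project’s log format) that applies the same idea to a constructed shell-command audit feed: any command run by a human rather than by an assumed configuration-management identity marks the host as drifted, and the host is scheduled for termination after an assumed 24-hour grace period.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample audit feed: one shell command per line (not real Trash Taxi data).
SAMPLE_LOG = """\
2019-08-09T10:00:00Z host=web-01 user=ansible cmd=apt-get install -y nginx
2019-08-09T10:05:00Z host=web-02 user=ansible cmd=apt-get install -y nginx
2019-08-09T11:30:00Z host=web-02 user=alice cmd=vim /etc/nginx/nginx.conf
2019-08-09T11:31:00Z host=web-02 user=alice cmd=systemctl restart nginx
2019-08-09T12:00:00Z host=db-01 user=chef-client cmd=mysql_upgrade
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")
AUTOMATION_USERS = {"ansible", "chef-client"}  # assumed config-management identities
GRACE_PERIOD = timedelta(hours=24)             # assumed: terminate one day after first drift

def parse_ts(text):
    """Parse a UTC timestamp such as 2019-08-09T10:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    return parse_ts(m["ts"]), m["host"], m["user"], m["cmd"]

def find_drifted_hosts(log_text):
    """Return {host: (time, user, cmd)} of the first manual command seen on each host."""
    drifted = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = parse_line(line)
        # Automation is expected; only the first human command matters for scheduling.
        if user in AUTOMATION_USERS or host in drifted:
            continue
        drifted[host] = (ts, user, cmd)
    return drifted

def termination_schedule(log_text, grace=GRACE_PERIOD):
    """Map each drifted host to the UTC time at which it should be terminated."""
    return {host: ts + grace for host, (ts, _, _) in find_drifted_hosts(log_text).items()}

def due_for_termination(log_text, now_iso, grace=GRACE_PERIOD):
    """Sorted list of hosts whose grace period has elapsed as of now_iso."""
    now = parse_ts(now_iso)
    return sorted(h for h, when in termination_schedule(log_text, grace).items() if when <= now)

if __name__ == "__main__":
    for host, (ts, user, cmd) in find_drifted_hosts(SAMPLE_LOG).items():
        print(f"{host}: first manual command by {user} at {ts:%H:%M}Z: {cmd}")
    print("due now:", due_for_termination(SAMPLE_LOG, "2019-08-10T12:00:00Z"))
```

Running it reports web-02 as drifted (web-01 and db-01 saw only automation) and lists it as due once the grace period has passed.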
Making the Transition
According to Dai Zovi, we’re at a transition point in security. On the one hand, there’s the status quo — which has already proven to be of limited value. For those who want to invest in enhanced security and bring significant additional value to the organization, however, there’s an opportunity to become a high-functioning, secure organization by embracing this new cultural shift that’s already making waves in the industry.