Five OpSec Best Practices to Live By

Often when we talk about security, we focus on the mechanics of how to keep technical infrastructure safe. It can be easy to forget that operational security is just as important. When done right, strong OpSec practices will keep your business safe from leaked information, competitive disadvantage, and even public embarrassment.

Without good OpSec, your business may be vulnerable to information theft via an attack surface that has little or nothing to do with computers. With that said, here’s what you need to know about OpSec today.


73% of Companies Have Critical AWS Security Misconfigurations

Threat Stack Delivers Wake-Up Call

Wide open SSH and infrequent software updates among top risks identified in the majority of cloud-based environments

How effective are your AWS security configurations? And how do you know for sure?

In a recent eye-opening study, Threat Stack found that 73% of companies have at least one critical security misconfiguration, such as remote SSH open to the entire internet. By “critical”, we mean configuration lapses that enable an attacker to gain access directly to private services or the AWS console, or that could be used to mask criminal activity from monitoring technologies.

If we caught your attention with that opening statistic, please read on.

5 Things All Security Teams Should Be Doing (But Many Aren’t)

Security teams are expected to do a lot these days. From properly configuring the cloud environment, to protecting the organization from today’s latest threats, to answering tough questions from the board and customers, there’s more than enough to be done, but how do you know you’re doing the right things?

In this post, we’ll dive into the five biggest areas of security that all teams should be paying attention to. Addressing these will protect you from a large majority of security threats today, and will also create a solid security foundation that you can incrementally build on as your organization grows and your needs become more complex.

Why You Should Think of Security as a Skill, Not Just a Role

A common mistake that we see organizations make is putting off security until they hire someone who specializes in it. Depending on the size of your company and the nature of your business, this could mean waiting several years to start taking security seriously. In today’s threat environment, that’s not realistic or practical. And, even when you decide you’re ready to bring someone in-house to focus on security — given the current security talent shortage — odds are it could take a while to find the right hire.

This is why we believe that organizations should start thinking about security as a competency, rather than simply a job description. You don’t need to have a CISO or a SOC or even a security analyst on your team before you can start taking steps to improve your security posture. The potential consequences of a breach (financial loss, reputation damage, downtime, or IP loss, to name a few) are too serious to ignore.

With that in mind, here’s how to start viewing security as a skill and how to boost that skill across your organization.

The 5 Questions Your Security Team Should Be Able to Answer

In a time when security consciousness is high and stories about security breaches are all too frequently in the headlines, your security team needs to be ready for questions it’s bound to receive from customers, auditors, employees, board members, and other affected parties.

We’ve covered a lot of topics in this blog, including cloud security strategies, basic security hygiene, best practices, and how to mature your security posture. But to make it easy for your security team, we’re going to use this post to address five fundamental questions that any security team must be able to answer and give tips on how you can prepare to answer them.

Resources for DevOps Pros to Learn About Security

These days, security should be part of everyone’s job. This is especially true for DevOps teams, which are responsible for developing, delivering, and maintaining critical applications for many organizations, and must therefore prioritize security as part of their role. But the world of security can seem like a bit of a mystery until you’ve been exposed to it.

If you or someone on your team is looking to learn more about what it takes to run a secure organization today, we have provided a list of resources below, from conferences to reference books to Twitter handles, that are worth checking out.

How to Stay Secure at Conferences

Conferences can be an amazing way to connect with like-minded folks and educate yourself on what’s new and trending in your industry. At Threat Stack, we regularly attend and speak at conferences like BSides and DevOpsDays, and it’s been exciting to see a bigger focus on security topics in the DevOps world in recent years. Since we attend so many conferences ourselves, we wanted to offer some helpful advice on how you can keep your devices secure while you’re attending conferences.

The Three Pillars of Continuous Security Improvement

Security should never be a one-and-done proposition: It requires a continuous improvement mindset to keep you on top of security initiatives and to accommodate new issues as you detect them. Once your security program is up and running, you need to measure, evaluate, and modify it on an ongoing basis to maintain or improve your results. This doesn’t necessarily require a ton of time and effort; it simply requires a strategy.

So today, we want to take a look at what it takes to build an effective security program with continuous improvement at its core. In our view, there are three key pillars to continuous security improvement, and if you have been following along with our Starting Your Cloud Security Journey blog post series, then you’ll be well-acquainted with these concepts.

How to Implement a Security Awareness Program at Your Organization

Security isn’t just a technical problem. It’s also a people problem, and keeping the people side of the security equation strong requires that all people in your organization have an awareness of security. This is why security awareness programs are so important.

The goal of a security awareness program — as you may have guessed — is to increase organizational understanding and practical implementation of security best practices. A program like this should apply to all hires — new and old, across every department — and it should be reinforced on a regular basis.

Here’s what you need to know to create a first-class security awareness program at your organization.

Ask Us Anything: Recap on How to Get Started With DevOpsSec

You’re probably familiar with DevOps by now. It’s the practice of Development and Operations teams collaborating through shared tools and processes to get things done more efficiently. Now, Security is being brought into the fold, and this is called DevOpsSec.

Since DevOpsSec is a much newer term and development practice, we wanted to take the opportunity to discuss how companies can get started with many of its foundational elements. There are no two people better equipped to talk about it than Threat Stack’s own Head of Operations, Pete Cheslock, and CTO, Sam Bisbee.

Rather than walking you through a polished slide deck, Pete and Sam wanted to open up the discussion in an AMA (Ask Me Anything) format. We fielded questions from Twitter, LinkedIn, Facebook, as well as email and received hundreds of submissions. On Tuesday, March 14, in the middle of a blizzard here in Boston, they sat down for an hour to answer many of these questions live.