
How to Cut Time-to-Security-Incident-Detection on AWS

Time-to-detection is everything these days. If you don’t find a breach yourself, chances are someone else will. A recent study points out that up to 27% of breaches are discovered by third parties. This includes vendors or partners you work with, auditors, and probably most damaging of all — your customers.

The problem most companies are grappling with today is how to cut time-to-detection to ensure that they are the first ones to know about an issue, and in a way that won’t put a resource drain on the team. Last Thursday, Chris Gervais, Threat Stack’s VP of engineering, sat down with George Vauter, a senior software security engineer for Genesys, Jarrod Sexton, the lead information security manager for Genesys, and Scott Ward, the solutions architect at Amazon Web Services (AWS), to have a frank discussion about this in a webinar format.

Genesys is a leader in omnichannel customer experience and customer engagement software, with both on-premise and cloud-based offerings. PureCloud, their cloud-native microservice platform, is run on AWS, so the team has extensive experience launching and scaling in the cloud, as well as building a “secure-by-design” platform.

In our conversation, Genesys outlined several important steps that all companies should be implementing to reduce their time-to-detection, which we wanted to further highlight in today’s post.

You can listen to our full webinar with Genesys and AWS and read our recap below.

1. Create a Single Pipeline for Deployment

One of the main draws of operating in the cloud is that it’s much easier to deploy applications and services. No more drawn out development or deployment schedules. But with more tasks running in parallel in the cloud, Genesys needed a way to ensure that security would not fall behind. They did this by developing a single pipeline for deployment.

During the webinar, George and Jarrod walked us through their entire process, which looks like this:

[Diagram: the Genesys deployment pipeline, with the security steps highlighted in yellow boxes]

By creating a seamless flow of activities from one team and function to another using AWS and other integrated services, they were able to easily bake in security at every step, as depicted in yellow boxes in the above diagram. As you can see, they installed Threat Stack at the host level to give them deep access to all activities happening across their AWS environment. Threat Stack also automatically monitors and alerts on configurations and other issues before anything is deployed to production.

In this way, they’re always the first to know about an issue. That keeps them out of that 27% statistic, and ahead of the game when it comes to security.

2. Think Like an Attacker

Many people on the Genesys security team have a background in pen testing, but their advice during the webinar is applicable to anyone in security, pen tester or not: You always need to be thinking like an attacker.

Where are the potential vulnerabilities?

Where does the most important data live, and how could it potentially be breached?

Are there any high-value targets on the team who could be breached, and are they well prepared to identify a potential attack?

By taking a step back and looking at your infrastructure from the outside-in, you can begin to see where attackers may find a way in and address those weak spots before a malicious actor does.

3. Centralize Security Events

When alerts are coming in from multiple systems, it can be difficult to piece them together and determine whether there is real malicious activity at hand. The Genesys team quickly realized that in order to cut down on time-to-detection, they had to funnel all their security events into one place where they can be viewed, managed, and responded to automatically.

They invested some time in developing their own web app to do just this, but there are many solutions out there today that can also do this for you. Now, all of their security events, whether they came from Threat Stack, AWS, or other scripts they have written, are managed from a single dashboard. The investment they made to build this solution was well worth it in their opinion, because it has reduced the need for security engineers to toggle between systems and correlate inbound security alerts. Instead, they can focus on non-trivial tasks like web app pen testing and conducting deeper forensics.
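The centralization step described above, as an added example that is not Genesys' or Threat Stack's code: a small Python normalizer that maps events from three constructed source formats (a host agent, CloudTrail-style records, a home-grown script) onto one schema, then groups same-host events that fall within a time window into a single incident, so an analyst sees one correlated entry instead of toggling between systems. The field names, severities and sample events are assumptions made for illustration.

```python
# Added example (not Genesys' or Threat Stack's code). The three input formats
# below ("hids", "cloudtrail", "script") are constructed for illustration only.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per hypothetical source, all timestamped in UTC.
RAW_EVENTS = [
    {"source": "hids", "ts": "2018-05-01T10:00:05Z", "host": "web-01",
     "rule": "new user added", "severity": 2},
    {"source": "cloudtrail", "eventTime": "2018-05-01T10:01:30Z", "instance": "web-01",
     "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"userName": "deploy"}},
    {"source": "script", "when": "2018-05-01T12:00:00Z", "node": "db-02",
     "msg": "config drift detected", "level": 1},
]

# One adapter per source: pull out (timestamp, host, summary, severity 1-3).
ADAPTERS = {
    "hids": lambda e: (e["ts"], e["host"], e["rule"], e["severity"]),
    "cloudtrail": lambda e: (e["eventTime"], e["instance"],
                             f"{e['eventName']} by {e['userIdentity'].get('userName', '?')}", 2),
    "script": lambda e: (e["when"], e["node"], e["msg"], e["level"]),
}

def normalize(ev):
    """Map a source-specific event onto the common schema used by the dashboard."""
    ts, host, summary, severity = ADAPTERS[ev["source"]](ev)  # KeyError on unknown source
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "summary": summary, "severity": severity, "source": ev["source"]}

def correlate(events, window=timedelta(minutes=5)):
    """Group same-host events that fall within `window` of the previous one into incidents."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    incidents = []
    for host, evs in by_host.items():
        group = [evs[0]]
        for ev in evs[1:]:
            if ev["ts"] - group[-1]["ts"] > window:  # gap too large: close the incident
                incidents.append(summarize(host, group))
                group = []
            group.append(ev)
        incidents.append(summarize(host, group))
    return sorted(incidents, key=lambda i: -i["severity"])  # most severe first

def summarize(host, group):
    """Collapse a group of related events into one incident record."""
    return {"host": host, "count": len(group), "severity": max(e["severity"] for e in group),
            "sources": sorted({e["source"] for e in group})}

INCIDENTS = correlate([normalize(e) for e in RAW_EVENTS])
```

With the sample input, the host agent alert and the CloudTrail change on web-01 collapse into one incident while the unrelated db-02 drift stays separate.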

4. Get Organizational Buy-In

Oftentimes, security is looked at as a cost of business, or a black box that nobody really understands outside of the security team. The Genesys security team wanted to challenge that notion by increasing awareness about security throughout the business. They’re already quite active in the sales cycle, speaking with prospects about security in order to close a deal. But it was also important that the executive team saw the value in what they were doing.

George and Jarrod demonstrated their process to management — everything from what kinds of alerts come in to how they see them and respond. This way, it was clear what the team is doing day-in and day-out and how they’re leveraging technology to catch issues fast, and often automatically.

5. Be Secure by Design

Security should never be an afterthought, nor should it fall behind in favor of rapid development and deployment schedules. To say you’re truly a secure organization, you need to have security built into every layer and function of the business. From monitoring file activity and user activity, to automatically patching vulnerabilities and scanning configurations, security is ingrained within the Genesys infrastructure.

By deploying Threat Stack at the host layer (depicted in the diagram above), all of this is done automatically. With out-of-the-box rulesets, real-time vulnerability monitoring, threat intelligence correlation, and more, Genesys was able to become secure by design without the extra legwork. We’ve seen time and again companies go from 4 hours to 4 minutes in terms of detection and knowledge about a security event, Genesys included. That alone can drive massive cuts in time-to-detection and enables security to truly be scalable. Not only that, but because Threat Stack correlates all cloud and non-cloud security activities into a single platform, companies like Genesys are armed with the intel they need to respond immediately — not hours or days later.

Securing the Unknown

In the cloud, new threats crop up almost daily. Especially for a company like Genesys with over 10,000 customers across 100 countries, the threat landscape is far and wide. By consolidating and automating their development, operations, and security functions, they were able to get a handle on all activity, cut time-to-detection by an impressive amount, and say with confidence that they are a secure company.

By leveraging the Threat Stack platform, they can spot both known and unknown threats without needing to fine tune any rules or alerts. Threat Stack is built to detect anomalous activity anywhere within their environment, correlate it with other activities, and surface real issues that they can respond to immediately with full information.

We’d like to thank Genesys and AWS for contributing to such an important conversation today, and we’re honored to power a big part of Genesys’ security organization.

Final Words . . .

If you’d like to learn more about Threat Stack’s intrusion detection platform (IDP), click here to arrange a demo.