Security by Design or by Accident

AWS Security, Security Research & Strategy
2 Min Read

Security has such a large number of subtopics that it’s sometimes difficult to define what the field looks like as a whole. It means something vastly different to a Security Engineer, a CISO, and a Developer. Realistically, at most companies, Security is the prevention of leaking customer data or exposing secrets. Usually this manifests as “let’s make sure only the logged-in user can view this information” or “make sure the password is stored securely.” These are important, but they don’t cover enough. Read more “Security by Design or by Accident”

Create a Security Risk Assessment for Containers in 5 Steps

Containers, Orchestration & Security, Security Research & Strategy
4 Min Read

When adopting containers, organizations need to create a risk profile for the types of threats and vulnerabilities they expect to experience. This type of analysis is especially important with containers, since the attack surface increases significantly, while the level of security visibility across hosts, containers, and the infrastructure control plane decreases.

For example, one of the most prominent attack scenarios in containers is the idea of blast radius. After the initial point of compromise, an attacker can escalate privileges quickly to gain control of other containers in the cluster. Since attackers are looking for the greatest returns for the least amount of effort, a vulnerable Kubernetes or Docker cluster may be a great place to strike quickly and do a lot of damage across a wide attack surface.

New, sophisticated attacks to cloud infrastructure emerge every day. But, if you follow the five steps outlined below to create a cybersecurity risk assessment, you can anticipate where your organization may be most vulnerable and strengthen your system’s security accordingly before an attacker gets the chance to strike. Read more “Create a Security Risk Assessment for Containers in 5 Steps”

45 Useful and Informative GDPR Presentations & Resources

All Things Compliance
15 Min Read

The months leading up to May 25, 2018 produced a steady barrage of articles urging organizations to get ready for the GDPR and warning about the consequences of failing to comply.

After May 25? . . . To be honest, not much. There are still lots of articles — “Tips For What Comes After,” “What to Watch For” — but no big stories. And therefore, it has been tempting to take a bit of a snooze.

But not so fast. Just because the headlines haven’t been filled with stories about violations and massive fines, that doesn’t mean you can sit back and do nothing if you’re operating within reach of the GDPR. The GDPR became fully enforceable on May 25, 2018, and fines for non-compliance can reach up to 20 million Euros or 4 percent of an organization’s annual global turnover for the preceding financial year, whichever is higher.

While it’s too early for these fines to have been imposed, it’s not too early to take another look at the GDPR and then strategically determine what you still need to do to ensure that your systems and processes are protecting your organization and your customers’ data.

Our advice? If you come under the GDPR — which is binding and applicable without the need for national governments to pass any enabling legislation — do your homework, shore up any deficiencies, and take whatever measures you need to become compliant or to maintain compliance.

And remember: While there are challenges to the GDPR, there are also opportunities, including the opportunity to create visibility and control over the data in your systems as well as the opportunity to build greater trust with your customers.

To help you out, we’ve put together this catalogue of 45 useful and informative resources that provide guidance on an extensive array of GDPR-related issues and topics. Read more “45 Useful and Informative GDPR Presentations & Resources”

Top Compliance Pain Points by Industry

All Things Compliance, Security Research & Strategy
4 Min Read

Whether you are adhering to mandatory regulations or voluntary cybersecurity frameworks, taking compliance seriously can be a huge boon to your organization. It can help you avoid costly penalties, signal to your customers that you’re serious about security, and improve your organization’s overall security maturity. Meeting compliance requirements can also help open your business up to new markets, whether you’re targeting specific industry verticals or going after international customers, and finally, it can speed up your sales process along the way.

But let’s be honest: Compliance can seem like a necessary evil. It’s time consuming and complex, and it can be a huge pain in the you-know-what. Just because the benefits outweigh the costs doesn’t make the process any less painful.

Certain frameworks make their pain felt across industries. GDPR, for example, applies to any organization doing business even nominally in Europe and requires notification of a breach within 72 hours. SOC 2 is a rigorous standard that applies to any company operating in the cloud, and one of the main challenges for Threat Stack in achieving SOC 2 compliance was eliminating the disconnect between our engineering team’s tickets and the code associated with those tickets.

Other compliance frameworks reserve their pain for specific industries, and those can feel especially burdensome. What are the main pain points by industry, and, more importantly, how can you mitigate them? We dig into the specifics below. Read more “Top Compliance Pain Points by Industry”

How a DevOps Recruiter Hires for Containers and Serverless

Containers, Orchestration & Security, Dev & DevOps Knowledge, Security Research & Strategy
5 Min Read

A Q&A With Michael Race, Head of DevOps, Salt Digital Recruitment

When it comes to hiring for DevOps, there’s much to consider, especially if you’re looking for someone to manage containers and serverless infrastructure. There’s no doubt that it’s a talent-driven market — DevOps professionals are in demand.

In this competitive environment, how do you make the right choice about who to hire? According to Michael Race, Head of DevOps at Salt Digital Recruitment, patience is a must. But even if you’ve got time on your side, you still want to make hires that prioritize security, can advocate for tools and methodology, and have experience creating DevOps environments.

We sat down with Michael recently to get his perspective on hiring for containers and serverless. Michael — who’s helped dozens of companies fill DevOps roles — shared his thoughts on where security fits in, what he likes to see in a candidate, as well as red flags that may crop up. Read more “How a DevOps Recruiter Hires for Containers and Serverless”

Magic for DevOps Teams — Threat Stack Announces Containerized Agent

Containers, Orchestration & Security, Dev & DevOps Knowledge, Security Research & Strategy
3 Min Read

Every day, malicious actors are taking more complex routes into cloud infrastructure and leveraging increasingly covert traits to persist for longer periods of time. As Dark Reading put it in a recent article, “Attackers are abusing the characteristics of cloud services to launch and hide their activity as they traverse target networks.” With the rapid adoption of containers and orchestration tools as part of that infrastructure, organizations are presented with yet another layer to protect from these complex attacks.

Containers bring many advantages to DevOps such as easier write-test-deploy cycles, flexibility to explore new frameworks, and a simpler way to make updates to individual resources or a range of components in your applications. As more teams move towards containerized workloads, DevOps teams expect the security tools they leverage to keep pace without slowing them down.

To ensure alignment with those expectations, Threat Stack is excited to announce a containerized agent that will be available to customers next month. The containerized agent will provide the deployment and velocity benefits of containerization while concurrently monitoring and alerting on container activity across the entire infrastructure, no matter where customers fall on the container adoption spectrum. Read more “Magic for DevOps Teams — Threat Stack Announces Containerized Agent”

Lessons in Resilience: A Conversation on Security at REdeploy 2018

Containers, Orchestration & Security, Dev & DevOps Knowledge, Security Research & Strategy
4 Min Read

I spent last week out in San Francisco at REdeploy to learn about Resilience Engineering and what it means to build solid, sustainable infrastructures, organizations, and teams. This was the first conference of its type, and it did not disappoint.

While there was an incredible lineup of speakers, the real value, in my opinion, came from the engagement and discussions that took place after the on-stage talks. Not only did the speakers and attendees mingle at every break, but the conference organizers also hosted a speaker panel at the end of each day where attendees could ask questions, and the speakers themselves could discuss some of the themes presented throughout the day. I eagerly took advantage and sat down with a few people to find out what Security means for Resilience Engineering. Read more “Lessons in Resilience: A Conversation on Security at REdeploy 2018”

Security Observability: Operationalizing Data in Complex, Distributed Systems

Dev & DevOps Knowledge, Security Research & Strategy
3 Min Read

It’s 2018 — companies are using multiple cloud providers, shifting to microservices, moving monoliths into containers, or maybe even moving to a serverless-style architecture. And while these are the trendy things to do right now, are they right for the business today? Will they be right or wrong for the business tomorrow? Is what we’re doing too complex if the Next Big Thing comes along and you want to leverage it without having to complete a major lift-and-shift?

Regardless of the direction your company is moving in, change is a great opportunity to evaluate your security practices and consider how you can add observability to your operations. Read more “Security Observability: Operationalizing Data in Complex, Distributed Systems”

What’s In Our SecOps Stack: 6 Top Integrations

Security Research & Strategy
3 Min Read

When it comes to creating a solid SecOps program, an organization must consider people, processes, and technology. It’s not one area that makes a secure program, but a combination of all three working together.

As good as our people are, however, they would not get far without systematic processes backed by powerful tools and integrations. Here at Threat Stack, we use the following tools to ensure that our organization is safe, secure, and operating effectively. Read more “What’s In Our SecOps Stack: 6 Top Integrations”

How to Find and Remediate Open Infrastructure Ports

AWS Security, Security Research & Strategy
3 Min Read

The evidence is clear — open infrastructure ports lead to security vulnerabilities. When AWS S3 buckets or SSH ports are left open, they can leave your organization at risk for security breaches.

For example, in July 2018, an open S3 bucket at a political autodial company, Robocent, exposed nearly 2,600 files relating to political campaigns. The leak included voter records containing sensitive information such as phone numbers, gender, and birth dates. The files were then indexed by GrayHatWarfare, which has a database of 48,623 open S3 buckets.

Leaks like Robocent’s highlight the need for organizations to maintain visibility into where data is located within their cloud infrastructure, as well as whether the storage system is risk-appropriate given the sensitivity of the information. It’s easy, but never acceptable, for a fast-growing or seasonal organization like this one to lose track of that risk over time.

It’s important to ensure that certain gateways into your infrastructure are password protected or are configured properly to prevent events like this from affecting your organization. That’s why, in this post, we’re highlighting how to find and remediate open infrastructure ports. Read more “How to Find and Remediate Open Infrastructure Ports”