How to Stay Secure on Slack

If you’re already on the Slack bandwagon, then you have probably experienced first-hand how it can make communications between teams far simpler and more streamlined. With 1.7 million daily active users, it’s clear Slack has come to dominate the team chat world, especially in tech and tech-savvy industries.

From a security perspective, Slack has done a solid job of keeping its assets on lock. In 2016, they scored Geoff Belknap from Palantir to become chief security officer. And they have been pretty transparent about their approach to security. They have dedicated a whole section of their website to it and published interviews with Belknap and others that delve into Slack’s precautions and philosophy around security. Belknap says, “My job is to worry. Professionally. So that our customers don’t have to.” We love that attitude!

The company has also gone to the trouble of certifying many of its products to meet stringent compliance regulations like FINRA, HIPAA, and SOC 2 and 3, which makes it a no-brainer for small teams and enterprises alike.

So, we feel that it’s perfectly possible for companies of all shapes and sizes to lean on Slack for team chat and ops without worrying too much about security. But, we also believe in the shared responsibility model when it comes to any form of online security. No one’s perfect, and Slack’s ubiquity and popularity mean that it will always be a target for cybercriminals looking to steal information.

There’s no need to run scared, but you do need to be smart about how you use this valuable tool. Here are our tips for running Slack securely at your organization.

Don’t Make Perfect Security the Enemy of Good Security

We’ve written before about what it means to meet compliance standards without going completely overboard. Today, we want to talk about how that applies to cloud security as well. Some teams mistakenly believe that their security posture needs to be absolutely perfect. That’s not only overwhelming — it’s impossible.

More to the point, the reality of today’s security landscape is that cybercriminals are always looking for the path of least resistance. If company A has reasonably good security safeguards in place and company B does not, criminals aren’t going to waste resources poking at company A until they find a weakness. They’ll go after company B.

This is why we tell organizations that, when it comes to security, perfect can often be the enemy of good. Rather than trying to make your organization perfectly airtight, it’s time to focus on making your company as unappealing an attack target as possible. Here’s how.

How to Talk to Your Prospects About Cloud Security

Security can be a huge sales and business enabler, as I’ve mentioned before. If your company and its prospective customers are in a regulated industry — and even if they’re not — you can bet they’re going to ask about your security posture during the sales process. For a number of reasons (including the many high-profile security breaches over the last few years), sales prospects are more aware of risks to their data than ever before. Naturally, they are upping the security requirements for doing business with vendors and partners alike.

This means it’s more important than ever that your sales team understands how to talk to prospects about security. In this post, we’ll outline a number of ways that businesses can do this and do it well.

How to Use Ops Tools for Security and Security Tools for Ops

Investing in SecOps doesn’t just mean hiring folks who know how to blend together software development, IT operations, and security skillsets. It also doesn’t just mean telling your DevOps team to run secure or scolding your security team into moving fast enough to keep up with continuous deployment.

Truly committing to SecOps means investing in tools that can do double (or triple) duty — helping you not only release code continuously but ensure that everything from your back-end infrastructure to your customer-facing applications is 100% secure. It means investing in tools that make meeting both DevOps and security best practices simple and straightforward.

As DevOps expands to include more security functions and security evolves to be more agile, it’s never been more important (or economical) to be able to use operational tools for security and security tools for operations. DevOps teams want software that can integrate critical functions of security, like alerting, directly into their current processes. Security teams want tools that let them seamlessly interact with DevOps.

Here’s what that should look like.

How Securely Configured is Your AWS Environment?

This post offers valuable tips on how to easily assess how well your AWS environment is configured using Configuration Auditing. So, let’s get started…

What is a Cloud Security Baseline?

The phrase is bandied about a lot, so let’s get to it: What is a security baseline?

One of the problems that many organizations run into, especially when they are starting out in cloud security, is not knowing where to start and not having specific data to help them define and improve the status of their cloud security.

That’s where a baseline proves critical. CERN Computer Security defines a security baseline as “a set of basic security objectives which must be met by any given service or system.”

If you put this in the context of cloud security, a baseline will show you how closely a snapshot of your current cloud environment conforms to industry best practices and benchmarks.

This sounds a bit academic, so let’s get down to specifics by taking a look at Threat Stack Audit — the new product we are offering to help you establish and maintain a baseline.

FFIEC Guidance: A Cloud Security Perspective

As reported in a recent post on our blog, banks are rapidly moving to the cloud. Another recent post discussed how banks can make this move securely. If you are a financial institution looking to make the move to the cloud, this post can help you meet the information security program management requirements of the FFIEC Information Technology Examination Handbook published in September 2016 (“the Handbook”).


W-2 Phishing Scams: What You Need to Know to Stay Secure

The IRS recently issued a warning that W-2 phishing scams are on the rise. In fact, 29,000 victims have already been claimed in 2017 to date! The attacks this year have started earlier than in previous years and are targeting a broader range of businesses. It’s time we learned how to better protect ourselves against this rampant form of fraud.

Ignore the Splashy Headlines: Why Security Should Look Inward, Not Out

It’s easy to get distracted by splashy headlines about breaches at corporations with household names. And of course state-sponsored, targeted cyberattacks are sexier than your average phishing scam. But just because a particular threat is newsworthy doesn’t mean it’s the right thing to spend your organization’s valuable resources protecting against.

The reasons for this may not be completely obvious, so let’s take a moment to understand why looking outward at newsworthy security attacks can actually hurt your company’s security posture. Then we’ll explain why an inward-facing approach is more effective.

Threat Stack Blog Series: Starting Your Cloud Security Journey

More and more companies are migrating to the cloud — and for good reason considering the many benefits such as speed, flexibility, and reduced costs.

One of the key questions that always comes up in this transition centers on cloud security. Not so much in the form of “Is the cloud secure?” but more in terms of “What is your company doing to make sure its infrastructure is secure?”

In the best scenario, companies include a cloud security service in their business plan on day one. In the worst case, they limp along for years without a strategically planned, comprehensive security roadmap that will provide real protection for their IP, data, systems, customers, and reputation.

In both cases, these organizations have one thing in common: Regardless of how long they’ve been in business, they are at an early stage of cloud security maturity. They are just starting out on their cloud security journey.

And that’s where we can help.

Threat Stack’s New Packaging for Your Cloud Security Journey

Security maturity in the cloud is an important topic lately, from evolving security with existing DevOps practices, to automating security across your infrastructure, to getting the information you need to piece together what occurred when there is a security incident.

And at the same time, many organizations just don’t know where to start.