How to Conduct a Blameless Security Post-Mortem

When someone in your company clicks on a bad link, it can spell bad news. But you know what’s worse? Them never telling you.

When employees are afraid to come forward about a mistake they’ve made (or think they’ve made), it makes security responders’ jobs that much more difficult.

Unfortunately, this kind of negative atmosphere is a reality at many companies. The good news is that the culture can be improved, and one way of doing this is by conducting blameless security post-mortems. I spoke about this in my DevOpsDays Austin talk in May 2015. Threat Stack partners VictorOps and PagerDuty have also written on the topic. You need your whole team to be security ambassadors (not roadblocks), and blameless security post-mortems can help enable this.

Below, we’ll explore what a blameless post-mortem is and how it applies to your future security incident response.


The 5 Ingredients of a Successful SecOps Implementation

Ask three people what SecOps is and chances are you’ll get three different descriptions:

  1. It’s a team
  2. It’s a job title
  3. It’s a methodology

All of these definitions are, in fact, correct. Smaller companies may implement a SecOps methodology where everyone is a security ambassador, whereas larger companies with more personnel can assemble an entire team and designate specific SecOps job titles.

Our team defines SecOps as “automating runtime security in your infrastructure in a way that aligns security and operations tasks.” The goals are to reduce risk, stabilize infrastructure, and improve operational efficiency. With operations and security teams dealing with rapidly transforming infrastructure (which likely includes some combination of containers, microservices, or serverless architecture) and a severe resource shortage, it’s tough to know where to begin building a mutually beneficial security program that considers security and operations priorities and goals.

To help get you started, here are five ingredients that must be part of any successful SecOps implementation.

Increasing Security Response Velocity

I recently added a Starz subscription to my Amazon Prime and found a new supply of science fiction movies. One of these, Deja Vu, is a time travel story from a decade ago; a weird mashup of the post-9/11 terror attack genre mixed with science fiction. In the film, a terror attack takes place in New Orleans and a small army of government men-in-black from various state and Federal agencies respond. Because the attack involved a ferry, the NTSB and FBI collaborate along with elements of the ATF, including a talented investigator played by Denzel Washington.


Will SecOps Finally Close the Security and Operations Gap? A Q&A with Pete Cheslock

At Threat Stack, we’ve been a SecOps-oriented team from day one. This means our developers, operations, and security practitioners all work together to make sure that every line of code we release is secure. It’s how we eat our own dogfood.

But we know that getting started with SecOps isn’t always easy, especially since little has been said so far about the practicalities of how security and operations can come together to enable SecOps.

Pete Cheslock, our Senior Director of Operations and Support, has been on the frontlines of SecOps for much of his career, so we decided to spend some time quizzing him about the practical aspects of getting a SecOps program started.

IoT Botnets and DDoS: A New Reality With New Responsibilities

Last Friday, multiple massive distributed denial of service (DDoS) attacks hit Dyn, an internet performance management company headquartered in New Hampshire. Dyn is a managed DNS provider to many of the large companies on the internet such as Twitter, Reddit, GitHub, Paypal, Spotify, Heroku, SoundCloud, Crunchbase, Netflix, Amazon, and others.

News surfaced over the following weekend that the Mirai IoT (internet of things) botnet was at least partially responsible for the attack, and according to Dyn, was generating traffic from “10s of millions of discrete IP addresses.”

Instead of rehashing details of how this could have occurred, we want to discuss botnet attacks as part of the new reality in our connected world, and as such, how device manufacturers and device users need to respond. We also want to take a look at the role that governments can or cannot play.


Five Lessons We Learned on Our Way to Centralized Authentication

In many startups, centralized authentication is a “future us” problem. Setting up centralized auth is useful for managing your network, but requires time, domain knowledge, and patience to get many of the technical solutions working. Compare this with the ease of user management via configuration management (CM) tools that your DevOps teams are already using — they work well enough (and, did we mention, are already in place?) — so it makes total sense that many organizations “punt” on this issue.


Better Security Through UX, Part 2: Visual Design and Emotion

In Part 1 of this series, I introduced the theme that good user experience (UX) design can actually promote better security overall, by fostering trust and encouraging people to use their security tools more often. We looked at how Threat Stack approaches this topic through the lens of onboarding, or first-time use. Now we’re going to see how this theme plays out in the overall aesthetics, and visual appeal, of the Threat Stack Cloud Security Platform™.


How to Create a Security-Minded DevOps Organization: Three Best Practices

You’re a week into your new job and a colleague shouts across the room before a big deployment: “Hey John, you’ve got security covered, right?” You rush over to your good friend Google for a few quick ideas on implementing security best practices in DevOps and timidly nod “yes” at your colleague.


Why All Employees Should Be Security Ambassadors — and How to Do It

A recent Motherboard article caught our eye and got us thinking about who is — and who should be — responsible for security in an organization. The article, titled “We Need to Change the Psychology of Security,” makes the argument that, by treating security as a specialization that belongs only to a few people in an organization (the security team), we are crippling our ability to successfully achieve security at scale.

The author, Adrian Sanabria, makes some excellent points. After reading the article, we wanted to share some actionable ways that organizations can go about deputizing their employees as security ambassadors.


DevOpsDays Chicago 2016: Dev, Ops, & the Role of Security

Last week I spent two great days at DevOpsDays Chicago. Usually, I attend conferences to listen to the talks, but in Chicago I was representing Threat Stack (one of the event’s Gold Sponsors), so my job was mostly listening to engineers discuss their organization’s security stance and requirements. I learned a lot from the conference — especially about the integration of Security into a DevOps world.
