What Enterprise Security Can Learn From Silicon Valley

Most enterprises do not build software or operate infrastructure the same way Netflix does. But there’s a lot to learn from the Silicon Valley world that an enterprise can aspire to as policy to improve security posture.  Forward-thinking CIOs should work with the security function of an organization to adopt technology and practices that will empower defense.  Here are some examples:

Embrace configuration management (CM) to manage your infrastructure.

Treating “infrastructure as code” means now your technical security controls become documented code.  The benefits to this are many, but from a security perspective you can’t argue with rapid deployment of security protections and ability to build tools to analyze security state.

In a world without CM, the following things become much harder:

Can you accurately assess state of technical security controls and perform gap analysis?

  • A ticketing system where a user requests a port open on a firewall is not sufficient ‘documentation.’  What firewall rules are ‘really’ in place?  How do you analyze gaps?

Can you rapidly deploy a new protection or detection mechanism in response to an upcoming threat?

  • E.g., you want to deploy a new snort rule, or kill C&C malware on a box

Can you rapidly track and modify user access in your network?

  • Developers and system administrators have high levels of access to infrastructure and data.  If someone’s fired, or credentials compromised, can you remove access in minutes?

It’s true that CM systems have the potential be an attractive target for an attacker and abuse, but benefits outweigh the risk.

What you can’t manage, log + monitor excessively.

Begin with collection of logs and metrics then slowly start to instrument detection / response to threats that apply to your business.  Disk is cheap.  Be thoughtful about what you present to a security analyst for responsive actions; empower the security team to determine what is important enough to bubble up as as potential security event.

Don’t be afraid of ‘cloud’.

Not all cloud is equal.  Infrastructure as a service (IaaS) gives you a good balance of control over security, isolation, speed, and flexibility.    Adopting SaaS services, due to opaqueness of security measures, can mean more potential risk, so think carefully about the classes of data you are trusting to third-parties.

Empower your security team via automation.

Humans are good at pattern matching and strategic decision making; machines are not.  Machines are good at rapidly executing well-defined tasks — humans perform these tasks much more slowly.  Use automation strategically to keep your human capital focused on security problems machines are bad at.

Why are your security analysts manually submitting samples to Virustotal?

Integrate development capability into your security team.  Identify discrete, repetitive tasks that are taking a lot of time, and build tools to automate them.

Make secure coding the easiest thing to do, by default.

To address common AppSec problems, integrate security into your dev teams. Build small teams of security-oriented developers with lightning focus on building APIs and tools that make it harder for developers to ‘screw up’ application security for common patterns.

  • Are you worried about segmenting access control for sensitive data in your applications?  Could a developer accidentally ‘expose’ multi tenant data and break the ACL model? Build a unified interface to the data (e.g. a security ORM or API) that developers interface with.
  • Are you worried devs are messing up crypto?  Build standard libraries that abstract away intricacies of OpenSSL for your crypto use cases.
  • Are you worried about web devs making basic mistakes? Build APIs and libraries for the platforms you use that build in protections against XSS, XSRF, etc.

Embrace “service-oriented” security.

Build internal security ‘PaaS’ functionality to standardize on applications and processes for security-sensitive use cases.  Provide well documented, API driven security services.

  • Department X building an internal app that requires PKI?  Is there any reason why department X’s IT team is building and managing their own CA server?