It’s the end of the year — a classic time for reflection. So before we charge into 2017, let’s ask:
- What went well in the world of security this year?
- What are the areas for improvement?
- How can you stay ahead of the bad guys in 2017?
Cloud security in particular took some big leaps forward over the past year, but there is still a lot to learn and improve upon in the year ahead. So let’s take a look at where and how.
The Big Shift in Cloud Security: From Nice-to-Have to Must-Have
Just a few years ago, security was very much viewed as insurance — it was nice to have, but wasn’t at the top of the list until the need was right in your face (and by then it was often too late). But the tides changed fast over the past year, namely because:
- Security threats were permeating the landscape
- Companies were being forced to rethink security as they moved into the cloud
- Many companies were nervous about the cloud, and security became their safety net
Organizations large and small are being forced to fundamentally rethink how to protect their data in the cloud, especially amid threats like proposed encryption back doors, DROWN (a cross-protocol attack that uses a server's leftover SSLv2 support to decrypt its TLS sessions), and so on.
To protect data in the cloud, you need security built for the cloud, and more and more companies are turning to cloud security as their silver bullet. But there’s one hangup…
Hanging Onto Old Vices
Security is a must-have in the cloud, but it will only be effective if we can get out of our own way and let it do its job. Two areas in particular need to change:
1. Over-Reliance on Manual Tooling and Processes
One of the biggest problems companies have is knowing when to let go. Take user deprovisioning, for example. When someone leaves your company — willingly or not — you need to be sure they’re removed from all systems. If an ex-employee has bad intentions, and they discover that you forgot to remove them from a low-level server they were given access to years ago, that could be their easy way in to launch an attack and siphon data, steal money, or act on some other malicious motive. You can’t leave situations like this up to chance: insiders are a real and growing threat. (Also see Insider Threats: What You Need to Know and Do.)
Since it’s such a high-severity risk, many don’t want to leave user deprovisioning to the machines, but humans are not immune to error either. By automating user deprovisioning with cloud security, you can create an accurate, consistent, end-to-end process that will be followed every time to ensure that no task will fall through the cracks.
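Here is what one automated deprovisioning pass looks like in practice, as an added example rather than code from this post or from Threat Stack: it reconciles the HR system of record against the account list of every system and emits one action per account that should no longer exist, including the forgotten server. The roster, the system names and the account lists are constructed sample data, and the `disable` callable is a hypothetical hook standing in for each system's real user-management API.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data, not real people or systems. In practice the roster
# comes from your HR system and each account list from that system's API.
HR_ROSTER = {
    "alice": {"status": "active", "left": None},
    "bob":   {"status": "terminated", "left": date(2016, 11, 30)},
    "carol": {"status": "active", "left": None},
}

SYSTEM_ACCOUNTS = {
    "okta":            ["alice", "bob", "carol"],
    "github":          ["alice", "carol"],
    "legacy-build-01": ["alice", "bob", "dave"],  # the forgotten server: bob is still here
}


@dataclass(frozen=True)
class Action:
    system: str
    user: str
    reason: str


def plan_deprovisioning(roster, accounts, today):
    """Return one Action per account that should no longer exist.

    Two cases are caught on every system, every run:
      - HR says the user has left, but an account still exists
      - the account has no HR record at all (an orphan: a hand-made local
        account, an ex-contractor, a mistyped username)
    Walking every system in a fixed order is the whole point: a person
    working from memory checks the IdP and forgets the old build server.
    """
    actions = []
    for system in sorted(accounts):
        for user in sorted(accounts[system]):
            record = roster.get(user)
            if record is None:
                actions.append(Action(system, user, "no HR record (orphan account)"))
            elif record["status"] != "active":
                days = (today - record["left"]).days
                actions.append(Action(system, user, f"left {days} days ago, still has access"))
    return actions


def apply_plan(actions, disable, dry_run=True):
    """Execute the plan via disable(system, user); return what was (or would be) done.

    `disable` is a hypothetical hook wrapping each system's own API.
    dry_run=True lets a human review the list before anything changes.
    """
    done = []
    for action in actions:
        if not dry_run:
            disable(action.system, action.user)
        done.append((action.system, action.user))
    return done


def example_plan(today=date(2016, 12, 15)):
    """The plan for the constructed data as of a fixed date (used below)."""
    return plan_deprovisioning(HR_ROSTER, SYSTEM_ACCOUNTS, today)


if __name__ == "__main__":
    plan = example_plan()
    for a in plan:
        print(f"{a.system:16} {a.user:8} {a.reason}")
    apply_plan(plan, disable=lambda s, u: print(f"disabled {u} on {s}"), dry_run=False)
```

Run on the sample data, the plan flags bob on both Okta and the legacy build server and the orphan account dave; a manual process that only remembers the IdP would have caught one of the three.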
Consider alerting as another example where automation can increase speed, accuracy, and security. Many companies still require their security staff to manually dig through all alerts to determine whether there’s an issue or not. But your team could be receiving hundreds, thousands, or hundreds of thousands of alerts per day, and each could take an hour to review. There’s not enough staff in the world to do it! So by letting the machines automatically prioritize and triage alerts, you can not only accelerate incident detection and response, but significantly decrease human error and missed threats.
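The kind of prioritization described above, as an added example that is not code from this post or from any Threat Stack product: collapse identical alerts, score each group by rule severity, asset value, user privilege and volume, then split the result into what pages a human now and what gets reviewed in bulk. The alerts, score tables and threshold are constructed, illustrative values.

```python
from collections import defaultdict

# Constructed sample alerts (not output of any real product): the raw,
# un-deduplicated stream a rules engine might emit over a day.
ALERTS = (
    [{"rule": "failed_login", "host": "dev-box-07", "user": "jenkins"} for _ in range(200)]
    + [
        {"rule": "root_login", "host": "db-prod-01", "user": "root"},
        {"rule": "file_integrity_change", "host": "web-prod-01", "user": "deploy"},
        {"rule": "new_outbound_connection", "host": "dev-box-07", "user": "alice"},
    ]
)

# Scoring inputs an analyst would maintain; the numbers are illustrative.
RULE_SEVERITY = {
    "root_login": 70,
    "file_integrity_change": 50,
    "new_outbound_connection": 40,
    "failed_login": 10,
}
ASSET_CRITICALITY = {"db-prod-01": 40, "web-prod-01": 30, "dev-box-07": 0}
PRIVILEGED_USERS = {"root", "deploy"}


def score(alert, count):
    """Priority 0..100 from rule severity, asset value, privilege and volume."""
    s = RULE_SEVERITY.get(alert["rule"], 20)
    s += ASSET_CRITICALITY.get(alert["host"], 10)   # unknown host: assume modest value
    if alert["user"] in PRIVILEGED_USERS:
        s += 20
    s += min(30, 10 * (count // 100))                # a flood of one alert is itself a signal
    return min(s, 100)


def triage(alerts, threshold=60):
    """Collapse identical alerts, rank them, and split into escalate/batch.

    Returns two lists of (score, count, alert): the first pages a human now,
    the second is reviewed in bulk later.
    """
    counts = defaultdict(int)
    first_seen = {}
    for a in alerts:
        key = (a["rule"], a["host"], a["user"])
        counts[key] += 1
        first_seen.setdefault(key, a)
    ranked = sorted(
        ((score(a, counts[k]), counts[k], a) for k, a in first_seen.items()),
        key=lambda t: (-t[0], t[2]["rule"]),
    )
    escalate = [t for t in ranked if t[0] >= threshold]
    batch = [t for t in ranked if t[0] < threshold]
    return escalate, batch


if __name__ == "__main__":
    esc, bat = triage(ALERTS)
    print(f"{len(ALERTS)} raw alerts -> {len(esc)} to escalate, {len(bat)} to batch")
    for s, n, a in esc + bat:
        print(f"{s:3} x{n:<4} {a['rule']:24} {a['host']:12} {a['user']}")
```

On the sample stream, 203 raw alerts become four groups, two of which need a person today; the 200 failed logins on a dev box collapse to one line with a count, which is the difference between a queue someone can work and one nobody can.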
2. Inappropriately DIYing Security
At a time when cloud security solutions abound, it’s surprising how many companies are still attempting to DIY security. It’s a time-consuming and expensive process that’s fraught with risk and is mostly unnecessary.
Yes, your cloud environment has its own special characteristics, but it’s not unique. It’s not a complete one-off. And yes, your developers may be highly skilled at building solid, scalable tools. But security isn’t their core competency, and their time would be better spent building tools that will add value to your customers. It’s just not a realistic approach for most.
Security is a complex discipline, and creating a system that will truly protect you, and scale as you grow, requires a massive amount of subject matter expertise — more than most people calculate at first blush. So, if you build in-house without the proper planning, knowledge, and expertise, what you’re left with is often an expensive, leaky sieve instead of a shiny coat of armor. The reality is that most companies’ security problems are fairly standard and can be most effectively addressed by developing a security strategy and then implementing an appropriate security tool or tools built by security pros.
Security Planning in 2017
It’s time to look forward and decide how we, as defenders, can get ahead and stay secure in 2017. Here are some questions to ask yourself during this season of reflection:
- If you’re in the cloud, what does your security posture look like?
- Are all of the boxes checked? How do you know?
- Is it truly addressing your main security objectives and vulnerabilities?
- Do you have executive support for your security strategy? And do they understand the value of security and what you’ve accomplished to date?
All of these factors are important in determining the success of your security organization, so here are three ways to improve your security:
1. Get Strategic
This year, aim to strike the right balance between smart and simple. Your security posture should be smart so it specifically addresses your organization’s needs, but simple so you don’t overcomplicate the whole thing.
To achieve this balance, you should conduct a high-level analysis of:
Once you do this, you can begin prioritizing and adding the right tools, processes, and workflows to address them. It’s as straightforward as that. (For more on developing your cloud security strategy, check out our Cloud Security Playbook: Strategies & Best Practices for Today’s Volatile Threat Landscape.)
2. Look Inward More Often
Don’t be distracted by the news headlines: they’re filled with stories about massive data breaches, exotic ransomware incidents, and so on. Instead, look at what really matters to your own company. (Remember: while your organization has its own specific mix of security requirements, there’s no need to reinvent the wheel.) For example, nation state attackers get big press. But your company’s biggest threat might actually be automated SQL injections. So rather than latching onto the latest news headline and trying to defend against something that may never come to pass at your organization, focus on your real challenges.
3. Use Metrics to Assess and Improve
Numbers are often the best way to determine what’s going on with your security posture and to set goals for improvement. They’re also an objective way to explain what needs to change. So use them to your advantage. For example, let’s say you can see what activities your users are conducting on a daily basis. This means you should also be able to capture any risky behaviors and know how often they’re occurring. For example, you could track how often someone logs in from an insecure WiFi network, or how quickly users are deprovisioned when they leave the company or change roles.
Using this data, you can have a data-driven discussion with the development team lead about what needs to improve in order to minimize errors and reduce risks. So rather than starting the discussion with, “Our security policy mandates that developers must reduce risky behavior when on production servers,” you can say, “Looking at the data, we need to make this metric look better over time. How do you think we can do that?” This shifts the conversation from adversarial to factual and collaborative. Instead of pitting one group (Security) against the other (Dev and Ops), metrics let both groups focus on common objectives. This is a great way to make sure that DevOps teams see security as a way to protect their hard work, and it can go a long way toward improving the entire security culture in your organization.
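The two metrics named above, computed from an audit log, as an added example that is not the post's or Threat Stack's code. The events are constructed sample data; the `TRUSTED_NETWORKS` set and the event names (`login`, `hr_terminated`, `account_disabled`) are assumptions standing in for whatever your SSO and HR feeds actually emit.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit events (not real), as (timestamp, event, user, network).
# In practice these come from your IdP/SSO logs and your HR feed.
EVENTS = [
    ("2016-12-01T09:00:00", "login", "alice", "corp"),
    ("2016-12-01T21:30:00", "login", "alice", "cafe-wifi"),
    ("2016-12-02T08:15:00", "login", "bob", "hotel-wifi"),
    ("2016-12-02T08:40:00", "login", "bob", "hotel-wifi"),
    ("2016-12-02T18:00:00", "hr_terminated", "bob", ""),
    ("2016-12-03T11:00:00", "hr_terminated", "carol", ""),
    ("2016-12-03T12:30:00", "account_disabled", "carol", ""),
    ("2016-12-04T09:00:00", "hr_terminated", "dave", ""),
    ("2016-12-05T10:00:00", "account_disabled", "bob", ""),
]

TRUSTED_NETWORKS = {"corp", "vpn"}  # assumption: anything else counts as untrusted


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def untrusted_login_rate(events):
    """Per user: fraction of logins that came from networks outside TRUSTED_NETWORKS."""
    total = defaultdict(int)
    untrusted = defaultdict(int)
    for _, kind, user, network in events:
        if kind != "login":
            continue
        total[user] += 1
        if network not in TRUSTED_NETWORKS:
            untrusted[user] += 1
    return {u: untrusted[u] / total[u] for u in total}


def deprovisioning_lag_hours(events):
    """Hours from HR termination to account disable, per user, plus a summary.

    A termination with no matching disable is reported as None and listed
    under still_active: those are the people who still have access, which
    is the number that matters most in the conversation.
    """
    terminated, disabled = {}, {}
    for ts, kind, user, _ in events:
        if kind == "hr_terminated":
            terminated[user] = _ts(ts)
        elif kind == "account_disabled":
            disabled[user] = _ts(ts)
    lags = {}
    for user, t0 in terminated.items():
        t1 = disabled.get(user)
        lags[user] = None if t1 is None else (t1 - t0).total_seconds() / 3600
    done = [h for h in lags.values() if h is not None]
    summary = {
        "median_hours": median(done) if done else None,
        "max_hours": max(done) if done else None,
        "still_active": sorted(u for u, h in lags.items() if h is None),
    }
    return lags, summary


if __name__ == "__main__":
    for user, rate in untrusted_login_rate(EVENTS).items():
        print(f"{user:8} untrusted-network logins: {rate:.0%}")
    lags, summary = deprovisioning_lag_hours(EVENTS)
    for user, hours in lags.items():
        print(f"{user:8} deprovisioned after: {'NOT YET' if hours is None else f'{hours:.1f} h'}")
    print(summary)
```

The output is the kind of statement the section recommends: not "developers must reduce risky behavior," but "half of alice's logins and all of bob's came from untrusted networks, bob kept access for 64 hours after HR let him go, and dave still has it." Those numbers can be tracked week over week and argued about without anyone taking it personally.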
Wrapping Up . . .
Reflect back on 2016 and take advantage of the fact that the tides have shifted. Leave old habits behind and embrace new approaches that grow out of strategic cloud security planning. In 2017, resolve to make your cloud security healthy and your business prosperous.
How will you improve your organization’s security posture in the coming year? Any areas where you’re stuck? Let us know on Twitter @threatstack.