Futurex Crypto Chat with Coalfire: Cloud Security, DevSecOps, and Scooby-Doo
Adam: Do you think organizations are aware of the cyber threats they face?
It depends a lot on the size of the organization and the industry that organization is in. Obviously, the organizations that have direct financial accountability for cybersecurity feel the pain of breaches and are more acutely aware of the risks and regulations they face. When you look at large organizations and regulated industries, especially the ones that deal with finance and money, they have a pretty good feel for risk, loss avoidance, exposure, and external compliance requirements.
If you look at really small organizations, they don’t necessarily have awareness of the possibility of that type of impact, so that’s where we have seen a tremendous amount of damage due to ransomware. The trick is in the middle, where organizations are growing to a size where they’re more of an attractive target, where they have significant assets that they need to protect. This is a challenging area: How do you help characterize the landscape for them so they can make good risk decisions?
Adam: What are a few cloud security questions you think organizations should ask? Cloud security tips?
It’s interesting to me that people view cloud security as being different from the security of other assets, when I think the fundamentals are very much the same. In the first place, what are the cloud assets that you have that may be exposing you to risk? What cloud environments are you using? What are the assets in those cloud environments? Do you have a handle on those?
One potentially interesting difference about the cloud is the ability to expand or contract your exposed assets much more quickly than if we’re looking at a traditional data center where you have rack and stack servers.
The first tip is to know what assets you have out there that are exposing you to risk. Have you looked at those assets and their architecture to see what your exposure is? Based on those, are you doing some sort of cloud security posture management, scanning, or testing? From an architecture standpoint — from a threat model standpoint — do you have your architecture set up in a way that is minimizing your risk? And that’s really the fundamentals of any systems development, security, and environment. Organizations want cloud security to be something special, but really, it’s just mostly about getting those fundamentals right.
Adam: What do you predict to be the next stage in cloud security development?
From my vantage point, which is more of an application security and a systems development background, what we have seen is there’s a lot of pressure from the business side of things. Questions such as: How quickly or how agile? Are we using technology to provide great experiences to customers and other stakeholders? How do we work effectively with partners to provide these types of seamless experiences?
You see organizations that do this very well and you also find organizations that don’t do this as well — and that creates risk. I see that as a business existential risk: where, as a business, you “zig” and the industry and your partners “zag” and take a different view of how to satisfy the stakeholders.
What we see trickles down to the IT organization where we hear: “We need you to be able to innovate faster, we need you to be able to iterate faster.” Those organizations are starting to adopt a DevOps culture, hopefully a DevSecOps culture, where they are breaking down barriers between different teams in order to get those cycle times down. They’re also adopting a lot of cloud constructs and asking, “What can we do if we use cloud services? What if we turn over and use these cloud data stores so that we don’t have to manage this stuff? What if we start looking at things like serverless, so that we don’t have to manage the servers?”
The trick is that a lot of the development teams that are building systems don’t necessarily have a lot of experience with these types of constructs. They’re trying to figure it out. This is where the role of the security organization needs to evolve. In these cloud environments, the role of the security organization is to help the business do what they need to do but in a secure manner. For example, here are cloud controls that you want to put in place. I think that’s really the future of security organizations, especially when looking through the lens of the cloud: How do they show up as a business advisor about risk, as opposed to simply looking to constrain the business or implement controls?
Adam: How do you transform DevSecOps with ThreadFix?
With ThreadFix, we have the opportunity to look at organizations’ really cool implementations. We’ve been able to distill and look at, for example, how they are adding chat ops, automation, how they are getting faster cycle times on testing and being able to turn around results to customers faster. We’re on this journey with organizations and as we push innovation on our end, we get to see the cool DevSecOps programs underway — and then bake that into the product so that it is easier for other teams to roll out similar impressive capabilities.
Adam: Do you have a favorite industry story you’d like to share?
We were brought in to help an organization mature its security in the wake of an incident they faced where there were some direct financial losses. Part of this was briefing their board on what had happened during the incident as well as making recommendations on how to be more resilient in the future. One of my business partners was leading this briefing and a board member misunderstood — he thought that my business partner was the criminal responsible for the fraud and was grilling him: “How did you think you were going to get away with this?!” As if my business partner were going to confess (in classic Scooby-Doo form): “I would have gotten away with it, except for those meddling kids!” Fortunately, one of the executives recognized the miscommunication, pulled the board member aside and cleared things up — “No, these are the people who are here to help us fix the breach…”