I’m posting this from my San Francisco hotel room the night before the first full day of RSA Conference 2019. This is the first time SaltStack has sponsored RSA but I’m happy to report we’re fitting right in. The Death Star stickers were very popular at the opening night welcome reception, and everybody wants a chance to win the Death Star Lego kit prize. Stop by booth 3105 to learn how SaltStack can help make sure your thermal exhaust ports are compliant and to learn more about cyber hygiene and intelligent automation.
Last week SaltStack SecOps was named to the CSO Online list of the Hottest Products at RSA 2019. This came right after more than 450 SecOps professionals watched our first public overview and demo of SaltStack SecOps, which launches later this month. Eighty percent of all SaltStack customer transactions since the beginning of Q4 2018 have included pre-orders of SaltStack SecOps.
The interest in SaltStack SecOps has been substantial for good reason. In my last post I wrote about the challenges facing SecOps teams with a post-mortem analysis of the state of cybersecurity in 2018. This post will propose what can be done to help IT and security teams escape compliance hell in 2019.
Automated cyber hygiene, intelligent automation, and protection against a volatile threat landscape
Digital business demands a better approach to application and infrastructure security. The solution must start with the realization that most security breaches are preventable with proper day-one infrastructure configuration combined with ongoing system hardening and rapid, automated response to emerging threats at scale.
A sustainable solution to the SecOps challenge must leverage the benefit of automated configuration and policy compliance through a platform like SaltStack SecOps.
About a year ago I remember talking to Mehul Revankar, SaltStack senior product manager, as we were defining and designing SaltStack SecOps. At the time, Mehul suggested a basic challenge most organizations face is an inability to adhere to basic cyber hygiene and intelligent automation. Applying a basic cyber-hygiene framework correctly will help significantly mitigate cybersecurity risk.
Automation applied to this cyber-hygiene framework can help proactively and reactively protect digital business against a volatile threat landscape. The framework defines five specific steps that every SecOps team can implement today:
Know your assets and what’s connected to and running on your network. Enterprise networks are constantly changing as infrastructure is updated and new servers and services are deployed. Don’t forget to identify all Internet-connected devices. Anything online is a potential attack vector. Good cybersecurity hygiene tracks existing assets and any changes to ensure all cyber assets are accounted for.
Human error led to a 424% increase in misconfigured cloud servers. I can’t write a simple blog post without numerous errors. How can our understaffed, under-resourced SecOps teams be expected to do much better with enterprise infrastructures at scale? We must automate configuration, deployment, and compliance. Every system and service comprising enterprise digital infrastructure needs to be configured with security in mind. Humans alone can’t do it without help.
Code must be written and applications must be developed with security in mind. Application security can’t be left to be resolved in production, when it is often too late and hackers are knocking at the door. Mehul has written about shifting security left, or DevSecOps, for The New Stack in an article on security-first development titled “Building a DevSecOps Power Trifecta.”
Easier said than done, but SecOps teams must regularly update all apps, software, and operating systems. Staying on top of software updates can be a challenge (just look at the dozens of Windows and Adobe vulnerabilities found each month), but timely patch management is essential.
The unfortunate reality is that patches are often not applied for years, while the window of time between a known vulnerability and its exploit is often just a few days. Without intelligent automation, patch management at scale has already fallen behind by the time the first exploits start showing up in the wild. Hindsight is 20/20, but we all know what happened when Equifax didn’t patch their Apache Struts servers in time.
Regularly revisit the top cybersecurity priorities for your business to create a solid foundation. An annual review is not sufficient for most companies, especially those with a large digital footprint. Most of our customers are implementing continuous reassessments.
SaltStack customers automate SecOps
In my next blog post I will provide a few examples of how SaltStack customers are applying these five steps to their cybersecurity strategy. The steps share a common theme: when implemented at scale, security tasks must be automated to avoid mistakes and overlooked systems, to speed implementation, and to ensure security policy compliance.
I will be in San Francisco all week at RSA Conference 2019 and through tomorrow at the AGC Partners West Coast Information Security & Broader Technology Growth Conference. Connect with me on LinkedIn. I welcome the chance to meet and discuss.