How many times have you explained defense-in-depth?
Now that we’re moving to the cloud at a faster pace, how is your analogy holding up? In the process, how is your thinking?
As I’ve written about before, migration to the cloud is happening. Security leaders have a choice. We can lead the way or get left behind. When we embrace the potential, it turns out the cloud acts as a forcing function to help drive change.
Turns out it also helps remove constraints and shift thinking. That’s the thrust of what Brian Ahern and I recently talked about.
Brian (LinkedIn) is the Chairman and CEO of Threat Stack (@threatstack). A seasoned technology executive with nearly two decades of experience, Brian is passionate about disruption. He joined Threat Stack in 2015 from Industrial Defender, where he was Founder and CEO and led the company through its acquisition by Lockheed Martin in April 2014.
Our conversation was energetic and inspiring. Brian laid out compelling ways security leaders can engage executives and use the cloud to improve security and bolster their leadership.
Here are my five questions with Brian Ahern:
Talk about the change in the constraints and why that is important
Today’s organizations have become atrophied after several decades of building traditional security strategies where “protecting the perimeter and network intrusion detection” took priority over gaining deep insights into application and data environments to better understand and monitor how applications and data can, and do, become compromised. Now, in the era of the cloud, these organizations are being forced to quickly change their way of thinking when it comes to security. With a move to the cloud, the physical constraints of IT scaling to support business growth are gone. But a new constraint emerges: how to think about the cloud in the context of security. Organizations must understand the need to rethink approaches to IT security when transitioning from traditional on-premises to cloud infrastructure. To simply apply on-premises security technology to the cloud is a recipe for disaster. Cobbling together point solutions results in a fragmented security approach that, due to the nature of the cloud, simply yields an inadequate security strategy. Companies need to forget what they did before, step back, and really work to understand the nature of the cloud first and why the traditional “perimeter and networks” no longer exist.
A key shift in thinking about the cloud is defense-in-depth. How does this work without customer-managed perimeters and networks?
This is the area that excited me the most about joining Threat Stack: that we were fundamentally changing the approach to security when it comes to the cloud versus the traditional on-premises security space of the last several decades.
In the cloud, the traditional approach to defense-in-depth security, starting at the perimeter and moving inside to the host (cloud workload), must be inverted, as we have transitioned from the physical infrastructure world to the virtual infrastructure world (also known as the software-defined-everything world). In an inverted defense-in-depth approach, cloud security needs to start from within the workload (software) and then add context around the workload with other security indicators. By eliminating the constraints of securing physical infrastructure (perimeter and network), companies can gain an innovation and scaling competitive business advantage. They can scale with confidence and maintain real-time visibility at all times. In the traditional on-premises world, innovation and scale were held hostage to engineering, purchasing, installation and testing. Nowadays, scale can happen nearly instantaneously with limited human intervention - it’s just incredible.
So what can the workload tell us from a security perspective? Everything! The workload’s Linux kernel shares everything you need to know about users, files, processes, networks and host behavior – all of those details are made available as standard by the kernel. Leveraging those details, in conjunction with behavioral analytics, allows customers to baseline “normal” and then be alerted to anomalies. Process connects? Monitor all inbound and outbound process connects and compare them with known blacklist IPs, which may be indicative of command and control. Vulnerable software? Collect all workload software packages and compare them with known CVEs (Common Vulnerabilities and Exposures). All of this from inside the workload, without even having to think about the traditional perimeter and network.
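The two workload-side checks Brian describes, a per-process connection baseline with a blocklist lookup and a package-versus-advisory comparison, look like this when written out. This is an added example, not Threat Stack’s code or anything from the original interview. The event format, the blocklist, the package inventory and the advisory table are all constructed for illustration, and the advisory IDs are placeholders, not real CVE identifiers.

```python
"""Host-side detection sketch for two of the checks described above:
(1) baseline each process's outbound connections and alert on deviations or
blocklisted destinations, and (2) compare an installed-package inventory
against an advisory table.

Added example, not Threat Stack's code. The event format, the blocklist,
the package list and the advisory table are all constructed; the advisory
IDs are placeholders, not real CVE identifiers.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed event lines, one outbound connect() per line, in the shape a
# host agent might emit after reading audit/netlink data from the kernel:
#   "<ts> <host> proc=<comm> pid=<n> dst=<ip>:<port>"
BASELINE_EVENTS = """\
1 web-1 proc=nginx pid=101 dst=10.0.1.5:5432
1 web-1 proc=nginx pid=101 dst=10.0.1.6:6379
1 web-1 proc=python3 pid=202 dst=10.0.1.5:5432
""".splitlines()

LIVE_EVENTS = """\
2 web-1 proc=nginx pid=101 dst=10.0.1.5:5432
2 web-1 proc=nginx pid=101 dst=203.0.113.9:443
2 web-1 proc=curl pid=303 dst=198.51.100.77:8080
2 web-1 proc=python3 pid=202 dst=10.0.1.6:6379
""".splitlines()

# Constructed "known bad" ranges (TEST-NET-2), standing in for a C2 feed.
BLOCKLIST = [ipaddress.ip_network("198.51.100.0/24")]


def parse_event(line):
    """Parse one constructed event line into a dict."""
    ts, host, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    ip, port = fields["dst"].rsplit(":", 1)
    return {
        "ts": int(ts),
        "host": host,
        "proc": fields["proc"],
        "pid": int(fields["pid"]),
        "dst_ip": ipaddress.ip_address(ip),
        "dst_port": int(port),
    }


def build_baseline(lines):
    """Map each process name to the set of (ip, port) it was seen talking to."""
    baseline = defaultdict(set)
    for ev in map(parse_event, lines):
        baseline[ev["proc"]].add((str(ev["dst_ip"]), ev["dst_port"]))
    return baseline


def detect(lines, baseline, blocklist=BLOCKLIST):
    """Return one alert per event that breaks the baseline or hits the blocklist."""
    alerts = []
    for ev in map(parse_event, lines):
        dst = (str(ev["dst_ip"]), ev["dst_port"])
        reasons = []
        if any(ev["dst_ip"] in net for net in blocklist):
            reasons.append("blocklisted_dst")
        if ev["proc"] not in baseline:
            reasons.append("new_process")
        elif dst not in baseline[ev["proc"]]:
            reasons.append("new_destination")
        if reasons:
            alerts.append({"ts": ev["ts"], "proc": ev["proc"], "pid": ev["pid"],
                           "dst": "%s:%d" % dst, "reasons": reasons})
    return alerts


# --- package inventory vs. advisories -------------------------------------

# Constructed inventory (the shape `dpkg-query -W` or `rpm -qa` would give).
INSTALLED = {"openssl": "1.1.1k", "bash": "5.1.8", "sudo": "1.9.5"}

# Constructed advisory table: package -> (first fixed version, placeholder id).
ADVISORIES = {
    "openssl": ("1.1.1l", "ADV-EXAMPLE-0001"),
    "sudo": ("1.9.5", "ADV-EXAMPLE-0002"),
}


def version_key(version):
    """Split '1.1.1k' into comparable parts; numeric parts sort before letters."""
    return [(0, int(p)) if p.isdigit() else (1, p)
            for p in re.findall(r"\d+|[A-Za-z]+", version)]


def vulnerable_packages(installed, advisories):
    """List (package, installed, fixed, advisory) where installed < fixed."""
    findings = []
    for pkg, have in installed.items():
        if pkg in advisories:
            fixed, advisory_id = advisories[pkg]
            if version_key(have) < version_key(fixed):
                findings.append((pkg, have, fixed, advisory_id))
    return findings


if __name__ == "__main__":
    for alert in detect(LIVE_EVENTS, build_baseline(BASELINE_EVENTS)):
        print("ALERT", alert)
    for finding in vulnerable_packages(INSTALLED, ADVISORIES):
        print("VULN ", finding)
```

Two caveats a practitioner would add: the baseline is only as good as the window it was learned from, so build it from a period you have already vetted rather than from whatever the host happened to be doing when the agent started, and a plain version comparison against upstream "fixed in" versions over-reports on distributions that backport fixes without bumping the version string, so in practice the advisory table should come from the distribution’s own security tracker.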
Security is always under pressure to move quicker. You see the cloud as a tremendous advantage for CIOs and CISOs. How so?
It took the industry roughly three decades to evolve on-premises data security to the current point of “security instrumentation” and sophistication. What took three decades in on-premises security was replicated at 300 times that rate. Confidence and visibility at scale are available now, less than a decade after the launch of the first public cloud offering from Amazon.
What I spend a lot of time evangelizing is, first and foremost, that companies not thinking about embracing the cloud right now are going to be at a significant disadvantage over time. Companies forced to purchase the multitude of security point solutions have always been constrained by the physical aspect of buying, engineering, installing, wiring and testing. Moving to the cloud eliminates the historical time and cost constraints. Now CIOs and CISOs can move at a pace whereby they enable business growth and are not seen as an inhibitor to growth.
Security at scale is nothing more than baking cloud-native security solutions into the standard configuration management tools designed to support auto-scaling in elastic computing environments, so infrastructure auto-scaling from 100 to 300 servers means that the security “goes along for the ride” and provides the real-time security visibility and protections necessary to scale with confidence. Modern, cloud-native security tech is designed specifically for this: to securely scale with growth. Concerns over shadow IT are a thing of the past.
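One concrete way to make host security “go along for the ride” is to put it in the cloud-init user-data of the autoscaling group’s launch template, so every instance the group launches configures the same kernel-level telemetry before it takes traffic. The fragment below is an added example, not Threat Stack’s tooling or anything from the original page. It assumes an x86_64 Debian/Ubuntu-style image with systemd and auditd available; the rule keys, rule file path and inventory location are my choices. The shipper that forwards the audit log and inventory off the host is vendor-specific and is left out.

```yaml
#cloud-config
# Added example (not from the original page). Placed in an autoscaling
# launch template so each new instance installs auditd and loads identical
# syscall rules at first boot; no per-instance human step is needed.
package_update: true
packages:
  - auditd

write_files:
  - path: /etc/audit/rules.d/50-workload.rules
    permissions: "0640"
    content: |
      ## Start from a clean rule set and give the kernel a bigger buffer
      -D
      -b 8192
      ## Every exec: who ran what (input for the process baseline)
      -a always,exit -F arch=b64 -S execve -k proc_exec
      -a always,exit -F arch=b32 -S execve -k proc_exec
      ## Every outbound connect(): the "process connects" feed
      -a always,exit -F arch=b64 -S connect -k proc_connect
      ## Writes to identity files
      -w /etc/passwd -p wa -k identity
      -w /etc/sudoers -p wa -k identity

runcmd:
  # Merge rules.d/*.rules and load them into the running kernel
  - augenrules --load
  # Print the live rule set into the cloud-init log for verification
  - auditctl -l
  # Package inventory for the CVE comparison (Debian/Ubuntu form)
  - dpkg-query -W -f='${Package} ${Version}\n' > /var/lib/workload-inventory.txt
```

The `connect` rule is the one to watch: on a busy web tier it is high volume, so the agent that consumes the audit stream should summarize per process rather than ship every record, and the buffer size (`-b`) should be sized so that `auditctl -s` does not report lost events.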
The cloud acts as a forcing function. It’s evident in technology. You suggest it goes further.
Cloud culture extends beyond cloud technology. It becomes ingrained in the people, the tools and all the ways we think about and approach business challenges. It’s hard for companies to embrace this at the level it needs to be adopted, which is why it’s important to challenge outdated perceptions or notions in order to start that cerebral shift away from what we’ve always known, to what we now need to understand. This is a very different paradigm than most IT folks are used to, so companies need to work on building a culture around the cloud that embraces DevOps and thinks differently about its processes and people.
If you don’t understand how and where your people interact with applications and data, then you’re operating blindly. It’s about more than just protection. Of course, protecting data is key to compliance and security; however, without context about activities happening within and around the applications and the data, your security posture becomes the weak business link. Security isn’t a smash-and-grab. Bad actors spend time within your environments, poking around. If you have the context to understand when a behavior is breaking the baseline of expected activities, you can leverage that context to immediately identify and eliminate that threat before they walk out with the crown jewels and create a business nightmare.
You suggest that a security leader not only “start small” but also actively seek out and engage with a group externally. Where do they go?
Start anywhere. Start small. Start in non-mission-critical apps and data, because those are the ones that are easily available and less vulnerable to missteps. Start in the dev environment - not in production. You have a sandbox of servers established - start from there to gather insights and visibility, and ramp up from there. Be thoughtful and don’t attempt to force-fit point solutions not natively designed for the cloud. Get to know the solution first; understand how cloud-native differs from enterprise point solutions, because they are inherently different.
Also, find a company that is already steeped in the culture and ask them questions. At Threat Stack, some of our favorite clients are other security companies. We use the technology ourselves to monitor our own security and we love educating other companies about cloud security. It’s also rewarding for us to see customers begin to gain that deeper level of insight and visibility that understanding context in the cloud provides. You would be amazed at what you find, both internal and external. Actions which potentially put your business at risk are constant. Knowing when it’s happening is extremely powerful – you can’t protect against what you can’t see.