Cloud Sentry Blog (https://cloudsentry.evident.io), powered by Evident.io. Feed generated Fri, 16 Feb 2018 20:37:47 +0000.

Cloud Security This Week – February 16, 2018
../cloud-security-this-week-02162018/ | Fri, 16 Feb 2018 20:25:34 +0000
Evident.io in the News
Open AWS S3 Bucket Exposes Private Info on Thousands of Fedex Customers
“There’s a whole hacker cottage industry around finding and exploiting S3 buckets, and it’s growing because as cloud environments grow, so do the number of unsecured assets that are discoverable. Hackers are going after S3 buckets and other repositories because that’s where the data is, but also because they’re easy to find.” Tim Prendergast, CEO of Evident.io

Service Mesh Amplifies Microservice Management Capabilities
“Security can be applied within and among all of this activity, because the service mesh operates on a data plane,” said John Martinez, VP of security at Evident.io. “This allows security to be managed more transparently when communications can be observed on a plane, between services.”

FedEx S3 Bucket Exposes Private Details on Thousands Worldwide
Tim Prendergast, CEO of Evident.io, comments on the prevalence of hackers who are actively searching for S3 bucket misconfigurations.

Content from Evident.io
WEBINAR: The Evolution of DevSecOps Revisited
Register for our webinar on Thursday, February 22nd, 2018, where our panel of experts will discuss the relationship between DevOps and SecOps and explore whether or not it has evolved to be as harmonious as we hoped.

The Olympics and 4,000 Government Websites Got Owned
Two recent discoveries in the world of cybersecurity – from the Olympics and via cryptojacking – highlight potential trends we can expect to see more of. High profile and brash, they portend an alarming extension of hacker activity.

I Heart Security
Save your flowers and See’s Candy for your loved ones, but remember that if you love your job, your customers, and avoiding board-level meetings where you have to explain how a 15-year-old hacker planted malware into an open repository that subsequently leaked millions of customer records and cost the company billions in market cap, then let’s get on board with a concept that applies to every aspect of our lives – say it with me, brothers and sisters: I LOVE SECURITY.

Deep Security Thoughts
Bob, Dick, Pete, and God’s tears. They all play a part in helping you create a more secure cloud environment. Find out in our new series, Deep Security Thoughts.

News and Perspectives on Cloud Security
‘BuckHacker’ Search Engine Lets You Easily Dig Through Exposed Amazon Servers
A new search engine makes combing through leaky AWS datasets that much easier. Think of it as a barebones Google, but for info that the owners may have mistakenly published to the world.

Hackers Stole $50 Million in Cryptocurrency Using ‘Poison’ Google Ads
A Ukrainian hacker group dubbed Coinhoarder has stolen more than $50 million in cryptocurrency from users of Blockchain.info, one of the most popular providers of digital currency wallets, according to a report published Wednesday.

New Equifax Security Officer Faces Tough Task
Equifax announced that Jamil Farshchi will now be heading Equifax’s security team as it looks to dig itself out of a major hole after hackers took advantage of an Equifax security weakness and gained access to personal data of more than 145.5 million Americans.

IT Provider for Winter Olympics Hacked Months Before Opening Ceremony Cyberattack
Hackers armed with destructive malware appear to have compromised the main IT service provider for the Winter Olympic Games months before last week’s highly publicized cyberattack.

The Evolution of DevSecOps Revisited
../evolution-devsecops-revisited/ | Thu, 15 Feb 2018 22:14:32 +0000
The inception of DevSecOps has created a whole new standard for driving innovation inside and outside organizations. Like DevOps, DevSecOps seeks to achieve greater efficiency and productivity through team collaboration coupled with a foundation in strong security. DevSecOps is pushing organizations to accomplish more, do it faster, and deliver better results more securely.

We are hosting a webinar that will explore whether SecOps and DevOps have been effective in fostering collaboration between two seemingly contradictory teams and aligning their disparate goals into a singular effort, or whether they have slipped into the primitive security models of the past — is the union of DevOps and SecOps on rocky ground and in need of marriage counseling, or are they completely copacetic?

Join us on Thursday, February 22nd, 2018 for our webinar, where our panel of experts, including Anthony Johnson, Principal Engineer, Cloud at Ellie Mae, Christopher Durand, Information Security Officer at Verizon, and John Martinez, VP of Customer Solutions at Evident.io, will discuss the relationship between DevOps and SecOps and explore whether or not it has evolved to be as harmonious as we hoped.

We invite you to register now, while spaces are still available. Click here to register.

To prepare for the webinar, you might enjoy Tim’s perspective on the Marriage of SecOps and DevOps, and it will be helpful to understand how some of our other customers broached this union in the past with this Webinar on Demand.

The Olympics and 4,000 Government Websites Got Owned
../olympics-government-websites-owned/ | Wed, 14 Feb 2018 19:15:37 +0000
Two recent discoveries in the world of cybersecurity – from the Olympics and via cryptojacking – highlight potential trends we can expect to see more of. High profile and brash, they portend an alarming extension of hacker activity.

Olympic Destroyer
One was a malware attack called “Olympic Destroyer” that targeted the opening ceremony of the Winter Olympics in Pyeongchang, South Korea. According to reports, the attack resulted in 12 hours of downtime on the official Winter Games website, the breakdown of Wi-Fi in the Pyeongchang Olympic stadium, and a complete disruption of televisions and internet at the main press center, leaving attendees unable to print their tickets for events or get venue information. The intent, it seems, was purely to embarrass South Korea, not financial gain.

In the grand scheme of world order, this is small potatoes, but it’s malicious and disruptive, and further supports the modus operandi of hackers seeking exposure through the media. According to NBC, 28 million people watched the ceremonies, and according to Nielsen, the primetime telecast of the Parade of Nations ceremony grabbed a 16.9 household rating and 29 share. While the digital chaos in the background didn’t appear to spoil the event for viewers, the idea that the biggest media event on the world stage (and one that is so thoroughly dependent upon a technology infrastructure) could be that vulnerable should make security teams take notice. Clearly, a major mishap during the biggest televised and reported event of the weekend would have received major attention had the attack achieved its full goals.

Analysis of the malware variant indicates that it dropped browser and system credential stealers to obtain legitimate login details, which were then used to spread to other connected systems. As we see in almost all attacks of this nature, once inside, the malware clearly wasn’t detected, which means no incident response or rapid isolation policies went into effect. What’s especially frightening about Olympic Destroyer is that once installed, the malware immediately deletes shadow copies of files and Windows backup catalogs, turns off recovery mode, and deletes system logs to remain fairly invisible.
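The four behaviours just listed are exactly what endpoint process-creation telemetry should be watched for. The Python below is an added example, not code from this post or from Evident.io: it runs one detection rule per behaviour over constructed sample process-creation records and then correlates the hits per host. The command names the rules look for (vssadmin, wbadmin, bcdedit and wevtutil invocations) are this example's assumption about the usual Windows tooling for each action, which the post does not name, and the log format, host names and user names are constructed. The point it adds to the prose is in the correlation step: any single rule also fires on legitimate administration, so it is several distinct categories on one host inside a short window that turns isolated hits into a high-confidence alert.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation records (not real telemetry). Format:
# "<ISO timestamp> host=<name> user=<name> cmd=<command line>"
SAMPLE_LOG = """\
2018-02-09T20:01:12Z host=WS-PRESS-07 user=svc_print cmd=C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
2018-02-09T20:01:13Z host=WS-PRESS-07 user=svc_print cmd=wbadmin.exe delete catalog -quiet
2018-02-09T20:01:14Z host=WS-PRESS-07 user=svc_print cmd=bcdedit.exe /set {default} recoveryenabled no
2018-02-09T20:01:15Z host=WS-PRESS-07 user=svc_print cmd=wevtutil.exe cl System
2018-02-09T20:01:15Z host=WS-PRESS-07 user=svc_print cmd=wevtutil.exe cl Security
2018-02-09T20:05:40Z host=WS-PRESS-07 user=jdoe cmd=notepad.exe C:\\Users\\jdoe\\notes.txt
2018-02-09T20:06:02Z host=WS-ADMIN-01 user=backupadmin cmd=wbadmin.exe start backup -backupTarget:E:
"""

# One rule per behaviour the post describes. The command names are an assumption
# about the usual Windows tooling for each action, not something the post lists.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "backup_catalog_deletion": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "event_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+cl\s+\S+", re.I),
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def parse_line(line):
    """Split one record into fields; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text):
    """Return one finding per (record, rule) match: the rule name plus the record fields."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for category, pattern in RULES.items():
            if pattern.search(rec["cmd"]):
                findings.append({"category": category, **rec})
    return findings


def correlate(findings, window=timedelta(minutes=10), min_categories=3):
    """Hosts on which at least `min_categories` distinct rules fired inside one `window`.

    A lone hit is weak evidence (admins clear logs and rotate backups); several
    distinct destructive actions in quick succession on one host is the tell.
    """
    by_host = {}
    for f in sorted(findings, key=lambda f: f["ts"]):
        by_host.setdefault(f["host"], []).append(f)
    flagged = {}
    for host, events in by_host.items():
        for i, first in enumerate(events):
            cats = {e["category"] for e in events[i:] if e["ts"] - first["ts"] <= window}
            if len(cats) >= min_categories:
                flagged[host] = sorted(cats)
                break
    return flagged


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts'].isoformat()} {h['host']} {h['user']}: {h['category']}")
    print("hosts with a destructive sequence:", correlate(hits))
```

On the sample, the backup administrator's `wbadmin start backup` on WS-ADMIN-01 matches nothing, while WS-PRESS-07 trips all four categories within seconds and is the only host the correlation step reports.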

Government websites used to mine cryptocurrencies
Hackers are injecting scripts into government websites across the globe to mine cryptocurrencies. The script was discovered on more than 4,000 government websites, including those of the UK’s National Health Service (NHS), the Student Loan Company, the data protection watchdog the Information Commissioner’s Office (ICO), and Queensland legislation, as well as the US government’s court system.

The script was delivered through a compromised version of a popular website plugin called “Browsealoud”, which websites use to give visually impaired visitors access to their content by converting text to audio. The injected code was a CoinHive miner; CoinHive is a mining service that pays website owners for using the CPU resources of site visitors. Users of these government sites had their computers’ processing power hijacked (or “cryptojacked”, as the activity is now known) and immediately put to work mining cryptocurrency without their knowledge.
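A third-party script tag is a supply-chain trust decision: whatever the plugin vendor's server sends, every visitor's browser runs. One control that fits the scenario above is Subresource Integrity (SRI), where the page pins a hash of the script it expects and the browser refuses to execute a file that no longer matches. The Python below is an added example, not code from this post or from any of the sites or vendors it names: it computes and verifies SRI values the way a browser does, and audits a constructed HTML page for third-party script tags that lack the pin. The host names (plugin-cdn.example.test, cdn.example.test, www.example.test) and the script body are constructed placeholders.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlparse


def compute_sri(script_body: bytes, algo: str = "sha384") -> str:
    """Build an integrity attribute value ("sha384-<base64 digest>") for a script body."""
    digest = hashlib.new(algo, script_body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(script_body: bytes, integrity: str) -> bool:
    """Re-hash the fetched body and compare with the pinned value, as a browser does before executing it."""
    algo, _, _ = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False  # SRI only defines these three
    return hmac.compare_digest(compute_sri(script_body, algo), integrity)


class ScriptAuditor(HTMLParser):
    """Collect third-party <script src=...> tags that the page does not pin with SRI."""

    def __init__(self, first_party_host: str):
        super().__init__()
        self.first_party_host = first_party_host
        self.findings = []  # (src, problem)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script: not a remote dependency
        host = urlparse(src).hostname
        if host is None or host == self.first_party_host:
            return  # relative or same-origin: served by us, covered by our own deploy controls
        if not a.get("integrity"):
            self.findings.append((src, "third-party script without integrity attribute"))
        elif "crossorigin" not in a:
            self.findings.append((src, "integrity set but no crossorigin attribute; the cross-origin check cannot succeed"))


def audit_scripts(html: str, first_party_host: str):
    parser = ScriptAuditor(first_party_host)
    parser.feed(html)
    return parser.findings


# Constructed page: one same-origin script, one unpinned vendor plugin, one pinned library.
# Host names are placeholders, not real sites.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://plugin-cdn.example.test/plugins/speech.js"></script>
<script src="https://cdn.example.test/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head><body></body></html>"""

# Constructed stand-in for a vendor script body as reviewed and approved for deployment.
VENDOR_SCRIPT = b"(function(){document.body.setAttribute('data-speech','ready');})();"


if __name__ == "__main__":
    for src, problem in audit_scripts(SAMPLE_HTML, "www.example.test"):
        print(f"{src}: {problem}")
    pin = compute_sri(VENDOR_SCRIPT)
    print("pinned:", pin)
    print("unmodified script accepted:", verify_sri(VENDOR_SCRIPT, pin))
    print("modified script accepted:", verify_sri(VENDOR_SCRIPT + b"/*extra*/", pin))
```

The caveat a practitioner needs: SRI only works for a script served as a fixed file, because any change by the vendor, legitimate or not, fails the hash and the browser blocks it. Hosted plugins that update themselves in place cannot be pinned this way and call for self-hosting a reviewed copy or a Content Security Policy that limits where scripts may load from.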

A full list of websites affected by the attack has been provided by PublicWWW.

Whether the effort was simply brazen, or whether it targeted sites known to have loose security controls, is not yet known. It does, however, highlight the need for IT teams to be vigilant about every element of their infrastructure and employ automated and continuous security as well as rapid incident response practices. With 4,000+ sites affected, it may be a while before we fully understand the magnitude of this particular attack, as well as the potential for more cryptojacking across government and commercial websites.

I Heart Security
../i-heart-security/ | Wed, 14 Feb 2018 08:48:58 +0000
There isn’t a state of being that any organism seeks more than security. Pleasure and excitement are wonderful, but unless doled out in small doses, their effect wears out quickly. Security never loses its appeal, and in a world that can be unexpectedly harsh at times, security braces us and provides comfort.

In the pursuit of security, we bend over backwards to achieve financial stability, healthy bodies, and a safety membrane around our family and loved ones. It’s strange, then, that many will go to such great lengths for some things, but neglect others. Cloud environments also need to be secure, but many of those responsible for them throw caution to the wind and simply hope for the best. It’s not only a bad strategy for the security of data and internal resources, but it breeds a mindset of irresponsibility that prevents important efforts at girding against hacks and breaches.

It’s time to frame cloud security in the same context as the security applied to other areas of our lives and embrace a love for it. Save your flowers and See’s Candy for your loved ones, but remember that if you love your job, your customers, and avoiding board-level meetings where you have to explain how a 15-year-old hacker planted malware into an open repository that subsequently leaked millions of customer records and cost the company billions in market cap, then let’s get on board with a concept that applies to every aspect of our lives – say it with me, brothers and sisters: I LOVE SECURITY.

This isn’t a romantic kind of love, unless you’re into that kind of thing (and we’re not judging). But it’s a love borne of responsibility, and those tasked with managing user, customer, and internal data have to bear that responsibility and carry out whatever measures will keep it secure. You don’t have to love writing remediation scripts to make your security posture more manageable, but you have to love maintaining control and order. Without that, you’ll lose one of your most critical competitive weapons, and there will most certainly be no love sent in your direction.

Security is not a zero-sum effort. Your cloud environment, for example, is a dynamic state, so you’re always working to achieve and maintain a level of security that is acceptable; the process is a continuous one and will always require attention. Like any type of security, obsessiveness may serve a purpose, but it probably won’t help you achieve your goals because a dent in your security posture could come from innumerable possible places. Sitting around staring at it doesn’t constitute effective management of it, and frankly, it doesn’t accomplish much, either. This is where automation is key; automated and continuous monitoring of security controls in a cloud environment will keep you aware of the pulse and specifics of your resources and data, and it will free you to think about some of the more strategic aspects of keeping your infrastructure safe.

Security is, when done in the interests of others as well as yourself, an act of love. So on a day that celebrates love, let us not forget why we do what we do. We who endeavor to keep things safe love security, and even though we may not get a box of nuts and chews for it, we aren’t truly happy unless we spread that love…across every cloud resource, service, and environment.

Cloud Security This Week – February 9, 2018
../cloud-security-this-week-02092018/ | Fri, 09 Feb 2018 16:54:00 +0000
New from Evident.io
WEBINAR: The Evolution of DevSecOps Revisited
Register for our webinar on Thursday, February 22nd, 2018, where our panel of experts will discuss the relationship between DevOps and SecOps and explore whether or not it has evolved to be as harmonious as we hoped.

The Growth Mindset Applied to Cloud Security in Five Steps
Cloud security never stops, so it behooves IT teams to approach their security efforts with a growth mindset and focus on continuous improvement in managing their organization’s security posture.

Measure Your Cloud Security in 5 Steps
Because of constant change, you’re never dealing with the same cloud environment for very long, so it makes measurement difficult. Here are five steps to follow to determine if your team is actually making progress towards your cloud security and compliance goals.

The Stoic’s Guide to Cloud Security
Stoics practiced negative visualization; think about what you DON’T want to happen so you can experience its pain without having to actually go through its consequences. Turns out, it’s also a pretty good strategy for those responsible for the security of their organization’s cloud environment.

16 Ways to Protect Your Cloud from Ransomware
Cloud environments with poor configuration, lack of policies, and permissive behaviors lead to too many openings that are exploitable by ransomware. In this ebook, we look at the different pieces of the cloud stack and address their unique security needs with precautions that enterprises should take to make their environment far more resistant to ransomware threats.

News and Perspectives on Cloud Security
New Zero-Day Ransomware Evades Microsoft, Google Cloud Malware Detection
Google Drive and Microsoft Office 365, both of which have built-in malware protection, failed to identify a new form of Gojdue ransomware dubbed Shurl0ckr. The zero-day ransomware evaded most major antivirus platforms: only seven percent of 67 tested tools detected it.

Test Your Knowledge of the AWS Shared Responsibility Model
In a traditional data center, an enterprise exercises total control over its facility and assumes full responsibility for infrastructure security and operation. But with the public cloud, that all changes, and now, many users need to grow accustomed to the AWS shared responsibility model.

Mind the Gap: This Researcher Steals Data With Noise, Light, and Magnets
Cybersecurity experts spend a lot of time on preventing hackers from getting in to cloud environments, but new research emphasizes the importance of exfiltration prevention.

What is Cryptojacking? How to Prevent, Detect, and Recover From It
Criminals are using ransomware-like tactics and poisoned websites to get your employees’ computers to mine cryptocurrencies. Here’s what you can do to stop it.

Intel Releases New Spectre Patch Update for Skylake Processors
After leaving millions of devices at risk of hacking and then rolling out broken patches, Intel has now released a new batch of security patches only for its Skylake processors to address one of the Spectre vulnerabilities (Variant 2).

The Growth Mindset Applied to Cloud Security in Five Steps
../growth-mindset-cloud-security-five-steps/ | Tue, 06 Feb 2018 22:58:49 +0000
Psychologist Carol Dweck has done research on the concept of “mindset” in humans, and she’s determined that those who seek growth and progress are happier, more fulfilled, and actually achieve more than those focused on quick wins. Turn that idea to the world of cloud security and you’ll see that the same thing applies; a strategy and path centered on growth will ultimately yield better and more sustainable results.

Cloud environments are dynamic and constantly changing, as are other elements of your IT infrastructure. Those responsible for security therefore have a mandate to stay continuously vigilant in identifying and guarding against vulnerabilities. Hackers keep creating new ways to ply their trade, so security efforts can never stop. While that definition may draw parallels to Sisyphus and the boulder he was condemned to keep pushing up a hill, your cloud security and compliance efforts can, with the right approach, show demonstrable progress towards less risk over time and a more controlled overall environment.

The Evident Security Platform (ESP) is continuously monitoring AWS and Azure accounts so you have a picture of your cloud security status. It’s highly visual and you can see how your accounts, regions, controls, and signatures are performing against expectations and best practices. Controls that register in green are passing and therefore being managed correctly. Red controls indicate issues, and automated alerts with remediation steps are immediately delivered to the appropriate people. For those who are struggling with this concept, you want more green than red.

In the cloud, it’s the constant change that prevents you from being always green. Achieving a perfect score would require you to essentially freeze your cloud, and that defeats the whole purpose of operating in a highly connected, agile, and dynamic environment. But if you adhere to Professor Dweck’s idea of growth, you can use ESP as a way to constantly improve your security posture and measure progress towards better control. That requires you and your team to apply some discipline and best practices in order to use ESP as both a yardstick for your performance and a way to ensure you are truly growing in your ability to limit the risk to your cloud and data.

Growth towards a more secure cloud will be unique to each organization, but these are some steps you can take to help you and your team demonstrate growth and progress:

Create an action plan
The first question you need to ask is, “What do we want to achieve as a security team, and how can ESP help us get there?” A lot more green is kind of a goal, but it doesn’t address the specifics of your actual environment. Instead, start by prioritizing your risks and move forward with a plan to resolve them according to importance. If you build requirements around these priorities, it will keep you and your team on track, and the positive feedback loop you’ll see from ESP report histories should clearly identify the improvement in the overall health of your security posture.

Start with the CIS benchmark
The CIS AWS Foundations Benchmark can be a great starting point as it provides the framework for AWS security best practices that go beyond AWS out-of-the-box controls. These should mostly align with the typical enterprise’s high priority issues, but the standard itself provides a commonly-accepted and understood framework against which your team’s efforts can quickly start to see progress.

[Screenshot: CIS benchmark report in ESP]

S3 bucket fitness
Far too many major enterprise breaches have been caused by poorly configured and managed AWS S3 buckets. With that knowledge, it’s important to recognize how quickly lack of oversight of S3 buckets can create high risk situations. A good way to measure growth towards a more secure cloud is by applying remediation according to AWS S3 bucket fitness reports and measuring progress as controls move from any risk state (high, medium, or even low risk) to a passing score and the coveted green button.

[Screenshot: AWS S3 bucket fitness report in ESP]
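As an added illustration of what a bucket fitness check evaluates (example code written for this page, not ESP's implementation or its scoring), the Python below classifies each bucket from its policy document and its ACL grants using the same high/medium/pass vocabulary the report uses. The bucket names, policy JSON, grantee IDs, the account ID 123456789012 and the rule that maps findings to a level are all this example's constructed assumptions; the two global grantee group URIs are the real ones AWS uses for "everyone" and "any AWS account".

```python
import json

# ACL grantee URIs that open a bucket beyond your own account, and the level this
# example assigns to each (the thresholds are this example's choice, not ESP's).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "high",            # anyone on the internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "medium",  # any AWS account
}

LEVEL_ORDER = {"high": 0, "medium": 1, "low": 2, "pass": 3}


def _principal_is_wildcard(principal):
    """True for the policy spellings that mean 'everyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def assess_policy(policy_json):
    """Findings from a bucket policy: Allow statements whose Principal is everyone."""
    findings = []
    if not policy_json:
        return findings
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    for s in statements:
        if s.get("Effect") != "Allow" or not _principal_is_wildcard(s.get("Principal")):
            continue
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        sid = s.get("Sid", "<no Sid>")
        if s.get("Condition"):  # scoped by a Condition: still public until someone reviews it
            findings.append(("medium", f"statement {sid} allows {', '.join(actions)} to everyone, limited by a Condition that needs review"))
        else:
            findings.append(("high", f"statement {sid} allows {', '.join(actions)} to everyone"))
    return findings


def assess_acl(grants):
    """Findings from the bucket ACL: grants to the global AllUsers / AuthenticatedUsers groups."""
    findings = []
    for g in grants:
        uri = g.get("Grantee", {}).get("URI")
        level = PUBLIC_GRANTEE_URIS.get(uri)
        if level:
            findings.append((level, f"ACL grants {g['Permission']} to {uri.rsplit('/', 1)[-1]}"))
    return findings


def bucket_fitness(name, policy_json, grants):
    """Worst finding wins; a bucket with no findings passes."""
    findings = assess_policy(policy_json) + assess_acl(grants)
    status = min((lvl for lvl, _ in findings), key=LEVEL_ORDER.__getitem__, default="pass")
    return {"bucket": name, "status": status, "findings": findings}


def fitness_report(buckets):
    """Map bucket name to its status for a list of (name, policy document or None, ACL grants)."""
    return {name: bucket_fitness(name, policy, grants)["status"] for name, policy, grants in buckets}


# Constructed inventory. Account ID and canonical user ID are placeholders.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}
SAMPLE_BUCKETS = [
    ("public-assets",
     json.dumps({"Version": "2012-10-17", "Statement": [
         {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::public-assets/*"}]}),
     [OWNER_GRANT]),
    ("partner-share", None,
     [OWNER_GRANT,
      {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "READ"}]),
    ("internal-logs",
     json.dumps({"Version": "2012-10-17", "Statement": [
         {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
          "Action": "s3:*", "Resource": "arn:aws:s3:::internal-logs/*"}]}),
     [OWNER_GRANT]),
]


if __name__ == "__main__":
    for name, policy, grants in SAMPLE_BUCKETS:
        result = bucket_fitness(name, policy, grants)
        print(f"{name}: {result['status']}")
        for level, text in result["findings"]:
            print(f"  [{level}] {text}")
```

Run against the constructed inventory, public-assets lands in the high state because of its wildcard policy, partner-share in medium because any AWS account can read it, and internal-logs passes. Tracking that mapping over successive inventories is the progression from risk states to green that the paragraph above describes.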

Signatures
Within the ESP dashboard is the ability to view and identify risk status for all signatures of your cloud as well as custom ones you created. As more of these move from a risk status to a passing status, so too does your organization’s overall security posture become less vulnerable. The signatures reports will constantly change as more are created and adopted; seeing a progression away from signatures that are risky is an important metric towards a desirable cloud.

[Screenshot: signatures report in ESP]

Track project goals and assign KPIs
While seeing your reds turn to greens is a great way to demonstrate success, we recognize that some controls and signatures are fine with a medium risk score, or some aren’t worthy of any attention beyond their current state. The better way to grow is by attaching KPIs to growth in areas like region, severity, signatures and timeframes. Know what you want to measure, an accepted timeframe for resolution, and then use ESP history reports to identify success in terms of growth and, ultimately, a more secure environment.

There’s long been a notion that the cloud frees IT departments from regular management work. To the contrary, the cloud is complex and requires rigorous oversight and management; it’s the payoff for all its advantages. But that complexity need not prevent an organization from having control over their resources and data. It’s certainly not a one-and-done proposition, but rather, something that is addressed and managed continuously. By approaching it with a growth mindset, you and your team will know what to emphasize, when to work on it, and how to measure progress.


Photo by Alex King on Unsplash

Cloud Security This Week – February 2, 2018
../cloud-security-this-week-02022018/ | Fri, 02 Feb 2018 18:51:43 +0000
New from Evident.io
Evident.io CEO Tim Prendergast on AWS Acquisition of Sqrrl
Amazon’s move to fold Sqrrl, a threat detection startup, into AWS security services could help bring together its growing list of disparate security tools.

WEBINAR: The Evolution of DevSecOps Revisited
Register for our webinar on Thursday, February 22nd, 2018, where our panel of experts will discuss the relationship between DevOps and SecOps and explore whether or not it has evolved to be as harmonious as we hoped.

The Stoic’s Guide to Cloud Security
Stoics practiced negative visualization; think about what you DON’T want to happen so you can experience its pain without having to actually go through its consequences. Turns out, it’s also a pretty good strategy for those responsible for the security of their organization’s cloud environment.

Your Cloud Security Guide to the Super Bowl
The build up for this Sunday’s match-up has been massively filled with hype, but it’s nothing compared to what will happen if security teams don’t take care of their data and cloud environment.

News and Perspectives on Cloud Security
Security Not Keeping Up with Cloud-First Business Strategies
A new study from Hurwitz & Associates indicates that while more organizations are taking a “cloud-first” approach to their business operations, 40% felt that their security solutions aren’t as flexible and scalable as the rest of their cloud initiatives.

Google Cloud Gets Custom Access Controls
Google launched a new cloud security feature that allows its Google Cloud Platform customers to set up custom access policies for different user accounts, only allowing access to particular aspects of specific services.

Hackers Have Already Targeted the Winter Olympics – And May Not Be Done
The Olympics pit nations against each other for athletic supremacy in a hugely popular, global platform that lasts two weeks and is responsible for billions in advertising and revenue. Hackers are already exploiting it and it looks like it could get worse before the final medal is awarded.

Inside the World’s Biggest Cryptocurrency Hack—and How the Scammers Pulled it Off
Last week, more than $500 million worth of currency was stolen from Coincheck, a Japan-based cryptocurrency exchange. Questions abound about how hackers were able to penetrate a highly secure environment and what it means for the future of crypto.

Breach-Proofing Your Data in a GDPR World
Great advice from DARKReading: six key measures for enterprises to prioritize over the next few months.

The Stoic’s Guide to Cloud Security
../stoics-guide-cloud-security/ | Wed, 31 Jan 2018 17:06:59 +0000
“It is in times of security that the spirit should be preparing itself for difficult times; while fortune is bestowing favors on it, then is the time for it to be strengthened against her rebuffs.”
– Seneca

The Stoics were a school of thinkers in ancient Greece who developed a philosophy of personal ethics based on logic and integration with the laws of the natural world. It has become fashionable today to invoke the spirit of the Stoics for everything from product development strategies to long distance swimming because their advice was irreverent, yet sensible, and using it has helped athletes, world leaders, and business people perform better. It can even help those responsible for cloud environments to create and stick to a strategy for long term security.

In an effort to create an admirable and successful life path, the Stoics recommended using negative visualization and practicing misfortune. The idea is to create an experience and get your head around being in a worst case scenario. Visualizing that will ideally spur you to take steps to avoid that as an actual fate. It’s not a bad way to go because it enables you to try on failure without actually having to experience the repercussions of failure. In fact, it’s better because by working to avoid that failure, you can drive yourself in the opposite direction.

So how do we use the lessons from the Stoics, move past inertia, and get started on our path towards a more secure cloud environment? I started thinking about this in the context of GDPR. Those who are not in compliance with the standard by the May 25 deadline are liable to be fined the greater of either 20 million Euros or 4% of global annual revenue. Yet, preparing for GDPR is complicated in light of its fuzzy language. Some are choosing to take a wait-and-see approach, which will likely not end well. What would a Stoic do? He’d visualize having to go to his manager to explain why the company has to fork over 20 million Euros, and then consider the vitriol that will spew forth and the ensuing stress that will work its way up the chain of command, eventually to a board of directors meeting and his potential firing. Get that feeling in your gut and you will probably want to think backwards about how to avoid that fate.

That’s just GDPR. Think about your overall security and compliance posture. Consider being out of compliance with NIST – are you prepared to have your government contracts nullified? Or imagine not having comprehensive and continuous security automation, and think about what it must have been like when Equifax discovered their breach and had to watch $6 billion in market value evaporate within a week. Gaining some control over all of this and applying best practices to avoid a terrible outcome depends on exactly this kind of Stoic negative visualization.

The Stoic philosopher Seneca said, “Ignorance is the cause of fear,” but ignorance can no longer be an excuse. Over the past year, we’ve seen malware and ransomware top the list of offending hacks to major organizations. But there still exists a vibrant market for attacks with bots, DDoS, phishing, and even easier-to-discover issues, like an employee who inadvertently neglects to secure an S3 bucket or leaves API keys in a public GitLab account. You have an advantage, though: you know these are possibilities, and you know how these kinds of attacks penetrate an organization’s environment.

Seneca also said, “Difficulties strengthen the mind, as labor does the body.” Therein lies a core tenet of Stoic philosophy, but as part of a security team, you probably want to avoid actual difficulties. So it will help to consider the different types of potential issues and then work backwards to apply security automation along with rigorous cloud security best practices to strengthen your overall security posture. You can’t control the future, but you can make every effort to control your cloud environment.

The post The Stoic’s Guide to Cloud Security appeared first on Cloud Sentry Blog.

Cloud Security This Week – January 26, 2018
Fri, 26 Jan 2018 22:10:44 +0000

The post Cloud Security This Week – January 26, 2018 appeared first on Cloud Sentry Blog.

New from Evident.io
WEBINAR Replay: AWS S3 Security: Your 1 Week Action Plan
In this webinar, Justin Hubbard, Enterprise Solutions Architect at Evident.io walked through the AWS S3 security features that will help keep your data secure. He discussed common mistakes, remediation steps, and showed you how you can keep tabs on your bucket security no matter how dynamic your cloud environment is.

Deep Security Thoughts
Bob, Dick, Pete, and God’s tears. They all play a part in helping you create a more secure cloud environment. Find out in our new series, Deep Security Thoughts.

Get Cloud Fit: 11 AWS Cloud Security Best Practices
Get pumped up to get CloudFit with this informative infographic that walks you through the 11 best practices to help you secure and control your cloud environment. Just like your own efforts to be fit require continuous attention, so does the effort required to prevent hacks and breaches.

Patriots or Eagles? Every Day is Super Bowl Sunday for Cloud Security Teams
Football teams and cloud security teams are both playing on fiercely competitive turfs that require coordination of an endless number of moving parts.
News and Perspectives on Cloud Security
Ransomware Was Most Popular Cyber Crime Tool in 2017
Ransomware attacks on business increased by 90% in 2017, while attacks on consumers leapt by 93%.

Better Cybersecurity is Critical to Protecting Future Elections
Paul Rosenzweig of The Hill says that the cornerstone of democracy, the electoral process, is vulnerable to manipulation by hostile powers and bad actors.

Which CISO ‘Tribe’ Do You Belong To?
New research categorizes CISOs into four distinct groups based on factors related to workforce, governance, and security controls.

Bitcoin’s Fluctuations Are Too Much For Even Ransomware Cybercriminals
Bitcoin’s price swings are so huge that even ransomware developers are dialing back their reliance on the currency.

Measure Your Cloud Security in 5 Steps
Fri, 26 Jan 2018 21:01:14 +0000

The post Measure Your Cloud Security in 5 Steps appeared first on Cloud Sentry Blog.

Our world is obsessed with measurement, and I blame Moneyball. Once it became a bestseller, everyone wanted to use statistics to evaluate everything. How bad is your mother-in-law? Well she scored <6.7 in nine different categories related to emotional smothering; you know, that kind of thing.

I actually really loved the book, but I also subscribe to W. Edwards Deming’s apocryphal comment, “In God we trust. All others bring data.” That’s not a bad mantra for cloud security, where it is critical to always know the status of your security posture, measure it against previous performance, and have the foresight to aim at rigorous goals.

The cloud presents a unique environment in which to pull metrics and determine success or failure. Much like Heraclitus’ river, you’re never dealing with the same cloud environment for very long, which makes measurement difficult. For example, you may open an S3 bucket in your environment, configure it, and supply it with rigorous access controls. But then maybe that bucket gets accessed by an admin who doesn’t know about these controls and he inadvertently removes the credentials, or perhaps posts them to a Github repository for future reference by his team. Unless you have a tool to measure the efficacy of your security policies, you’ll never know if you’re getting a passing or failing score on S3 bucket risk.

The sad reality is that in most organizations’ cloud environments, they simply don’t know what they don’t know. It’s wildly eye-opening to find out how many major organizations operate under a presumption of security until they are breached. That is a bad policy, and one that often results from a lack of measurement.

Thankfully there are tools and frameworks to help you measure your cloud so your organization’s and customers’ data is protected. While the flexible nature of the cloud precludes a single silver-bullet checklist, organizations can be astute about how they pursue cloud security measurement with these steps:

Step 1: Identify all your cloud activity and access
Some organizations have centrally controlled IT environments while others are distributed. Many companies offer liberal admin rights at all levels across the organization in order to facilitate DevOps processes and expedite testing; many groups give developers authorization to create new buckets and virtual databases as needed. If you don’t have a snapshot of your entire cloud landscape and where activity exists, you need to first do that if you want to measure activity and performance.

It’s important not just to know where services and resources exist, but who manages them, the purposes they’re used for, who holds admin rights for them, and which security policies (if any) they abide by. This exercise may begin in a spreadsheet or checklist, but it will eventually become a critical catalog as you apply solutions to help you identify, monitor, and remediate security and compliance issues.

Step 2: Understand your current security policies
This might take you weeks of detail work, or it might take 30 minutes; it all depends on how you’ve approached security thus far. While cloud security is complex, don’t worry if you’ve been operating just on AWS or Azure out-of-the-box configurations. As best practices, they take a reasonable approach to things like least privilege for access, resource configurations, and handling third-party assets like APIs.

This step is not meant to be comprehensive. Rather, it’s intended as a way to level-set so you know roughly where you are so you can predict how far you have to go. If you have strict policies (and they’re being followed), then you’re probably in a state where you can accurately measure progress. But if you’ve been loose in your governance then you may need to initiate some structure as you move forward. The key is to know where you stand and anticipate how far you have to go.

Step 3: Apply necessary measurement
Fortunately there are a variety of cloud-specific security and compliance frameworks that give you policies and guidelines for how to construct your security posture. For example, the CIS AWS Foundations Benchmark, developed by the Center for Internet Security, can help you remove the guesswork because it provides a cost effective and commonly accepted path to deploy and assess your AWS security measures with confidence. The CIS benchmarks represent consensus-based security best practices for organizations of all types—government, business, and industry.

For organizations doing business with the federal government, the NIST Cybersecurity Framework and related standards like NIST 800-53 and NIST 800-171 offer comprehensive frameworks that lay the foundation for strict security policies and their ongoing compliance. There are a variety of other security and compliance guidelines, like PCI for payments, HIPAA for healthcare data, and a host of others, all intended to be foundational for your cloud activities and something that can be measured against.

Step 4: Initiate continuous security automation
A cloud environment never stops changing, and security simply never stops, so continuous awareness and knowledge of what’s happening in your environment is critical. It’s also humanly impossible to do manually. Using a tool that automates the continuous monitoring of your environment provides visibility into all your security controls and policies, and provides both a scorecard and a built-in measuring instrument so you can identify problem areas, track successes, and report on overall security performance when needed to fulfill SLAs and KPIs.

One of the reasons that so many organizations neglect to create a strict discipline around security is that baselining their current security stance, and then performing ongoing measurement, is nearly impossible by hand. As a result, continuous monitoring tools have been built to align with AWS and Azure controls, and with specific types of controls and signatures like those found in standards like NIST, PCI, HIPAA, and others.

Step 5: Continuous measurement
Given the scale of deployments in the cloud, it isn’t unusual for organizations to have millions of data points that need to be evaluated. After implementing a strategy like the one outlined here, you can begin to get a handle on all your cloud data in real time and rely on a sound infrastructure to rapidly isolate any security variation or deviation from known states. The key is that this needs to be continuous; the advantages are that you identify issues when they occur, and that you can begin to track your successes (and failures) over time. Knowing this will help you apply the right level of attention to areas where vulnerabilities exist.

Teams need to be able to measure and demonstrate security and compliance progress daily, not just during the yearly audit. With the right platform, you should be able to view your past and present security and compliance stances at the push of a button.
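Steps 4 and 5 describe a scorecard that is measured continuously and compared with a known baseline. The Python below is an added example, not code from this post or from Evident.io’s product: it evaluates a constructed resource inventory against a handful of hypothetical controls (the control IDs, descriptions and inventory fields are assumptions for this example and are not the CIS benchmark’s own numbering), computes a pass percentage to trend over time, and diffs two snapshots so you can see which checks regressed, which were fixed, and which resources appeared or disappeared between runs.

```python
"""Added example (not from the post): a minimal posture scorecard with drift detection.

The inventory format and the controls are assumptions for this example only;
a real tool would build the inventory from the cloud provider's APIs.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed "today" inventory, shaped the way a posture tool might collect it.
INVENTORY_TODAY: List[dict] = [
    {"type": "s3", "id": "payroll-exports", "public": False, "encrypted": True},
    {"type": "s3", "id": "marketing-assets", "public": True, "encrypted": False},
    {"type": "iam_user", "id": "alice", "mfa": True, "key_age_days": 20},
    {"type": "iam_user", "id": "ci-deploy", "mfa": False, "key_age_days": 400},
    {"type": "cloudtrail", "id": "org-trail", "multi_region": True, "logging": True},
]

# Constructed "yesterday" baseline: the marketing bucket was still private, the
# ci-deploy key was fresh, and an "old-logs" bucket existed that has since been deleted.
INVENTORY_YESTERDAY: List[dict] = [
    {"type": "s3", "id": "payroll-exports", "public": False, "encrypted": True},
    {"type": "s3", "id": "marketing-assets", "public": False, "encrypted": False},
    {"type": "s3", "id": "old-logs", "public": False, "encrypted": True},
    {"type": "iam_user", "id": "alice", "mfa": True, "key_age_days": 19},
    {"type": "iam_user", "id": "ci-deploy", "mfa": False, "key_age_days": 30},
    {"type": "cloudtrail", "id": "org-trail", "multi_region": True, "logging": True},
]


@dataclass(frozen=True)
class Control:
    control_id: str          # hypothetical ID, not a benchmark's numbering
    resource_type: str       # which inventory records the check applies to
    description: str
    passes: Callable[[dict], bool]


# Hypothetical controls, loosely in the spirit of benchmark checks (assumed, not CIS text).
CONTROLS: List[Control] = [
    Control("S3-1", "s3", "Bucket is not publicly accessible", lambda r: not r["public"]),
    Control("S3-2", "s3", "Bucket enforces encryption at rest", lambda r: r["encrypted"]),
    Control("IAM-1", "iam_user", "User has MFA enabled", lambda r: r["mfa"]),
    Control("IAM-2", "iam_user", "Access key rotated within 90 days", lambda r: r["key_age_days"] <= 90),
    Control("CT-1", "cloudtrail", "Trail is multi-region and logging", lambda r: r["multi_region"] and r["logging"]),
]


def evaluate(inventory: List[dict], controls: List[Control] = CONTROLS) -> Dict[str, bool]:
    """Run every applicable control against every resource.

    Returns {"<control_id>/<resource_id>": passed}; one entry per (control, resource) pair.
    """
    results: Dict[str, bool] = {}
    for control in controls:
        for res in inventory:
            if res["type"] == control.resource_type:
                results[f"{control.control_id}/{res['id']}"] = bool(control.passes(res))
    return results


def score(results: Dict[str, bool]) -> float:
    """Percentage of checks passing, rounded to one decimal: the number to trend over time."""
    if not results:
        return 100.0
    return round(100.0 * sum(results.values()) / len(results), 1)


def drift(previous: Dict[str, bool], current: Dict[str, bool]) -> Dict[str, List[str]]:
    """Diff two snapshots: what regressed, what was fixed, what is new, what disappeared."""
    return {
        "regressed": sorted(k for k in current if k in previous and previous[k] and not current[k]),
        "fixed": sorted(k for k in current if k in previous and not previous[k] and current[k]),
        "new": sorted(k for k in current if k not in previous),
        "gone": sorted(k for k in previous if k not in current),
    }


if __name__ == "__main__":
    before, after = evaluate(INVENTORY_YESTERDAY), evaluate(INVENTORY_TODAY)
    print(f"score yesterday: {score(before)}%  today: {score(after)}%")
    for kind, keys in drift(before, after).items():
        print(f"{kind:>9}: {', '.join(keys) or '-'}")
```

On the constructed data the score drops from 81.8% to 55.6%, and the drift report names exactly the two regressions (the marketing bucket going public and the stale ci-deploy key) rather than burying them in the full list of failures. Persisting each run’s `evaluate()` output is what turns a one-off audit into the daily, push-button view of past and present posture the post asks for.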

Deming is also credited with having said, “A rule should suit the purpose.” Cloud security will always be governed by rules – those created within your organization, by standards bodies, by the government, or by any of a number of groups who aim to make people and data safer. Heeding Deming’s advice means that measuring against those rules will help you define your purpose and identify the goals you need to hit.

 

Photo by Helloquence on Unsplash
