Cloud Sentry Blog (https://cloudsentry.evident.io), powered by Evident.io. Feed generated Thu, 09 Feb 2017 19:41:22 +0000.

Proud to Join the GV Portfolio (../proud-to-join-the-gv-portfolio/), posted Thu, 09 Feb 2017 12:00:49 +0000

We are pleased to announce that Evident.io was recently infused with $22M in fresh capital. This Series C funding round was led by GV (formerly Google Ventures) with participation from our existing partners at Bain Capital, Venrock and True Ventures. This investment strengthens Evident.io for the foreseeable future and allows us to continue operating in beast mode, accelerating to fully realize our vision.

Evident.io was founded in 2013, born out of the void of, and desperate need for, a cloud infrastructure security solution. My co-founder and CTO, Justin Lundy, and I experienced first-hand the entire gamut of how the cloud exposed the weakness of traditional security while working together to reinvent and secure Adobe’s Creative Suite in the Cloud. This is when the lightbulb moment hit — traditional security best practices do not translate to the Cloud, and we had the opportunity to effect change. As a result, Evident.io was born with a mission.

Since our beginning, we have been working at breakneck speed to create cloud security capabilities that are as easy to install and use as they are rock solid. The Evident Security Platform (ESP) is a SaaS-based platform that provides complete visibility across an organization’s public cloud infrastructure and enables consistent enforcement of policy requirements in line with industry compliance standards. ESP was designed specifically to help modern IT and DevOps teams automate and maintain security within the shared responsibility model that has become commonplace in today’s services economy. We approach security less like a transaction and more like a partnership. Working together, we’ll secure the cloud, defend your fortress, and increase your security awareness 24x7x365.

Today, with over 200 customers, we automate over 750 Cloud Security Best Practices and analyze more than 360 Million risks per day. ESP’s powerful transparency has thwarted countless attacks and has helped to remediate and secure thousands of vulnerabilities.

This infusion of capital will enable us to deliver our vision faster. We plan to accelerate company growth to address market demand by extending support for public cloud platforms beyond AWS to Microsoft Azure and Google Cloud Platform. We plan to accelerate the innovation and development of new features and capabilities of ESP to extend functionality beyond our infrastructure security and compliance automation offering. Our new automated Compliance Views for PCI, NIST 800-53, SOC2, ISO-27001 and BCBS 239 remain our focus in the near term.

To support these efforts, we are also growing the sales and marketing teams to target new geographies and vertical markets. The team will grow its commercial and government sales teams in the US, Europe, Asia and Australia.

We are excited to work with GV and look forward to learning from their expert team and gaining insights from their impressive network of portfolio companies.

Join our mission – evident.io/jobs/

View official press release

What Cool Cybersecurity Job is Right for You? (../what-cool-cybersecurity-job-is-right-for-you/), posted Mon, 06 Feb 2017 17:22:40 +0000

Information security is one of the hottest, most-desired careers. However, when I talk with college students and recent graduates, and even experienced professionals looking for a career change to cybersecurity, there is often a lot of confusion about where and how to begin. Interestingly, this conversation came up during a recent dinner with CSOs. The subject proved to be divisive even among this group, who regularly hire cybersecurity professionals.

During the dinner, some CSOs advised that those interested in a cybersecurity career should focus on cybersecurity-specific education, while others argued that it is better to focus one’s formal education in other areas, such as computer science or even business to better understand the nature of the business and the vertical market in which a security professional may work. The student would then minor in security. Perhaps the answers to these questions vary depending on the career path one chooses.

In addition to education and training, there’s the question of where the best jobs are in the field. While “best” is certainly subjective, it is important to give considerable thought to the specialty within the broad field of cybersecurity in which one wants to specialize. In fact, while many people speak of cybersecurity or information security as a career in itself, it’s actually a diverse field with many specialties, ranging from enterprise risk management roles to application security, forensics and investigations, infrastructure, malware, and many other disciplines.

In fact, there are so many positions and disciplines in cybersecurity that choosing one may not be easy for some newcomers. Fortunately, SANS has help for future (and current) cybersecurity professionals who seek an area of focus: The Top 20 Coolest Cybersecurity Careers list.

It’s both an interesting and a helpful list. For each career category, there are recommended courses. Here’s what they have to say about the CISO career, for instance:

#10 – CISO/ISO or Director of Security
“Seems like I can get a lot done with little to no push back”

Job Description

Today’s Chief Information Security Officers are no longer defined the way they used to be. While still technologists, today’s CISO/ISO’s must have business acumen, communication skills, and process-oriented thinking. They need to connect legal, regulatory, and local organizational requirements with risk taking, financial constraints, and technological adoption.

SANS Courses Recommended

Why It’s Cool

  •    “Authority always wins.”
  •    “These people get to decide where to build the “watch towers,” how many rangers are stationed in the park, where fires can be safely built, and the rules of engagement.”

How It Makes a Difference

  •    “You have the creative direction to influence and directly contribute to the overall security of an organization. You are the senior security player, the only one whom the CEO will trust.”
  •    “This position usually reports at a very high level, and gets to see and influence the big picture. You work with physical security, IT, the businesses, even the FBI and other law enforcement agencies.”
  •    “You are da Boss. You can pick and choose who does what, what gets done, and motivate and then share the credit with your people. You make a real impact on a daily basis.”

How to Be Successful

Organizations succeed by taking risks. But they frequently fail because they don’t manage the risk-taking very well. The risks are business risks, and the security team needs to see business constituencies as “customers.” The “this is how it’s always worked” approach must be thrown out. Data-driven decisions, devolving perimeter, any-device thinking, collaboration technologies, virtualization, and mobile data are diametrically opposed to prior thinking. Today’s solutions are tomorrow’s threat, and global and geopolitical landscape shifts are tightly coupled to intellectual and informational threats.

Experience is often the training ground; diverse thought and scenario planning are requirements for a good outcome. Focus on the business goals: Never forget that this is the basis for security thinking.

You should take the time to look at the other 19 job write-ups. As you’ll see, there are many paths in the enterprise to a cybersecurity career, so there’s no need for newcomers to feel they are getting themselves locked into something. After writing about cybersecurity for more than 20 years now, I can assure everyone that this field is indeed dynamic and anyone who picks an area of interest today and carves themselves a niche will always be able to shift their focus to another area if they wish with training and additional experience.

The reality is that many cybersecurity jobs either didn’t exist or were very sparse 20 years ago. And the day-to-day duties from as little as 10 years ago certainly don’t resemble what they are today. No one knows what this field will look like in 10 or 20 years. So if a cybersecurity career is something that is of interest, it’s best to pick an area and run with it. You just don’t know where the path will lead over time.

How to “Shadow” Shadow IT (../how-to-shadow-shadow-it/), posted Wed, 01 Feb 2017 18:21:43 +0000

Most CIOs know that employees within their organization have snuck a few applications past the IT department, but a new report from ESG indicates that they are greatly underestimating the extent that Shadow IT has infiltrated their environments.

This new brief reveals that “65% of enterprise IT professionals report being aware of a significant or moderate number of non-IT-sanctioned cloud applications being used at their organization.” This level of widespread Shadow IT can create significant security threats and introduce considerable waste, as employees in different business lines purchase similar unauthorized apps and services for common processes like storage and collaboration.

How can CIOs and CISOs manage, support and protect what is in their cloud effectively without having a true understanding of what might be dwelling in there? If they can’t see what cloud services are being consumed, they can’t see the risk that’s being incurred.

In order to be truly vigilant against security threats, being held for ransom or having data compromised, CIOs and CISOs need to “Shadow” Shadow IT.

As the comic book goes, “Who knows what evil lurks in the hearts of men? The Shadow knows.” We are not saying that the people who are skirting IT protocol to enable their teams with the apps and services they need for success are evil, just that the unknown consequence of Shadow IT may very well turn out to be.

To become the “Shadow”, CIOs and CISOs will need to leverage continuous monitoring and automation.

Continuous monitoring is the ability to maintain ongoing awareness of information security, vulnerabilities and threats. Setting up continuous security monitoring and policy controls is no easy task for organizations with a large cloud infrastructure, especially if there are so many services lurking in the shadows. Start by prioritizing what information would be the most valuable to potential attackers and investigate ways to continuously surveil and assess these systems.

Embrace automation wherever possible. Automation tools enable complete visibility into cloud infrastructure while fortifying what has been configured in the cloud with security best practices. As a bonus, automating security controls and risk remediation can free up time for your team to educate the rest of the company on the importance of IT protocol and the dangers of Shadow IT.

To find out more about how our technology can empower you to solve this problem, visit our website. ESP provides a single-pane-of-glass view of all of your AWS accounts, regions and services in one easy-to-customize dashboard. By consuming all of Amazon’s APIs, ESP can detect and reveal accounts that may have been lurking in the shadows, alert security teams to configuration changes and policy violations, and provide a path to remediation.

Six security essentials to jumpstarting a cloud security program (../six-security-essentials-to-jumpstarting-a-cloud-security-program/), posted Fri, 27 Jan 2017 17:36:01 +0000

When you are securing traditional on-premises systems, you own the responsibility for securing everything from the physical premises to the hardware, operating system, network, and applications.

In cloud deployments, it doesn’t work that way. Depending on the nature of the cloud service, there is always a part of the technology stack that the cloud provider is responsible for keeping secure, and parts whose security customers are responsible for managing on their own. Essentially, this concept is what Amazon calls the Shared Responsibility Model. The model applies to any flavor of outsourced cloud (of course, in an on-premises private cloud you own it all).

In public cloud, infrastructure-as-a-service, and platform-as-a-service, the provider owns the security of the physical layer and the infrastructure aspects of the cloud, as well as the aspects of the Compute, Storage, Database, Network and application services they offer. You, the customer, own the security configuration of your own operating systems, network traffic, firewall settings, and all of the security on your own systems that are used to connect to the cloud. We will dive more into the Shared Responsibility Model in future posts, but that’s essentially it. And to be secure, it’s imperative that you understand the security you own.

Before we do dive more into the Shared Responsibility Model in the future, it’s important to take a look at some security essentials that need to be taken care of always:

Security Essential One: Classify apps and data

Where do you start your focus on the security you own? Ask yourself what applications and data you have that are critical to running your business. What apps and data would cause executive leadership, stockholders, or customers to abandon ship if breached? What data, if leaked, could cripple the ability to conduct business or to effectively compete? What data would cause regulators to get into a whirr and possibly result in fines or sanctions?

All of these are the types of highly coveted business data, or government-regulated data, that you have to classify as critical and protect as such. This data, and the applications, servers, and systems that hold it, decide where you start your security efforts first, and will likely always keep the highest level of focus.

Security Essential Two: Keep an eye on application security

At times your attackers are going to target vulnerabilities in your web applications. And you do have attackers targeting your assets; whether you believe you do or not doesn’t matter, they’re still targeting you. To make sure your applications are as free of software vulnerabilities as you can make them, you have to actively look for vulnerabilities that create security risks. If the applications are open source or off-the-shelf applications, make sure to patch regularly and be sure to patch critical security flaws immediately. When building your own applications, it’s important that developers be trained in and use secure coding practices, and that applications be continuously examined for potential flaws. A good place to look for guidance on how to start an application security program is the Open Web Application Security Project (OWASP).

Security Essential Three: Get user identities and access under control

Put the processes in place to manage your user identities. This entails knowing who your users are, what job roles they have, and from that what applications and resources they should be able to access. It means limiting access to only those who have a reasonable need for those resources. And when the roles of these people change, change their access. When they leave for whatever reason, have their access revoked. This is one of the most important things one can do to keep a good security posture – and yet it’s one of the areas so many organizations skimp on.

Security Essential Four: Policy and Configuration Management

It’s crucial to establish policies for security checks, settings, and configuration levels for all of your systems, workloads, and apps. And just as vulnerability scans are important to find systems that are out of date, it’s important to check and ensure that systems are configured and running according to policy.

Security Essential Five: If it can be automated, automate it

If there is a security task that can be automated through scripts or cost-effectively offloaded to a security services provider – it should be done. Good reads on continuous security and continuous policy monitoring can be found here and here. If you are a smaller organization, scale the advice down to your size – but the precepts remain similar.

Security Essential Six: Be ready to respond

Of course, being on the steady lookout for security deficiencies in the organization is important, but many organizations, unfortunately, don’t bother to think about what comes next: remediation. When you start looking for security vulnerabilities, what will the organization do to remedy them? When you find violations of policy compliance, how will the gap be closed quickly? Be sure to think this through and plan ahead of time.

These essentials are just the beginning, and they aren’t meant to be comprehensive. They are meant to get the gears turning toward putting in place a cloud security program. There are many more posts coming, and in the next post on this subject we’ll take a closer look at what the Shared Responsibility Model means for securing cloud services.

Hadoop, CouchDB Users Latest Attack Targets (../hadoop-couchdb-users-latest-attack-targets/), posted Thu, 26 Jan 2017 13:42:54 +0000

The attacks on databases just keep coming.

First, it was the MongoDB attack, then as Evident.io’s John Martinez wrote last week in Elasticsearch Now In the Crosshairs – MongoDB Ransom Attackers Have New Targets, the Elasticsearch search and analytics engine came under assault. Now, most recently, poorly configured Hadoop and CouchDB databases were the targets of similar vicious attacks.

This time, at least for the Hadoop attacks, instead of attempting to extract a ransom from users, the attackers are simply infiltrating the targets and deleting whatever data they can. If that’s not a wake-up call for maintaining a good security posture, then I don’t know what would possibly do the job.

In this blog post, the Fidelis Threat Research Team pegged the potential number of exposed Hadoop installations at 8,000-10,000 HDFS installations worldwide. “A core issue is similar to MongoDB, namely the default configuration can allow “access without authentication.” This means an attacker with basic proficiency in HDFS can start deleting files,” they wrote.

It’s interesting that the Hadoop attackers did start to destroy data, unlike each of the other attacks which involved a ransom note demanding payment. And that’s exactly the pattern the CouchDB attacks followed.

When these attacks hit, they scale rapidly. For instance, according to accounts, the MongoDB attacks spiked from 12,000 to more than 27,000 in a day. And if you don’t want to get a message like the one that MongoDB users received, you need to continuously keep track of your configuration settings:

“Your database has been pwned because it is publically accessible at port 27017 with no authentication (wtf were you thinking?). Your data has been dumped (with data types preserved), and is easily restoreable [sic].

“To get your data back, email the supplied email after sending 0.15BTC to the supplied Bitcoin wallet, do this quickly as after 72 hours your data will be erased (if an email is not sent by then). We will get back to you within 2 days. All of your data will be restored to you upon payment.”

Access policies often have a big role in attacks of this nature. When it came to attacks on users of AWS Elasticsearch, in his post Martinez noted the following on securing resource-based policies:

AWS recommends that you don’t use an open access policy on your Elasticsearch domain, except for when testing with non-production data. We would go as far as to say that testing with an open access policy shouldn’t ever be practiced period. Our experience shows that development and pre-production environments are ripe for exploitation due to the lower security hygiene and less/lack of monitoring placed on them. What’s even worse is we sometimes think it’s easy to test in pre-production with real customer data (please DO NOT do that! or if you must, always make sure you anonymize).

If you have been fortunate enough not to have been victimized by any of these attacks, that’s great news, but now is a good time to check the security settings of your servers, workloads and cloud systems, because attacks like this on cloud-based systems are quickly becoming the new normal.

Today’s D’oh! Moment Could Be Tomorrow’s Front Page News (../todays-doh-moment-could-be-tomorrows-front-page-news/), posted Wed, 18 Jan 2017 23:47:58 +0000

  • Keys left in the front door when I was focused on getting inside safely.
  • Garage door left open all day because I was wondering if I shut off the iron.
  • Credit card left at the Starbucks as I made sure I had all my belongings.

Yes, I’ve done all those things. Perhaps I was just channelling my inner Homer Simpson.

Let’s face it — we’ve all made silly mistakes in our day-to-day lives that create security risks and privacy risks for our families and jobs. Thankfully, none of my mistakes have led to anything disastrous, at least that I know of, yet.

No matter how careful we are, or how well-versed we are in security best practices, it’s a safe bet that we all are making silly, absent-minded security mistakes daily that lead to security vulnerabilities in our cloud environments.

We know we shouldn’t keep root API access keys but don’t have time to create the other IAM users. We know that we shouldn’t use customer PII in test environments, but we’re in a rush, under pressure and don’t have time to anonymize. We know that there should never be open ports, but it will be easier to run the tests, and it will just be 10 minutes. We know that Welcome123 is a horrible password, but we’re drawing a complete blank at the moment, and plan to change it really soon. But, then stuff happens. You get distracted by your cube mate’s cat videos. You start thinking about something you need to do when you get home. Your mind moves on to the next task, and BOOM — you forget to fix the security mistake despite all your good intentions just moments ago.

The recent rash of MongoDB and Elasticsearch attacks has had me wondering how many of those open access policies and vulnerable clusters were caused by absent-mindedness rather than blatant incompetence. How many times did developers think “I’ll fix that other problem as soon as I get this thing working”, and the next thing they know the code has been deployed and their to-do list of fixes has been forgotten?

As security professionals (and these days we all need to be security professionals), we need to focus on quickly remediating risks and identifying ways to ensure that the mistakes don’t happen next time. However, keeping staff trained and tracking all the changes that take place in our dev, test and prod environments is impossible.

With continuous security and compliance monitoring, seamless integration into SIEMs, and real-time alerts that get issued out to the right team at the right time, we can use cloud security automation to our advantage and limit the liability that our mistakes can have on our business. So, while checklists on the cubicle wall and continuous training are great for reminders of security best practices, there is nothing better than building security policies and checks directly into the workflow.

After all, we all get lost in our thoughts now and then and forget to…

Elasticsearch Now In the Crosshairs – MongoDB Ransom Attackers Have New Targets (../elasticsearch-now-in-the-crosshairs-mongodb-ransom-attackers-have-new-targets/), posted Tue, 17 Jan 2017 17:16:37 +0000

As if the MongoDB sacking fiasco wasn’t enough, bored attackers have added ransacking of open AWS Elasticsearch clusters to their list. Late last week (and who knows how long before that), they began attacking Elasticsearch domains with open access policies. Access and permissions to AWS Elasticsearch domains are controlled via resource-based policies.

AWS recommends that you don’t use an open access policy on your Elasticsearch domain, except for when testing with non-production data. We would go as far as to say that testing with an open access policy shouldn’t ever be practiced period. Our experience shows that development and pre-production environments are ripe for exploitation due to the lower security hygiene and less/lack of monitoring placed on them. What’s even worse is we sometimes think it’s easy to test in pre-production with real customer data (please DO NOT do that! or if you must, always make sure you anonymize).

Evident.io takes these types of exploits in the wild very seriously. In order for our customers to identify, remediate and monitor for Elasticsearch domains with open access policies, we have released an Evident Security Platform (ESP) custom signature in our open-source repo: https://github.com/EvidentSecurity/custom_signatures/blob/master/elastic_search_open_access_policy.rb

We recommend that everyone that uses AWS Elasticsearch install and activate this ESP custom signature immediately. Instructions for creating a custom signature are here: http://docs.evident.io/#custom-signatures.
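To make concrete what an “open access policy” looks like, and what the quoted advice in the Hadoop/CouchDB post above is warning against, here is an added Python check over constructed Elasticsearch domain policy documents; it is not Evident.io’s ESP custom signature or any of its code. The account id, domain names, role name and CIDRs are placeholders, and the check also treats a Condition that only allows 0.0.0.0/0 or ::/0 as still open.

```python
"""Flag AWS Elasticsearch domain access policies that grant anonymous access.

Added example, not Evident.io code. A domain's resource-based policy is "open"
when an Allow statement names the anonymous principal ("*" or {"AWS": "*"})
without a Condition that actually narrows who may call it.
"""
import json

# Constructed sample policies; account id, domain and role names are placeholders.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/test-domain/*",
    }],
})
# Anonymous principal, but narrowed to one office CIDR: not open.
IP_RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {  # IAM JSON allows a single statement as a bare object
        "Effect": "Allow",
        "Principal": "*",
        "Action": "es:ESHttp*",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/prod-domain/*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
    },
})
# Looks restricted, but the CIDR is the whole Internet: still open.
WORLD_CIDR_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["*"]},
        "Action": ["es:ESHttpGet", "es:ESHttpPost"],
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/logs/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}},
    }],
})
# Scoped to one IAM role: not open.
ROLE_SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/search-app"},
        "Action": "es:ESHttp*",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/prod-domain/*",
    }],
})


def _as_list(value):
    """IAM JSON accepts a scalar wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for the anonymous principal in any of its spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _condition_narrows(condition):
    """A Condition narrows access unless it is empty or only allows the whole Internet."""
    if not condition:
        return False
    if set(condition) == {"IpAddress"}:
        ip_block = condition["IpAddress"]
        cidrs = _as_list(ip_block.get("aws:SourceIp"))
        if set(ip_block) == {"aws:SourceIp"} and cidrs and all(
                c in ("0.0.0.0/0", "::/0") for c in cidrs):
            return False
    return True


def open_statements(policy_json):
    """Return the Allow statements in a policy document that any caller can use."""
    doc = json.loads(policy_json)
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant access
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if _condition_narrows(stmt.get("Condition")):
            continue  # restricted by a real condition; review it separately
        findings.append({"actions": _as_list(stmt.get("Action")),
                         "resources": _as_list(stmt.get("Resource"))})
    return findings


def is_open_access(policy_json):
    return bool(open_statements(policy_json))


def audit_domains(domain_policies):
    """Map each domain name to True when its access policy is open."""
    return {name: is_open_access(policy) for name, policy in domain_policies.items()}
```

On a real account the policy documents would come from the Elasticsearch service API rather than the constants above; the evaluation logic is the same.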

If you have any questions installing this custom signature, please email support@evident.io.

—The Evident.io Team

PS – Not yet an Evident.io customer? You can try ESP free for 14 days and start securing your cloud infrastructure within minutes. Get started now to see if you have any high priority risks in your AWS environment.

The Big Cloud Security Skills In-demand Right Now (../the-big-cloud-security-skills-in-demand-right-now/), posted Fri, 13 Jan 2017 23:11:17 +0000

Whenever one looks at the cybersecurity job market, there’s never a lack of speculation as to the shortage of cybersecurity skills. And I don’t recall recently speaking with a chief information security officer who thought it was easy to find security talent.

Consider a recent report from the Center for Strategic and International Studies titled Hacking Skills Shortage. This study found that a majority of the 775 IT decision-makers surveyed believe that their organizations lack workers with the necessary cybersecurity skills. About a third of these respondents believe this cybersecurity-skill shortage is so severe that it makes them hacking targets.

Don’t expect this cybersecurity-skills-demand gap to close any time soon. According to the 2015 (ISC)2 Global Information Security Workforce Study conducted by Frost & Sullivan, there will be a staggering 1.5-million-person global cybersecurity worker shortfall in 2020.

This is good news if you are a job seeker, especially if you have the right set of security skills that employers need now. And with that in mind, I have been asking, quite informally, CISOs and CIOs over the past few weeks what cloud security skills they see as the most in demand in the near future. The skills I list below are the cloud security skills that came up repeatedly in these discussions.

Cloud Security Architects

Those who can manage cloud security assurance processes, understand how to review cloud vendor proposals, and vet planned deployments will be in high demand. Individuals involved in this type of work, such as cloud security architects, need strong communication skills to work with technical teams and business units alike. They need a good understanding of IT regulatory controls, privacy controls, and data security processes and controls. They must also be adept in the many technologies that intersect with the cloud, including networking, firewalls, encryption, identity management, virtualization, and DevOps practices, among others depending on the nature of the organization and its technology needs.

They must also be expert in migrating legacy on-premises systems to the cloud. Organizations need to know how to choose secure cloud apps and services and how to securely move systems to public and hybrid clouds.

Cloud regulatory and policy compliance expertise

As more applications, storage, and networks move to the cloud, more regulated data is sure to follow. Enterprises are going to need to understand where their regulated data resides, how it is managed, how it is secured, and how the security and regulatory compliance management of that data can be verified and, if need be, demonstrated to regulators and auditors.

Not only must the individuals in these security and compliance roles understand the technologies behind security and compliance controls – such as vulnerability and configuration management, encryption, change management and more – they must also understand SLAs and how to parse complex cloud services contracts, how to negotiate those contracts, or how to help the people in their organization who will be negotiating get better terms from cloud service providers.

Security data analysis

Increasingly, good security is about good insight into what is happening inside and outside cloud services and software-defined networks. This requires good data and the ability to analyze that data. Most of that security data today is gleaned from application, server, and network logs, behavior management systems, and other systems.

The skills in demand here include analyzing structured and unstructured data, working with data-processing frameworks such as Hadoop, predictive model development, decision modeling, and advanced visualization.

Secure cloud application development

As enterprises continue their digital transformation efforts, they will be developing more applications for cloud than ever before. And to meet app demand, they’ll continue to implement and optimize their continuous development pipelines. This increases demand for application security experts and those who can also automate tests in continuous development and integration pipelines.

Organizations are going to need more help when it comes to training and coaching development teams to develop applications more securely.

Of course, these skills will also be in demand for years to come, and likely help build the foundation for any long-term career in cloud security.

The post The Big Cloud Security Skills In-demand Right Now appeared first on Cloud Sentry Blog.

PagerDuty Incident Response Guide to Avoid the 3 AM Call
../pagerduty-incident-response-guide-to-avoid-the-3-am-call/
Thu, 05 Jan 2017 18:20:18 +0000

No one likes a 3 AM phone call; it doesn’t matter whether you’re running for President or you’re the lead DevSecOps engineer. Unless you’re prepared, 3 AM phone calls generally suck.

Running Evident.io’s ESP will help prevent those dreaded 3 AM phone calls from happening. Prepared AWS enterprises will do everything in their power to mitigate potential downtime.

Our partners at PagerDuty recently released a version of their incident response guide, which covers pretty much everything: preparing to go on-call, definitions of severities, incident call etiquette, how to run a post-mortem (with a post-mortem template), and even their security incident response process.

I’d encourage you to check it out, even if it’s just a refresher of the best practices you’ve already got in place.

PagerDuty Incident Response Guide

The post PagerDuty Incident Response Guide to Avoid the 3 AM Call appeared first on Cloud Sentry Blog.

Cybersecurity, Regulatory Compliance and the Big Senior Management Disconnect
../cybersecurity-regulatory-compliance-and-the-big-senior-management-disconnect/
Tue, 03 Jan 2017 20:16:03 +0000

When it comes to cybersecurity and regulatory compliance some things never change.

Despite ever higher fines, a rising number of data breaches, and more stringent government and industry regulations, too many C-level executives and senior-level managers remain out of touch when it comes to understanding data security, privacy, and regulatory compliance.

This makes it quite challenging for security professionals because, without C-level executive leadership behind cybersecurity efforts, it is far too easy for these efforts to simply be shoved aside. Who wants to have to deal with threat modeling new services, checking contracts for security obligations, putting good access control in place, or making sure applications are developed as securely as is reasonably possible? All these things do is bog projects down…

Of course, if an organization wants to remain secure such measures are essential. But the natural tendency of people and teams is the same as water: it’ll travel the path of least resistance unless guided otherwise. When it comes to cybersecurity, it’s guided not by riverbeds or plumbing but executive leadership. This is why a recent survey is so concerning.

According to the 2016 State of Compliance survey (conducted by Liaison Technologies) nearly half of the C-level executives and senior-level managers don’t know for sure what information security and privacy regulations apply to their organizations. About 500 executives and senior-level managers took part in the survey.

Additionally, and nearly as concerning, about 25 percent of survey respondents reported that they are not sure who is responsible for security and compliance in their organization and about half don’t think their data is secure in the cloud.

This kind of disconnect between senior leadership and cybersecurity should surprise me, but it doesn’t. The 2015 US State of Cybercrime Survey, conducted by PwC, CSO magazine, the CERT® Division of the Software Engineering Institute at Carnegie Mellon University, and the U.S. Secret Service, found that 28 percent of respondents make no cybersecurity presentation to their board of directors at all, and 26 percent (one in four) have a CISO or equivalent present to the board only annually.

That means about 30 percent of respondents said their senior security executives were in regular contact with the board through quarterly cybersecurity presentations.

These are dismal results, of course. And they point to the long-running discussion of the disconnect between cybersecurity and business executives – and why it is critical that this disconnect be closed. As NSS Labs CEO Vikram Phatak told me for the story Top executives and cybersecurity: a fickle relationship?, “Board oversight is intended to keep executives focused on those things that are strategically important to an organization. As such, board involvement means that executives will see cybersecurity as one of the long-term strategic objectives they need to balance and place value on it accordingly.”

Of course, none of this is easy, or most organizations would be doing it already. Ensuring that business leadership and cybersecurity goals are properly aligned will be an important topic covered here in the next year. In the meantime, there are lessons to be learned from other industries’ efforts at effecting culture change.

In this story, Aligning Cybersecurity with Corporate Culture, the author cites researcher Philip Sutton’s four shifts in emphasis that characterize the evolution of workplace safety culture:

  • From an employee responsibility to a management responsibility.
  • From post-accident coping to prevention.
  • From nonsystematic management to whole system management.
  • From risk reduction to risk elimination.

“When managers took up the safety mantle—establishing and enforcing safety protocols, providing worker training, and encouraging supervisors and employees to report hazards—accidents and injuries declined sharply. Eventually, most organizations established strong workplace safety programs aimed at eliminating risk altogether,” JR Reagan, global chief information security officer, Deloitte Touche Tohmatsu Limited, wrote in his post.

There’s good reason to think, as Reagan said, that such lessons about risk reduction from other domains should be embraced – and not just by security practitioners, who already know what is at stake and largely what needs to be done, and who are placed at a disadvantage without the proper support in place. Without that leadership involvement, and a culture of security behind it, cybersecurity too often becomes just something that gets in the way, and so it gets pushed aside.

The post Cybersecurity, Regulatory Compliance and the Big Senior Management Disconnect appeared first on Cloud Sentry Blog.
