Seeking solutions that make a difference
Sometimes I take consulting calls from clients to help them with cloud security solutions via the phone. Customers will get on the phone and say, “Tell me what everyone else is doing.” I understand why people would want to take this approach. However, when I get this question, I generally respond that I don’t think you want to do what everyone else is doing. Just look at the breach statistics. I’m not a status quo or a “because that’s how we’ve always done it” type of person. Let me get that out of the way up front to save us both some time, if you are. If you are open to new ideas, or want to know why I think differently about security solutions, read on.
At companies where I previously worked or got training, I was not always in agreement with the status quo in approaches to cybersecurity and application development, which led to some of my early white papers and presentations on cloud security and data breaches. I know everyone is doing the best they can, but I’m always seeking better solutions, especially when the current solutions aren’t working. I want to help organizations close security gaps in a more efficient manner. I see a problem right now in cybersecurity, and I want to help people solve it in better ways with tangible solutions, not abstract concepts. I’ll talk more about forward-looking solutions in a minute, but consider this when you want to know why you probably don’t want to do what everyone else is currently doing.
2019 was one of the worst years on record for data breaches, if not the worst. The report indicates there is a silver lining based on the number of records stolen. However, I wonder if this number includes cases where attackers encrypted files in a ransomware attack, but did not expose or exfiltrate them. I don’t know exactly how they calculated these numbers, but either way, it’s not a fantastic statistic.
Data breaches soared by 17% in 2019: 'We also saw the rise of a significant new threat'
Data breaches were on the rise last year, but there's a silver lining. The number of reported data breaches rose 17% to…
This article states that 2019 was the worst year on record for health care.
Report Reveals Worst State for Healthcare Data Breaches in 2019
A report into the spate of data breaches that ripped through America's healthcare industry last year has revealed that…
Here’s another report with breach statistics for 2019.
In 2019, a total of 7,098 reported breaches exposed 15.1 billion records - Help Net Security
In 2019 the total number of records exposed increased by 284% compared to 2018, according to Risk Based Security. In…
Based on what I post on my Twitter account @teriradichel, where I report breaches as time allows and comment on what caused them if that information is available, 2020 is not looking much better. Some companies are handling security differently, and their names are not in the headlines. Some companies are doing a great job with their cybersecurity and are just unlucky or had a very targeted attacker after them. But I can tell you from personal experience, some companies that have not yet been in the headlines are just lucky. Holes exist in their cybersecurity practices — gaps that can be identified and fixed.
When you’re approaching something in a futuristic way, sometimes people aren’t comfortable with that and want to stick with what they know. When I say futuristic, I mean projections based on experience, data, and logic, not new-fangled ideas without any basis. Some people proposing “new” and “modern” security ideas are throwing out all the principles from many years of experience with data breaches and security. I’m not one for tearing down the house and building a new one if the disruption and cost will cause more problems than the status quo. We should learn from history to avoid past mistakes. But when something isn’t working, why would you continue to mimic it?
I prefer to present forward-looking security solutions. Some people like this and are open to new ideas. Others want to stick with the things that they are used to and comfortable doing or using. I understand this and am not suggesting companies are doing everything wrong, either. I’m just trying to provide some ideas that might help reduce those breach statistics based on what causes them to rise. You can take a gradual approach to get to some future improved state. It doesn’t need to happen overnight. Figure out small iterations of change you can implement to move toward an objective that will bring about positive change.
Sometimes people think the things I suggest are not feasible or possible. I know they are. My entire life, I’ve been telling people about things that are going to happen, and they don’t believe me — and then it does. My first presentation in my first class when I started my master’s degree in 2013 at SANS Institute was about cloud security. I presented on security automation at SANS Networking 2016 when no cloud security classes existed. I knew the cloud was a thing, and it was not going away.
I saw the benefits that automation could bring, along with the risks associated with moving to the cloud due to the potential lack of visibility and control. In my opinion, the pros outweighed the cons, depending on the specific cloud provider and customers’ continued efforts and assessments to keep them honest. Additionally, security controls need to be implemented correctly. I go over all of that at a high level in my book, Cybersecurity for Executives in the Age of Cloud.
One company recruited me to architect their cloud solution and lead a team to do it. I said, “I’ll come if I can do it the way I want to.” We built a secure, automated pipeline and development environment with segregation of duties built in. We only had a team of 30 people with 3 people on our DevOps team. You can do it too. I wrote about those ideas in my 2016 white paper about deployment pipelines with built-in security checks and automated security remediation: Balancing Security and Innovation with Event Driven Security. Now many people are talking about and doing those things, but at the time they were not. I had many other ideas that never got implemented before I left. Some of those thoughts are incorporated into my book.
My ideas about automation, security, and metrics come from a broad range of experience. I have performed due diligence for venture capitalists, worked in telecom when an oil company moved from leased lines to frame relay, and managed systems for a prior company I founded in my ‘data center’ (OK, it was a rack at Internap, but still, I had the lovely experience of racking and stacking). I tried to write a SaaS content management solution and web application firewall when those terms did not exist. No one understood what I was trying to do.
Later I moved to a managed hosting service, managed email services, and managed spam filters back in the day when spam was everyone’s worst nightmare. I found out how cloud solutions pose a risk if you don’t have the logs to solve problems when needed. I learned that vendors don’t always have more security knowledge than you, nor are they always taking care of your security when you think they are. You need to ask, review third-party assessments, and continue to monitor over time.
As both a software engineer and a security professional, I see the convergence in these spaces and potential new technology solutions that would help stop many breaches. I’m a database person and an e-commerce and financial application specialist, though I’ve built systems for sales organizations, retail, security cameras, firewalls and security appliances, the printing industry, manufacturing, health care, and many others. I see so many ways that IT systems and cybersecurity can learn from the way the financial systems manage money. I see how transactions in security systems need to add up the same way financial transactions do. Because I have new ideas about how we can use convergent technologies in new ways doesn’t mean that I, like some, want to throw out old solutions because they are hard or present a smoke-and-mirrors solution that doesn’t actually work.
I am a fan of data-driven and automated solutions based on tried and true fundamentals and axioms. Certain things do not change, even though the technology does. These are all the things I write about in my book. I end the book with a history lesson showing how the more things change, the more they stay the same. I walk through fundamental security principles initially — things that cost me a lot of my own money through experiences and training to learn. I explain how some of these things change or stay the same in the cloud. There are about 40 pages of references to back up what I’m telling people about cybersecurity if anyone wants to do a deeper dive on the topics.
In the final chapters, I propose new ideas and methodologies for better metrics, compliance, and security management. These chapters are not on my blog, though most of the content is, in a very raw form with many typos. The book has additional content you won’t find on the blog in just about every chapter with the real summation of the reason for the questions in the book at the end.
If you come to me for advice and ask what everyone else is doing, I may not be able to or even want to give you that solution, because I don’t think what many companies are doing, especially if not correctly leveraging cloud technologies, is working. Additionally, in some spaces I believe the technology will evolve and improve in the near future to provide better solutions than exist currently. I want to give customers a plan for better security based on a culmination of experiences across many different domains. Additionally, I tend to see into the future in some cases as to where trends and technology are going. When a fellow developer told me people would never use Linux as a desktop when I was young, I said, of course not — it’s for data centers.
Rather than just purchase the latest technology, companies have to use it appropriately. For some of the security problems that exist currently, I don’t think we have the best answers right now. There is a lot more work to be done. I may not give you a solution based on what everyone else is doing, but I can provide the information to evaluate and come up with a better one than the ones that exist currently in some cases. I can also provide strategies for assessing and implementing solutions that provide better value using existing products and technologies. Most vendors are open to suggestions — especially companies like Amazon and their #awswishlist. Customers and vendors can work together to come up with better solutions than those that exist today.
If you engage me in a consulting call or read my book or blog, and you are seeking the status quo, you may be disappointed. I encourage clients to do better than what we are currently doing in cybersecurity. My company, 2nd Sight Lab, is researching new tools to help us provide more value for assessments and pentesting using automation, combined with manual analysis that dives into how systems work at the core. We base our cloud security assessments and penetration tests on what causes data breaches and what most effectively prevents them. If you want to hire someone who is always researching and testing out better solutions and looking for a better answer, you can reach out to me on LinkedIn. I currently answer questions for customers of IANS Research. IANS does not accept all types of companies as clients. If you fall outside the bounds of their services, I may be able to answer your call directly.
Teri Radichel — Follow me @TeriRadichel
© 2nd Sight Lab 2020