It is the season for new year’s resolutions and planning. In an environment of a constant bombardment of security advice, where do you start? This blog combines decades of hard lessons with newer best practice distilled into a few practical pieces of advice, ready to take your security team to the next level.

Prioritize Metric Driven Impact Security

Change your security metrics from measuring work done, to measuring achieved security outcome:
  • Some measure time until patches are applied.
  • Others measure how many high-risk vulnerabilities they have.
  • Measure the percentage of machines that are PCI compliant and improve on that metric.
Measure daily and provide instant feedback to the security engineers:
  • Some companies measure their security posture every quarter, spending days or weeks collecting data in spreadsheets and making the graphs by hand, and only then share the metrics with senior management.
  • A leading CISO calculates their posture every day and every security engineer gets the rewards of the work done the day before.
Trend directionality is more important than absolute values:
  • Some CISOs count the number of non-compliant hosts and despair when the number increases.
  • Some calculate the percentage of non-compliant hosts and despair when that number is high.
  • A leading CISO knows that workloads in the cloud scale up and down, so it is more important to measure the percentage of compliant hosts and whether that percentage is moving in the right direction.
Pivot from counting vulnerabilities to counting compliant hosts:
  • Counting absolute vulnerabilities made sense when the number of vulnerabilities was manageable.
  • Leading CISOs realize that counting compliant and secure hosts is more relevant.
Remediate for the highest impact of work done and not the highest CVSS score:
  • Many organizations sort their vulnerabilities by CVSS base score and do the highest scoring vulnerabilities first, typically one at a time.
  • A leading CISO consolidates remediations so that the cumulative service pack or SSL certificate that fixes the most vulnerabilities across the most hosts is applied first.
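The two orderings side by side, as an added worked example that is not part of the original post: the classic CVSS-first list against remediations ranked by how many findings and hosts each one closes, with the percentage-of-compliant-hosts metric from the previous section used to show the difference in achieved outcome. The hosts, vulnerability ids, scores and remediation names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample scan findings: (host, vulnerability id, CVSS base score,
# remediation that closes it). Every identifier here is made up.
FINDINGS = [
    ("web-01", "VULN-1", 9.8, "hotfix-app-x"),
    ("web-01", "VULN-2", 6.5, "cumulative-update-q1"),
    ("web-02", "VULN-2", 6.5, "cumulative-update-q1"),
    ("web-02", "VULN-3", 5.3, "cumulative-update-q1"),
    ("web-03", "VULN-2", 6.5, "cumulative-update-q1"),
    ("web-03", "VULN-4", 7.5, "renew-tls-cert"),
    ("api-01", "VULN-4", 7.5, "renew-tls-cert"),
    ("api-01", "VULN-3", 5.3, "cumulative-update-q1"),
    ("db-01",  "VULN-5", 4.3, "cumulative-update-q1"),
]
ALL_HOSTS = ["web-01", "web-02", "web-03", "api-01", "db-01", "db-02"]  # db-02 is clean


def rank_by_cvss(findings):
    """Classic ordering: vulnerability ids sorted by highest CVSS base score first."""
    top = {}
    for _, vuln, score, _ in findings:
        top[vuln] = max(score, top.get(vuln, 0.0))
    return sorted(top, key=lambda v: (-top[v], v))


def rank_by_impact(findings):
    """Impact ordering: (remediation, findings closed, hosts touched), most impact first."""
    closed = defaultdict(int)
    hosts = defaultdict(set)
    for host, _, _, fix in findings:
        closed[fix] += 1
        hosts[fix].add(host)
    return sorted(((fix, closed[fix], len(hosts[fix])) for fix in closed),
                  key=lambda t: (-t[1], -t[2], t[0]))


def compliant_pct(findings, all_hosts, applied=()):
    """Percentage of hosts with no open finding once the given remediations are applied."""
    open_hosts = {h for h, _, _, fix in findings if fix not in applied}
    return round(100.0 * (len(all_hosts) - len(open_hosts)) / len(all_hosts), 1)


if __name__ == "__main__":
    print("CVSS-first order:  ", rank_by_cvss(FINDINGS))
    print("Impact-first order:", rank_by_impact(FINDINGS))
    # First work item under each strategy and the compliance it buys.
    print("after hotfix-app-x:        ", compliant_pct(FINDINGS, ALL_HOSTS, ["hotfix-app-x"]), "%")
    print("after cumulative-update-q1:", compliant_pct(FINDINGS, ALL_HOSTS, ["cumulative-update-q1"]), "%")
```

With this data the CVSS-first pick leaves compliance unchanged at 16.7%, while the highest-impact pick lifts it to 50.0% in one change.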

Reduce Blast Radius

Are you containing your blast radius? Segment your networks, data, applications, and cloud infrastructure to make watertight compartments to ensure that attacks will not sink your company:

  • Separate functions like Exchange and Outlook Web Access onto different servers
  • Have different AWS accounts (and passwords) for production systems and their S3 storage for backup
  • Have many small AWS security groups
  • Separate subnets for public access and backend systems
  • Multiple DMZ subnets for different functions
  • Multiple database servers for different functions
  • Smaller separate subnets in large offices

DevOps Your SecOps

Ensure your security tools have APIs, SDKs, and examples:
  • Many companies manually schedule scans, download reports, and review results.
  • Other organizations have security alerts sent to them via email.
  • Cybersecurity providers are increasingly making APIs available. The best APIs come with SDKs in popular languages like Python, ready for integration into your code, and plenty of examples.
  • A leading CISO only buys from companies with robust APIs, SDKs, and examples and applies their DevOps methodologies to integrate their security vendor into their security operations.
Bake security into your “golden image” by creating a pipeline:
  • Some companies take months to make a new “golden image” with manual regression testing.
  • Better organizations have their “golden image” built in a “create pipeline” with daily builds using the newest patches and full unit testing.
  • A leading CISO has configuration testing and vulnerability assessment as part of their “golden image” build pipeline, and breaks the pipeline if vulnerabilities are found.
Bake security into your cloud deployment pipeline:
  • Modern cloud implementations push to production several times a day using continuous integration pipelines.
  • A leading CISO runs vulnerability and configuration assessment as part of every deployment.
Automatically retire cloud instances that fail a vulnerability scan:
  • Some cloud software teams launch their workloads in auto scaling groups that are self-healing, automatically restarting workloads that fail.
  • Better teams ensure newest images are used when restarting a workload.
  • Best teams monitor workloads for health, CPU, RAM, disk, and “shoot” under-performing instances instead of repairing them, to allow the self-healing process to launch the newest version of the image.
  • A leading CISO expands on that process and automatically retires older images with vulnerabilities as part of their daily automatic scans.

Ensure you're secure in the cloud this year by partnering with Alert Logic.

Fortra's Alert Logic Staff