Tag Archive for: Dr. Mike Lloyd

Why Cloud Security Posture Management Is Essential to Your Overall Security Plan

I think we’d all agree the last year and a half has brought disruption, and cloud security wasn’t exempt. The Covid-19 crisis has dramatically expanded attack surfaces as companies transitioned to remote work and embraced the cloud. But let’s be clear: the cloud is not a magic bullet. Yes, the cloud is relatively new and exciting, and it does prevent some of the old security mistakes. And yes, the cloud does close off some previously vulnerable spaces. But at the same time, it opens up new ways to do things wrong.

This is where a strategy called cloud security posture management (CSPM) comes in. The goal of CSPM is to find and reduce attack surfaces, and then eliminate misconfigurations through continuous monitoring of cloud infrastructure. This is important, because more than 99% of cloud breaches have their root cause in customer misconfigurations and mistakes, according to Gartner.

House on fire

I like to use the analogy of a brick house. Even if a house is made of perfect bricks, is it immune to falling down? No. Naturally, when you build a house, you want to make sure the bricks you’re using are solid. But even then, the house can still fall if built incorrectly. Cloud innovators push an approach called “shift left” (meaning detecting problems sooner in the build process), but this is no replacement for checking the final result. After all, no matter how carefully you check a building’s blueprints, the final structure will inevitably be different.

CSPM automates the process of ensuring the individual bricks are OK, but more importantly, makes sure the house as a whole is constructed properly, so it won’t collapse when the big bad wolf (or a squad of hackers) comes along and tries to blow it down.

But what makes CSPM so compelling from a security standpoint is that it’s proactive, not reactive like endpoint management or extended detection and response (XDR). These are analogous to fire alarms for your building. Alarms are necessary for sure, but you have to actually prevent some fires, not just wait and react. So, while firefighting is critical, part of your budget should be for tools that prevent fires in the first place and plan ahead for resilience of your infrastructure when a fire does break out.

CSPM is all about being proactive and putting the right processes in place so that fewer fires start, and spread less when they do happen. Sure, mistakes and misconfigurations will still happen. CSPM recognizes this reality, but proactively hunts for the ingredients that drive security fires rather than just accepting that they can’t be stopped.

The fantasy of DevSecOps

Your developers are not security gurus. The framework called DevSecOps advocates adding security practitioners into the software development and DevOps teams. DevSecOps strives to find a happy balance between development teams that want to release software quickly and security teams that prioritize protection. But, to me, this is too optimistic a notion – it glosses over the fundamental differences that must exist between security thinkers and app developers. Developers think “how can I make this work?”, but security is about thinking backwards – “how can this be abused?”

Security is also fundamentally a big-picture problem, where all interactions have to be considered. Getting back to the building analogy, CSPM lets you compare the final structure to the blueprints used to construct it. It allows you to examine the building to see whether there are any flaws or points of structural weakness that the bad guys can exploit to get in. Humans aren’t good at continuous detail checking, but it’s a great job for automated software.

Context is king

Context is everything. The blueprints don’t tell you whether you’re building on sand or building on bedrock. CSPM provides that critical context not just for one section of your structure but for the entire building and its surroundings.

CSPM also automatically determines whether all the cloud applications and services across your entire organization are configured correctly and securely. It’s simply not possible to hire enough security professionals to do that on their own. It’s not that people you have aren’t good; it’s that you’ll never have enough people who are experts in all the rapidly changing cloud languages and configurations.

Bad guys are actively hunting for new openings in your cloud. CSPM is quickly becoming one of the best ways to close the gaps in your security posture and shut the door on those who intend to do you harm.

Check out RedSeal Stratus – our new CSPM tool that offers the worlds most accurate, reliable, and actionable approach to calculating access and exposure. You can join the pilot program now!

Cloud Security Posture Management (CSPM) Done Right

Cloud security is maturing – it has to. We’ve had too many face-palm worthy incidents of organizations hearing “hey, I found your data in a world readable S3 bucket”, or finding a supposedly “test” server exposed that had production data in it. Happily, we are emerging out of the Wild West phase, and some order and maturity is emerging, and along with it, new lingo.

Gartner divides the emerging ideas into three main disciplines – CASB, CWPP, and CSPM. Think of these as if you’re securing a (pre-pandemic!) office building. CASB is your ID badge reader, and CWPP is your video surveillance. Cloud Security Posture Management (CSPM) is everything else you do to secure your building, like having a security guard walk around to look for gaping holes in the wall, or the sounds of someone drilling through a safe.

CSPM is arguably the hardest area to understand, since it’s so broad, but that same breadth is what makes it the most important to get right. In comparison, having no badge readers at all would be bad, but you don’t have to go overboard – you just need a reasonable check that you’re not letting everyone in. Posture management is different – CSPM isn’t a point solution, it’s the approach of always asking “what else have we forgotten?”

CSPM in more detail

If you ask for a crisp definition of CSPM, it’s hard to find one – after all, Posture Management can refer to the mindset of “how could we be attacked, what are the consequences if it happens, and what can we do it mitigate it?” I find it easiest to split this into three main questions – what have you got, what are you doing to protect it, and what’s the level of risk? All of these are familiar to experienced security professionals – we’ve been asking these same questions about IT networks forever. So why is it different in Cloud?

For legacy on-premises networks, the hardest question was “what have you got?” – rapid growth and technology change made keeping an accurate inventory challenging. Cloud disrupts this in some interesting ways. Each cloud account has a controller for the software defined network, which solves one problem, but then goes and creates another. It’s impossible for any network to exist in a software defined cloud that the controller did not create for you. This means you can always tell exactly how big any one cloud network is. Problem solved, right? Not so fast – anyone who’s tried to inventory cloud footprint realizes that this same controller is changing things so quickly you can’t keep up. It’s also so easy to add new cloud networks that people do it and then forget to tell security, so the inventory problem just moves up a level – not “find the missing router”, but “find the missing cloud account”.

In CSPM, most of the key innovations are focused on the second question – “what are your protections, and are they working?” Cloud disrupted this too, bringing innovations that are incompatible with a lot of the traditional security stack. It’s not that question 3 – risk assessment – is unimportant. It’s just that it isn’t so deeply impacted by the differences between cloud, hybrid, and on-prem. Risk assessment is strategy, not tactics.

So why has cloud disrupted the question of whether you have working protections in place? Well, going back to the start of the article, that unintended exposure of a cloud storage bucket represents a mistake we simply couldn’t make until there was a cloud. Sure, every cloud comes with many strong security controls. But that’s the problem – there are so many enforcement controls that are all new, all different, and are like nothing we did for the past 40 years in on-premises data centers. Novelty is great for innovation, but terrible for security. Coordinating all the new controls and ensuring they are used correctly is the core job for CSPM. Basic checklists aren’t enough – just as we’ve found with all previous network technologies, a network built out of individual compliant elements can still fail as a system, like a house built out of perfectly formed bricks which can still fall down if assembled incorrectly.

This is why the core discipline in CSPM is visibility, so you can achieve end to end understanding of what is exposed and what is not. Figuring out access – what can reach what, and especially, what is exposed to the Internet – sounds so basic, but has become explosively complicated. It’s impossible to hire enough certified security professionals with deep enough understanding of all the cloud dialects used across an organization. So the only solution is to focus on CSPM – building up a map of your cloud assets, then looking across all the layers to ask “what is exposed?”

For more information on RedSeal’s CSPM solution, RedSeal Stratus, check out our website. Or sign up for our Pilot Program and test drive RedSeal Stratus yourself!

Why don’t we live in walled cities anymore?

IT Pro Portal | April 27, 2021

Let’s analyze security and defense over the ages through a Covid lens.

From ancient Jericho through to medieval Constantinople, people built walls around cities as a main method of defense for around 10,000 years.  But we don’t live in walled cities any more – why not?  That’s a really big change, and it deserves an explanation.

Our companies aren’t walled cities, but they certainly had a strong tradition of being centralized and walled off.  A year ago, we suddenly found that we couldn’t do that any longer. I’ve spoken to many managers who were frankly surprised at how well it has worked to abruptly change the paradigm, and let people work out in the community, away from the supervisor’s beady eye, and outside the protective walls of the building or the network.

2021 Cyber Predictions from Dr. Mike Lloyd, Chief Technology Officer of RedSeal

Solutions Review | February 2, 2021

Today, we present new 2021 Cyber Predictions from Dr. Mike Lloyd, Chief Technology Officer of RedSeal.

It’s hard to conceptualize, but we only just started 2021. Given how much has already occurred, both carrying over from 2020 and fresh challenges, it can prove easy to forget that the year is still young. There’s plenty of time yet to change course on your business’ cybersecurity and respond to predictions.

As such, we wanted to share these 2021 predictions on enterprise cybersecurity from Dr. Mike Lloyd, Chief Technology Officer of RedSeal. These predictions were submitted as part of our first annual Cybersecurity Insight Jam.

Simplifying security: how to navigate the integration challenge

Computer Fraud & Security | January 2021

We deploy a lot of security technology, but breaches continue. Either we’re bad at this or the game is stacked against us.

It turns out it’s the latter – there are structural reasons why security remains so elusive. We’re short staffed, up against a heavily automated group of adversaries, and our IT infrastructure is fragmenting. Mike Lloyd at RedSeal suggests that we need to find a better way to target investments in security to where they are most needed, and then integrate a single view of our ever-widening attack surface.

Key learnings, how to prepare and the next big thing in security

VM Blog | January 15, 2021

The rules of the security game keep changing. We were finally getting close to perfecting the art of securing data centers and VPNs, when along came cloud, multiple cloud environments, and a pandemic forcing many of us to work remotely, disrupting all aspects of work and home life.

From a data center point of view, there was a great migration of who needed access to what, from where. Here are some thoughts of what to expect in security in 2021, some of the key lessons from the year and how businesses can prepare for the new year.

 

Security Think Tank: The year of the work-from-home hangover

Computer Weekly | 4 January 2021

After a year of unprecedented disruption thanks to Covid-19, it looks like remote working is set to remain with us for now, which means security strategies will change in 2021. What will this change look like, and what tools and services will be selling like hot cakes?

How Can We Vaccinate Our Networks?

Security Weekly | December 29, 2020

 

The news is flooded with updates regarding the COVID-19 vaccine.  Cyberattacks are targeting the vaccine supply chain.  Phishing attacks are exploiting sign-ups for the vaccine.  There are even attacks to get access to vaccine data.  Sounds a lot like our enterprises every day!  We’re all learning about human immunology from the headlines, but what are the equivalent defenses for our networks? How do we achieve resilience at scale, when we don’t really have a network immune system?

Deepfakes and deep fraud: The new security challenge of misinformation and impersonation

IDG Connect | September 1, 2020

Deepfakes, until recently, have just been an amusing part of the internet. Videos emerged of various celebrities in the wrong movie or interview, some were quite poorly made but others were almost like the real thing. They were entertaining and funny; not really given much thought and left to a corner of the internet. However, it was not long before politicians were the next target, videos emerging of significant figures like Barack Obama, Nancy Pelosi and Donald Trump.

It was at this point that some serious concerns started to develop over the security implications of this technology.