Tag Archives: Security

Cisco cries foul over security flaw in Zoom Connector

Cisco slammed rival Zoom for a security lapse that left the management portals of many video devices exposed to the public internet. It’s an unusually public spat between two of the industry’s leading video conferencing providers.

The dispute revolves around Zoom Connector, a gateway that connects standards-based video devices to the Zoom cloud. In addition to providing a management portal for the hardware, the service makes it possible to join Zoom meetings with one click.

The Zoom Connector previously allowed anyone with the correct URL to access the admin portal for Cisco, Poly and Lifesize devices from the public internet without login credentials, according to Cisco. That would have let a hacker commandeer a company’s video systems, potentially allowing them to eavesdrop on conference rooms.

Zoom released a patch last week that password-protected access to the control hub via those URLs. But in a blog post this week, Cisco said the quick fix did not go far enough, alerting customers that Zoom’s connector service did not meet Cisco’s security standards.

To create the connector, Zoom built a link between the Zoom cloud and a Cisco web server running within a corporate network, said Sri Srinivasan, general manager of Cisco’s team collaboration group. The configuration provides a point of access to the endpoints that lies outside the network firewall. 

“You don’t want to have firewall settings open for a management interface of this sort, even [when] password-protected,” Srinivasan said.

Similarly, in a statement Tuesday, Lifesize said it considered Zoom Connector an unauthorized integration “built in an inherently insecure way.” However, the company concluded that the security flaw spotlighted by Cisco did not put customers in immediate risk.

In a statement Tuesday, Zoom said it considered the issue fully resolved. While insisting customers were safe, Zoom said it did advise companies to check device logs for unusual activity or unauthorized access.

Zoom added that it was not aware of any instances of hackers exploiting the vulnerability. The URLs necessary to access a device’s management portal are long and complicated, similar to a link to a Google Doc or an unlisted YouTube video. Most likely, a hacker would have needed to first gain access to an admin’s browser history to exploit the flaw.

Zoom has come under fire before for security shortfalls. Experts criticized the vendor in July for quietly installing a web server on Mac computers. The software left users vulnerable to being forcibly joined to a meeting with their video cameras turned on.

Cisco has raised issues with Zoom about the connector in the past, but only became aware of the URL vulnerability on Oct. 31, Srinivasan said. A customer who wished to remain anonymous reported the problem to Cisco and Zoom around the same time, he said. Zoom patched the issue on Nov. 19, one day after Cisco said it contacted the company about the problem. 

Adding fuel to the fire, Zoom has been using the Cisco logo on its connector’s admin portal. Cisco said this likely led customers to believe they were accessing a website supported by Cisco.

“This has been going on for a long, long time,” Srinivasan said. “Now, we know better to make sure we check everything Zoom does.”

But it seems unlikely Zoom will heed Cisco’s directive to obtain certification of the service. The vendor has a financial stake in the matter, as it charges customers $499 per year, per port for Zoom Connector.

Zoom has emerged in recent years as perhaps Cisco’s biggest competitor in the video conferencing market. Eric Yuan resigned as Cisco’s vice president of engineering to start Zoom in 2011. Yuan was one of the chief architects of the Webex video conferencing software that Cisco acquired in 2007.

In the coming months, Cisco is planning to release a SIP-based integration for Zoom and other leading video conferencing providers. The technology would let users join third-party meetings with one click from a Cisco device.

Cisco already supports SIP-based interoperability. But taking advantage of it requires businesses to build an integration themselves or pay for a third-party service. Srinivasan said the forthcoming SIP integration would eliminate the need for a service like Zoom Connector.

Go to Original Article
Author:

Rethinking cyber learning—consider gamification

As promised, I’m back with a follow-up to my recent post, Rethinking how we learn security, on how we need modernize the learning experience for cybersecurity professionals by gamifying training to make learning fun. Some of you may have attended the recent Microsoft Ignite events in Orlando and Paris. I missed the conferences (ironically, due to attending a cybersecurity certification boot camp) but heard great things about the Microsoft/Circadence joint Into the Breach capture the flag exercise.

If you missed Ignite, we’re planning several additional Microsoft Ignite The Tour events around the world, where you’ll be able to try your hand at this capture the flag experience. Look for me at the Washington, DC event in early February.

In the meantime, due to the great feedback I received from my previous blog—which I do really appreciate, especially if you have ideas for how we should tackle the shortage of cyber professionals—I’ll be digging deeper into the mechanics of learning to understand what it really takes to learn cyber in today’s evolving landscape.

Today, I want to address the important questions of how a new employee could actually ramp up their learning, and how employers can prepare employees for success and track the efficacy of the learning curriculum. Once again, I’m pleased to share this post with Keenan Skelly, chief evangelist at Boulder, Colorado-based Circadence.

Here are some of some of her recommendations from our Q&A:

Q: Keenan, in our last blog, you discussed Circadence’s “Project Ares” cyber learning platform. How do new cyber practitioners get started on Project Ares?

A: The way that Project Ares is set up allows for a user to acquire a variety of different skill levels when launched. It’s important to understand what kind of work roles you’re looking to learn about as a user as well as what kinds of tools you’re looking to understand better before you get started on Project Ares. For example, if I were to take some of my Girls Who Code or Cyber Patriot students and put them into the platform, I would probably have them start in the Battle School. This is where they’re going to learn about basic cybersecurity fundamentals such as ports and protocols, regular expressions, and the cyber kill chain. Then they can transition into Battle Rooms, where they’ll start to learn about very specific tools, tactics, and procedures or TTPs, for a variety of different work roles. If you’re a much more skilled cyber ninja, however, you can probably go ahead and get right into Missions, but we do recommend that everyone who comes into Project Ares does some work in the Battle Rooms first, specifically if they are trying to learn a tool or a skill for their work role.

Project Ares also has a couple of different routes that an expert or an enterprising cybersecurity professional can come into that’s really focused more on their role. For example, we have an assessments area based entirely on the work role. This aligns to the NIST framework and the NICE cybersecurity work roles. For example, if you’re a network defender, you can come into that assessment pathway and have steps laid out before you to identify your skill level in that role as you see below:

Assessment pathway.

Q: What areas within Project Ares do you recommend for enterprise cyber professionals to train against role-based job functions and prepare for cyber certifications?

A: You might start with something simple like understanding very basic things about your work role through a questionnaire in the Battle School arena as seen in the illustrations below. You may then move into a couple of Battle Rooms that tease out very detailed skills in tools that you would be using for that role. And then eventually you’ll get to go into a mission by yourself, and potentially a mission with your entire team to really certify that you are capable in that work role. All this practice helps prepare professionals to take official cyber certifications and exams.

Battle School questionnaire.

Battle School mission.

Q: Describe some of the gamification elements in Project Ares and share how it enhances cyber learning.

A: One of the best things about Project Ares is gamification. Everyone loves to play games, whether it’s on your phone playing Angry Birds, or on your computer or gaming console. So we really tried to put a lot of gaming elements inside Project Ares. Since everything is scored within Project Ares, everything you do from learning about ports and protocols, to battle rooms and missions, gives you experience points. Experience points add up to skill badges. All these things make learning more fun for the user. For example, if you’re a defender, you might have skill badges in infrastructure, network design, network defense, etc. And the way Project Ares is set up, once you have a certain combination of those skill badges you can earn a work role achievement certificate within Project Ares.

This kind of thing is taken very much from Call of Duty and other types of games where you can really build up your skills by doing a very specific skill-based activity and earn points towards badges. One of the other things that is great about Project Ares is it’s quite immersive. For example, Missions allows a user to come into a specific cyber situation or cyber response situation (e.g., water treatment plant cyberattack) and have multimedia effects that demonstrate what is going—very much reflective of that cool guy video look. Being able to talk through challenges in the exercises with our in-game advisor, Athena, adds another element to the learning experience as shown in the illustration below.

Athena was inspired by the trends of personal assistants like Cortana and other such AI-bots, which have been integrated into games. So things like chat bots, narrative storylines, and skill badges are super important for really immersing the individual in the process. It’s so much more fun, and easier to learn things in this way, as opposed to sitting through a static presentation or watching someone on a video and trying to learn the skill passively.

Athena—the in-game advisor.

Q: What kinds of insights and reporting capability can Project Ares deliver to cyber team supervisors and C-Suite leaders to help them assessing cyber readiness?

A: Project Ares offers a couple great features that are good for managers, all the way up to the C-Suite, who are trying to understand how their cybersecurity team is doing. The first one is called Project Ares Trainer View. This is where a supervisor or manager can jump into the Project Ares environment, with the students or with the enterprise team members, and observe in a couple of different ways.

The instructor or the manager can jump into the environment as Athena, so the user doesn’t know that they are there. They can then provide additional insight or help that is needed to a student. A supervisor or leader can also jump in as the opponent, which gives them the ability to see someone who is just breezing by everything and maybe make it a little more challenging. Or they can just observe and leave comments for the individuals. This piece is really helpful when we’re talking about managers who are looking to understand their team’s skill level in much more detail.

The other piece of this is a product we have coming out soon called Dendrite—an analytics tool that looks at everything that happens at Project Ares. We record all the key strokes and chats a user had with Athena or any with other team members while in a mission or battle room. Cyber team leads can then see what’s going on. Users can see what they’re doing well, and not doing well. This feedback can be provided up to the manager level, the senior manager level, and even to the C-Suite level to demonstrate exactly where that individual is in their particular skill path. It helps the cyber team leads understand what tools are being used appropriately and which tools are not being used appropriately.

For example, if you’re a financial institution and you paid quite a bit of money for Tanium, but upon viewing tool use in Dendrite, you find that no one is using it. It might prompt you to rethink your strategy on how to use tools in your organization or look at how you train your folks to use those tools. These types of insights are absolutely critical if you want to understand the best way to grow the individual in cybersecurity and make sure they’re really on top of their game.

The Dendrite assessment and analysis solution.

Q: How can non-technical employees improve their cyber readiness?

A: At Circadence, we don’t just provide learning capabilities for advanced cyber warriors. For mid-range people just coming into the technical side of cybersecurity, we have an entire learning path that starts with a product called inCyt. Now, inCyt is a very fun browser-based game of strategy where players have some hackable devices they must protect—like operating systems and phones. Meanwhile, your opponent has the same objective: protect their devices from attacks. Players continually hack each other by gathering intel on their opponent and then launching different cyberattacks. While they’re doing this, players get a fundamental understanding of the cyber kill chain. They learn things like what reconnaissance means to a hacker, what weaponizing means to a hacker, what deploying that weapon means to a hacker, so they can start to recognize that behavior in their everyday interactions online.

Some people ask why this is important and I always say, “I used to be a bomb technician, and there is no possible way I could defuse an IED or nuclear weapon without understanding how those things are put together.” It’s the same kind of concept.

It’s impossible to assume that someone is going to learn cyber awareness by answering some questions or watching a five-minute phishing tutorial after they have already clicked a link in a suspicious email. Those are very reactive ways of learning cyber. inCyt is very proactive. And we want to teach you in-depth understanding of what to look for, not just for phishing but for all the attacks we’re susceptible to. inCyt is also being used by some of our customers as a preliminary gate track for those who are interested in cybersecurity. So if you demonstrate a very high aptitude within inCyt, we would send you over to our CyberBridge portal where you can start learning some of the basics of cybersecurity to see if it might be the right field for you. Within our CyberBridge access management portal, you can then go into Project Ares Academy, which is just a lighter version of Project Ares.

Professional and Enterprise licenses in Project Ares pave more intricate learning pathways for people to advance in learning, from novice to expert cyber defender. You’ll be able to track all metrics of where you started, how far you came, what kind of skill path you’re on, and what kind of skill path you want to be on. Very crucial items for your own work role pathway.

How to close the cybersecurity talent gap

Keenan’s perspective and the solution offered by Project Ares really helps to understand how to train security professionals and give them the hands-on experience they require and want. We’re in interesting times, right? With innovations in machine learning and artificial intelligence (AI), we’re increasingly able to pivot from reactive cyber defense to get more predictive. Still, right now we’re facing a cybersecurity talent gap of up to 4 million people, depending on which analyst group you follow. The only way that we’re going to get folks interested in cybersecurity is to make it exactly what we have been talking about: a career-long opportunity to learn.

Make it something that they can attain, they can grow in, and see themselves going from a novice to a leader in an organization. This is tough right now because there are relatively few cybersecurity operators compared to demand, and the operators on the front lines are subject to burnout. With uncertain and undefined career paths beyond tactical SecOps, what is there to look forward to?

We need to get better as a community in cybersecurity, not only protect the cybersecurity defenders that we have already, but also help to bring in new cybersecurity defenders and offenders who are really going to push the boundaries of where we’re at today. This is where we have an excellent and transformational opportunity to introduce more immersive and gamified learning to improve the learning experience and put our people in a position to succeed.

Learn more

To learn more about how to close the cybersecurity talent gap, read the e-book: CISO essentials: How to optimize recruiting while strengthening cybersecurity. For more information on Microsoft intelligence security solutions, see Achieve an optimal state of Zero Trust.

You can also watch my full interview with Keenan.

Bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Go to Original Article
Author: Microsoft News Center

IBM Cloud Pak for Security aims to unify hybrid environments

IBM this week launched Cloud Pak for Security, which experts say represents a major strategy shift for Big Blue’s security business

The aim of IBM’s Cloud Pak for Security is to create a platform built on open-source technology that can connect security tools from multiple vendors and cloud platforms in order to help reduce vendor lock-in. IBM Cloud Paks are pre-integrated and containerized software running on Red Hat OpenShift, and previously IBM had five options for Cloud Paks — Applications, Data, Integration, Automation and Multicloud Management — which could be mixed and matched to meet enterprise needs.

Chris Meenan, director of offering management and strategy at IBM Security, told SearchSecurity that Cloud Pak for Security was designed to tackle two “big rock problems” for infosec teams. The first aim was to help customers get data insights through federated search of their existing data without having to move it to one place. Second was to help “orchestrate and take action across all of those systems” via built-in case management and automation. 

Meenan said IT staff will be able to take actions across a multi-cloud environment, including “quarantining users, blocking IP addresses, reimaging machines, restarting containers and forcing password resets.”

“Cloud Pak for Security is the first platform to take advantage of STIX-Shifter, an open-source technology pioneered by IBM that allows for unified search for threat data within and across various types of security tools, datasets and environments,” Meenan said. “Rather than running separate, manual searches for the same security data within each tool and environment you’re using, you can run a single query with Cloud Pak for Security to search across all security tools and data sources that are connected to the platform.” 

Meenan added that Cloud Pak for Security represented a shift in IBM Security strategy because of its focus on delivering “security solutions and outcomes without needing to own the data.”

“That’s probably the biggest shift — being able to deliver that to any cloud or on-premise the customer needs,” Meenan said. “Being able to deliver that without owning the data means organizations can deploy any different technology and it’s not a headwind. Now they don’t need to duplicate the data. That’s just additional overhead and introduces friction.”

One platform to connect them all

Meenan said IBM was “very deliberate” to keep data transfers minimal, so at first Cloud Pak for Security will only take in alerts from connected vendor tools and search results.

“As our Cloud Pak develops, we plan to introduce some capability to create alerts and potentially store data as well, but as with other Cloud Paks, the features will be optional,” Meenan said. “What’s really fundamental is we’ve designed a Cloud Pak to deliver applications and outcomes but you don’t have to bring the data and you don’t have to generate the alerts. Organizations have a SIEM in place, they’ve got an EDR in place, they’ve got all the right alerts and insights, what they’re really struggling with is connecting all that in a way that’s easily consumable.”

In order to create the connections to popular tools and platforms, IBM worked with clients and service providers. Meenan said some connectors were built by IBM and some vendors built their own connectors. At launch, Cloud Pak for Security will include integration for security tools from IBM, Carbon Black, Tenable, Elastic, McAfee, BigFix and Splunk, with integration for Amazon Web Services and Microsoft Azure clouds coming later in Q4 2019, according to IBM’s press release.

Ray Komar, vice president of technical alliances at Tenable, said that from an integration standpoint, Cloud Pak for Security “eliminates the need to build a unique connector to various tools, which means we can build a connector once and reuse it everywhere.”

“Organizations everywhere are reaping the benefits of cloud-first strategies but often struggle to ensure their dynamic environments are secure,” Komar told SearchSecurity. “With our IBM Cloud Pak integration, joint customers can now leverage vulnerability data from Tenable.io for holistic visibility into their cloud security posture.”

Jon Oltsik, senior principal analyst and fellow at Enterprise Strategy Group, based in Milford, Mass., told SearchSecurity that he likes this new strategy for IBM and called it “the right move.”

“IBM has a few strong products but other vendors have much greater market share in many areas. Just about every large security vendor offers something similar, but IBM can pivot off QRadar and Resilient and extend its footprint in its base. IBM gets this and wants to establish Cloud Pak for Security as the ‘brains’ behind security. To do so, it has to be able to fit nicely in a heterogeneous security architecture,” Oltsik said. “IBM can also access on-premises data, which is a bit of unique implementation. I think IBM had to do this as the industry is going this way.”

Martin Kuppinger, founder and principal analyst at KuppingerCole Analysts AG, based in Wiesbaden, Germany, said Cloud Pak for Security should be valuable for customers, specifically “larger organizations and MSSPs that have a variety of different security tools from different vendors in place.”

“This allows for better incident response processes and better analytics. Complex attacks today might span many systems, and analysis requires access to various types of security information. This is simplified, without adding yet another big data lake,” Kuppinger told SearchSecurity. “Obviously, Security Cloud Pak might be perceived competitive by incident response management vendors, but it is open to them and provides opportunities by building on the federated data. Furthermore, a challenge with federation is that the data sources must be up and running for accessing the data — but that can be handled well, specifically when it is only about analysis; it is not about real-time transactions here.”

The current and future IBM Security products

Meenan told SearchSecurity that Cloud Pak for Security would not have any special integration with IBM Security products, which would “have to stand on their own merits” in order to be chosen by customers. However, Meenan said new products in the future will leverage the connections enabled by the Cloud Pak.

“Now what this platform allows us to do is to deliver new security solutions that are naturally cross-cutting, that require solutions that can sit across an EDR, a SIEM, multiple clouds, and enable those,” Meenan said. “When we think about solutions for insider threat, business risk, fraud, they’re very cross-cutting use cases so anything that we create that cuts across and provides that end-to-end security, absolutely the Cloud Pak is laying the foundation for us — and our partners and our customers — to deliver that.”

Oltsik said IBM’s Security Cloud Pak has a “somewhat unique hybrid cloud architecture” but noted that it is “a bit late to market and early versions won’t have full functionality.”

“I believe that IBM delayed its release to align it with what it’s doing with Red Hat,” Oltsik said. “All that said, IBM has not missed the market, but it does need to be more aggressive to compete with the likes of Cisco, Check Point, FireEye, Fortinet, McAfee, Palo Alto, Symantec, Trend Micro and others with similar offerings.”

Kuppinger said that from an overall IBM Security perspective, this platform “is rather consequent.”

“IBM, with its combination of software, software services, and implementation/consultancy services, is targeted on such a strategy of integration,” Kuppinger wrote via email. “Not owning data definitely is a smart move. Good architecture should segregate data, identity, and applications/apps/services. This allows for reuse in modern, service-oriented architectures. Locking-in data always limits that reusability.”

Go to Original Article
Author:

Kubernetes security opens a new frontier: multi-tenancy

SAN DIEGO — As enterprises expand production container deployments, a new Kubernetes security challenge has emerged: multi-tenancy.

Among the many challenges with multi-tenancy in general is that it is not easy to define, and few IT pros agree on a single definition or architectural approach. Broadly speaking, however, multi-tenancy occurs when multiple projects, teams or tenants, share a centralized IT infrastructure, but remain logically isolated from one another.

Kubernetes multi-tenancy also adds multilayered complexity to an already complex Kubernetes security picture, and demands that IT pros wire together a stack of third-party and, at times, homegrown tools on top of the core Kubernetes framework.

This is because core upstream Kubernetes security features are limited to service accounts for operations such as role-based access control — the platform expects authentication and authorization data to come from an external source. Kubernetes namespaces also don’t offer especially granular or layered isolation by default. Typically, each namespace corresponds to one tenant, whether that tenant is defined as an application, a project or a service.

“To build logical isolation, you have to add a bunch of components on top of Kubernetes,” said Karl Isenberg, tech lead manager at Cruise Automation, a self-driving car service in San Francisco, in a presentation about Kubernetes multi-tenancy here at KubeCon + CloudNativeCon North America 2019 this week. “Once you have Kubernetes, Kubernetes alone is not enough.”

Karl Isenberg, Cruise Automation
Karl Isenberg, tech lead manager at Cruise Automation, presents at KubeCon about multi-tenant Kubernetes security.

However, Isenberg and other presenters here said Kubernetes multi-tenancy can have significant advantages if done right. Cruise, for example, runs very large Kubernetes clusters, with up to 1,000 nodes, shared by thousands of employees, teams, projects and some customers. Kubernetes multi-tenancy means more highly efficient clusters and cost savings on data center hardware and cloud infrastructure.

“Lower operational costs is another [advantage] — if you’re starting up a platform operations team with five people, you may not be able to manage five [separate] clusters,” Isenberg added. “We [also] wanted to make our investments in focused areas, so that they applied to as many tenants as possible.”

Multi-tenant Kubernetes security an ad hoc practice for now

The good news for enterprises that want to achieve Kubernetes multi-tenancy securely is that there are a plethora of third-party tools they can use to do it, some of which are sold by vendors, and others open sourced by firms with Kubernetes development experience, including Cruise and Yahoo Media.

Duke Energy Corporation, for example, has a 60-node Kubernetes cluster in production that’s stretched across three on-premises data centers and shared by 100 web applications so far. The platform is comprised of several vendors’ products, from Diamanti hyper-converged infrastructure to Aqua Security Software’s container firewall, which logically isolates tenants from one another at a granular level that accounts for the ephemeral nature of container infrastructure.

“We don’t want production to talk to anyone [outside of it],” said Ritu Sharma, senior IT architect at the energy holding company in Charlotte, N.C., in a presentation at KubeSec Enterprise Summit, an event co-located with KubeCon this week. “That was the first question that came to mind — how to manage cybersecurity when containers can connect service-to-service within a cluster.”

Some Kubernetes multi-tenancy early adopters also lean on cloud service providers such as Google Kubernetes Engine (GKE) to take on parts of the Kubernetes security burden. GKE can encrypt secrets in the etcd data store, which became available in Kubernetes 1.13, but isn’t enabled by default, according to a KubeSec presentation by Mike Ruth, one of Cruise’s staff security engineers.

Google also offers Workload Identity, which matches up GCP identity and access management with Kubernetes service accounts so that users don’t have to manage Kubernetes secrets or Google Cloud IAM service account keys themselves. Kubernetes SIG-Auth looks to modernize how Kubernetes security tokens are handled by default upstream to smooth Kubernetes secrets management across all clouds, but has run into snags with the migration process.

In the meantime, Verizon’s Yahoo Media has donated a project called Athenz to open source, which handles multiple aspects of authentication and authorization in its on-premises Kubernetes environments, including automatic secrets rotation, expiration and limited-audience policies for intracluster communication similar to those offered by GKE’s Workload Identity. Cruise also created a similar open source tool called RBACSync, along with Daytona, a tool that fetches secrets from HashiCorp Vault, which Cruise uses to store secrets instead of in etcd, and injects them into running applications, and k-rail for workload policy enforcement.

Kubernetes Multi-Tenancy Working Group explores standards

While early adopters have plowed ahead with an amalgamation of third-party and homegrown tools, some users in highly regulated environments look to upstream Kubernetes projects to flesh out more standardized Kubernetes multi-tenancy options.

For example, investment banking company HSBC can use Google’s Anthos Config Management (ACM) to create hierarchical, or nested, namespaces, which make for more highly granular access control mechanisms in a multi-tenant environment, and simplifies their management by automatically propagating shared policies between them. However, the company is following the work of a Kubernetes Multi-Tenancy Working Group established in early 2018 in the hopes it will introduce free open source utilities compatible with multiple public clouds.

Sanjeev Rampal, Kubernetes Multi-Tenancy Working Group
Sanjeev Rampal, co-chair of the Kubernetes Multi-Tenancy Working Group, presents at KubeCon.

“If I want to use ACM in AWS, the Anthos license isn’t cheap,” said Scott Surovich, global container engineering lead at HSBC, in an interview after a presentation here. Anthos also requires VMware server virtualization, and hierarchical namespaces available at the Kubernetes layer could offer Kubernetes multi-tenancy on bare metal, reducing the layers of abstraction and potentially improving performance for HSBC.

Homegrown tools for multi-tenant Kubernetes security won’t fly in HSBC’s highly regulated environment, either, Surovich said.

“I need to prove I have escalation options for support,” he said. “Saying, ‘I wrote that’ isn’t acceptable.”

So far, the working group has two incubation projects that create custom resource definitions — essentially, plugins — that support hierarchical namespaces and virtual clusters that create self-service Kubernetes API Servers for each tenant. The working group has also created working definitions of the types of multi-tenancy and begun to define a set of reference architectures.

The working group is also considering certification of multi-tenant Kubernetes security and management tools, as well as benchmark testing and evaluation of such tools, said Sanjeev Rampal, a Cisco principal engineer and co-chair of the group.

Go to Original Article
Author:

Check Point: Qualcomm TrustZone flaws could be ‘game over’

Security researchers found vulnerabilities in the Qualcomm TrustZone secure element extension that could allow attackers to steal the most sensitive data stored on mobile devices.

TrustZone implements architectural security extensions on ARM processors that can be integrated into the bootloader, radio, Android system image and a trusted execution environment (TEE) in mobile devices. Slava Makkaveev, security researcher at Check Point Software Technologies, discovered the issues in the Qualcomm TrustZone implementation often used by major Android manufacturers.

“TEE code is highly critical to bugs because it protects the safety of critical data and has high execution permissions. A vulnerability in a component of TEE may lead to leakage of protected data, device rooting, bootloader unlocking, execution of undetectable APT and more. Therefore, a Normal world OS restricts access to TEE components to a minimal set of processes,” Makkaveev wrote in his analysis. “Examples of privileged OS components are DRM service, media service and keystore. However, this does not reduce researchers’ attention to the TrustZone.”

Makkaveev said the Qualcomm TrustZone components can be found in popular Android devices from Samsung, Google, LG and OnePlus. He used fuzzing tools to discover the vulnerabilities and exploited them in order to install a trusted app in a normal environment.

Check Point claimed the flaws affect all versions of Android up to the most recent Android 10; however, Makkaveev mentions testing on only a Nexus 6 running Android 7.1, an LG G4 running Android 6 and Moto G4/G4 Plus running an unknown version of Android.

Samsung, Motorola, LG and Qualcomm did not respond to requests for comment at the time of this post. Google responded but did not have information readily available as to whether more recent Google Pixel devices are at risk.

Liviu Arsene, global cybersecurity researcher at antimalware firm Bitdefender, based in Romania, told SearchSecurity this research is important because “high-complexity and high-reward vulnerabilities [like this] can potentially offer untethered access to critical assets and data on the device.”

“When a vulnerability in the software that sits between the hardware and the operating system running on top of it is found, successful exploitation can have serious security and privacy implications,” Arsene said. “Not because attackers could potentially access critical and sensitive data, but because attackers can compromise the security of the device, while being invisible to the victim. Depending on how the vulnerability is triggered, weaponized attackers might successfully exfiltrate sensitive data such as passwords, financial information, or even planting additional software on the device.”

Ekram Ahmed, head of public relations at Check Point, told SearchSecurity, “it’s only a matter of time before we find more vulnerabilities.”

Once someone gains access into Trust Zone, it’s game over. They can get unprecedented access to our credit cards, biometric data, keys, passwords.
Ekram AhmedHead of public relations, Check Point

“Once someone gains access into Trust Zone, it’s game over. They can get unprecedented access to our credit cards, biometric data, keys, passwords,” Ahmed said. “It wouldn’t be too difficult for a medium-skilled cyber actor to exploit. What is difficult is knowing exactly who is affected. The vulnerability is a deeper infrastructure issue.”

Arsene said he wouldn’t expect to see these Qualcomm TrustZone flaws exploited “en masse in the wild.”

“While weaponizing the vulnerability may be possible, it’s likely that only a handful of users could potentially be impacted, possibly in highly targeted attacks,” Arsene said. “However, the difficulty of pulling off these attacks lies in how easily the vulnerability can be weaponized.”

Ahmed added that Check Point notified all potentially affected device manufacturers, but the company had “strange” interactions with Qualcomm leading up to the patch being released.

“We asked them to patch, and they only told us they patched a day before we published the blog, because the media was reaching out to them,” Ahmed said. “They went months without communicating a single word to us.”

Go to Original Article
Author:

ZombieLoad v2 disclosed, affects newest Intel chips

Security researchers disclosed a new version of the ZombieLoad attack and warned that Intel’s fixes for the original threat can by bypassed.

The original ZombieLoad attack — a speculative execution exploit that could allow attackers to steal sensitive data from Intel processors — was first announced May 14 as part of a set of microarchitectural data sampling (MDS) attacks that also included RIDL (Rogue In-Flight Data Load) and Fallout. According to the researchers, they first disclosed ZombieLoad v2 to Intel on April 23 with an update on May 10 to communicate that “the attacks work on Cascade Lake CPUs,” Intel’s newest line of processors. However, ZombieLoad v2 was kept under embargo until this week.

“We present a new variant of ZombieLoad that enables the attack on CPUs that include hardware mitigations against MDS in silicon. With Variant 2 (TAA), data can still be leaked on microarchitectures like Cascade Lake where other MDS attacks like RIDL or Fallout are not possible,” the researchers wrote on the ZombieLoad website. “Furthermore, we show that the software-based mitigations in combinations with microcode updates presented as countermeasures against MDS attacks are not sufficient.”

One of the ZombieLoad researchers, Moritz Lipp, PhD candidate in information security at the Graz University of Technology in Austria, told SearchSecurity  the problem with the patch for the initial MDS issues is that it “does not prevent the attack, just makes it harder. It just takes longer as the leakage rate is not that high.”

Lipp added that the team’s relationship with Intel has been improving over the past two years and the extended embargo was a direct result of ZombieLoad v2 affecting Cascade Lake processors.

In an update to the original ZombieLoad research paper, the researchers noted that the main advantage of variant two “is that it also works on machines with hardware fixes for Meltdown,” and noted that the attack requires “the Intel TSX instruction-set extension which is only available on selected CPUs since 2013,” including various Skylake, Kaby Lake, Coffee Lake, Broadwell and Cascade Lake processors.

Intel did not respond to questions regarding ZombieLoad v2 — which the company refers to as TSX Asynchronous Abort (TAA) —  or the original MDS patch, and instead directed SearchSecurity to the company’s November 2019 Intel Platform Update blog post. In that blog post, Jerry Bryant, director of communications for Intel Product Assurance and Security, admitted Intel’s MDS mitigations fell short.

“We believe that the mitigations for TAA and MDS substantively reduce the potential attack surface,” Bryant wrote. “Shortly before this disclosure, however, we confirmed the possibility that some amount of data could still be inferred through a side-channel using these techniques (for TAA, only if TSX is enabled) and will be addressed in future microcode updates.”

In an attached “deep dive,” Intel also admitted the ZombieLoad v2 attack “may expose data from either the current logical processor or from the sibling logical processor on processors with simultaneous multithreading.”

The researchers also noted that with the range of CPUs affected, the attack could be performed both on PCs as well as in the cloud.

“The attack can be mounted in virtualized environments like the cloud as well across hyperthreads, if two virtual machines are each running on one of them,” Lipp told SearchSecurity. “However, typically huge cloud providers don’t schedule virtual machines anymore.”

Chris Goettl, director of product management, security at Ivanti, told SearchSecurity that while the research is interesting, the risks of ZombieLoad are relatively low.

“In a cloud environment a vulnerability like this could allow an attacker to glean information across many companies, true, but we are talking about a needle in a field of haystacks,” Goettl said. “Threat actors have motives and they will drive toward their objectives in most cases as quickly and easily as they possibly can. There are a number of information disclosure vulnerabilities that are going to be far easier to exploit than ZombieLoad.”

Lipp confirmed that in order to ensure the leak of sensitive data an attacker would need to ensure “a victim loads specific data, for instance triggering code that loads passwords in order to authenticate a user, an attacker can leak that.”

Ultimately, Goettl said he would expect Intel to continue to be reactive with side-channel attacks like ZombieLoad until there is “a precipitating event where any of these exploits are used in a real-world attack scenario.”

“The incomplete MDS patch probably says a little about how much effort Intel is putting into resolving the vulnerabilities. They fixed exactly what they were shown was the issue, but didn’t look beyond to see if something more should be done or if that fix could also be circumvented,” Goettle said. “As long as speculative execution remains academic Intel’s approach will likely continue to be reactive rather than proactive.”

Go to Original Article
Author:

Jamf Protect offers visibility, protection for macOS admins

MINNEAPOLIS — Compliance and behavioral analysis features in endpoint security tool Jamf Protect may lessen IT concerns about adopting macOS devices in the enterprise.

Jamf Protect offers a kernel-less — or kextless — approach to endpoint security, which was announced here at Jamf Nation User Conference (JNUC) 2019, Jamf’s annual user conference. The platform offers day-one support of new macOS security features, insight into compliance across an organization’s fleet of macOS devices and behavior-based malware detection.

As the use of macOS in the enterprise increases, the landscape of security threats evolves, said David McIntyre, CISO and CTO of Build America Mutual, a financial services company in New York.

“There were so many more threats for Mac than I thought, so we had to add something to fight them off,” McIntyre said.

The origin of Jamf Protect

The announcement of a Jamf endpoint protection tool aligns with the company’s acquisition of Digita Security, a macOS endpoint security management company, earlier this year.

A lack of security management is one of the biggest hindrances to macOS adoption in the enterprise, said Patrick Wardle, co-founder at Digita Security and current principle security researcher at Jamf. Most enterprise organizations that consider deploying macOS devices have existing Windows machines that they manage, and as such they have a Windows-focused desktop management infrastructure.

“In an ideal world, the single pane of glass for Windows and Mac endpoint management would work, but feature parity is largely missing for the macOS components of these tools,” Wardle said.

What can Jamf Protect do?

Jamf Protect offers kextless management; instead of kernel extensions, it builds on the EndpointSecurity framework that Apple provides. Kext files extend Mac OS X kernels and can bloat a desktop with additional code. With the release of macOS 10.15 Catalina, Apple deprecated kernel extensions to encourage a kextless approach.

“It’ll be huge for us if we can get rid of apps that use kext files,” said Tom O’Mahoney, a systems support analyst at Home Advisor in Golden, Co. “Hopefully that’s the future of all desktop management.”

It’ll be huge for us if we can get rid of apps that use kext files — hopefully that’s the future of all desktop management.
Tom O’MahoneySystems support analyst, Home Advisor

Some kernel extensions only work with certain versions of Mac OS X and can prevent users from booting desktops after OS updates. Admins must troubleshoot this issue by searching through all of the OS’ kext files and determining which non-Apple kext file is causing the issue, as Apple automatically trusts kext files that have its developer ID.

“The kextless approach prevents a lot of issues that our current endpoint manager has with macOS updates,” said Brian Bocklett, IT engineer at Intercontinental Exchange, a financial services company in Atlanta, Ga.

Jamf Protect will also provide visibility into an organization’s entire macOS fleet. Admins can view the status of macOS devices’ security configurations and settings in the Insights tab of Jamf Protect and compare this data to endpoint security standards published by the Center for Internet Security (CIS).

Jamf Protect screenshot
Jamf Protect’s Insights tab

Michael Stover, a desktop engineer at Home Advisor, which has roughly a 90-10 split on Windows and macOS devices, said that macOS visibility is a common compliance issue.

“The CIS benchmarks are probably the biggest selling point for us,” he said. “It would be game-changing to see all that configuration data in one place and compare it to the benchmarks.”

The behavioral analysis style of macOS threat detection also drew some interest from JNUC 2019 attendees. This approach to malware detection identifies actions that files or software try to execute and searches for anomalies. If Jamf Protect finds instances of a phantom click, a common malware tactic, it can alert IT professionals to the suspicious behavior.

Jamf Protect forgoes attempts to recognize specific instances of malware; instead it recognizes the actions of potentially malicious software. Jamf Protect also detects software with an unfamiliar developer ID attempting to access data, install additional software or take actions that could invite malware onto a desktop.

“You don’t need to have every bank robber’s photo to know that someone running into a bank with a ski mask and a weapon is trying to rob that bank,” McIntyre said. 

Still, some aspects of Jamf Protect gave macOS admins pause, including the behavior analysis style of threat detection. In a Q&A after the Jamf Protect session ended, several attendees asked if the tool provides a more proactive approach for threat prevention and if Jamf Protect had any way to prevent false positives before they happen.

Spotify, for example, includes the suspicious phantom clicks as part of its UI, so users running Spotify could generate false positives. IT professionals can add exceptions to the behavioral analysis with Spotify and other similar cases, but it’s difficult to anticipate every exception they’ll need to add.

Additionally, some organizations require security standards far stricter than those of the CIS, and Jamf Protect doesn’t allow organizations to add their own benchmarks or customize the CIS benchmarks.

Jamf Protect is generally available as a paid subscription service for commerical U.S. customers, according to Jamf.

Go to Original Article
Author:

Threat Stack Application Security Monitoring adds Python support

Threat Stack has announced Python support for its Threat Stack Application Security Monitoring product. The update comes with no additional cost as part of the Threat Stack Cloud Security Platform.

With Python support for Application Security Monitoring, Threat Stack customers who use Python with Django and Flask frameworks can ensure security in the software development lifecycle with risk identification of both third-party and native code, according to Tim Buntel, vice president of application security products at Threat Stack.

In addition, the platform also provides built-in capabilities to help developers learn secure coding practices and real-time attack blocking, according to the company.

“Today’s cloud-native applications are comprised of disparate components, including containers, virtual machines and scripts, including those written in Python, that serve as the connective tissue between these elements,” said Doug Cahill, senior analyst and group Practice Director, Cybersecurity at Enterprise Strategy Group. Hence, the lack of support for any one layer of a stack means a lack of visibility and a vulnerability an attacker could exploit.

Application Security Monitoring is a recent addition to Threat Stack Cloud Security Platform. Introduced last June, the platform is aimed at bringing visibility and protection to cloud-based architecture and applications. Threat Stack Cloud Security Platform touts the ability to identify and block attacks such as cross-site scripting (XSS) and SQL injection by putting the application in context with the rest of the stack. It also allows users to move from the application to the container or the host, where it is deployed with one click when an attack happens, according to the company.

“[Application Security Monitoring] … provides customers with full stack security observability by correlating security telemetry from the cloud management console, host, containers and applications in a single, unified platform,” Buntel said.

To achieve full stack security and insights from the cloud management console, host, containers, orchestration and applications, customers can combine Threat Stack Application Security Monitoring with the rest of the Threat Stack Cloud Security Platform, according to the company.

Cahill said customers should look for coverage of the technology stack as well as the lifecycle when looking to secure cloud-native applications, because such full stack and lifecycle support allows for threat detection and prevention capabilities “from the code level down to the virtual machine or container to be implemented in both pre-deployment stages and runtime.”

“Cloud security platforms, which integrate runtime application self-protection functionality with cloud workload protection platforms to provide full-stack and full lifecycle visibility and control, are just now being offered by a handful of cybersecurity vendors, including Threat Stack,” he added.

Threat Stack Application Security Monitoring for Python is available as of Wednesday.

Threat Stack competitors include CloudPassage, Dome9 and Sophos. CloudPassage Halo is a security automation platform delivering visibility, protection and compliance monitoring for cybersecurity risks; the platform also covers risks in Amazon Web Services and Azure deployments, according to the company. CloudGuard Dome9 is a software platform for public cloud security and compliance orchestration; the platform helps customers assess their security posture, detect misconfigurations and enforce security best practices to prevent data loss, according to the company. Sophos Intercept X enables organizations to detect blended threats that merge automation and human hacking skills, according to the company.

Go to Original Article
Author:

Atlassian CISO Adrian Ludwig shares DevOps security outlook

BOSTON — Atlassian chief information security officer and IT industry veteran Adrian Ludwig is well aware of a heightened emphasis on DevOps security among enterprises heading into 2020 and beyond, and he believes that massive consolidation between DevOps and cybersecurity toolsets is nigh.

Ludwig, who joined Atlassian in May 2018, previously worked at Nest, Macromedia, Adobe and Google’s Android, as well as the U.S. Department of Defense. Now, he supervises Atlassian’s corporate security, including its cloud platforms, and works with the company’s product development teams on security feature improvements.

Atlassian has also begun to build DevOps security features into its Agile collaboration and DevOps tools for customers who want to build their own apps with security in mind. Integrations between Jira Service Desk and Jira issue tracking tools, for example, automatically notify development teams when security issues are detected, and the roadmap for Jira Align (formerly AgileCraft) includes the ability to track code quality, privacy and security on a story and feature level.

However, according to Ludwig, the melding of DevOps and IT security tooling, along with their disciplines, must be much broader and deeper in the long run. SearchSoftwareQuality caught up with him at the Atlassian Open event here to talk about his vision for the future of DevOps security, how it will affect Atlassian, and the IT software market at large.

SearchSoftwareQuality: We’re hearing more about security by design and applications security built into the DevOps process. What might we expect to see from Atlassian along those lines?

Ludwig: As a security practitioner, probably the most alarming factoid about security — and it gets more alarming every year — is the number of open roles for security professionals. I remember hearing at one point it was a million, and somebody else was telling me that they had found 3 million. So there’s this myth that people are going to be able to solve security problems by having more people in that space.

And an area that has sort of played into that myth is around tooling for the creation of secure applications. And a huge percentage of the current security skills gap is because we’re expecting security practitioners to find those tools, integrate those tools and monitor those tools when they weren’t designed to work well together.

Adrian LudwigAdrian Ludwig

It’s currently ridiculously difficult to build software securely. Just to think about what it means in the context of Atlassian, we have to license tools from half a dozen different vendors and integrate them into our environment. We have to think about how results from those tools flow into the [issue] resolution process. How do you bind it into Jira, so you can see the tickets, so you can get it into the hands of the developer? How do you make sure that test cases associated with fixing those issues are incorporated into your development pipeline? It’s a mess.

My expectation is that the only way we’ll ever get to a point where software can be built securely is if those capabilities are incorporated directly into the tools that are used to deliver it, as opposed to being add-ons that come from third parties.

SSQ: So does that include Atlassian?

Ludwig: I think it has to.

SSQ: What would that look like?

Ludwig: One of the areas that my team has been building something like that is around the way that we monitor our security investigations. We’ve actually released some open source projects in this area, where the way that we create alerts for Splunk, which we use as our SIEM, is tied into Jira tickets and Confluence pages. When we create alerts, a Confluence page is automatically generated, and it generates Jira tickets that then flow to our analysts to follow up on them. And that’s actually tied in more broadly to our overall risk management system.

We are also working on some internal tools to make it easier for us to connect the third-party products that look for security vulnerabilities directly into Bitbucket. Every single time we do a pull request, source code analysis runs. And it’s not just a single piece of source code analysis; it’s a wide range of them. Is that particular pull request referencing any out-of-date libraries? And dependencies that need to be updated? And then those become comments that get added into the peer review process.

My job is to make sure that we ship the most secure software that we possibly can, and if there are commercial opportunities, which I think there are, then it seems natural that we might do those as well.
Adrian LudwigCISO, Atlassian

It’s not something that we’re currently making commercially available, nor do we have specific plans at this point to do that, so I’m not announcing anything. But that’s the kind of thing that we are doing. My job is to make sure that we ship the most secure software that we possibly can, and if there are commercial opportunities, which I think there are, then it seems natural that we might do those as well.

SSQ: What does that mean for the wider market as DevOps and security tools converge?

Ludwig: Over the next 10 years, there’s going to be massive consolidation in that space. That trend is one that we’ve seen other places in the security stack. For example, I came from Android. Android now has primary responsibility, as a core platform capability, for all of the security of that device. Your historical desktop operating systems? Encryption was an add-on. Sandboxing was an add-on. Monitoring for viruses was an add-on. Those are all now part of the mobile OS platform.

If you look at the antivirus vendors, you’ve seen them stagnate, and they didn’t have an off-road onto mobile. I think it’s going to be super interesting to watch a lot of the security investments made over the last 10 years, especially in developer space, and think through how that’s going to play out. I think there’s going to be consolidation there. It’s all converging, and as it converges, a lot of stuff’s going to die.

Go to Original Article
Author:

DevOps security shifts left, but miles to go to pass hackers

DevOps security processes have matured within enterprises over the last year, but IT shops still have far to go to stem the tide of data breaches.

DevOps teams have built good security habits almost by default as they have increased the frequency of application releases and adopted infrastructure and security automation to improve software development. More frequent, smaller, automated app deployments are less risky and less prone to manual error than large and infrequent ones.

Microservices management and release automation demand tools such as infrastructure as code and configuration management software to manage infrastructure, which similarly cut down on human error. Wrapped up into a streamlined GitOps process, Agile and DevOps techniques automate the path to production while locking down access to it — a win for both security and IT efficiency.

However, the first six months of 2019 saw such a flood of high-profile data breaches that at least one security research firm called it the worst year on record. And while cybersecurity experts aren’t certain how trustworthy that measurement is — there could just be more awareness of breaches than there used to be, or more digital services to attack than in past years — they feel strongly that DevOps security teams still aren’t staying ahead of attackers, who have also learned to automate and optimize what they do.

Adrian Sanabria, advocate at Thinkst Applied ResearchAdrian Sanabria

“The attackers have innovated, and that’s one of the problems with our industry — we’re at least five years behind the attackers,” said Adrian Sanabria, advocate at Thinkst Applied Research, a cybersecurity research and software firm based in South Africa. “We’re in a mode where we’re convinced, with all this VC money and money spent on marketing, that we have to wait for a product to be available to solve these problems … and they’re never going to be ready in time.”

DevOps security tools aren’t enough

A cybersecurity tool is only as good as how it’s used, Sanabria said, citing the example of a Target breach in 2013, where security software detected potentially malicious activity, but IT staff didn’t act on its warnings. In part, this was attributed to alert fatigue, as IT teams increasingly deal with a fire hose of alerts from various monitoring systems. But it also has to do with IT training, Sanabria said.

“In the breach research I’ve done, generally everyone owned [the tools] they needed to own,” he said. “They either didn’t know how to use it, hadn’t set it up correctly, or they had some kind of process issue where the [tools] did try to stop the attacks or warn them of it, [but] they either didn’t see the alert or didn’t act on the alert.”

The attackers have innovated, and that’s one of the problems with our industry — we’re at least five years behind the attackers.
Adrian SanabriaAdvocate, Thinkst Applied Research

DevOps security, or DevSecOps, teams have locked down many of the technical weak points within infrastructure and app deployment processes, but all too often, the initial attack takes a very human form, such as a spoofed email that seems to come from a company executive, directing the recipient to transfer funds to what turns out to be an attacker’s account.

“Often, breaches don’t even require hacking,” Sanabria said. “It requires understanding of financial processes, who’s who in the company and the timing of certain transactions.”

Preventing such attacks requires that employees be equally familiar with that information, Sanabria said. That lack of awareness is driving a surge in ransomware attacks, which rely almost entirely on social engineering to hold vital company data hostage.

Collaboration and strategy vital for DevOps security

Thus, in a world of sophisticated technology, the biggest problems remain human, according to experts — and their solutions are also rooted in organizational dynamics and human collaboration, starting with a more strategic, holistic organizational approach to IT security.

Jeremy Pullen, PolodisJeremy Pullen

“Technology people don’t think of leadership skills and collaboration as primary job functions,” said Jeremy Pullen, CEO of Polodis, a digital transformation consulting firm in Atlanta. “They think the job is day-to-day technical threat remediation, but you can’t scale your organization when you have people trying to do it all themselves.”

An overreliance on individual security experts within enterprises leads to a ‘lamppost effect,’ where those individuals overcompensate for risks they’re familiar with, but undercompensate in areas they don’t understand as well, Pullen said. That kind of team structure also results in the time-honored DevOps bugaboo of siloed responsibilities, which increases security fragility in the same way it dampens application performance and infrastructure resilience.

“Developers and operations may be blind to application security issues, while security tends to focus on physical and infrastructure security, which is most clearly defined in their threat models,” Pullen said. “Then it becomes a bit of a game of Whac-a-Mole … where you’re trying to fix one thing and then another thing pops up, and it gets really noisy.”

Instead, DevSecOps teams must begin to think of themselves and their individual job functions as nodes in a network rather than layers of a stack, Pullen said, and work to understand how the entire organization fits together.

“Everyone’s unclear about what enterprise architecture is,” he said. “They stick Jenkins in the middle of a process but might not understand that they need to separate that environment into different domains and understand governance boundaries.”

Effective DevOps security requires more team practice

Strategically hardening applications and IT management processes to prevent attacks is important, but organizations must also strategically plan — and practice — their response to ongoing security incidents that can and will still happen.

“Cybersecurity so far has been focused on solitary study and being the best technical practitioner you can be, and building stand-alone applications and infrastructure to the best technical standard, which reminds me of golf,” said Nick Drage, principal consultant at Path Dependence Ltd., a cybersecurity consulting firm based in the U.K., in a presentation at DevSecCon in Seattle last month. “But in reality, cybersecurity is a fight with an opponent over territory — much more like American football.”

As long as security is practiced by isolated individuals, it will be as effective as taking the football field armed with golf clubs, Drage said. Instead, the approach should be more team-oriented, cooperative, and, especially, emphasize team practice to prepare for ‘game time.’

This is the future of governance — controlling risk on the human side of our systems.
Charles BetzAnalyst, Forrester Research

American football defenses are particularly instructive for DevOps security strategy ideas about defense in depth, Drage said in his presentation. Among other things, they demonstrate that an initial incursion into a team’s territory — yards gained — does not amount to a breach — points scored. IT teams should also apply that thinking as they try to anticipate and respond to threats — how to protect the ‘end zone,’ so to speak, and not just their half of the field.

Thinkst’s Sanabria uses a different analogy — the DevOps security team as firefighters.

“We’re not going to get good at this if we don’t practice it,” he said. “We buy all the tools, but imagine firefighters if they’d never donned the suits, never driven the truck, never used the hose and they’re not expecting the amount of force and it knocks them down. Going out to their first fire would look like a comedy.”

And yet that’s exactly what happens with many enterprise IT security teams when they must respond to incidents, Sanabria said, in part because companies don’t prioritize experiential learning over informational training.

The good news is that IT analysts expect the next wave of DevOps security to look very much like chaos engineering used in many organizations to improve system resiliency, but with a human twist. Organizations have begun to emerge such as OpenSOC, which sets up training workshops, including simulated ransomware attacks, for companies to practice security incident response. Companies can also do this internally by treating penetration tests as real attacks, otherwise known as red teaming. Free and open source tools such as Infection Monkey from Guardicore Labs also simulate attack scenarios.

Charles Betz, Forrester ResearchCharles Betz

Tech companies such as such as Google already practice their own form of human-based chaos testing, where employees are selected at random for a ‘staycation,’ directed to take a minimum of one hour to answer work emails, or to intentionally give wrong answers to questions, to test the resiliency of the rest of the organization.

“Despite the implications of the word ‘chaos,’ some companies are already presenting chaos engineering to their risk management leaders and auditors,” said Charles Betz, analyst at Forrester Research. “This is the future of governance — controlling risk on the human side of our systems.”

Go to Original Article
Author: