Seven Security Summits to Scale in 2022


 — February 16th, 2022


I am a fan of poetry. And alliteration. And nature. And of course, security. So how do they all come together? For the title and focus of this blog!

The “Seven Summits” is a reference to the highest mountain peaks in each of the seven continents. It is every serious mountaineer’s dream to scale all seven summits.

In the security world today, there are so many problems to solve. And there are countless vendors constantly seeking to tell me about the huge mountain of risk that their product can uniquely help scale.

But being a Chief Information Security Officer means learning to use the pragmatic lens of RISK to evaluate each of the mountains and their respective security gaps.

So as I survey the security landscape in front of us, these are the seven biggest summits to scale in 2022:

# 1 Secure Release Pipeline

# 2 Automated Collection of Evidence

# 3 Log Everything

# 4 Zero Trust Identity

# 5 Privileged Access Management

# 6 Data Lifecycle Protection

# 7 Ransomware Protection

# 1 Secure Release Pipeline

The recent security challenges we faced with the SolarWinds breach (a compromised build system that shipped a backdoor inside a legitimately signed update) and the Log4j vulnerability (a flaw in an open-source library embedded in countless products) make this the Mount Everest of security summits for CISOs to scale. There are four Ss that I have identified as critical to scaling this summit:

1. Static and Dynamic Code Analysis: Identify vulnerabilities both in the source code before it is built (SAST) and in the running application (DAST)

2. SCA (Software Composition Analysis): Focus especially on open-source components, and maintain an up-to-date SBOM (Software Bill of Materials) so that a newly disclosed vulnerability can be traced to every build that contains the affected component

3. Secrets Management: Keep credentials, tokens and signing keys out of source code, build configuration and build logs, and inject them into the pipeline only at the step that needs them

4. Signing: Sign commits, build artifacts and their SBOMs, and verify those signatures before deployment, so that what is released is verifiably what was built
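The following is an added example, not code from the original post or from any product it mentions. It shows what a minimal release gate that combines the second and fourth Ss looks like: an SBOM is checked against an advisory list, the artifact and SBOM digests are checked against a build manifest, and the manifest itself is authenticated before anything ships. Assumptions of this example: the SBOM is a hand-built CycloneDX-shaped dictionary; the advisory list is constructed for the example (CVE-2021-44228, Log4Shell, is a real advisory, fixed in log4j-core 2.15.0); and HMAC-SHA256 over a canonical JSON manifest stands in for the asymmetric signature a real pipeline would produce (for instance with Sigstore/cosign).

```python
"""Release gate: SBOM advisory check + artifact integrity + manifest authentication.

Added example, not the blog's code. HMAC-SHA256 stands in for a real
asymmetric artifact signature; the SBOM and advisory list are constructed.
"""
import hashlib
import hmac
import json

# Constructed CycloneDX-style SBOM (only the fields the gate needs).
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.1"},
    ],
}

# Constructed advisory feed: (group, name, first fixed version, advisory id).
# CVE-2021-44228 (Log4Shell) is real and was fixed in log4j-core 2.15.0.
ADVISORIES = [
    ("org.apache.logging.log4j", "log4j-core", "2.15.0", "CVE-2021-44228"),
]


def parse_version(text):
    """'2.14.1' -> (2, 14, 1). Only the leading digits of each dotted part are
    used; pre-release suffixes are ignored (a simplification for this example)."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else -1)
    return tuple(parts)


def vulnerable_components(sbom, advisories):
    """(name, version, advisory id) for every SBOM component older than the fix."""
    hits = []
    for comp in sbom["components"]:
        for group, name, fixed_in, adv_id in advisories:
            if (comp.get("group") == group and comp["name"] == name
                    and parse_version(comp["version"]) < parse_version(fixed_in)):
                hits.append((name, comp["version"], adv_id))
    return hits


def canonical(obj):
    """Deterministic bytes for hashing/signing: sorted keys, no whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest, signature, key):
    # Constant-time comparison so a forged tag cannot be matched byte by byte.
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def build_manifest(artifact_name, artifact_bytes, sbom):
    """What the build step records: digests of the artifact and of its SBOM."""
    return {
        "artifact": artifact_name,
        "artifact_sha256": hashlib.sha256(artifact_bytes).hexdigest(),
        "sbom_sha256": hashlib.sha256(canonical(sbom)).hexdigest(),
    }


def release_gate(artifact_bytes, sbom, manifest, signature, key, advisories):
    """Allow deployment only if the manifest is authentic, the artifact and SBOM
    match it, and no component is known-vulnerable. Returns (ok, reasons)."""
    reasons = []
    if not verify_manifest(manifest, signature, key):
        reasons.append("manifest signature invalid")
    if hashlib.sha256(artifact_bytes).hexdigest() != manifest["artifact_sha256"]:
        reasons.append("artifact digest does not match manifest")
    if hashlib.sha256(canonical(sbom)).hexdigest() != manifest["sbom_sha256"]:
        reasons.append("SBOM digest does not match manifest")
    for name, version, adv_id in vulnerable_components(sbom, advisories):
        reasons.append(f"{name} {version} affected by {adv_id}")
    return (not reasons, reasons)


if __name__ == "__main__":
    KEY = b"example-signing-key"  # constructed; a real key lives in a secrets manager
    ARTIFACT = b"\x50\x4b\x03\x04 constructed jar bytes"
    manifest = build_manifest("app.jar", ARTIFACT, SBOM)
    print(release_gate(ARTIFACT, SBOM, manifest, sign_manifest(manifest, KEY), KEY, ADVISORIES))
```

The gate fails closed: any one failure (bad signature, digest mismatch, vulnerable component) blocks the release and every reason is reported, so the build log shows the whole picture rather than the first problem found. The signing key is the third S in practice: it must come from a secrets manager at the signing step, never from the repository.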

# 2 Automated Collection of Evidence

Every country and many industries have their own version of compliance certifications. But, at best, compliance is a point-in-time check of properly-working security capabilities.

Strong ongoing security makes compliance certification almost a by-product. Compliance certification badges, on the other hand, guarantee close to nothing about strong ongoing security (almost every major company that suffered a breach held many compliance certifications).

Organizations where compliance experts outnumber security engineers must be overhauled to keep up with today's architectures. We need to fundamentally change how we prove compliance. Point-in-time evidence collection for auditors is pointless!

Rather, we need to automate the collection and monitoring of security health ALL THE TIME, so that we ensure not only point-in-time compliance but all-the-time compliance as well. Automation lets us set a far higher bar than merely sampling preventive and detective controls.

Chad Woolf, VP of Security responsible for Compliance, Privacy, and Regulatory Affairs at AWS, often stressed the point of automated reasoning when we partnered together while I was the Cloud Information Security Officer at VMware: 

Systems are becoming so immense and so complex that it’s hard for us humans to wrap our minds around the complexity — so we’re using math to do it for us

# 3 Log Everything

Back in the 1980s, former President Reagan repeatedly told Mr. Gorbachev, “Doveryai, no proveryai” (Trust, but verify). So when the current President of the United States issued an Executive Order (EO 14028, May 2021) that directs federal agencies toward “Zero Trust,” we know that there is a new world order!

Log Everything and the next point (Zero Trust Identity) are two basic building blocks of Zero Trust that we must work on right away. I went back and forth on which of the two points of Zero Trust I should address first.

I landed on Log Everything because, in a world of unknown threats and zero-day attacks, we will not have holistic protection with just Zero Trust Identity. But if we are logging everything, we at least have the possibility of building meaningful alerts to detect an anomalous action, and we also have the ability to look forensically at what an attacker did after the fact.

Alas, where there are no logs, we have nothing to go back to and investigate.

One important note: There is a great danger in using the word “everything” in anything we say! So also in this case: I don’t care nearly as much about the logs of the office coffee machine as I do about when users last logged into their company accounts.

So when I say “everything,” I mean starting with the assets that store or process the most critical data, collecting their logs first, and shipping those logs to a store the attacker cannot wipe, since deleting or disabling logs is a routine step of an intrusion.
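An added example (not code from the original post) of what “logging everything” buys you once the logs exist: two alerts run over authentication events, plus the “when did each user last log in” report mentioned above. The log lines are constructed JSON events (timestamp, user, source IP, result), and the thresholds (four or more failures within five minutes, followed by a success) are assumptions for the example; real source logs would come from the identity provider, VPN or SSO system.

```python
"""Detection logic over constructed authentication logs. Added example, not the
blog's code; events, thresholds and field names are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events, oldest first (in practice: IdP / SSO / VPN logs).
LOG_LINES = [
    '{"ts": "2022-02-14T08:01:00Z", "user": "alice", "src": "203.0.113.10", "result": "success"}',
    '{"ts": "2022-02-14T08:05:00Z", "user": "bob",   "src": "198.51.100.7", "result": "success"}',
    '{"ts": "2022-02-15T08:02:00Z", "user": "alice", "src": "203.0.113.10", "result": "success"}',
    '{"ts": "2022-02-16T02:10:00Z", "user": "bob",   "src": "192.0.2.44",   "result": "failure"}',
    '{"ts": "2022-02-16T02:10:20Z", "user": "bob",   "src": "192.0.2.44",   "result": "failure"}',
    '{"ts": "2022-02-16T02:10:40Z", "user": "bob",   "src": "192.0.2.44",   "result": "failure"}',
    '{"ts": "2022-02-16T02:11:00Z", "user": "bob",   "src": "192.0.2.44",   "result": "failure"}',
    '{"ts": "2022-02-16T02:11:30Z", "user": "bob",   "src": "192.0.2.44",   "result": "success"}',
    '{"ts": "2022-02-16T09:00:00Z", "user": "alice", "src": "203.0.113.10", "result": "success"}',
]

FAILURE_THRESHOLD = 4                  # assumption: 4+ failures ...
FAILURE_WINDOW = timedelta(minutes=5)  # ... within 5 minutes, then a success


def parse_events(lines):
    """Parse JSON lines into dicts with a real datetime, sorted oldest first."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def last_successful_login(events):
    """user -> timestamp of the most recent successful login."""
    last = {}
    for e in events:
        if e["result"] == "success":
            last[e["user"]] = e["ts"]
    return last


def detect_new_source(events):
    """Alert the first time a user succeeds from a source IP never seen for that
    user. The user's first-ever success seeds the baseline and is not alerted."""
    seen = defaultdict(set)
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        if seen[e["user"]] and e["src"] not in seen[e["user"]]:
            alerts.append(("new-source", e["user"], e["src"], e["ts"].isoformat()))
        seen[e["user"]].add(e["src"])
    return alerts


def detect_failures_then_success(events):
    """Alert when a success follows FAILURE_THRESHOLD or more failures for the
    same user inside FAILURE_WINDOW: a password-guessing attempt that worked."""
    recent_failures = defaultdict(list)
    alerts = []
    for e in events:
        window = recent_failures[e["user"]]
        window[:] = [t for t in window if e["ts"] - t <= FAILURE_WINDOW]
        if e["result"] == "failure":
            window.append(e["ts"])
        elif len(window) >= FAILURE_THRESHOLD:
            alerts.append(("failures-then-success", e["user"], e["src"], e["ts"].isoformat()))
            window.clear()
    return alerts


def run(lines):
    events = parse_events(lines)
    return {
        "last_login": {u: t.isoformat() for u, t in last_successful_login(events).items()},
        "alerts": detect_new_source(events) + detect_failures_then_success(events),
    }


if __name__ == "__main__":
    for key, value in run(LOG_LINES).items():
        print(key, value)
```

On the constructed data, bob's 02:11 login fires both alerts: it comes from an address never seen for him, and it follows four failures in ninety seconds. Neither detection is possible if the failed attempts were never logged, which is the point of the section: the failures are the signal.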

# 4 Zero Trust Identity

This is the most famous building block of Zero Trust. Fundamentally, I must never trust an identity by default: every request is verified, whether it comes from inside or outside the corporate network, before I treat the person seeking access as someone I trust.

Spoofing and masquerading as someone else is the sin that Jesus condemned the most (hypocrisy), and 2000 years later, impersonation is still the primary deception mechanism of almost all hacking attempts: stolen or phished credentials remain among the most common ways in.

Zero Trust is a mindset of establishing Pervasive Least Privilege throughout the enterprise. Zero Trust Identity is a key first step in this multi-year journey.

# 5 Privileged Access Management

Closely related to Zero Trust Identity is the risk of elevated access. If a hacker steals the identity of a user and gets access to a read-only account of non-sensitive data, there is limited risk.

Yes, that might be the entry point for an attacker. But the attacker is really looking for a way to elevate their access, hoping to acquire privileged access to exploit corporate systems.

So having a clear open-and-close process for privileged or elevated access to all information systems is critical: access is opened for a specific task, approved by someone other than the requester, bounded in time, and closed again automatically when that window ends.
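An added example (not the post's code) that ties summits 4 and 5 together in one deny-by-default decision function: every request must carry verified identity signals (MFA, a trusted device), an action is allowed only if some role grants it, and a privileged action additionally needs an open, approved, time-boxed elevation case. The roles, permission names, signals and the 30-minute elevation window are assumptions for the example.

```python
"""Deny-by-default authorization with just-in-time privileged access.
Added example, not the blog's code; roles, signals and TTL are assumptions."""
from datetime import datetime, timedelta

# Assumed role -> allowed actions. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "analyst": {"read:report"},
    "dba": {"read:report", "write:db"},
}
PRIVILEGED = {"write:db", "delete:db"}          # actions that also need an open case
ELEVATION_TTL = timedelta(minutes=30)            # assumption: cases close after 30 min


def ts(text):
    """Helper so callers can write timestamps as ISO strings."""
    return datetime.fromisoformat(text)


class Elevation:
    """An open privileged-access case: who, which action, approved by whom, until when."""

    def __init__(self, user, action, approver, opened_at, ttl=ELEVATION_TTL):
        if approver == user:
            raise ValueError("elevation cannot be self-approved")
        self.user, self.action, self.approver = user, action, approver
        self.opened_at = opened_at
        self.closes_at = opened_at + ttl
        self.closed = False

    def is_open(self, now):
        return not self.closed and self.opened_at <= now < self.closes_at

    def close(self):
        """Close the case early (task finished); it can never be reopened."""
        self.closed = True


def authorize(request, elevations, audit):
    """request: dict(user, action, roles, mfa, device_trusted, now).
    Returns (allowed, reason) and appends one audit record per decision."""
    user, action, now = request["user"], request["action"], request["now"]
    if not request["mfa"]:
        reason = "deny: MFA not verified"
    elif not request["device_trusted"]:
        reason = "deny: device not trusted"
    else:
        granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in request["roles"]))
        if action not in granted:
            reason = "deny: action not granted to any role"
        elif action in PRIVILEGED:
            cases = [e for e in elevations
                     if e.user == user and e.action == action and e.is_open(now)]
            if not cases:
                reason = "deny: privileged action without an open elevation"
            else:
                reason = (f"allow: elevation approved by {cases[0].approver}, "
                          f"closes {cases[0].closes_at.isoformat()}")
        else:
            reason = "allow: within role permissions"
    audit.append({"ts": now.isoformat(), "user": user, "action": action, "decision": reason})
    return (reason.startswith("allow"), reason)


if __name__ == "__main__":
    log = []
    carol = {"user": "carol", "roles": ["dba"], "mfa": True, "device_trusted": True}
    case = Elevation("carol", "write:db", "dave", ts("2022-02-16T09:00:00"))
    print(authorize({**carol, "action": "write:db", "now": ts("2022-02-16T09:05:00")}, [case], log))
    print(authorize({**carol, "action": "write:db", "now": ts("2022-02-16T09:45:00")}, [case], log))
    for record in log:
        print(record)
```

The audit list is the evidence trail summit 2 asks for: every decision, allowed or denied, is recorded with the reason, and an open case names its approver and its closing time, so “who had admin on that database at 09:20” is a lookup rather than an investigation.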

# 6 Data Lifecycle Protection

Data is the new oil. Oil has made countries with very few other natural resources (e.g. desert countries in the Middle East) very rich. All it took was oil that lay under the ground. Data is the rich oil hiding underneath the surface of every company. The data of our source code, our employees, our customers, our passwords, etc. are commodities of immense value.

So protecting data throughout its lifecycle, from creation to destruction and everything in between, is paramount. I chose the word Protection because I would like to redefine DLP: the security of data is much more expansive than Data Loss Prevention alone.

# 7 Ransomware Protection

Probably even more famous than “Zero Trust” is the word Ransomware. It is the most prevalent security risk facing enterprises today. Protecting ourselves here means giving it specific focus: building out, maturing, and routinely testing the key components.

We must be laser-focused on holistic protections here, from our company’s backup and recovery capabilities (including regular test restores from backups that an attacker with domain-level access cannot reach or encrypt), all the way to an always-updated, keenly-engaging, and never-ending training and awareness program for all employees. (For more on Ransomware threats in 2022 see this blog by my FWI | Poppulo colleague Joel Mack)

And finally.......

None of these summits can be scaled through one-year actions! So I am not packing a victory flag on my journey. The hackers are most often one step ahead of us. So it will serve us well to remain humble and vigilant.

Success comes through an earnest and unrelenting commitment to the journey of constantly reducing risk. The destination will take care of itself.

Onward and upward!
