3 New Year’s Resolutions That Every CSO Should Make

It is the season for new year’s resolutions and planning 2017. In an environment of a constant bombardment of security advice, where do you start? This blog will combine 15 years of hard lessons with newest, best practice distilled into a few practical pieces of advice, ready to take your security team to the next level.

1. Prioritize using Metric Driven Impact security
   1. Change your security metrics from measuring work done, to measuring achieved security outcome.
      1. Some measure time until patches are applied
      2. Others measure how many high-risk vulnerabilities they have.
      3. 2017 Cloud Security Leaders measure the percentage of machines that are PCI compliant and improve on that metric.
   2. Measure daily and provide instant feedback to the security engineers.
      1. Some companies measure their security posture every quarter and spend days or weeks collecting data in spreadsheets and make the graphs by hand, at which point the metrics are shared with senior management.
      2. 2017 Cloud Security Leaders calculate their posture every day and every security engineer gets the rewards of the work done the day before.
   3. Trend directionality is more important than absolute values.
      1. Some count the number of non-compliant hosts and despair when the number increases.
      2. Some calculate the percentage of non-compliant hosts and despair when that number is high
      3. 2017 Cloud Security Leaders know that works loads in the cloud scale up and down. Plus, that it is more important to measure the percentage of compliant hosts and that the percentage is moving in the right direction.
   4. Pivot from counting vulnerabilities to counting compliant hosts
      1. Counting absolute vulnerabilities made sense when the number of vulnerabilities was manageable.
      2. 2017 Cloud Security Leaders realize that counting compliant and secure hosts is more relevant.
   5. Remediate for the highest impact of work done and not highest CVSS score.
      1. Many companies sort their vulnerabilities by CVSS base score and do the highest scoring vulnerabilities first, typically one at a time.
      2. 2017 Cloud Security Leaders consolidate remediations so that the cumulative service pack or SSL certificate which fixes most vulnerabilities and hosts is done first.
2. Reduce blast radius
   1. 2017 is not about preventing breaches or attacks, but about containing the blast radius. Segment your networks, your data, your applications, and your cloud infrastructure to make watertight compartments to ensure that attacks will not sink your company.2017 Cloud Security Leaders:
      1. Separate functions like Exchange and Outlook Web Access onto different servers (this happens to also be PCI DSS 3.2 Requirement 2.2.1)
      2. Have different AWS accounts (and passwords) for production systems and their S3 storage for backup.
      3. Have many small AWS security Groups
      4. Separate subnets for public access and backend systems.
      5. Multiple DMZ subnets for different functions
      6. Multiple database servers for different functions
      7. Smaller separate subnets in large offices
      8. Guest Wi-Fi for BYOD, instead of shared Wi-Fi for business and private devices.
3. DevOps your SecOps
   1. Make sure your Security tools have APIs, SDKs, and Examples
      1. Many companies manually schedule scans, download reports, and review results.
      2. Other have security alerts sent to them via email.
      3. Modern Security companies are increasingly making APIs available. The best API’s comes with SDK in popular languages like Python ready for integration into your code and plenty of examples.
      4. 2017 Cloud Security Leaders only buy from companies with robust APIs, SDKs, and examples and they apply their DevOps methodologies to integrate their security vendor into their Security Operations.
   2. Bake security into your “golden image” by creating a pipeline
      1. Some companies take months to make a new “golden image” with manual regression testing.
      2. Better organizations have their “golden image” built in a “create pipeline” with daily builds using the newest patches and full unit testing.
      3. 2017 Cloud Security Leaders have configuration testing and vulnerability assessment as part of their “golden image” build a pipeline, with the break of the pipeline if vulnerabilities are found.
   3. Bake security into your cloud deployment pipeline
      1. Modern Cloud implementation push to production several times a day using continuous integration pipelines.
      2. 2017 Cloud Security Leaders run vulnerability and configuration assessment as part of every deployment.
   4. Automatically retire cloud instances that fail a vulnerability scan
      1. Some cloud software teams launch their workloads in auto scaling groups, that are self-healing, automatically restarting workloads that fail.
      2. Better teams ensure that newest images are used when restarting a workload.
      3. Best teams monitor workloads for health, CPU, RAM, disk, and “shoot” under-performing instances instead of repairing them, to allow the self-healing process to launch the newest version of the image.
      4. 2017 Cloud Security Leaders expand on that process and automatically retire older images with vulnerabilities as part of their daily automatic scans.

To learn more about:

• Vulnerability Management from Alert Logic, please see Cloud Insight, Cloud Defender, and Threat Manager
• Cloud Insight API, SDK, and examples