Cyber Security As A ‘Value Driver’: Q&A With Threat Stack’s CEO, EVP
Solution Providers Discuss Threats, Credentials
The threat landscape changes daily, and insiders, whether malicious or merely careless with their access, are causing real damage to enterprises around the globe. How should the way organizations issue and expire credentials change as a result?
We were able to catch up with Threat Stack Chairman and CEO, Brian Ahern, and the company’s EVP of Products and Technology, Aditya Joshi, about these pressing cyber topics. Ahern and Joshi tackled everything from their own security backgrounds to expiring credentials.
What follows is our in-depth Q&A with the Threat Stack duo.
Cyber Security Hub: Can you briefly tell us about your cyber security experience?
Brian Ahern: I’m Chairman and CEO of Threat Stack, joining the company in 2015 after my previous company – Industrial Defender – was acquired by Lockheed Martin. Industrial Defender was founded in 2002 and prior to its acquisition was a leader in the industrial control security market. Since joining Threat Stack, I’ve used my experience in industrial infrastructure security and applied it to the cloud infrastructure of growth companies like SMBs and highly scalable SaaS companies. This is traditionally a difficult marketplace for security vendors because it means dealing with organizations that are in a constant state of infrastructure transition and organizational change; however we’ve been fortunate enough to help grow the company to over 150 employees and more than 450 customers in three short years.
Aditya Joshi: I joined Threat Stack as EVP of Products and Technology in January of 2018, subsequent to the sale of my previous company, Intralinks, in 2017. My journey into cyber security started early as a systems integration consultant working on some of Accenture’s largest customers globally and being exposed to multiple generations of deployment architectures – mainframe, monolithic, client/server, distributed and cloud. Later at Novell, I was presented with the unique opportunity to delve much deeper into the infrastructure layer, working on identity and access management, Linux (OS), networking and systems management. Finally at Intralinks, I was able to bring these experiences of application and infrastructure security to bear on emerging issues surrounding data privacy and compliance to deliver a highly secure, GDPR-compliant platform for enterprise collaboration. Today at Threat Stack we are committed to building the leading Cloud Security Platform that delivers security at speed and scale for our customers.
Cyber Security Hub: What is your assessment of the current threat landscape?
Ahern: There are a lot of market forces combining to make the current threat landscape daunting for businesses. Organizations are rushing to adopt cloud infrastructure without a proper understanding of the security risks, and they’re doing this while the industry is in the midst of an enormous cyber security skills shortage. On top of public and hybrid cloud deployments, many businesses are migrating to container-based environments, which adds another layer of complexity and an increased attack surface for over-stretched security teams.
This is a challenge that can be met if the industry responds appropriately. Too many organizations are reacting to the skills shortage by throwing money at the few qualified candidates rather than building talent from within. Most businesses are buying tech or point solutions to cover this gap rather than building security into their organizational culture by mapping solutions back to people and processes.
In order to combat this, vendors need to be consultative and think about more than just their products. Every organization needs to prioritize security as a value driver so it can serve as a competitive differentiator rather than a roadblock to innovation.
Cyber Security Hub: How ‘real’ is the fear of insider attacks and what can organizations do to protect against them?
Joshi: You just need to look at the recent Apple or Timehop incidents to know it’s real. Businesses issue thousands of credentials to employees and contractors and it’s pretty easy to abuse those credentials. Employees today have an unparalleled level of access and that drastically increases the opportunity for abuse. As we saw in the Timehop incident, it’s important to remember that if an employee’s credentials are compromised, they now pose the same risk as a malicious insider.
With this in mind, organizations need to think about how they approach user access management. The IT or security team often doesn’t know what level of access a third-party contractor or specific team members need so they end up giving them way more access than necessary. To avoid this, IT and security teams need to draw clear lines around privileged access. They must segment their network into role-based groups that define cloud infrastructure access levels and periodically evaluate these groups to ensure they’re still accurate.
Looking beyond access management, it’s important to remember many organizations don’t even know the location of all their data. Organizations should invest in solutions that continuously monitor their entire infrastructure including the container and host environment. This level of visibility will provide a complete understanding of where the data is, who should have access to it, and if the system it’s stored on is risk appropriate. Furthermore, any large data download, even if it’s by an insider, should trigger an alert. For example, in an ideal world the Timehop situation would have prompted a “why is this happening?” moment to the security team. Solutions that continuously monitor infrastructure can identify risk hot spots and reduce the organization’s attack surface significantly.
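What the "large download should trigger an alert" rule Joshi describes could look like in practice, as an added example that is not part of the original interview or of Threat Stack's product. It sums object-read bytes per principal over a sliding time window and raises an alert when the total crosses a threshold, so a bulk export by a legitimate insider is flagged the same way as one by an attacker holding that insider's credentials. The audit event format, the field names, the window and threshold, and the sample events are all constructed for this example.

```python
"""Alert on bulk data downloads by any principal, insider or not.

Added example (not Threat Stack's code). Sums GetObject bytes per principal
over a sliding time window and alerts once the total crosses a threshold.
The event format and the sample events below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
THRESHOLD_BYTES = 50_000_000  # 50 MB in any 10-minute window; tune to the data set's normal use

# Constructed sample audit events: "<timestamp> <principal> <action> <object> <bytes>".
SAMPLE_EVENTS = [
    "2018-07-04T09:00:12Z alice GetObject s3://prod-data/report-1.csv 240000",
    "2018-07-04T09:03:40Z alice GetObject s3://prod-data/report-2.csv 310000",
    "2018-07-04T09:05:02Z alice PutObject s3://prod-data/report-3.csv 120000",
] + [
    # bob pulls 30 customer shards of 6 MB each, one per minute: a bulk export
    f"2018-07-04T10:{m:02d}:00Z bob GetObject s3://prod-data/customers-{m:02d}.parquet 6000000"
    for m in range(30)
] + [
    # carol reads 10 MB every half hour: large objects, but spread out in time
    f"2018-07-04T{11 + m // 2:02d}:{30 * (m % 2):02d}:00Z carol GetObject s3://prod-data/model-{m}.bin 10000000"
    for m in range(4)
]


def parse_event(line: str) -> dict:
    """Split one constructed audit line into typed fields."""
    ts, principal, action, obj, size = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "principal": principal,
        "action": action,
        "object": obj,
        "bytes": int(size),
    }


def find_bulk_downloads(lines, window=WINDOW, threshold=THRESHOLD_BYTES) -> list:
    """Return one alert per principal whose read volume exceeds `threshold` within `window`."""
    by_principal = defaultdict(list)
    for e in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        if e["action"] == "GetObject":  # only reads count toward exfiltration volume
            by_principal[e["principal"]].append(e)

    alerts = []
    for principal, events in by_principal.items():
        start, total = 0, 0
        for i, e in enumerate(events):
            total += e["bytes"]
            # Slide the window forward: drop reads that fall more than `window` before this one.
            while e["ts"] - events[start]["ts"] > window:
                total -= events[start]["bytes"]
                start += 1
            if total > threshold:
                alerts.append({
                    "principal": principal,
                    "window_start": events[start]["ts"],
                    "window_end": e["ts"],
                    "bytes": total,
                    "objects": i - start + 1,
                })
                break  # one alert per principal is enough to open an investigation
    return alerts


if __name__ == "__main__":
    for a in find_bulk_downloads(SAMPLE_EVENTS):
        print(f"ALERT {a['principal']}: {a['bytes']:,} bytes in {a['objects']} objects "
              f"between {a['window_start']:%H:%M} and {a['window_end']:%H:%M}")
```

Run against the constructed events, only bob trips the rule: nine 6 MB reads inside ten minutes. alice's small reads and carol's large but widely spaced reads stay under the window threshold, which is the point of windowing rather than counting bytes per day. A real deployment would set the threshold per data set from observed baselines and add the principal's role to the alert so the responder can see at once whether the access was expected.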
Cyber Security Hub: Are the employees truly the “weakest link”? If so, can you describe?
Ahern: Whether they’re actually acting maliciously or simply being negligent, employees represent a significant risk. There’s a reason most cyber-criminals still rely on phishing techniques – because it works. An attacker isn’t going to bother busting through a firewall when they can just trick an employee into handing over their credentials.
Having said that, it’s also important to ask if businesses are doing enough to support their employees. Every business is made up of people, and security is done by human beings. Yet very few security solutions actually map back to people and processes. It’s not enough to just throw tech at a problem. We hear from organizations all the time that think they do security because they monitor logs, but if no one is actually reading the log files, you might as well not do it.
Security solutions need to help people actually do their jobs and vendors need to be consultative. Map your solutions back to workflow and identify opportunities for improvement. Establish shared goals and highlight opportunities for Dev, Sec and Ops to all work closer together. And also be sure to identify the things that the organization is doing well from a security standpoint to encourage them to do more. Employees can be the weakest link, but they won’t improve if all we do is tell them to be better. We need to be prescriptive.
Cyber Security Hub: How can expiring credentials help the enterprise? And the third parties they work with?
Joshi: Public cloud credentials are useful to attackers, as many of them create bots with the sole purpose of crawling public repositories like GitHub looking for credentials and API keys. Once they find these unsecured keys, it’s very easy to exploit a system and exfiltrate data, take over the infrastructure for malicious purposes like crypto-mining, or move laterally to escalate privileges and access more sensitive parts of the cloud infrastructure.
Unfortunately, it’s very easy to accidentally commit credentials to code, especially when developers are using their credentials to make command line changes in AWS or other cloud service providers. That’s why we are huge fans of eliminating the use of permanent credentials altogether.
Try implementing a secrets management system and generating temporary keys so that the development team can make the changes they need to make, but the security team can protect the business by revoking the credentials once the work is done. Relatively simple strategies like this can go a long way to avoiding the dangers of identity creep.
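A local backstop for the accidental commit Joshi describes, as an added example that is not part of the original interview or of Threat Stack's product: a pre-commit scanner that refuses a commit containing a long-lived AWS access key ID (the documented format is a 20-character ID starting with AKIA) or a secret-looking variable assigned to a high-entropy string literal. The entropy check is what keeps placeholders such as "CHANGEME" from firing. The sample files are constructed; the key ID is the example ID from AWS's own documentation and the secret value is invented.

```python
"""Pre-commit scanner for long-lived cloud credentials accidentally committed to code.

Added example (not Threat Stack's code). Two checks:
  1. AWS long-term access key IDs: 20 characters, prefix AKIA (documented format).
  2. Assignments of secret-looking variables to high-entropy quoted literals.
The sample files below are constructed; the secret value is made up.
"""
import math
import re
import subprocess
import sys
from collections import Counter

AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")
# A secret-looking name assigned a quoted literal of 16+ characters with no whitespace.
SECRET_ASSIGN = re.compile(
    r"(?i)(?:secret|token|password|passwd|api[_-]?key)\w*\s*[=:]\s*[\"']([^\"'\s]{16,})[\"']"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; "xxxxxxxx"-style placeholders fall well below


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies in s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Never echo the whole secret back into terminal scrollback or CI logs."""
    return value[:4] + "..." + value[-2:]


def scan_text(path: str, text: str) -> list:
    """Return (path, line_no, rule, redacted_value) for each suspected credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((path, line_no, "aws-access-key-id", redact(m.group(0))))
        m = SECRET_ASSIGN.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((path, line_no, "high-entropy-secret", redact(m.group(1))))
    return findings


def scan_staged_files() -> list:
    """Scan the files staged for commit (intended to run from .git/hooks/pre-commit)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    findings = []
    for path in out.split():
        try:
            with open(path, encoding="utf-8", errors="replace") as f:
                findings.extend(scan_text(path, f.read()))
        except FileNotFoundError:
            pass  # staged deletion or rename source; nothing to scan
    return findings


# Constructed sample input. The key ID is the example from AWS's documentation;
# the 40-character secret is invented for this example.
SAMPLE_FILES = {
    "config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "9f2Kq7/Lm3XvB8tR+pZ1wQ6yHs0aJn4cDe5Ug7Ti"\n'
        'DB_PASSWORD = "CHANGEME"\n'
        'PASSWORD = "xxxxxxxxxxxxxxxxxxxx"\n'
    ),
    "deploy.sh": (
        "#!/bin/sh\n"
        'export SLACK_TOKEN="$(vault read -field=token secret/slack)"\n'
        "aws s3 sync ./build s3://release-bucket/\n"
    ),
}


def scan_samples() -> list:
    """Run the scanner over the constructed sample files."""
    findings = []
    for path, text in SAMPLE_FILES.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    hits = scan_staged_files() if "--staged" in sys.argv[1:] else scan_samples()
    for path, line_no, rule, value in hits:
        print(f"{path}:{line_no}: {rule}: {value}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit when run as a hook
```

Installed as `.git/hooks/pre-commit` and invoked with `--staged`, a non-zero exit blocks the commit; on the sample files it reports the key ID and the secret on the first two lines of `config.py` and ignores both placeholders and the `vault read` substitution in `deploy.sh`. The hook catches the slip after the fact; the short-lived credentials Joshi recommends remove the long-lived key from the developer's machine in the first place, so there is nothing to leak.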
Cyber Security Hub: What are some other best practices CISOs should keep in mind when thinking about cyber-threats?
Ahern: There is a need for infrastructure visibility and continuous monitoring in order to quickly detect intrusions. If companies don’t know where their data is, how are they going to know when it’s being inappropriately accessed or exfiltrated? Infrastructure visibility makes it possible to understand where your data is stored, whether the service using sensitive data is risk-appropriate, where the risk hot spots are and how risk is changing over time.
Keep in mind just how many organizations are sacrificing security for speed. The C-Level is gaining a greater appreciation for security, but if security is misaligned with the business objective, security will lose that battle nine times out of ten. In order not to be seen as a cost center running counter to business success, security needs to be able to move and scale at the pace of the business. An approach that unites sec, dev and ops can turn security from an interruption into a critical part of the business.
If you treat security as nothing more than insurance, there will never be justifiable ROI unless there has been a breach. But if you focus on integrating security into the operational efficiency of your organization, it not only provides ROI, it becomes a value driver for your business.