SecOps teams tell themselves three lies so they can sleep at night

March 11, 2020 - Alex Peay

I just spent a week in San Francisco at RSA Conference 2020 as the cybersecurity industry rallied for what appears to have been the last large in-person tech conference to be held before we can figure out what to do about Coronavirus. SaltStack sponsored the conference again this year and, as always, it was a great opportunity to see the latest trends in the cybersecurity industry, talk with SecOps teams and practitioners, and hear from industry leaders.

I spoke to hundreds of people throughout the week and quickly started to notice a trend. Cybersecurity professionals desperately want to believe business is secure because they’ve invested in all the right tools to identify vulnerabilities, threats, non-compliancy, and security issues. As I listened more closely, there were three comforting lies I heard over and over that SecOps teams like to believe instead of facing unpleasant truths.

Security professionals on SecOps teams, like everyone else, gravitate toward comforting lies over unpleasant truths.

Comforting Lie #1 – The insight I get from my security tools is all I need.

I get it: for more than a decade you’ve been told by your security vendors that insight is all you need, when in reality “insight” was simply all those tools had to offer. We’ve been conditioned to believe that visibility into infrastructure security posture was enough.

But once the security team gained visibility, they were forced to beg, borrow, and steal in order to take meaningful action. In some cases this came in the form of a boardroom brawl as SecOps teams debated which issues should be prioritized for manual remediation and which should be placed on a growing list of unfixed vulnerabilities that IT operators never address within a reasonable window. In either case, these golden insights go unattended, are ripe for exploitation, and the finger-pointing begins.

Getting insights from one team and throwing them “over the fence” so a different team can take action only leads to frustration, delays, and added risk. SecOps teams must be able to work together using common, integrated tools that can both find and fix the issues critical to securing and supporting business activities.

Comforting Lie #2 – The images I use from my cloud provider are hardened and secure.

We all want this to be true given the pervasiveness of cloud adoption in business today. Considering how much is spent on cloud services, and the nature of the workloads running in the cloud, you’d expect cloud images to be hardened…but the reality is they aren’t.

There is a grey area when it comes to responsibility for cloud security. Cloud providers don’t want to take on the added cost or burden of hardening images. SecOps teams historically haven’t had the tools to coordinate the hardening of cloud images deployed at scale, to provision and configure the image, and to automate the long-term maintenance of the image.

We use SaltStack Comply internally and consistently find that a standard image from a leading cloud provider is non-compliant in more than half of the configuration settings when checked against an industry-defined standard such as a Center for Internet Security (CIS) Benchmark.

A newly provisioned CentOS cloud image is non-compliant with more than half of CIS Benchmark checks.

While most CTOs and CISOs expect “out-of-the-box” cloud images to be compliant with security standards, the thousands of cloud images their companies spin up every day each have hundreds of configuration issues that can be exploited if not addressed. The ability to use a single tool to orchestrate cloud provisioning while running a simple scan against industry standards, or to check for company-defined policy compliance, is critical and should be a bare minimum requirement. Bonus points if the same tool can trigger and automate actions to remediate vulnerabilities and compliance issues with both speed and agility.

Want a view into how this might work within your own organization? You can always try a hosted instance of SaltStack Enterprise for a first-hand, self-guided tutorial.

SaltStack can do all of this, ultimately provisioning cloud images at scale while ensuring a hardened state before they go into production. Even more important is providing SecOps teams with ongoing maintenance of a desired security state so cloud and IT systems do not drift out of compliance and put their business services at risk.
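The scan-then-remediate loop described above can be expressed in ordinary Salt states, the same mechanism SaltStack Comply builds on. The SLS file below is an added example written for this post, not content from SaltStack or from Comply; it enforces a small, hypothetical subset of CIS Benchmark-style settings (SSH root login, `/etc/passwd` permissions, and IP forwarding) on a minion such as a freshly provisioned CentOS image. The file name `cis_baseline.sls` and the choice of checks are assumptions; the same approach applies to the hosts under a container layer.

```yaml
# cis_baseline.sls (hypothetical file name); added example, not SaltStack's own content.
# Applied with test=True this state only reports which settings would change (the scan);
# applied without it, the very same definition remediates them. One tool, one source of truth.

# Disable direct root login over SSH. The pattern also matches the commented-out
# default line so the setting is corrected in place instead of being duplicated.
cis_sshd_permit_root_login:
  file.replace:
    - name: /etc/ssh/sshd_config
    - pattern: '^#?\s*PermitRootLogin\s+.*$'
    - repl: 'PermitRootLogin no'
    - append_if_not_found: True
    - backup: '.bak'

# Keep the SSH daemon enabled and reload it only when the config actually changed.
sshd:
  service.running:
    - enable: True
    - watch:
      - file: cis_sshd_permit_root_login

# Restore expected ownership and mode on /etc/passwd without rewriting its contents.
cis_passwd_permissions:
  file.managed:
    - name: /etc/passwd
    - user: root
    - group: root
    - mode: '0644'
    - replace: False

# Turn off IP forwarding on hosts that are not routers. sysctl.present sets the live
# value and persists it in /etc/sysctl.conf, so a reboot does not reintroduce drift.
cis_disable_ip_forwarding:
  sysctl.present:
    - name: net.ipv4.ip_forward
    - value: 0
```

Running `salt 'web*' state.apply cis_baseline test=True` returns a per-host report of every setting that would change, which is the compliance scan; dropping `test=True` applies the fixes, and scheduling the same apply on a regular interval is what keeps the fleet from drifting back out of compliance after the initial hardening.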

Comforting Lie #3 – Containers allow me to quickly provision secure services even if the underlying infrastructure is insecure.

The promise of development in a containerized world is alluring, but too often new technology creates unintended consequences and security risks. When dev teams focus exclusively on container and application-layer security, and assume the underlying host OS and infrastructure are secure, they run the risk of building a house on sand. In these containerized, often cloud-native environments the underlying infrastructure must be hardened from the outset and maintained in a secure state.

Companies that fail to automate initial infrastructure provisioning, along with the identification and remediation of long-term configuration drift, run the risk of becoming ‘container blind.’ Don’t overlook the risks lurking just under the container layer.

Each of these three comforting lies has its origin in the silos that have emerged within security and IT operations teams. When these teams operate independently they fail to meet the business needs of sustainability and speed. When they focus only on their own priorities they create gaps in the process that will expose the company to risk.

The unpleasant truth is that a massive culture shift has to occur if we are going to truly fix and secure IT. SecOps needs to move beyond a buzzword and become a collaborative mindset focused on taking informed action to secure infrastructure. SecOps teams need tools that go beyond a simple scan and go to the heart of fixing and truly remediating the issue rather than passing the buck and pointing a finger.

By building solutions that enable close collaboration for security and IT operations teams, SaltStack is helping enable better, actionable processes that deliver real security and substantial value to the business. But don’t just take my word for it. Schedule a demo of SaltStack SecOps products or try SaltStack Comply yourself in our hosted product tutorial. See for yourself how SaltStack is helping expose these comforting lies so SecOps teams can deliver true value to the business.