Cybersecurity is not a Band-Aid. It is not about treating a symptom, but about taking in the entire environment for a holistic diagnosis and solution. An elaborate perimeter security strategy is no longer enough. Without a secure foundation built from within, a walled perimeter cannot fully protect you. Spending lots of money does not solve the problem either. According to Gartner, despite a surge in global cybersecurity spending of 8.7 percent ($124 billion) in 2019, the list of cyberattack victims continues to grow. Security also cannot be an afterthought. It isn’t the dessert at the end of the evening meal. It should be at the center of your yearly, monthly, and daily decision-making.
The critical need to secure your DevOps environment
Security is especially pertinent to the DevOps community. Companies are realizing today that IT security must play an integrated role in the full lifecycle of their apps. Poorly conceived or outdated security practices can prove highly detrimental not only to the organizations that develop and host applications, but also to the third parties whose data is stored in or passes through these applications. Agile development practices have drastically reduced development cycles, so security cannot be postponed until the end and left to a designated team of specialists. DevSecOps is a hot topic at the RSA 2020 Conference, with numerous presentations and managed discussions outlining how to secure engineering processes and frameworks throughout the organization. It was also identified at RSA as a growing trend for 2020.
What is DevSecOps?
DevSecOps is about integrating security from the ground up within your DevOps environment. It is about built-in security, a concept that should not be limited to your online application environment, but should extend to your entire IT estate. Four main concepts define this secure approach:
- Determining the inherent risks and performing a risk/benefit analysis.
- Focusing on security, rather than just convenience and ease of deployment, in the default configurations for both the software and hardware that make up your DevOps infrastructure.
- Ensuring that security is integrated not only at the initial release, but as a part of each feature update.
- Having the right individuals in place at all stages of the development process to ensure security protection for all stakeholders.
Developing a ground-floor built-in strategy
So how do companies today go about implementing a core security strategy from the ground up that permeates the entire enterprise framework? Creating a ground-up cybersecurity strategy does not mean you have to start at ground zero, because a principled security framework already exists: the Duty of Care Risk Analysis Standard (DoCRA). DoCRA offers companies a proven standard approach for analyzing risks that pertain to all potential parties who may be vulnerable to those risks. It is a balanced approach that considers not only the risks at hand, but also the burden of protecting against them. It does not speak in security acronyms, protocols, and jargon that only security professionals can understand. Instead, it speaks the language of business, regulators, and litigators in order to ensure that business and security priorities properly align with one another. DoCRA centers on the principle of implementing the reasonable measures that a reasonable person would use to protect against those risks. This focus on what is reasonable allows judges to differentiate expectation levels among companies large and small in times of litigation, and it translates technical language into business terms.
CIS Controls™ & CIS RAM
An integral part of a security strategy is the implementation of necessary security controls. The CIS Controls™ are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. Some especially relevant CIS controls pertinent to DevSecOps include:
- CIS Control 3: Continuous vulnerability assessment and remediation
- CIS Control 4: Controlled state of administrative privileges
- CIS Control 5: Secure configuration for hardware and software on mobile devices, laptops, workstations and servers
- CIS Control 6: Maintenance, monitoring and analysis of audit logs
- CIS Control 9: Limitation and control of network ports, protocols and services
These controls help provide focus on maintaining documented, security-minded configuration standards for all authorized operating systems and software. They are about ensuring that administrative privileges are not widely distributed and that administrative accounts are used only for activities that require elevation. They are about making sure that local logging is enabled on all systems and that the appropriate logs are aggregated to a central log management system, alongside other relevant controls. In all, security does not have to be burdensome; it just needs to be reasonable and effective.
An essential cybersecurity tool for establishing a reasonable implementation of the CIS Controls is CIS RAM (Risk Assessment Method). CIS RAM was authored by HALOCK Security Labs in partnership with CIS (the Center for Internet Security). CIS RAM is based on the Duty of Care Risk Analysis standard (DoCRA.org) and is recognized by attorneys, regulators, and interested parties alike for its ability to demonstrate reasonable and appropriate implementation of controls. Utilizing the right risk assessment method can help organizations balance their mission, objectives, and obligations to interested third parties.
Find that balance of corporate goals, compliance, and social responsibility. Scope and quote your risk assessment for reasonable security.
Let’s Connect at the RSA Conference 2020!
Birds of a Feather Session: Free-form discussions that allow attendees to “flock together” and dig deeper into the topics that matter to them.
The Google Translate for InfoSec – Communicating to Legal and the C-Suite
Do you feel you have a legally defensible position in case of a breach? Are you able to effectively communicate and justify technology investments you really need with your C-Suite? Join to discuss how you are addressing these concerns today as well as how the Duty of Care Risk Analysis (DoCRA) method bridges these gaps. Attendance is strictly limited to allow for a small group experience.
Date: 02/27/2020 – Thursday
Time: 9:20 AM – 10:10 AM
Room: RSAC Engagement Zone Moscone West 2020 – Table E
HALOCK Happy Hour at The Living Room – RSVP
Date: 02/27/2020 – Thursday
Time: 5:00 PM – 7:00 PM
Room: Intercontinental – The Living Room
Securing the right budget is often harder than performing the project that requires the budget. If your goal is to secure the budget you need, rather than prioritizing within the budget you’re given, then you need a different approach from the one you’ve been using. Learn how an industry-proven methodology (DoCRA) can help you communicate to the C-Suite in a new way and receive the budget you truly need.
Speaker: Jim Mirochnik, Senior Partner and CEO, HALOCK Security Labs
Date: 02/28/2020 – Friday
Time: 8:30 AM – 9:20 AM
Room: Moscone West