The call for continuous security

Topics
Security
Author
Tyrone Jeffress
Publication Date
9 September 2019


Why the Capital One Breach Should Be a Call for Cybersecurity Transformation

The Routine Breach Reaction Cycle

The onslaught of personal data breach reports over the past decade has desensitized cybersecurity professionals (as well as the general public) to the perpetual flutter of cyber attack news. Major breach announcements often kick off a series of events that security professionals have come to know so well.  

  • Like clockwork, CXOs and board directors turn to their CISOs with the hope of being assured that a similar outcome would not be likely for their organization.
  • Security teams spin up their own analyses and investigations of the events to make sense of the noise and half-stories put forward in big media articles.
  • Security consultants and sales reps jump to the occasion to be the first to coin a breach-related listicle or blog post to pump up how their proprietary product would have prevented the breach.

It has been over a month, but the Capital One breach, first publicized on Monday, July 29, 2019, seemed to pierce through the noise in a way that we haven't seen since the Equifax breach in 2017. There are many reasons for this, of course:

  • The sheer volume of records exposed.
  • The sensitivity of data exposed, which included some of the most protected data, including Social Security numbers, addresses, phone numbers, etc.
  • The intrigue that the key malicious actor, Paige Thompson, was a former employee of AWS (the cloud infrastructure provider for the breached systems) who worked on Amazon S3 (the platform that was breached). 
  • The concern that the breach was related to the world’s largest and most-used cloud provider.   
  • The sense (and worry) that the breach affected a key player in the Financial Services industry, which is a pillar in the United States' critical infrastructure. 

Ensuring an organization’s security strategy is aligned with the business has been a long-standing best practice in security governance. With the panic of this well-publicized breach wearing off, now is an opportune time to reflect on your security strategy once more. Updates to your security strategy should not just focus on your projects, initiatives, and goals, but should include an objective look at your security team’s way of working. In fact, if your business has undergone a significant transformation, it’s likely that your security function needs similar transformation as well.     

Trouble with a Capital T, That Rhymes with C, That Stands for…Cloud?

There was some chatter across executive circles that inappropriately suggested that the breach was evidence of an inherent immaturity or insecurity of cloud vendors and their platforms, like Amazon Web Services, Microsoft Azure and Google Cloud Platform. Those who were already leery of cloud environments pounced on the opportunity to confirm their anti-cloud biases and leverage the latest news to tout their perspective with an "I told you so" attitude.

For the more level-headed, or simply anyone who worked closely with cloud technologies, it was clear that major news outlets' early descriptions of a "firewall misconfiguration" did not seem to add up or describe the situation completely. More details were necessary before a sound point of view could be formed. 

A few days after the initial reports, as more people were able to review the legal filings against Paige Thompson, it became clear that the breach was not the result of an insecure AWS firewall. Rather, the breach was facilitated through exploitation of a security group (which provides firewall-like functionality within AWS) with excessive permissions attached to a resource within Capital One's environment. Many have pointed out that law enforcement's complaint clearly pointed to a root cause stemming from a Capital One misconfiguration, as opposed to an issue with the cloud provider itself.

As J. Cole Morrison stated in his blog post The Technical Side of the Capital One AWS Security Breach, the lesson we should take from the Capital One breach is not the insecurity of the cloud, but the appropriate steps security organizations must take to audit, audit, and then audit again. As if securing static environments in traditional on-premise data centers wasn't hard enough, security organizations already suffering from a skills shortage will find it hard to stay afloat in cloud-based environments where business units and teams have the ability to scale up, scale down, and deploy at close to lightning pace. A knee-jerk reaction would be to try one's best to keep the cloud contained, allowing only trusted resources in IT's or Security's inner circle the ability to harness the cloud's power. For many, however, the proverbial horse has already fled the stable in the sky. So what is a CISO to do?

Taking Morrison's lesson from Capital One further, I'd argue that the continual auditing mantra fits best within a framework that aligns with a technical organization's approach to operations. Now that business units and organizations have one by one transformed their operational processes, adopting Continuous Integration, Continuous Delivery, and Continuous Deployment methodologies, it's time that security organizations align with their businesses and adopt Continuous Security.

Alignment: The Forgotten Security Fundamental

A recurring theme within security circles in the past 4-5 years has been "focusing on the security fundamentals," which (rightfully so) places an emphasis on the foundational pillars of an effective security program. Security fundamentals (e.g., effective security awareness, access controls, asset management, effective patch management, configuration management, and monitoring, to name a few) are viewed as being more effective than searching for a shiny, expensive, silver-bullet security tool when it comes to mitigating risk and preventing breaches. Based on what we know from the Capital One breach and countless others, this approach certainly rings true. But I believe another fundamental pillar of cybersecurity has often been forgotten: alignment with the business.

Most security executives agree that aligning security strategy to business strategy may be the most important aspect of implementing an effective security program. However, what is often missing in most organizations is an alignment of security's way of working with the business's way of working.

Some of the key benefits that organizations have realized over the past decade have been the agility, scale, and rapid deployment available through the automation that the cloud provides. The competitive landscape the cloud has shaped has allowed ambitious and savvy organizations to spin up, test, iterate, scale, and transform existing infrastructure at a fraction of the cost and time. A desire to stay competitive in this new environment has pushed some organizations to fully adopt the cloud, moving forward while their security teams struggle to catch up. It has become clear, in a general sense, that security organizations relying on traditional security approaches and on-premises data centers have not always kept pace with the business. For a security function to effectively mitigate a business unit's risk, it must refine its traditional processes to make sure its safeguards can operate, scale, adapt, and change direction at the same rate as the business.

Business Transformation Needs to Drive Security Transformation

The business case for adopting cloud technologies (efficiency, agility and scalability) has drastically transformed the way traditional business units operate. Long gone are the days of marathon Change Advisory Board meetings held once a week. Organizations adopting a more agile model to build and deploy workloads rapidly, iterate on previous architectures, and adopt new workflows at faster and faster rates, need to be protected by a security organization that can anticipate risks and work to mitigate them in real-time.  It's not enough for security leaders to simply extend legacy controls, left over from the on-prem era (e.g., archaic firewall approval processes, auditing and recertifying firewall rulesets every 6 months) to protect resources in the cloud. Environments that have been transformed to scale intelligently based on live business demands or change configuration based on developer-submitted Infrastructure-as-Code commits require a similar transformation in the way security controls are managed. Without this transformation, legacy controls in the cloud will only increase risk within a cloud environment and continue to keep security out of step with the business. 

Let's picture an organization where security processes are just as agile as the business's. Instead of relying on controls built for environments where IT and Security management were the gatekeepers for all system changes, environments managed by business unit DevOps teams using Infrastructure-as-Code are safeguarded via security monitoring, detection, alerting and response in the form of Security-as-Code. Leveraging Security-as-Code to build guardrails for DevOps teams removes the perceived red tape and makes security less human-dependent. This transformed security approach provides the ability to programmatically analyze corporate systems, providing continuous monitoring and audit of an environment's current state. Depending on the needs of the business, Security-as-Code could also take automated action to close holes and remediate misconfigurations that were intentionally or unintentionally introduced.
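To make the Security-as-Code idea concrete, and to tie it back to the excessively permissive security group described earlier, here is an added example (not code from the original article, Mobiquity, Capital One, or AWS) of a guardrail that continuously audits security groups for ingress rules open to the whole internet, produces revoke actions in the shape a pipeline gate could approve, and applies the remediation. It runs offline on constructed sample data shaped like the EC2 DescribeSecurityGroups response; the port allowlist is a hypothetical policy, and in a real deployment the sample list would be replaced by the describe_security_groups() result and the revoke actions fed to revoke_security_group_ingress().

```python
"""Security-as-Code guardrail: audit security groups for world-open
ingress and generate/apply remediation.

Added example, not from the article or from any vendor. Runs offline on
constructed data shaped like EC2 DescribeSecurityGroups output.
"""
import copy
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical policy (assumption): only these TCP ports may be exposed
# to 0.0.0.0/0 or ::/0. Everything else must be restricted by source.
PUBLIC_PORT_ALLOWLIST = {80, 443}

# Constructed sample data mimicking describe_security_groups() output.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0example1", "GroupName": "web-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "GroupName": "waf-proxy",
     "IpPermissions": [
         # SSH open to the world: excessive
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         # management port: internal IPv4 is fine, ::/0 is not
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         # all traffic, but only from the VPC range: fine
         {"IpProtocol": "-1",
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]


@dataclass(frozen=True)
class Finding:
    group_id: str
    group_name: str
    protocol: str
    from_port: Optional[int]
    to_port: Optional[int]
    cidr: str


def _is_world_open(cidr: str) -> bool:
    # A /0 prefix (0.0.0.0/0 or ::/0) matches every source address.
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _ports_allowed(proto: str, from_port, to_port) -> bool:
    # "-1" means all protocols and ports; never allowed to the world.
    if proto == "-1" or from_port is None or to_port is None:
        return False
    return all(p in PUBLIC_PORT_ALLOWLIST for p in range(from_port, to_port + 1))


def audit_security_groups(groups) -> List[Finding]:
    """Return one Finding per (rule, CIDR) that is open to the world
    on a port outside the allowlist."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if _is_world_open(cidr) and not _ports_allowed(proto, lo, hi):
                    findings.append(Finding(sg["GroupId"], sg["GroupName"], proto, lo, hi, cidr))
    return findings


def plan_remediation(findings) -> list:
    """Translate findings into revoke actions shaped like the arguments of
    ec2.revoke_security_group_ingress. Returned, not executed, so a human
    or a pipeline gate can approve them first."""
    actions = []
    for f in findings:
        perm = {"IpProtocol": f.protocol}
        if f.from_port is not None:
            perm["FromPort"], perm["ToPort"] = f.from_port, f.to_port
        if ":" in f.cidr:
            perm["Ipv6Ranges"] = [{"CidrIpv6": f.cidr}]
        else:
            perm["IpRanges"] = [{"CidrIp": f.cidr}]
        actions.append({"GroupId": f.group_id, "IpPermissions": [perm]})
    return actions


def apply_remediation(groups, findings) -> list:
    """Offline equivalent of executing the revoke actions: return a copy of
    the groups with the flagged CIDRs removed. Rules that still reference
    other sources (other CIDRs, security groups, prefix lists) are kept."""
    flagged = {(f.group_id, f.protocol, f.from_port, f.to_port, f.cidr) for f in findings}
    hardened = copy.deepcopy(groups)
    for sg in hardened:
        kept = []
        for perm in sg.get("IpPermissions", []):
            key = (sg["GroupId"], perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort"))
            perm["IpRanges"] = [r for r in perm.get("IpRanges", []) if key + (r["CidrIp"],) not in flagged]
            perm["Ipv6Ranges"] = [r for r in perm.get("Ipv6Ranges", []) if key + (r["CidrIpv6"],) not in flagged]
            if (perm["IpRanges"] or perm["Ipv6Ranges"]
                    or perm.get("UserIdGroupPairs") or perm.get("PrefixListIds")):
                kept.append(perm)
        sg["IpPermissions"] = kept
    return hardened


if __name__ == "__main__":
    found = audit_security_groups(SAMPLE_SECURITY_GROUPS)
    for f in found:
        print(f"{f.group_id} ({f.group_name}): {f.protocol} {f.from_port}-{f.to_port} open to {f.cidr}")
    print("revoke actions:", plan_remediation(found))
    print("findings after remediation:", len(audit_security_groups(apply_remediation(SAMPLE_SECURITY_GROUPS, found))))
```

Run on a schedule or on every Infrastructure-as-Code commit, the audit step is the "audit, audit, and audit again" loop; the separation between planning and applying remediation is what lets a team start in alert-only mode and turn on automated revocation only once the policy is trusted.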

Is Continuous Security Right for Your Organization?

This article is not to suggest that Continuous Security is a silver bullet or panacea to satisfy all security ills. An optimized security framework layers human-based security processes with programmatic security safeguards as a protective layer of assurance to supplement the limits of any given control. As has been true for business transformation initiatives, security transformation changes must be sustainable in order to provide any value to the organization they support. When adopting Continuous Security, CISOs are likely to find that leveraging the same tools, methodologies, and workflows as transformed businesses will position their security teams to realize gains in efficiency, agility, scalability and cost savings similar to those of their business counterparts.

Several leading organizations have already started adopting the Continuous Security philosophy. If you haven't done so recently, don't let the Capital One breach be a missed opportunity to re-evaluate your security practices. If your cybersecurity team is still operating with the controls and processes of a prior decade (or prior century), can you honestly say that you're aligned with your business? Take the opportunity for some self-reflection before your team falls further behind.

It’s time for cybersecurity transformation. Aim for continuous security. 

Tyrone Jeffress

Tyrone Jeffress is the Vice President of Engineering and US Information Security Officer, leading the security engineering team for Mobiquity’s product engineering department. He also heads up the corporate information security and compliance program. Prior to joining Mobiquity, Tyrone spent his career serving clients as a security consultant in the healthcare, communications, and financial services industries. He has focused his compliance expertise on HIPAA, PCI, and AICPA requirements as well as internal security operations. As for Mobiquity, Tyrone was drawn to the company due to its reputation as an innovative organization that uses cutting edge technologies to help clients engage with customers in a more meaningful way. Within the engineering department, Tyrone works most closely with our security engineers, architects, technical leads, and DevOps resources. Seeing what our DevOps engineers can accomplish through IaC (Infrastructure-as-code) has Tyrone eager to continue leveraging automation within our environments to simplify security operations, monitoring, remediation, and response. He believes that Security-as-Code has the potential to transform security teams in the same way that IaC has transformed technology operations in recent years. Tyrone loves his work because he enjoys solving complex problems and helping others balance business objectives with best practices and requirements. He credits his background working with a wide range of organizations that differed in size and industry, which allows him to have a diverse perspective on risk management strategies. Tyrone holds a bachelor’s degree in electrical engineering from the University of Delaware and is CISM and AWS - Security Specialty certified.
