By now, you’ve read Part I of How to CISO in the Cloud, and its accompanying blog. And hopefully, you’ve just read Part II, or you’ll be inspired to read it after reading this. Just in case I need to get you up to speed: I wrote How to CISO in the Cloud to be a guide for new and seasoned CISOs on how to build a strong cloud security strategy that’s specific to their organization’s needs. In this blog post, I’m going to outline some of the key messages found in Part II that can help get your thoughts flowing on how you may want to approach adjusting your organization’s security strategy. Okay, let’s begin.
If, like me, you watched GI Joe as a kid, you might have developed your own follow-on catchphrase to their “Knowing is half the battle.” For me, it was “…and accurate aim is the other half.” You see, watching those shows, I was always impressed at how ineffective both GI Joe and Cobra were. Despite firing off seemingly endless numbers of plasma bolts, no one was ever hit.
The lesson I drew was to take careful aim before just spraying and praying, and that’s a model that works well when building a cloud security strategy. There is a lot of good work that can be done, and sometimes it is tempting to just latch onto a shiny project right in front of you. But if you want to build a truly effective program, there are two key steps you can apply when building your own cloud security strategy.
Odds are, you already have plenty of capabilities in house: people, tools you’re using, and tools you’ve spent money on but aren’t using (shelfware). Before you make any changes, assess what you have. Can you use a tool better? Are there tools you can get rid of because they don’t work (or aren’t monitored)? Do you have people who could solve certain problems, but are stuck doing “vital” work that doesn’t stretch their potential?
You have a variety of partners in your business, from your finance team (who knows what you spend) to your vendors (who want you to use their products more) whose business goals directly align with yours: maximize the value you receive from your existing budget. Be harsh yet realistic about what’s already in place before starting over from scratch.
The word “risk” is thrown around a lot in the cybersecurity arena, and it’s a vague word with lots of different meanings. I like three specific definitions, each of which fortunately has its own unique phrase.
Unacceptable losses are outcomes you are worried about (e.g., “Loss of customer data”). Odds are, your business has specific unacceptable losses that they worry about the most, and you should orient your security program, and your communication, around those.
Hazards are the structural elements of your system that can expose you to unacceptable losses. Using a third-party provider is a hazard; any compromise of their underlying system can expose you to an unacceptable loss.
Attack scenarios are collections of attack paths that an adversary could follow, triggering a number of hazards until they create an unacceptable loss.
Why does this language matter? Because as we design and communicate our new security program, we want to make sure we’re aiming at the correct things. While tactically we might be remediating specific attack paths, our overarching goal is to defend against the attack scenarios that plausibly expose us to the worst unacceptable losses, and we do that by reducing or controlling the hazards common to those attack scenarios.
As an example: 78% of all cloud attack paths begin with known exploitable vulnerabilities on internet-facing systems. Many of those attack paths cluster into attack scenarios like “An adversary compromises an Internet-facing system, finds a credential accessible to that machine with overly permissive entitlements, uses the credential to access a datastore with customer data, and steals it.” One unacceptable loss: loss of customer data. Three major hazards are present: unpatched machines, unprotected credentials, overly broad entitlements. To attack this problem, we might institute programs targeting each of the hazards: software vulnerability management, key management, and cloud identity entitlements management.
In short: understanding the attack paths that your specific organization needs to be concerned with helps you home in on what’s needed from a security tooling standpoint.
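As an added illustration (not code from the guide or from Orca), here is that prioritization logic in Python: each attack scenario is tagged with the unacceptable loss it ends in and the hazards it relies on, hazards are scored by how many scenarios share them weighted by how bad the resulting loss is, and each ranked hazard is paired with a remediation program. Scenario 1 is the one described above; the other two scenarios and the loss weights are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackScenario:
    """A cluster of attack paths that ends in one unacceptable loss."""
    name: str
    loss: str           # the unacceptable loss the scenario ends in
    hazards: frozenset  # structural weaknesses the attack paths rely on


# Assumed business ranking of unacceptable losses (higher = worse); constructed for this example.
LOSS_WEIGHT = {"loss of customer data": 3, "production outage": 2}

# Scenario 1 is the one from the post; scenarios 2 and 3 are constructed.
SCENARIOS = [
    AttackScenario("internet-facing host to customer datastore", "loss of customer data",
                   frozenset({"unpatched internet-facing systems", "unprotected credentials",
                              "overly broad entitlements"})),
    AttackScenario("leaked CI token deletes production", "production outage",
                   frozenset({"unprotected credentials", "overly broad entitlements"})),
    AttackScenario("public object storage bucket", "loss of customer data",
                   frozenset({"public storage exposure"})),
]

# Hazard -> remediation program, the three pairings the post names.
PROGRAMS = {
    "unpatched internet-facing systems": "software vulnerability management",
    "unprotected credentials": "key management",
    "overly broad entitlements": "cloud identity entitlements management",
}


def rank_hazards(scenarios, loss_weight):
    """Score each hazard by the loss-weighted number of scenarios it appears in.

    Returns (hazard, score, scenario_count) tuples, highest score first, so the
    hazards shared by the worst scenarios come out on top.
    """
    score, count = defaultdict(int), defaultdict(int)
    for s in scenarios:
        for h in s.hazards:
            score[h] += loss_weight[s.loss]
            count[h] += 1
    return sorted(((h, score[h], count[h]) for h in score), key=lambda t: (-t[1], -t[2], t[0]))


def plan(scenarios, loss_weight, programs):
    """Pair each ranked hazard with its program, flagging hazards no program covers yet."""
    return [(h, programs.get(h, "NO PROGRAM YET")) for h, _, _ in rank_hazards(scenarios, loss_weight)]
```

Running `plan(SCENARIOS, LOSS_WEIGHT, PROGRAMS)` puts the two hazards shared by both high-impact scenarios first and surfaces the constructed storage hazard as one that still needs a program.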
If you’ve found this insightful and want more details surrounding these recommendations, check out Part II of How to CISO in the Cloud! As a bonus, if you’re interested in learning more about how to break down risks into the three specific categories and communicate them to business stakeholders, check out my talk at RSAC 2023 called “Turning Attack Paths into Fairy Tales.” Want to learn more about how Orca’s security solutions can benefit your business? Sign up for a complimentary cloud risk assessment or request a demo of the Orca Cloud Security Platform to get started today.