Let’s be honest. This is a mess. We are losing the battle in cybersecurity. The attacks are not stopping.
We have no shortage of great cybersecurity products. From data encryption to access control, network threat detection, endpoint behavior analysis, asset inventory and vulnerability management, there are thousands of cybersecurity vendors with five times that many security products and services. Many organizations end up deploying dozens of security products that still don’t stop them from being breached.
Compliance regulations and frameworks in the cyber space are exploding — PCI DSS, HIPAA/HITECH, FISMA, FERPA, GDPR, ISO 27001/27002, NIST, SOC 1/SOC 2/SOC 3/SOC for Cybersecurity, HITRUST, CSA STAR, etc. — yet the number of security breaches continues to grow year after year.
Why is our situation not getting better? How did we get into this mess?
I wrote a short article early last year describing my view on the pandemic of cyber breaches and attacks. Throughout my career in cybersecurity, I’ve made it my goal to find a “cure”. The following three challenges are significant contributors to the cyber pandemic:
- Too much too quick. Our operational environments have become too complex for us to fully grasp and are changing too quickly for us to keep up.
- Too many tools, not enough people. Again, we are fortunate to have many strong security controls and tools in the market, but they each require extensive expertise and resources to operate effectively.
- The good guys are not on the same page. Whether it is between security teams and developers in the same organization, or between vendors and partners, there are growing gaps that inhibit true collaboration.
Seeing the incredible rise in cloud technologies and the pervasive adoption of APIs, I believe we finally have a fighting chance. With the help of a team of super talented engineers, we are getting close to a critical part of a “cure”.
Welcome to the age of Precision Security
The current speed of innovation requires us to embrace an organizational culture and engineering practices that are distributed and open — think developers working remotely from anywhere, BYOD where end-users are the device administrators, and millions of lines of open source code that we have no control over yet our critical software depends on. This trend is the polar opposite of the security best practices we have learned and practiced for decades — centralized controls behind closed doors.
There is no going back. The approach we’ve been relying on for decades in cybersecurity is no longer working for us. We already know that we can’t continue building “walls” to barricade our systems and users in a locked-down environment.
Not only do we need to answer questions like what happened, when, where, and how it happened as part of security operations and incident response, it is increasingly important to answer the so what and what if questions. Perhaps you saw a new virtual instance pop up in your cloud environment. Perhaps a user’s laptop was infected with malware. Or perhaps an employee failed a simulated phishing exercise. So what? Does it matter? Is it malicious? Will it result in compromise or leakage of customer data? Do I need to jump on it right away? There is so much going on in your environment, so many alerts firing, but you have limited resources. How do you quickly answer the so what question and move on? How do you pick the right battle?
On the other hand, how can you detect and prevent the unknowns? How do you know the security controls you’ve implemented are working? What are you not covering? What if malicious code enters your production environment? What if an internal user makes a mistake? Worse, how do you provide maximum freedom and flexibility to empower your teams to do their job easier and faster, knowing you have these unknowns and what if’s?
Even best practices like role-based policies fall short. The days of security relying solely on standard best practices and role-based configurations are over. Treating users, systems and events in a standardized way is a root cause of alert fatigue and poor visibility. Having dozens of individual security controls and operational management solutions in your environment is simply too disjointed and overwhelming, no matter how good each of them is at doing its job independently. We don’t need more tools, we don’t even need better tools; we need to know that the ones we currently have are working, and working together. What we need is Precision Security.
Precision Security enables every cybersecurity operational decision, every policy enforcement and every compliance audit to be driven by individualized attributes and real-time context. JupiterOne is the cornerstone of this paradigm shift.
Don’t let a lack of visibility give you a false sense of security. Don’t just check the boxes for the sake of compliance. And stop operating your security based on assumptions or counting on luck, even if your organization is small. To get to precision security, we need to focus on these principles —
First, know yourself. “Know yourself and know your adversaries, a thousand battles, a thousand victories.” The cybersecurity industry has had dramatic improvements over the years in external threat intelligence. But I don’t believe anyone today can claim complete visibility at any given time. You can’t protect what you can’t see — this lack of visibility is a major roadblock to truly effective cybersecurity operations, making threat detection and prevention extremely difficult and resource intensive.
In today’s software-defined, ephemeral cloud environments where infrastructure is code, the underlying ecosystem can change with every code deploy, often multiple times per day. How do you keep up with this constant change and make the right operational decisions, much less provide up-to-date documentation and evidence for compliance?
You need up-to-date and accurate visibility of every entity in your environments, including systems, users, applications and data. You need to validate that the controls you intended to have are in place and working. And you need to provide evidence of all of this to your customers, investors and auditors.
Now you can.
Second, automate with confidence. Imagine you have this detailed map that captures every entity and relationship in your digital ecosystem along with their detailed attributes. Imagine this map is continuously updated with every change. Imagine you can find exactly what you are looking for with either Google-like full text search in an intuitive UI or complex query over API. Imagine you can automate and truly build security into a DevOps workflow regardless of the type of systems you are using for build, deploy or issue tracking. Imagine the freedom to choose the most suitable security controls, whether for static code analysis, vulnerability scanning, host intrusion detection or endpoint compliance monitoring, knowing they will all be able to work together and create shared insight.
Imagine no longer.
Third, get all the help you can get. Good security solutions have typically been reserved for the few, either larger organizations with deep pockets or members of the security team.
We have seen countless examples of global enterprises taken down by attacks initiated through a smaller vendor — Target via stolen credentials of an HVAC vendor, Home Depot via stolen vendor credentials, and Equifax via a flaw in third-party software, to name a few. There are many other reasons why these initial attacks resulted in massive breaches beyond the third-party vendors, but we cannot ignore the fact that we are all operating in a connected ecosystem and that everyone, even the smallest organization we work with, matters. It is great to see organizations starting to put increased scrutiny on vendors via risk assessments, information security questionnaires and compliance/certification requirements. However, if great security solutions remain beyond the reach of these small firms due to limited budgets, resources and/or expertise, how can we truly expect everyone in our connected ecosystem to be secure beyond checking the boxes?
We know now that “security is everyone’s responsibility”. Yet how can we expect developers and other users in the organization to help us if we don’t provide them the same visibility in security? How do we balance information sharing with need-to-know access and separation of duties? These are no doubt tough challenges.
Say no more.
Welcome to JupiterOne
JupiterOne is NOT some fancy, next-gen, AI-powered, APT-defense solution that will solve all the problems for you. After years of attending RSA and Black Hat, I have grown tired of the buzzword bingo played by the vendors in the cybersecurity industry. I could not have said it better myself, so I am going to reference this article published on CSO by Brian Contos, where he writes:
“In our industry, the security solutions can be extensible – which is often code for complex. Complex things require tuning to perform. Tuning can be slow, problematic and resource intensive. To overcome this, you need automated security instrumentation solutions … Without a way to validate your controls with assurance testing and understand the efficacy of your security stack – you are relegated to assuming, hoping and praying that your security solutions are actually working … Your security posture should not be based on assumptions. It should be based on empiric evidence. That empiric evidence can be derived by validating your controls with security instrumentation solutions.”
JupiterOne is the platform for automated security instrumentation and orchestration. It is the platform that enables the Security and DevOps teams to “speak the same language” and easily collaborate on improving security. It is the platform where you can easily provide assurance and compliance evidence by asking simple questions. It achieves this by integrating with your existing digital infrastructure, cloud and DevOps environments, and security controls via APIs. It automatically ingests and analyzes your resources to build an abstract security model on top of a native graph database, while preserving all detailed attributes and history.
A Microsoft DevOps lead once told me,
‘Defenders think in terms of lists, while attackers think in terms of graphs. That’s why attackers win.’
JupiterOne is a graph-based security solution built in the cloud, for the cloud. We are helping organizations take a data-centric approach to achieve full visibility and context-aware automation in security operations. Not only that, JupiterOne is for companies of all sizes — putting simple, usable security into the hands of even the smallest technology startup.
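The two passages above describe ingesting resources into a graph of entities and relationships, and why a graph answers the “so what” question better than a list. As an added example (not JupiterOne’s code, data model or query language; every entity id, relationship verb and attribute here is constructed for illustration), the Python below builds a small in-memory asset graph and runs two checks against it: a list-style check that flags every world-open security group, and a graph-style check that walks relationships outward from the internet and returns only the paths that actually reach a data store holding customer data.

```python
# Added example: a minimal in-memory asset graph and a relationship query.
# Illustrative only; not JupiterOne's data model, API or query language.
# All entities, relationship verbs and attributes below are constructed.
from collections import defaultdict, deque

# Constructed inventory of a small cloud environment (hypothetical ids).
NODES = {
    "internet":        {"type": "Internet"},
    "sg-web":          {"type": "SecurityGroup", "ingress": ["0.0.0.0/0:443"]},
    "sg-ops":          {"type": "SecurityGroup", "ingress": ["0.0.0.0/0:22"]},
    "sg-db":           {"type": "SecurityGroup", "ingress": ["10.0.0.0/8:5432"]},
    "i-web":           {"type": "Host"},
    "i-api":           {"type": "Host"},
    "i-batch":         {"type": "Host"},
    "role-web":        {"type": "AccessRole"},
    "role-api":        {"type": "AccessRole"},
    "role-batch":      {"type": "AccessRole"},
    "policy-logs-ro":  {"type": "AccessPolicy", "actions": ["s3:GetObject"]},
    "policy-cust-rw":  {"type": "AccessPolicy", "actions": ["s3:*"]},
    "bucket-logs":     {"type": "DataStore", "classification": "internal"},
    "bucket-customer": {"type": "DataStore", "classification": "customer-pii"},
}

# Relationships as (source, verb, target) triples. Note that sg-ops is open
# to the world but attached to nothing, and i-batch reaches customer data
# but sits behind a private-only group. Internet edges are derived below.
EDGES = [
    ("sg-web", "PROTECTS", "i-web"),
    ("sg-web", "PROTECTS", "i-api"),
    ("sg-db", "PROTECTS", "i-batch"),
    ("i-web", "USES", "role-web"),
    ("i-api", "USES", "role-api"),
    ("i-batch", "USES", "role-batch"),
    ("role-web", "ASSIGNED", "policy-logs-ro"),
    ("role-api", "ASSIGNED", "policy-cust-rw"),
    ("role-batch", "ASSIGNED", "policy-cust-rw"),
    ("policy-logs-ro", "ALLOWS", "bucket-logs"),
    ("policy-cust-rw", "ALLOWS", "bucket-customer"),
]


def is_world_open(attrs):
    """True when a security group has any ingress rule sourced from 0.0.0.0/0."""
    return attrs["type"] == "SecurityGroup" and any(
        rule.startswith("0.0.0.0/0:") for rule in attrs.get("ingress", []))


def derive_internet_edges(nodes):
    """Analysis step: turn each world-open rule into an explicit
    Internet -ALLOWS-> SecurityGroup relationship."""
    return [("internet", "ALLOWS", n) for n, a in nodes.items() if is_world_open(a)]


def build_adjacency(edges):
    """Index outgoing relationships by source node."""
    adj = defaultdict(list)
    for src, verb, dst in edges:
        adj[src].append((verb, dst))
    return adj


def find_paths(adj, start, is_target, max_depth=8):
    """Breadth-first walk over outgoing relationships. Returns every simple
    path (list of node ids) from start to a node satisfying is_target."""
    paths = []
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        current = path[-1]
        if len(path) > 1 and is_target(current):
            paths.append(path)
            continue
        if len(path) > max_depth:
            continue
        for _verb, nxt in adj.get(current, []):
            if nxt not in path:          # do not revisit nodes on this path
                queue.append(path + [nxt])
    return paths


def open_security_groups(nodes):
    """List-style check: every world-open group, with no context about
    whether it protects anything or what that thing can reach."""
    return sorted(n for n, a in nodes.items() if is_world_open(a))


def internet_reachable_customer_data(nodes, edges):
    """Graph-style check: full paths from the internet to any data store
    classified as customer PII, which is the 'so what' of an open rule."""
    adj = build_adjacency(edges + derive_internet_edges(nodes))

    def is_customer_store(n):
        a = nodes[n]
        return a["type"] == "DataStore" and a.get("classification") == "customer-pii"

    return find_paths(adj, "internet", is_customer_store)


if __name__ == "__main__":
    print("world-open groups:", open_security_groups(NODES))
    for path in internet_reachable_customer_data(NODES, EDGES):
        print("internet -> customer data:", " -> ".join(path))
```

The list check reports two open groups, one of which protects nothing; the graph check reports a single path, through `sg-web` and `i-api`, that warrants attention first. The same traversal works in the other direction (from a data store back to every identity and host that can reach it) by indexing edges on their target instead of their source.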
JupiterOne is no silver bullet or panacea. It is a critical, missing piece of the puzzle. We are just at the beginning of this amazing journey. I am proud of what our team has accomplished so far, and even more excited to see the next phase of JupiterOne development take shape.
Are you ready to be more efficient and effective with security? Schedule a demo today.
Want to see where you stand with your current security approach? Take this free assessment.
Stay tuned for more in-depth tours of JupiterOne:
- How JupiterOne leverages AWS infrastructure and services, including Amazon Neptune at its core
- Identifying misconfigured IAM policies and security group rules using JupiterOne Graph
- Generating asset inventory reports and other compliance evidence automatically using JupiterOne
- Building a complete set of policies and procedures from scratch in a week or less with JupiterOne
- Abstracted secure code analysis automation with JupiterOne for continuous delivery
- Security in a connected world – vendor security with JupiterOne