The Dream for SaaS Security Teams
When only a few spare minutes can be spent on proactive security operations, what should you do?
Getting ahead of potential problems can result in warm, fuzzy and very rewarding feelings for security teams. There is nothing like spec'ing out your vision for combating potentially crippling and detrimental threats. It's that ability to see into the future and have your colleagues stand aside, in awe, of your ability to measure up your defenses, identify vulnerabilities and correct them before a problem occurs ...bahahahaha.
If that is the world you live in, more power to you. Let all of us know when the next rocket ship is available to transport us through the portal to your reality.
Unfortunately for the rest of us, proactive security operations for cloud and SaaS companies are competing for just minutes of each week that haven't already been blanketed with meetings, emails, or alerts. So what should you do when you stumble upon a clearing of unscheduled, uninterrupted minutes?
"I've got 5 minutes"
Most of the time, this is going to happen post lunch or when a meeting ends early. You stumble across a few minutes before your next planned commitment, whether it's a meeting or a task, and are a little surprised. Don't waste that time.
From a more micro-perspective, if you have a few minutes, jump into Bitbucket, GitHub or whatever you use for a Code Repo and review the PR's for potential security issues. It's a proactive way to getting ahead of issues that may show up next week. Flagging something for further security review in this brief window may just catch a major issue before it was merged into the wild.
On a macro level, look at any resources added to your environment over the past 24 hours. This should give you a true sense of potential issues that have arisen while also building in the importance of recency. Recency matters because, let's face it, there are risks, vulnerabilities and issues that have been around in your environment for months. They are important, yes, but they are almost a part of the status quo at this point. Digging into those will take more time whereas this approach will allow for more of a purview of what changes are happening of which to make note.
A key note on both of these tasks, if your goal is to have a good sense on what happened yesterday or through the night, it is better to do this earlier in the data before a lot of activity picks up with your devs.
"I've got 10 minutes"
It doesn't sound like a lot of time but when combined with uncompromising focus, 10 minutes can go a long way for security operations and planning. There isn't a lot of flexibility for going down the rabbit hole on 'interesting' changes to your environment, but you can still feel like you made a net positive impact towards security assurance.
Towards the beginning of the week, 10 minutes can be put to particularly good use if you spend it reading through documentation of new features recently pushed to dev. The goal again is to think of ways either your internal team or potential attackers could break or attack your organization. It's unlikely stumbling across a potential issues can also be resolved in 10 minutes, but you can outline plans for when you have half an hour or more to bang on things. It's efficiency that you can redeem in the future.
Ten minutes is also a good amount of time, when spent head down, to wrap up other tasks or projects you didn't finish. Making more headway or completing that script that automates away or assists with tedious log analysis and other manual SecOps processes frees up your next half hour or hour long chunk to execute, analyze and generally just dig deeper. More focus means more impact.
I'd also throw in that 10 minutes is also great for looking at changes in your digital environment over the past 24 hours, especially if you are able to pivot around timestamps to catch suspicious behaviors.
"I've got half an hour"
When you consider the research behind the hugely effective personal sprinting approach of Pomodoro, you should have a lot of confidence as to what you can tackle with 30 minutes.
First, 30 minutes should rarely be a window of time where you squander with puttering around. Ideally, you can pull from a task or project and accomplish something. The 5- and 10 minute windows above could be a good source.
That said, sometimes a meeting ends early or is cancelled all together. You've got 30 minutes you weren't expecting, so what can you do? Pre-planned time is usually in reaction to a change or vulnerability needing attention. Important but reactive. Let's use found time to be proactive.
One more micro-approach would be to use a tool like Burpsuite to watch requests within your applications, then spend time mapping the attach surface. Another "you'll thank me later" option would be to assemble evidences for any upcoming audits. Or begin documentation for the next security review that comes across your desk for a prospective customers. Better yet, begin building out externalized documentation to shortcut the whole process.
Time doesn't grow on trees – actually, that doesn't make sense. Let's just say effectively putting your spare moments to work can have an exponentially positive impact on your security operations. Don't waste them.
Proactive actions like above could be a shortcut or lay the foundation for things we know are coming. We either procrastinate because we have plenty of time or we convince ourselves the data we will need to collect may vary. In both respects, you are both right and wrong. There is always value in putting in foundational efforts that you know are required, even if it doesn't feel like it's as pressing or urgent. Remember that you will always outline time to address surprises, but what you do with found time could reduce the surprises from occurring all together.
What do you do with your found time?