Reading the title, you might expect this blog to be about artificial intelligence or maybe even blockchain ledgers. Maybe a treatise on the need to hire the most world-class cyber experts or to follow existing and emerging laws to a T? No, it’s none of these.
For me, the single most important thing in cybersecurity is operational excellence.
Who am I to say this?
I am not a security expert. And I don’t pretend, or even want, to be one. I am a Systems Reliability Engineer who worked for a decade as a Developer, another decade as a Database Architect and Engineer, and another one in Operations. Yes, those are many decades.
And something I have learned over them, and from seeing our systems from many vantage points, is that security is probably the most important aspect of our work. It doesn’t matter if you are a developer, an operator, a DBA, a team lead, a commercial contact, the most junior, or the most senior member of a team; the security of our code and data is YOUR responsibility.
A chain is only as strong as its weakest link, so we all need to realize our importance and responsibility in cybersecurity. We should not delegate to a dedicated security team but work with them to make sure our security posture is the correct one. Together.
Do you know where your towel is?
In the seminal book The Hitchhiker’s Guide to the Galaxy, a towel is the most important item a hitchhiker can carry, and if they always know where it is, it’s a sign that they really have their house in order. In the cyber world, enterprises need to “know where their towel is” at all times, too.
To use another analogy, if you are a spy about to infiltrate an enemy stronghold, what you want is a disorganized stronghold. You want them to have no entrance controls, or entrance controls with a lot of exceptions, so you can “slip in.” You want them to lack standardized procedures so you don’t raise any suspicions when you make your move. You want the soldiers not to know everyone, so they don’t suspect somebody new. You want a lack of cameras and entry logs, so they can’t be sure whether somebody unauthorized was present on a given day. You want them to have no inventories, so they can’t tell what’s missing or whether something appeared from nowhere.
Now, say you’re a hacker, and the “enemy stronghold” is a website or some other application. If your target meets the above criteria, it makes your job so much easier!
Are you making things easy for a hacker?
Do you know how many computers your company is using right now? Or would finding that number require a small team spending hours or days on a project to work it out?
Do you know which of your applications use Java JDK 1.7, and where they are running? In all of your environments?
Do you know when your servers last had their operating systems patched? Do you know up to which patch level? Are they missing patches? Is there a reason for it? When are they going to get patched?
Do you know which of your accounts accessed your production databases yesterday? Which queries were executed? Were there any abnormal queries?
Are there documented processes that are actually used and kept up to date by the operations teams? Up-to-date onboarding and offboarding processes for when there are personnel changes? How many exceptions happen in a month? Are you sure of that number, or are you unaware of the real one?
How many abandoned access accounts, databases and servers are there, forgotten, just lying around in your systems?
Those are the questions hackers are asking about you. Are you making it easy for them?
The most important thing is the basics. The day-to-day stuff.
If we don’t know what is happening in our infrastructure, systems, and data stores, we won’t be able to detect intrusions or exfiltrations because we won’t be able to distinguish them from our normal processes.
If our systems fail, are we sure it was because of a bug or an attack? Or do we need a couple of weeks of forensic work to realize the issue was not an accident?
Do we have the monitoring and alerting in place to identify outliers? To respond in time?
Do we have the right backups and processes to respond to a data breach? Have we tested it to be sure they work as expected?
Do we have a cybersecurity consulting firm on our side, advising on best practices and ready to fight when things go awry?
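As an added example (not code from the original post), the following script turns the questions above into a concrete check: it reads a database audit log, builds a baseline of ordinary activity per account from a period that was reviewed and found clean, and then reviews yesterday's events against it, reporting unknown accounts, activity outside an account's usual hours, statement types never seen for that account, and row counts far above the usual maximum. The log format, the account names and both logs are constructed for this example; a real deployment would read the audit trail of your own database and use a much longer baseline window.

```python
"""Added example: review a day of database audit events against a baseline.
Log format, accounts and all events below are constructed for illustration."""
import re
from datetime import datetime, timezone

# One audit line: ISO timestamp, account, database, statement type, rows touched.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) db=(?P<db>\S+) "
    r"stmt=(?P<stmt>[A-Z]+) rows=(?P<rows>\d+)$"
)

# Constructed "known good" activity; in practice this is a reviewed, clean period.
BASELINE_LOG = """\
2024-05-01T09:05:11Z account=app_orders db=prod_orders stmt=SELECT rows=40
2024-05-01T09:05:12Z account=app_orders db=prod_orders stmt=INSERT rows=1
2024-05-01T14:20:31Z account=app_orders db=prod_orders stmt=UPDATE rows=3
2024-05-01T23:30:00Z account=svc_reporting db=prod_orders stmt=SELECT rows=5000
2024-05-02T09:15:45Z account=app_orders db=prod_orders stmt=SELECT rows=55
2024-05-02T23:30:02Z account=svc_reporting db=prod_orders stmt=SELECT rows=5200
"""

# Constructed "yesterday": three events worth a second look are mixed in.
YESTERDAY_LOG = """\
2024-05-08T03:12:44Z account=svc_reporting db=prod_orders stmt=SELECT rows=250000
2024-05-08T03:13:10Z account=jdoe_old db=prod_orders stmt=SELECT rows=12
2024-05-08T09:02:10Z account=app_orders db=prod_orders stmt=SELECT rows=48
2024-05-08T11:47:03Z account=app_orders db=prod_orders stmt=UPDATE rows=2
2024-05-08T13:05:00Z account=app_orders db=prod_orders stmt=DELETE rows=900
2024-05-08T23:30:01Z account=svc_reporting db=prod_orders stmt=SELECT rows=5100
"""


def parse(log_text):
    """Parse audit lines into dicts; an unparseable line is an error, not silently dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "account": m["account"], "db": m["db"],
                       "stmt": m["stmt"], "rows": int(m["rows"])})
    return events


def build_baseline(events):
    """Per account: the hours it was active and the largest row count per statement type."""
    baseline = {}
    for e in events:
        b = baseline.setdefault(e["account"], {"hours": set(), "max_rows": {}})
        b["hours"].add(e["ts"].hour)
        b["max_rows"][e["stmt"]] = max(b["max_rows"].get(e["stmt"], 0), e["rows"])
    return baseline


def review(events, baseline, volume_factor=10):
    """Return (timestamp, account, reason) findings for events that deviate from the baseline."""
    findings = []
    for e in events:
        key = (e["ts"].isoformat(), e["account"])
        b = baseline.get(e["account"])
        if b is None:
            # Nothing in the baseline knows this account: unknown or abandoned credential.
            findings.append(key + ("account not in baseline: unknown or abandoned credential",))
            continue
        lo, hi = min(b["hours"]), max(b["hours"])  # usual activity window (UTC hours)
        if not lo <= e["ts"].hour <= hi:
            findings.append(key + (f"activity at {e['ts'].hour:02d}h, outside usual {lo:02d}-{hi:02d}h",))
        if e["stmt"] not in b["max_rows"]:
            findings.append(key + (f"statement type {e['stmt']} never seen for this account",))
        elif e["rows"] > volume_factor * b["max_rows"][e["stmt"]]:
            findings.append(key + (f"{e['rows']} rows vs usual max {b['max_rows'][e['stmt']]}: "
                                   "possible bulk read or exfiltration",))
    return findings


def review_logs(baseline_text=BASELINE_LOG, yesterday_text=YESTERDAY_LOG):
    return review(parse(yesterday_text), build_baseline(parse(baseline_text)))


if __name__ == "__main__":
    for ts, account, reason in review_logs():
        print(f"{ts} {account}: {reason}")
```

Run as-is, the script reports the reporting account reading 250,000 rows at 3 a.m. (twice: off-hours and volume), the unknown `jdoe_old` account, and the application account issuing a `DELETE` it has never issued before; the routine reads and updates produce no findings. The point is not the thresholds, which are deliberately simple, but that none of these questions can be answered at all without an audit trail, an account inventory and a baseline to compare against.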
The way forward is with Automation…
The warning is real: We need to be right all the time. The hackers only need to be right once.
It sounds like a losing proposition. Like fighting a losing battle. But we have one advantage. The home turf. We DO control our infrastructure. We DO create, maintain and apply our processes and controls. We can be ready for them.
But to make sure it happens all the time we need automation. We need to avoid manual processes and exceptions. We need observability and alerting.
… to enable Continuous Security.
We need Continuous Security.
It is no longer enough to run audits every six months, or to ask for compliance checks every year. We don’t have days or weeks to respond to a security incident. We need to respond immediately.
We need automated controls that control, monitor, alert, and even automatically respond to abnormal situations. Automated processes that prevent exceptions, manual errors, or even a disgruntled coworker from breaching our systems.
And we are not talking about some “special” part of our operations. We are talking about our day-to-day ones. Those are the ones a hacker will attack first. Those are the ones that, if not done properly, will keep the more sophisticated attacks from being recognized in the first place.
We need our systems and infrastructure clean and organized. All the time.
Let’s not make things easy for the hackers. Let’s practice operational excellence, because to me, that’s the most important thing in all of cybersecurity!