Join Jesse as he talks about the endless amount of news out there for security professionals and how to find the signal in the noise, how understanding your organizational mission helps you understand your risks, how to develop a news strategy, what your attack surface is and how to think about it, Jesse's recommendation on how to triage your news needs, why you should scan major publications to see what sources are saying across the board before determining what critical elements warrant deeper investigation, and more.
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.
Announcer: This episode is sponsored by ExtraHop
. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn’t translate well to cloud or multi-cloud environments, and that’s not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial
. That’s extrahop.com/trial
Jesse: There’s a constant daily show of security-related news from all directions. It’s a storm that never abates. Sifting through it all feels daunting to most people, including many security professionals. We need a strategy to sort it all out and focus on the things that matter, as quickly as we can. [laugh]. The easy and terrifying answer is just to subscribe to all the newsletters for everything your organization uses or your group manages; go read the articles they point to, and [laugh] give up because it’s total information overload.
For some security people, this approach does make sense and it works; except the whole giving up part, of course. However, if this isn’t useful for most of us. As with anything driven by business needs, understanding how to find and evaluate useful security news starts with knowing your business. Whatever your role, you should understand how your work supports and furthers the organizational mission.
Understanding your mission leads to understanding your risks, therefore you will know your role in risk mitigation. This leads to understanding how and why your technological solutions both support your mission and mitigate your risks to that mission. Now, let’s look at how this foundational understanding of your business drives your consumption and evaluation of security news.
News strategy. It should be obvious that the role you and your technology have relative to the mission and risks determine the choosing of both the types and the sources of security news you should read. It is tempting to focus only on cloud-specific sources and topics, but running in the cloud does not obviate the need for the security of your systems, applications, and data. It is also true that ignoring cloud-specific security news is a bad idea. To determine which to focus on first or most, look at the likely exposure your infrastructure has in terms of your risks.
For example, if your application delivers the services of your business to external customers as opposed to an internal employees’ service, then most people will interact primarily with your application services presented by your systems. Your largest attack surface would be your service application, the data presented and used by your application, the operating system or microservice platform supporting your application, and the network infrastructure to tie it all together. We define attack surface as the collective group of services, systems, or data exposed to access by a potential adversary. In other words, if something can be touched on the network, it is part of the attack surface for initial intrusion. And if something on the system can be touched by local access, it is part of the attack surface for an attacker who has gained access beyond the network resources.
This means most of us have a primary or larger attack surface in the application and systems exposed in services delivery, and our cloud infrastructure underneath and supporting our systems and services is likely a secondary or smaller attack surface. For more reading on attack services, check out Okta’s article called “What is an Attack Surface? (And How to Reduce it)
” and read some attention to the topic in the US National Institute of Standards and Technology or NIST Special Publication 800-160, Volume Two called “Developing Cyber Resilient Systems: A Systems Security Engineering Approach
.” Wow, that’s a mouthful.
Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport
, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com
. That’s goteleport.com
It is generally the case for most people and organizations that non-cloud-specific news will provide the most return on our investment of time upfront, though this changes once processing and acting upon general security news become streamlined. Now, let’s talk about how to determine the usefulness of the news we encounter.
Evaluating news. Most of us would head straight to industry sources to see what the biggest news of the day is, but I suggest a different approach to triage your news needs. First, look at mainstream news sources such as the New York Times Washington Post, and the Guardian or even NPR, CNN, and BBC. Is there cybersecurity-related news showing up in many or all of these sources? If there is big news, it will be all over it with original source articles, and even articles summarizing those other news sources.
This will likely give you a general idea of the service or technology affected, which helps you determine whether further research is required to understand the impact it may have on your organization. These sources may not clarify what specific technical services or systems are involved, however. Once you found these big news items, search in the tech industry-focused sources to get more relevant detail that isn’t over-simplified for larger public audience. If there isn’t a big news from mainstream sources, look for popular topics across tech industry-focused sources. See what these sources are saying across the board to see what are the most critical elements you should consider and investigate.
Some popular sites to consider are Wired CIO and CSOs security site. Also, don’t forget your LinkedIn newsfeed or your various social media venues like Twitter, your Facebook timeline, Instagram, or your other favorite internet Hangouts. Your next stop to further refine your understanding of the technical things happening with a widespread security issue is to dig into a topic on technical-focused sites. These can be specific to a particular vendor technology, like Microsoft’s security blog, Red Hat’s security channel, or Cisco’s security content, for example. This is where you start getting into the detailed and specific vulnerabilities, including the method of compromise, such as buffer overflows, remote code execution, or RCE, privilege escalation, or denial of service, or DoS, attack types.
I’ll discuss more about these attack types another time. To dig into the deep technical details, find articles on your topic in publications like SC Magazine’s security news site, the Hacker News, or Dark Reading among others. Although keep in mind, these sometimes get deep into the security domain and use security-specific language and jargon that might be a bit hard to follow if you’re not used to it. The technical articles often will reference the common vulnerabilities and exposures, or CVE identifiers. The CVE Program is a service of The MITRE Corporation, which operates federally-funded research and development centers, or FFRDCs, in a number of areas including a [Strong Center 00:08:37] in the National Cybersecurity FFRDC.
MITRE’s cybersecurity work extends to a number of areas and come up frequently in security domains. I will cover more of what MITRE does in a future episode. In a short description, a CVE identifier points to an entry in the CVE program list that provides basic information about a vulnerability in a standard format, covering things like the operating system or software package affected, vulnerable versions, a description of the vulnerability, and pointers to the deep dive into the exact nature of the vulnerabilities. Follow the links in the CVE entry for remediation and mitigation specifics on patches, upgrades, or other mitigation steps for vulnerabilities, such as configuration changes.
While searching for a security exploit, and looking at headlines at the time of recording this podcast, I see big news about patching iPhones, and iPads, and a widespread attack on Exchange servers, which includes things about the Black Kingdom ransomware used by the Hafnium cybergang. Those are great rabbit holes to fall into for some fun security reading. If your organization uses iPhones, iPads, or Microsoft servers, go down the holes and see where they lead.
Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.
Announcer: This has been a HumblePod production. Stay humble.