Wednesday, Dec 22, 2021
BY: Team Nuspire
In a world where new technology and updates are deployed on a daily basis, security professionals can find themselves struggling to keep up. During a recent webinar, J.R. Cunningham, CSO of Nuspire, and Michael Wilson, CTO of Nuspire, discussed how the security landscape has changed dramatically and ways to navigate current challenges, with actionable recommendations and tools.
“When I started in cybersecurity, we maybe did one release per week,” said J.R. “But now, the frequency has grown exponentially, which requires a lot more security support – support that’s hard to scale. That’s where we start looking at ways to deputize technology professionals to help distribute the burden.”
Michael echoed those thoughts, adding that today’s developers need to do more than write code.
“Security is everyone’s job, and technology is a huge catalyst for distributing security accountability across an organization,” said Michael. “It really doesn’t make much financial sense to have a team of 100 security professionals to monitor everything. The entire business needs to have security knowledge awareness, and each department needs to have processes in place to ensure adequate security measures.”
In the past, developers typically didn’t deploy code straight to production. Now we have technology that can scan code as soon as developers commit it, which lets developers fix findings before the code reaches production – work that was traditionally done by security practitioners after the fact.
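As an added illustration of that commit-time gate (this is not code from the webinar or from Nuspire), the workflow below runs a static analyzer and an open-source dependency audit on every push and pull request. It assumes a Python project hosted on GitHub with a pinned requirements.txt; Bandit and pip-audit are used as stand-ins for whatever scanner an organization has adopted, and the Python version and excluded paths are arbitrary choices.

```yaml
# Added example, not part of the original post: GitHub Actions workflow that
# scans committed code before it can be merged or deployed.
# Assumptions: Python project, dependencies pinned in requirements.txt.
name: commit-time-security-scan

on:
  push:
  pull_request:

permissions:
  contents: read   # least privilege: the jobs only need to read the repository

jobs:
  sast:
    name: Static analysis of committed code
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # assumed project interpreter
      - name: Run Bandit (job fails on medium/high severity findings)
        run: |
          python -m pip install --quiet bandit
          # -ll: medium+ severity, -ii: medium+ confidence; exit code 1 on findings
          bandit -r . -ll -ii --exclude ./.venv,./tests

  dependency-audit:
    name: Audit open-source dependencies
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Run pip-audit against the pinned requirements
        run: |
          python -m pip install --quiet pip-audit
          # --strict: fail if any dependency could not be checked
          pip-audit -r requirements.txt --strict
```

Both jobs exit non-zero when they find something, so marking them as required status checks in branch protection turns the scan into an actual gate: the developer sees the finding on the pull request and fixes it there, rather than a security team discovering it in production later.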
Security professionals are adapting
“Most of us in cybersecurity come from an infrastructure or compliance background, which can be insufficient to deal with the rapidly changing technology,” said J.R. “Many of us have the experience of approaching our technology teams with a dose of humility to get their help to validate the right way to secure tech.”
He added that security professionals are learning to adapt on the fly to accommodate emerging technology, which is a challenge given the fact that many organizations are on three- to five-year buying cycles.
Tech professionals focused on limiting exposure
“One of the approaches we take from a tech perspective to limit liability and reduce the attack vector is to limit exposure,” said Michael. “That way, the only thing we’re worrying about is the little amount of code we put out there.”
He gave the example of servers. If his company has 100 servers in AWS, it’s much harder to patch all of them when a security issue arises; if his team instead uses small hosted functions or containers, it’s significantly less likely that an operating system or underlying server gets exploited, because there is far less surface to maintain.
To help organizations better equip themselves with the tools needed to address the current security landscape, J.R. and Michael offered some recommendations.
“One of the most important things businesses can do is go back to basics,” said J.R. “I know it doesn’t sound exciting, but we’re seeing the need to beef up on the fundamentals to enable our rapidly changing landscape.”
He and Michael offered recommendations in four areas:
- Endpoint Protection: SentinelOne, CrowdStrike, Cybereason
- Email & Web Security: KnowBe4, Proofpoint
- Proxy/CASB: Zscaler, Netskope
- Identity: Okta, Ping
“You may notice some tools not on the list like antivirus or firewalls – it’s not because they’re not important, but rather our recommendations are more in line with the move to a zero-trust framework,” said Michael. “To enable the ‘new age of work,’ we need to emphasize the security efforts we’re undertaking with remote employees.”
J.R. added that today’s security tools are a lot less obstructive than the tools of the past.
“Security tools used to either be obstructive or degrade the end-user experience,” said J.R. “However, a lot of the tools we deployed in the past year and will continue to deploy are a win from the user experience because they’re a lot less frictionless. For example, password managers and multi-factor authentication.”
Michael added, “Another example is moving away from VPNs and moving toward a service like Okta, which offers the same level of encryption without requiring heavy agents on laptops that slow things down.”
Recommendations: Budget-Friendly Options
Because no organization has an unlimited budget for security technology and services, J.R. and Michael offered a list of budget-friendly options:
- Open-Source Technology: Both agree that in 2022, we’ll see more viable open-source technology because of the transition to CI/CD (continuous integration and continuous delivery/deployment). The key is to continuously monitor the open-source code you depend on, given the risks it carries.
- Integrated Solutions (like MISP as a TIP): MISP is a free, open-source threat intelligence platform (TIP) that shares and correlates indicators of compromise.
- Do More with Policies, Procedures & Training: A lot of legacy procedures don’t work well today. Take a good look at your policies, procedures and training to see where you can make updates that align with current security needs (e.g., deputizing developers to extend your security manpower).
- Security Awareness: A lot of companies do one security awareness training/course for their employees. But security awareness can be different depending on the department. For example, training folks in finance is a lot different than training developers. Review your current training and see where you can add layers to make the message more applicable (and memorable) to your various teams.
For more information, you can watch the full webinar. Or if you want to talk to us about how we might be able to help you improve your security posture, drop us a line!