Before founding RedLock, I spent over 10 years in cloud security - both as a practitioner at a leading cloud service provider, and later as a company builder at a leading CASB. From those experiences, I discovered one thing that is core to our mission at RedLock: securing cloud infrastructure requires a fresh set of tools, processes and mindset. The days of deploying proxies and firewalls to secure the “new data center” are gone.
As we approach 2018, I recognize the market is still in its early stages. But, we have learned a lot about cloud threat defense and the needs of the market. In this, my final blog for the year, I’d like to share with you some of RedLock’s lessons learned in 2017.
- “First-gen” cloud compliance scanning tools are ready to be retired - Many organizations in the news this year experienced cloud security incidents using rule-based compliance and configuration scanning tools (“first-gen” tools). Unfortunately, these tools only tell you what CAN potentially go wrong. Without any context or impact analysis, it’s impossible to identify what IS going wrong, and what needs to be fixed immediately. With organizations lacking the necessary visibility into public cloud infrastructure, how can you break through the “noise” of thousands of alerts to get to the real signals that require immediate action? Merely meeting compliance requirements offers a false sense of security, and a new era of comprehensive compliance and threat defense tools are poised to take their place.
- Context makes alerts actionable - Alerts without context are not actionable. To make an alert actionable, you must answer a few key questions - what is the problem, how was it introduced into your environment, has it been exploited or is really exploitable, and how critical are the assets that can be compromised? This is vital where security teams have no knowledge of what developers are running across dozens of cloud accounts, and more importantly don’t have expertise in the different cloud services. For example, if an alert highlighted to a security analyst is an open security group on port 22 to the Internet, what is expected of that analyst? Does he/she just shut down that rule, and run the risk of breaking a production application? What if it was a legitimate bastion host running with that associated security group? A true cloud infrastructure solution must be able to provide all the meaningful context, such as what instances are associated with that security group, what applications they are running, are they accepting traffic from the Internet, do they also have a key patch missing that could be exploited, etc.
- Continuous monitoring without continuous learning will fail youThe vast majority of enterprises are still in the very early stages of migrating workloads to public cloud environments. But, the near future is clear: The typical organization will soon have thousands of workloads strewn across multiple cloud service providers distributed around the globe. First-gen cloud infrastructure security tools were rule-based configuration checkers that helped with basic blocking and tackling. But those tools would not have found, much less stopped, a breach discovered by RedLock’s CSI team where an open Kubernetes administration console belonging to Aviva was hijacked and being used to steal “free" compute power to mine Bitcoins. Cloud threat defense requires an AI-driven approach that is constantly learning your environment and pinpointing anomalies. Looking forward, enterprises will quickly adopt a new generation of tools and services that will continuously ingest volumes of security and configuration data from a variety of sources, putting alerts into context, and making the context actionable.
- DevSecOps doesn’t mean the death of security organizations - There’s speculation that 2018 is the end of security as we have known it, because with DevSecOps, developers will manage security and there will be no further need for security teams. That’s simply not true. DevSecOps will make security a shared responsibility between developers and security teams. Security by design will be key, but so will the trust but verify model. Even if you have the most secure coding pipeline with checks at the Cloud Formation and Terraform templates level, you will still need a cloud threat defense solution looking for anomalous activities in your environment, which could be introduced through zero-day attacks or developer oversight. So we don’t see security teams going away. In fact, it is now more important for them to re-tool and be ready to enable business transformation via public cloud.
As exciting as 2017 was, I’m even more excited about what lies ahead. I'm proud of our team's efforts in defining the vision of what an ideal cloud threat defense platform is, and becoming an early leader. Now, the pressure is on other competitors to share that vision and pivot from first-gen to cloud threat defense. I want to thank our customers, prospects, investors and all the RedLock employees for a terrific year. As always, I'd love to hear your thoughts about what lies ahead, so please feel free to get in touch. And I want to wish everyone a safe, healthy and secure 2018.