Every Cloud Should Have A Security Lining: A Recap of The 2018 Cloud-Native Security Summit
Last month on Tuesday, September 18, Duo Security co-hosted the 2018 Cloud-Native Security Summit with Capsule8 and Signal Sciences in New York City. This full-day summit was jam-packed with panels, discussions and presentations focusing on security challenges and advancements in the cloud-native world.
Kicking off the event was Chenxi Wang, founder and managing partner for Rain Capital, as she went over the results of The State of Cloud-Native Security, our recent research survey of 486 IT and security professionals on adoption of and concerns about Cloud Native Applications.
The survey notes an increasing reliance on Cloud Native for three primary reasons: new software development, operational cost savings and business modernization. However, increased security risks present a barrier to cloud adoption. Many companies struggle with threat visibility and detection: 73 percent say that they lack real-time insight into threats and ongoing attacks, while nearly half report that false positives account for more than half of their production environment security alerts. In addition, companies struggle with deploying effective security in their production environments, with 40 percent saying they do not have a DevOps function in place.
In order to solve these difficulties, the survey suggests that companies find ways to increase visibility into production infrastructure, demand more immediate and precise detection tools, establish defined DevOps processes, and enable security teams to work hand-in-hand with those processes as deployments scale.
Following Chenxi’s presentation, Art Coviello, former chairman and CEO of RSA, and Ed Amoroso, CEO at TAG Cyber, took the stage for a fireside chat. During the discussion, they noted the importance of taking cybersecurity seriously by focusing on people and processes instead of point products, as well as the importance of understanding and acknowledging the dangers of not taking security seriously.
They also discussed being realistic about what can and can’t be done, especially when it comes to things like Artificial Intelligence. Ed pointed out that there’s lots of crazy hype about AI solving all our problems — unfortunately, this isn’t the case, but AI is finding its place when it comes to detecting behavioral patterns.
The summit continued with a panel discussion between:
• Doug DePerry, Director of Product Security, Datadog
• Patrick Ancillotti, VP of Systems Engineering, Vimeo
• JJ Agha, Head of Information Security, WeWork
A key theme in this discussion was instilling a companywide security culture by bridging the gap between security groups and non-security groups. All three panelists emphasized transparency and clear communication, stressing that we need to approach people at their level. JJ mentioned the effectiveness of providing metrics, showing how things actually work, and explaining what you’re doing. Patrick mentioned moving accountability upwards and conducting audits. Doug suggested raising awareness through visibility, though he warned, “Don’t be Chicken Little!”
Continuing the theme of bridging gaps and working with others, Stephen Fridakis, CISO of HBO, shared his experiences in navigating security for the television network’s original productions in a fireside chat moderated by Andrew Peterson, Founder & CEO of Signal Sciences.
Stephen talked about the difficulty of controlling security for these productions, sharing that there are 20 to 70 entities involved in post-production, and the software they use does not always work in the cloud. Additionally, once the content is ready for distribution, there’s the problem of platforms and developers — HBO is available on 37 different platforms, all using a wide range of tools. Because of all this, they must strike a balance between security and the needs of the producers and developers.
In the summit’s second panel, the discussion shifted slightly to how people and processes figure into detecting attacks at scale. The panel was moderated by John Viega, co-founder and CEO of Capsule8, and included:
• Melody Hildebrandt, CISO, 21st Century Fox
• Heather Adkins, Director of Info Security & Privacy, Google
• Brad Maiorino, former CISO, Target, GE, GM
• Jess Frazelle, Microsoft
The panel explored the role of humans vs machines, with Heather noting that machine learning can provide insights into what’s happening, but not why it’s happening — the new role of humans, she suggested, is to teach the system this.
The panel also stressed that we need to change how we think about detection. Heather noted that we should be offering services instead of demanding requirements. Brad stressed the need for relentless practice and red team simulation, so that we can train people to fill in any technology gaps when it comes to missed threat profiles.
Geoff Belknap, CISO at Slack, also noted the importance of people during his fireside chat, stating that the most important thing is to help set the stage for culture. One of his biggest wins was using Security Bot (an automated program/persona within Slack) to discourage risky engineering behaviors. He noted that it’s possible to subtly modify behaviors by making the safe option the easiest option and providing incentives for doing the secure thing.
When asked how people are thinking about the problem of cybersecurity, Geoff suggested what was once a network and infrastructure problem is now an issue of the generation gap. Some people are used to thinking about things in a physical way, but we can’t do that now. We do need to understand how people are thinking about it, but then correct misconceptions and adapt our narrative so that it makes sense to them.
Following Geoff, Duo’s Director of Advisory CISOs Wendy Nather led a panel discussion on learning to trust zero trust. Participating in the panel were:
• Ross McKerchar, CISO, Sophos
• Nick Selby, Director, Cyber Investigations & Intelligence, NYPD
• Harry Sverdlove, CTO of Edgewise Networks
Just what is zero trust? Nick explained that it involves continuously checking if users are who they claim, with Harry adding that it’s starting with no trust and then building trust with every interaction. Ross stated that it means setting user identity as the perimeter instead of the server, while minimizing privilege to that user.
How do we implement a zero-trust structure? Ross advised that you shouldn’t change everything at once, but focus on one group at a time. Harry suggested starting with the biggest risk first, and Nick added that if you do, be sure that each part is finished completely before moving on to the next step. Wendy noted that users of critical systems are the crankiest, so an alternative approach would be to start off with users that you know will follow through.
All four panelists asserted that different systems will go through different paths in their journey to implementing zero trust. However, Wendy surmised that perhaps in the future, zero trust won’t be zero trust anymore... it will just be security.
The final presentation came from Rich Smith, Director of Duo Labs, who stressed that zero trust is not a product, but an approach. To continue protecting both users and devices (which are equally important), we must build security with an attack-driven defense in mind, by predicting how new technology will be abused and working to resolve those instances.
While the summit provided and reinforced many great points on the importance of security culture, human-machine responsibilities and interactions, and vigilance and collaboration in the face of threats and breaches, there’s still so much to learn about security in the cloud-native world. As we continue to grow our understanding and technologies, we appreciate all the contributions everyone has provided, and we look forward to seeing you at the next summit!