The security practitioner's role is changing significantly. Trends like mobile, cloud, DevOps, and Zero Trust are creating new roles and erasing others. This presentation navigates these changes and makes some recommendations for folks wanting to keep up with the curve.
2. 2
Adrian who?
10 years as a security practitioner
5 years as a security consultant
3 years as an industry analyst
2 years building my own company and working for vendors
Founded local cybersecurity community groups:
• BSides Knoxville
• 10-Sec
• DC865
Now: doing cybersecurity product reviews for CyberRisk
Alliance
4. 4
Early Days of InfoSec
• Network security
• IDS/IPS
• Vulnerability management
• Anti-virus
• Incident Response
5. 5
Current InfoSec
A bit more.
Source: https://rafeeqrehman.com/wp-content/uploads/2021/07/CISO_Job_MindMap_Rafeeq_Rehman_v_2021.png
6. 6
An early mistake
“The security industry has made a lot of
mistakes along the way, and some of these
mistakes have made the security
professional's job needlessly difficult.
In hindsight, one of these mistakes was to
separate security from IT.
We need to correct that.”
Source: https://www.vice.com/en/article/nz7q37/we-need-to-change-the-psychology-of-security
11. 11
What made all this change
possible?
1. Always-on Internet
2. Cloud (~2007)
3. True smartphones (2008)
4. DevOps (~2012)
5. Everything-as-a-service (2010-present)
6. Ad-tech: obscene reach (2013-present)
7. Venture Capital: obscene cash (2015-present)
12. 12
Why change?
1. Speed
2. Agility
3. Less risk when taking big chances
4. Instant feedback
Sources: http://tweetstorm.io/user/pmarca/473910743834693632
https://twitter.com/mrry550/status/524624073779720194
13. 13
Security shares many of the same
needs
• Technology moves fast
• Startups move fast
• DevOps moves fast
• Attackers move fast
• Deploying the new SIEM is estimated to take 18 weeks…
14. 14
New tricks from our DevOps
friends
• Immutability (reducing and removing administrative
access to production workloads)
• high availability (patch and release whenever you want,
with no noticeable production impact)
• guardrails - autocorrecting configurations
• automated vulnerability and policy checks as part of
the CI/CD pipeline
• short asset age, shorter password age (ephemeral)
• automated response and recovery
15. 15
The DIE triad
• Distributed - highly distributed systems and data
remove the need for availability within any one
component of the system
• Immutable - integrity can't be attacked if data can't
be changed
• Ephemeral - less need to worry about the
confidentiality of systems and data if they have short
lifecycles
• Use CIA for pets, DIE for cattle
https://www.youtube.com/watch?v=_omGtDfaAjI
18. 18
Presented at Cloud Security World
in 2016
Source https://www.slideshare.net/AdrianSanabria1/cloud-devops-and-the-new-security-practitioner
19. 19
Traditional approach to security:
• Security is always a secondary or enabling layer
• Security must have direct knowledge and experience with the
underlying layer in order to be effective at protecting it or
recommending feasible solutions
• Direct experience in core technical disciplines goes a long way in
earning respect and cooperation
Physical
Security
OS
Layer
Network
Layer
Service
Desk
Dev, QA,
Test
Web/App
Layer
Ops
Understanding security’s role by understanding IT
20. 20
Issues with the traditional approach:
• Few security teams can ever be ‘well-rounded’
enough
• Security team isn’t qualified to advise much of IT
• Adversarial/dysfunctional relationships common
• IT changes often; attackers adapt quickly
• Defenders and security tools adapt slowly
Physical
Security
OS
Layer
Network
Layer
Service
Desk
Dev, QA,
Test
Web/App
Layer
Ops
Understanding security’s role by understanding IT
21. 21
Security
An example: going ‘cloud-first’
• Lower-level IT layers are outsourced
• Most security practitioner knowledge lies in these
layers
• Infrastructure-heavy security skillsets lose value
• Concept of bi-modal IT further confuses things
• As IT changes, so must security
Physical
Security
OS
Layer
Network
Layer
Service
Desk
Dev, QA,
Test
Web/App
Layer
Ops
Security’s Changing Role
22. 22
Cloud and DevOps – an opportunity to redesign
security:
• Smaller ‘well-rounded’ groups
• Dev, ops, infrastructure and security roles are shared
• Everyone working towards a clear, common goal
• Relationship between security and developers is
crucial
• Security can’t impact delivery schedule
Physical
OS
Layer
Network
Layer
Service
Desk
Dev, QA, Test;
Web/App Layer; Ops
Security
Security’s Changing Role
23. 23
Questions
• Security is redistributed into IT for all operational tasks
• Dedicated security staff performs
• high-level design, design/architectural input
• monitor changes in risk/attackers/landscape
• instruct/consult individual SMEs as needed
Physical
OS
Layer
Network
Layer
Service
Desk
Dev, QA, Test;
Web/App Layer; Ops
Security
SME
Internal Security Team
Security
SME
Security
SME
Security
SME
What should security’s future
role be?
25. 25
How common are these new skills?
• 6 out of the first 10 jobs I looked at required:
- coding skills
- new tech generation experience and/or skills
26. 26
Like what experience or skills?
• “Ability to automate tasks using scripting or other
programming language”
• “Scripting or general-purpose programming languages”
• REST, JSON, XML (API scripting)
• “Experience with DevOps, CI/CD, Chef, Puppet”
• “Experience testing for vulnerabilities in Ruby on
Rails applications”
• “Experience with various scripting and programming
languages”
• “Teach secure coding practices to software engineers”
27. 27
What should I learn?
• Scripting (automation)
• Get familiar with cloud, agile, devops, containers,
microservices, etc.
• AppSec
• Data protection
• Learn to write code
28. 28
What should I learn?
• Cloud – focus on AWS, Azure, Digital Ocean (cheap)
• Containers – focus on Docker
• Pick a language - ruby and python are most common
• Jenkins
• Ansible, Chef, Puppet, Salt
• New attack surface Don’t make security worse!
• Automation Make security better!
29. 29
Automation was on each of the
last 3 slides…
Every bit as true today…
https://twitter.com/vboykis/status/1098950011415597056
31. 31
What should I learn: additional
influences
• The art of selling
• Security innovation:
corporate githubs and giving
back
• Security Chaos Engineering
32. 32
Security Chaos Engineering
The identification of security
control failures through
proactive experimentation to
build confidence in the system's
ability to defend against
malicious conditions in
production.
https://www.verica.io/sce-book/
33. 33
Security Chaos Engineering
• Things will go wrong: why not figure out what they are
now?
• Like fuzzing, but at a more macro level
• Resilience is the foundation of chaos engineering (the
“R” in SRE, sorta)
• Confidence: most orgs don’t know if they’re ready to
handle an incident until it happens
Instead of avoiding failure, accept that it’s a natural
state that aids learning
34. 34
The bottom line
If you want to understand where
security is going, stop looking at
security, and start following IT
innovation, trends and changes
35. 35
Additional resources
• How to implement cloud security that actually works:
https://securityweekly.com/webcasts/how-to-implement-
cloud-security-that-actually-works-lessons-from-the-
front-lines/
Go ahead, say it – you know you want to. Let’s just get that out of the way and out of our systems, shall we?
The security industry has made a lot of mistakes along the way, and some of these mistakes have made the security professional's job needlessly difficult. In hindsight, one of these mistakes was to separate security from IT. We need to correct that.
We can't fix security's problems by throwing more people at them
security will never be large enough to secure the entire organization on its own
we must have help from asset owners - they should own responsibility for security on their assets
In fact, if security isn't part of someone's job, that doesn't make them neutral. It usually results in them working against us.
expense-in-depth vs defense-in-depth
teams focused on operational activities and digging through the mess of alerts created by security tools, instead of doing security work
FOMO - we want to know about all the logs, all the alerts, all the vulns. This isn't productive or feasible
Sifting through giant piles of alerts isn't work security folks enjoy doing - it results in churn and more folks interested in offensive work, rather than defense. I mean, when the winning team is obvious, it's tough to recruit people to the losing side
Security is not just a role, it's a skill. It's a way of thinking.
AI/ML can help security analysts, but it won't replace them. It can't. By nature, detecting and avoiding threats is an exercise in avoiding patterns. ML is designed to identify patterns - it's literally designed in a way that makes it infinitely evadable
Need to dismantle the idea of security as a gatekeeper - we should be partners and advisors the business can leverage and come to with questions or concerns. Almost like an HR, but for non-human assets!
TL;DR – major changes in technology come more quickly now and most of them will impact security.
I think it’s important for security folks to keep up with technology
AT&T’s “You Will” ad campaign was surprisingly prescient.
Back in the 90’s predictions were something that would eventually come, in some unspecified year in the future, thanks to some unspecified technological advances.
Today, predictions are something someone could be building now, or could have already built – we’re just waiting for the announcement to drop.
To remain competitive, businesses today are expected to truly innovate and predict competitors’ innovations
for example, it took Uber less than half a decade to replace 50% of taxi rides. Similarly, Netflix blew past Blockbuster in a similar timeframe.
The way we often think about these problems is like each era is replaced by the last.
Which isn’t really true! Mainframes, AS/400s, modems… Windows XP – they’re all still in use today, alongside a lot of the newer stuff (at least, in large, older orgs)
Uber, predictably looks a lot like a 21st century, cloud-first organization. At least, if you’re looking at the driver and rider facing app. Look at the backoffice stuff and you’ll find they’ve got SAP, laser printers, Cisco switches, and guest WiFi.
Again, with the importance of keeping up with technological changes
We often find we don’t even understand what we’re driving towards or what the goal is
But… it will hit us eventually, whether we’re prepared or not
My point here is not that companies need to be better prepared…
but that you, as an individual should understand these trends and have opinions on them
you can help drive, or be a passenger
I generally think security folks who are drivers go farther (also, possibly, get fired more often)
It's a different way of thinking and doing business.
While AT&T was predicting things that could happen if certain technologies got created or took off, we're in the future where most of the prerequisites exist.
Internet is ubiquitous.
Mobile computing is ubiquitous.
Compute and storage can be rented for pennies and scaled in minutes or hours.
VC cash flows steadily.
Apps can be built in hours, not months.
Ad platforms can reach hundreds of millions, almost instantly.
These days, if you have an idea for a disruptive business, there's not much holding you back. Understanding this, I think, can help you understand why we're seeing such a dramatic shift in how systems are managed.
(re:#3 - somewhere, an ex-Blackberry exec is triggered…)
In the early 2010s, this was just a quirky thing that Amazon, Etsy, and other crazy west-coast startups and tech giants were playing with.
But the results were too good to ignore
So suddenly, the startup way of doing things just becomes the way of doing things.
And that really, finally landed the definition of “Digital Transformation” in a tangible way.
Shorter cycle times gave businesses the ability to fail quickly, recover, try again
More and more, agile has been accepted as the more ideal development model.
What’s more, we see it used for any sort of development, including building security controls and a security program!
I really didn’t have to change much here!
We could also throw some other things in here as well.
People (security awareness training)
HR
Data
Supply Chain/Third party partners
Compliance/regulation
Design/Architecture
Identity
We could also throw some other things in here as well.
People (security awareness training)
HR
Data
Supply Chain/Third party partners
Compliance/regulation
Design/Architecture
Identity
We could also throw some other things in here as well.
People (security awareness training)
HR
Data
Supply Chain/Third party partners
Compliance/regulation
Design/Architecture
Identity
We could also throw some other things in here as well.
People (security awareness training)
HR
Data
Supply Chain/Third party partners
Compliance/regulation
Design/Architecture
Identity
Just an idea – doesn’t have to be precisely like this. Depends on the business, the culture, trial/error and a hundred other factors. The general idea though, is to get security responsibility and expertise closer to where the work is done.
The ability to sell a new security project or change is essential.
We’re well past “you got to do it because security”
But obviously, we want to force failure in controlled ways, so that it doesn’t cause harm to the business!