Snow in April, Alert Monsters, and Connect Four: 5 Takeaways from our SecOps Chat

Maurina Venturelli, VP of Marketing
May 1, 2023

Meny Har, CEO Opus, recently hosted Andy Ellis, Hall of Fame CISO, in our inaugural live LinkedIn chat. I participated from my home in Cheyenne, Wyoming, where the snow was blowing and quickly piling up on the deck; welcome to springtime in Wyoming.

Cheyenne, WY April 19, 2023

There were numerous brilliant pieces of information and theories, and I wanted to take a moment to share my top five:

What we really have is a configuration hygiene problem. Security teams have too many tools. We’ve spent 10+ years trying to shift left, and in doing so we’ve accumulated (collected) numerous detection tools: scanning tools like SAST, DAST, SCA, and I’m likely forgetting at least seven more. Oh, and BTW, we’ve also created an acronym nightmare. Do we really need that many? I digress. This “tool tsunami” or “death by 10,000 alerts” is the result of constantly re-creating the idea of software architecture (skip to 14:27 to hear Andy’s take). While this paves the way for cooler, better things, it also creates a whole new set of risk exposure issues, and thus a whole new set of tools with… you named it, alerts!

We’re now in a time where context matters. It’s no longer effective to have remediation centered in each of your tools. Sure, tools like Snyk, Wiz, Orca, and the like have remediation operations built in, but only for their specific tool. They can’t aggregate across each other, let alone across appsec tools and cloud sec tools. That sucks. Opus gives you all that AND a bag of chips… well, we will if you want them. Opus sees alerts from all the tools, aggregates duplicate alerts, AND enriches each alert with context from within your company: who checked in the code, what app it belongs to, what other alerts/findings it's related to, reasons to prioritize or not, and much more. We will slay your alert monsters!
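To make the aggregate-then-enrich idea concrete, here is an added illustration (not Opus's code, and not from the chat): findings from a SAST, an SCA and a cloud scanner, each in its own schema, are normalized to one key so duplicates collapse, then tagged with the owning app, team, last committer and related findings. The scanner output, the ownership map, the committer map and the CVE identifier are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample findings, in the shape three different scanners might emit.
SAST = [{"rule": "sql-injection", "file": "api/orders.py", "line": 42},
        {"rule": "sql-injection", "file": "api/orders.py", "line": 42}]  # same finding, two scans
SCA = [{"cve": "CVE-0000-0001", "package": "requests", "file": "api/requirements.txt"},
       {"cve": "CVE-0000-0001", "package": "requests", "file": "billing/requirements.txt"}]
CLOUD = [{"check": "s3-public-bucket", "resource": "orders-uploads"}]

# Constructed company context: path/resource prefix -> (app, owning team), and last committer.
OWNERS = {"api/": ("orders-api", "team-orders"), "billing/": ("billing", "team-billing"),
          "orders-uploads": ("orders-api", "team-orders")}
LAST_COMMITTER = {"api/orders.py": "alice", "api/requirements.txt": "bob",
                  "billing/requirements.txt": "carol"}

def normalize(tool, finding):
    """Map each tool's own schema onto (issue, asset) so duplicates collide on one key."""
    if tool == "sast":
        return finding["rule"], f"{finding['file']}:{finding['line']}"
    if tool == "sca":
        return finding["cve"], finding["file"]
    return finding["check"], finding["resource"]

def context_for(asset):
    """Look up which app and team own an asset; unknown assets stay visible, not dropped."""
    path = asset.split(":")[0]
    for prefix, (app, owner) in OWNERS.items():
        if path.startswith(prefix):
            return app, owner
    return "unknown-app", "unassigned"

def aggregate(sources):
    """Collapse duplicate findings across tools, then enrich each alert with context."""
    merged = defaultdict(lambda: {"sources": set(), "count": 0})
    for tool, findings in sources.items():
        for finding in findings:
            entry = merged[normalize(tool, finding)]
            entry["sources"].add(tool)
            entry["count"] += 1
    alerts = []
    for (issue, asset), entry in merged.items():
        app, owner = context_for(asset)
        # Related = the same issue elsewhere, or any other finding in the same app.
        related = sorted(f"{i}@{a}" for (i, a) in merged
                         if a != asset and (i == issue or context_for(a)[0] == app))
        alerts.append({"issue": issue, "asset": asset, "app": app, "owner": owner,
                       "committer": LAST_COMMITTER.get(asset.split(":")[0], "n/a"),
                       "sources": sorted(entry["sources"]), "duplicates": entry["count"],
                       "related": related})
    return alerts
```

Running `aggregate({"sast": SAST, "sca": SCA, "cloud": CLOUD})` turns five raw findings into four alerts, each carrying the team that should get the ticket instead of five context-free tickets landing on developers.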

Opus Security Alert Monsters
Showing off my drawing skills. Watch out for Alert Monsters!

Security teams are left to “solve the remediation problem.” The number one goal of security teams is to keep their product (application) secure at all times. One of the ways they do this is by monitoring scanning tools and managing alert… monsters. But, as Andy mentions, vulnerability detection vendors have no incentive to hide alerts of any kind. They will show you everything, and a human needs to decide prioritization, urgency, etc. This creates a huge time suck for security teams, duplicate tickets for developers, an inability to prioritize what matters, and will almost always result in friction between security teams and developers. [Insert cheeky Opus Security sales pitch here.] In all seriousness, if you want to see a demo, click here. Bonus points if you ask for me to be on the call!


Auto-remediation: When do you rely on it? When does it cause more harm than good? At around 14 minutes, Andy brilliantly states that automation should only happen in tasks. In other words, if you don’t have a well-oiled process, buy-in from all people (devs, sec, operations, cloud, etc.), and a list of tasks to support your process, you shouldn’t rely on auto-remediation. In fact, implementing auto-remediation before a well-defined, agreed-upon process will cause you more harm than good. It’s also important to note that you need to find the right balance between auto-remediation and humans.

Most importantly, it comes down to culture change. I’ve been marketing security tools for about 12 years now, everything from SAST/DAST to Cloud SOAR/Cloud SIEM, and we’ve been talking about developers, security, IT operations, and cloud teams working hand-in-hand for at least that long. At Opus we believe in security posture: take app sec posture, cloud sec posture, etc., and connect them like Connect Four! We like the idea of a culture where security is looked at as product security (#ditchtheacronyms). It’s everybody’s responsibility to do remediation, and organizations that adopt this culture change need a tool that makes it accessible and enables teams to collaborate easily. In a product security culture, the vulnerability alert can come from the code of the application, the container, AWS, Azure, the carrier pigeon, it doesn’t matter: we’re going to aggregate them, enrich them, help you orchestrate the fix, and ultimately build a culture of trust and respect.

Connect Four was created 49 years ago. Source: https://en.wikipedia.org/wiki/Connect_Four