system breaches occur at the application layer. Yet only 3% to 4% of annual security budgets are spent on protecting applications. https://twitter.com/petecheslock/status/595617204273618944?lang=en
Mis-config!!!
Secrets/Creds
No (few) gates
Cloud as glorified CoLo (colocation)
Skillset changes
Defining normal
OSS vulnerabilities
Ephemeral

Organizations including Verizon, Booz Allen Hamilton, the WWE Foundation, Alteryx, the U.S. National Credit Federation, the Australian Broadcasting Corporation (ABC), and Accenture have all left information exposed due to configuration errors.
made us more secure

Prevention measures have proven to have limited efficacy: breaches will happen
Attempts to significantly limit user access can impact agility and business goals
“Bolt-on” solutions get worked around
99.9% of exploited vulnerabilities were more than 1 year old
Social attacks were utilized in 43% of all breaches (2017 VDBIR)
Increase in compliance requirements (SOC, PCI, FERPA, States)

Our Strategy
Move preventative controls closer to the data (robust IAM, data encryption, masking and de-identification)
Build security “guardrails”, not rigid procedures
Invest in new methods and technologies to improve Visibility/Detection/Response (VDR) capabilities
Let VDR inform preventative control investment (inc. deception tools)
Continuously scan for vulnerabilities and fix them
Incident response needs to be a core competency
Build security into processes and leverage automation
Develop “Human Firewalls” – awareness and training