Managing Data Leaks Outside Your Perimeter
It's one thing to protect your data within your four walls. But when data leaks increasingly come from third-parties, what can you do to protect your organization?
Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap, CISO, LinkedIn. Joining us is our sponsored guest, Mackenzie Jackson, developer advocate, GitGuardian.
Understanding the scope of the issue
Security teams can often feel at odds with developers, characterizing them as “not caring” about security. But this ignores systemic issues across the entire development process. "We need to make it really easy for software development teams to do the 'right' thing, and very hard to do the 'wrong' thing. That's on the Security community - not on developers. This is a human-centric issue and therefore a culture issue," said Dutch Schwartz of Amazon Web Services (AWS) . Creating a native security culture within software development can lead to a virtuous cycle, with Ian Poynter of Kalahari Security noting, "When the software development culture in your organization becomes security aware, security will become second nature for all software teams."
A lack of oversight leads to leaks
Secret sprawl directly leads to data leaks. When an organization doesn't have oversight over what secrets it even has, the cat is out of the bag. "One of the main reasons secrets are exposed is the lack of proper management and protection. R&D teams are the ones responsible for creating and storing secrets, but they are not the ones who are responsible for securing them," said Mark Fireman of Entro Security. This becomes compounded when you're dealing with credentials for third parties. Erik Bloch of Atlassian noted that he's seen far more compromises through third party credentials, saying, "If you have a reasonable SSO/MFA platform set up, but yet let third parties access your SaaS or other applications without requiring them to use at least MFA, it's a prescription to get owned."
Tooling can complement process changes
Secrets exposed in published code remain an issue. Scanning tools provide an immediate bandage to quickly find and remove these instances, but they should be paired with a wider process shift. "The key is to improve better coding practices and processes to force regular secret rotation or expiration that would leave secrets useless even if found in code or repositories," said Mauricio Ortiz, CISA of Merck. Getting visibility into secrets sprawl requires organizations to have context into how secrets were created and where they are being used. Randall Hettinger of Permiso Security advised, "Companies should prioritize developing more visibility into how their secrets are being used. Who has provisioned them, who has access to them, and where are they being shared?"
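To make the "scanning tools" point concrete, here is a minimal secrets scanner added as an example (it is not GitGuardian's code or any product's detector set). It combines a few known credential formats with an entropy gate for generic `secret = "..."` assignments; the sample lines are constructed, and the AKIA value is the placeholder key from the AWS documentation.

```python
import math
import re

# Known credential formats (constructed subset; real scanners ship hundreds of detectors).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic detector: a long quoted literal assigned to a secret-looking variable name.
ASSIGNMENT = re.compile(
    r"(?i)(secret|password|passwd|token|api_key|apikey)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; random keys score above, words below


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_lines(lines):
    """Return (line_no, detector, matched_text) for every suspected secret."""
    findings = []
    for no, line in enumerate(lines, 1):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((no, name, m.group(0)))
        m = ASSIGNMENT.search(line)
        # The entropy gate keeps placeholders like "changeme-changeme" out of the results.
        if m and shannon_entropy(m.group(2)) > ENTROPY_THRESHOLD:
            findings.append((no, "high_entropy_assignment", m.group(2)))
    return findings


# Constructed sample source lines (not from any real repository).
SAMPLE = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',  # AWS docs placeholder key: flagged by format
    'password = "changeme-changeme"',              # low entropy: not flagged
    'api_key = "Q7xLp2ZmT9vRn3wBc6Hd1KyG"',         # high entropy: flagged by the generic detector
    'print("hello world")',
]

if __name__ == "__main__":
    for line_no, detector, text in scan_lines(SAMPLE):
        print(f"line {line_no}: {detector}: {text}")
```

Run in a pre-commit hook or CI job, a scanner like this catches the leak before the commit is published; rotation (per the quote above) is what limits the damage for the ones it misses.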
The horse is out of the barn
Preventing leaked secrets remains a goal, but a security posture should assume they are already out the door. Amit Arora of Amazon Web Services (AWS) recommended this approach and pointed to it as an industry opportunity, "Any activities happening in your environment, things that normally an attacker does, can be monitored to guess backwards if a secret is stolen. Signals around stolen secrets can go to a centralized bucket from where enterprises can subscribe and continuously monitor every activity. Instead of protecting the key, protect the kingdom."
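The "guess backwards" approach above, as an added example (not code from the episode or from AWS): learn what each credential normally does from audit events, then flag uses that only a stolen copy would produce. The events are constructed in a CloudTrail-like shape with made-up key labels; 203.0.113.0/24 is a documentation address range.

```python
from collections import defaultdict


def ev(key, ip, api, ts):
    """Build one constructed audit event (sample data, not a real log record)."""
    return {"key": key, "ip": ip, "api": api, "ts": ts}


# A week of normal activity used to learn each key's baseline.
NORMAL = [
    ev("KEY-BUILD-PIPELINE", "10.0.1.15", "s3:PutObject", "2024-04-01T09:00:00Z"),
    ev("KEY-BUILD-PIPELINE", "10.0.1.15", "ecr:PutImage", "2024-04-01T09:05:00Z"),
    ev("KEY-BACKUP-JOB", "10.0.2.40", "s3:PutObject", "2024-04-01T23:00:00Z"),
]
# The following week, after KEY-BACKUP-JOB was rotated and its old value revoked.
NEW = [
    ev("KEY-BUILD-PIPELINE", "10.0.1.15", "s3:PutObject", "2024-04-08T09:00:00Z"),
    ev("KEY-BUILD-PIPELINE", "203.0.113.7", "sts:GetCallerIdentity", "2024-04-08T03:12:00Z"),
    ev("KEY-BACKUP-JOB", "10.0.2.40", "s3:PutObject", "2024-04-08T23:00:00Z"),
]
REVOKED = {"KEY-BACKUP-JOB"}  # any further use means a copy survived rotation


def learn_baseline(events):
    """Per key: the source IPs and API calls its legitimate owner normally produces."""
    base = defaultdict(lambda: {"ips": set(), "apis": set()})
    for e in events:
        base[e["key"]]["ips"].add(e["ip"])
        base[e["key"]]["apis"].add(e["api"])
    return base


def detect(events, baseline, revoked):
    """Flag events a stolen copy of a key would produce but its owner would not."""
    alerts = []
    for e in events:
        reasons = []
        if e["key"] in revoked:
            reasons.append("use_after_rotation")
        else:
            b = baseline.get(e["key"], {"ips": set(), "apis": set()})  # unknown key: all new
            if e["ip"] not in b["ips"]:
                reasons.append("new_source_ip")
            if e["api"] not in b["apis"]:
                reasons.append("new_api")
        if reasons:
            alerts.append((e["ts"], e["key"], e["ip"], e["api"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW, learn_baseline(NORMAL), REVOKED):
        print(alert)
```

A key never seen in the baseline is flagged on every use, which is the point: the secrets you did not know you had are the ones most likely to already be out the door.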
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Huge thanks to our sponsor, GitGuardian
Capture the CISO Season 2 has begun!
Subscribe and listen to the first episode and watch the contestant demo videos.
CISO Series Game Show LIVE in San Francisco (05-07-24)
All your favorite games from Super Cyber Friday, brought to the stage for one special afternoon during the week of RSA 2024 in San Francisco. CISO Series will be hosting this event, and I'll be the emcee. We'll have lunch (while it lasts), a bunch of really fun cyber games, and prizes.
EVENT: CISO Series' Super Cyber Game Show Friday (TUESDAY EDITION)
WHERE: W Hotel, 181 3rd St, San Francisco, CA 94103 (2nd Floor)
WHEN: Tuesday, May 7th, 2024 from 12:30pm-1:30pm PT (come early for lunch!)
HUGE thanks to our sponsor and host, Veracode
Join Us 04-26-24 for “Hacking Your Cybersecurity Career” – Super Cyber Friday
Please join us on Friday April 26, 2024 for Super Cyber Friday.
Our topic of discussion will be “Hacking Your Cybersecurity Career: an hour of critical thinking about how to level up your professional development.”
Joining me for this discussion will be:
It all begins at 1 PM ET/10 AM PT on Friday April 26, 2024. At the end of the hour [2 PM Eastern/11 AM Pacific] we’ll switch gears to our meetup where everyone will get a chance to chat face to face.
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Dan Walsh, CISO, Paxos. Thanks Conveyor.
Thanks to our Cyber Security Headlines sponsor, Conveyor
Jump in on these conversations
"Question for the younger folks in the 'biz, about motivation" (More here)
"Hey recruiters, what are the answers you wish to hear when you're interviewing for a junior role?" (More here)
"How can I learn to schmooze? I've been told my communication style is too direct, cold, and rough around the edges." (More here)
Coming up in the weeks ahead on Super Cyber Friday we have:
Save your spot and register for them all now!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship, contact me, David Spark.
Great dad | Inspired Risk Management and Security | Cybersecurity | AI Governance & Security | Data Science & Analytics My posts and comments are my personal views and perspectives but not those of my employer
11 months David Spark Thank you for including my comment this week and always happy to share my personal thoughts. Secrets sprawl is real. It will not be resolved with a silver bullet. The solution must include better education/awareness of security implications, better security practices, and implementation of tools that can help prevent or detect embedded secrets. And for the love of god at least use great products like GitGuardian to minimize the sprawl in your organization.
Identity Threat Detection & Response in Cloud & SaaS | Permiso Security
11 months Thanks for the shoutout and for covering this important topic!
I empower you to grow your business with AI and cloud | Executive Security Advisor | ex-AWS | Top Voice | Speaker | Veteran | QTE
11 months Thanks for including me David! Building a great culture of security is one of my favorite topics with Brian Lozada, CISSP and Tony Gauda.
Cloud and AI Security | Ex-Amazon | Helping AI Startups | Mentoring Cloud Engineers
11 months David Spark Humbled this morning after seeing this quoted: "Preventing leaked secrets remains a goal, but a security posture should assume they are already out the door. Amit Arora of Amazon Web Services (AWS) recommended this approach and pointed to it as an industry opportunity, "Any activities happening in your environment, things that normally an attacker does, can be monitored to guess backwards if a secret is stolen. Signals around stolen secrets can go to a centralized bucket from where enterprises can subscribe and continuously monitor every activity. Instead of protecting the key, protect the kingdom.""
Entro Security. Transforming Non-Human Identity Management. Director of Business Development. Secrets protection, designed for security teams. Fastest Gartner "Cool Vendor" in History
11 months Thanks for sharing David Spark, and for the mention of Entro Security. When developers create secrets, they're often scattered across vaults, committed to code, saved in cloud assets, sent over collaboration platforms such as Slack, and more. This creates a situation where security teams often have no idea:
- How many secrets they have
- Where they are
- What they can access
and lots more. Non-human identity attacks on the supply chain are the new attack path.