With increasing tools, risks, and regulations, the onus of ensuring security is strong falls on all leadership- not just the CISO, – read on for the second part of our conversation with Jimmy Mesta, co-founder and CTO of KSOC.
Continued from part 1: Kubernetes and Cybersecurity
- In your opinion, there are two very broad categories here regarding ownership- the CIO and the CISO. Do you think the CIO should take complete ownership of it from the point of view of the developer and the IT infrastructure or the CISO only from the point of view of security and vulnerability management or threat management? From your experience, who do you think would do a better job if they were given this tool?
JM: There’s a third player, the CTO, because the cloud infrastructure is critical too. Some things aren’t just Kubernetes; AWS, Azure, and even the data centers must be considered.
But typically, it is a combination of CTO-CIO responsibilities. The CISO may or may not be the best person to have repeatable Kubernetes security guardrails in place. We have great tools for security teams to respond to incidents, but it’s a cross-team effort.
However, some things are very clear cut, but Kubernetes security crosses too many boundaries not to have other teams deeply involved. The CSO, at least at KSOC, deals with CSOs mostly. This is because we are still in that firefighting mode where it’s like, help me get some telemetry, help me put guardrails in place. But there’s rarely an instance where we engage with a full security team, and they don’t pull in the platform team, or they don’t pull in even the IT team. So it’s very like a cross-domain sort of concern.
- What are the best threat detection and mitigation technologies that businesses need on their tech stack today to minimize the risks and the trending, the upcoming risk in the next 12 months or so, whatever you’re foreseeing as the vulnerabilities happen?
JM: It’s difficult to predict individual technologies, but we build a great technology to handle much of what we’ve discussed.
But at the end of the day, it isn’t a single technology. The question should be: what are you doing to operationalize your chosen use?
From a security standpoint, there’s a lot of great technology to do many different things across your cloud stack. What we see more often is that people buy all sorts of stuff or roll out open source, but how do you extract meaningful insights from it that are high fidelity, flexible, and can be mapped to other business initiatives and ownership? So, operationalizing what those tools and technologies are providing is probably more, it is more important, in my opinion than choosing just the technology.
If you can do that and then fold in identity again, the top three CISO concerns are addressed. You need clarity on who’s doing what, and you have high-fidelity alerts and responses that are either automated or have strong run books and playbooks internally. Then, you’re in a better place than most organizations.
Also Read: Security Strategies to Truly Evolve with The Business
- How can businesses secure their containers and CI or CD pipelines? This is a little technology question, but you can discuss what CXOs should do: CIUs, CTOs, or CSOs.
JM: The CI CD ecosystem has had a moment in the past, like a year or two, where I think it was like Kubernetes where everyone felt we were running arbitrary code. Machines and humans have access to service accounts, and many people have been talking about this, but it’s become more apparent that our CI CD systems are attack-like paths and vectors.
They’re great for internal or external attacks because they help a lot. Every enterprise has a built-in remote code execution as a service. We’ve been running these tools for years. And they can do a lot of damage across the enterprise. So, to secure your CI CD pipeline, there are a lot of things you can do. A whole top 10 from OASP discusses that, and most of it comes down to similar concerns. They usually pertain to access control, hard coded secrets, supply chain, and then the containers and workloads and configuration that flow through those pipelines and ultimately into Kubernetes.
You can put a lot of guardrails and checks in place throughout CI-CD so you don’t end up in a situation where you have to do everything ten weeks after it’s deployed. You want to catch the low-hanging fruit early. So, things like checking for Kubernetes misconfigurations in your manifest, image scanning, and shrinking your base images to something reasonable are important.
This way, you don’t have to deal with many vulnerabilities or static code analysis.
There are many things in that realm that you can do in CI upfront, which is the cheapest place to do it. And then, runtime, you always have the instrumentation, but you don’t have to go back and fix something serious; later, you’ve already caught it in CI.
So, I think that’s an evolving space for many interesting tools and projects. And even AI is starting to take over CI and doing pull requests. But is AI-generated code going to be tested with the same rigor? That’s a whole different discussion, but it’s an interesting space. There’s a lot of security innovation happening there.
Listen to this podcast: Emerging Tools for Better Security
- What should we be ready for 2024? Now, there is AI, there is automation, and a whole bunch of new risks are coming. What do you think deserves the most attention as far as businesses are concerned that they should be prepared for regarding technology, strategy, investments, or budgeting? What do you think should be the thing to watch out for security?
JM: A new theme is CISOs being held to a high level of accountability. Recently, we’ve seen some incidents with the SEC and other government organizations diving into breach details.
The CISO said it was the state of security, and it wasn’t. And now you’re in trouble in a pretty big way, not just a slap on the wrist. So, if that’s the theme for next year, that sets the stage for really deep scrutinizing. They will be putting a fine tooth comb through the entire program.
There’s no shortage of security programs across the globe that are getting a C minus. So, we need to increase the security posture, which means scrutinizing Kubernetes too.
But I say, let’s not delay that for next year. Let’s put the experts on it. Let’s do the audit of the CI CD pipeline. Let’s put the controls in place, document them, and verify them. Next year, we will see more scrutiny from outside forces. We will only get more sophisticated from an attacker’s perspective. I think we’re already there. Kubernetes attacks are on the rise.
This year has been insane for CVEs, like real nation-state-style attacks and Kubernetes. It’s something that wasn’t the year before, like that was not the case the year before. And next year, we’ll see more sophistication. It’s the same way we’re evolving into cloud-native; the adversaries are doing the same thing! They’re sometimes better than most of the platform teams we deal with, and that’s scary.
So, we’ll see more sophistication and sprawl, whether that’s identity, just containers, or anything more. And more is not always our friend in security because you can’t track it. So we will have an interesting 2024 with those two power dynamics at play—more attacks and more real scrutiny. And then if we use less budget, that doesn’t help with the issue. We were spending high on security two or three years ago, and less budgets now will be challenging.
For more such updates follow us on Google News ITsecuritywire News. Please subscribe to our Newsletter for more updates.