Cloud Sentry Blog (https://cloudsentry.evident.io), powered by Evident.io

Are Your Automated Alerts Creating Too Much Noise?
Tue, 14 Mar 2017 20:04:32 +0000


Responding to an unending influx of alerts takes up valuable time and resources. It can prevent you and your team from playing a strategic and proactive role in your organization’s success. How can you quell the volume of alerts that are holding both you and your team hostage?

If you are using the Evident Security Platform (ESP), the solution is simple. ESP allows our customers to suppress security risk alerts; in other words, it’s less noisy for you. Now, the question is: which suppression option should you choose?

Every organization will have its own unique AWS configurations. Sometimes, what we here at Evident.io would consider a “high level risk” might be a very minor risk to you and your team. We believe all security alerts in the risk report are critical, but we give you, the customer, a way to put those alerts on mute while maintaining the ability to refer back to them at any time, if needed.

If you have been using ESP for any amount of time, I am sure you have noticed that we have a few options to help you suppress alerts:

[Image: ESP Suppression Alerts]

Let’s dive a little deeper into those options:

By choosing “Suppress this alert”, you will suppress recurrences of this alert specifically. If the unique details of this alert change, it will no longer be suppressed.

By choosing “Suppress this signature”, you will suppress any alerts that would normally be generated for any of the signatures either you or Evident.io created.

By choosing “Suppress this region”, you will suppress any alerts that would normally be generated for a specific region. However, we do not recommend this option, as it leaves you completely blind to all activity in the region you choose to suppress.

No matter which option you choose, we know that either a manager or an auditor is going to want to know why an alert was suppressed. We require you to provide the reason for suppression in a one-time comment field. The suppression you approve will become active in the next report run within the hour.  

Congratulations, alert fatigue is no longer plaguing you and your team! Without all that noise, you can focus on priorities like getting that RFP done faster, getting a jump start on PCI compliance or finally having the time to train up your organization on doing their part to stay secure in the cloud.

Thank you for taking time out of your day to read this.  

My name is Erik Allen, and I am the Customer Success Manager for Evident.io. My goal is to make sure that our customers are having a great experience within our platform and truly seeing value and ROI.

If you have questions about our Suppression Options, please feel free to ask us via sales@evident.io, or, if you are a current customer, please feel free to email me directly at EAllen@Evident.io to schedule a training call.

The CIA Leak and the Government’s Role in Cyber Warfare
Fri, 10 Mar 2017 18:45:46 +0000

It has been interesting to watch the commentary flying around the interwebs about the CIA Wikileaks leak. It has sparked many conversations around our office, and frankly we’re more surprised that so many people apparently had not considered that the government would be developing these kinds of defenses.

On one hand, the American people depend on our military forces (including the intelligence community and their specialists) to protect us from conventional threats as well as emerging threats. This is not unlike security professionals in the commercial industry — protecting employees from security attacks of both generic and hyper-specific types.

However, we don’t think it is unfair for our security professionals in our organizations to have software and technology advantages over the attackers to better defend us… why is this such a surprise for our government? They need to have unique, specialized software and technology to protect our citizens from cyber warfare threats. Our tax dollars fund the intelligence community’s efforts to develop better, more sophisticated technology than attackers have to best protect our interests. Sometimes, the human element means these things can be misappropriated — but that doesn’t make their existence wrong.

On the other hand, we have to ask ourselves how we differentiate enemy combatants from innocent citizens when this technology is used. The concept of privacy and the sanctity of one’s home is no longer what it was 10, 20, or 30 years ago. If the intelligence community is truly using these assets to protect citizens, we need to make sure they can properly safeguard the usage of such software under the guidance of our governing policies and documents in this country.

I have no doubts the leaked data is real, and likely only a fraction of what assets the governments of the world have. The CIA is one of many agencies in the world, across world governments, that have this kind of technology. The need for cyber advantages is real, and every country on the planet is investing in this kind of stockpiling. This may be the trove that was leaked recently, but many others have been purposefully or maliciously leaked in smaller portions over the past decade. Anticipating anything less than their existence, use, and availability makes us naive as a population of this technology-forward planet.

Healthcare Organizations Increasingly Seek Relief in Cloud
Wed, 08 Mar 2017 19:33:16 +0000

Healthcare organizations are turning to cloud computing in greater numbers – and for good reason. Healthcare is facing unprecedented pressures to streamline operations and slash costs while also experiencing increased regulatory scrutiny. Under such pressures, cloud computing – especially public cloud – provides a way to potentially meet these objectives while also improving security of their IT infrastructure. Security improvements are always relative, of course, to organizational ability to execute. But organizations with significant restraints on resources and lacking dedicated security expertise on staff have a better chance at improving security in the cloud than managing their own on-premises systems. This is especially true for many healthcare organizations.

In a recent talk at a DevOps Connect event, Where Bits and Bytes Meets Flesh and Blood – DevOps, Cybersecurity and IoT, Josh Corman stated that 75 percent of healthcare organizations have no dedicated security staff. If this is the case, there’s no way these organizations can ever hope to maintain the security of complex IT systems.

Perhaps this is why healthcare cloud growth is outpacing many, if not most, other vertical market segments when it comes to cloud adoption. They are moving to cloud to help reduce IT complexity and costs. According to the recent report Global Healthcare Cloud Computing Market 2017-2021, the global healthcare cloud computing market is expected to grow at a compound annual rate of just over 21% between now and 2021.

Few would argue that cloud services don’t provide improved flexibility for most organizations, along with the ability to manage these systems more easily. And it’s that increased agility that is driving most organizations to cloud. According to a recent DevOps.com survey, Security at the Speed of DevOps, about a quarter of the 240 respondents were already running all of their business in the public cloud, and another 25% expected to move more of their computing resources to public cloud. However, as I interviewed users for the report, I found that many small and mid-sized enterprises (not healthcare-specific but certainly inclusive of healthcare) said they were struggling to find people with the necessary skillsets as well as the security toolsets to secure their cloud systems and manage them using on-premises security.

And it’s even more of a challenge for healthcare organizations when security isn’t centrally managed by anyone, but instead is managed by the CIOs, operations, development and remote office teams.

Being tight on staff and resources is certainly a reason for rising data breaches and system availability problems – but it’s not an acceptable excuse. This is especially true for healthcare providers. Recent guidance from the Department of Health and Human Services Office for Civil Rights made clear – healthcare providers and business associates are the ones responsible for making certain that their cloud environments and cloud service providers are secure and compliant with security and privacy mandates.

There’s no one way for healthcare providers to succeed at managing and securing cloud environments, but there are certainly tactics that don’t work. And that’s doing what too many businesses have focused on for too long: ad-hoc security and reviews, attempting to secure systems based off checklists, and building “security” programs that focus on compliance rather than mitigating real risks. The good news here is that cloud can be used to help simplify these efforts through automation and continuous monitoring for new systems that may arise as well as systems that fall out of compliance with regulatory and security policies or otherwise become vulnerable.

This is good advice for all enterprises, as cloud systems exist in a constant state of flux and updating, where misconfigurations and vulnerabilities can creep in at any time. But leveraging automation is especially beneficial for any enterprise with tight limits on resources.

Shining a Light Into IT’s Shadows
Wed, 01 Mar 2017 19:51:21 +0000

It seems every week there’s another study or headline highlighting how shadow IT is an ever-increasing concern for IT teams. And, despite this, CIOs and CISOs remain blissfully unaware (well, blissful until a breach or regulatory finding pops up) of the extent to which shadow IT is actually running within their organization.

Just last week in CloudSentry, Evident.io’s Alison Arnott wrote in “Who knows what evil lurks in the heart of the cloud?” how a recent report from ESG found that 65 percent of IT professionals said that they are not aware of either a significant or moderate number of rogue cloud applications in use within their organizations. Not good. But this is also an opportunity.

We know that such shadow IT can pose significant risks to an organization. When cloud services and custom applications are running in the cloud without the oversight of IT, especially systems and apps that handle critical intellectual property or regulated data, these risks are quite high. It’s something that all organizations must get a handle on – not just to reduce those risks but to better serve the organization as well.   

Therefore, to get a handle on shadow IT security, reduce the associated risks and better serve the business-technology needs of the enterprise, it’s important to first understand why staff are deploying their own cloud services. It happens primarily because IT isn’t delivering technology services as swiftly as business users need. Consider an OutSystems report published earlier this month which found that more than three-quarters (76 percent) of IT professionals say their organization takes more than three months on average to develop a mobile application. Eleven percent cited one year.

And we often hear of the same backlog levels when it comes to getting storage and virtual workloads deployed by the IT department. The inconvenience of this lag is why more workers than ever are turning to shadow IT. After all, that lag isn’t acceptable, and one can hardly blame workers for taking the initiative to do what they need in order to do their jobs well. But this doesn’t change the fact that no matter how noble the intentions, shadow IT can and does create enterprise risk.

What’s the best way to shine a light into shadow IT? First is to realize that shadow IT is often a cry for help: employees are seeking ways to get their work done more efficiently. This means, first and foremost, shadow IT is an opportunity for IT to see what services, apps, and features users need most – this information should be used to inform them as to what areas business users need the most support in, how to allocate cloud services in the future, and how to best service the business overall.

For this reason, instead of immediately shutting down any uncovered shadow IT as forbidden and telling users and lines of business that they’ll have to get back in the queue and wait for IT – consider whether the app really calls for a draconian crackdown. And if it does, then so be it. But help the enterprise find a way to quickly bring the shadow apps or services that staff are using into security and policy compliance.

Whether apps pose a risk or are acceptable for use will always be a point of contention. Most organizations have varying levels of risk acceptance. But certainly some classes of data deployed to cloud need to have the appropriate controls in place, notably significant intellectual property, customer financial or health data, and anything material to earnings reports. And, just because data resides in the cloud doesn’t mean that all the risks associated with data management go away: data availability and service availability, system vulnerability and configuration management, disaster recovery and business continuity, and so on. So the question becomes how do IT teams harness the innovation that their internal customers are trying to create while also obtaining the necessary level of governance over the shadow IT systems growing within?

What to do? The first step is to get an accurate accounting of all of the cloud systems and apps in use in the enterprise. Get to know what systems hold the most valuable data, regulated data, and customer data. Map where this data resides in public and private clouds and what software services support which data types.

When you find shadow IT, whether it be cloud servers, storage, platforms, or even custom apps, the first goal after determining that it creates too much risk or isn’t compliant is to bring the cloud service into the enterprise fold in a way that is secure and compliant. Perhaps even provide the business units with ideas on how to achieve what they want in more effective or efficient ways.  

When a light is shone on shadow IT like this, it’s critical that the IT team and security teams don’t automatically swing the ban-hammer and, instead, become supportive of the business. I’m sure you’ve heard that security is too often the department of ‘No’. This can also be true when it comes to shadow IT. This way, IT becomes part of the constructive business conversation and business units get the services they need, while costs, service quality, and risks also are properly controlled.

Spring Training for Your Security Team
Wed, 01 Mar 2017 18:17:43 +0000

Like professional baseball, cloud security takes focus, practice and a keen understanding of the game. In the cloud, the best defense is a strong offense.

A proactive approach is the best way to strengthen security best practices within your organization. Think of this as building your team playbook: implementing organization-wide standards sets expectations and allows you to measure performance. Require multi-factor authentication and deploy such technologies as encryption or tokenization to secure sensitive data transferred and stored in the cloud. Developing a more formal procurement process will help thwart the existence of Shadow IT within your environment. And old or unused access keys for dormant accounts should be deleted regularly.

Once you’ve developed your plays, it is all about practice, practice, practice. Running drills allows you to identify your strengths and weaknesses. Over time, continuously exercising these best practices ingrains them into your muscle memory, and your security posture gets stronger with every compliance test. Security best practices become second nature.

Security is a team effort. There is no one person within your organization that can single-handedly protect your cloud. That said, just like in baseball, it only takes one person to drop the ball to allow your opponent to get on base or a bad actor to get into your environment. Educating your staff on the dos and don’ts will help to strengthen the fundamentals of your security game.

Lastly, remain vigilant. Your team must be ready to clear the dugout if anyone decides to rush the mound. Unlike baseball, every hour of every day is game time and you never know who you will be up against.

It’s time to find out if you’re ready for the big game or if you need to go back and review the tape. Run the CIS AWS Foundations Benchmark today to see where you need to up your game and the remediation steps you need to take.
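
As an added illustration (not part of the original post, and not Evident.io code), the following Python checks two of the plays named above, multi-factor authentication and unused access keys, against an AWS IAM credential report. The sample report, the `audit` function and the 90-day idle threshold are assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample using a subset of the columns of an AWS IAM credential
# report. Account ID, user names and dates are invented for illustration.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2017-02-20T10:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2017-02-27T09:12:00+00:00,true,true,2017-01-15T08:00:00+00:00,2017-02-28T17:30:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2016-09-01T14:00:00+00:00,false,true,2016-03-01T08:00:00+00:00,2016-10-02T11:45:00+00:00,true,2016-08-01T08:00:00+00:00,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,N/A,false,true,2015-11-20T08:00:00+00:00,2017-02-28T23:50:00+00:00,false,N/A,N/A
"""

# Fixed "current time" so the example is reproducible (assumed value).
NOW = datetime(2017, 3, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Return an aware datetime, or None for the report's empty markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv, now=NOW, max_idle_days=90):
    """Return (user, finding, detail) tuples for missing MFA and idle keys.

    max_idle_days=90 is an assumed threshold; set it to your own policy.
    """
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # The root row reports password_enabled as "not_supported", but root
        # can always sign in to the console, so it is checked for MFA too.
        has_console = user == "<root_account>" or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "no_mfa", "console sign-in without MFA"))

        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = parse_ts(row[f"access_key_{n}_last_used_date"])
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if last_used is not None:
                idle_since, detail = last_used, f"last used {last_used.date()}"
            elif rotated is not None:
                # Never used: measure idleness from creation/rotation time.
                idle_since = rotated
                detail = f"never used, created/rotated {rotated.date()}"
            else:
                idle_since, detail = None, "no usage or rotation data"
            if idle_since is None or idle_since < cutoff:
                findings.append((user, f"stale_key_{n}", detail))
    return findings


if __name__ == "__main__":
    for user, finding, detail in audit(SAMPLE_REPORT):
        print(f"{user:15} {finding:12} {detail}")
```

The `ci-deploy` row is the negative case: its key is old but was used the day before, so it is not reported as unused.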

Fear & Loathing In The Cloud
Fri, 24 Feb 2017 21:21:34 +0000

Whether you’ve already bought your ticket for the cloud or still have some issues to sort through, fine-tune your security practices to make sure your ride is a smooth one.

For those of us who started our careers amid the structure and disciplined rigor of old-school, waterfall, data center-centric application development, the cloud seems like a psychedelic trip straight out of a Hunter S. Thompson book. Code is being deployed in nearly continuous fashion. Servers are history. Penetration tests are so out of date by the time they’re done, you might as well have not even tried. It can be overwhelming, and there are days you probably want to jump in a red Chevrolet Impala and hit the road.

Each week, I talk to folks in enterprises who are either beginning or accelerating their move from traditional on-premises infrastructure to the cloud. They anticipate they will realize benefits including increased agility, reduced costs, flexibility, and ease of use. But along with this transition there are new security concerns, fear, and, yes, sometimes a little bit of loathing. They’ve heard cloud stories from their friends, after all.

However, almost all organizations recognize that they need to adapt and modernize their security policies and posture so they can continue to achieve corporate goals while taking advantage of everything the cloud offers. Security can be the ultimate accelerator or the biggest blocker in cloud adoption and technical innovation. Many security and development professionals are struggling to find the right cloud security approach to fit their modern IT practices. They worry most about the lack of control and visibility but also don’t want to see their organizations fall behind competitors because they’ve slowed or blocked cloud adoption.

When it comes to cloud security today, there are many issues that organizations are trying to sort through, but here are a few I hear the most.

  1. Organizations viewing the cloud as just another product: You can’t make an assessment of your security today and assume it holds true tomorrow. Heck, it probably won’t hold true an hour from now. The cloud is living, breathing, and rapidly changing. Security within this constantly changing environment has to be continuous, or it won’t be effective. Traditional security solutions weren’t created to fit the rapidly changing elastic infrastructure of the cloud. While attacks become increasingly automated, you need to adopt new security tools and techniques to work effectively in this new ecosystem.
  2. Traditional scanning won’t do: Traditional data center solutions rely on being in the path of traffic, being deployed within an application or operating system, or on traditional network-based IP scanning techniques. That approach doesn’t work in the cloud. Users run application stacks on abstracted services and platform-as-a-service layers or leverage API-driven services that render conventional security solutions ineffective. Cloud environments are so fundamentally different from their static on-premises counterparts that they require an entirely new way of administering security practices, and this means adopting new cloud security technologies that provide extreme visibility.
  3. Differentiating real security issues from “noise”: Teams working in the cloud benefit from speed and acceleration, but it’s important to recognize how their approach to security must be vastly different. Discerning real vulnerabilities from solely infrastructure noise is a major challenge. All this change and noise make a manual inspection of the infrastructure too slow to be effective. The API-centric cloud world requires a new way for defenders to protect their environments, but not all cloud and IT teams really understand these security nuances. Security automation is one way to overcome the knowledge and skills shortfall that exists in every development and IT shop.
  4. Lack of compliance with API-driven cloud security: The emergence of API-driven cloud service suites has changed the way security must be architected, implemented, and managed. While the API is a completely new threat surface that we need to defend, it also provides the ability to automate detection and remediation. As new compliance benchmarks such as the CIS AWS Foundations Benchmark are released, we will have a means to assess our security posture against industry-defined best practices and ensure that we’re taking the right steps to keep our customers, employees, infrastructure, and intellectual property secure. Cloud migration is happening quickly, and compliance with rapidly evolving security requirements is an ever-increasing challenge that must be resolved through automation. 

Whether your organization was born in the cloud, is migrating to the public cloud, is building out a private cloud, or has a crazy complex hallucination-inducing hybrid cloud strategy, the cloud is happening, and it’s an absolute necessity that we adapt our security practices. No longer is security left to the security guys: we all have a part in creating a holistic, continuous, and rapid security program fit to support the cloud. As Hunter S. Thompson wrote, “Buy the ticket, take the ride.”

Originally published on Dark Reading

The Time Has Come to Fully Embrace Security Automation
Wed, 22 Feb 2017 12:52:26 +0000

Last week the security industry put another RSA Conference in the record books. This year certainly was an interesting conference, at least for me. In addition to all of the great meetings, content, keynotes, and hallway discussions that always make RSA so worthwhile, some associates and I had the bonus journey of learning we would not be allowed back into our Airbnb rental. All of our clothes, toiletries, and much of our work gear were under lockdown.

Fortunately, we were eventually able to convince the very courteous San Francisco police to escort us to the rental to retrieve our stuff so that we could relocate to a hotel.

Before all of that excitement, during a panel discussion following Monday’s pre-RSA DevOps Connect: DevSecOps Edition, we discussed just how difficult companies have it when it comes to integrating DevOps processes and adapting to cloud apps. This is especially true when it comes to building software and using cloud infrastructure that is secure and resilient. Many of the challenges enterprises face when moving to the cloud and integrating DevOps come down to learning how to bring security along for the ride, or, in many cases, how to build them in the first place.

What’s interesting is that larger companies are better at integrating security and DevOps than smaller enterprises are. Well, at least for now. In DevOps.com’s inaugural Security @ the Speed of DevOps annual survey, they surveyed 255 security IT decision makers within organizations currently practicing DevOps. As one might expect, the degree of security and compliance automation/controls varied greatly between enterprises of various sizes.

When it comes to organizational size, DevOps is not evenly distributed. More than 90% of enterprises with more than 5,000 employees have either adopted or started to embrace DevOps methodologies. Of enterprises with fewer than 501 employees, only 38% have embraced DevOps. That’s still a good number, but it clearly shows a significant opportunity for smaller businesses to improve their processes, which is absolutely necessary to remain competitive.

Another gap is security automation. Only 6.5% of organizations with fewer than 100 employees have incorporated automated security testing on a significant portion of their applications. The good news is that these smaller organizations are at least starting to use security automation, with about 30% saying they have automated some of their testing. Again, here we see a stark contrast between smaller and larger organizations. At least 40% of organizations with 5,000 to 10,000 employees have automated large parts of their security testing.

My prediction is that by next year’s RSA Conference, we’re going to see a significant increase in security automation investment across companies of all sizes. Those companies that haven’t started yet are going to have to start, and those who are already well down this path are going to continue to shed as many manual application and cloud security processes as they can.

Consider a report from cloud access security broker Skyhigh Networks and the Cloud Security Alliance (CSA) titled, Custom Applications and IaaS Report 2017. This report found that custom application use in the cloud has hit an all-time high, yet information security teams are aware of less than 40% of those apps. That’s not a sustainable structure. The Custom Applications and IaaS Report 2017 also found that companies are continuing to consume ever more cloud services with no sign of slowing down. Astonishingly, among those surveyed, infrastructure-as-a-service clouds hold more custom applications today than currently reside in corporate datacenters.

Indeed, in the years ahead, all organizations are going to have to embrace security automation with both arms just to survive in the cloud.

Time for CISOs to Empower DevOps
Tue, 21 Feb 2017 19:11:35 +0000

On-demand Webinar

As DevOps is adopted at more organizations, it is becoming recognized as a means to enhance security efforts. Security tests should always be an integral part of the DevOps workflow; however, that isn’t the reality for many organizations.

There is a growing need for new cloud security tools built to enforce security and compliance measures at the speed of scale, while allowing applications to be developed faster and more securely. As new cloud security platforms and automation tools fill the gaps to overcome key security challenges, organizations turn to DevOps to enable continuous compliance.

Join guest speakers, Steve McAtee, CIO at Vibrant Credit Union and Adrian Sanabria, Senior Analyst at 451 Research Group, to understand the drivers for Continuous Compliance and Security in the Cloud, including:

  • Trends in cloud adoption and development
  • Rising demand and costs of cybersecurity
  • Continuous compliance vs. emergency compliance
  • Compliance automation tools for DevOps


SPEAKERS
Steve McAtee – CIO at Vibrant Credit Union

As Vibrant’s chief information officer, Steve McAtee is the man with the plan when it comes to any of the high-tech gadgetry around the office. A lifelong Quad Cities resident, Steve bookends his days at work with tug-of-war matches with his dog. He hopes he’ll win one of these days.

Adrian Sanabria – Senior Analyst at 451 Research Group, Information Security

Adrian is a senior industry analyst at 451 Research, where he does his best to make sense of the security industry for clients. After over 15 years as a hacker, security professional, PCI QSA and incident responder, he still sees the glass as half full. Follow Adrian on Twitter @sawaba.

Proud to Join the GV Portfolio
Thu, 09 Feb 2017 12:00:49 +0000

We are pleased to announce that Evident.io was recently infused with $22M in fresh capital. This Series C funding round was led by GV (formerly Google Ventures) with participation from our existing partners at Bain Capital, Venrock and True Ventures. This investment strengthens Evident.io for the foreseeable future and allows us to continue operating in beast mode, accelerating to fully realize our vision.

Evident.io was founded in 2013, born out of the void of, and desperate need for, a cloud infrastructure security solution. My co-founder and CTO, Justin Lundy, and I experienced firsthand the entire gamut of how the cloud exposed the weakness of traditional security while working together to reinvent and secure Adobe’s Creative Suite in the Cloud. That is when the lightbulb moment hit: traditional security best practices do not translate to the Cloud, and we had the opportunity to effect change. As a result, Evident.io was born with a mission.

Since our beginning, we have been working at breakneck speed to create cloud security capabilities that are as easy to install and use as they are rock solid. The Evident Security Platform (ESP) is a SaaS-based platform that provides complete visibility across an organization’s public cloud infrastructure and enables consistent enforcement of policy requirements in line with industry compliance standards. ESP was designed specifically to help modern IT and DevOps teams automate and maintain security within the shared responsibility model that has become commonplace in today’s services economy. We approach security less like a transaction and more like a partnership. Working together, we’ll secure the cloud, defend your fortress, and increase your security awareness 24x7x365.

Today, with over 200 customers, we automate over 750 Cloud Security Best Practices and analyze more than 360 Million risks per day. ESP’s powerful transparency has thwarted countless attacks and has helped to remediate and secure thousands of vulnerabilities.

This infusion of capital will enable us to deliver our vision faster. We plan to accelerate company growth to address the market demand by extending support of public cloud platforms beyond AWS to Microsoft Azure and Google Cloud Platform. We plan to accelerate the innovation and development of new ESP features and capabilities to extend functionality beyond our infrastructure security and compliance automation offering. Our new automated Compliance Views for PCI, NIST 800-53, SOC2, ISO-27001 and BCBS 239 remain our focus in the near term.

To support these efforts, we are also growing the sales and marketing teams to target new geographies and vertical markets. The team will grow its commercial and government sales teams in the US, Europe, Asia and Australia.

We are excited to work with GV and look forward to learning from their expert team and gaining insights from their impressive network of portfolio companies.

Join our mission –  evident.io/jobs/

View official press release

What Cool Cybersecurity Job is Right for You?
Mon, 06 Feb 2017 17:22:40 +0000

Information security is one of the hottest, most-desired careers. However, when I talk with college students and recent graduates, and even experienced professionals looking for a career change to cybersecurity, there is often a lot of confusion about where and how to begin. Interestingly, this conversation came up during a recent dinner with CSOs. The subject proved to be divisive even among this group, which regularly hires cybersecurity professionals.

During the dinner, some CSOs advised that those interested in a cybersecurity career should focus on cybersecurity-specific education, while others argued that it is better to focus one’s formal education in other areas, such as computer science or even business to better understand the nature of the business and the vertical market in which a security professional may work. The student would then minor in security. Perhaps the answers to these questions vary depending on the career path one chooses.

In addition to education and training, there’s the question of where the best jobs are in the field. While “best” is certainly subjective, it is important to give considerable thought to the specialty within the broad field of cybersecurity in which one wants to work. In fact, while many people speak of cybersecurity or information security as a career in itself, it’s actually a diverse field with many specialties, from enterprise risk management roles to application security, forensics and investigations, infrastructure, malware, and many other disciplines.

In fact, there are so many positions and disciplines in cybersecurity that choosing one may not be easy for some newcomers. Fortunately, SANS has help for future (and current) cybersecurity professionals who seek an area of focus: The Top 20 Coolest Cybersecurity Career list.

It’s both an interesting and a helpful list. For each career category, there are recommended courses. Here’s what they have to say about the CISO career, for instance:

#10 – CISO/ISO or Director of Security
“Seems like I can get a lot done with little to no push back”

Job Description

Today’s Chief Information Security Officers are no longer defined the way they used to be. While still technologists, today’s CISO/ISO’s must have business acumen, communication skills, and process-oriented thinking. They need to connect legal, regulatory, and local organizational requirements with risk taking, financial constraints, and technological adoption.

SANS Courses Recommended

Why It’s Cool

  •    “Authority always wins.”
  •    “These people get to decide where to build the “watch towers,” how many rangers are stationed in the park, where fires can be safely built, and the rules of engagement.”

How It Makes a Difference

  •    “You have the creative direction to influence and directly contribute to the overall security of an organization. You are the senior security player, the only one whom the CEO will trust.”
  •    “This position usually reports at a very high level, and gets to see and influence the big picture. You work with physical security, IT, the businesses, even the FBI and other law enforcement agencies.”
  •    “You are da Boss. You can pick and choose who does what, what gets done, and motivate and then share the credit with your people. You make a real impact on a daily basis.”

How to Be Successful

Organizations succeed by taking risks. But they frequently fail because they don’t manage the risk-taking very well. The risks are business risks, and the security team needs to see business constituencies as “customers.” The “this is how it’s always worked” approach must be thrown out. Data-driven decisions, devolving perimeter, any-device thinking, collaboration technologies, virtualization, and mobile data are diametrically opposed to prior thinking. Today’s solutions are tomorrow’s threat, and global and geopolitical landscape shifts are tightly coupled to intellectual and informational threats.

Experience is often the training ground; diverse thought and scenario planning are requirements for a good outcome. Focus on the business goals: Never forget that this is the basis for security thinking.

You should take the time to look at the other 19 job write-ups. As you’ll see, there are many paths in the enterprise to a cybersecurity career, so there’s no need for newcomers to feel they are getting themselves locked into something. After writing about cybersecurity for more than 20 years now, I can assure everyone that this field is indeed dynamic, and anyone who picks an area of interest today and carves out a niche will always be able to shift their focus to another area, if they wish, with training and additional experience.

The reality is that many cybersecurity jobs either didn’t exist or were very sparse 20 years ago. And the day-to-day duties from as little as 10 years ago certainly don’t resemble what they are today. No one knows what this field will look like in 10 or 20 years. So if a cybersecurity career is of interest, it’s best to pick an area and run with it. You just don’t know where the path will lead over time.
