The NBA season has finally tipped-off, and it’s already interesting. One coach fired after only three games, some off-season megatrades look dubious, and the Warriors are still finding their footing. Admittedly, we’re coming from a Bay Area bias, but no one in our office will rest well until the Warriors achieve world domination. We expect that will happen soon.
As a basketball nut and a one-time wearer of Adidas Top Tens for actual hooping purposes, I’ve come to appreciate that there are lessons to be learned from the great game of basketball that extend beyond the 94 feet of hardwood. Perhaps the most poignant ones were about the importance of defense, and thankfully I was exposed to some very wise thinking on the subject, which I am now applying to cloud security.
Some of that thinking is distilled below from some die-hard coaches. While they might not know Hadoop from an API, these gentlemen would fit in nicely with the security crowd: irreverent, irrepressible, colorful, and brilliant. Their thinking on the subject of preventing a round ball from getting into the bucket can be applied to keeping hackers away from your AWS S3 buckets:
“Don’t try to out-rebound your man. Keep him out of the rebounding area to begin with and the rest is simple.”
– Scotty McDonald (Loyola Marymount, Phoenix Suns)
Is there any better way to describe the essence of enterprise security? If you keep the bad guys out of your environment, you won’t have to worry about them doing any damage. But of course, wise Coach McDonald knew what every CISO understands, and that’s that your cloud environment, like the dynamics of the ten players on the court, is constantly changing and there’s no one perfect way to just shut everything down. Movement on the court is like data being transacted among applications and integrated data sources; it’s constant, and with each change you’re looking at a new and different version of your cloud. Adaptation becomes critical, but you have to first know what to adapt before you can make any change.
Just as it’s almost impossible to totally keep DeAndre Jordan out of the paint, it’s also not reasonable to think you can completely prevent hackers from attempting to enter your environment. That’s why a continuous monitoring solution is the most effective way to control the situation. The more you know about your environment, the better equipped you are to plug holes and fix issues that could make your cloud vulnerable. Call it “digital boxing out”, perhaps, but what’s important is to identify issues, fix them immediately, and keep looking. You’re always moving, because the enemy is always moving, and eventually, you reach a point of containment where you can comfortably control the activity happening within your cloud.
“Defense…is reflected in constant attack and harassment, in denying your man cutting lanes and passes, in contesting every dribble, every rebound, and every shot, in applying unrelenting pressure.”
– Bud Presley (Menlo College)
Take part of Coach Presley’s comments and it sounds like it could be a hacker manifesto – “…constant attack and harassment…” But turn it on it’s head and it’s an astute framework for cybersecurity – before the hackers can penetrate your environment, give ’em hell. Make their efforts difficult by fixing vulnerabilities and shutting down opportunities for them to do what they want. Most enterprises that rely on manual security audits are basically choosing not to play defense at all; they’re just waiting for hackers to score, and hope they don’t get too far ahead. It’s always a game of catch-up, but it’s not winnable.
Hackers are inclined to take the path of least resistance. They keep trying doors, hoping one will be open, and once in, they wreak havoc, take what they want and move on to the next target. But if you do the necessary work to identify potential vulnerabilities and fix them, you will frustrate their efforts and force them into a place where they can’t operate. To do this means pursuing a state of security and compliance excellence, and that is done through continuous monitoring and rapid remediation. THIS is the kind of unrelenting pressure that creates an environment hackers deem unattractive and unworthy of attention.
“You have to make shots to win basketball games…you also have to get back on defense.”
– Gregg Popovich (San Antonio Spurs)
Some players love playing defense. Others just see it as the time between segments where you get to shoot. Organizations can be excused for thinking in a similar vein. For many, their purpose, their reason for starting a company or spending long days at the office is about creating and delivering great products. It can be fun and challenging, and if you’re good at it, it can even become somewhat glamorous. But you always have to defend your position and protect against bad actors who seek to deprive you of your livelihood.
In addition to applying continuous security and keeping constant vigilance over your cloud environment, it’s critical to apply security best practices and regularly evaluate your security posture and ensure you’re meeting rigorous requirements. You know your cloud stack and how DevOps will be deploying updates; it’s therefore within your ability to structure your security practices in a way that will complement and support your business goals. In order to maintain a state where your organization can thrive, the health of your operation requires that you are always prepared to eliminate threats.
“Defense is one man guarding the ball and four others helping him.”
– Mike Krzyzewski (Duke University)
The point from Coach K is that defense, like security, requires a team effort. Security cannot function if it’s treated in isolation. The first essential piece of this is actually creating an effective security team that can define and collaborate to achieve effective security goals. It’s also critical to ensure that groups like DevOps are integrated into security efforts.
To truly be effective, however, security has to be built into the overall organizational culture and embedded into the practices of all stakeholders. That includes things like best practices for building security (no piggybacking, for example), applying authentication effectively, protecting screens when traveling; these help everyone recognize that they play a part not just in removing risk, but strengthening the collective security posture of the enterprise. Just as a team has to play together to win, every organization has to ensure that all players are doing their part.
“If you’re not talking, you’re not playing defense.”
– Doc Rivers (Los Angeles Clippers)
Cybersecurity is often portrayed as an esoteric art that’s only practiced by elite geniuses. There certainly are superstars who guide the security thinking of a team, just like a Michael Jordan can carry a team on his back when needed. Yet, without Steve Kerr and Dennis Rodman, Michael Jordan doesn’t have as many championship rings. All players contribute, and for them to be effective and play their roles, there needs to be communication among all participants.
In cybersecurity, we see how critical this is when applying best practices. While a CISO or CIO might formulate the strategy, the implementation and continuous monitoring falls to a variety of roles and tools within the organization. All of those people and resources need to be in communication to ensure alignment and coordination of purpose. A tool like Evident Security Platform (ESP®) is useful in this kind of environment because it provides a single dashboard across the entirety of the cloud environment, and it gives the organization a way to communicate using a common language.
In both basketball and the cloud, there’s constant change and movement. Effective communication, teamwork, and applying the fundamentals will reduce information gaps, increase awareness, and help to solidify activity towards goals.