Tripwire’s Brent Holder and Stephen Wood discuss recent study findings that provide a snapshot of what organizations are doing (and not doing) to secure their cloud.
The following is an edited excerpt from a recent episode of Tripwire’s Cybersecurity Podcast.
Tim Erlin: Welcome everyone to the Tripwire Cybersecurity Podcast. I’m Tim Erlin, vice president of product management and strategy at Tripwire. Today, we’re here to talk about some survey results from a Tripwire-sponsored survey around cloud security. To have that conversation, I’m joined by two folks: Stephen Wood, who is a strategic product manager at Tripwire, and Brent Holder, who is a technical product manager at Tripwire. Welcome both Stephen and Brent.
Stephen Wood: Good morning.
Brent Holder: Hello. Thanks for having me.
TE: I’ve asked Stephen in Brent to pick out a couple of the metrics or the results from a survey of 310 professionals who are responsible for cloud security at a variety of organizations in North America, Europe, the Middle East and Africa. I want to dig into some of the results.
Automation and Security
Brent, you picked out one of the results around the question, “How does your company assess overall cloud security posture?” The responses were “fully automated,” “partially automated,” “manual” or “we don’t assess at all.” What was interesting for you?
BH: I think the most interesting thing was the less automated quarter of the results. We had 22% of organizations that say they handle it manually and then 2% who say they don’t assess it at all whatsoever. Sounds like an interesting situation, to say the least, but that’s a quarter of the respondents who don’t have any automation. Just thinking about what it would take to manually check some of these things.
TE: Well, the other result was 70% said it’s “partially automated.” I couldn’t help thinking that partially automated leaves an awful lot of room for “manual” or “not assessed.”
BH: During one user interview, we were talking to someone who was in the manual use case where they literally had a spreadsheet and they were logging into their cloud account and working through one at a time and checking to see that things were configured correctly. I asked how many accounts they had done that for. I think it was something like 10 over the course of quite a long period of time.
One of the things I think that’s probably suggested is that the number of organizations that are not that sophisticated in terms of their basic security is probably a fairly large number. This has shown up in some other conversations we’ve talked to people about whether they’re verifying their accounts’ configuration. And it was surprisingly few companies that were doing that, or at least a lot less than you would think would. So I am concerned that we are moving a lot of people into the cloud space without necessarily having given them appropriate education about how to do it properly, even though the tools are there to do it.
One of the things that caught my attention there was how many people are concerned about human error, and there should be a natural correlation. The more automation you have, the less human error you’re likely to experience. So, if they really had 70% deploying a healthy degree of automation, seeing a 93% still concerned about human errors is inconsistent. What I really think you’re doing there is saying that “we’re concerned because, well, it’s still a risk.”
TE: That’s interesting. There there was a question in there neither of you picked out as an interesting result. The specific question is “Which best practice security frameworks does your organization use for securing public cloud environments?” Number one was NIST at 50%. And the second was the CIS benchmarks for cloud at 46%. Below that, we had DISA, other and “we don’t use any frameworks.” Twenty percent said, “We don’t use any framework for cloud.” That gives you at least a little bit of a sense of where organizations that are paying attention are looking for that kind of guidance.
When you move to the cloud or you move assets to the cloud or processes or services, the core security controls that are required don’t really change. The methods of implementing them and the tools might change, but fundamentally, you still need to understand what assets you have, what your inventory is, how those things are configured, how they’re changing, how they’re vulnerable and be able to take steps to respond and remediate to those situations.
SW: Absolutely. But this also ties into the skills gap question.
If you imagine that what we’re doing this monolithic shift of the entire workload inventory of the country from on premise into cloud, we’ve got this workforce that has not had that experience. All the truly experienced people that live in the on-prem environment don’t have that exposure yet. And so, we’re throwing them in there rather quickly and just hoping they’ll make do. I think what we’re going to find is it’s going to be reflected in the amount of human error that occurs and the amount of low level, “I’ve got the first certification, but I’m not really that familiar with cloud yet” kind of behavior going on. And I think that could go on for maybe 10 years.
Automation: More or Less?
TE: Brent picked out the question, “In your ideal world, how would your organization change the level of enforcement automation?” And this was a question that was centered around whether people want more or less automation for security enforcement in their cloud environments. Brent, why did you pick out that one?
BH: It was the mirror image from, “How does your company assess your overall cloud security posture?” Because 6% of people said that they fully automated that. The only people who said they don’t want to change the level of automation when we were asking in your ideal world is 6%. I’m wondering if that’s kind of a mirror reflection.
When we have interviews centered around this type of question, it’s interesting. “Would you want to automate more?” It’s a very easy “yes” because there’s just not enough hours in the day and there’s not any way for someone to cram the full amount of expertise into their head to just do this by clicking with the keyboard. But there’s also this hesitation. It’s like, “do I want more automation? Yes, of course. But you know, I need to vet it. It needs to be proven.” You know?
TE: Well, you know, there’s a security mindset. When you’ve worked in information security for a while, you start constantly thinking about how systems might break. And automation is one of these things that can, in an ideal scenario, prevent human error.
But in many scenarios, it amplifies human error because if you have a human error that starts at the beginning of that automation process, it can be amplified to everywhere that automation exists, as well. So, I can imagine security professionals looking at that and saying, “Well, yeah, I like automation, but I also want to make that I’m not just amplifying the human error that that naturally exists when you put people inside of a process.”
BH: Yeah, I think it’s kind of like an “Are you concerned?” question if the question was, “How much would you completely trust automation to assess your security?” We might have gotten drastically lower numbers.
TE: There’s a good question. We probably wouldn’t ask it in a survey, but it’s a good one. “How concerned are you that the automation of security enforcement will cause a breach or problem?” You’d probably get a relatively high percentage of “yes’s” from a security audience. I think that’s a worthwhile question to ask. It’s an interesting question. As we make this transition from traditional on-premise systems to cloud, automation seems to sort of come with it in terms of configuration deployment. We’ve always had folks who say, “Well, I don’t really want automated response because I want a human being in the process. I want to create a ticket, want it to go through my workflow.” On the cloud side, because so much of the deployment and configuration is done through automation, we don’t see that that same response to automation. So there are two different environments at play.
SW: There’s one other data point I picked up in a conversation one time that I thought also bears on this question.
A customer said I have to move to automation because the bad guys are automating their attacks and they’re much faster and much too fast for us to respond to. And I will be outclassed if I don’t have automation. And so I feel like, you know, well, the problems of “Do you trust it?” have to be overcome. Your alternatives are pretty much, “Well, you’ll get beaten if you don’t find a way to make it trustworthy.”
TE: That’s a fair point. Yeah. You’ve got to pay attention to that threat landscape and adjust your defensive posture to match what the threats are actually doing.
BH: In whatever environment you’re trying to secure, there’s often a series of playbooks under this set of circumstances. And the playbook doesn’t change. And if you have a person who’s got some expertise around security who has to take action and jump in when one of these playbooks needs to be run, and they take the exact same steps and they move through the same systems, you’re kind of taking off the table that security expertise for all the time that they spend running through these kind of repeated processes. So, I think this drive to move towards automation might be a little bit in response to that. You want to have the people there to think through the tough problems and understand the things that might happen between the lines of alerts.
TE: Well, you can also think of that as applying the expertise at the point in the process where it has the biggest benefit. If we are 2 million plus people short, one of the problems that we’ve got is there are unmanned stations and those that aren’t manned or overworked. And so, we’re going to have a burnout problem to compound the skills gap problem. So, I think people will be naturally forced into the automation side of the house as we go forward in time unless we are able to recruit and train a lot of people really fast.
Alright. Well, I think that brings us to the end of our time for this episode. I always love these kinds of surveys because they give us plenty to talk about. Thank you, Stephen. Thank you, Brent. I thought it was a great conversation, and I’m looking forward to the next episode. I hope you all join us for the next episode of the Tripwire Cybersecurity Podcast.